
bug: accessing pages with an invalid `#access_token` hash param logs error but won't throw

Open naripok opened this issue 3 years ago • 2 comments

Bug report

Describe the bug

As per the title, accessing a page with an invalid `#access_token` results in GoTrueClient failing to initialize the user session, but the error is only logged internally and there is no way for the client to handle it. For example, in my application I would like to redirect the user to an error page and log it to Sentry, given that I know that a user with an `#access_token` param expects to have a session associated with it.

Here is where the error gets caught and where the "log-and-go" happens.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

Minimal reproducible example lives here

  1. run the supabase stack locally with `supabase start`
  2. serve the POC file and open it in the browser
  3. visit the link including `#access_token=test` in the url, e.g. http://localhost:3000/#access_token=test
  4. check the browser logs for the error `Error getting session from URL. Error: No expires_in detected.`; it is logged, but it won't bubble up

Expected behavior

I would like to be able to handle that error by taking action upon it, so I would expect it to get bubbled up.

naripok, Jun 07 '22 16:06

@supabase/auth-team Assigning it to the PIC of the Auth team to take care of this.

monicakh, Jul 13 '22 14:07

@naripok there is a workaround for v1 for handling this error (for v2 see next comment):

import { createClient } from '@supabase/supabase-js'; // v1

async function createSupabaseClient() {
  const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
    // disable the call to getSessionFromUrl in the constructor,
    // which is where the error would otherwise only be logged
    detectSessionInUrl: false,
  });

  // call getSessionFromUrl yourself; in v1 it resolves to { data, error }
  const { data: session, error } = await supabase.auth.getSessionFromUrl({ storeSession: true });
  if (error) {
    // the error now surfaces here (e.g. "No expires_in detected." or the
    // error_description of an expired magic link) instead of being swallowed;
    // decide here whether to redirect, report to Sentry, etc.
  }

  return { supabase, session, error };
}

Doing it this way has the benefit that you can handle other errors as well. Most notably, if there is an `error_description` present in the url, which happens for example when a magic link has expired.

See here for other errors that might occur: https://github.com/supabase/gotrue-js/blob/master/src/GoTrueClient.ts#L434

@monicakh probably makes sense to move this issue to gotrue-js?

pixtron, Jul 30 '22 13:07

@naripok with the supabase v2 release candidate (rc branch) you can catch that error and handle it. I amended your POC. Does that fix your issue?

<html>
  <head>
    <meta charset="utf-8">
    <title>Supabase token bug POC</title>
    <script src="https://cdn.jsdelivr.net/npm/@supabase/supabase-js@rc"></script>
    <script>
      (async () => {
        const { createClient } = supabase
        // local supabase stack; the key is the public demo anon key of `supabase start`
        const client = createClient(
          'http://localhost:54321',
          'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24ifQ.625_WdcF3KHqz5amU0x2X5WWHP-OEs_4qj0ssLNHzTs'
        );

        // in v2 the URL-session detection can be awaited, and its error is returned
        const { error } = await client.auth.initialize();

        if (error) {
          console.error('Got error', error);
        } else {
          const { data: { user }, error: userError } = await client.auth.getUser();
          console.log(user, userError);
        }
      })();
    </script>
  </head>
</html>

pixtron, Sep 28 '22 22:09
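Both workarounds above (v1 `getSessionFromUrl`, v2 `initialize()`) still leave it to the app to decide what an invalid fragment means before it redirects or reports. The following is an added example, not code from the thread or from gotrue-js/supabase-js: it classifies `location.hash` using the `access_token`, `expires_in` and `error_description` fields the thread mentions, so the `#access_token=test` case from the bug report and the expired-magic-link case are distinguished from a plain page load. The positive-integer check on `expires_in`, the redaction of token values before anything is reported, the `report`/`redirect` callbacks and the sample hashes are my additions and hypothetical. It runs in a browser or in Node, since both provide `URLSearchParams`.

```javascript
// Added example (not part of gotrue-js/supabase-js): classify the URL fragment
// before relying on the auth client, so the app can act on a bad callback.

// Constructed sample inputs for the cases discussed in the thread.
const SAMPLE_HASHES = {
  bugReport: '#access_token=test',                                    // no expires_in
  expiredLink: '#error_description=Email+link+is+invalid+or+has+expired',
  noAuth: '#section-2',                                               // ordinary anchor
  wellFormed: '#access_token=abc.def.ghi&expires_in=3600&refresh_token=r1&token_type=bearer',
};

// Copy the parameters for reporting, masking anything that ends in "token"
// (access_token, refresh_token, provider_token) so secrets never reach Sentry or logs.
function redactTokens(params) {
  const out = {};
  for (const [key, value] of params.entries()) {
    out[key] = /token$/.test(key) ? '<redacted>' : value;
  }
  return out;
}

// Classify a location.hash string. Returns one of:
//   { kind: 'none' }                      no auth parameters in the fragment
//   { kind: 'error', description }        GoTrue/provider reported an error (expired link, ...)
//   { kind: 'invalid', reason, params }   looks like a token callback but is malformed
//   { kind: 'session', params }           has what a session needs; let the client consume it
function inspectAuthHash(hash) {
  const fragment = hash.startsWith('#') ? hash.slice(1) : hash;
  const params = new URLSearchParams(fragment);

  const description = params.get('error_description');
  if (description) {
    return { kind: 'error', description };
  }

  const accessToken = params.get('access_token');
  if (accessToken === null) {
    return { kind: 'none' };
  }

  const redacted = redactTokens(params);
  if (accessToken === '') {
    return { kind: 'invalid', reason: 'empty access_token', params: redacted };
  }

  const expiresIn = params.get('expires_in');
  if (expiresIn === null) {
    // the case from the bug report: "#access_token=test" with no expires_in
    return { kind: 'invalid', reason: 'No expires_in detected.', params: redacted };
  }
  // Added, stricter check: expires_in must be a positive integer (seconds).
  if (!/^\d+$/.test(expiresIn) || Number(expiresIn) <= 0) {
    return { kind: 'invalid', reason: 'expires_in is not a positive integer', params: redacted };
  }

  return { kind: 'session', params: redacted };
}

// Glue for the POC page: `report` and `redirect` are the app's own handlers
// (e.g. Sentry.captureMessage and a location.assign to an error page).
function handleCallbackHash(hash, { report, redirect }) {
  const result = inspectAuthHash(hash);
  if (result.kind === 'error' || result.kind === 'invalid') {
    report(result);          // receives only redacted parameters
    redirect('/auth-error');
  }
  return result;
}
```

In a page, call `handleCallbackHash(window.location.hash, ...)` before (or alongside) `client.auth.initialize()`; a `session` result means the client should be allowed to consume the fragment, while `error` and `invalid` give you a reason to show the user without waiting for a log line you cannot catch.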

Hey @pixtron!

Thanks for the replies and sorry for the delay.

Yea, it looks like it would solve the issue. The workaround looks good too. I'll try and test it when I get the chance and let you know of any problems.

Again, thank you very much! =D

naripok, Oct 06 '22 16:10

@naripok the workaround will only work in v1; it won't work anymore in v2.

pixtron, Oct 06 '22 20:10

@pixtron It will work, the method is still there. https://supabase.github.io/gotrue-js/v2/classes/GoTrueClient.html#initialize

hf, Dec 30 '22 18:12