
[Bug]: Inconsistent NextAuth cookie state

Open · Alarson93 opened this issue 4 months ago · 1 comment

Capacitor Version

💊   Capacitor Doctor  💊 

Latest Dependencies:

  @capacitor/cli: 5.7.0
  @capacitor/core: 5.7.0
  @capacitor/android: 5.7.0
  @capacitor/ios: 5.7.0

Installed Dependencies:

  @capacitor/cli: 5.7.0
  @capacitor/core: 5.7.0
  @capacitor/android: 5.7.0
  @capacitor/ios: 5.7.0

[success] iOS looking great! 👌
[error] index.html file is missing in /Users/myuser/repos/capacitor-poc/android/app/src/main/assets/public

Other API Details

npm version: 9.8.0
node version: 20.5.1
pod version: 1.12.1
next version: 13.3.4
next-auth version: 4.23.2
iOS version: 17.2.1

Platforms Affected

  • [X] iOS
  • [ ] Android
  • [ ] Web

Current Behavior

We have a NextJS project that is authenticating with Keycloak via the NextAuth library. Web browsers and the Android Capacitor app work without issue, but we are experiencing "sticky" auth state in our iOS Capacitor app.

Here are a few examples (but there are many other permutations):

  1. Sign in -> close and reopen the app -> now in a signed out state
  2. Sign in -> refresh the app's web view using Safari Dev tools -> now in a signed out state
  3. Sign in -> close and reopen the app -> still signed in -> sign out -> briefly in a signed out state, but the page reloads and we are signed in again (at least until our auth token expires)
  4. Sign in -> see the landing page in a signed in state -> sign out -> briefly in a signed out state, but the page reloads and we are signed in again (at least until our auth token expires)

However, sometimes sign in / sign out works without issue. That is to say, the issue is sporadic, but:

  1. It seems to occur more on WiFi than wired connections.
  2. It happens on simulators and physical devices.
  3. It happens on local builds and TestFlight builds.

Turning off the iOS cookies plugin makes the issue go away. I created a WKHTTPCookieStore watcher that logs changes of our auth cookie. With the plugin disabled, I can see the cookie get created at sign in and removed at sign out. With the plugin enabled, I can see the cookie get created at sign in, removed at sign out, but re-added shortly after removal.

It seems that syncCookiesToWebView in CapacitorCookieManager is causing the cookie to be re-added. For example - HTTPCookieStorage may still have the auth cookie after logout, so triggering this function causes it to be added to WKHTTPCookieStore (which had already correctly removed it).

Expected Behavior

I expect the Capacitor app to respect the cookie state as set (or cleared) by the NextAuth library. Signing in should result in a consistent signed in state, both within the same app session and between sessions. Signing out should result in a consistent signed out state, both within the same app session and between sessions.

Project Reproduction

N/A

Additional Information

  • I'm not sure that I can quickly throw together an example project because this involves authentication services.
  • The NextAuth library is managing the cookie for us (i.e. we are not adding and removing it with CapacitorCookies.setCookie or CapacitorCookies.deleteCookie).
  • When the cookies plugin is enabled, I do not see the auth cookie go through CapacitorCookieManager.setCookie. We have another cookie for managing our hamburger menu and, when its state changes, I do see it go through CapacitorCookieManager.setCookie. So... I'm not sure why some cookies go through setCookie but others don't.

Alarson93 · Feb 15 '24 17:02
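The following is an added diagnostic example, not code from the reporter or from the Capacitor project: a Swift WKHTTPCookieStoreObserver in the spirit of the watcher the report describes, which also checks on every change whether the shared HTTPCookieStorage still holds the cookie after the web view has dropped it (the state in which a sync from HTTPCookieStorage into the web view would re-add it). The cookie name is an assumed placeholder for the app's own NextAuth session cookie.

```swift
import Foundation
import WebKit

/// Watches one named cookie in the web view's WKHTTPCookieStore and logs
/// add/remove transitions. After each change it also reports whether the
/// process-wide HTTPCookieStorage still holds a copy, since a later copy of
/// that storage into the web view would resurrect a session the web app
/// already ended.
final class AuthCookieWatcher: NSObject, WKHTTPCookieStoreObserver {
    private let cookieName: String           // placeholder: e.g. "next-auth.session-token"
    private let store: WKHTTPCookieStore
    private var lastSeenInWebView = false    // starts false; first callback logs initial presence

    init(webView: WKWebView, cookieName: String) {
        self.cookieName = cookieName
        self.store = webView.configuration.websiteDataStore.httpCookieStore
        super.init()
        store.add(self)
    }

    deinit { store.remove(self) }

    func cookiesDidChange(in cookieStore: WKHTTPCookieStore) {
        cookieStore.getAllCookies { [weak self] webViewCookies in
            guard let self = self else { return }
            let inWebView = webViewCookies.contains { $0.name == self.cookieName }
            let inShared = (HTTPCookieStorage.shared.cookies ?? [])
                .contains { $0.name == self.cookieName }

            switch (self.lastSeenInWebView, inWebView) {
            case (false, true):
                NSLog("[cookie-watch] %@ added to WKHTTPCookieStore", self.cookieName)
            case (true, false):
                NSLog("[cookie-watch] %@ removed from WKHTTPCookieStore", self.cookieName)
            default:
                break
            }
            // The divergence described in the report: the web view no longer
            // has the cookie, but HTTPCookieStorage does, so any sync from the
            // native store into the web view would re-add it.
            if !inWebView && inShared {
                NSLog("[cookie-watch] %@ still in HTTPCookieStorage; a native-to-webview sync would re-add it",
                      self.cookieName)
            }
            self.lastSeenInWebView = inWebView
        }
    }
}
```

Keep a strong reference to the watcher for the lifetime of the web view (for example as a property on the view controller); WKHTTPCookieStore does not retain its observers.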