
Supabase auth cookie expiry date is not set according to the JWT expiry time

Status: Open. Ngineer101 opened this issue 2 years ago • 3 comments

Bug report

Describe the bug

The Supabase auth cookie (sb-access-token/sb-refresh-token) expiration dates are not set according to the JWT expiry time configured in my Supabase dashboard.

I have a basic Next.js app that uses Supabase for authentication. In my Supabase dashboard I configured my JWT expiration time to be 1 week (604 800 seconds). I also have an API route that creates/deletes the auth cookies when the authentication state changes (shown below).

[Screenshot: api-route]

When I sign into the app, the expiry dates of the created cookies are never more than 6 hours. The session data stored in LocalStorage has the expected expiry date (1 week).

[Screenshot: cookie data]

[Screenshot: session data]

This difference in expiry dates between the cookies and the session data sometimes leads to unexpected behavior in the application. I use supabase.auth.session() to check the auth state in the front-end, but for API requests I use supabase.auth.api.getUserByCookie(req). It often happens that the session is still valid but the cookie is expired, and that results in unexpected 401 responses.

To Reproduce

This repository can be used for reproduction of the issue: https://github.com/Ngineer101/nextjs-supabase-crud

  1. Add your Supabase keys to the .env.local file
  2. Run the application
  3. Navigate to the "signin" page and sign in
  4. The Supabase auth cookies will be created with an expiry date no more than 6 hours from the initial sign in
  5. The session will have an expiry date equal to the JWT expiry time set in the Supabase dashboard

Expected behavior

The cookie expiration date should be equal to the session expiration date.

Screenshots

See screenshots above

System information

  • OS: MacOS
  • Browser: Chrome, Safari, Firefox
  • Version of supabase-js: 1.30.3
  • Version of Node.js: 14.17.2

Ngineer101, Feb 17 '22 15:02

I've also been having this issue for a while now. Users must log in every few hours. Ideally, the token should expire after a week (or even longer if desired). Once a user logs in, the session should extend for another week.

This is a high priority issue for my current project and creates a lot of friction for UX.

edgarasben, Feb 17 '22 16:04

You could try initializing your own GoTrue client to change the expiration of the cookies as explained here. You can check out the possible options for the cookies here.

import { GoTrueClient } from "@supabase/gotrue-js"

// A standalone GoTrue client whose only job is to write/clear the auth cookies.
// The cookie lifetime is set explicitly (here one week, matching the JWT
// expiry configured in the dashboard) instead of the library default.
const customAuthClient = new GoTrueClient({
  url: `${process.env.NEXT_PUBLIC_SUPABASE_URL}/auth/v1`,
  headers: {
    Authorization: `Bearer ${process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY}`,
    apikey: `${process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY}`,
  },
  cookieOptions: {
    lifetime: 604800, // seconds; 7 days
    domain: "",       // empty = current host only
    path: "/",
  },
})

// Next.js API route (e.g. pages/api/auth.js). The client posts
// { event, session } here from onAuthStateChange; setAuthCookie reads the
// body, sets the cookies on SIGNED_IN and clears them on SIGNED_OUT.
export default function handler(req, res) {
  if (req.method !== "POST") {
    res.setHeader("Allow", "POST")
    return res.status(405).end("Method Not Allowed")
  }
  customAuthClient.api.setAuthCookie(req, res)
}

santerisarle, Apr 22 '22 12:04
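As an added example (not code from the issue, from supabase-js or from gotrue-js), here is the check and the fix the thread circles around: derive the cookie's Max-Age from the token's own `exp` claim instead of a fixed lifetime such as the `lifetime: 604800` in the workaround above, and detect the cookie-expires-before-session mismatch from the original report. The function names, the sample token, the timestamp and the 6-hour cookie are all constructed for this example; the token is unsigned, so `jwtExpiry` is only for choosing a cookie lifetime, never for authorization.

```javascript
// Added example (not from the issue, supabase-js or gotrue-js). Node.js, no deps.

function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

function base64urlDecode(str) {
  const pad = str.length % 4 === 0 ? "" : "=".repeat(4 - (str.length % 4));
  return Buffer.from(str.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64").toString("utf8");
}

// Read `exp` from a JWT WITHOUT verifying it. Fine for picking a cookie
// Max-Age; any authorization decision must still verify the signature.
function jwtExpiry(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS token");
  const payload = JSON.parse(base64urlDecode(parts[1]));
  if (!Number.isInteger(payload.exp)) throw new Error("JWT has no integer exp claim");
  return payload.exp;
}

// Build a Set-Cookie value whose Max-Age equals the token's remaining lifetime,
// so the cookie and the session (whose expiry is the same `exp`) expire together.
function accessTokenCookie(token, nowSeconds, opts = {}) {
  const maxAge = Math.max(0, jwtExpiry(token) - nowSeconds);
  const attrs = [
    `sb-access-token=${token}`,
    `Max-Age=${maxAge}`,
    `Path=${opts.path || "/"}`,
    "HttpOnly",
    `SameSite=${opts.sameSite || "Lax"}`,
  ];
  if (opts.domain) attrs.push(`Domain=${opts.domain}`);
  if (opts.secure !== false) attrs.push("Secure");
  return attrs.join("; ");
}

// Parse Max-Age back out of a Set-Cookie header value (null if absent).
function cookieMaxAge(setCookie) {
  const m = /;\s*Max-Age=(\d+)/i.exec(setCookie);
  return m ? Number(m[1]) : null;
}

// The condition behind the reported 401s: the cookie dies before the session does.
function cookieExpiresBeforeSession(setCookie, sessionExpiresAt, nowSeconds) {
  const maxAge = cookieMaxAge(setCookie);
  if (maxAge === null) return true; // session cookie: gone when the browser closes
  return nowSeconds + maxAge < sessionExpiresAt;
}

// Constructed sample: unsigned token with a one-week exp (604800 s) issued at NOW.
const NOW = 1645110000; // constructed timestamp (2022-02-17)
const SESSION_EXPIRES_AT = NOW + 604800;
const SAMPLE_TOKEN = [
  base64urlEncode({ alg: "HS256", typ: "JWT" }),
  base64urlEncode({ sub: "user-123", iat: NOW, exp: SESSION_EXPIRES_AT }),
  "signature-omitted", // constructed placeholder, not a real signature
].join(".");

// A cookie with a fixed 6-hour Max-Age, as in the report, versus one derived from exp.
const FIXED_COOKIE = `sb-access-token=${SAMPLE_TOKEN}; Max-Age=21600; Path=/; HttpOnly; SameSite=Lax; Secure`;
const DERIVED_COOKIE = accessTokenCookie(SAMPLE_TOKEN, NOW);

console.log("fixed 6h cookie expires before session:",
  cookieExpiresBeforeSession(FIXED_COOKIE, SESSION_EXPIRES_AT, NOW));
console.log("exp-derived cookie expires before session:",
  cookieExpiresBeforeSession(DERIVED_COOKIE, SESSION_EXPIRES_AT, NOW));
```

Whatever lifetime the cookie ends up with, the server-side handler still has to verify the token it reads from the cookie; a long Max-Age only keeps the browser sending it, it does not extend the token's validity. The refresh-token cookie, if you set one, is the credential that actually outlives the access token, so keep it HttpOnly, Secure and scoped with Path/SameSite as above.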

@santerisarle, thanks for proposing this workaround :)

It will solve the issue in the short term.

Ngineer101, Apr 26 '22 18:04

We no longer recommend relying on the sb-access-token and sb-refresh-token cookies which are only sent for backward compatibility reasons.

hf, Dec 30 '22 17:12