
auth-token cookie exceeds 4096 bytes and is rejected by Chrome

Open KrisBraun opened this issue 1 year ago • 3 comments

Bug report

  • [X] I confirm this is a bug with Supabase, not with my own application.
  • [X] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Using the PKCE flow, under certain conditions the auth-token (JWT) returned by Azure causes the total cookie size to exceed the 4096-byte limit, so it is rejected by the browser. This causes the session not to be set and the user is signed out.

For me, this only happens in production when adding extra scopes. On localhost, because the cookie name sb-localhost-auth-token has fewer characters, the cookie just fits (4094 bytes).

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

(I realize these steps involve a closed-source deployment. I can develop a minimal, open-source reproduction in the future if needed.)

  1. Go to divvy.day and sign in. Only common, non-sensitive scopes are requested and the PKCE works well.
  2. Authorize calendar read access, which adds two scopes.
  3. This time, using the same PKCE flow (which works in development), the cookie is too large, which results in the user being signed out.

Expected behavior

The auth-token cookie must be kept within the limit so it is set.

Screenshots

[Screenshot 2023-06-28 at 11:40:40 AM]

(Yes, I understand the risk of sharing auth tokens. This is only a fraction of the token.)

[Screenshot 2023-06-28 at 11:41:27 AM]

System information

  • OS: macOS
  • Browser: Chrome
  • Version of supabase-js: 2.26.0
  • Version of @supabase/auth-helpers-remix: 0.2.1
  • Running on Cloudflare Pages

KrisBraun · Jun 28 '23 15:06
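The size arithmetic in this report (a longer cookie name on a production domain pushing the same session value over the per-cookie limit) and the usual mitigation, splitting one oversized cookie into numbered chunks that a server-side reader reassembles, as an added example. This is not code from the issue, from supabase-js or from the auth-helpers packages; the `.0`, `.1` chunk naming, the 4096-byte limit counted over `name=value`, the placeholder project name in the demo and the all-`x` session value are assumptions constructed for illustration.

```javascript
// Added example (not from the Supabase issue or the auth-helpers library).
// Measures a cookie as the report reasons about it (bytes of name=value) and
// splits an oversized value into numbered chunk cookies so that each one stays
// within the browser's per-cookie limit. The limit, the chunk naming and the
// sample values below are assumptions for illustration.

const MAX_COOKIE_BYTES = 4096; // assumed per-cookie limit

// Bytes the browser sees for one cookie's name=value pair.
// Assumption: attributes (Path, HttpOnly, ...) are not counted.
function cookieSize(name, value) {
  return new TextEncoder().encode(`${name}=${value}`).length;
}

// Split a value into chunk cookies named `${name}.0`, `${name}.1`, ...
// Returns an array of [name, value] pairs; a value that already fits is
// returned unchanged as a single pair. Assumes the value is ASCII (e.g. a
// base64url-encoded session), so character count equals byte count.
function chunkCookie(name, value, limit = MAX_COOKIE_BYTES) {
  if (cookieSize(name, value) <= limit) return [[name, value]];
  const chunks = [];
  let rest = value;
  for (let i = 0; rest.length > 0; i++) {
    const chunkName = `${name}.${i}`;
    const room = limit - chunkName.length - 1; // 1 byte for "="
    if (room <= 0) throw new Error('cookie name too long to carry any value');
    chunks.push([chunkName, rest.slice(0, room)]);
    rest = rest.slice(room);
  }
  return chunks;
}

// Reassemble on the server: prefer the unchunked cookie, otherwise concatenate
// .0, .1, ... in order. `jar` is a plain object of cookie name -> value as
// parsed from a Cookie header. Returns null when nothing is present.
function joinCookieChunks(name, jar) {
  const has = (k) => Object.prototype.hasOwnProperty.call(jar, k);
  if (has(name)) return jar[name];
  const parts = [];
  for (let i = 0; has(`${name}.${i}`); i++) parts.push(jar[`${name}.${i}`]);
  return parts.length > 0 ? parts.join('') : null;
}

// Constructed demo input: a fake 4100-character ASCII "session" value, sized
// like the oversized token in the report. Not a real token.
const fakeSession = 'x'.repeat(4100);

// Shows how the same value fares under two cookie names: the localhost name
// from the report and a placeholder production-style name (assumed, not real).
function demo() {
  const results = {};
  for (const host of ['localhost', 'example-project-ref']) {
    const name = `sb-${host}-auth-token`;
    const chunks = chunkCookie(name, fakeSession);
    results[name] = {
      bytes: cookieSize(name, fakeSession),
      fits: cookieSize(name, fakeSession) <= MAX_COOKIE_BYTES,
      chunkCount: chunks.length,
      largestChunk: Math.max(...chunks.map(([n, v]) => cookieSize(n, v))),
      roundTrips: joinCookieChunks(name, Object.fromEntries(chunks)) === fakeSession,
    };
  }
  return results;
}

console.log(demo());
```

Any chunking scheme only works if every reader of the cookie (server-side helpers, edge middleware, the browser client) agrees on the naming, so the writer and reader above are meant to be deployed together; a partial rollout leaves one side seeing no session at all, which looks exactly like the sign-out described in the report.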