auth-token cookie exceeds 4096 bytes and is rejected by Chrome
Bug report
- [X] I confirm this is a bug with Supabase, not with my own application.
- [X] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
Using the PKCE flow, under certain conditions the auth-token (JWT) returned by Azure causes the total cookie size to exceed the 4096-byte limit, so it is rejected by the browser. This causes the session not to be set and the user is signed out.
For me, this only happens in production when adding extra scopes. On localhost, because the cookie name sb-localhost-auth-token has fewer characters, the cookie just fits (4094 bytes).
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
(I realize these steps involve a closed-source deployment. I can develop a minimal, open-source reproduction in the future if needed.)
- Go to divvy.day and sign in. Only common, non-sensitive scopes are requested and the PKCE works well.
- Authorize calendar read access, which adds two scopes.
- This time, using the same PKCE flow (which works in development) the cookie is too large which results in the user being signed out.
Expected behavior
The auth-token cookie must be kept within the limit so it is set.
Screenshots
(Yes, I understand the risk of sharing auth tokens. This is only a fraction of the token.)
System information
- OS: macOS
- Browser: Chrome
- Version of supabase-js: 2.26.0
- Version of @supabase/auth-helpers-remix: 0.2.1
- Running on Cloudflare Pages
Hey @KrisBraun, did you ever find a solution to this? I'm getting something similar, but it only occurs when trying to sign into a single account. All other accounts work.
Yes, I found that using a two-character cookie name just barely allows the value to fit. So:

```js
// the same option works with createClient, createServerClient and createBrowserClient
createBrowserClient(
  ...
  {
    cookieOptions: { name: "au" },
    ...
  }
)
```
I am using Supabase for authentication with Next.js and writing my backend API in Express. Cookies are being set on the HTTP server (my localhost), but in production (HTTPS) the cookies are not passed with the request headers. How can I change the configuration of the cookie set by Supabase? I have checked in my Application tab, and the Secure attribute is false. Maybe if I change this to true things will work. Correct me if I am wrong.
But the main question is how to change the configuration, so that I can access the token set in the cookies in Express to verify it in a middleware?