[BUG]: trying to `signOut` of an invalid session should still clear local storage
Bug report
- [x] I confirm this is a bug with Supabase, not with my own application.
- [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
Trying to sign out of an invalid/non-existent session throws an `[AuthSessionMissingError: Auth session missing!]` error and doesn't clear the invalid session from local storage, causing the client to hang.
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
- Log in to the same account from two devices.
- Sign out from one device with global scope (removes all sessions).
- Try to sign out from the second device.
- See error.
Expected behavior
The error is correct as the session doesn't exist anymore, but it should clear the invalid session from local storage instead of returning early with an error.
System information
- OS: Windows
- Client: Expo apps
- Version of supabase-js: 2.5.0
- Version of Node.js: 22.13.1
I’d like to share my view on this bug.
The issue reported is happening inside the `signOut` method, specifically in the `admin.signOut` block.
Currently, the code looks like this:

```ts
const { error } = await this.admin.signOut(accessToken, scope)
if (error) {
  // ignore AuthApiError with status 404, 401, 403
  if (!(isAuthApiError(error) && [404, 401, 403].includes(error.status))) {
    return { error }
  }
}
```

Here, only `AuthApiError` errors with status 404, 401, or 403 are ignored.
But AuthSessionMissingError is not handled, so when you try to sign out with an already invalid or non-existent session, this error is thrown and the invalid session is left in local storage. This is exactly the bug described in the report.
I reproduced this locally with a dedicated test and confirmed that the session remains in storage if AuthSessionMissingError is thrown.
When I added a condition to also ignore AuthSessionMissingError in this block, the test passed and the invalid session was removed as expected.
For example:

```ts
if (
  !(
    (isAuthApiError(error) && [404, 401, 403].includes(error.status)) ||
    isAuthSessionMissingError(error)
  )
) {
  return { error }
}
```

This solves the specific problem in the issue.
However, I also noticed that at the top of `_signOut` we have:

```ts
const { data, error: sessionError } = result
if (sessionError) {
  return { error: sessionError }
}
```

So if `_useSession` returns an `AuthSessionMissingError` at this point (e.g. through `_callRefreshToken`), it’s not ignored but returned immediately.
That makes me wonder if the author intentionally designed this method to fail fast when no session exists at all.
That said, I do think the reporter’s point is valid: the goal of signOut is to ensure there is no valid session, so maybe AuthSessionMissingError should always be ignored and the local storage cleared anyway.
If that makes sense, I’d be happy to open a PR that safely handles AuthSessionMissingError in _signOut.
Would love to hear thoughts on whether this is the right approach or if there’s a design reason for the current behavior.
Thanks!
Seeing the same issue, getting AuthSessionMissingError: Auth session missing! when calling supabase.auth.signOut() in react-native Expo.
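
The behaviour discussed in this thread, as an added example that is not part of the issue and is not supabase-js code: a simplified synchronous model of the sign-out flow showing the stale token surviving in storage before the proposed change and being cleared after it, while other server failures are still reported. All names (`revokeOnServer`, `signOutBefore`, `signOutAfter`, `runScenario`, `STORAGE_KEY`) and the sample token are hypothetical.

```javascript
// Added example: simplified synchronous model, not supabase-js code. All names are hypothetical.
class AuthSessionMissingError extends Error {
  constructor() { super('Auth session missing!'); this.name = 'AuthSessionMissingError'; }
}
class AuthApiError extends Error {
  constructor(status) { super('API error ' + status); this.name = 'AuthApiError'; this.status = status; }
}

const STORAGE_KEY = 'auth-token'; // constructed storage key

// Server stub: revokes a token, or reports that the session no longer exists.
function revokeOnServer(liveTokens, token, fault) {
  if (fault) return { error: fault };                 // e.g. a 500 from the auth server
  if (!liveTokens.has(token)) return { error: new AuthSessionMissingError() };
  liveTokens.delete(token);
  return { error: null };
}

const isGoneStatus = (e) => e instanceof AuthApiError && [401, 403, 404].includes(e.status);

// "Before": only 401/403/404 are ignored, so a missing session returns early.
function signOutBefore(storage, liveTokens, fault) {
  const { error } = revokeOnServer(liveTokens, storage.get(STORAGE_KEY), fault);
  if (error && !isGoneStatus(error)) return { error }; // stale token stays in storage
  storage.delete(STORAGE_KEY);
  return { error: null };
}

// "After": a missing session also counts as "already signed out", so storage is cleared.
function signOutAfter(storage, liveTokens, fault) {
  const { error } = revokeOnServer(liveTokens, storage.get(STORAGE_KEY), fault);
  const gone = error instanceof AuthSessionMissingError || isGoneStatus(error);
  if (error && !gone) return { error };                // other failures are still reported
  storage.delete(STORAGE_KEY);
  return { error: null };
}

// Scenario from the report: another device already signed out with global scope.
function runScenario(signOut, fault) {
  const liveTokens = new Set();                        // server holds no sessions
  const deviceB = new Map([[STORAGE_KEY, 'token-b']]); // constructed stale session
  const { error } = signOut(deviceB, liveTokens, fault);
  return { error: error ? error.name : null, tokenLeft: deviceB.has(STORAGE_KEY) };
}

console.log(runScenario(signOutBefore)); // stale token remains
console.log(runScenario(signOutAfter));  // storage cleared
```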