
Session deleted from auth local storage while refreshing token due to "refresh token already used" when sharing auth local storage with multiple processes

Open paulofaria opened this issue 9 months ago • 1 comments

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When multiple processes share the same auth local storage (keychain in an app group, for example) and they try to refresh the token at the same time, one of them succeeds, and the others fail since the refresh token was already used, then the SDK deletes the token from the keychain.

It is similar to what was reported here: https://github.com/supabase/supabase-swift/issues/486

To Reproduce

This issue happens with any configuration when there are multiple processes involved sharing the same auth local storage and they try to refresh the token at the same time. This is hard to reproduce, but eventually the configuration below will reproduce the issue.

  • Create a custom auth local storage with a keychain in an app group.
  • Run different processes using the shared keychain. For example, a single app and an app extension, or two apps: any combination of different processes using the same keychain. In my case it was an app, a widget and app intents.

Expected behavior

It is expected that the SDK doesn't delete valid tokens from the keychain.

Proposed Fix

My fix proposal is to introduce a check before deleting tokens. If the error thrown in the api.execute call of LiveSessionManager.refreshsession(_ refreshToken:) is AuthError.api with errorCode "refresh_token_already_used", then extract the current session from storage and, if the session is not expired, do nothing.

https://github.com/supabase/supabase-swift/blob/5c06db6d03c791fa4a99576127bf60d79a058a62/Sources/Auth/Internal/SessionManager.swift#L100-L116

Another approach is to not even check if the error is "refresh_token_already_used", maybe just never delete valid tokens in:

https://github.com/supabase/supabase-swift/blob/5c06db6d03c791fa4a99576127bf60d79a058a62/Sources/Auth/Internal/SessionManager.swift#L130

Screenshots

Not applicable.

System information

  • This issue happens with any system that uses a shared auth local storage

Additional context

No additional context.

paulofaria, Apr 09 '25 13:04
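To make the race described in this report concrete, here is an added example (not supabase-swift code): a constructed single-use refresh endpoint, a shared storage slot standing in for the app-group keychain, and a refresh routine that either clears storage on any failure (the reported behaviour) or applies the proposed check. All type and function names (StoredSession, SharedStorage, FakeAuthAPI, refreshSession, simulateRace) are assumptions made for the example.

```swift
import Foundation
// Constructed stand-ins for this example; none of these types are supabase-swift's.
struct StoredSession {
    let accessToken: String, refreshToken: String, expiresAt: Date
    var isExpired: Bool { expiresAt <= Date() }
}
enum RefreshError: Error { case api(errorCode: String) }  // stands in for AuthError.api
final class SharedStorage { var session: StoredSession? } // the app-group keychain slot

// Auth server stand-in: each refresh token is accepted exactly once.
final class FakeAuthAPI {
    private var used: Set<String> = []
    func refresh(_ token: String) throws -> StoredSession {
        guard used.insert(token).inserted else {
            throw RefreshError.api(errorCode: "refresh_token_already_used")
        }
        return StoredSession(accessToken: UUID().uuidString, refreshToken: UUID().uuidString,
                             expiresAt: Date().addingTimeInterval(3600))
    }
}

/// One process's refresh attempt. `keepValidSession == false` reproduces the reported
/// behaviour (any failure clears storage); `true` applies the proposed check.
func refreshSession(in storage: SharedStorage, api: FakeAuthAPI,
                    refreshToken: String, keepValidSession: Bool) {
    do {
        storage.session = try api.refresh(refreshToken)
    } catch RefreshError.api(let code) where keepValidSession && code == "refresh_token_already_used" {
        // Another process already rotated the token and stored the new session:
        // re-read storage and clear it only if what is there is actually expired.
        if let current = storage.session, !current.isExpired { return }
        storage.session = nil
    } catch {
        storage.session = nil
    }
}

/// App and widget both read refresh token "r0", then both try to use it.
/// Returns true if a session is still in storage afterwards.
func simulateRace(keepValidSession: Bool) -> Bool {
    let storage = SharedStorage(), api = FakeAuthAPI()
    storage.session = StoredSession(accessToken: "a0", refreshToken: "r0", expiresAt: Date())
    refreshSession(in: storage, api: api, refreshToken: "r0", keepValidSession: keepValidSession) // app wins
    refreshSession(in: storage, api: api, refreshToken: "r0", keepValidSession: keepValidSession) // widget gets "already used"
    return storage.session != nil
}

print("as reported:", simulateRace(keepValidSession: false) ? "session kept" : "logged out")
print("with fix:   ", simulateRace(keepValidSession: true) ? "session kept" : "logged out")
```

The second caller in each run is the process that lost the race; only with the check does the session the winner just wrote survive in shared storage.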

Chiming in about the business impact -- this was a particularly nasty bug for us. As soon as we added a widget to our app, users constantly complained about getting randomly logged out, and it took us a long time to track this down. More than a few users ragequit over this.

pawarren, Apr 10 '25 04:04

Hi, thanks for reporting this. I'll be taking a deeper look at this issue and getting back to you with a solution.

Thanks.

grdsdev, Apr 22 '25 09:04