
[Bug]: Session.refreshToken returns truncated 12-character string instead of full JWT

Open randalllex-collab opened this issue 2 months ago • 2 comments

Version

2.36.0 (supabase-swift)

Platform

iOS

Swift Version

Swift: 5.9

What happened?

Bug Report:

Environment

  • SDK Version: 2.36.0 (supabase-swift)
  • Platform: iOS 17.0+
  • Xcode: 15.x
  • Swift: 5.9

Description

The Session.refreshToken property consistently returns a 12-character string instead of the expected ~300+ character JWT refresh token. This makes it impossible to implement persistent authentication features like Face ID/Touch ID sign-in, as the truncated token cannot be used to restore sessions.

Expected Behavior

After successful sign-in via supabaseClient.auth.signIn(email:password:), the returned session should contain a full JWT refresh token (typically 300+ characters) that can be used to restore the session later via supabaseClient.auth.refreshSession(refreshToken:).

Actual Behavior

The session.refreshToken property contains only 12 characters (e.g., hydeicecivzz, fm5lfos4zojb, it72eq5z2owa), which is clearly not a valid JWT token.

Steps to Reproduce

Reproduction Steps

  1. Sign in the user with email/password:

     let session = try await supabaseClient.auth.signIn(email: email, password: password)

  2. Check the refresh token immediately:

     print("Refresh token length: \(session.refreshToken.count)")
     print("Refresh token: \(session.refreshToken)")

  3. Observe that the token is only 12 characters long

Diagnostic Logs

🔍 [AuthManager] IMMEDIATE session after sign-in:

  • refreshToken length: 12
  • refreshToken preview: hydeicecivzz...
  • accessToken length: 865 chars (correct)
  • User ID: 328F2A63-8C8D-44DD-869D-FE67B4656F10

The access token has the correct length (865 characters), but the refresh token is truncated to 12 characters.

Impact

This bug makes it impossible to:

  • Implement biometric authentication (Face ID/Touch ID) with persistent sessions
  • Store and restore user sessions across app launches
  • Use any feature that requires the refresh token

Additional Context

  • The Supabase project JWT settings are standard (1-hour access token expiry)
  • This occurs on fresh sign-ins, not just restored sessions
  • The issue is reproducible 100% of the time
  • Deleting the app and reinstalling does not fix the issue
  • The session object itself appears valid otherwise (user data, access token, expiry times all correct)

Workaround

None available. The feature requiring refresh tokens must be disabled until this is fixed.

Code Sample


Relevant log output


randalllex-collab · Nov 04 '25 02:11

Hi @randalllex-collab,

The refresh token isn't truncated. 12 characters is the correct length of the refresh token. Did you try to use it to restore a session? If so, which error did it return?

Thanks.

grdsdev · Nov 04 '25 08:11

You're absolutely right - I apologize for the incorrect bug report. I incorrectly assumed that refresh tokens should be JWT format (~300+ chars) and added validation that rejected the 12-character token without actually testing if it works.

I have NOT attempted to restore a session using the 12-character refresh token. The code was rejecting it based on length validation before even calling refreshSession(refreshToken:).

I'll remove that incorrect validation and test the actual session restore flow. Sorry for wasting your time with this - it was an assumption error on my part, not a bug in the SDK.

Closing this issue.

randalllex-collab · Nov 04 '25 14:11
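The point the two replies above settle is that the refresh token is an opaque string, so the only party that can judge it is the issuer. The Swift below is an added illustration, not code from this issue or from supabase-swift: it classifies a credential by structure (three base64url segments with a JSON header naming an alg) rather than by length, shows the length gate the reporter describes rejecting a valid opaque token, and wraps the restore attempt so that a thrown error is handled as "expired or revoked". `TokenShape`, `classify`, `looksLikeJWTByLength`, `restoreSession` and the sample tokens are constructed here; the refresh call is injected as a closure so the file runs with Foundation alone, and the `supabaseClient.auth.refreshSession(refreshToken:)` call mentioned in the comments is the one quoted in the issue, not verified against the SDK here.

```swift
import Foundation

/// Shape of a credential string as GoTrue hands it to the client: the access
/// token is a JWT (three base64url segments, JSON header and payload); the
/// refresh token is an opaque random string with no internal structure.
enum TokenShape: Equatable {
    case jwt(alg: String, sub: String?)
    case opaque
}

/// base64url helpers ("-"/"_" alphabet, padding stripped).
func base64urlDecode(_ s: String) -> Data? {
    var b = s.replacingOccurrences(of: "-", with: "+")
             .replacingOccurrences(of: "_", with: "/")
    while b.count % 4 != 0 { b += "=" }
    return Data(base64Encoded: b)
}

func base64urlEncode(_ d: Data) -> String {
    d.base64EncodedString()
     .replacingOccurrences(of: "+", with: "-")
     .replacingOccurrences(of: "/", with: "_")
     .replacingOccurrences(of: "=", with: "")
}

/// Classify by structure, not by length: a JWT must split into exactly three
/// segments whose first two decode to JSON objects, and the header must name
/// an "alg". Anything else is treated as opaque.
func classify(_ token: String) -> TokenShape {
    let parts = token.split(separator: ".", omittingEmptySubsequences: false)
    guard parts.count == 3,
          let headerData = base64urlDecode(String(parts[0])),
          let payloadData = base64urlDecode(String(parts[1])),
          let header = try? JSONSerialization.jsonObject(with: headerData) as? [String: Any],
          let payload = try? JSONSerialization.jsonObject(with: payloadData) as? [String: Any],
          let alg = header["alg"] as? String
    else { return .opaque }
    return .jwt(alg: alg, sub: payload["sub"] as? String)
}

/// The check the reporter had in place: reject anything shorter than a JWT.
/// Every valid GoTrue refresh token fails it.
func looksLikeJWTByLength(_ token: String) -> Bool { token.count > 300 }

/// The only reliable validity test for an opaque token is to present it to
/// the issuer. `refresh` is injected so this file runs without the SDK; in the
/// app pass `{ try await supabaseClient.auth.refreshSession(refreshToken: $0) }`
/// (the call named in the issue; assumed, not verified here). A thrown error
/// means "expired or revoked": clear the stored token and fall back to an
/// interactive sign-in instead of retrying.
func restoreSession(refreshToken: String,
                    refresh: (String) async throws -> Void) async -> Bool {
    guard !refreshToken.isEmpty else { return false }   // the only safe structural check
    do {
        try await refresh(refreshToken)
        return true
    } catch {
        return false
    }
}

// --- Demo with constructed inputs -------------------------------------------
// Constructed JWT with the same shape as the 865-char access token in the
// logs; the signature segment is a placeholder, not a real HMAC.
let headerJSON  = try! JSONSerialization.data(withJSONObject: ["alg": "HS256", "typ": "JWT"])
let payloadJSON = try! JSONSerialization.data(withJSONObject: ["sub": "328F2A63-8C8D-44DD-869D-FE67B4656F10", "role": "authenticated"])
let sampleAccessToken  = [base64urlEncode(headerJSON), base64urlEncode(payloadJSON), "placeholder-signature"].joined(separator: ".")
let sampleRefreshToken = "hydeicecivzz"   // one of the values quoted in the issue

print(classify(sampleAccessToken))              // jwt(alg: "HS256", sub: Optional("328F2A63-..."))
print(classify(sampleRefreshToken))             // opaque
print(looksLikeJWTByLength(sampleRefreshToken)) // false: the bogus rejection from the report

// Stand-in for the refresh endpoint: accepts the issued token, rejects others.
// Log at most a short prefix of any token, as the reporter's diagnostic did.
let done = DispatchSemaphore(value: 0)
Task {
    let ok = await restoreSession(refreshToken: sampleRefreshToken) { presented in
        guard presented == sampleRefreshToken else { throw URLError(.userAuthenticationRequired) }
    }
    print("restore with \(sampleRefreshToken.prefix(4))...: \(ok ? "succeeded" : "failed")")
    done.signal()
}
done.wait()
```

Run it as a script (`swift main.swift`). The design point is the split of responsibilities: the client may check a JWT's structure for diagnostics, but it should never gate an opaque token on format or length, and the restore path treats the issuer's answer as the only verdict on whether the stored token is still good.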