Supabase Auth: Issue regarding login when the requested url already had some '#' based value in it when using third-party auths

Open rahul3v opened this issue 3 months ago • 2 comments

Bug report

  • [+] I confirm this is a bug with Supabase, not with my own application.
  • [+] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

A URL with a pre-existing '#' value leads to no authentication at all when using any third-party authentication. Example: https://example.com/abc#test#access_token=TOKEN_KEY

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Add client-side Supabase authentication
  2. Log in using third-party auth, in my case GitHub authentication
  3. Now open your UI containing the authentication button with YOUR_URL + "#Test" (example: https://example.com/abc#test)
  4. The URL redirects back with the access_token value but does not trigger any authentication in the UI (example: https://example.com/abc#test#access_token=TOKEN_KEY)
  5. To authenticate with the same URL you need to remove any existing # values, in this case (example: https://example.com/abc#access_token=TOKEN_KEY)

Expected behavior

Should trigger authentication

Screenshots

If applicable, add screenshots to help explain your problem.

System information

  • OS: Windows 11
  • Version of @supabase/supabase-js: ^2.43.0
  • Version of Node.js: 20+

Solution

Either remove #.* before adding #access_token=TOKEN_KEY to the redirect URL, or access it on the client side with #access_token=

rahul3v avatar May 03 '24 07:05 rahul3v

Hi @rahul3v,

Thanks for opening! Redirect URLs should go to direct urls and not to nested components within the page.

Tokens can come back with that prefix but the redirect url itself should not have a hash. Is your request to make this clearer in the docs?

encima avatar May 03 '24 09:05 encima

Hello @encima,
Yes, that would really help to avoid the general URL auth bug. Even better would be to add it to the auth source code to at least filter that and extract the #access_auth=* value to trigger auth.

Otherwise users will at some point face this issue regardless of their redirect URL, as users share URLs with # values to point to something on their site, and when authenticating at a moment when the URL contains #, Supabase auth ignores the authentication and does nothing, which will break the authentication cycle.

But in other cases it will authenticate regardless of the redirect URL provided.

rahul3v avatar May 03 '24 10:05 rahul3v
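The fragment behaviour discussed in this thread, as an added example that is not part of the original issue and not Supabase's own code: it shows why a parser that reads the whole fragment as one parameter string finds no `access_token` in the reported URL, plus two application-side mitigations. All function names are hypothetical, and the naive parser is an illustration, not a claim about supabase-js internals.

```javascript
// Added illustration. URL taken from the issue report above.
const SAMPLE_RETURN_URL = 'https://example.com/abc#test#access_token=TOKEN_KEY';

// Naive approach: treat everything after the first '#' as one parameter string.
// For the sample, the only key is "test#access_token", so "access_token" is absent.
function naiveFragmentParams(href) {
  const fragment = new URL(href).hash.slice(1);
  return Object.fromEntries(new URLSearchParams(fragment));
}

// Mitigation 1 (before login): drop any fragment from the URL used as the
// redirect target, so the provider's response is the only fragment on return.
function redirectTargetWithoutFragment(href) {
  const url = new URL(href);
  url.hash = '';
  return url.toString();
}

// Mitigation 2 (on return): split the fragment on '#', take the segment that
// carries access_token, and rebuild the URL without it so the token does not
// stay in the address bar or in shared links.
function extractAuthParams(href) {
  const url = new URL(href);
  const segments = url.hash.slice(1).split('#');
  const idx = segments.findIndex((s) => new URLSearchParams(s).has('access_token'));
  if (idx === -1) return { params: null, cleanedHref: href };
  const params = Object.fromEntries(new URLSearchParams(segments[idx]));
  url.hash = segments.filter((_, i) => i !== idx).join('#');
  return { params, cleanedHref: url.toString() };
}
```

In a browser, `cleanedHref` can be passed to `history.replaceState` once the token has been read, which restores the user's original `#test` anchor without the credential.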