Setting a custom cookie name breaks email signup flow #647

Closed
2 tasks done
novalex opened this issue Oct 7, 2023 · 5 comments

novalex commented Oct 7, 2023

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Initialising the Supabase client with cookieOptions containing a custom name (e.g. custom-name-auth-token) breaks the signup flow, as it no longer sets both custom-name-auth-token and custom-name-auth-token-code-verifier cookies.
Instead, the client tries setting 2 cookies with the same name, and the custom-name-auth-token cookie gets overridden with the code verifier value and fails to parse afterwards with Failed to parse cookie string: [Error: Unexpected format: String].
This also results in users being unable to verify their account via email link, as they see an invalid request: both auth code and code verifier should be non-empty error.

Example response headers when there is no custom cookie name set:

Set-Cookie: sb-localhost-auth-token-code-verifier=<code verifier>; Path=/; Expires=Fri, 07 Feb 3023 09:22:27 GMT; Max-Age=31536000000; Domain=localhost; HttpOnly; SameSite=strict
Set-Cookie: sb-localhost-auth-token=; Path=/; Max-Age=0

Example response headers when a custom cookie name is specified:

Set-Cookie: custom-name-auth-token=<code verifier>; Path=/; Expires=Fri, 07 Feb 3023 09:24:52 GMT; Max-Age=31536000000; Domain=localhost; HttpOnly; SameSite=strict

Logging Next.js' cookies().getAll() confirms the client is trying to set 2 cookies with the same name:

  { name: 'custom-name-auth-token', value: '', maxAge: 0, path: '/' },
  {
    name: 'custom-name-auth-token',
    value: '<code verifier>',
    path: '/',
    maxAge: 31536000000,
    domain: 'localhost',
    sameSite: 'strict',
    secure: false,
    httpOnly: true,
    expires: 3023-02-07T09:24:52.884Z
  }

Commenting out the name field of cookieOptions solves the issue, so I am certain it's a bug in the handling of custom cookie names/storageKey although I could not find an explanation when looking at the code for the auth-helpers or gotrue.

To Reproduce

  1. Initialise Supabase route handler client with custom cookie options, e.g.:

    import { cookies } from "next/headers"
    import { createRouteHandlerClient } from "@supabase/auth-helpers-nextjs"
    ...

    const supabase = createRouteHandlerClient<Database>({ cookies }, { cookieOptions: {
      name: "custom-name-auth-token",
      ...
    }})

  2. Perform user signup using the client, e.g.:

    const { error } = await supabase.auth.signUp({
      email,
      password,
      options: {
        emailRedirectTo: `<app url>/auth/callback`,
      },
    })

  3. Inspect the cookies set by Supabase, and/or the response headers, e.g.:

    console.log("cookies after signup", cookies().getAll())

Expected behavior

The -auth-token and -auth-token-code-verifier cookies should both be set and not override each other.

The signup + email confirmation link should function as expected and not show errors to the users.

System information

  • OS: [Ubuntu 20.04.6, MacOS]
  • Browser (if applies) [Any]
  • Version of supabase-js: [2.31.0]
  • Version of Node.js: [18.16.1]

@novalex novalex added the bug Something isn't working label Oct 7, 2023
@silentworks silentworks self-assigned this Nov 4, 2023
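
The check from step 3 of the report, written as an added example (not part of the issue and not Supabase code): it audits a `cookies().getAll()`-shaped list for the symptoms described above. The function names and sample values are constructed, and the rule that a non-empty session cookie holds a JSON object or array is an assumption based on the quoted parse error.

```javascript
// Added example. Entries mirror the cookies().getAll() output quoted in the issue.
function isJsonContainer(text) {
  try {
    const parsed = JSON.parse(text);
    return parsed !== null && typeof parsed === "object";
  } catch {
    return false; // a bare string such as a code verifier is not a session
  }
}

function auditAuthCookies(writes, baseName) {
  const verifierName = `${baseName}-code-verifier`;
  const findings = [];
  const byName = new Map();
  for (const w of writes) {
    if (!byName.has(w.name)) byName.set(w.name, []);
    byName.get(w.name).push(w);
  }
  // 1. One name written with different values: the later write replaces the earlier.
  for (const [name, list] of byName) {
    if (new Set(list.map((w) => w.value)).size > 1) findings.push(`duplicate-name:${name}`);
  }
  // 2. The code verifier needs its own live, non-empty cookie for the email link to work.
  const verifier = (byName.get(verifierName) || []).at(-1);
  if (!verifier || verifier.value === "" || verifier.maxAge === 0) {
    findings.push(`missing-verifier:${verifierName}`);
  }
  // 3. Assumption: a non-empty session cookie must parse to a JSON object or array.
  const session = (byName.get(baseName) || []).at(-1);
  if (session && session.value !== "" && !isJsonContainer(session.value)) {
    findings.push(`unparseable-session:${baseName}`);
  }
  return findings;
}

// Constructed samples modelled on the two cases in the report.
const defaultNameWrites = [
  { name: "sb-localhost-auth-token-code-verifier", value: "constructed-verifier", path: "/", maxAge: 31536000000 },
  { name: "sb-localhost-auth-token", value: "", path: "/", maxAge: 0 },
];
const customNameWrites = [
  { name: "custom-name-auth-token", value: "", path: "/", maxAge: 0 },
  { name: "custom-name-auth-token", value: "constructed-verifier", path: "/", maxAge: 31536000000 },
];

console.log(auditAuthCookies(defaultNameWrites, "sb-localhost-auth-token"));
console.log(auditAuthCookies(customNameWrites, "custom-name-auth-token"));
```
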
@silentworks
Contributor

PR #674 should fix this issue.

@silentworks
Contributor

Had to revert this PR as it was causing breaks.

@atanaskanchev

Any news on this one?

@ghost

ghost commented Jan 24, 2024

@silentworks is this still an issue?

@kangmingtay
Member

@nbarrow-inspire-labs @atanaskanchev this is no longer an issue and it has been fixed
