Bug report
Describe the bug
Initialising the Supabase client with cookieOptions containing a custom name (e.g. custom-name-auth-token) breaks the signup flow, as it no longer sets both custom-name-auth-token and custom-name-auth-token-code-verifier cookies.
Instead, the client tries setting 2 cookies with the same name, and the custom-name-auth-token cookie gets overridden with the code verifier value and fails to parse afterwards with "Failed to parse cookie string: [Error: Unexpected format: String]".
This also results in users being unable to verify their account via email link, as they see an "invalid request: both auth code and code verifier should be non-empty" error.
Example response headers when there is no custom cookie name set:
Example response headers when a custom cookie name is specified:
Logging Next.js' cookies().getAll() confirms the client is trying to set 2 cookies with the same name:
Commenting out the name field of cookieOptions solves the issue, so I am certain it's a bug in the handling of custom cookie names/storageKey, although I could not find an explanation when looking at the code for the auth-helpers or gotrue.
To Reproduce
Initialise Supabase route handler client with custom cookie options, e.g.:
import { cookies } from "next/headers"
import { createRouteHandlerClient } from "@supabase/auth-helpers-nextjs"
...
const supabase = createRouteHandlerClient<Database>({ cookies }, {
  cookieOptions: {
    name: "custom-name-auth-token",
    ...
  },
})
Expected behavior
The -auth-token and -auth-token-code-verifier cookies should both be set and not override each other.
The signup + email confirmation link should function as expected and not show errors to the users.
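A regression check for the collision reported above, as an added example that is not part of the original issue or of the Supabase code base: it inspects a response's Set-Cookie header values for a cookie name set twice and for a missing -code-verifier cookie. The function names, the placeholder cookie values and the Path/SameSite attributes are constructed for illustration.

```javascript
// Added example: checks Set-Cookie header values for the collision described
// in this issue. All header values below are constructed samples.
const CODE_VERIFIER_SUFFIX = "-code-verifier"; // suffix as named in the issue

// Extract the cookie name from one Set-Cookie header value.
function cookieName(setCookie) {
  const pair = setCookie.split(";", 1)[0]; // "name=value" part only
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Report names set more than once and expected cookies that are absent.
function checkAuthCookies(setCookieHeaders, baseName) {
  const counts = new Map();
  for (const header of setCookieHeaders) {
    const name = cookieName(header);
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  const expected = [baseName, baseName + CODE_VERIFIER_SUFFIX];
  const duplicates = [...counts].filter(([, n]) => n > 1).map(([name]) => name);
  const missing = expected.filter((name) => !counts.has(name));
  return { ok: duplicates.length === 0 && missing.length === 0, duplicates, missing };
}

// Constructed sample: the behaviour the issue expects (two distinct names).
const expectedHeaders = [
  "custom-name-auth-token=SESSION_PLACEHOLDER; Path=/; SameSite=Lax",
  "custom-name-auth-token-code-verifier=VERIFIER_PLACEHOLDER; Path=/; SameSite=Lax",
];
// Constructed sample: the behaviour the issue reports (same name set twice).
const reportedHeaders = [
  "custom-name-auth-token=SESSION_PLACEHOLDER; Path=/; SameSite=Lax",
  "custom-name-auth-token=VERIFIER_PLACEHOLDER; Path=/; SameSite=Lax",
];

console.log(checkAuthCookies(expectedHeaders, "custom-name-auth-token"));
console.log(checkAuthCookies(reportedHeaders, "custom-name-auth-token"));
```

The same function can be pointed at the output of cookies().getAll() by mapping each entry to a "name=value" string first.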