Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

signOut does not clear storage when session is invalid #778

Open
2 tasks done
chaichontat opened this issue May 11, 2024 · 5 comments
Open
2 tasks done

signOut does not clear storage when session is invalid #778

chaichontat opened this issue May 11, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@chaichontat
Copy link

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

supabase.auth.signOut does not remove storage/cookies when a session has been revoked. This meant the client retains a session and a (potentially) unexpired JWT.

This is a known issue in different auth repos and is recently fixed in auth-js: supabase/auth-js#894.
supabase/auth#1550
supabase/auth#1518
https://github.com/orgs/supabase/discussions/9327

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Sign in using the supabase code template.
  2. Remove the session manually in the auth table using the supabase console.
  3. supabase.auth.signOut returns error: AuthApiError: Session from session_id claim in JWT does not exist and does not clear storage or cookies.

Expected behavior

supabase.auth.signOut should clear storage/cookies regardless of return from the supabase server.

System information

  • OS: macOS
  • Version of supabase-ssr: 0.1.0
  • Version of Node.js: 20.11
@chaichontat chaichontat added the bug Something isn't working label May 11, 2024
@paule89123
Copy link

This is causing a big bug for me. If a user deletes their account, the app still thinks they're logged in. If they want to create a new account, I have to tell them to uninstall and re-install the app. This has resulted in my app receiving negative feedback.

Please can the supabase team look into this urgently?

@justinianoleo
Copy link

justinianoleo commented May 14, 2024

I'm having the same issue, the signOut function doesn't work when the token has expired or when i close the session in other device.

@justinianoleo
Copy link

justinianoleo commented May 14, 2024

I found a temp solution, you need to create a route handler and if the logout failed, you can redirect to this route: /auth/signout

export async function GET(req) { cookies().delete("your-cookie-name"); return NextResponse.redirect(new URL("/login", req.url), { status: 302, }); }

` const supabase = createClient();
const { data, error } = await supabase.auth.getUser();

if (error) {

const { error: erroruser } = await supabase.auth.signOut({
  revocation: true,
});

if (erroruser) {
  redirect("/auth/signout");
}

console.log("error signoyt", erroruser);

}`

@chaichontat
Copy link
Author

This is my current mitigation by forcibly removing all cookies when signOut is called.

try {
	await event.locals.supabase.auth.signOut({ scope: "local" });
} catch (e) {
	console.error(e);
}
// https://github.com/supabase/auth-helpers/issues/778
event.cookies.getAll().forEach((cookie) => {
	event.cookies.delete(cookie.name, { path: "/" });
});

@kangmingtay
Copy link
Member

hi @chaichontat, which version of supabase-js are you on? we fixed this in supabase/auth-js#894

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants