cookieOptions and config.toml config for cookie MaxAge are ignored #40

Open
@Rudolf-Dudarev

Description

@Rudolf-Dudarev

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

The supabase/ssr method createServerClient ignores the cookieOptions property maxAge. Not only that, but the config.toml property jwt_expiry is also ignored when setting the auth cookie expiry. So we get cookies set with Expires / Max-Age of about 1 year. I have a Next.js app where this is observed.

To Reproduce

  1. Open config.toml, set the jwt_expiry to a low value, e.g., 300 (5 min)
  2. Initiate a supabase server client with the vanilla config found in the docs:
    https://supabase.com/docs/guides/auth/server-side/creating-a-client
  3. Add a cookieOptions object with the maxAge property in the server client config object with a low value, e.g., 300.
  4. From the client side initiate a request to an endpoint that handles server-side auth. Use one of the sign-in options like signInAnonymously() or signInWithPassword() on the server side.
  5. Inspect the set auth cookie in your browser's dev tools - the Max-Age / Expires of the cookie is set to be around 1 year, which does not match the configuration in the cookieOptions or the config.toml.

I observed this issue in my supabase server client utility function:

import { createServerClient, type CookieOptions } from '@supabase/ssr';
import { Database } from '@/lib/types/supabase';
import { cookies } from 'next/headers';

export default function supabaseServerClient() {
  const cookieStore = cookies();
  return createServerClient<Database>(
    process.env.NEXT_PUBLIC_SUPABASE_API_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookieOptions: {
        // The maxAge property I would expect to be used in setting the cookie expiry and overriding the config.toml config value.
        maxAge: 300,
      },
      cookies: {
        getAll() {
          return cookieStore.getAll();
        },
        setAll(cookiesToSet) {
          try {
            cookiesToSet.forEach(({ name, value, options }) => {
              console.log('_@ OPTIONS', options);

              // The maxAge is not matching the maxAge set in cookieOptions. Nor is it matching the value in the config.toml

              // _@ OPTIONS {
              //   path: '/',
              //   sameSite: 'lax',
              //   httpOnly: false,
              //   maxAge: 31536000000,
              //   expires: 2024-07-14T17:11:04.968Z
              // }

              return cookieStore.set(name, value, options);
            });
          } catch {}
        },
      },
    },
  );
}

Expected behavior

The set cookie has an expiry matching the jwt_expiry field in config.toml, or is overridden and matches the maxAge property set in the createServerClient config cookieOptions.

Screenshots

[Screenshot attached: 2024-07-14 at 21:13:43]

System information

  • OS: macOS
  • Browser: Chrome
  • Version of supabase-js: v2.38.4
  • Version of supabase/ssr: v0.4.0
  • Version of Node.js: v20.9.0

Additional context

Using Next.js 14.
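The options logged in the report carry maxAge: 31536000000, which is 365 * 24 * 3600 * 1000 (one year expressed in milliseconds) while the Max-Age attribute is interpreted in seconds, and the expires value sits one year out; either way the browser keeps the auth cookie, and the refresh token inside it, far longer than the 300 seconds the reporter configured. Until the library honours cookieOptions.maxAge, the lifetime can be enforced at the one place the application still controls: the setAll callback. The following is an added example, not code from the issue or from @supabase/ssr; the interface name CookieLifetimeOptions, the helper names exceedsLifetime, clampLifetime and makeSetAll, and the sample option object are all hypothetical, and the sample mirrors the values logged above.

```typescript
// Added example: detect and clamp an over-long cookie lifetime before the
// cookie is written. Hypothetical helpers, not part of @supabase/ssr.

export interface CookieLifetimeOptions {
  path?: string;
  sameSite?: 'lax' | 'strict' | 'none' | boolean;
  httpOnly?: boolean;
  secure?: boolean;
  maxAge?: number; // seconds, as the Max-Age cookie attribute is defined
  expires?: Date;
}

// True when either attribute would keep the cookie alive longer than intended.
export function exceedsLifetime(
  options: CookieLifetimeOptions,
  expectedMaxAgeSeconds: number,
  now: Date = new Date(),
): boolean {
  const byMaxAge = options.maxAge !== undefined && options.maxAge > expectedMaxAgeSeconds;
  const byExpires =
    options.expires !== undefined &&
    (options.expires.getTime() - now.getTime()) / 1000 > expectedMaxAgeSeconds;
  return byMaxAge || byExpires;
}

// Returns a copy of the options whose lifetime never exceeds the expected value.
// Both attributes are rewritten together so they cannot disagree.
export function clampLifetime(
  options: CookieLifetimeOptions,
  expectedMaxAgeSeconds: number,
  now: Date = new Date(),
): CookieLifetimeOptions {
  if (!exceedsLifetime(options, expectedMaxAgeSeconds, now)) {
    return { ...options };
  }
  return {
    ...options,
    maxAge: expectedMaxAgeSeconds,
    expires: new Date(now.getTime() + expectedMaxAgeSeconds * 1000),
  };
}

// Constructed sample reproducing the option object logged in the issue.
export const LOGGED_OPTIONS: CookieLifetimeOptions = {
  path: '/',
  sameSite: 'lax',
  httpOnly: false,
  maxAge: 31536000000,
  expires: new Date('2024-07-14T17:11:04.968Z'),
};

// Minimal shape of the store used by the hypothetical setAll wrapper below;
// Next.js's cookies() store satisfies it.
export interface CookieSink {
  set(name: string, value: string, options?: CookieLifetimeOptions): unknown;
}

export interface CookieToSet {
  name: string;
  value: string;
  options?: CookieLifetimeOptions;
}

// Builds a setAll callback that clamps every cookie's lifetime before writing it.
export function makeSetAll(cookieStore: CookieSink, expectedMaxAgeSeconds: number) {
  return (cookiesToSet: CookieToSet[]): void => {
    for (const { name, value, options } of cookiesToSet) {
      const safe = clampLifetime(options ?? {}, expectedMaxAgeSeconds);
      cookieStore.set(name, value, safe);
    }
  };
}

// Usage inside the server client config from the report:
//   cookies: { getAll() { return cookieStore.getAll(); }, setAll: makeSetAll(cookieStore, 300) }
```

One caveat on the clamp value: the Supabase auth cookie also carries the refresh token, so a cookie that disappears after jwt_expiry seconds leaves the browser nothing to refresh with and the user must sign in again. Pick the clamp as the longest session you are willing to accept, and audit the logged options after each @supabase/ssr upgrade, since the check above is what tells you whether the library has started honouring maxAge.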

Labels: bug