Error: Invalid UTF-8 sequence crashing Vercel

[k2xl]

Bug report

• [x ] I confirm this is a bug with Supabase, not with my own application.
• [ x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

On version
"@supabase/ssr": "^0.4.0",

Randomly been getting these errors for my app. Only solution is to destroy my cookies and refresh.

Error: Invalid UTF-8 sequence
at (node_modules/@supabase/ssr/dist/module/utils/base64url.js:187:0)
at (node_modules/@supabase/ssr/dist/module/utils/base64url.js:90:0)
at (node_modules/@supabase/ssr/dist/module/cookies.js:246:30)
at (node_modules/@supabase/auth-js/dist/module/lib/helpers.js:100:0)
at (node_modules/@supabase/auth-js/dist/module/GoTrueClient.js:787:0)
at (node_modules/@supabase/auth-js/dist/module/GoTrueClient.js:768:0)
at (node_modules/@supabase/auth-js/dist/module/GoTrueClient.js:714:0)

This us a super weird bug where when I visit my website it just literally crashes. However clearing my cookies the website works for a bit then stops.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

I do not know how the bug occurs.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

Running on a nextjs app with supabase. My app allows google logins

[Nishchit14]

This is happening to me as well on the production app. Need to degrade the version asap.

[k2xl]

@Nishchit14 which version did you downgrade? I continuously get this error in production too

[Nishchit14]

@k2xl @supabase/ssr": "^0.0.10

[j4w8n]

@Nishchit14 @k2xl would you mind adding this option to all of your Supabase client-creation code, to see if it resolves the issue? Keep in mind that this will alter how the cookie is stored; so, if you are grabbing the cookie yourself, somewhere in your code, you'd need to change how that functions.

I'm not offering this as a long-term solution, but rather a test. Although, if it's a client option then it could be used long-term.

/* example only. this option is needed in all code that creates a client. */
export function createClient() {
  return createBrowserClient(process.env.NEXT_PUBLIC_SUPABASE_URL!, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookieEncoding: "raw"
    }
  )
}

base64:

raw:

Roughly how long is the time between failures?

[k2xl]

Trying and will get back to you
(Apologies, accidentally closed the task. reopened it now)

[k2xl]

Still occurs. Happens an hour or so in

[j4w8n]

I'm not sure what would be going on then. I went through every source file, and the only references I can find to base64url.js are when cookies are being encoded/decoded to/from base64 (or for tests).

And you're sure you added that option in every place that a Supabase client is created?

And the error is the same as the original?

[k2xl]

@j4w8n I added it to all the createClients that allow me to pass that cookieEncoding

  // Create a supabase client on the browser with project's credentials
  return createBrowserClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    { cookieEncoding: 'raw' }
  );

const cookieStore = cookies();

  return createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookieEncoding: 'raw',
      cookies: {
        get(name: string) {
          return cookieStore.get(name)?.value;
        },
        set(name: string, value: string, options: CookieOptions) {
          try {
            cookieStore.set({ name, value, ...options });
          } catch (error) {
            // The `set` method was called from a Server Component.
            // This can be ignored if you have middleware refreshing
            // user sessions.
          }
        },
        remove(name: string, options: CookieOptions) {
          try {
            cookieStore.set({ name, value: '', ...options });
          } catch (error) {
            // The `delete` method was called from a Server Component.
            // This can be ignored if you have middleware refreshing
            // user sessions.
          }
        },
      },
    }
  );

Initialization error: Error: Invalid UTF-8 sequence
    at stringFromUTF8 (webpack-internal:///(rsc)/./node_modules/@supabase/ssr/dist/module/utils/base64url.js:195:19)
    at stringFromBase64URL (webpack-internal:///(rsc)/./node_modules/@supabase/ssr/dist/module/utils/base64url.js:98:17)

[j4w8n]

@k2xl that's really strange. Can you verify the cookie is not being stored with a base64 prefix at the beginning?

[k2xl]

Actually the cookies still do begin with base64…

[j4w8n]

@k2xl Is this reproducible during dev on your machine, or is it only during prod on Vercel?

[k2xl]

Reproduces on dev and on prod

[fincha]

I have the same issue, but it happens to me only on prod... what a shame :(

    "@nuxtjs/supabase": "^1.4.1",

error stack

[nitro] [unhandledRejection] Error: Invalid UTF-8 sequence
    at stringFromUTF8 (/opt/render/project/src/.output/server/node_modules/@supabase/ssr/dist/main/utils/base64url.js:200:19)
    at stringFromBase64URL (/opt/render/project/src/.output/server/node_modules/@supabase/ssr/dist/main/utils/base64url.js:94:17)
    at Object.getItem (/opt/render/project/src/.output/server/node_modules/@supabase/ssr/dist/main/cookies.js:249:63)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async getItemAsync (/opt/render/project/src/.output/server/node_modules/@supabase/auth-js/dist/main/lib/helpers.js:134:19)
    at async SupabaseAuthClient.__loadSession (/opt/render/project/src/.output/server/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:800:34)
    at async SupabaseAuthClient._useSession (/opt/render/project/src/.output/server/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:781:28)
    at async SupabaseAuthClient._emitInitialSession (/opt/render/project/src/.output/server/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:1218:16)

PS: ok, it only happens, when I have this cookie... no idea how it happend. I haven't even deployed today.
PPS:

I have decoded this base64 cookie and have found probably the issue:

{"access_token":"eyJhb...Z3q0","token_type":"bearer","expires_in":3600,"expires_at":1729179524,"refresh_token":"LOt97s...ky-A","user":{"id":"8f71b6c8-32bb-40a0-b22e

Total length: 2379 characters (decoded)
I am using latest Version of firefox on macos.

it is not a valid JSON... the user id is not fully represended. Now idea how it happend.

[fincha]

Ok... my bad, I wondered why the first part of the cookie was decodeable and others not, so I combined it 😄 (what a hacker I am) anyway, the string was also decodeable.

I used this tool to decode: https://base64.guru/converter/decode

and I had this warning:

The character encoding was detected as “ISO-8859-1”, but the algorithm is inaccurate and there is a high probability that this is wrong. Because of this you can get the wrong results. To know for sure, please check the Character Encoding Detector tool.

at the end of the json I had this

ÓuCS£C�£#ã3�3Cs%¢"Â&�5öæöç�Ö÷W2#¦fÇ6W×Ð

this might be the issue