Getting 400 on /auth/v1/token?grant_type=refresh_token #454
Comments
update: I'm going to give supabase-js@v2 a try. I'll report soon |
Well, that didn't last long. Here's the 400 error using supabase v2.
The verdict, still seeing auth issues with supabase v2 |
I'm starting to think that the gotrue server cannot handle a certain number of tabs. At this point, I'm thinking the only solution is to isolate the supabase instance to only one process. |
@kangmingtay any thoughts on this? I'm noticing 3 tabs is the minimum needed to trigger this 400 response code. I have a few logs that could give you a few pointers on what could be causing this issue:
Token refresh logs
t1, t2, t3 indicate tab 1, 2, 3
should the auth token
|
Thank you for the detailed issue submission! We'll definitely take a look at what's going on. If you're having production issues on Supabase, you can get priority access if you open a ticket on the dashboard or write to [email protected]. |
Hey @miguelespinoza — thanks for doing so much work on this issue. So helpful! I noticed that when Supabase clients are initialized and they set the timeout to refresh the token, they use the value of the refresh token at initialization time. I wonder if this could be causing some of this trouble? Imagine this scenario:
What if the scheduled refresh requests accessed whatever is the current value of the refresh token from storage? Instead of using the closed over value from the |
Hey @andyjakubowski, happy this has helped you. I'm hoping we can come to a solution very soon. Although if you look at the PR I submitted, there have been a few updates. I encourage you to check it out -> #444. You're on the right track with checking for a new token in storage before making a request, which is what the PR handles. But I'm curious about this statement:
I'm not sure if you mean you're calling If you leave the library to make a request. The backend has logic for reusing tokens within an interval. This is defaulted to 10 seconds. So technically the "stale" refresh token for tab 2 and 3 should reconcile with the latest refresh token. Also, there's an effort in supabase v2 to consolidate auth logic. This addresses your first point about:
This is not a problem in v2. |
Thanks for elaborating @miguelespinoza. I’m looking at the The scenario I described makes any and all calls through the Supabase client instance. In my actual code I use the I don’t know if this is the cause of the issue you’re experiencing, but I wanted to point out this fact in case it’s relevant. |
Yup, we're both on the same page. That's something that should be accounted for by the library. To pick up the latest And yup, you're on the right branch, |
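The scenario discussed in the comments above, as an added example that is not part of the thread and is not supabase-js or gotrue code: three tabs whose scheduled refresh either uses the refresh token captured at initialization or reads the current one from shared storage, against a server that rotates tokens and tolerates reuse for 10 seconds. `MockAuthServer`, `makeTab` and `simulate` are hypothetical names, and the server behaviour is a simplified assumption based on the description in the thread.

```javascript
// Added illustration: a simplified model, not gotrue or supabase-js code.
const REUSE_INTERVAL_MS = 10000; // reuse interval default stated in the thread

// Hypothetical stand-in for POST /auth/v1/token?grant_type=refresh_token.
class MockAuthServer {
  constructor() {
    this.current = 'rt-0'; // constructed sample token values
    this.previous = null;
    this.rotatedAt = 0;
    this.counter = 0;
  }
  refresh(token, now) {
    if (token === this.current) { // normal rotation: old token is retired
      this.previous = this.current;
      this.current = `rt-${++this.counter}`;
      this.rotatedAt = now;
      return { status: 200, refresh_token: this.current };
    }
    // Assumption: a just-rotated token reconciles with the latest one
    // while the reuse interval has not elapsed.
    if (token === this.previous && now - this.rotatedAt <= REUSE_INTERVAL_MS) {
      return { status: 200, refresh_token: this.current };
    }
    return { status: 400 }; // stale token outside the interval
  }
}

// A tab schedules one refresh; readFromStorage selects which token it sends.
function makeTab(storage, server, readFromStorage) {
  const closedOver = storage.refresh_token; // captured at initialization
  return function scheduledRefresh(now) {
    const token = readFromStorage ? storage.refresh_token : closedOver;
    const res = server.refresh(token, now);
    if (res.status === 200) storage.refresh_token = res.refresh_token;
    return res.status;
  };
}

// One tab per entry in `times` (ms); returns the status each tab receives.
function simulate(readFromStorage, times) {
  const server = new MockAuthServer();
  const storage = { refresh_token: server.current }; // shared, like localStorage
  const tabs = times.map(() => makeTab(storage, server, readFromStorage));
  return tabs.map((tab, i) => tab(times[i]));
}

console.log('closed-over, spread out:', simulate(false, [0, 5000, 30000]));
console.log('closed-over, close together:', simulate(false, [0, 2000, 4000]));
console.log('read from storage:', simulate(true, [0, 5000, 30000]));
```

In this model the reuse interval hides the stale token while refreshes land close together, which is why the 400 only shows up once a tab fires later than the interval allows.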
Hey @miguelespinoza, I have encountered a related issue while trying to set up auth in a browser extension and keeping a session in the popup and service-worker. Would you mind having a look? Maybe you can shed some light... |
Thanks for pointing this out; I didn’t realize
Yep! 👌 |
Hey everyone, I think I've figured out the issue, seems like the session passed into the Tested with the following scenarios:
|
🎉 This issue has been resolved in version 2.0.0-rc.7 🎉 The release is available on: Your semantic-release bot 📦🚀 |
just merged #461 in, will bump the supabase-js branch to include this fix next - shoutout to @miguelespinoza, thanks for pointing this out and writing up such a detailed issue! |
Bug report
Describe the bug
I'm having an issue where /auth/v1/token?grant_type=refresh_token suddenly returns 400. It's unclear what could cause this issue. When the token is approaching expiration supabase-js fires correctly, but it gets to a point where the 400 request occurs.
This originated after finding out that the supabase token disappears from localStorage on my extension.
The video walks through the situation in more detail: https://share.cleanshot.com/mc6hDzOEoD7lzwk4ZSrk
I've read that supabase v2 fixes "getting logged out" issues, but I'm not so sure this happens from the javascript side. To be precise, I'm initializing the client without the multiTab option, so it's not the race condition mentioned throughout the discussions/issues on GitHub.
Also, the Network logs are isolated to one process. Meaning only one supabase client. Inside this process, each request uses the previous request's refresh token from the response. Being that it's isolated to only one process, I'm not sure how this could be a library issue. I could be wrong though.
This is how I'm creating the supabase client.
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
Expected behavior
At no point should refreshing the token return status code 400.
Screenshots
https://share.cleanshot.com/mc6hDzOEoD7lzwk4ZSrk
System information
Additional context
Help post on Discord: https://discord.com/channels/839993398554656828/1019328795129421944/1019328795129421944