Passed cookies with a different supabase url should be cleaned when passed to the supabase js client. #1314

Open
JungeWerther opened this issue Nov 13, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@JungeWerther

Disclaimer not sure if feature or bug.

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

I am migrating my supabase project because I wanted to change the main region (to reduce latency between backend apis).

In the process, my supabase url changed. However, I'm unable to authenticate users on my staging environment, because the header size for requests sent to my middleware (running on Vercel) exceeds a maximum threshold of 16kb. This is because cookies persist for both the old and the new project.

As an individual, this is easily solved by deleting old cookies. However, I will not request the same of my existing users.

The only way I see so far is to check the existing cookies that get passed in the first request, check whether their project-url is different from the one defined in my environment variables, and send a request from the server to delete existing old cookies on the old domain, before adding new cookies on the new domain.

This could be IMO a feature of the supabase client.

I think the existing size of auth cookies is a bit of an issue, also in the future. The provider tokens are really huge, and encode a LOT of information that is unnecessary for the main use case of the JWTs which is identifying a user.

I know you can add custom JWT claims but it is quite complex - in my opinion the default should be passing minimal information, then when a dev wants to pass more metadata on each request they still have the option to add it.


@JungeWerther JungeWerther added the bug Something isn't working label Nov 13, 2024
@JungeWerther (Author)

Right now I found a workaround by defining

  import type { NextRequest } from 'next/server'
  import type { RequestCookie } from 'next/dist/compiled/@edge-runtime/cookies'

  // Project ref of the current project: the first DNS label of the Supabase URL,
  // e.g. "abcdefghijklmnopqrst" for https://abcdefghijklmnopqrst.supabase.co
  const currentProjectRef = new URL(process.env.NEXT_PUBLIC_SUPABASE_URL!).hostname
    .split('.')[0]

  // Supabase auth cookies are named sb-<project-ref>-auth-token (chunked as
  // .0, .1, ... when large); one that does not carry the current ref is left
  // over from the old project.
  const badCookie = ({ name }: RequestCookie) =>
    name.startsWith('sb-') && !name.includes(currentProjectRef)

and then

  // updateSession and Database: the app's own Supabase SSR helper and generated types
  export async function middleware(request: NextRequest) {
    const response = await updateSession<Database>(request)

    // Expire every old-project cookie on the response so the browser drops it.
    for (const cookie of request.cookies.getAll()) {
      if (badCookie(cookie)) {
        response.cookies.delete(cookie.name)
      }
    }

    return response
  }

Such that cookies from the old project get deleted. Not a general solution though, only if you're on Next.js.
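The following is an added example, not code from the issue author or from Supabase. It generalises the workaround above so it does not depend on Next.js: the project ref is parsed out of each `sb-` cookie name and compared exactly (rather than by substring) with the ref of the current project, and the result is turned into the `Set-Cookie` headers that expire the stale cookies. The cookie-name layout `sb-<project-ref>-auth-token` with optional `.0`, `.1` chunk suffixes, the `Path=/` attribute, and the sample cookie names and URL are assumptions made for the example.

```typescript
// Added example (not the issue author's or Supabase's code): find auth cookies
// left over from a previous Supabase project and build the headers that expire
// them. Plain Node, no Next.js or Supabase dependency.
//
// Assumed cookie naming (Supabase SSR helpers):
//   sb-<project-ref>-auth-token        whole session in one cookie
//   sb-<project-ref>-auth-token.0, .1  chunked when the session is large
// <project-ref> is the first DNS label of the project URL. Any other
// "sb-<ref>-<suffix>" cookie is classified by its ref the same way.

/** First DNS label of the project URL, i.e. the project ref. */
function projectRefFromUrl(supabaseUrl: string): string {
  const ref = new URL(supabaseUrl).hostname.split(".")[0];
  if (!ref) throw new Error(`cannot derive a project ref from ${supabaseUrl}`);
  return ref;
}

/** Parse "sb-<ref>-<suffix>"; null for cookies that are not Supabase cookies. */
function parseSupabaseCookieName(name: string): { ref: string; suffix: string } | null {
  const m = /^sb-([a-z0-9]+)-(.+)$/.exec(name);
  return m ? { ref: m[1], suffix: m[2] } : null;
}

/** Names of Supabase cookies whose project ref differs from the current one. */
function staleSupabaseCookies(cookieNames: readonly string[], currentSupabaseUrl: string): string[] {
  const current = projectRefFromUrl(currentSupabaseUrl);
  return cookieNames.filter((name) => {
    const parsed = parseSupabaseCookieName(name);
    // Non-Supabase cookies (theme, analytics, ...) are never touched, and the
    // ref is compared exactly so a ref that merely contains the current one
    // as a substring is still treated as foreign.
    return parsed !== null && parsed.ref !== current;
  });
}

/**
 * Set-Cookie header values that expire the given cookies. Browsers key cookies
 * on name + domain + path, so Path (and Domain, if one was set) must match the
 * attributes the cookie was originally written with, otherwise the old cookie
 * survives next to an empty new one. "Path=/" is assumed here.
 */
function expireCookieHeaders(names: readonly string[], path = "/"): string[] {
  return names.map((name) => `${name}=; Path=${path}; Max-Age=0`);
}

// Constructed sample input: a request carrying a chunked session from the old
// project, a session from the new project, and an unrelated app cookie.
const SAMPLE_COOKIE_NAMES = [
  "sb-oldprojectref00000000-auth-token.0",
  "sb-oldprojectref00000000-auth-token.1",
  "sb-newprojectref00000000-auth-token",
  "theme",
];
const SAMPLE_SUPABASE_URL = "https://newprojectref00000000.supabase.co";

/** Headers a middleware would add to its response for the sample request. */
function demo(): string[] {
  const stale = staleSupabaseCookies(SAMPLE_COOKIE_NAMES, SAMPLE_SUPABASE_URL);
  return expireCookieHeaders(stale);
}

console.log(demo().join("\n"));
```

In a Next.js middleware the input would be `request.cookies.getAll().map((c) => c.name)` and each returned name would go through `response.cookies.delete(...)` instead of a raw header; the exact-ref comparison and the matching `Path`/`Domain` attributes are the two points that carry over regardless of framework.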
