Comments (5)
To add more context, we are running into an issue when there's a global log out: we're still seeing that the user is authenticated on the client (which seems to be the correct behavior per the Sign out a user documentation), but on our server, when we call `await supabase.auth.getUser(token)` to get relevant data, we get this error:
message: "Session from session_id claim in JWT does not exist"
name: "AuthApiError"
stack: "AuthApiError: Session from session_id claim in JWT does not exist"
status: 403
What is the best way to handle this, in the case of a global log out? We were planning on using the onAuthStateChange to handle this, but it seems like it isn't working properly.
Sign out a user
Inside a browser context, signOut() will remove the logged in user from the browser session and log them out - removing all items from localStorage and then triggering a "SIGNED_OUT" event.
In order to use the signOut() method, the user needs to be signed in first.
By default, signOut() uses the global scope, which signs out all other sessions that the user is logged into as well.
Since Supabase Auth uses JWTs for authentication, the access token JWT will be valid until it's expired. When the user signs out, Supabase revokes the refresh token and deletes the JWT from the client-side. This does not revoke the JWT and it will still be valid until it expires.
from auth-js.
@belle-chang, can you clarify a couple of things?
we're still seeing that the user is authenticated on the client
Is this on the browser where the logout happened, or the other?
on our server, when we call await supabase.auth.getUser(token); to get relevant data, we get [the] error
Which browser session is this token from?
This is happening in a React Native app, so say I have 2 devices where a user is logged in. If a user does a global log out on device A, the user is still seen as authenticated on device B when you call `supabase.auth.getSession()` -- which seems to be expected behavior due to the Supabase signOut documentation. However, when calling `supabase.auth.getUser()` in our backend (no local storage/it's not recommended as a source of trusted data on the server), which we use to authenticate each API call, it's throwing that error.
The token is passed from our front end in an Authorization bearer header to the backend, where it's used in the `supabase.auth.getUser()` call to check if the user is authenticated before executing an API call.
Ok, I believe I understand what you're saying.
So when the device/app with a still-logged-in session (at least locally) does something, the error is thrown when calling `supabase.auth.getUser(access_token)` on the backend.
This makes sense, since it's a global signout. Supabase would likely remove both sessions in the `auth.sessions` table - even though the access token from said device would still be good for the rest of its lifetime.
Session from session_id claim in JWT does not exist
@belle-chang you can fix this issue by upgrading to the latest supabase-js version - for context, we fixed it in this PR (#894), basically, signOut should always remove the existing session from the client regardless of any 4xx error because the user could've been deleted by an admin.
On the main topic of the `SIGNED_OUT` event not being broadcast to other devices: currently, `onAuthStateChange` only emits the events to the listeners scoped to the instance of the supabase client class. When you're on a separate device, that is using a different instance of the supabase client, so it won't receive any of these events.
apologies for the confusion in the docs - we'll update it so it's clear next time.