
"Auth session missing!" when getting user server side with supabase.auth.getUser() #381

Closed
XStarlink opened this issue Jul 4, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@XStarlink

Version

@nuxtjs/supabase: 1.2.2
nuxt: 3.12.3

Reproduction Link

https://stackblitz.com/edit/nuxt-starter-v3dd6h

Problem

Our Nuxt web application has been experiencing a critical issue affecting user experience for a few months. After approximately one hour of inactivity on a tab, users receive an "Unauthorized" error when attempting to perform an action on the webapp.

Problem details

  • Our Nitro server uses supabase.auth.getUser() before executing the code of each route to authenticate the user. (By the way, I don't use await serverSupabaseUser(event) because it uses getSession() and this is not recommended by Supabase on the server side)
  • After a period of inactivity from the user on our webapp, this verification fails on the server side, causing the "Unauthorized" error.
  • On the client side, the user still appears to be logged in and can perform actions involving database operations (insert, select, update).
  • The backend, however, no longer recognizes the user as authenticated. The session does not exist anymore in Supabase auth.session table.
  • Even if the user wants to logout via a button that is using supabase.auth.signOut(), it fails with the error:
{
  code: "session_not_found",
  message: "Session from session_id claim in JWT does not exist"
}

which leaves my users unable to do anything: they can no longer perform actions or log themselves out. I'm starting to get a lot of complaints about this.

To try to debug, I have currently followed these steps:

  1. I read about how Supabase sessions work and found that sessions are stored in the auth.sessions table.
  2. I've compared the cookies on the front side with those received on the back side, and they're exactly the same.
  3. I compared the cookies of a functioning session and the cookies of a session that returns the message "Auth session missing!" when I use supabase.auth.getUser() on the server side. They both contain a sb-access-token and a sb-refresh-token.
  4. By pasting both sb-access-tokens into https://jwt.io/ to see their content, they both contain the same payload, only the session_id key changes (and of course exp (expiration time) and iat (issued at), no problem on that side, the exp was further away than iat)
  5. When I search for the session_id of the working connection in the auth.sessions table, it exists, and conversely, when I search for the one that comes from the cookie that returns "Auth session missing!", it doesn't exist in the auth.sessions table.
  6. Then I tried to change the "Access token (JWT) expiry time" in the Supabase dashboard, and set the JWT expiry to 604800 (one week) instead of 3600 (one hour), but I'm still disconnected after one hour.

Which leads me to think that there's a problem with the session refresh, something must be wrong and the session isn't properly refreshed.

Steps to reproduce

Not easy to reproduce because you have to wait for a period of inactivity in the tab containing the webapp where you are logged in. When I'm developing new features, I regularly get the bug I'm describing here. I come back to the tab and want to perform an action, but I get "Unauthorized" (which is the error returned from the API route when the user is not found).

  1. Login to the webapp
  2. Don't touch the webapp tab for a while
  3. Return to the webapp and perform actions: front-end actions work, but on the back end the user is not considered logged in, and his session no longer exists.

What is Expected?

The refresh session must be reliable and a user can stay connected for two weeks if he wants to.

What is actually happening?

The user is randomly disconnected after one hour, his session is lost and non-existent in Supabase's auth.sessions table.


Thank you for the work you have done with this module.
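An added example (not code from the issue or from the module): it automates debugging step 4 above, decoding the payload of an sb-access-token to read session_id, iat and exp and listing the claims that differ between a working token and a broken one. Decoding is not verification; the signature is ignored, so this is for inspection only and must never be used to authorize a request. The tokens below are constructed with made-up claims and a dummy signature.

```javascript
// Decode the base64url-encoded payload segment of a compact JWT into an object.
// No signature check is done here: this is a debugging aid, not authentication.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Summarise the claims relevant to the "Auth session missing!" investigation:
// the session_id that should exist in auth.sessions, and whether exp is still ahead.
function summarizeSession(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const p = decodeJwtPayload(token);
  return {
    session_id: p.session_id,
    sub: p.sub,
    iat: p.iat,
    exp: p.exp,
    expired: typeof p.exp === 'number' ? p.exp <= nowSeconds : true,
    lifetimeSeconds: p.exp - p.iat,
  };
}

// List the claims whose values differ between two tokens (e.g. a working one and a
// broken one). The issue reports that only session_id, exp and iat differ.
function diffClaims(tokenA, tokenB) {
  const a = decodeJwtPayload(tokenA);
  const b = decodeJwtPayload(tokenB);
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  return [...keys].filter((k) => JSON.stringify(a[k]) !== JSON.stringify(b[k])).sort();
}

// Constructed sample tokens: HS256 header, made-up claims, dummy (unverifiable) signature.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const baseClaims = { aud: 'authenticated', role: 'authenticated', sub: '00000000-0000-4000-8000-000000000001' };
// One-hour lifetime, matching the default 3600s JWT expiry mentioned in step 6.
const WORKING_TOKEN = makeSampleToken({ ...baseClaims, session_id: 'sess-aaaa', iat: 1720000000, exp: 1720003600 });
const BROKEN_TOKEN = makeSampleToken({ ...baseClaims, session_id: 'sess-bbbb', iat: 1720004000, exp: 1720007600 });

console.log(summarizeSession(WORKING_TOKEN, 1720001000));
console.log('claims that differ:', diffClaims(WORKING_TOKEN, BROKEN_TOKEN));
```

With a real cookie value, the printed session_id is the one to look up in auth.sessions; if it is absent there while expired is false, the token is still valid but its server-side session is gone, which is exactly the state described above.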

@XStarlink XStarlink added the bug Something isn't working label Jul 4, 2024
@larbish
Collaborator

larbish commented Jul 5, 2024

Can you have a try with the latest release? https://github.com/nuxt-modules/supabase/releases/tag/v1.3.1

You can open it back if it's not fixed.

@larbish larbish closed this as completed Jul 5, 2024
@XStarlink
Author

XStarlink commented Jul 5, 2024

> Can you have a try with the latest release? https://github.com/nuxt-modules/supabase/releases/tag/v1.3.1
>
> You can open it back if it's not fixed.

@larbish On NPM the module is still in 1.2.2, I can't install the latest version for testing because it's not available (yet).

But thank you for all your hard work!

@larbish
Collaborator

larbish commented Jul 5, 2024

Should be good now!

@XStarlink
Author

XStarlink commented Jul 5, 2024

> Should be good now!

@larbish

I've just installed it and I get an error message when I launch Nuxt.
I've even tried deleting the package.lock and the node_modules to reinstall all packages, but I still get this message.

Uncaught SyntaxError: The requested module '/_nuxt/@fs/Users/quentin/Code/my-app/node_modules/@supabase/postgrest-js/dist/cjs/index.js?v=64b02254' does not provide an export named 'default' (at wrapper.mjs:1:8)

That points to:

[Screenshot 2024-07-05 17:50:13]

The app won't launch, I just get a blank page.

@larbish
Collaborator

larbish commented Jul 6, 2024

Indeed, I've seen this error which is not happening in the playground... I fixed it in 1.3.2! Sorry, I hope it's ok now.

@XStarlink
Author

@larbish Hello, I've done a lot of tests and I still have the problem of the session not refreshing in my app.

I think we can reopen this issue.

I'm asking a lot of questions all over the Supabase ecosystem to understand and solve this problem.

In your own projects that use this lib, if you don't touch the project tab for 1 day and you come back to it, are you still connected or not?

@XStarlink
Author

XStarlink commented Jul 8, 2024

@felixgabler Thanks for your work on the new version which uses ssr!

Sorry to ping you here, but I have a small question. I've been trying for a few weeks to solve a problem where my users' sessions are deleted from auth.session at some point by something. I've gone through all the docs and read a lot of issues to find out what's going on, but I haven't found the reason yet.

I wanted to ask you if in your project the session refresh works correctly and if you can, for example, close the browser for a few days, then come back to your app and still be connected? (In Supabase's GitHub one of the devs of their Auth lib told me that there was normally no problem with this, but since I've been using this module for 6+ months I've never managed to stay connected for several days.)

Or more simply, can you be logged in on a tab, not touch it for a day, come back to it and still be logged in?

I used debug: true in the config to see what was going on, and I can see the auth logs refreshing regularly, except that when I paste the access token into jwt.io and take the session_id to look for it in the auth.session table, there's nothing... (But just after a login, yes! And if I use the app continuously, yes, but if I stop for more than one hour, something deletes the session.)

How is it possible to still be connected to the front end, being able to perform actions on the DB, but without a valid session!?

GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.106Z #_autoRefreshTokenTick() begin
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.106Z #_acquireLock begin 0
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.107Z #_acquireLock lock acquired for storage key sb-ywazevpallcihcdmurdx-auth-token
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.107Z #_useSession begin
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.107Z #__loadSession() begin
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.108Z #getSession() session from storage {access_token: 'eyJhbGciOiJIUzI1NiIsImtpZCI6InhtWHpNWjBtUUVVbjR5V3…xzZX0.8VvSxuea56oynR7L4WdInS4MLSM0hCi3Y4UtIoZILYU', token_type: 'bearer', expires_in: 604800, expires_at: 1720802658, refresh_token: 'L_HAIMidKYmWcIQ8lUo8zQ', …}
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.108Z #__loadSession() session has not expired expires_at 1720802658
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.108Z #__loadSession() end
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.108Z #_autoRefreshTokenTick() access token expires in 11378 ticks, a tick lasts 30000ms, refresh threshold is 3 ticks
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.108Z #_useSession end
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.108Z #_autoRefreshTokenTick() end
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.108Z #_acquireLock lock released for storage key sb-ywqazepallcihcdmurdx-auth-token
GoTrueClient.ts:266 GoTrueClient@0 (2.64.2) 2024-07-08T17:54:50.108Z #_acquireLock end

I still don't understand where this could be coming from; after a lot of research it seems that there are many people in this situation, but no one has found a solution...

If you have any advice or info I'd be grateful,
Thanks again for your work!

@felixgabler
Contributor

Hi! As far as I know, it should not be possible to be logged out in the frontend and still be able to perform restricted DB actions. The DB will receive your authentication credentials from the JWT. I'm sorry if this is no real new insight.

As for the issue where you get logged out after a while, I don't think this happens for us. We haven't received complaints at least and I've stayed logged in over weekends.

I'm hoping things will become more stable with the 1.0.0 release of @supabase/ssr

@XStarlink
Author

@felixgabler Thank you very much for your reply,

I have the impression that for a few days they have changed something on their side, because I have far fewer Unauthorized logs coming from my users than before, while I have changed strictly nothing since I updated this module which includes the SSR...

I hope as you say that with the release of v1.0 it will be completely stable.

Thanks again for all your hard work!
