Cleanup for session tables doesn't run #1143

Closed
2 tasks done
jwhits opened this issue Jun 16, 2023 · 1 comment
Labels
bug Something isn't working


jwhits commented Jun 16, 2023

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When a user deletes the browser local storage session, new sessions are created in the auth.sessions table for that user even if one already exists.
PR #875 was added to clean up the session tables.

I can see the cleanup SQL runs on every request. This is the SQL for the session table (there is similar SQL for the other tables) cleanup in this code

fmt.Sprintf("delete from %q where id in (select id from %q where not_after < now() - interval '72 hours' limit 10 for update skip locked);", tableSessions, tableSessions)

However, the column not_after allows nulls and has nulls for the session data in the session table, and I can't see in the code where it ever gets a value. So the cleanup will never happen?

This is where the column not_after was added, which also said it's not used: PR #810

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Login using Supabase auth
  2. Check session is created in auth.sessions table
  3. Delete session data from browser local storage. This forces browser logout
  4. Login again using same user
  5. Check auth.sessions. There are 2 sessions for the same user.

Expected behavior

All related unused session/token data to be cleaned up/deleted from supabase. This also counts towards database storage.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

  • OS: Mac
  • Browser: Safari
  • Version of supabase-js: 2.25.0
  • Version of Node.js: 18.16.0

Additional context

I came across this because I was looking into how you could see what active sessions there are. Is there another way to do this?

@jwhits jwhits added the bug Something isn't working label Jun 16, 2023
Contributor

hf commented Dec 19, 2023

The not_after column is used only when using SSO and the identity provider has specified an absolute time.

Please enable the new single session per user or inactivity timeout / timeboxing features to get the cleanup of sessions.

https://supabase.com/docs/guides/auth/sessions#limiting-session-lifetime-and-number-of-allowed-sessions-per-user

@hf hf closed this as completed Dec 19, 2023
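
The behaviour discussed in this thread, as an added PostgreSQL example that is not part of the issue or the project's code: the cleanup predicate quoted above is applied to a constructed stand-in table, showing why rows with a NULL not_after are never selected for deletion. The table name sessions_demo, its columns, and all sample rows are assumptions made for illustration.

```sql
-- Constructed stand-in for the session table; name and columns are assumptions.
create temporary table sessions_demo (
    id         integer primary key,
    user_id    text        not null,
    created_at timestamptz not null,
    not_after  timestamptz            -- nullable, as described in the issue
);

-- Constructed sample rows.
insert into sessions_demo (id, user_id, created_at, not_after) values
    (1, 'user-a', now() - interval '30 days', null),  -- ordinary login, no absolute expiry
    (2, 'user-a', now() - interval '29 days', null),  -- second login after local storage was cleared
    (3, 'user-b', now() - interval '10 days', now() - interval '5 days'),  -- SSO session, IdP deadline long past
    (4, 'user-b', now() - interval '1 day',   now() + interval '1 day');   -- SSO session, still valid

-- Per-row view of the cleanup predicate. For a NULL not_after the comparison
-- evaluates to NULL rather than true, so a WHERE clause filters the row out.
select id,
       user_id,
       not_after,
       (not_after < now() - interval '72 hours') as matches_cleanup
from sessions_demo
order by id;

-- Same shape as the cleanup statement quoted in the issue, against the stand-in table.
delete from sessions_demo
where id in (
    select id
    from sessions_demo
    where not_after < now() - interval '72 hours'
    limit 10
    for update skip locked
);

-- Monitoring check: sessions per user that this predicate can never reach.
select user_id,
       count(*)        as sessions_without_deadline,
       min(created_at) as oldest_session
from sessions_demo
where not_after is null
group by user_id
order by sessions_without_deadline desc;
```

Run against a real deployment, the last query (pointed at the actual session table) shows how many sessions rely on the inactivity timeout, timeboxing, or single-session settings for cleanup rather than on not_after.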