Supabase.initialize don't refresh token after 1h on app open again #906
Comments
@gabrielviannadev I cannot reproduce this on my end, but are you able to reproduce it? Do you have reliable steps to reproduce every time, or do you see this happening only once in a while? |
I am also facing the issue, but it is not happening consistently; many times when the app is opened after some time it gives the below error and the user gets signed out.
|
I experience the same problem on my production app - users are randomly logged out from the app. In Supabase logs, I see exactly the same log as @com8member2 included above. Please bump priority on it! |
@com8member2 @marektomczyk |
In our case when app is closed for more than an hour, token expires which is expected. Problem happens when app is started again, we then issue the API request using the most recent JWT (which has expired) which results in API call failing with 403 Forbidden. Perhaps: |
@tomekit What's your use case to manually use the latest jwt? If you are calling supabase endpoints via the sdk, the sdk should try to get a new jwt before making the actual request. |
Maybe we need an example |
Hi @Vinzent03, Sorry for late reply. In our case we're using Supabase mostly for auth and then pass JWT to external APIs outside of Supabase ecosystem. I think it's fair to assume that there are many systems (legacy or not) which would like to integrate authentication mechanism and not necessarily would like to be rewritten using Supabase mindset. My point is, that if Supabase Flutter allows user to access current session: `Session? get currentSession => _currentSession;` it already leaks enough internals (and that's good, because it allows JWT external use) that it should probably allow user to access Future to await to make sure that |
Calling |
Thanks for your reply. I've just double checked our codebase and that's actually what we've been doing already... and in fact it should behave as you describe. |
Hi, @gabrielviannadev. Did you ever find a solution to this issue? I've run into the same issue when the iOS application tries to update in the background. |
@vikrvm Do you have a way to reproduce this issue consistently? That would help us figure out what the root cause is. |
I do, I have a Swift application I'm working on and this happens frequently. I could send you over a private copy? It's very barebones at the moment but you'll see the logs in the dashboard start throwing token errors after some time. |
@vikrvm Is it a Swift or Flutter application running on iOS? |
I'm running into the same issue described in a Swift application using Supabase. I know this is a Flutter specific issue but the description matched my issue exactly also. |
@vikrvm Okay, could you open an issue on the supabase-swift repo for that? |
We are experiencing the same issue too. We are using supabase as our auth service and pass the JWT to our backend. If the user opens the app after 1 hour the token doesn't refresh and user is unable to use our app. But if the user kills the app and opens it again, it starts working again. For now, we are manually refreshing the token. |
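An added example, not code from this thread or from supabase-flutter: a guard for the case described above, where the access token is handed to a backend outside Supabase, that checks the `exp` claim and refreshes once before the token is sent. `jwtExpiry`, `isStale`, `freshAccessToken`, the `refresh` hook and the 30-second margin are assumptions, and the sample token is constructed.

```dart
import 'dart:convert';

// Reads `exp` (seconds since epoch) from the JWT payload. No signature check:
// this only decides when to refresh; the receiving API must still verify.
int? jwtExpiry(String jwt) {
  final parts = jwt.split('.');
  if (parts.length != 3) return null;
  try {
    final payload = json.decode(
        utf8.decode(base64Url.decode(base64Url.normalize(parts[1]))));
    final exp = payload is Map ? payload['exp'] : null;
    return exp is int ? exp : null;
  } on FormatException {
    return null; // malformed token: caller treats it as stale
  }
}

// True when the token is missing, unparsable, or expires within [margin].
bool isStale(String? jwt, DateTime now, Duration margin) {
  final exp = jwt == null ? null : jwtExpiry(jwt);
  if (exp == null) return true;
  final expiry = DateTime.fromMillisecondsSinceEpoch(exp * 1000, isUtc: true);
  return !now.toUtc().add(margin).isBefore(expiry);
}

// Returns a token safe to send, calling [refresh] at most once. [refresh] is a
// hypothetical hook, e.g. one that awaits supabase.auth.refreshSession().
Future<String> freshAccessToken(
    String? current, Future<String?> Function() refresh,
    {Duration margin = const Duration(seconds: 30), DateTime? now}) async {
  final t = now ?? DateTime.now();
  if (!isStale(current, t, margin)) return current!;
  final renewed = await refresh();
  if (isStale(renewed, t, margin)) throw StateError('no usable token; sign in again');
  return renewed!;
}

// Constructed, unsigned sample token (not a real credential).
String sampleJwt(int exp) => [{'alg': 'none'}, {'exp': exp}]
    .map((o) => base64Url.encode(utf8.encode(json.encode(o))).replaceAll('=', ''))
    .followedBy(['sig']).join('.');

Future<void> main() async {
  final now = DateTime.utc(2024, 1, 1, 12);
  final s = now.millisecondsSinceEpoch ~/ 1000;
  final token = await freshAccessToken(
      sampleJwt(s - 4000), () async => sampleJwt(s + 3600), now: now);
  print('replaced expired token: ${jwtExpiry(token) == s + 3600}');
}
```

Failing closed when the refresh yields nothing usable keeps an expired token from being sent and surfaces the sign-in path instead of a 403 from the backend.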
@ArbazIrshad And this is with supabase-flutter? |
Yes, currently facing this issue with supabase-flutter. |
Please fix |
This issue should not be happening. supabase-flutter will refresh the token automatically if the token has expired. If you really believe you are facing this issue, please provide a public GitHub repo with minimal code to reproduce this issue. |
@dshukertjr Hello Tyler :D In theory, the refresh token should be updated upon expiration. However, in practice, I encountered an issue with supabase-flutter 2.8.1. After a while (maybe more than an hour), when I reopened the app and connected to the realtime channel, I received an error message indicating the token had expired: Upon reviewing the source code, I found that the realtime auth token should be updated if supabase-flutter/packages/supabase/lib/src/supabase_client.dart Lines 359 to 369 in c971786
Therefore, the realtime auth token was not updated because the token refresh did not occur as I think

Realtime connect source:

```dart
void warmUpLobby() {
  logger.i('Warm up lobby');
  warmUpLobbyChannel = supabase
      .channel('lobby')
      .onPostgresChanges(
          event: PostgresChangeEvent.insert,
          schema: 'public',
          table: 'players',
          filter: PostgresChangeFilter(
            type: PostgresChangeFilterType.eq,
            column: 'user_id',
            value: authService.userId,
          ),
          callback: _handleWarmUpPlayerCreated)
      .onSystemEvents(_handleSystemEvent)
      .subscribe(_handleSubscribeLobby);
}

Future<void> _handleSubscribeLobby(
    RealtimeSubscribeStatus status, Object? error) async {
  if ([
    RealtimeSubscribeStatus.channelError,
    RealtimeSubscribeStatus.timedOut,
  ].contains(status)) {
    logger.i('Subscribe lobby status: $status');
    logger.i('Subscribe lobby error: $error');
    showDialog(
        context: Get.context!,
        builder: (context) => AlertDialog(
              title: Text('Status: $status'),
              content: Text('Error subscribing to lobby: $error'),
            ));
    await _restartLobbySubscription();
  }
}
```
|
Your access token is being refreshed, but you are trying to connect to Realtime before you receive the new accessToken, which is causing this error is what I think is happening here. This should certainly be handled by the client, so we will confirm on our end if this is really happening, but make necessary changes. For now, you can just make sure to only connect to realtime after you receive the |
@dshukertjr Thank you. Just to confirm, I’ve already addressed this case across all real-time channels, and I hope it resolves the issue.

```dart
Future<void> _handleSubscribeLobby(
    RealtimeSubscribeStatus status, Object? error) async {
  if ([
    RealtimeSubscribeStatus.channelError,
    RealtimeSubscribeStatus.timedOut,
  ].contains(status)) {
    logger.i('Subscribe lobby status: $status');
    logger.i('Subscribe lobby error: $error');
    if (error.toString().contains('Invalid value for JWT claim')) {
      logger.i('Session is expired while warm up lobby, refreshing session');
      await supabase.auth.refreshSession();
    }
    await _restartLobbySubscription();
  }
}
```
|
@zcmgyu Not sure if that will fix the issue, but did it work? Once this version is released, it should fix the issue for you. |
@dshukertjr I'm not sure it worked. Until now, that issue did not occur. Waiting for it :D |
In our case token wasn't automatically refreshing in the background after upgrading to 2.8.2 release. Desktop and mobile seem to be unaffected and refreshing takes place normally on 2.8.2. |
Describe the bug
Since 1 week and a couple of days ago, we have had a problem in our application. Basically, before this time, users logged in with OTP normally and had a refresh token automatically, everything good.
But now, after these days, when a user logs in with OTP, this generates a valid token, but if they close and access the app again after 1 hour, they are logged out, because the token is no longer valid.
The problem is, I have used Supabase for 1 year and never had this problem. I use Supabase.initialize every time on app start, and this checks if the old token is valid and, if not, refreshes it. But now it doesn't work anymore.
Debugging, I see the client.auth.session <- it's coming back null in the app after this 1 hour time.
To Reproduce
Only start Supabase.initialize, this generates a token in the console -> put the app closed in the background, and re-open after a medium time, this returns the same token (doesn't refresh).
Expected behavior
The token needs to be refreshed when I open the app again, when the old token is not valid, and the goTrue Session should not be null.
Screenshots
Version (please complete the following information):
On Linux/macOS
I'm using latest version of Flutter, and latest version of Supabase supabase_flutter 2.5.1.
On Windows
Additional context
I think I explained all the info.