Hi, I've been reading a lot of the messages regarding Auth and they all say that the acess & refresh token is stored in local storage with the

supabase.auth.token

key. Indeed supabase.io does the same. But in my NextJS app with auth-helpers I'm not seeing anything in local storage but two cookies with the name

sb-access-token

and

sb-refresh-token

. Can someone please explain why it's different for my app?

Hello @sbr! This thread has been automatically created from your message in #843999948717555735 a ``few seconds ago``. Pinging @User so that they see this as well! Want to unsubscribe from this thread? Right-click the thread in Discord (or use the ... menu) and select Leave Thread to unsubscribe from future updates. Want to change the title? Use the

/title

command! We have solved your problem? Click the button below to archive it.

@User the nextjs-auth-helpers manage tokens server-side via JWT which is more robust and where we'll be moving to in the near future for all of supabase

I see, thanks for your reply @User ! Can this move to cookies break an

onAuthStateChange

listener from triggering if the user logs out in a different tab?

yes, since it's not stored in localStorage, the change is not communicated across tabs. When using the auth helpers, you should use the logout API route instead: https://github.com/supabase-community/supabase-auth-helpers/blob/next/src/nextjs/README.md#basic-setup See example: https://github.com/supabase-community/supabase-auth-helpers/blob/next/examples/nextjs/pages/_app.tsx#L9

Do you mean that if a user logs out using

/api/auth/logout

instead of

supabaseClient.auth.signOut()

, the

onAuthStateChange

listener will be triggered?

the latter

Hmm but it doesn't seem to work in my app :/

given that all of the API routes are stateless functions, there's no way you can trigger sending data to call open tabs, since that would require a web socket connection, which isn't something you can do with lambda functions

Access token in cookies vs local storage

I think at best what could be done is that when a client with a stale session tries to make a request to say a protected route or an API route is to bounce the request with a SIGNED_OUT response that clears the client session state

Thanks @User that's a good approach. @User if your concern is someone leaving their session behind on a public computer for example, one thing you can do is expire the access token fairly quickly *default is 1h) e.g. set it to 5mins. When they log out, the refresh token associated with the access token is revoked, meaning after the access token expires they won't be able to refresh it.

yes, this and don't make requests directly to Supabase from within your client app, always route them through an API handler. Since the client doesn't have access to the auth cookies (only the API handlers in this case will receive them), I don't think the client can check the state of the cookies

We're setting the auth context on the supabaseClient on the client side: https://github.com/supabase-community/supabase-auth-helpers/blob/next/src/react/components/UserProvider.tsx#L55 so that works fine with client-side data fetching 👍

@User thanks for your replies! This is a good idea to route all Supabase requests through a NextJS api route. So if I understand you correctly, the client will have to read the

sb-access-token

cookie every time it makes a request to Supabase instead of using the stored credentials like @User pointed out here https://github.com/supabase-community/supabase-auth-helpers/blob/next/src/react/components/UserProvider.tsx#L55 ?

Have you tried to use it with React Native? I have created a custom client like https://supabase.com/docs/guides/with-expo but when initializing the provider it crashes