# help
m
Hello, is the supabase session supposed to be permanent like firebase? I am having problems getting the user to be constantly logged in. I need the session to be resilient to the client being offline or the server being down. Right now it seems like if the token refresh fails once, the session will be completely wiped out and my refresh token is lost.
g
The Supabase client maintains persistence on a browser with local storage by storing session there.
m
Yes, I expected that. The problem we have now is that after a while the session stops refreshing and Supabase deletes all the session data from local storage.
g
So is it possible the refresh token that is saved is being used on another browser for the account? Is storage cleared when you come back, or after Supabase client init?
m
huh, interesting, we are using the same account for testing across multiple browsers
could the problem be that the refresh token is single use and after that we have to get a new one?
also that each time a refresh token is generated, the old one is invalid?
g
Absolutely. Refresh token is good once. That is how the JWTs are safe. You can’t get more than one.
m
interesting, I wonder how firebase does it then, because we never had a problem maintaining that session permanently
g
Their refresh token is only expired on major events: user account changes and a few other events. GoTrue and SB use this method: https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation. Why Firebase's method is secure for them while the rotation method is used here is something I've not researched.
Just a quick glance, and Firebase appears to also use token rotation for their REST API versus the client. But this was a quick look and I did not look at dates, just the first hit.
m
I found the `auth.refresh_tokens` table in my db, and also checked across the browsers, and the refresh token is not being invalidated when multiple sessions are used at the same time.
As you can see here, I have two refresh tokens for the same user and neither of them is revoked.
g
Sorry, I'm probably wrong on the rotation then. I've seen discussions though that signing out kills all sessions. Thinking about rotation, if it was being used it would have to allow multiple browsers at the same time on an account, which does work, I know that. I'm traveling and can't look, but does each session have its own refresh token?
From gotrue:
```go
// Logout deletes all refresh tokens for a user.
func Logout(tx *storage.Connection, instanceID uuid.UUID, id uuid.UUID) error {
	return tx.RawQuery("DELETE FROM "+(&pop.Model{Value: RefreshToken{}}).TableName()+" WHERE instance_id = ? AND user_id = ?", instanceID, id).Exec()
}
```
m
From what I have seen, rotation does happen as you mention, however it is possible to have 2 sessions in parallel until one of them signs out.
Yes, I just tested that hahahaha
Logged out and saw all tokens were removed.
That makes sense.
g
So each session is an independent token chain until sign out.
m
Right.
However, it seems like if the connection is disturbed somehow, Supabase signs out and does not allow refreshing the token.
That was a problem I ran into before testing it with multiple people.
g
Could be something going on... https://github.com/supabase/supabase-js/issues/254, but the thread is somewhat unclear, at least at a quick glance.
m
Interesting.
This seems to be the problem for me: when refreshing, the session and the user get reset to null.
I try to refresh the session when I recover internet; it may be possible that Supabase does it at the same time and removes the session before I check it.