Updating & refreshing user metadata causes Error "Invalid Refresh Token: Already Used" #755
Comments
+1 also hitting this in our production app. Not a blocker, but hugely painful to have to log out and log back in every time to manually reset the token. For our use case, we use
Normally we call But after refreshing the browser tab it loads org
@skoshx i can't seem to reproduce the issue on my end - this is the code i'm using to test: https://gist.github.com/kangmingtay/c3559556033ba599f51182cf5956ac6c
The access and refresh tokens are created by gotrue as gotrue acts as the intermediary. If you need the tokens returned by google, you need to retrieve the Based on your code, you don't need to call
@kangmingtay, the problem is that
This feels like an issue for another repo.
This was fixed recently in the auth-helpers by a PR from a user supabase/auth-helpers#617
I see that now the session is updated, which is good. I'm wondering, though: does the refreshed session also make it so that the refresh token rotates? Just wondering whether the auth-helper fix really closes out this issue.
Bug report
Describe the bug
I'm trying to use the Supabase user metadata as a means of storing user metadata (like preferences, e.g. is_subscribed_to_newsletter), since it seems way more intuitive than having a clone of it in Postgres, and updating those... This is my code:
Basically, the first time I update any user metadata, it works perfectly, but the second time and all times after that I get the error "Invalid Refresh Token: Already Used".
As seen here and here, other people are also facing this issue.
To Reproduce
Expected behavior
I expect the refreshSession to also refetch a new refresh-token, while refetching updated account information for the useUser hook.
Being able to use the user_metadata field for small personal user preferences is super good for DX. I always cringed at the idea of creating some Postgres triggers (that last I checked weren't even production ready) only to create a matching public.users table that then contained the user's data, when we could just use the user_metadata itself.
Screenshots
If applicable, add screenshots to help explain your problem.
System information
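
A simplified model of single-use refresh tokens, added here as an illustration; it is not code from gotrue, auth-helpers, or anyone in this thread, and every class and function name in it is hypothetical. It assumes the server rejects any refresh token that has already been exchanged, and shows that a client which keeps presenting the pre-rotation token succeeds once and then gets the reported error, while a client that stores the rotated token does not.

```javascript
// Server side (model): each refresh token can be exchanged exactly once.
class TokenStore {
  constructor() {
    this.tokens = new Map(); // refresh token -> { userId, used }
    this.counter = 0;
  }
  issue(userId) {
    // Constructed, predictable ids keep the example deterministic;
    // a real server generates tokens with a CSPRNG.
    const token = `rt-${++this.counter}`;
    this.tokens.set(token, { userId, used: false });
    return token;
  }
  refresh(token) {
    const rec = this.tokens.get(token);
    if (!rec) throw new Error("Invalid Refresh Token");
    if (rec.used) throw new Error("Invalid Refresh Token: Already Used");
    rec.used = true;                // rotation: the old token is now spent
    return this.issue(rec.userId);  // the caller must keep this new token
  }
}

// Client that refreshes but never stores the rotated token.
class StaleClient {
  constructor(store, token) { this.store = store; this.token = token; }
  refreshSession() { this.store.refresh(this.token); } // new token discarded
}

// Client that replaces its stored token after every refresh.
class RotatingClient {
  constructor(store, token) { this.store = store; this.token = token; }
  refreshSession() { this.token = this.store.refresh(this.token); }
}

// Refresh twice with the given client type and record each outcome.
function runTwice(ClientClass) {
  const store = new TokenStore();
  const client = new ClientClass(store, store.issue("user-1"));
  const results = [];
  for (let i = 0; i < 2; i++) {
    try { client.refreshSession(); results.push("ok"); }
    catch (e) { results.push(e.message); }
  }
  return results;
}

console.log("stale client:   ", runTwice(StaleClient));
console.log("rotating client:", runTwice(RotatingClient));
```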