Hi supabase devs!

Currently we are using Supabase's client-side Auth in our next.js app, and bumped into a problem where a few users kept getting session expired and thus requesting new refresh tokens in the `supa.auth.getSession()` call. After following up with these users, we found that their local times were a lot earlier than the access token expiration time, causing newly fetched sessions to expire immediately (https://github.com/supabase/auth-js/blob/f131300d753634fcf3fbc93dc7a762031f096749/src/GoTrueClient.ts#L1081-L1090).

Given that this `Date.now()` reads the epoch time purely using the user's local system info, potentially with a time drift against the server, we wonder if it is required to run the Auth logic on the server side?

We can fairly easily reproduce this problem just by setting our system time to be `JWT.exp + 1 minute` before the actual time.

Related discord question: https://discord.com/channels/839993398554656828/1252203935075405855

Thanks,
Ye