
# Apply @supabase/ssr PR #176 fix for CDN cache prevention #592

Merged: larbish merged 7 commits into nuxt-modules:main from jlemonz:main on Apr 3, 2026

jlemonz (Contributor) commented Apr 1, 2026

Apply @supabase/ssr PR #176 fix for CDN cache prevention

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

This PR applies the fix from supabase/ssr#176 to prevent CDN caching of authentication responses.

Problem

When @supabase/ssr refreshes a session server-side, the new JWT is written to the response via Set-Cookie. If a CDN (CloudFront, Vercel Edge, Cloudflare, etc.) caches that response and serves it to a different user, that user's browser stores the cached token and is signed in as the wrong person. This has been confirmed in production by multiple users.

See: supabase/supabase-js#1682

Solution

Updated the setAll cookie callback to accept a second parameter headers: Record<string, string> containing cache control headers. When @supabase/ssr refreshes tokens, it now passes these headers:

{
  'Cache-Control': 'private, no-cache, no-store, must-revalidate, max-age=0',
  'Expires': '0',
  'Pragma': 'no-cache'
}

These headers are automatically applied to the HTTP response to prevent CDN caching.

Changes Made

  1. Updated @supabase/ssr from ^0.9.0 to ^0.10.0 (includes the upstream fix)
  2. Modified src/runtime/utils/cookies.ts:
    • Added setHeader import from h3
    • Updated setCookies function to accept optional headers parameter
    • Added logic to apply cache control headers to HTTP response
  3. Updated src/runtime/server/services/serverSupabaseClient.ts:
    • Modified setAll callback to accept and pass headers parameter
  4. Updated src/runtime/plugins/supabase.server.ts:
    • Modified setAll callback to accept and pass headers parameter

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes (if not applicable, please state why)
    • Tests not added as this follows the implementation from upstream @supabase/ssr which has its own test coverage. The fix is a direct integration of the upstream changes.

Related Issues
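
The effect of forwarding the refresh headers, as an added example that is not part of the PR or the module's code: a stand-in `setAll` writes a constructed session cookie with and without the headers quoted in the description, and a hypothetical audit helper, `cookieResponseIsShareable`, flags a response that sets a cookie without `private` or `no-store`. The `Res` type, both function bodies and the cookie name and value are assumptions; the PR itself applies the headers with `setHeader` from h3.

```typescript
// Added example. Only the header values and the idea of a second `headers`
// argument come from the PR description; every other name is hypothetical.
type CookieToSet = { name: string; value: string };
type Res = { headers: Record<string, string[]> };

// Cache headers the PR description says @supabase/ssr passes on token refresh.
const REFRESH_HEADERS: Record<string, string> = {
  'Cache-Control': 'private, no-cache, no-store, must-revalidate, max-age=0',
  'Expires': '0',
  'Pragma': 'no-cache',
};

// Stand-in for a setAll callback: writes cookies, then applies any headers given.
function setAll(res: Res, cookies: CookieToSet[], headers?: Record<string, string>): void {
  for (const c of cookies) {
    const line = c.name + '=' + c.value + '; Path=/; HttpOnly; SameSite=Lax';
    res.headers['set-cookie'] = (res.headers['set-cookie'] || []).concat(line);
  }
  const extra: Record<string, string> = headers || {};
  for (const key in extra) {
    res.headers[key.toLowerCase()] = [extra[key]]; // replaces an earlier value
  }
}

// Audit check: true when a response sets a cookie but carries neither
// `private` nor `no-store`, so nothing tells a shared cache to stay out.
function cookieResponseIsShareable(res: Res): boolean {
  if (!(res.headers['set-cookie'] || []).length) return false;
  const directives = (res.headers['cache-control'] || []).join(',')
    .toLowerCase().split(',')
    .map(function (d) { return d.trim().split('=')[0]; });
  return directives.indexOf('private') === -1 && directives.indexOf('no-store') === -1;
}

// Constructed sample: a refreshed session cookie with a placeholder value,
// on a page the application had marked as publicly cacheable.
const refreshed: CookieToSet[] = [{ name: 'sb-example-auth-token', value: 'PLACEHOLDER' }];

const before: Res = { headers: { 'cache-control': ['public, max-age=60'] } };
setAll(before, refreshed);                   // callback that ignores headers
const after: Res = { headers: { 'cache-control': ['public, max-age=60'] } };
setAll(after, refreshed, REFRESH_HEADERS);   // headers forwarded, as in the PR

console.log(cookieResponseIsShareable(before), cookieResponseIsShareable(after));
```

The same check can be run over recorded response headers from an auth-refreshing route to confirm that the upgrade took effect behind a CDN.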

vercel bot commented Apr 1, 2026

@jlemonz is attempting to deploy a commit to the NuxtLabs Team on Vercel.

A member of the Team first needs to authorize it.

pkg-pr-new bot commented Apr 1, 2026

npm i https://pkg.pr.new/@nuxtjs/supabase@592

commit: b5ab4c9

larbish (Member) left a comment

Thanks a lot @jlemonz

Can you please remove the logger which is not related to this PR? I'll merge then 👍

larbish (Member) left a comment

I did remove the logger myself 👌

larbish merged commit eaee981 into nuxt-modules:main on Apr 3, 2026
2 of 4 checks passed

jlemonz (Contributor Author) commented Apr 3, 2026

Yes thank you. Do note I am not a senior dev.

jlemonz (Contributor Author) commented Apr 7, 2026

Any timeframe when this will be released? Also maybe include the newly released https://github.com/supabase/supabase-js/releases/tag/v2.102.0 ?

larbish (Member) commented Apr 7, 2026

It has been released in https://github.com/nuxt-modules/supabase/releases/tag/v2.0.5

Development

Successfully merging this pull request may close these issues.

session send to other user
