
supabase.auth.set_session does not like the access token (Incorrect padding error raised) #322

Closed
jbasko opened this issue Feb 9, 2023 · 1 comment

Comments

@jbasko

jbasko commented Feb 9, 2023

Python package versions:

  • gotrue==1.0.0
  • supabase=1.0.0
  • Python 3.9.11
  1. On client side I retrieve access token with @supabase/auth-helpers-react's useSession().access_token. I send this token via header to the server side.
  2. On server, I can successfully use this token with supabase.auth.get_user(jwt=access_token) where supabase is created with create_client and anon key passed in. I get back the user as specified in the token.
  3. Now the bug (in my view) is that I cannot use this same access token with supabase.auth.set_session.

The error is being thrown in gotrue/helpers.py in decode_jwt_payload. The error is binascii.a2b_base64(s) binascii.Error: Incorrect padding. It fails to parse the middle (the main) part of the access token. If I pad the middle part (just before decoding by editing gotrue code) with == then it works fine and I am able to set the session.

Of course, if I do the padding earlier where I pass the token then the signature of the token becomes invalid.

Here is an example token I am getting with a JS client for which the error happens:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRoZW50aWNhdGVkIiwiZXhwIjoxNjc1OTc3ODk3LCJzdWIiOiI4NDY1ZTgyZS01YjZkLTRkYmEtODI5Yy03YjA4MmYxM2UzNTYiLCJlbWFpbCI6ImphemVwc0BleGFtcGxlLmNvbSIsInBob25lIjoiIiwiYXBwX21ldGFkYXRhIjp7InByb3ZpZGVyIjoiZW1haWwiLCJwcm92aWRlcnMiOlsiZW1haWwiXX0sInVzZXJfbWV0YWRhdGEiOnt9LCJyb2xlIjoiYXV0aGVudGljYXRlZCIsInNlc3Npb25faWQiOiJjNDMyNGVlOC00NWM2LTRhMDktYWNlZS0wMzY3ODk5YTMxNTIifQ.SZuTGp0LXIeSWRQJMGhh_2DmO2dIFsFADlnvjfwpouc

I have tried several tokens and this happens for all of them. Once again, if I "fix" the padding manually then set_session works.

UPDATE 2:

There are two issues in the way. 1) Setting the session, 2) Updating the already initialised postgrest client (it's really bad design to eagerly instantiate them all in __init__ — should have happened lazily or should be reinitialised in set_session).

My workaround for set_session (notice also the last line):

import base64
import json
from time import time
from typing import Union

# Assumed import paths for gotrue 1.0.0: Session from gotrue.types,
# AuthSessionMissingError from gotrue.errors.
from gotrue.errors import AuthSessionMissingError
from gotrue.types import Session


def set_supabase_session(sup, access_token, refresh_token):
    """
    Workaround for the buggy supabase.auth.set_session method
    which fails to decode the access_token.

    The only changes:
    1) Do not return AuthResponse
    2) _decode_jwt call replaced.
    """

    time_now = round(time())
    expires_at = time_now
    has_expired = True
    session: Union[Session, None] = None
    if access_token and access_token.split(".")[1]:

        # start of _decode_jwt replacement:
        parts = access_token.split(".")
        if len(parts) != 3:
            raise ValueError("JWT is not valid: not a JWT structure")
        # JWT segments are base64url with the '=' padding stripped: restore exactly
        # the missing padding and use the urlsafe decoder so that '-' and '_' in the
        # payload are decoded rather than silently dropped by base64.b64decode.
        segment = parts[1] + "=" * (-len(parts[1]) % 4)
        payload = json.loads(base64.urlsafe_b64decode(segment).decode("utf-8"))
        # end of _decode_jwt replacement

        exp = payload.get("exp")
        if exp:
            expires_at = int(exp)
            has_expired = expires_at <= time_now
    if has_expired:
        if not refresh_token:
            raise AuthSessionMissingError()
        response = sup.auth._refresh_access_token(refresh_token)
        if not response.session:
            return
        session = response.session
    else:
        response = sup.auth.get_user(access_token)
        session = Session(
            access_token=access_token,
            refresh_token=refresh_token,
            user=response.user,
            token_type="bearer",
            expires_in=expires_at - time_now,
            expires_at=expires_at,
        )
    sup.auth._save_session(session)
    sup.auth._notify_all_subscribers("TOKEN_REFRESHED", session)

    # !!! The postgrest client was built eagerly in __init__ with the anon key,
    # so it must be told about the new token explicitly or queries keep running
    # as anon instead of as the signed-in user.
    sup.postgrest.auth(access_token)
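An added example, not code from the issue or from gotrue, that decodes the token quoted above the way RFC 7515 requires (base64url, padding restored from the segment length) and shows why padding the token itself, as the report describes, breaks its HS256 signature: the MAC covers the exact `header.payload` bytes. SAMPLE_SECRET and the minted claims are constructed for the demo; the real token's secret is unknown, so only its payload is decoded.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Access token quoted in the issue above; its signing secret is unknown, so only
# its payload is decoded. SAMPLE_SECRET is a constructed value for the demo.
ISSUE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhdWQiOiJhdXRoZW50aWNhdGVkIiwiZXhwIjoxNjc1OTc3ODk3LCJzdWIiOiI4NDY1ZTgyZS01YjZkLTRkYmEtODI5Yy03YjA4MmYxM2UzNTYiLCJlbWFpbCI6ImphemVwc0BleGFtcGxlLmNvbSIsInBob25lIjoiIiwiYXBwX21ldGFkYXRhIjp7InByb3ZpZGVyIjoiZW1haWwiLCJwcm92aWRlcnMiOlsiZW1haWwiXX0sInVzZXJfbWV0YWRhdGEiOnt9LCJyb2xlIjoiYXV0aGVudGljYXRlZCIsInNlc3Npb25faWQiOiJjNDMyNGVlOC00NWM2LTRhMDktYWNlZS0wMzY3ODk5YTMxNTIifQ."
    "SZuTGp0LXIeSWRQJMGhh_2DmO2dIFsFADlnvjfwpouc")
SAMPLE_SECRET = b"constructed-demo-secret"

def b64url_decode(segment: str) -> bytes:
    # base64url alphabet, '=' padding stripped (RFC 7515): restore it from the length.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT is not valid: not a JWT structure")
    return json.loads(b64url_decode(parts[1]))

def naive_decode_fails(token: str) -> bool:
    # The decode path the issue describes: standard b64decode on the unpadded segment.
    try:
        base64.b64decode(token.split(".")[1])
        return False
    except binascii.Error:
        return True

def hs256_valid(token: str, secret: bytes) -> bool:
    # The MAC covers the exact "header.payload" bytes the client sent.
    header, payload, signature = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature))

def mint_hs256(claims: dict, secret: bytes) -> str:
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def pad_token_payload(token: str) -> str:
    # What "fixing" the padding inside the token itself does to it.
    header, payload, signature = token.split(".")
    return f"{header}.{payload}==.{signature}"
```

A padded token still decodes (the lenient decoder ignores excess padding) but no longer verifies, which is the behaviour the report observed when padding before passing the token on.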
@J0 J0 transferred this issue from supabase-community/supabase-py Sep 15, 2023
@J0
Collaborator

J0 commented Sep 16, 2023

Hey this should be patched now but let us know if there are further issues.

Thanks!


@J0 J0 closed this as completed Sep 16, 2023