New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid Refresh Token: Refresh Token Not Found #436
Comments
One of the places I found this error is when calling getSession, it sees the session as expired, then calls the gotrue api to try and refresh the session. Part of that process is trying to find a user that has the refresh token. If something goes wrong when searching for a user, it'll return this error. Can you look in your auth.refresh_tokens table and find an entry that matches the token? |
Yeah, that exactly the call that it's giving me that error.
What should I look here? Whenever I get the error, I try to find a refresh token that matches the current token? Btw, a temporary "solution" was to increase the user session from 1 hour to 1 week, so it minimize the error occurrence. |
Yes What's the timeframe between when a user signs in and when this error occurs? |
Need to investigate, the application is production — what would be the best way to track this? Should I change the session time to 1 hour again and see if the error happens with more frequency? |
Did you ever solve this issue? Im running into the same problem |
Not sure why, but this happened on my local dev server, and when I restarted, the problem was gone. J |
I am trying to refresh user data by calling |
This comment was marked as off-topic.
This comment was marked as off-topic.
Increasing the interval "solved" the issue. I don't think this is the ideal solution, but for me it stopped breaking the application at least. |
What did you increase this to? I'm also running into this issue with |
But is this also a solution, or will it only make the issue very less like to happen? So in the example of this max seconds being a week, will will get the error again if we logon to the app only to open it 8 days later..? |
Also experiencing this |
Ok, I have a reproducible Scenario where this happens on my server. I can't seem to log the user out in a proper way, maybe like the signOut api I guess I have to automatically clear cookies of users every time I encounter this? Please let me know if I'm wrong here. I need help. EDIT: not really sure it is because of multiple instances at this moment. might just be other bug. |
@david-plugge is this similar to #343 ? |
Now getting same problem. Not quite sure what triggered it in the first place as it was working ok until now. It might be that I logged out the user and since I logged back in, it started giving this error. Increasing JWT expiry (to several values and up to maximum) and increasing reuse interval in settings/auth did not solve it for me. This is all with local development in NextJS 13, logging in with Google OneTap. |
We haven't been able to reproduce this issue and will find it hard to fix since we have no way of seeing or testing the issue. Can one of you on the thread provide a reproducible repository with the issue so we can take a look at it. |
@silentworks - One of the ways this has been triggered is by logging in to my website, then running There are other cases, and as I find them (may be randomly in the future), I will post a repo and try and replicate it. I can't speak for anyone else. J |
This comment was marked as off-topic.
This comment was marked as off-topic.
I think I found a reproducible one which produces a similar result. Could you please try this scenario?
[AuthApiError: Invalid Refresh Token: Refresh Token Not Found] {
1|vhub_fe | __isAuthError: true,
1|vhub_fe | name: 'AuthApiError',
1|vhub_fe | status: 400
1|vhub_fe | }
Disclaimer here is that my bug happens to have same result, but I never log out of the app nor do I turn off my server. My server is always online, and "Refresh token not found" happens after some time has passed. Also not sure what the expiry was set in cookie for the actual error scenario, but in actual scenario, the error persisted even if I closed the browser and reentered the website. My current solution to bypass const res = NextResponse.next();
const supabase = createMiddlewareClient<Database>({ req, res });
const {
data: { session },
error,
} = await supabase.auth.getSession();
if (error) {
res.cookies.delete("my-auth-token-name");
return ["error", res];
} |
@seho0808 Thank you for providing the solution. I'm facing the same issue. |
@seho0808 those steps don't make sense as that is intentionally creating an issue. The auth-helpers does auto-refreshing of the token so you logging out would remove the whole effect of the auto-refreshing happening. Please provide an example app repository simulating this issue whilst logged in. Intentionally breaking the flow to create an issue isn't a good way to fix an issue. |
I apologize for a bad example. I couldn't find a way to reproduce it so I shared a closest example to what I can simulate. I will try not to provide such examples from now on. Thank you for the reply! |
I believe the issue is that you have info in your cookies that references a deleted user. |
the issue is still there. Any solution or workaround? @wdavidturner I have the same issue, it happens when the auth token expires but the user is still logged in. |
I have the same error, I deleted user in auth tab while beeing login on my localhost, clearing cookies do nothing |
I think I will just move to next auth for now :( |
I encountered this error during testing due to being logged in with a cookie from a user I deleted from my database. I seem to have fixed it with this workaround, which clears all Supabase-related cookies if this error is thrown:
|
By the way, for reproducibility purposes, here's the context in which I encountered this error: I have two separate Supabase projects that I test on the same 'http://localhost:3000". When I toggle between them, I often find myself logged in with cookies for the wrong project, and my middlewar throws this error. |
Am I correctly understanding that the issue here is that supabase is handling refresh tokens behind the scenes in many cases, but when an expired session is still active,
|
You nailed it. Note also that the cookie names generated by the SSR package include a random hash. So even if you want to manipulate them manually you can't because you don't know the name. My preference would be that supabase automatically deletes the expired cookie and returns a null session (indicating the user is not logged in). Note that this problem can be resolved manually now that the issue with setting a custom cookie name has been fixed. (You can set your own name for the cookie by passing an option to "creatServerClient") This means if this error occurs, you can just delete the cookie. And follow what ever your normal flow is for unauthenticated users. Alternatively you can use the solution mentioned above and just remove all cookies starting with "sb-". This is the solution we initially implemented to get around the problem |
I do not see this behavior on a new Seemingly, the token refresh behavior is taken care of. This is after around 1 day of letting the token expire etc. Note that the (obviously, you can delete those extraneous
This is with everything at their latest versions on a fresh project using Again it seems all good, even after multiple expirations take place, it seems to refresh properly. |
Ugh, and still no good solution to this problem? Because I tried everything I found in github issues, reddit and there is still no valid workaround it seems. |
From what I've found, it seems that the refresh token workflow works well until supabase/ssr decides to split the cookie in two chunks. Maybe the refresh token code misses to handle this situation. In my case, the refresh token workflow works well with email login, but it doesn't work properly with google signin/up as it pulls all user info in cookies and it gets split. I didn't found time to investigate this further and submit a PR yet, so take it with a grain of salt. In the meantime, going back to old auth-helpers package helps, but this would be really awesome for the refresh token workflow to work again reliably with supabase/ssr - because as of today users are forced-unlogged as soon as the JWT token expires (1h by default) |
This happens when i have an old token, calling getUser() doesn't overwrite the old token unless i sign in again. Any ideas on workarounds? |
commenting because I'm also experiencing this issue with social logins (azure specifically). the user being logged out every hour isn't a huge issue in my scenario but definitely inconvenient. |
Hi folks, any update on this? I keep getting 404 on the site I'm building if I don't visit it for a few hours. This is terrible for business critical apps and users who won't bother in refreshing the page (which I assume are all). I'm seriously thinking about migrating away if this is not resolved (which is also frustrating giving all the hours I invested in making it work with Supabase). |
OK thanks for this insight. I'll check the code there. |
These are some fixes I identified that could be causing weird issues: #760 |
Also one thing that may be confusing you is if you are getting this error on How many of you are actually seeing this on a real, live project (or staging environment) -- not local development? |
Thanks for starting investigations, really appreciated! I moved on to something else so I won't be able to give more valuable feedback moving forward, but I have to say that I had invalid refresh token happening on prod on my end sadly, not just localhost |
OK I've done a deep dive into this with NextJS. It is very important for your If it's just a bit off, your server-rendered pages and components won't see the correct state and all hell will break loose. https://supabase.com/docs/guides/auth/server-side/creating-a-client?environment=middleware |
I'm seeing this is production with Remix but interestingly I haven't been able to reproduce on localhost |
@hf Thanks you for the investigation! I am also seeing this issue in production with Remix deployed to cloudflare pages. A log is below. This event occurs only rarely, but a few users have encountered this issue.
|
I can reproduce it in production always. I just need to wait less than a day, I check the production site and it always fails on the first load. |
I understand that this is ideal, but in a real application the middleware could look different. In my case I have next-intl configured: next-intl modifies the middleware https://next-intl-docs.vercel.app/docs/getting-started/app-router#middleware So for example, I need to modify the matcher, which it may create some problems? |
Any updates on this? Our users get signed out at random times because of this and it's a big issue for our app. |
@cervantes-x I found out they changed the docs few months ago with a suspicious change:
I had in my middleware:
but in the docs now says:
I haven't tested it yet, but any application created prior to that change (4 months ago) I guess should update to that. I'll monitor my app for a while and post some update. |
This seems to have helped, however every user that's visited the site since this change has had to manually clear their cookies, otherwise they were permanently met with a Once |
It sounds like you're suspecting that the issue might not be resolved because the getUser method is calling the same getSession method(https://github.com/supabase/auth-js/blob/bd91e72824ceb075f6fca7ae25bf9f066e6508d2/src/GoTrueClient.ts#L1195-L1207). In fact, in my application, I'm experiencing |
ok, it didn't solve the issue. I'm tired of this and no support from Supabase. |
Bug report
Describe the bug
I'm currently getting
Invalid Refresh Token: Refresh Token Not Found
error in my Next.js middlewareA clear and concise description of what the bug is.
To Reproduce
I think the issue is pretty similar to this one:
supabase/auth-js#323
Steps to reproduce the behavior, please provide code snippets or a repository:
Expected behavior
To logout the user, or keep them signed in
A clear and concise description of what you expected to happen.
Screenshots
If applicable, add screenshots to help explain your problem.
System information
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: