Not possible to keep user signed in

[mousindev]

Bug report

Describe the bug

The issues is that the user gets kicked off the app and needs to sign in again over and over.
After checking the many threads on this issue, these are the two scenarios we face:

1. The token gets refreshed when I come back to the application after 1 hour which is the default expiration time (see screenshot below where the event is captured), but the immediate next call (and all subsequent ones) fail with the error message "JWT expired"
   

2. If I take way longer to come back to the application, the token does not get refreshed an the next request fails with a "invalid_grant Invalid Refresh Token" error.

To Reproduce

The project is using supabase-js and Angular installed as PWA

1. Create the SupabaseClient with autoRefreshToken set to true.
2. Sign in a user with supabase.auth.signIn({ email: email, password: password });
3. Leave the application idle for a bit more than 1 hour for the first case described, or for several hours for the second one

Expected behavior

We are porting from Firebase to Supabase, and our understanding was that the autoRefreshToken should help achieving keeping the user signed in.
There are some other threads where it is proposed to check the result of every call, and if the error is "JWT expired" then try to sign in the user again in the background and retry the original call, but that would be a workaround more than the solution.

System information

• Version of supabase-js: 1.33.3

Additional context

Just to say that we are loving Supabase. It would be great to be able to keep our users signed in automatically, otherwise it will be hard to deploy the version backed by Supabase rather than Firebase. Thanks!

[kiwicopple]

Hey @nereolopez - just a quick check: what platform/framework are you using?

[mousindev]

Hey @kiwicopple , thanks for your message. We are using Angular's latest version and Supabase directly

[mousindev]

Hi @kiwicopple, just wanted to check if there is any progress on this? I personally don't know where the issue is coming from, but if somehow we could support or contribute, we can try with some guidance. Thanks!

[kiwicopple]

This one is getting worked on over here! #274

[mousindev]

Great news! I will keep an eye on it and test it as soon it is available, both in the browser and in Android/iOS installed as a PWA. Thanks!

[mousindev]

Hi @kiwicopple, we noticed something additional (not sure if related, but in case it gives any hint).

When opening the App (be it on the browser or on the phone as a PWA) we are automatically redirected to the Sign in page. This is because the Angular guard that checks that route makes the user stay in the Sign In page if there is no supabase.auth.user(), otherwise redirects the user to the home page. The strange thing there is that if I look at the LocalStorage I can see the supabase.auth.token entry, and, if I reload the page (or pull to reload on the PWA) then the next time the guard checks the supabase.auth.user() is no longer null and the user gets redirected to the home page directly.
As said, this is not always the case due to what we discussed prior in this thread that the session is not always kept alive.

It is a strange behavior and can't see why, but hope the info is helpful.

Thanks

[lebrinkma]

@nereolopez this sounds like the issue I tried to solve with #265, but I have not received any feedback on the PR so far.
supabase.auth.user() returns null if the session is currently refreshing after the token expired.

[anngbaum]

@nereolopez @lebrinkma we are also encountering the same challenge (React Native app on iOS) and my understanding from the comment here was that it's likely due to our use of AsyncStorage. between the token expiring from background + user being null on first load, it's been a bit difficult to ensure we're using the correct user auth. would love to see a solution like #265 go out!

[mousindev]

@anngbaum @lebrinkma, apologies for my delay, business trips are keeping me busy. Interesting the comment you linked, most likely it is scenario 3 which we are facing. The proposed solution supabase/gotrue-js#265 looks good. The only point I see is that then we have user and refreshedUser, and what this last one does (waiting in case there is a need of refresh and then return it) is what I would expect from the user directly. So not sure if it would be better to have that behavior inside the user itself. What do you think?

Also, I see that supabase/gotrue-js#274 that @kiwicopple mentioned is already closed. Is this available now if we update supabase-js version? Does it fix the problem we are describing?

Thanks to all!

[mousindev]

Quick update. I just tried by updating to the latest version in case changes were already there, and still face the same. Angular Guard is redirecting the user to the home page because session and user are null, but if I refresh, then it enters directly into the application.

Is there any workaround in the meantime that could be taken?

[anngbaum]

this was a helpful comment illustrating the delay, which I agree is still a problem for us as well.

the workaround that we're using is a listener onAuthStateChange which does successfully fire once the token is refreshed, and then using that to update the UI so that the user is taken directly into the application. It does cause an unfortunate flicker in the UI which is suboptimal, but at least prevents having to re-log in.

I asked a somewhat similar question in the #gotrue discord here but have not heard anything further, will let you know if that generates any responses though!

[J0]

Hey team,

Thanks for your patience -- we haven't forgotten about this issue and we'll be transferring this to the auth repo so we can best track this.
Thanks!