Cant log out deleted user with supabase.auth.signOut() #1550

Closed
SebasScript opened this issue Apr 18, 2024 · 3 comments · Fixed by supabase/auth-js#894
Labels
bug Something isn't working

Comments

@SebasScript

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

here is a linked discussion
delete user RPC causes subsequent signOut request to fail

Describe the bug

If a user deletes their account using the JavaScript SDK and the frontend calls supabase.auth.signOut() right after deleting the account, the signOut will fail and the local cookie won't be deleted.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  • create a cloud fn that can delete a user with a service key
const { data, error } = await supabase.auth.admin.deleteUser(
  'user_id'
)

on the frontend now call

// Delete the account through the cloud function, then try to sign out
const { error: deleteError } = await supabase.functions.invoke("delete-user");
const { error } = await supabase.auth.signOut();
console.log(error);

this will throw the following error

AuthApiError: User from sub claim in JWT does not exist
    at handleError (fetch.ts:71:9)
    at async _handleRequest (fetch.ts:150:5)
    at async _request (fetch.ts:117:16)
    at async GoTrueAdminApi.signOut (GoTrueAdminApi.ts:65:7)
    at async GoTrueClient.ts:1491:27
    at async SupabaseAuthClient._useSession (GoTrueClient.ts:991:14)
    at async SupabaseAuthClient._signOut (GoTrueClient.ts:1484:12)
    at async GoTrueClient.ts:1477:14

Expected behavior

user should be signed out and cookies / local session removed

System information

  • OS: [ Windows 11]
  • Browser chrome/brave
  • Version of supabase-js:
    "@supabase/ssr": "^0.3.0",
    "@supabase/supabase-js": "^2.42.4",
        SERVICE IMAGE      │        LOCAL         │   LINKED
  ─────────────────────────┼──────────────────────┼─────────────
    supabase/postgres      │ 15.1.0.137           │ 15.1.0.137
    supabase/gotrue        │ v2.148.0             │ v2.148.0
    postgrest/postgrest    │ v11.2.2              │ v11.2.2
    supabase/realtime      │ v2.28.23             │ -
    supabase/storage-api   │ v1.0.10              │ v1.0.10
    supabase/edge-runtime  │ v1.43.2              │ -
    supabase/studio        │ 20240408-6bf3b81     │ -
    supabase/postgres-meta │ v0.80.0              │ -
    supabase/logflare      │ 1.4.0                │ -
    bitnami/pgbouncer      │ 1.20.1-debian-11-r39 │ -
    darthsim/imgproxy      │ v3.8.0               │ -
@SebasScript SebasScript added the bug Something isn't working label Apr 18, 2024
@andymitchell

+1

In local development, I manually deleted/reset the database while still logged in, and thereafter could not log out using supabase.auth.signOut in the client.

It returned 403 forbidden every time.

Eventually, I cleared the session from LocalStorage in the browser.

@amadeus

amadeus commented Apr 21, 2024

I too seem to be hitting this, feels like a recent change that caused it

@encima encima transferred this issue from supabase/supabase Apr 22, 2024
@SebasScript
Author

SebasScript commented Apr 23, 2024

As a workaround, deleting the cookies for the site will log out the user

export default function deleteAllCookies() {
  var cookies = document.cookie; // Get all cookies as a single string
  var allCookies = cookies.split(";"); // Split into individual cookies

  for (var i = 0; i < allCookies.length; i++) {
    var cookie = allCookies[i].trim(); // Drop the space that follows each ';'
    if (!cookie) continue; // Skip empty entries (e.g. when no cookies are set)
    var eqPos = cookie.indexOf("="); // Find the first '='
    var name = eqPos > -1 ? cookie.substring(0, eqPos) : cookie; // Extract the cookie name
    document.cookie = name + "=;expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/"; // Set cookie to expire in the past
  }
}

This is going to remove all cookies for the site by setting their expiry date in the past. This simply removes all cookies. One could also remove specifically the Supabase cookies. You can call this after deleting the user instead of supabase.auth.signOut().
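
Added example (not part of the original issue thread and not Supabase's own code): a sign-out wrapper that, when signOut() returns an error as in the report above, expires only the Supabase auth cookies and storage keys rather than every cookie on the site. The `sb-<project-ref>-auth-token` naming pattern, the helper names and the sample cookie string are assumptions made for this example.

```javascript
// Added example, not Supabase code. Assumption: auth cookies and localStorage keys
// are named "sb-<project-ref>-auth-token", optionally with a ".0", ".1", ... chunk
// suffix or a "-code-verifier" suffix.
const SUPABASE_KEY = /^sb-[A-Za-z0-9_-]+-auth-token(\.\d+|-code-verifier)?$/;

// Constructed sample of a document.cookie string (values are placeholders).
const SAMPLE_COOKIES = "theme=dark; sb-abc123-auth-token.0=aaa; sb-abc123-auth-token.1=bbb; sbx=1";

// Names of the Supabase auth cookies present in a document.cookie string.
function supabaseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => (pair.includes("=") ? pair.slice(0, pair.indexOf("=")) : pair))
    .filter((name) => SUPABASE_KEY.test(name));
}

// Assignment string that expires one cookie. The path must match the path the
// cookie was set with; HttpOnly cookies cannot be changed from script at all.
function expireCookie(name, path = "/") {
  return `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
}

// Try the normal sign-out; if it returns an error, clear the local session anyway.
// `doc` is the browser document (or a stand-in with a `cookie` property) and
// `storage` is an optional Storage object such as localStorage.
async function signOutAlways(client, doc, storage = null) {
  const { error } = await client.auth.signOut();
  if (!error) return { error: null, cleared: [] };

  const cleared = supabaseCookieNames(doc.cookie);
  for (const name of cleared) doc.cookie = expireCookie(name);

  if (storage) {
    const keys = [];
    for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
    for (const key of keys.filter((k) => SUPABASE_KEY.test(k))) {
      storage.removeItem(key);
      cleared.push(key);
    }
  }
  return { error, cleared };
}
```

In the browser this would be called as `signOutAlways(supabase, document, localStorage)` right after the delete-user call.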
