
auth-token cookie exceeds 4096 bytes and is rejected by Chrome #1160

Open
2 tasks done
KrisBraun opened this issue Jun 28, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@KrisBraun

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Using the PKCE flow, under certain conditions the auth-token (JWT) returned by Azure causes the total cookie size to exceed the 4096-byte limit, so it is rejected by the browser. This causes the session not to be set and the user is signed out.

For me, this only happens in production when adding extra scopes. On localhost, because the cookie name sb-localhost-auth-token is fewer characters, the cookie just fits (4094 bytes).

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

(I realize these steps involve a closed-source deployment. I can develop a minimal, open-source reproduction in the future if needed.)

  1. Go to divvy.day and sign in. Only common, non-sensitive scopes are requested and the PKCE works well.
  2. Authorize calendar read access, which adds two scopes.
  3. This time, using the same PKCE flow (which works in development) the cookie is too large which results in the user being signed out.

Expected behavior

The auth-token cookie must be kept within the limit so it is set.

Screenshots

Screenshot 2023-06-28 at 11 40 40 AM

(Yes, I understand the risk of sharing auth tokens. This is only a fraction of the token.)

Screenshot 2023-06-28 at 11 41 27 AM

System information

  • OS: macOS
  • Browser: Chrome
  • Version of supabase-js: 2.26.0
  • Version of @supabase/auth-helpers-remix: 0.2.1
  • Running on Cloudflare Pages
@KrisBraun KrisBraun added the bug Something isn't working label Jun 28, 2023
@yndotdev

Hey @KrisBraun, did you ever find a solution to this? I'm getting something similar, but it only occurs when trying to sign into a single account. All other accounts work.

@KrisBraun
Author

Yes, I found that using a two-character cookie name just barely allows the value to fit. So:

// The same option applies to createClient, createServerClient and createBrowserClient
createBrowserClient(
  ...
  {
    cookieOptions: { name: "au" }, // two-character name keeps name + value just under the limit
    ...
  }
)
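A way to see why the cookie name alone decides whether the session survives, as an added example that is not from the issue or from supabase-js: Chromium rejects a cookie whose name plus value exceeds 4096 bytes (attributes are counted separately), so the same session value fits under a short name and is dropped under a longer one. The 4071-byte session value and the 20-character project ref below are constructed, not real tokens.

```javascript
// Chromium's per-cookie budget: name + value must not exceed 4096 bytes.
const MAX_NAME_PLUS_VALUE = 4096;

// Byte length as the browser sees it in a Set-Cookie header (UTF-8).
const byteLength = (s) => new TextEncoder().encode(s).length;

// Report how much of the budget a given name/value pair consumes.
function cookieBudget(name, value) {
  const used = byteLength(name) + byteLength(value);
  return { name, used, remaining: MAX_NAME_PLUS_VALUE - used, fits: used <= MAX_NAME_PLUS_VALUE };
}

// Check a raw Set-Cookie header: only the leading name=value pair counts toward the budget;
// attributes after the first ';' (Path, HttpOnly, Secure, ...) have their own limit.
function setCookieBudget(header) {
  const pair = header.split(";")[0];
  const eq = pair.indexOf("=");
  return cookieBudget(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
}

// Same session value under several candidate names, so the effect of name length is isolated.
function compareNames(value, names) {
  return names.map((n) => cookieBudget(n, value));
}

// Constructed stand-in for the serialized session (access + refresh token), 4071 bytes.
const SAMPLE_VALUE = "x".repeat(4071);

// Supabase auth-helpers name the cookie "sb-<project-ref>-auth-token".
const NAMES = [
  "sb-localhost-auth-token",            // 23 chars: local dev, as in the report
  "sb-abcdefghijklmnopqrst-auth-token", // 34 chars: constructed 20-char project ref (production)
  "au",                                 // 2 chars: the workaround from the thread
];

for (const r of compareNames(SAMPLE_VALUE, NAMES)) {
  console.log(`${r.name.padEnd(36)} ${r.used} bytes  ${r.fits ? "fits" : "REJECTED"}`);
}
```

Run the same check against the actual Set-Cookie header your deployment emits to see how many bytes of headroom are left before extra scopes or a longer token push it over.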

@maddy020

I am using Supabase for authentication with Next.js and writing my backend API in Express.
Cookies are being set on the HTTP server (my localhost), but in production (HTTPS) the cookies are not passed with the request headers.
How can I change the configuration of the cookie set by Supabase?
I have checked in my Application tab; the Secure attribute is false.
Maybe if I change this to true, things will work.
Correct me if I am wrong.

But the main question is how to change the configuration, so that I can access the token set in the cookies in Express and verify it in a middleware?


3 participants