Using the PKCE flow, under certain conditions the auth-token (JWT) returned by Azure causes the total cookie size to exceed the 4096-byte limit, so it is rejected by the browser. This causes the session not to be set and the user is signed out.
For me, this only happens in production when adding extra scopes. On localhost, because the cookie name sb-localhost-auth-token has fewer characters, the cookie just fits (4094 bytes).
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
(I realize these steps involve a closed-source deployment. I can develop a minimal, open-source reproduction in the future if needed.)
Go to divvy.day and sign in. Only common, non-sensitive scopes are requested and the PKCE works well.
Authorize calendar read access, which adds two scopes.
This time, using the same PKCE flow (which works in development), the cookie is too large, which results in the user being signed out.
Expected behavior
The auth-token cookie must be kept within the limit so it is set.
Screenshots
(Yes, I understand the risk of sharing auth tokens. This is only a fraction of the token.)
System information
OS: macOS
Browser: Chrome
Version of supabase-js: 2.26.0
Version of @supabase/auth-helpers-remix: 0.2.1
Running on Cloudflare Pages
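The failure reported above is a matter of byte accounting on `name=value`, so a longer cookie name alone can push an otherwise identical session over the limit. As an added example (not part of the original report and not Supabase's own code), the following measures that pair and splits an oversized value into numbered cookies; the `.N` suffix scheme, the `reserve` parameter and the `sb-exampleprojectref-auth-token` name are assumptions made for illustration.

```javascript
// Added example. Names and limits are assumptions, not Supabase's code.
const MAX_COOKIE_BYTES = 4096; // per-cookie limit cited in the report

// Bytes one cookie's "name=value" pair occupies. Assumption: attributes
// (Path, Secure, ...) are budgeted separately through `reserve`.
function pairBytes(name, value) {
  return new TextEncoder().encode(`${name}=${value}`).length;
}

// Split a value into cookies name.0, name.1, ... that each fit the limit.
function chunkCookie(name, value, limit = MAX_COOKIE_BYTES, reserve = 0) {
  const encoded = encodeURIComponent(value); // ASCII only from here on
  if (pairBytes(name, encoded) + reserve <= limit) {
    return [{ name, value: encoded }];
  }
  const chunks = [];
  for (let pos = 0; pos < encoded.length; ) {
    const chunkName = `${name}.${chunks.length}`;
    const room = limit - reserve - pairBytes(chunkName, "");
    if (room < 3) throw new Error("no room left for a cookie value");
    let end = Math.min(pos + room, encoded.length);
    // Do not cut through a %XX escape: back up to its '%'.
    const pct = encoded.lastIndexOf("%", end - 1);
    if (end < encoded.length && pct > end - 3) end = pct;
    chunks.push({ name: chunkName, value: encoded.slice(pos, end) });
    pos = end;
  }
  return chunks;
}

// Rebuild the value from a { cookieName: rawValue } map parsed server-side.
function readChunkedCookie(name, jar) {
  if (name in jar) return decodeURIComponent(jar[name]);
  let joined = "";
  for (let i = 0; `${name}.${i}` in jar; i++) joined += jar[`${name}.${i}`];
  return joined === "" ? null : decodeURIComponent(joined);
}

// Constructed sample: a 4070-character value under two cookie names.
const sample = "a".repeat(4070);
for (const n of ["sb-localhost-auth-token", "sb-exampleprojectref-auth-token"]) {
  const parts = chunkCookie(n, sample);
  console.log(n, pairBytes(n, sample), "bytes ->", parts.length, "cookie(s)");
}
```

When a later session is shorter than the previous one, any leftover `name.N` cookies from the earlier write have to be expired, or the reader will append stale data.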
Hey @KrisBraun, did you ever find a solution to this? I'm getting something similar, but it only occurs when trying to sign into a single account. All other accounts work.
I am using Supabase for authentication with Next.js and writing my backend API in Express.
Cookies are being set on the HTTP server (my localhost), but when set in production (HTTPS), cookies are not passed with the request headers.
How can I change the configuration of the cookie set by Supabase?
I have checked in my Application tab; the Secure attribute is false.
Maybe if I change this to true, things will work.
Correct me if I am wrong.
But the main question is how to change the configuration, so that I can access the token set in the cookies in Express to verify a middleware.