Warning: @supabase/ssr: createServerClient was configured without the setAll cookie method - but it's definitely defined

[wiesson]

Bug report

Describe the bug

I receive the error message

@supabase/ssr: createServerClient was configured without the setAll cookie method, but the client needs to set cookies. This can lead to issues such as random logouts, early session termination or increased token refresh requests. If in NextJS, check your middleware.ts file, route handlers and server actions for correctness.

But I'm using sveltekit and the setAll method is defined.

src/hooks.server.ts

event.locals.supabase = createServerClient<Database>(
  PUBLIC_SUPABASE_URL,
  PUBLIC_SUPABASE_ANON_KEY,
  {
      cookies: {
        getAll: () => event.cookies.getAll(),
        setAll: (cookiesToSet) => {
          cookiesToSet.forEach(({ name, value, options }) => {
            event.cookies.set(name, value, { ...options, path: '/' });
        });
      },
    },
  },
);

To Reproduce

Follow the tutorial on https://supabase.com/docs/guides/auth/server-side/sveltekit

Expected behavior

No error or warning is visible when using the code from the official examples

Screenshots

System information

• OS: [e.g. macOS, Windows]
• Browser (if applies) [e.g. chrome, safari]
• Version of supabase-js: latest
• Version of Node.js: latest

[wiesson]

After creating this bug-report and revisiting the docs, I think it comes from Step 5 of the Example: https://supabase.com/docs/guides/auth/server-side/sveltekit

export const load: LayoutLoad = async ({ data, depends, fetch }) => {
  /**
   * Declare a dependency so the layout can be invalidated, for example, on
   * session refresh.
   */
  depends('supabase:auth')
  const supabase = isBrowser()
    ? createBrowserClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
        global: {
          fetch,
        },
      })
    : createServerClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
        global: {
          fetch,
        },
        cookies: { // no set all is present here
          getAll() {
            return data.cookies
          },
        },
      })
  /**
   * It's fine to use `getSession` here, because on the client, `getSession` is
   * safe, and on the server, it reads `session` from the `LayoutData`, which
   * safely checked the session using `safeGetSession`.
   */
  const {
    data: { session },
  } = await supabase.auth.getSession()
  const {
    data: { user },
  } = await supabase.auth.getUser()
  return { session, supabase, user }
}

[j4w8n]

@wiesson I've got roughly the same code, but not seeing that log. Out of curiosity, does it still log if you replace your getSession and getUser calls with what I have? If needed, you can also return user with return { supabase, session, user: session.user }.

import { PUBLIC_SUPABASE_ANON_KEY, PUBLIC_SUPABASE_URL } from '$env/static/public'
import { createBrowserClient, createServerClient, isBrowser } from '@supabase/ssr'

export const load = async ({ fetch, data, depends }) => {
  depends('supabase:auth')

  const supabase = isBrowser()
    ? createBrowserClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
        global: { fetch }
      })
    : createServerClient(PUBLIC_SUPABASE_URL, PUBLIC_SUPABASE_ANON_KEY, {
        global: { fetch },
        cookies: {
          getAll() { 
            return data.cookies
          }
        }
      })

  const session = isBrowser() ? (await supabase.auth.getSession()).data.session : data.session

  return { supabase, session }
}

[j4w8n]

Also, are you doing anything in the <script> tags of child svelte files that would need to set cookies? That is more likely the cause, since after reading the source code, that warning only logs if the server client is trying to actually set cookies but the setAll method hasn't been defined.

If you are, then you'll just need to add the method.

[wiesson]

I tested it with a fresh Sveltekit app, copied the example data in and got the error as well. Also, I'm not aware that I have changed anything in the Script tag.

setAll: (cookiesToSet) => {
  console.log(cookiesToSet);
}

Out of curiosity, I added a console.log in the +layout.ts and it gets called regularly. I assume when a token refresh happens, the server likes to update the cookies, but that's just a guess.

Afaik, I can't simply add the method, because I don't have access to cookies in +layout.ts (?)

[j4w8n]

Hmm, I'm not sure then. My demo app works flawlessly, and it's setup mostly like the guide you referenced.

What are your package versions? sveltekit, supabase, ssr

If you'd like, as a sanity check, you could clone mine if you want. Setup process is pretty easy and you likely have most of the steps done already. https://github.com/j4w8n/sveltekit-supabase-ssr

[lecramr]

Having the same issue right now, pretty sure after the update to ssr@0.6.1.

@wiesson Could you fix the issue? Looks like a Token refresh is now logging out my user :/

[sdocquir]

Same issue here. createServerClient() is properly setup in hooks.server.ts since we have access to the cookies there, but we don't in layout.ts, which runs both on server and in the client.