Closed
Labels
bug: Something isn't working
Description
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
After updating to @supabase/ssr v0.6.0, authentication is broken. Cookies are being set very briefly and then immediately deleted. Multiple errors appear in the console related to cookie manipulation.
The primary error is:
```
Error: Cookies can only be modified in a Server Action or Route Handler. Read more: https://nextjs.org/docs/app/api-reference/functions/cookies#options
    at <unknown> (lib/server/server.ts:25:22)
    at Array.forEach (<anonymous>)
    at setAll (lib/server/server.ts:24:21)
    at applyServerStorage (../../src/cookies.ts:515:8)
    at async Object.callback (../../src/createServerClient.ts:196:6)
```
The error specifically points to the setAll function in the cookie handling:
```
  23 |       setAll(cookiesToSet) {
  24 |         cookiesToSet.forEach(({ name, value, options }) =>
> 25 |           cookieStore.set(name, value, options)
     |                      ^
  26 |         );
  27 |       }
  28 |     }
```
Additionally, there are warnings:
@supabase/ssr: Detected stale cookie data. Please check your integration with Supabase for bugs. This can cause your users to loose the session.
To Reproduce
- Update @supabase/ssr to version 0.6.0
- Attempt to sign in to a Next.js application using the standard Supabase auth flow
- Observe that authentication fails and cookies are not properly maintained
- Check console for errors about cookies only being modifiable in Server Actions or Route Handlers
Expected behavior
Authentication should work properly as it did in version 0.5.x, with cookies being set and maintained correctly.
System information
- OS: Ubuntu on WSL2
- Browser: Chrome/Firefox/Safari
- Version of supabase-js: 0.6.0
- Version of Next.js: 15.2
Additional context
My setup follows the official documentation. Here's my server client setup:
```ts
import 'server-only';
import { createServerClient } from '@supabase/ssr';
import { cookies } from 'next/headers';
import { Database } from '@/types/db';

export const createServerSupabaseClient = async () => {
  const cookieStore = await cookies();
  const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
  const supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
  if (!supabaseUrl || !supabaseAnonKey) {
    throw new Error('Missing Supabase environment variables');
  }
  return createServerClient<Database>(supabaseUrl, supabaseAnonKey, {
    cookies: {
      getAll() {
        return cookieStore.getAll();
      },
      setAll(cookiesToSet) {
        cookiesToSet.forEach(({ name, value, options }) =>
          cookieStore.set(name, value, options)
        );
      }
    }
  });
};
```
And my middleware:
```ts
import { type NextRequest, NextResponse } from 'next/server';
import { createServerClient } from '@supabase/ssr';

export async function middleware(request: NextRequest) {
  let response = NextResponse.next({
    request
  });
  const supabase = createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        getAll() {
          return request.cookies.getAll();
        },
        setAll(cookiesToSet) {
          cookiesToSet.forEach(({ name, value }) =>
            request.cookies.set(name, value)
          );
          response = NextResponse.next({
            request
          });
          cookiesToSet.forEach(({ name, value, options }) =>
            response.cookies.set(name, value, options)
          );
        }
      }
    }
  );
  // Get user session
  const {
    data: { user: session }
  } = await supabase.auth.getUser();
  // Rest of middleware code...
  return response;
}
```
Downgrading to version 0.5.x resolves the issue, confirming this is a regression in the 0.6.0 release.
allpwrfulroot