The authenticated user get logout after a hour #33

Closed
iampopal opened this issue Oct 5, 2021 · 25 comments
Labels: auth (This issue or pull request is related to authentication), bug (Something isn't working)

iampopal commented Oct 5, 2021

Authentication Bug

If the user is not connected to the internet and opens the app after an hour or two, supabase.auth.user is null, so the app shows the login screen to the user again.

To Reproduce

  1. Run the quick start example
  2. Close the app
  3. Open app after hour or two with no internet connection
  4. The supabase.auth.user which is current user will be null

iampopal added the bug label Oct 5, 2021

bdlukaa (Collaborator) commented Oct 5, 2021

did you await when calling Supabase.initialize?

iampopal (Author) commented Oct 7, 2021

Yes, I do await.
And my main function has async.

iampopal (Author) commented Oct 7, 2021

This issue happens a couple of hours after login when you don't have internet.

iampopal (Author) commented Oct 7, 2021

Please do a test with supabase quick start for flutter

Just run the simple
Login
Then force close the app
...
After 2 hours
Close your wifi or mobile data
Then open app again.

iampopal (Author) commented Oct 7, 2021

The issue is that
supabase.auth.currentUser is null after a couple of hours of having no internet connection.

bdlukaa (Collaborator) commented Oct 7, 2021

Is supabase.auth.session also null?

dshukertjr (Member) commented

Session being deleted when offline is a known issue of Supabase. Supabase lacks offline capability at the moment in general. We should implement a fix once it is fixed on js SDK, but until then, the use of this library should be with apps that you can safely assume your users are connected at all times.

supabase/auth-js#141 (comment)

phamhieu (Member) commented Oct 8, 2021

> Just run the simple
> Login
> Then force close the app
> ...
> After 2 hours
> Close your wifi or mobile data
> Then open app again.

> The issue is that
> supabase.auth.currentUser is null after a couple of hours of having no internet connection.

The library works as it should. When you turn on the app again, the library will try to refresh the user session if it's expired. If the device is offline, then the token refresh will fail and the user is logged out.

@iampopal what's your expectation when the device is offline and the user session is expired?

phamhieu (Member) commented Oct 8, 2021

btw, default session expiry is in 1 hour. You can increase this value under auth settings

phamhieu mentioned this issue Oct 8, 2021

iampopal (Author) commented Oct 8, 2021

The JWT shall expire as it normally does.
But what I want is that after expiration of the JWT

supabase.auth.currentUser

shall not return null.

iampopal (Author) commented Oct 8, 2021

Like
WhatsApp and Telegram or other social media apps

They never log us out when we go offline

The user session shall be saved and the user shall not be logged out even if the JWT expires

KirioXX commented Jan 18, 2022

We see similar behaviour in production mode even when the app is open all the time.
It seems like the automatic token refresh is not happening.

Would it be possible to at least make the token refresh available via the API to let the client manually refresh the token when it is expired? Even better would be if the expire behaviour could be configured on the initialization.

Jay-flow commented

> We see similar behaviour in production mode even when the app is open all the time. It seems like the automatic token refresh is not happening.
>
> Would it be possible to at least make the token refresh available via the API to let the client manually refresh the token when it is expired? Even better would be if the expire behaviour could be configured on the initialization.

I found the API.

```dart
await supabase.auth.api.refreshAccessToken(refreshToken);
```

But I don't know where to get the refresh token.

Jay-flow commented Jan 26, 2022

I confirmed that when the app is running, Supabase automatically refreshes the token.
However, when the app is turned off and then expired, the session returns a null value.

I think the app should be turned on again and Supabase should process the process to get a new token, but this doesn't happen automatically.

I wonder what we think about this.
Additionally, if Supabase does not automatically receive a new token, I would like to know how to do this manually.

KirioXX commented Jan 28, 2022

@Jay-flow great find! I agree it would be great if supabase refreshes the token after opening the app.
We for example have devices that need to stay logged in
because the user doesn't have the auth credentials and has to call an operator every time he gets logged out.

At the moment we hard refresh the token with this API on all server interactions:

```dart
Supabase.instance.client.auth.refreshSession();
```

but we already had some scenarios where this fails too.

Jay-flow commented

@KirioXX Thx for leaving comments. That's right. As you know, it's not a perfect solution. This is because if the user does not access the app for a long time, the method will fail. Better measures are needed for this. If anyone shares a good idea about this, it will help everyone. :)

bdlukaa added the auth label Apr 17, 2022

christrunk commented Apr 19, 2022

Just to add our own experience here:

Scenario:

  • Flutter app is used in a factory setting, Android and iOS devices
  • Devices are used 7am-4pm, then left on charge each night
  • During the day, the app is left idle 3 hours at most
  • The factory has decent Wifi, but not perfect

Summary

  • We find that out of 70 active devices, 1-2 get logged out each week since we deployed mid-January this year
  • It doesn't seem to correlate with the length of service (time elapsed since the device was first used) or idle time (time elapsed since the device was last used)

Examples

First occurrence:
Was found logged out at 4.10pm
The device was last used around 4.00pm to clock out at the end of shift
The device has been in service just over 7 days

Second occurrence:
Was reported as logged out at 2pm
Was last used at lunchtime when coming back from break at 12pm
The device had been in service 10 days

Third occurrence:
Device was reported logged out at 8:40am
Was last used at 7:00am that day
The device had been in service approx 9 days

Fourth occurrence:
Device was reported logged out at 9:31am
Was last used at 7:10am on the same day
The device had been in service 7 days

Whilst these all seem to be getting logged out at around 7-10 days of service, there are likely 40-50 devices that have NEVER been logged out in 80 days of service.

JWT is set to 1 week.

dshukertjr (Member) commented

@christrunk @KirioXX Thank you for providing additional details on this issue. This issue is the next issue we will tackle, and we hope to ship a fix sometime next week. We apologize for the inconvenience we have caused.

caseycrogers commented Aug 9, 2022

I'm getting this issue. However, in my case, neither user nor session are null. Was the above merged PR supposed to resolve this?

Here are my thoughts:

  1. Supabase client should handle all this under the hood so I don't have to think about it
  2. If there's a reason the client can't refresh the token, that should be reflected in the client's state so my app can catch it and handle it appropriately before attempting a failed server call. eg maybe add a hasValidToken flag to the auth client and call the auth state change callback whenever this flag changes.

bdlukaa (Collaborator) commented Aug 9, 2022

> neither user nor session are null

@caseycrogers could you explain this?

caseycrogers commented

```dart
import 'package:flutter/material.dart';
import 'package:supabase_flutter/supabase_flutter.dart';

void main() async {
  WidgetsFlutterBinding.ensureInitialized();
  await Supabase.initialize(
    url: '<snipped for brevity>',
    anonKey: '<snipped for brevity>',
  );
  print(Supabase.instance.client.auth.currentUser); // instance of 'User'
  print(Supabase.instance.client.auth.currentSession); // instance of 'Session'
  final dynamic result =
      await Supabase.instance.client.from('profiles').select(); // crashes with jwt expired error
  runApp(MyApp());
}
```

The error does not seem consistent. Just now I re-ran the above and it did not crash. Perhaps sometimes the client is failing to refresh the JWT token and other times it is not?

bdlukaa (Collaborator) commented Aug 9, 2022

It'd be awesome if you could post the crash error and stacktrace in here

caseycrogers commented

Error: PostgrestException(message: {"code":"PGRST301","details":null,"hint":null,"message":"JWT expired"}, code: 401, details: Unauthor

StackTrace:

```
[ERROR:flutter/lib/ui/ui_dart_state.cc(198)] Unhandled Exception: PostgrestException(message: {"code":"PGRST301","details":null,"hint":null,"message":"JWT expired"}, code: 401, details: Unauthorized, hint: null)
#0      PostgrestBuilder._parseResponse (package:postgrest/src/postgrest_builder.dart:251:7)
<asynchronous suspension>
#1      PostgrestBuilder.then (package:postgrest/src/postgrest_builder.dart:327:24)
<asynchronous suspension>
```

caseycrogers commented

I've realized that this only happens on my emulator and only happens when the emulator time is out of sync and behind the real time so I'm presuming that's the issue!

dshukertjr (Member) commented

I will close this issue as we have implemented a retry for when the client is offline and fails to refresh the token.
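
The startup decision discussed in this thread, as an added example that is not supabase-flutter's code or any commenter's: an expired access token triggers a refresh, a network failure keeps the stored session for a later retry, and only a rejected refresh signs the user out. `Restore`, `jwtExpiry`, `restoreSession` and the `refresh` callback are hypothetical names, and treating `SocketException` as "offline" is an assumption about how the HTTP layer reports it.

```dart
import 'dart:convert';
import 'dart:io';

enum Restore { valid, refreshed, keepAndRetry, signedOut }

/// Reads `exp` (seconds since epoch) from a JWT payload. For scheduling only:
/// the client does not verify the signature, the server does.
DateTime jwtExpiry(String jwt) {
  final payload = base64Url.normalize(jwt.split('.')[1]);
  final claims = jsonDecode(utf8.decode(base64Url.decode(payload)));
  final exp = (claims as Map<String, dynamic>)['exp'] as int;
  return DateTime.fromMillisecondsSinceEpoch(exp * 1000, isUtc: true);
}

/// [refresh] is a hypothetical callback: it exchanges the stored refresh token
/// for a new access token and throws on failure.
Future<Restore> restoreSession(
    String accessToken, DateTime now, Future<String> Function() refresh,
    {Duration margin = const Duration(seconds: 30)}) async {
  // `now` is the device clock. A clock that runs behind makes this check pass
  // for a token the server already rejects, so callers should still treat a
  // 401 "JWT expired" response as a signal to refresh.
  if (now.isBefore(jwtExpiry(accessToken).subtract(margin))) {
    return Restore.valid;
  }
  try {
    await refresh();
    return Restore.refreshed;
  } on SocketException {
    return Restore.keepAndRetry; // offline: keep the stored session, retry
  } catch (_) {
    return Restore.signedOut; // refresh was rejected, e.g. token revoked
  }
}

Future<void> main() async {
  // Constructed token: payload {"exp":1700000000}, header and signature dummy.
  final body = base64Url.encode(utf8.encode('{"exp":1700000000}'));
  final token = 'e30.$body.sig';
  final exp = jwtExpiry(token);
  final afterExpiry = exp.add(const Duration(hours: 2));
  final beforeExpiry = exp.subtract(const Duration(hours: 1));
  print(await restoreSession(token, beforeExpiry, () async => token));
  print(await restoreSession(
      token, afterExpiry, () async => throw const SocketException('offline')));
  print(await restoreSession(
      token, afterExpiry, () async => throw StateError('refresh rejected')));
}
```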
