Skip to content

fix(auth): emit local stored session as the initial session #822

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 15, 2025
Merged

fix(auth): emit local stored session as the initial session #822

merged 3 commits into from
Oct 15, 2025
+346 −41

Conversation

grdsdev
Copy link
Contributor

@grdsdev grdsdev commented Oct 13, 2025
edited
Loading

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

  1. Customer reads the currentSession variable which returns the stored session, without validating if it is expired or not, and lets users in.
  2. Then the customer attaches an authStateChange listener and receives initialSession = nil, since the stored session couldn't be refreshed.
  3. The user has been logged in but now has no session, making all API calls fail.

Although the behavior above isn't wrong nor a bug, since it is documented that the currentSession may have been expired, it is a behavior that just brings more confusion to the usage.

What is the new behavior?

Added a new trait EmitLocalSessionAsInitialSession for customers to opt-in to the new behavior since this is a breaking change.

supabase.auth.onAuthStateChanges { event, session in 
    if event == .initialSession {
        if let session {
            if session.isExpired {
                // Session exists but has been expired. It will try to refresh it in the background and emit a `tokenRefresh` or `signOut` event depending on the result.
                // Probably should show a loading indicator until a `tokenRefreshed`/`signOut` event is received.
            } else {
                // Session exists and is valid, can let user in.
            }
        } else {
            // Session does not exist, user needs to sign in
        }
    } else if event == .tokenRefreshed {
        assert(session != nil && session?.isExpired == false)
    } else if event == .signOut {
        assert(session == nil)
    }
}

Additional context

#630
#753

@coveralls
Copy link

coveralls commented Oct 13, 2025
edited
Loading

Pull Request Test Coverage Report for Build 18477966756

Details

  • 14 of 14 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.2%) to 77.582%
Totals Coverage Status
Change from base Build 18462418370: 0.2%
Covered Lines: 5942
Relevant Lines: 7659
💛 - Coveralls

@grdsdev grdsdev mentioned this pull request Oct 14, 2025
Closed
2 tasks
@grdsdev grdsdev marked this pull request as ready for review October 14, 2025 12:27
@grdsdev grdsdev requested a review from a team October 14, 2025 14:01
This was linked to issues Oct 14, 2025
Auto-refreshing of tokens can fail and never restart again #630
Closed
iOS SDK wipes permanent sessions & caches sessions on launch while initialSession returns nil, causing ghost-session #753
Closed
@grdsdev grdsdev merged commit c5721fe into main Oct 15, 2025
23 checks passed
@grdsdev grdsdev deleted the guilherme/ghost-initial-session branch October 15, 2025 09:51
@github-actions github-actions bot mentioned this pull request Oct 15, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mandarini mandarini mandarini approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

3 participants

@grdsdev @coveralls @mandarini