-
Notifications
You must be signed in to change notification settings - Fork 114
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat!: Migrate to @supabase/ssr
#357
base: main
Are you sure you want to change the base?
Conversation
👷 Deploy request for n3-supabase pending review.Visit the deploys page to approve it
|
There is another issue that comes up now:
This is actually something that should be changed in the library regardless of whether this PR is merged. EDIT: After upgrading |
Previously, the following error was thrown Failed to execute 'postMessage' on 'BroadcastChannel': #<Object> could not be cloned.
Hello @felixgabler, I' don't have a lot of time for this module since I've created it for a side project that do not need evolution no more and I'm so happy when people help me to maintain it and make it evolve, thanks for that! Concerning the PR, I faced two blocking points:
After reading the Supabase docs concerning the Those changes include breaking changes but it make sense to release a major version once this PR is merged to be sure users make some complete test to upgrade the module. Tell me what you think of this and if it's working well on your project. Also I want to get rid of the |
That all sounds very reasonable and I welcome the changes you made to keep things more secure! Very cool.
We deployed my branch and have not faced issues so far. It actually fixed some bugs (we set cookies on the top-level domain which the subdomains inherit and I suspect something broke around this but works now with
That is weird.. I don't get them anymore after the upgrade. Perhaps you need to delete the |
If
A simple example would be fetching the user profile with |
I pushed two new fix:
|
I tried to play with |
I created a branch with a repro of the warning: https://github.com/felixgabler/supabase-nuxt/tree/warning-repro The warning is shown when navigating between However, I might have figured out what the problem is. Does "useAsyncData is a composable meant to be called directly in the Nuxt context" (Nuxt Docs) mean that these composables can't be reused in other composables? That would be somewhat annoying but would at least explain the warning.. If this is indeed true, do you know what the "right" way would be to share this user state? |
Indeed I don't think that calling |
Let's closely follow this issue. Once it's fixed, we can merge this PR . Wdyt? |
We put useAsyncData in a composable because we have many pages/components in our app that work on the same underlying data. The problem is that there is not really one component that is always there which could become the owner of the useAsyncData, where we could update a shared state. This is where the reusability of composables really comes in handy. Does that make sense? |
Sounds good to me! |
Maybe you can try with this experimental feature: https://nuxt.com/docs/guide/going-further/experimental-features#asynccontext Or what about calling the |
Unfortunately, this does not remove the warnings. The good thing right now is that at least it works in SPA mode. It is only that the warnings are annoying but they can be lived with.
The issue here is that we also don't want to load all data if it won't be used. So calling it inside a root page or plugin is also not optimal. The only way I can think of making the Especially given that the convention is that all composables (i.e., anything with |
Still facing the warning even after upgrading to the latest To discuss with Supabase team here: supabase/auth-js#895 |
I wonder if it fell off the plate. Perhaps best to create a new issue? |
@Atinux could I perhaps also get your thoughts on this? I was quite surprised to learn that |
Indeed I've create a new one: supabase/auth-js#912 |
} | ||
// We rely on `getSession` on the client. | ||
else { | ||
const session = await useSupabaseSession() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we already get the user info for the server in the plugin, does it make sense to also do the same for the client plugin? This would clean up this composable a bit and we also have the onAuthStateChange
listener there already, so it would be a fitting place.
Cannot really think of reasons why not to do it. I am not sure if there is value in refreshing the userState each time useSupabaseUser is called. It might even be bad for performance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From my point of view, onAuthStateChange
is only triggered when Supabase API is called to refresh the session either when getSession
or refreshSession
are called or when user is logged out. But on client side, when navigating, we want to ensure that the session (and the user) are still connected (token not expired) that's why calling getSession
ensures this.
Important to note that getSession
is not calling Supabase API when token are not expired (most of the time) but only reading local storage, this is not a lack of performance thus.
However, if you want to make some tests and prove that onAuthStateChange
is triggered when token is expired and not refresh, we could remove it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From what I can tell, the onAuthStateChange
is called on events that would cover token expiration because SIGNED_OUT
is also called when the token expires. Reading the docs, it definitely looks to me like one can rely on these auth events to track sessions. We also might not even need to call a getSession
to initialize since the INITIAL_SESSION
auth event triggers after client creation.
I can do more testing later today if you'd like
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this case we can indeed remove the async call to useSupabaseSession
and get useSupabaseUser
back to a synchronous composable. Which is a good thing meaning no breaking changes!
You can update the code then we'll both update our personal projects to ensure it works as expected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
useSupabaseUser
will be back to the old version only returning the state. State being muted by either the server plugin or the onAuthStateChange
. It makes sense to me. useSupabaseSession
stays as a standalone composable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right that we need to make sure the session is 100% valid. I've gone over the code again and here are some thoughts:
- We want the behavior to be the same regardless of whether it is called on the client or the server. I am wondering whether there could be a case where the
onAuthStateChange
fires after theuseSupabaseUser
is already accessed somewhere? Maybe we should initialize it with data from the session too here? - I dislike that
session
anduser
are not handled uniformly. Right now, on the server, the user is read viagetUser()
in the server plugin but the session is not initialized there. On the client, both are managed through theonAuthStateChange
in the client plugin.
To me, the cleanest and probably safest approach would be to make useSupabaseSession
also only hold state that is managed by the plugin. I would then move the session initialization logic into supabase.server.ts
. Additionally, I think we might want to also run the same logic in supabase.client.ts
and initialize currentSession
and currentUser
with it to be safe. This way, we always ensure that the session and user are read on startup. Does that sound reasonable to you?
The only drawback I see is that the session and the user are not updated on the server during SSR. This, however, should not really happen very often because SSR is so fast and the odds of the token expiring during render are almost non-existent in my opinion. As long as we refresh the session and user in our Nitro server routes (which we are doing in serverSupabaseSession
and serverSupabaseUser
, I think we are fine with the approach defined above. Otherwise we could also use onAuthStateChange
in the server plugin..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made the changes on a separate branch (felixgabler@0895ccc). Will test it out in my local project because I prefer the general approach and cleaner code :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@felixgabler If you confirm everything works smoothly with your project, let's push your changes in this PR. It looks all good to me! I'll test it on mine once you push your changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We've been running it for the last few days without issues related to the changes. We do get the supabase useSession
warnings which are annoying but not a problem. Looking forward to hearing how it works on your project :)
EDIT: One issue we did encounter is a header overflow:
ERROR [h3] [unhandled] Parse Error: Header overflow 9:40:44 AM
at Socket.socketOnData (node:_http_client:540:22)
at Socket.emit (node:events:519:28)
at addChunk (node:internal/streams/readable:559:12)
at readableAddChunkPushByteMode (node:internal/streams/readable:510:3)
at Readable.push (node:internal/streams/readable:390:5)
at Pipe.onStreamRead (node:internal/stream_base_commons:190:23)
This is most likely due to large auth and refresh tokens in the Supabase headers.
I've since increased the max header size (NODE_OPTIONS=--max-http-header-size=32384
) and hopefully it is resolved now. Did you encounter this too? If so, we might have to add something to the docs about increasing the header size.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've pushed the new version on my side project. I'll tell you if everything's ok :)
This warning is really annoying, they do not seem to be in a hurry with it...
…rough plugin instead
Control session through plugin
Started using
@supabase/ssr
to create clients, simplifying cookie handling.https://supabase.com/docs/guides/auth/server-side/creating-a-client
Types of changes
Description
Resolves: #301
I replaced the plain usage of
createClient
(inserverSupabaseClient
,supabase.server.ts
, andsupabase.client.ts
) with the more advancedcreateServerClient
andcreateBrowserClient
from@supabase/ssr
. In the process, I removed some of the manual cookie handling since it should be taken care of by Supabase'sauth.storage
setting. This is based on my limited understanding though, so would appreciate a confirmation.This was because we were encountering quite a few issues of cookies getting lost somewhere. Now everything seems to work fine again.
I was not entirely sure what to do about the
clientOptions
since they should be managed by@supabase/ssr
now. Also, thecookieName
is now also quite irrelevant and I did not find a good way to include it in the new setup for the other cookies. One idea would be to prefix them all again through thecookies
option functions?Checklist: