Not possible to keep user signed in #323

Closed
mousindev opened this issue Apr 15, 2022 · 20 comments
Labels: auth, bug (Something isn't working), p3 (Priority 3)

Comments

@mousindev

Bug report

Describe the bug

The issue is that the user gets kicked off the app and needs to sign in again over and over.
After checking the many threads on this issue, these are the two scenarios we face:

  1. The token gets refreshed when I come back to the application after 1 hour which is the default expiration time (see screenshot below where the event is captured), but the immediate next call (and all subsequent ones) fail with the error message "JWT expired"
    image

  2. If I take way longer to come back to the application, the token does not get refreshed and the next request fails with an "invalid_grant Invalid Refresh Token" error.

To Reproduce

The project is using supabase-js and Angular installed as PWA

  1. Create the SupabaseClient with autoRefreshToken set to true.
  2. Sign in a user with supabase.auth.signIn({ email: email, password: password });
  3. Leave the application idle for a bit more than 1 hour for the first case described, or for several hours for the second one

Expected behavior

We are porting from Firebase to Supabase, and our understanding was that the autoRefreshToken should help keep the user signed in.
There are some other threads where it is proposed to check the result of every call, and if the error is "JWT expired" then try to sign in the user again in the background and retry the original call, but that would be a workaround more than the solution.

System information

  • Version of supabase-js: 1.33.3

Additional context

Just to say that we are loving Supabase. It would be great to be able to keep our users signed in automatically, otherwise it will be hard to deploy the version backed by Supabase rather than Firebase. Thanks!

@kiwicopple
Member

Hey @nereolopez - just a quick check: what platform/framework are you using?

@mousindev
Author

Hey @kiwicopple , thanks for your message. We are using Angular's latest version and Supabase directly

@mousindev
Author

Hi @kiwicopple, just wanted to check if there is any progress on this? I personally don't know where the issue is coming from, but if somehow we could support or contribute, we can try with some guidance. Thanks!

@kiwicopple
Member

This one is getting worked on over here! #274

@mousindev
Author

Great news! I will keep an eye on it and test it as soon as it is available, both in the browser and in Android/iOS installed as a PWA. Thanks!

@mousindev
Author

Hi @kiwicopple, we noticed something additional (not sure if related, but in case it gives any hint).

When opening the App (be it on the browser or on the phone as a PWA) we are automatically redirected to the Sign in page. This is because the Angular guard that checks that route makes the user stay in the Sign In page if there is no supabase.auth.user(), otherwise redirects the user to the home page. The strange thing there is that if I look at the LocalStorage I can see the supabase.auth.token entry, and, if I reload the page (or pull to reload on the PWA) then the next time the guard checks the supabase.auth.user() is no longer null and the user gets redirected to the home page directly.
As said, this is not always the case due to what we discussed prior in this thread that the session is not always kept alive.

It is a strange behavior and can't see why, but hope the info is helpful.

Thanks

@lebrinkma

@nereolopez this sounds like the issue I tried to solve with #265, but I have not received any feedback on the PR so far.
supabase.auth.user() returns null if the session is currently refreshing after the token expired.

@anngbaum

@nereolopez @lebrinkma we are also encountering the same challenge (React Native app on iOS) and my understanding from the comment here was that it's likely due to our use of AsyncStorage. between the token expiring from background + user being null on first load, it's been a bit difficult to ensure we're using the correct user auth. would love to see a solution like #265 go out!

@mousindev
Author

@anngbaum @lebrinkma, apologies for my delay, business trips are keeping me busy. Interesting the comment you linked, most likely it is scenario 3 which we are facing. The proposed solution supabase/gotrue-js#265 looks good. The only point I see is that then we have user and refreshedUser, and what this last one does (waiting in case there is a need of refresh and then return it) is what I would expect from the user directly. So not sure if it would be better to have that behavior inside the user itself. What do you think?

Also, I see that supabase/gotrue-js#274 that @kiwicopple mentioned is already closed. Is this available now if we update supabase-js version? Does it fix the problem we are describing?

Thanks to all!

@mousindev
Author

Quick update. I just tried by updating to the latest version in case changes were already there, and still face the same. Angular Guard is redirecting the user to the home page because session and user are null, but if I refresh, then it enters directly into the application.

Is there any workaround in the meantime that could be taken?

@anngbaum

anngbaum commented May 19, 2022

this was a helpful comment illustrating the delay, which I agree is still a problem for us as well.

the workaround that we're using is a listener onAuthStateChange which does successfully fire once the token is refreshed, and then using that to update the UI so that the user is taken directly into the application. It does cause an unfortunate flicker in the UI which is suboptimal, but at least prevents having to re-log in.

I asked a somewhat similar question in the #gotrue discord here but have not heard anything further, will let you know if that generates any responses though!
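
The guard race discussed in the comments above (`user()` is null on first load while the stored session is still refreshing, then `onAuthStateChange` fires) can be handled by deferring the routing decision until the session state is known. This is an added example, not code from this thread or from supabase-js: `onUserResolved`, `waitForUser` and `makeFakeAuth` are hypothetical names, and `auth` is assumed to have the supabase-js v1 shape of `user()` and `onAuthStateChange()`.

```javascript
// Added example. `auth` mimics the supabase-js v1 `supabase.auth` surface used
// in this thread: user() and onAuthStateChange(cb) -> { data: subscription }.
function onUserResolved(auth, timeoutMs, done) {
  const current = auth.user();
  if (current) return done(current);           // session already in memory

  let settled = false;
  let subscription = null;
  let timer = null;
  const finish = (user) => {
    if (settled) return;                        // first outcome wins
    settled = true;
    clearTimeout(timer);
    if (subscription) subscription.unsubscribe();
    done(user);
  };
  // Fail closed: no session inside the window is treated as signed out.
  timer = setTimeout(() => finish(null), timeoutMs);
  const { data } = auth.onAuthStateChange((event, session) => {
    if (event === 'SIGNED_OUT') finish(null);
    else if (session && session.user) finish(session.user);
  });
  subscription = data;
  if (settled && subscription) subscription.unsubscribe(); // fired synchronously
}

// Promise form for an async route guard (for example Angular's canActivate).
const waitForUser = (auth, timeoutMs = 5000) =>
  new Promise((resolve) => onUserResolved(auth, timeoutMs, resolve));

// Constructed stand-in for the client: starts with no user, as on a cold
// start while the stored token is still being refreshed.
function makeFakeAuth() {
  let user = null;
  const listeners = new Set();
  return {
    user: () => user,
    onAuthStateChange(cb) {
      listeners.add(cb);
      return { data: { unsubscribe: () => listeners.delete(cb) }, error: null };
    },
    emit(event, session) {
      user = session ? session.user : null;
      [...listeners].forEach((cb) => cb(event, session));
    },
    listenerCount: () => listeners.size,
  };
}
```

A guard that awaits `waitForUser(supabase.auth)` redirects to the sign-in page only when the result is null, which avoids both the premature redirect and the UI flicker mentioned above.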

@J0
Contributor

J0 commented Jul 18, 2022

Hey team,

Thanks for your patience -- we haven't forgotten about this issue and we'll be transferring this to the auth repo so we can best track this.
Thanks!

@anngbaum

@J0 I was optimistic that the changes described in PR #285 would alleviate this problem (for us, at least). I have not updated our repo to test the go-true/next branch yet, but if there's any approximate timeline for that release, we would definitely still love to see this handling improved.

@alaister
Member

Hey @anngbaum,
You can try out this version of gotrue-js by running npm install @supabase/supabase-js@next as it's included there.
It may be a little difficult to upgrade without any docs, so I'd recommend leaning heavily on the typescript typings.

We're aiming to get v2 out next month! 🤞🏻

@ARMATAV

ARMATAV commented Aug 16, 2022

https://supabase.com/blog/supabase-js-v2

This solves the “getting logged out” issue, which has been a recurring challenge in our GitHub Discussions.

Should be good to go here now, right?

@mousindev
Author

Hi @ARMATAV, that would be good news. Please allow us a few days to test it and revert :)

@mousindev
Author

@ARMATAV we've been testing with RC3 both on web and installed on phones as PWA in different scenarios and in all the cases the session was kept open, first calls to backend after wake up of the app succeeded, so for now, not able to reproduce the issue 🥳.

Please feel free to close it and thanks again for the fix and support!

@ARMATAV

ARMATAV commented Aug 21, 2022

@nereolopez Ah, now it finally is the best auth experience available. Hopefully they fix the auth-helpers repo by including this new update.

I'm not actually a repo contributor my dude - so I can't close the issue - but, hey, good that it works though!

@mousindev
Author

Sorry @ARMATAV, I am in the middle of my first paternity leave and went straight to test it. As you left the note I did not check and just assumed you were. I am closing the issue then. Thanks!

@ARMATAV

ARMATAV commented Aug 23, 2022

@nereolopez Congratulations on the kid!

@egor-romanov egor-romanov added the p3 Priority 3 label Oct 5, 2022