Infinite Loop redirection #9134

Open
ohrrkan opened this issue Aug 19, 2024 · 1 comment

Comments

ohrrkan commented Aug 19, 2024

Those two redirects can lead to an infinite redirect loop.

Signin should only redirect to the dashboard if the JWT is valid, not only because it is not null!

return redirect("/dashboard");

Dashboard should only redirect to signin if there is no error validating the tokens.

return redirect("/signin");

setSession can return an error but can also throw an error. This is bad practice (I already reported it to the Supabase team), but it is the case.
This means that checking the returned error is not enough, and the example should maybe be rewritten like this:

...
```ts
import type { AuthResponse } from "@supabase/supabase-js";

const { cookies, redirect } = Astro;

const accessToken = cookies.get("sb-access-token");
const refreshToken = cookies.get("sb-refresh-token");

// No cookie pair at all: nothing to validate, go to the sign-in page.
if (!accessToken || !refreshToken) {
  return redirect("/signin");
}

let setSession: AuthResponse;
try {
  setSession = await supabase.auth.setSession({
    refresh_token: refreshToken.value,
    access_token: accessToken.value,
  });
  if (setSession.error) {
    // Invalid tokens: drop the cookies so /signin does not send us straight back.
    cookies.delete("sb-access-token", { path: "/" });
    cookies.delete("sb-refresh-token", { path: "/" });
    return redirect("/signin");
  }
} catch (error) {
  // setSession() can also throw; clear the cookies here too, otherwise the
  // stale pair keeps bouncing between /dashboard and /signin.
  cookies.delete("sb-access-token", { path: "/" });
  cookies.delete("sb-refresh-token", { path: "/" });
  return redirect("/signin");
}
const email = setSession.data.user?.email;
```
...

You can reproduce the infinite loop by editing your cookie with invalid data in sb-access-token, for example.
It will create a server error anyway because of the unhandled throw, but you get the point.
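The loop described above, as an added example that is not code from the Astro docs, the issue author or Supabase: the /signin and /dashboard handlers are modelled as plain functions over a cookie jar and an injectable session check, so both Supabase failure modes (an error in the result and a throw) can be reproduced offline and the fix checked. The check is synchronous here as an assumption; awaiting the real setSession() inside the same try block behaves identically, because a rejected promise throws at the await. The route names, cookie names and the "valid"/"garbage" token values are constructed for the example.

```typescript
type Cookies = Map<string, string>;
type Outcome = { kind: "redirect"; to: string } | { kind: "render"; page: string };
type Handler = (cookies: Cookies, check: SessionCheck) => Outcome;
// Stand-in for supabase.auth.setSession(): it may report failure in the result
// OR throw, which is the double failure mode the issue describes.
type SessionCheck = (access: string, refresh: string) => { error: Error | null };

const ACCESS = "sb-access-token";
const REFRESH = "sb-refresh-token";

function clearSessionCookies(cookies: Cookies): void {
  cookies.delete(ACCESS);
  cookies.delete(REFRESH);
}

// Naive /signin: the mere presence of the cookie pair counts as "signed in".
const signinNaive: Handler = (cookies) =>
  cookies.has(ACCESS) && cookies.has(REFRESH)
    ? { kind: "redirect", to: "/dashboard" }
    : { kind: "render", page: "signin" };

// Naive /dashboard: looks only at the returned error, leaves the bad cookies in
// place (so /signin bounces straight back), and lets a throw escape as a 500.
const dashboardNaive: Handler = (cookies, check) => {
  const access = cookies.get(ACCESS);
  const refresh = cookies.get(REFRESH);
  if (!access || !refresh) return { kind: "redirect", to: "/signin" };
  const { error } = check(access, refresh);
  if (error) return { kind: "redirect", to: "/signin" };
  return { kind: "render", page: "dashboard" };
};

// Fixed logic shared by both pages: the cookie pair is trusted only after the
// check passes; a returned error, a thrown error or a missing cookie all end
// with the pair cleared, which is what breaks the loop.
function hasValidSession(cookies: Cookies, check: SessionCheck): boolean {
  const access = cookies.get(ACCESS);
  const refresh = cookies.get(REFRESH);
  if (access && refresh) {
    try {
      if (!check(access, refresh).error) return true;
    } catch {
      // setSession() can throw as well as return an error: treat both alike.
    }
  }
  clearSessionCookies(cookies);
  return false;
}

const signinFixed: Handler = (cookies, check) =>
  hasValidSession(cookies, check)
    ? { kind: "redirect", to: "/dashboard" }
    : { kind: "render", page: "signin" };

const dashboardFixed: Handler = (cookies, check) =>
  hasValidSession(cookies, check)
    ? { kind: "render", page: "dashboard" }
    : { kind: "redirect", to: "/signin" };

type FollowResult = { page: string; hops: number } | { loop: true; hops: number };

// Follows redirects the way a browser would, giving up after maxHops so a loop
// is reported instead of spinning forever.
function follow(
  start: string,
  cookies: Cookies,
  check: SessionCheck,
  routes: Record<string, Handler>,
  maxHops = 10,
): FollowResult {
  let path = start;
  for (let hops = 0; hops <= maxHops; hops++) {
    const handler = routes[path];
    if (!handler) throw new Error(`no route for ${path}`);
    const out = handler(cookies, check);
    if (out.kind === "render") return { page: out.page, hops };
    path = out.to;
  }
  return { loop: true, hops: maxHops };
}

// Constructed session checks standing in for the two Supabase failure modes.
const returnsError: SessionCheck = (access) =>
  access === "valid" ? { error: null } : { error: new Error("invalid JWT") };
const throwsError: SessionCheck = (access) => {
  if (access !== "valid") throw new Error("invalid refresh token");
  return { error: null };
};

// A constructed cookie jar as left by a user who edited sb-access-token by hand.
function tamperedCookies(): Cookies {
  return new Map([[ACCESS, "garbage"], [REFRESH, "garbage"]]);
}

const naiveRoutes: Record<string, Handler> = { "/signin": signinNaive, "/dashboard": dashboardNaive };
const fixedRoutes: Record<string, Handler> = { "/signin": signinFixed, "/dashboard": dashboardFixed };
```

With the tampered jar, `follow("/dashboard", ...)` over `naiveRoutes` either hits the hop limit (error returned) or throws (error thrown); over `fixedRoutes` it renders the sign-in page after one hop and leaves the jar empty, and a "valid" pair still reaches the dashboard from /signin.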

@sarah11918 (Member)

Hi @ohrrkan, thanks for reporting this!

Have you tested your solution to see if it works? If that's working code that is preferable to avoid the infinite loop redirection, we'd be happy to receive a PR to the docs page to update the content!

We are quite busy getting our docs together for our launch of 5.0 beta next week, so I'm not sure how quickly someone would be able to get around to reviewing it. Maybe @kevinzunigacuellar who worked on a lot of our third-party guides originally and has experience with Supabase would be able to help verify and guide you through a PR to update the docs!
