Auth token is stored in local storage?
I feel like this is a dumb question but I don't get it...so here it goes:
I read everywhere about the token being stored in a cookie, but that isn't the case for me. I'm using the AuthUI + email only. I couldn't get the server client initiated with the cookies ... and come to find out...those cookies aren't there. So I inspected my browser and I found things like the auth token, in local storage, but nothing in cookies.
What am I missing? I'm sure it's simple.
15 Replies
To be more specific. I would assume I wouldn't nee dto do this, to talk to an API where Im trying to check against the user's session.
Currently I'm doing this to get it to even work (Which looking at the docs...doesn't seem like I should be doing this):
CLIENT SIDE:
And on server side (NextJS API)
reading the docs and examples, it def doesn't seem like I should be doing this...
Ohh, hmm, this actually explains some weirdness I was seeing too! I was trying to complete my PKCE flow in middleware, so I can use any page on the site as a redirect URL (my login form is an in-app modal, and I want to return the user to the same page they were on) and everything seemed to be working, but the session wasn't taking. That makes sense if it's being stored in local storage rather than a cookie.
Hmm, but now that I think of it, that doesn't explain why the route handler method worked...
I'm not sure why it's happening. From what I can tell in the docs, it's supposed to be in a cookie.
check the docs on how to make it use the cookie instead of local storage. pretty sure you need to specify the cookie methods to the gotrue client on ssr
By default, the supabase client stores the user session in browser localStorage. The cookies piece comes into play if you're using either the legacy auth helpers or the new "auth helpers" aka SSR package.
Right, so I'm using SSR package. I didn't see in the docs where it indicates local storage, for the server client stuff. I'll look again
https://discord.com/channels/839993398554656828/1185907497790361670 similar issue
I'm actually fine to use the local storage route but it just seems like all the docs are heavily impressing me to move to cookies, for the server side handlers.
Yes, you have to use cookies for the server side. But I'm not sure why something is being stored in local storage. Are you creating a client somewhere with
createClient instead of the SSR package's client-creation functions?You know ... I was only using the SSR package for the server ... using AuthUI on the front end ... maybe it doesn't use that?
You'd still need to create a supabase client and pass it to the ui; so what does that code look like?
yeh you’re right. i’m using supabasejs
I did end up getting this working, here's how I'm creating my client with SSR:
I'm using PKCE, but all I need to do other than that is call this serverside:
And then when I return
response, it includes all of the appropriate Set-Cookie: headers for my session
And then there's nothing extra that I need to do to include auth when I call fetch() because the browser already sends along the cookie
Can you share the full serverside function where you're doing supabase.auth.setSession({ ... })GitHub
1982vsthefuture/pages/api/search.ts at 3678dcacb7fab3915e6079148a3a...
Beat the hacker from the future. (A Supabase hackathon entry 2023) - rblalock/1982vsthefuture
Hmm, yeah, this doesn't look quite right in a couple ways. When I'm creating a supabase client in a page handler like this, I don't have to do anything to set up auth at all, it just works. I also don't need to do
setSession() anywhere except the login page. Where is your login page or login callback?I think I'd go back to these docs pages, figure out how you want to log users in, and follow along with the step-by-step https://supabase.com/docs/reference/javascript/auth-signinwithpassword
Yeh exasctly what I would expect too is that the cookies are present but they're not.
I will try to do the manual signin flow and see how that works out.