Supabase•9mo ago•

8 replies

Auth ?grant_type=refresh_token 429

I'm on a Free Supabase plan.

On

06-24 20:48

06-24 20:48

I've released the latest version of my app.

Today, I've got reports that users aren't able to login anymore. From the Supabase logs, it's clear that

?grant_type=refresh_token

?grant_type=refresh_token

endpoint is being rate limited. Whats suspicious, is that from

06-24

06-24

up till today

07-01

07-01

there were no such issue registered. Users we're using the application as expected, able to log-in, refresh the session and use the application. There were no production code modifications during the period of

06-24-07-01

06-24-07-01

.

The authentication is happening with my custom REST API, here's the initialisation part on a bun runtime:

import { createClient } from "@supabase/supabase-js";

const supabaseUrl = process.env.SUPABASE_URL!;
const supabaseServiceKey = process.env.SUPABASE_SERVICE_KEY!;

export const supabase = createClient(supabaseUrl, supabaseServiceKey, {
    auth: {
        autoRefreshToken: false, // false, because I control this on my own
        persistSession: false,
    },
});

import { createClient } from "@supabase/supabase-js";

const supabaseUrl = process.env.SUPABASE_URL!;
const supabaseServiceKey = process.env.SUPABASE_SERVICE_KEY!;

export const supabase = createClient(supabaseUrl, supabaseServiceKey, {
    auth: {
        autoRefreshToken: false, // false, because I control this on my own
        persistSession: false,
    },
});

/sign-in

/sign-in

endpoint:

const { email, password } = c.req.valid("json");

        const { data, error } = await supabase.auth.signInWithPassword({
            email,
            password,
        });

        if (error) handleSupabaseAuthError(error);

        if (!data.session) {
            throw new ApiError(
                AUTH_MESSAGES.AUTH.INVALID_CREDENTIALS,
                401,
                "AUTH_ERROR"
            );
        }

        return c.json({
            message: "Login successful.",
            access_token: data.session.access_token,
            refresh_token: data.session.refresh_token,
        });

const { email, password } = c.req.valid("json");

        const { data, error } = await supabase.auth.signInWithPassword({
            email,
            password,
        });

        if (error) handleSupabaseAuthError(error);

        if (!data.session) {
            throw new ApiError(
                AUTH_MESSAGES.AUTH.INVALID_CREDENTIALS,
                401,
                "AUTH_ERROR"
            );
        }

        return c.json({
            message: "Login successful.",
            access_token: data.session.access_token,
            refresh_token: data.session.refresh_token,
        });

I'm on:

"@supabase/supabase-js": "^2.48.1",

"@supabase/supabase-js": "^2.48.1",

I'm really concerned how did the issue started to appear today if the last production code both for

client

client

and

server

server

made was on

06-24

06-24

and the latest migration submitted to Supabase was on

06-22

06-22

Auth ?grant_type=refresh_token 429

I'm on a Free Supabase plan.

On

06-24 20:48

06-24 20:48

I've released the latest version of my app.

Today, I've got reports that users aren't able to login anymore. From the Supabase logs, it's clear that

?grant_type=refresh_token

?grant_type=refresh_token

endpoint is being rate limited. Whats suspicious, is that from

06-24

06-24

up till today

07-01

07-01

06-24-07-01

06-24-07-01

.

The authentication is happening with my custom REST API, here's the initialisation part on a bun runtime:

import { createClient } from "@supabase/supabase-js";

const supabaseUrl = process.env.SUPABASE_URL!;
const supabaseServiceKey = process.env.SUPABASE_SERVICE_KEY!;

export const supabase = createClient(supabaseUrl, supabaseServiceKey, {
    auth: {
        autoRefreshToken: false, // false, because I control this on my own
        persistSession: false,
    },
});

import { createClient } from "@supabase/supabase-js";

const supabaseUrl = process.env.SUPABASE_URL!;
const supabaseServiceKey = process.env.SUPABASE_SERVICE_KEY!;

export const supabase = createClient(supabaseUrl, supabaseServiceKey, {
    auth: {
        autoRefreshToken: false, // false, because I control this on my own
        persistSession: false,
    },
});

/sign-in

/sign-in

endpoint:

const { email, password } = c.req.valid("json");

        const { data, error } = await supabase.auth.signInWithPassword({
            email,
            password,
        });

        if (error) handleSupabaseAuthError(error);

        if (!data.session) {
            throw new ApiError(
                AUTH_MESSAGES.AUTH.INVALID_CREDENTIALS,
                401,
                "AUTH_ERROR"
            );
        }

        return c.json({
            message: "Login successful.",
            access_token: data.session.access_token,
            refresh_token: data.session.refresh_token,
        });

const { email, password } = c.req.valid("json");

        const { data, error } = await supabase.auth.signInWithPassword({
            email,
            password,
        });

        if (error) handleSupabaseAuthError(error);

        if (!data.session) {
            throw new ApiError(
                AUTH_MESSAGES.AUTH.INVALID_CREDENTIALS,
                401,
                "AUTH_ERROR"
            );
        }

        return c.json({
            message: "Login successful.",
            access_token: data.session.access_token,
            refresh_token: data.session.refresh_token,
        });

I'm on:

"@supabase/supabase-js": "^2.48.1",

"@supabase/supabase-js": "^2.48.1",

I'm really concerned how did the issue started to appear today if the last production code both for

client

client

and

server

server

made was on

06-24

06-24

and the latest migration submitted to Supabase was on

06-22

06-22

Auth ?grant_type=refresh_token 429

Auth ?grant_type=refresh_token 429

Similar Threads

Similar Threads

Similar Threads