auth.getUser returns an error: Auth Session Missing v2.43.2

[NickG-NZ]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

After upgrading from v2.38.4 to v2.43.2, calling auth.getUser in a NextJS route handler returns an AuthSessionMissing error for a logged in user (session cookie exists and is passed to the client).
It seems to be the same bug from issue supabase/supabase-js#1025 that was discovered and already fixed for edge functions. In this case it is happening when using the Supabase SSR library.

To Reproduce

Steps to reproduce the behaviour, please provide code snippets or a repository:

Run await supabaseAuthClient.auth.getUser() in a NextJS route-handler (or presumably any serverless runtime using a supabase SSR client)

Expected behavior

The user is returned.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

• OS: Ubuntu 22
• Browser Chromium
• Version of supabase-js: 2.43.2
• Version of Node.js: 20

Additional context

Add any other context about the problem here.

[peterje]

@NickG-NZ I also ran in to this yesterday intermittently Any resolution?

[NickG-NZ]

No resolution for us yet. We're sitting on an old version until the supabase team responds

[geoffreygarrett]

For what it's worth, I had the same error.

I manually inspected the cookies and found my cookies were not chunked correctly as [cookie-part.0, cookie-part.1] for some reason. Might be unrelated and a by-product of my cookie management, but I found: [cookie-part, cookie-part.0, cookie-part.1] where cookie-part==cookie-part.1. (yes I have sizeable cookies).

The cookie chunking algorithm, when provided with cookie-part will return cookie-part if it exists and ignore the enumerated chunks.

[vanceingalls]

@NickG-NZ which version of next.js are you on? seem to be running into the same issue with supabase-js 2.43.2 and any version of next.js above 14.0.4

[RickWoltheus]

can confirm this is also happening for me on supabase-js 2.43.4 and nextjs 14.0.4

[Donald646]

Same here I can't use .getUser() in serverless functions, or in API Routes.

[Donald646]

@RickWoltheus I'm running into the same problem. I installed the latest version, but when I downgrade it doesn't work anymore. I'm a relatively new dev, so how do I downgrade to a version that works?

[Donald646]

these are my dependencies when I run npm list.

[NickG-NZ]

these are my dependencies when I run npm list.

You haven't included your supabase-js version in the screenshot. The package that this Github issue is about (@supabase/supabase-js) should be in your dependencies.
I can't remember exactly which version breaks it, but my team is sitting on 2.38.4.

To switch to this particular version you would just run
npm install @supabase/supabase-js@2.38.4

[NickG-NZ]

@NickG-NZ which version of next.js are you on? seem to be running into the same issue with supabase-js 2.43.2 and any version of next.js above 14.0.4

We're on 14.1.4. Are you saying that running an older version of NextJS fixes it?

[Donald646]

Your screen shot isn't working for me, but when I run npm list @supabase/supabase-js doesnt appear, but I have run the install.

[NickG-NZ]

@Donald646 This is really unrelated to the current issue. Can you please try Google, GPT or StackOverflow.

[Donald646]

Going back to an older version of @supabase/supabase-js doesn't work for me. My local development is down, as users on the serverside is a core part of it. This issue has also been open for a while now, so I don't know when it's gonna be fixed.

[createdbymax]

Having the same issue on supabase-js 2.43.4.

[latifs]

Hey Guys,

Having the same issue on:

• @supabase/supabase-js 2.43.5
• @supabase/ssr 0.3.0
• next 14.2.3

Has anyone figured out which version introduces the breaking change?
Thanks

[NickG-NZ]

@kangmingtay Seems there are a lot of people affected by this. Just want to make sure the supabase team is aware of it.

[latifs]

This is insane,
looks like this issue has been reported months ago in lots of issues and discussions and nothing.
I've started watching firebase videos, they have postgres now!

[Donald646]

I've reached out to their support team directly, and they told me they have escalated this issue to the auth team. But no other fixes so far.

[tecoad]

This is freaking insane!
I have spent over 10 hours revisiting my codebase to find out this has nothing to do with the code.
Anyone figured out how to fix it?

[enzotar]

Similar here. If a route fetches using POST with body to another route, auth/cookies are lost. Works if I change it to redirect with GET and query params

"@supabase/ssr": "^0.4.0",
"@supabase/supabase-js": "^2.44.2",
 "next": "^14.2.4",

[zeropaper]

The strangest bit for me is that everything works fine locally.
However, it doesn't work with the remote (supabase).
My version of @supabase/supabase-js is 2.42.0.

My flow is the following:

1. I make a request to login

   const { data, error } = await supabase.auth.signInWithPassword({
     email,
     password,
   });
   // this will work just fine:
   logger.debug(
     "login auth.getUser",
     JSON.stringify(await supabase.auth.getUser(), null, 2),
   );
   logger.debug(
     "login auth.getSession",
     JSON.stringify(await supabase.auth.getSession(), null, 2),
   );
   

   and respond with the data (that includes the access_token).
2. Then I make another request to another endpoint (passing the access_token in the headers)

   const userClient = createClient(SUPABASE_URL, access_token);
   // this will fail. But not when done locally.
   const { data } = await userClient.auth.getUser();
   

[kangmingtay]

hey everyone, we're investigating this issue - we made getUser() return null in this PR as to indicate that:

1. The user doesn't exist
2. The access token you're using is invalid (which used to return an invalid claim: missing sub claim) error

you should also be able to see any errors with the auth service in your project's auth logs (https://supabase.com/dashboard/project/_/logs/auth-logs) - specifically, you should be watching out for errors against the "/user" endpoint over the time period where getUser() returns null

@zeropaper i don't think you can pass the access_token as the key - can you try this instead?

const userClient = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
  auth: {
    autoRefreshToken: false,
    persistSession: false,
    detectSessionInUrl: false
  }
});
const { data } = await userClient.auth.getUser();

[denull0]

Similar here. If a route fetches using POST with body to another route, auth/cookies are lost. Works if I change it to redirect with GET and query params

"@supabase/ssr": "^0.4.0",
"@supabase/supabase-js": "^2.44.2",
 "next": "^14.2.4",

Changed POST to GET and cookies are now getting passed correctly.

Edit: It keeps on braking. The cookie are passed only sometimes.

[denull0]

It might be related to caching. I removed the staleTime of my React Query config and the cookie now persist and it's passed to the route handler with both GET and POST.

[caelinsutch]

Ran into this issue, downgrading to

    "@supabase/ssr": "0.3.0",
    "@supabase/supabase-js": "2.35.0",

didn't seem to fix it with "next": "14.2.4".

This is following the documentation and attempting to access current user in a page.tsx file and middleware

Was migrating a from Firebase but I guess we'll wait until this is figured out.

[hiroki-307]

I get an error when I call auth.getUser as follows using the browser client in Nextjs.

  const supabase = createClient()
  const { data, error } = await supabase.auth.getUser()

but when I did the same thing using the server client, no error occurred and it was handled correctly.

I implemented the browser client and server client according to the following link: https://supabase.com/docs/guides/auth/server-side/nextjs

I hope this helps.

[dukuo]

I'm getting the exact same error, is there a way to solve this another way?

[Shaun-Regenbaum]

I am experiencing these issues as well.

[denull0]

It seems this person is getting around the issues:

https://github.com/ElectricCodeGuy/SupabaseAuthWithSSR/tree/main

[caelinsutch]

It seems this person is getting around the issues:

https://github.com/ElectricCodeGuy/SupabaseAuthWithSSR/tree/main

This approach worked great - cookies().set() can only be called from server functions or endpoints so had to remove from being ran on server-side components which was throwing errors in prod

[hf]

Hey everyone. Getting no user if the cookies are present means that you probably have an incorrect middleware.ts file. The middleware must run. If it doesn't the token will be refreshed multiple times causing the following refresh to fail.

Please follow the SSR guides to the dot. https://supabase.com/docs/guides/auth/server-side/creating-a-client?environment=server-component&queryGroups=framework&framework=nextjs

[tomasmenezes]

Just started getting this error on the latest "@supabase/supabase-js": "^2.45.3". Rolling back to 2.45.1 seems to prevent it.

[elbarbi]

Hi everyone, I have the same issue. It happened after a reset of the database, but I don't know if it is linked. Someone find a solution ?
Here is my discussion link:
https://github.com/orgs/supabase/discussions/29185

      '@supabase/ssr':
        specifier: ^0.3.0
        version: 0.3.0(@supabase/supabase-js@2.43.5)