Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Supabase Auth: Issue regarding login when the requested url already had some '#' based value in it when using third-party auths #23704

Open
rahul3v opened this issue May 3, 2024 · 2 comments
Open

Supabase Auth: Issue regarding login when the requested url already had some '#' based value in it when using third-party auths #23704

rahul3v opened this issue May 3, 2024 · 2 comments
Labels
auth All thing Supabase Auth related bug Something isn't working

Comments

@rahul3v
Copy link
Contributor

rahul3v commented May 3, 2024

Bug report

  • [+] I confirm this is a bug with Supabase, not with my own application.
  • [+] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

The URL with pre-existing '#' value lead to no-authentication at all, when using any third-party authentication.
example : https://example.com/abc#test#access_token=TOKEN_KEY

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Add a client side Supabase authentication
  2. Login using third-party auths, my case using github authentication
  3. Now open your UI containing Authentication button, with a YOUR_URL + "#Test" (example : https://example.com/abc#test)
  4. The url redirect back with the access_token value but not tigger any authentication under UI (example : https://example.com/abc#test#access_token=TOKEN_KEY)
  5. To authenticate with the same url you need to remove any exciting #values in this case (example : https://example.com/abc#access_token=TOKEN_KEY)

Expected behavior

Should trigger authentication

Screenshots

If applicable, add screenshots to help explain your problem.

System information

  • OS: Windows 11
  • Version of @supabase/supabase-js": "^2.43.0",
  • Version of Node.js: 20+

Solution

Either remove #.* before adding #access_token=TOKEN_KEY on a redirect url
or access to client side with #access_token=
@rahul3v rahul3v added the bug Something isn't working label May 3, 2024
@rahul3v rahul3v changed the title Supabase Auth: There is an issue regarding login when the requested url already had some '#' based value in it Supabase Auth: Issue regarding login when the requested url already had some '#' based value in it when using third-party auths May 3, 2024
@encima
Copy link
Contributor

encima commented May 3, 2024

Hi @rahul3v ,

Thanks for opening! Redirect URLs should go to direct urls and not to nested components within the page.

Tokens can come back with that prefix but the redirect url itself should not have a hash. Is your request to make this clearer in the docs?

@encima encima added the auth All thing Supabase Auth related label May 3, 2024
@rahul3v
Copy link
Contributor Author

rahul3v commented May 3, 2024
edited

Hello @encima,
Yes, that would really help to avoid the general url auth bug,
More batter if add it to the auth source code to filter that atleast and extract the #access_auth=* value to trigger auth,

Otherwise user will at some moment face this issue regardless of there redirect url as user share url with #values to point something on their site and authenticating at that moment when url contains # then the supabase auth ignores the authentication and do nothing which will break the authentication cycle.

But in other cases it will do authenticate regardless of redirect url provided

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auth All thing Supabase Auth related bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@encima @rahul3v