AuthApiError: Error invoking access token hook with custom claim #1561

Open
2 tasks done
agrittiwari opened this issue Apr 29, 2024 · 8 comments
Labels
bug Something isn't working

Comments

@agrittiwari

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

So I am simply signing with email and password. I added a custom claim to be added in the JWT, here it is:

create or replace function public.custom_access_token_hook(event jsonb)
returns jsonb
language plpgsql
as $$
declare
  claims jsonb;
  user_email text;
begin
  claims := event->'claims';
  select email
    into user_email
    from auth.users
    -- the hook event carries the user's id under the top-level key user_id
    where id = (event ->> 'user_id')::uuid;

  if user_email is not null then
    claims := jsonb_set(claims, '{https://www.abc.co/email}', to_jsonb(user_email));
    event := jsonb_set(event, '{claims}', claims);
  end if;

  return event;
end
$$;

grant usage on schema public to supabase_auth_admin;
grant execute on function public.custom_access_token_hook to supabase_auth_admin;
revoke execute on function public.custom_access_token_hook from authenticated, anon;

This ran successfully, and it does not resolve when I hit the handler from supabase-js from my client; it gives this error:

 AuthApiError: Error invoking access token hook.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

No idea what profiles it is referring to:


 async function signUpWithEmail() {
    setLoading(true);
    const {
      data: { session },
      error,
    } = await supabase.auth.signUp({
      email: email,
      password: password,
    });
    console.log(session?.user);
    if (error) Alert.alert(error.message);
    if (!session) Alert.alert('Please check your inbox for email verification!');
    setLoading(false);
  }
  
  return (

 <View style={styles.verticallySpaced}>
        <Button
          backgroundColor={!email || !password ? '$background' : '$primary'}
          disabled={!email || !password}
          onPress={() => signUpWithEmail()}>
          {loading ? (
            <ActivityIndicator color={colors.primary} />
          ) : (
            <Button.Text color={!email || !password ? 'black' : 'white'}>Sign up</Button.Text>
          )}
        </Button>
      </View>
)

Log from Supabase console

 Log ID
f6019b30-2f0b-42c0-bf9a-27d15df1e3e5

Log Timestamp (UTC)
2024-04-29T08:36:31.000Z

Log Event Message
{"auth_event":{"action":"login","actor_id":"e08266f1-cc4e-4bf4-9827-7505efe26b91","actor_name":"Agrit Tiwari","actor_username":"agrit@wishup.co","actor_via_sso":false,"log_type":"account","traits":{"provider":"email"}},"component":"api","error":"ERROR: relation \"profiles\" does not exist (SQLSTATE 42P01)","level":"error","method":"POST","msg":"500: Error invoking access token hook.","path":"/token","referer":"http://localhost:8081/","remote_addr":"223.233.67.151","time":"2024-04-29T08:36:31Z","timestamp":"2024-04-29T08:36:30Z"}


Expected behavior

Expected behavior is for Supabase to return the session with accessToken and refreshToken, the accessToken rich with the custom claim that I am going to send in the API header for the following calls.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

  • OS: macOS
  • Browser (if applies) [e.g. chrome, safari]
  • Version of supabase-js: [e.g. 6.0.2]
  • Version of Node.js: [e.g. 20.10.0]

Additional context

I have read this issue extensively and it doesn't seem to address the problem I am facing: #1523

@GaryAustin1

This seems like an error on possibly an auth.users trigger trying to write to a profiles table when you create a new user?
Do you have such a trigger/function installed on auth.users? You probably did not use public.profiles, or your table is named something else.
Also seems like this is not a bug report at this point, versus a call for help which is better in Discord or Discussions.

@wishup-agrit

This would surely have been a call for help if I wasn't sure that it is related to the auth hook, which is in beta. It is surely related to that, and yes, before logging this here I got rid of the error, getting help from Discord.
My apologies if I escalated this issue unnecessarily.

@GaryAustin1

Do you have an auth.users trigger function? You can see it in the dashboard's database triggers section.
Your code does not show using a profiles table, so not sure how the auth hook would cause that error.
BUT it is very very common to get that error from an auth.users trigger with a profiles table for user data.

@GaryAustin1

And you are showing signUp which is what will cause that insert trigger to run.
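
The check GaryAustin1 asks for, as catalog queries; this is an added example, not code from the thread or from Supabase. It assumes a role that can read `pg_catalog` (for instance the dashboard SQL editor) and uses only names that appear on this page (`auth.users`, `profiles`, `supabase_auth_admin`).

```sql
-- 1. User-defined triggers on auth.users and the functions they call.
select t.tgname                      as trigger_name,
       n.nspname || '.' || p.proname as trigger_function,
       t.tgenabled                   as enabled_state
from pg_catalog.pg_trigger t
join pg_catalog.pg_proc p      on p.oid = t.tgfoid
join pg_catalog.pg_namespace n on n.oid = p.pronamespace
where t.tgrelid = 'auth.users'::regclass
  and not t.tgisinternal;

-- 2. Every function whose body mentions "profiles", including older
--    overloads of the hook. proconfig shows any per-function search_path;
--    null means the caller's search_path decides how an unqualified
--    "profiles" is resolved.
select n.nspname   as function_schema,
       p.proname   as function_name,
       p.prosecdef as security_definer,
       p.proconfig as function_settings
from pg_catalog.pg_proc p
join pg_catalog.pg_namespace n on n.oid = p.pronamespace
where p.prosrc ilike '%profiles%'
  and n.nspname not in ('pg_catalog', 'information_schema');

-- 3. Row-level-security policies whose expressions mention "profiles".
select schemaname, tablename, policyname
from pg_catalog.pg_policies
where qual ilike '%profiles%'
   or with_check ilike '%profiles%';

-- 4. Where a relation named profiles actually exists, if anywhere.
select n.nspname as relation_schema, c.relname, c.relkind
from pg_catalog.pg_class c
join pg_catalog.pg_namespace n on n.oid = c.relnamespace
where c.relname = 'profiles';

-- 5. Role-level settings (such as search_path) of the role that runs the hook.
select rolname, rolconfig
from pg_catalog.pg_roles
where rolname = 'supabase_auth_admin';
```

SQLSTATE 42P01 means a name could not be resolved, so a function from query 2 that refers to `profiles` without a schema, run under a search path that does not include the schema found by query 4, is the case to look for.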

@agrittiwari
Author

Yeah, so users who are using SSO are also getting those triggers under the hood, I guess, because SSO doesn't force the user to perform a sign-up action, but it does so behind the UI, right? What should I do in that case? FYI, there aren't any trigger functions.
There were no errors thrown by the auth hook as well.

@J0
Contributor

J0 commented May 7, 2024

Hey @agrittiwari ,

Thanks for the query - can I check if you're still facing the issue? Like @GaryAustin1 mentioned it's quite common to see an error from a trigger there.

There's an authentication_method entry that you can use if you only wish for the hook to run after completion of certain authentication methods

@agrittiwari
Author

agrittiwari commented May 8, 2024

Hi @J0, thanks. Would you please share the relevant doc here for authenticated_method? By the way, I want the hook to run after every JWT generation.
There's no trigger.

@J0
Contributor

J0 commented May 8, 2024

Here's the docs for the hook

There's no trigger.
Could you open a ticket at supabase.help ?

If it helps we'll be releasing HTTP Hooks soon so it'll be possible to edit claims using JavaScript which might be significantly easier
