[fix] Call SIGNED_OUT event where session is removed#854
Conversation
|
Any feedback on this @kangmingtay @hf ? We're needing to patch this library whenever a new version is released. |
|
Any updates here? |
| if (currentSession) { | ||
| await this._saveSession(currentSession) | ||
| } |
There was a problem hiding this comment.
i'm not sure why it's necessary to preserve the existing session when one calls the signup method - we always want to remove the session when signup is called to prevent any possibilities of the user logging in as someone else.
There was a problem hiding this comment.
this applies to all the other sign-in methods too - if you're signing in, there won't be any session in the first place, else you'd be logged in already
There was a problem hiding this comment.
This truly depends on the UI implementation. We may need to allow logged-in users to switch accounts directly so it is possible to call sign-in/sign-up. Currently, if something fails, the user is kicked out of their current session.
In addition, I don't see how this would log a user into someone else's account. Either the sign-in is successful, and the current session switches to the new one, or it fails, and you keep the existing one. If you were never logged in, you stay logged out.
There was a problem hiding this comment.
If the team wanted to go down this path, you could simplify a lot of these methods by moving the _removeSession call to right before the _saveSession calls. There would be a few exceptions to that though.
I've seen more and more discussions about people trying to implement a "switch account" feature; or they already have, but recent changes have broken their implementations.
There was a problem hiding this comment.
I agree. I just wasn't sure if some logic was dependent on having no session while executing, so I preferred keeping it and reverting at the end.
Hopefully, we can remove the current limitation, be it by removing _removeSession where not necessary or, as my PR suggests, restoring the session on fail.
This is already working for us in production, we patch this library in our app for this behavior, but we'd prefer if the lib had it working natively.
|
Any updates on this, it's breaking our production Electron app, seems that when a request fails, the user just gets signed out entirely. |
j4w8n
left a comment
There was a problem hiding this comment.
I appreciate the review tag, but this one will ultimately need to be looked at by kangmingtay or hf. Last I knew, the team's time was limited; so, who knows if/when they'll consider this PR further.
|
Ok, I'll mention @hf so they'll be aware and have visibility on this fix request. |
|
sorry @bombillazo i was on vacation last week - i'll be looking into this further to see if we can just do away with removing the session prematurely before hitting the underlying auth endpoint - not too sure if it will cause any unintended breaking changes here so we need some time to test this out |
|
@bombillazo i've made a separate PR (#915) to address this - would be great if you can take a look at it too |
## What kind of change does this PR introduce? * Replaces #854 * Fixes #853, #904 * We don't need to remove the existing session prematurely. This causes some issues when users want to implement some sort of switch-account functionality since the existing session will always be removed regardless of whether the signup / sign-in attempt succeeds. * It's safe to remove `_removeSession` since calling `_saveSession` multiple times will just replace the existing session
|
Hey @kangmingtay thanks for the PR, I merged the current repo to my branch and the only thing missing is a few lines of code to emit the |
SIGNED_OUT event where sessino is removed
SIGNED_OUT event where sessino is removedSIGNED_OUT event where session is removed
|
Any update here? This fixes #853 |
|
Hey @kangmingtay , any update on this issue? |
|
Hey @kangmingtay @hf , I know 2.65.0 was released but this is missing to truly close #853 |
|
@kangmingtay @j4w8n @hf Could this be rechecked please? We still need to run auth-js patched on our side due to this. This is needed to resolve #853 which was incorrectly marked as completed |
|
I see you moved the SIGNED_OUT event trigger into _removeSession. I understand wanting to move it there, but I still think there are one or two cases where calling _removeSession shouldn't necessarily trigger the event. However, this isn't my party, and the maintainers may be fine with it. I'm not sure it would hurt anything. |
j4w8n
left a comment
There was a problem hiding this comment.
This is ultimately up to the maintainers, but I wrote a couple of things.
| this._debug(debugName, 'session is not valid') | ||
| if (currentSession !== null) { | ||
| await this._removeSession() | ||
| await this._notifyAllSubscribers('SIGNED_OUT', null) |
There was a problem hiding this comment.
If the session isn't valid, then no one should've been signed in to begin with; so I'm not sure if triggering the event here is strictly necessary. Is it causing an issue, or are you just trying to cover all bases?
There was a problem hiding this comment.
_recoverAndRefresh could be called with someone already in a signed in state, like from the _onVisibilityChanged function. Also, we may have cookies during the client initialization we need to clear if the session is invalid, and by not triggering this event in the initial "no one is signed in to begin with" state, we get inconsistent issues. This is what is happening in our case. So, the way to avoid this is to trigger the SIGNED_OUT event every moment the session is removed, regardless of why it was removed. We also have logic that depends on reacting to the session that no longer exists in the client. This is also how it is described in the documentation:
| // `unref()` on the returned object. | ||
| ticker.unref() | ||
| // @ts-ignore | ||
| // @ts-expect-error TS has no context of Deno |
There was a problem hiding this comment.
Is this needed here, since the Deno scenario is covered below? Or maybe the Deno check should happen first?
There was a problem hiding this comment.
IMO @ts-expect-error is a much better way to document why a typescript error needs to be ignored compared to @ts-ignore, I simply replaced the existing ts comment with this one.
There was a problem hiding this comment.
I don't know of a way to check for Deno without TS complaining
|
Thanks @j4w8n for the questions/feedback, hopefully this can be reviewed by the corresponding devs to keep the ball rolling. |
kangmingtay
left a comment
There was a problem hiding this comment.
hey @bombillazo, apologies for the delayed review on this PR - the changes look good, thanks for helping to fix this issue!
🤖 I have created a release *beep* *boop* --- ## [2.65.1](v2.65.0...v2.65.1) (2024-10-14) ### Bug Fixes * Call `SIGNED_OUT` event where session is removed ([#854](#854)) ([436fd9f](436fd9f)) * improve `mfa.enroll` return types ([#956](#956)) ([8a1ec06](8a1ec06)) * move MFA sub types to internal file ([#964](#964)) ([4b7455c](4b7455c)) * remove phone mfa deletion, match on error codes ([#963](#963)) ([ef3911c](ef3911c)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop* --- ## [2.65.1](supabase/auth-js@v2.65.0...v2.65.1) (2024-10-14) ### Bug Fixes * Call `SIGNED_OUT` event where session is removed ([#854](supabase/auth-js#854)) ([421d7d4](supabase/auth-js@421d7d4)) * improve `mfa.enroll` return types ([#956](supabase/auth-js#956)) ([aca7870](supabase/auth-js@aca7870)) * move MFA sub types to internal file ([#964](supabase/auth-js#964)) ([70cecdb](supabase/auth-js@70cecdb)) * remove phone mfa deletion, match on error codes ([#963](supabase/auth-js#963)) ([3547cd9](supabase/auth-js@3547cd9)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
What kind of change does this PR introduce?
This adds the SIGNED_OUT event missing in some logic that clears/logs out the session.
What is the current behavior?
#853