supabase browser client: match server cookie attributes (SameSite=Lax, no Secure)
The browser-side createBrowserClient was writing cookies with
'Secure; SameSite=None' while the server-side createServerClient
writes the same cookie names with 'SameSite=Lax' (no Secure flag —
Next.js cookies().set() default).
When the wp-login API set the auth cookie via NextResponse, the browser
stored it with SameSite=Lax. Then the browser supabase client (via
AuthContext or any subsequent auth call) tried to re-write the cookie
via document.cookie with Secure;SameSite=None. Browsers can't reconcile
this — depending on Chrome/Safari/Firefox version, you get either:
- duplicate cookies that confuse session detection
- the JS write silently failing because Secure;SameSite=None has
additional constraints
- the existing Lax cookie getting clobbered with attributes that
conflict with same-site navigation
Net effect: AuthContext on /contributor doesn't reliably see the
session even though the cookie exists, so /contributor's
'!loading && !user → router.push(/login)' check bounces the user
back to /client-login. Looks like login failed.
Fix: align the JS-side cookie attributes with the server-side defaults
(SameSite=Lax, no Secure). Both writes now produce the same cookie
shape, no conflict.
This commit is contained in:
@@ -17,7 +17,12 @@ export function createClient() {
|
|||||||
setAll(cookiesToSet: Array<{ name: string; value: string; options?: any }>) {
|
setAll(cookiesToSet: Array<{ name: string; value: string; options?: any }>) {
|
||||||
if (typeof document === 'undefined') return;
|
if (typeof document === 'undefined') return;
|
||||||
cookiesToSet.forEach(({ name, value, options }) => {
|
cookiesToSet.forEach(({ name, value, options }) => {
|
||||||
let cookieString = `${name}=${encodeURIComponent(value)}; Path=${options?.path || '/'}; Secure; SameSite=None`;
|
// Match server-side cookie attributes. Server uses Next.js
|
||||||
|
// cookies().set(), which defaults to SameSite=Lax with no
|
||||||
|
// Secure flag. Writing the same cookie name with different
|
||||||
|
// SameSite/Secure from JS produces conflicting state in the
|
||||||
|
// browser cookie store and breaks AuthContext on /contributor.
|
||||||
|
let cookieString = `${name}=${encodeURIComponent(value)}; Path=${options?.path || '/'}; SameSite=Lax`;
|
||||||
if (options?.maxAge) cookieString += `; max-age=${options.maxAge}`;
|
if (options?.maxAge) cookieString += `; max-age=${options.maxAge}`;
|
||||||
if (options?.domain) cookieString += `; domain=${options.domain}`;
|
if (options?.domain) cookieString += `; domain=${options.domain}`;
|
||||||
if (options?.expires) cookieString += `; expires=${options.expires}`;
|
if (options?.expires) cookieString += `; expires=${options.expires}`;
|
||||||
|
|||||||
Reference in New Issue
Block a user