You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@auth/sveltekit@0.8.0 broke an undocumented behavior which I was using in my application, which was lazily retrieving the Session object in a root layout, then awaiting it where necessary in the application. This way, I could start rendering full page, while displaying spinners/skeletons on data which need user data from the Session object.
#9694 introduces setting cookies when retrieving the Session object. Migrating to version @auth/sveltekit@0.8.0 (replacing getSession with auth) will cause a possible race condition, where if the first response was already sent from the server before below code is executed:
In the deployed application, you should be able to observe Loading... before Sign in button appears.
Login in the application.
After successful login and redirect, observe client-side error Could not load user data and below error on server side.
Error: Cannot use `cookies.set(...)` after the response has been generated at event2.cookies.set (file:///var/task/.svelte-kit/output/server/index.js:3259:15) at auth (file:///var/task/.svelte-kit/output/server/chunks/auth.js:6376:19)
Session should be allowed to be streamed using Promise.
While I find the feature of streaming the Session object to be potentially beneficial, I acknowledge that there may be valid reasons why it's not implemented as such. This opens the floor for discussion, and I'm welcome to insights on this matter.
I see following outcomes of this discussion:
Session promise should NEVER be streamed, and we should indicate that explicitly in the documentation,
Session promise should allow to be streamed, and it would be fairly easy to refactor the auth function to allow for this,
Session promise should theoretically allow to be streamed, but it would a significant refactor of library's core functionality and the handler hooks.
The text was updated successfully, but these errors were encountered:
deronek
added
bug
Something isn't working
triage
Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.
labels
Apr 10, 2024
Environment
Also reproducible on Vercel deployment
Reproduction URL
https://github.com/deronek/sveltekit-auth-example/
Describe the issue
@auth/sveltekit@0.8.0
broke an undocumented behavior which I was using in my application, which was lazily retrieving theSession
object in a root layout, then awaiting it where necessary in the application. This way, I could start rendering full page, while displaying spinners/skeletons on data which need user data from theSession
object.#9694 introduces setting cookies when retrieving the
Session
object. Migrating to version@auth/sveltekit@0.8.0
(replacinggetSession
withauth
) will cause a possible race condition, where if the first response was already sent from the server before below code is executed:next-auth/packages/frameworks-sveltekit/src/lib/actions.ts
Lines 120 to 125 in 6116736
we will receive an error:
Cannot use `cookies.set(...)` after the response has been generated
traced to here:
https://github.com/sveltejs/kit/blob/f80ba75dfd967fb9d28d705d6891933bab603dc9/packages/kit/src/runtime/server/respond.js#L541-L543
How to reproduce
https://github.com/deronek/sveltekit-auth-example/blob/230836cb600db61db0ac81619a0caac83296b1a1/src/routes/%2Blayout.server.ts#L3-L7
https://github.com/deronek/sveltekit-auth-example/blob/230836cb600db61db0ac81619a0caac83296b1a1/src/components/header.svelte#L9-L27
Loading...
beforeSign in
button appears.Could not load user data
and below error on server side.Live deployment on Vercel: sveltekit-auth-example-eight-smoky.vercel.app
Expected behavior
Session
should be allowed to be streamed using Promise.While I find the feature of streaming the
Session
object to be potentially beneficial, I acknowledge that there may be valid reasons why it's not implemented as such. This opens the floor for discussion, and I'm welcome to insights on this matter.I see following outcomes of this discussion:
Session
promise should NEVER be streamed, and we should indicate that explicitly in the documentation,Session
promise should allow to be streamed, and it would be fairly easy to refactor theauth
function to allow for this,Session
promise should theoretically allow to be streamed, but it would a significant refactor of library's core functionality and the handler hooks.The text was updated successfully, but these errors were encountered: