[fix] Keep existing session on auth functions if they fail #854

Open: wants to merge 7 commits into base: master

@bombillazo bombillazo commented Feb 16, 2024

What kind of change does this PR introduce?

The supabase auth client now restores/keeps the existing session data when the auth functions run and fail instead of clearing it and not restoring it. Also adds the SIGNED_OUT event missing in some logic that clears/logs out the session.

What is the current behavior?

#853
#904

@bombillazo bombillazo changed the title fix: keep existing session on auth functions if they fail [fix] Keep existing session on auth functions if they fail Feb 16, 2024
@bombillazo (Author)

Any feedback on this @kangmingtay @hf ? We're needing to patch this library whenever a new version is released.

@bombillazo (Author)

Any updates here?

Comment on lines +483 to +485
if (currentSession) {
await this._saveSession(currentSession)
}
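Review bot: at `await this._saveSession(currentSession)`, the restore is awaited with no error handling inside these lines, so a rejection from `_saveSession` would reach the caller in place of the auth error that triggered the restore. Consider catching around the restore and still returning the original error, and add a short comment stating why the previous session is written back at this point.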
Member

I'm not sure why it's necessary to preserve the existing session when one calls the signup method - we always want to remove the session when signup is called to prevent any possibilities of the user logging in as someone else.

Member

This applies to all the other sign-in methods too - if you're signing in, there won't be any session in the first place, else you'd be logged in already.

@bombillazo (Author), May 9, 2024

This truly depends on the UI implementation. We may need to allow logged-in users to switch accounts directly so it is possible to call sign-in/sign-up. Currently, if something fails, the user is kicked out of their current session.

In addition, I don't see how this would log a user into someone else's account. Either the sign-in is successful, and the current session switches to the new one, or it fails, and you keep the existing one. If you were never logged in, you stay logged out.

@j4w8n (Contributor), May 10, 2024

If the team wanted to go down this path, you could simplify a lot of these methods by moving the _removeSession call to right before the _saveSession calls. There would be a few exceptions to that though.

I've seen more and more discussions about people trying to implement a "switch account" feature; or they already have, but recent changes have broken their implementations.

Author

I agree. I just wasn't sure if some logic was dependent on having no session while executing, so I preferred keeping it and reverting at the end.

Hopefully, we can remove the current limitation, be it by removing _removeSession where not necessary or, as my PR suggests, restoring the session on fail.

This is already working for us in production; we patch this library in our app for this behavior, but we'd prefer if the lib had it working natively.
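The three behaviours discussed in this thread, as an added example that is not code from the PR or from the library: a synchronous in-memory model in which `makeClient`, the strategy names, the `backend` stub, the user table and the event emitted on every save/removal are all assumptions made for illustration. It compares what is left after an account switch when the session is cleared first, restored on failure, or replaced only on success.

```javascript
// Added illustration; a hypothetical model, not the auth library's code.
const USERS = new Map([                      // constructed sample accounts
  ['alice@example.test', 'pw-a'],
  ['bob@example.test', 'pw-b'],
]);

// Stand-in for the auth server: a session on success, an error otherwise.
function backend(email, password) {
  const ok = typeof password === 'string' && USERS.get(email) === password;
  return ok ? { session: { user: email }, error: null }
            : { session: null, error: 'invalid_credentials' };
}

function makeClient(strategy) {
  const client = { session: null, events: [] };
  // Assumption: the model emits an event on every save and every removal.
  const save = (s) => { client.session = s; client.events.push('SIGNED_IN'); };
  const remove = () => {
    if (client.session) client.events.push('SIGNED_OUT');
    client.session = null;
  };
  client.signIn = (email, password) => {
    const previous = client.session;          // snapshot, used by 'restore'
    if (strategy !== 'replace-on-success') remove();
    const { session, error } = backend(email, password);
    if (error) {
      if (strategy === 'restore' && previous) save(previous);
      return { session: null, error };
    }
    if (strategy === 'replace-on-success') remove();
    save(session);
    return { session, error: null };
  };
  return client;
}

// Sign in as alice, then attempt a switch to bob with the given password.
function switchAccount(strategy, bobPassword) {
  const c = makeClient(strategy);
  c.signIn('alice@example.test', 'pw-a');
  const { error } = c.signIn('bob@example.test', bobPassword);
  return { user: c.session ? c.session.user : null, error, events: c.events.join(',') };
}

for (const s of ['clear-first', 'restore', 'replace-on-success']) {
  console.log(s, switchAccount(s, 'wrong'), switchAccount(s, 'pw-b'));
}
```

In this model the restore strategy ends a failed switch with the original session, but subscribers still see a SIGNED_OUT followed by a SIGNED_IN, which matters if listeners clear local state on sign-out.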
