Skip to content

Fix token refresh logic #113

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix token refresh logic #113

wants to merge 2 commits into from

Conversation

@azegallo
Copy link

@azegallo azegallo commented Oct 22, 2025
edited
Loading

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

  • Token refresh logic rejects refreshes if the access token is expired.
  • In many (most?) use cases the token will never refresh.

#108 #112 #106 #109

What is the new behavior?

Tokens refresh correctly.

Additional context

We have been wrongly assuming that Session.ExpiresIn represented the users Supabase session expiry time. And that we should invalidate the users session when this time expired.
The Session.ExpiresIn property actually represents the entire lifetime (in seconds) of the access token (if you set a JWT expiry in Supabase of 3600 then ExpiresIn should always be 3600).
We should not be concerned with "ending sessions" in this library. That is handled by Supabase invalidating the refresh tokens. So I have removed all of the Expired() checks.

The SetSession method in Client.cs was also setting an incorrect value for ExpiresIn, using payload.Expiration which is the timestamp for when the token expires, not the expected expires_in time. So I have calculated that as the payloads (exp - iat).

After these changes the ExpiresAt() and Expired() methods in Session.cs are unused so I have removed them as well as the AnonKeyClientTests.cs SessionCalculatesExpiresAtTimeCorrectly() method.

@azegallo
Fix token refresh logic
20ee19d 
We were wrongly assuming that Session.ExpiresIn meant the users session was to expire at that time and we should destroy the session. Session.ExpiresIn property is actually meant to be the entire lifetime of the access token (in seconds).
We shouldn't be concerned with "ending sessions" in this library. That is handled by Supabase invalidating refresh tokens.
We also were providing the wrong value to ExpiresIn in the `SetSession` method.
@azegallo
Remove CreatedAt assignments
af823f7 
On second thought, using the default assigned CreatedAt is correct for session creation.
Geek-bule
Geek-bule approved these changes Nov 17, 2025
View reviewed changes
Copy link

@Geek-bule Geek-bule left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i need this fix

@wiverson
Copy link
Collaborator

wiverson commented Nov 17, 2025

Not sure what the status is for this project WRT maintainer(s). I did go ahead and kick off a build and it's got test failures.

@jaimeatsherpa
Copy link

jaimeatsherpa commented Nov 25, 2025

Any updates here?

@azegallo
Copy link
Author

azegallo commented Nov 25, 2025

This is failing because on of a test that expects an exception to be thrown if the "session" is expired which is the logic error this PR is addressing.

@wiverson
Copy link
Collaborator

wiverson commented Nov 25, 2025

The test should be updated to reflect the desired behavior, not just left broken.

I'm not actively working on this - not sure who is - but I can't in good conscience accept a PR that breaks the build, and I don't have time to go into the weeds on this. If there's nobody else left maintaining this I can barely justify hitting accept on a build based on code-only review, but not if the PR leads to a breaking build. Note that just deleting the test is also not acceptable.

@jaimeatsherpa
Copy link

jaimeatsherpa commented Nov 27, 2025

@azegallo Can you please fix the test?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Geek-bule Geek-bule Geek-bule approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@azegallo @wiverson @jaimeatsherpa @Geek-bule