Improve documentation

Link
https://supabase.com/docs/guides/auth/server-side/creating-a-client?environment=middleware

Describe the problem
In the docs for the Next.js middleware, it shows modifying the request cookies:

```ts
set(name: string, value: string, options: CookieOptions) {
  request.cookies.set({
    name,
    value,
    ...options,
  })
}
```

I don't think this is needed? Why would you want to modify the request cookies in place? They are not being sent back to the client.

Describe the improvement
Remove modifying the request cookies in `set` and `remove`. Modifying the request cookies within the middleware function has no lasting effect on the client's state. Only the response cookies, which are sent back to the client, can modify the client's cookies and persist changes. Therefore, the correct approach is to modify only the response cookies.
Hi @ThomasBurgess2000, the point of this is to make sure server components that are called downstream have the updated cookies. Otherwise they may see a stale JWT and attempt to refresh it themselves, but since the JWT has already been refreshed by the middleware, Supabase Auth will interpret this as a potentially malicious actor trying to reuse a refresh token and log the user out.
You can see that the updated request, with the new cookie header, is passed to `NextResponse.next`.
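The failure mode described in the reply above, as an added simulation that is not part of this thread and is not Supabase, `@supabase/ssr` or Next.js code: plain `Map`s stand in for `request.cookies` and `response.cookies`, a small in-memory auth server with one-time refresh tokens stands in for Supabase Auth, and the cookie name `sb-session`, the token values and the timestamps are all constructed for the example. Sharing the request `Map` by reference with the downstream reader plays the role of forwarding the updated request through `NextResponse.next({ request })`. With `updateRequest = false` (the change the issue proposes) the server component still reads the stale JWT, tries to redeem the refresh token the middleware already used, and is signed out; with `true` it sees the refreshed session and does nothing.

```javascript
// Added example for this thread: a constructed simulation, not Supabase,
// @supabase/ssr or Next.js code. Maps stand in for NextRequest.cookies and
// NextResponse.cookies; FakeAuthServer stands in for Supabase Auth.
// Run with: node middleware-cookies.js

const SESSION_COOKIE = 'sb-session'; // hypothetical cookie name, constructed

// Hypothetical auth server with refresh-token reuse detection: a refresh
// token can be redeemed exactly once; redeeming it again revokes the session.
class FakeAuthServer {
  constructor() {
    this.redeemed = new Set(); // refresh tokens already exchanged
    this.serial = 0;           // counter used to mint distinguishable tokens
  }

  // Mint a session whose JWT lives one hour from `issuedAt` (seconds).
  issue(issuedAt) {
    this.serial += 1;
    return { access: `jwt-${this.serial}`, refresh: `rt-${this.serial}`, exp: issuedAt + 3600 };
  }

  refresh(refreshToken, now) {
    if (this.redeemed.has(refreshToken)) {
      throw new Error('refresh token reuse detected; session revoked');
    }
    this.redeemed.add(refreshToken);
    return this.issue(now);
  }
}

// Stand-in for the server client's session check: read the session from the
// cookie store it was given; if the JWT is expired, refresh it and persist the
// new session through the setCookie callback the caller supplied.
function ensureFreshSession(cookieStore, setCookie, auth, now) {
  const raw = cookieStore.get(SESSION_COOKIE);
  if (raw === undefined) return null;                 // no session at all
  const session = JSON.parse(raw);
  if (session.exp > now) return session;              // still valid, nothing to do
  const fresh = auth.refresh(session.refresh, now);
  setCookie(SESSION_COOKIE, JSON.stringify(fresh));
  return fresh;
}

// Stand-in for the middleware in the linked docs. `updateRequest` toggles the
// `request.cookies.set(...)` line the issue proposes removing. The request
// Map is shared by reference with the server component below, which plays the
// role of NextResponse.next({ request }) forwarding the updated request.
function middleware(request, auth, now, updateRequest) {
  const response = { cookies: new Map() };
  const setCookie = (name, value) => {
    if (updateRequest) request.cookies.set(name, value); // visible to downstream code
    response.cookies.set(name, value);                   // what the browser receives
  };
  ensureFreshSession(request.cookies, setCookie, auth, now);
  return response;
}

// Stand-in for a server component rendered after the middleware. It can only
// read the forwarded request cookies; the setCookie it passes is a no-op.
function serverComponent(request, auth, now) {
  try {
    ensureFreshSession(request.cookies, () => {}, auth, now);
    return { loggedOut: false, reason: null };
  } catch (err) {
    return { loggedOut: true, reason: err.message };
  }
}

// One full request carrying an already-expired session (constructed input).
function simulate(updateRequest) {
  const auth = new FakeAuthServer();
  const now = 1700000000;
  const stale = auth.issue(now - 7200);                 // expired an hour ago
  const request = { cookies: new Map([[SESSION_COOKIE, JSON.stringify(stale)]]) };

  const response = middleware(request, auth, now, updateRequest);
  const outcome = serverComponent(request, auth, now);
  return {
    ...outcome,
    requestJwt: JSON.parse(request.cookies.get(SESSION_COOKIE)).access,
    responseJwt: JSON.parse(response.cookies.get(SESSION_COOKIE)).access,
  };
}

console.log('response cookies only:', simulate(false));
console.log('request + response   :', simulate(true));
```

In both runs the response cookie carries the refreshed JWT, so the browser ends up in the same state either way; the difference is only what the code running later in the same request sees. That is why the docs write to both stores: the request copy exists for the rest of this request, the response copy for the client.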