supabase
Flow State Not Found
Bug report
- [x] I confirm this is a bug with Supabase, not with my own application.
- [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
Google oauth with
auth.exchangeCodeForSession(code);
Doesn't work 30% of the times, especially for mobile devices. The exact same implementation works perfectly for twitch
To Reproduce
Go to jaaneek.feedbackvote.com Try to login with Google(youtube), preferably with mobile chrome browser
Expected behavior
user is logged in
Screenshots
After further investigation seems like exchnageCodeForSession throws error and crashes the program. I believe this is a bug because we are already receiving error in { data, error }
We can also see that the request fires TWICE, meaning that the supabase redirects TWICE. We believe the second redirect crashes the program. First is validated & works. Second with exactly the same code crashes, because the code is already used.
I might have found a lead/related bug - if scopes includes "https://www.googleapis.com/auth/youtube.readonly" so you pick a YouTube account after picking Google one and you have only one YouTube account for given gmail, you get to see the pick screen but are getting redirected automatically after a moment - if you explicitly pick and click the account in the meantime, the riderctTo url will be hit twice! If there is more YT account on your gmail, automatic redirect does not happen and you can pick whatever account you want and everything will be fine
Now the specifics depends - sometimes you will get the same code twice, sometimes the 2nd code is null but in both cases You get the 422 error in return and are not logged in! The 30% of the times failure depends on I guess the timing you explicitly hit the YouTube account and how Google Auth/Supa (dunno) handles it - if you just wait I get positive login 100% of times.
The issue is I don't see the way to prevent this automatic account picking by Google or skipping this screen entirely if there is only one YT account associated to the Google one. One way is to give the consent every time, because AFAIK this screen does not automatically redirect, so you won't get 2 redirectTo hits. But the login UX is obnoxious to say the least.
Anyway it seems like the Google Auth issue at the core, but I believe given the Supabase is wrapping the entire process with this specific 422 code error returning, maybe there is some workaround that could be implemented directly in Supa for these "double redirects". WDYT?
@Forsect is right, this happens a lot!
But I also noticed that sometimes the code is not accepted anyway, even if it's the first time. For no particular reason.
The issue with my application:
I was redirecting to a webpage with Notion oauth params (/my/app/route?code=[VALUE]&state=value) that supabase erroneously thought had to do with the supabase session.
