Skip to content

fix: restore session before auth middleware in SPA mode#571

Open
zlotnika wants to merge 1 commit intonuxt-modules:mainfrom
zlotnika:fix/spa-session-race-condition
Open

fix: restore session before auth middleware in SPA mode#571
zlotnika wants to merge 1 commit intonuxt-modules:mainfrom
zlotnika:fix/spa-session-race-condition

Conversation

@zlotnika
Copy link

@zlotnika zlotnika commented Feb 2, 2026

Summary

In SPA mode (useSsrCookies: false), there's a race condition where the auth-redirect middleware checks
useSupabaseSession() before the session is hydrated from localStorage. This causes authenticated users to be incorrectly
redirected to the login page on direct navigation or page reload.

The Problem

  1. User is authenticated with a valid session in localStorage
  2. User navigates directly to a protected route (or reloads the page)
  3. The auth-redirect middleware runs and checks useSupabaseSession().value
  4. Session state is still null because onAuthStateChange hasn't fired yet
  5. User gets redirected to /login
  6. onAuthStateChange fires with the valid session
  7. Login page detects session and redirects back

This creates a flash/redirect loop that degrades UX and can break deep linking.

The Fix

Explicitly call getSession() and populate the session state before the plugin setup completes. This ensures the session is
available when middleware runs.

The fix only applies when useSsrCookies is false (SPA mode), since SSR mode uses cookies which are available synchronously.

Test Plan

  • Tested with ssr: false and useSsrCookies: false configuration
  • Direct navigation to protected routes works without redirect flash
  • Page reload maintains authentication state
  • Logout still works correctly
  • Login flow still works correctly

Fixes #496

🤖 Generated with Claude Code

@vercel
Copy link

vercel bot commented Feb 2, 2026

@zlotnika is attempting to deploy a commit to the NuxtLabs Team on Vercel.

A member of the Team first needs to authorize it.

zlotnika
zlotnika commented Feb 2, 2026
View reviewed changes
src/runtime/plugins/supabase.client.ts
// In SPA mode, restore session from storage before auth middleware runs
// This prevents a race condition where middleware checks session before it's hydrated
// See: https://github.com/nuxt-modules/supabase/issues/496
if (!useSsrCookies) {
Copy link
Author

@zlotnika zlotnika Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this is the best value to check.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 2, 2026
edited
Loading 

npm i https://pkg.pr.new/@nuxtjs/supabase@571

commit: a0c41ee

@Shooteger
Copy link
Contributor

Shooteger commented Feb 10, 2026

@larbish

@larbish
Copy link
Collaborator

larbish commented Feb 13, 2026

Thanks @zlotnika, can you please remove the dist folder from your PR? 🙏

@XStarlink
Copy link

XStarlink commented Feb 14, 2026
edited
Loading

@larbish @zlotnika Hello I’m linking this issue for additional context about the same problem:
#565

The session is not yet initialized in the plugin when the middleware runs its check. The session only gets set afterward, inside the page:start hook, which executes after the middleware.

As a result, the middleware runs before the session is available, leading to the issue described above.

@zlotnika
Copy link
Author

zlotnika commented Mar 15, 2026

Alright, sorry for forgetting this for so long. @larbish I've removed dist. Let me know if you want anything else!

@zlotnika zlotnika force-pushed the fix/spa-session-race-condition branch from be268ed to d6fe4d5 Compare March 15, 2026 21:46
@zlotnika @claude
fix: restore session before auth middleware in SPA mode
a0c41ee 
In SPA mode (useSsrCookies: false), explicitly call getSession() during
plugin setup so the session state is populated before auth middleware runs.
This prevents authenticated users from being incorrectly redirected on
direct navigation or page reload.

Fixes nuxt-modules#496

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@zlotnika zlotnika force-pushed the fix/spa-session-race-condition branch from d6fe4d5 to a0c41ee Compare March 15, 2026 21:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Race condition in auth flow in SPA mode

4 participants

@zlotnika @Shooteger @larbish @XStarlink