From a0c41ee45e4949e9e72c687c5695e8e2fc1ab6fd Mon Sep 17 00:00:00 2001
From: Alexander William Zlotnik <zlotnika@gmail.com>
Date: Sun, 15 Mar 2026 14:46:12 -0700
Subject: [PATCH] fix: restore session before auth middleware in SPA mode

In SPA mode (useSsrCookies: false), explicitly call getSession() during
plugin setup so the session state is populated before auth middleware runs.
This prevents authenticated users from being incorrectly redirected on
direct navigation or page reload.

Fixes #496

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/runtime/plugins/supabase.client.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/runtime/plugins/supabase.client.ts b/src/runtime/plugins/supabase.client.ts
index 2319e86f..674a8fd8 100644
--- a/src/runtime/plugins/supabase.client.ts
+++ b/src/runtime/plugins/supabase.client.ts
@@ -44,6 +44,16 @@ export default defineNuxtPlugin({
     const currentSession = useSupabaseSession()
     const currentUser = useSupabaseUser()
 
+    // In SPA mode, restore session from storage before auth middleware runs.
+    // This prevents a race condition where middleware checks session before it's hydrated.
+    // See: https://github.com/nuxt-modules/supabase/issues/496
+    if (!useSsrCookies) {
+      const { data } = await client.auth.getSession()
+      if (data.session) {
+        currentSession.value = data.session
+      }
+    }
+
     // Populate user before each page load to ensure the user state is correctly set before the page is rendered
     nuxtApp.hook('page:start', async () => {
       const { data } = await client.auth.getClaims()