Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug for server side to generate verifier and challenge pairs #505

Open
nullne opened this issue May 24, 2024 · 7 comments
Open

bug for server side to generate verifier and challenge pairs #505

nullne opened this issue May 24, 2024 · 7 comments
Assignees
@silentworks

Comments

@nullne
Copy link

nullne commented May 24, 2024

https://github.com/supabase-community/auth-py/blob/16e571fc19168314d82074523de6f246bdd74960/supabase_auth/_sync/gotrue_client.py#L943C9-L952C1

for example:
user A generates a url, with verifier A, user A doesn't verify immediately
then, user A generate another url, for now, previous url won't be verified by the new code_verifier
@silentworks
Copy link
Contributor

I'm not understanding your explanation above. Can you use example along with step by step instructions of the issue please?

@nullne
Copy link
Author

nullne commented May 28, 2024

let me try to explain again before deploying a demo :)

in "pkce" mode, step1, a google login link is generated and not clicked. if you dive deep into the related code, a code_verifier is generated and saved to memory by default which is used to validate the code_challenge later .
step2, generate the google login link again, this time, a new code_verifier generated and cannot match the previous code_challenge, this is the problem

@silentworks
Copy link
Contributor

You've just described how PKCE works. This is not a bug, it's just how the feature works.

@nullne
Copy link
Author

nullne commented May 30, 2024

it's ok for frontend lib, because browser remembers which verifier key is used, but for backend, it generate verifier key in one request, and verify it in another, in which scene backend can't remember which verifier key for which challenge.

@silentworks
Copy link
Contributor

I'm looking into this to see what's the best way to handle it with current setup. Ideally we need to get the authorization code flow from Supabase, but this hasn't been implemented as yet into Supabase's auth setup.

@silentworks silentworks self-assigned this Jun 4, 2024
@silentworks
Copy link
Contributor

So I have a solution for this which would mean saving the sessions as cookies and then retrieving them on a per request basis. In my current setup I'm using cookies and redis, the cookie stores the session_id and redis stores the actual JWT with the session_id for the lookup. I'm going to try and create a repo with this for others to see how its implemented, I'm also almost certain it can be done with cookies only without redis, however the benefit of redis is that its a quick in memory storage and you can store larger bytes in it than a cookie.

@nullne
Copy link
Author

nullne commented Jun 21, 2024

So I have a solution for this which would mean saving the sessions as cookies and then retrieving them on a per request basis. In my current setup I'm using cookies and redis, the cookie stores the session_id and redis stores the actual JWT with the session_id for the lookup. I'm going to try and create a repo with this for others to see how its implemented, I'm also almost certain it can be done with cookies only without redis, however the benefit of redis is that its a quick in memory storage and you can store larger bytes in it than a cookie.

it should work. for now is there any method to pass cookies to verify code_challenge?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@silentworks silentworks

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@silentworks @nullne