Persist Supabase auth session/user state
I'm really struggling to figure out how to persist a login state with my extension - I'm using Supabase and Vue (so unfortunately I can't use the boilerplate code exactly - with the user state watcher).
I've noticed a few things:
- State doesn't carry over between tabs (neither existing nor new ones)
- It seems as though state is "locked" to the parent domain I log in on, i.e. I'm logging the user in within a CSUI, and if it happens to be overlaid on linkedin, the logged-in state will be recognized when I return to that domain but not others
- My web app also uses Supabase auth and it seems the states sort of interact with each other but not predictably - ideally I wouldn't use the extension to login at all. I'd have the user login to the web app and share that auth with the extension
- The boilerplate example sends state to a BGSW. I'm not sure if this is needed to persist state or just an example of how it can be done?
- When I've made calls from the BGSW it almost seems like a different session state (often results in "user not found")
I'm all out of whack here and feel like I'm randomly throwing a bunch of `storage` and `setSession` calls hoping something will magically work
@louisgv Any thoughts here?
@Joshua Perk if you're trying to use supabase with CSUI, I'd persist the auth state via a JWT scheme within the bgsw and invoke stuff in BGSW instead of directly from CSUI
otherwise, you'd have to deal with the target page policy, which really depends on whether you can control that page or not
And by JWT scheme, you mean actually store the bearer token and make requests directly with it vs the supabase session stuff?
And by persist in the bgsw, you mean put it in `storage` but make the requests from the bgsw to prevent CORS issues? I just want to make sure the bgsw doesn't have some magical state persistence I'm unaware of (it will eventually close, right?)
Yeah, similar to mobile app persistent auth where you store a refresh token and use that to get a new access token to ping your service
You can think of extension auth scheme in a very similar vein as mobile/native app auth - essentially you're operating at the hybrid of device and web layer, but you actually don't "own" the web within the extension, so a lot of the auth scheme will be similar to native device auth esp when it comes to invoking your own API/backend
yup that's the case - grab the JWT from storage and use it to call backend from bgsw
That's really helpful - thank you so much man. I'm going to give this a shot tonight
yw!