In production authGuard event.cookies.getAll() is null though signInWithPassword() is successful and hooks.server.ts cookies.set() is successfully called. The same works in localserver #26514

Open
2 tasks done
anoobbacker opened this issue May 18, 2024 · 1 comment
Labels
auth All thing Supabase Auth related bug Something isn't working needs-analysis Issue status is unknown and/or not possible to triage with the current info

anoobbacker commented May 18, 2024

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

I followed the documentation: https://supabase.com/docs/guides/auth/server-side/sveltekit and everything works on my local server, even with HTTPS. However, in production on Azure Static Web Apps, I'm having an:

The problem is that authGuard in src/hooks.server.ts redirects to login again, even though login was successful. When I log event.cookies.getAll(), it shows no cookies, even though the cookie is being set.

  1. The login action in src/routes/login/+page.server.ts using signInWithPassword is successful
  2. The cookies.set in src/hooks.server.ts sets the sb-<supbaseprojectname>-auth-token cookie

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. authGuard: src/hooks.server.ts

```typescript
import { redirect, type Handle } from '@sveltejs/kit'

const authGuard: Handle = async ({ event, resolve }) => {
  const cookies: { name: string; value: string }[] = event.cookies.getAll()
  console.log(new Date().toLocaleString(), 'src/hooks.server.ts: authGuard() Cookies: ', JSON.stringify(cookies));  // Log the cookies received with this request

  const { session, user } = await event.locals.safeGetSession()
  event.locals.session = session
  event.locals.user = user

  if (!event.locals.session && event.url.pathname.startsWith('/private')) {
    console.log(new Date().toLocaleString(), 'src/hooks.server.ts: authGuard() No session. Redirecting to /login');
    return redirect(303, '/login')
  }

  if (event.locals.session && event.url.pathname === '/login') {
    console.log(new Date().toLocaleString(), 'src/hooks.server.ts: authGuard() Redirecting to /private');
    return redirect(303, '/private')
  }

  console.log(new Date().toLocaleString(), 'src/hooks.server.ts: authGuard() Return', JSON.stringify(event));
  return resolve(event)
}
```
  2. safeGetSession: src/hooks.server.ts

```typescript
event.locals.safeGetSession = async () => {
  const {
    data: { session },
    error: serr
  } = await event.locals.supabase.auth.getSession()
  if (!session) {
    console.log(new Date().toLocaleString(), 'src/hooks.server.ts: safeGetSession() No Session found. Error = ', serr);
    return { session: null, user: null }
  }

  const {
    data: { user },
    error: uerr,
  } = await event.locals.supabase.auth.getUser()
  if (uerr) {
    // JWT validation has failed
    console.log(new Date().toLocaleString(), 'src/hooks.server.ts: safeGetSession() JWT validation failed.', uerr);
    return { session: null, user: null }
  }

  return { session, user }
}
```
  3. login action in src/routes/login/+page.server.ts:

```typescript
import { fail, redirect } from '@sveltejs/kit'
import type { Actions } from './$types'

export const actions: Actions = {
  login: async (event) => {
    console.log(new Date().toLocaleString(), 'src/routes/login/+page.server.ts: Login action called');  // Log when action is called

    const formData = await event.request.formData()
    const email = formData.get('email') as string
    const password = formData.get('password') as string

    if (!email) {
      console.error(new Date().toLocaleString(), 'src/routes/login/+page.server.ts: Login action missing email!');
      return fail(400, { email, missing: true });
    }

    if (!password) {
      console.error(new Date().toLocaleString(), 'src/routes/login/+page.server.ts: Login action missing password!');
      return fail(400, { password, missing: true });
    }

    console.log(new Date().toLocaleString(), 'src/routes/login/+page.server.ts: Login form data received:', email);

    const { data, error: err } = await event.locals.supabase.auth.signInWithPassword({
      email: email,
      password: password,
    })

    if (err) {
      console.log(new Date().toLocaleString(), 'src/routes/login/+page.server.ts: Login action signIn error.', 'Error = ', err.message);
      return fail(500, { email, incorrect: true });
    } else {
      const { session, user } = data
      console.log(new Date().toLocaleString(), 'src/routes/login/+page.server.ts: Login action return successfully', JSON.stringify(session).replace(/\r/g, ''), JSON.stringify(user).replace(/\r/g, ''));
      return redirect(303, '/private')
    }
  },
}
```
  4. See error

```
...
5/18/2024, 6:03:43 AM src/routes/login/+page.server.ts: Login action called
5/18/2024, 6:03:43 AM src/routes/login/+page.server.ts: Login form data received: *********@gmail.com
5/18/2024, 6:03:44 AM src/hooks.server.ts: Set Cookie. sb-****-auth-token {"access_token":"***
5/18/2024, 6:03:44 AM src/routes/login/+page.server.ts: Login action return successfully {"access_token":"***
5/18/2024, 6:03:44 AM src/hooks.server.ts: authGuard() Cookies: []
5/18/2024, 6:03:44 AM src/hooks.server.ts: authGuard() No session. Redirecting to /login
...
```

Expected behavior

After successful login redirect to /private

System information

  • OS: Windows
  • Browser (if applies): Edge
  • Version of supabase-js: ^2.43.1
  • Version of Node.js: 20.11.1

@anoobbacker anoobbacker added the bug Something isn't working label May 18, 2024
@encima encima added auth All thing Supabase Auth related needs-analysis Issue status is unknown and/or not possible to triage with the current info labels May 19, 2024
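
A check for narrowing down where the cookie in the report above is lost, as an added example that is not part of the issue or of Supabase's code: given the `Set-Cookie` header captured from the login response, it lists the RFC 6265 reasons a browser would not return that cookie on the next request. The `Site` shape and all function names are hypothetical, chosen for illustration.

```typescript
// Added example, not code from the issue or from Supabase. All names are hypothetical.
type Site = { scheme: 'http' | 'https'; host: string; path: string };
type ParsedCookie = { name: string; value: string; attrs: Record<string, string> };

// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header: string): ParsedCookie {
  const parts = header.split(';').map((p) => p.trim());
  const pair = parts[0] ?? '';
  const eq = pair.indexOf('=');
  const attrs: Record<string, string> = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? '' : part.slice(i + 1).trim();
  }
  if (eq < 0) return { name: '', value: pair, attrs };
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Default cookie path when Path is absent or invalid (RFC 6265, section 5.1.4).
function defaultPath(requestPath: string): string {
  const last = requestPath.lastIndexOf('/');
  return !requestPath.startsWith('/') || last === 0 ? '/' : requestPath.slice(0, last);
}

// Path-match rule from RFC 6265, section 5.1.4.
function pathMatches(cookiePath: string, requestPath: string): boolean {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// setBy: URL that returned Set-Cookie. next: URL that should carry it. Empty result = sent.
function reasonsNotSent(header: string, setBy: Site, next: Site): string[] {
  const { name, value, attrs } = parseSetCookie(header);
  const reasons: string[] = [];
  if (name === '') reasons.push('no cookie name: header is malformed or missing');
  if ('secure' in attrs && next.scheme !== 'https') reasons.push('Secure cookie, next request is http');
  const maxAge = attrs['max-age'];
  if (maxAge !== undefined && Number(maxAge) <= 0) reasons.push('Max-Age <= 0 deletes the cookie');
  const domain = (attrs['domain'] ?? '').replace(/^\./, '').toLowerCase();
  const host = next.host.toLowerCase();
  const hostOk = domain === '' ? host === setBy.host.toLowerCase() : host === domain || host.endsWith('.' + domain);
  if (!hostOk) reasons.push('next host is outside the cookie domain');
  const p = attrs['path'];
  const path = p !== undefined && p.startsWith('/') ? p : defaultPath(setBy.path);
  if (!pathMatches(path, next.path)) reasons.push('Path ' + path + ' does not cover ' + next.path);
  if (name.length + value.length > 4096) reasons.push('name+value over 4096 characters');
  return reasons;
}
```

Pass it the header exactly as the browser's network tab shows it on the login response. An empty result means the cookie's attributes are not what keeps it off the next request, so the loss happens somewhere else, for example the header never reaching the browser.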

BombayV commented May 25, 2024

I’m having the same issue with cookies not being set on production Azure.
