Skip to content

fix: restore session before auth middleware in SPA mode#571

Open
zlotnika wants to merge 2 commits intonuxt-modules:mainfrom
zlotnika:fix/spa-session-race-condition
Open

fix: restore session before auth middleware in SPA mode#571
zlotnika wants to merge 2 commits intonuxt-modules:mainfrom
zlotnika:fix/spa-session-race-condition

Conversation

@zlotnika
Copy link

@zlotnika zlotnika commented Feb 2, 2026

Summary

In SPA mode (useSsrCookies: false), there's a race condition where the auth-redirect middleware checks
useSupabaseSession() before the session is hydrated from localStorage. This causes authenticated users to be incorrectly
redirected to the login page on direct navigation or page reload.

The Problem

  1. User is authenticated with a valid session in localStorage
  2. User navigates directly to a protected route (or reloads the page)
  3. The auth-redirect middleware runs and checks useSupabaseSession().value
  4. Session state is still null because onAuthStateChange hasn't fired yet
  5. User gets redirected to /login
  6. onAuthStateChange fires with the valid session
  7. Login page detects session and redirects back

This creates a flash/redirect loop that degrades UX and can break deep linking.

The Fix

Explicitly call getSession() and populate the session state before the plugin setup completes. This ensures the session is
available when middleware runs.

The fix only applies when useSsrCookies is false (SPA mode), since SSR mode uses cookies which are available synchronously.

Test Plan

  • Tested with ssr: false and useSsrCookies: false configuration
  • Direct navigation to protected routes works without redirect flash
  • Page reload maintains authentication state
  • Logout still works correctly
  • Login flow still works correctly

Fixes #496

🤖 Generated with Claude Code

@zlotnika @claude
fix: restore session before auth middleware in SPA mode
d2bc3de 
In SPA mode (useSsrCookies: false), there's a race condition where the
auth-redirect middleware checks useSupabaseSession() before the session
is hydrated from localStorage. This causes authenticated users to be
incorrectly redirected to the login page on direct navigation or reload.

This fix explicitly calls getSession() and populates the session state
before the plugin setup completes, ensuring the session is available
when middleware runs.

Fixes nuxt-modules#496

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@vercel
Copy link

vercel bot commented Feb 2, 2026

@zlotnika is attempting to deploy a commit to the NuxtLabs Team on Vercel.

A member of the Team first needs to authorize it.

zlotnika
zlotnika commented Feb 2, 2026
View reviewed changes
src/runtime/plugins/supabase.client.ts
// In SPA mode, restore session from storage before auth middleware runs
// This prevents a race condition where middleware checks session before it's hydrated
// See: https://github.com/nuxt-modules/supabase/issues/496
if (!useSsrCookies) {
Copy link
Author

@zlotnika zlotnika Feb 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this is the best value to check.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 2, 2026
edited
Loading 

npm i https://pkg.pr.new/@nuxtjs/supabase@571

commit: ee3612d

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Race condition in auth flow in SPA mode

1 participant

@zlotnika