Open
Labels
bug: Something isn't working
Description
(Updated issue, see comments)
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
If the auth-token contains an invalid base-64 character, this crashes the server completely, in a non-savable way, after creating a server client. This is a problem because any user can just edit the cookie to crash the server. I'm unable to fix this by using try-catch because the parsing itself is not done instantly, but rather done "at some point" asynchronously after the client has been created.
Error:
Error: Invalid Base64-URL character "." at position 2887
    at stringFromBase64URL (/home/project/node_modules/@supabase/ssr/dist/main/utils/base64url.js:103:19)
    at Object.getItem (/home/project/node_modules/@supabase/ssr/dist/main/cookies.js:250:63)
    at async getItemAsync (/home/project/node_modules/@supabase/auth-js/dist/main/lib/helpers.js:134:19)
    at async SupabaseAuthClient.__loadSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:815:34)
    at async SupabaseAuthClient._useSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:796:28)
/home/project/node_modules/@supabase/ssr/dist/main/utils/base64url.js:103
            throw new Error(`Invalid Base64-URL character "${str.at(i)}" at position ${i}`);
            ^
Error: Invalid Base64-URL character "." at position 2887
    at stringFromBase64URL (/home/project/node_modules/@supabase/ssr/dist/main/utils/base64url.js:103:19)
    at Object.getItem (/home/project/node_modules/@supabase/ssr/dist/main/cookies.js:250:63)
    at async getItemAsync (/home/project/node_modules/@supabase/auth-js/dist/main/lib/helpers.js:134:19)
    at async SupabaseAuthClient.__loadSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:815:34)
    at async SupabaseAuthClient._useSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:796:28)
    at async SupabaseAuthClient._emitInitialSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:1242:16)
To Reproduce
- Edit an auth token cookie with a character that is not valid in base-64. For example ".."
- Create a client with createServerClient, passing this cookie into it.
Expected behavior
Invalid base-64 should not crash the server.
System information
- OS: Linux
- Version of supabase-js: 2.47.10
- Version of ssr: 0.5.2
- Version of Node.js: 22.12.0
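As an added example (not code from the issue or from the @supabase/ssr project), a defensive pre-check in JavaScript that validates auth cookie values against the base64url alphabet and drops a tampered cookie, with all of its chunks, before the list is handed to the cookie adapter, so the bad value never reaches stringFromBase64URL and the request simply proceeds unauthenticated. The cookie-name pattern "<prefix>-auth-token" with ".0", ".1" chunk suffixes and the "base64-" value prefix are assumptions about the cookie format.

```javascript
// Added example, not code from the issue or from @supabase/ssr. Assumptions:
// auth cookies are named "<prefix>-auth-token" (optionally chunked as ".0",
// ".1", ...) and a base64url-encoded value starts with "base64-".
const AUTH_COOKIE_RE = /-auth-token(\.\d+)?$/;
const BASE64_PREFIX = 'base64-';

// Index of the first character outside [A-Za-z0-9_-], or -1 if all are valid.
// This is the check the report's stack trace fails on (the "." character).
function firstInvalidBase64UrlIndex(str) {
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    const ok = (c >= 48 && c <= 57) || (c >= 65 && c <= 90) ||
               (c >= 97 && c <= 122) || c === 45 /* - */ || c === 95 /* _ */;
    if (!ok) return i;
  }
  return -1;
}

// Non-throwing decoder: returns the UTF-8 string, or null for malformed input.
function safeDecodeBase64Url(str) {
  if (firstInvalidBase64UrlIndex(str) !== -1) return null;
  return Buffer.from(str, 'base64url').toString('utf8');
}

// Takes a list of { name, value } cookies (the shape a getAll adapter returns),
// reassembles chunked auth cookies in chunk order, and removes every chunk of
// any auth cookie whose base64url payload is malformed. onDrop receives
// (baseName, positionOfBadChar) so the event can be logged for detection.
function dropMalformedAuthCookies(cookies, onDrop = () => {}) {
  const groups = new Map();
  for (const { name, value } of cookies) {
    if (!AUTH_COOKIE_RE.test(name)) continue;
    const base = name.replace(/\.\d+$/, '');
    const m = name.match(/\.(\d+)$/);
    if (!groups.has(base)) groups.set(base, []);
    groups.get(base).push([m ? Number(m[1]) : 0, value]);
  }
  const bad = new Set();
  for (const [base, chunks] of groups) {
    const joined = chunks.sort((a, b) => a[0] - b[0]).map(([, v]) => v).join('');
    if (!joined.startsWith(BASE64_PREFIX)) continue; // plain JSON value, not base64url-decoded
    const pos = firstInvalidBase64UrlIndex(joined.slice(BASE64_PREFIX.length));
    if (pos !== -1) { onDrop(base, pos); bad.add(base); }
  }
  return cookies.filter(({ name }) =>
    !AUTH_COOKIE_RE.test(name) || !bad.has(name.replace(/\.\d+$/, '')));
}

// Constructed sample input: a chunked auth cookie whose second chunk was edited
// to contain ".." as in the report, an intact auth cookie, and an unrelated cookie.
const SAMPLE_COOKIES = [
  { name: 'sb-demo-auth-token.0', value: BASE64_PREFIX + Buffer.from('{"access_token":"x"}').toString('base64url') },
  { name: 'sb-demo-auth-token.1', value: 'ab..cd' },
  { name: 'sb-other-auth-token', value: BASE64_PREFIX + Buffer.from('{"a":1}').toString('base64url') },
  { name: 'theme', value: 'dark.mode' },
];
```

The filtered list is what you would return from the cookie adapter's getAll callback; the dropped cookie leaves the request unauthenticated instead of raising an uncaught error in the asynchronous session load.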