JWT expired not being renewed

[rhuanbarros]

I noticed a problem with the session in the Blazor template. It happens when I login and close the app. After the JWT expiry time, I open the app again and it not set the session to not logged in.
To test this, I set the JWT expiry limit in the Supabase dashboard to 180 seconds.

I realize that, maybe I need to verify if that token is expired inside the SessionRetriever method and return null if it is expired. So, I implemented that. But doing this I noticed that the field CreatedAt has it's set operator private.

This way a managed to create another Session class like the Session of the API, and implemented the verification like this:

public class Session2
{
    public string? AccessToken { get; set; }
    public int ExpiresIn { get; set; }
    public string? RefreshToken { get; set; }
    public string? TokenType { get; set; }
    public User? User { get; set; }
    public DateTime CreatedAt { get; set; }
    public DateTime ExpiresAt() => new DateTime(CreatedAt.Ticks).AddSeconds(ExpiresIn);
}

public async Task<TSession?> SessionRetriever<TSession>() where TSession : Session
{
Session2 session = await localStorage.GetItemAsync<Session2>(SESSION_KEY); // work around
if(session?.ExpiresAt() <= DateTime.Now)
     return null;
else
     return (TSession?) await localStorage.GetItemAsync<Session>(SESSION_KEY);
}

My doubt is that this implementation is correct or not.
Previously I tought that _await client.InitializeAsync(); would managed all this...

I don't have for sure, but if the CreatedAt field has a private set, like this below, when it is instantiated it will always be DateTime.Now, it never will be the value retrieved from the cookie.

[JsonProperty("created_at")] public DateTime CreatedAt { get; private set; } = DateTime.Now;

https://github.com/supabase-community/gotrue-csharp/blob/d00fa4c5ac05983c26b9b9e3b967d2155e199f78/Gotrue/Session.cs

I implemented it in my fork:
https://github.com/rhuanbarros/supabase-csharp/tree/master/Examples/BlazorWebAssemblySupabaseTemplate

[acupofjose]

Ooo my. That's a fantastic catch! I'll make a quick change and push an update to gotrue-csharp.

But you're correct, ideally the session would be validated by the retriever before being returned. Gotrue-csharp will take the returned session and attempt to refresh it's token and everything. This will fail if the session is invalid.

The easiest way to do it (IMO) is to do isValid = await Supabase.Auth.GetUser(savedSession.Token) (you get the idea). Or you can check the CreatedAt vs. the ExpiredAt.

The CreatedAt not being set correctly does produce issues with the token being automatically refreshed - so this update will fix that!

[rhuanbarros]

Thank you. I will update the template soon.