
I am using node and express as a backend for API endpoints with Vite as a frontend. So far, I have been able to send info from frontend to backend for signing in and signing up a user. However, I've hit a wall with signing out.

Supabase does not allow you to specify exactly which user to sign out. They only have a generic auth.signOut() function. So, how does my backend know which user to sign out from my front end?

I am setting the returned user session in local storage, for later use with protected routes. I'm wondering if there's any way I can pass what is in my local storage variable to the sign out function of supabase to sign out that specific user. Here is my code so far:

    // Log out handler on the frontend (wrapped in a function so it is runnable;
    // getStorage, removeStorage and navigate are the app's own helpers)
    async function handleLogOut() {
      // Get user from local storage
      const user = getStorage();
      const token = user?.session?.access_token;

      try {
        // Send to api action log out
        const url = "http://localhost:4000/api/users/logout";
        const request = await fetch(url, {
          method: "POST",
          mode: "cors",
          headers: {
            "Content-Type": "application/json",
            Authorization: `Bearer ${token}`,
          },
        });

        // Check the HTTP status before trusting the body; a non-JSON body
        // would otherwise make request.json() throw
        if (!request.ok) {
          const body = await request.json().catch(() => ({}));
          throw new Error(body.message || `Logout failed with status ${request.status}`);
        }

        // Remove user from local storage
        removeStorage();

        // Redirect to sign in
        navigate("/sign-in");
      } catch (error) {
        console.log(error);
      }
    }

Backend:

    // Log out user from app
    const logOutUser = async (req, res) => {
      // Get token from header (no await needed: header parsing is synchronous)
      const token = req.headers.authorization?.split(" ")[1];

      try {
        // Try to sign out the session for this token
        const { error } = await supabase.auth.signOut(token);

        if (error) {
          throw error;
        }

        // res.status(200) alone never sends a response; end it explicitly
        return res.status(200).json({ message: "Logged out" });
      } catch (error) {
        res.status(400).json({ message: error.message });
      }
    };

Any help is extremely appreciated. I guess I picked the wrong tool since I didn't realize supabase auth was supposed to be run strictly on the front end of the application?

--

I have tried passing both an email and a session access_token as an argument to signOut(), but those do not seem to work. I am hoping to be able to sign the user out from the backend, so I do not have to create a new Supabase client on my frontend.


2 Answers


Supabase auth sessions are stored client-side, so in theory clearing local storage without calling your logout API endpoint should suffice. However, the downside is that if the user is logged in on multiple devices, this will only log them out on the current one.

Ideally yes, you would have the Supabase client on your frontend. Any alternative would be a bit hacky, such as interacting with the users table directly rather than auth sessions.

  • Thanks for your response! The only reason I'm so attached to using signOut on the backend is because I'm trying to use Node & Express for a project on my portfolio. Is it ill-advised to have some Supabase functions run on the client while others run on the server? I wanted to prevent having a Supabase client on both front and backend. I'm also not sure how I would share one client between the two, since at deployment, I would need to separate them.
    – Alex N.
    Mar 12 at 23:27
  • I don't see an issue with having two Supabase clients on the frontend and backend respectively. You could have your frontend handle auth while your backend handles other things like CRUD operations.
    Mar 12 at 23:44
  • So it looks like tokens still persist on other devices even when you use supabase.signOut(), which I've found in this answer. It seems like Supabase just handles client-side JavaScript for you, such as setting localStorage and token expiry, but there is no backend session storage. Not sure if I'm correct in that assumption.
    – Alex N.
    Mar 13 at 0:01
  • The documentation mentions a "scope" optional parameter that can be passed to supabase.auth.signOut() which allows you to control this behavior. Your assumption is correct, I think, because Supabase auth uses JWT under the hood, so there is no record of user sessions on the backend, only a secret string that is used to sign and verify tokens.
    Mar 13 at 9:35
  • Thanks. I think I may just fully switch over to handling auth myself without Supabase's help, and just use them as a database for this project anyway.
    – Alex N.
    Mar 13 at 15:14

Hi there. I've been working on a similar idea and hit the same issue with my backend in Python FastAPI. I solved it by using this code to log out the user from the backend: supabase.auth.admin.sign_out(jwt). But you have to create the Supabase client with your service role key to do so.

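As an added example (not code from the question or either answer), here is the Express logout route the question is after, done the way the second answer describes for Python: a server-side client created with the service-role key revokes the session behind the caller's token through the admin API, with the "scope" option the comments discuss. It assumes supabase-js v2's auth.admin.signOut(jwt, scope) and injects that admin object so the handler runs here against a constructed stub instead of a live project.

```javascript
// Added example, not code from the question or either answer. Assumes
// @supabase/supabase-js v2: a client created with the SERVICE-ROLE key exposes
// auth.admin.signOut(jwt, scope). That admin object is injected so the handler
// can run here against a stub with no network; the key never goes to the browser.

const ALLOWED_SCOPES = new Set(["global", "local", "others"]);

// Parse "Authorization: Bearer <jwt>" strictly; return null for anything else.
function extractBearerToken(authorizationHeader) {
  if (typeof authorizationHeader !== "string") return null;
  const parts = authorizationHeader.trim().split(/\s+/);
  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") return null;
  return parts[1];
}

// Express handler for POST /api/users/logout with optional JSON body { scope }.
// "global" (default) ends the user's sessions on every device, "local" only the
// session behind this token, "others" every session except this one.
function createLogoutHandler(adminAuth) {
  return async function logOutUser(req, res) {
    const token = extractBearerToken(req.headers.authorization);
    if (!token) return res.status(401).json({ message: "Missing bearer token" });
    const scope = (req.body && req.body.scope) || "global";
    if (!ALLOWED_SCOPES.has(scope)) return res.status(400).json({ message: "Invalid scope" });
    try {
      const { error } = await adminAuth.signOut(token, scope);
      // Send only the message; echoing the raw error object can leak internals.
      if (error) return res.status(400).json({ message: error.message });
      // Always end the response: res.status(200) alone leaves the client hanging.
      return res.status(200).json({ message: "Signed out", scope });
    } catch (err) {
      return res.status(500).json({ message: "Sign-out failed" });
    }
  };
}

// Stand-ins for Express res and the admin client so the handler runs here; real
// wiring: app.post("/api/users/logout", createLogoutHandler(createClient(URL, SERVICE_ROLE_KEY).auth.admin)).
function fakeRes() {
  const out = { statusCode: null, body: null };
  out.status = (code) => { out.statusCode = code; return out; };
  out.json = (body) => { out.body = body; return out; };
  return out;
}
// Constructed stub: only the made-up token "tok.abc" is treated as a valid JWT.
function fakeAdminAuth(calls) {
  return { async signOut(jwt, scope) {
    calls.push({ jwt, scope });
    return jwt === "tok.abc" ? { error: null } : { error: { message: "invalid JWT" } };
  } };
}
```

The frontend keeps sending the same Bearer header as in the question; only the server-side client changes, and the service-role key lives only in the Express process.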
