If the auth-token contains an invalid base-64 character, this crashes the server completely, in a non-savable way, after creating a server client. This is a problem because any user can just edit the cookie to crash the server. I'm unable to fix this by using try-catch because the parsing itself is not done instantly, but rather done "at some point" asynchronously after the client has been created.
Error:
Error: Invalid Base64-URL character "." at position 2887
    at stringFromBase64URL (/home/project/node_modules/@supabase/ssr/dist/main/utils/base64url.js:103:19)
    at Object.getItem (/home/project/node_modules/@supabase/ssr/dist/main/cookies.js:250:63)
    at async getItemAsync (/home/project/node_modules/@supabase/auth-js/dist/main/lib/helpers.js:134:19)
    at async SupabaseAuthClient.__loadSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:815:34)
    at async SupabaseAuthClient._useSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:796:28)

/home/project/node_modules/@supabase/ssr/dist/main/utils/base64url.js:103
            throw new Error(`Invalid Base64-URL character "${str.at(i)}" at position ${i}`);
            ^

Error: Invalid Base64-URL character "." at position 2887
    at stringFromBase64URL (/home/project/node_modules/@supabase/ssr/dist/main/utils/base64url.js:103:19)
    at Object.getItem (/home/project/node_modules/@supabase/ssr/dist/main/cookies.js:250:63)
    at async getItemAsync (/home/project/node_modules/@supabase/auth-js/dist/main/lib/helpers.js:134:19)
    at async SupabaseAuthClient.__loadSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:815:34)
    at async SupabaseAuthClient._useSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:796:28)
    at async SupabaseAuthClient._emitInitialSession (/home/project/node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:1242:16)
To Reproduce
1. Edit an auth token cookie with a character that is not valid in base-64, for example ".".
2. Create a client with createServerClient, passing this cookie into it.
Expected behavior
Invalid base-64 should not crash the server.
System information
OS: Linux
Version of supabase-js: 2.47.10
Version of ssr: 0.5.2
Version of Node.js: 22.12.0
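The failure mode described above is a cookie value that is decoded only later, inside the library's own async session load, so the caller's try/catch around createServerClient never sees the throw. The defensive option on the application side is to validate every cookie value as strict base64url before it is handed to the library at all, so nothing malformed is ever scheduled for decoding. The following is an added example, not code from @supabase/ssr or auth-js; the cookie shape ({ name, value } objects), the isAuthCookie predicate and the sample values are all assumptions constructed for the example. The decoder mirrors the error text from the trace so the constructed 2887-character input reproduces the same message.

```javascript
// Added example (not @supabase/ssr code): reject malformed base64url cookie
// values up front instead of letting a later async decode throw uncaught.

// Returns null when every character is in the base64url alphabet
// (A-Z a-z 0-9 - _), tolerating only trailing '=' padding (at most two).
// Otherwise returns the first offending character and its index.
function findInvalidBase64UrlChar(str) {
  for (let i = 0; i < str.length; i++) {
    const c = str[i];
    if (/[A-Za-z0-9_-]/.test(c)) continue;
    if (c === '=' && /^={1,2}$/.test(str.slice(i))) return null; // padding only
    return { index: i, char: c };
  }
  return null;
}

// Non-throwing decoder: returns { ok, value } or { ok, error }.
// Node's Buffer base64 decoder silently skips invalid characters, which is
// why the explicit alphabet check above is needed rather than relying on it.
function decodeBase64UrlSafe(str) {
  const bad = findInvalidBase64UrlChar(str);
  if (bad) {
    return { ok: false, error: `Invalid Base64-URL character "${bad.char}" at position ${bad.index}` };
  }
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  return { ok: true, value: Buffer.from(b64, 'base64').toString('utf8') };
}

// Filter a request's cookies before passing them to a session library.
// `isAuthCookie` is a hypothetical predicate supplied by the caller that
// selects which cookie names carry base64url-encoded session material.
// Returns the cookies that survived plus the ones dropped (for logging).
function sanitizeCookies(cookies, isAuthCookie) {
  const kept = [];
  const dropped = [];
  for (const cookie of cookies) {
    if (!isAuthCookie(cookie.name)) {
      kept.push(cookie);
      continue;
    }
    const bad = findInvalidBase64UrlChar(cookie.value);
    if (bad) {
      dropped.push({ name: cookie.name, reason: `invalid char "${bad.char}" at ${bad.index}` });
    } else {
      kept.push(cookie);
    }
  }
  return { kept, dropped };
}

// Constructed sample input: one well-formed value and one tampered value with
// a '.' at index 2887, matching the position reported in the trace above.
const SAMPLE_COOKIES = [
  { name: 'example-auth-token', value: 'A'.repeat(2887) + '.' + 'A' },
  { name: 'example-other', value: 'aGVsbG8' }, // "hello" in base64url
  { name: 'theme', value: 'dark.mode' },        // not an auth cookie, left alone
];

function isExampleAuthCookie(name) {
  return name.startsWith('example-'); // assumption for the sample data
}

function demo() {
  const result = sanitizeCookies(SAMPLE_COOKIES, isExampleAuthCookie);
  // Only the sanitized `result.kept` would be handed to the session library.
  return result;
}
```

Dropping a tampered cookie means the request simply proceeds unauthenticated, which is the same outcome a missing cookie would produce, rather than taking down the process; the `dropped` list gives an audit hook for logging repeated malformed values from one client.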
After a bit of testing, it doesn't even seem like getSession is what triggers it. I'm actually unable to pinpoint what triggers it. All I know is that if a cookie is invalid, the server crashes from the ssr module.
It will parse the cookies and then the error will be raised; however, not instantly, as it's probably done async behind the scenes. Because of that, try-catch does not work for a user of the library; it would have to be done internally.
I can update this issue to reflect the actual issue tomorrow.