I am using the Supabase auth plugin with Google social login (Google OAuth) which is all working very well, but I have some questions around that.
If a user logs in, how long do they stay logged in? Can I configure this on WeWeb side in the plugin or is this on Supabase side?
Per Supabase auth documentation, a login creates a session. Refreshing the session gives a new refresh token and access token pair. I’m using these access tokens to authorize REST API requests coming from my front-end. However, with some testing I noticed that the access token expires after 1 hour and a user will run into the error that the JWT token has expired. I suppose the simple approach would be to use the “Refresh session” in the workflow before sending the REST API request, but I wonder whether this is the best approach (I have about ~50 distinct workflows with REST API requests). Is it best practice to build something like a “global session refresher” that automatically refreshes the token? Would that be even possible in WeWeb?
I upload the thing with WeWeb team; from what I understand, if you use REST API, it’s your responsibility to figure out how to keep the JWT valid.
If you use Supabase functions, there are dedicated actions that will stay valid as long as the session is valid.
So here’s what I figured out. The WeWeb editor shows different behavior than published applications. Once a user logs in via Supabase, they stay logged in indefinitely. However, in the Editor, they are automatically logged out after 1 hour. I’m not sure why it’s like that.
In a published application, the error for JWT invalid does not occur at all, because the logged-in state persists. This also aligns with Supabase documentation:
By default, it lasts indefinitely and a user can have an unlimited number of active sessions on as many devices.
A session is represented by the Supabase Auth access token in the form of a JWT, and a refresh token which is a unique string.
Does it happen when the editor is also active/logged in on the same Supabase authentication? Because that is also true for me, but when the editor is not logged in on the same Supabase authentication it works according to Supabase documentation.
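The “global session refresher” asked about in the original question could take the shape of one wrapper that every REST call goes through. This is an added example, not code from the thread, WeWeb or Supabase; `makeAuthorizedFetch`, `getToken`, `refreshFn` and `doFetch` are hypothetical names, and `refreshFn` is assumed to return the new access token.

```javascript
// Added example; makeAuthorizedFetch, getToken, refreshFn and doFetch are hypothetical names.
// Reading `exp` here only schedules the refresh. It does not verify the token:
// the API must still validate the JWT signature and expiry on every request.
function jwtExpiry(token) {
  const part = (token.split(".")[1] || "").replace(/-/g, "+").replace(/_/g, "/");
  const exp = JSON.parse(atob(part)).exp; // base64url payload -> claims
  if (typeof exp !== "number") throw new Error("JWT has no numeric exp claim");
  return exp; // seconds since the Unix epoch
}

// True when the token expires within skewSec seconds of nowSec.
function needsRefresh(token, nowSec, skewSec = 60) {
  return jwtExpiry(token) - nowSec <= skewSec;
}

function makeAuthorizedFetch({ getToken, refreshFn, doFetch, now = () => Date.now() / 1000 }) {
  let inFlight = null;
  // Single-flight: each refresh issues a new token pair, so concurrent
  // requests share one refresh call instead of racing each other.
  const refreshOnce = () => {
    if (!inFlight) {
      inFlight = Promise.resolve(refreshFn()).finally(() => { inFlight = null; });
    }
    return inFlight;
  };
  return async function authorizedFetch(url, options = {}) {
    const send = (t) => doFetch(url, {
      ...options,
      headers: { ...options.headers, Authorization: `Bearer ${t}` },
    });
    let token = getToken();
    if (!token || needsRefresh(token, now())) token = await refreshOnce();
    let res = await send(token);
    if (res.status === 401) { // rejected anyway (e.g. clock skew): refresh and retry once
      token = await refreshOnce();
      res = await send(token);
    }
    return res;
  };
}
```

Here `refreshFn` would wrap whatever performs the refresh (in WeWeb, the plugin's “Refresh session” action) and `doFetch` would be the browser's `fetch`.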