Some questions around using WeWeb Supabase auth plugin

Hi all,

I am using the Supabase auth plugin with Google social login (Google OAuth), which is all working very well, but I have some questions around that.

  1. If a user logs in, how long do they stay logged in? Can I configure this on WeWeb side in the plugin or is this on Supabase side?
  2. Per Supabase auth documentation, a login creates a session. Refreshing the session gives a new refresh token and access token pair. I’m using these access tokens to authorize REST API requests coming from my front-end. However, with some testing I noticed that the access token expires after 1 hour and a user will run into the error that the JWT token has expired. I suppose the simple approach would be to use the “Refresh session” in the workflow before sending the REST API request, but I wonder whether this is the best approach (I have about ~50 distinct workflows with REST API requests). Is it best practice to build something like a “global session refresher” that automatically refreshes the token? Would that even be possible in WeWeb?

Not sure if this is allowed, but bumping this for visibility.

I also needed this information, the same problem happens to me. Did you find any solution?

I upload the thing with WeWeb team; from what I understand, if you use REST API it’s your responsibility to figure out how to keep the JWT valid.
If you use Supabase functions, there are dedicated actions that will stay valid as long as the session is valid.
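The "global session refresher" asked about in the first post, sketched as an added example that is not part of any post in this thread and is not WeWeb or Supabase code: one shared function reads the access token's `exp` claim and refreshes only when expiry is near, so the ~50 workflows call it instead of each running its own refresh. `refreshFn` is a hypothetical stand-in for whatever performs the session refresh and is assumed to return `{ access_token, refresh_token }`; all other names are also assumptions.

```javascript
// Added example; all names are hypothetical, not WeWeb or Supabase APIs.
function b64urlDecode(s) {
  const p = s.replace(/-/g, '+').replace(/_/g, '/');
  return typeof atob === 'function' ? atob(p) : Buffer.from(p, 'base64').toString('binary');
}

// Read the exp claim (seconds since epoch), or null if the token is malformed.
// Scheduling only: no signature check here; the receiving API must verify it.
function jwtExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const exp = JSON.parse(b64urlDecode(parts[1])).exp;
    return Number.isFinite(exp) ? exp : null;
  } catch {
    return null;
  }
}

// True when the token is unreadable or expires within skewSec seconds.
function needsRefresh(token, nowSec, skewSec = 60) {
  const exp = jwtExpiry(token);
  return exp === null || exp - nowSec <= skewSec;
}

// Returns getAccessToken(): every workflow calls it before a REST request.
// Concurrent callers share one in-flight refresh instead of each starting one.
function createTokenProvider(session, refreshFn, clock = () => Math.floor(Date.now() / 1000)) {
  let inFlight = null;
  return function getAccessToken() {
    if (!needsRefresh(session.access_token, clock())) return Promise.resolve(session.access_token);
    if (!inFlight) {
      inFlight = Promise.resolve(refreshFn(session.refresh_token))
        .then((next) => { session = next; return next.access_token; })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  };
}

// Constructed, unsigned sample token for trying the helpers offline.
function makeSampleToken(exp) {
  const enc = (o) => {
    const j = JSON.stringify(o);
    const b = typeof btoa === 'function' ? btoa(j) : Buffer.from(j).toString('base64');
    return b.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ exp })}.constructed-signature`;
}
```

The 60-second skew refreshes slightly before expiry so a request already in flight does not arrive with a token that has just expired.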

So here’s what I figured out. The WeWeb editor shows different behavior than published applications. Once a user logs in via Supabase, they stay logged in indefinitely. However, in the Editor, they are automatically logged out after 1 hour. I’m not sure why it’s like that.

In a published application, the error for JWT invalid does not occur at all, because the logged-in state persists. This also aligns with the Supabase documentation:

By default, it lasts indefinitely and a user can have an unlimited number of active sessions on as many devices.

A session is represented by the Supabase Auth access token in the form of a JWT, and a refresh token which is a unique string.


In my case it happens in the already published application, after some time, and based on that sometimes duplicating the page also happens.

Does it happen when the editor is also active/logged in on the same Supabase authentication? Because that is also true for me, but when the editor is not logged in on the same Supabase authentication it works according to Supabase documentation.

Okay, so if I use the same login in the editor and in production, the editor ends up causing production to be disconnected? That would be my situation.