I am using node and express as a backend for API endpoints with Vite as a frontend. So far, I have been able to send info from frontend to backend for signing in and signing up a user. However, I've hit a wall with signing out.
Supabase does not allow you to specify exactly which user to sign out. They only have a generic auth.signOut() function. So, how does my backend know which user to sign out from my front end?
I am setting the returned user session in local storage, for later use with protected routes. I'm wondering if there's any way I can pass what is in my local storage variable to the sign out function of supabase to sign out that specific user. Here is my code so far:
```javascript
// Get user from local storage (getStorage, removeStorage and navigate are the app's own helpers)
const user = getStorage();
const token = user?.session.access_token;
try {
  // Send to api action log out
  const url = "http://localhost:4000/api/users/logout";
  const request = await fetch(url, {
    method: "POST",
    mode: "cors",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${token}`,
    },
  });
  // The HTTP status lives on the fetch Response, not in the parsed body;
  // only parse the body when the request failed, and tolerate a non-JSON body
  if (!request.ok) {
    const response = await request.json().catch(() => ({}));
    throw new Error(response.message || `Logout failed with status ${request.status}`);
  }
  // Remove user from local storage
  removeStorage();
  // Redirect to sign in
  navigate("/sign-in");
} catch (error) {
  console.log(error);
}
```
Backend:
```javascript
// Log out user from app
const logOutUser = async (req, res) => {
  // Get token from "Authorization: Bearer <token>" header
  // (split is synchronous, so no await; guard against a missing header)
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) {
    return res.status(401).json({ message: "Missing bearer token" });
  }
  try {
    const { error } = await supabase.auth.signOut(token);
    if (error) {
      throw error;
    }
    // res.status() alone never sends a response and leaves the client hanging
    return res.status(200).json({ message: "Logged out" });
  } catch (error) {
    // An Error object serialises to {}; send its message explicitly
    res.status(400).json({ message: error.message });
  }
};
```
Any help is extremely appreciated. I guess I picked the wrong tool since I didn't realize supabase auth was supposed to be run strictly on the front end of the application?
--
I have tried passing both an email and session access_token as an argument to signOut() but those do not seem like they work. I am hoping to be able to sign the user out from the backend, so I do not have to create a new Supabase client on my frontend.
Supabase auth sessions are stored client-side, so in theory clearing local storage without calling your logout API endpoint should suffice. However, the downside is that if the user is logged in on multiple devices, this will only log them out on the current one.
Ideally yes, you would have the Supabase client on your frontend. Any alternative would be a bit hacky, such as interacting with the users table directly rather than auth sessions.
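Server-side enforcement for the question's Express backend and for the answer's multi-device caveat, as an added example that is neither the question's code nor Supabase's API: the access token is a JWT that stays valid until its `exp` claim whatever the client does with local storage, so a backend that wants logout to stick can record a per-user cutoff and reject older tokens on protected routes. The function names, the `sub`/`iat`/`exp` claims and the in-memory store are my assumptions; `decodePayload` does not check the signature, so the real app must verify the token with the project's JWT secret before trusting any claim.

```javascript
// Added example, not code from the question or from Supabase. A Supabase
// access token is a JWT that stays valid until `exp` no matter what
// auth.signOut() or local storage does, so a backend that must enforce logout
// (including "log me out everywhere") has to record the revocation itself.
function bearerToken(authorizationHeader) {
  // Accept only "Bearer <token>"; a missing header yields null instead of a crash.
  if (typeof authorizationHeader !== "string") return null;
  const [scheme, token, extra] = authorizationHeader.trim().split(/\s+/);
  return scheme === "Bearer" && token && !extra ? token : null;
}

function decodePayload(jwt) {
  // Decode the middle JWT segment (Node's base64 decoder accepts the base64url
  // alphabet); any malformed input yields null. No signature check here.
  const parts = jwt.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// user id (`sub`) -> unix time; tokens issued at or before it are rejected.
// In-memory here; a shared store is needed when several backend instances run.
const revokedBefore = new Map();

// Logout route: revoke every token the user holds, on every device, as of `now`.
function revokeAllSessions(jwt, now = Math.floor(Date.now() / 1000)) {
  const claims = decodePayload(jwt);
  if (!claims || typeof claims.sub !== "string") return false;
  revokedBefore.set(claims.sub, now);
  return true;
}

// Protected-route check: true only for an unexpired token issued after any logout.
function isTokenAccepted(jwt, now = Math.floor(Date.now() / 1000)) {
  const claims = decodePayload(jwt);
  if (!claims || typeof claims.sub !== "string") return false;
  if (typeof claims.exp !== "number" || claims.exp <= now) return false;
  const cutoff = revokedBefore.get(claims.sub);
  return cutoff === undefined || (typeof claims.iat === "number" && claims.iat > cutoff);
}

// Builds an unsigned token from constructed claims, only for offline testing.
function sampleToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64").replace(/=+$/, "");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(claims)}.unsigned-test-fixture`;
}
```

Wire `revokeAllSessions(bearerToken(req.headers.authorization))` into the logout handler and `isTokenAccepted(...)` into the middleware guarding protected routes; a token from another device is rejected the moment its user logs out anywhere.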