Skip to content

fix: avoid window.location access in SSR environments #1074

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: avoid window.location access in SSR environments #1074

wants to merge 2 commits into from

Conversation

gonchantech
Copy link

@gonchantech gonchantech commented Jun 25, 2025
edited by hf
Loading

When creating a Supabase client on the server side, the _initialize() method tries to access window.location.href, causing a ReferenceError and crashing the process. As a result, the method this.recoverAndRefresh responsible for restoring and refreshing the authentication state does not get called properly. other methods may recover the session later, so this doesn’t immediately break all functionality. However, this still represents an inconsistent design: recoverAndRefresh() is server-compatible, yet it's gated behind a browser-only execution path.

What is the new behavior?

This change adds a check using isBrowser() to avoid accessing window.location.href on the server side by providing empty parameters instead. This prevents the crash and allows this.recoverAndRefresh to be called correctly, enabling proper restoration and refreshing of the authentication state in server-side environments.

Additional context

Closes #1073

@hf hf changed the title fix(auth): avoid window.location access in SSR environments fix: avoid window.location access in SSR environments Jul 17, 2025
@hf hf force-pushed the fix/ssr-initialize-crash branch from 467b39c to b7b4f64 Compare July 17, 2025 11:07
@gonchantech
fix: check expires_in instead of expires_at in _isValidSession
6f46f80 
The _isValidSession method was incorrectly checking for 'expires_at'
which is optional, instead of 'expires_in' which is required for
valid session validation.
@gonchantech
Copy link
Author

@hf
I apologize for submitting the previous fix without verifying the tests — thank you for taking the time to review it.

It turns out that the previous fix caused a test failure because it inadvertently triggered a logic branch that wasn’t previously reachable due to window.location throwing in SSR. Now that the SSR-safe check allowed the logic to run, another underlying issue surfaced.

I’ve identified and fixed the root cause in this commit. Could you please take another look?

@gonchantech
Copy link
Author

@hf
Thank you for your continued review.
The same CI configuration runs successfully multiple times on my fork.
If there’s anything I should do, please let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ReferenceError: window is not defined crash in GoTrueClient _initialize() on server-side environments
1 participant
@gonchantech