AuthApiError: Session from session_id claim in JWT does not exist #25350

Open
Whitebytes opened this issue May 6, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@Whitebytes

Bug report

Describe the bug

Getting an "AuthApiError: Session from session_id claim in JWT does not exist" when doing a
client.auth.setSession({ access_token, refresh_token }) with the access_token and refresh_token retrieved from:

client.auth.admin.generateLink( { type: 'recovery', email, redirectTo })

Users are unable to recover password on production site.

Steps:

  1. client.auth.admin.generateLink( { type: 'recovery', email, redirectTo }) gives me:
  2. https://vzuflxgfykebwmisvssp.supabase.co/auth/v1/verify?token=df90ebfc4e344c0f3c60bf0b7123d738591a3bd454fce8c24db79618&type=recovery&redirect_to=http://localhost:3005. (sample URL, slightly modified for security reasons; this is also the dev site, not production)
  3. Opened a new Chrome incognito window.
  4. Pasted the URL, which redirects me to:
  5. http://localhost:3005/set-password?access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6InpCeHllYzM2SStxZm5tNUMiLCJ0eXAiOiJKV1QifQ.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.b4bMEWULNmh_QhZhHEzxxV3LWoyu30W0Ws7y4aKOHU4&refresh_token=tMCR-ELvILoTyov1-4g4ww&type=recovery (sample; token modified for security reasons; dev environment)
  6. Using the access_token and refresh_token from this URL to do a client.auth.setSession({ access_token, refresh_token }) gives the error.

Expected behavior

The session is set and the user is able to set their password.

I did find some related reports on Discord; not sure if it is the exact same issue:

https://discord.com/channels/839993398554656828/1235896967754682478
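The recovery flow in the report is: generate a recovery link, follow it, land on a redirect URL carrying access_token and refresh_token, then pass both to setSession(). The snippet below is an added example, not code from the issue or from supabase-js: it parses that redirect URL, decodes the access token's claims (without verifying the signature, purely to log which session_id the server is being asked for), and treats a setSession() error as a terminal "link invalid" state rather than proceeding to the password form. The only API shape it relies on is the one quoted in the report, `client.auth.setSession({ access_token, refresh_token })` resolving to `{ data, error }`; everything else (makeDemoToken, makeFakeClient, the sample tokens and session ids) is constructed here for an offline run.

```javascript
// Added example (not from the issue or supabase-js). Assumes `client.auth.setSession`
// takes { access_token, refresh_token } and resolves to { data, error }, as quoted
// in the report. Tokens and session ids below are constructed and unsigned.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build an unsigned JWT-shaped token for offline demonstration (constructed, not real).
function makeDemoToken(payload) {
  const header = { alg: 'none', typ: 'JWT' };
  return `${b64url(header)}.${b64url(payload)}.`;
}

// Decode the payload segment only. No signature check: this is for inspection and
// logging; the auth server remains the authority on whether the session exists.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Pull the recovery parameters out of the redirect URL from step 5 of the report.
function parseRecoveryRedirect(url) {
  const { searchParams } = new URL(url);
  const access_token = searchParams.get('access_token');
  const refresh_token = searchParams.get('refresh_token');
  const type = searchParams.get('type');
  if (!access_token || !refresh_token) throw new Error('redirect URL is missing tokens');
  return { access_token, refresh_token, type };
}

// Apply the session and return a summary instead of throwing, so a set-password page
// can render "link expired or invalid" on failure rather than proceeding as if a
// session had been established.
async function applyRecoverySession(client, redirectUrl) {
  const { access_token, refresh_token, type } = parseRecoveryRedirect(redirectUrl);
  const claims = decodeJwtPayload(access_token);
  const sessionId = claims.session_id ?? null;
  const now = Math.floor(Date.now() / 1000);
  if (typeof claims.exp === 'number' && claims.exp <= now) {
    return { ok: false, reason: 'access token already expired', status: null, session_id: sessionId, type };
  }
  const { data, error } = await client.auth.setSession({ access_token, refresh_token });
  if (error) {
    // e.g. "Session from session_id claim in JWT does not exist" (a 403 per the thread)
    return { ok: false, reason: error.message, status: error.status ?? null, session_id: sessionId, type };
  }
  return { ok: true, session_id: sessionId, type, user: data?.user ?? null };
}

// Offline stand-in for the real client (constructed): it knows a set of live session
// ids and rejects any token whose session_id is not among them with the same error
// the report quotes.
function makeFakeClient(liveSessionIds) {
  return {
    auth: {
      async setSession({ access_token }) {
        const { session_id, sub } = decodeJwtPayload(access_token);
        if (!liveSessionIds.has(session_id)) {
          return {
            data: { session: null, user: null },
            error: { name: 'AuthApiError', message: 'Session from session_id claim in JWT does not exist', status: 403 },
          };
        }
        return { data: { session: { access_token }, user: { id: sub } }, error: null };
      },
    },
  };
}

// Demo: one token whose session the server still has, one whose session it does not.
async function demo() {
  const client = makeFakeClient(new Set(['sess-live']));
  const farFuture = 4102444800; // 2100-01-01, so the demo tokens are not "expired"
  for (const sid of ['sess-live', 'sess-gone']) {
    const tok = makeDemoToken({ sub: 'user-1', session_id: sid, exp: farFuture });
    const url = `http://localhost:3005/set-password?access_token=${tok}&refresh_token=refresh-1&type=recovery`;
    console.log(sid, await applyRecoverySession(client, url));
  }
}

demo().catch(console.error);
```

Running it prints one `ok: true` result and one `ok: false` result with `status: 403` and the quoted message, which is the state the password page should handle explicitly. Logging `session_id` alongside the error is what lets you correlate the failing token with the auth server's session table when triaging reports like this one.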

@Whitebytes Whitebytes added the bug Something isn't working label May 6, 2024
@JOsacky

JOsacky commented May 6, 2024

I am also running into this issue, and users are not able to log out using the iOS client; instead it throws an error because the response is a 403.

Forced logouts only happen for 404s and 401s on the iOS client; perhaps updating the response to a 401 would make more sense.

Here is a reference to the Swift Supabase client code that throws:
https://github.com/supabase/supabase-swift/blob/f1e17ee7ceef4e9da56c57fdd299fa1cf1641381/Sources/Auth/AuthClient.swift#L714-L723

Here is a photo of the error in the Xcode debugger: [image not available in this copy]

Edit: there has already been a PR to address this by force logging out from 403s.

supabase/supabase-swift@7c4e62b

JOsacky referenced this issue in supabase/supabase-swift May 6, 2024
* fix(auth): sign out should ignore 403s

* add integration test

* fix linux build
@otang

otang commented May 9, 2024

I am experiencing the same issue
