Skip to content

fix(#518): guard cookie writes when response headers already sent #525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 9, 2025
Merged

fix(#518): guard cookie writes when response headers already sent #525

merged 3 commits into from
Sep 9, 2025

Conversation

@nicokempe
Copy link
Contributor

@nicokempe nicokempe commented Sep 4, 2025

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

This PR implements a defensive guard for SSR cookie writes.
Previously, setAll unconditionally attempted to call setCookie even when the H3/Node response headers had already been sent. This caused runtime errors and unhandledRejection spam during token refresh in dev after idle:

ERROR Cannot remove headers after they are sent to the client
    at ServerResponse.removeHeader (node:_http_outgoing:848:11)
    at setCookie (h3/dist/index.mjs:615:18)
    at node_modules/@nuxtjs/supabase/dist/runtime/plugins/supabase.server.js:31:111
    at Array.forEach (<anonymous>)
    at setAll (.../node_modules/@nuxtjs/supabase/dist/runtime/plugins/supabase.server.js:31:38)
    at applyServerStorage (.../@supabase/ssr/dist/module/cookies.js:274:9)
    at async Object.callback (.../@supabase/ssr/dist/module/createServerClient.js:51:13)
    at async .../@supabase/auth-js/dist/module/GoTrueClient.js:1604:11
    at async Promise.all (index 1)

The fix introduces a headersWritable check in both runtime/plugins/supabase.server.js and runtime/server/services/serverSupabaseClient.js.
If headers are already sent or the response has ended, cookie writes are skipped.
This prevents crashes and log spam without altering normal behavior when headers are writable.

Resolves: #518

Checklist

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes

@netlify
Copy link

netlify bot commented Sep 4, 2025
edited
Loading

Deploy Preview for n3-supabase canceled.

Name Link
🔨 Latest commit 57a2de5
🔍 Latest deploy log https://app.netlify.com/projects/n3-supabase/deploys/68bfe6dd0cd13a000821981a

@vercel
Copy link

vercel bot commented Sep 4, 2025

@nicokempe is attempting to deploy a commit to the NuxtLabs Team on Vercel.

A member of the Team first needs to authorize it.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Sep 4, 2025
edited
Loading 

npm i https://pkg.pr.new/@nuxtjs/supabase@525

commit: 57a2de5

@nicokempe nicokempe marked this pull request as ready for review September 5, 2025 00:35
larbish
larbish approved these changes Sep 9, 2025
View reviewed changes
Copy link
Collaborator

@larbish larbish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @nicokempe, I just factorized your logic into one utility file. Merging! 🚀

@larbish larbish merged commit 2338991 into nuxt-modules:main Sep 9, 2025
6 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@larbish larbish larbish approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Guard SSR cookie writes to prevent “Cannot remove headers after they are sent to the client” in dev after idle

2 participants

@nicokempe @larbish