Error [AuthApiError]: Invalid Refresh Token: Refresh Token Not Found

[f-z-coder]

Bug: Error [AuthApiError]: Invalid Refresh Token when using auth.uid() in RLS policies with unauthenticated users

Description

When a user is not logged in and an RLS policy tries to use auth.uid(), the system throws an "Invalid Refresh Token: Refresh Token Not Found" error instead of handling this case gracefully.

Error Details

Error [AuthApiError]: Invalid Refresh Token: Refresh Token Not Found
    at handleError (../../../src/lib/fetch.ts:102:8)
    at async _handleRequest (../../../src/lib/fetch.ts:195:4)       
    at async _request (../../../src/lib/fetch.ts:157:15)
    at async (../../src/GoTrueClient.ts:1847:17)
    at async (../../../src/lib/helpers.ts:228:25) {
  __isAuthError: true,
  status: 400,
  code: 'refresh_token_not_found'
}

Steps to Reproduce

1. Create an RLS policy that uses auth.uid() to restrict access
2. Attempt to access this protected resource when not logged in
3. The system throws "Invalid Refresh Token: Refresh Token Not Found" instead of handling this gracefully

Expected Behavior

When a user is not authenticated and a policy uses auth.uid(), the system should either:

• Handle this case gracefully by returning null for auth.uid()
• Provide a more helpful error message indicating that authentication is required
• Document clearly that auth.uid() should only be used with additional checks for authenticated sessions

System Information

• OS: Windows 10
• Browser: [Please specify]
• Version of supabase-js: [Please specify]
• Version of Node.js: [Please specify]

Possible Solution

Update the RLS policy handling to check if a user is authenticated before attempting to access auth.uid(), or provide better error handling for this common use case.

[mandarini]

Hi, the skipAutoInitialize fix in @supabase/ssr@0.9.0-rc.6 addresses a token refresh race condition, but your case appears to be different: the error is triggered when an unauthenticated user hits a query protected by an RLS policy using auth.uid() — there is no refresh token at all in this scenario.

The client should handle this more gracefully (returning null or a clear "not authenticated" error rather than attempting a refresh). We're tracking this as a separate issue.

In the meantime, adding an auth check before making RLS-protected queries will avoid the error:

const { data: { user } } = await supabase.auth.getUser()
if (!user) { /* handle unauthenticated case */ }

Thank you for contributing to Supabase! 💚