🚨 [CRITICAL] Authentication Handshake Failure: JWT Session Propagation Missing in /login response #258

@aniket866

Description

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

📌 Issue Overview

The FastAPI /api/auth/login endpoint successfully authenticates users via Supabase but fails to return the access_token and session object in the response body. This prevents the frontend or API clients from making subsequent authenticated requests, as there is no JWT (JSON Web Token) available to include in the Authorization header.

πŸ” Steps to Reproduce (via Postman)

  1. Signup: Send a POST request to /api/auth/signup with user credentials to create a new account.
  2. Verification: Confirm the user account by clicking the link in the Supabase confirmation email.
  3. Login: Send a POST request to /api/auth/login with the verified email and password.
  4. Inspect Response: Observe the JSON response. It contains a user_id and success message but is missing the session object and access_token.
  5. Authenticated Request: Attempt a GET request to a protected endpoint (e.g., /analytics/creator/dashboard-stats) using the expected Bearer token. It will fail with 401 Unauthorized or an algorithm mismatch error because no valid token was provided during login.

🎯 Expected Behavior

The login endpoint should return the full Supabase session object, which includes the access_token, refresh_token, and expires_in fields.

🚨 Actual Behavior

The endpoint currently returns a custom dictionary that excludes session data, effectively losing the JWT required for client-side authentication.

📷 Screenshot

Postman screenshot here showing the login response missing the "session" key:

💡 Suggested Improvements

The Faulty Code

File: backend\app\api\routes\auth.py

The current implementation only extracts the user ID and ignores the session metadata returned by the Supabase SDK.

    # Only user and profile fields are returned; res.session (access_token,
    # refresh_token, expires_in) is never forwarded to the client.
    return LoginResponse(
        message="Login successful.",
        user_id=user.id,
        email=user.email,
        role=profile.get("role"),
        name=profile.get("name"),
        onboarding_completed=profile.get("onboarding_completed", False)
    )

The Reason

The supabase.auth.sign_in_with_password() method returns an AuthResponse object containing both user and session properties. By manually constructing a return dictionary that excludes res.session, the backend fails to pass the necessary JWT back to the client. Without this session object, the frontend cannot authorize requests to protected routes.

The Recommended Fix

Update the return statement to include the full session object. This ensures the frontend receives the access_token needed for the Bearer authentication header.

Record

  • I agree to follow this project's Code of Conduct
  • I want to work on this issue
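As an added illustration of the recommended fix (example code, not the project's auth.py or the Supabase SDK): a response builder that forwards the session fields the client needs and refuses to report success when no session came back. The SDK types are constructed stand-ins; `LoginError` and `build_login_response` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the Supabase SDK types (the AuthResponse returned by
# supabase.auth.sign_in_with_password() exposes .user and .session like this).
@dataclass
class User:
    id: str
    email: str
@dataclass
class Session:
    access_token: str
    refresh_token: str
    expires_in: int
    token_type: str = "bearer"
@dataclass
class AuthResponse:
    user: Optional[User]
    session: Optional[Session]

# Response model (a plain dataclass here; a Pydantic model in the FastAPI app).
@dataclass
class LoginResponse:
    message: str
    user_id: str
    email: str
    role: Optional[str]
    name: Optional[str]
    onboarding_completed: bool
    session: dict  # the field the current endpoint leaves out

class LoginError(Exception):
    pass

def build_login_response(res: AuthResponse, profile: dict) -> LoginResponse:
    # The SDK types session as optional, so guard it: a response without a
    # session must not be reported to the client as a token-less "success".
    if res.user is None or res.session is None:
        raise LoginError("No session returned; is the email confirmed?")
    s = res.session
    return LoginResponse(
        message="Login successful.",
        user_id=res.user.id,
        email=res.user.email,
        role=profile.get("role"),
        name=profile.get("name"),
        onboarding_completed=profile.get("onboarding_completed", False),
        # Whitelist the session fields the client needs instead of dumping the SDK object.
        session={"access_token": s.access_token, "refresh_token": s.refresh_token,
                 "expires_in": s.expires_in, "token_type": s.token_type},
    )
```

The client then sends `Authorization: Bearer <access_token>` on protected routes such as /analytics/creator/dashboard-stats, and uses refresh_token once expires_in seconds have passed.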
