May 26, 2026·4 min read·Incident

The OAuth cookie that wouldn't survive a redirect

Google sign-in had been broken for an unknown number of users for an unknown number of hours. I spent an hour staring at code that hadn't changed. The bug turned out to be a single 308 redirect between two domains.

By David Sawires

Google sign-in had been broken for an unknown number of users for an unknown number of hours. The symptom: click "Sign in with Google," go through the consent dance, land back on cfitrim.com with no session. Try again. Same result.

I spent an hour staring at code that hadn't changed.

The bug turned out to be a 308 redirect between two domains. We had trim-tarmaclabs.vercel.app, the preview URL Google still knew about, and cfitrim.com, the real production domain. The redirect was correct and intentional. The problem: the PKCE verifier cookie, the thing that proves to the authorization server "this is the same browser that started the OAuth flow", ended up on one side of that redirect while the code exchange ran on the other. A cookie belongs to the host that set it, and a redirect carries no cookies across hosts, so the callback on cfitrim.com arrived with a code and no verifier, and the exchange failed. The cookie was SameSite=Lax, which is the right setting for a verifier: Lax still sends it on the top-level GET navigation the provider's redirect produces, and withholds it only on cross-site requests that aren't top-level safe-method navigations (a form-POST callback, say). No SameSite value would have moved the cookie to a different host, so loosening it to None would not have fixed this, only weakened it.

Small thing, wrong place, big consequences. The same way aviation accidents work — never one cause.

The fix

Don't add HTTP redirects between OAuth-bearing domains. Period. The right fix is to update the Supabase Site URL and the Redirect URLs allowlist so the OAuth flow ends at the canonical domain in the first place. The redirectTo the app passes to signInWithOAuth has to match an allowlist entry, because Supabase falls back to the Site URL when it doesn't, which is exactly how a stale preview URL keeps showing up in the flow. No bounce, no dead cookie.

I rolled back the redirect, updated the allowlist, and tested with a fresh browser profile. Sign-in worked. Took two minutes once I knew the cause.

What it taught

Two things. First, OAuth is one of those systems where the visible failure mode (no session) is three steps removed from the actual cause (cookie didn't survive the hop). The debugging cost was an hour. The productive minutes were maybe four. The rest was scanning, ruling out, reading docs, swearing.

Second, the urge to "just patch it" with a redirect needs to be examined. A redirect is a tiny, satisfying line of config. It is also a mode change in the middle of an auth flow, and auth flows are governed by browser security rules I don't get to override.

Now a permanent rule: fix the upstream config, never paper over with a redirect when the failure is auth-adjacent. Same logic as troubleshooting an instrument failure in the airplane: you don't cover a misreading gauge with tape. You go find the source.
