fix(auth): include Cloudflare error codes in NETWORK_ERROR_CODES #2239

Merged
mandarini merged 1 commit into supabase:master from Vansh1811:fix/auth-cloudflare-network-error-codes
Apr 15, 2026

@Vansh1811

Description

When Supabase is deployed behind Cloudflare and the server goes down, Cloudflare responds with HTTP 5xx error codes that are not standard HTTP codes:

  • 520 — Unknown error
  • 521 — Web server is down
  • 522 — Connection timed out
  • 523 — Origin is unreachable
  • 524 — A timeout occurred
  • 530 — Cloudflare 1xxx error

Previously, NETWORK_ERROR_CODES only included [502, 503, 504]. When Cloudflare returned a 521 (or similar), handleError would fall through to parse the response body as an auth API error — which would fail (since the Cloudflare HTML error page isn't valid JSON), and in some cases cause the auth client to wipe the user's session token as if it were an auth failure.

What changed?

  • packages/core/auth-js/src/lib/fetch.ts: Extended NETWORK_ERROR_CODES to include Cloudflare-specific error codes (520, 521, 522, 523, 524, 530). These are now correctly classified as retryable infrastructure errors (AuthRetryableFetchError) instead of auth API errors.

Checklist

  • PR title follows the conventional commit format
  • Changes are limited to a single logical unit
  • Code is self-documenting with inline comments explaining the Cloudflare codes

Fixes #1684

Expanded NETWORK_ERROR_CODES to include Cloudflare-specific error codes.

When Supabase is deployed behind Cloudflare and the server goes down, Cloudflare responds with HTTP 5xx codes (521 'Web server is down', 520 'Unknown error', 522 'Connection timed out', etc.). Previously, only 502/503/504 were treated as retryable network errors - other 5xx codes would fall through to be parsed as auth API errors, potentially wiping the user session token.

Fix: Add Cloudflare-specific error codes (520-524, 530) to NETWORK_ERROR_CODES so they are correctly treated as retryable infrastructure errors via AuthRetryableFetchError, not as auth failures.

Fixes supabase#1684
@Vansh1811 Vansh1811 requested review from a team as code owners April 10, 2026 06:10
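
An added sketch of the classification the description explains, showing a constructed Cloudflare 521 HTML page handled with the old and the extended code list. This is not the auth-js source: `classify`, `sessionAfterRefresh`, the `Outcome` type and the sample bodies are hypothetical, and the "drop the session on any non-retryable failure" policy is a simplifying assumption.

```typescript
// Added illustration; identifiers are hypothetical, not auth-js internals.
type Outcome =
  | { kind: 'retryable'; status: number } // infrastructure failure: retry later
  | { kind: 'api_error'; status: number; code: string } // auth server really answered
  | { kind: 'unparseable'; status: number } // body is not an auth API JSON error

// Status code lists as given in the PR description.
const BEFORE: readonly number[] = [502, 503, 504]
const AFTER: readonly number[] = [502, 503, 504, 520, 521, 522, 523, 524, 530]

// Constructed sample bodies (not captured traffic).
const CLOUDFLARE_521_HTML =
  '<!DOCTYPE html><html><head><title>Web server is down</title></head></html>'
const AUTH_400_JSON = JSON.stringify({ code: 'example_auth_error', message: 'rejected' })

function classify(status: number, body: string, networkCodes: readonly number[]): Outcome {
  // Proxy/CDN failures are decided on the status alone, before touching the body.
  if (networkCodes.indexOf(status) !== -1) {
    return { kind: 'retryable', status }
  }
  try {
    const code = (JSON.parse(body) as { code?: unknown } | null)?.code
    if (typeof code === 'string') {
      return { kind: 'api_error', status, code }
    }
  } catch {
    // An HTML error page from a proxy is not JSON and ends up here.
  }
  return { kind: 'unparseable', status }
}

// Assumed caller policy: the stored session survives only a retryable failure.
function sessionAfterRefresh(
  session: string,
  status: number,
  body: string,
  networkCodes: readonly number[]
): string | null {
  return classify(status, body, networkCodes).kind === 'retryable' ? session : null
}

// Old list: the 521 page falls through to body parsing and the session is lost.
console.log(sessionAfterRefresh('stored-session', 521, CLOUDFLARE_521_HTML, BEFORE))
// Extended list: the same response is retryable and the session is kept.
console.log(sessionAfterRefresh('stored-session', 521, CLOUDFLARE_521_HTML, AFTER))
```
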
@pkg-pr-new

pkg-pr-new Bot commented Apr 15, 2026

@supabase/auth-js

npm i https://pkg.pr.new/@supabase/auth-js@2239

@supabase/functions-js

npm i https://pkg.pr.new/@supabase/functions-js@2239

@supabase/postgrest-js

npm i https://pkg.pr.new/@supabase/postgrest-js@2239

@supabase/realtime-js

npm i https://pkg.pr.new/@supabase/realtime-js@2239

@supabase/storage-js

npm i https://pkg.pr.new/@supabase/storage-js@2239

@supabase/supabase-js

npm i https://pkg.pr.new/@supabase/supabase-js@2239

commit: 7c65323

@mandarini mandarini self-assigned this Apr 15, 2026
@mandarini mandarini added do-not-merge Do not merge this PR. and removed do-not-merge Do not merge this PR. labels Apr 15, 2026
@mandarini mandarini merged commit 7f47b36 into supabase:master Apr 15, 2026
22 of 23 checks passed
mandarini pushed a commit to supabase/supabase that referenced this pull request Apr 16, 2026
This PR updates @supabase/*-js libraries to version 2.103.2.

**Source**: supabase-js-stable-release

**Changes**:
- Updated @supabase/supabase-js to 2.103.2
- Updated @supabase/auth-js to 2.103.2
- Updated @supabase/realtime-js to 2.103.2
- Updated @supabase/postgrest-js to 2.103.2
- Refreshed pnpm-lock.yaml

---

## Release Notes

## v2.103.2

## 2.103.2 (2026-04-15)

### 🩹 Fixes

- **auth:** include Cloudflare error codes in NETWORK_ERROR_CODES
([#2239](supabase/supabase-js#2239))
- **auth:** remove Prettify wrapper from exported types for TypeDoc
expansion ([#2250](supabase/supabase-js#2250))
- **misc:** add explicit return types to toJSON methods for JSR compat
([#2252](supabase/supabase-js#2252))
- **storage:** remove client-side signed URL render endpoint
normalization
([#2249](supabase/supabase-js#2249))

### ❤️ Thank You

- Katerina Skroumpelou @mandarini
- Vansh Sharma @Vansh1811
## v2.103.1

## 2.103.1 (2026-04-15)

### 🩹 Fixes

- **auth:** add toJSON to AuthError for correct JSON serialization
([#2238](supabase/supabase-js#2238))
- **postgrest:** handle bigint rpc
([#2245](supabase/supabase-js#2245))
- **storage:** add toJSON to StorageError for correct JSON serialization
([#2246](supabase/supabase-js#2246))
- **storage:** apply empty transform check to download and getPublicUrl
([#2219](supabase/supabase-js#2219))

### ❤️ Thank You

- oniani1
- Vaibhav @7ttp

This PR was created automatically.

Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

Auth-js does not handle Cloudflare Web server is down 521 error code correctly