Login cancel and retry creates broken auth state
Priority: Medium · Status: Open · Category: Auth / OAuth · Type: Bug Note
Feb 21, 2026 · Updated Mar 6, 2026 · Source: ChatGPT — OAuth Debug Session (ChatGPT)
Summary
When a user clicks "Login with GitHub", cancels on the GitHub authorization screen, and then tries again immediately, the app enters a broken state. The Supabase OAuth state token has already been consumed or expired, so the retry fails with a 400. The user must hard refresh to recover.
Raw Content
## Problem

User cancels GitHub OAuth mid-flow, returns to the app, and tries to log in again immediately. The second attempt fails with a cryptic error.

## Error

```
OAuth state mismatch. Expected: abc123, Got: null
```

## Root Cause

The OAuth `state` parameter is consumed on the first redirect attempt even if the user cancels. On the second attempt, the state is no longer in storage, causing the mismatch.

## Fix

Clear the stored OAuth state on the /login route whenever the user lands there without completing auth. Reset the state before initiating a new OAuth flow.

Also: show a cleaner error message if we detect this case instead of surfacing the raw 400.

## Notes

- This is a common OAuth UX pitfall, not specific to Supabase
- Add an error boundary around the auth callback page

## Priority

Medium — affects friction but not blocking core flow.
Metadata
| Field | Value |
| --- | --- |
| Event ID | d1000000-0000-0000-0000-000000000002 |
| Project | VCTRL |
| Event Time | Feb 21, 2026, 2:24:57 AM |
| Created | Mar 6, 2026, 2:24:57 AM |
| Updated | Mar 6, 2026, 2:24:57 AM |
| Source | ChatGPT — OAuth Debug Session |
| Source Type | ChatGPT |