mirror of
https://github.com/supabase/supabase.git
synced 2026-06-21 19:22:46 +08:00
## Problem

React Query cache keys for permissions and organizations are generic (`['permissions']`, `['organizations']`) with no user identifier. When a new session is established without going through the explicit sign-out flow (e.g. clicking an email verification link while still logged in as another account), stale data from the previous user persists in cache.

The new user ends up seeing the old user's permissions and org list, which makes the project creation form appear enabled. When submitted, the backend rejects with "not an owner" because the token belongs to the new account which has no ownership of the old org.

A hard refresh clears the in-memory React Query state and forces a fresh fetch, which is why it resolved the issue.

## Fix

Scope `permissionKeys.list` and `organizationKeys.list` by user ID so different accounts never share the same cache slot. When a different user logs in, their queries simply get fresh cache entries and never see data from the previous session.

Updated all invalidation and `setQueriesData` call sites across 18 files to pass the current user ID.

## How to test

I don't think it can be tested in the preview environment sadly since the request to verify has to go to auth.supabase.green instead of vercel-ref.supabase.green

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
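
The stale-cache behaviour described in this commit message, as an added JavaScript example that is not part of the commit or the Supabase code base. `QueryCache` is a simplified synchronous stand-in for a keyed query cache (not React Query itself), and the key shapes, user IDs and backend data are constructed assumptions.

```javascript
// Simplified stand-in for a client query cache (NOT React Query itself):
// a result is stored under the serialized query key and reused while present.
class QueryCache {
  constructor() {
    this.entries = new Map();
  }
  fetchQuery(queryKey, queryFn) {
    const hash = JSON.stringify(queryKey);
    if (!this.entries.has(hash)) this.entries.set(hash, queryFn());
    return this.entries.get(hash);
  }
}

// Constructed backend data: the organizations each account may see.
const BACKEND = {
  'user-a': [{ slug: 'org-a', role: 'owner' }],
  'user-b': [],
};
const fetchOrganizations = (session) => BACKEND[session.userId];

// Before the fix: one generic key shared by every account.
const genericKeys = { list: () => ['organizations'] };
// After the fix: key scoped by user ID (exact key shape is an assumption).
const scopedKeys = { list: (userId) => ['organizations', userId] };

// User A loads the org list, then user B's session replaces A's without the
// sign-out flow, so nothing clears the cache in between.
function orgsSeenByUserB(keyFor) {
  const cache = new QueryCache();
  const a = { userId: 'user-a' };
  const b = { userId: 'user-b' };
  cache.fetchQuery(keyFor(a), () => fetchOrganizations(a));
  return cache.fetchQuery(keyFor(b), () => fetchOrganizations(b));
}

// Generic key: B is served A's cached entry and the UI shows A's org.
const withGenericKey = () => orgsSeenByUserB(() => genericKeys.list());
// Scoped key: B misses A's slot and gets a fresh fetch of B's own data.
const withScopedKey = () => orgsSeenByUserB((s) => scopedKeys.list(s.userId));

console.log('generic key ->', withGenericKey());
console.log('scoped key  ->', withScopedKey());
```
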