@mandarini mandarini commented Dec 16, 2025

Summary

Add client-side support for the sb identifier that Supabase Auth server adds to OAuth redirect URLs (supabase/auth#2299).

Problem

auth-js intercepts all URL fragments containing access_token, including those from non-Supabase OAuth providers (e.g., Facebook Login). This causes unintended authentication issues when apps use multiple OAuth providers.

Solution

  • Updated _isImplicitGrantCallback() to check for the sb parameter first
  • Falls back to legacy detection (access_token / error_description) for backwards compatibility with older Auth server versions
  • Updated JSDoc documentation with a comprehensive example

Example

  // New default behavior (automatic):
  // 1. Check for 'sb' parameter (new Auth servers)
  // 2. Fall back to access_token/error_description (legacy)

  // Custom predicate for advanced use cases:
  detectSessionInUrl: (url, params) => {
    if ('sb' in params) return true
    if (url.pathname === '/facebook/redirect') return false
    return Boolean(params.access_token || params.error_description)
  }

Related

Blocked by:

TODO as breaking change

On v3, as breaking change, remove the legacy fallback

@mandarini mandarini requested review from a team as code owners December 16, 2025 12:37
@mandarini mandarini added the do-not-merge Do not merge this PR. label Dec 16, 2025
@github-actions github-actions bot added the auth-js Related to the auth-js library. label Dec 16, 2025
@mandarini mandarini changed the base branch from master to feat/auth-detect-session-url-predicate December 16, 2025 12:37
@mandarini mandarini self-assigned this Dec 16, 2025
Base automatically changed from feat/auth-detect-session-url-predicate to master December 16, 2025 12:40
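
The detection order described in the pull request, as an added example that is not code from the PR or from auth-js: `fragmentParams`, `classifyCallback`, the `legacyFallback` option and the sample URLs are constructed for illustration. It shows that with the legacy fallback enabled a third-party fragment carrying `access_token` still matches, which is the case the custom predicate or the planned v3 removal addresses.

```javascript
// Added example: names and sample URLs below are constructed, not from auth-js.

// Parse the parameters carried in the URL fragment (#a=1&b=2).
function fragmentParams(href) {
  const hash = new URL(href).hash
  return new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash)
}

// Detection order from the PR description:
//   1. 'sb' present                             -> redirect from a new Auth server
//   2. access_token / error_description present -> legacy shape (fallback)
// legacyFallback=false models the v3 TODO, where the fallback is removed.
function classifyCallback(href, { legacyFallback = true } = {}) {
  const params = fragmentParams(href)
  if (params.has('sb')) return 'supabase'
  const legacyShape = Boolean(
    params.get('access_token') || params.get('error_description')
  )
  return legacyFallback && legacyShape ? 'legacy-match' : 'ignore'
}

// Constructed redirect URLs. The empty 'sb' value is an assumption; only the
// parameter's presence is checked, as in the PR's predicate example.
const SAMPLES = {
  newServer: 'https://app.example/cb#access_token=aaa&token_type=bearer&sb=',
  oldServer: 'https://app.example/cb#access_token=bbb&token_type=bearer',
  facebook: 'https://app.example/facebook/redirect#access_token=ccc&expires_in=3600',
  plainAnchor: 'https://app.example/dashboard#section-2',
}

// Classify every sample with and without the legacy fallback.
function compareModes() {
  const out = {}
  for (const [name, href] of Object.entries(SAMPLES)) {
    out[name] = {
      withFallback: classifyCallback(href),
      sbOnly: classifyCallback(href, { legacyFallback: false }),
    }
  }
  return out
}

console.table(compareModes())
```
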
coveralls commented Dec 17, 2025

Coverage Status

coverage: 95.367% (+14.0%) from 81.37%
when pulling 05d6a29 on feat/auth-sb-identifier
into efca12c on master.

@mandarini mandarini force-pushed the feat/auth-sb-identifier branch from d36da73 to 05d6a29 Compare December 17, 2025 16:56
@mandarini mandarini marked this pull request as draft December 17, 2025 17:04
mandarini commented Dec 17, 2025

Need to think a bit more on this, maybe it's not even needed.
