fix(auth): encode client-id in oauth requests #2383

Merged
mandarini merged 1 commit into master from etienne/prodsec-142-ardvark-supa-02
May 20, 2026
@staaldraad
Member

🔍 Description

ensure client-id is encoded when passed to URL creation for oauth related requests

What changed?

The client-id is URL-encoded before use in forming OAuth requests.

Why was this change needed?

client-id can contain URL-influencing characters that are not escaped. If this is passed in an admin context, where the SDK is treated as a security boundary, there can be unintended side effects.

🔄 Breaking changes

  • This PR contains no breaking changes

📋 Checklist

  • I have read the Contributing Guidelines
  • My PR title follows the conventional commit format: <type>(<scope>): <description>
  • I have run pnpm nx format to ensure consistent code formatting
  • I have added tests for new functionality (if applicable)
  • I have updated documentation (if applicable)

📝 Additional notes

ensure client-id is encoded when passed to URL creation for oauth related requests
@staaldraad staaldraad requested review from a team as code owners May 19, 2026 19:25
@github-actions github-actions Bot added the auth-js Related to the auth-js library. label May 19, 2026
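
The effect described in the PR body, as an added example that is not part of the PR or of auth-js: an identifier interpolated into a URL path is compared with the same identifier percent-encoded first. The base URL, the `/admin/oauth/clients/` route and all function names are hypothetical, and the sample identifiers are constructed.

```javascript
// Added illustration. BASE and the /admin/oauth/clients/ route are
// hypothetical placeholders, not taken from the PR or from auth-js.
const BASE = 'https://auth.example.test'

// Before: the identifier is interpolated into the path as-is.
function buildUnencoded(clientId) {
  return `${BASE}/admin/oauth/clients/${clientId}`
}

// encodeURIComponent leaves "." untouched, so a value that is exactly "."
// or ".." is still a dot segment after encoding; reject those explicitly.
function encodeSegment(value) {
  if (typeof value !== 'string' || value === '' || value === '.' || value === '..') {
    throw new TypeError('invalid path segment')
  }
  return encodeURIComponent(value)
}

// After: the identifier is percent-encoded so it stays a single path segment.
function buildEncoded(clientId) {
  return `${BASE}/admin/oauth/clients/${encodeSegment(clientId)}`
}

// What the WHATWG URL parser makes of a built string.
function describe(urlString) {
  const u = new URL(urlString)
  return { pathname: u.pathname, search: u.search, hash: u.hash }
}

// Constructed sample identifiers containing URL-influencing characters.
const SAMPLES = ['abc-123', '../users', 'abc?force=true', 'abc#frag']

function compare(clientId) {
  return {
    clientId,
    unencoded: describe(buildUnencoded(clientId)),
    encoded: describe(buildEncoded(clientId)),
  }
}

for (const id of SAMPLES) console.log(JSON.stringify(compare(id)))
```

In the unencoded form, `/`, `?` and `#` in the identifier change the path, query and fragment of the request; in the encoded form the pathname always ends in exactly one segment under `/admin/oauth/clients/`.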
@pkg-pr-new
pkg-pr-new Bot commented May 19, 2026

@supabase/auth-js

npm i https://pkg.pr.new/@supabase/auth-js@2383

@supabase/functions-js

npm i https://pkg.pr.new/@supabase/functions-js@2383

@supabase/postgrest-js

npm i https://pkg.pr.new/@supabase/postgrest-js@2383

@supabase/realtime-js

npm i https://pkg.pr.new/@supabase/realtime-js@2383

@supabase/storage-js

npm i https://pkg.pr.new/@supabase/storage-js@2383

@supabase/supabase-js

npm i https://pkg.pr.new/@supabase/supabase-js@2383

commit: 062b361

@mandarini mandarini merged commit 3944b82 into master May 20, 2026
25 checks passed
@mandarini mandarini deleted the etienne/prodsec-142-ardvark-supa-02 branch May 20, 2026 09:23
mandarini pushed a commit to supabase/ssr that referenced this pull request May 20, 2026
This PR updates `@supabase/supabase-js` to v2.106.1.

**Source**: supabase-js-stable-release

---

## Release Notes

## v2.106.1

## 2.106.1 (2026-05-20)

### 🩹 Fixes

- **auth:** encode client-id in oauth requests
([#2383](supabase/supabase-js#2383))
- **misc:** hide dynamic import from hermesc
([#2381](supabase/supabase-js#2381))

### ❤️ Thank You

- Etienne Stalmans @staaldraad
- Katerina Skroumpelou @mandarini

This PR was created automatically.

Co-authored-by: supabase-workflow-trigger[bot] <266661614+supabase-workflow-trigger[bot]@users.noreply.github.com>