Skip to content

feat(auth): add support for Supabase Auth sb identifier#1959

Draft
mandarini wants to merge 2 commits intomasterfrom
feat/auth-sb-identifier
Draft

feat(auth): add support for Supabase Auth sb identifier#1959
mandarini wants to merge 2 commits intomasterfrom
feat/auth-sb-identifier

Conversation

@mandarini
Copy link
Contributor

@mandarini mandarini commented Dec 16, 2025
edited
Loading

Summary

Add client-side support for the sb identifier that Supabase Auth server adds to OAuth redirect URLs (supabase/auth#2299).

Problem

auth-js intercepts all URL fragments containing access_token, including those from non-Supabase OAuth providers (e.g., Facebook Login). This causes unintended authentication issues when apps use multiple OAuth providers.

Solution

  • Updated _isImplicitGrantCallback() to check for the sb parameter first
  • Falls back to legacy detection (access_token / error_description) for backwards compatibility with older Auth server versions
  • Updated JSDoc documentation with a comprehensive example

Example

  // New default behavior (automatic):
  // 1. Check for 'sb' parameter (new Auth servers)
  // 2. Fall back to access_token/error_description (legacy)

  // Custom predicate for advanced use cases:
  detectSessionInUrl: (url, params) => {
    if ('sb' in params) return true
    if (url.pathname === '/facebook/redirect') return false
    return Boolean(params.access_token || params.error_description)
  }

Related

Blocked by:

TODO as breaking change

On v3, as breaking change, remove the legacy fallback

@mandarini mandarini requested review from a team as code owners December 16, 2025 12:37
@mandarini mandarini added the do-not-merge Do not merge this PR. label Dec 16, 2025
@github-actions github-actions bot added the auth-js Related to the auth-js library. label Dec 16, 2025
@mandarini mandarini changed the base branch from master to feat/auth-detect-session-url-predicate December 16, 2025 12:37
@mandarini mandarini self-assigned this Dec 16, 2025
Base automatically changed from feat/auth-detect-session-url-predicate to master December 16, 2025 12:40
depthfirst-app[bot]
depthfirst-app bot reviewed Dec 16, 2025
View reviewed changes
@mandarini mandarini force-pushed the feat/auth-sb-identifier branch from fee89ed to 34374c6 Compare December 17, 2025 16:15
@mandarini mandarini mentioned this pull request Dec 17, 2025
Merged
@coveralls
Copy link

coveralls commented Dec 17, 2025
edited
Loading

Coverage Status

coverage: 95.367% (+14.0%) from 81.37%
when pulling 05d6a29 on feat/auth-sb-identifier
into efca12c on master.

@mandarini mandarini force-pushed the feat/auth-sb-identifier branch from d36da73 to 05d6a29 Compare December 17, 2025 16:56
@mandarini mandarini marked this pull request as draft December 17, 2025 17:04
@mandarini
Copy link
Contributor Author

mandarini commented Dec 17, 2025
edited
Loading

Need to think a bit more on this, maybe it's not even needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@depthfirst-app depthfirst-app[bot] depthfirst-app[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@mandarini mandarini

Labels

auth-js Related to the auth-js library. do-not-merge Do not merge this PR.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mandarini @coveralls

Comments