@jskit-ai/auth-provider-supabase-core 0.1.9 → 0.1.11

package/package.descriptor.mjs

@@ -1,7 +1,7 @@
 export default Object.freeze({
   "packageVersion": 1,
   "packageId": "@jskit-ai/auth-provider-supabase-core",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "options": {
     "auth-supabase-url": {
       "required": true,
@@ -83,8 +83,8 @@ export default Object.freeze({
   "mutations": {
     "dependencies": {
       "runtime": {
-        "@jskit-ai/auth-core": "0.1.9",
-        "@jskit-ai/kernel": "0.1.9",
+        "@jskit-ai/auth-core": "0.1.11",
+        "@jskit-ai/kernel": "0.1.11",
         "dotenv": "^16.4.5",
         "@supabase/supabase-js": "^2.57.4",
         "jose": "^6.1.0"
@@ -132,6 +132,16 @@ export default Object.freeze({
         "reason": "Configure application public URL for auth redirect flows.",
         "category": "runtime-config",
         "id": "auth-app-public-url"
+      },
+      {
+        "op": "append-text",
+        "file": "config/server.js",
+        "position": "bottom",
+        "skipIfContains": "config.auth = {",
+        "value": "\nconfig.auth = {\n  oauth: {\n    providers: [],\n    defaultProvider: \"\"\n  }\n};\n",
+        "reason": "Append app-owned OAuth provider visibility config for stock auth screens.",
+        "category": "runtime-config",
+        "id": "auth-oauth-app-config"
       }
     ]
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jskit-ai/auth-provider-supabase-core",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "type": "module",
   "scripts": {
     "test": "node --test"
@@ -12,8 +12,8 @@
     "./client": "./src/client/index.js"
   },
   "dependencies": {
-    "@jskit-ai/auth-core": "0.1.9",
-    "@jskit-ai/kernel": "0.1.9",
+    "@jskit-ai/auth-core": "0.1.11",
+    "@jskit-ai/kernel": "0.1.11",
     "jose": "^6.1.0",
     "@supabase/supabase-js": "^2.57.4"
   }

package/src/server/lib/accountFlows.js

@@ -1,4 +1,9 @@
 import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+import {
+  requireAuthUser,
+  requireAuthUserSession,
+  requireNoFieldErrors
+} from "./flowGuards.js";
 
 function normalizeLocalReturnToPath(value, { fallback = "" } = {}) {
   const normalized = String(value || "").trim();
@@ -61,19 +66,31 @@ function createAccountFlows(deps) {
     }
   }
 
+  function resolveRegisterEmailRedirectTo() {
+    if (typeof buildOtpLoginRedirectUrl === "function") {
+      try {
+        return buildOtpLoginRedirectUrl({
+          appPublicUrl
+        });
+      } catch {
+        // Fall through to the pre-built URL fallback below.
+      }
+    }
+    return otpLoginRedirectUrl;
+  }
+
   async function register(payload) {
     ensureConfigured();
 
     const parsed = validators.registerInput(payload);
-    if (Object.keys(parsed.fieldErrors).length > 0) {
-      throw validationError(parsed.fieldErrors);
-    }
+    requireNoFieldErrors(parsed, validationError);
 
     const supabase = getSupabaseClient();
     const response = await supabase.auth.signUp({
       email: parsed.email,
       password: parsed.password,
       options: {
+        emailRedirectTo: resolveRegisterEmailRedirectTo(),
         data: {
           display_name: displayNameFromEmail(parsed.email)
         }
@@ -81,7 +98,7 @@ function createAccountFlows(deps) {
     });
 
     if (response.error) {
-      throw mapAuthError(response.error, 400);
+      throw mapAuthError(response.error, Number(response.error?.status || 400));
     }
 
     if (!response.data?.user) {
@@ -106,13 +123,60 @@ function createAccountFlows(deps) {
     };
   }
 
+  async function resendRegisterConfirmation(payload) {
+    ensureConfigured();
+
+    const parsed = validators.forgotPasswordInput(payload);
+    requireNoFieldErrors(parsed, validationError);
+
+    const supabase = getSupabaseClient();
+    const emailRedirectTo = resolveRegisterEmailRedirectTo();
+    let response;
+    try {
+      response = await supabase.auth.resend({
+        type: "signup",
+        email: parsed.email,
+        options: {
+          emailRedirectTo
+        }
+      });
+    } catch (error) {
+      if (isTransientSupabaseError(error)) {
+        throw mapAuthError(error, 503);
+      }
+
+      return {
+        ok: true,
+        message: "If an account exists for that email, a confirmation email has been sent."
+      };
+    }
+
+    if (response.error) {
+      if (isTransientSupabaseError(response.error)) {
+        throw mapAuthError(response.error, 503);
+      }
+
+      if (isUserNotFoundLikeAuthError(response.error)) {
+        return {
+          ok: true,
+          message: "If an account exists for that email, a confirmation email has been sent."
+        };
+      }
+
+      throw mapAuthError(response.error, Number(response.error?.status || 400));
+    }
+
+    return {
+      ok: true,
+      message: "If an account exists for that email, a confirmation email has been sent."
+    };
+  }
+
   async function login(payload) {
     ensureConfigured();
 
     const parsed = validators.loginInput(payload);
-    if (Object.keys(parsed.fieldErrors).length > 0) {
-      throw validationError(parsed.fieldErrors);
-    }
+    requireNoFieldErrors(parsed, validationError);
 
     const supabase = getSupabaseClient();
     const response = await supabase.auth.signInWithPassword({
@@ -120,11 +184,9 @@ function createAccountFlows(deps) {
       password: parsed.password
     });
 
-    if (response.error || !response.data?.user || !response.data?.session) {
-      throw mapAuthError(response.error, 401);
-    }
+    const { user, session } = requireAuthUserSession(response, mapAuthError, 401);
 
-    const profile = await syncProfileFromSupabaseUser(response.data.user, parsed.email);
+    const profile = await syncProfileFromSupabaseUser(user, parsed.email);
     const passwordSignInPolicy = await resolvePasswordSignInPolicyForUserId(profile.id);
     if (!passwordSignInPolicy.passwordSignInEnabled) {
       throw new AppError(401, "Invalid email or password.");
@@ -132,7 +194,7 @@ function createAccountFlows(deps) {
 
     return {
       profile,
-      session: response.data.session
+      session
     };
   }
 
@@ -140,9 +202,7 @@ function createAccountFlows(deps) {
     ensureConfigured();
 
     const parsed = validators.forgotPasswordInput(payload);
-    if (Object.keys(parsed.fieldErrors).length > 0) {
-      throw validationError(parsed.fieldErrors);
-    }
+    requireNoFieldErrors(parsed, validationError);
 
     const emailRedirectTo = resolveOtpEmailRedirectTo(payload?.returnTo);
     const supabase = getSupabaseClient();
@@ -191,9 +251,7 @@ function createAccountFlows(deps) {
     ensureConfigured();
 
     const parsed = parseOtpLoginVerifyPayload(payload);
-    if (Object.keys(parsed.fieldErrors).length > 0) {
-      throw validationError(parsed.fieldErrors);
-    }
+    requireNoFieldErrors(parsed, validationError);
 
     const supabase = getSupabaseClient();
     let response;
@@ -214,15 +272,13 @@ function createAccountFlows(deps) {
       throw mapOtpVerifyError(error);
     }
 
-    if (response.error || !response.data?.session || !response.data?.user) {
-      throw mapOtpVerifyError(response.error);
-    }
+    const { user, session } = requireAuthUserSession(response, mapOtpVerifyError);
 
-    const profile = await syncProfileFromSupabaseUser(response.data.user, response.data.user.email || parsed.email);
+    const profile = await syncProfileFromSupabaseUser(user, user.email || parsed.email);
 
     return {
       profile,
-      session: response.data.session
+      session
     };
   }
 
@@ -252,11 +308,9 @@ function createAccountFlows(deps) {
       throw mapProfileUpdateError(error);
     }
 
-    if (updateResponse.error || !updateResponse.data?.user) {
-      throw mapProfileUpdateError(updateResponse.error);
-    }
+    const { user } = requireAuthUser(updateResponse, mapProfileUpdateError);
 
-    const profile = await syncProfileFromSupabaseUser(updateResponse.data.user, updateResponse.data.user.email);
+    const profile = await syncProfileFromSupabaseUser(user, user.email);
 
     return {
       profile,
@@ -266,6 +320,7 @@ function createAccountFlows(deps) {
 
   return {
     register,
+    resendRegisterConfirmation,
     login,
     requestOtpLogin,
     verifyOtpLogin,

package/src/server/lib/actions/auth.contributor.js

@@ -1,15 +1,18 @@
 import {
   EMPTY_INPUT_VALIDATOR
 } from "@jskit-ai/kernel/shared/actions/actionContributorHelpers";
-import { authRegisterCommand } from "@jskit-ai/auth-core/shared/commands/authRegisterCommand";
-import { authLoginPasswordCommand } from "@jskit-ai/auth-core/shared/commands/authLoginPasswordCommand";
-import { authLoginOtpRequestCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOtpRequestCommand";
-import { authLoginOtpVerifyCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOtpVerifyCommand";
-import { authLoginOAuthStartCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthStartCommand";
-import { authLoginOAuthCompleteCommand } from "@jskit-ai/auth-core/shared/commands/authLoginOAuthCompleteCommand";
-import { authPasswordResetRequestCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordResetRequestCommand";
-import { authPasswordRecoveryCompleteCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordRecoveryCompleteCommand";
-import { authPasswordResetCommand } from "@jskit-ai/auth-core/shared/commands/authPasswordResetCommand";
+import {
+  authRegisterCommand,
+  authRegisterConfirmationResendCommand,
+  authLoginPasswordCommand,
+  authLoginOtpRequestCommand,
+  authLoginOtpVerifyCommand,
+  authLoginOAuthStartCommand,
+  authLoginOAuthCompleteCommand,
+  authPasswordResetRequestCommand,
+  authPasswordRecoveryCompleteCommand,
+  authPasswordResetCommand
+} from "@jskit-ai/auth-core/shared/commands";
 
 function requireRequestContext(context, actionId) {
   const request = context?.requestMeta?.request || null;
@@ -37,6 +40,22 @@ const authActions = Object.freeze([
       return deps.authService.register(input);
     }
   },
+  {
+    id: "auth.register.confirmation.resend",
+    version: 1,
+    kind: "command",
+    channels: ["api", "internal"],
+    surfacesFrom: "enabled",
+    inputValidator: authRegisterConfirmationResendCommand.operation.bodyValidator,
+    idempotency: "none",
+    audit: {
+      actionName: "auth.register.confirmation.resend"
+    },
+    observability: {},
+    async execute(input, _context, deps) {
+      return deps.authService.resendRegisterConfirmation(input);
+    }
+  },
   {
     id: "auth.login.password",
     version: 1,

package/src/server/lib/authErrorMappers.js

@@ -47,9 +47,14 @@ function mapAuthError(error, fallbackStatus) {
     return new AppError(503, "Authentication service temporarily unavailable. Please retry.");
   }
 
+  const statusFromError = Number(error?.status || error?.statusCode);
   const message = sanitizeAuthMessage(error?.message, "Authentication failed.");
   const lower = message.toLowerCase();
 
+  if (statusFromError === 429 || lower.includes("rate limit")) {
+    return new AppError(429, "Too many authentication attempts. Please wait and try again.");
+  }
+
   if (lower.includes("already registered") || lower.includes("already been registered")) {
     return new AppError(409, "Email is already registered.");
   }
@@ -89,7 +94,11 @@ function mapAuthError(error, fallbackStatus) {
     return new AppError(409, "This sign-in method is not currently linked.");
   }
 
-  const status = Number.isInteger(Number(fallbackStatus)) ? Number(fallbackStatus) : 400;
+  const status = Number.isInteger(statusFromError)
+    ? statusFromError
+    : Number.isInteger(Number(fallbackStatus))
+      ? Number(fallbackStatus)
+      : 400;
   if (status >= 500) {
     return new AppError(503, "Authentication service temporarily unavailable. Please retry.");
   }

package/src/server/lib/authInputParsers.js

@@ -106,7 +106,6 @@ function validatePasswordRecoveryPayload(payload) {
 }
 
 function parseOAuthCompletePayload(payload = {}, options = {}) {
-  const provider = normalizeOAuthProviderInput(payload.provider || options.defaultProvider, options);
   const code = String(payload.code || "").trim();
   const accessToken = String(payload.accessToken || "").trim();
   const refreshToken = String(payload.refreshToken || "").trim();
@@ -137,6 +136,10 @@ function parseOAuthCompletePayload(payload = {}, options = {}) {
   applySessionPairValidation(accessToken, refreshToken, fieldErrors);
 
   const hasSessionPair = Boolean(accessToken && refreshToken);
+  const provider =
+    !hasSessionPair || code || errorCode
+      ? normalizeOAuthProviderInput(payload.provider || options.defaultProvider, options)
+      : null;
 
   if (!code && !errorCode && !hasSessionPair) {
     fieldErrors.code = "OAuth code is required when access/refresh tokens are not provided.";

package/src/server/lib/authRedirectUrls.js

@@ -27,6 +27,16 @@ function parseHttpUrl(rawValue, variableName) {
   return parsedUrl;
 }
 
+function createAppBaseUrl(appPublicUrl) {
+  const baseUrl = parseHttpUrl(String(appPublicUrl || "").trim(), "APP_PUBLIC_URL");
+  if (!baseUrl.pathname.endsWith("/")) {
+    baseUrl.pathname = `${baseUrl.pathname}/`;
+  }
+  baseUrl.search = "";
+  baseUrl.hash = "";
+  return baseUrl;
+}
+
 function buildPasswordResetRedirectUrl(options) {
   const appPublicUrl = String(options.appPublicUrl || "").trim();
 
@@ -34,13 +44,7 @@ function buildPasswordResetRedirectUrl(options) {
     throw new Error("APP_PUBLIC_URL is required to build password reset links.");
   }
 
-  const baseUrl = parseHttpUrl(appPublicUrl, "APP_PUBLIC_URL");
-  if (!baseUrl.pathname.endsWith("/")) {
-    baseUrl.pathname = `${baseUrl.pathname}/`;
-  }
-  baseUrl.search = "";
-  baseUrl.hash = "";
-  return new URL(PASSWORD_RESET_PATH, baseUrl).toString();
+  return new URL(PASSWORD_RESET_PATH, createAppBaseUrl(appPublicUrl)).toString();
 }
 
 function buildOtpLoginRedirectUrl(options) {
@@ -51,13 +55,7 @@ function buildOtpLoginRedirectUrl(options) {
     throw new Error("APP_PUBLIC_URL is required to build OTP login redirects.");
   }
 
-  const baseUrl = parseHttpUrl(appPublicUrl, "APP_PUBLIC_URL");
-  if (!baseUrl.pathname.endsWith("/")) {
-    baseUrl.pathname = `${baseUrl.pathname}/`;
-  }
-  baseUrl.search = "";
-  baseUrl.hash = "";
-  const redirectUrl = new URL(OAUTH_LOGIN_PATH, baseUrl);
+  const redirectUrl = new URL(OAUTH_LOGIN_PATH, createAppBaseUrl(appPublicUrl));
   if (returnTo) {
     redirectUrl.searchParams.set("returnTo", returnTo);
   }
@@ -91,14 +89,7 @@ function buildOAuthRedirectUrl(options) {
     throw new Error("OAuth callback path is required.");
   }
 
-  const baseUrl = parseHttpUrl(appPublicUrl, "APP_PUBLIC_URL");
-  if (!baseUrl.pathname.endsWith("/")) {
-    baseUrl.pathname = `${baseUrl.pathname}/`;
-  }
-  baseUrl.search = "";
-  baseUrl.hash = "";
-
-  const redirectUrl = new URL(callbackPath, baseUrl);
+  const redirectUrl = new URL(callbackPath, createAppBaseUrl(appPublicUrl));
   redirectUrl.searchParams.set(OAUTH_QUERY_PARAM_PROVIDER, provider);
   redirectUrl.searchParams.set(OAUTH_QUERY_PARAM_INTENT, intent);
   if (returnTo) {
@@ -125,6 +116,7 @@ function buildOAuthLinkRedirectUrl(options) {
 
 export {
   parseHttpUrl,
+  createAppBaseUrl,
   buildPasswordResetRedirectUrl,
   buildOtpLoginRedirectUrl,
   normalizeOAuthIntent,

package/src/server/lib/flowGuards.js

@@ -0,0 +1,58 @@
+function requireNoFieldErrors(parsed, validationError) {
+  if (typeof validationError !== "function") {
+    throw new TypeError("requireNoFieldErrors requires validationError.");
+  }
+
+  const fieldErrors =
+    parsed && typeof parsed === "object" && parsed.fieldErrors && typeof parsed.fieldErrors === "object"
+      ? parsed.fieldErrors
+      : {};
+  if (Object.keys(fieldErrors).length > 0) {
+    throw validationError(fieldErrors);
+  }
+}
+
+function requireAuthUserSession(response, mapError, status = 401) {
+  if (typeof mapError !== "function") {
+    throw new TypeError("requireAuthUserSession requires mapError.");
+  }
+
+  if (response?.error || !response?.data?.user || !response?.data?.session) {
+    throw mapError(response?.error, status);
+  }
+
+  return {
+    user: response.data.user,
+    session: response.data.session
+  };
+}
+
+function requireAuthUser(response, mapError, status = 400) {
+  if (typeof mapError !== "function") {
+    throw new TypeError("requireAuthUser requires mapError.");
+  }
+
+  if (response?.error || !response?.data?.user) {
+    throw mapError(response?.error, status);
+  }
+
+  return {
+    user: response.data.user
+  };
+}
+
+function requireAuthSession(response, mapError, status = 401) {
+  if (typeof mapError !== "function") {
+    throw new TypeError("requireAuthSession requires mapError.");
+  }
+
+  if (response?.error || !response?.data?.session) {
+    throw mapError(response?.error, status);
+  }
+
+  return {
+    session: response.data.session
+  };
+}
+
+export { requireNoFieldErrors, requireAuthUserSession, requireAuthUser, requireAuthSession };

package/src/server/lib/oauthProviderCatalog.js

@@ -25,7 +25,7 @@ const SUPABASE_OAUTH_PROVIDER_METADATA = Object.freeze({
   zoom: Object.freeze({ id: "zoom", label: "Zoom" })
 });
 
-const DEFAULT_SUPABASE_OAUTH_PROVIDER_IDS = Object.freeze(["google"]);
+const DEFAULT_SUPABASE_OAUTH_PROVIDER_IDS = Object.freeze([]);
 
 function normalizeProviderLabel(value, fallback) {
   const normalized = String(value || "").trim();

package/src/server/lib/passwordSecurityFlows.js

@@ -1,4 +1,10 @@
 import { AppError } from "@jskit-ai/kernel/server/runtime/errors";
+import {
+  requireAuthUser,
+  requireAuthSession,
+  requireAuthUserSession,
+  requireNoFieldErrors
+} from "./flowGuards.js";
 
 function createPasswordSecurityFlows(deps) {
   const {
@@ -33,9 +39,7 @@ function createPasswordSecurityFlows(deps) {
     ensureConfigured();
 
     const parsed = validators.forgotPasswordInput(payload);
-    if (Object.keys(parsed.fieldErrors).length > 0) {
-      throw validationError(parsed.fieldErrors);
-    }
+    requireNoFieldErrors(parsed, validationError);
 
     const supabase = getSupabaseClient();
     const options = { redirectTo: passwordResetRedirectUrl };
@@ -62,9 +66,7 @@ function createPasswordSecurityFlows(deps) {
     ensureConfigured();
 
     const parsed = validatePasswordRecoveryPayload(payload);
-    if (Object.keys(parsed.fieldErrors).length > 0) {
-      throw validationError(parsed.fieldErrors);
-    }
+    requireNoFieldErrors(parsed, validationError);
 
     const supabase = getSupabaseClient();
     let response;
@@ -91,16 +93,12 @@ function createPasswordSecurityFlows(deps) {
       throw mapRecoveryError(response.error);
     }
 
-    /* c8 ignore next 3 -- defensive against malformed SDK responses without explicit error payload. */
-    if (!response.data?.session || !response.data?.user) {
-      throw new AppError(401, "Recovery link is invalid or has expired.");
-    }
-
-    const profile = await syncProfileFromSupabaseUser(response.data.user, response.data.user.email);
+    const { user, session } = requireAuthUserSession(response, () => new AppError(401, "Recovery link is invalid or has expired."));
+    const profile = await syncProfileFromSupabaseUser(user, user.email);
 
     return {
       profile,
-      session: response.data.session
+      session
     };
   }
 
@@ -108,9 +106,7 @@ function createPasswordSecurityFlows(deps) {
     ensureConfigured();
 
     const parsed = validators.resetPasswordInput(payload);
-    if (Object.keys(parsed.fieldErrors).length > 0) {
-      throw validationError(parsed.fieldErrors);
-    }
+    requireNoFieldErrors(parsed, validationError);
 
     const supabase = getSupabaseClient();
     const sessionResponse = await setSessionFromRequestCookies(request, {
@@ -134,11 +130,9 @@ function createPasswordSecurityFlows(deps) {
       throw mapPasswordUpdateError(error);
     }
 
-    if (updateResponse.error || !updateResponse.data?.user) {
-      throw mapPasswordUpdateError(updateResponse.error);
-    }
+    const { user } = requireAuthUser(updateResponse, mapPasswordUpdateError);
 
-    const updatedProfile = await syncProfileFromSupabaseUser(updateResponse.data.user, updateResponse.data.user.email);
+    const updatedProfile = await syncProfileFromSupabaseUser(user, user.email);
     await setPasswordSetupRequiredForUserId(updatedProfile.id, false);
   }
 
@@ -170,9 +164,7 @@ function createPasswordSecurityFlows(deps) {
         throw mapCurrentPasswordError(error);
       }
 
-      if (verifyResponse.error || !verifyResponse.data?.session) {
-        throw mapCurrentPasswordError(verifyResponse.error);
-      }
+      requireAuthSession(verifyResponse, mapCurrentPasswordError);
     }
 
     let updateResponse;
@@ -184,11 +176,9 @@ function createPasswordSecurityFlows(deps) {
       throw mapPasswordUpdateError(error);
     }
 
-    if (updateResponse.error || !updateResponse.data?.user) {
-      throw mapPasswordUpdateError(updateResponse.error);
-    }
+    const { user } = requireAuthUser(updateResponse, mapPasswordUpdateError);
 
-    const profile = await syncProfileFromSupabaseUser(updateResponse.data.user, updateResponse.data.user.email);
+    const profile = await syncProfileFromSupabaseUser(user, user.email);
     await setPasswordSetupRequiredForUserId(profile.id, false);
 
     return {

package/src/server/lib/service.js

@@ -560,7 +560,7 @@ function createService(options) {
     };
   }
 
-  const { register, login, requestOtpLogin, verifyOtpLogin, updateDisplayName } = createAccountFlows({
+  const { register, resendRegisterConfirmation, login, requestOtpLogin, verifyOtpLogin, updateDisplayName } = createAccountFlows({
     ensureConfigured,
     validators,
     validationError,
@@ -797,6 +797,7 @@ function createService(options) {
 
   return {
     register,
+    resendRegisterConfirmation,
     login,
     requestOtpLogin,
     verifyOtpLogin,

package/src/server/providers/AuthSupabaseServiceProvider.js

@@ -20,6 +20,35 @@ function splitCsv(value) {
     .filter(Boolean);
 }
 
+function normalizeRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : {};
+}
+
+function normalizeOAuthProviderConfigList(value) {
+  if (Array.isArray(value)) {
+    return value
+      .map((entry) => String(entry || "").trim())
+      .filter(Boolean);
+  }
+
+  if (typeof value === "string") {
+    return splitCsv(value);
+  }
+
+  return [];
+}
+
+function resolveOAuthConfigFromAppConfig(appConfig) {
+  const source = normalizeRecord(appConfig);
+  const auth = normalizeRecord(source.auth);
+  const oauth = normalizeRecord(auth.oauth);
+
+  return {
+    oauthProviders: normalizeOAuthProviderConfigList(oauth.providers),
+    oauthDefaultProvider: String(oauth.defaultProvider || "").trim()
+  };
+}
+
 function resolveAllowedReturnToOrigins({ appConfig = {}, appPublicUrl = "" } = {}) {
   const surfaceDefinitions =
     appConfig && typeof appConfig === "object" && appConfig.surfaceDefinitions && typeof appConfig.surfaceDefinitions === "object"
@@ -31,8 +60,12 @@ function resolveAllowedReturnToOrigins({ appConfig = {}, appPublicUrl = "" } = {
   });
 }
 
-function resolveAuthProviderConfig(env) {
+function resolveAuthProviderConfig(env, appConfig = {}) {
   const source = env && typeof env === "object" ? env : {};
+  const oauthConfigFromApp = resolveOAuthConfigFromAppConfig(appConfig);
+  const oauthProvidersFromEnv = splitCsv(source.AUTH_OAUTH_PROVIDERS);
+  const oauthDefaultProviderFromEnv = String(source.AUTH_OAUTH_DEFAULT_PROVIDER || "").trim();
+
   return {
     id: "supabase",
     supabaseUrl: String(source.AUTH_SUPABASE_URL || source.SUPABASE_URL || "").trim(),
@@ -40,8 +73,9 @@ function resolveAuthProviderConfig(env) {
       source.AUTH_SUPABASE_PUBLISHABLE_KEY || source.SUPABASE_PUBLISHABLE_KEY || ""
     ).trim(),
     jwtAudience: String(source.AUTH_JWT_AUDIENCE || "authenticated").trim(),
-    oauthProviders: splitCsv(source.AUTH_OAUTH_PROVIDERS),
-    oauthDefaultProvider: String(source.AUTH_OAUTH_DEFAULT_PROVIDER || "").trim()
+    oauthProviders:
+      oauthProvidersFromEnv.length > 0 ? oauthProvidersFromEnv : oauthConfigFromApp.oauthProviders,
+    oauthDefaultProvider: oauthDefaultProviderFromEnv || oauthConfigFromApp.oauthDefaultProvider
   };
 }
 
@@ -138,7 +172,7 @@ class AuthSupabaseServiceProvider {
           ...envFromDependencies
         };
         const appConfig = scope.has("appConfig") ? scope.make("appConfig") : {};
-        const authProvider = resolveAuthProviderConfig(env);
+        const authProvider = resolveAuthProviderConfig(env, appConfig);
         const repositories = resolveOptionalRepositories(scope);
         const userSettingsRepository = repositories.userSettingsRepository || fallbackUserSettingsRepository;
         if (!authProvider.supabaseUrl || !authProvider.supabasePublishableKey) {

package/test/authErrorMappers.test.js

@@ -0,0 +1,29 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { mapAuthError } from "../src/server/lib/authErrorMappers.js";
+
+test("mapAuthError preserves rate-limit errors as 429 with actionable message", () => {
+  const mapped = mapAuthError(
+    {
+      status: 429,
+      message: "email rate limit exceeded"
+    },
+    400
+  );
+
+  assert.equal(mapped.status, 429);
+  assert.equal(mapped.message, "Too many authentication attempts. Please wait and try again.");
+});
+
+test("mapAuthError honors upstream status codes for unknown client errors", () => {
+  const mapped = mapAuthError(
+    {
+      status: 422,
+      message: "unexpected auth validation issue"
+    },
+    400
+  );
+
+  assert.equal(mapped.status, 422);
+  assert.equal(mapped.message, "Authentication request could not be processed.");
+});

package/test/authInputParsers.test.js

@@ -0,0 +1,40 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { parseOAuthCompletePayload } from "../src/server/lib/authInputParsers.js";
+
+test("parseOAuthCompletePayload accepts provider-less session pairs", () => {
+  const parsed = parseOAuthCompletePayload(
+    {
+      accessToken: "access-token",
+      refreshToken: "refresh-token"
+    },
+    {
+      providerIds: [],
+      defaultProvider: null
+    }
+  );
+
+  assert.equal(parsed.hasSessionPair, true);
+  assert.equal(parsed.provider, null);
+  assert.deepEqual(parsed.fieldErrors, {});
+});
+
+test("parseOAuthCompletePayload still requires OAuth provider for code exchanges", () => {
+  assert.throws(
+    () =>
+      parseOAuthCompletePayload(
+        {
+          code: "oauth-code"
+        },
+        {
+          providerIds: [],
+          defaultProvider: null
+        }
+      ),
+    (error) => {
+      assert.equal(error?.status, 400);
+      assert.equal(String(error?.details?.fieldErrors?.provider || "").length > 0, true);
+      return true;
+    }
+  );
+});

package/test/oauthProviderCatalog.test.js

@@ -0,0 +1,28 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import {
+  DEFAULT_SUPABASE_OAUTH_PROVIDER_IDS,
+  resolveSupabaseOAuthProviderCatalog
+} from "../src/server/lib/oauthProviderCatalog.js";
+
+test("oauth provider catalog defaults to no providers", () => {
+  assert.deepEqual(DEFAULT_SUPABASE_OAUTH_PROVIDER_IDS, []);
+
+  const catalog = resolveSupabaseOAuthProviderCatalog();
+  assert.deepEqual(catalog.providers, []);
+  assert.deepEqual(catalog.providerIds, []);
+  assert.equal(catalog.defaultProvider, null);
+});
+
+test("oauth provider catalog uses explicit provider configuration", () => {
+  const catalog = resolveSupabaseOAuthProviderCatalog({
+    oauthProviders: ["github", "google"],
+    oauthDefaultProvider: "google"
+  });
+
+  assert.deepEqual(
+    catalog.providers.map((provider) => provider.id),
+    ["github", "google"]
+  );
+  assert.equal(catalog.defaultProvider, "google");
+});

package/test/providerRuntime.test.js

@@ -69,6 +69,7 @@ test("auth supabase provider registers authService and contributes auth actions
   const definitions = actionExecutor.listDefinitions();
   assert.equal(Array.isArray(definitions), true);
   assert.equal(definitions.some((definition) => definition.id === "auth.login.password"), true);
+  assert.equal(definitions.some((definition) => definition.id === "auth.register.confirmation.resend"), true);
   const sessionRead = definitions.find((definition) => definition.id === "auth.session.read");
   assert.deepEqual(sessionRead?.surfaces, ["home", "console"]);
 });
@@ -154,3 +155,81 @@ test("auth supabase provider rejects unsupported AUTH_PROFILE_MODE values", asyn
 
   assert.throws(() => app.make("authService"), /Unsupported AUTH_PROFILE_MODE/);
 });
+
+test("auth supabase provider reads oauth providers from appConfig.auth.oauth", async () => {
+  const app = createApplication();
+  app.instance("appConfig", {
+    ...createAppConfigFixture(),
+    auth: {
+      oauth: {
+        providers: ["github"],
+        defaultProvider: "github"
+      }
+    }
+  });
+  app.instance(KERNEL_TOKENS.Env, {
+    AUTH_SUPABASE_URL: "https://example.supabase.co",
+    AUTH_SUPABASE_PUBLISHABLE_KEY: "sb_publishable_test_key",
+    AUTH_PROFILE_MODE: "standalone",
+    APP_PUBLIC_URL: "http://localhost:5173",
+    NODE_ENV: "test"
+  });
+  app.instance(KERNEL_TOKENS.Logger, {
+    info() {},
+    warn() {},
+    error() {},
+    debug() {}
+  });
+  app.instance("domainEvents", {
+    async publish() {}
+  });
+
+  await app.start({
+    providers: [ActionRuntimeServiceProvider, AuthSupabaseServiceProvider]
+  });
+
+  const authService = app.make("authService");
+  const catalog = authService.getOAuthProviderCatalog();
+  assert.deepEqual(catalog.providers.map((provider) => provider.id), ["github"]);
+  assert.equal(catalog.defaultProvider, "github");
+});
+
+test("auth supabase provider lets env oauth settings override appConfig.auth.oauth", async () => {
+  const app = createApplication();
+  app.instance("appConfig", {
+    ...createAppConfigFixture(),
+    auth: {
+      oauth: {
+        providers: ["github"],
+        defaultProvider: "github"
+      }
+    }
+  });
+  app.instance(KERNEL_TOKENS.Env, {
+    AUTH_SUPABASE_URL: "https://example.supabase.co",
+    AUTH_SUPABASE_PUBLISHABLE_KEY: "sb_publishable_test_key",
+    AUTH_OAUTH_PROVIDERS: "google",
+    AUTH_OAUTH_DEFAULT_PROVIDER: "google",
+    AUTH_PROFILE_MODE: "standalone",
+    APP_PUBLIC_URL: "http://localhost:5173",
+    NODE_ENV: "test"
+  });
+  app.instance(KERNEL_TOKENS.Logger, {
+    info() {},
+    warn() {},
+    error() {},
+    debug() {}
+  });
+  app.instance("domainEvents", {
+    async publish() {}
+  });
+
+  await app.start({
+    providers: [ActionRuntimeServiceProvider, AuthSupabaseServiceProvider]
+  });
+
+  const authService = app.make("authService");
+  const catalog = authService.getOAuthProviderCatalog();
+  assert.deepEqual(catalog.providers.map((provider) => provider.id), ["google"]);
+  assert.equal(catalog.defaultProvider, "google");
+});