@supabase/auth-js 2.77.0 → 2.77.1-canary.1

package/src/GoTrueClient.ts

@@ -38,6 +38,7 @@ import {
   getAlgorithm,
   getCodeChallengeAndMethod,
   getItemAsync,
+  insecureUserWarningProxy,
   isBrowser,
   parseParametersFromURL,
   removeItemAsync,
@@ -105,6 +106,9 @@ import type {
   MFAVerifyWebauthnParamFields,
   MFAVerifyWebauthnParams,
   OAuthResponse,
+  AuthOAuthServerApi,
+  AuthOAuthAuthorizationDetailsResponse,
+  AuthOAuthConsentResponse,
   Prettify,
   Provider,
   ResendParams,
@@ -196,6 +200,12 @@ export default class GoTrueClient {
    * Namespace for the MFA methods.
    */
   mfa: GoTrueMFAApi
+  /**
+   * Namespace for the OAuth 2.1 authorization server methods.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   * Used to implement the authorization code flow on the consent page.
+   */
+  oauth: AuthOAuthServerApi
   /**
    * The storage key used to identify the values saved in localStorage
    */
@@ -322,6 +332,12 @@ export default class GoTrueClient {
       webauthn: new WebAuthnApi(this),
     }
 
+    this.oauth = {
+      getAuthorizationDetails: this._getAuthorizationDetails.bind(this),
+      approveAuthorization: this._approveAuthorization.bind(this),
+      denyAuthorization: this._denyAuthorization.bind(this),
+    }
+
     if (this.persistSession) {
       if (settings.storage) {
         this.storage = settings.storage
@@ -1585,22 +1601,20 @@ export default class GoTrueClient {
           }
         }
 
-        if (this.storage.isServer && currentSession.user) {
-          let suppressWarning = this.suppressGetSessionWarning
-          const proxySession: Session = new Proxy(currentSession, {
-            get: (target: any, prop: string, receiver: any) => {
-              if (!suppressWarning && prop === 'user') {
-                // only show warning when the user object is being accessed from the server
-                console.warn(
-                  'Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.'
-                )
-                suppressWarning = true // keeps this proxy instance from logging additional warnings
-                this.suppressGetSessionWarning = true // keeps this client's future proxy instances from warning
-              }
-              return Reflect.get(target, prop, receiver)
-            },
-          })
-          currentSession = proxySession
+        // Wrap the user object with a warning proxy on the server
+        // This warns when properties of the user are accessed, not when session.user itself is accessed
+        if (
+          this.storage.isServer &&
+          currentSession.user &&
+          !(currentSession.user as any).__isUserNotAvailableProxy
+        ) {
+          const suppressWarningRef = { value: this.suppressGetSessionWarning }
+          currentSession.user = insecureUserWarningProxy(currentSession.user, suppressWarningRef)
+
+          // Update the client-level suppression flag when the proxy suppresses the warning
+          if (suppressWarningRef.value) {
+            this.suppressGetSessionWarning = true
+          }
         }
 
         return { data: { session: currentSession }, error: null }
@@ -3344,6 +3358,158 @@ export default class GoTrueClient {
     })
   }
 
+  /**
+   * Retrieves details about an OAuth authorization request.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * Returns authorization details including client info, scopes, and user information.
+   * If the API returns a redirect_uri, it means consent was already given - the caller
+   * should handle the redirect manually if needed.
+   */
+  private async _getAuthorizationDetails(
+    authorizationId: string
+  ): Promise<AuthOAuthAuthorizationDetailsResponse> {
+    try {
+      return await this._useSession(async (result) => {
+        const {
+          data: { session },
+          error: sessionError,
+        } = result
+
+        if (sessionError) {
+          return { data: null, error: sessionError }
+        }
+
+        if (!session) {
+          return { data: null, error: new AuthSessionMissingError() }
+        }
+
+        return await _request(
+          this.fetch,
+          'GET',
+          `${this.url}/oauth/authorizations/${authorizationId}`,
+          {
+            headers: this.headers,
+            jwt: session.access_token,
+            xform: (data: any) => ({ data, error: null }),
+          }
+        )
+      })
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+
+      throw error
+    }
+  }
+
+  /**
+   * Approves an OAuth authorization request.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   */
+  private async _approveAuthorization(
+    authorizationId: string,
+    options?: { skipBrowserRedirect?: boolean }
+  ): Promise<AuthOAuthConsentResponse> {
+    try {
+      return await this._useSession(async (result) => {
+        const {
+          data: { session },
+          error: sessionError,
+        } = result
+
+        if (sessionError) {
+          return { data: null, error: sessionError }
+        }
+
+        if (!session) {
+          return { data: null, error: new AuthSessionMissingError() }
+        }
+
+        const response = await _request(
+          this.fetch,
+          'POST',
+          `${this.url}/oauth/authorizations/${authorizationId}/consent`,
+          {
+            headers: this.headers,
+            jwt: session.access_token,
+            body: { action: 'approve' },
+            xform: (data: any) => ({ data, error: null }),
+          }
+        )
+
+        if (response.data && response.data.redirect_url) {
+          // Automatically redirect in browser unless skipBrowserRedirect is true
+          if (isBrowser() && !options?.skipBrowserRedirect) {
+            window.location.assign(response.data.redirect_url)
+          }
+        }
+
+        return response
+      })
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+
+      throw error
+    }
+  }
+
+  /**
+   * Denies an OAuth authorization request.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   */
+  private async _denyAuthorization(
+    authorizationId: string,
+    options?: { skipBrowserRedirect?: boolean }
+  ): Promise<AuthOAuthConsentResponse> {
+    try {
+      return await this._useSession(async (result) => {
+        const {
+          data: { session },
+          error: sessionError,
+        } = result
+
+        if (sessionError) {
+          return { data: null, error: sessionError }
+        }
+
+        if (!session) {
+          return { data: null, error: new AuthSessionMissingError() }
+        }
+
+        const response = await _request(
+          this.fetch,
+          'POST',
+          `${this.url}/oauth/authorizations/${authorizationId}/consent`,
+          {
+            headers: this.headers,
+            jwt: session.access_token,
+            body: { action: 'deny' },
+            xform: (data: any) => ({ data, error: null }),
+          }
+        )
+
+        if (response.data && response.data.redirect_url) {
+          // Automatically redirect in browser unless skipBrowserRedirect is true
+          if (isBrowser() && !options?.skipBrowserRedirect) {
+            window.location.assign(response.data.redirect_url)
+          }
+        }
+
+        return response
+      })
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+
+      throw error
+    }
+  }
+
   private async fetchJwk(kid: string, jwks: { keys: JWK[] } = { keys: [] }): Promise<JWK | null> {
     // try fetching from the supplied jwks
     let jwk = jwks.keys.find((key) => key.kid === kid)

package/src/lib/helpers.ts

@@ -407,6 +407,50 @@ export function userNotAvailableProxy(): User {
   })
 }
 
+/**
+ * Creates a proxy around a user object that warns when properties are accessed on the server.
+ * This is used to alert developers that using user data from getSession() on the server is insecure.
+ *
+ * @param user The actual user object to wrap
+ * @param suppressWarningRef An object with a 'value' property that controls warning suppression
+ * @returns A proxied user object that warns on property access
+ */
+export function insecureUserWarningProxy(user: User, suppressWarningRef: { value: boolean }): User {
+  return new Proxy(user, {
+    get: (target: any, prop: string | symbol, receiver: any) => {
+      // Allow internal checks without warning
+      if (prop === '__isInsecureUserWarningProxy') {
+        return true
+      }
+
+      // Preventative check for common problematic symbols during cloning/inspection
+      // These symbols might be accessed by structuredClone or other internal mechanisms
+      if (typeof prop === 'symbol') {
+        const sProp = prop.toString()
+        if (
+          sProp === 'Symbol(Symbol.toPrimitive)' ||
+          sProp === 'Symbol(Symbol.toStringTag)' ||
+          sProp === 'Symbol(util.inspect.custom)' ||
+          sProp === 'Symbol(nodejs.util.inspect.custom)'
+        ) {
+          // Return the actual value for these symbols to allow proper inspection
+          return Reflect.get(target, prop, receiver)
+        }
+      }
+
+      // Emit warning on first property access
+      if (!suppressWarningRef.value && typeof prop === 'string') {
+        console.warn(
+          'Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.'
+        )
+        suppressWarningRef.value = true
+      }
+
+      return Reflect.get(target, prop, receiver)
+    },
+  })
+}
+
 /**
  * Deep clones a JSON-serializable object using JSON.parse(JSON.stringify(obj)).
  * Note: Only works for JSON-safe data.

package/src/lib/types.ts

@@ -1492,6 +1492,8 @@ export type OAuthClient = {
   registration_type: OAuthClientRegistrationType
   /** URI of the OAuth client */
   client_uri?: string
+  /** URI of the OAuth client's logo */
+  logo_uri?: string
   /** Array of allowed redirect URIs */
   redirect_uris: string[]
   /** Array of allowed grant types */
@@ -1525,6 +1527,24 @@ export type CreateOAuthClientParams = {
   scope?: string
 }
 
+/**
+ * Parameters for updating an existing OAuth client.
+ * All fields are optional. Only provided fields will be updated.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type UpdateOAuthClientParams = {
+  /** Human-readable name of the OAuth client */
+  client_name?: string
+  /** URI of the OAuth client */
+  client_uri?: string
+  /** URI of the OAuth client's logo */
+  logo_uri?: string
+  /** Array of allowed redirect URIs */
+  redirect_uris?: string[]
+  /** Array of allowed grant types */
+  grant_types?: OAuthClientGrantType[]
+}
+
 /**
  * Response type for OAuth client operations.
  * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
@@ -1574,6 +1594,14 @@ export interface GoTrueAdminOAuthApi {
    */
   getClient(clientId: string): Promise<OAuthClientResponse>
 
+  /**
+   * Updates an existing OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  updateClient(clientId: string, params: UpdateOAuthClientParams): Promise<OAuthClientResponse>
+
   /**
    * Deletes an OAuth client.
    * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
@@ -1590,3 +1618,103 @@ export interface GoTrueAdminOAuthApi {
    */
   regenerateClientSecret(clientId: string): Promise<OAuthClientResponse>
 }
+
+/**
+ * OAuth client details in an authorization request.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthAuthorizationClient = {
+  /** Unique identifier for the OAuth client (UUID) */
+  client_id: string
+  /** Human-readable name of the OAuth client */
+  client_name: string
+  /** URI of the OAuth client's website */
+  client_uri: string
+  /** URI of the OAuth client's logo */
+  logo_uri: string
+}
+
+/**
+ * OAuth authorization details for the consent flow.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthAuthorizationDetails = {
+  /** The authorization ID */
+  authorization_id: string
+  /** Redirect URI - present if user already consented (can be used to trigger immediate redirect) */
+  redirect_uri?: string
+  /** OAuth client requesting authorization */
+  client: OAuthAuthorizationClient
+  /** User object associated with the authorization */
+  user: {
+    /** User ID (UUID) */
+    id: string
+    /** User email */
+    email: string
+  }
+  /** Space-separated list of requested scopes */
+  scope: string
+}
+
+/**
+ * Response type for getting OAuth authorization details.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type AuthOAuthAuthorizationDetailsResponse = RequestResult<OAuthAuthorizationDetails>
+
+/**
+ * Response type for OAuth consent decision (approve/deny).
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type AuthOAuthConsentResponse = RequestResult<{
+  /** URL to redirect the user back to the OAuth client */
+  redirect_url: string
+}>
+
+/**
+ * Contains all OAuth 2.1 authorization server user-facing methods.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ *
+ * These methods are used to implement the consent page.
+ */
+export interface AuthOAuthServerApi {
+  /**
+   * Retrieves details about an OAuth authorization request.
+   * Used to display consent information to the user.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This method returns authorization details including client info, scopes, and user information.
+   * If the response includes a redirect_uri, it means consent was already given - the caller
+   * should handle the redirect manually if needed.
+   *
+   * @param authorizationId - The authorization ID from the authorization request
+   * @returns Authorization details including client info and requested scopes
+   */
+  getAuthorizationDetails(authorizationId: string): Promise<AuthOAuthAuthorizationDetailsResponse>
+
+  /**
+   * Approves an OAuth authorization request.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * @param authorizationId - The authorization ID to approve
+   * @param options - Optional parameters including skipBrowserRedirect
+   * @returns Redirect URL to send the user back to the OAuth client
+   */
+  approveAuthorization(
+    authorizationId: string,
+    options?: { skipBrowserRedirect?: boolean }
+  ): Promise<AuthOAuthConsentResponse>
+
+  /**
+   * Denies an OAuth authorization request.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * @param authorizationId - The authorization ID to deny
+   * @param options - Optional parameters including skipBrowserRedirect
+   * @returns Redirect URL to send the user back to the OAuth client
+   */
+  denyAuthorization(
+    authorizationId: string,
+    options?: { skipBrowserRedirect?: boolean }
+  ): Promise<AuthOAuthConsentResponse>
+}

package/src/lib/version.ts

@@ -4,4 +4,4 @@
 // - Debugging and support (identifying which version is running)
 // - Telemetry and logging (version reporting in errors/analytics)
 // - Ensuring build artifacts match the published package version
-export const version = '2.77.0'
+export const version = '2.77.1-canary.1'