@supabase/auth-js 2.80.1-canary.1 → 2.80.1-canary.2

package/src/lib/error-codes.ts

@@ -1,6 +1,6 @@
 /**
  * Known error codes. Note that the server may also return other error codes
- * not included in this list (if the client library is older than the version
+ * not included in this list (if the SDK is older than the version
  * on the server).
  */
 export type ErrorCode =

package/src/lib/helpers.ts

@@ -94,16 +94,10 @@ export function parseParametersFromURL(href: string) {
 type Fetch = typeof fetch
 
 export const resolveFetch = (customFetch?: Fetch): Fetch => {
-  let _fetch: Fetch
   if (customFetch) {
-    _fetch = customFetch
-  } else if (typeof fetch === 'undefined') {
-    _fetch = (...args) =>
-      import('@supabase/node-fetch' as any).then(({ default: fetch }) => fetch(...args))
-  } else {
-    _fetch = fetch
+    return (...args) => customFetch(...args)
   }
-  return (...args) => _fetch(...args)
+  return (...args) => fetch(...args)
 }
 
 export const looksLikeFetchResponse = (maybeResponse: unknown): maybeResponse is Response => {
@@ -407,6 +401,50 @@ export function userNotAvailableProxy(): User {
   })
 }
 
+/**
+ * Creates a proxy around a user object that warns when properties are accessed on the server.
+ * This is used to alert developers that using user data from getSession() on the server is insecure.
+ *
+ * @param user The actual user object to wrap
+ * @param suppressWarningRef An object with a 'value' property that controls warning suppression
+ * @returns A proxied user object that warns on property access
+ */
+export function insecureUserWarningProxy(user: User, suppressWarningRef: { value: boolean }): User {
+  return new Proxy(user, {
+    get: (target: any, prop: string | symbol, receiver: any) => {
+      // Allow internal checks without warning
+      if (prop === '__isInsecureUserWarningProxy') {
+        return true
+      }
+
+      // Preventative check for common problematic symbols during cloning/inspection
+      // These symbols might be accessed by structuredClone or other internal mechanisms
+      if (typeof prop === 'symbol') {
+        const sProp = prop.toString()
+        if (
+          sProp === 'Symbol(Symbol.toPrimitive)' ||
+          sProp === 'Symbol(Symbol.toStringTag)' ||
+          sProp === 'Symbol(util.inspect.custom)' ||
+          sProp === 'Symbol(nodejs.util.inspect.custom)'
+        ) {
+          // Return the actual value for these symbols to allow proper inspection
+          return Reflect.get(target, prop, receiver)
+        }
+      }
+
+      // Emit warning on first property access
+      if (!suppressWarningRef.value && typeof prop === 'string') {
+        console.warn(
+          'Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead which authenticates the data by contacting the Supabase Auth server.'
+        )
+        suppressWarningRef.value = true
+      }
+
+      return Reflect.get(target, prop, receiver)
+    },
+  })
+}
+
 /**
  * Deep clones a JSON-serializable object using JSON.parse(JSON.stringify(obj)).
  * Note: Only works for JSON-safe data.

package/src/lib/types.ts

@@ -107,6 +107,11 @@ export type GoTrueClientOptions = {
    * @experimental
    */
   hasCustomAuthorizationHeader?: boolean
+  /**
+   * If there is an error with the query, throwOnError will reject the promise by
+   * throwing the error instead of returning it as part of a successful response.
+   */
+  throwOnError?: boolean
 }
 
 const WeakPasswordReasons = ['length', 'characters', 'pwned'] as const
@@ -346,7 +351,14 @@ export type Factor<
 }
 
 export interface UserAppMetadata {
+  /**
+   * The first provider that the user used to sign up with.
+   */
   provider?: string
+  /**
+   * A list of all providers that the user has linked to their account.
+   */
+  providers?: string[]
   [key: string]: any
 }
 
@@ -1434,7 +1446,31 @@ export type RequiredClaims = {
   session_id: string
 }
 
-export type JwtPayload = RequiredClaims & {
+/**
+ * JWT Payload containing claims for Supabase authentication tokens.
+ *
+ * Required claims (iss, aud, exp, iat, sub, role, aal, session_id) are inherited from RequiredClaims.
+ * All other claims are optional as they can be customized via Custom Access Token Hooks.
+ *
+ * @see https://supabase.com/docs/guides/auth/jwt-fields
+ */
+export interface JwtPayload extends RequiredClaims {
+  // Standard optional claims (can be customized via custom access token hooks)
+  email?: string
+  phone?: string
+  is_anonymous?: boolean
+
+  // Optional claims
+  jti?: string
+  nbf?: number
+  app_metadata?: UserAppMetadata
+  user_metadata?: UserMetadata
+  amr?: AMREntry[]
+
+  // Special claims (only in anon/service role tokens)
+  ref?: string
+
+  // Allow custom claims via custom access token hooks
   [key: string]: any
 }
 
@@ -1448,3 +1484,273 @@ export interface JWK {
 
 export const SIGN_OUT_SCOPES = ['global', 'local', 'others'] as const
 export type SignOutScope = (typeof SIGN_OUT_SCOPES)[number]
+
+/**
+ * OAuth client grant types supported by the OAuth 2.1 server.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientGrantType = 'authorization_code' | 'refresh_token'
+
+/**
+ * OAuth client response types supported by the OAuth 2.1 server.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientResponseType = 'code'
+
+/**
+ * OAuth client type indicating whether the client can keep credentials confidential.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientType = 'public' | 'confidential'
+
+/**
+ * OAuth client registration type.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientRegistrationType = 'dynamic' | 'manual'
+
+/**
+ * OAuth client object returned from the OAuth 2.1 server.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClient = {
+  /** Unique identifier for the OAuth client */
+  client_id: string
+  /** Human-readable name of the OAuth client */
+  client_name: string
+  /** Client secret (only returned on registration and regeneration) */
+  client_secret?: string
+  /** Type of OAuth client */
+  client_type: OAuthClientType
+  /** Token endpoint authentication method */
+  token_endpoint_auth_method: string
+  /** Registration type of the client */
+  registration_type: OAuthClientRegistrationType
+  /** URI of the OAuth client */
+  client_uri?: string
+  /** URI of the OAuth client's logo */
+  logo_uri?: string
+  /** Array of allowed redirect URIs */
+  redirect_uris: string[]
+  /** Array of allowed grant types */
+  grant_types: OAuthClientGrantType[]
+  /** Array of allowed response types */
+  response_types: OAuthClientResponseType[]
+  /** Scope of the OAuth client */
+  scope?: string
+  /** Timestamp when the client was created */
+  created_at: string
+  /** Timestamp when the client was last updated */
+  updated_at: string
+}
+
+/**
+ * Parameters for creating a new OAuth client.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type CreateOAuthClientParams = {
+  /** Human-readable name of the OAuth client */
+  client_name: string
+  /** URI of the OAuth client */
+  client_uri?: string
+  /** Array of allowed redirect URIs */
+  redirect_uris: string[]
+  /** Array of allowed grant types (optional, defaults to authorization_code and refresh_token) */
+  grant_types?: OAuthClientGrantType[]
+  /** Array of allowed response types (optional, defaults to code) */
+  response_types?: OAuthClientResponseType[]
+  /** Scope of the OAuth client */
+  scope?: string
+}
+
+/**
+ * Parameters for updating an existing OAuth client.
+ * All fields are optional. Only provided fields will be updated.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type UpdateOAuthClientParams = {
+  /** Human-readable name of the OAuth client */
+  client_name?: string
+  /** URI of the OAuth client */
+  client_uri?: string
+  /** URI of the OAuth client's logo */
+  logo_uri?: string
+  /** Array of allowed redirect URIs */
+  redirect_uris?: string[]
+  /** Array of allowed grant types */
+  grant_types?: OAuthClientGrantType[]
+}
+
+/**
+ * Response type for OAuth client operations.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientResponse = RequestResult<OAuthClient>
+
+/**
+ * Response type for listing OAuth clients.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientListResponse =
+  | {
+      data: { clients: OAuthClient[]; aud: string } & Pagination
+      error: null
+    }
+  | {
+      data: { clients: [] }
+      error: AuthError
+    }
+
+/**
+ * Contains all OAuth client administration methods.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export interface GoTrueAdminOAuthApi {
+  /**
+   * Lists all OAuth clients with optional pagination.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  listClients(params?: PageParams): Promise<OAuthClientListResponse>
+
+  /**
+   * Creates a new OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  createClient(params: CreateOAuthClientParams): Promise<OAuthClientResponse>
+
+  /**
+   * Gets details of a specific OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  getClient(clientId: string): Promise<OAuthClientResponse>
+
+  /**
+   * Updates an existing OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  updateClient(clientId: string, params: UpdateOAuthClientParams): Promise<OAuthClientResponse>
+
+  /**
+   * Deletes an OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  deleteClient(clientId: string): Promise<{ data: null; error: AuthError | null }>
+
+  /**
+   * Regenerates the secret for an OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  regenerateClientSecret(clientId: string): Promise<OAuthClientResponse>
+}
+
+/**
+ * OAuth client details in an authorization request.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthAuthorizationClient = {
+  /** Unique identifier for the OAuth client (UUID) */
+  client_id: string
+  /** Human-readable name of the OAuth client */
+  client_name: string
+  /** URI of the OAuth client's website */
+  client_uri: string
+  /** URI of the OAuth client's logo */
+  logo_uri: string
+}
+
+/**
+ * OAuth authorization details for the consent flow.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthAuthorizationDetails = {
+  /** The authorization ID */
+  authorization_id: string
+  /** Redirect URI - present if user already consented (can be used to trigger immediate redirect) */
+  redirect_uri?: string
+  /** OAuth client requesting authorization */
+  client: OAuthAuthorizationClient
+  /** User object associated with the authorization */
+  user: {
+    /** User ID (UUID) */
+    id: string
+    /** User email */
+    email: string
+  }
+  /** Space-separated list of requested scopes */
+  scope: string
+}
+
+/**
+ * Response type for getting OAuth authorization details.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type AuthOAuthAuthorizationDetailsResponse = RequestResult<OAuthAuthorizationDetails>
+
+/**
+ * Response type for OAuth consent decision (approve/deny).
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type AuthOAuthConsentResponse = RequestResult<{
+  /** URL to redirect the user back to the OAuth client */
+  redirect_url: string
+}>
+
+/**
+ * Contains all OAuth 2.1 authorization server user-facing methods.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ *
+ * These methods are used to implement the consent page.
+ */
+export interface AuthOAuthServerApi {
+  /**
+   * Retrieves details about an OAuth authorization request.
+   * Used to display consent information to the user.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This method returns authorization details including client info, scopes, and user information.
+   * If the response includes a redirect_uri, it means consent was already given - the caller
+   * should handle the redirect manually if needed.
+   *
+   * @param authorizationId - The authorization ID from the authorization request
+   * @returns Authorization details including client info and requested scopes
+   */
+  getAuthorizationDetails(authorizationId: string): Promise<AuthOAuthAuthorizationDetailsResponse>
+
+  /**
+   * Approves an OAuth authorization request.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * @param authorizationId - The authorization ID to approve
+   * @param options - Optional parameters including skipBrowserRedirect
+   * @returns Redirect URL to send the user back to the OAuth client
+   */
+  approveAuthorization(
+    authorizationId: string,
+    options?: { skipBrowserRedirect?: boolean }
+  ): Promise<AuthOAuthConsentResponse>
+
+  /**
+   * Denies an OAuth authorization request.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * @param authorizationId - The authorization ID to deny
+   * @param options - Optional parameters including skipBrowserRedirect
+   * @returns Redirect URL to send the user back to the OAuth client
+   */
+  denyAuthorization(
+    authorizationId: string,
+    options?: { skipBrowserRedirect?: boolean }
+  ): Promise<AuthOAuthConsentResponse>
+}

package/src/lib/version.ts

@@ -4,4 +4,4 @@
 // - Debugging and support (identifying which version is running)
 // - Telemetry and logging (version reporting in errors/analytics)
 // - Ensuring build artifacts match the published package version
-export const version = '2.80.1-canary.1'
+export const version = '2.80.1-canary.2'

package/src/lib/webauthn.ts

@@ -763,10 +763,10 @@ export class WebAuthnApi {
         rpId = typeof window !== 'undefined' ? window.location.hostname : undefined,
         rpOrigins = typeof window !== 'undefined' ? [window.location.origin] : undefined,
         signal,
-      },
+      } = {},
     }: {
       factorId: string
-      webauthn: {
+      webauthn?: {
         rpId?: string
         rpOrigins?: string[]
         signal?: AbortSignal
@@ -844,14 +844,18 @@ export class WebAuthnApi {
   public async _register(
     {
       friendlyName,
-      rpId = typeof window !== 'undefined' ? window.location.hostname : undefined,
-      rpOrigins = typeof window !== 'undefined' ? [window.location.origin] : undefined,
-      signal,
+      webauthn: {
+        rpId = typeof window !== 'undefined' ? window.location.hostname : undefined,
+        rpOrigins = typeof window !== 'undefined' ? [window.location.origin] : undefined,
+        signal,
+      } = {},
     }: {
       friendlyName: string
-      rpId?: string
-      rpOrigins?: string[]
-      signal?: AbortSignal
+      webauthn?: {
+        rpId?: string
+        rpOrigins?: string[]
+        signal?: AbortSignal
+      }
     },
     overrides?: Partial<PublicKeyCredentialCreationOptionsFuture>
   ): Promise<RequestResult<AuthMFAVerifyResponseData, WebAuthnError | AuthError>> {