
feat: replace JWT OAuth state with flow_state.id UUID #2331

Merged
fadymak merged 3 commits into master from fm/auth-969-state-param on Jan 16, 2026

Conversation


@fadymak fadymak commented Jan 15, 2026

  • Migrate OAuth state parameter from JWT to UUID (flow_state.id)
  • Add OAuth context fields to flow_state table (invite_token, referrer, oauth_client_state_id, linking_target_id, email_optional)
  • Make PKCE fields nullable to support implicit flow
  • Always create flow_state record for all OAuth flows, not just PKCE
  • Add IsPKCE() method to distinguish PKCE vs implicit flows
  • Backward compatible: callback still accepts legacy JWT state format
  • Update all external provider tests to verify UUID state format

In a follow-up release, the legacy JWT state support will be removed, ensuring there are no breaking changes.

Closes AUTH-981
Closes AUTH-969

@fadymak fadymak requested a review from a team as a code owner January 15, 2026 08:02
@fadymak fadymak force-pushed the fm/auth-969-state-param branch from e93a0e6 to 13d0d1f on January 15, 2026 08:05

coveralls commented Jan 15, 2026

Pull Request Test Coverage Report for Build 21059992921

Details

  • 116 of 152 (76.32%) changed or added relevant lines in 6 files are covered.
  • 16 unchanged lines in 5 files lost coverage.
  • Overall coverage decreased (-0.05%) to 68.512%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| internal/api/pkce.go | 10 | 12 | 83.33% |
| internal/api/sso.go | 11 | 14 | 78.57% |
| internal/models/flow_state.go | 30 | 34 | 88.24% |
| internal/api/samlacs.go | 0 | 5 | 0.0% |
| internal/api/external.go | 56 | 78 | 71.79% |

| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| internal/api/pkce.go | 1 | 79.71% |
| internal/api/sso.go | 1 | 70.18% |
| internal/tokens/service.go | 2 | 80.91% |
| internal/api/context.go | 4 | 77.71% |
| internal/api/external.go | 8 | 74.29% |

| Totals | Coverage Status |
|---|---|
| Change from base Build 20948007489: | -0.05% |
| Covered Lines: | 14724 |
| Relevant Lines: | 21491 |

💛 - Coveralls


@hf hf left a comment


I wonder if it makes sense to proactively delete from the flow_state table when an OAuth flow is being started. Want to avoid the problems with a giant table that does not get cleaned up under a DOS-like scenario.
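An added Go example (hypothetical, not the project's own code) covering the PR description above and the comment just above it: the callback classifies the incoming state as a flow_state UUID or a legacy JWT, nullable PKCE fields sit behind an IsPKCE() method, and the lookup evicts stale flow_state rows on touch so the table cannot grow without bound. The FlowState struct, the in-memory map used as the store, and the expiry window are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"regexp"
	"strings"
	"time"
)

var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`)

// ClassifyState picks the callback path for the state parameter: "uuid" is resolved
// against flow_state, "jwt" takes the legacy path kept only for the transition,
// and anything else is rejected before any lookup or signature check happens.
func ClassifyState(state string) (string, error) {
	if uuidRe.MatchString(strings.ToLower(state)) {
		return "uuid", nil
	}
	if parts := strings.Split(state, "."); len(parts) == 3 {
		var hdr struct{ Alg string `json:"alg"` }
		raw, err := base64.RawURLEncoding.DecodeString(parts[0])
		if err == nil && json.Unmarshal(raw, &hdr) == nil && hdr.Alg != "" {
			return "jwt", nil
		}
	}
	return "", errors.New("state is neither a flow_state UUID nor a legacy JWT")
}

// FlowState is a hypothetical stand-in for a flow_state row (not the project's
// model): nil PKCE fields mean an implicit flow, which is why they are nullable.
type FlowState struct {
	ID                                 string
	CodeChallenge, CodeChallengeMethod *string
	CreatedAt                          time.Time
}

// IsPKCE distinguishes PKCE flows (challenge stored) from implicit ones.
func (f *FlowState) IsPKCE() bool { return f.CodeChallenge != nil && f.CodeChallengeMethod != nil }

// LookupFlowState resolves a UUID state and evicts rows older than maxAge, so
// abandoned or flood-created flows do not pile up in the store indefinitely.
func LookupFlowState(store map[string]*FlowState, id string, now time.Time, maxAge time.Duration) (*FlowState, error) {
	fs, ok := store[id]
	if !ok || now.Sub(fs.CreatedAt) > maxAge {
		delete(store, id) // stale rows are dropped when touched rather than left behind
		return nil, errors.New("flow_state missing or expired")
	}
	return fs, nil
}
```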

@fadymak fadymak merged commit 645654d into master Jan 16, 2026
9 checks passed
@fadymak fadymak deleted the fm/auth-969-state-param branch January 16, 2026 08:49
cstockton pushed a commit that referenced this pull request Jan 28, 2026
🤖 I have created a release *beep* *boop*
---

## [2.186.0](v2.185.0...v2.186.0) (2026-01-28)
### Features

* Add email send operation metrics ([#2311](#2311)) ([0096575](0096575))
* add Supabase Auth identifier to OAuth redirect URLs ([#2299](#2299)) ([2d3dbc6](2d3dbc6))
* log sb-auth-user-id, sb-auth-session-id, ... on sign in not just refresh token ([#2342](#2342)) ([a486ada](a486ada))
* **oauth-server:** store and enforce token_endpoint_auth_method ([#2300](#2300)) ([bcd6cd5](bcd6cd5))
* replace JWT OAuth state with `flow_state.id` UUID ([#2331](#2331)) ([645654d](645654d))
* upgrade existing sessions to v2 refresh tokens through config value ([#2356](#2356)) ([6fb0e8a](6fb0e8a))


### Bug Fixes

* reloader unittest races on writeWg ([#2352](#2352)) ([088b714](088b714))
* update migration version ([#2343](#2343)) ([61ef4db](61ef4db))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>