Skip to content

feat(auth): allow custom predicate for detectSessionInUrl option#1958

Merged
mandarini merged 2 commits intomasterfrom
feat/auth-detect-session-url-predicate
Dec 16, 2025
Merged

feat(auth): allow custom predicate for detectSessionInUrl option#1958
mandarini merged 2 commits intomasterfrom
feat/auth-detect-session-url-predicate

Conversation

@mandarini
Copy link
Contributor

@mandarini mandarini commented Dec 16, 2025
edited
Loading

Summary

  • Extends detectSessionInUrl option to accept a custom predicate function
  • Allows users to exclude specific URLs from Supabase's implicit grant detection
  • Fixes issue where non-Supabase OAuth flows (e.g., Facebook Login) were incorrectly intercepted

Problem

When users have other OAuth providers that return access_token in the URL fragment (like Facebook Login for connecting Instagram accounts), Supabase Auth intercepts these tokens and attempts to process them, causing unintended session logouts.

Solution

The detectSessionInUrl option now accepts either:

  • boolean - existing behavior (default: true)
  • function(url: URL, params: object) => boolean - custom predicate

Example usage:

  const supabase = createClient(url, key, {
    auth: {
      detectSessionInUrl: (url, params) => {
        // Ignore Facebook OAuth redirects
        if (url.pathname === '/facebook/redirect') return false
        // Default behavior for Supabase callbacks
        return Boolean(params.access_token || params.error_description)
      }
    }
  })

Related:

@mandarini mandarini requested review from a team as code owners December 16, 2025 11:54
@mandarini mandarini self-assigned this Dec 16, 2025
@github-actions github-actions bot added the auth-js Related to the auth-js library. label Dec 16, 2025
@mandarini mandarini force-pushed the feat/auth-detect-session-url-predicate branch from da6326c to 7cbe212 Compare December 16, 2025 11:57
hf
hf previously approved these changes Dec 16, 2025
View reviewed changes
@coveralls
Copy link

coveralls commented Dec 16, 2025
edited
Loading

Coverage Status

coverage: 95.367% (+14.1%) from 81.237%
when pulling f0264ec on feat/auth-detect-session-url-predicate
into 02c3224 on master.

@mandarini mandarini requested a review from hf December 16, 2025 12:26
@mandarini mandarini mentioned this pull request Dec 16, 2025
Draft
@mandarini mandarini enabled auto-merge (squash) December 16, 2025 12:39
@mandarini mandarini merged commit f346169 into master Dec 16, 2025
25 checks passed
@mandarini mandarini deleted the feat/auth-detect-session-url-predicate branch December 16, 2025 12:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hf hf hf approved these changes

@grdsdev grdsdev grdsdev approved these changes

Assignees

@mandarini mandarini

Labels

auth-js Related to the auth-js library.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mandarini @coveralls @hf @grdsdev