Skip to content

feat(auth): add skipAutoInitialize option to prevent constructor auto-init#2123

Merged
mandarini merged 1 commit intomasterfrom
feat/auth-skipAutoInitialize
Feb 18, 2026
Merged

feat(auth): add skipAutoInitialize option to prevent constructor auto-init#2123
mandarini merged 1 commit intomasterfrom
feat/auth-skipAutoInitialize

Conversation

@mandarini
Copy link
Contributor

@mandarini mandarini commented Feb 18, 2026

Problem

Currently, GoTrueClient constructor automatically calls this.initialize() as a fire-and-forget promise. This starts async operations (URL detection, session recovery, token refresh) immediately without waiting for completion.

In SSR contexts, this causes a race condition:

  1. Client created in request handler
  2. Constructor fires off initialize() promise (doesn't await)
  3. SSR framework generates and sends HTTP response
  4. Token refresh completes AFTER response sent
  5. Cookie setting fails: Error: Cannot use cookies.set(...) after the response has been generated

Solution

Add skipAutoInitialize option to GoTrueClientOptions that:

  • When true: Skip automatic initialize() call in constructor
  • When false (default): Maintain existing auto-initialization behavior
  • Rely on existing lazy initialization in all public methods (already present)
  • Allow SSR packages to control initialization timing

Changes

  • Add skipAutoInitialize?: boolean to GoTrueClientOptions interface
  • Update DEFAULT_OPTIONS with skipAutoInitialize: false
  • Conditionally skip auto-init in constructor when option is true

Related

@github-actions github-actions bot added the auth-js Related to the auth-js library. label Feb 18, 2026
@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 18, 2026

Open in StackBlitz

@supabase/auth-js

npm i https://pkg.pr.new/@supabase/auth-js@2123

@supabase/functions-js

npm i https://pkg.pr.new/@supabase/functions-js@2123

@supabase/postgrest-js

npm i https://pkg.pr.new/@supabase/postgrest-js@2123

@supabase/realtime-js

npm i https://pkg.pr.new/@supabase/realtime-js@2123

@supabase/storage-js

npm i https://pkg.pr.new/@supabase/storage-js@2123

@supabase/supabase-js

npm i https://pkg.pr.new/@supabase/supabase-js@2123

commit: bb0ea90

@mandarini mandarini mentioned this pull request Feb 18, 2026
Merged
@mandarini mandarini marked this pull request as ready for review February 18, 2026 13:11
@mandarini mandarini requested review from a team as code owners February 18, 2026 13:11
@mandarini mandarini self-assigned this Feb 18, 2026
@mandarini mandarini requested a review from fadymak February 18, 2026 13:11
@coderabbitai
Copy link

coderabbitai bot commented Feb 18, 2026

Warning

Rate limit exceeded

@mandarini has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minutes and 46 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Comment @coderabbitai help to get the list of available commands and usage tips.

@coveralls
Copy link

coveralls commented Feb 18, 2026

Coverage Status

coverage: 82.851% (-0.02%) from 82.869%
when pulling bb0ea90 on feat/auth-skipAutoInitialize
into 32c319b on master.

@mandarini mandarini merged commit c903551 into master Feb 18, 2026
18 of 19 checks passed
@mandarini mandarini deleted the feat/auth-skipAutoInitialize branch February 18, 2026 13:31
GuzekAlan added a commit to software-mansion-labs/supabase-js that referenced this pull request Feb 19, 2026
@GuzekAlan @7ttp
@mandarini @dependabot @supabase-releaser
chore(realtime): merge master (#50)
3c4518c 
* fix(postgrest): enforce type safety for table and view names in from() method (supabase#2058)

* docs(auth): clarify updateUserById does not trigger client listeners (supabase#2114)

* fix(auth): resolve Firefox content script Promise.then() security errors in locks (supabase#2112)

* build(deps): bump qs from 6.14.1 to 6.14.2 in the npm_and_yarn group across 1 directory (supabase#2118)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(release): version 2.96.0 changelogs (supabase#2121)

Co-authored-by: supabase-releaser[bot] <supabase-releaser[bot]@users.noreply.github.com>

* docs(supabase): document UNUSED_EXTERNAL_IMPORT build warning as false positive (supabase#2122)

* feat(auth): add skipAutoInitialize option to prevent constructor auto-init (supabase#2123)

* chore(release): version 2.97.0 changelogs (supabase#2124)

Co-authored-by: supabase-releaser[bot] <supabase-releaser[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Vaibhav <[email protected]>
Co-authored-by: Katerina Skroumpelou <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>
Co-authored-by: supabase-releaser[bot] <supabase-releaser[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fadymak fadymak fadymak approved these changes

Assignees

@mandarini mandarini

Labels

auth-js Related to the auth-js library.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mandarini @coveralls @fadymak