Skip to content

fix(auth): lower lockAcquireTimeout default to 5s and fix stale JSDoc#2125

Merged
mandarini merged 1 commit intomasterfrom
fix/auth-lock-doc-timeout
Feb 19, 2026
Merged

fix(auth): lower lockAcquireTimeout default to 5s and fix stale JSDoc#2125
mandarini merged 1 commit intomasterfrom
fix/auth-lock-doc-timeout

Conversation

@mandarini
Copy link
Contributor

@mandarini mandarini commented Feb 19, 2026

Description

Follow-up to #2106 (steal-based orphaned-lock recovery).

  • Lower lockAcquireTimeout default from 10 s to 5 s (GoTrueClient.ts). The auth team aligned on a shorter default in the original Slack thread; now that the steal fallback handles recovery, a shorter wait is safe.
  • Fix stale lock JSDoc (types.ts): the previous comment claimed "no locking is done by default", which is false — navigatorLock (Web Locks API) has been the default in browser environments with persistSession: true for
    some time.
  • Rewrite lockAcquireTimeout JSDoc (types.ts): the previous doc said a positive timeout throws LockAcquireTimeoutError. With fix(auth): recover from orphaned navigator locks via steal fallback #2106 merged, a positive timeout now triggers steal-based recovery instead. Updated @default, bullet descriptions, and the example snippet accordingly.

@mandarini mandarini requested review from a team as code owners February 19, 2026 15:31
@github-actions github-actions bot added the auth-js Related to the auth-js library. label Feb 19, 2026
@coderabbitai
Copy link

coderabbitai bot commented Feb 19, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

📝 Walkthrough

Summary by CodeRabbit

  • Configuration

    • Reduced default lock acquisition timeout for improved performance.

  • Documentation

    • Enhanced documentation for locking behavior and timeout recovery semantics across different environments.

  • Tests

    • Updated test expectations to reflect timeout configuration changes.

Walkthrough

The pull request reduces the lock acquisition timeout in the GoTrueClient authentication library from 10,000 milliseconds to 5,000 milliseconds. This change is applied to the default options configuration, with corresponding updates to type documentation explaining lock recovery semantics and the behavior of different timeout values. Test cases have been updated to reflect the new default timeout value.

Comment @coderabbitai help to get the list of available commands and usage tips.

@mandarini mandarini self-assigned this Feb 19, 2026
@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 19, 2026

Open in StackBlitz

@supabase/auth-js

npm i https://pkg.pr.new/@supabase/auth-js@2125

@supabase/functions-js

npm i https://pkg.pr.new/@supabase/functions-js@2125

@supabase/postgrest-js

npm i https://pkg.pr.new/@supabase/postgrest-js@2125

@supabase/realtime-js

npm i https://pkg.pr.new/@supabase/realtime-js@2125

@supabase/storage-js

npm i https://pkg.pr.new/@supabase/storage-js@2125

@supabase/supabase-js

npm i https://pkg.pr.new/@supabase/supabase-js@2125

commit: aff5ce6

@mandarini mandarini enabled auto-merge (squash) February 19, 2026 15:56
@fadymak fadymak disabled auto-merge February 19, 2026 16:01
fadymak
fadymak approved these changes Feb 19, 2026
View reviewed changes
Copy link
Contributor

@fadymak fadymak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just one note that this could potentially be a behavioral breaking change:

a positive timeout now triggers steal-based recovery instead

@mandarini mandarini merged commit 0f52237 into master Feb 19, 2026
18 checks passed
@mandarini mandarini deleted the fix/auth-lock-doc-timeout branch February 19, 2026 16:03
@mandarini
Copy link
Contributor Author

mandarini commented Feb 19, 2026

@fadymak timeout was there since before. we just decreased it to 5s, as you suggested!

@mandarini mandarini mentioned this pull request Feb 25, 2026
Merged
@everettbu everettbu mentioned this pull request Feb 25, 2026
Closed
mandarini added a commit to supabase/supabase that referenced this pull request Feb 25, 2026
@mandarini
chore: remove steal fallback from debuggableNavigatorLock (#43172)
996104a 
The SDK now handles orphaned lock recovery via steal internally
(supabase-js#2106). Keep the BroadcastChannel observability wrapper for
Sentry signals. The steal-based orphaned lock recovery in
`debuggableNavigatorLock` (packages/common/gotrue.ts) (introduced in
#39868) is now redundant,
supabase-js#2106 handles this natively in the SDK.

Removes the `navigator.locks.request({ steal: true })` block while
keeping the BroadcastChannel wrapper that sends lock-holder stack traces
to Sentry.

Related: supabase/supabase-js#2106, supabase/supabase-js#2125
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fadymak fadymak fadymak approved these changes

Assignees

@mandarini mandarini

Labels

auth-js Related to the auth-js library.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mandarini @fadymak