fix(auth): update logic and add todo

mandarini · mandarini · commit d36da730e9df · 2025-12-17T18:49:55.000+02:00
diff --git a/packages/core/auth-js/src/GoTrueClient.ts b/packages/core/auth-js/src/GoTrueClient.ts
@@ -2112,10 +2112,13 @@ export default class GoTrueClient {
       return this.detectSessionInUrl(new URL(window.location.href), params)
     }
     // Check for Supabase Auth identifier
-    // Fall back to legacy detection for backwards compatibility with older Auth servers
     if ('sb' in params) {
-      return true
+      // sb is just an identifier
+      // Still require OAuth params to prevent forced logout via crafted URLs with only 'sb'
+      return Boolean(params.access_token || params.error || params.error_description)
     }
+    // TODO @mandarini: Remove this legacy fallback in next major version and return false instead
+    // Legacy detection for backwards compatibility with older Auth servers that don't include 'sb'
     return Boolean(params.access_token || params.error_description)
   }
 
diff --git a/packages/core/auth-js/src/lib/types.ts b/packages/core/auth-js/src/lib/types.ts
@@ -93,10 +93,13 @@ export type GoTrueClientOptions = {
    * @example
    * ```ts
    * detectSessionInUrl: (url, params) => {
-   *   // Prefer sb identifier (available on newer Auth servers)
-   *   if ('sb' in params) return true
    *   // Ignore known third-party OAuth paths
    *   if (url.pathname === '/facebook/redirect') return false
+   *   // Check for sb identifier (available on newer Auth servers)
+   *   // Still require OAuth params to prevent issues with crafted URLs
+   *   if ('sb' in params) {
+   *     return Boolean(params.access_token || params.error || params.error_description)
+   *   }
    *   // Fall back to legacy detection for older Auth servers
    *   return Boolean(params.access_token || params.error_description)
    * }
diff --git a/packages/core/supabase-js/src/lib/types.ts b/packages/core/supabase-js/src/lib/types.ts
@@ -63,10 +63,13 @@ export type SupabaseClientOptions<SchemaName> = {
      * @example
      * ```ts
      * detectSessionInUrl: (url, params) => {
-     *   // Prefer sb identifier (available on newer Auth servers)
-     *   if ('sb' in params) return true
      *   // Ignore known third-party OAuth paths
      *   if (url.pathname === '/facebook/redirect') return false
+     *   // Check for sb identifier (available on newer Auth servers)
+     *   // Still require OAuth params to prevent issues with crafted URLs
+     *   if ('sb' in params) {
+     *     return Boolean(params.access_token || params.error || params.error_description)
+     *   }
      *   // Fall back to legacy detection for older Auth servers
      *   return Boolean(params.access_token || params.error_description)
      * }

Original file line number	Diff line number	Diff line change
`@@ -2112,10 +2112,13 @@ export default class GoTrueClient {`
`2112`	`2112`	`return this.detectSessionInUrl(new URL(window.location.href), params)`
`2113`	`2113`	`}`
`2114`	`2114`	`// Check for Supabase Auth identifier`
`2115`		`- // Fall back to legacy detection for backwards compatibility with older Auth servers`
`2116`	`2115`	`if ('sb' in params) {`
`2117`		`- return true`
	`2116`	`+ // sb is just an identifier`
	`2117`	`+ // Still require OAuth params to prevent forced logout via crafted URLs with only 'sb'`
	`2118`	`+ return Boolean(params.access_token \|\| params.error \|\| params.error_description)`
`2118`	`2119`	`}`
	`2120`	`+ // TODO @mandarini: Remove this legacy fallback in next major version and return false instead`
	`2121`	`+ // Legacy detection for backwards compatibility with older Auth servers that don't include 'sb'`
`2119`	`2122`	`return Boolean(params.access_token \|\| params.error_description)`
`2120`	`2123`	`}`
`2121`	`2124`