feat: add Supabase Auth identifier to OAuth redirect URLs (#2299)

## Summary

Adds a Supabase Auth identifier (`sb`) to URL fragments in all OAuth
redirect responses to help clients distinguish Supabase Auth redirects
from third-party OAuth flows.

## Problem

auth-js GoTrueClient currently intercepts all URL fragments containing
`access_token`, including those from non-Supabase OAuth providers. This
causes unintended logouts and authentication issues when users have
other OAuth flows in their applications.

Related issue: supabase/supabase-js#1697

## Solution

Added an empty `sb` parameter to the URL fragment in all redirect
responses:
  - Success redirects with tokens (via `AsRedirectURL`)
- Error redirects in OAuth callbacks ([supabase-js
has](https://github.com/supabase/supabase-js/blob/a66387e9923255160031a1c55545cf7ab27b3aaf/packages/core/auth-js/src/lib/errors.ts#L14-L38)
a `__isAuthError`, but adding it for error to be fault-tolerant, and
non-supabase-sdk cases)
  - Error redirects in verification flows
  - Message redirects in verification flows

Example redirect URL:

`https://example.com/callback#access_token=xxx&refresh_token=yyy&expires_in=3600&sb`

Clients can now check for the presence of `sb` in the fragment to
confirm the redirect originated from Supabase Auth.

Author: cemalkilic

internal/api/external.go

@@ -779,6 +779,8 @@ func redirectErrors(handler apiHandler, w http.ResponseWriter, r *http.Request,
 		if q.Get("error_code") != "" {
 			hq.Set("error_code", q.Get("error_code"))
 		}
+		// Add Supabase Auth identifier to help clients distinguish Supabase Auth redirects
+		hq.Set("sb", "")
 		u.Fragment = hq.Encode()
 		http.Redirect(w, r, u.String(), http.StatusFound)
 	}

internal/api/external_test.go

@@ -207,6 +207,8 @@ func assertAuthorizationSuccess(ts *ExternalTestSuite, u *url.URL, tokenCount in
 	ts.NotEmpty(v.Get("refresh_token"))
 	ts.NotEmpty(v.Get("expires_in"))
 	ts.Equal("bearer", v.Get("token_type"))
+	// Verify Supabase Auth identifier is present
+	ts.Contains(v, "sb", "Fragment should contain Supabase Auth identifier 'sb'")
 
 	ts.Equal(1, tokenCount)
 	if userCount > -1 {
@@ -248,6 +250,8 @@ func assertAuthorizationFailure(ts *ExternalTestSuite, u *url.URL, errorDescript
 	ts.Empty(v.Get("refresh_token"))
 	ts.Empty(v.Get("expires_in"))
 	ts.Empty(v.Get("token_type"))
+	// Verify Supabase Auth identifier is present even in error responses
+	ts.Contains(v, "sb", "Fragment should contain Supabase Auth identifier 'sb' even in errors")
 
 	// ensure user is nil
 	user, err := models.FindUserByEmailAndAudience(ts.API.db, email, ts.Config.JWT.Aud)

internal/api/verify.go

@@ -507,6 +507,8 @@ func (a *API) prepErrorRedirectURL(err *HTTPError, r *http.Request, rurl string,
 		u.RawQuery = q.Encode()
 	}
 	// Left as hash fragment to comply with spec.
+	// Add Supabase Auth identifier to help clients distinguish Supabase Auth redirects
+	hq.Set("sb", "")
 	u.Fragment = hq.Encode()
 	return u.String(), nil
 }
@@ -523,6 +525,8 @@ func (a *API) prepRedirectURL(message string, rurl string, flowType models.FlowT
 		q.Set("message", message)
 	}
 	u.RawQuery = q.Encode()
+	// Add Supabase Auth identifier to help clients distinguish Supabase Auth redirects
+	hq.Set("sb", "")
 	u.Fragment = hq.Encode()
 	return u.String(), nil
 }

internal/api/verify_test.go

@@ -1155,28 +1155,28 @@ func (ts *VerifyTestSuite) TestPrepRedirectURL() {
 			message:  singleConfirmationAccepted,
 			rurl:     "https://example.com/?first=another&second=other",
 			flowType: models.PKCEFlow,
-			expected: fmt.Sprintf("https://example.com/?first=another&message=%s&second=other#message=%s", escapedMessage, escapedMessage),
+			expected: fmt.Sprintf("https://example.com/?first=another&message=%s&second=other#message=%s&sb=", escapedMessage, escapedMessage),
 		},
 		{
 			desc:     "(PKCE): Query params in redirect url are overriden",
 			message:  singleConfirmationAccepted,
 			rurl:     "https://example.com/?message=Valid+redirect+URL",
 			flowType: models.PKCEFlow,
-			expected: fmt.Sprintf("https://example.com/?message=%s#message=%s", escapedMessage, escapedMessage),
+			expected: fmt.Sprintf("https://example.com/?message=%s#message=%s&sb=", escapedMessage, escapedMessage),
 		},
 		{
 			desc:     "(Implicit): plain redirect url",
 			message:  singleConfirmationAccepted,
 			rurl:     "https://example.com/",
 			flowType: models.ImplicitFlow,
-			expected: fmt.Sprintf("https://example.com/#message=%s", escapedMessage),
+			expected: fmt.Sprintf("https://example.com/#message=%s&sb=", escapedMessage),
 		},
 		{
 			desc:     "(Implicit): query params retained",
 			message:  singleConfirmationAccepted,
 			rurl:     "https://example.com/?first=another",
 			flowType: models.ImplicitFlow,
-			expected: fmt.Sprintf("https://example.com/?first=another#message=%s", escapedMessage),
+			expected: fmt.Sprintf("https://example.com/?first=another#message=%s&sb=", escapedMessage),
 		},
 	}
 	for _, c := range cases {
@@ -1204,28 +1204,28 @@ func (ts *VerifyTestSuite) TestPrepErrorRedirectURL() {
 			message:  "Valid redirect URL",
 			rurl:     "https://example.com/",
 			flowType: models.PKCEFlow,
-			expected: fmt.Sprintf("https://example.com/?%s#%s", redirectError, redirectError),
+			expected: fmt.Sprintf("https://example.com/?%s#%s&sb=", redirectError, redirectError),
 		},
 		{
 			desc:     "(PKCE): Error with conflicting query params in redirect url",
 			message:  DefaultError,
 			rurl:     "https://example.com/?error=Error+to+be+overriden",
 			flowType: models.PKCEFlow,
-			expected: fmt.Sprintf("https://example.com/?%s#%s", redirectError, redirectError),
+			expected: fmt.Sprintf("https://example.com/?%s#%s&sb=", redirectError, redirectError),
 		},
 		{
 			desc:     "(Implicit): plain redirect url",
 			message:  DefaultError,
 			rurl:     "https://example.com/",
 			flowType: models.ImplicitFlow,
-			expected: fmt.Sprintf("https://example.com/#%s", redirectError),
+			expected: fmt.Sprintf("https://example.com/#%s&sb=", redirectError),
 		},
 		{
 			desc:     "(Implicit): query params preserved",
 			message:  DefaultError,
 			rurl:     "https://example.com/?test=param",
 			flowType: models.ImplicitFlow,
-			expected: fmt.Sprintf("https://example.com/?test=param#%s", redirectError),
+			expected: fmt.Sprintf("https://example.com/?test=param#%s&sb=", redirectError),
 		},
 	}
 	for _, c := range cases {

internal/tokens/service.go

@@ -145,6 +145,8 @@ func (r *AccessTokenResponse) AsRedirectURL(redirectURL string, extraParams url.
 	extraParams.Set("expires_in", strconv.Itoa(r.ExpiresIn))
 	extraParams.Set("expires_at", strconv.FormatInt(r.ExpiresAt, 10))
 	extraParams.Set("refresh_token", r.RefreshToken)
+	// Add Supabase Auth identifier to help clients distinguish Supabase Auth redirects
+	extraParams.Set("sb", "")
 
 	return redirectURL + "#" + extraParams.Encode()
 }

internal/tokens/service_test.go

@@ -6,6 +6,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"net/http"
+	"net/url"
 	"strconv"
 	"strings"
 	"sync"
@@ -1089,3 +1090,39 @@ func TestAMRClaimUnmarshal(t *testing.T) {
 		require.Equal(t, "webauthn", claim[1].Provider, "provider should be preserved")
 	})
 }
+
+// TestAsRedirectURL tests that AsRedirectURL includes the Supabase Auth identifier
+func TestAsRedirectURL(t *testing.T) {
+	response := &AccessTokenResponse{
+		Token:        "test_access_token",
+		TokenType:    "bearer",
+		ExpiresIn:    3600,
+		ExpiresAt:    1234567890,
+		RefreshToken: "test_refresh_token",
+	}
+
+	extraParams := url.Values{}
+	extraParams.Set("provider_token", "provider_access_token")
+
+	redirectURL := response.AsRedirectURL("https://example.com/callback", extraParams)
+
+	// Parse the URL
+	u, err := url.Parse(redirectURL)
+	require.NoError(t, err)
+
+	// Parse the fragment
+	fragment, err := url.ParseQuery(u.Fragment)
+	require.NoError(t, err)
+
+	// Verify all expected parameters are present
+	require.Equal(t, "test_access_token", fragment.Get("access_token"))
+	require.Equal(t, "bearer", fragment.Get("token_type"))
+	require.Equal(t, "3600", fragment.Get("expires_in"))
+	require.Equal(t, "1234567890", fragment.Get("expires_at"))
+	require.Equal(t, "test_refresh_token", fragment.Get("refresh_token"))
+	require.Equal(t, "provider_access_token", fragment.Get("provider_token"))
+
+	// Verify Supabase Auth identifier is present
+	require.Contains(t, fragment, "sb", "Fragment should contain Supabase Auth identifier 'sb'")
+	require.Equal(t, "", fragment.Get("sb"), "Supabase Auth identifier should have empty value")
+}