Skip to content

feat(cookies): add clearAuthCookiesAtScopes migration helper#240

Merged
mandarini merged 1 commit into
mainfrom
fix/cookie-domain-migration
Jun 4, 2026
Merged

feat(cookies): add clearAuthCookiesAtScopes migration helper#240
mandarini merged 1 commit into
mainfrom
fix/cookie-domain-migration

Conversation

@mandarini

@mandarini mandarini commented Jun 1, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Fixes a stuck-session bug for users who change their cookie Domain in production (typically host-only to .parent.tld). After such a migration, signOut could not clear the stale host-only cookies, the browser kept returning both copies, and the session resurrected on the next read.

Reported on supabase/supabase-js#2392. No read-side fix is possible: document.cookie does not expose Domain to JS, so the fix has to be on the write side.

What changed

  • removeItem, setItem chunk cleanup, and applyServerStorage: when cookieOptions.domain is set, also emit a Set-Cookie clear with no Domain attribute. No change when domain is not configured.
  • New exported helper clearAuthCookiesAtScopes for rarer multi-scope migrations (.parent1 to .parent2, path changes). Idempotent; safe to over-call (browser ignores clears at scopes the host does not own).

Behavior

Not breaking. Zero observable change for clients that do not set cookieOptions.domain. For clients that do, the extra Set-Cookie is a no-op unless a stale host-only cookie at the same name actually exists. Ship as minor (feat for the helper dominates the fix for the auto-clear).

Tests

New describe block in cookies.spec.ts covering removeItem, setItem chunk cleanup, and applyServerStorage for both with-domain and baseline cases. New clearAuthCookiesAtScopes.spec.ts covering the helper.

@mandarini mandarini requested review from a team as code owners June 1, 2026 13:51
@mandarini mandarini force-pushed the fix/cookie-domain-migration branch from eecf164 to 2dbd9ff Compare June 1, 2026 13:56
@mandarini mandarini self-assigned this Jun 1, 2026
@mandarini mandarini merged commit 4e47249 into main Jun 4, 2026
4 checks passed
@mandarini mandarini deleted the fix/cookie-domain-migration branch June 4, 2026 11:45
@supabase-releaser supabase-releaser Bot mentioned this pull request Jun 4, 2026
Merged
mandarini pushed a commit that referenced this pull request Jun 8, 2026
@supabase-releaser
chore(main): release 0.11.0 (#244)
dd766c4 
🤖 I have created a release *beep* *boop*
---


## [0.11.0](v0.10.3...v0.11.0)
(2026-06-05)


### Features

* **cookies:** add clearAuthCookiesAtScopes migration helper
([#240](#240))
([4e47249](4e47249))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>
@supabase-releaser supabase-releaser Bot mentioned this pull request Jun 8, 2026
Merged
@mandarini mandarini mentioned this pull request Jun 8, 2026
Merged
mandarini added a commit that referenced this pull request Jun 9, 2026
@mandarini @claude
fix(release): pin npm to 11.5.2 so OIDC trusted publisher works (#249)
4af89f7 
## Summary

- Re-adds an explicit npm install before the publish step so the
workflow runs on **npm 11.5.2** (the version that supports OIDC
trusted-publisher exchange) instead of Node 22's bundled npm 10.9.x.
- Adds a multi-line comment in the workflow explaining the dependency,
so the line is not deleted again.

## Background

The release pipeline has been silently broken since #221 (May 12). That
PR removed `corepack enable npm && corepack prepare npm@11 --activate`
with the claim "no longer needed", but `actions/setup-node@v6.4.0` does
**not** upgrade npm — Node 22 ships with npm 10.9.x.

npm only learned how to do OIDC trusted-publisher exchange in
**11.5.1**. On npm 10, `npm publish --provenance` signs the provenance
via sigstore (which works because it uses the GitHub OIDC token
directly), then sends the bogus `.npmrc` placeholder
`XXXXX-XXXXX-XXXXX-XXXXX` as the bearer token to the registry. The
registry returns `404 Not Found - PUT
https://registry.npmjs.org/@supabase%2fssr` (npm registry returns 404
for unauthenticated PUTs to avoid leaking which packages exist).

The repo has **no `NPM_TOKEN` secret** configured anywhere — by design,
per #221's hardening posture. Auth is OIDC-only via the
trusted-publisher binding on npmjs.com. Re-adding a token would weaken
that posture, so the fix is to ensure the npm CLI is new enough to use
OIDC.

## Why this went undetected

Between #221's merge (May 12) and #240's merge (June 4), every release
run was for a `chore: update @supabase/supabase-js` commit. Those have
no pending release-please PR, so the workflow's version-determination
step took the `skip=true` branch and never attempted to publish. The
first publish attempt on npm 10 — #240's merge on June 4 — failed with
E404, as did the two release runs after it (#245, #244).

Failed runs:
-
[27136548767](https://github.com/supabase/ssr/actions/runs/27136548767)
— PR #244 ("release 0.11.0") merge, tried to publish `0.12.0-rc.118`
-
[27008002122](https://github.com/supabase/ssr/actions/runs/27008002122)
— PR #245 merge
-
[26949675017](https://github.com/supabase/ssr/actions/runs/26949675017)
— PR #240 merge, tried to publish `0.11.0-rc.117`

Last successful publish: `v0.10.3` on May 7 (run
[25509681243](https://github.com/supabase/ssr/actions/runs/25509681243)),
which ran on npm 11 via the corepack line that #221 removed.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mandarini pushed a commit that referenced this pull request Jun 9, 2026
@supabase-releaser
chore(main): release 0.12.0 (#247)
d8c9b60 
🤖 I have created a release *beep* *boop*
---


## [0.12.0](v0.11.0...v0.12.0)
(2026-06-09)


### Features

* adds `cookies.encode` option allowing minimal cookie sizes
([#126](#126))
([cf38b22](cf38b22))
* bump `cookie` to 1.0.2
([#113](#113))
([b4a77b4](b4a77b4))
* **cookies:** add clearAuthCookiesAtScopes migration helper
([#240](#240))
([4e47249](4e47249))
* full rewrite using `getAll` and `setAll` cookie methods
([#1](#1))
([b6ae192](b6ae192))
* improve cookie chunk handling via base64url+length encoding
([#90](#90))
([6deb687](6deb687))
* pass cache headers to setAll to prevent CDN caching of auth responses
([#176](#176))
([14962d2](14962d2))
* publish SSR under deprecated auth-helpers package names
([#127](#127))
([e8b6102](e8b6102))
* release workflow RC versioning and publish reliability
([#164](#164))
([81e68f4](81e68f4))
* update CI so it runs on release as well
([#33](#33))
([4517996](4517996))
* update supabase-js to latest
([#133](#133))
([d65044d](d65044d))
* update supabase-js to latest
([#145](#145))
([08bf7d6](08bf7d6))
* upgrade cookie dependency and cleanup imports
([#77](#77))
([9524528](9524528))


### Bug Fixes

* add @types/cookies to dependencies
([#63](#63))
([47e5f16](47e5f16))
* add `create*Client` string in `x-client-info`
([#85](#85))
([f271acc](f271acc))
* allow cookies encode without getAll/setAll on browser client
([#213](#213))
([89f3f28](89f3f28)),
closes [#170](#170)
* allow use of `createBrowserClient` without `window` present
([#20](#20))
([27d868d](27d868d))
* **auth:** respect user-provided auth options in createBrowserClient
([#167](#167))
([5f04837](5f04837))
* check chunkedCookie is string in server client
([#57](#57))
([549fe62](549fe62))
* **ci:** remove packageManager field
([#197](#197))
([6bf0226](6bf0226))
* cookies console warnings
([#136](#136))
([64ff6b3](64ff6b3))
* deprecate `parse`, `serialize` exports for more useful functions
([#14](#14))
([0b5f881](0b5f881))
* enable tree-shaking for browser bundles
([#216](#216))
([f009d71](f009d71))
* fix `createBrowserClient` deprecation tsdoc
([#17](#17))
([1df70ad](1df70ad))
* force release ([#98](#98))
([66710e8](66710e8))
* re-apply update CI so it runs on release as well
([#49](#49))
([51d5a43](51d5a43))
* **release:** pin npm to 11.5.2 so OIDC trusted publisher works
([#249](#249))
([4af89f7](4af89f7))
* remove optional dependencies
([#41](#41))
([a48fe6f](a48fe6f))
* remove usage of internal type params
([#123](#123))
([8f3e89e](8f3e89e))
* revert "update CI so it runs on release as well"
([#44](#44))
([9d0e859](9d0e859))
* **revert:** "feat: improve cookie chunk handling via base64url+length
encoding ([#90](#90))"
([#100](#100))
([2ea8e23](2ea8e23))
* set `max-age` default cookie option to 400 days
([#54](#54))
([f4ed2e0](f4ed2e0))
* set cookies for password recovery event
([#32](#32))
([7dc1837](7dc1837))
* set cookies when mfa challenge is verified
([#27](#27))
([c217f53](c217f53))
* **tsconfig:** set explicit rootDir to silence TS6059 in consumer IDEs
([#211](#211))
([a77ee8a](a77ee8a)),
closes [#209](#209)
* update conventional commits ci to use main instead of master
([#31](#31))
([bebce89](bebce89))
* update README session docs
([#159](#159))
([b859905](b859905))
* update type, remove unused imports, define AuthEvent type
([#47](#47))
([4f4a375](4f4a375))
* use skipAutoInitialize to prevent SSR token refresh race condition
([#131](#131))
([0b7be28](0b7be28))
* validate base64-prefixed chunked cookies decode to valid JSON
([#210](#210))
([302cc0e](302cc0e))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@grdsdev grdsdev grdsdev approved these changes

Assignees

@mandarini mandarini

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mandarini @grdsdev