
feat: adds cookies.encode option allowing minimal cookie sizes#126

Merged: hf merged 1 commit into main from hf/split-session on Sep 16, 2025

Conversation

hf (Collaborator) commented Aug 29, 2025

Adds an experimental option `encode` on the `cookies` object when using `createBrowserClient()` and `createServerClient()`.

If this is set to `tokens-only`, then only the user's access token and refresh token will be encoded in the cookies, causing significant cookie size savings, often greater than 50%. It utilizes split session storage in auth-js, with some trade-offs such as the inability to access the `user` property on the `supabase.auth.getSession()` object in the server. This wasn't supposed to be done anyway, and `getClaims()` is a secure alternative for it.

j4w8n (Contributor) commented Aug 30, 2025

Nice.

Have you considered setting the fallback for `userStorage` to `null` in each case? Then the `encode` option would be a great way for developers to just not store `user` anywhere unless we set `userStorage` explicitly ourselves. This has the great benefit of avoiding the warnings of supabase/supabase-js#1709, since Supabase source code also calls `getSession()` for various things that trigger the warning; more secure all around.

hf force-pushed the hf/split-session branch 2 times, most recently from 0679e64 to 816f906 on September 16, 2025 14:38
hf force-pushed the hf/split-session branch from 816f906 to 32a260d on September 16, 2025 15:45
hf (Collaborator, Author) commented Sep 16, 2025

@j4w8n Null `userStorage` would break existing semantics in auth-js. I'd rather it gets controlled by a flag like this instead until we figure out how to do this in the next major version properly.

hf merged commit cf38b22 into main Sep 16, 2025 (4 checks passed)
hf deleted the hf/split-session branch September 16, 2025 17:07
mandarini pushed a commit that referenced this pull request Nov 26, 2025
🤖 I have created a release *beep* *boop*
---

## [0.8.0](v0.7.0...v0.8.0) (2025-11-26)


### Features

* adds `cookies.encode` option allowing minimal cookie sizes ([#126](#126)) ([cf38b22](cf38b22))
* publish SSR under deprecated auth-helpers package names ([#127](#127)) ([e8b6102](e8b6102))
* update supabase-js to latest ([#133](#133)) ([d65044d](d65044d))
* update supabase-js to latest ([#145](#145)) ([08bf7d6](08bf7d6))


### Bug Fixes

* cookies console warnings ([#136](#136)) ([64ff6b3](64ff6b3))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
wong2 commented Jan 21, 2026

Is it safe to switch from the default behavior to `tokens-only` for a production app? Like, will the currently auth-ed users keep working normally?
