supabase / auth / 17383331724
69%

Build:
DEFAULT BRANCH: master
Ran 01 Sep 2025 04:56PM UTC
Jobs 1
Files 161
Run time 1min
01 Sep 2025 04:48PM UTC coverage: 68.707% (-2.0%) from 70.664%
Build 17383331724 · push · github · web-flow
feat: implement OAuth2 authorization endpoint (#2107)

# Summary

This PR implements the OAuth 2.1 authorization endpoint in Supabase
Auth, completing the server-side OAuth flow by adding user authorization
and consent management. Building on the OAuth client registration
foundation (#2098), this enables Supabase Auth to function as an OAuth
2.1 authorization server.

# Features Added
## Authorization Flow Endpoints

- **Authorization Initiation** (`GET /oauth/authorize`) - Initiates OAuth 2.1 authorization code flow with PKCE support and redirects user to (for now) pre-configured URL
- **Authorization Details** (`GET /oauth/authorizations/{authorization_id}`) - Retrieves authorization request details for consent UI
- **Consent Processing** (`POST /oauth/authorizations/{authorization_id}/consent`) - Handles user consent decisions (approve/deny)

## Authorization Management

- **PKCE Enforcement** - Mandatory PKCE (RFC 7636) with S256/Plain
support for OAuth 2.1 compliance
- **User Consent Tracking** - Persistent consent storage with
scope-based auto-approval for trusted clients
- **State Management** - Complete authorization lifecycle management
(pending → approved/denied/expired)
- **Security Controls** - Authorization expiration, redirect URI
validation

# Technical Implementation
## Database Schema

- New `oauth_authorizations` table for authorization requests with
status tracking
- New `oauth_consents` table for persistent user consent management
- Enhanced enums for authorization status and response types
- Comprehensive indexing for performance and cleanup operations

## Code Organization

- Extended `internal/api/oauthserver` package with authorization flow
handlers
- New models: `OAuthServerAuthorization`, `OAuthServerConsent`, and
scope utilities
- Shared PKCE utilities extracted to `internal/models/pkce.go` for reuse
- Context utilities moved to `internal/api/shared` to avoid circular
dependencies

# Future Work

- **Integration Tests** - ... (continued)

205 of 785 new or added lines in 12 files covered. (26.11%)

12537 of 18247 relevant lines covered (68.71%)

67.13 hits per line

New Missed Lines in Diff

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 3 | 80.0 | | internal/api/shared/context.go |
| 25 | 64.23 | -13.64% | internal/api/oauthserver/handlers.go |
| 82 | 24.07 | | internal/models/oauth_consent.go |
| 95 | 40.99 | | internal/models/oauth_authorization.go |
| 375 | 0.0 | | internal/api/oauthserver/authorize.go |
Jobs

| ID | Job ID | Ran | Files | Coverage | Source |
|---|---|---|---|---|---|
| 1 | 17383331724.1 | 01 Sep 2025 04:56PM UTC | 161 | 68.71 | GitHub Action Run |
Commit: 53185526 on github
© 2025 Coveralls, Inc