
feat: adds cookies.encode option allowing minimal cookie sizes #126

Merged: hf merged 1 commit into main from hf/split-session on Sep 16, 2025

Conversation

hf (Collaborator) commented Aug 29, 2025

Adds an experimental option encode on the cookies object when using createBrowserClient() and createServerClient().

If this is set to tokens-only then only the user's access token and refresh token will be encoded in the cookies, causing significant cookie size savings, often greater than 50%. It utilizes split session storage in auth-js, with some trade-offs such as the inability to access the user property on the supabase.auth.getSession() object in the server. This wasn't supposed to be done anyway, and getClaims() is a secure alternative for it.

j4w8n (Contributor) commented Aug 30, 2025

Nice.

Have you considered setting the fallback for userStorage to null in each case? Then the encode option would be a great way for developers to just not store user anywhere unless we set userStorage explicitly ourselves. This has the great benefit of avoiding the warnings of supabase/supabase-js#1709, since Supabase source code also calls getSession() for various things that trigger the warning; more secure all around.

hf force-pushed the hf/split-session branch 2 times, most recently from 0679e64 to 816f906 on September 16, 2025 14:38
hf force-pushed the hf/split-session branch from 816f906 to 32a260d on September 16, 2025 15:45
hf (Collaborator, Author) commented Sep 16, 2025

@j4w8n Null userStorage would break existing semantics in auth-js. I'd rather it gets controlled by a flag like this instead until we figure out how to do this in the next major version properly.

@hf hf merged commit cf38b22 into main Sep 16, 2025
4 checks passed
@hf hf deleted the hf/split-session branch September 16, 2025 17:07
mandarini pushed a commit that referenced this pull request Nov 26, 2025
🤖 I have created a release *beep* *boop*
---


## [0.8.0](v0.7.0...v0.8.0) (2025-11-26)


### Features

* adds `cookies.encode` option allowing minimal cookie sizes
([#126](#126))
([cf38b22](cf38b22))
* publish SSR under deprecated auth-helpers package names
([#127](#127))
([e8b6102](e8b6102))
* update supabase-js to latest
([#133](#133))
([d65044d](d65044d))
* update supabase-js to latest
([#145](#145))
([08bf7d6](08bf7d6))


### Bug Fixes

* cookies console warnings
([#136](#136))
([64ff6b3](64ff6b3))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
wong2 commented Jan 21, 2026
Is it safe to switch from the default behavior to tokens-only for a production app? Like, will currently auth-ed users keep working normally?

mandarini pushed a commit that referenced this pull request Jun 9, 2026
🤖 I have created a release *beep* *boop*
---


## [0.12.0](v0.11.0...v0.12.0) (2026-06-09)


### Features

* adds `cookies.encode` option allowing minimal cookie sizes
([#126](#126))
([cf38b22](cf38b22))
* bump `cookie` to 1.0.2
([#113](#113))
([b4a77b4](b4a77b4))
* **cookies:** add clearAuthCookiesAtScopes migration helper
([#240](#240))
([4e47249](4e47249))
* full rewrite using `getAll` and `setAll` cookie methods
([#1](#1))
([b6ae192](b6ae192))
* improve cookie chunk handling via base64url+length encoding
([#90](#90))
([6deb687](6deb687))
* pass cache headers to setAll to prevent CDN caching of auth responses
([#176](#176))
([14962d2](14962d2))
* publish SSR under deprecated auth-helpers package names
([#127](#127))
([e8b6102](e8b6102))
* release workflow RC versioning and publish reliability
([#164](#164))
([81e68f4](81e68f4))
* update CI so it runs on release as well
([#33](#33))
([4517996](4517996))
* update supabase-js to latest
([#133](#133))
([d65044d](d65044d))
* update supabase-js to latest
([#145](#145))
([08bf7d6](08bf7d6))
* upgrade cookie dependency and cleanup imports
([#77](#77))
([9524528](9524528))


### Bug Fixes

* add @types/cookies to dependencies
([#63](#63))
([47e5f16](47e5f16))
* add `create*Client` string in `x-client-info`
([#85](#85))
([f271acc](f271acc))
* allow cookies encode without getAll/setAll on browser client
([#213](#213))
([89f3f28](89f3f28)),
closes [#170](#170)
* allow use of `createBrowserClient` without `window` present
([#20](#20))
([27d868d](27d868d))
* **auth:** respect user-provided auth options in createBrowserClient
([#167](#167))
([5f04837](5f04837))
* check chunkedCookie is string in server client
([#57](#57))
([549fe62](549fe62))
* **ci:** remove packageManager field
([#197](#197))
([6bf0226](6bf0226))
* cookies console warnings
([#136](#136))
([64ff6b3](64ff6b3))
* deprecate `parse`, `serialize` exports for more useful functions
([#14](#14))
([0b5f881](0b5f881))
* enable tree-shaking for browser bundles
([#216](#216))
([f009d71](f009d71))
* fix `createBrowserClient` deprecation tsdoc
([#17](#17))
([1df70ad](1df70ad))
* force release ([#98](#98))
([66710e8](66710e8))
* re-apply update CI so it runs on release as well
([#49](#49))
([51d5a43](51d5a43))
* **release:** pin npm to 11.5.2 so OIDC trusted publisher works
([#249](#249))
([4af89f7](4af89f7))
* remove optional dependencies
([#41](#41))
([a48fe6f](a48fe6f))
* remove usage of internal type params
([#123](#123))
([8f3e89e](8f3e89e))
* revert "update CI so it runs on release as well"
([#44](#44))
([9d0e859](9d0e859))
* **revert:** "feat: improve cookie chunk handling via base64url+length
encoding ([#90](#90))"
([#100](#100))
([2ea8e23](2ea8e23))
* set `max-age` default cookie option to 400 days
([#54](#54))
([f4ed2e0](f4ed2e0))
* set cookies for password recovery event
([#32](#32))
([7dc1837](7dc1837))
* set cookies when mfa challenge is verified
([#27](#27))
([c217f53](c217f53))
* **tsconfig:** set explicit rootDir to silence TS6059 in consumer IDEs
([#211](#211))
([a77ee8a](a77ee8a)),
closes [#209](#209)
* update conventional commits ci to use main instead of master
([#31](#31))
([bebce89](bebce89))
* update README session docs
([#159](#159))
([b859905](b859905))
* update type, remove unused imports, define AuthEvent type
([#47](#47))
([4f4a375](4f4a375))
* use skipAutoInitialize to prevent SSR token refresh race condition
([#131](#131))
([0b7be28](0b7be28))
* validate base64-prefixed chunked cookies decode to valid JSON
([#210](#210))
([302cc0e](302cc0e))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>