Selective cookie blocking breaks GitHub OAuth callback
High · In Progress · Auth / OAuth · Bug Note
Feb 20, 2026 · Updated Mar 6, 2026 · Source: ChatGPT — OAuth Debug Session (ChatGPT)
Summary
Users with strict browser cookie settings (Firefox Enhanced Tracking Protection, Brave Shields) fail the GitHub OAuth callback. The session cookie set by Supabase during the OAuth handshake is blocked as a third-party cookie, causing a silent redirect loop back to /login. Requires domain-matching fix or first-party cookie workaround.
Raw Content
## Problem

Users hitting /auth/callback after GitHub OAuth were being silently redirected back to /login with no error shown.

## Root Cause

Identified via ChatGPT debug session: Supabase sets the auth session cookie during the OAuth callback. In browsers with strict cookie policies (Firefox ETP set to "Strict", Brave with Shields up), this cookie is classified as third-party because the callback domain is on Supabase's infrastructure before being redirected back to our domain.

## Reproduction Steps

1. Open Firefox, set Enhanced Tracking Protection to "Strict"
2. Click "Login with GitHub" on VCTRL
3. Authorize on GitHub
4. Get redirected back — observe silent loop back to /login

## Fix Investigated

- Option A: Use PKCE flow (Supabase supports this) — keeps everything first-party
- Option B: Custom domain for Supabase auth so cookies are same-origin
- Option C: Detect the failure and show a user-facing error with instructions to allow cookies

## Decision

Implement PKCE flow as primary fix. Add fallback cookie error detection for Option C as safety net.

## Status

PKCE branch in progress. ETA: 2 days.
Metadata

| Field | Value |
|---|---|
| Event ID | d1000000-0000-0000-0000-000000000001 |
| Project | VCTRL |
| Event Time | Feb 20, 2026, 2:24:57 AM |
| Created | Mar 6, 2026, 2:24:57 AM |
| Updated | Mar 6, 2026, 2:24:57 AM |
| Source | ChatGPT — OAuth Debug Session |
| Source Type | ChatGPT |
Follow-ups
No follow-ups yet.