Auth & OAuth
| Event | Type | Severity | Status | Category | Tags | When |
|---|---|---|---|---|---|---|
| **Auth decision: Adopt PKCE flow for all OAuth providers.** Decision made to standardize on PKCE (Proof Key for Code Exchange) for all OAuth flows in VCTRL. This resolves cookie-blocking issues, improves security posture, and is Supabase's recommended approach. Applies to GitHub OAuth and any future providers (Google, GitLab). (ChatGPT — OAuth Debug Session) | Decision | High | Resolved | Auth / OAuth | | 2 months ago |
| **Login cancel and retry creates broken auth state.** When a user clicks "Login with GitHub", cancels on the GitHub authorization screen, and then tries again immediately, the app enters a broken state. The Supabase OAuth state token has already been consumed or expired and the retry fails with a 400. User must hard refresh. (ChatGPT — OAuth Debug Session) | Bug Note | Medium | Open | Auth / OAuth | | 2 months ago |
| **Selective cookie blocking breaks GitHub OAuth callback.** Users with strict browser cookie settings (Firefox Enhanced Tracking Protection, Brave Shields) fail the GitHub OAuth callback. The session cookie set by Supabase during the OAuth handshake is blocked as a third-party cookie, causing a silent redirect loop back to /login. Requires domain-matching fix or first-party cookie workaround. (ChatGPT — OAuth Debug Session) | Bug Note | High | In Progress | Auth / OAuth | | 2 months ago |