
g14wxz/pkce-auth-flow

Enforces PKCE-based OAuth code flow replacing implicit auth flows for modern Supabase auth.

Score: 100

Quality: 100% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Passed (No known issues)


rules/pkce-auth-rules.md

PKCE Auth Rules

FATAL Constraints

  • NEVER use implicit auth flow (flowType: 'implicit'). HALT immediately if detected.
  • NEVER store auth tokens in localStorage, sessionStorage, or URL hash fragments.
  • NEVER exchange authorization codes on the client side. The code-to-session exchange MUST happen server-side.
  • NEVER parse access_token from window.location.hash or URL fragments.
  • HALT if supabase-mcp-verification is not installed or not passing.
  • Incompatible with supabase/implicit-auth-flow. HALT if that tile is installed.

Mandatory Behaviors

  • MUST set flowType: 'pkce' on every Supabase client auth configuration.
  • MUST implement a server-side callback route that calls supabase.auth.exchangeCodeForSession(code).
  • MUST use @supabase/ssr for cookie-based session management with secure, HTTP-only cookies.
  • MUST implement middleware that calls supabase.auth.getUser() to refresh sessions on each server request.
  • MUST remove all implicit flow artifacts: hash-based token parsing, fragment-based onAuthStateChange listeners, and localStorage token reads.
  • MUST synchronize tokens exclusively via secure HTTP-only cookies between client and server.
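As an added example (not part of this tile or of Supabase), a small static checker that enforces the FATAL constraints and mandatory behaviors above on project source files: it flags implicit-flow artifacts and reports which PKCE behaviors are missing. The client-file heuristic and the audited file contents are assumptions constructed for the demonstration.

```javascript
// Added example (not part of the Tessl tile or Supabase): a static checker that
// enforces the rules above. Audited files below are constructed samples.
const FORBIDDEN = [
  { id: 'implicit-flow',   re: /flowType\s*:\s*['"]implicit['"]/ },
  { id: 'hash-token',      re: /(window\.)?location\.hash/ },
  { id: 'web-storage',     re: /\b(localStorage|sessionStorage)\.(get|set)Item\(\s*['"][^'"]*token/i },
  { id: 'client-exchange', re: /exchangeCodeForSession\s*\(/, clientOnly: true }, // allowed server-side
];
const REQUIRED = [
  { id: 'pkce-flow',          re: /flowType\s*:\s*['"]pkce['"]/ },
  { id: 'server-exchange',    re: /exchangeCodeForSession\s*\(/, serverOnly: true },
  { id: 'ssr-cookies',        re: /from\s+['"]@supabase\/ssr['"]/ },
  { id: 'middleware-getuser', re: /auth\.getUser\s*\(/ },
];
// Assumed convention (not from the tile): client code = path contains 'client' or 'use client' directive.
const isClientFile = (path, src) => /client/i.test(path) || /['"]use client['"]/.test(src);

function auditFile(path, source) {
  const client = isClientFile(path, source);
  const violations = FORBIDDEN
    .filter((r) => (client || !r.clientOnly) && r.re.test(source))
    .map((r) => `${path}: ${r.id}`);
  const satisfied = REQUIRED
    .filter((r) => !(client && r.serverOnly) && r.re.test(source))
    .map((r) => r.id);
  return { violations, satisfied };
}

// HALT semantics from the rules: any violation or any missing behavior fails the audit.
function auditProject(files) {
  const reports = Object.entries(files).map(([p, s]) => auditFile(p, s));
  const violations = reports.flatMap((r) => r.violations);
  const present = new Set(reports.flatMap((r) => r.satisfied));
  const missing = REQUIRED.map((r) => r.id).filter((id) => !present.has(id));
  return { ok: violations.length === 0 && missing.length === 0, violations, missing };
}

// Constructed samples: an implicit-flow client vs. a PKCE + @supabase/ssr layout.
const IMPLICIT_PROJECT = {
  'lib/supabase-client.js': `createClient(URL, KEY, { auth: { flowType: 'implicit' } });
    const t = new URLSearchParams(window.location.hash.slice(1)).get('access_token');
    localStorage.setItem('sb-access-token', t); await supabase.auth.exchangeCodeForSession(code);`,
};
const PKCE_PROJECT = {
  'utils/supabase/server.js': `import { createServerClient } from '@supabase/ssr';
    createServerClient(URL, KEY, { auth: { flowType: 'pkce' }, cookies: { getAll, setAll } });`,
  'app/auth/callback/route.js': `const code = new URL(request.url).searchParams.get('code');
    await supabase.auth.exchangeCodeForSession(code);`,
  'middleware.js': `const { data: { user } } = await supabase.auth.getUser();`,
};
```

Running `auditProject` over a real tree means reading each file into the `files` map; a non-`ok` result is the point at which the tile's HALT applies.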

tile.json