chore: restrict Supabase audience to string

[gentamura]

Summary

• restrict to a single string
• drop runtime array normalization in supabase auth provider

Testing

• bun run lint
• bun test

Summary by CodeRabbit

• Breaking Changes

  • Supabase authentication's audience parameter now only accepts string values instead of string or array formats.

• Refactor

  • Simplified internal audience handling in Supabase authentication by removing intermediate normalization steps.

[coderabbitai]

Walkthrough

Supabase authentication audience handling simplified by narrowing the audience type from string | readonly string[] to string and removing the normalizeAudience helper function, eliminating type conversion logic from the authentication flow.

Changes

Cohort / File(s)	Summary
Audience type narrowing and normalization removal packages/types/src/authentication.ts, packages/auth/src/authentication/supabase.ts	Type definition narrowed to accept only string values instead of string or array. Helper function normalizeAudience removed; audience now used directly without conversion or normalization step.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify no remaining code references to the removed normalizeAudience function
• Confirm all consumers of SupabaseAuthenticationOptions.audience are updated for the narrowed type
• Check downstream audience verification logic handles string-only values correctly

Poem

🐰 One audience, no more arrays to bind,
Normalization vanished—simpler design!
Types now strict, clarity takes the stage,
A cleaner path, a simpler page.

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'chore: restrict Supabase audience to string' clearly and directly describes the main change in the changeset. The title accurately reflects the primary modifications: restricting the SupabaseAuthenticationOptions audience type from 'string | readonly string[]' to just 'string', and removing the normalizeAudience helper function that handled array normalization. The title is specific, concise, and conveys the exact nature of the restriction being implemented.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/auth-audience-string-only

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6ca7ac0 and 1069095.

📒 Files selected for processing (2)

• packages/auth/src/authentication/supabase.ts (1 hunks)
• packages/types/src/authentication.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

packages/*/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/*/src/**/*.{ts,tsx}: Avoid implicit any; TypeScript is run with strict enabled
Prefer type guards or the satisfies operator over as casts where appropriate
Prefer unknown for external inputs
Use PascalCase for types and enums
Use camelCase for variables and functions
Ensure source comments are written in English

Files:

• packages/auth/src/authentication/supabase.ts
• packages/types/src/authentication.ts

packages/auth/src/authentication/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Place runtime-specific authentication adapters under packages/auth/src/authentication/ (e.g., header.ts, supabase.ts, shared utilities, errors.ts)

Files:

• packages/auth/src/authentication/supabase.ts

packages/auth/src/authentication/**/*.ts

📄 CodeRabbit inference engine (AGENTS.md)

Extend Supabase JWT verification (createSupabaseAuthentication using .well-known/jwks.json) only via dedicated modules to keep caching and claim validation centralized

Files:

• packages/auth/src/authentication/supabase.ts

🧠 Learnings (3)

📓 Common learnings

Learnt from: CR
Repo: listee-dev/listee-libs PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-10-02T12:40:33.718Z
Learning: Applies to packages/auth/src/authentication/**/*.ts : Extend Supabase JWT verification (createSupabaseAuthentication using .well-known/jwks.json) only via dedicated modules to keep caching and claim validation centralized

Learnt from: CR
Repo: listee-dev/listee-libs PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-10-02T12:40:33.718Z
Learning: Applies to packages/auth/src/authentication/**/*.{ts,tsx} : Place runtime-specific authentication adapters under packages/auth/src/authentication/ (e.g., header.ts, supabase.ts, shared utilities, errors.ts)

📚 Learning: 2025-10-02T12:40:33.718Z

Learnt from: CR
Repo: listee-dev/listee-libs PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-10-02T12:40:33.718Z
Learning: Applies to packages/auth/src/authentication/**/*.ts : Extend Supabase JWT verification (createSupabaseAuthentication using .well-known/jwks.json) only via dedicated modules to keep caching and claim validation centralized

Applied to files:

• packages/auth/src/authentication/supabase.ts
• packages/types/src/authentication.ts

📚 Learning: 2025-10-02T12:40:33.718Z

Learnt from: CR
Repo: listee-dev/listee-libs PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-10-02T12:40:33.718Z
Learning: Applies to packages/auth/src/authentication/**/*.{ts,tsx} : Place runtime-specific authentication adapters under packages/auth/src/authentication/ (e.g., header.ts, supabase.ts, shared utilities, errors.ts)

Applied to files:

• packages/auth/src/authentication/supabase.ts
• packages/types/src/authentication.ts

🔇 Additional comments (4)

packages/auth/src/authentication/supabase.ts (3)

56-56: LGTM! Direct usage aligns with simplified type.

The removal of normalizeAudience is correct since options.audience is now guaranteed to be string | undefined. The direct assignment is cleaner and eliminates unnecessary runtime type conversion.

---

72-74: Correct usage of simplified audience option.

The conditional assignment appropriately handles the optional audience parameter. When provided, jose's jwtVerify will verify that the JWT's aud claim matches this value.

---

115-116: Payload audience normalization remains correctly in place.

This normalization handles the JWT payload's aud claim (which can be string | string[] per RFC 7519), separate from the removed normalizeAudience helper that was for options.audience. This logic is still necessary and correct.

packages/types/src/authentication.ts (1)

24-24: The type restriction appears to have no incompatible usages in the codebase.

The search found no instances of audience being passed as an array across the codebase. All usages in packages/auth/src/authentication/supabase.ts and its tests consistently use string audiences. While this is technically a breaking change if external consumers were using array audiences, no such usage was detected within the repository.

However, since SupabaseAuthenticationOptions is exported as a public API type from @listee/types, potential external consumers cannot be verified from the codebase search alone. The change should still be treated as breaking for any consumers outside this repository.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}