feat: adds cookies.encode option allowing minimal cookie sizes

package.json

@@ -33,7 +33,7 @@
   "homepage": "https://github.com/supabase/ssr#readme",
   "devDependencies": {
     "@eslint/js": "^9.3.0",
-    "@supabase/supabase-js": "^2.43.4",
+    "@supabase/supabase-js": "^2.56.0",
     "@vitest/coverage-v8": "^1.6.0",
     "eslint": "^8.57.0",
     "prettier": "^3.2.5",

src/createBrowserClient.ts

@@ -141,6 +141,13 @@
       detectSessionInUrl: isBrowser(),
       persistSession: true,
       storage,
+      ...(options?.cookies &&
+      "encode" in options.cookies &&
+      options.cookies.encode === "tokens-only"
+        ? {
+            userStorage: options?.auth?.userStorage ?? window.localStorage,
+          }
+        : null),
     },
   });
 

src/createServerClient.ts

@@ -12,6 +12,7 @@
   CookieMethodsServer,
   CookieMethodsServerDeprecated,
 } from "./types";
+import { memoryLocalStorageAdapter } from "./utils/helpers";
 
 /**
  * @deprecated Please specify `getAll` and `setAll` cookie methods instead of
@@ -170,6 +171,14 @@
       detectSessionInUrl: false,
       persistSession: true,
       storage,
+      ...(options?.cookies &&
+      "encode" in options.cookies &&
+      options.cookies.encode === "tokens-only"
+        ? {
+            userStorage:
+              options?.auth?.userStorage ?? memoryLocalStorageAdapter(),
+          }
+        : null),
     },
   });
 

src/types.ts

@@ -33,6 +33,15 @@ export type CookieMethodsBrowserDeprecated = {
 };
 
 export type CookieMethodsBrowser = {
+  /**
+   * If set to true, only the user's session (access and refresh tokens) will be encoded in cookies. The user object will be encoded in local storage if the `userStorage` option is not provided when creating the client.
+   *
+   * You should keep this option the same between `createBrowserClient()` and `createServerClient()`. When set to `tokens-only` accessing the `user` property on the data returned from `getSession()` will only be possible if the user has already been stored in the separate storage. It's best to use `getClaims()` instead to avoid surprizes.
+   *
+   * @expermental
+   */
+  encode?: "user-and-tokens" | "tokens-only";
+
   getAll: GetAllCookies;
   setAll: SetAllCookies;
 };
@@ -44,6 +53,15 @@ export type CookieMethodsServerDeprecated = {
 };
 
 export type CookieMethodsServer = {
+  /**
+   * If set to `tokens-only`, only the user's access and refresh tokens will be encoded in cookies. The user object will be encoded in memory if the `userStorage` option is not provided when creating the client. Unset value defaults to `user-and-tokens`.
+   *
+   * You should keep this option the same between `createBrowserClient()` and `createServerClient()`. When set to `tokens-only` accessing the `user` property on the data returned from `getSession()` will not be possible. Use `getUser()` or preferably `getClaims()` instead.
+   *
+   * @experimental
+   */
+  encode?: "user-and-tokens" | "tokens-only";
+
   getAll: GetAllCookies;
   setAll?: SetAllCookies;
 };

src/utils/helpers.ts

@@ -51,3 +51,25 @@ export function isBrowser() {
     typeof window !== "undefined" && typeof window.document !== "undefined"
   );
 }
+
+/**
+ * Returns a localStorage-like object that stores the key-value pairs in
+ * memory.
+ */
+export function memoryLocalStorageAdapter(
+  store: { [key: string]: string } = {},
+) {
+  return {
+    getItem: (key: string) => {
+      return store[key] || null;
+    },
+
+    setItem: (key: string, value: string) => {
+      store[key] = value;
+    },
+
+    removeItem: (key: string) => {
+      delete store[key];
+    },
+  };
+}