@MuzzaiyyanHussain

Description

Fixes #1792 — Ensures Auth0 and other OIDC providers’ namespaced claims
(e.g. https://example.com/roles) are parsed into user_metadata.

Changes

  • Updated decodeJWT() in helpers.ts to detect and flatten namespaced claims.
  • Added test verifying roles are extracted correctly.

Impact

  • Developers can now access Auth0-style custom claims via user.user_metadata.roles.

Checklist

@MuzzaiyyanHussain MuzzaiyyanHussain requested review from a team as code owners November 12, 2025 08:18
@coveralls

coveralls commented Nov 12, 2025

Coverage Status

coverage: 95.367% (+13.8%) from 81.58%
when pulling 537756b on MuzzaiyyanHussain:fix-auth0-namespaced-claims
into 1371057 on supabase:master.

Contributor

@mandarini mandarini left a comment

Hey @MuzzaiyyanHussain, thanks for the contribution! The idea of supporting Auth0/OIDC namespaced claims is useful. However, there are a few issues with this PR that need to be addressed before it can be merged.

  1. Incorrect Issue Reference

The PR references #1792, but that issue is about "Supabase RPC function silently failing" - an unrelated bug about partial data being returned in Expo apps. Could you either:

  • Link to the correct issue, or
  • Create a new issue describing the Auth0 namespaced claims feature request?

  2. Unrelated Changes Bundled Together

This PR contains changes across multiple packages with different concerns:

| Change | Package | Related to Auth0 Claims? |
|---|---|---|
| Namespaced claim extraction in decodeJWT() | auth-js | ✅ Yes |
| allowExpired logic change in GoTrueClient.ts | auth-js | ❌ No |
| Auto return=representation header | postgrest-js | ❌ No |

Following the https://github.com/supabase/supabase-js/blob/master/CONTRIBUTING.md, each PR should focus on a single concern. Could you split this into separate PRs?

  3. The postgrest-js Change Needs Discussion

The change to automatically add Prefer: return=representation to inserts is a behavioral change that affects all users:

    // This would change default behavior for all insert operations
    if (!this.headers.has('Prefer')) {
      this.headers.append('Prefer', 'return=representation')
    }

This could:

  • Impact performance by returning data when users don't need it
  • Change existing application behavior unexpectedly
  • Potentially be considered a breaking change

If this change is needed, it deserves its own PR with a discussion about the use case and potential impact.

  4. Missing Tests

The checklist mentions "Added unit test" but no test files appear in the diff. Could you include the tests?

  5. Minor Suggestion on Namespace Extraction

The current logic:

    const claimName = key.split('/').pop() || key
    user_metadata[claimName] = value

A few considerations:

  • This could silently overwrite existing user_metadata keys if there's a naming collision
  • Consider preserving the original key as well, or documenting this behavior
  • Maybe add a check: if (!(claimName in user_metadata)) to avoid overwrites?

To sum up, the core feature (Auth0 namespaced claims) is valuable! To get this merged, I'd suggest:

  1. Create a proper issue for the Auth0 claims feature
  2. Split into separate PRs:
    - PR 1: Auth0 namespaced claims support (the helpers.ts change + tests)
    - PR 2: The allowExpired logic change (if needed, with explanation)
    - PR 3: The postgrest-js return=representation change (needs discussion)
  3. Include the test files
  4. Consider edge cases in the namespace extraction logic

Thanks again for contributing! Let me know if you have any questions.
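
The overwrite guard suggested in point 5 of the review, as an added example that is not code from the PR or from supabase-js. The function name, the URL pattern, the unsafe-name list and the sample payload are assumptions made for illustration; the unsafe-name check goes beyond what the review asks for.

```typescript
// Added example; not code from the PR or from supabase-js. All names are hypothetical.
type Claims = Record<string, unknown>
type Skipped = { sourceKey: string; shortName: string; reason: 'collision' | 'unsafe-name' }

// Keys that must never be written from token-controlled input.
const UNSAFE_NAMES = ['__proto__', 'constructor', 'prototype']
// http(s)://host/optional/path/<name>, with an optional trailing slash.
const NAMESPACED = /^https?:\/\/[^\/]+\/(?:.*\/)?([^\/]+)\/?$/

function flattenNamespacedClaims(payload: Claims): { user_metadata: Claims; skipped: Skipped[] } {
  const base = payload['user_metadata']
  const user_metadata: Claims =
    base && typeof base === 'object' && !Array.isArray(base) ? { ...(base as Claims) } : {}
  const skipped: Skipped[] = []

  // Sorted so that, when two namespaces share a short name, the winner is deterministic.
  for (const sourceKey of Object.keys(payload).sort()) {
    const m = sourceKey.match(NAMESPACED)
    if (!m) continue // not a namespaced claim
    const shortName = m[1]
    if (UNSAFE_NAMES.indexOf(shortName) !== -1) {
      skipped.push({ sourceKey, shortName, reason: 'unsafe-name' })
    } else if (Object.prototype.hasOwnProperty.call(user_metadata, shortName)) {
      // First writer wins; the namespaced value stays available under its full key.
      skipped.push({ sourceKey, shortName, reason: 'collision' })
    } else {
      user_metadata[shortName] = payload[sourceKey]
    }
  }
  return { user_metadata, skipped }
}

// Constructed payload (already decoded); values are illustrative only.
const samplePayload: Claims = {
  sub: 'auth0|constructed-user',
  user_metadata: { roles: ['viewer'] },
  'https://example.com/roles': ['admin'],
  'https://example.com/tenant': 'acme',
  'https://other.example/tenant': 'globex',
  'https://example.com/__proto__': { isAdmin: true },
}
const sampleResult = flattenNamespacedClaims(samplePayload)
```

Returning the skipped list lets the caller log or surface collisions, so a namespaced `roles` claim that disagrees with an existing `user_metadata.roles` is visible rather than silently dropped or silently applied.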

@MuzzaiyyanHussain
Author

Closing this PR as discussed, will split the changes into focused PRs
starting with Auth0/OIDC namespaced claims support (with tests).
Thanks for the review and guidance!
