9f65e3d415
* fix(auth): handle OAuth callback errors on desktop deeplink (#4881) The Tauri deeplink OAuth handler only parsed the URL hash for an access_token, so error callbacks were silently swallowed and the login screen froze with no feedback. This is how an expired Apple provider secret (GoTrue "Unable to exchange external code") surfaced to users as a dead login screen on macOS and Linux. Extract a pure, tested parseOAuthCallbackUrl() that reads both the hash (implicit-flow tokens) and the query string (provider/GoTrue errors), and route errors to /auth/error before the token branch, matching the web callback page. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * chore(scripts): add Apple client secret generator (#4881) Apple caps the "Sign in with Apple" client secret JWT at 6 months, so the web OAuth flow (macOS non-store and Linux) breaks with "Unable to exchange external code" when it expires. This script regenerates the ES256 JWT using Node built-in crypto (no new dependency) for pasting into the Supabase Apple provider config. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>