ci(docs): bump linter + expand linting to auth section (supabase#30704)

.github/workflows/docs-lint-v2.yml

@@ -28,10 +28,10 @@ jobs:
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
-          key: e23c860111349d8bac17b78b1fe632afe84223f9
+          key: 2d535367b06fe62354035464cf8334929bafca85
       - name: install linter
         if: steps.cache-cargo.outputs.cache-hit != 'true'
-        run: cargo install --locked --git https://github.com/supabase-community/supa-mdx-lint --rev e23c860111349d8bac17b78b1fe632afe84223f9
+        run: cargo install --locked --git https://github.com/supabase-community/supa-mdx-lint --rev 2d535367b06fe62354035464cf8334929bafca85
       - name: install reviewdog
         uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
         with:
@@ -41,4 +41,4 @@ jobs:
           REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -o pipefail
-          supa-mdx-lint apps/docs/content/guides/getting-started apps/docs/content/guides/ai --format rdf | reviewdog -f=rdjsonl -reporter=github-pr-review
+          supa-mdx-lint apps/docs/content/guides/getting-started apps/docs/content/guides/ai apps/docs/content/guides/auth --format rdf | tee >(cat) | reviewdog -f=rdjsonl -reporter=github-pr-review

apps/docs/content/guides/api/sql-to-api.mdx

@@ -30,7 +30,7 @@ const { data, error } = await supabase
   .limit(20)
 ```
 
-## Select statement with complex Boolean Logic clause
+## Select statement with complex Boolean logic clause
 
 Select all columns from a single table with a complex where clause: OR AND OR
 

apps/docs/content/guides/auth/auth-anonymous.mdx

@@ -102,7 +102,7 @@ response = supabase.auth.sign_in_anonymously()
 
 Converting an anonymous user to a permanent user requires [linking an identity](/docs/guides/auth/auth-identity-linking#manual-linking-beta) to the user. This requires you to [enable manual linking](/dashboard/project/_/settings/auth) in your Supabase project.
 
-### Link an Email / Phone identity
+### Link an email / phone identity
 
 <Tabs
   scrollable

apps/docs/content/guides/auth/auth-email-passwordless.mdx

@@ -146,7 +146,7 @@ const { error } = await supabase.auth.verifyOtp({ token_hash, type })
 
 Email one-time passwords (OTP) are a form of passwordless login where users key in a six digit code sent to their email address to log in to their accounts.
 
-### Enabling Email OTP
+### Enabling email OTP
 
 Email authentication methods, including Email OTPs, are enabled by default.
 
@@ -162,7 +162,7 @@ Modify the template to include the `{{ .Token }}` variable, for example:
 
 By default, a user can only request an OTP once every <SharedData data="config">auth.rate_limits.otp.period</SharedData> and they expire after <SharedData data="config">auth.rate_limits.otp.validity</SharedData>. This is configurable via `Auth > Providers > Email > Email OTP Expiration`. An expiry duration of more than 86400 seconds (one day) is disallowed to guard against brute force attacks. The longer an OTP remains valid, the more time an attacker has to attempt brute force attacks. If the OTP is valid for several days, an attacker might have more opportunities to guess the correct OTP through repeated attempts.
 
-### Signing in with Email OTP
+### Signing in with email OTP
 
 #### Step 1: Send the user an OTP code
 

apps/docs/content/guides/auth/auth-email-templates.mdx

@@ -29,7 +29,7 @@ The templating system provides the following variables for use:
 
 On hosted Supabase projects, edit your email templates on the [Email Templates](/dashboard/project/_/auth/templates) page. On self-hosted projects or in local development, edit your [configuration files](/docs/guides/local-development/customizing-email-templates).
 
-## Mobile Deep Linking
+## Mobile deep linking
 
 For mobile applications, you might need to link or redirect to a specific page within your app. See the [Mobile Deep Linking guide](/docs/guides/auth/native-mobile-deep-linking) to set this up.
 

apps/docs/content/guides/auth/auth-helpers/auth-ui.mdx

@@ -478,7 +478,7 @@ Setting `showLinks` to `false` will hide the following links:
 - Send a magic link email
 - Forgot your password?
 
-### Sign in and Sign up views
+### Sign in and sign up views
 
 Add `sign_in` or `sign_up` views with the `view` prop:
 

apps/docs/content/guides/auth/auth-hooks.mdx

@@ -46,7 +46,7 @@ A HTTP Hook is an endpoint which takes in a JSON event payload and returns a JSO
 </TabPanel>
 </Tabs>
 
-## Security Model
+## Security model
 
 Sign the payload and grant permissions selectively in order to guard the integrity of the payload.
 
@@ -261,7 +261,7 @@ Note that payloads are sent uncompressed in order to accurately track Content Le
 
 In the dashboard, navigate to [`Authentication > Hooks`](/dashboard/project/_/auth/hooks) and select the appropriate function type (SQL or HTTP) from the dropdown menu.
 
-### Error Handling
+### Error handling
 
 You should return an error when facing a runtime error. Runtime errors are specific to your application and arise from specific business rules rather than programmer errors.
 

apps/docs/content/guides/auth/auth-hooks/send-email-hook.mdx

@@ -6,7 +6,7 @@ subtitle: 'Use a custom email provider to send authentication messages'
 
 The Send Email Hook runs before an email is sent and allows for flexibility around email sending. You can use this hook to configure a back-up email provider or add internationalization to your emails.
 
-## Email Sending Behavior
+## Email sending behavior
 
 Email sending depends on two settings: Email Provider and Auth Hook status.
 

apps/docs/content/guides/auth/auth-mfa/phone.mdx

@@ -306,7 +306,7 @@ function AuthMFA() {
   the background automatically and finally call the `onSuccess` callback, which
   will show the authenticated `App` component on screen.
 
-### Security Configuration
+### Security configuration
 
 Each code is valid for up to 5 minutes, after which a new one can be sent. Successive codes remain valid until expiry. When possible choose the longest code length acceptable to your use case, at a minimum of 6. This can be configured in the [Authentication Settings](/dashboard/project/_/settings/auth).
 

apps/docs/content/guides/auth/debugging/error-codes.mdx

@@ -5,11 +5,11 @@ description: 'Supabase Auth Error Codes'
 subtitle: 'Learn about the Auth error codes and how to resolve them'
 ---
 
-## Auth Error Codes
+## Auth error codes
 
 Supabase Auth can return various errors when using its API. This guide explains how to handle these errors effectively across different programming languages.
 
-## Error Types
+## Error types
 
 Supabase Auth errors are generally categorized into two main types:
 
@@ -73,10 +73,12 @@ All instances and subclasses of a `AuthRestException` have a `errorCode` propert
 
 </Tabs>
 
-## HTTP Status Codes
+## HTTP status codes
 
 Below are the most common HTTP status codes you might encounter, along with their meanings in the context of Supabase Auth:
 
+{/* supa-mdx-lint-disable Rule001HeadingCase */}
+
 ### [403 Forbidden](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403)
 
 Sent out in rare situations where a certain Auth feature is not available for the user, and you as the developer are not checking a precondition whether that API is available for the user.
@@ -97,13 +99,15 @@ Indicate that the Auth server's service is degraded. Most often it points to iss
 
 Sent out when a feature is not enabled on the Auth server, and you are trying to use an API which requires it.
 
-The following table provides a comprehensive list of error codes you may encounter when working with Supabase Auth. Each error code is associated with a specific issue and includes a description to help you understand and resolve the problem efficiently.
+{/* supa-mdx-lint-enable Rule001HeadingCase */}
 
-## Auth Error Codes Table
+## Auth error codes table
+
+The following table provides a comprehensive list of error codes you may encounter when working with Supabase Auth. Each error code is associated with a specific issue and includes a description to help you understand and resolve the problem efficiently.
 
 <AuthErrorCodesTable />
 
-## Best Practices for Error Handling
+## Best practices for error handling
 
 - Always use `error.code` and `error.name` to identify errors, not string matching on error messages.
 - Avoid relying solely on HTTP status codes, as they may change unexpectedly.

apps/docs/content/guides/auth/native-mobile-deep-linking.mdx

@@ -11,7 +11,7 @@ Many Auth methods involve a redirect to your app. For example:
 
 With Deep Linking, you can configure this redirect to open a specific page. This is necessary if, for example, you need to display a form for password reset, or to manually exchange a token hash.
 
-## Setting up Deep Linking
+## Setting up deep linking
 
 <Tabs
   scrollable

apps/docs/content/guides/auth/phone-login.mdx

@@ -15,7 +15,7 @@ Phone OTP login can:
 
 <CostWarning />
 
-## Enabling Phone Login
+## Enabling phone login
 
 Enable phone authentication on the [Auth Providers page](/dashboard/project/_/auth/providers) for hosted Supabase projects.
 

apps/docs/content/guides/auth/redirect-urls.mdx

@@ -100,7 +100,7 @@ For mobile applications you can use deep linking URIs. For example, for your `SI
 
 Read more about deep linking and find code examples for different frameworks [here](/docs/guides/auth/native-mobile-deep-linking).
 
-## Error Handling
+## Error handling
 
 When authentication fails, the user will still be redirected to the redirect URL provided. However, the error details will be returned as query fragments in the URL. You can parse these query fragments and show a custom error message to the user. For example:
 

apps/docs/content/guides/auth/server-side/advanced-guide.mdx

@@ -38,6 +38,8 @@ To improve experience for your users, we recommend redirecting users to one spec
 
 This is not necessary. Both the access token and refresh token are designed to be passed around to different components in your application. The browser-based side of your application needs access to the refresh token to properly maintain a browser session anyway.
 
+{/* supa-mdx-lint-disable-next-line Rule001HeadingCase */}
+
 ### My server is getting invalid refresh token errors. What's going on?
 
 It is likely that the refresh token sent from the browser to your server is stale. Make sure the `onAuthStateChange` listener callback is free of bugs and is registered relatively early in your application's lifetime

apps/docs/content/guides/auth/sessions.mdx

@@ -119,7 +119,7 @@ When a user signs out, the sessions affected by the logout are removed from the
 
 Note that sessions are not proactively terminated when their maximum lifetime (time-box) or inactivity timeout are reached. These sessions are cleaned up progressively 24 hours after reaching that status. This allows you to tweak the values or roll back changes without causing unintended user friction.
 
-### Can I use HTTP-Only cookies to store the access and refresh tokens?
+### Can I use HTTP-only cookies to store the access and refresh tokens?
 
 This is possible, but only for apps that use the traditional server-only web app approach where all of the application logic is implemented on the server and it returns rendered HTML only.
 

apps/docs/content/guides/auth/third-party/aws-cognito.mdx

@@ -140,7 +140,7 @@ user_pool_id = "<id>"
 user_pool_region = "<region>"
 ```
 
-## Use a Pre-Token Generation Trigger to assign the authenticated role
+## Use a pre-token generation trigger to assign the authenticated role
 
 Your Supabase project inspects the `role` claim present in all JWTs sent to it, to assign the correct Postgres role when using the Data API, Storage or Realtime authorization.
 

supa-mdx-lint.config.toml

@@ -6,30 +6,66 @@ ignore_patterns = ["**/_*.mdx"]
 # Can also specify a regex that is compatible with the [Rust regex crate](https://docs.rs/regex/latest/regex/).
 may_uppercase = [
     "[A-Z0-9]{2,5}",
+    "APIs",
     "Android",
     "Angular",
     "Apple",
     "Auth",
+    "Auth0",
+    "Auth0 Actions?",
+    "Azure",
+    "Azure Developers?",
+    "Bitbucket",
+    "Boolean",
+    "Captcha",
     "ChatGPT",
+    "Chrome",
+    "Code Exchange",
     "Content Delivery Network",
     "Dart",
+    "Discord",
     "Edge Functions?",
+    "Expo",
+    "Facebook",
+    "Facebook Developers?",
+    "Figma",
+    "Figma Developers?",
+    "Firebase",
+    "Firebase Authentication",
     "Flutter",
+    "GitHub",
+    "GitHub Actions",
+    "GitLab",
     "GoTrue",
     "Google",
     "GraphQL",
+    "Hooks?",
     "Hugging Face",
     "I",
     "IVFFlat",
+    "Inbucket",
     "Ionic Angular",
     "Ionic React",
     "Ionic Vue",
     "JavaScript",
+    "JWTs",
+    "Kakao",
+    "Kakao Developers?",
+    "Kakao Login",
+    "Keycloak",
     "Kotlin",
+    "Kotlin Multiplatform",
+    "LinkedIn",
+    "LinkedIn Developers?",
+    "Linux",
+    "Magic Link",
     "Navigable Small World",
     "Next.js",
+    "Notion",
     "Nuxt",
+    "OAuth",
     "OpenAI",
+    "Open ID Connect",
     "Poetry",
     "Postgres",
     "PostgreSQL",
@@ -39,23 +75,41 @@ may_uppercase = [
     "React Native",
     "Reciprocal Ranked Fusion",
     "RedwoodJS",
+    "Remix",
     "Retrieval Plugin",
     "Roboflow Inference",
     "Row Level Security",
     "Server-Side Auth",
+    "Server-Side Rendering",
     "Single Sign-On",
+    "Slack",
+    "Slack Developers?",
     "SolidJS",
+    "Spotify",
+    "Spotify Developers?",
     "Supabase",
     "Svelte",
     "SvelteKit",
     "Swift",
     "SwiftUI",
+    "Third-Party Auth",
+    "Twitch",
+    "Twitch Developers?",
+    "Twitter",
+    "Twitter Developers?",
     "TypeScript",
+    "URIs",
+    "URLs",
     "Xcode",
     "Vecs",
     "Vue",
+    "Web",
+    "Windows",
+    "WorkOS",
     "Wrappers",
+    "Zoom",
+    "Zoom Developers?",
 ]
 # Words that may be lowercased even if they are the first word in the sentence.
 # Can also specify a regex that is compatible with the [Rust regex crate](https://docs.rs/regex/latest/regex/).
-may_lowercase = []
+may_lowercase = ["iOS"]