From RFC 9700: Best Current Practice for OAuth 2.0 Security:
4.4. Mix-Up Attacks
Mix-up attacks can occur in scenarios where an OAuth client interacts with two or more authorization servers and at least one authorization server is under the control of the attacker. This can be the case, for example, if the attacker uses dynamic registration to register the client at their own authorization server or if an authorization server becomes compromised.
4.4.2.2. Mix-Up Defense via Distinct Redirect URIs
For this defense, clients MUST use a distinct redirection URI for each issuer they interact with.
Clients MUST check that the authorization response was received from the correct issuer by comparing the distinct redirection URI for the issuer to the URI where the authorization response was received on. If there is a mismatch, the client MUST abort the flow.
Although it is highly unlikely that a provider Supabase Auth supports becomes compromised, it seems trivial for the current codebase to move/alias /auth/v1/callback to /auth/v1/callback/[provider].
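A minimal Go sketch of the RFC 9700 4.4.2.2 check as it would apply to a per-provider callback layout, written here as an added example (it is not Supabase Auth's code). The issuer names, the callback paths, and the in-memory state-to-issuer map are assumptions; a real client would keep that map in a server-side session or a bound cookie.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Added example, not Supabase Auth code. Issuer identifiers and callback
// paths are assumptions chosen to illustrate one distinct redirect URI per
// issuer, in the /auth/v1/callback/[provider] shape proposed above.
var issuerRedirectURIs = map[string]string{
	"https://honest-idp.example":   "https://app.example/auth/v1/callback/honest",
	"https://attacker-idp.example": "https://app.example/auth/v1/callback/attacker",
}

// flowsByState remembers which issuer each authorization request was sent to,
// keyed by the state parameter. Assumed in-memory store for the example.
var flowsByState = map[string]string{}

var (
	ErrUnknownState = errors.New("unknown or already-used state")
	ErrMixUp        = errors.New("mix-up detected: response arrived on a redirect URI that does not belong to the issuer this flow was started with")
)

// BeginFlow records the issuer for a new authorization request and returns the
// redirect_uri the client must send in that request.
func BeginFlow(issuer, state string) (string, error) {
	redirectURI, ok := issuerRedirectURIs[issuer]
	if !ok {
		return "", fmt.Errorf("unknown issuer %q", issuer)
	}
	flowsByState[state] = issuer
	return redirectURI, nil
}

// sameEndpoint compares scheme, host and path only: the query string carries
// the response parameters (code, state) and is not part of the registered URI.
func sameEndpoint(expected, received *url.URL) bool {
	return expected.Scheme == received.Scheme &&
		expected.Host == received.Host &&
		expected.Path == received.Path
}

// VerifyCallback implements the check from RFC 9700 4.4.2.2: the URI the
// authorization response was received on must equal the distinct redirect URI
// of the issuer the flow was started with. On success it returns that issuer,
// so the caller knows whose token endpoint may receive the code.
func VerifyCallback(receivedURI string) (string, error) {
	received, err := url.Parse(receivedURI)
	if err != nil {
		return "", err
	}
	state := received.Query().Get("state")
	issuer, ok := flowsByState[state]
	if !ok {
		return "", ErrUnknownState
	}
	delete(flowsByState, state) // state is single-use
	expected, err := url.Parse(issuerRedirectURIs[issuer])
	if err != nil {
		return "", err
	}
	if !sameEndpoint(expected, received) {
		return "", ErrMixUp
	}
	return issuer, nil
}

func main() {
	// Mix-up: the user started login at the attacker-controlled issuer, which
	// forwarded the user-agent to the honest issuer. The honest issuer's
	// response lands on the honest callback but carries the attacker flow's state.
	BeginFlow("https://attacker-idp.example", "state-1")
	_, err := VerifyCallback("https://app.example/auth/v1/callback/honest?code=abc&state=state-1")
	fmt.Println("mixed-up response:", err) // aborted; code is never sent to the attacker's token endpoint

	// Honest flow: the response arrives on the honest issuer's own callback.
	BeginFlow("https://honest-idp.example", "state-2")
	iss, err := VerifyCallback("https://app.example/auth/v1/callback/honest?code=def&state=state-2")
	fmt.Println("honest response:", iss, err)
}
```

The honest issuer only ever redirects to the URI registered for it, so an attacker cannot steer its response onto the attacker's own callback; the check therefore reduces to "does the path the response arrived on match the path registered for the issuer this state belongs to". With a single shared /auth/v1/callback there is nothing to compare, which is the gap the per-provider path closes.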