
supabase / auth / 23904213312
69%

Build:
DEFAULT BRANCH: master
Ran 02 Apr 2026 02:05PM UTC
Jobs 1
Files 186
Run time 1min

02 Apr 2026 02:00PM UTC coverage: 69.148% (+0.006%) from 69.142%

push

github

web-flow
feat: add PKCE support for `/resend` (#2401)

## What kind of change does this PR introduce?

Bug fix

## What is the current behavior?

The `/resend` endpoint hardcodes `models.ImplicitFlow` for both `signup`
and `email_change` verification types
([#42527](https://github.com/supabase/supabase/issues/42527)). This
means resent confirmation emails always use the implicit flow —
redirecting with tokens in the URL hash fragment (`#access_token=...`) —
even when the original `signUp()` used PKCE.

This creates an inconsistency where:
- Initial signup email: `https://example.com/auth/confirm?code=xxx`
(PKCE, works with server routes)
- Resent email: `https://example.com/auth/confirm#access_token=xxx`
(implicit, requires client-side handling)

Server-side route handlers (e.g., Next.js `route.ts`) cannot read hash
fragments, forcing developers to implement workarounds with client
components and dual flow handling.

Closes #42527

## What is the new behavior?

The `/resend` endpoint now accepts optional `code_challenge` and
`code_challenge_method` parameters for `signup` and `email_change`
types. When provided, the endpoint:

1. Determines the flow type from `code_challenge` (PKCE if present,
implicit if absent)
2. Creates a `FlowState` record for PKCE flows (needed by `/verify` to
issue an auth code)
3. Passes the correct flow type to `sendConfirmation` /
`sendEmailChange`

This produces confirmation emails with `?code=...` query params instead
of `#access_token=...` hash fragments, consistent with the initial
signup flow.

When `code_challenge` is not provided, behavior is **unchanged** —
implicit flow is used, maintaining full backward compatibility.

**Changes:**
- `internal/api/resend.go`: Added `CodeChallenge` and
`CodeChallengeMethod` fields to `ResendConfirmationParams`. Added PKCE
param validation for email-based types. Replaced hardcoded
`ImplicitFlow` with flow-aware logic for `signup` and `email_change`
cases.
- `internal/api/resend_test.go`: Adde... (continued)

13 of 17 new or added lines in 1 file covered. (76.47%)

16462 of 23807 relevant lines covered (69.15%)

80.12 hits per line

New Missed Lines in Diff

Lines | Coverage | ∆ | File
4 | 59.85 | 1.37% | internal/api/resend.go
Jobs
ID | Job ID | Ran | Files | Coverage
1 | 23904213312.1 | 02 Apr 2026 02:05PM UTC | 186 | 69.15
  • 2af904a2 on github