supabase / supabase-flutter / 27371060468
85%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 72
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 81.111% (+0.05%) from 81.058%
27371060468

push

github

web-flow 
fix(auth): update session on email change links in PKCE flow (#1395)

## Description

Fixes #986. `auth.currentUser?.email` still contained the old email
after an email change was confirmed.

### Root cause

`supabase_flutter` defaults to the **PKCE** flow. However, `updateUser`
does not send a `code_challenge` when initiating an email change (unlike
`resetPasswordForEmail`), so GoTrue returns an **implicit-style**
confirmation link with the tokens in the URL fragment
(`#access_token=...&type=email_change`), not a PKCE `code`.

Both the deep-link detector and `getSessionFromUrl` gated their behavior
on the *configured* flow type:

- `SupabaseAuth._isAuthCallbackDeeplink` only recognized an
`access_token` fragment when the flow was `implicit`, so for a
PKCE-configured client the email-change link was ignored entirely and
`getSessionFromUrl` was never called.
- `GoTrueClient.getSessionFromUrl` threw
`AuthPKCEGrantCodeExchangeError('No code detected...')` for any
PKCE-flow URL without a `code`, so even if reached it would reject the
token.

The result was that the session was never updated and the stale email
remained.

### Fix

Detect the callback type from the **URL contents** rather than the
configured flow type (matching how `supabase-js` behaves):

- `gotrue`: exchange the code when a `code` is present; otherwise fall
through to implicit token handling. Only throw the PKCE error when there
is neither a `code` nor an `access_token`.
- `supabase_flutter`: recognize the `access_token` / `code` /
`error_description` parameters in both the query and the fragment,
matching them as exact keys rather than substrings, regardless of the
configured flow type. Removed the now-unused `_authFlowType` field.

### Edge-case behavior change to note

A client configured for the `implicit` flow that receives a URL
containing a `code` will now route to `exchangeCodeForSession` (which
requires `asyncStorage`), whereas previously it would fall through to
"No access_token... (continued)

9 of 11 new or added lines in 2 files covered. (81.82%)

1 existing line in 1 file now uncovered.

3620 of 4463 relevant lines covered (81.11%)

3.14 hits per line

Uncovered Changes

Lines Coverage File
1
70.47
 0.22% packages/gotrue/lib/src/gotrue_client.dart
1
63.73
 1.35% packages/supabase_flutter/lib/src/supabase_auth.dart

Coverage Regressions

Lines Coverage File
1
70.47
 0.22% packages/gotrue/lib/src/gotrue_client.dart
Jobs
ID Job ID Ran Files Coverage
1 27371060468.1 72
81.11
 GitHub Action Run
Source Files on build 27371060468