supabase / supabase-flutter / 28227073552
86%

Ran 26 Jun 2026 08:39AM UTC

Jobs 8

Files 80

Run time 1min

Badge

Committed 26 Jun 2026 08:37AM UTC coverage: 85.559% (+0.1%) from 85.464%

Build # 28227073552

Build Type

push

github

Committed by

Commit Message

fix(gotrue): avoid duplicate auth error on recoverSession with invalid refresh token (#1450)

Fixes the long-standing reports of `AuthException(message: Invalid
Refresh Token: Refresh Token Not Found, statusCode: 400)` surfacing as
an uncaught error (often seen in Sentry).

When `recoverSession` restores a persisted session whose refresh token
is invalid or expired, the refresh goes through `_callRefreshToken` ->
`_executeRefresh`. For a non-retryable `AuthException` (like "Refresh
Token Not Found"), `_executeRefresh` already does the right thing: it
removes the session and emits a `signedOut` event, deliberately **not**
calling `notifyException`.

The problem was that `recoverSession`'s blanket `catch` then called
`notifyException(error, stackTrace)` a **second time**, pushing the
`AuthException` onto the `onAuthStateChange` stream. For an expected
condition (a rotated, expired, or revoked token at app startup),
consumers listening to `onAuthStateChange` without an `onError` handler
get an uncaught async error. That is what those Sentry reports were.

Notification in `recoverSession` is now explicit per path instead of a
catch-all re-notify:

- The refresh-token path defers entirely to `_callRefreshToken` /
`_executeRefresh`, the single owner of that outcome (`signedOut` for an
invalid token, an exception for a retryable failure). No more duplicate
stream error.
- Genuinely unexpected parse failures (corrupt JSON) are still notified.
- The explicit "missing data" and "Session expired" (`autoRefreshToken:
false`) notifications are preserved unchanged.

- Updated `Sign out on wrong refresh token` to assert the invalid-token
path surfaces **only** a `signedOut` event and never a stream error,
while still throwing to the direct caller.
- Verified the unaffected `autoRefreshToken: false` path still emits its
exception (`supabase_flutter` "emits exception when no auto refresh"
still passes).

Coverage Stats

29 of 31 new or added lines in 1 file covered. (93.55%)

71 existing lines in 1 file now uncovered.

4100 of 4792 relevant lines covered (85.56%)

3.65 hits per line

Uncovered Changes

Lines	Coverage	∆	File
2	73.26	0.74%	packages/gotrue/lib/src/gotrue_client.dart

Coverage Regressions

Lines	Coverage	∆	File
71	73.26	0.74%	packages/gotrue/lib/src/gotrue_client.dart

Jobs

ID	Job ID	Ran	Files	Coverage
6	supabase_flutter - 28227073552.6	26 Jun 2026 08:40AM UTC	11	77.52	GitHub Action Run
7	gotrue - 28227073552.7	26 Jun 2026 08:41AM UTC	26	84.31	GitHub Action Run
8	supabase - 28227073552.8	26 Jun 2026 08:39AM UTC	15	81.99	GitHub Action Run
4	functions_client - 27986095786.4	22 Jun 2026 09:45PM UTC	2	97.14	GitHub Action Run
7	yet_another_json_isolate - 27986095786.7	22 Jun 2026 09:45PM UTC	1	79.03	GitHub Action Run
8	realtime_client - 28190414303.8	25 Jun 2026 06:08PM UTC	11	88.5	GitHub Action Run
5	storage_client - 28160249676.5	25 Jun 2026 09:26AM UTC	5	92.97	GitHub Action Run
7	postgrest - 28160249676.7	25 Jun 2026 09:26AM UTC	9	84.05	GitHub Action Run

Source Files on build 28227073552