Commit 2af904a
authored
feat: add PKCE support for
## What kind of change does this PR introduce?
Bug fix
## What is the current behavior?
The `/resend` endpoint hardcodes `models.ImplicitFlow` for both `signup`
and `email_change` verification types
([#42527](supabase/supabase#42527)). This
means resent confirmation emails always use the implicit flow —
redirecting with tokens in the URL hash fragment (`#access_token=...`) —
even when the original `signUp()` used PKCE.
This creates an inconsistency where:
- Initial signup email: `https://example.com/auth/confirm?code=xxx`
(PKCE, works with server routes)
- Resent email: `https://example.com/auth/confirm#access_token=xxx`
(implicit, requires client-side handling)
Server-side route handlers (e.g., Next.js `route.ts`) cannot read hash
fragments, forcing developers to implement workarounds with client
components and dual flow handling.
Closes #42527
## What is the new behavior?
The `/resend` endpoint now accepts optional `code_challenge` and
`code_challenge_method` parameters for `signup` and `email_change`
types. When provided, the endpoint:
1. Determines the flow type from `code_challenge` (PKCE if present,
implicit if absent)
2. Creates a `FlowState` record for PKCE flows (needed by `/verify` to
issue an auth code)
3. Passes the correct flow type to `sendConfirmation` /
`sendEmailChange`
This produces confirmation emails with `?code=...` query params instead
of `#access_token=...` hash fragments, consistent with the initial
signup flow.
When `code_challenge` is not provided, behavior is **unchanged** —
implicit flow is used, maintaining full backward compatibility.
**Changes:**
- `internal/api/resend.go`: Added `CodeChallenge` and
`CodeChallengeMethod` fields to `ResendConfirmationParams`. Added PKCE
param validation for email-based types. Replaced hardcoded
`ImplicitFlow` with flow-aware logic for `signup` and `email_change`
cases.
- `internal/api/resend_test.go`: Added `TestResendPKCEValidation`
(invalid PKCE params return 400) and `TestResendPKCESuccess` (signup and
email change tokens get `pkce_` prefix when PKCE params are provided).
## Additional context
This is the server-side half of the fix. The JS SDK (`auth-js`) needs a
corresponding update to send `code_challenge` / `code_challenge_method`
in `resend()` calls when `flowType === 'pkce'`, following the same
pattern already used by `signUp()` and `signInWithOtp()`. See [this
PR](supabase/supabase-js#2144)
The implementation mirrors the existing PKCE pattern used across the
codebase (`signup.go`, `user.go`, `recover.go`, `magic_link.go`):
`getFlowFromChallenge` → conditional `generateFlowState` → pass
`flowType` to the email sender./resend (#2401)1 parent 3821290 commit 2af904a
2 files changed
Lines changed: 156 additions & 9 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
12 | 12 | | |
13 | 13 | | |
14 | 14 | | |
15 | | - | |
16 | | - | |
17 | | - | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
18 | 20 | | |
19 | 21 | | |
20 | 22 | | |
21 | 23 | | |
22 | 24 | | |
23 | 25 | | |
24 | | - | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
25 | 31 | | |
26 | 32 | | |
27 | 33 | | |
| |||
121 | 127 | | |
122 | 128 | | |
123 | 129 | | |
124 | | - | |
125 | | - | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
126 | 137 | | |
127 | 138 | | |
128 | 139 | | |
| |||
133 | 144 | | |
134 | 145 | | |
135 | 146 | | |
136 | | - | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
137 | 154 | | |
138 | 155 | | |
139 | 156 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
| 8 | + | |
8 | 9 | | |
9 | 10 | | |
10 | 11 | | |
| |||
109 | 110 | | |
110 | 111 | | |
111 | 112 | | |
| 113 | + | |
| 114 | + | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
| 155 | + | |
| 156 | + | |
| 157 | + | |
| 158 | + | |
| 159 | + | |
| 160 | + | |
| 161 | + | |
| 162 | + | |
| 163 | + | |
| 164 | + | |
| 165 | + | |
| 166 | + | |
| 167 | + | |
| 168 | + | |
| 169 | + | |
| 170 | + | |
| 171 | + | |
| 172 | + | |
| 173 | + | |
| 174 | + | |
112 | 175 | | |
113 | 176 | | |
114 | 177 | | |
| |||
150 | 213 | | |
151 | 214 | | |
152 | 215 | | |
153 | | - | |
154 | | - | |
| 216 | + | |
155 | 217 | | |
156 | 218 | | |
157 | 219 | | |
| |||
215 | 277 | | |
216 | 278 | | |
217 | 279 | | |
| 280 | + | |
| 281 | + | |
| 282 | + | |
| 283 | + | |
| 284 | + | |
| 285 | + | |
| 286 | + | |
| 287 | + | |
| 288 | + | |
| 289 | + | |
| 290 | + | |
| 291 | + | |
| 292 | + | |
| 293 | + | |
| 294 | + | |
| 295 | + | |
| 296 | + | |
| 297 | + | |
| 298 | + | |
| 299 | + | |
| 300 | + | |
| 301 | + | |
| 302 | + | |
| 303 | + | |
| 304 | + | |
| 305 | + | |
| 306 | + | |
| 307 | + | |
| 308 | + | |
| 309 | + | |
| 310 | + | |
| 311 | + | |
| 312 | + | |
| 313 | + | |
| 314 | + | |
| 315 | + | |
| 316 | + | |
| 317 | + | |
| 318 | + | |
| 319 | + | |
| 320 | + | |
| 321 | + | |
| 322 | + | |
| 323 | + | |
| 324 | + | |
| 325 | + | |
| 326 | + | |
| 327 | + | |
| 328 | + | |
| 329 | + | |
| 330 | + | |
| 331 | + | |
| 332 | + | |
| 333 | + | |
| 334 | + | |
| 335 | + | |
| 336 | + | |
| 337 | + | |
| 338 | + | |
| 339 | + | |
| 340 | + | |
| 341 | + | |
| 342 | + | |
| 343 | + | |
| 344 | + | |
| 345 | + | |
| 346 | + | |
| 347 | + | |
0 commit comments