fix(auth): fix verifyOTP parameter validation for OtpType.recovery with tokenHash (#1295)

grdsdev · web-flow · commit 0719e55b6a98 · 2026-01-05T10:09:39.000-03:00
fix(auth): token hash verification
diff --git a/packages/gotrue/lib/src/gotrue_client.dart b/packages/gotrue/lib/src/gotrue_client.dart
@@ -518,17 +518,28 @@ class GoTrueClient {
     String? captchaToken,
     String? tokenHash,
   }) async {
-    assert(
-        ((email != null && phone == null) ||
-                (email == null && phone != null)) ||
-            (tokenHash != null),
-        '`email` or `phone` needs to be specified.');
-    assert(token != null || tokenHash != null,
-        '`token` or `tokenHash` needs to be specified.');
+    // For recovery type with tokenHash, only tokenHash and type are required
+    final isRecoveryWithTokenHash =
+        type == OtpType.recovery && tokenHash != null;
+
+    if (!isRecoveryWithTokenHash) {
+      assert(
+          ((email != null && phone == null) ||
+                  (email == null && phone != null)) ||
+              (tokenHash != null),
+          '`email` or `phone` needs to be specified.');
+      assert(token != null || tokenHash != null,
+          '`token` or `tokenHash` needs to be specified.');
+    } else {
+      // For recovery with tokenHash, email/phone should not be provided
+      assert(email == null && phone == null,
+          'For recovery type with tokenHash, only tokenHash and type should be provided.');
+    }
 
     final body = {
-      if (email != null) 'email': email,
-      if (phone != null) 'phone': phone,
+      // For recovery type with tokenHash, exclude email/phone
+      if (!isRecoveryWithTokenHash && email != null) 'email': email,
+      if (!isRecoveryWithTokenHash && phone != null) 'phone': phone,
       if (token != null) 'token': token,
       'type': type.snakeCase,
       'redirect_to': redirectTo,
diff --git a/packages/gotrue/test/otp_mock_test.dart b/packages/gotrue/test/otp_mock_test.dart
@@ -130,6 +130,41 @@ void main() {
       expect(client.currentUser, isNotNull);
     });
 
+    test('verifyOTP() with recovery type and tokenHash', () async {
+      // Recovery type with tokenHash should only include tokenHash and type
+      final response = await client.verifyOTP(
+        tokenHash: 'mock-token-hash',
+        type: OtpType.recovery,
+      );
+
+      expect(response.session, isNotNull);
+      expect(response.user, isNotNull);
+
+      // Verify session was set
+      expect(client.currentSession, isNotNull);
+      expect(client.currentUser, isNotNull);
+    });
+
+    test(
+        'verifyOTP() with recovery type and tokenHash should reject email/phone',
+        () async {
+      // Recovery type with tokenHash should not accept email/phone
+      try {
+        await client.verifyOTP(
+          email: testEmail,
+          tokenHash: 'mock-token-hash',
+          type: OtpType.recovery,
+        );
+        fail('Should have thrown an assertion error');
+      } catch (e) {
+        expect(e, isA<AssertionError>());
+        expect(
+            e.toString(),
+            contains(
+                'For recovery type with tokenHash, only tokenHash and type should be provided'));
+      }
+    });
+
     test('verifyOTP() without token should throw', () async {
       try {
         await client.verifyOTP(
