fix(gotrue): allow TOTP MFA enrollment without an issuer #1501
Open
AndroidPoet wants to merge 2 commits into
spydon approved these changes Jul 1, 2026
What
GoTrueMFAApi.enroll() no longer requires an issuer when enrolling a TOTP factor. The canonical call now works:

Why
issuer is documented as optional for TOTP (/// [issuer] : Domain which the user is enrolled with (TOTP only).) and is optional in supabase-js, but the argument validation made it mandatory:

When a TOTP factor is enrolled without an issuer, both if branches are false, so it falls through to the else and throws ArgumentError synchronously — before any request is sent. The standard mfa.enroll() therefore always failed unless an issuer was passed.

This was an unintended regression from #1188 (Add phone mfa enrollment), which introduced the combined branch. The existing enroll totp integration test always passes issuer: 'MyFriend', so it never exercised the no-issuer path.

The fix separates the factor-type handling so TOTP forwards issuer only when provided, while phone enrollment keeps its existing requirement that a phone number is supplied.

Not a breaking change
issuer behaves exactly as before (the value is still sent).
ArgumentError when phone is omitted (covered by the existing enroll phone requires phone number test).

Tests
Added packages/gotrue/test/mfa_enroll_test.dart, an offline test using a recording BaseClient that inspects the outgoing request body:
enroll() reaches the network and sends no issuer (previously threw ArgumentError).
enroll(issuer: 'MyApp') forwards the issuer.
enroll(factorType: FactorType.phone) without a phone still throws ArgumentError.
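The validation change this description explains, as an added Dart sketch that is not part of the pull request or the gotrue package. The function names, error messages and request-body keys are assumptions reconstructed from the description above.

```dart
// Added illustration, not the gotrue package's source. Function names,
// error messages and body keys are assumptions based on the description.
enum FactorType { totp, phone }

/// "Before": one combined if / else-if / else chain. TOTP without an issuer
/// matches neither condition, so it reaches the else and throws.
Map<String, String> bodyBefore(FactorType type, {String? issuer, String? phone}) {
  final body = {'factor_type': type.name};
  if (type == FactorType.totp && issuer != null) {
    body['issuer'] = issuer;
  } else if (type == FactorType.phone && phone != null) {
    body['phone'] = phone;
  } else {
    throw ArgumentError('Invalid arguments for $type');
  }
  return body;
}

/// "After": each factor type is validated separately. issuer is optional
/// for TOTP; phone stays mandatory for phone factors.
Map<String, String> bodyAfter(FactorType type, {String? issuer, String? phone}) {
  final body = {'factor_type': type.name};
  switch (type) {
    case FactorType.totp:
      if (issuer != null) body['issuer'] = issuer;
      break;
    case FactorType.phone:
      if (phone == null) throw ArgumentError('phone is required for $type');
      body['phone'] = phone;
      break;
  }
  return body;
}

/// Runs [build] and reports either the request body or the thrown error.
String outcome(Map<String, String> Function() build) {
  try {
    return 'sends ${build()}';
  } on ArgumentError catch (e) {
    return 'throws before any request: ${e.message}';
  }
}

void main() {
  print(outcome(() => bodyBefore(FactorType.totp))); // the regression
  print(outcome(() => bodyAfter(FactorType.totp))); // no issuer key sent
  print(outcome(() => bodyAfter(FactorType.totp, issuer: 'MyApp')));
  print(outcome(() => bodyAfter(FactorType.phone))); // still rejected
}
```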