feat(auth)!: emit USER_UPDATED for email and phone change verification#2446
Open
mandarini wants to merge 1 commit into
Open
feat(auth)!: emit USER_UPDATED for email and phone change verification#2446mandarini wants to merge 1 commit into
mandarini wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Aligns auth-js with the auth server's classification of email-change and phone-change verifications as user modifications rather than sign-ins. Subscribers to
onAuthStateChangenow receiveUSER_UPDATEDfor these flows instead ofSIGNED_IN.What changed?
GoTrueClientnow branch onemail_change/phone_changeand emitUSER_UPDATED:_initialize(thesetTimeoutblock following_getSessionFromURL)_exchangeCodeForSession(PKCE)verifyOtpgetCodeChallengeAndMethodsignature changed from(storage, key, isPasswordRecovery?: boolean)to(storage, key, flowType?: 'recovery' | 'email_change'). The helper is internal and not re-exported.updateUser({ email })PKCE branch now tags the stored verifier withemail_changeso the post-redirect_exchangeCodeForSessionstep actually reaches the new branch. Without this, the PKCE-side fix would have been dead code (the server's PKCE redirect URL only carriescode, nottype).'recovery'instead oftrue(semantically identical).verifyOtpandonAuthStateChangedocuments the new event mapping.packages/core/auth-js/migrations/email-phone-change-user-updated-event.md.Why was this change needed?
The auth server (
supabase/auth) records email- and phone-change verifications asUserModifiedActionin the audit log. BothemailChangeVerifyand thephone_changebranch ofsmsVerifywrite that action; neither is treated as a sign-in. EmittingSIGNED_INon the client diverged from that semantics and produced spurious sign-in events on what is fundamentally a profile mutation. This change brings auth-js in line with the server and prepares parity with the other SDKs (Flutter/Dart, Swift, Kotlin, Python), which previously had to mirror the inaccurate auth-js behavior.Breaking changes
Behavioral breaking change. No type or signature changes for the public API: both
USER_UPDATEDandSIGNED_INare already members ofAuthChangeEvent. Consumers running first-login work (analytics, redirects, welcome UI) inside theirSIGNED_INhandler and relying on it firing after email or phone change will no longer receive that event for those flows. Migration guidance: handle the post-mutation case inUSER_UPDATEDinstead. Full details in the new per-package migration note.The internal
getCodeChallengeAndMethodhelper signature changed, but the helper is not re-exported from the package, so no external caller is affected.Checklist
<type>(<scope>): <description>pnpm nx formatto ensure consistent code formattingAdditional notes
v3branch as a breaking change.test.eachblocks coveringverifyOtp(email_change,phone_change,recovery,magiclink) andexchangeCodeForSession(verifier taggedemail_change,recovery, untagged). Seven new assertions in total againstonAuthStateChange.