@supabase/gotrue-js 2.20.1 → 2.20.2

package/src/GoTrueClient.ts

@@ -3,6 +3,7 @@ import { DEFAULT_HEADERS, EXPIRY_MARGIN, GOTRUE_URL, STORAGE_KEY } from './lib/c
 import {
   AuthError,
   AuthImplicitGrantRedirectError,
+  AuthPKCEGrantCodeExchangeError,
   AuthInvalidCredentialsError,
   AuthRetryableFetchError,
   AuthSessionMissingError,
@@ -66,7 +67,7 @@ import type {
   AuthenticatorAssuranceLevels,
   Factor,
   MFAChallengeAndVerifyParams,
-  OAuthFlowType,
+  AuthFlowType,
 } from './lib/types'
 
 polyfillGlobalThis() // Make "globalThis" available
@@ -78,6 +79,7 @@ const DEFAULT_OPTIONS: Omit<Required<GoTrueClientOptions>, 'fetch' | 'storage'>
   persistSession: true,
   detectSessionInUrl: true,
   headers: DEFAULT_HEADERS,
+  flowType: 'implicit',
 }
 
 /** Current session will be checked for refresh at this interval. */
@@ -108,6 +110,8 @@ export default class GoTrueClient {
    */
   protected inMemorySession: Session | null
 
+  protected flowType: AuthFlowType
+
   protected autoRefreshToken: boolean
   protected persistSession: boolean
   protected storage: SupportedStorage
@@ -154,6 +158,7 @@ export default class GoTrueClient {
     this.headers = settings.headers
     this.fetch = resolveFetch(settings.fetch)
     this.detectSessionInUrl = settings.detectSessionInUrl
+    this.flowType = settings.flowType
 
     this.mfa = {
       verify: this._verify.bind(this),
@@ -208,8 +213,9 @@ export default class GoTrueClient {
     }
 
     try {
-      if (this.detectSessionInUrl && this._isImplicitGrantFlow()) {
-        const { data, error } = await this._getSessionFromUrl()
+      const isPKCEFlow = await this._isPKCEFlow()
+      if ((this.detectSessionInUrl && this._isImplicitGrantFlow()) || isPKCEFlow) {
+        const { data, error } = await this._getSessionFromUrl(isPKCEFlow)
 
         if (error) {
           // failed login attempt via url,
@@ -323,7 +329,7 @@ export default class GoTrueClient {
   /**
    * Log in an existing user with an email and password or phone and password.
    *
-   * Be aware that you may get back an error message that will not distingish
+   * Be aware that you may get back an error message that will not distinguish
    * between the cases where the account does not exist or that the
    * email/phone and password combination is wrong or that the account can only
    * be accessed via social login.
@@ -386,7 +392,7 @@ export default class GoTrueClient {
       scopes: credentials.options?.scopes,
       queryParams: credentials.options?.queryParams,
       skipBrowserRedirect: credentials.options?.skipBrowserRedirect,
-      flowType: credentials.options?.flowType ?? 'implicit',
+      flowType: this.flowType ?? 'implicit',
     })
   }
 
@@ -394,7 +400,7 @@ export default class GoTrueClient {
    * Log in an existing user via a third-party provider.
    */
   async exchangeCodeForSession(authCode: string): Promise<AuthResponse> {
-    const codeVerifier = await getItemAsync(this.storage, `${this.storageKey}-oauth-code-verifier`)
+    const codeVerifier = await getItemAsync(this.storage, `${this.storageKey}-code-verifier`)
     const { data, error } = await _request(
       this.fetch,
       'POST',
@@ -408,7 +414,7 @@ export default class GoTrueClient {
         xform: _sessionResponse,
       }
     )
-    await removeItemAsync(this.storage, `${this.storageKey}-oauth-code-verifier`)
+    await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
     if (error || !data) return { data: { user: null, session: null }, error }
     if (data.session) {
       await this._saveSession(data.session)
@@ -845,7 +851,7 @@ export default class GoTrueClient {
   /**
    * Gets the session data from a URL string
    */
-  private async _getSessionFromUrl(): Promise<
+  private async _getSessionFromUrl(isPKCEFlow: boolean): Promise<
     | {
         data: { session: Session; redirectType: string | null }
         error: null
@@ -854,8 +860,18 @@ export default class GoTrueClient {
   > {
     try {
       if (!isBrowser()) throw new AuthImplicitGrantRedirectError('No browser detected.')
-      if (!this._isImplicitGrantFlow()) {
+      if (this.flowType == 'implicit' && !this._isImplicitGrantFlow()) {
         throw new AuthImplicitGrantRedirectError('Not a valid implicit grant flow url.')
+      } else if (this.flowType == 'pkce' && !isPKCEFlow) {
+        throw new AuthPKCEGrantCodeExchangeError('Not a valid PKCE flow url.')
+      }
+      if (isPKCEFlow) {
+        const authCode = getParameterByName('code')
+        if (!authCode) throw new AuthPKCEGrantCodeExchangeError('No code detected.')
+        const { data, error } = await this.exchangeCodeForSession(authCode)
+        if (error) throw error
+        if (!data.session) throw new AuthPKCEGrantCodeExchangeError('No session detected.')
+        return { data: { session: data.session, redirectType: null }, error: null }
       }
 
       const error_description = getParameterByName('error_description')
@@ -920,6 +936,16 @@ export default class GoTrueClient {
         Boolean(getParameterByName('error_description')))
     )
   }
+  /**
+   * Checks if the current URL and backing storage contain parameters given by a PKCE flow
+   */
+  private async _isPKCEFlow(): Promise<boolean> {
+    const currentStorageContent = await getItemAsync(
+      this.storage,
+      `${this.storageKey}-code-verifier`
+    )
+    return isBrowser() && Boolean(getParameterByName('code')) && Boolean(currentStorageContent)
+  }
 
   /**
    * Inside a browser context, `signOut()` will remove the logged in user from the browser session
@@ -1073,7 +1099,7 @@ export default class GoTrueClient {
       scopes?: string
       queryParams?: { [key: string]: string }
       skipBrowserRedirect?: boolean
-      flowType: OAuthFlowType
+      flowType: AuthFlowType
     }
   ) {
     const url: string = await this._getUrlForProvider(provider, {
@@ -1392,7 +1418,7 @@ export default class GoTrueClient {
       redirectTo?: string
       scopes?: string
       queryParams?: { [key: string]: string }
-      flowType: OAuthFlowType
+      flowType: AuthFlowType
     }
   ) {
     const urlParams: string[] = [`provider=${encodeURIComponent(provider)}`]
@@ -1404,7 +1430,7 @@ export default class GoTrueClient {
     }
     if (options?.flowType === 'pkce') {
       const codeVerifier = generatePKCEVerifier()
-      await setItemAsync(this.storage, `${this.storageKey}-oauth-code-verifier`, codeVerifier)
+      await setItemAsync(this.storage, `${this.storageKey}-code-verifier`, codeVerifier)
       const codeChallenge = await generatePKCEChallenge(codeVerifier)
       const flowParams = new URLSearchParams({
         flow_type: `${encodeURIComponent(options.flowType)}`,

package/src/lib/errors.ts

@@ -92,6 +92,23 @@ export class AuthImplicitGrantRedirectError extends CustomAuthError {
   }
 }
 
+export class AuthPKCEGrantCodeExchangeError extends CustomAuthError {
+  details: { error: string; code: string } | null = null
+  constructor(message: string, details: { error: string; code: string } | null = null) {
+    super(message, 'AuthPKCEGrantCodeExchangeError', 500)
+    this.details = details
+  }
+
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      status: this.status,
+      details: this.details,
+    }
+  }
+}
+
 export class AuthRetryableFetchError extends CustomAuthError {
   constructor(message: string, status: number) {
     super(message, 'AuthRetryableFetchError', status)

package/src/lib/types.ts

@@ -29,7 +29,6 @@ export type AuthChangeEvent =
   | 'SIGNED_OUT'
   | 'TOKEN_REFRESHED'
   | 'USER_UPDATED'
-  | 'USER_DELETED'
   | AuthChangeEventMFA
 
 export type GoTrueClientOptions = {
@@ -49,6 +48,8 @@ export type GoTrueClientOptions = {
   storage?: SupportedStorage
   /* A custom fetch implementation. */
   fetch?: Fetch
+  /* If set to 'pkce' PKCE flow. Defaults to the 'implicit' flow otherwise */
+  flowType?: AuthFlowType
 }
 
 export type AuthResponse =
@@ -435,7 +436,7 @@ export type SignInWithPasswordlessCredentials =
       }
     }
 
-export type OAuthFlowType = 'implicit' | 'pkce'
+export type AuthFlowType = 'implicit' | 'pkce'
 export type SignInWithOAuthCredentials = {
   /** One of the providers supported by GoTrue. */
   provider: Provider
@@ -448,8 +449,6 @@ export type SignInWithOAuthCredentials = {
     queryParams?: { [key: string]: string }
     /** If set to true does not immediately redirect the current browser context to visit the OAuth authorization page for the provider. */
     skipBrowserRedirect?: boolean
-    /** If set to 'pkce' PKCE flow. Defaults to the 'implicit' flow otherwise */
-    flowType?: OAuthFlowType
   }
 }
 

package/src/lib/version.ts

@@ -1,2 +1,2 @@
 // Generated by genversion.
-export const version = '2.20.1'
+export const version = '2.20.2'