
supabase.auth.admin.generateLink() doesn't work with PKCE flow

Open tobiassern opened this issue 2 years ago • 3 comments

Bug report

  • [X] I confirm this is a bug with Supabase, not with my own application.
  • [X] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When using the PKCE flow and generating a link with supabase.auth.admin.generateLink(), it doesn't generate a link that supports the PKCE flow, as the code is missing from url.searchParams when hitting the callback URL.

It works as expected when using supabase.auth.signInWithPassword() and letting supabase send the e-mail

To Reproduce

Code

    import { createClient } from '@supabase/supabase-js'

    // PUBLIC_SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY come from the app's
    // environment config; the service role key must only be used server-side.
    const supabase = createClient(PUBLIC_SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY, {
        auth: {
            autoRefreshToken: false,
            persistSession: false,
            flowType: 'pkce'
        }
    })

    // Access auth admin api
    const adminAuthClient = supabase.auth.admin;

    // Generate a magic link for the user and send them to our callback route
    const { data, error } = await adminAuthClient.generateLink({
        type: 'magiclink',
        email: '[email protected]',
        options: {
            redirectTo: 'http://127.0.0.1:5173/api/auth/callback'
        }
    });

    if (error) {
        console.error(error);
    }

    console.log(data);

Output in console log

{
    "data": {
        "properties": {
            "action_link": "http://localhost:54321/auth/v1/verify?token=51a3fc23c11754db785d06b52da2c155b46e9556537936cdb67f87c7&type=magiclink&redirect_to=http://127.0.0.1:5173/api/auth/callback",
            "email_otp": "793015",
            "hashed_token": "51a3fc23c11754db785d06b52da2c155b46e9556537936cdb67f87c7",
            "redirect_to": "http://127.0.0.1:5173/api/auth/callback",
            "verification_type": "magiclink"
        },
        "user": {...}
    }
}

In the callback route I try to get the code search param, but it is null.

const code = url.searchParams.get('code');

Expected behavior

When using generateLink with the PKCE flow, I expect that when the user is redirected to the callback route, the code search param is included.


System information

  • OS: [e.g. macOS]
  • Browser (if applies) [chrome]
  • Version of supabase-js: [2.31.0]
  • Version of Node.js: [e.g. 16.20.1]


tobiassern avatar Jul 26 '23 13:07 tobiassern

There's an increasing number of people bringing this up. I'm fairly sure this isn't supported right now, although https://github.com/supabase/gotrue-js/pull/722 claims to fix it.

Related: https://github.com/supabase/auth-helpers/issues/610 Also: https://discord.com/channels/839993398554656828/1130871916249497751

j4w8n avatar Jul 26 '23 14:07 j4w8n

hey @tobiassern, supabase.auth.admin.generateLink() isn't meant to work with the PKCE flow because the PKCE flow requires the generation of a code verifier. Since the code verifier must be generated and used when the authentication request is made (i.e. signup / request for OTP) and when the link is verified (i.e. when the email link is clicked), it doesn't work for supabase.auth.admin.generateLink() because that's typically done on the server side and not the client side.

note, the code verifier is meant to prevent replay attacks, which is why it has to be created when the authentication request starts and sent when the verification request is made (ensures that the person verifying is the same person who requested the auth).

we are aware that this is a problem if you are using the auth-helpers and we're working on a separate solution to fix it

kangmingtay avatar Aug 21 '23 15:08 kangmingtay

have you tried the solution proposed by @kamerat ? https://github.com/supabase/auth-helpers/issues/610#issuecomment-1672296227

kbsali avatar Sep 01 '23 14:09 kbsali