Skip to content

fix(gotrue): OAuth server throws FormatException instead of ArgumentE…#1535

Merged
spydon merged 1 commit into
supabase:mainfrom
Unlock-d:fix/oauth_server_formatexception
Jul 7, 2026
Merged

fix(gotrue): OAuth server throws FormatException instead of ArgumentE…#1535
spydon merged 1 commit into
supabase:mainfrom
Unlock-d:fix/oauth_server_formatexception

Conversation

@Pieter-JanRobrechtCronos

Copy link
Copy Markdown
Contributor

What kind of change does this PR introduce?

As mentioned in this discussion for #1499, the OAuthAuthorizationDetailsResponse.fromJson best throws a FormatException to be inline with the rest of the codebase.

What is the current behavior?

Currently, when a JSON without a user key is parsed by the OAuthAuthorizationDetailsResponse.fromJson factory, the factory throws an ArgumentError.

What is the new behavior?

Now, when a JSON without a user key is parsed by the OAuthAuthorizationDetailsResponse.fromJson factory, the
factory throws a FormatException.

Additional context

@spydon from the discussion I had the idea that you updated this, but I haven't found any related changes, so I've made a small PR to fix this.

@spydon spydon left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is technically a breaking change, but I think we can let it slip.

@Pieter-JanRobrechtCronos

Copy link
Copy Markdown
Contributor Author

Indeed, the signature changes so it makes sense to make it a breaking change. I can change the commit to mark it as breaking since the automatic checks are failing as well on the commit message?

@spydon

spydon commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Indeed, the signature changes so it makes sense to make it a breaking change. I can change the commit to mark it as breaking since the automatic checks are failing as well on the commit message?

It's failing because the first letter is capital, we really should remove the casing check 😅

@spydon spydon merged commit da0f6e0 into supabase:main Jul 7, 2026
26 of 27 checks passed
spydon pushed a commit that referenced this pull request Jul 7, 2026
…1536)

> Stacked on #1535. Review/merge that one first.

## What kind of change does this PR introduce?

Bug fix

## What is the current behavior?

`getAuthorizationDetails` crashed with a `FormatException` when the
OAuth 2.1 server short-circuited the consent flow. This happens when a
user who already approved a client starts a new authorization for it:
the server returns a redirect-only body (`{"redirect_url":
"...?code=..."}`) with no user or client, which the parser rejected
because it required a user object.

## What is the new behavior?

`getAuthorizationDetails` now checks whether a `redirect_url` is present
returning `OAuthAuthorizationRedirectResponse` when it is present. When
the key isn't present the old `OAuthAuthorizationDetailsResponse` object
is returned.

Callers now switch on the result and forward the redirect instead of
losing it to an exception. Genuinely malformed detail bodies (no
redirect_url and no user) still throw, so validation isn't weakened.

## Additional context

BREAKING CHANGE: `getAuthorizationDetails` now returns the sealed
`OAuthAuthorizationResponse` instead of
`OAuthAuthorizationDetailsResponse`. Callers must switch/cast to access
client, user, scope and redirectUri.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants