Skip to content

fix(gotrue): handle already-consented OAuth authorization responses#1536

Merged
spydon merged 4 commits into
supabase:mainfrom
Unlock-d:fix/oauth_server_second_consent
Jul 7, 2026
Merged

fix(gotrue): handle already-consented OAuth authorization responses#1536
spydon merged 4 commits into
supabase:mainfrom
Unlock-d:fix/oauth_server_second_consent

Conversation

@Pieter-JanRobrechtCronos

Copy link
Copy Markdown
Contributor

Stacked on #1535. Review/merge that one first.

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

getAuthorizationDetails crashed with a FormatException when the OAuth 2.1 server short-circuited the consent flow. This happens when a user who already approved a client starts a new authorization for it: the server returns a redirect-only body ({"redirect_url": "...?code=..."}) with no user or client, which the parser rejected because it required a user object.

What is the new behavior?

getAuthorizationDetails now checks whether a redirect_url is present returning OAuthAuthorizationRedirectResponse when it is present. When the key isn't present the old OAuthAuthorizationDetailsResponse object is returned.

Callers now switch on the result and forward the redirect instead of losing it to an exception. Genuinely malformed detail bodies (no redirect_url and no user) still throw, so validation isn't weakened.

Additional context

BREAKING CHANGE: getAuthorizationDetails now returns the sealed OAuthAuthorizationResponse instead of OAuthAuthorizationDetailsResponse. Callers must switch/cast to access client, user, scope and redirectUri.

getAuthorizationDetails crashed with a FormatException when the OAuth
2.1 server short-circuited the consent flow. This happens when a user
who already approved a client starts a new authorization for it: the
server returns a redirect-only body
({"redirect_url": "...?code=..."}) with no user or client, which the
parser rejected because it required a user object.

Model the two possible outcomes as a sealed OAuthAuthorizationResponse:
- OAuthAuthorizationDetailsResponse when consent is still required
- OAuthAuthorizationRedirectResponse carrying the redirect URL when the
  user already consented

Callers now switch on the result and forward the redirect instead of
losing it to an exception. Genuinely malformed detail bodies (no
redirect_url and no user) still throw, so validation isn't weakened.

BREAKING CHANGE: getAuthorizationDetails now returns the sealed
OAuthAuthorizationResponse instead of OAuthAuthorizationDetailsResponse.
Callers must switch/cast to access client, user, scope and redirectUri.
@Pieter-JanRobrechtCronos Pieter-JanRobrechtCronos requested a review from a team as a code owner July 6, 2026 12:55
@Pieter-JanRobrechtCronos

Copy link
Copy Markdown
Contributor Author

@spydon I spotted this bug when I was working with the code that I've introduced for #1499. I hope you don't mind me creating a PR before opening an issue. I'm happy to create an issue if you still require one!

@spydon

spydon commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@spydon I spotted this bug when I was working with the code that I've introduced for #1499. I hope you don't mind me creating a PR before opening an issue. I'm happy to create an issue if you still require one!

It's all good, when it's not a new feature it's fine to create a PR directly.

@spydon spydon left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally we shouldn't pull in breaking changes now, but since this fixes a bug it's fine.

@Pieter-JanRobrechtCronos

Copy link
Copy Markdown
Contributor Author

Ah I see, I can still make some changes if you prefer? I don't see how I would be able to keep out the breaking change though.

@spydon

spydon commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@Pieter-JanRobrechtCronos can you turn on so that maintainers can modify the PR? Then I can fix up the compliance matrix

Pieter-JanRobrechtCronos and others added 2 commits July 7, 2026 09:57
`sdk-compliance.yaml` only tracked didn't yet track the new
`OAuthAuthorizationResponse` and `OAuthAuthorizationRedirectResponse`
models.
@Pieter-JanRobrechtCronos

Copy link
Copy Markdown
Contributor Author

I've checked, and I don't see any checkmarks that I can toggle to give you the necessary access... Is that something that I would need to toggle in my fork or a setting in this PR?

In the meantime I've made the necessary changes to the compliance matrix.

@spydon spydon changed the title fix(gotrue)!: handle already-consented OAuth authorization responses fix(gotrue): handle already-consented OAuth authorization responses Jul 7, 2026
@spydon spydon merged commit 22d4123 into supabase:main Jul 7, 2026
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants