`auth.admin.generateLink` not working with PKCE

[probablykasper]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

auth.admin.generateLink() does not seem to work with PKCE.

To Reproduce

const supabaseAdmin = createClient<Database>(
	PUBLIC_SUPABASE_URL,
	SUPABASE_SERVICE_ROLE_KEY,
	{
		auth: {
			autoRefreshToken: false,
			persistSession: false,
			detectSessionInUrl: false,
			flowType: 'pkce',
		},
	}
const link_result = await supabaseAdmin.auth.admin.generateLink({
	email: 'dev@example.com',
	type: 'magiclink',
})
console.log(link_result.data.properties)

Running the above outputs this:

{
  action_link: 'http://localhost:5801/auth/v1/verify?token=be63b5c2adbcb1152b102d51459bdf4df5f1ff47e26d44d0447c6835&type=magiclink&redirect_to=http://localhost:5800',
  email_otp: '840907',
  hashed_token: 'be63b5c2adbcb1152b102d51459bdf4df5f1ff47e26d44d0447c6835',
  redirect_to: 'http://localhost:5800',
  verification_type: 'magiclink'
}

As you can see, the token above doesn't start with pkce_.

Expected behavior

Would expect it to work like supabase.auth.signInWithOtp(), where you get emailed a PKCE token, which does start with pkce_, e.g:

http://localhost:5801/auth/v1/verify?token=pkce_681cbde9a87acc3223cf75c8a068ab56c530bec5855d16457c5254b6&type=magiclink&redirect_to=http://localhost:5800

System information

• OS: macOS
• Version of supabase-js: 2.22.0
• Version of Node.js: 18.14.2

[J0]

Hey @probablykasper,

Thanks for taking the time to file the issue! Do you mind expanding more on the use case for using generateLink with PKCE?

[probablykasper]

I'm just trying to have a button that instantly logs you into a test account during development, so it's not massively critical for me. I imagine others using generateLink() are still interested in the benefits of PKCE though

[J0]

Thanks for the swift response. Was wondering as one major use case of generateLink to generate a link to bypass the Supabase Auth mailing system and use another mailing system.

For that particular case, the mailer link would only work when sending to an email address is accessible via your browser since both the code challenge which is generated would be stored in localStorage of the browser (when using default storage) and the security benefits of the flow would be lost if the code challenge is sent around.

We'll let you know once we have a workaround for using generateLink + PKCE

[probablykasper]

What are the security benefits that would be lost if the code challenge is sent around?

[J0]

Hey @probablykasper,

Apologies for the delayed reply. I'm re-reading this message now and realise that I misspoke it is the code_verifier that is stored in localStorage and needs to be sent together with the link. I think the overall concern is that by supporting generateLink with PKCE we may not be able to provide the guarantees that PKCE is supposed to provide.

My understanding is that PKCE is meant to guarantee that the account initiating the flow is the same as the account exchanging the token. When the generated link is clicked, an auth code is returned and the auth_code is used together with the code_verifier in order to generate an access token. The code_verifier serves to correlate the final access token request with the initial authorisation request and this might give an added level of security in a mobile or SPA environment. If the code_verifier is sent over the network the auth system cannot know that the code_verifier and associated link was not intercepted and used by a malicious attacker.

As a workaround, we are considering support for the auth code flow which would not require a code challenge. Do let us know if you have any suggestions or alternative approaches that should be considered. There might be something that we've missed on our end.

[probablykasper]

Thanks for the in-depth explanation! I'm having a hard time imagining cases where this security benefit helps though. If an attacker reads the link from my email, they can simply request a new login, read the new email and gain access. It would help if I accidentally send the link to someone without clicking it, but beyond that I'm not too sure?

As a workaround, we are considering support for the auth code flow which would not require a code challenge.

That would be great, if the email link instead just approves the login! That would also let me use my phone to approve the login, so I could more easily and safely log in on someone else's computer.

[akoenig]

Thank you, @probablykasper, for reporting the issue, and thank you, @J0, for taking care of it. We also encountered the same problem today. Our situation is quite similar as we have an invite feature in our application. When a user wants to invite another user, we use the generateLink function to create an URL and manually send the email through our own provider.

Here's the code we use for generating the link:

const response = await supabase.auth.admin.generateLink({
  type: "invite",
  email: request.email,
  options: {
    redirectTo: request.redirectToUrl,
  },
});

The redirectToUrl parameter directs the user to the Code Exchange Route, which fails because the code was not passed. We were thrilled to hear about PKCE and immediately switched to it. Unfortunately, this caused this issue in our invitation flow 🙂 Fortunately, we're not in production yet, but we're eager to learn about any possible workarounds and share more information if it helps speed up the process.

[kangmingtay]

hey @akoenig, @probablykasper, we're working on a way to allow server-side redirects for the invite links, or any email links created through supabase.auth.admin.generateLink for that matter - #722

[github-actions]

🎉 This issue has been resolved in version 2.44.1 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀