Return user on successful /POST verify #141

Closed
kangmingtay opened this issue Jul 16, 2021 · 6 comments · Fixed by #397
Labels
bug Something isn't working released

Comments

@kangmingtay
Member

kangmingtay commented Jul 16, 2021

Bug report

Current JSON response returned on successful POST /verify contains user: null

Reason for current implementation: Netlify upstream originally returns user:null on the /verify endpoint

@aaronkai

aaronkai commented Sep 3, 2021

I'm hitting this error calling the SignOut() function from the Svelte quick-start documentation:

async function signOut() {
	try {
		loading = true;
		let { error } = await supabase.auth.signOut();
		if (error) throw error;
	} catch (error) {
		alert(error.message);
	} finally {
		loading = false;
	}
}

Getting error:

SignOut.svelte:19 TypeError: Cannot read properties of null (reading 'user')
    at Object.callback (index.svelte? [sm]:11)
    at GoTrueClient.ts:617
    at Map.forEach (<anonymous>)
    at SupabaseAuthClient._notifyAllSubscribers (GoTrueClient.ts:617)
    at SupabaseAuthClient.<anonymous> (GoTrueClient.ts:437)
    at Generator.next (<anonymous>)
    at polyfills.ts:19
    at new Promise (<anonymous>)
    at __awaiter3 (polyfills.ts:19)
    at SupabaseAuthClient.signOut (GoTrueClient.ts:434)

@domnantas

What are the options here, considering upstream might not fix this?

@Seanmclem

Seanmclem commented Nov 17, 2021

@domnantas

I was able to mitigate this, in JS frontend, by signing in again with the refresh_token, like this:

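  // Workaround: /verify returns user: null, so sign in again with the
  // refresh token to obtain a session that carries the user.
  const verifyOTP = async () => {
    const { session, error } = await supabase.auth.verifyOTP({
      phone: `+1${phoneNumber}`,
      token: code,
    });

    if (session?.refresh_token && !error) {
      const {
        user,
        session: sesh,
        error: signInError, // renamed so it does not shadow the outer error
      } = await supabase.auth.signIn({
        refreshToken: session.refresh_token,
      });
    }
  };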

This returns the user, and fires supabase.auth.onAuthStateChange with a user in the session. This will work for now, but SMS auth has been heavily promoted as a big new feature and this was reported a while ago.

@kangmingtay
Member Author

Hey @Seanmclem, apologies for missing out on this and the delay! We've been working a lot on other aspects of gotrue - in particular migrating our dashboard from auth0 to gotrue so we can start dogfooding gotrue. But since this seems like a high priority for most of y'all, I'll discuss this with my team and look to push out a fix ASAP.

Another workaround you can consider is to also call the GET /user endpoint with the access token you get after verification to obtain the user object.

@kangmingtay
Member Author

Hey everyone, just an update, we have decided not to return a user on successful POST /verify due to the following reasons:

  1. /verify should be only responsible for verifying confirmation / recovery / invite / email change tokens
  2. To get an authenticated user, you should use the GET /user endpoint and pass a valid access token JWT as the authorisation header.

Will be closing this issue if there are no further questions!
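
The workaround and the decision in the two comments above both come down to one call: GET /user with the access token from verification sent as a bearer credential. The following is an added example, not code from the gotrue or supabase-js projects; `AUTH_URL`, the `access_token` and `id` field names, and the stub transport are assumptions made for illustration.

```javascript
// Added example: POST /verify returns tokens but "user": null, so the user
// is read from GET /user with the access token as a bearer credential.
// AUTH_URL, the field names and the stub transport are assumptions.
const AUTH_URL = "https://auth.example.test";

// Build the GET /user request from a /verify response body.
function buildUserRequest(verifyBody, baseUrl = AUTH_URL) {
  const token = verifyBody && verifyBody.access_token;
  // A JWT is three dot-separated base64url segments; reject anything else
  // before it is placed in a header.
  if (typeof token !== "string" || !/^[\w-]+\.[\w-]+\.[\w-]+$/.test(token)) {
    throw new Error("verify response carries no usable access token");
  }
  return {
    url: `${baseUrl.replace(/\/+$/, "")}/user`,
    options: { method: "GET", headers: { Authorization: `Bearer ${token}` } },
  };
}

// Fetch the user after verification. fetchImpl is injectable so the flow
// can be exercised offline; by default it is the platform fetch.
async function getUserAfterVerify(verifyBody, fetchImpl = globalThis.fetch) {
  const { url, options } = buildUserRequest(verifyBody);
  const res = await fetchImpl(url, options);
  if (!res.ok) {
    // A 401 means the token was rejected; do not fall back to any user
    // data held on the client.
    throw new Error(`GET /user failed with status ${res.status}`);
  }
  const user = await res.json();
  if (!user || typeof user.id !== "string") {
    throw new Error("GET /user returned no user object");
  }
  return user;
}

// Constructed sample data: a /verify response with user: null, and a stub
// server that answers only when the expected bearer token is presented.
const sampleVerify = { access_token: "aaa.bbb.ccc", refresh_token: "r1", user: null };
async function stubFetch(url, { headers }) {
  const ok = url === `${AUTH_URL}/user` && headers.Authorization === "Bearer aaa.bbb.ccc";
  return { ok, status: ok ? 200 : 401, json: async () => ({ id: "user-1", phone: "15550100" }) };
}

getUserAfterVerify(sampleVerify, stubFetch).then((user) => console.log(user.id));
```
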

@github-actions
Contributor

🎉 This issue has been resolved in version 2.5.19 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
