Skip to content

fix: patch secure email change (double confirm) response format.#1241

Merged
J0 merged 4 commits into
masterfrom
j0/patch_email_change_double_confirmation
Sep 6, 2023
Merged

fix: patch secure email change (double confirm) response format.#1241
J0 merged 4 commits into
masterfrom
j0/patch_email_change_double_confirmation

Conversation

@J0
Copy link
Copy Markdown
Contributor

@J0 J0 commented Sep 4, 2023
edited
Loading

What kind of change does this PR introduce?

There are two issues the PR aims to resolve:

  1. Currently, a Token Hash can be re-used twice in place of using the token hash send to the new email and a token has in the current mail. A solve attempt was originally made in fix: clear email change token when token hash is used #1240 but a test was added in this branch.

  2. Currently, the single confirmation response is slightly misformed and has an additional null param

CleanShot 2023-09-04 at 15 47 04@2x

This stems from the return in the transaction. sendJSON doesn't return an error. Consequently, he error returned by the transaction will be nil. This leads to

CleanShot 2023-09-04 at 15 47 41@2x

sendJSON(w, http.StatusOK, token) being run after sendJSON is callled which will write the token (nil in this case) to the existing singleConfirmationResponse. This in turn affects returned response for the first confirmation as the client library is unable to unpack the returned JSON with extra null leading to an error.

What is the new behavior?

Returns response
CleanShot 2023-09-04 at 15 50 07@2x

Additional context

TODO

  • Need to complete a test for the SecureEmailChange TokenHash to prevent a regression

@J0 J0 requested a review from silentworks September 4, 2023 11:50
@J0 J0 marked this pull request as ready for review September 5, 2023 09:17
@J0 J0 requested a review from a team as a code owner September 5, 2023 09:17
@J0 J0 mentioned this pull request Sep 5, 2023
Closed
@kangmingtay
Copy link
Copy Markdown
Member

kangmingtay commented Sep 5, 2023

nice one, thanks for catching this!

@J0 J0 merged commit 064e8a1 into master Sep 6, 2023
@J0 J0 deleted the j0/patch_email_change_double_confirmation branch September 6, 2023 03:09
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Sep 6, 2023

🎉 This PR is included in version 2.95.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

uxodb pushed a commit to uxodb/auth that referenced this pull request Nov 13, 2024
@J0
fix: patch secure email change (double confirm) response format. (sup…
9f6a289 
…abase#1241)

## What kind of change does this PR introduce?

There are two issues the PR aims to resolve:

1. Currently, a Token Hash can be re-used twice in place of using the
token hash send to the new email and a token has in the current mail. A
solve attempt was originally made in supabase#1240 but a test was added in this
branch.

2. Currently, the single confirmation response is slightly misformed and
has an additional null param

<img width="1062" alt="CleanShot 2023-09-04 at 15 47 04@2x"
src="https://github.com/supabase/gotrue/assets/8011761/69da91e5-e646-4970-8e80-1659e2e3fd41">

This stems from the return in the transaction. sendJSON doesn't return
an error. Consequently, he error returned by the transaction will be
nil. This leads to

<img width="755" alt="CleanShot 2023-09-04 at 15 47 41@2x"
src="https://github.com/supabase/gotrue/assets/8011761/af583492-1aac-4cbd-aaad-856282cce808">

`sendJSON(w, http.StatusOK, token)` being run after `sendJSON` is
callled which will write the `token` (`nil` in this case) to the
existing singleConfirmationResponse. This in turn affects returned
response for the first confirmation as the client library is unable to
unpack the returned JSON with extra null leading to an error.


## What is the new behavior?

Returns response
<img width="617" alt="CleanShot 2023-09-04 at 15 50 07@2x"
src="https://github.com/supabase/gotrue/assets/8011761/e27db0ab-0489-4cda-a25f-8a650db5cab1">

## Additional context

TODO
- [x] Need to complete a test for the SecureEmailChange TokenHash to
prevent a regression

---------

Co-authored-by: joel@joellee.org <joel@joellee.org>
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 13, 2024
@J0 @LashaJini
fix: patch secure email change (double confirm) response format. (sup…
1357f9a 
…abase#1241)

## What kind of change does this PR introduce?

There are two issues the PR aims to resolve:

1. Currently, a Token Hash can be re-used twice in place of using the
token hash send to the new email and a token has in the current mail. A
solve attempt was originally made in supabase#1240 but a test was added in this
branch.

2. Currently, the single confirmation response is slightly misformed and
has an additional null param

<img width="1062" alt="CleanShot 2023-09-04 at 15 47 04@2x"
src="https://github.com/supabase/gotrue/assets/8011761/69da91e5-e646-4970-8e80-1659e2e3fd41">

This stems from the return in the transaction. sendJSON doesn't return
an error. Consequently, he error returned by the transaction will be
nil. This leads to

<img width="755" alt="CleanShot 2023-09-04 at 15 47 41@2x"
src="https://github.com/supabase/gotrue/assets/8011761/af583492-1aac-4cbd-aaad-856282cce808">

`sendJSON(w, http.StatusOK, token)` being run after `sendJSON` is
callled which will write the `token` (`nil` in this case) to the
existing singleConfirmationResponse. This in turn affects returned
response for the first confirmation as the client library is unable to
unpack the returned JSON with extra null leading to an error.


## What is the new behavior?

Returns response
<img width="617" alt="CleanShot 2023-09-04 at 15 50 07@2x"
src="https://github.com/supabase/gotrue/assets/8011761/e27db0ab-0489-4cda-a25f-8a650db5cab1">

## Additional context

TODO
- [x] Need to complete a test for the SecureEmailChange TokenHash to
prevent a regression

---------

Co-authored-by: joel@joellee.org <joel@joellee.org>
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 15, 2024
@J0 @LashaJini
fix: patch secure email change (double confirm) response format. (sup…
446599c 
…abase#1241)

## What kind of change does this PR introduce?

There are two issues the PR aims to resolve:

1. Currently, a Token Hash can be re-used twice in place of using the
token hash send to the new email and a token has in the current mail. A
solve attempt was originally made in supabase#1240 but a test was added in this
branch.

2. Currently, the single confirmation response is slightly misformed and
has an additional null param

<img width="1062" alt="CleanShot 2023-09-04 at 15 47 04@2x"
src="https://github.com/supabase/gotrue/assets/8011761/69da91e5-e646-4970-8e80-1659e2e3fd41">

This stems from the return in the transaction. sendJSON doesn't return
an error. Consequently, he error returned by the transaction will be
nil. This leads to

<img width="755" alt="CleanShot 2023-09-04 at 15 47 41@2x"
src="https://github.com/supabase/gotrue/assets/8011761/af583492-1aac-4cbd-aaad-856282cce808">

`sendJSON(w, http.StatusOK, token)` being run after `sendJSON` is
callled which will write the `token` (`nil` in this case) to the
existing singleConfirmationResponse. This in turn affects returned
response for the first confirmation as the client library is unable to
unpack the returned JSON with extra null leading to an error.


## What is the new behavior?

Returns response
<img width="617" alt="CleanShot 2023-09-04 at 15 50 07@2x"
src="https://github.com/supabase/gotrue/assets/8011761/e27db0ab-0489-4cda-a25f-8a650db5cab1">

## Additional context

TODO
- [x] Need to complete a test for the SecureEmailChange TokenHash to
prevent a regression

---------

Co-authored-by: joel@joellee.org <joel@joellee.org>
cemalkilic pushed a commit that referenced this pull request Aug 7, 2025
@J0 @cemalkilic
fix: patch secure email change (double confirm) response format. (#1241)
631207e 
## What kind of change does this PR introduce?

There are two issues the PR aims to resolve:

1. Currently, a Token Hash can be re-used twice in place of using the
token hash send to the new email and a token has in the current mail. A
solve attempt was originally made in #1240 but a test was added in this
branch.

2. Currently, the single confirmation response is slightly misformed and
has an additional null param

<img width="1062" alt="CleanShot 2023-09-04 at 15 47 04@2x"
src="https://github.com/supabase/gotrue/assets/8011761/69da91e5-e646-4970-8e80-1659e2e3fd41">

This stems from the return in the transaction. sendJSON doesn't return
an error. Consequently, he error returned by the transaction will be
nil. This leads to

<img width="755" alt="CleanShot 2023-09-04 at 15 47 41@2x"
src="https://github.com/supabase/gotrue/assets/8011761/af583492-1aac-4cbd-aaad-856282cce808">

`sendJSON(w, http.StatusOK, token)` being run after `sendJSON` is
callled which will write the `token` (`nil` in this case) to the
existing singleConfirmationResponse. This in turn affects returned
response for the first confirmation as the client library is unable to
unpack the returned JSON with extra null leading to an error.


## What is the new behavior?

Returns response
<img width="617" alt="CleanShot 2023-09-04 at 15 50 07@2x"
src="https://github.com/supabase/gotrue/assets/8011761/e27db0ab-0489-4cda-a25f-8a650db5cab1">

## Additional context

TODO
- [x] Need to complete a test for the SecureEmailChange TokenHash to
prevent a regression

---------

Co-authored-by: joel@joellee.org <joel@joellee.org>
xeladotbe pushed a commit to xeladotbe/supabase-auth that referenced this pull request Sep 27, 2025
@J0 @xeladotbe
fix: patch secure email change (double confirm) response format. (sup…
cc13576 
…abase#1241)

## What kind of change does this PR introduce?

There are two issues the PR aims to resolve:

1. Currently, a Token Hash can be re-used twice in place of using the
token hash send to the new email and a token has in the current mail. A
solve attempt was originally made in supabase#1240 but a test was added in this
branch.

2. Currently, the single confirmation response is slightly misformed and
has an additional null param

<img width="1062" alt="CleanShot 2023-09-04 at 15 47 04@2x"
src="https://github.com/supabase/gotrue/assets/8011761/69da91e5-e646-4970-8e80-1659e2e3fd41">

This stems from the return in the transaction. sendJSON doesn't return
an error. Consequently, he error returned by the transaction will be
nil. This leads to

<img width="755" alt="CleanShot 2023-09-04 at 15 47 41@2x"
src="https://github.com/supabase/gotrue/assets/8011761/af583492-1aac-4cbd-aaad-856282cce808">

`sendJSON(w, http.StatusOK, token)` being run after `sendJSON` is
callled which will write the `token` (`nil` in this case) to the
existing singleConfirmationResponse. This in turn affects returned
response for the first confirmation as the client library is unable to
unpack the returned JSON with extra null leading to an error.


## What is the new behavior?

Returns response
<img width="617" alt="CleanShot 2023-09-04 at 15 50 07@2x"
src="https://github.com/supabase/gotrue/assets/8011761/e27db0ab-0489-4cda-a25f-8a650db5cab1">

## Additional context

TODO
- [x] Need to complete a test for the SecureEmailChange TokenHash to
prevent a regression

---------

Co-authored-by: joel@joellee.org <joel@joellee.org>
fadymak pushed a commit that referenced this pull request Sep 30, 2025
@J0 @fadymak
fix: patch secure email change (double confirm) response format. (#1241)
056b586 
## What kind of change does this PR introduce?

There are two issues the PR aims to resolve:

1. Currently, a Token Hash can be re-used twice in place of using the
token hash send to the new email and a token has in the current mail. A
solve attempt was originally made in #1240 but a test was added in this
branch.

2. Currently, the single confirmation response is slightly misformed and
has an additional null param

<img width="1062" alt="CleanShot 2023-09-04 at 15 47 04@2x"
src="https://github.com/supabase/gotrue/assets/8011761/69da91e5-e646-4970-8e80-1659e2e3fd41">

This stems from the return in the transaction. sendJSON doesn't return
an error. Consequently, he error returned by the transaction will be
nil. This leads to

<img width="755" alt="CleanShot 2023-09-04 at 15 47 41@2x"
src="https://github.com/supabase/gotrue/assets/8011761/af583492-1aac-4cbd-aaad-856282cce808">

`sendJSON(w, http.StatusOK, token)` being run after `sendJSON` is
callled which will write the `token` (`nil` in this case) to the
existing singleConfirmationResponse. This in turn affects returned
response for the first confirmation as the client library is unable to
unpack the returned JSON with extra null leading to an error.


## What is the new behavior?

Returns response
<img width="617" alt="CleanShot 2023-09-04 at 15 50 07@2x"
src="https://github.com/supabase/gotrue/assets/8011761/e27db0ab-0489-4cda-a25f-8a650db5cab1">

## Additional context

TODO
- [x] Need to complete a test for the SecureEmailChange TokenHash to
prevent a regression

---------

Co-authored-by: joel@joellee.org <joel@joellee.org>
@benshump benshump mentioned this pull request May 25, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kangmingtay kangmingtay kangmingtay approved these changes

@silentworks silentworks Awaiting requested review from silentworks

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@J0 @kangmingtay