This repository has been archived by the owner on May 13, 2023. It is now read-only.
Vinzent03 suggested changes on May 2, 2023.
Vinzent03 approved these changes on May 3, 2023.
Some more tests would be useful, but they are hard to implement, right?
Yeah, since it involves a redirect, it's kind of hard to do thorough testing.
What kind of change does this PR introduce?
PKCE flow is a secure way of performing OAuth on a mobile app. Specifically, it prevents an attacker from performing an authorization code interception attack.

The `GotrueClient` can now be initialized with a `flowType` parameter, which can take the value of `AuthFlowType.implicit` or `AuthFlowType.pkce`. When setting the flowType to pkce, `asyncStorage` also needs to be provided, which is used to store the pkce code verifier (essentially a randomly generated string).

When `GotrueClient` is initialized with a flowType of pkce, a codeChallenge will be passed as a query parameter for sign-in flows that involve deep links, such as magic link sign-in or OAuth. Once the user comes back to the app via deep link, no access token or refresh token is contained in the URL, but instead there is the code challenge. The client then sends the code verifier and the code challenge via the `exchangeCodeForSession()` method to the Gotrue server to verify it, and returns a session securely.

The process of calling the `exchangeCodeForSession()` method will be handled automatically in the background by supabase_flutter, just like it does for the current deep link handling.

In a future major version update, we will remove the implicit grant flow and use pkce for all OAuth logins.

Once this PR is merged, these PRs on supabase-dart and supabase-flutter will be merged.

Related gotrue-js PRs
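The PKCE round trip the description above relies on, written out as an added Python model so the two halves can be read side by side. This is not code from gotrue-dart, supabase_flutter or the Gotrue server: the authorize endpoint, the parameter names (`redirect_to`, `code_challenge`, `code_challenge_method`), the `myapp://` deep-link scheme and the in-memory `AuthServer` are assumptions made for the model, and a plain `dict` stands in for `asyncStorage`. What it does follow exactly is RFC 7636: the verifier is a random base64url string kept only on the device, the challenge is `BASE64URL(SHA256(verifier))`, the redirect carries an authorization code and no tokens, and the server recomputes the challenge from the verifier presented at exchange time.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


# ---- client side: what a PKCE-enabled client does around the deep link ----

def generate_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code verifier: 32 random bytes, base64url without padding (43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(storage: dict, redirect_to: str) -> str:
    """Start a sign-in: persist the verifier (the job asyncStorage does in the client) and
    send only the challenge. Endpoint and parameter names are assumptions for this model."""
    verifier = generate_code_verifier()
    storage["code_verifier"] = verifier
    params = {
        "redirect_to": redirect_to,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "s256",
    }
    return "https://auth.example.test/authorize?" + urlencode(params)


def exchange_code_for_session(server: "AuthServer", storage: dict, deep_link: str) -> dict:
    """Handle the deep link: it must carry an authorization code and never tokens. The stored
    verifier is consumed (pop) so a second callback cannot reuse it."""
    query = parse_qs(urlsplit(deep_link).query)
    if "access_token" in query or "refresh_token" in query:
        raise ValueError("tokens in the redirect URL: this is not a PKCE callback")
    code = query["code"][0]
    verifier = storage.pop("code_verifier")
    return server.exchange(code, verifier)


# ---- server side: simplified in-memory model of the authorization server ----

class AuthServer:
    def __init__(self) -> None:
        self.pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, authorize_url: str) -> str:
        """Record the challenge, mint a one-time code, return the deep link the app receives."""
        query = parse_qs(urlsplit(authorize_url).query)
        if query.get("code_challenge_method", [""])[0] != "s256":
            raise ValueError("only S256 is accepted; 'plain' gives no interception protection")
        code = secrets.token_urlsafe(24)
        self.pending[code] = query["code_challenge"][0]
        return query["redirect_to"][0] + "?" + urlencode({"code": code})

    def exchange(self, code: str, verifier: str) -> dict:
        """Recompute the challenge from the presented verifier; each code is single-use."""
        challenge = self.pending.pop(code, None)  # removed even if the check below fails
        if challenge is None:
            raise PermissionError("unknown or already-used authorization code")
        if not hmac.compare_digest(code_challenge_s256(verifier), challenge):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8)}


def run_happy_path() -> dict:
    """Legitimate app: starts the flow, receives the deep link, exchanges the code."""
    server, storage = AuthServer(), {}
    deep_link = server.authorize(build_authorize_url(storage, "myapp://login-callback"))
    return exchange_code_for_session(server, storage, deep_link)


def run_interception_attempt() -> str:
    """Malicious app registered for the same deep link sees the code but not the verifier."""
    server, storage = AuthServer(), {}
    deep_link = server.authorize(build_authorize_url(storage, "myapp://login-callback"))
    stolen_code = parse_qs(urlsplit(deep_link).query)["code"][0]
    try:
        server.exchange(stolen_code, generate_code_verifier())  # attacker has to guess
    except PermissionError as exc:
        return str(exc)
    return "exchange succeeded"


def run_replay_attempt() -> str:
    """Even with the right verifier, a code that was already exchanged is rejected."""
    server, storage = AuthServer(), {}
    deep_link = server.authorize(build_authorize_url(storage, "myapp://login-callback"))
    verifier = storage["code_verifier"]
    exchange_code_for_session(server, storage, deep_link)  # first use succeeds
    code = parse_qs(urlsplit(deep_link).query)["code"][0]
    try:
        server.exchange(code, verifier)
    except PermissionError as exc:
        return str(exc)
    return "exchange succeeded"


if __name__ == "__main__":
    print(run_happy_path())
    print(run_interception_attempt())
    print(run_replay_attempt())
```

The two failure paths are the point of the PR: an app that hijacks the deep link holds only the code, and without the verifier that never left the legitimate app's storage it cannot turn that code into a session; a replayed code fails because the server forgets the challenge on first use. The `s256` check in `authorize` matters too, since a `plain` challenge equals the verifier and would make the interception attack work again.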