feat: add pkce flow support

[dshukertjr]

What kind of change does this PR introduce?

PKCE flow is a secure way of performing OAuth on a mobile app. Specifically, it prevents attacker from performing authorization code interception attack.

The GotrueClient can now be initialized with a flowType parameter, which can take value of AuthFlowType.implicit or AuthFlowType.pkce. When setting the flowType to pkce, asyncStorage also needs to be provided, which is used to store the pkce code verifier (essentially a randomly generated string).

final gotrueClient = GoTrueClient(
  url: gotrueUrl,
  flowType: AuthFlowType.pkce,
  asyncStorage: TestAsyncStorage(),
);

When GotrueClient is initialized with flowType of pkce, a codeChallenge will be passed as query parameters for sign-in flows that involve deep links, such as magic link sign in or OAuth. Once the user comes back to the app via deep link, no access token or refresh token is contained in the URL, but instead there is the code challenge. The client then sends the code verifier and the code challenge via exchangeCodeForSession() method to the Gotrue server to verify it, and returns a session securely.

The process of calling the exchangeCodeForSession() method will be handled automatically in the background by supabase_flutter just like it does for the current deep link handling.

In future major version update, we will remove implicit grant flow and use pkce for all OAuth logins.

Once this PR is merged, these PRs on supabase-dart and supabase-flutter will be merged.

• feat: add async storage as parameter to support pkce flow supabase-dart#190
• feat: add pkce support supabase-flutter#432

Related gotrue-js PRs

• feat: add pkce auth-js#591
• fix: pkce does not generate truly random values in a browser auth-js#636
• refactor: drop oauth_ auth-js#637
• fix: remove crypto-js auth-js#641

[Vinzent03]

Some more tests would be useful, but they are hard to implement, right?

[dshukertjr]

Yeah, since it involves a redirect, it's kind of hard to do a through testing.