
auth.resend() consistent confirmation flow#2144

Open

weilirs wants to merge 1 commit into supabase:master from weilirs:auth.resend-consistent-flow

Conversation


@weilirs weilirs commented Feb 28, 2026

🔍 Description

What changed?

When flowType is 'pkce', resend() now generates a fresh code_verifier/code_challenge pair (via the existing getCodeChallengeAndMethod helper), stores the verifier, and includes code_challenge + code_challenge_method in the request body to /resend. This follows the exact same pattern already used by signUp() and signInWithOtp(). See this PR

  • packages/core/auth-js/src/GoTrueClient.ts — Added PKCE challenge generation in the email branch of resend(), included code_challenge and code_challenge_method in the request body, and added code-verifier cleanup in the error path.
  • packages/core/auth-js/test/GoTrueClient.test.ts — Added test for resend() with PKCE flowType.

No changes to the phone/SMS resend path, user-facing types, or implicit flow behavior.

Why was this change needed?

The GoTrue server has been updated to accept code_challenge and code_challenge_method on the /resend endpoint. Previously, resend() always produced implicit-flow confirmation links (#access_token=...), even when the original signUp() used PKCE. This forced developers using server-side frameworks (e.g., Next.js App Router) to implement workarounds for handling hash fragments that aren't accessible in server route handlers.

With this change, resend confirmation emails use ?code=... (PKCE) when the SDK is configured for PKCE flow, consistent with the initial signup email.

Closes supabase/supabase#42527

📸 Screenshots/Examples

Before (implicit flow on resend — hash fragment not accessible server-side):

https://example.com/auth/confirm#access_token=xxx&refresh_token=yyy

After (PKCE flow on resend — query param works with server routes):

https://example.com/auth/confirm?code=xxx

🔄 Breaking changes

  • This PR contains no breaking changes

📋 Checklist

  • I have read the Contributing Guidelines
  • My PR title follows the conventional commit format: feat(auth-js): add PKCE support to resend()
  • I have run npx nx format to ensure consistent code formatting
  • I have added tests for new functionality (if applicable)
  • I have updated documentation (if applicable)

📝 Additional notes

  • Each resend() call generates a fresh code_verifier/code_challenge pair — it does not reuse the pair from the original signUp(), since the user may be in a different browser session.
  • The user-facing ResendParams type is unchanged; PKCE params are added internally by the SDK based on the configured flowType, matching how signUp() and signInWithOtp() already work.
  • SMS-based resend types (sms, phone_change) are unaffected.

@weilirs weilirs requested review from a team as code owners February 28, 2026 13:33

coderabbitai bot commented Feb 28, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between e6bdfe2 and f976688.

📒 Files selected for processing (2)
  • packages/core/auth-js/src/GoTrueClient.ts
  • packages/core/auth-js/test/GoTrueClient.test.ts

📝 Walkthrough

Summary by CodeRabbit

  • New Features: Added PKCE (Proof Key for Code Exchange) flow support to the email resend functionality, enabling enhanced security for authentication requests.
  • Tests: Added test coverage for email resend with PKCE flow.

Walkthrough

This PR adds PKCE flow support to the resend() method in GoTrueClient. When the PKCE flow type is detected, the code retrieves the code_verifier and code_challenge from browser storage and includes code_challenge and code_challenge_method parameters in the resend request body. Error handling is also enhanced to clean up the stored code-verifier entry on failure. A new test case validates that PKCE-enabled resend works correctly for email authentication scenarios.

Assessment against linked issues

Objective Addressed Explanation
Add PKCE flow support to resend() method [#42527]
Include code_challenge and code_challenge_method in resend requests when PKCE is enabled [#42527]
Clean up stored code-verifier on resend errors [#42527]



pkg-pr-new bot commented Mar 2, 2026


@supabase/auth-js

npm i https://pkg.pr.new/@supabase/auth-js@2144

@supabase/functions-js

npm i https://pkg.pr.new/@supabase/functions-js@2144

@supabase/postgrest-js

npm i https://pkg.pr.new/@supabase/postgrest-js@2144

@supabase/realtime-js

npm i https://pkg.pr.new/@supabase/realtime-js@2144

@supabase/storage-js

npm i https://pkg.pr.new/@supabase/storage-js@2144

@supabase/supabase-js

npm i https://pkg.pr.new/@supabase/supabase-js@2144

commit: 068adea


Development

Successfully merging this pull request may close these issues.

auth.resend() uses implicit flow instead of PKCE flow, causing inconsistent confirmation flows
