supabase.auth.admin.generateLink() don't work with PKCE flow #767

Open
2 tasks done
tobiassern opened this issue Jul 26, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@tobiassern

tobiassern commented Jul 26, 2023

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When using the PKCE flow and generating a link with supabase.auth.admin.generateLink(), it does not generate a link that supports the PKCE flow, as the code is missing in the url.searchParams when hitting the callback URL.

It works as expected when using supabase.auth.signInWithPassword() and letting Supabase send the e-mail.

To Reproduce

Code

    import { createClient } from '@supabase/supabase-js';

    // Server-side client using the service role key, configured for the PKCE flow
    const supabase = createClient(PUBLIC_SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY, {
        auth: {
            autoRefreshToken: false,
            persistSession: false,
            flowType: 'pkce'
        }
    })

    // Access auth admin api
    const adminAuthClient = supabase.auth.admin;

    // Generate a magic link without sending an e-mail
    const { data, error } = await supabase.auth.admin.generateLink({
        type: 'magiclink',
        email: '[email protected]',
        options: {
            redirectTo: 'http://127.0.0.1:5173/api/auth/callback'
        }
    });

    console.log(data);

Output in console log

    {
        "data": {
            "properties": {
                "action_link": "http://localhost:54321/auth/v1/verify?token=51a3fc23c11754db785d06b52da2c155b46e9556537936cdb67f87c7&type=magiclink&redirect_to=http://127.0.0.1:5173/api/auth/callback",
                "email_otp": "793015",
                "hashed_token": "51a3fc23c11754db785d06b52da2c155b46e9556537936cdb67f87c7",
                "redirect_to": "http://127.0.0.1:5173/api/auth/callback",
                "verification_type": "magiclink"
            },
            "user": {...}
        }
    }

In the callback route I try to get the code searchParams but it is null.

    const code = url.searchParams.get('code');

Expected behavior

When using generateLink with the pkce flow I expect that when the user is redirected to the callback route, the code searchParam is included.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

  • OS: [e.g. macOS]
  • Browser (if applies) [chrome]
  • Version of supabase-js: [2.31.0]
  • Version of Node.js: [e.g. 16.20.1]

Additional context

Add any other context about the problem here.

@tobiassern tobiassern added the bug Something isn't working label Jul 26, 2023
@j4w8n
Contributor

j4w8n commented Jul 26, 2023

There's an increasing amount of people bringing this up. I'm fairly sure this isn't supported right now; although #722 claims to fix it.

Related: supabase/auth-helpers#610
Also: https://discord.com/channels/839993398554656828/1130871916249497751

@kangmingtay
Member

hey @tobiassern, supabase.auth.admin.generateLink() isn't meant to work with the PKCE flow because the PKCE flow requires the generation of a code verifier. Since the code verifier must be generated and used when the authentication request is made (i.e. signup / request for otp) and when the link is verified (i.e. when the email link is clicked), it doesn't work for supabase.auth.admin.generateLink() because that's typically done on the server-side and not the client-side.

note, the code verifier is meant to prevent replay attacks, which is why it has to be created when the authentication request starts and sent when the verification request is made (ensures that the person verifying is the same person who requested for the auth).

we are aware that this is a problem if you are using the auth-helpers and we're working on a separate solution to fix it

@kangmingtay kangmingtay transferred this issue from supabase/supabase-js Aug 24, 2023
@kbsali

kbsali commented Sep 1, 2023

have you tried the solution proposed by @kamerat ?
supabase/auth-helpers#610 (comment)
