[Bug]: OAuth redirect for identity linking fails #833

jshxr opened this issue Jan 11, 2025 · 2 comments
Labels
auth bug Something isn't working
jshxr commented Jan 11, 2025

General Info

  • I checked for similar bug report
  • I am using the latest version (should fail on 3.0.3 as well though)
  • I checked the troubleshooting page for similar problems

Version(s)

3.0.1

Kotlin Target(s) and their respective versions

2.0.21 / WasmJs

What happened? (include your code)

In my Compose Multiplatform webapp, calling

supabaseClient.auth.linkIdentity(Google)

to have an anonymous user sign in with Google differs greatly from calling

supabaseClient.auth.signIn(Google)

to sign in a completely new user.

While the latter works just fine, with the browser redirecting to the Google Sign In page, calling linkIdentity results in a failed request (blocked preflight due to missing headers) to the Google OAuth endpoint.

Looking at the implementation

override suspend fun linkIdentity(
    provider: OAuthProvider,
    redirectUrl: String?,
    config: ExternalAuthConfigDefaults.() -> Unit
): String? {
    val automaticallyOpen = ExternalAuthConfigDefaults().apply(config).automaticallyOpenUrl
    val fetchUrl: suspend (String?) -> String = { redirectTo: String? ->
        val url = getOAuthUrl(provider, redirectTo, "user/identities/authorize", config)
        val response = api.rawRequest(url) {
            method = HttpMethod.Get
        }
        response.request.url.toString()
    }
    if (!automaticallyOpen) {
        return fetchUrl(redirectUrl ?: "")
    }
    startExternalAuth(
        redirectUrl = redirectUrl,
        getUrl = {
            fetchUrl(it)
        },
        onSessionSuccess = {
            importSession(it, source = SessionSource.UserIdentitiesChanged(it))
        }
    )
    return null
}

it seems as if response.request.url.toString() on line 156 might be the problem.

Based on how the linkIdentity method is implemented in the official JS client,
I assume that the line tries to extract the URL returned by the /user/identities/authorize endpoint.
However, instead, the previously constructed URL used to make the request is being accessed.

A second problem is that the /user/identities/authorize endpoint doesn't return the wanted URL, but instead
tries to redirect to it right away.

Possible fix

  1. Adding the query parameter skip_http_redirect=true to the /user/identities/authorize URL.
  2. Parsing the returned URL correctly

Workaround

This is my current workaround:

@Serializable
data class SupabaseLinkIdentityResponse(val url: String)

@OptIn(SupabaseInternal::class)
suspend fun signInWithGoogle(uriHandler: UriHandler) {
    val api = supabaseClient.authenticatedSupabaseApi(supabaseClient.auth)
    val fetchUrl: suspend (String?) -> String = { redirectTo: String? ->
        val url =
            supabaseClient.auth.getOAuthUrl(
                Google,
                redirectTo,
                "user/identities/authorize"
            ) {
                queryParams["skip_http_redirect"] = "true"
            }
        val response = api.rawRequest(url) {
            method = HttpMethod.Get
        }
        Json.decodeFromString<SupabaseLinkIdentityResponse>(response.body()).url
    }

    val url = fetchUrl(null)
    uriHandler.openUri(url)
}

Note: I haven't yet tested this on platforms/targets other than Web/WasmJs.

Steps To Reproduce (optional)

No response

Relevant log output (optional)

No response

@jshxr jshxr added the bug Something isn't working label Jan 11, 2025
@jan-tennert jan-tennert self-assigned this Jan 11, 2025
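
Added example, not part of the issue or of the project's code: step 2 of the proposed fix (parsing the URL returned when skip_http_redirect=true is set), with a check that the URL is HTTPS on an expected host before it is handed to the browser. `LinkIdentityResponse`, `extractProviderUrl` and the allowed-host set are hypothetical names, and the sample bodies are constructed; Ktor's `Url` and kotlinx.serialization are assumed to be available.

```kotlin
import io.ktor.http.Url
import kotlinx.serialization.Serializable
import kotlinx.serialization.json.Json

// Shape of the body returned with skip_http_redirect=true,
// mirroring the workaround's SupabaseLinkIdentityResponse.
@Serializable
data class LinkIdentityResponse(val url: String)

// Tolerate extra fields so additions to the response do not break parsing.
private val lenientJson = Json { ignoreUnknownKeys = true }

/**
 * Hypothetical helper: returns the provider URL from the response body,
 * or null if the body is malformed or the URL is not HTTPS on an allowed host.
 */
fun extractProviderUrl(body: String, allowedHosts: Set<String>): String? {
    val parsed = try {
        lenientJson.decodeFromString(LinkIdentityResponse.serializer(), body)
    } catch (e: IllegalArgumentException) { // SerializationException is a subclass
        return null
    }
    // Parse before use; a URL that cannot be parsed is never opened.
    val target = runCatching { Url(parsed.url) }.getOrNull() ?: return null
    if (target.protocol.name != "https") return null
    // Compare the parsed host, not a substring of the raw string.
    if (target.host.lowercase() !in allowedHosts) return null
    return parsed.url
}

fun main() {
    // Assumption: Google's authorization host is the only expected target.
    val allowed = setOf("accounts.google.com")
    // Constructed sample bodies, not captured from a real server.
    val good = """{"url":"https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE"}"""
    val wrongHost = """{"url":"https://example.invalid/auth"}"""
    val notJson = "<html>302 Found</html>"
    println(extractProviderUrl(good, allowed))      // accepted, URL returned
    println(extractProviderUrl(wrongHost, allowed)) // rejected, host not allowed
    println(extractProviderUrl(notJson, allowed))   // rejected, body is not JSON
}
```
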
@jan-tennert
Collaborator

Thanks for reporting, this was a bug. Fixed in #d7dd01a.
Will publish a version later today for testing.

@jan-tennert
Collaborator

jan-tennert commented Jan 13, 2025

Released 3.1.0-beta-1. Let me know if this was fixed.
