When calling signUpWithEmail, I occasionally get a TypeError.

This is the line of code that's throwing:
final data = response.rawData as Map<String, dynamic>;

And the location is here
https://github.com/supabase-community/gotrue-dart/blob/3c1e471ea433af453811ba1b8315ffce8e993564/lib/src/gotrue_api.dart#L48

It happens when I run this method a second time right after this first.

This is: response.rawData.

{
	error: GotrueError(message: For security purposes, you can only request this after 28 seconds.),
	rawData: null,
}

The Try block then catches the type error and returns the TypeError message, not the actual rate limit error.

Chore

Describe the chore

Update signUp to use named parameters.

Additional context

This would be a breaking change, but signIn users named parameters, it feels inconsistent to have signUp take a subset of the same parameters as positional instead of named.

Feature request

Is your feature request related to a problem? Please describe.

We need help with completing test coverage for this library. Following gotrue-js there are 3 test files:

• client_test
• provider_test
• subscriptions_test

Additional context

Before running test file, It's required to start a docker instance first:

1. Install Docker
2. cd infra/db
3. docker-compose down && docker-compose up -d

Feature request

Will gotrue-dart add apple provider support? I noticed that supabase/auth#102 is merged into the supabase/gotrue repo.

Is it just a matter of updating the Provider enum to include apple? (Sorry this is my first few hours using supabase) If so, I can make PR for it.

Feature request

Is your feature request related to a problem? Please describe.

I am using row-level security policies on my db and need to be able to make server-side requests (cloud functions) including a user's jwt. Currently, a supabase client is created with the anon key and I can use the embedded gotrue client to get a user object from the jwt passed to my cloud function. This is sufficient to verify the validity of the jwt but does not create or restore a session and so the subsequent db query fails because the jwt doesn't get passed to the supabase backend.

So the call looks like this:

Mobile app (signed in) -> passes jwt -> azure cloud function -> creates supabase client -> checks jwt -> performs db operation (fails here) -> passes back data.

The reason I cannot perform this client-side is that the cloud function needs to use private keys to manipulate the incoming data before interacting with the database and then returning the result.

Describe the solution you'd like

I would like a way to either tell the supabase or gotrue client to include my user's jwt in the auth header of all requests or a way to "restore" a session from the jwt. This has been solved already for the gotrue and supabase js clients.

Discussion is here: supabase/supabase#1094

Related issue: supabase/supabase-js#166

Gotrue JS PR: supabase/auth-js#80

Landed in this supabase release: https://github.com/supabase/supabase-js/releases/tag/v1.11.10

A clear and concise description of what you want to happen.

Describe alternatives you've considered

Making a manual api call against the postgrest service. (this seems somewhat overengineered / less maintainable)

The login provider callback URL: baseUrl/#accessToken=xyz.

getSessionFromUrl expects the URL to use query params: baseUrl/?accessToken=xyz.

https://github.com/supabase/gotrue-dart/blob/main/lib/src/gotrue_client.dart#L109

@phamhieu Is this due to supabase incorrectly prepending # to the query params or should the dart-sdk be able to handle baseUrl/#accessToken=xyz, with a # ?

Original problem: baseUrl/#accessToken: Everything after # is stripped => This was due to using the url path strategy.

Feature request

Persist the user's session upon application reload.

I could very well be implementing auth wrong, but opening request in case I'm not.

Describe the solution you'd like

When a user is signed in and leave->reload the application, they should not be prompted to login. Speaking specifically for flutter, a reload prompts back to sign in.

Describe alternatives you've considered

Storing token in the device, and silent refresh token as needed.

Additional context

I would be more than happy to create a PR with changes if given some guidance on implementation. Mobile authentication is not my strong suit.

Hi. While implementing a signup flow (see supabase/supabase-flutter#144), the docs did not indicate that the email validation required state is represented by the session and error values being null. This is indicated in the javascript docs however, I never thought of checking that website.

It would be better if these docs could be integrated within the dart code - https://pub.dev/documentation/gotrue/latest/gotrue/GoTrueClient/signUp.html

Bug report

Describe the bug

When attempting to restore the session, the user object is is returning null which causes the session to not be loaded.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

1. Log in with a phone number user, using verifyOTP
2. Refresh the screen
3. Error should be printed when referencing recoverSession directly

Expected behavior

The user information should be returned when a user has successfully logged in using an SMS token. I noticed that this is not the case, when trying to print out the user info after a login, but I ignored it.

Screenshots

n/a

System information

• OS: Linux
• Browser (if applies): Chrome
• • Version of supabase: 0.1.0

Additional context

n/a

Feature request

await supabase.auth.api.deleteUser(
  '715ed5db-f090-4b8c-a067-640ecee36aa0',
  'YOUR_SERVICE_ROLE_KEY'
)

Is your feature request related to a problem? Please describe.

I would like my users to be able delete their accounts and associated data.

Describe the solution you'd like

https://supabase.io/docs/reference/javascript/delete-user

Describe alternatives you've considered

1. Deploying Ory Kratos on my K8s cluster.
2. Dropping the Table from the DB directly.
3. Making a PR to perform the rest hit.

Additional context

https://github.com/netlify/gotrue/blob/feb3c89564b573e306119a83b918f2e76c91a9a0/api/admin.go#L226-L250
https://github.com/supabase/gotrue-js/blob/master/src/GoTrueApi.ts#L251
https://github.com/supabase/gotrue-dart/blob/main/lib/src/gotrue_api.dart

The issue is better described here:

• supabase/supabase#5110

TL;DR: recovering session returns "Invalid Refresh Token" error.

Root cause

I debugged the issue manually using the REST API for go-true and found no issues with the server. I also debugged gotrue-dart and I believe I found the root cause there.

When making a refresh token request to gotrue server, the Authorization header should be the JWT from the recovered session. Since a SupabaseClient is instantiated before recovering the session, the Authorization header defaults to the apikey. Therefore, when calling client.auth.receoverSession(sessionString), the Authorization header will be incorrect and it doesn't get updated with the JWT which causes an "Invalid Refresh Token" and I believe it invalidates the token from being used in the future as well.

To reproduce:

• place a debug point here:
  https://github.com/supabase-community/gotrue-dart/blob/936e807159658539ee95d83925e297c900b05fa2/lib/src/gotrue_api.dart#L357

• Invoke client.auth.receoverSession(sessionString) with an expired JWT and valid refresh token.

• Print the headers, you'll find the Authorization isn't the JWT from the recovered session:

{
  "X-Client-Info" : "supabase-dart/0.2.14",
  "apikey" : "<api_key>",
  "Authorization" : "Bearer <api_key>" <~~~ this should be the JWT
}

• Also the result of client.auth.receoverSession(sessionString) should have an "Invalid Refresh Token" error.

Additional Context:

I believe the same issue happens when a token is refreshed before it's expired by the timer because I always have to log-in again after 1-hour.

Feature request

Rename Provider enum

Is your feature request related to a problem? Please describe.

Using supabase with riverpod in the same class will raise an error since both uses the same class name.

Describe the solution you'd like

Rename "Provider" enum class to "ProviderEnum". I'll open a pull request asap.

Describe alternatives you've considered

Alternatively i could give an alias to one of the imports.. but this is

1. annoying
2. due to riverpods popularity it's likely that more users will have the same problem soon
3. improve developer experience by avoiding this error in first place

Additional context

Current erorr message:

'Provider' isn't a function. (Documentation) Try correcting the name to match an existing function, or define a method or function named 'Provider'. The name 'Provider' is defined in the libraries 'package:gotrue/src/provider.dart' and 'package:riverpod/src/provider.dart'. (Documentation) Try using 'as prefix' for one of the import directives, or hiding the name from all but one of the imports.

Not sure this was intentional or a bug.
I just noticed that some keys that are in the User.fromJson() do not appear in the User.toJson() method.
Let me know if this was intentional

Below keys are missing
phone, email_confirmed_at, phone_confirmed_at

Map<String, dynamic> toJson() => {
        'id': id,
        'app_metadata': appMetadata,
        'user_metadata': userMetadata,
        'aud': aud,
        'email': email,
        'created_at': createdAt,
        'confirmed_at': confirmedAt,
        'last_sign_in_at': lastSignInAt,
        'role': role,
        'updated_at': updatedAt,
      };
}

Release new version because gotrue:0.1.2 is not exporting gotrue_error.dart class

Bug report

Describe the bug

Calling recoverSession() results in changing the auth state if the recovery is successful, so I thought the callback function of onAuthStateChange() would be called, but it actually wasn't.

To Reproduce

final client = SupabaseClient(...);
client.auth.onAuthStateChange((event, session) => print(event));  // Nothing is printed.

...

final session = await fetchSession();
final response = await client.auth.recoverSession(session);
if (response.error != null) {
  // Error handling
}

...

Future<String> fetchSession() async {
  // Fetching the json string from the local DB
  final session = await ...;
  return session;
}

Expected behavior

"AuthChangeEvent.signedIn" is printed in the console when the user's sign-in state is recovered by recoverSession().

I’m not really sure if this is the right behaviour as it is not documented in the API reference of the package. Therefore it is just what I personally expected to happen.

System information

• OS: Windows
• Version of supabase-js: 0.4.2
• Version of Node.js: 15.11.0

Firebase and Amplify have that feature (user/session on local storage).

Can it be on roadmap ?

In the readme:

• signIn with oauth2 provider only return provider url. Users have to launch that url to continue the auth flow. I recommend to use url_launcher package.
• After receiving callback uri from oauth2 provider, use getSessionFromUrl to parse session data.

But I want to know how to get the callback uri from oauth2 provider?

The example code doesn't help much:

  void _onSignInWithGithub(BuildContext context) async {
    final response = await gotrueClient.signIn(provider: Provider.github);
    if (await canLaunch(response.url)) {
      print('response.url: ${response.url}');
      await launch(response.url);
    } else {
      throw 'Could not launch ${response.url}';
    }
  }  

Feature request

Is your feature request related to a problem? Please describe.

Currently Supabase support only web oAuth which is mainly used for web applications and thus provide no UX to mobile users.

Describe the solution you'd like

Change how the SDK handles auth on mobile devices and this could be achieved by such code example (pseudo code)

consider having such an abstract class

abstract class AuthProvider {
  Provider get provider;
}

then Supabase supported third party auth vendors could be implemented in such way

class GoogleProvider implements AuthProvider {
  final String accessToken;
  final String idToken;

  const GoogleProvider({
    required this.accessToken,
    required this.idToken,
  });

  @override
  Provider get provider => Provider.google;
}

then simply we can let the user uses Google lib to authenticate the user on a mobile flow using

 final user = await _googleSignIn.signIn();
 final googleAuth = await user.authentication;

_supabase.client.signInProvider(GoogleProvider(accessToken: googleAuth.accessToken, 
                                               idToken: googleAuth.idToken));

then simply we could call a function in Supabase SDk that could handle this for example:

Future<GotrueSessionResponse> signInProvider({ required AuthProvider provider}) async {
    String accessToken, idToken;
    if (provider is GoogleProvider) {
       accessToken = provider.accessToken;
       idToken = provider.idToken;
    } else if ( provider is Facebook ) {
       accessToken = provider.accessToken;
   }
   final response = await api.signWithProvider(provider.provider, .accessToken , idToken); 
    return GotrueSessionResponse(error: response.error);
  }

with that Supabase shall support native auth instead of web focused auth system.

Describe alternatives you've considered

• current auth which is almost broken on ios due to redirecting isn't working and user has to manually click done on safari to return to the app.

Additional context

I would definitely like to help here if me jumping in gonna make this FR implemented faster.

Cheers.

https://github.com/supabase-community/gotrue-dart/blob/c658af271aaeeaed444d922fb1643634ddd163b3/lib/src/types/auth_response.dart#L87

Error:

References:

https://blog.stevenlevithan.com/archives/mimic-lookbehind-javascript
https://www.regular-expressions.info/lookaround.html
https://www.lambdatest.com/web-technologies/js-regexp-lookbehind

The User Attributes Cannot Be Imported
If You reference the Directory the IDE spit warning

// ignore: implementation_imports
import 'package:gotrue/src/user_attributes.dart';

This PR:
#6
Allows you to do Reference UserAttributes By Exporting its class

import 'package:gotrue/gotrue.dart' show UserAttributes;

This Other PR,
#4

FIxes then the Bug when you Change Pass and the password defaults to email
The Same goes to other fields Being reference by both method update and updateUser.

Prior to this when you log in and change pass you cannot log in back
but you can if u used your email address as your password.

Future<void> updatePassword() async {
   // Token i Copied from reset URL
    String token = 'LONGTOKENSTRING';
    try {
      var response = await client.auth.api.updateUser(
          token,
          UserAttributes(
            password: 'superpass1234',
          ));
      if (response.error == null) {
        print("SUCCESS");
        print(response.rawData);
      } else {
        response.printError();
      }
    } catch (e) {
      print(e.toString());
    }
  }

Hope this PR Will be Approved Since Im Using it On My Project and
I cannot Use a Git Version , since the superbase repo reference the official on.

Thanks

I have enabled Enable email confirmations.

When trying to SignUp a new user, not getting Session or User object. But based on this documentation
https://supabase.com/docs/reference/javascript/auth-signup (i know this is Javascript ref).

• If "Email Confirmations" is turned on, a user is returned but session will be null.

Auth 'users' table is also showing the registered user.

Here is the code:
pubspec => supabase: ^0.2.14

final GotrueSessionResponse response = await _client.auth.signUp(email, pwd);
log('DATA : ${response.data?.toJson()}');

Result is NULL.

Only currentUser is updated in the GoTrueClient.update() method. The currentSession.user property is not updated. This leads to a discrepancy between these two sources of truth which should always be in sync.

/// Updates user data, if there is a logged in user.
  Future<GotrueUserResponse> update(UserAttributes attributes) async {
    if (currentSession?.accessToken == null) {
      final error = GotrueError('Not logged in.');
      return GotrueUserResponse(error: error);
    }

    final response =
        await api.updateUser(currentSession!.accessToken, attributes);
    if (response.error != null) return response;

    currentUser = response.user;
    _notifyAllSubscribers(AuthChangeEvent.userUpdated);

    return response;
  }