fix: use standard 'code' parameter for pkce flow

internal/api/external_figma_test.go

@@ -128,7 +128,7 @@ func (ts *ExternalTestSuite) TestSignupExternalFigma_PKCE() {
 			var buffer bytes.Buffer
 			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
 				"code_verifier": codeVerifier,
-				"auth_code":     authCode,
+				"code":          authCode,
 			}))
 			req := httptest.NewRequest(http.MethodPost, "http://localhost/token?grant_type=pkce", &buffer)
 			req.Header.Set("Content-Type", "application/json")

internal/api/external_fly_test.go

@@ -128,7 +128,7 @@ func (ts *ExternalTestSuite) TestSignupExternalFly_PKCE() {
 			var buffer bytes.Buffer
 			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
 				"code_verifier": codeVerifier,
-				"auth_code":     authCode,
+				"code":          authCode,
 			}))
 			req := httptest.NewRequest(http.MethodPost, "http://localhost/token?grant_type=pkce", &buffer)
 			req.Header.Set("Content-Type", "application/json")

internal/api/external_github_test.go

@@ -135,7 +135,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGitHub_PKCE() {
 			var buffer bytes.Buffer
 			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
 				"code_verifier": codeVerifier,
-				"auth_code":     authCode,
+				"code":          authCode,
 			}))
 			req := httptest.NewRequest(http.MethodPost, "http://localhost/token?grant_type=pkce", &buffer)
 			req.Header.Set("Content-Type", "application/json")

internal/api/token.go

@@ -29,7 +29,7 @@ type PasswordGrantParams struct {
 
 // PKCEGrantParams are the parameters the PKCEGrant method accepts
 type PKCEGrantParams struct {
-	AuthCode     string `json:"auth_code"`
+	Code         string `json:"code"`
 	CodeVerifier string `json:"code_verifier"`
 }
 
@@ -226,11 +226,11 @@ func (a *API) PKCE(ctx context.Context, w http.ResponseWriter, r *http.Request)
 		return err
 	}
 
-	if params.AuthCode == "" || params.CodeVerifier == "" {
-		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "invalid request: both auth code and code verifier should be non-empty")
+	if params.Code == "" || params.CodeVerifier == "" {
+		return apierrors.NewBadRequestError(apierrors.ErrorCodeValidationFailed, "invalid request: both code and code_verifier should be non-empty")
 	}
 
-	flowState, err := models.FindFlowStateByAuthCode(db, params.AuthCode)
+	flowState, err := models.FindFlowStateByAuthCode(db, params.Code)
 	// Sanity check in case user ID was not set properly
 	if models.IsNotFoundError(err) || flowState.UserID == nil {
 		return apierrors.NewNotFoundError(apierrors.ErrorCodeFlowStateNotFound, "invalid flow state, no valid flow state found")

internal/api/token_test.go

@@ -370,7 +370,7 @@ func (ts *TokenTestSuite) TestTokenPKCEGrantFailure() {
 			var buffer bytes.Buffer
 			require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
 				"code_verifier": v.codeVerifier,
-				"auth_code":     v.authCode,
+				"code":          v.authCode,
 			}))
 			req := httptest.NewRequest(http.MethodPost, "http://localhost/token?grant_type=pkce", &buffer)
 			req.Header.Set("Content-Type", "application/json")
@@ -614,7 +614,7 @@ func (ts *TokenTestSuite) TestMagicLinkPKCESignIn() {
 	// Extract token and sign in
 	require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
 		"code_verifier": codeVerifier,
-		"auth_code":     authCode,
+		"code":          authCode,
 	}))
 	req = httptest.NewRequest(http.MethodPost, "http://localhost/token?grant_type=pkce", &buffer)
 	req.Header.Set("Content-Type", "application/json")

openapi.yaml

@@ -99,7 +99,7 @@ paths:
                   refresh_token: 4nYUCw0wZR_DNOTSDbSGMQ
               grant_type=pkce:
                 value:
-                  auth_code: 009e5066-fc11-4eca-8c8c-6fd82aa263f2
+                  code: 009e5066-fc11-4eca-8c8c-6fd82aa263f2
                   code_verifier: ktPNXpR65N6JtgzQA8_5HHtH6PBSAahMNoLKRzQEa0Tzgl.vdV~b6lPk004XOd.4lR0inCde.NoQx5K63xPfzL8o7tJAjXncnhw5Niv9ycQ.QRV9JG.y3VapqbgLfIrJ
               web3_solana:
                 value:
@@ -151,9 +151,10 @@ paths:
                   description: If `provider` is `azure` then you can specify any Azure OIDC issuer string here, which will be used for verification.
                 gotrue_meta_security:
                   $ref: "#/components/schemas/GoTrueSecurity"
-                auth_code:
+                code:
                   type: string
                   format: uuid
+                  description: Authorization code from OAuth2 PKCE flow
                 code_verifier:
                   type: string
                 message: