fix(auth): code verifier remains in storage during edge cases

j4w8n · mandarini · commit 2427babbd209 · 2025-10-09T16:50:51.000+03:00
diff --git a/packages/core/auth-js/src/GoTrueClient.ts b/packages/core/auth-js/src/GoTrueClient.ts
@@ -572,6 +572,7 @@ export default class GoTrueClient {
       const { data, error } = res
 
       if (error || !data) {
+        await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
         return { data: { user: null, session: null }, error: error }
       }
 
@@ -585,6 +586,7 @@ export default class GoTrueClient {
 
       return { data: { user, session }, error: null }
     } catch (error) {
+      await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
       if (isAuthError(error)) {
         return { data: { user: null, session: null }, error }
       }
@@ -1186,6 +1188,7 @@ export default class GoTrueClient {
       }
       throw new AuthInvalidCredentialsError('You must provide either an email or phone number.')
     } catch (error) {
+      await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
       if (isAuthError(error)) {
         return { data: { user: null, session: null }, error }
       }
@@ -1285,6 +1288,7 @@ export default class GoTrueClient {
         xform: _ssoResponse,
       })
     } catch (error) {
+      await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
       if (isAuthError(error)) {
         return { data: null, error }
       }
@@ -1741,6 +1745,7 @@ export default class GoTrueClient {
         return { data: { user: session.user }, error: null }
       })
     } catch (error) {
+      await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
       if (isAuthError(error)) {
         return { data: { user: null }, error }
       }
@@ -2193,6 +2198,7 @@ export default class GoTrueClient {
         redirectTo: options.redirectTo,
       })
     } catch (error) {
+      await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
       if (isAuthError(error)) {
         return { data: null, error }
       }
@@ -2319,6 +2325,7 @@ export default class GoTrueClient {
         }
         return { data, error }
       } catch (error) {
+        await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
         if (isAuthError(error)) {
           return { data: { user: null, session: null }, error }
         }

Original file line number	Diff line number	Diff line change
`@@ -572,6 +572,7 @@ export default class GoTrueClient {`
`572`	`572`	`const { data, error } = res`
`573`	`573`
`574`	`574`	`if (error \|\| !data) {`
	`575`	+ await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
`575`	`576`	`return { data: { user: null, session: null }, error: error }`
`576`	`577`	`}`
`577`	`578`
`@@ -585,6 +586,7 @@ export default class GoTrueClient {`
`585`	`586`
`586`	`587`	`return { data: { user, session }, error: null }`
`587`	`588`	`} catch (error) {`
	`589`	+ await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
`588`	`590`	`if (isAuthError(error)) {`
`589`	`591`	`return { data: { user: null, session: null }, error }`
`590`	`592`	`}`
`@@ -1186,6 +1188,7 @@ export default class GoTrueClient {`
`1186`	`1188`	`}`
`1187`	`1189`	`throw new AuthInvalidCredentialsError('You must provide either an email or phone number.')`
`1188`	`1190`	`} catch (error) {`
	`1191`	+ await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
`1189`	`1192`	`if (isAuthError(error)) {`
`1190`	`1193`	`return { data: { user: null, session: null }, error }`
`1191`	`1194`	`}`
`@@ -1285,6 +1288,7 @@ export default class GoTrueClient {`
`1285`	`1288`	`xform: _ssoResponse,`
`1286`	`1289`	`})`
`1287`	`1290`	`} catch (error) {`
	`1291`	+ await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
`1288`	`1292`	`if (isAuthError(error)) {`
`1289`	`1293`	`return { data: null, error }`
`1290`	`1294`	`}`
`@@ -1741,6 +1745,7 @@ export default class GoTrueClient {`
`1741`	`1745`	`return { data: { user: session.user }, error: null }`
`1742`	`1746`	`})`
`1743`	`1747`	`} catch (error) {`
	`1748`	+ await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
`1744`	`1749`	`if (isAuthError(error)) {`
`1745`	`1750`	`return { data: { user: null }, error }`
`1746`	`1751`	`}`
`@@ -2193,6 +2198,7 @@ export default class GoTrueClient {`
`2193`	`2198`	`redirectTo: options.redirectTo,`
`2194`	`2199`	`})`
`2195`	`2200`	`} catch (error) {`
	`2201`	+ await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
`2196`	`2202`	`if (isAuthError(error)) {`
`2197`	`2203`	`return { data: null, error }`
`2198`	`2204`	`}`
`@@ -2319,6 +2325,7 @@ export default class GoTrueClient {`
`2319`	`2325`	`}`
`2320`	`2326`	`return { data, error }`
`2321`	`2327`	`} catch (error) {`
	`2328`	+ await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
`2322`	`2329`	`if (isAuthError(error)) {`
`2323`	`2330`	`return { data: { user: null, session: null }, error }`
`2324`	`2331`	`}`