Open
Description
Description:
I encountered a parameter swapping bug with the verifyOTP() method where the email and token parameters appear to be reversed in the actual HTTP request.
Issue Description:
When calling verifyOTP() with named parameters, the values are being swapped in the network request - the email value is sent as the token, and the token value is sent as the email.
Code example:
static Future<AuthResponse> verifyEmailAndOtp(String email, String otp) async {
return await _supabaseClient.auth.verifyOTP(
type: OtpType.email,
token: otp,
email: email
);
}
// Usage
try {
final response = await AuthService.verifyEmailAndOtp("test@test.com", "329169");
if (response.user != null) {
state = const AsyncData(null);
return true;
} else {
state = AsyncError('Verifying otp failed: No user returned', StackTrace.current);
return false;
}
} catch (e, st) {
log("Registration Error: $e");
state = AsyncError(e, st);
return false;
}
Expected request body
{
"email": "test@test.com",
"token": "329169",
"type": "email",
"redirect_to": null,
"gotrue_meta_security": {"captchaToken": null}
}
Actual request body after setting the httpClient
{
"email": "329169",
"token": "test@test.com",
"type": "email",
"redirect_to": null,
"gotrue_meta_security": {"captchaToken": null}
}
Workaround
By temporarily swapping the email and token you can get by it although it really quirky
{
"email": "329169",
"token": "test@test.com",
"type": "email",
"redirect_to": null,
"gotrue_meta_security": {"captchaToken": null}
}
Info
- Flutter version:
Flutter 3.29.3 • channel stable • https://github.com/flutter/flutter.git
Framework • revision ea121f8859 (7 weeks ago) • 2025-04-11 19:10:07 +0000
Engine • revision cf56914b32
Tools • Dart 3.7.2 • DevTools 2.42.3
- Supabase flutter version: supabase_flutter 2.9.0
Note: I am still learning flutter. It could be that I did something wrong but based on debugging I think not.