Skip to content

verifyOTP() method parameters are swapped - email and token arguments reversed #1179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Frankfx9 opened this issue May 29, 2025 · 0 comments
Open

verifyOTP() method parameters are swapped - email and token arguments reversed #1179

Frankfx9 opened this issue May 29, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@Frankfx9
Copy link

Frankfx9 commented May 29, 2025
edited
Loading

Description:

I encountered a parameter swapping bug with the verifyOTP() method where the email and token parameters appear to be reversed in the actual HTTP request.

Issue Description:

When calling verifyOTP() with named parameters, the values are being swapped in the network request - the email value is sent as the token, and the token value is sent as the email.

Code example:

static Future<AuthResponse> verifyEmailAndOtp(String email, String otp) async {
  return await _supabaseClient.auth.verifyOTP(
    type: OtpType.email, 
    token: otp, 
    email: email
  );
}

// Usage
try {
  final response = await AuthService.verifyEmailAndOtp("test@test.com", "329169");
  if (response.user != null) {
    state = const AsyncData(null);
    return true;
  } else {
    state = AsyncError('Verifying otp failed: No user returned', StackTrace.current);
    return false;
  }
} catch (e, st) {
  log("Registration Error: $e");
  state = AsyncError(e, st);
  return false;
}

Expected request body

{
  "email": "test@test.com",
  "token": "329169",
  "type": "email",
  "redirect_to": null,
  "gotrue_meta_security": {"captchaToken": null}
}

Actual request body after setting the httpClient

{
  "email": "329169",
  "token": "test@test.com", 
  "type": "email",
  "redirect_to": null,
  "gotrue_meta_security": {"captchaToken": null}
}

Workaround

By temporarily swapping the email and token you can get by it although it really quirky

{
  "email": "329169",
  "token": "test@test.com", 
  "type": "email",
  "redirect_to": null,
  "gotrue_meta_security": {"captchaToken": null}
}

Info

  • Flutter version:
Flutter 3.29.3 • channel stable • https://github.com/flutter/flutter.git
Framework • revision ea121f8859 (7 weeks ago) • 2025-04-11 19:10:07 +0000
Engine • revision cf56914b32
Tools • Dart 3.7.2 • DevTools 2.42.3
  • Supabase flutter version: supabase_flutter 2.9.0

Note: I am still learning flutter. It could be that I did something wrong but based on debugging I think not.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Frankfx9