Skip to content

fix(gotrue): don't throw in verifyOTP when secure email/phone change returns no session #1448

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
spydon merged 2 commits into from
Jun 22, 2026
+23 −18
Merged

fix(gotrue): don't throw in verifyOTP when secure email/phone change returns no session #1448

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2dd7aae
fix(gotrue): don't throw in verifyOTP when secure email/phone change …
spydon Jun 22, 2026
f82eaa6
Merge branch 'main' into fix/verify-otp-secure-email-change
spydon Jun 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 12 additions & 9 deletions packages/gotrue/lib/src/gotrue_client.dart
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -607,17 +607,20 @@ class GoTrueClient {

final authResponse = AuthResponse.fromJson(response);

if (authResponse.session == null) {
throw AuthException('An error occurred on token verification.');
// A secure email or phone change verifies in two steps: the server accepts
// the first OTP without returning a session and only issues one once the
// second OTP is verified. In that case there is nothing to persist yet, so
// return the intermediate response instead of treating it as an error.
final session = authResponse.session;
if (session != null) {
_saveSession(session);
notifyAllSubscribers(
type == OtpType.recovery
? AuthChangeEvent.passwordRecovery
: AuthChangeEvent.signedIn,
);
}

_saveSession(authResponse.session!);
notifyAllSubscribers(
type == OtpType.recovery
? AuthChangeEvent.passwordRecovery
: AuthChangeEvent.signedIn,
);

return authResponse;
}

Expand Down
20 changes: 11 additions & 9 deletions packages/gotrue/test/otp_mock_test.dart
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -475,22 +475,24 @@ void main() {
);
});

test('response with null session', () async {
test('response with null session returns the intermediate response',
() async {
final client = GoTrueClient(
url: 'https://example.com',
httpClient: NullSessionClient(testEmail),
asyncStorage: TestAsyncStorage(),
);

await expectLater(
() => client.verifyOTP(
email: testEmail,
token: '123456',
type: OtpType.email,
),
throwsA(isA<AuthException>().having((e) => e.message, 'message',
'An error occurred on token verification.')),
// Verifying the first OTP of a secure email change does not return a
// session. This should not throw, the intermediate response is returned
// so the second OTP can subsequently be verified.
final response = await client.verifyOTP(
email: testEmail,
token: '123456',
type: OtpType.emailChange,
);

expect(response.session, isNull);
});
});

Expand Down
Loading