From ba66b4d366e6c7d4428c06f75badb627120b7414 Mon Sep 17 00:00:00 2001
From: Joel Lee
Date: Fri, 20 Oct 2023 12:02:13 +0800
Subject: [PATCH] feat: add SSO PKCE (#707)
## What kind of change does this PR introduce?
Companion PR to: https://github.com/supabase/gotrue/pull/1137
Server-Side PR: PKCE https://github.com/supabase/gotrue/pull/1137
Co-authored-by: joel@joellee.org
---
 src/GoTrueClient.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/GoTrueClient.ts b/src/GoTrueClient.ts
index 97e367f99..6337df87f 100644
--- a/src/GoTrueClient.ts
+++ b/src/GoTrueClient.ts
@@ -709,6 +709,14 @@ export default class GoTrueClient {
 async signInWithSSO(params: SignInWithSSO): Promise {
 try {
 await this._removeSession()
+ let codeChallenge: string | null = null
+ let codeChallengeMethod: string | null = null
+ if (this.flowType === 'pkce') {
+ const codeVerifier = generatePKCEVerifier()
+ await setItemAsync(this.storage, `${this.storageKey}-code-verifier`, codeVerifier)
+ codeChallenge = await generatePKCEChallenge(codeVerifier)
+ codeChallengeMethod = codeVerifier === codeChallenge ? 'plain' : 's256'
+ }
 return await _request(this.fetch, 'POST', `${this.url}/sso`, {
 body: {
@@ -719,6 +727,8 @@ export default class GoTrueClient {
 ? { gotrue_meta_security: { captcha_token: params.options.captchaToken } }
 : null),
 skip_http_redirect: true, // fetch does not handle redirects
+ code_challenge: codeChallenge,
+ code_challenge_method: codeChallengeMethod,
 },
 headers: this.headers,
 xform: _ssoResponse,
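Review bot: The method selection `codeChallengeMethod = codeVerifier === codeChallenge ? 'plain' : 's256'` in the first hunk silently downgrades to the `plain` method whenever generatePKCEChallenge hands the verifier back unchanged (presumably when SHA-256 hashing is unavailable in the runtime), so the secret later needed to redeem the authorization code is the very string that was just sent in the /sso request body, which removes the binding PKCE is meant to provide. That downgrade should at least be observable — a `console.warn` when the fallback fires — or, if the project's policy allows, the `pkce` flow should reject the SSO sign-in with an error when the method resolves to `'plain'` rather than proceeding. Narrowing the local to `let codeChallengeMethod: 'plain' | 's256' | null = null` would also document the only two values the server-side counterpart is expected to accept. The same verifier/challenge block likely exists in the OAuth sign-in path of this class; if so, a shared private helper would keep the two implementations from drifting. signInWithSSO begins before the first hunk and ends after the second; the second hunk only threads the two values into the request body.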