Flow State Not Found about gotrue HOT 4 OPEN

After further investigation seems like exchnageCodeForSession throws error and crashes the program. I believe this is a bug because we are already receiving error in { data, error }

We can also see that the request fires TWICE, meaning that the supabase redirects TWICE. We believe the second redirect crashes the program. First is validated & works. Second with exactly the same code crashes, because the code is already used.

from gotrue.

I might have found a lead/related bug - if scopes includes "https://www.googleapis.com/auth/youtube.readonly" so you pick a YouTube account after picking Google one and you have only one YouTube account for given gmail, you get to see the pick screen but are getting redirected automatically after a moment - if you explicitly pick and click the account in the meantime, the riderctTo url will be hit twice! If there is more YT account on your gmail, automatic redirect does not happen and you can pick whatever account you want and everything will be fine

Now the specifics depends - sometimes you will get the same code twice, sometimes the 2nd code is null but in both cases You get the 422 error in return and are not logged in! The 30% of the times failure depends on I guess the timing you explicitly hit the YouTube account and how Google Auth/Supa (dunno) handles it - if you just wait I get positive login 100% of times.

The issue is I don't see the way to prevent this automatic account picking by Google or skipping this screen entirely if there is only one YT account associated to the Google one. One way is to give the consent every time, because AFAIK this screen does not automatically redirect, so you won't get 2 redirectTo hits. But the login UX is obnoxious to say the least.

Anyway it seems like the Google Auth issue at the core, but I believe given the Supabase is wrapping the entire process with this specific 422 code error returning, maybe there is some workaround that could be implemented directly in Supa for these "double redirects". WDYT?

from gotrue.

@Forsect is right, this happens a lot!

But I also noticed that sometimes the code is not accepted anyway, even if it's the first time. For no particular reason.

from gotrue.

The issue with my application:

I was redirecting to a webpage with Notion oauth params (/my/app/route?code=[VALUE]&state=value) that supabase erroneously thought had to do with the supabase session.

from gotrue.