feat: opt-in update for cross-device/browser otp, 0Auth, and magic link sign in

infra/db/00-schema.sql

@@ -84,3 +84,22 @@ GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA auth TO postgres;
 GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA auth TO postgres;
 ALTER USER postgres SET search_path = "auth";
 
+-- auth.pkce_sessions definition
+CREATE TABLE auth.pkce_sessions (
+    id uuid NOT NULL,
+    session_id varchar(255) NOT NULL,
+    code_verifier varchar(255) NOT NULL,
+    instance_id uuid NULL,
+    created_at timestamptz NOT NULL DEFAULT now(),
+    expires_at timestamptz NOT NULL,
+    CONSTRAINT pkce_sessions_pkey PRIMARY KEY (id),
+    CONSTRAINT pkce_sessions_session_id_key UNIQUE (session_id)
+);
+
+CREATE INDEX pkce_sessions_instance_id_idx ON auth.pkce_sessions USING btree (instance_id);
+CREATE INDEX pkce_sessions_session_id_idx ON auth.pkce_sessions USING btree (session_id);
+CREATE INDEX pkce_sessions_expires_at_idx ON auth.pkce_sessions USING btree (expires_at);
+
+-- Add permissions for the new table
+GRANT ALL PRIVILEGES ON TABLE auth.pkce_sessions TO postgres;
+

infra/docker-compose.yml

@@ -38,6 +38,8 @@ services:
       GOTRUE_SMS_TWILIO_MESSAGE_SERVICE_SID: '${GOTRUE_SMS_TWILIO_MESSAGE_SERVICE_SID}'
       GOTRUE_SMS_AUTOCONFIRM: 'false'
       GOTRUE_COOKIE_KEY: 'sb'
+      GOTRUE_PKCE_CROSS_DEVICE_ENABLED: 'true'
+      GOTRUE_PKCE_SESSION_EXPIRY: '300'
     depends_on:
       - db
     restart: on-failure

src/GoTrueAdminApi.ts

@@ -19,6 +19,7 @@ import {
   AuthMFAAdminListFactorsParams,
   AuthMFAAdminListFactorsResponse,
   PageParams,
+  PKCESession,
 } from './lib/types'
 import { AuthError, isAuthError } from './lib/errors'
 
@@ -330,4 +331,53 @@ export default class GoTrueAdminApi {
       throw error
     }
   }
+
+  /**
+   * Lists all active PKCE sessions.
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  async listPKCESessions(): Promise<
+    { data: { sessions: PKCESession[] }; error: null } | { data: null; error: AuthError }
+  > {
+    try {
+      const { data, error } = await _request(this.fetch, 'GET', `${this.url}/admin/pkce-sessions`, {
+        headers: this.headers,
+      })
+
+      if (error) throw error
+      return { data, error: null }
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+      throw error
+    }
+  }
+
+  /**
+   * Deletes a PKCE session.
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  async deletePKCESession(
+    sessionId: string
+  ): Promise<{ data: { success: boolean }; error: null } | { data: null; error: AuthError }> {
+    try {
+      const { data, error } = await _request(
+        this.fetch,
+        'DELETE',
+        `${this.url}/admin/pkce-sessions/${sessionId}`,
+        {
+          headers: this.headers,
+        }
+      )
+
+      if (error) throw error
+      return { data, error: null }
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+      throw error
+    }
+  }
 }