`prepPKCERedirectURL`drops `//` from custom scheme URIs, corrupting PKCE auth code on iOS (`%23`)

[rintaro-okahara]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When using PKCE OAuth from on iOS with a custom URL scheme that has no path (ex. myapp://), the redirect URL returned to the app contains a corrupted auth code a trailing %23 (URL-encoded #). This causes exchangeCode ForSession to fail with "No valid flow state found".

To Reproduce

1. Create an Expo React Native app targeting iOS
2. Use makeRedirectUri() with no arguments → returns myapp://
3. Call supabase.auth.signInWithOAuth({ provider: 'google', options: { redirectTo: 'myapp://', skipBrowserRedirect: true } })
4. Open the auth URL with WebBrowser.openAuthSessionAsync
5. Complete Google sign-in
6. Observe result.url contains myapp:?code=CODE%23 instead of myapp://?code=CODE
7. exchangeCodeForSession fails with "No valid flow state found"

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

• OS: [e.g. macOS, Windows]
• Browser (if applies) [e.g. chrome, safari]
• Version of supabase-js: [e.g. 6.0.2]
• Version of Node.js: [e.g. 10.10.0]

Additional context

Add any other context about the problem here.

[nathanschram]

I think this is coming from how Go's net/url package handles custom scheme URIs in prepPKCERedirectURL.

That function does a url.Parse(redirectURL) then re-serialises with u.String() after appending the code query param. The problem is that for a bare custom scheme like myapp:// (no host component), Go's URL parser sets Host to an empty string - and when String() rebuilds the URL, it drops the // authority marker entirely because there's no host to anchor it to. So myapp:// becomes myapp:, and you end up with myapp:?code=CODE instead of myapp://?code=CODE.

The %23 (URL-encoded #) you're seeing likely comes from a related issue - the auth server's implicit flow redirect helpers set a fragment on the URL struct, and when that interacts with the mangled custom scheme, the fragment delimiter gets percent-encoded rather than treated as a literal #.

For an immediate fix, I'd try changing your redirect URI from bare myapp:// to something like myapp://callback in your makeRedirectUri() call:

const redirectUri = makeRedirectUri({ path: 'callback' })
// produces: myapp://callback

This gives Go's URL parser a non-empty host to work with, so it should preserve the // correctly. You'd need to update the redirect URI in your Supabase dashboard's URL allowlist to match.

This is also what RFC 8252 (OAuth 2.0 for Native Apps) recommends - bare scheme URIs without a host/path are discouraged because different URL parsers handle them inconsistently, which is exactly what's biting you here.

The underlying bug in prepPKCERedirectURL should probably still get fixed server-side (the implicit flow path uses string concatenation instead of parse+re-serialise and doesn't have this issue), but the myapp://callback approach should unblock you right away.