auth.resend() consistent confirmation flow

[weilirs]

What kind of change does this PR introduce?

Bug fix

What is the current behavior?

The /resend endpoint hardcodes models.ImplicitFlow for both signup and email_change verification types (#42527). This means resent confirmation emails always use the implicit flow — redirecting with tokens in the URL hash fragment (#access_token=...) — even when the original signUp() used PKCE.

This creates an inconsistency where:

• Initial signup email: https://example.com/auth/confirm?code=xxx (PKCE, works with server routes)
• Resent email: https://example.com/auth/confirm#access_token=xxx (implicit, requires client-side handling)

Server-side route handlers (e.g., Next.js route.ts) cannot read hash fragments, forcing developers to implement workarounds with client components and dual flow handling.

Closes #42527

What is the new behavior?

The /resend endpoint now accepts optional code_challenge and code_challenge_method parameters for signup and email_change types. When provided, the endpoint:

1. Determines the flow type from code_challenge (PKCE if present, implicit if absent)
2. Creates a FlowState record for PKCE flows (needed by /verify to issue an auth code)
3. Passes the correct flow type to sendConfirmation / sendEmailChange

This produces confirmation emails with ?code=... query params instead of #access_token=... hash fragments, consistent with the initial signup flow.

When code_challenge is not provided, behavior is unchanged — implicit flow is used, maintaining full backward compatibility.

Changes:

• internal/api/resend.go: Added CodeChallenge and CodeChallengeMethod fields to ResendConfirmationParams. Added PKCE param validation for email-based types. Replaced hardcoded ImplicitFlow with flow-aware logic for signup and email_change cases.
• internal/api/resend_test.go: Added TestResendPKCEValidation (invalid PKCE params return 400) and TestResendPKCESuccess (signup and email change tokens get pkce_ prefix when PKCE params are provided).

Additional context

This is the server-side half of the fix. The JS SDK (auth-js) needs a corresponding update to send code_challenge / code_challenge_method in resend() calls when flowType === 'pkce', following the same pattern already used by signUp() and signInWithOtp(). See this PR

The implementation mirrors the existing PKCE pattern used across the codebase (signup.go, user.go, recover.go, magic_link.go): getFlowFromChallenge → conditional generateFlowState → pass flowType to the email sender.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

Disabled knowledge base sources:

• Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ab7c9f9 and 284a68a.

📒 Files selected for processing (2)

• internal/api/resend.go
• internal/api/resend_test.go

---

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• New Features

  • Added PKCE (Proof Key for Code Exchange) support to resend confirmation flows for enhanced security in signup and email change operations.
  • System now generates PKCE-specific confirmation tokens when PKCE parameters are provided.

• Bug Fixes

  • Implemented validation to enforce required PKCE parameters, preventing incomplete security configurations.

Walkthrough

The changes add PKCE (Proof Key for Code Exchange) support to the resend confirmation API. The ResendConfirmationParams struct is extended with two new fields: CodeChallenge and CodeChallengeMethod. Validation logic now enforces the presence of PKCE parameters for signup and email_change flow types. The resend flow determines the flow type from the provided CodeChallenge and conditionally generates flow state for PKCE-enabled requests. Test coverage is expanded with validation and success test cases for PKCE scenarios.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ResendHandler as Resend Handler
    participant Validator as PKCE Validator
    participant FlowState as Flow State Generator
    participant MailService as Mail Service

    Client->>ResendHandler: POST /resend<br/>(with code_challenge, code_challenge_method)
    ResendHandler->>Validator: validatePKCEParams(method, challenge)
    
    alt PKCE params invalid
        Validator-->>ResendHandler: Error
        ResendHandler-->>Client: HTTP 400
    else PKCE params valid
        Validator-->>ResendHandler: Valid
        ResendHandler->>ResendHandler: Determine flowType from CodeChallenge
        alt PKCE flow detected
            ResendHandler->>FlowState: Generate flow state
            FlowState-->>ResendHandler: Flow state data
        end
        ResendHandler->>MailService: sendConfirmation/sendEmailChange(flowType)
        MailService->>MailService: Create PKCE-prefixed token
        MailService-->>Client: Confirmation sent
    end

Loading

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[depthfirst-app]

🟠 Severity: HIGH

The /resend endpoint allows unauthenticated users to create a new PKCE FlowState for any user. Since verification retrieves the latest FlowState by user_id, an attacker can overwrite a victim's flow. By providing a controlled redirect_to URL, the attacker can intercept the auth_code and hijack the session.
Helpful? Add 👍 / 👎

💡 Fix Suggestion

Suggestion: The /resend endpoint should not allow unauthenticated users to create or modify FlowState records with PKCE parameters for arbitrary users. The most secure fix is to reject PKCE parameters entirely on the /resend endpoint for signup and email_change verification types. Remove the PKCE flow handling code (lines 130-135 for signup and lines 147-152 for email_change) that calls generateFlowState(). The /resend endpoint is meant for retrying delivery of verification emails, not for initiating new PKCE authentication flows. Since this endpoint is unauthenticated and allows lookups by email, allowing PKCE flow creation creates an inherent authorization vulnerability where attackers can overwrite legitimate users' FlowState records with attacker-controlled code_challenge values.

[cemalkilic]

Hi @weilirs , this looks good! Can you rebase the master?

[weilirs]

Hi @weilirs , this looks good! Can you rebase the master?

@cemalkilic sorry for the late reply, I've rebased the master.

[Copilot]

Pull request overview

Updates the /resend endpoint to support PKCE-based confirmation for signup and email_change, so resent emails can follow the same code-based confirmation flow as the original signup/email-change request (instead of always using implicit/hash tokens).

Changes:

• Add optional code_challenge / code_challenge_method to resend request params for email-based resend types.
• Determine flow type from code_challenge, create a PKCE flow_state when needed, and pass the computed flow type into the mail senders.
• Add tests covering PKCE param validation and successful PKCE resend behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
internal/api/resend.go	Adds PKCE request fields + validation and makes resend flow-type aware for signup/email_change (including flow_state creation).
internal/api/resend_test.go	Adds PKCE-specific validation and success tests for resend behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

validatePKCEParams only checks that both PKCE params are present and that code_challenge is well-formed; it does not validate that code_challenge_method is one of the supported values. With the current flow, an unsupported method (e.g. "sha512") will pass validation but later fail in models.NewFlowState and be returned as an unhandled error, resulting in a 500. Consider validating/parsing CodeChallengeMethod when CodeChallenge is set and returning a 400 (validation failed) on unsupported methods.

[Copilot]

For signup resends, generateFlowState is being created with ProviderType set to models.EmailSignup.String() ("email/signup"). In the initial signup flow, the flow state is created with ProviderType set to the provider ("email"). This means PKCE token exchange after a resend will report a different provider_type to audit logging/metering than the original signup. Consider using the same provider type as signup.go ("email") for consistency.

Suggested change

	if _, terr := generateFlowState(tx, models.EmailSignup.String(), models.EmailSignup, params.CodeChallengeMethod, params.CodeChallenge, &user.ID); terr != nil {
	if _, terr := generateFlowState(tx, "email", models.EmailSignup, params.CodeChallengeMethod, params.CodeChallenge, &user.ID); terr != nil {

[Copilot]

The PKCE validation tests cover missing/partial parameters, but there is no case for an unsupported code_challenge_method. Given the current implementation, an unsupported method would currently bubble up as an unhandled error (500). Adding a test for an invalid method (and asserting a 400) will help lock in the desired behavior once method validation is added.

Suggested change

	},
	},
	{
	desc: "Signup with unsupported code_challenge_method",
	params: map[string]interface{}{
	"type": "signup",
	"email": "foo@example.com",
	"code_challenge": validChallenge,
	"code_challenge_method": "unsupported",
	},
	expected: map[string]interface{}{
	"code": http.StatusBadRequest,
	"message": InvalidPKCEParamsErrorMessage,
	},
	},