Fix missing verifier from password reset flow

packages/auth-core/src/core.ts

@@ -1,9 +1,9 @@
 import jwtDecode from "jwt-decode";
 import * as edgedb from "edgedb";
 import { ResolvedConnectConfig } from "edgedb/dist/conUtils";
 
 import * as pkce from "./pkce";
 import { BuiltinOAuthProviderNames, emailPasswordProviderName } from "./consts";
 
 export interface TokenData {
   auth_token: string;
@@ -25,7 +25,7 @@
 
   static async create(client: edgedb.Client) {
     const connectConfig: ResolvedConnectConfig = (
       await (client as any).pool._getNormalizedConnectConfig()
     ).connectionParams;
 
     const [host, port] = connectConfig.address;
@@ -37,7 +37,7 @@
   }
 
   /** @internal */
   public async _get<T extends any = unknown>(path: string): Promise<T> {
     const res = await fetch(new URL(path, this.baseUrl), {
       method: "get",
     });
@@ -47,13 +47,13 @@
     if (res.headers.get("content-type")?.startsWith("application/json")) {
       return res.json();
     }
     return null as any;
   }
 
   /** @internal */
   public async _post<T extends any = unknown>(
     path: string,
     body?: any
   ): Promise<T> {
     const res = await fetch(new URL(path, this.baseUrl), {
       method: "post",
@@ -70,7 +70,7 @@
     if (res.headers.get("content-type")?.startsWith("application/json")) {
       return res.json();
     }
     return null as any;
   }
 
   createPKCESession() {
@@ -141,11 +141,16 @@
   }
 
   async sendPasswordResetEmail(email: string, resetUrl: string) {
-    return this._post<{ email_sent: string }>("send-reset-email", {
-      provider: emailPasswordProviderName,
-      email,
-      reset_url: resetUrl,
-    });
+    const { challenge, verifier } = pkce.createVerifierChallengePair();
+    return {
+      verifier,
+      ...(await this._post<{ email_sent: string }>("send-reset-email", {
+        provider: emailPasswordProviderName,
+        challenge,
+        email,
+        reset_url: resetUrl,
+      })),
+    };
   }
 
   static checkPasswordResetTokenValid(resetToken: string) {
@@ -165,19 +170,24 @@
     }
   }
 
-  async resetPasswordWithResetToken(resetToken: string, password: string) {
-    return this._post<TokenData>("reset-password", {
+  async resetPasswordWithResetToken(
+    resetToken: string,
+    verifier: string,
+    password: string
+  ) {
+    const { code } = await this._post<{ code: string }>("reset-password", {
       provider: emailPasswordProviderName,
       reset_token: resetToken,
       password,
     });
+    return this.getToken(code, verifier);
   }
 
   async getProvidersInfo() {
     // TODO: cache this data when we have a way to invalidate on config update
     try {
       return await this.client.queryRequiredSingle<{
-        oauth: { name: string; display_name: string }[];
+        oauth: { name: BuiltinOAuthProviderNames; display_name: string }[];
         emailPassword: boolean;
       }>(`
       with

packages/auth-nextjs/src/app/index.ts

@@ -354,10 +354,15 @@ export class NextAppAuth extends NextAuth {
               ["email"],
               "email missing from request body"
             );
-            (await this.core).sendPasswordResetEmail(
-              email,
-              this.options.passwordResetUrl
-            );
+            const { verifier } = await (
+              await this.core
+            ).sendPasswordResetEmail(email, this.options.passwordResetUrl);
+            cookies().set({
+              name: this.options.pkceVerifierCookieName,
+              value: verifier,
+              httpOnly: true,
+              sameSite: "strict",
+            });
             return new Response(null, { status: 204 });
           }
           case "emailpassword/reset-password": {
@@ -368,6 +373,14 @@ export class NextAppAuth extends NextAuth {
             }
             let tokenData: TokenData;
             try {
+              const verifier = req.cookies.get(
+                this.options.pkceVerifierCookieName
+              )?.value;
+              if (!verifier) {
+                return onEmailPasswordReset({
+                  error: new Error("no pkce verifier cookie found"),
+                });
+              }
               const [resetToken, password] = _extractParams(
                 await _getReqBody(req),
                 ["reset_token", "password"],
@@ -376,7 +389,7 @@ export class NextAppAuth extends NextAuth {
 
               tokenData = await (
                 await this.core
-              ).resetPasswordWithResetToken(resetToken, password);
+              ).resetPasswordWithResetToken(resetToken, verifier, password);
             } catch (err) {
               return onEmailPasswordReset({
                 error: err instanceof Error ? err : new Error(String(err)),
@@ -388,6 +401,7 @@ export class NextAppAuth extends NextAuth {
               httpOnly: true,
               sameSite: "strict",
             });
+            cookies().delete(this.options.pkceVerifierCookieName);
             return onEmailPasswordReset({ error: null, tokenData });
           }
           case "emailpassword/resend-verification-email": {
@@ -472,30 +486,43 @@ export class NextAppAuth extends NextAuth {
           throw new Error(`'passwordResetUrl' option not configured`);
         }
         const [email] = _extractParams(data, ["email"], "email missing");
-        await (
+        const { verifier } = await (
           await this.core
         ).sendPasswordResetEmail(
           email,
           `${this.options.baseUrl}/${this.options.passwordResetUrl}`
         );
+        cookies().set({
+          name: this.options.pkceVerifierCookieName,
+          value: verifier,
+          httpOnly: true,
+          sameSite: "strict",
+        });
       },
       emailPasswordResetPassword: async (
         data: FormData | { resetToken: string; password: string }
       ) => {
+        const verifier = cookies().get(
+          this.options.pkceVerifierCookieName
+        )?.value;
+        if (!verifier) {
+          throw new Error("no pkce verifier cookie found");
+        }
         const [resetToken, password] = _extractParams(
           data,
           ["reset_token", "password"],
           "reset_token or password missing"
         );
         const tokenData = await (
           await this.core
-        ).resetPasswordWithResetToken(resetToken, password);
+        ).resetPasswordWithResetToken(resetToken, verifier, password);
         cookies().set({
           name: this.options.authCookieName,
           value: tokenData.auth_token,
           httpOnly: true,
           sameSite: "strict",
         });
+        cookies().delete(this.options.pkceVerifierCookieName);
         return tokenData;
       },
       emailPasswordResendVerificationEmail: async (