Missing PKCE is success in email verification flow

Since end users might verify their email on a different device than
the user agent they initiated the sign up (or sign in) flow with, treat
this as a success condition. The application will need to detect this
case and show a message that confirms that the email is verified, but
that the user will need to sign in to complete.

Author: scotttrinh

packages/auth-express/src/index.ts

@@ -498,8 +498,13 @@ export class ExpressAuth {
           throw new PKCEError("no verification_token in response");
         }
         if (!verifier) {
-          throw new PKCEError("no pkce verifier cookie found");
+          // End user verified email from a different user agent than sign-up.
+          // This is fine, but the application will need to detect this and
+          // inform the end user that they will need to initiate a new sign up
+          // attempt to complete the flow.
+          return next();
         }
+
         const tokenData = await (
           await this.core
         ).verifyEmailPasswordSignup(verificationToken, verifier);

packages/auth-nextjs/src/shared.ts

@@ -53,7 +53,7 @@ export interface CreateAuthRouteHandlers {
   ): Promise<Response>;
   onEmailVerify(
     params: ParamsOrError<
-      { tokenData: TokenData },
+      { tokenData: TokenData | null },
       { verificationToken?: string }
     >,
     req: NextRequest,
@@ -357,10 +357,14 @@ export abstract class NextAuth extends NextAuthHelpers {
               );
             }
             if (!verifier) {
+              // End user verified email from a different user agent than
+              // sign-up. This is fine, but the application will need to detect
+              // this and inform the end user that they will need to initiate a
+              // new sign up attempt to complete the flow.
               return onEmailVerify(
                 {
-                  error: new PKCEError("no pkce verifier cookie found"),
-                  verificationToken,
+                  error: null,
+                  tokenData: null,
                 },
                 req,
               );

packages/auth-remix/src/server.ts

@@ -86,7 +86,7 @@ export interface CreateAuthRouteHandlers {
   ): Promise<Response>;
   onEmailVerify(
     params: ParamsOrError<
-      { tokenData: TokenData },
+      { tokenData: TokenData | null },
       { verificationToken?: string }
     >,
   ): Promise<Response>;
@@ -422,9 +422,13 @@ export class RemixServerAuth extends RemixClientAuth {
               });
             }
             if (!verifier) {
+              // End user verified email from a different user agent than
+              // sign-up. This is fine, but the application will need to detect
+              // this and inform the end user that they will need to initiate a
+              // new sign up attempt to complete the flow.
               return cbCall(onEmailVerify, {
-                error: new PKCEError("no pkce verifier cookie found"),
-                verificationToken,
+                error: null,
+                tokenData: null,
               });
             }
             let tokenData: TokenData;

packages/auth-sveltekit/src/server.ts

@@ -63,7 +63,7 @@ export interface AuthRouteHandlers {
   ) => Promise<never>;
   onEmailVerify?: (
     params: ParamsOrError<
-      { tokenData: TokenData },
+      { tokenData: TokenData | null },
       { verificationToken?: string }
     >,
   ) => Promise<never>;
@@ -653,9 +653,13 @@ async function handleAuthRoutes(
         });
       }
       if (!verifier) {
+        // End user verified email from a different user agent than sign-up.
+        // This is fine, but the application will need to detect this and inform
+        // the end user that they will need to initiate a new sign up attempt to
+        // complete the flow.
         return onEmailVerify({
-          error: new PKCEError("no pkce verifier cookie found"),
-          verificationToken,
+          error: null,
+          tokenData: null,
         });
       }
       let tokenData: TokenData;