feat(gotrue): introduce getClaims method to verify and extract JWT claims #1246
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
grdsdev
requested review from
Vinzent03 and
dshukertjr
and removed request for
Vinzent03
Pull Request Test Coverage Report for Build 18494104211Details
💛 - Coveralls |
Vinzent03
requested changes
Oct 10, 2025
Vinzent03
requested changes
Oct 13, 2025
|
Okay seems like pointycastle v4.0 needs Dart 3.4.0, but we only support Dart 3.3.0. Great... |
|
Yes @Vinzent03 I think we can use |
…aims This introduces a new `getClaims` method that supports verifying JWTs (both symmetric and asymmetric) and returns the entire set of claims in the JWT payload. Key changes: - Add `getClaims()` method to GoTrueClient for JWT verification and claims extraction - Implement base64url encoding/decoding utilities (RFC 4648) - Add JWT types: JwtHeader, JwtPayload, DecodedJwt, GetClaimsResponse - Add helper functions: decodeJwt() and validateExp() - Add AuthInvalidJwtException for JWT-related errors - Include comprehensive tests for getClaims, JWT helpers, and base64url utilities The method verifies JWTs by calling getUser() to validate against the server, supporting both HS256 (symmetric) and RS256/ES256 (asymmetric) algorithms. Note: This is an experimental API and may change in future versions. Ported from: supabase/auth-js#1030 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Following up on the initial getClaims implementation, this commit: - Removes experimental status from getClaims() method - Adds GetClaimsOptions class with allowExpired parameter - Updates getClaims() to accept optional options parameter - Improves documentation to better describe the method's behavior - Exports helper functions (decodeJwt, validateExp) for public use - Adds tests for allowExpired option The allowExpired option allows users to extract claims from expired JWTs without throwing an error during expiration validation. This is useful for scenarios where you need to access JWT data even after expiration. Ported from: supabase/auth-js#1078 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Updates getClaims() documentation and comments to clarify that the method always uses server-side verification via getUser(). This approach gracefully handles edge cases such as: - Key rotation scenarios where JWKS cache might not have the new signing key - Symmetric JWTs (HS256) that require server-side verification - Revoked or invalidated tokens that are still unexpired This aligns the implementation intent with the auth-js behavior where getClaims() falls back to getUser() when the signing key is not found in JWKS or when client-side verification is not available. The Flutter implementation uses this server-side verification approach for all JWT types, providing robust and consistent validation regardless of the signing algorithm. Related: supabase/auth-js#1080 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Fixed the _base64ToBase64url method to preserve padding characters when pad=true is specified. Previously, padding was always stripped during conversion, causing encode(data, pad: true) to return unpadded output. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
# Conflicts: # packages/gotrue/pubspec.yaml
grdsdev
force-pushed
the
feat/gotrue-get-claims
branch
from
0f1a053 to
4875df0
Compare
Vinzent03
reviewed
Oct 14, 2025
| logging: ^1.2.0 | ||
| web: '>=0.5.0 <2.0.0' | ||
| web: ">=0.5.0 <2.0.0" | ||
| dart_jsonwebtoken: ^2.17.0 |
There was a problem hiding this comment.
Suggested change
| dart_jsonwebtoken: ^2.17.0 | |
| dart_jsonwebtoken: ">=2.17.0 <4.0.0" |
I know these versions conflicts are really tedious, be I think we should support if possible the latest version. This constraint should use 3.0.0 for people with at least Dart 3.4.0 and fallback to 2.17.0 for people below that.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR ports the
getClaimsmethod from supabase/auth-js#1030 to the Flutter client. The method supports verifying JWTs (both symmetric and asymmetric) and returns the entire set of claims in the JWT payload.Close #1117
Changes
getClaims()method inGoTrueClientfor JWT verification and claims extractionJwtHeader,JwtPayload,DecodedJwt,GetClaimsResponsedecodeJwt()andvalidateExp()AuthInvalidJwtExceptionfor JWT-related errorsImplementation Details
The method handles different JWT signature algorithms:
getUser()call - we cannot verify HMAC signatures client-side without the secret keyUsage Example
Related
🤖 Generated with Claude Code