Magic link doesn't support PKCE + opens up PKCE bypass for OTP

[lauri865]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Only OTP supports PKCE, but not magic link, opening us up to a host of vulnerabilities: phishing, account takeovers via emails, etc.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

Just read this line:

auth/internal/api/verify.go

Lines 135 to 138 in cda62a9

	flowType := models.ImplicitFlow
	var authenticationMethod models.AuthenticationMethod
	if strings.HasPrefix(params.Token, PKCEPrefix) {
	flowType = models.PKCEFlow

PKCE flow is triggered only for the token param, and not token_hash.

Expected behavior

PKCE enabled for magic link flows.

Docs imply that PKCE is enabled for magic link emails, but that's not the case:

Also here: https://supabase.com/features/passwordless-login-via-magicklink

[lauri865]

Another huge red flag in all of this is that PKCE is enabled client-side.

Someone can easily create a replica of our site, with PKCE disabled. Send 6-digit code to email through there, and have it entered on the replica website and steal a session + refresh token.

[lauri865]

Successfully bypassed PKCE flow for OTP as well (whereby flow was started with PKCE enabled). Sent POC to security@supabase.io

[lauri865]

It's even worse. PKCE doesn't work for OTP flow either.

params.Token (the OTP, e.g. 123456) would never have a PKCE prefix, so it's always stuck in implicit flow:
if strings.HasPrefix(params.Token, PKCEPrefix) {