fix: return email_address_not_provided for external provider with no email

PierreVieira · claude · PierreVieira · commit 7e7ec9eb8e7a · 2026-06-17T22:14:27.000-03:00
The OAuth callback rejected a missing provider email with a generic
NewInternalServerError, surfacing as HTTP 500 / unexpected_failure. That
masks a non-server fault and leaves clients without a stable way to detect
the case (only the human-readable message). Use the already-defined but
unused ErrorCodeEmailAddressNotProvided via NewUnprocessableEntityError
(422) so clients can handle it explicitly.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
diff --git a/internal/api/external.go b/internal/api/external.go
@@ -173,7 +173,7 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 	userData := data.userData
 
 	if len(userData.Emails) == 0 && !emailOptional {
-		return apierrors.NewInternalServerError("Error getting user email from external provider")
+		return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailAddressNotProvided, "Error getting user email from external provider")
 	}
 
 	userData.Metadata.EmailVerified = false
diff --git a/internal/api/external_google_test.go b/internal/api/external_google_test.go
@@ -8,6 +8,7 @@ import (
 	"net/url"
 
 	"github.com/stretchr/testify/require"
+	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/api/provider"
 )
 
@@ -105,6 +106,10 @@ func (ts *ExternalTestSuite) TestSignupExternalGoogleDisableSignupErrorWhenEmpty
 	u := performAuthorization(ts, "google", code, "")
 
 	assertAuthorizationFailure(ts, u, "Error getting user email from external provider", "server_error", "google@example.com")
+
+	q, err := url.ParseQuery(u.RawQuery)
+	ts.Require().NoError(err)
+	ts.Require().Equal(apierrors.ErrorCodeEmailAddressNotProvided, q.Get("error_code"))
 }
 
 func (ts *ExternalTestSuite) TestSignupExternalGoogleDisableSignupSuccessWithPrimaryEmail() {

Original file line number	Diff line number	Diff line change
`@@ -173,7 +173,7 @@ func (a API) internalExternalProviderCallback(w http.ResponseWriter, r http.Re`
`173`	`173`	`userData := data.userData`
`174`	`174`
`175`	`175`	`if len(userData.Emails) == 0 && !emailOptional {`
`176`		`- return apierrors.NewInternalServerError("Error getting user email from external provider")`
	`176`	`+ return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailAddressNotProvided, "Error getting user email from external provider")`
`177`	`177`	`}`
`178`	`178`
`179`	`179`	`userData.Metadata.EmailVerified = false`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"net/url"`
`9`	`9`
`10`	`10`	`"github.com/stretchr/testify/require"`
	`11`	`+ "github.com/supabase/auth/internal/api/apierrors"`
`11`	`12`	`"github.com/supabase/auth/internal/api/provider"`
`12`	`13`	`)`
`13`	`14`
`@@ -105,6 +106,10 @@ func (ts *ExternalTestSuite) TestSignupExternalGoogleDisableSignupErrorWhenEmpty`
`105`	`106`	`u := performAuthorization(ts, "google", code, "")`
`106`	`107`
`107`	`108`	`assertAuthorizationFailure(ts, u, "Error getting user email from external provider", "server_error", "google@example.com")`
	`109`	`+`
	`110`	`+ q, err := url.ParseQuery(u.RawQuery)`
	`111`	`+ ts.Require().NoError(err)`
	`112`	`+ ts.Require().Equal(apierrors.ErrorCodeEmailAddressNotProvided, q.Get("error_code"))`
`108`	`113`	`}`
`109`	`114`
`110`	`115`	`func (ts *ExternalTestSuite) TestSignupExternalGoogleDisableSignupSuccessWithPrimaryEmail() {`