From 7e7ec9eb8e7abab1bf8068f71230eced4984c802 Mon Sep 17 00:00:00 2001
From: PierreVieira <pierrevieiraggg@gmail.com>
Date: Wed, 17 Jun 2026 22:14:27 -0300
Subject: [PATCH] fix: return email_address_not_provided for external provider
 with no email

The OAuth callback rejected a missing provider email with a generic
NewInternalServerError, surfacing as HTTP 500 / unexpected_failure. That
masks a non-server fault and leaves clients without a stable way to detect
the case (only the human-readable message). Use the already-defined but
unused ErrorCodeEmailAddressNotProvided via NewUnprocessableEntityError
(422) so clients can handle it explicitly.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 internal/api/external.go             | 2 +-
 internal/api/external_google_test.go | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/internal/api/external.go b/internal/api/external.go
index 75bad9bc58..b29dc8c2f9 100644
--- a/internal/api/external.go
+++ b/internal/api/external.go
@@ -173,7 +173,7 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 	userData := data.userData
 
 	if len(userData.Emails) == 0 && !emailOptional {
-		return apierrors.NewInternalServerError("Error getting user email from external provider")
+		return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailAddressNotProvided, "Error getting user email from external provider")
 	}
 
 	userData.Metadata.EmailVerified = false
diff --git a/internal/api/external_google_test.go b/internal/api/external_google_test.go
index 2ed5cb1975..9a7d66fa15 100644
--- a/internal/api/external_google_test.go
+++ b/internal/api/external_google_test.go
@@ -8,6 +8,7 @@ import (
 	"net/url"
 
 	"github.com/stretchr/testify/require"
+	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/api/provider"
 )
 
@@ -105,6 +106,10 @@ func (ts *ExternalTestSuite) TestSignupExternalGoogleDisableSignupErrorWhenEmpty
 	u := performAuthorization(ts, "google", code, "")
 
 	assertAuthorizationFailure(ts, u, "Error getting user email from external provider", "server_error", "google@example.com")
+
+	q, err := url.ParseQuery(u.RawQuery)
+	ts.Require().NoError(err)
+	ts.Require().Equal(apierrors.ErrorCodeEmailAddressNotProvided, q.Get("error_code"))
 }
 
 func (ts *ExternalTestSuite) TestSignupExternalGoogleDisableSignupSuccessWithPrimaryEmail() {