Password Reset Flow #3360
-
Is the documentation out of date? It seems to be. I'm using Vue. Upon clicking the reset password link in the email, it redirects and I briefly see the # escaped fragment in the url, then it disappears. I have a function that allows user to update their password, it seems like supabase auth is automatically detecting the temporary access token cause I haven't done any parsing of it. Like everything works correctly, I'm just wondering if that's some new "magic" in the supabase library. Love what you guys are doing but you definitely need to get better with documentation, since your start it's been a weak point of the project.
|
Beta Was this translation helpful? Give feedback.
Replies: 28 comments 91 replies
-
The documentation is being worked on constantly, thanks for your feedback on this. The reset password flow should however still be the same. I'm going to test it out and get back to you soon. |
Beta Was this translation helpful? Give feedback.
-
Hello, about password reset flow, the documentation says:
Does supabase provide a way to detect the |
Beta Was this translation helpful? Give feedback.
-
IS there any update to this issue? When I click the reset link in the email, I get redirected to my site url with a # on hte end, but no access token or type parameter or anything. Is the new expected way to listen for the recovery event? |
Beta Was this translation helpful? Give feedback.
-
Hi, I can confirm what @ulisses-cruz is seeing here. It is impossible for a user to reset their password because supabase.auth.onAuthStateChange() is called with SIGNED_IN as the event, causing the URL to be wiped before it can be used. Also can confirm that SIGNED_IN is being called before PASSWORD_RECOVERY. I think the SIGNED_IN event should be removed when a user clicks the password recovery link. I'm guessing it sees the recovery link as a "magic link" as well. This should be changed. |
Beta Was this translation helpful? Give feedback.
-
What I did was
|
Beta Was this translation helpful? Give feedback.
-
Was setting up password recovery for user. And problem is that clicking on recovery link it opens my page in new tab. In new tab auth events are SIGNED_IN and then PASSWORD_RECOVERY. But in original tab from which i was requesting for password recovery i'm signed in and there i'm even not getting password_recovery event. Why would user keep reseting password if he's already loged in in tab he requested for password recovery? |
Beta Was this translation helpful? Give feedback.
-
Hi all, Not sure if anyone else has had a similar problem, but I'm getting the following response from the supabase reset email link: My app is hosted on a subdomain ie: app.project.com -- however the redirect url does not include the subdomain. The url includes the subdomain on the supabase admin, as well in the redirect option as follows: |
Beta Was this translation helpful? Give feedback.
-
This works for me as expected according to the documentation at https://supabase.com/docs/reference/javascript/auth-api-resetpasswordforemail, but only for my dev app hitting a local Supabase. In that case, the email sent through Inbucket has the URL for localhost with the fragment containing the |
Beta Was this translation helpful? Give feedback.
-
Update: I see that the link for the local Supabase also is to the API URL, not the Site URL, and the expected flow is to then redirect the browser to an allowed URL with the fragment. I don't know why it works as expected (or at least desired) in my dev env but not in production. I thought I could add some logic in my app to prevent redirecting on detecting |
Beta Was this translation helpful? Give feedback.
-
Hello, Edit: since those 2 cookies have secure true, using supabse.auth.signout() later in the app doesnt not delete those cookies... I am using SSR and having those cookies means the user is authenticated, but has no active session, which breaks many pages in my case. However the redirect link doesnt have any token, nor type (what doc says) all I see is Another issue is that the cookies that gets written has completely another expiration date, relative to the session. Please excuse me for maybe some stupid things, but I have never done any BE / Auth work, so its all new and mostly following the docs. Edit: I have mostly tested on |
Beta Was this translation helpful? Give feedback.
-
What worked for me
This works
This doesn't work (from documentation)
|
Beta Was this translation helpful? Give feedback.
-
This really needs resolved in the documentation, it's been 9 months since this discussion was created and the docs still aren't clear on this. Maybe this should probably be created in an issue instead of discussion? I'm new to Supabase and we have prod apps in Firebase and we're evaluating Supabase because switching to postgres without the infrastructure headache is super appealing. Everything has been great except how to handle auth flow for things like password resets. |
Beta Was this translation helpful? Give feedback.
-
So my setup for password reset is a forgot password page where the user enters their email and submits a form which calls That works great and the email is sent however I decided to add a
This, in local development, automatically redirects the user to that page without needing to listen for the
This all works perfectly, and is pretty clean, on local development but when I deploy it to my test server it just decides not to work at all. The issue occurs when the link that is sent in the email is created. For some reason it doesn't append the token to the end of the redirect url using my Supabase Cloud DB but does when I use Supabase Local Development DB. I will add that the error I get on my deployed test server when submitting a new password is that the user has to be reauthenticated to update the password. I agree with @jacob-buscher, this should not be as much of an issue as it is. Documentation really is sparse and this took more time than I had to put towards it and still doesn't work. |
Beta Was this translation helpful? Give feedback.
-
I would add that it's very hard to implement password recovery when app is using hash router. |
Beta Was this translation helpful? Give feedback.
-
Another problem with the hash: Nextjs isn't able to read hashes on the server/edge. I'd like to handle the redirect at the edge, but I'm not able to because of the hash. I'd love to see a solution where we can specify our own url for the reset link, rather than just index. |
Beta Was this translation helpful? Give feedback.
-
I'm working with supabase-rc@2.0.0-rc.10, and I'm still running into the problem that when listening to onAuthStateChange, only a SIGNED_IN event is registered and no PASSWORD_RECOVERY events. I'm working with next.js. The access token and type=recovery are both present in the path for a short period of time, but is reset because of the signed in event. |
Beta Was this translation helpful? Give feedback.
-
+1 Any update on this It seems to be a simple use case. I don't know why it is not solved yet. |
Beta Was this translation helpful? Give feedback.
-
Hi everyone, just to clarify a couple of misconceptions I'm seeing from this discussion regarding the password reset flow: On the high level, the password reset flow consists of 2 broad steps: (i) Allowing the user to login via the password reset link and (ii) Updating the user's password. This is what the password reset flow should look like in detail:
Note: If you are using supabase-js, the client library will parse the url fragments for you. A Other important points to note:
|
Beta Was this translation helpful? Give feedback.
-
@kangmingtay Thanks for the extensive walk through. I have one question though, the React example indicates that I need supabase in the browser. Isn't that a no no? That means I have to store the anonkey and the supabaseurl in the browser? doesn't seem safe?.. |
Beta Was this translation helpful? Give feedback.
-
I have a problem with supabase resetemail
}` |
Beta Was this translation helpful? Give feedback.
-
Following the react example I don't get a "password recovery" event, only the "signed in" event. I can see the that url has type="recovery" in it though. Anyone else getting the same? |
Beta Was this translation helpful? Give feedback.
-
Is there a way to send users an OTP they then could use in the app to reset their password? Docs suggest we set OTP could be anything that is short an easy to copy from email to app. |
Beta Was this translation helpful? Give feedback.
-
Any idea why my reset password email link is properly directing to a url that looks like the one below: ...but then immediately redirecting to: https://www.website.com/reset-password# FWIW, I'm using SvelteKit v1.0.1 and supabase-js v2.2.2. The redirect occurs so quickly that my onMount function doesn't even have time to capture the original url. I had this functionality working properly with Supabase v1, but am struggling to get it working in Supabase v2--an updated SvelteKit example would be oh so greatly appreciated! :) |
Beta Was this translation helpful? Give feedback.
-
Hm, for me
(The I also have this on my forgot password page to handle form submission:
I successfully get sent the email contain a link like this:
When I click the link it redirects to http://localhost:3000 after some other link that starts with http://localhost:3000 and has some other stuff after it but is too quick for me to see. Anyway, I never see the Update: I noticed that |
Beta Was this translation helpful? Give feedback.
-
I've also been struggling with the password reset flow with NextJS. At first I wasn't receiving the neither the SIGN_IN nor the PASSWORD_RECOVERY events on the onAuthStateChange callback. After disabling React strict mode and adding the supabase client as a dependency on the useEffect that created the callback, I began to receive the SIGN_IN event, but not the PASSWORD_RECOVERY. |
Beta Was this translation helpful? Give feedback.
-
Hi everyone I'm gonna put here the code that I used to recover the password in my app when the user forgot the password before log in. export class AppComponent implements OnInit { //button to send the confirmation code
} async isLoggedIn() { async logOut() { ngOnInit() { constructor() { |
Beta Was this translation helpful? Give feedback.
-
Looks like PASSWORD_RECOVERY event is never sent.
And in your app start reset password flow when you detect this parameter. |
Beta Was this translation helpful? Give feedback.
-
I finally combined several answers given here and this worked quite well for me, only to return true or false if the current password matches and a couple of error handling (It is worth mentioning that I use supabase locally with its Docker). CREATE OR REPLACE FUNCTION new_verify_user_password(password text)
RETURNS BOOLEAN SECURITY DEFINER AS
$$
DECLARE
user_id uuid;
BEGIN
IF (password = '') IS NOT FALSE THEN
RAISE EXCEPTION 'La contraseña actual esta vacia';
END IF;
user_id := auth.uid();
IF NOT EXISTS (
SELECT id
FROM auth.users
WHERE id = user_id
AND encrypted_password = crypt(password::text, auth.users.encrypted_password)
) THEN
RAISE EXCEPTION 'Contraseña incorrecta, vuelva a intentarlo';
END IF;
RETURN true;
END; sorry for my bad English 😅 |
Beta Was this translation helpful? Give feedback.
Hi everyone, just to clarify a couple of misconceptions I'm seeing from this discussion regarding the password reset flow:
On the high level, the password reset flow consists of 2 broad steps: (i) Allowing the user to login via the password reset link and (ii) Updating the user's password. This is what the password reset flow should look like in detail:
options.redirectTo
param inresetPasswordForEmail
to point to your password reset form