nextjs 13 / PKCE flow is not supported on signups with autoconfirm enabled #569
Comments
Locally, I just had to set Looks like PKCE is going to be the only flow they'll be supporting |
supabase/auth-helpers#562 (comment) PKCE is the only flow that'll be supported moving forward and that needs to have autoconfirm disabled. Closes this issue too when email-password signup is used locally supabase/auth-helpers#569
It works, thanks a lot |
For those who still want the user to sign in with a session without the user confirming their email, my temporary workaround was to manually set the

```ts
const { data } = await supabase.auth.signUp({ email, password });
const verificationTime = new Date().toISOString();
// Update the email_confirmed_at and confirmation_sent_at columns from the auth.users table.
await prisma.users.update({
  data: {
    email_confirmed_at: verificationTime,
    confirmation_sent_at: verificationTime
  },
  where: { id: data.user.id }
});
const { data: _data } = await supabase.auth.signInWithPassword({ email, password });
const session = _data.session;
```

@bmichotte has this already been fixed? PKCE flow is not supported on signups with autoconfirm enabled. I disabled Confirm email inside Auth Providers in Supabase because I don't want to see an email being sent automatically when the user creates an account. Just after disabling this feature in Supabase I am getting that error message from Supabase. Is there any solution for this issue from the Supabase team? I am using nextJS 13 and |
@byamasu-patrick As the error stated you can't use the |
PKCE flow with email confirmation though seems to be suffering another bug #587 |
You have to roll back to version 0.9.4 |
@jramiroz98 I will try your approach and see if it is going to work. Because my goal is to totally disable the default behavior: when someone creates an account, the default confirmation email should not be sent to the user. |
Another workaround:

```ts
// Create a "admin client"
import { createClient } from '@supabase/supabase-js';

export const SupabaseAdmin = (req?) => {
  return createClient<Database>(
    process.env.NEXT_PUBLIC_SUPABASE_URL,
    process.env.SUPABASE_SERVICE_ROLE,
  );
};

// then use it to create the new user
const {
  data: { user },
} = await SupabaseAdmin().auth.signUp({
  email: email,
  password,
});

// then log in using the serverside supabase normally
await supabase.auth.signInWithPassword({ email, password });
```

This is not a fix. Nor is using supabase admin client-side. This is a really frustrating update as it adds a lot of friction to new customer signups making them check their email. |
yes exactly. why is the default method the one with highest friction?? smh bruh |
for me doesn't work, in local environment created user by hand for now :/ |
I hope someone from the Supabase teams notices this, it is totally unacceptable, that in this day and age we should start requiring our users to confirm their emails like this was back in 2015. Customers want to log in with no friction, that's why there is magic link log in. I just upgraded to the PKCE flow, and now I realize that I will need to go back to using the old flow, because PKCE doesn't work if you want to manually send the login link email (because you want it to be branded)... |
Exactly. I'm sure we're going to lose sales forcing new customers to jump through hoops to create an account. One thought I had (haven't tried it yet) is to use NextJS server actions to use supabase admin to add the customer, but I don't know if this is feasible or secure, plus it's still an alpha feature. Might be the only way to do this if supabase don't correct the changes they've made. |
@thorwebdev @silentworks Sorry for the mention, but in this case it seems warranted, as the implications of this has a massive impact on Developer Experience. Following discussions in #562 it became apparent that Following discussions in #567 it becomes apparent that the migration to the I would like to hear a bit more about the future of Supabase as an auth provider... Is Supabase completely going to throw away magic links, and force users of their auth systems to have to confirm their emails going forward? I guess what I'm curious to understand is, why make all these changes that seem to have been released and pushed towards so hastily, without exploring the many repercussions of them, and with seemingly little care for the decrease in Developer Experience? Ps. I hope the answer isn't gonna be to "just use |
Hey @skoshx thanks for your detailed points here, I will try and explain what happened and what we are doing to rectify this. Firstly this isn't a marketing gimmick (i.e. your statement in a previous post Rectifying this isn't as straightforward as one might think it is as we have to make some changes internally to our systems, hence why my first recommendation is to revert to the previous version of the auth-helpers (no you won't be stuck on that version as we are working on fixing the current issue). We are currently working on a way to have both fully server-side auth along with autoconfirm working too. |
Hello @silentworks, and thanks for the thorough answer! I understand the push towards I'm glad to hear that this is something that you plan on fixing, and understand that possible changes to accommodate these fixes will take time, and I will be eagerly waiting for the fixes! :) |
Got the same problem with the SignUp and the PKCE flow not supported. Worked around that by :
If you don't have server actions enabled, I think you could create an API route that does the same. It seems to work pretty fine.

```ts
const { data } = await supbaseAdmin.auth.admin.createUser({
  email,
  password,
  user_metadata: { displayName } satisfies UserMetadata,
  email_confirm: true,
});
```

Great. I think an API route handler might be a better way, since server actions aren't production-ready yet. |
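The API-route approach from the two comments above, as an added example that is not code from this thread: the handler core takes an injected admin client, validates the request body, and forwards only whitelisted fields to `auth.admin.createUser`. The function names, the 8-character minimum and the response shape are assumptions; `adminClient` is assumed to be a supabase-js client created on the server with the service-role key read from a variable without the `NEXT_PUBLIC_` prefix.

```javascript
// Added example, not code from this thread. `adminClient` is assumed to be a
// supabase-js client built on the server with the service-role key; that key
// must come from a server-only env var (no NEXT_PUBLIC_ prefix).
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const MIN_PASSWORD_LENGTH = 8; // assumed policy, adjust to your own

// Reject anything the route should not forward to the admin API.
function validateSignupInput(body) {
  if (!body || typeof body !== 'object') return { ok: false, error: 'invalid body' };
  const { email, password } = body;
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    return { ok: false, error: 'invalid email' };
  }
  if (typeof password !== 'string' || password.length < MIN_PASSWORD_LENGTH) {
    return { ok: false, error: 'weak password' };
  }
  return { ok: true, email: email.toLowerCase(), password };
}

// Core of an API route handler: returns { status, body } for the framework to send.
async function signUpConfirmed(adminClient, body) {
  const input = validateSignupInput(body);
  if (!input.ok) return { status: 400, body: { error: input.error } };

  // Only whitelisted fields are forwarded, so a caller cannot smuggle
  // app_metadata or other admin-only attributes into createUser.
  const { data, error } = await adminClient.auth.admin.createUser({
    email: input.email,
    password: input.password,
    // Marks the address confirmed without proof of ownership, as in the
    // workaround above; anything gated on a verified email must account for that.
    email_confirm: true,
  });
  if (error) {
    // Return a fixed message rather than echoing the backend error text.
    return { status: 400, body: { error: 'signup failed' } };
  }
  return { status: 201, body: { userId: data.user.id } };
}
```

The route or server action wraps `signUpConfirmed`, sends the returned status and body, and then signs the user in with the regular server-side client.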
I can't signup user using works
don't works
and also setting |
I couldn't find that version in nextjs tho, anyone know? |
We will be reverting the |
PKCE should be supabase's default method as it's more secure than other auth strategies like oauth implicit flow (and not even Firebase has PKCE flow support). But I'm totally with you (and everyone in this discussion apparently) about the unnecessary PITA caused by further coupling the flow to email confirmation. |
Until the awesome people at supabase make a more legit fix for this, the way I currently traversed this was to roll back the @supabase/auth-helpers-nextjs version to 6.1.0. By doing this, you have to use the slightly older API. Here is what to replace (at least what I replaced in my use case):

```sh
yarn remove @supabase/auth-helpers-nextjs &&
yarn add @supabase/auth-helpers-nextjs@6.1.0
```

server component client

```ts
import { createServerComponentClient } from "@supabase/auth-helpers-nextjs";
import { cookies } from "next/dist/client/components/headers";
const supabase = createServerComponentClient({ cookies });
```

the above was replaced with the code below to work with version 6.1.0

```ts
import { createServerComponentSupabaseClient } from "@supabase/auth-helpers-nextjs";
import { cookies, headers } from "next/dist/client/components/headers";
const supabase = createServerComponentSupabaseClient({ headers, cookies });
```

client/browser component client

```ts
import { createClientComponentClient } from "@supabase/auth-helpers-nextjs";
const supabase = createClientComponentClient();
```

the above was replaced with the code below to work with version 6.1.0

```ts
import { createBrowserSupabaseClient } from "@supabase/auth-helpers-nextjs";
const supabase = createBrowserSupabaseClient();
```

Of course, this worked in my app and might not work in yours. Hoping they issue a real fix soon! |
@omonk Glad it worked for you! @silentworks I just checked my Docker images, and it looks like the gotrue image is at v2.82.4, which would explain the issue for me. So with that
Update

So I think I found the root cause of the issue. In my lockfile (
But the latest version of supabase/gotrue-js (per https://github.com/supabase/gotrue-js/releases) is v2.48.1. And because I typically use I think https://github.com/supabase/supabase-js/blob/master/package.json needs to be updated to have the minimum semantic versions of all supabase/supabase-js dependencies to be the latest versions of those dependencies. Right now, it shows some older versions:

```json
"dependencies": {
  "@supabase/functions-js": "^2.1.0",
  "@supabase/gotrue-js": "^2.46.1",
  "@supabase/postgrest-js": "^1.8.0",
  "@supabase/realtime-js": "^2.7.4",
  "@supabase/storage-js": "^2.5.1",
  "cross-fetch": "^3.1.5"
},
```

Granted, even after I explicitly run |
@silentworks - When does this get rolled out locally for testing? J |
@silentworks I think I found why Supabase CLI keeps downloading the supabase/gotrue:v2.82.4 image, even after clearing pnpm store, reinstalling node modules, etc. It's because supabase/supabase (master) is still pointing to the 2.82.4 image in docker-compose.yml:

```yaml
auth:
  container_name: supabase-auth
  image: supabase/gotrue:v2.82.4
```

Source: Line 89 of the docker-compose.yml file. I also found another reference to v2.82.4 in supabase-cli: Can someone please update these places to use the latest supabase/gotrue image? Or is there a way I can manually update the image versions myself? |
@caleb531 the |
I stated how to get the latest using the steps above. When will this be officially set in the CLI, I'm not sure as we do take a bit longer to add stuff to the CLI than we do to the hosted platform. |
@caleb531 to update it yourself would be the steps I provided you with earlier. |
After downloading new images, signup worked. Thanks! |
@silentworks - I think you should move this up the ladder as a problem (the fact that it takes longer to add stuff to CLI). People develop before they update their production versions, if anything this is backwards. I keep reading everywhere that Supabase tries to have the local version match the hosted platform, yet huge issues like this continue to create problems for people. Hence, why we see many complaints about developing on local. That being said, I appreciate you and the work around. J |
@jdgamble555 we started as a hosted first solution, there was no CLI until like around a year ago. Most of our users use the hosted first approach too but this is something we have started putting effort into fixing (we still have users whose machines cannot handle Docker as it's resource heavy). From the outside everything might look like a quick and easy PR but that's not how all the moving parts of Supabase work. I come from a background of local development first approach as this is how it was with PHP, but you need to remember that Supabase isn't a language or a framework, it's an amalgamation of different open source technologies being provided to a user, this is something that's not easy to deliver for local development. |
Just found this! Works! Yeah, if it didn't pull images, just a docker issue. Similar to when using Thanks for your time @silentworks ! |
I'm closing this out as it has been resolved on hosted Supabase and can be resolved in local Supabase following the instructions I've left on this issue. |
Hi @silentworks when creating the file i got this:
any hint? EDIT: it was caused from an additional line ending added by IntelliJ |
@piccinnigius it is advised to not use a version locally that hasn't been deployed to the platform as yet. The current version that has been deployed to the platform is v2.92.1. |
@silentworks ok thanks so much for the advice 🙏 |
@silentworks - A suggestion about closing threads. There are developer and user reasons to not close an issue until it is actually fixed, not with a work-around, which is what this is. Anyone who is using the latest local version of Supabase and trying to test an auth flow could come across this error and need to read this Github issue. Not only is your fix in the middle of this thread and hard to find, it will be under closed issues. It might be advantageous to keep this open for those people until the CLI update is pushed. That being said, on a different note, I was getting this error when using the fix with When I use the "v2.92.1," I am getting the:
Which is said to be fixed in the latest cli version: supabase/supabase#16702 However, I can't use the latest CLI version, or I will not have this issue fixed. Perhaps I am missing something here. Thanks, J |
@jdgamble555 any reason why you can't use the latest CLI version? btw the issue you are having now isn't related to this thread, probably best to move it over to the CLI repo and tag me there. You might be confusing what issue this thread is about when you say it hasn't been fixed. The original author of this issue said this wasn't working in self-hosted (not CLI) but this has been fixed in both hosted and self-hosted (since this is up to a user to manage and they can simply pull the docker container for the gotrue version with the fix mentioned). The fix for anyone using the CLI is stated above in this comment #569 (comment) |
@silentworks - Well you need the CLI to install the docker, but this is a moot point now. Got it working by deleting all docker files and reinstalling (with the gotrue-version file intact). Thanks for your help :) My other point was just to not close this until the gotrue version is pushed as the default version on docker for the reasons I mentioned above. J |
I've just hit the same issue as @jdgamble555. I've had to add v2.92.1 to the |
Upgrading the supabase package to the latest version resolved the issue in my case. |
The latest cli version seems to have updated gotrue, so you don't need the workaround anymore. J |
I can confirm that updating my local supabase instance has fixed the issue 🕺🎉 Simply
Thanks for everyone that took the time to investigate the issue and help solve it :) |
Bug report
Describe the bug
Following the documentation for auth with nextjs13,
I receive an error AuthApiError: PKCE flow is not supported on signups with autoconfirm enabled when I try to signup a user.
I tried both client and server action versions without success.
System information
Additional context
I'm currently working on a self-hosted version of supabase for the development.