Password Reset Flow not working as documented

[djemrose]

Bug report

Describe the bug

As heavily discussed there is a bug that logs the user in when they go to reset their password: supabase/supabase#3360

The onAuthStateChange shows this happening by firing the SIGNED IN event before the PASSWORD_RECOVERY event. I would imagine this is undesirable for everyone. This also causes the hash-bang url to get cleared in the browser immediately on page load, which prevents some apps from grabbing the documented access_token for later use.

To Reproduce

1. Follow the official guide here whilst listening to the onAuthStateChange event: https://supabase.com/docs/reference/javascript/auth-api-resetpasswordforemail
2. Also witness the hash-bang url being cleared on page load.

Expected behavior

1. The hashbang url to not be cleared
2. Only the PASSWORD_RECOVERY event to fire.
3. No SIGNED_IN event should fire on page load.

Screenshots

System information

• OS: macOS
• Browser Chrome
• Version of supabase-js: @supabase/supabase-js 1.1.2
• Version of Node.js: v16.13.1

[MKlblangenois]

Same issue on my side, PASSWORD_RECOVERY hasn't fired, only SIGNED_IN with link from reset-password e-mail. Have you any update ?

[mryechkin]

I'm seeing this issue as well. The PASSWORD_RECOVERY event used to fire when going to the URL in the Reset Password email, but for whatever reason doesn't anymore. I know this because my old code that used to run perfectly fine is no longer working as expected.

[funwithtriangles]

Having a similar issue, I just get SIGNED_IN instead of PASSWORD_RECOVERY

[funwithtriangles]

FWIW I fixed my issue by avoiding the auth event altogether and just making sure the link redirects the user to the correct page:

await supabase.auth.resetPasswordForEmail(email, {
    redirectTo: `${window.location.origin}/reset-password`,
  })

[hf]

Please avoid relying on the sequence of events fired in the onAuthStateChange callback as the order is never guaranteed.

You can always use getSession() to safely access the latest access token.

[laygir]

I'm quite new to Supabase, I've been hearing it a lot and wanted to give it a go in a side project.
But seeing this issue open for more than a year is a bit surprising considering its impact, but hopefully the fix is on the way I believe 🤞 #629

Meanwhile, before I came across #629 and after spending several hours trying to make my frontend flow nice and tight, I gave up on using onAuthStateChange and I am not sure what I am losing by not using it.

Fwiw, to prevent user from being logged in while reset password op, I do this;

1. I am using the following in my Reset Password email:

<p><a href="{{ .SiteURL }}/reset-password?confirmation_url={{ .ConfirmationURL }}%26token%3d{{ .Token}}%26email%3d{{ .Email}}">Reset Password

2. Then when user lands on /reset-password without doing any auth.getSession(), pick up the confirmation_url from url, run it through new URLSearchParams, extract the token, email, type.

3. Manually call auth.verifyOtp({ token, email, type })

4. Finally call updatePassword({ password })

[abdulrahimiliasu]

Any update on this ?

[kangmingtay]

Hey @abdulrahimiliasu and @laygir, we've already merged in the PR to fix this issue: #629 so we'll be closing this issue. Please feel free to reopen it if you're still experiencing the same issue.