
Password change not possible if GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_REAUTHENTICATION enabled. Error: "update requires reauthentication" - not possible to provide Nonce #1015

Closed
tomekit opened this issue Apr 1, 2023 · 4 comments
Assignees
Labels
bug Something isn't working

Comments

@tomekit

tomekit commented Apr 1, 2023

If the GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_REAUTHENTICATION option is enabled for the GoTrue API, it is not possible to change the password using updateUser, e.g.:

final res = await supabase.auth.updateUser(
  UserAttributes(
    password: password,
  ),
);

According to current docs:
https://github.com/supabase/gotrue#get-reauthenticate
https://github.com/supabase/gotrue#put-user

the user will need to reauthenticate first; however, it doesn't seem to be currently possible to provide a nonce using the Flutter library.

I am using Flutter gotrue v1.5.7.

@tomekit tomekit added the bug Something isn't working label Apr 1, 2023
@Vinzent03

Seems like gotrue-js doesn't support this either. I guess because the supabase platform does not support that flag, but only self-hosted. Do I understand the flow correctly, that you need a reAuthenticate() method, which sends a nonce to the user via email, which you then pass to updateUser()?

@tomekit
Author

tomekit commented Apr 1, 2023

@Vinzent03
Yes, I've just scanned the JS library, especially gotrue-js/src/GoTrueClient.ts, and didn't find any reference to reauthenticate either.

Speaking of the password change flow, I am not exactly sure what the "right" way is; documentation is sparse and I've only deduced that I need a nonce from reading the code in gotrue/internal/api/user.go:112 (please find the snippet at the bottom of this message).

Even if I get the reauthenticate method running via JS/Flutter, there is an issue with the password reset (not change) workflow.
Currently you call /recover, an e-mail gets clicked, and then updateUser() gets called... unfortunately, since setting the ...REQUIRE_REAUTH... setting, the updateUser() call now fails with the error "update requires reauthentication"... so would I need to call reauthenticate to send a nonce (in a similar way as with the password change) again? If so, that would be a pretty horrendous experience from both a user and a dev perspective.

I didn't find this setting in hosted Supabase, so you're probably right... but honestly, allowing a password change without reauth of some sort or without requiring the current password is a deal breaker to me regardless of whether my Auth API is self-hosted or managed.

# gotrue/internal/api/user.go:112
if !config.Security.UpdatePasswordRequireReauthentication {
	if terr = user.UpdatePassword(tx, *params.Password); terr != nil {
		return internalServerError("Error during password storage").WithInternalError(terr)
	}
	isPasswordUpdated = true
} else if params.Nonce == "" {
	return unauthorizedError("Password update requires reauthentication.")
} else {
	if terr = a.verifyReauthentication(params.Nonce, tx, config, user); terr != nil {
		return terr
	}
	if terr = user.UpdatePassword(tx, *params.Password); terr != nil {
		return internalServerError("Error during password storage").WithInternalError(terr)
	}
	isPasswordUpdated = true
}
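The reauthenticate-then-updateUser flow the two comments above piece together, modelled server-side as an added example (not gotrue's own code, and not the user.go logic beyond the branch structure quoted). It assumes the nonce is stored as a SHA-256 hash with an expiry and is consumed on first use, and uses a plain requireReauth bool in place of config.Security.UpdatePasswordRequireReauthentication.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// User holds the password and the pending reauthentication nonce. Keeping only a
// hash of the nonce plus an expiry is this example's assumption, not gotrue's schema.
type User struct {
	PasswordHash   [32]byte
	NonceHash      [32]byte
	NonceExpiresAt time.Time // zero value means no nonce is outstanding
}

var ErrReauthRequired = errors.New("Password update requires reauthentication.")
var ErrBadNonce = errors.New("invalid or expired reauthentication nonce")
// IssueNonce is the server side of the reauthenticate() step: it records the nonce
// that the user receives out of band (by e-mail in the flow the thread describes).
func IssueNonce(u *User, nonce string, now time.Time, ttl time.Duration) {
	u.NonceHash, u.NonceExpiresAt = sha256.Sum256([]byte(nonce)), now.Add(ttl)
}
// verifyReauthentication accepts the nonce only if one is outstanding, unexpired and
// matches in constant time, then clears it so the same nonce cannot be replayed.
func verifyReauthentication(u *User, nonce string, now time.Time) error {
	got := sha256.Sum256([]byte(nonce))
	if u.NonceExpiresAt.IsZero() || now.After(u.NonceExpiresAt) ||
		subtle.ConstantTimeCompare(got[:], u.NonceHash[:]) != 1 {
		return ErrBadNonce
	}
	u.NonceHash, u.NonceExpiresAt = [32]byte{}, time.Time{}
	return nil
}

// UpdatePassword follows the branch structure of the user.go snippet quoted above;
// requireReauth stands for GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_REAUTHENTICATION.
func UpdatePassword(requireReauth bool, u *User, newPassword, nonce string, now time.Time) error {
	if requireReauth {
		if nonce == "" {
			return ErrReauthRequired
		}
		if err := verifyReauthentication(u, nonce, now); err != nil {
			return err
		}
	}
	u.PasswordHash = sha256.Sum256([]byte(newPassword)) // stand-in for a real password hash
	return nil
}
```

With the flag off the update goes through with no nonce at all, which is the behaviour the issue author objects to; with it on, a missing nonce yields exactly the error quoted in the issue, and a replayed or expired nonce is rejected.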

@dshukertjr
Member

Since the scope is larger than just the Flutter library, I am transferring this to gotrue repo.

@dshukertjr dshukertjr transferred this issue from supabase/supabase-flutter Apr 3, 2023
@kangmingtay kangmingtay self-assigned this Apr 19, 2023
@kangmingtay
Member

Hi everyone, we've added the methods to the supabase-js client library already and have also updated the docs for the following:
