
Invite OTPs can't be verified by POST /verify endpoint #1284

Closed
2 tasks done
lukecyca opened this issue Oct 26, 2023 · 5 comments
Labels
bug Something isn't working

Comments

@lukecyca

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

The invite link that is included in the invite email does not validate using the POST /verify endpoint. It results in HTTP 400 "Error: Only an email address or phone number should be provided on verify".

This means that OTPs in the invite email cannot be used with e.g. the gotrue-js verifyOtp() method.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Invite a user by POST /invite {"email":"user@example.com"}
  2. The user receives an email with a link such as: https://frontend.example.com/verify?token=066b180ce6f9e6db6ab803cde4d43c880133cbeca173b3db8a12a5a7&type=invite&redirect_to=https://frontend.example.com. Note that this has been customized using GOTRUE_MAILER_URLPATHS_INVITE to point to a frontend page which uses gotrue-js rather than pointing to the GoTrue API directly.
  3. That page uses gotrue-js's verifyOtp() to make a POST request to the GoTrue API: https://gotrue.example.com/verify with the body: {"token":"066b180ce6f9e6db6ab803cde4d43c880133cbeca173b3db8a12a5a7", "type":"invite"}

Expected behavior

The verify endpoint should accept the token and result in a valid session so that the user can continue to e.g. set their initial password.

System information

  • Version of gotrue-js: 2.57.0
  • Version of gotrue: 2.105.0

Additional context

The expected behaviour used to work (possibly not since many versions ago).

It looks like the GET and POST versions of the /verify endpoint behave differently. I expect I could use the GET instead of the POST and would have my expected behaviour. However, that would require modifying gotrue-js, which currently uses the POST request. Also, using a GET /verify seems weird since it's decidedly a non-idempotent operation.

@lukecyca lukecyca added the bug Something isn't working label Oct 26, 2023
@kangmingtay
Member

kangmingtay commented Oct 30, 2023

Hey @lukecyca, this is not a bug; you need to pass the email of the invitee in the body when you make the POST request to /verify.

@lukecyca
Author

Hi @kangmingtay, thanks for the response. I did see from reading the codebase that it wants the email supplied as well. I still think something is amiss with this, because:

  • The email field is not available when verifying a generated link, because gotrue's link generator does not include it. How should we be able to get the email when verifying an invite link?
  • The documentation says the email field is not required for the POST /verify endpoint.

Presumably I'm missing something here. How is an invite link supposed to be verified?

@kangmingtay
Member

@lukecyca, if you are generating a link and sending the email link to a user's email, clicking on the link invokes a GET /verify request and not POST /verify.

GET /verify doesn't require an email because it contains a unique token that can be used to identify which user requested the email link.

Ah, good point, the documentation is incorrect and we'll need to update it. Thanks for catching it!

@lukecyca
Author

lukecyca commented Oct 30, 2023

I have overridden the GOTRUE_MAILER_URLPATHS_INVITE to point to a page that requires the user to click a button before actually verifying the token, as a workaround to #1214.

When they click the button, I'm using gotrue-js to hit the POST /verify endpoint. I suppose I could redo this flow to send the user to GET /verify instead.

Unfortunately the fact that GET /verify is not idempotent (calling it expires the token) is the root issue in #1214.

Edit: In addition to #1214, there is more discussion over at supabase/auth-js#342. And #713.

@kangmingtay
Member

@lukecyca, have you seen https://supabase.com/docs/guides/auth/auth-email-templates#email-prefetching ? GET /verify cannot be idempotent because it is dangerous for the email link to be reused. If you are already using POST /verify, why not display a screen for the user to enter the 6-digit OTP?
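The following is an added example, not GoTrue's or gotrue-js's code, that models the two /verify request styles as the thread describes them: POST /verify needs the token, the type and the invitee's email (the quoted 400 text is what the reporter received when the email was missing), while GET /verify identifies the user from the token alone. Both consume the token on first use, which is why an email link that is prefetched by a mail scanner no longer works when the real user clicks it, and why the POST flow behind a confirm button avoids that. The in-memory token store, the 401 error text and the non-400 status codes are assumptions of this model; only the sample token and link format are taken from the reproduction steps above.

```javascript
// Added example (not GoTrue or gotrue-js code): in-memory model of the two
// /verify flows discussed in this issue. Statuses other than the quoted 400
// and the 401 message are constructed for the model.

// Token value copied from the reproduction steps above (a sample, not live).
const SAMPLE_TOKEN =
  "066b180ce6f9e6db6ab803cde4d43c880133cbeca173b3db8a12a5a7";

// Constructed store of outstanding invite tokens: token -> { email, type, used }.
function makeStore() {
  return new Map([
    [SAMPLE_TOKEN, { email: "user@example.com", type: "invite", used: false }],
  ]);
}

function isNonEmptyString(v) {
  return typeof v === "string" && v.length > 0;
}

// Return the record for a token that exists, matches the requested type and
// has not been used yet; otherwise null. Does not consume the token.
function lookupToken(store, token, type) {
  const rec = store.get(token);
  if (!rec || rec.used || rec.type !== type) return null;
  return rec;
}

// Constructed failure response shared by both flows.
function invalidToken() {
  return { status: 401, error: "Token has expired or is invalid" };
}

// POST /verify: as the maintainer explains, the body must carry the invitee's
// email (or phone) alongside token and type. Requiring exactly one of the two
// rejects both the reporter's body (neither) and a body that carries both.
function postVerify(store, body) {
  const hasEmail = isNonEmptyString(body.email);
  const hasPhone = isNonEmptyString(body.phone);
  if (hasEmail === hasPhone) {
    return {
      status: 400,
      error: "Only an email address or phone number should be provided on verify",
    };
  }
  const rec = lookupToken(store, body.token, body.type);
  // This model only stores email invites, so a phone body never matches.
  // Checking the email before consuming means a wrong-email request does not
  // burn the invitee's token.
  if (!rec || !hasEmail || rec.email !== body.email) return invalidToken();
  rec.used = true; // single use: the same body is rejected from now on
  return { status: 200, session: { user: rec.email, type: rec.type } };
}

// GET /verify?token=...&type=...: the token alone identifies the user, and it
// is consumed on first use. The real endpoint redirects to redirect_to; the
// model returns the session directly so it can be checked offline.
function getVerify(store, query) {
  const rec = lookupToken(store, query.token, query.type);
  if (!rec) return invalidToken();
  rec.used = true;
  return { status: 200, session: { user: rec.email, type: rec.type } };
}

// Follow an invite link exactly as a mail-scanner prefetch or a user click
// would: parse token and type from the query string and hit GET /verify.
function verifyFromLink(store, link) {
  const url = new URL(link);
  return getVerify(store, {
    token: url.searchParams.get("token"),
    type: url.searchParams.get("type"),
  });
}
```

Running `verifyFromLink` twice on the same link with a fresh store shows the prefetch problem: the first fetch (whoever makes it) gets the session and the second gets the 401, which is the behaviour the linked email-prefetching guidance is about. The POST flow only succeeds once as well, but because it is triggered by the user's button press rather than by anything that merely opens the link, the consumed use is the real one.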
