Invite OTPs can't be verified by POST /verify endpoint #1284
Comments
hey @lukecyca, this is not a bug, you need to pass the
Hi @kangmingtay, thanks for the response. I did see from reading the codebase that it wants the email supplied as well. I still think something is amiss with this, because:
Presumably I'm missing something here. How is an invite link supposed to be verified?
@lukecyca if you are generating a link and sending the email link to a user's email, clicking on the link invokes a
ah good point, the documentation is incorrect and we'll need to update it, thanks for catching it!
I have overridden the When they click the button, I'm using Unfortunately the fact that Edit: In addition to #1214, there is more discussion over at supabase/auth-js#342. And #713.
@lukecyca have you seen https://supabase.com/docs/guides/auth/auth-email-templates#email-prefetching ?
Bug report
Describe the bug
The invite link that is included in the invite email does not validate using the POST /verify endpoint. It results in HTTP 400 "Error: Only an email address or phone number should be provided on verify".
This means that OTPs in the invite email cannot be used with e.g. the gotrue-js verifyOtp() method.
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
{"email":"user@example.com"}
https://frontend.example.com/verify?token=066b180ce6f9e6db6ab803cde4d43c880133cbeca173b3db8a12a5a7&type=invite&redirect_to=https://frontend.example.com
Note that this has been customized using GOTRUE_MAILER_URLPATHS_INVITE to point to a frontend page which uses gotrue-js rather than pointing to the GoTrue API directly.
verifyOtp() to make a POST request to the GoTrue API: https://gotrue.example.com/verify with the body: {"token":"066b180ce6f9e6db6ab803cde4d43c880133cbeca173b3db8a12a5a7", "type":"invite"}
Expected behavior
The verify endpoint should accept the token and result in a valid session so that the user can continue to e.g. set their initial password.
System information
Additional context
The expected behaviour used to work (possibly not since many versions ago).
It looks like the GET and POST versions of the /verify endpoint behave differently. I expect I could use the GET instead of the POST and would have my expected behaviour. However that would require modifying gotrue-js which currently uses the POST request. Also using a GET /verify seems weird since it's decidedly a non-idempotent operation.