OTP signup fails with 422 when minimum_password_length is high #2456

@Magnuti

Bug report

Describe the bug

When minimum_password_length is set to a high value (e.g. 100) in config.toml, signInWithOtp fails with a 422 error:

{"code":422,"error_code":"weak_password","msg":"Password should be at least 100 characters.","weak_password":{"reasons":["length"]}}

OTP signup is passwordless — no password is supplied by the client. It appears that GoTrue internally generates a dummy password when creating the user account, but that generated password doesn't respect the minimum_password_length setting. It then validates the password it just generated against the config and rejects it.

To reproduce

  1. Set minimum_password_length = 100 in config.toml under [auth]
  2. Enable OTP/magic link signup (enable_signup = true under [auth.email])
  3. Call supabase.auth.signInWithOtp({ email: "test@example.com" })
  4. Get 422 Unprocessable Entity error

Expected behavior

OTP signup should work regardless of minimum_password_length, since no password is involved. The internally generated dummy password should either bypass the length check or be generated to match the configured minimum.

System information

  • Local Supabase CLI
  • OTP / magic link auth flow
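
A minimal Go model of the behaviour the report hypothesises and of the second remedy it proposes (sizing the generated placeholder to the configured minimum). This is an added illustration, not GoTrue's code: `otpSignup`, `checkPassword`, `randomPassword` and the 32-character default length are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrWeakPassword mirrors the "weak_password" error_code shown in the report.
var ErrWeakPassword = errors.New("weak_password")

// defaultGeneratedLen is an assumed placeholder length, not GoTrue's real value.
const defaultGeneratedLen = 32

// checkPassword enforces the configured minimum_password_length.
func checkPassword(pw string, minLen int) error {
	if len(pw) < minLen {
		return fmt.Errorf("%w: password should be at least %d characters", ErrWeakPassword, minLen)
	}
	return nil
}

// randomPassword returns n URL-safe characters drawn from the OS CSPRNG.
func randomPassword(n int) (string, error) {
	buf := make([]byte, n) // n random bytes always encode to at least n characters
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf)[:n], nil
}

// otpSignup models passwordless signup; policyAware=false is the reported behaviour.
func otpSignup(minLen int, policyAware bool) (string, error) {
	n := defaultGeneratedLen
	if policyAware && minLen > n {
		n = minLen // grow the placeholder so it always satisfies the policy
	}
	pw, err := randomPassword(n)
	if err != nil {
		return "", err
	}
	return pw, checkPassword(pw, minLen) // placeholder plus the policy verdict
}

func main() {
	_, errOld := otpSignup(100, false)
	pw, errNew := otpSignup(100, true)
	fmt.Println("fixed length:", errOld, "| policy-aware:", len(pw), errNew)
}
```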
