fix: send otp in email link #379

kangmingtay · 2022-02-08T06:47:50Z

What kind of change does this PR introduce?

Fixes Email Confirm and Password reset via code #139, Send code instead of magic link #264, Email client previewing links expires confirmation/reset/invite tokens #368
Sends the OTP (which can either be a confirmation / invite / recovery / email change token) in the email together with the url link
Developers can choose to omit {{ .ConfirmationURL }} from their email templates to prevent cases where email clients preview the URL thus resulting in the token being consumed. (addresses Email client previewing links expires confirmation/reset/invite tokens #368)

API Additions / Changes

POST /verify now accepts an email field which would be used together with the token to verify the user.

{
  "type": "signup",
  "email": "foo@example.com",
  "token": "random token",
  "redirect_to": "my_redirect_to_url"
}

If type=email_change and MAILER_SECURE_EMAIL_CHANGE_ENABLED=true, the old email will be used for verifying both OTPs sent to the old and new email address.

Implementation Details

I refactored the common parts in signupVerify, recoverVerify, emailChangeVerify and smsVerify into a new function called verifyUserAndToken
verifyUserAndToken does the following:
- Checks if the verification is an url or otp verification
- If it's an otp verification, check if its an sms or email otp.
Checks if the user is banned
Checks if the otp is valid

To-Dos:

Allow url link / otp expiration to be configurable rather than restricted to 24hrs
Send a human-readable hash / slug instead of an otp (will be added as an enhancement in a separate PR)

J0

Looks fine to me. But let me sleep on it and read once more before approving

api/verify_test.go

J0 · 2022-02-10T02:44:37Z

api/verify.go

+	return time.Now().Before(expiresAt) && (actual == expected)
+}
+
+func isUrlVerification(params *VerifyParams) bool {


/nit Would be nice if we could check directly params.Type == URLVerification instead of via exclusion (e.g. it is not (email or sms) so it is url)

That said, it is not a priority and would require a refactor. Probably not within a scope of this PR.

Yeah i thought about that too but the type (signup vs recover) is tightly coupled to the ConfirmationToken & RecoveryToken fields, so it would be hard to tell whether the URL is a confirmation or recovery URL if we introduced a params.Type == URLVerification

J0

Looks great! Thanks for the PR :)

awalias

I may have overlooked it, but do we have a test case for: valid token used in combination with the email address of a different user?

api/verify.go

kangmingtay · 2022-02-10T06:30:00Z

I may have overlooked it, but do we have a test case for: valid token used in combination with the email address of a different user?

yeah i can add a test for that too, in this case, the verification should be rejected because the valid token doesn't belong to that user.

github-actions · 2022-02-10T07:50:19Z

🎉 This PR is included in version 2.5.8 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

asyncink · 2022-02-17T18:13:20Z

Hi guys and thank you for your work! Can you please provide some information about your plans to support email OTP in supabase-js client? @J0

This aligns the connection handling behaviour with the rest of the functions in `api/verify.go`. This looks like it might have been a leftover bug during refactoring in PR supabase#379.

…424) This aligns the connection handling behaviour with the rest of the functions in `api/verify.go`. This looks like it might have been a leftover bug during refactoring in PR #379.

cloudorbush · 2022-05-07T23:43:38Z

This is awesome @kangmingtay.

Now the OTP code sent looks like this:

pLPxtiXsMC_D7hQqhuLQDw

Unfortunately that's too long to copy manually.

Especially on mobile that doesn't add much benefit over redirects.

Instead an example code should look like this:

234 432

That way, a user could type it manually from the email notification they receive, and not have to close the app.

I'm not sure how much of a headache it is to implement this, but it's the standard on most other services.

kangmingtay · 2022-05-09T08:09:11Z

hey @vbylen, with this PR (#446), the email codes are now in the following format: ycjho-qjvns-nadyy-kcpbu which would be much easier for the user to either copy manually or type it manually since they are divided into even chunks.

cloudorbush · 2022-05-11T04:04:04Z

great job @kangmingtay

Now if it was possible to replace it with just 6 digits like in two-factor authentication... 😄

zebaroni · 2022-06-21T18:46:01Z

ycjho-qjvns-nadyy-kcpbu Is not easy at all for a user to copy...

cloudorbush · 2022-06-25T09:01:33Z

@bicijay agreed, this was a missed opportunity

@kiwicopple thoughts?

kangmingtay · 2022-06-25T10:31:21Z

@bicijay @vbylen we're working on a PR to shorten the email otp to [6-10] digits long, thanks for the feedback everyone!

kaaloo · 2022-09-02T13:43:02Z

Is there any ongoing work on this @kangmingtay ?

@bicijay @vbylen we're working on a PR to shorten the email otp to [6-10] digits long, thanks for the feedback everyone!

J0 · 2022-09-02T16:01:12Z

Hey @kaaloo,

The work by @kangmingtay to shorten the email otp to 6-10 digits has been merged. Do check out the/generate_link endpoint on the README and let us know if you have any questions.

Thanks!