Signup confirmation email link buggy on second click #504

Closed
laurentS opened this issue Jan 10, 2021 · 15 comments
Labels
bug Something isn't working
@laurentS

Bug report

Describe the bug

If I click the account confirmation link again after confirming, I get an ugly JSON 404 response. Since this is user-facing, it can be confusing.
The JSON response looks like this {"code":404,"msg":"User not found"}.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Sign up as a user of a Supabase app (triggered by supabase.auth.signup())
  2. Open the confirmation email and click the link, and find yourself in the app as expected
  3. Go back to the mailbox and click the link again (say I forgot if I clicked it or not)
  4. End up on the error message above

Expected behavior

A proper HTML page with a meaningful message would be better. Maybe "you've already confirmed your account"?

@laurentS laurentS added the bug Something isn't working label Jan 10, 2021
@carlosstenzel
Contributor

use

const { data, error } = await supabase.auth.signUp({
  email: email,
  password: password,
});

if (error) {
  toast.error(error.message, {
    position: toast.POSITION.TOP_RIGHT,
  });
  return false;
}

and

const { error } = await supabase.auth.signIn({
  email: email,
  password: password,
});

if (error) {
  toast.error(error.message, {
    position: toast.POSITION.TOP_RIGHT,
  });
}

in https://app.supabase.io/project//auth/settings config the field Site URL

and everything will work :D

@laurentS
Author

@carlosstenzel Thanks for sharing these, and sorry for not replying earlier. Unfortunately, I don't think these address my issue. I have configured the site url in settings, and everything works fine from clicking the signup confirmation link in the email until I'm back in my app. The email has a link like https://<app_id>.supabase.co/auth/v1/verify?token=<the_token>&type=signup. My error happens after clicking this link (a second time), not at the initial call to supabase.auth.signUp.
Is there something else I'm missing?

@carlosstenzel
Contributor

understand

double clicking to confirm it returns the error.

{"code":404,"msg":"User not found"}

@kiwicopple, can we make a lake to deal with this error?

** if the token does not exist, just redirect to the site

@laurentS
Author

I was just looking at the code in gotrue to understand what is happening. I don't speak Go, but it seems that this line is where the issue is. I'm seeing a 404 JSON, but maybe a more user-friendly page that shows HTML instead of JSON would be easier. Or redirect to the siteURL with an extra param so we can handle it in the app.

@laurentS
Author

laurentS commented Feb 6, 2021

Just found this other issue which seems to be the same

@awalias
Member

awalias commented Mar 10, 2021

ah! looks like we applied the fix only to recovery and not to signup: https://github.com/supabase/gotrue/pull/44/files

@AngeloAnolin
Contributor

Attempt to fix via https://github.com/supabase/gotrue/pull/82

Sorry had to put the comment here as the fix was made in the gotrue repo but the issue is in this supabase repo.

@tylermercer

What is the status on this? The PRs mentioned above were merged but it still happens.

@janzheng

janzheng commented May 9, 2021

Is it possible to handle stale magic links w/ a redirect URL, e.g. to a signup page?

@awalias
Member

awalias commented Sep 22, 2021

appears to be fixed now, I get redirected to "<SITE_URL>/#error_code=404&error_description=Confirmation+Token+not+found"

@awalias awalias closed this as completed Sep 22, 2021
@peachp

peachp commented Mar 10, 2023

@awalias I see it's closed, but since this is the only place I found when googling, for the benefit of others:

When clicking on the {{ .ConfirmationURL }} a second time from the email, the user gets redirected to a URL which includes:

#error=unauthorized_client&error_code=401&error_description=Email+link+is+invalid+or+has+expired

Now I didn't test how it looks when you click on it when it's actually expired*. The error_description says "invalid+or+has+expired", so I wonder how do I know which one it is? Because I need to show different things to the user. (Unless you can advise me if I need to do it, it's a smell that my auth flow is bad...?)

*Btw, is this controlled by
Auth settings > User Sessions > JWT expiry limit
?
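
Added example (not part of any comment in this thread, and not Supabase or GoTrue code): one way a client page could read the two error fragments quoted above and choose fixed wording rather than echoing `error_description` into the page. The function names and the `app.example` site URL are assumptions; both quoted fragments give a single description for the failure, so the sample maps them to one message.

```javascript
// Added example; parseAuthRedirect and userMessage are hypothetical names.
// Constructed samples built from the two fragments quoted in this thread,
// with app.example standing in for <SITE_URL>.
const SAMPLE_2021 =
  "https://app.example/#error_code=404&error_description=Confirmation+Token+not+found";
const SAMPLE_2023 =
  "https://app.example/#error=unauthorized_client&error_code=401" +
  "&error_description=Email+link+is+invalid+or+has+expired";

// Parse the fragment of a post-verification redirect into a plain object.
function parseAuthRedirect(url) {
  const hashIndex = url.indexOf("#");
  if (hashIndex === -1) return { failed: false };
  const params = new URLSearchParams(url.slice(hashIndex + 1));
  if (!params.has("error_code") && !params.has("error")) return { failed: false };
  const code = Number.parseInt(params.get("error_code") ?? "", 10);
  return {
    failed: true,
    error: params.get("error"), // null in the older (2021) format
    code: Number.isInteger(code) ? code : null,
    // URLSearchParams decodes "+" as a space. This text is untrusted:
    // anyone can send a user a link to the site carrying any fragment.
    description: params.get("error_description") ?? "",
  };
}

// Map the result to fixed, app-owned copy. The description is kept for
// logging only and is never inserted into the page as markup.
function userMessage(result) {
  if (!result.failed) return null;
  if (result.code === 401 || result.code === 404) {
    return "This email link is no longer valid. If you already confirmed " +
      "your account, sign in. Otherwise, request a new link.";
  }
  return "Sign-in failed. Please try again.";
}
```

In a browser, call `userMessage(parseAuthRedirect(window.location.href))` on page load and assign the result with `textContent`.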

@chrisguerrero

chrisguerrero commented Apr 6, 2023

+1. Wondering what the preferred method of handling auth errors for an expired magic link is.

@Chippd

Chippd commented Apr 23, 2023

+1 I'm in the same boat as @peachp. I don't know if my auth flow is bad or what, I'm getting multiple reports of users being put in an endless loop where the magic links they're clicking from email are expired. This is also the only place I found via Google that mentions this.

@AdamBCo

AdamBCo commented Jun 28, 2023

+1

@xEverth

xEverth commented Dec 21, 2023

Also had some users report this issue. I'm trying to see if it's an email security setting that "clicks" on the links before the users are able to. Any updates from the team as to how to handle invalid confirmation links?
