supabase / auth-helpers

A collection of framework specific Auth utilities for working with Supabase.
https://supabase.github.io/auth-helpers/
MIT License
908 stars 232 forks source link

Problem with password reset flow #695

Open muezz opened 1 year ago

muezz commented 1 year ago

Bug report

Describe the bug

I am trying to set up password reset flow in Next13 with app router. I get the following error in my Vercel logs:

[AuthApiError]: invalid request: both auth code and code verifier should be non-empty

To Reproduce

  1. User enters their email and triggers the flow using:

    export const authRouter = router({
    sendPwdResetEmail: publicProcedure
        .input(z.string().email())
        .mutation(async ({ input }) => {
            const sp = spServerClient();
            const { error } = await sp.auth.resetPasswordForEmail(
                input,
                {redirectTo: 'http://my-domain.io/api/auth/callback'}
            );
            if (error) throw Error(error.message);
        }),
    resetPwd: publicProcedure
        .input(z.string().min(8).max(25))
        .mutation(async ({ input }) => {
            const sp = spServerClient();
            const { error } = await sp.auth.updateUser({password: input});
            if (error) throw Error(error.message);
        }),
    });
  2. User receives an email where they click on the button. They are redirected to the following callback url (api). This comes directly from the Supabase+Next13 template

    export async function GET(request: NextRequest) {
    const requestUrl = new URL(request.url)
    const code = requestUrl.searchParams.get('code')
    if (code) {
    const supabase = createRouteHandlerClient({ cookies })
    await supabase.auth.exchangeCodeForSession(code)
    }
    return NextResponse.redirect(`${requestUrl.origin}/reset-password`)
    }
  3. Browser shows an error that it has been redirected too many times and the vercel logs say the error I mentioned above.

  4. If I click on the button in the email again, it takes me to the reset password url but the url has some search params that mention that the auth code has expired or is invalid.

Expected behavior

I expect the callback url to redirect the user to the password reset page.

System information

Additional context

If I am doing anything wrong or if you require more info, please let me know.

oldbettie commented 11 months ago

This is an ongoing issue but they seem to just move on here is another thread that was closed. https://github.com/supabase/auth-helpers/issues/545

I have been scratching my head for days. following the guide provided in that thread creates the session correctly in the confirm/route.ts but once the next redirect happens it has no session sounds like there are a few open bugs about it.