supabase / auth-helpers

A collection of framework specific Auth utilities for working with Supabase.
https://supabase.github.io/auth-helpers/
MIT License

Problem with password reset flow #695

Open muezz opened 7 months ago

muezz commented 7 months ago

Bug report

Describe the bug

I am trying to set up the password reset flow in Next 13 with the app router. I get the following error in my Vercel logs:

[AuthApiError]: invalid request: both auth code and code verifier should be non-empty

To Reproduce

  1. User enters their email and triggers the flow using:

    // tRPC router: one procedure sends the reset e-mail, the other sets the new password.
    export const authRouter = router({
        sendPwdResetEmail: publicProcedure
            .input(z.string().email())
            .mutation(async ({ input }) => {
                const sp = spServerClient();
                // The e-mailed link sends the user to the callback route shown in step 2.
                const { error } = await sp.auth.resetPasswordForEmail(
                    input,
                    { redirectTo: 'http://my-domain.io/api/auth/callback' }
                );
                if (error) throw new Error(error.message);
            }),
        resetPwd: publicProcedure
            .input(z.string().min(8).max(25))
            .mutation(async ({ input }) => {
                const sp = spServerClient();
                const { error } = await sp.auth.updateUser({ password: input });
                if (error) throw new Error(error.message);
            }),
    });

  2. User receives an email where they click on the button. They are redirected to the following callback URL (API). This comes directly from the Supabase+Next13 template.

    import { createRouteHandlerClient } from '@supabase/auth-helpers-nextjs'
    import { cookies } from 'next/headers'
    import { NextRequest, NextResponse } from 'next/server'

    export async function GET(request: NextRequest) {
        const requestUrl = new URL(request.url)
        const code = requestUrl.searchParams.get('code')
        if (code) {
            // Exchange the auth code from the e-mailed link for a session.
            const supabase = createRouteHandlerClient({ cookies })
            await supabase.auth.exchangeCodeForSession(code)
        }
        return NextResponse.redirect(`${requestUrl.origin}/reset-password`)
    }

  3. Browser shows an error that it has been redirected too many times and the Vercel logs say the error I mentioned above.

  4. If I click on the button in the email again, it takes me to the reset password URL but the URL has some search params that mention that the auth code has expired or is invalid.

Expected behavior

I expect the callback url to redirect the user to the password reset page.

System information

Additional context

If I am doing anything wrong or if you require more info, please let me know.
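
The error quoted in the report names the PKCE code verifier (RFC 7636). As an added example, not code from the issue or from Supabase, this in-memory model of a PKCE exchange shows the server-side check: the callback succeeds only when the verifier created at the start of the flow is still available to the request that exchanges the code. `ToyAuthServer`, `runFlow` and the cookie-jar stand-in are hypothetical names chosen for illustration.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Hypothetical in-memory model of a PKCE (RFC 7636) authorization server.
// It is not Supabase's implementation; names and messages are constructed,
// except the first rejection text, which is copied from the error in the report.
type Result = { ok: boolean; session?: string; error?: string };

const b64url = (buf: Buffer): string => buf.toString("base64url");
const challengeFor = (verifier: string): string =>
  b64url(createHash("sha256").update(verifier).digest());

class ToyAuthServer {
  private pending = new Map<string, string>(); // auth code -> code challenge

  // Start of the flow: the server only ever sees the challenge (S256).
  startReset(codeChallenge: string): string {
    const code = b64url(randomBytes(16));
    this.pending.set(code, codeChallenge);
    return code; // delivered to the user inside the e-mailed link
  }

  // Callback: the caller must present the code and the original verifier.
  exchange(code: string, verifier: string | undefined): Result {
    if (!code || !verifier) {
      return { ok: false, error: "both auth code and code verifier should be non-empty" };
    }
    const challenge = this.pending.get(code);
    if (challenge === undefined || challenge !== challengeFor(verifier)) {
      return { ok: false, error: "code verifier does not match" };
    }
    this.pending.delete(code); // auth codes are single-use in this model
    return { ok: true, session: "session-for-" + code };
  }
}

// The Map stands in for the browser's cookies (assumption for this model).
function runFlow(persistVerifier: boolean): Result {
  const server = new ToyAuthServer();
  const cookieJar = new Map<string, string>();
  const verifier = b64url(randomBytes(32));
  if (persistVerifier) cookieJar.set("code-verifier", verifier);
  const code = server.startReset(challengeFor(verifier));
  // Later request: only what is in the jar is available to the callback.
  return server.exchange(code, cookieJar.get("code-verifier"));
}
```

In this model the exchange fails with the reported message whenever the verifier was generated in a context that did not persist it for the browser that later opens the link.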

oldbettie commented 6 months ago

This is an ongoing issue, but they seem to just move on. Here is another thread that was closed: https://github.com/supabase/auth-helpers/issues/545

I have been scratching my head for days. Following the guide provided in that thread creates the session correctly in the confirm/route.ts, but once the next redirect happens it has no session. Sounds like there are a few open bugs about it.