supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

auth.admin.generateLink does not return proper redirectTo #1738

Open apertureless opened 2 months ago

apertureless commented 2 months ago

Bug report

Describe the bug

I am using auth.admin.generateLink with type magiclink in an edge function and passing the redirectTo param. However the generated link does not respect the provided redirectTo param and returns the site url.

To Reproduce

// Supabase edge function (Deno). The client setup and placeholder values were
// added so the snippet runs on its own; they are assumptions, not the original.
import { createClient } from "npm:@supabase/supabase-js@2";

const supabaseClient = createClient(
  Deno.env.get("SUPABASE_URL")!,
  Deno.env.get("SUPABASE_SERVICE_ROLE_KEY")!, // admin API requires the service role key
);
const email = "user@example.com"; // placeholder
const orga_id = "ORGA_ID_PLACEHOLDER"; // placeholder

const { data: linkData, error: linkError } =
  await supabaseClient.auth.admin.generateLink({
    type: "magiclink",
    email: email,
    options: {
      data: {
        orga: orga_id,
      },
      redirectTo: "http://localhost:3000/confirm",
    },
  });

After triggering the edge function locally this is the response:

[Info] [Generated link: ] http://127.0.0.1:54321/auth/v1/verify?token=9cdd921dc47c0e1b136f3659e6926f45697209047abc95d7964efb67&type=magiclink&redirect_to=http://127.0.0.1:3000/auth/login

[Info] [Generated linkdata: ] {
  action_link: "http://127.0.0.1:54321/auth/v1/verify?token=9cdd921dc47c0e1b136f3659e6926f45697209047abc95d7964efb67"... 60 more characters,
  email_otp: "275123",
  hashed_token: "9cdd921dc47c0e1b136f3659e6926f45697209047abc95d7964efb67",
  redirect_to: "http://127.0.0.1:3000/auth/login",
  verification_type: "magiclink"
}

Expected behavior

redirect_to should be set to the param provided (http://localhost:3000/confirm) instead of http://127.0.0.1:3000/auth/login

encima commented 2 months ago

Hi there,

thanks for opening. I believe there have been a few reports of this so I will move this to the Auth repo for the team to respond.

apertureless commented 2 months ago

Well, I could pinpoint my issue here. It has to do with the undocumented fact that the redirect_url has to be from the same host / site? https://github.com/supabase/auth/blob/master/internal/utilities/request.go#L91

If I change the redirectTo param in my example to http://127.0.0.1/confirm it works.

However, I am not sure how I feel about this, because in my case I will run the auth.admin.generateLink in an edge function which will be triggered from app-a and should generate a magic-link and redirect to app-b but this does not seem to be possible, right?

kangmingtay commented 2 months ago

@apertureless have you verified that you've added the redirect URL to the allow list: https://supabase.com/docs/guides/auth/redirect-urls?

apertureless commented 2 months ago

I've added localhost and 127.0.0.1 to the config
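The allow-list check the thread points at (request.go and the redirect-URLs doc), as an added Go illustration constructed for this page rather than Supabase's own code: a redirect target is kept only when its scheme, host, port and path match an allow-list entry, otherwise the site URL is substituted, which is the substitution the log above shows. The RedirectConfig type, hostKey helper and the "/**" sub-path convention are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedirectConfig is a constructed stand-in for an auth server's redirect
// settings (an assumption, not Supabase's configuration type).
type RedirectConfig struct {
	SiteURL   string   // fallback used whenever redirectTo is not permitted
	AllowList []string // absolute URLs; a trailing "/**" permits any sub-path
}

// hostKey normalises scheme, host and port so "localhost" never equals "127.0.0.1".
func hostKey(u *url.URL) string {
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Hostname()) + ":" + u.Port()
}

// pathAllowed accepts an exact path or, for "/**" entries, any sub-path.
func pathAllowed(pattern, p string) bool {
	if strings.HasSuffix(pattern, "/**") {
		return strings.HasPrefix(p, strings.TrimSuffix(pattern, "**"))
	}
	return pattern == p
}

// ResolveRedirect returns redirectTo when it is an absolute http(s) URL that
// matches an allow-list entry on scheme, host, port and path; otherwise it
// falls back to SiteURL, which is the substitution the thread observes.
func ResolveRedirect(cfg RedirectConfig, redirectTo string) string {
	target, err := url.Parse(redirectTo)
	if err != nil || (target.Scheme != "http" && target.Scheme != "https") || target.Host == "" {
		return cfg.SiteURL
	}
	for _, entry := range cfg.AllowList {
		allowed, err := url.Parse(entry)
		if err == nil && hostKey(allowed) == hostKey(target) && pathAllowed(allowed.Path, target.Path) {
			return redirectTo
		}
	}
	return cfg.SiteURL
}

func main() {
	cfg := RedirectConfig{SiteURL: "http://127.0.0.1:3000/auth/login", AllowList: []string{"http://127.0.0.1:3000/**"}}
	fmt.Println(ResolveRedirect(cfg, "http://localhost:3000/confirm")) // host differs: site URL
	fmt.Println(ResolveRedirect(cfg, "http://127.0.0.1:3000/confirm")) // permitted as given
}
```

Relative paths and non-http schemes fall back to the site URL as well, so a caller can never steer the verify link outside the configured set.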