supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

auth.email.double_confirm_changes not working #1820

Open maximilian-hammerl opened 4 weeks ago

maximilian-hammerl commented 4 weeks ago

Describe the bug

The auth.email.double_confirm_changes configuration option (https://supabase.com/docs/guides/local-development/cli/config#auth.email.double_confirm_changes) in the config.toml does not seem to work.

To Reproduce

Repository: https://github.com/maximilian-hammerl/supabase-change-email-address-example

After starting both Supabase (npm run start, and optionally npm run serve) and the frontend (npm install and npm run dev), open http://localhost:5173/

Then:

  1. On the first screen, click on "Register and login" (e-mail address and password are randomly generated)
  2. On the second screen, request the change e-mail address links
  3. On the third screen, click on either of the two links, then on "Reload user and display current e-mail address", and check that the current e-mail address has now changed to the requested e-mail address, although you only clicked on one of the two links

Expected behavior

The e-mail address of the user should only change after the user clicked on both links, not just one of them.

System information

        SERVICE IMAGE      │      LOCAL       │ LINKED
  ─────────────────────────┼──────────────────┼─────────
    supabase/postgres      │ 15.1.1.78        │ -
    supabase/gotrue        │ v2.158.1         │ -
    postgrest/postgrest    │ v12.2.0          │ -
    supabase/realtime      │ v2.30.34         │ -
    supabase/storage-api   │ v1.11.13         │ -
    supabase/edge-runtime  │ v1.59.0          │ -
    supabase/studio        │ 20241014-c083b3b │ -
    supabase/postgres-meta │ v0.84.2          │ -
    supabase/logflare      │ 1.4.0            │ -
    supabase/supavisor     │ 1.1.56           │ -

Additional context
We also contacted the Supabase support regarding this issue (Support ticket ID: 15644055709), because we first assumed that it was not a bug, but an issue on our side, but received two less than helpful answers (telling us to use updateUser to change the e-mail address of the user, completely disregarding that we want the user to confirm the e-mail address change, as well as forgetting and repeatedly asking where we set the double_confirm_changes configuration option).

maximilian-hammerl commented 4 weeks ago

I created a test Supabase instance with project ID djigzxpjteusflninqtt, enabled "secure email change" and I am still able to reproduce this issue.

This bug seems to affect a locally running as well as a hosted Supabase instance.

avallete commented 3 weeks ago

Hey there! Thanks for reporting and taking the time to make a MRE, that's very helpful!

Seems like this might be a bug with the generateLink used to generate the mail links. After some testing, the bug doesn't happen if you just "updateUser" and change its email. In such a case, both addresses of the user receive an email, and both links need to be clicked to confirm the change.

I've pinged our auth team to have a look at it. I'm transferring the issue over the appropriate repo.
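A scripted version of the three reproduction steps from the report, covering the generateLink path the reporter uses and the invariant avallete describes (both links must be used before the address changes). This is an added example, not code from the linked example repository or from Supabase. It assumes a local `supabase start` stack (API on http://localhost:54321, the local anon and service_role keys exported as `SUPABASE_ANON_KEY` / `SUPABASE_SERVICE_ROLE_KEY`) with `double_confirm_changes = true` under `[auth.email]` in `supabase/config.toml`; the e-mail addresses and the `doubleConfirmHolds` helper are constructed for the example.

```javascript
// Reproduction harness for the double_confirm_changes report (added example,
// not part of the reporter's repo or of Supabase). Assumed local setup:
//   supabase/config.toml:
//     [auth.email]
//     double_confirm_changes = true
//   env: SUPABASE_URL (optional), SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY
const SUPABASE_URL = process.env.SUPABASE_URL ?? 'http://localhost:54321';

// The property under test. With double confirmation on, the account's e-mail
// must stay at `emailBefore` until BOTH links (current address + new address)
// have been used; only then may it equal `requestedEmail`. `user` is the user
// record as returned by the Auth API, `clicks` the number of links used so far.
function doubleConfirmHolds(emailBefore, requestedEmail, user, clicks) {
  if (clicks < 2) {
    return user.email === emailBefore;
  }
  return user.email === requestedEmail;
}

// Runs the reporter's three steps against a live instance; returns true when
// the invariant held after clicking only one of the two links.
async function reproduce() {
  // Lazy imports so the file loads without the client installed.
  const { createClient } = await import('@supabase/supabase-js');
  const { randomBytes } = await import('node:crypto');

  const anon = createClient(SUPABASE_URL, process.env.SUPABASE_ANON_KEY);
  const admin = createClient(SUPABASE_URL, process.env.SUPABASE_SERVICE_ROLE_KEY, {
    auth: { autoRefreshToken: false, persistSession: false },
  });

  // Constructed test identities (throwaway, unique per run).
  const tag = Date.now();
  const oldEmail = `old-${tag}@example.com`;
  const newEmail = `new-${tag}@example.com`;
  const password = randomBytes(16).toString('hex');

  // Step 1: register (with enable_confirmations off this also signs in).
  const { data: signUp, error: signUpErr } = await anon.auth.signUp({ email: oldEmail, password });
  if (signUpErr) throw signUpErr;
  const userId = signUp.user.id;

  // Step 2: request both halves of the change via the admin generateLink API,
  // the path the report uses. (avallete observes updateUser({ email }) does
  // not show the bug; swap this loop for that call to compare.)
  const links = [];
  for (const type of ['email_change_current', 'email_change_new']) {
    const { data, error } = await admin.auth.admin.generateLink({ type, email: oldEmail, newEmail });
    if (error) throw error;
    links.push({ type, tokenHash: data.properties.hashed_token });
  }

  // Step 3: use only ONE of the two links (the current-address one).
  const { error: verifyErr } = await anon.auth.verifyOtp({
    token_hash: links[0].tokenHash,
    type: 'email_change',
  });
  if (verifyErr) throw verifyErr;

  // "Reload user": read the record back with the service role, not the session.
  const { data: after, error: getErr } = await admin.auth.admin.getUserById(userId);
  if (getErr) throw getErr;

  const holds = doubleConfirmHolds(oldEmail, newEmail, after.user, 1);
  console.log(holds
    ? `OK: e-mail still ${after.user.email} after one link`
    : `BUG: e-mail already ${after.user.email} after one link (expected ${oldEmail})`);
  return holds;
}

// Only hit the network when a service-role key is configured.
if (process.env.SUPABASE_SERVICE_ROLE_KEY) {
  reproduce().catch((err) => { console.error(err); process.exitCode = 1; });
}
```

Run it with `node repro.js` after `supabase start`; a `BUG:` line is the behaviour the issue describes, `OK:` means the change is still pending after a single link. Using `admin.getUserById` for the reload avoids confusing a stale client session with the server-side state.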

maximilian-hammerl commented 2 weeks ago

Hi, what is the status of this issue? Are you already working on it?