Open Mr-Pepe opened 1 week ago
The `#access_token...` is part of the implicit auth flow and should be automatically parsed by the supabase client - assuming there's a supabase client running on your `/#/settings` page.
Having said that, I've never tried it when it's preceded by a dev's query param, but I assume it ought to still work.
> assuming there's a supabase client running on your /#/settings page.
Yes, there is.
I am not sure whether the access_token gets parsed correctly, because accessing `client.auth.currentUser?.email` still yields the old email address. I'd expect it to be the new email.
The first redirect link completely dropping the path (`#/settings`) looks like a clear bug to me in any case.
Can you provide the Redirect URLs you have set, as well as your Site URL?
Authentication is not live yet, due to the issues I have faced with Supabase Auth. I can try to stitch together a minimal example though.
Here you go.
flutter create supabase_auth
flutter pub add supabase_flutter
flutter pub add go_router
Paste the following into main.dart
```dart
import 'package:flutter/material.dart';
import 'package:go_router/go_router.dart';
import 'package:supabase_flutter/supabase_flutter.dart';

final _router = GoRouter(
  routes: [
    GoRoute(
      path: '/',
      builder: (context, state) => const HomePage(),
    ),
    GoRoute(
      path: "/settings",
      builder: (context, state) => const SettingsPage(),
    )
  ],
);

final supabase = Supabase.instance.client;

Future
```
flutter run -d web-server --web-hostname localhost --web-port 8000 --dart-define=SUPABASE_URL=<your-supabase-url> --dart-define=SUPABASE_ANON_KEY=<your-anon-key>
http://localhost:8000
http://localhost:8000/?code=a6eb8fb0-3bcd-4ba8-9756-8ce3f3f1a8f8#/settings (already weird URL formatting) -> It says "Logged in as xxx" at the top
Get redirected to http://localhost:8000/#message=Confirmation+link+accepted.+Please+proceed+to+confirm+link+sent+to+the+other+email -> `#/settings` got dropped, leading to the following UI:
http://localhost:8000/#/settings#access_token=eyJhbGci....&expires_at=1719827394&expires_in=3600&refresh_token=G_sLgwu.....&token_type=bearer&type=email_change -> It still says "Logged in as xxx" at the top although the email has changed in auth.users
For extra fun:
_passwordResetController
```dart
const SizedBox(height: 50),
const Text("Reset password"),
TextFormField(
  controller: _passwordResetController,
  decoration: const InputDecoration(label: Text("Email")),
),
const SizedBox(height: 20),
ElevatedButton(
    onPressed: () async {
      await supabase.auth.resetPasswordForEmail(
          _passwordResetController.text.trim(),
          redirectTo: "http://localhost:8000/#/settings");
    },
    child: const Text("Reset password"))
```
http://localhost:8000/?error=access_denied&error_code=403&error_description=Email+link+is+invalid+or+has+expired#error=access_denied&error_code=403&error_description=Email+link+is+invalid+or+has+expired -> This seems similar to step 13 from above, but in addition to dropping the `#/settings` path, it also adds all the parameters twice :man_shrugging:
Not sure if this is "fun" but it certainly seems problematic :D Thanks for the detailed repro guide also, I will work on getting this reproduced and triaged!
Transferring this to the flutter repo as I can reproduce and it seems to be 2 things (which may be Auth bugs):
- `emailRedirectTo` is not respected and redirects seem to default to root domain
- `secure email change` enabled, this is a visible bug that is user facing, without it, it is less obvious
Bug report
Describe the bug
I have a Flutter web app.
Calling `updateUser` with a new email sends two confirmation emails.
Both emails contain a confirmation link ending with `&type=email_change&redirect_to=http://localhost:8000/#/settings?enableUserSignIn`.
However, clicking one of the two links redirects to `http://localhost:8000/#message=Confirmation+link+accepted.+Please+proceed+to+confirm+link+sent+to+the+other+email`.
Clicking the other link (order doesn't seem to matter) redirects to `http://localhost:8000/#/settings?enableUserSignIn#access_token=eyJhbGciblablabla&token_type=bearer&type=email_change` which is also not a valid URL with the hashtag instead of an ampersand.
Expected behavior
Supabase honors the redirect link I provided and adds query parameters correctly.
System information
Additional context
I couldn't find any documentation on how the workflow should be implemented correctly. Not gonna lie, implementing basic user management functionalities with Supabase (Auth) and its Flutter client has been mostly disappointing so far due to stuff like https://github.com/supabase/supabase/issues/27554, https://github.com/supabase/supabase-flutter/issues/937, and https://github.com/supabase/auth/issues/1517.
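The redirect shapes reported in this thread (a `?code=` query placed before the hash route, parameters that make up the whole fragment, and `#access_token=...` appended after the `#/settings` route) can be separated as follows. This is an added example, not code from the thread or from any Supabase client; `splitAuthRedirect`, `AUTH_KEYS` and the placeholder token values are assumptions made for illustration. It also returns a URL with the token parameters stripped, so they do not have to remain in the address bar or browser history.

```javascript
// Added example: hypothetical helper, not supabase-js or supabase_flutter code.
// Keys treated as auth parameters; the list is built from the URLs quoted in the thread.
const AUTH_KEYS = new Set([
  "access_token", "refresh_token", "expires_at", "expires_in",
  "token_type", "type", "code", "message",
  "error", "error_code", "error_description",
]);

// Split a redirect URL into the hash-router route and the auth parameters,
// whether they arrive in the query, as the whole fragment, or after a second '#'.
function splitAuthRedirect(href) {
  const url = new URL(href);
  const auth = {};
  const collect = (params) => {
    for (const [key, value] of params) {
      if (AUTH_KEYS.has(key)) auth[key] = value; // duplicates collapse to one entry
    }
  };

  // Query part: "?code=..." or the duplicated "?error=..." parameters.
  collect(url.searchParams);

  // url.hash is everything after the FIRST '#', so a second '#' stays inside it.
  let route = "";
  for (const piece of url.hash.slice(1).split("#")) {
    if (piece.startsWith("/")) route = piece;      // hash-router path, e.g. /settings
    else collect(new URLSearchParams(piece));      // appended auth parameters
  }

  // Build a URL that keeps the route but carries no tokens or codes.
  for (const key of [...url.searchParams.keys()]) {
    if (AUTH_KEYS.has(key)) url.searchParams.delete(key);
  }
  url.hash = route ? "#" + route : "";
  return { route, auth, cleanUrl: url.toString() };
}

// Constructed sample modelled on the thread's third redirect (token is a placeholder).
const SAMPLE =
  "http://localhost:8000/#/settings#access_token=TOKEN_PLACEHOLDER&token_type=bearer&type=email_change";
console.log(splitAuthRedirect(SAMPLE));
```

In a browser, `cleanUrl` is the value to pass to `history.replaceState` once the session has been established.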