supabase / supabase-js

An isomorphic JavaScript client for Supabase. Query your Supabase database, subscribe to realtime events, upload and download files, browse TypeScript examples, invoke Postgres functions via RPC, invoke Supabase Edge Functions, query pgvector.
https://supabase.com
MIT License
3.18k stars 255 forks

Unable to Log in with New Email After Email Update Confirmation in Supabase #1278

Closed araera111 closed 2 hours ago

araera111 commented 2 hours ago

Bug report

Describe the bug

After updating the user's email using supabase.auth.updateUser, the email confirmation is sent to both the old and new email addresses. However, after confirming the new email and attempting to log in with it, login fails. Checking the database reveals that the auth.users table still shows the old email, and the email_change field is populated with the new email. This inconsistency prevents logging in with the new email.

To Reproduce

Steps to reproduce the behavior:

  1. Clone the public repository from GitHub (supabase-login-change-email).
  2. Modify src/supabase.ts with your own Supabase URL and token.
  3. pnpm dev -> access http://localhost:3000
  4. Sign up using the "Sign Up" button (toSignUp).
  5. Confirm the sign-up link sent to your email and log in.
  6. Confirm you see "This is Authenticated area."
  7. In the authenticated area, use the form at the bottom to enter a new email address and submit.
  8. Confirmation links are sent to both the old and new email addresses.
  9. Click the confirmation link for the new email (it redirects to http://localhost:3000).
  10. Log out and attempt to log in with the new email.
  11. Login fails with the new email but works with the old one.

Expected behavior

After confirming the new email address, I expected to be able to log in with the new email. The auth.users table should update the email field with the new email, and the session should reflect this as well.

System information

Additional context

Upon checking the auth.users table, the email field remains as the old email, while the email_change field holds the new email. The session information also reflects this, preventing login with the new email address.

araera111 commented 2 hours ago

I found that this was not a bug but a result of configuration in the project settings.

Steps to resolve:

  1. Click the confirmation link sent to the old email.
  2. Then, click the confirmation link sent to the new email.
  3. This successfully updates the email. Additionally, to send the confirmation link only to the new email address, you need to disable Secure email change in the project's email authentication provider settings.

Closing this issue. Sorry.
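The state described in this thread (old address still in `email`, new address parked in `email_change`) can be detected on the client so the UI can tell the user that a second confirmation link is still outstanding. The following is an added example, not code from the issue or from supabase-js: `emailChangeStatus` is a hypothetical helper, the sample user objects are constructed, and it assumes the user object returned by `supabase.auth.getUser()` exposes the pending address as `new_email` and drops that field once the change completes.

```javascript
// Added example: classify an email change from the user object that
// supabase.auth.getUser() returns. Sample data below is constructed.

// Compare addresses case-insensitively and ignore stray whitespace.
const normalize = (addr) => (addr || "").trim().toLowerCase();

// Hypothetical helper. `user.email` is the address that can log in right now;
// `user.new_email` (assumed client-side name of auth.users.email_change) is
// the address still waiting for confirmation.
function emailChangeStatus(user, requestedEmail) {
  const current = normalize(user.email);
  const pending = normalize(user.new_email);
  const wanted = normalize(requestedEmail);

  if (wanted === "") {
    return { state: "invalid_request", loginEmail: user.email };
  }
  if (current === wanted && pending === "") {
    // Both sides are settled: the new address is now the login address.
    return { state: "completed", loginEmail: user.email };
  }
  if (pending === wanted) {
    // With Secure email change enabled, the change stays parked here until
    // the links sent to BOTH the old and the new address have been clicked.
    return { state: "pending_confirmation", loginEmail: user.email };
  }
  // No change to this address is recorded on the account.
  return { state: "not_requested", loginEmail: user.email };
}

// Constructed sample: only one of the two links has been clicked.
const halfConfirmed = { email: "old@example.com", new_email: "new@example.com" };
// Constructed sample: both links clicked, the pending field is gone.
const fullyConfirmed = { email: "new@example.com" };

console.log(emailChangeStatus(halfConfirmed, "New@Example.com"));
console.log(emailChangeStatus(fullyConfirmed, "new@example.com"));
```

While the result is `pending_confirmation`, sign-in must still use `loginEmail`, which matches the behavior reported in step 11 above.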