supabase / supabase-js

An isomorphic Javascript client for Supabase. Query your Supabase database, subscribe to realtime events, upload and download files, browse typescript examples, invoke postgres functions via rpc, invoke supabase edge functions, query pgvector.
https://supabase.com
MIT License

When I send magic link to user from API and they click it, I get: 401: invalid claim: missing sub claim #946

Closed jvgeee closed 4 months ago

jvgeee commented 4 months ago

Bug report

Describe the bug

I'm running a NextJS server to sell products. When my user buys a product with Stripe, I have a webhook which receives the payment info and client info (email + name).

I want to sign the user up and send them a magic link after they make a purchase. From what I can see, this has to happen from within my webhook code.

I'm doing:

  // server-side client created inside the Stripe webhook handler
  const supabase = new SupabaseClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL,
    process.env.SUPABASE_SERVICE_ROLE_KEY
  );

  await supabase.auth.signInWithOtp({
    email,
    options: {
      shouldCreateUser: true,
      emailRedirectTo: redirectURL,
    },
  });

This works fine and the link successfully goes to the user's email. HOWEVER, when the user clicks the link, my callback handler does:

const requestUrl = new URL(request.url);
const code = requestUrl.searchParams.get("code");

there is NO code sent from Supabase, it's null. When I sign up a user from the client side of the website then the code works fine.

I also see this error in my supabase logs: {"component":"api","error":"401: invalid claim: missing sub claim","level":"info","method":"GET","msg":"401: invalid claim: missing sub claim","path":"/user","referer":"http://localhost:3000/","remote_addr":"XXX","time":"2024-01-12T00:54:59Z","timestamp":"2024-01-12T00:54:59Z"}

jvgeee commented 4 months ago

Solving this myself cos it's really hard to find documentation anywhere on this:

The issue is that when you sign someone up/in with passwordless, it creates a code-challenge on the browser they signed up from. This is matched to the code answer the magic link provides.

So it seems like you simply can't sign up a user from your server / API with a magic link and log them in on their own device.

0xmax commented 3 months ago

wait so this functionality is essentially broken?