supabase / supabase-js

An isomorphic JavaScript client for Supabase. Query your Supabase database, subscribe to realtime events, upload and download files, browse TypeScript examples, invoke Postgres functions via RPC, invoke Supabase Edge Functions, query pgvector.
https://supabase.com
MIT License
2.86k stars, 220 forks

Error on exchangeCodeForSession when setting the token key for password recovery #950

Open JuanxCursed opened 3 months ago

JuanxCursed commented 3 months ago

Bug report

Describe the bug

I was trying to work on a more detailed workflow for recovering the password, and when I was taking a look at the source code, I found a possible bug.

When the recovery token is recorded into the storage, the key stored is sb-api-auth-token-code-verifier, but when the code tries to exchangeCodeForSession at line 545, it uses ${this.storageKey}-code-verifier. this.storageKey is a constant set in constants.ts named STORAGE_KEY, and its value is supabase.auth.token.

Due to this, when exchangeCodeForSession is executed, since it doesn't find the code-verifier, I receive this error:

AuthApiError: invalid request: both auth code and code verifier should be non-empty

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Send an email password reset link
  2. Check the storage key created
  3. Click on the reset link
  4. When redirected to your site with the code query string, try to execute exchangeCodeForSession with this value
  5. See the error in the console

Expected behavior

Recover the session to reset the password properly

System information
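The key mismatch described in this report can be checked without reading the verifier value itself. The following is an added example, not code from the report or from supabase-js: `MemoryStorage` and `diagnoseVerifierKey` are hypothetical names, the storage is an in-memory stand-in for the browser's Web Storage API, and the stored value is constructed.

```javascript
// Added example; MemoryStorage and diagnoseVerifierKey are hypothetical helpers,
// not part of supabase-js.
const VERIFIER_SUFFIX = '-code-verifier';

// Minimal in-memory stand-in for the Web Storage API (localStorage).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// Compare the key the exchange step would read (`${storageKey}-code-verifier`)
// with the verifier keys actually present. Only key names are reported;
// the verifier is a secret and is never returned or logged.
function diagnoseVerifierKey(storage, storageKey) {
  const expectedKey = `${storageKey}${VERIFIER_SUFFIX}`;
  const verifierKeys = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.endsWith(VERIFIER_SUFFIX)) verifierKeys.push(k);
  }
  const value = storage.getItem(expectedKey);
  const found = typeof value === 'string' && value.length > 0;
  return {
    expectedKey,
    found,
    strayKeys: verifierKeys.filter((k) => k !== expectedKey),
    // A verifier exists, but not under the key that will be read:
    // the condition the report describes.
    mismatch: !found && verifierKeys.length > 0,
  };
}

// Constructed sample: the key names are the two quoted in the report;
// the stored value is made up.
const storage = new MemoryStorage();
storage.setItem('sb-api-auth-token-code-verifier', 'constructed-verifier-value');

const broken = diagnoseVerifierKey(storage, 'supabase.auth.token');
const consistent = diagnoseVerifierKey(storage, 'sb-api-auth-token');
console.log(broken, consistent);
```

In a browser, passing `window.localStorage` in place of the stand-in gives the same report for the real storage contents.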

Lenninlasd commented 1 month ago

Same bug here, I got this error message:

AuthApiError: invalid request: both auth code and code verifier should be non-empty
    at handleError (/Users/.../node_modules/@supabase/auth-js/dist/main/lib/fetch.js:63:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async _handleRequest (/Users/.../node_modules/@supabase/auth-js/dist/main/lib/fetch.js:111:9)
    at async _request (/Users/.../node_modules/@supabase/auth-js/dist/main/lib/fetch.js:89:18)
    at async SupabaseAuthClient._exchangeCodeForSession (/Users/.../node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:409:33)
    at async /Users.../node_modules/@supabase/auth-js/dist/main/GoTrueClient.js:736:28 {
  __isAuthError: true,
  status: 400,
  code: undefined