auth-helpers
New user confirmation is broken
Bug report
- [x] I confirm this is a bug with Supabase, not with my own application.
- [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
There are several, potentially interconnected issues at play here:
- The emailRedirectTo field for a new user sign-up is always ignored for the new user sign-up confirmation email. It always redirects to whatever is the default in URL Confirmation settings.
- When I initiate a new user sign-up, the user is confirmed as soon as the confirmation email is sent to the person (before they even click the link).
- When I confirm a user with my own code, I get the (screenshot 1) sequence of logs, and with the Supabase example I get the (screenshot 2) logs. The difference is that with mine I get the 401 missing sub claim error: ({"component":"api","error":"401: invalid claim: missing sub claim","level":"info","method":"GET","msg":"401: invalid claim: missing sub claim","path":"/user","referer":"https://ostira.com/auth/verify","remote_addr":"157.245.130.122","time":"2024-01-04T20:58:28Z","timestamp":"2024-01-04T20:58:28Z"}), whereas with the example application I don't. However, the result of 401 Email link is invalid or has expired is still the same (the error is triggered when the exchangeCodeForSession call is made in both scenarios), which suggests that the 401 missing sub claim error may not have to do with the 401 email link is invalid or has expired error: {"component":"api","error":"Confirmation Token not found","level":"info","method":"GET","msg":"401: Email link is invalid or has expired","path":"/verify","referer":"http://localhost:3000/auth/callback","remote_addr":"108.30.150.98","time":"2024-01-04T21:01:09Z","timestamp":"2024-01-04T21:01:09Z"}
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
- Put this URL to the nextjs supabase example repo into https://download-directory.github.io/ to download it locally.
- Change the name of .env.example to just .env and add your credentials
- Run the application locally (npm run dev)
- Sign up
- Open the auth logs and see if you're getting the same errors as me when you click the link
Expected behavior
There should be no errors; exchangeCodeForSession should return a valid session.
Screenshots
Screenshot 1
Screenshot 2
System information
- OS: macOS
- Browser: Brave
- Version of supabase-js: ^2.39.1 (my application), ^2.33.1 example application
- Version of Node.js: v20.8.0 (both)
Additional context
In both my app and the example, the supabase/ssr auth library is being used. Something I did notice is that supabase-ssr is dependent on supabase-js version ^2.33.1, not the latest version my application is running, ^2.39.1 (well, now ^2.39.2, but basically the same).