
Fix Broken Email Links Behind Proxy

Open nickmitchko opened this issue 9 months ago • 11 comments

What kind of change does this PR introduce?

Fixes #1228

What is the current behavior?

supabase/auth behind a proxy with incorrect or internal-external X-Forwarded headers causes incorrect email account links

What is the new behavior?

  • Adds new environment variable API_FORCE_EXTERNAL_URL=[true | false] to force the API_EXTERNAL_URL to remain unchanged. This new variable is turned off by default. Users reliant on the current (slightly broken) behavior have no changes.

Additional context

Total lines changed: 3

nickmitchko avatar May 05 '24 02:05 nickmitchko

hello👋? Anyone....

nickmitchko avatar May 20 '24 14:05 nickmitchko

@hf Do you know why this PR hasn't been reviewed / merged yet? I believe this makes the changes as you proposed in the open issue by adding a new config variable. What can be done to complete this?

Obeyed avatar May 23 '24 07:05 Obeyed

@kangmingtay not sure who to ping on this. Are you perhaps able to assist on this PR? Any input / review would be great.

I believe the solution here is what hf proposed on the original issue: https://github.com/supabase/auth/issues/1228#issuecomment-1865912389

Obeyed avatar May 29 '24 09:05 Obeyed

Any news on this?

tonven avatar May 29 '24 11:05 tonven

Re: all interested, I'll continue to merge and keep up to date my feature repo based on main until it comes upstream to this repo.

Update: CI in my repo is running and follows the releases here to https://hub.docker.com/repository/docker/nickmitchko/gotrue/tags

If you need an SBOM, please build your own image.

nickmitchko avatar May 29 '24 11:05 nickmitchko

Hi, anyone from the supabase team here? Is there a reason why this important fix is not merged? Thanks

mariopepe avatar Jun 09 '24 14:06 mariopepe

@nickmitchko thanks for contributing to fix this issue - the team is quite tight on bandwidth right now so we'll need some time to review this

at first glance, i don't think we want to introduce a new config this way just to override the issue with the domain being set incorrectly by an external proxy service like kong

my initial thoughts on this would be to expose a config option specifically for the external url to be used in emails - similar to what we did recently for the SAML metadata (https://github.com/supabase/auth/pull/1599)

kangmingtay avatar Jun 11 '24 05:06 kangmingtay

@kangmingtay Not the OP of this PR, but do want to point out that this PR aims to fix Supabase Auth's broken behavior introduced in version 2.67.1. When following Supabase's self-hosting documentation and code, the end result is simply broken, since version 2.67.1. As far as everyone in this issue (myself included) understands it, it's Supabase's own self-hosting setup / code that is broken, as that is what is being followed and used. If we're all mistaken about that, please spare a couple of minutes to let all of us in that issue know (or in the documentation) what you mean exactly by domains being set incorrectly* and/or how we should be reading the Supabase documentation / code / env files. Clearly, there are a lot of people running into this issue, and have been for 10 months.

* Keeping in mind that in many setups, services should not use external URLs for other services

rmvh avatar Jun 13 '24 11:06 rmvh

@kangmingtay I use a self-hosted version of gotrue. I have nginx that serves my React client on domain.com, and it also redirects all requests from domain.com/api/auth to gotrue. When I specify API_EXTERNAL_URL like this:

API_EXTERNAL_URL=http://domain.com/api/auth/

only http://domain.com is used in the email; the route is trimmed. This essentially prevents me from using emails for auth handling, i.e. the core functionality of gotrue is essentially broken.

Mykyta-Chernenko avatar Jul 24 '24 13:07 Mykyta-Chernenko
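An added Go sketch (not code from this PR or from supabase/auth) of the choice discussed in this thread: building email links from proxy-supplied X-Forwarded headers versus pinning them to API_EXTERNAL_URL. `Config`, `LinkBase`, `RecoveryLink`, `Demo`, the `/verify` path, the token and the host `kong.internal:8000` are constructed assumptions, and the unforced branch is only a simplified model of the symptoms reported above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Config is a hypothetical holder for the two settings named in this thread.
type Config struct {
	ExternalURL      *url.URL // API_EXTERNAL_URL
	ForceExternalURL bool     // API_FORCE_EXTERNAL_URL (proposed, off by default)
}

// LinkBase picks the base URL for links placed in outgoing emails.
func LinkBase(cfg Config, h http.Header) url.URL {
	host := h.Get("X-Forwarded-Host")
	if cfg.ForceExternalURL || host == "" {
		return *cfg.ExternalURL // configured URL used as-is, headers ignored
	}
	// Assumed model of the reports: proxy headers win, configured path is lost.
	proto := h.Get("X-Forwarded-Proto")
	if proto == "" {
		proto = cfg.ExternalURL.Scheme
	}
	return url.URL{Scheme: proto, Host: host}
}

// RecoveryLink appends a mailer path to the base, keeping any path prefix.
func RecoveryLink(base url.URL, path, token string) string {
	base.Path = strings.TrimRight(base.Path, "/") + "/" + strings.TrimLeft(path, "/")
	base.RawQuery = url.Values{"token": {token}}.Encode()
	return base.String()
}

// Demo builds one link for a constructed request header set.
func Demo(external string, force bool, fwdHost string) string {
	u, err := url.Parse(external)
	if err != nil {
		return ""
	}
	h := http.Header{"X-Forwarded-Host": {fwdHost}}
	return RecoveryLink(LinkBase(Config{ExternalURL: u, ForceExternalURL: force}, h), "/verify", "constructed-token")
}

func main() {
	fmt.Println(Demo("http://domain.com/api/auth/", false, "kong.internal:8000"))
	fmt.Println(Demo("http://domain.com/api/auth/", true, "kong.internal:8000"))
}
```

With the flag off, the emailed link follows whatever host the proxy forwarded; with it on, the link keeps both the configured host and the `/api/auth` prefix.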

@kangmingtay Can we please get a resolution on this? @nickmitchko has offered an elegant 3 lines change solution.

Thanks

Edit: For anyone else struggling with this who doesn't want to build an outdated image: MAILER_URLPATHS_RECOVERY="/auth/v1/verify" changing this in your .env to an absolute URL is a workaround.

Edit2: ~~Another solution might be to go to https://studio.mywebsite.com/project/default/auth/templates (yes that's a hidden URL that doesn't appear on the left bar) and edit the text.~~

y4my4my4m avatar Jul 25 '24 10:07 y4my4my4m

> @kangmingtay Can we please get a resolution on this? @nickmitchko has offered an elegant 3 lines change solution.
>
> Thanks
>
> Edit: For anyone else struggling with this who doesn't want to build an outdated image: MAILER_URLPATHS_RECOVERY="/auth/v1/verify" changing this in your .env to an absolute URL is a workaround.
>
> Edit2: Another solution might be to go to https://studio.mywebsite.com/project/default/auth/templates (yes that's a hidden URL that doesn't appear on the left bar) and edit the text.

@y4my4my4m Thank you bro, this issue beat me so hard. Changing the MAILER_ in .env works

dshongphuc avatar Aug 09 '24 03:08 dshongphuc