
auth.admin.generateLink does not return proper redirectTo

Open apertureless opened this issue 1 year ago • 9 comments

Bug report

Describe the bug

I am using auth.admin.generateLink with type magiclink in an edge function and passing the redirectTo param. However, the generated link does not respect the provided redirectTo param and returns the site url.

To Reproduce

const { data: linkData, error: linkError } =
  await supabaseClient.auth.admin.generateLink({
    type: "magiclink",
    email: email,
    options: {
      data: {
        orga: orga_id,
      },
      redirectTo: "http://localhost:3000/confirm",
    },
  });

After triggering the edge function locally this is the response:

[Info] [Generated link: ] http://127.0.0.1:54321/auth/v1/verify?token=9cdd921dc47c0e1b136f3659e6926f45697209047abc95d7964efb67&type=magiclink&redirect_to=http://127.0.0.1:3000/auth/login

[Info] [Generated linkdata: ] {
  action_link: "http://127.0.0.1:54321/auth/v1/verify?token=9cdd921dc47c0e1b136f3659e6926f45697209047abc95d7964efb67"... 60 more characters,
  email_otp: "275123",
  hashed_token: "9cdd921dc47c0e1b136f3659e6926f45697209047abc95d7964efb67",
  redirect_to: "http://127.0.0.1:3000/auth/login",
  verification_type: "magiclink"
}

Expected behavior

redirect_to should be set to the param provided (http://localhost:3000/confirm) instead of http://127.0.0.1:3000/auth/login

Aug 22 '24 08:08 apertureless

Hi there,

thanks for opening. I believe there have been a few reports of this so I will move this to the Auth repo for the team to respond.

Aug 23 '24 07:08 encima

Well, I could pinpoint my issue here. It has to do with the undocumented fact that the redirect_url has to be from the same host / site? https://github.com/supabase/auth/blob/master/internal/utilities/request.go#L91

If I change the redirectTo param in my example to http://127.0.0.1/confirm it works.

However, I am not sure how I feel about this, because in my case I will run the auth.admin.generateLink in an edge function which will be triggered from app-a and should generate a magic-link and redirect to app-b but this does not seem to be possible, right?

Aug 23 '24 12:08 apertureless

@apertureless have you verified that you've added the redirect url to the allow list: https://supabase.com/docs/guides/auth/redirect-urls?

Aug 23 '24 19:08 kangmingtay

I've added localhost and 127.0.0.1 to the config

Aug 26 '24 06:08 apertureless

@encima running into that issue, any workarounds please?

Jan 29 '25 00:01 gdaybrice

@blechatellier can you confirm the library version you are running?

Jan 29 '25 06:01 encima

@encima figured out the issue, auth sets the cookie on localhost but gotrue redirects to 127.0.0.1 and no way to change this in the settings I believe.

Jan 29 '25 06:01 gdaybrice

I am facing this as well. auth.admin.generateLink does not respect the set redirect URL, always redirects back to the site URL.

Any workarounds until this is fixed?

Feb 28 '25 14:02 joshdance

Please check whether you have inserted the redirect URL into the permitted list as mentioned here. https://supabase.com/docs/guides/auth/redirect-urls#use-wildcards-in-redirect-urls You can use wildcards to add your URL to the list.

I assume you only add your host to the list like: http://127.0.0.1

Instead, you should do: http://127.0.0.1:3000/confirm or http://127.0.0.1:3000/* or http://127.0.0.1:3000/**

Jul 14 '25 10:07 risaruno
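
The redirect check discussed in this thread (same host as the site URL, otherwise an allow-list match, otherwise fall back to the site URL), as an added example that is not part of the original posts and is not Supabase's own code. It is a simplified model: `globToRegExp`, `resolveRedirect` and `SITE_URL` are hypothetical names, the site URL is a constructed value, and the wildcard rules (`*` stops at `.` and `/`, `**` matches anything) are assumed from the redirect-URLs guide linked above.

```javascript
// Added example: simplified model of a redirect allow-list check.
// Assumption: "*" matches any run of characters except "." and "/",
// "**" matches any run of characters. Other glob syntax is not modelled.
function globToRegExp(pattern) {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] === "*") {
      if (pattern[i + 1] === "*") {
        re += ".*"; // "**": crosses separators
        i++;
      } else {
        re += "[^./]*"; // "*": stays within one host label or path segment
      }
    } else {
      // Escape regex metacharacters so the rest of the pattern is literal.
      re += pattern[i].replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    }
  }
  // The pattern must match the whole URL, not a prefix of it.
  return new RegExp("^" + re + "$");
}

// Returns the URL the user would be sent to after verification.
function resolveRedirect(siteUrl, allowList, redirectTo) {
  let target;
  try {
    target = new URL(redirectTo);
  } catch {
    return siteUrl; // unparsable redirect: fall back to the site URL
  }
  // Same hostname as the site URL is accepted without an allow-list entry.
  if (target.hostname === new URL(siteUrl).hostname) return redirectTo;
  // Otherwise the full URL has to match one allow-list pattern.
  const allowed = allowList.some((p) => globToRegExp(p).test(redirectTo));
  return allowed ? redirectTo : siteUrl; // the fallback blocks open redirects
}

// Constructed local configuration for the cases from the thread.
const SITE_URL = "http://127.0.0.1:3000";
const wanted = "http://localhost:3000/confirm";

console.log(resolveRedirect(SITE_URL, ["http://localhost"], wanted));
console.log(resolveRedirect(SITE_URL, ["http://localhost:3000/**"], wanted));
console.log(resolveRedirect(SITE_URL, [], "http://127.0.0.1/confirm"));
```

A host-only entry such as `http://localhost` never matches a URL that carries a port and path, and `localhost` and `127.0.0.1` are different hostnames, so the first call falls back to the site URL while the other two keep the requested redirect.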