
PASSWORD_RECOVERY event onAuthStateChange is never emitted

Open spaansba opened this issue 10 months ago • 2 comments

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

onAuthStateChange() should emit a PASSWORD_RECOVERY event, like it states in the docs:

A SIGNED_IN and PASSWORD_RECOVERY event will be emitted when the password recovery link is clicked. You can use onAuthStateChange() to listen and invoke a callback function on these events.

Currently it only emits a SIGNED_IN event, which makes it very hard to create a correct password recovery system.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

Repo https://github.com/spaansba/Toaster

  1. Create an account
  2. Go to the auth screen > email > forgot password? and enter your mail to receive the standard password recovery email from Supabase.
  3. Click on the link in your mail to recover your password
  4. Only a SIGNED_IN event will now be logged in the onAuthStateChange() in my global AuthProvider.

Expected behavior

Not only should there be a SIGNED_IN event, there should also be a PASSWORD_RECOVERY event. (To be fair, I think there should only be a PASSWORD_RECOVERY event, but this is what the docs state.)

System information

  • Expo react native app
  • Apple iPhone 14
  • Version of supabase-js: latest

spaansba, Feb 23 '25 15:02

On a side note: this issue should be transferred to the auth-js repo.

I've created a PR that fixes the JavaScript docs, saying that two events are fired (SIGNED_IN and PASSWORD_RECOVERY). This is no longer the case after PR https://github.com/supabase/auth-js/pull/629

j4w8n, Feb 23 '25 18:02

Furthermore, as I finally realized on this Discord thread, the password recovery flow is different for the likes of React Native and Expo, per docs. This flow prevents the PASSWORD_RECOVERY event from firing in these cases.

I'm not sure how or if the team wants to address this, but I mention one option in this Discord comment: to add a second parameter to setSession() that accepts a string (e.g. 'recovery'), which the dev would get from the URL params and which the method would then use to determine what event to fire. This is similar to how things are handled normally, albeit only within auth-js code.

j4w8n, Feb 23 '25 18:02
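An app-side version of the idea in the last comment, as an added example that is not code from this thread or from auth-js: read `type` from the redirect URL before calling `setSession()`, and send a recovery session to the password-reset screen instead of treating it as an ordinary sign-in. Assumptions: the link carries `access_token`, `refresh_token` and `type` (or `error` / `error_description`) in the URL fragment or query; `myapp://` and the `onEvent` hook are hypothetical names.

```javascript
// Added example, not auth-js code. Assumed redirect shape (constructed):
//   myapp://reset#access_token=...&refresh_token=...&type=recovery
function parseParams(part) {
  const out = Object.create(null); // no prototype, so a "__proto__" key is inert
  for (const pair of part.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const val = eq < 0 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(val.replace(/\+/g, ' '));
  }
  return out;
}

function parseAuthRedirect(url) {
  const hashAt = url.indexOf('#');
  const fragment = hashAt < 0 ? '' : url.slice(hashAt + 1);
  const head = hashAt < 0 ? url : url.slice(0, hashAt);
  const queryAt = head.indexOf('?');
  const query = queryAt < 0 ? '' : head.slice(queryAt + 1);
  let p;
  try {
    // Fragment values override query values when both carry a key.
    p = { ...parseParams(query), ...parseParams(fragment) };
  } catch {
    return { ok: false, reason: 'malformed URL' }; // bad percent-encoding
  }
  if (p.error) return { ok: false, reason: p.error_description || p.error };
  if (!p.access_token || !p.refresh_token) return { ok: false, reason: 'missing tokens' };
  return { ok: true, access_token: p.access_token, refresh_token: p.refresh_token,
           isRecovery: p.type === 'recovery' };
}

// `auth` is supabase.auth (or a stub); `onEvent` is the app's own routing hook.
async function handleAuthRedirect(auth, url, onEvent) {
  const parsed = parseAuthRedirect(url);
  if (!parsed.ok) return { event: null, error: parsed.reason };
  const { data, error } = await auth.setSession({
    access_token: parsed.access_token,
    refresh_token: parsed.refresh_token,
  });
  if (error) return { event: null, error: error.message };
  // In this flow only a sign-in is reported, so the event is derived from `type`.
  const event = parsed.isRecovery ? 'PASSWORD_RECOVERY' : 'SIGNED_IN';
  onEvent(event, data.session);
  return { event, error: null };
}
```

The `type` value only decides which screen opens; the session itself is whatever `setSession()` accepts.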