4

The following function fails with error "Auth Session Missing"

const { error } = await supabase.auth.updateUser({
   password: password,
});

After getting the reset password link in my mail, I redirect the user to the '/reset' link. The link I get looks like this:

https://www.example.com/reset#access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6Ik5rK1VQTmlRYk9RZ2xXMUUiLCJ0eXAiOiJKV1QifQ.….AcLI2nO1BbCqCwAgrQ8flIjkvC2kRtKcujfXpqRFVG0&expires_in=3600&refresh_token=rUB74qIa-G3GNh6mpJxWdg&token_type=bearer&type=recovery

But on submitting the new password, I get the error.

I'm using "@supabase/auth-helpers-nextjs" for creating client.

1

3 Answers

2

Supabase now has a new SSR package that avoids this problem by redirecting to an API route in Next.js. You need to use the new SSR package: Package here.

To avoid this problem I use this guide: SSR reset password

I hope it works for you!

2
  • I had this issue while creating a custom reset-password form. From the docs it was not clear to me that the reset-password form needs to be protected and that, before redirecting to this form, I have to first redirect to the route that signs the user in with the given token_hash. I used this as the custom redirect URL in the reset-password email template: <a href="{{ .SiteURL }}/auth/confirm?token_hash={{ .TokenHash }}&type=recovery&next=/auth/reset-password" > I created the confirm route handler component based on this guide: supabase.com/docs/guides/auth/server-side/nextjs
    – vindom
    Apr 2 at 13:45
  • 1
    Yes, but the new package doesn't use the token_hash and uses the code parameter. And I used this approach: supabase.com/docs/guides/auth/server-side/…
    – HEV Pro
    Apr 3 at 15:08
0

It seems that certain providers automatically pre-load the URLs in the email for faster page loading. However, since Supabase reset links are designed for one-time use, this preloading action causes the URLs to expire prematurely, resulting in errors when users attempt to reset their passwords.

A possible solution could be adding captcha verification or just a button that redirects to the URL given by Supabase.
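
The button approach from the answer above, applied to the `/auth/confirm?token_hash=…&type=recovery&next=…` link from the earlier comment, as an added example that is not part of the original answers or Supabase's own code: a GET only renders a confirmation form, and the one-time token is verified on POST. The names `handleConfirm`, `safeNext`, the injected `verifyOtp` wrapper and the `/auth/error` path are assumptions.

```javascript
// Added example, not Supabase's or the answerers' code. Framework-agnostic:
// returns plain {status, headers, body} objects to adapt to a Next.js route handler.
const ORIGIN = "https://www.example.com"; // site origin from the question
const ERROR_PATH = "/auth/error";          // hypothetical error page

// Allow only same-origin relative paths in `next` (no open redirect).
function safeNext(next) {
  if (typeof next !== "string" || !next.startsWith("/")) return "/";
  if (next.startsWith("//") || next.includes("\\")) return "/";
  try {
    return new URL(next, ORIGIN).origin === ORIGIN ? next : "/";
  } catch {
    return "/";
  }
}

// HTML-escape values echoed into the confirmation form.
const esc = (s) => String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// verifyOtp is injected; in a real app it would wrap
// supabase.auth.verifyOtp({ type, token_hash }) on a server-side client.
async function handleConfirm(method, url, form, verifyOtp) {
  if (method === "GET") {
    // Render a button only. The one-time token is not spent, so a mail
    // scanner or link prefetcher fetching this URL cannot expire it.
    const q = new URL(url, ORIGIN).searchParams;
    const fields = ["token_hash", "type", "next"]
      .map((k) => `<input type="hidden" name="${k}" value="${esc(q.get(k) ?? "")}">`)
      .join("");
    return {
      status: 200,
      headers: { "Cache-Control": "no-store", "Referrer-Policy": "no-referrer" },
      body: `<form method="post" action="/auth/confirm">${fields}<button>Reset my password</button></form>`,
    };
  }
  if (method !== "POST") return { status: 405, headers: { Allow: "GET, POST" }, body: "" };
  // POST means the user clicked: spend the token now, then redirect.
  const token_hash = form.get("token_hash");
  if (!token_hash || form.get("type") !== "recovery") {
    return { status: 400, headers: {}, body: "Invalid link" };
  }
  const { error } = await verifyOtp({ type: "recovery", token_hash });
  const location = error ? ERROR_PATH : safeNext(form.get("next"));
  return { status: 303, headers: { Location: location }, body: "" };
}
```

The `Referrer-Policy` and `Cache-Control` headers keep the `token_hash` in the GET URL from leaking through referrers or shared caches while the confirmation page is displayed.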

0

Supabase stores a cookie in the browser when you call

const { error } = await supabase.auth.updateUser({
   password: password,
});

When you open the reset password link from another device or browser, it throws this error because the cookie is missing.
