Password Reset Workflow
Hello - I'm a bit confused/concerned by the password reset workflow that exists in Supabase.
My current understanding of the password reset workflow is that I send the user a Password Reset link, which is really just a magic login link with a redirect to my password reset page.
So now my user is logged in to their account and at the password reset page. However, as far as I can tell, there are no URL parameters or anything passed to the password reset page that tell my page that this user has arrived here via the authenticated magic link. So my question is - how do I know they are actually intending to reset their password?
I only ask this because I'm concerned about the case where a user leaves my webapp logged in on their computer, and a bad actor goes to the password reset link - they could change the user's password to whatever they want, and then gain access on their own?
Is there any way to make the magic link redirect to my password reset page with some sort of access_token or something I can use to verify that the password reset request is legitimate?
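One way to tell the two cases apart, as an added example that is not code from the post or from Supabase: supabase-js fires a PASSWORD_RECOVERY auth event when the session was established from a recovery link, so the reset page can enable its form only after seeing that event in the current tab, and only for a limited time. The fake client and the 10-minute window below are constructed assumptions so the example runs offline.

```javascript
// Gate the reset form on the PASSWORD_RECOVERY auth event rather than on
// "some session exists". A user who merely left the app logged in never
// triggers that event in this tab, so the form stays disabled for them.
const RECOVERY_WINDOW_MS = 10 * 60 * 1000; // assumption: finish within 10 min

function createResetPage(supabase, now = () => Date.now()) {
  let recoveryStartedAt = null; // set only when this tab saw PASSWORD_RECOVERY
  supabase.auth.onAuthStateChange((event) => {
    if (event === 'PASSWORD_RECOVERY') recoveryStartedAt = now();
    if (event === 'SIGNED_OUT') recoveryStartedAt = null;
  });
  // True only inside a fresh recovery window started by the e-mail link.
  function canReset() {
    return recoveryStartedAt !== null && now() - recoveryStartedAt <= RECOVERY_WINDOW_MS;
  }
  async function submitNewPassword(password) {
    if (!canReset()) {
      // Logged-in but no recovery event: refuse and send the user back
      // through resetPasswordForEmail instead of silently changing it.
      return { ok: false, reason: 'no-recovery-event' };
    }
    const { error } = await supabase.auth.updateUser({ password });
    recoveryStartedAt = null; // one-shot: another change needs a fresh link
    return error ? { ok: false, reason: error.message } : { ok: true };
  }
  return { canReset, submitNewPassword };
}

// Constructed stand-in for the supabase-js client so this runs offline;
// it mirrors the onAuthStateChange / updateUser shape used above.
function fakeSupabase() {
  const listeners = [];
  const client = {
    updated: [], // passwords "written" by updateUser
    emit: (event) => listeners.forEach((cb) => cb(event, null)),
    auth: {
      onAuthStateChange: (cb) => {
        listeners.push(cb);
        return { data: { subscription: { unsubscribe() {} } } };
      },
      updateUser: async ({ password }) => {
        client.updated.push(password);
        return { data: {}, error: null };
      },
    },
  };
  return client;
}
```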