Reset password expires too quickly

I have a case where users are resetting their passwords, but when they click the link in the email it's already expired. The settings are all default so I'm thinking maybe their email client is pinging the links before the user which is invalidating the token.

Has anyone experienced this and solved it?

I also remember reading something in the docs a few months back about how you need to use the same browser as you did the reset on, but I can't seem to find any mention of that now.

garyaustin•1/29/25, 11:13 PM

https://supabase.com/docs/guides/auth/auth-email-templates#limitations

For sure if you are using SSR with PKCE you have to be same device/browser.

I'll leave for one of the Auth user gurus to add more if they know.

j4•1/29/25, 11:41 PM

Regarding the same browser: that's the case for the pkce flow because it sets a code verifier that needs to be accessed later on in the reset process.

BearOP•1/29/25, 11:45 PM

Is it possible to disable that? Or use something simpler. The users of this platform are very tech-illiterate and explaing to them it's a security feature has only been met with blank faces because they don't really care.

j4•1/29/25, 11:49 PM

Are you using the ssr library?

BearOP•1/30/25, 12:00 AM

Still on "@supabase/auth-helpers-nextjs", I tried the new package but was facing a lot of issues with it not holding auth sessions and they'd expire without being renewed so figured I'd hold off migrating.

j4•1/30/25, 12:06 AM

Ok. So you have the option of using token_hash. It's in the server-side rendering docs on the site. It's more of a click-based solution, if you think otp is going to be too involved.

BearOP•1/30/25, 12:08 AM

If I change to that, but then look to update to the ssr package later, is that going to be a bit of a rework?

silentworks•1/30/25, 12:08 AM

Just follow the docs here, it's the same process whether you are using ssr or auth-helpers https://supabase.com/docs/guides/auth/passwords?queryGroups=language&language=js&queryGroups=flow&flow=pkce&queryGroups=framework&framework=nextjs#resetting-a-password

BearOP•1/30/25, 12:08 AM

Just thinking if it's not supported in the new package, maybe best to not do it and wait till I eventually migrate to ssr.

BearOP•1/30/25, 12:10 AM

Cheers I'll take a look into it. Thanks for everyone's help!

Reset password expires too quickly

Similar Threads

Similar Threads

Similar Threads