Password reset
Im trying to setup an password reset to my site, but when i did it sent me to localhost:3000, but i found this site, but whatever i put here it doesnt work, currently it displays what shows in the second image. im wondering, how does this all work, and how can i get it to work correctly
83 Replies
The site url is your app's main site. You'll wanna move the full resetpassword url to the redirect section.
so do i put the netlify url there now and the subpage in the
Redirect URLs section?so like this?
I've never tried with netlify, but theoretically yes.
If you're just developing locally right now, then it would need to be http://localhost:port
i use bolt to publish the site, and it auto publishes to netlify
so for testing yes, but later on we will host it out self prob
but when i click the reset link it just takes me here
You have to set a redirectTO option in your reset call.
Redirect URLs | Supabase Docs
Set up redirect urls with Supabase Auth.
Otherwise it always goes to siteUrl.
im very new to this, so i dont know how to do that exactly
So if the link is
https://gorgeous-cheesecake-6f3397.netlify.app/ and the sub page is update-password how would that be setup in thereWhat call are you using for auth... Each has a redirectTo type of option that you pass and that has to match exactly one of your redirectTo URLs in the settings.
Look at the reference for JS client and your auth call.
im making the full site via bolt so im not 100% sure
Not much we can do to help if you don't have the call.
I mean its surely somewhere, i just dont know where exactly
but give me a sec to find it
https://supabase.com/docs/reference/javascript/auth-resetpasswordforemail
For instance is one kind of reset password call.
JavaScript: Send a password reset request | Supabase Docs
Supabase API reference for JavaScript: Send a password reset request
That section of the docs all all the auth calls and shows the redirect option for each.
should be this one
This all depends on if bolt creates single page application (SPA) or server-side rendering (SSR) apps.
How would i know which it did?
Isn't bolt some sort of ai thing? if it is then just ask it.
can try
thats its answer
Yeah so the code you shared above should work
its currently set up like this
https://ezsybaiksalcmhcoqmbn.supabase.co/auth/v1/verify?token=d4dc95b65db4eca90261511a4140393608420087078dd590eac475fa&type=recovery&redirect_to=http://localhost:3000
and thats the link i got on the mail
and going to it take me to this
https://gorgeous-cheesecake-6f3397.netlify.app/#error=access_denied&error_code=otp_expired&error_description=Email+link+is+invalid+or+has+expired
With the
redirectTo set on the .resetPasswordForEmail?this is the full code of that page called UpdatePassword.tsx
bruh it didnt fit
Please answer the question I asked above your message
this is how its set
so it would be
according to bolt
Ok so it has the netlify url harcoded in there and thats the same URL you have in your dashboard
yep
No they have two slashes
Well you did.
Have you tested it since you removed the extra slash in the Redirect URLs?
Can you share how your supabase.ts file looks inside of your
lib directory. You can retract the anon key before sharing it if you wish.import { createClient } from '@supabase/supabase-js';
const supabaseUrl = import.meta.env.VITE_SUPABASE_URL;
const supabaseAnonKey = import.meta.env.VITE_SUPABASE_ANON_KEY;
export const supabase = createClient(supabaseUrl, supabaseAnonKey);
Maybe your email client has link pre-fetching and is visiting the link causing it to expire before you click the actual link.
how could i fix that xd
Email Templates | Supabase Docs
Learn how to manage the email templates in Supabase.
i use gmail so thats prob the case
I hate to suggest something that could destroy where bolt has your app, but OTP signup instead of redirects works in alot more environments.
Plus it is odd that you just got that and not before... Maybe you are running the same email link?
You can only click it once.
I don't have this issue with gmail. Maybe it's something else.
If the project isn't a sensitive one you can probably share the code in a repo and tomorrow I can take a look at it. Otherwise I have a React SPA which works with all these flows that you can test and also look at the code to see how it works https://github.com/silentworks/supabase-by-example/tree/main/react
GitHub
supabase-by-example/react at main · silentworks/supabase-by-example
Contribute to silentworks/supabase-by-example development by creating an account on GitHub.
sure thing, i think we actually have it setup already to upload to github
https://github.com/Ryzz3nn/BlitzForge
its prob not up to date though
i think i need to manually push it
Take your time... silentworks is way past bedtime where he is.
Yep and that's my cue to go bed
GitHub
GitHub - Ryzz3nn/BlitzBoost: Created with StackBlitz ⚡️
Created with StackBlitz ⚡️. Contribute to Ryzz3nn/BlitzBoost development by creating an account on GitHub.
that one is from now
I'm testing this out now
App code work fine for me when testing it with the Supabase CLI, here is a screen recording of it working. I'm going to deploy it to Netlify and see if I get a different result.
I just tested this on Netlify and its working there too. Now I'm not sure what you have wrong in your Supabase dashboard because the application code itself works as expected.
Did you click the link in the email more than once as you were debugging? It can only be used once.
My URL config looks like this too and my
.resetPasswordForEmail code in the ResetPassword.tsx looks like this
@W0idz I just tested it on your domain and it works there for me too. So something off about your email client or you have something installed on your computer that is scanning links in your emails.
Hmm weird, i opened the mail via gmail in my browser so it’s all in the browser
And you click the link or are you copy and pasting it?
Just clicking the link
Which browser are you using and do you have any browser extensions installed?
Brave. Yes but none that should interact in that way, like a volume addon that can adjust volume etc
And the link you got in your email had
http://localhost:3000 in it instead of https://gorgeous-cheesecake-6f3397.netlify.app/update-password?
Because the link I got in the email from your domain is https://ezsybaiksalcmhcoqmbn.supabase.co/auth/v1/verify?token=5c1b7334b187cb781b34aa1286e7e32ecc592e5bca59a121815c6eb4&type=recovery&redirect_to=https://gorgeous-cheesecake-6f3397.netlify.app/update-password which as you can see has the https://gorgeous-cheesecake-6f3397.netlify.app/update-password in it.The second one forwarding to localhost, I can double check once I’m on pc in like 30 minutes
this is the link i get
https://ezsybaiksalcmhcoqmbn.supabase.co/auth/v1/verify?token=10c19e3b88bcb1fe6dda3a7a14dde34cc10cd32793a2eeaf93896538&type=recovery&redirect_to=https://gorgeous-cheesecake-6f3397.netlify.app/update-passwordAnd what happened when you clicked on that link?
it actually took me to the right site now
but i copied it
if i click it directly in the mail it expires though
Likely your email provider is testing the link then when you click it.
If you look in the Dashboard auth logs you will likely see two requests with the 2nd failing.
Gmail most likely checks everything yea
But can’t you change the behavior of the link
Are you using their browser client? If so likely. It may be an option.
That is why one of the first links given was how to deal with that or use OTP 6 digit token.
https://supabase.com/docs/guides/auth/auth-email-templates#limitations
Im using brave and opening the mail via the browser
With gmail's client?
It really does not matter that much though as you won't control your users email setup.
Fair, but yea Gmail is mostly doing something
But it’s when I click the link in the mail
Scanning can occur when the link is clicked, when the mail is opened or even on the server before it gets to your mailbox depending on the setup for various mail services/clients.
So in this case it likely check it when I click it
Sounds like you are getting scanned when you click it. If you can copy and it is still good.
Click-time link protections in third-party email clients - Gmail Help
Because links to malicious websites can be sent in emails, Google adds link protection for all official Gmail clients (web, Android, and iPhone & iPad). Some of these protections are now available
I’ve never run into this issue before though on any other site
The Supabase link I gave shows ways to handle. Some in your app, and alternative of OTP.
Not sure why your gmail would be doing that whilst mine doesn't. I haven't changed any settings in my gmail at all.
Can you test this in a different browser? I'm somehow feeling like Brave is the one pre-scanning the link when you click it.