is this a bug?
I am new to supabase and not entirely certain how things should work. I am researching Supabase Auth and trying to implement a simple signup worflow.
1. Backend system signs up user.
2. Backend system sends a email confirmation link (Magic Link).
3. User confirms the link in the email to complete validation and users can now login in on their own.
4. User enters email via the login page.
5. User checks for Magic Link in the inbox to complete login to the app. However, I found that these two Endponts behave exactly alike. 1. Observed behavior: User is created if no user exists. curl -X POST "$SUPABASE_URL/auth/v1/signup" \ -H "apikey: $SUPABASE_ANON_KEY" \ -H "Content-Type: application/json" \ -d '{ "email": "arvindja01@gmail.com", "options": { "email_redirect_to": "http://localhost:9292/auth/callback" } }' 2. Observed behavior: User is created if no user exists. curl -X POST "$SUPABASE_URL/auth/v1/magiclink" \ -H "apikey: $SUPABASE_ANON_KEY" \ -H "Content-Type: application/json" \ -d '{ "email": "arvindja01@gmail.com", "options": { "shouldCreateUser": false, "emailRedirectTo": "http://localhost:9292/auth/callback" } }' Is there a bug in ("shouldCreateUser": false) ? Expected Behavior (code snippet 2): I believe that the user should not be created. Link: https://supabase.com/docs/guides/auth/auth-email-passwordless
5. User checks for Magic Link in the inbox to complete login to the app. However, I found that these two Endponts behave exactly alike. 1. Observed behavior: User is created if no user exists. curl -X POST "$SUPABASE_URL/auth/v1/signup" \ -H "apikey: $SUPABASE_ANON_KEY" \ -H "Content-Type: application/json" \ -d '{ "email": "arvindja01@gmail.com", "options": { "email_redirect_to": "http://localhost:9292/auth/callback" } }' 2. Observed behavior: User is created if no user exists. curl -X POST "$SUPABASE_URL/auth/v1/magiclink" \ -H "apikey: $SUPABASE_ANON_KEY" \ -H "Content-Type: application/json" \ -d '{ "email": "arvindja01@gmail.com", "options": { "shouldCreateUser": false, "emailRedirectTo": "http://localhost:9292/auth/callback" } }' Is there a bug in ("shouldCreateUser": false) ? Expected Behavior (code snippet 2): I believe that the user should not be created. Link: https://supabase.com/docs/guides/auth/auth-email-passwordless
Passwordless email logins | Supabase Docs
Email logins using Magic Links or One-Time Passwords (OTPs)
3 Replies
If you use the REST API directly you need to use the syntax they have not the Supabase-js syntax.
https://github.com/supabase/auth?tab=readme-ov-file#post-otp
@garyaustin thanks in advance. I have run multiple scenarios the o/p.
curl -X POST "$SUPABASE_URL/auth/v1/magiclink" \
-H "apikey: $SUPABASE_ANON_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": "arvindja01@gmail.com",
"create_user": false,
"options": {
"emailRedirectTo": "http://localhost:9292/auth/callback"
}
}' creates a user
curl -X POST "$SUPABASE_URL/auth/v1/magiclink" \
-H "apikey: $SUPABASE_ANON_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": "arvindja01@gmail.com",
"options": {
"create_user": false,
"emailRedirectTo": "http://localhost:9292/auth/callback"
}
}'
creates a user
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
-H "apikey: $SUPABASE_ANON_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": "arvindja01@gmail.com",
"create_user": false,
"options": {
"email_redirect_to": "http://localhost:9292/auth/callback"
}
}'
{"code":400,"error_code":"validation_failed","msg":"Signup requires a valid password"}%
curl -X POST "$SUPABASE_URL/auth/v1/signup" \
-H "apikey: $SUPABASE_ANON_KEY" \
-H "Content-Type: application/json" \
-d '{
"email": "arvindja01@gmail.com",
"options": {
"create_user": false,
"email_redirect_to": "http://localhost:9292/auth/callback"
}
}'
{"code":400,"error_code":"validation_failed","msg":"Signup requires a valid password"}%
I don't think it should matter but try /otp instead which I think is the endpoint the clients use. Not sure if magiclink is an older syntax or not as both are mentioned in the auth repository for the same thing.
Ahh... look at the link I showed. There is a difference between the two.