auth.verifyOtp always failed with invalid or expired token using supabasejs

Hi,

Until yesterday, admin.generateLink was giving me both access_token and refresh_token. But all of a sudden now, it's returning only token in the action url. I have tried verifying the same token using auth.verifyOTP and that fails every time with otp_expired error. I have custom otp email generating flow and validation. Below is the flow. Attached a file with my code snippet and sample logs for the same.

I am using "@supabase/supabase-js": "^2.45.3" in my NestJS api project. In the snippet code, "client" is created by service role key and "publicClient" is created by anon key of my supabase project.

Can anyone please help in resolving this issue? Thanks in advance. Let me know if you need more details.

Flow:
1. I generate otp to user's email by custom logic.
2. Users submit otp and validation hits.
3. Once otp is valid, try to create supabase session using generateLink recovery type.

```ts
// "client" uses the service role key; "publicClient" uses the anon key.
const { data: linkResult, error: linkErr } = await client.auth.admin.generateLink({
  type: 'recovery',
  email: normEmail,
  options: { redirectTo: undefined },
});

// linkType and recoveryToken are assigned in code that is not shown in this post.
const verifyType =
  (linkType === 'recovery' || linkType === 'magiclink' || linkType === 'invite' || linkType === 'signup')
    ? (linkType as any)
    : 'recovery';

const verifyOtpReq: any = { email: normEmail, token: recoveryToken, type: verifyType };
console.log('verifyOtp Request:', JSON.stringify(verifyOtpReq));

const { data: verified, error: verifyErr } = await publicClient.auth.verifyOtp(verifyOtpReq);
```
3 Replies
silentworks (5w ago)
Which token are you referring to here? You won't get an access_token nor a refresh_token from the admin.generateLink method. You normally get these tokens when you do a verifyOtp.
silentworks (5w ago)
You can see the response payload in the reference docs here https://supabase.com/docs/reference/javascript/auth-admin-generatelink
Sagar Varma (OP, 5w ago)
Hi, Thanks @silentworks for responding. My bad, sorry initially I was not dependent on access_token and refresh_token, I was handling those in my custom logic. But now I am trying to switch to supabase sessions. But the token verification is failing with otp_expired always. I tried both recovery and magiclinks. Just to be clear, I am trying to create supabase session from server layer using NestJS. I am not opening recovery and magiclinks in any UI. Attached Word file with latest code snippet and logs for the same. Please have a look and let me know if you want more details. Thanks
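
Added example, not posted by anyone in the thread and not Supabase's own code: the generateLink response in the reference docs linked above carries both `properties.hashed_token` and `properties.email_otp`, and verifyOtp takes them in different fields (`token_hash` alone, or `email` plus `token`). The helper names and sample values below are hypothetical and constructed; the sketch picks the matching verifyOtp parameter shape for a given token and redacts it before logging.

```javascript
// Constructed sample shaped like the `data` object returned by auth.admin.generateLink.
// All values are placeholders, not real tokens.
const sampleLinkData = {
  properties: {
    action_link:
      'https://project-ref.supabase.co/auth/v1/verify?token=HASHED_TOKEN_PLACEHOLDER&type=recovery',
    email_otp: '123456',
    hashed_token: 'HASHED_TOKEN_PLACEHOLDER',
    verification_type: 'recovery',
  },
};

// Decide which kind of value `candidate` is, so it is sent in the right field.
function classifyToken(linkData, candidate) {
  const { action_link, email_otp, hashed_token } = linkData.properties;
  const linkToken = new URL(action_link).searchParams.get('token');
  if (candidate === hashed_token || candidate === linkToken) return 'token_hash';
  if (candidate === email_otp) return 'email_otp';
  return 'unknown';
}

// Build the verifyOtp argument for a server-side exchange.
function buildVerifyOtpParams(linkData, email, candidate) {
  const type = linkData.properties.verification_type;
  switch (classifyToken(linkData, candidate)) {
    case 'token_hash':
      // The token_hash form carries only token_hash and type, no email.
      return { token_hash: candidate, type };
    case 'email_otp':
      // The email form expects the short OTP, not the hashed token.
      return { email, token: candidate, type };
    default:
      throw new Error('token does not belong to this generateLink response');
  }
}

// Copy of the params that is safe to log: either token value grants a session.
function redact(params) {
  const out = { ...params };
  for (const key of ['token', 'token_hash']) {
    if (out[key]) out[key] = '[redacted]';
  }
  return out;
}
```

In the flow from the question this would be called as `publicClient.auth.verifyOtp(buildVerifyOtpParams(linkResult, normEmail, recoveryToken))`, with `console.log(redact(params))` in place of logging the raw request.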