OAuth reset password is working
I'm not sure if this is a bug, but when a user creates an account using OAuth and not through email, then resets their password and tries to sign in with an email, it works. I'm not sure whether this is intended behaviour; should I check the user's identity provider before sending a reset email?
10 Replies
How are they resetting their password? And where are they resetting their password? It's not very clear whether you are talking about your app or the OAuth provider's website.
On our app, using supabase.auth.resetPasswordForEmail
and then updating with await supabase.auth.updateUser({ password });
Yes, that's expected behaviour.
Okay, then should I filter it out to prevent that?
What are you trying to prevent?
Prevent resetting a password, since the user only created an account using OAuth.
If you want to prevent it then you can try filtering it somehow, but I don't see the issue with a user setting up email/password access.
But since it does not show on the provider after resetting (it only shows Google, not email), I felt it was something like a backdoor.
Not a backdoor, it's the intended behaviour.
One thing I was wondering: if the user should only sign up with OAuth, then why not just avoid any password reset functionality at all? I.e. don't call supabase.auth.resetPasswordForEmail anywhere and don't have a form input for adding a password, if you want to deter that behaviour.
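For the "check the identity provider before sending a reset email" idea from the question, here is an added example (my own code, not from this thread or from Supabase). It assumes the user object shape returned by supabase-js v2 admin lookups, where `identities` is an array of objects with a `provider` string and `app_metadata.providers` lists linked providers; `sendReset` is a hypothetical callback standing in for the real reset call, and the sample users are constructed.

```javascript
// Providers whose identity carries a user-chosen password.
const PASSWORD_PROVIDERS = new Set(["email"]);

// Collect every provider linked to the account. Uses the identities array
// first and falls back to app_metadata.providers if identities is missing.
function linkedProviders(user) {
  const fromIdentities = (user.identities ?? []).map((i) => i.provider);
  const fromMetadata = user.app_metadata?.providers ?? [];
  return new Set([...fromIdentities, ...fromMetadata]);
}

// Policy from the thread: only accounts that already have an email/password
// identity may request a reset; pure-OAuth accounts are refused, so a reset
// email cannot silently add a second login method to them.
function canRequestPasswordReset(user) {
  for (const p of linkedProviders(user)) {
    if (PASSWORD_PROVIDERS.has(p)) return true;
  }
  return false;
}

// Gate the reset server-side (Edge Function / API route holding the service
// role key). A browser client can call resetPasswordForEmail directly, so a
// purely client-side check does not enforce anything. `sendReset` is a
// hypothetical stand-in for supabase.auth.resetPasswordForEmail(email).
async function guardedPasswordReset(user, email, sendReset) {
  const allowed = canRequestPasswordReset(user);
  if (allowed) await sendReset(email);
  // Log the decision internally; reply to the caller with the same generic
  // "if an account exists, an email was sent" message either way so the
  // response does not reveal which login methods an address has.
  return { allowed, providers: [...linkedProviders(user)] };
}

// Constructed sample users (not real Supabase records).
const googleOnlyUser = {
  id: "u1", email: "a@example.com",
  app_metadata: { provider: "google", providers: ["google"] },
  identities: [{ provider: "google" }],
};
const emailUser = {
  id: "u2", email: "b@example.com",
  app_metadata: { provider: "email", providers: ["email"] },
  identities: [{ provider: "email" }],
};
const linkedUser = {
  id: "u3", email: "c@example.com",
  app_metadata: { provider: "google", providers: ["google", "email"] },
  identities: [{ provider: "google" }, { provider: "email" }],
};
```

The same rule can be mirrored in the UI (hide the "forgot password" form for OAuth-only accounts), but the server-side gate is the one that actually enforces it.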