Self Hosted Password Reset Link Expired (Mimecast)
We’ve built an application that uses a self-hosted Supabase instance, and we’ve run into an issue with the default password-reset email.
Because Supabase sends a single-use link for password resets, our users behind Mimecast are finding that the link has already been consumed by the time they open the email. It appears Mimecast is pre-scanning or “clicking” the link to check it for safety, which triggers the one-time token before the user ever sees it.
Has anyone else experienced this behaviour, or found a good workaround for password resets when using Supabase with Mimecast (e.g. multi-use links, custom reset flow, or alternative verification method)?
Thanks in advance for any advice!
19 Replies
This doc mentions some solutions to this https://supabase.com/docs/guides/auth/auth-email-templates#email-prefetching
I'll review and get back if I have any questions 🙂
Ok, so I plan on using a custom template, using custom HTML files located in supabase-project/templates/recovery.html. I then created a config.toml file in supabase-project/config.toml. However, after multiple reboots it's still using the default template. I must have missed a step?
Did you also add configuration in config.toml to use that template?
https://github.com/silentworks/supabase-by-example/blob/c3bf91ed710e13716daf9440b5a7d56a18d6a3d4/react/supabase/config.toml#L179C1-L193C57
Here you will find all the template types https://supabase.com/docs/guides/local-development/cli/config#auth.email.template.type.subject
I did, I’ll do some more testing to see if I missed anything else.
If you weren't able to solve the issue, please share the relevant parts of your config.toml
Ok, still not working. My current setup is:
supabase-project/
├─ config.toml
└─ templates/
   └─ recovery.html
Inside of my config.toml:
[auth.email.template.recovery]
subject = "Reset your Password"
content_path = "./supabase-project/templates/recovery.html"
This file is new, just for this template, so it contains nothing else. Do I need to tell Supabase to use it now, or should it auto-find it after a reboot?
Also share the recovery.html. If there were some issues parsing the file, then it falls back to default one.
You can also confirm this with a minimal recovery.html file which doesn't have any template variables. Plain text
Just tested it with:
<!doctype html>
<html lang="en" style="margin:0;padding:0;">
<body>
<p>test</p>
</body>
</html>
And it still sent the default email.
Did you take down the stack and rerun it?
Yeah I did a docker down/up
Aren't you using supabase cli?
You need to do supabase down and supabase start
Wait a minute are you using supabase cli with docker-compose?
I'm using docker-compose in a self hosted instance in AWS
Config.toml can only be used with supabase cli
Any config settings you change in config.toml won't be reflected in docker compose stack
Oh I see, is there a way of using custom templates in Supabase docker compose?
https://medium.com/@singh-inder/ultimate-guide-to-send-emails-with-self-hosted-supabase-including-custom-templates-21f778d2e4c3
There is also a yt video linked in the article if you prefer that
Perfect this is exactly what I need, I'll review! Thank you 🙂
YOU ARE A LIFE SAVER
Do you have a buy me a coffee link or anything?
No need. Supabase compensates mods/supausers for their time on this server.
Thank you!
I'm very happy to hear that!
Sorry to jump in here and ask a separate question: my self-hosted instance will stay nice at 20% utilisation, then randomly go to 70-80% and stay there. Do you know any potential reasons (realtime is turned off)? Do you have a recommended minimum size for EC2?
It's usually the analytics service which causes this spike. You can add this memory limit. Docker will automatically restart the container if this limit is crossed. Worst case, you lose some log entries while this service is being restarted, but there won't be any spikes.
And you can inspect how many times it was restarted using
docker inspect