Setting a New Password for Non-Authenticated Users

I am trying to set a new password for a user who is not currently authenticated. I couldn't find any information on this in the documentation https://supabase.com/docs/reference/javascript/auth-updateuser. updateUser works only for an authenticated user, but in my opinion, it is not safe to automatically log in the user immediately after they click the "reset password" link sent to their email. What is the recommended approach for updating the password for non-authenticated users? Thank you.
19 Replies
ibrahim (3d ago)
Has the user been signed in using anonymous sign-in?
bighead (OP, 3d ago)
It wasn't signed in. I just clicked on 'forgot password', entered the email, and clicked on the 'reset password' link that was sent to my email. After that, I tried to enter a new password and it says that the user is not authenticated.
ibrahim (3d ago)
This user doesn't have an account, right? So how are they using reset password if their email is not tied to a user account?
bighead (OP, 3d ago)
Because the email exists in the users table. It is not signed in, but it is signed up. I want to reset the password without being logged in.
ibrahim (3d ago)
I understand, but why do you think the current approach of updateUser is not safe? It's more or less the standard in many applications.
bighead (OP, 3d ago)
As far as I remember, some websites use this approach and some don't, because the token gives instant access, and if it's intercepted, the attacker gets full control right away. But even if I use the default approach, which from what I understand is that I should be logged in automatically after clicking on 'reset password', for some reason it doesn't create a session.
ibrahim (3d ago)
Are you listening for the password recovery event?
```javascript
useEffect(() => {
  // Fires with PASSWORD_RECOVERY once the user lands on this page from the reset
  // link; supabase-js has already exchanged the link's token for a session by then.
  const { data: { subscription } } = supabase.auth.onAuthStateChange(async (event, session) => {
    if (event !== "PASSWORD_RECOVERY") return;
    const newPassword = prompt("What would you like your new password to be?");
    if (!newPassword) return; // user cancelled the prompt
    const { data, error } = await supabase.auth.updateUser({ password: newPassword });
    // On failure data is { user: null }, which is still truthy, so check error first
    if (error) alert("There was an error updating your password.");
    else alert("Password updated successfully!");
  });
  return () => subscription.unsubscribe(); // avoid stacking listeners on re-render
}, []);
```
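The same recovery flow, as an added example that is not code from this thread or from Supabase: the "forgot password" request, the PASSWORD_RECOVERY handler with a password check, and the sign-out step that addresses the question's concern about the reset link doubling as a login. The redirect URL, email address and password-length limits are assumptions, and a constructed fake client stands in for `createClient()` so the block runs offline; only the call shapes of supabase-js v2 are reproduced.

```javascript
// Added example (not from the thread or from Supabase): supabase-js v2 recovery
// flow with a sign-out after the reset. A constructed fake client replaces
// createClient() so the logic runs offline; it does not emulate token validation.

const MIN_PASSWORD_LENGTH = 12; // assumed local policy, not a Supabase default
const MAX_PASSWORD_LENGTH = 72; // assumed local policy (bcrypt input limit)

// Returns null when acceptable, otherwise a short reason for the UI.
function validateNewPassword(pw) {
  if (typeof pw !== "string") return "missing";
  if (pw.length < MIN_PASSWORD_LENGTH) return "too short";
  if (pw.length > MAX_PASSWORD_LENGTH) return "too long";
  return null;
}

// Step 1, on the "forgot password" page: no session exists yet. redirectTo must be on
// the project's redirect allow-list; the URL below is an assumption.
function requestPasswordReset(supabase, email) {
  return supabase.auth.resetPasswordForEmail(email, {
    redirectTo: "https://app.example.com/reset-password",
  });
}

// Step 2, on the /reset-password page: supabase-js exchanges the link's token for a
// session and emits PASSWORD_RECOVERY; only then can updateUser() succeed.
// getNewPassword is the UI's async form callback; onResult reports the outcome.
// endSession drops the session the link created so a reset is not also a login.
function registerRecoveryHandler(supabase, getNewPassword, onResult, { endSession = true } = {}) {
  const { data: { subscription } } = supabase.auth.onAuthStateChange(async (event) => {
    if (event !== "PASSWORD_RECOVERY") return;
    const newPassword = await getNewPassword();
    const problem = validateNewPassword(newPassword);
    if (problem) return onResult({ ok: false, reason: problem });
    const { error } = await supabase.auth.updateUser({ password: newPassword });
    if (error) return onResult({ ok: false, reason: error.message }); // keep session so the user can retry
    if (endSession) await supabase.auth.signOut();
    onResult({ ok: true });
  });
  return subscription; // caller unsubscribes on unmount
}

// Constructed stand-in for the supabase-js client: only the call shapes used above.
function makeFakeSupabaseClient({ failUpdate = false } = {}) {
  const listeners = [];
  const state = { session: null, password: null, resetRequests: [] };
  return {
    state,
    // Simulates landing on the redirect URL with a valid recovery token.
    simulateRecoveryLink() {
      state.session = { user: { email: "user@example.com" } };
      return Promise.all(listeners.map((fn) => fn("PASSWORD_RECOVERY", state.session)));
    },
    auth: {
      onAuthStateChange(fn) {
        listeners.push(fn);
        const unsubscribe = () => {
          const i = listeners.indexOf(fn);
          if (i >= 0) listeners.splice(i, 1);
        };
        return { data: { subscription: { unsubscribe } } };
      },
      async resetPasswordForEmail(email, opts) {
        state.resetRequests.push({ email, ...opts });
        return { data: {}, error: null };
      },
      async updateUser(attrs) {
        // Without a session this is the "not authenticated" failure from the question.
        if (!state.session) return { data: { user: null }, error: { message: "Auth session missing" } };
        if (failUpdate) return { data: { user: null }, error: { message: "update failed" } };
        state.password = attrs.password;
        return { data: { user: state.session.user }, error: null };
      },
      async signOut() {
        state.session = null;
        return { error: null };
      },
    },
  };
}

// Runs both steps end to end against the fake client and returns what happened.
async function runDemo({ failUpdate = false, newPassword = "correct horse battery staple 9" } = {}) {
  const supabase = makeFakeSupabaseClient({ failUpdate });
  const results = [];
  await requestPasswordReset(supabase, "user@example.com");
  const subscription = registerRecoveryHandler(supabase, async () => newPassword, (r) => results.push(r));
  await supabase.simulateRecoveryLink();
  subscription.unsubscribe();
  return { results, sessionAfter: supabase.state.session, storedPassword: supabase.state.password };
}

runDemo().then((r) => console.log(JSON.stringify(r)));
```

With a real client the only change is replacing `makeFakeSupabaseClient()` with `createClient(url, anonKey)` and wiring `getNewPassword` and `onResult` to the form; keeping `endSession` on means the user returns to the login page after the reset, which is the behaviour the question asked for.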
bighead (OP, 3d ago)
That's what I've been trying to find in the docs, thanks. Tbh they could've just created another function like resetPassword and that's it.
ibrahim (3d ago)
Do you have any examples in mind? Any company that I can think of either does this or MFA (i.e. Stripe).
bighead (OP, 3d ago)
Salesforce
ibrahim (3d ago)
How do they do it?
bighead (OP, 3d ago)
They handle it server side. The reset link token is validated on their backend, and the password is changed without creating a client session, so you're not auto-logged in. I thought I could do something like this using Supabase out of the box, but if auto login is the default behavior on most websites, I will follow the same approach.
ibrahim (3d ago)
So you enter the email and the new password up front?
bighead (OP, 3d ago)
No, you just click the link in the email, and it redirects you to the change password page. Their server validates the token from the URL and updates the password if valid, and the link expires after one use. You don't want to enter the email.
ibrahim (3d ago)
I think that is more or less what supabase does?
bighead (OP, 3d ago)
It is already connected to the token in the URL. Not really, because from what I understand it auto logs you in.
ibrahim (3d ago)
makes sense
bighead (OP, 3d ago)
@ibrahim By the way, since it auto logs you in, can we consider it a magic link?
ibrahim (2d ago)
Yeah, I guess it is like a magic link.