Question about handling OTP recovery errors (Supabase / auth flow)
self-hostedauthI’m implementing a password recovery flow using
Current flow (simplified):
Problematic case:
* User enters a correct OTP
* But enters an invalid new password (e.g. same as old password, fails policy, etc.)
*
* The OTP is now burned
* User must wait X minutes and request a new code, even though the OTP itself was valid
This feels like a bad UX because a password validation error permanently consumes a valid recovery token.
Questions:
* Is this expected behavior with Supabase OTP recovery?
* Is there a recommended way to avoid burning the OTP before password validation?
* Should password validation be done before calling
* Or is the intended solution to re-issue a new recovery OTP if
Basically, how do you handle OTP verification errors vs password validation errors without locking users out unnecessarily?
Any best-practice guidance would be appreciated.
verifyOtpupdateUserCurrent flow (simplified):
Problematic case:
* User enters a correct OTP
* But enters an invalid new password (e.g. same as old password, fails policy, etc.)
*
updateUser* The OTP is now burned
* User must wait X minutes and request a new code, even though the OTP itself was valid
This feels like a bad UX because a password validation error permanently consumes a valid recovery token.
Questions:
* Is this expected behavior with Supabase OTP recovery?
* Is there a recommended way to avoid burning the OTP before password validation?
* Should password validation be done before calling
verifyOtp* Or is the intended solution to re-issue a new recovery OTP if
updateUserBasically, how do you handle OTP verification errors vs password validation errors without locking users out unnecessarily?
Any best-practice guidance would be appreciated.
