Forgot password and PKCE workflow issues
authI have a "forgot password" workflow in my app that some users are getting an "Auth session missing!" response from the API while using, and am unsure how to resolve.
I am sending an email to the user using supabase.auth.resetPasswordForEmail(), and this is correctly sending an email through my SMTP service. The redirect sends users to the correct URL, but then some users are getting the "Auth session missing!" error when attempting to set the new password on the page they are redirected to. I am using supabase.auth.updateUser() using the password they enter into the form on the page.
Whenever I attempt to test this, the flow works just fine for me. When asking the AI assistant it insists I use supabase.auth.exchangeCodeForSession() without passing parameters, but this gives a 400 error: "PKCE code verifier not found in storage. This can happen if the auth flow was initiated in a different browser or device, or if the storage was cleared. For SSR frameworks (Next.js, SvelteKit, etc.), use @supabase/ssr on both the server and client to store the code verifier in cookies.". This happens when using the same browser to request a reset and then reset the password on the update page; not in incognito mode.
I am using Nuxt, but I have SSR disabled for both of these pages. The AI assistant is basing all of it's suggestions on simplifying the workflow and supabase initialization, but I am never seeing the keys for the verification key set in localStorage (so it makes sense the library is telling me the verification key cannot be found).
Am I missing a step here to ensure the verification key is set? Is the PKCE workflow appropriate here? When exactly should the verification code be set in localStorage, and is there another method or parameter I should be passing somewhere to make this happen?
I am unable to actually reproduce the "Auth session missing!" error on my end unless I intentionally invalidate the code sent via email, so I'm confused in general about whether PKCE is the right workflow or if it's entirely unrelated.
Thanks in advance!
I am sending an email to the user using supabase.auth.resetPasswordForEmail(), and this is correctly sending an email through my SMTP service. The redirect sends users to the correct URL, but then some users are getting the "Auth session missing!" error when attempting to set the new password on the page they are redirected to. I am using supabase.auth.updateUser() using the password they enter into the form on the page.
Whenever I attempt to test this, the flow works just fine for me. When asking the AI assistant it insists I use supabase.auth.exchangeCodeForSession() without passing parameters, but this gives a 400 error: "PKCE code verifier not found in storage. This can happen if the auth flow was initiated in a different browser or device, or if the storage was cleared. For SSR frameworks (Next.js, SvelteKit, etc.), use @supabase/ssr on both the server and client to store the code verifier in cookies.". This happens when using the same browser to request a reset and then reset the password on the update page; not in incognito mode.
I am using Nuxt, but I have SSR disabled for both of these pages. The AI assistant is basing all of it's suggestions on simplifying the workflow and supabase initialization, but I am never seeing the keys for the verification key set in localStorage (so it makes sense the library is telling me the verification key cannot be found).
Am I missing a step here to ensure the verification key is set? Is the PKCE workflow appropriate here? When exactly should the verification code be set in localStorage, and is there another method or parameter I should be passing somewhere to make this happen?
I am unable to actually reproduce the "Auth session missing!" error on my end unless I intentionally invalidate the code sent via email, so I'm confused in general about whether PKCE is the right workflow or if it's entirely unrelated.
Thanks in advance!
