RedirectTo Recovery Path Stripped When Using Localhost
MeyerOppelt opened this issue · comments
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
May be related to #161. It was the only issue I found that looked similar.
I am using the Supabase Dart Client, although this seems to be a GoTrue issue. When using the resetPasswordForEmail() method and the redirectTo parameter is localhost with a port, the rest of the path is stripped from the email.
```dart
await Supabase.instance.client.auth.resetPasswordForEmail(
  emailController.text,
  redirectTo: (kDebugMode && kIsWeb)
      ? "http://localhost:61000/recovery/"
      : "https://app.domain.com/recovery/");
```
This code seems to work absolutely perfectly. When receiving an email from the app (not on debug mode), the email is correctly formatted to have /recovery at the end of the domain, as expected.
When the email is sent with a redirectTo parameter equal to https://app.domain.com/recovery/, the backend correctly sends an email with the correct parameter also in the OTP link. This is not the case if the redirectTo parameter is equal to http://localhost:61000/recovery.
Query String Parameters:
redirect_to=http%3A%2F%2Flocalhost%3A61000%2Frecovery%2F
Decoded
redirect_to=http://localhost:61000/recovery/
When receiving the OTP email however, the path is stripped, even though the HTTP request was correctly sent.
https://domain.supabase.co/auth/v1/verify?token=${token}&type=recovery&redirect_to=http://localhost:61000/
In the Supabase auth logs, it appears that the path is correctly parsed as well.
I have also set up the auth settings to allow this domain.
When using this code, I do get the correct email with the correct path.
```dart
await Supabase.instance.client.auth.resetPasswordForEmail(
  emailController.text,
  // condition replaced by `false` so the production URL is always used
  redirectTo: false //(kDebugMode && kIsWeb)
      ? "http://localhost:61000/recovery/"
      : "https://app.domain.com/recovery/");
```
https://domain.supabase.co/auth/v1/verify?token=${token}&type=recovery&redirect_to=https://app.domain.com/recovery/
The HTTP redirectTo query parameter for this email is:
https%3A%2F%2Fapp.domain.com%2Frecovery%2F
https://app.domain.com/recovery/
As specified in these documents, I should have my redirect domains set up correctly:
https://supabase.com/docs/guides/auth/concepts/redirect-urls
System information
- OS: MacOS Sonoma 14.1.1
- Browser (if applies): Google Chrome 112.0.5615.121 ARM64
- Version of supabase-js: N/A
- Version of Node.js: N/A
- Version of supabase_flutter: ^2.3.1
If you need any more information, I would be happy to oblige. Thank you in advance for your help.
Correction:
It doesn't look like GoTrue is correctly parsing the path, as stated above. (Oops) I got the path of the Supabase domain mixed up with the path of my domain.
This is the output of the request start and complete, in the supabase auth logs.
Start Localhost Log:
{"component":"api","level":"info","method":"POST","msg":"request started","path":"/recover","referer":"http://localhost:61000/","remote_addr":"xxx.xxx.xxx.xxx","time":"2024-02-16T02:31:57Z","timestamp":"2024-02-16T02:31:57Z"}
Complete Localhost Log:
{"component":"api","duration":1593632,"level":"info","method":"POST","msg":"request completed","path":"/recover","referer":"http://localhost:61000/","remote_addr":"xxx.xxx.xxx.xxx","status":200,"time":"2024-02-16T02:31:57Z","timestamp":"2024-02-16T02:31:57Z"}
^^ This looks different from the Domain Complete Log (No auth event key in the JSON?)
Start Domain Log:
{"component":"api","level":"info","method":"POST","msg":"request started","path":"/recover","referer":"https://app.domain.com/recovery/","remote_addr":"xxx.xxx.xxx.xxx","time":"2024-02-16T02:47:23Z","timestamp":"2024-02-16T02:47:23Z"}
Complete Domain Log:
{"auth_event":{"action":"user_recovery_requested","actor_id":"c0ae2322-dbc0-4531-bc24-c37ff8141f2f","actor_username":"${email}","actor_via_sso":false,"log_type":"user"},"component":"api","duration":340455010,"level":"info","method":"POST","msg":"request completed","path":"/recover","referer":"https://app.domain.com/recovery/","remote_addr":"xxx.xxx.xxx.xxx","status":200,"time":"2024-02-16T02:47:24Z","timestamp":"2024-02-16T02:47:23Z"}
This Reddit post looks related as well:
https://www.reddit.com/r/Supabase/comments/11ps0ua/sign_in_redirect_always_goes_to/
Hi @MeyerOppelt, as mentioned in our docs, the `*` operator doesn't consider URLs with a separator. It seems like you have a `/` character at the end of your redirect URLs, which is a separator. You can either remove that character or use `**` in your allow list of redirect URLs.
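To make the separator rule concrete, here is an added example (not GoTrue's or Supabase's own code) that reimplements the two wildcard semantics described in the reply above in plain Go: a single `*` matches any run of characters except `/`, while `**` also crosses `/`. The allow-list patterns, the site URL used as the fallback, and the `ResolveRedirect` helper are all assumptions constructed for the demonstration; the reporter's actual allow-list entry is not shown on the page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// globToRegexp converts an allow-list pattern into an anchored regular
// expression. Assumed semantics (a simplified reimplementation, not GoTrue's
// implementation): "**" matches any run of characters including "/", a single
// "*" matches any run of characters that does NOT contain "/", and every other
// character is matched literally.
func globToRegexp(pattern string) (*regexp.Regexp, error) {
	runes := []rune(pattern)
	var b strings.Builder
	b.WriteString("^")
	for i := 0; i < len(runes); i++ {
		switch {
		case runes[i] == '*' && i+1 < len(runes) && runes[i+1] == '*':
			b.WriteString(".*")
			i++ // consume the second '*'
		case runes[i] == '*':
			b.WriteString("[^/]*")
		default:
			b.WriteString(regexp.QuoteMeta(string(runes[i])))
		}
	}
	b.WriteString("$")
	return regexp.Compile(b.String())
}

// IsAllowedRedirect reports whether redirectTo matches at least one pattern in
// the allow list. Patterns that fail to compile are skipped rather than
// treated as a match.
func IsAllowedRedirect(allowList []string, redirectTo string) bool {
	for _, p := range allowList {
		re, err := globToRegexp(p)
		if err != nil {
			continue
		}
		if re.MatchString(redirectTo) {
			return true
		}
	}
	return false
}

// ResolveRedirect models the behaviour observed in the report: an allowed
// redirectTo is honoured unchanged, anything else collapses to siteURL.
func ResolveRedirect(allowList []string, siteURL, redirectTo string) string {
	if IsAllowedRedirect(allowList, redirectTo) {
		return redirectTo
	}
	return siteURL
}

func main() {
	// Constructed sample allow lists (assumptions, not the reporter's settings).
	singleStar := []string{"http://localhost:61000/*"}
	doubleStar := []string{"http://localhost:61000/**"}
	site := "http://localhost:61000/"

	for _, want := range []string{
		"http://localhost:61000/recovery",        // no trailing separator
		"http://localhost:61000/recovery/",       // trailing separator, as in the report
		"http://localhost:61000/recovery/deeper", // extra depth: only "**" accepts it
	} {
		fmt.Printf("%-42s  *: %-36s  **: %s\n", want,
			ResolveRedirect(singleStar, site, want),
			ResolveRedirect(doubleStar, site, want))
	}
}
```

Running it shows `http://localhost:61000/recovery/` falling back to the bare site URL under the `*` pattern, which is exactly the stripped link in the reporter's email, while `**` keeps the path. Note the trade-off: `**` also accepts arbitrarily deep paths under the prefix, so when you widen the pattern, keep the host and port portion literal and as specific as possible.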