supabase / auth

A JWT based API for managing users and issuing JWT tokens

Home Page:https://supabase.com/docs/guides/auth

RedirectTo Recovery Path Stripped When Using Localhost

MeyerOppelt opened this issue · comments

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

May be related to #161. It was the only issue I found that looked similar.

I am using the Supabase Dart Client, although this seems to be a GoTrue Issue. When using resetPasswordForEmail() method, and the redirectTo parameter is localhost with a port, the rest of the path is stripped from the email.

await Supabase.instance.client.auth.resetPasswordForEmail(
    emailController.text,
    redirectTo: (kDebugMode && kIsWeb)
        ? "http://localhost:61000/recovery/"
        : "https://app.domain.com/recovery/");

This code seems to work absolutely perfectly. When receiving an email from the app (not on debug mode), the email is correctly formatted to have /recovery at the end of the domain, as expected.

When the email is sent with a redirectTo parameter equal to https://app.domain.com/recovery/ the backend correctly sends an email with the correct parameter also in the OTP link. This is not the case if the redirectTo parameter is equal to http://localhost:61000/recovery.

Query String Parameters:
redirect_to=http%3A%2F%2Flocalhost%3A61000%2Frecovery%2F
Decoded
redirect_to=http://localhost:61000/recovery/

When receiving the OTP email however, the path is stripped, even though the HTTP request was correctly sent.
https://domain.supabase.co/auth/v1/verify?token=${token}&type=recovery&redirect_to=http://localhost:61000/

In supabase auth logs, it appears that the path is correctly parsed as well.
Screenshot 2024-02-15 at 8 42 09 PM

I have also set up the auth settings to allow this domain.
Screenshot 2024-02-15 at 8 44 08 PM

When using this code, I do get the correct email with the correct path.

await Supabase.instance.client.auth.resetPasswordForEmail(
    emailController.text,
    redirectTo: false //(kDebugMode && kIsWeb)
        ? "http://localhost:61000/recovery/"
        : "https://app.domain.com/recovery/");

https://domain.supabase.co/auth/v1/verify?token=${token}&type=recovery&redirect_to=https://app.domain.com/recovery/

The HTTP redirectTo query parameter for this email is:
https%3A%2F%2Fapp.domain.com%2Frecovery%2F
https://app.domain.com/recovery/

As specified in these documents I should have my redirect domains setup correctly:
https://supabase.com/docs/guides/auth/concepts/redirect-urls

Glob Tool

Screenshot 2024-02-15 at 9 03 44 PM

System information

  • OS: MacOS Sonoma 14.1.1
  • Browser (if applies) Google Chrome 112.0.5615.121 ARM64
  • Version of supabase-js: N/A
  • Version of Node.js: N/A
  • Version of supabase_flutter: ^2.3.1

If you need any more information, I would be happy to oblige, Thank you in advance for your help.

Correction:
It doesn't look like GoTrue is correctly parsing the path, as stated above. (Oops) I got the path of the Supabase domain mixed up with the path of my domain.

This is the output of the request start and complete, in the supabase auth logs.

Start Localhost Log:
{"component":"api","level":"info","method":"POST","msg":"request started","path":"/recover","referer":"http://localhost:61000/","remote_addr":"xxx.xxx.xxx.xxx","time":"2024-02-16T02:31:57Z","timestamp":"2024-02-16T02:31:57Z"}

Complete Localhost Log:
{"component":"api","duration":1593632,"level":"info","method":"POST","msg":"request completed","path":"/recover","referer":"http://localhost:61000/","remote_addr":"xxx.xxx.xxx.xxx","status":200,"time":"2024-02-16T02:31:57Z","timestamp":"2024-02-16T02:31:57Z"}

^^ This looks different from the Domain Complete Log (No auth event key in the JSON?)

Start Domain Log:
{"component":"api","level":"info","method":"POST","msg":"request started","path":"/recover","referer":"https://app.domain.com/recovery/","remote_addr":"xxx.xxx.xxx.xxx","time":"2024-02-16T02:47:23Z","timestamp":"2024-02-16T02:47:23Z"}

Complete Domain Log:
{"auth_event":{"action":"user_recovery_requested","actor_id":"c0ae2322-dbc0-4531-bc24-c37ff8141f2f","actor_username":"${email}","actor_via_sso":false,"log_type":"user"},"component":"api","duration":340455010,"level":"info","method":"POST","msg":"request completed","path":"/recover","referer":"https://app.domain.com/recovery/","remote_addr":"xxx.xxx.xxx.xxx","status":200,"time":"2024-02-16T02:47:24Z","timestamp":"2024-02-16T02:47:23Z"}

This reddit post looks related as well:
https://www.reddit.com/r/Supabase/comments/11ps0ua/sign_in_redirect_always_goes_to/

Hi @MeyerOppelt, as mentioned in our docs, the * operator doesn't consider URLs with a separator. It seems like you have a / character at the end of your redirect URLs, which is a separator. You can either remove that character or use ** in your allow list of redirect URLs.
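To make the separator rule concrete, here is an added example in Go (not GoTrue's own code) of a simplified redirect allow-list matcher: `*` stops at the separators `/` and `.`, `**` does not, and a redirect_to that matches no pattern falls back to the site URL, which is consistent with the stripped `http://localhost:61000/` the reporter saw. The separator set, `globMatch` and `resolveRedirect` are assumptions made for this example, not the project's API.

```go
package main

import "strings"

// Separators a single '*' must not cross, modelled on the Supabase redirect-URL
// docs ('/' and '.'); an assumption for this example, not GoTrue's own code.
const separators = "/."

// globMatch reports whether s matches pattern p: '*' matches a run of
// non-separator characters, '**' matches any run of characters at all.
func globMatch(p, s string) bool {
	if p == "" {
		return s == ""
	}
	if strings.HasPrefix(p, "**") {
		// '**' may swallow zero or more characters, separators included.
		for i := 0; i <= len(s); i++ {
			if globMatch(p[2:], s[i:]) {
				return true
			}
		}
		return false
	}
	if p[0] == '*' {
		// '*' may swallow zero or more characters but stops at a separator.
		for i := 0; i <= len(s); i++ {
			if globMatch(p[1:], s[i:]) {
				return true
			}
			if i < len(s) && strings.IndexByte(separators, s[i]) >= 0 {
				break
			}
		}
		return false
	}
	// Any other pattern character must match literally.
	return s != "" && p[0] == s[0] && globMatch(p[1:], s[1:])
}

// resolveRedirect returns the requested URL when some allow-list pattern matches
// it, otherwise siteURL (assumed fallback; it is what appears as a "stripped" path).
func resolveRedirect(requested, siteURL string, allowList []string) string {
	for _, pat := range allowList {
		if globMatch(pat, requested) {
			return requested
		}
	}
	return siteURL
}
```

With the allow-list entry `http://localhost:61000/*`, the reporter's `http://localhost:61000/recovery/` is rejected because of its trailing `/`, while `http://localhost:61000/recovery` or the pattern `http://localhost:61000/**` is accepted.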