7

The following function fails with error "Auth Session Missing"

const { error } = await supabase.auth.updateUser({
   password: password,
});

After getting the reset password link on my mail i redirect the user to '/reset' link. The link i get look like this

https://www.example.com/reset#access_token=eyJhbGciOiJIUzI1NiIsImtpZCI6Ik5rK1VQTmlRYk9RZ2xXMUUiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhdXRoZW50aWNhdGVkIiwiZXhwIjoxNjg5ODg1MjE2LCJpYXQiOjE2ODk4ODE2MTYsImlzcyI6Imh0dHBzOi8vaHR0cHM6Ly9lbnZtbHBnYXlpd3FidWR2YWh2YS5zdXBhYmFzZS5jby9hdXRoL3YxIiwic3ViIjoiYTZiMzE1MjktNDUxOC00YjkyLTg3MzYtZDZmMTkyNTBmMzZhIiwiZW1haWwiOiJkZWVwc2hldHllMUBnbWFpbC5jb20iLCJwaG9uZSI6IiIsImFwcF9tZXRhZGF0YSI6eyJwcm92aWRlciI6ImVtYWlsIiwicHJvdmlkZXJzIjpbImVtYWlsIl19LCJ1c2VyX21ldGFkYXRhIjp7fSwicm9sZSI6ImF1dGhlbnRpY2F0ZWQiLCJhYWwiOiJhYWwxIiwiYW1yIjpbeyJtZXRob2QiOiJvdHAiLCJ0aW1lc3RhbXAiOjE2ODk4ODE2MTZ9XSwic2Vzc2lvbl9pZCI6IjA0YjJlMTRlLThkMDUtNDIwYy1iNmRkLTBjODEzNDhkNjUzZCJ9.AcLI2nO1BbCqCwAgrQ8flIjkvC2kRtKcujfXpqRFVG0&expires_in=3600&refresh_token=rUB74qIa-G3GNh6mpJxWdg&token_type=bearer&type=recovery

But on submitting the new password i get the error.

I'm using "@supabase/auth-helpers-nextjs" for creating client.

Improve this question
2
  • How are you instantiating the client? You will need to use the clientComponentClient for the session to be parsed from the URL: supabase.com/docs/guides/auth/auth-helpers/…. Commented Jul 31, 2023 at 4:25
  • Any luck on this? Commented Feb 15 at 11:40

8 Answers 8

Reset to default
4

Once the user has received a password reset email, a code is provided by supabase auth in the redirect URL.

It will be looking like this : https://your_app/your_redirect?code=

This code can be exchanged to a session:

    const { data, error } = await supabase.auth.exchangeCodeForSession(code)

Then you can update the user password without "Auth Session Missing Error"

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

This should be the accepted answer.
but the code does not appear on the url
If you use "Reset Password" email template provided by supabase auth and use {{ .ConfirmationURL }} in the forwarding link, A code will be there.
worked for me, thanks!
3

Now Supabase has a new package in SSR that avoid this problem redirecting to an api route in next.js. You need to use the new SSR package Package here.

To avoid this problem I use this guide: SSR reset password

I hope it work for you!

Improve this answer

2 Comments

I had this issue while creating a custom reset-password form. From the docs it was not clear to me that the reset-password form needs to be protected and before redirecting to this form, i have to first redirect to the route that signs the user in with the given token_hash. I used this as the custom redirect URL in the reset-password email template: <a href="{{ .SiteURL }}/auth/confirm?token_hash={{ .TokenHash }}&type=recovery&next=/auth/reset-password" > The confirm route handler component i created based on this guide: supabase.com/docs/guides/auth/server-side/nextjs
Yes but, the new package don´t use the token_hash and use de code parameter. And I used this approach: supabase.com/docs/guides/auth/server-side/…
1

It seems that certain providers automatically pre-load the URLs in the email for faster page loading. However, since Supabase reset links are designed for one-time use, this preloading action causes the URLs to expire prematurely, resulting in errors when users attempt to reset their passwords.

Possible solution could be adding captcha verification or just a button that redirects to the url given by supabase

Improve this answer

Comments

1

I’ve spent a considerable amount of time troubleshooting this issue on React Native/Expo, and here’s the solution that finally worked for me. Basically this catch the supabase deeplink redirection and iniatiate a user session using the access token and refresh token included in the redirection url. I found the solution here : https://blog.theodo.com/2023/03/supabase-reset-password-rn/

import * as Linking from "expo-linking";

Linking.addEventListener("url", async (event) => {
  const parseSupabaseUrl = (url: string) => {
    let parsedUrl = url;
    if (url.includes("#")) {
      parsedUrl = url.replace("#", "?");
    }
    return Linking.parse(parsedUrl);
  };
  const url = parseSupabaseUrl(event.url);

  console.log("parsed url", url);

  const { data: setSessionData, error: setSessionError } =
    await supabase.auth.setSession({
      access_token: url.queryParams.access_token,
      refresh_token: url.queryParams.refresh_token,
    });
  console.log("setSessionData", setSessionData);
  console.log("setSessionError", setSessionError);
});
Improve this answer

1 Comment

This the only solution for expo, parsing the supabase URL. Thanks
0

supabase store cookie in the browser when you call

const { error } = await supabase.auth.updateUser({
   password: password,
});

when you open reset password link from other device or browser then it throw this error because the cookie is missing.

Improve this answer

1 Comment

I guess yes when we open a link from mail supabase creates a session so there is no need of using code but that is creating a problem like session is created so user can access private sites I doubt
0 
export const onGet: RequestHandler = async ({ query, cookie }) => {

    const supabase = createServerPkceClient(cookie);
    supabase.auth.onAuthStateChange(async (event, session) => {
        if (event == "PASSWORD_RECOVERY") {

            const obj: Record<string, string> = {};
            query.forEach((v, k) => (obj[k] = v));

            if (obj.code) {
                try {
                    const { error, data } = await supabase.auth.exchangeCodeForSession(obj.code);
                    if (error) {
                        console.log('Error exchanging auth code for session:', error.message)
                    } else {
                        console.log('Session data:', data)
                    }
                } catch (error) {
                    console.error('Error during code exchange:', error);
                }
            }
            console.log('password recovery event occured')
            console.log(event, session)
        }
    })
}

This is how i handle supabase password reset in qwik js , make sure supabse

Improve this answer

Comments

0

After got the mail from resetpasswordforemail method, then click the link and its redirect to the reset-password page (you have to create that page in nextjs). Then, before to call the method of updateUser from supabase, you have to ensure the authenticated user. So, use the setSession method for whether check valid user or not that method expecting two value one access_token. Another one is refreshToken, these values are present in the URL, it from resetPasswordforemail.

My code look like this:

const { data : setSessionData, error : setSessionError } = await supabase.auth.setSession({
      access_token :accessToken,
      refresh_token :refreshToken
    })
Improve this answer

Comments

0

Using SSR + Pkce flow works. However make sure to have the used cookies whitelisted since i wasted 2 whole days not realizing “Auth season missing” since the cookies didn’t get placed in case you are using a cookie manager 😩

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.