Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth: Inconsistent Password Reset redirect_to URLs Between Custom Domains and .web.app #1842

Open
2 tasks done
jacoplane opened this issue Nov 7, 2024 · 0 comments
Open
2 tasks done

Auth: Inconsistent Password Reset redirect_to URLs Between Custom Domains and .web.app #1842

jacoplane opened this issue Nov 7, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@jacoplane
Copy link

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Password reset redirect URL handling is inconsistent between Firebase-hosted .web.app domains and custom domains. When using a custom domain, Supabase doesn't include the hash fragment (/#/reset-callback) in the redirect_to URL, though it does include it for .web.app domains.

To Reproduce

  1. Set up a Flutter web app with Supabase auth and hash-based routing
  2. Deploy to Firebase hosting (gets a .web.app domain)
  3. Add a custom domain to the Firebase hosting
  4. Configure Supabase with both domains: 
    Site URL: https://custom-domain.com
Redirect URLs: https://custom-domain.com/#/reset-callback
  5. Request password reset using the same app code on both domains

Expected URLs in reset email:

  • .web.app domain:
https://[project].supabase.co/auth/v1/verify?token=[token]&type=recovery&redirect_to=https://[project-id].web.app/#/reset-callback
  • Custom domain:
https://[project].supabase.co/auth/v1/verify?token=[token]&type=recovery&redirect_to=https://custom-domain.com/#/reset-callback

Actual URLs:

  • .web.app domain (correct):
https://[project].supabase.co/auth/v1/verify?token=[token]&type=recovery&redirect_to=https://[project-id].web.app/#/reset-callback
  • Custom domain (incorrect):
https://[project].supabase.co/auth/v1/verify?token=[token]&type=recovery&redirect_to=https://custom-domain.com/

Expected behavior

Supabase should include the hash fragment (/#/reset-callback) in the redirect URL consistently for both .web.app and custom domains when it's specified in the Redirect URLs configuration.

System information

  • OS: Windows 11
  • Browser: Chrome 121
  • Framework: Flutter Web
  • supabase_flutter: ^2.6.0

Additional context

Currently requires a JavaScript workaround to handle the redirect properly on custom domains:

<script>
    window.addEventListener("load", function () {
        var search = window.location.search;
        var hash = window.location.hash;

        if (window.location.href.includes('custom-domain.com/') && 
            search.includes('type=recovery') && 
            search.includes('token') && 
            !hash.includes('reset-callback')) {
            window.location.replace('/#/reset-callback' + search);
        }
    });
</script>

This workaround shouldn't be necessary if the redirect URL was handled consistently.
@jacoplane jacoplane added the bug Something isn't working label Nov 7, 2024
@encima encima transferred this issue from supabase/supabase Nov 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jacoplane