supabase: Signup confirmation email link buggy on second click

Bug report

Describe the bug

If I click the account confirmation link again after confirming, I get an ugly JSON 404 response. Since this is user-facing, it can be confusing. The JSON response looks like this: {"code":404,"msg":"User not found"}.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Sign up as a user of a Supabase app (triggered by supabase.auth.signup())
  2. Open the confirmation email and click the link, and find yourself in the app as expected
  3. Go back to the mailbox and click the link again (say I forgot if I clicked it or not)
  4. End up on the error message above

Expected behavior

A proper HTML page with a meaningful message would be better. Maybe “you’ve already confirmed your account”?

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 15 (5 by maintainers)

Most upvoted comments

What is the status on this? The PRs mentioned above were merged but it still happens.

understand

Double-clicking to confirm it returns the error.

{"code":404,"msg":"User not found"}

@kiwicopple . can we make a lake to deal with this error?

** if the token does not exist, just redirect to the site

@awalias I see it’s closed, but since this is the only place I found when googling, for benefit of others:

When clicking on the {{ .ConfirmationURL }} a second time from the email, the user gets redirected to a URL which includes:

#error=unauthorized_client&error_code=401&error_description=Email+link+is+invalid+or+has+expired

Now I didn’t test how it looks when you click on it when it’s actually expired*. The error_description says “invalid+or+has+expired”, so I wonder how do I know which one it is? Because I need to show different things to the user. (Unless you can advise me if I need to do it, it’s a smell that my auth flow is bad…?)

*Btw, is this controlled by Auth settings > User Sessions > JWT expiry limit?

Appears to be fixed now, I get redirected to “<SITE_URL>/#error_code=404&error_description=Confirmation+Token+not+found”

Is it possible to handle stale magic links w/ a redirect URL, e.g. to a signup page?

I was just looking at the code in gotrue to understand what is happening. I don’t speak Go, but it seems that this line is where the issue is. I’m seeing a 404 JSON, but maybe a more user-friendly page that shows HTML instead of JSON would be easier. Or redirect to the siteURL with an extra param so we can handle it in the app.
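Handling the redirect fragments quoted in the comments above inside the app, as an added example that is not part of the original thread or Supabase's own code: it classifies the fragment and returns a fixed, app-owned message instead of echoing `error_description`, because anyone can craft a link to the site with arbitrary fragment text. The function name, the `kind` labels and the message wording are assumptions; the two recognised fragments are the ones reported in this thread.

```javascript
// Fixed messages owned by the app. Text from the URL fragment is never shown
// to the user, so a crafted link cannot inject markup or spoofed instructions.
const MESSAGES = {
  link_invalid_or_expired:
    'This link is no longer valid. If you already confirmed your account, sign in.',
  token_not_found:
    'This confirmation link was already used or does not exist. Try signing in.',
  unknown: 'We could not complete that request. Please sign in or request a new link.',
};

// Descriptions exactly as reported in the thread, keyed by error_code.
const KNOWN = {
  401: { 'Email link is invalid or has expired': 'link_invalid_or_expired' },
  404: { 'Confirmation Token not found': 'token_not_found' },
};

// Returns null when the fragment carries no error, otherwise
// { kind, code, message } with message taken from MESSAGES only.
function parseAuthRedirectError(hash) {
  const raw = String(hash || '').replace(/^#/, '');
  if (!raw) return null;

  const params = new URLSearchParams(raw); // decodes "+" as a space
  const codeText = params.get('error_code');
  if (codeText === null && params.get('error') === null) return null;

  // Accept only a three-digit status; anything else is treated as unknown.
  const code = /^\d{3}$/.test(codeText || '') ? Number(codeText) : null;
  const description = params.get('error_description') || '';

  const byCode = code !== null && Object.hasOwn(KNOWN, code) ? KNOWN[code] : {};
  const kind = Object.hasOwn(byCode, description) ? byCode[description] : 'unknown';

  return { kind, code, message: MESSAGES[kind] };
}

// Browser usage (assumes an element with id "auth-error" exists):
//   const err = parseAuthRedirectError(window.location.hash);
//   if (err) document.getElementById('auth-error').textContent = err.message;
```

The 401 description covers both "invalid" and "expired", so the two cases cannot be told apart from the fragment alone; the example keeps them as one `kind`.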