https://supabase.com/ logo
#ideas-and-suggestions
Title
# ideas-and-suggestions
e

erik_flywheel

09/13/2021, 6:11 PM
Ability to update a password without using magic link & password reset email. Here are a few use cases: 1. Our mobile app doesn't have deep links, so we can't extract the user's auth token in the redirect URL. 2. Using a custom change password email from a registered email address 3. Building a custom change password process into an app that doesn't require email
s

silentworks

09/14/2021, 4:28 PM
@User and @User move your conversations here please
k

Kylar

09/14/2021, 4:34 PM
I don't think an auth provider should give the developers the ability to reset my password without me having a say in it, and that's exactly what an endpoint without sms/email would do
+ making that call from a frontend sdk? everything client-side is vulnerable, thats why supabase relies on database RLS for the data
e

erik_flywheel

09/14/2021, 4:38 PM
I'd give the developer the discretion. I dont think the platform should prevent developers from building applications the way they want...
The real issue for this is that I can't actually use the email auth because we don't have a way to redirect the URL for our mobile app
We want to build our own process of emailing the user an OTP, not a redirect. but can't update the user (I think?) without the bearer token
k

Kylar

09/14/2021, 4:45 PM
Once they have functions, they can have an admin sdk with full permissions for stufff like this, but they absolutely cannot enable that from a client sdk imo
I'd investigate into catching the links with something like https://firebase.google.com/docs/dynamic-links. It's easy to implement and (I think) completely free
e

erik_flywheel

09/14/2021, 4:46 PM
let me check this out
s

silentworks

09/14/2021, 4:48 PM
I actually don't think its a bad idea to have a function to updatePassword from the client, Firebase does this and I think it would be good if Supabase allowed this too. I'm sure there are security measures they can take to make sure it isn't abused.
e

erik_flywheel

09/14/2021, 4:48 PM
Yeah, I dont think this works for us. We're building apps using Adalo which doesn't support deep links
s

silentworks

09/14/2021, 4:48 PM
e

erik_flywheel

09/14/2021, 4:48 PM
in order to do anything with a URL, we'll have to build a web app just for that purpose...
k

Kylar

09/14/2021, 4:49 PM
Firebase does do it but requires recent auth, and therefore doesn't work as a "recover password"
e

erik_flywheel

09/14/2021, 4:49 PM
If there was an OTP email reset that would be ideal - trigger the reset, it updates the user's password to the OTP, supabase emails the user the OTP, send the user to a form to reset the OTP
k

Kylar

09/14/2021, 4:49 PM
For recovering pwd, you'd still need email
s

silentworks

09/14/2021, 4:50 PM
@User that is true, I think it would be good to have it work exactly the same as firebase's does.
Right now there is no way to change the password without using a reset password email even if the user is logged in.
This is where I would like to see this feature working.
k

Kylar

09/14/2021, 4:54 PM
For how Erik was presenting the issue, I had in mind the "recover password" flow, not simply updating it
You do have a point in allowing an "edit password" with your custom UI, i'd just have these security considerations in mind
s

silentworks

09/14/2021, 4:55 PM
I followed his thread on twitter and I would like to think he is after what I mentioned, but @User can verify this himself if this is not the case.
k

Kylar

09/14/2021, 4:56 PM
Yeah I'm re-reading now and I did assume a recover pwd flow after he mentioned the security questions in order to verify id. I would be on board for a client-based "edit password"
e

erik_flywheel

09/14/2021, 4:57 PM
For password reset or update we would need some process that doesn't involve a URL redirect. My current problem is more reset. if you need to update it I can always push a user to just reset. If you need to reset, I cant push you to update
I can't use the magic link or password recovery built in, so for users who lose their passwords, right now they'll have to delete the account and sign up again...
I'd be happy to do an OTP email reset. If supa didn't want to provide a direct update user password api call. If I could update the user password via api, I would build my own verification process with an OTP, verify them, then have them choose a new password and update the user
for reference, we're not using any javascript. we're 100% postgrest api calls using the bash functions