LinumIQ/linumiq_net-web_app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): SSR email confirmation flow

Browse Source 
- Add /auth/confirm GET route handler that verifies the signup token via
  verifyOtp({ type, token_hash }) and falls back to exchangeCodeForSession
  when a PKCE code is present. Whitelists  to same-origin paths.
- Signup: pass emailRedirectTo=<APP_URL>/auth/confirm, show a
  'check your email' confirmation state with a resend action (cooldown),
  and handle the already-registered case.
- Login: detect email_not_confirmed and offer a resend-confirmation action;
  surface verification_failed errors from the confirm route.
This commit is contained in:
Gerhard Scheikl
2026-05-31 20:38:48 +02:00
parent 8e8df7ae64
commit 37f1e7bbd5
3 changed files with 194 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/auth/confirm/route.ts
+53
View File
@@ -0,0 +1,53 @@
import { NextResponse, type NextRequest } from 'next/server';
import type { EmailOtpType } from '@supabase/supabase-js';
import { createSupabaseServerClient } from '@/lib/supabase/server';
export const runtime = 'nodejs';
export const dynamic = 'force-dynamic';
/**
* Whitelist `next` to same-origin relative paths only (open-redirect guard).
* Anything that isn't a single-slash-rooted path falls back to /dashboard.
*/
function safeNext(raw: string | null): string {
if (!raw || !raw.startsWith('/') || raw.startsWith('//')) {
return '/dashboard';
}
return raw;
}
/**
* Email confirmation / OTP verification landing route.
*
* Handles both GoTrue link styles defensively:
* - token_hash template: /auth/confirm?token_hash=<hash>&type=signup -> verifyOtp
* - PKCE/code redirect: /auth/confirm?code=<code> -> exchangeCodeForSession
*
* On success the server client persists the session cookies and we redirect to
* `next` (default /dashboard). On any failure we send the user to /login with a
* verification_failed flag so they can resend a fresh confirmation email.
*/
export async function GET(request: NextRequest) {
const url = request.nextUrl;
const token_hash = url.searchParams.get('token_hash');
const type = url.searchParams.get('type') as EmailOtpType | null;
const code = url.searchParams.get('code');
const next = safeNext(url.searchParams.get('next'));
const base = process.env.NEXT_PUBLIC_APP_URL ?? url.origin;
const supabase = createSupabaseServerClient();
if (token_hash && type) {
const { error } = await supabase.auth.verifyOtp({ type, token_hash });
if (!error) {
return NextResponse.redirect(new URL(next, base));
}
} else if (code) {
const { error } = await supabase.auth.exchangeCodeForSession(code);
if (!error) {
return NextResponse.redirect(new URL(next, base));
}
}
return NextResponse.redirect(new URL('/login?error=verification_failed', base));
}
app/login/page.tsx
+66 -1
View File
@@ -1,20 +1,47 @@
'use client'; 'use client';
import { useState, useTransition } from 'react'; import { useEffect, useState, useTransition } from 'react';
import { useRouter } from 'next/navigation'; import { useRouter } from 'next/navigation';
import Link from 'next/link'; import Link from 'next/link';
import type { AuthError } from '@supabase/supabase-js';
import { createSupabaseBrowserClient } from '@/lib/supabase/browser'; import { createSupabaseBrowserClient } from '@/lib/supabase/browser';
const RESEND_COOLDOWN = 45;
function isEmailNotConfirmed(error: AuthError): boolean {
return error.code === 'email_not_confirmed' || /not confirmed/i.test(error.message);
}
export default function LoginPage() { export default function LoginPage() {
const router = useRouter(); const router = useRouter();
const [email, setEmail] = useState(''); const [email, setEmail] = useState('');
const [password, setPassword] = useState(''); const [password, setPassword] = useState('');
const [error, setError] = useState<string | null>(null); const [error, setError] = useState<string | null>(null);
const [needsConfirm, setNeedsConfirm] = useState(false);
const [resendInfo, setResendInfo] = useState<string | null>(null);
const [cooldown, setCooldown] = useState(0);
const [isPending, startTransition] = useTransition(); const [isPending, startTransition] = useTransition();
const [isResending, startResend] = useTransition();
useEffect(() => {
const params = new URLSearchParams(window.location.search);
if (params.get('error') === 'verification_failed') {
setError(
'Email verification failed or the link expired. Sign in below to resend a confirmation email.',
);
}
}, []);
useEffect(() => {
if (cooldown <= 0) return;
const t = setTimeout(() => setCooldown((c) => c - 1), 1000);
return () => clearTimeout(t);
}, [cooldown]);
function onSubmit(e: React.FormEvent) { function onSubmit(e: React.FormEvent) {
e.preventDefault(); e.preventDefault();
setError(null); setError(null);
setResendInfo(null);
const supabase = createSupabaseBrowserClient(); const supabase = createSupabaseBrowserClient();
startTransition(async () => { startTransition(async () => {
const { error } = await supabase.auth.signInWithPassword({ const { error } = await supabase.auth.signInWithPassword({
@@ -22,7 +49,14 @@ export default function LoginPage() {
password, password,
}); });
if (error) { if (error) {
if (isEmailNotConfirmed(error)) {
setNeedsConfirm(true);
setError(
'Please confirm your email address before signing in. Check your inbox or resend the confirmation email below.',
);
} else {
setError(error.message); setError(error.message);
}
return; return;
} }
router.push('/dashboard'); router.push('/dashboard');
@@ -30,6 +64,20 @@ export default function LoginPage() {
}); });
} }
function onResend() {
setResendInfo(null);
const supabase = createSupabaseBrowserClient();
startResend(async () => {
const { error } = await supabase.auth.resend({ type: 'signup', email });
if (error) {
setError(error.message);
return;
}
setResendInfo('Confirmation email sent. Check your inbox.');
setCooldown(RESEND_COOLDOWN);
});
}
return ( return (
<div className="card"> <div className="card">
<h1>Login</h1> <h1>Login</h1>
@@ -53,6 +101,23 @@ export default function LoginPage() {
onChange={(e) => setPassword(e.target.value)} onChange={(e) => setPassword(e.target.value)}
/> />
{error && <p className="error">{error}</p>} {error && <p className="error">{error}</p>}
{resendInfo && <p className="success">{resendInfo}</p>}
{needsConfirm && (
<div className="row" style={{ marginTop: '0.75rem' }}>
<button
type="button"
className="secondary"
onClick={onResend}
disabled={isResending || cooldown > 0 || !email}
>
{cooldown > 0
? `Resend in ${cooldown}s`
: isResending
? 'Sending…'
: 'Resend confirmation email'}
</button>
</div>
)}
<div className="row" style={{ marginTop: '1rem' }}> <div className="row" style={{ marginTop: '1rem' }}>
<button type="submit" disabled={isPending}> <button type="submit" disabled={isPending}>
{isPending ? 'Signing in…' : 'Sign in'} {isPending ? 'Signing in…' : 'Sign in'}
app/signup/page.tsx
+74 -6
View File
@@ -1,41 +1,110 @@
'use client'; 'use client';
import { useState, useTransition } from 'react'; import { useEffect, useState, useTransition } from 'react';
import { useRouter } from 'next/navigation'; import { useRouter } from 'next/navigation';
import Link from 'next/link'; import Link from 'next/link';
import { createSupabaseBrowserClient } from '@/lib/supabase/browser'; import { createSupabaseBrowserClient } from '@/lib/supabase/browser';
const RESEND_COOLDOWN = 45;
export default function SignupPage() { export default function SignupPage() {
const router = useRouter(); const router = useRouter();
const [email, setEmail] = useState(''); const [email, setEmail] = useState('');
const [password, setPassword] = useState(''); const [password, setPassword] = useState('');
const [error, setError] = useState<string | null>(null); const [error, setError] = useState<string | null>(null);
const [info, setInfo] = useState<string | null>(null); const [submitted, setSubmitted] = useState(false);
const [resendInfo, setResendInfo] = useState<string | null>(null);
const [cooldown, setCooldown] = useState(0);
const [isPending, startTransition] = useTransition(); const [isPending, startTransition] = useTransition();
const [isResending, startResend] = useTransition();
useEffect(() => {
if (cooldown <= 0) return;
const t = setTimeout(() => setCooldown((c) => c - 1), 1000);
return () => clearTimeout(t);
}, [cooldown]);
function onSubmit(e: React.FormEvent) { function onSubmit(e: React.FormEvent) {
e.preventDefault(); e.preventDefault();
setError(null); setError(null);
setInfo(null); setResendInfo(null);
const supabase = createSupabaseBrowserClient(); const supabase = createSupabaseBrowserClient();
startTransition(async () => { startTransition(async () => {
const { data, error } = await supabase.auth.signUp({ const { data, error } = await supabase.auth.signUp({
email, email,
password, password,
options: {
emailRedirectTo: `${process.env.NEXT_PUBLIC_APP_URL ?? ''}/auth/confirm`,
},
}); });
if (error) { if (error) {
setError(error.message); setError(error.message);
return; return;
} }
// GoTrue returns a decoy user with an empty `identities` array when the
// email is already registered (to avoid leaking existence). Treat it as
// "already registered" and point them at login.
if (data.user && data.user.identities?.length === 0) {
setError(
'An account with this email already exists. Try signing in instead.',
);
return;
}
if (data.session) { if (data.session) {
router.push('/dashboard'); router.push('/dashboard');
router.refresh(); router.refresh();
} else { return;
setInfo('Check your email to confirm, then sign in.');
} }
setSubmitted(true);
setCooldown(RESEND_COOLDOWN);
}); });
} }
function onResend() {
setError(null);
setResendInfo(null);
const supabase = createSupabaseBrowserClient();
startResend(async () => {
const { error } = await supabase.auth.resend({ type: 'signup', email });
if (error) {
setError(error.message);
return;
}
setResendInfo('Confirmation email sent. Check your inbox.');
setCooldown(RESEND_COOLDOWN);
});
}
if (submitted) {
return (
<div className="card">
<h1>Check your email</h1>
<p>
We sent a confirmation link to <strong>{email}</strong>. Click the
link in that email to activate your account, then sign in.
</p>
{error && <p className="error">{error}</p>}
{resendInfo && <p className="success">{resendInfo}</p>}
<div className="row" style={{ marginTop: '1rem' }}>
<button
type="button"
onClick={onResend}
disabled={isResending || cooldown > 0}
>
{cooldown > 0
? `Resend in ${cooldown}s`
: isResending
? 'Sending…'
: 'Resend confirmation email'}
</button>
<Link className="muted" href="/login">
Back to login
</Link>
</div>
</div>
);
}
return ( return (
<div className="card"> <div className="card">
<h1>Sign up</h1> <h1>Sign up</h1>
@@ -60,7 +129,6 @@ export default function SignupPage() {
onChange={(e) => setPassword(e.target.value)} onChange={(e) => setPassword(e.target.value)}
/> />
{error && <p className="error">{error}</p>} {error && <p className="error">{error}</p>}
{info && <p className="success">{info}</p>}
<div className="row" style={{ marginTop: '1rem' }}> <div className="row" style={{ marginTop: '1rem' }}>
<button type="submit" disabled={isPending}> <button type="submit" disabled={isPending}>
{isPending ? 'Creating…' : 'Create account'} {isPending ? 'Creating…' : 'Create account'}