mirror of
https://github.com/Significant-Gravitas/AutoGPT.git
synced 2026-02-12 07:45:14 -05:00
## Changes 🏗️

### Root Cause

With httpOnly cookies, the Supabase client can't automatically exchange password reset codes for sessions client-side because it can't access the secure cookies 🍪 (_which is a good thing_). Previously, when users clicked email reset links, the Supabase client on the browser would automatically handle the code exchange, but with `httpOnly` this is not possible because the Supabase browser client does not have access to session info, so it fails silently 🥵

### Solution

Moved password reset code exchange to server-side middleware that can access `httpOnly` cookies and properly create authenticated sessions.

### Code Changes

**`middleware.ts`**
- intercepts `/reset-password` URLs containing `code` parameter
- uses helper function to exchange code for session server-side
- redirects with error parameters if exchange fails
- moved `getUser()` call to avoid middleware timing issues

**`reset-password/page.tsx`**
- added toast notifications for password reset errors
- checks URL parameters for error messages on page load

## Checklist 📋

### For code changes:
- [x] I have clearly listed my changes in the PR description
- [x] I have made a test plan
- [x] I have tested my changes according to the test plan:
  - [x] Password reset emails send successfully
  - [x] Valid reset codes exchange for sessions server-side
  - [x] Invalid/expired codes show error messages via toast
  - [x] Successfully authenticated users can change passwords
  - [x] URL parameters are cleaned up after error display
  - [x] Middleware doesn't break normal authentication flows

### For configuration changes:

For this to work we need to configure Supabase with the new password-reset redirect URL.

```
/api/auth/callback/reset-password
```

- [x] Already added in Supabase dev
- [ ] We need to add it on Supabase prod