Skip to content

Clicking magic link twice logs user out via _removeSessionย #1685

New issue
New issue
Open
Open
Clicking magic link twice logs user out via _removeSession#1685
Labels
auth-jsRelated to the auth-js library.bugSomething isn't working
@taylorhakes

Description

@taylorhakes
taylorhakes
opened on Jan 23, 2025

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

A clear and concise description of what the bug is.

To Reproduce

  1. Send a Magic Link to a user email
  2. Click on the magic link in the email (user is now logged in)
  3. User clicks magic link again (User becomes logged out)

Expected behavior

The user is logged out when a user clicks a magic link twice. It should keep the user logged in because they already have a valid session from the first magic link click.

Here is the offending line:

// failed login attempt via url,
// remove old session as in verifyOtp, signUp and signInWith*
await this._removeSession()

https://github.com/supabase/auth-js/blob/master/src/GoTrueClient.ts#L340

Screenshots

N/A

System information

All systems

Additional context

There was a previous attempt to fix issues like this here. @kangmingtay was this missed or was there a reason to not remove the _removeSession for url based logins?
supabase/auth-js#915

Metadata

Metadata

Assignees

No one assigned

    Labels

    auth-jsRelated to the auth-js library.bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions