Feat: Custom OTP PKCE flow + Improve error logging in authentication flow & handle supabase rate-limit error#89
This commit updates the error handling in the authentication process by replacing `logError` with `console.error` for better visibility of errors during code exchange and password reset actions. Additionally, it removes an unused import of `AUTH_URLS` to streamline the code.
| if (error) { | ||
| logError( | ||
| console.error( |
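Review bot: swapping `logError(` for `console.error(` on the code-exchange error path bypasses whatever structure the project logger adds (error code tagging, consistent formatting), so these failures will no longer look like the rest of the auth logs to whoever greps or aggregates them. If the logger cannot take an Error instance, the fix belongs in the logger (serialize `message`, `status` and `stack` before formatting) rather than at each call site, otherwise every future call site will make the same trade.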
why change from logError > console.error?
the logger is nice when the args do not include a class instance (error in this case). i am about to fix this but in another pr.
| if (error) { | ||
| console.error(ERROR_CODES.SUPABASE, 'Error resetting password:', error) | ||
| if (error.message.includes('security purposes')) { | ||
| return returnServerError( |
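Review bot: the rate-limit detection at `if (error.message.includes('security purposes'))` keys on the provider's human-readable message, which is not a stable contract and will silently stop matching if Supabase rewords it; the later confirm-route commit on this PR already branches on the error status, and the same approach fits here (check the status first, keep the substring match only as a fallback). Separately, `return returnServerError(` reads as if the helper returns a value while it actually throws; dropping the `return` or naming the helper `throwServerError` would make the control flow visible to the next reader.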
do you need to return here? returnServerError throws
no, it's just a convenient wrapper i am using because next-safe-action also has returnValidationError().
returnServerError actually also just throws under the hood since this is the way the actionClient is configured
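The reset-password action above detects the Supabase rate limit by substring-matching the error message. The following is an added example (not code from the PR or the e2b project) of classifying that error with the status as the primary signal and the `'security purposes'` substring from the PR as a fallback, then mapping it to a user-facing message. Assumptions: the error object exposes `status` and `message` as the Supabase client's `AuthError` does, `429` is the rate-limit status, and the "after N seconds" wording used to extract a retry hint is the assumed provider text; the raw provider message stays in server logs and is never echoed to the client.

```typescript
// Added example, not the PR's code. Classifies a Supabase-style auth error
// from the reset-password action and produces a safe message for the user.
interface AuthErrorLike {
  status?: number; // HTTP status as exposed by the client's AuthError (assumed)
  message: string; // provider message; logged server-side, never sent to the client
}

type AuthFailure =
  | { kind: "rate_limited"; retryAfterSeconds: number | null }
  | { kind: "failed" };

// Status-first classification: 429 is the stable signal. The substring match
// mirrors the PR's check and only covers clients that do not surface a status.
function classifyAuthError(err: AuthErrorLike): AuthFailure {
  const looksRateLimited =
    err.status === 429 || err.message.includes("security purposes");
  if (!looksRateLimited) return { kind: "failed" };

  // Assumed provider wording: "... you can only request this after N seconds".
  // Extracting N lets the UI give a concrete wait time without leaking the text.
  const match = err.message.match(/after (\d+) seconds/);
  return {
    kind: "rate_limited",
    retryAfterSeconds: match ? Number(match[1]) : null,
  };
}

// Generic messages only: the provider text can reveal internals (or whether an
// account exists), so the client gets a fixed string per failure class.
function userFacingMessage(failure: AuthFailure): string {
  switch (failure.kind) {
    case "rate_limited":
      return failure.retryAfterSeconds !== null
        ? `Too many requests. Please try again in ${failure.retryAfterSeconds} seconds.`
        : "Too many requests. Please try again shortly.";
    case "failed":
      return "We could not process your request. Please try again.";
  }
}

// Server-side handling sketch: log the full error with its code, return only
// the classified message to the caller.
function handleResetPasswordError(err: AuthErrorLike): string {
  console.error("SUPABASE", "Error resetting password:", err.status, err.message);
  return userFacingMessage(classifyAuthError(err));
}
```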
@mishushakov fyi - i will probably extend this PR in the next iterations, so let's not merge yet
This commit updates the authentication confirmation route by introducing better handling of redirect URLs based on the type of authentication request. It adds logging for successful and error cases, ensuring clearer visibility of the authentication process. Additionally, the `createRouteClient` function is modified to accept an optional `NextResponse` parameter, allowing for more flexible cookie management during authentication operations.
This commit improves the logic for determining redirect URLs in the authentication confirmation process. It introduces checks for absolute URLs and refines the handling of the 'next' parameter, ensuring that recovery requests without a specified destination correctly redirect to the password reset page. This change aims to streamline user navigation during authentication flows.
…onfirmation route This commit enhances the error handling for OTP verification by providing more specific error messages based on the error status. It also updates the response cookie management to support domain-specific settings for absolute redirect URLs, improving the overall user experience during the authentication process.
This PR refactors our authentication flow to improve both user experience and security. Key changes:
- Hardened redirect logic in the auth callback & confirm routes (origin checks, graceful fallbacks).
- Enhanced server-side logging for easier debugging of auth issues.
…ameter handling
- Renaming variables for clarity and consistency.
- Adding validation for required parameters before processing.
- Streamlining the redirect logic based on the type of authentication request.
…cation confirmation route
- Introduced Zod schema for validating request parameters.
- Improved error logging for invalid parameters and OTP verification.
- Streamlined redirect logic based on authentication type and next URL handling.
… normalize trailing slashes
- Added logging for OAuth sign-in actions to improve traceability.
- Introduced a new utility for error handling during the code exchange process, enhancing redirect logic for error scenarios.
…ion route
- Replaced `createRouteClient` with `createClient` for improved client instantiation.
- Removed the deprecated `createRouteClient` function to streamline the codebase.
…flow & handle supabase rate-limit error (e2b-dev#89)

This PR features a new custom OTP PKCE flow under `/api/auth/confirm`, which we can use to route password reset and first-time e-mail sign-up e-mail URLs to. Also this PR improves the error logging inside `/api/auth/callback` and adds explicit error handling for Supabase request-password rate-limit errors, to inform the user about this state. The old `/api/auth/callback` will eventually be removed when we ensure it isn't used anymore.

**Migration Strategy**

Replace the confirmationUrl value inside our Supabase "Reset Password" and "Confirm Sign-Up" with the following when this PR is deployed:

**Reset Password** `{{ .SiteURL }}/api/auth/confirm?token_hash={{ .TokenHash }}&type=recovery&next={{ .RedirectTo }}&confirmation_url={{ .ConfirmationURL }}`

**Confirm Sign-Up** `{{ .SiteURL }}/api/auth/confirm?token_hash={{ .TokenHash }}&type=email&next={{ .RedirectTo }}&confirmation_url={{ .ConfirmationURL }}`
This PR features a new custom OTP PKCE flow under `/api/auth/confirm`, which we can use to route password reset and first-time e-mail sign-up e-mail URLs to. Also this PR improves the error logging inside `/api/auth/callback` and adds explicit error handling for Supabase request-password rate-limit errors, to inform the user about this state. The old `/api/auth/callback` will eventually be removed when we ensure it isn't used anymore.

**Migration Strategy**

Replace the confirmationUrl value inside our Supabase "Reset Password" and "Confirm Sign-Up" with the following when this PR is deployed:

**Reset Password**

`{{ .SiteURL }}/api/auth/confirm?token_hash={{ .TokenHash }}&type=recovery&next={{ .RedirectTo }}&confirmation_url={{ .ConfirmationURL }}`

**Confirm Sign-Up**

`{{ .SiteURL }}/api/auth/confirm?token_hash={{ .TokenHash }}&type=email&next={{ .RedirectTo }}&confirmation_url={{ .ConfirmationURL }}`
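The confirm route described in this PR takes `token_hash`, `type` and `next` from the e-mail link, validates them before OTP verification, and then resolves `next` with origin checks, fallbacks per flow and trailing-slash normalization. The following is an added example (not code from the PR or the e2b project) of that parameter validation and redirect resolution. Assumptions: the deployment origin is passed in as `origin`, the default destinations in `DEFAULT_NEXT` are placeholder paths, `token_hash` is treated as an opaque string (presence and a length cap only), and Zod is replaced by hand-written checks so the block runs without dependencies.

```typescript
// Added example, not the PR's code: validating /api/auth/confirm parameters
// and resolving a same-origin redirect for the `next` value.
type OtpType = "recovery" | "email"; // the two types used in the PR's templates

interface ConfirmParams {
  tokenHash: string;
  type: OtpType;
  next: string | null;
}

type ParseResult =
  | { ok: true; params: ConfirmParams }
  | { ok: false; reason: string };

// Assumed default destination per flow (placeholder paths): a recovery link
// without a `next` lands on the password reset page, as the PR describes.
const DEFAULT_NEXT: Record<OtpType, string> = {
  recovery: "/reset-password",
  email: "/dashboard",
};

function isOtpType(value: string | null): value is OtpType {
  return value === "recovery" || value === "email";
}

// Validate the required parameters before any OTP verification is attempted,
// so malformed links fail fast and are logged as invalid input rather than as
// verification errors.
function parseConfirmParams(search: URLSearchParams): ParseResult {
  const tokenHash = search.get("token_hash");
  const type = search.get("type");
  if (!tokenHash || tokenHash.length > 512) {
    return { ok: false, reason: "missing or oversized token_hash" };
  }
  if (!isOtpType(type)) {
    return { ok: false, reason: "unsupported type" };
  }
  return { ok: true, params: { tokenHash, type, next: search.get("next") } };
}

// Resolve `next` to an absolute URL on our own origin. Anything that does not
// resolve there (absolute URLs to other hosts, protocol-relative //host paths,
// javascript: URLs, unparsable input) falls back to the flow's default page,
// so the confirm link cannot be turned into an open redirect. Comparing
// URL.origin rather than string prefixes is what makes this robust: a
// startsWith(origin) test would accept "https://app.example.evil.com".
function resolveRedirect(next: string | null, type: OtpType, origin: string): string {
  const base = new URL(origin);
  const fallback = new URL(DEFAULT_NEXT[type], base).toString();
  if (!next) return fallback;

  let candidate: URL;
  try {
    candidate = new URL(next, base); // relative paths resolve against our origin
  } catch {
    return fallback;
  }
  if (candidate.origin !== base.origin) return fallback;

  // Normalize trailing slashes so "/dashboard/" and "/dashboard" are one route.
  candidate.pathname = candidate.pathname.replace(/\/+$/, "") || "/";
  // Strip anything that should not ride along into the redirect target.
  candidate.username = "";
  candidate.password = "";
  candidate.hash = "";
  return candidate.toString();
}
```

`resolveRedirect` is called only after `parseConfirmParams` succeeded and the OTP was verified; on a parse failure the route should log the reason and redirect to an error page with a fixed message rather than reflecting the offending `next` value.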