Fix magic link submission getting stuck in production #31

Merged
DongDuong2001 merged 2 commits into main from fix-magic-link-auth-flow on May 25, 2026

@DongDuong2001 DongDuong2001 commented May 25, 2026

Collaborator

Summary

Fixes the login/signup magic link flow getting stuck at Sending... in production.

Changes

  • add /api/auth/magic-link server route for Supabase OTP requests
  • move browser magic link submission through the internal API
  • add a 15s client timeout so the UI can recover instead of staying stuck
  • return clear API errors for validation, rate limit, missing config, and Supabase failures

Verification

  • npm.cmd exec eslint app/api/auth/magic-link/route.ts lib/features/auth/auth-service.ts app/login/page.tsx app/signup/page.tsx
  • npm.cmd run build

Summary by CodeRabbit

  • New Features
    • Added magic-link email authentication for secure, password-free login. Users receive verification links via email to complete authentication. The system includes rate limiting and comprehensive error handling.

@DongDuong2001 DongDuong2001 self-assigned this May 25, 2026
vercel Bot commented May 25, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

  • Project: lab68dev-platform-1ds5
  • Deployment: Ready
  • Actions: Preview, Comment
  • Updated (UTC): May 25, 2026 12:05pm

supabase Bot commented May 25, 2026

This pull request has been ignored for the connected project xafgcrldyuapvnimoler because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings.

Preview Branches by Supabase.
Learn more about Supabase Branching.

coderabbitai Bot commented May 25, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5b4ff1d7-045c-4dd2-8e66-522c67e39257

📥 Commits

Reviewing files that changed from the base of the PR and between 86d82ba and d64a674.

📒 Files selected for processing (2)
  • app/api/auth/magic-link/route.ts
  • lib/features/auth/auth-service.ts

📝 Walkthrough

This PR introduces server-side magic-link email authentication. A new API route handles rate limiting, email validation, and Supabase OTP dispatch. The frontend auth service is updated to call this route via fetch instead of directly invoking Supabase, adding timeout protection and defensive response parsing.

Changes

Magic-Link Email Authentication

Layer: Email validation and request origin utilities
File(s): app/api/auth/magic-link/route.ts
Summary: isValidEmail validates email format by checking @ position, domain length, spaces, and dot in domain. getRequestOrigin extracts the base URL from x-forwarded-* headers or falls back to request URL origin.

Layer: Magic-link API route with rate limiting and OTP dispatch
File(s): app/api/auth/magic-link/route.ts
Summary: POST handler applies loginRateLimit and returns 429 with lock timing if blocked. Parses request body, normalizes and validates email, returning 400 for invalid/missing email. Checks Supabase environment variables, constructs a Supabase client with session persistence disabled, calls supabase.auth.signInWithOtp with emailRedirectTo set to computed origin, and returns success or error JSON. Catches and logs exceptions as 500 errors.

Layer: Auth service updated to use magic-link endpoint
File(s): lib/features/auth/auth-service.ts
Summary: signInWithOtp now fetches /api/auth/magic-link instead of calling Supabase directly. Creates AbortController with 15-second timeout, handles AbortError for timeout messaging, defensively parses JSON response, checks HTTP status and result.success, and clears timeout in finally. rememberMe localStorage update retained within the new flow.

Sequence Diagram

sequenceDiagram
  participant Browser as Browser / signInWithOtp
  participant Endpoint as POST /api/auth/magic-link
  participant RateLimit as Rate Limiter
  participant Validator as Email Validator
  participant Supabase as Supabase Auth
  
  Browser->>Endpoint: fetch POST with email
  Endpoint->>RateLimit: check loginRateLimit
  alt Rate Limited
    RateLimit-->>Endpoint: return lock state
    Endpoint-->>Browser: 429 error
  else Allowed
    RateLimit-->>Endpoint: proceed
    Endpoint->>Validator: normalize & validate email
    alt Invalid Email
      Validator-->>Endpoint: validation failed
      Endpoint-->>Browser: 400 error
    else Valid Email
      Validator-->>Endpoint: email valid
      Endpoint->>Supabase: signInWithOtp with emailRedirectTo
      Supabase-->>Endpoint: success or error response
      alt OTP Success
        Endpoint-->>Browser: 200 with check email message
      else OTP Error
        Endpoint-->>Browser: 400 with error message
      end
    end
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A magic link hops to the inbox with care,
Rate-limited bounces keep bots from the lair,
Email validation, then Supabase sings,
The frontend now trusts the new route it brings,
With timeout and parsing, no errors sneak through—hop hop! 🌟

@DongDuong2001 DongDuong2001 marked this pull request as ready for review May 25, 2026 12:08
@DongDuong2001 DongDuong2001 merged commit 215f566 into main May 25, 2026
10 of 11 checks passed
@DongDuong2001 DongDuong2001 deleted the fix-magic-link-auth-flow branch May 25, 2026 12:09
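
The walkthrough above describes isValidEmail and getRequestOrigin, whose result is passed to Supabase as emailRedirectTo. The TypeScript below is an added example, not code from this PR or the project: it applies the same checks and accepts an origin built from x-forwarded-* headers only when it is on an allow-list, since those headers are only as trustworthy as the proxy that sets them. ALLOWED_ORIGINS, firstValue, resolveRedirectOrigin, planMagicLink, the example.test hosts and this isValidEmail body are hypothetical.

```typescript
// Added example: hypothetical names and values, not the project's route.ts.
type HeaderBag = Record<string, string | undefined>;
type Decision = { status: 200 | 400; emailRedirectTo?: string; error?: string };

// Constructed allow-list of origins a magic link may redirect to.
const ALLOWED_ORIGINS: ReadonlyArray<string> = [
  "https://app.example.test",
  "http://localhost:3000",
];

// Shape checks named in the walkthrough: "@" position, spaces, domain length, dot in domain.
function isValidEmail(email: string): boolean {
  if (/\s/.test(email)) return false;
  const at = email.indexOf("@");
  if (at < 1 || at !== email.lastIndexOf("@")) return false;
  const domain = email.slice(at + 1);
  const endsWithDot = domain.charAt(domain.length - 1) === ".";
  return domain.length >= 3 && domain.indexOf(".") > 0 && !endsWithDot;
}

// First entry of a possibly comma-separated forwarded header, trimmed and lower-cased.
function firstValue(value: string | undefined): string {
  return ((value ?? "").split(",")[0] ?? "").trim().toLowerCase();
}

// Compute the origin from x-forwarded-* headers, else from the request URL.
// Return it only when allow-listed; null tells the caller to refuse the request.
function resolveRedirectOrigin(headers: HeaderBag, requestUrl: string): string | null {
  const host = firstValue(headers["x-forwarded-host"]);
  const proto = firstValue(headers["x-forwarded-proto"]) || "https";
  const fromUrl = /^(https?:\/\/[^\/?#]+)/i.exec(requestUrl);
  const candidate = host ? `${proto}://${host}` : (fromUrl?.[1] ?? "").toLowerCase();
  return ALLOWED_ORIGINS.indexOf(candidate) !== -1 ? candidate : null;
}

// Decide the response before any OTP e-mail is requested from the auth provider.
function planMagicLink(rawEmail: unknown, headers: HeaderBag, requestUrl: string): Decision {
  const email = typeof rawEmail === "string" ? rawEmail.trim().toLowerCase() : "";
  if (!isValidEmail(email)) return { status: 400, error: "Invalid email" };
  const origin = resolveRedirectOrigin(headers, requestUrl);
  if (origin === null) return { status: 400, error: "Untrusted request origin" };
  return { status: 200, emailRedirectTo: origin };
}
```

In a route handler, a 200 decision is the point at which the OTP request would be sent with the returned emailRedirectTo; a 400 decision returns before any e-mail is requested.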