Every site_url is used as redirect_to param for auth/v1/verify #710

@MildTomato

Bug report

Describe the bug

Every site_url is used as redirect_to param for auth/v1/verify when resetting a password.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Use the code below; we are going to reset the password.

     import { createClient } from '@supabase/supabase-js'

     const supabase = createClient(
       'https://rsnibhkhsbfnncjmwnkj.supabase.co',
       'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiIsImlhdCI6MTYxNTIxNDE1MywiZXhwIjoxOTMwNzkwMTUzfQ.OQEbAaTfgDdLCCht251P2JRD3QDnui6nsU8N-tZA_Mc'
     )

     // Request a password-reset email that should redirect back to localhost
     const { error } = await supabase.auth.resetPasswordForEmail(email, {
       redirectTo: 'http://localhost:3000',
     })

  2. The gotrue route auth/v1/verify looks like this.
     Notice the comma-separated string for redirect_to:

     https://rsnibhkhsbfnncjmwnkj.supabase.co/auth/v1/verify?token=ab9b60c82d4aa0269e71ec75cd3138fb0c2f354045f7ea99ddffafbf&type=recovery&redirect_to=http://localhost:3000,https://ui.supabase.com,https://supabase.com

Expected behavior

For the actual correct redirect url to be used

System information

├── @supabase/auth-ui-react@0.2.0
├── @supabase/supabase-js@2.0.0-rc.10
├── next@12.3.1
├── react-dom@17.0.2
└── react@17.0.2

node v16.16.0

Additional context

It is quite hard to understand the difference between 'redirect urls' and 'site urls' in the gotrue config; it feels like it should just be 1 set of urls under 'allowed domains', like Firebase does it.

Maybe this is just a frontend thing though, and we need to make a better distinction or perhaps phase one of them out in favour of the other.
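
A check for the symptom reported above, as an added example that is not part of the original issue or of GoTrue's code: it parses a verify link and confirms that redirect_to holds exactly one allow-listed URL matching the one requested. The name checkVerifyLink, its return shape, and the sample link (constructed host and placeholder token) are assumptions; allow-listed URLs are assumed to contain no commas.

```javascript
// Added example: validate the redirect_to parameter of an auth/v1/verify link.
// checkVerifyLink is a hypothetical helper, not a supabase-js or GoTrue API.
function checkVerifyLink(link, expectedRedirect, allowList) {
  const raw = new URL(link).searchParams.get('redirect_to');
  if (raw === null) {
    return { ok: false, reason: 'missing redirect_to', candidates: [] };
  }

  // The bug in this issue appears as several URLs joined by commas.
  // Assumption: no legitimate redirect URL contains a comma.
  const candidates = raw.split(',').map((s) => s.trim()).filter(Boolean);
  if (candidates.length !== 1) {
    return { ok: false, reason: 'redirect_to holds multiple URLs', candidates };
  }

  let target;
  try {
    target = new URL(candidates[0]);
  } catch {
    return { ok: false, reason: 'redirect_to is not an absolute URL', candidates };
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { ok: false, reason: 'redirect_to is not http(s)', candidates };
  }

  // Compare by origin (scheme + host + port) so paths do not affect the match.
  const allowedOrigins = allowList.map((u) => new URL(u).origin);
  if (!allowedOrigins.includes(target.origin)) {
    return { ok: false, reason: 'redirect_to is not allow-listed', candidates };
  }
  if (target.origin !== new URL(expectedRedirect).origin) {
    return { ok: false, reason: 'redirect_to differs from requested URL', candidates };
  }
  return { ok: true, reason: 'single allow-listed redirect', candidates };
}

// Constructed sample input: host and token are placeholders; the redirect_to
// value is the comma-separated string shown in the issue.
const ALLOW_LIST = ['http://localhost:3000', 'https://ui.supabase.com', 'https://supabase.com'];
const BASE = 'https://project-ref.example/auth/v1/verify?token=PLACEHOLDER&type=recovery';
const REPORTED_LINK = BASE +
  '&redirect_to=http://localhost:3000,https://ui.supabase.com,https://supabase.com';
const EXPECTED_LINK = BASE + '&redirect_to=http://localhost:3000';

console.log(checkVerifyLink(REPORTED_LINK, 'http://localhost:3000', ALLOW_LIST));
console.log(checkVerifyLink(EXPECTED_LINK, 'http://localhost:3000', ALLOW_LIST));
```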
