fix(e2e): widen password reset link extraction for Supabase format variance (PP-q9r) #1279
…abase email formats (PP-q9r)

The PASSWORD_RESET_LINK_REGEX was only matching href attributes in HTML containing /auth/v1/verify. Newer GoTrue versions (used in CI via supabase/setup-cli@version:latest) may use a different email link format — either a plain-text URL, a token_hash variant, or a direct /auth/callback URL.

Add two additional extraction strategies after the original href regex:
- Strategy 2: bare URL with /auth/v1/verify (covers plain-text and single-quote href variants)
- Strategy 3: direct /auth/callback URL (covers newer Supabase formats that embed the callback URL directly in the email)

Also log the full message body (HTML + Text), headers, and ID to console.error when all strategies fail, so future CI flakes are immediately diagnosable without having to grep through hundreds of lines of webserver logs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
This PR improves the resilience of the E2E password reset flow by broadening how the test helper extracts the Supabase password reset URL from Mailpit emails, accounting for email format differences across GoTrue/Supabase versions (notably in CI).
Changes:
- Expanded getPasswordResetLink() to try multiple extraction strategies (/auth/v1/verify via href, then any verify URL, then /auth/callback).
- Added failure diagnostics that print message metadata and bodies to help debug CI-only flakes.
…redact tokens in logs (PP-q9r)

Two improvements from code review:
1. Strategy 2 and 3 now search HTML and text bodies independently (using ?? rather than htmlBody||textBody), so a non-empty HTML part no longer hides a link that appears only in the plain-text body.
2. The failure diagnostic log now redacts one-time token values (token=, token_hash=, code= query params are replaced with [REDACTED]) before printing, preventing accidental secret leakage into CI logs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…PP-q9r)

Iteration 2 — actual CI email format diagnosed via the iteration 1 diagnostics. Current Supabase GoTrue serves password reset links from /verify (no /auth/v1/ prefix), and the redirect_to /auth/callback URL appears only URL-encoded as a query parameter.

Updated all three strategies:
- Strategy 1 (href in HTML): now matches /verify?...type=recovery
- Strategy 2 (bare URL): now matches /verify?...type=recovery in either body
- Strategy 3 (callback URL): kept unchanged as defensive coverage for any future format where the callback URL appears directly

type=recovery disambiguates from signup/invite emails that also hit /verify but with type=signup or type=invite.

Verified: 3/3 local Chromium runs pass for the password reset spec.
Summary
- email-and-notifications.spec.ts:717 consistently failing in CI with "Password reset link not found in email body"
- PASSWORD_RESET_LINK_REGEX only matched href="..." patterns in HTML; newer GoTrue versions used via supabase/setup-cli@version:latest in CI may produce different email formats

What changed
e2e/support/mailpit.ts — getPasswordResetLink

Before: single PASSWORD_RESET_LINK_REGEX matching only href attributes in HTML body.

After: three strategies tried in order:
- href="...auth/v1/verify..." regex in HTML (strategy 1 — handles current format)
- /auth/v1/verify anywhere in HTML or plain-text body (strategy 2 — handles plain-text emails and single-quote href variants)
- /auth/callback URL (strategy 3 — handles newer Supabase formats that embed the callback URL directly in the email)

On final failure, logs message ID, subject, recipients, date, and full HTML + text bodies to console.error so future CI failures are immediately diagnosable.

Root cause confidence
The exact email format used in CI could not be directly observed (CI-only failure). Evidence:
- version: latest which pulls newer GoTrue; format variance between local cached images and CI latest is the most likely cause

Test plan
- pnpm exec playwright test e2e/full/email-and-notifications.spec.ts -g "password reset flow" --project=chromium --repeat-each=3 passes 3/3 locally
- pnpm run check clean (1013 unit tests pass, typecheck clean, lint clean)

Fixes #PP-q9r
🤖 Generated with Claude Code
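The behaviour the commits describe (independent search of both bodies, type=recovery disambiguation, the /auth/callback fallback, and token redaction before logging), as an added TypeScript example that is not the project's e2e/support/mailpit.ts code. It parses candidate URLs instead of using the PR's regexes; the function names, sample bodies, hosts and token values are constructed assumptions.

```typescript
// Added example: names below are hypothetical, not taken from e2e/support/mailpit.ts.

// Query parameters the PR names as carrying one-time secrets.
const SECRET_PARAMS = "token_hash|token|code";

// Replace one-time token values with [REDACTED] before a body is logged.
// The name may follow "?", "&" or the ";" that ends an HTML-escaped "&amp;".
function redactTokens(body: string): string {
  const re = new RegExp("([?&;](?:" + SECRET_PARAMS + ")=)[^&\\s\"'<>#]+", "gi");
  return body.replace(re, "$1[REDACTED]");
}

// Return the first /verify link with type=recovery, or a direct /auth/callback
// link as a fallback. Each body is searched on its own, so a non-empty HTML
// part cannot hide a link that exists only in the plain-text part.
function extractRecoveryLink(html: string | null, text: string | null): string | null {
  let callback: string | null = null;
  for (const body of [html, text]) {
    if (!body) continue;
    const candidates = body.match(/https?:\/\/[^\s"'<>]+/g) ?? [];
    for (const candidate of candidates) {
      // Undo HTML escaping and drop sentence punctuation glued to the URL.
      const raw = candidate.replace(/&amp;/g, "&").replace(/[).,]+$/, "");
      let url: URL;
      try { url = new URL(raw); } catch { continue; }
      // signup/invite emails also hit /verify, so the type parameter decides.
      const isVerify = /\/verify$/.test(url.pathname);
      if (isVerify && url.searchParams.get("type") === "recovery") return raw;
      if (callback === null && /\/auth\/callback$/.test(url.pathname)) callback = raw;
    }
  }
  return callback;
}

// Build the failure diagnostic without leaking tokens into CI logs.
function failureReport(html: string | null, text: string | null): string {
  return "HTML:\n" + redactTokens(html ?? "(empty)") +
    "\nText:\n" + redactTokens(text ?? "(empty)");
}

// Constructed sample bodies (not captured from a real run).
const RECOVERY_TEXT =
  "Reset: http://127.0.0.1:54321/verify?token=constructed456&type=recovery" +
  "&redirect_to=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcallback.";
const SIGNUP_HTML =
  '<a href="http://127.0.0.1:54321/verify?token=constructed123&amp;type=signup">Confirm</a>';
```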