Description
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
The implicit flow for password reset is not working properly in the Safari browser. When users click on a password reset link in Safari, they are not automatically signed in as expected, which causes an AuthSessionMissingError when attempting to call updateUser() to change the password. This issue is specific to Safari; the flow works correctly in other browsers (Firefox, Chrome).
The problem occurs during the implicit flow password reset process as described in the Supabase documentation, where the user should be automatically signed in when opening the reset link.
Code snippet of the password reset handler:
```ts
// +page.server.ts
import { fail } from '@sveltejs/kit'
// validateFormData and passwordActionSchema are the application's own helpers (not shown)

export const actions = {
  default: async ({ request, locals }) => {
    const data = await request.formData()
    const values = await validateFormData(passwordActionSchema, data)

    // This fails in Safari with AuthSessionMissingError
    const updateResponse = await locals.supabase.auth.updateUser({
      password: values.password
    })

    if (updateResponse.error != null) {
      return fail(400, { error: updateResponse.error.message })
    }

    return { success: true }
  },
}
```

To Reproduce
Steps to reproduce the behavior:
- Set up a SvelteKit application with Supabase auth using implicit flow for password reset
- Trigger a password reset email for a user account
- Open the password reset link in the Safari browser on macOS or iOS
- Attempt to submit the password reset form
- Observe that AuthSessionMissingError is thrown when calling supabase.auth.updateUser({ password: newPassword })
The issue occurs when calling locals.supabase.auth.updateUser({ password: values.password }) in the server-side form handler, which fails in Safari with AuthSessionMissingError but works correctly in other browsers.
Expected behavior
When opening a password reset link in Safari (or any browser), the user should be automatically signed in via the implicit flow, allowing them to successfully call updateUser() to change their password without encountering AuthSessionMissingError.
Screenshots
System information
- OS: macOS, iOS
- Browser: Safari
- Version of supabase-js: 2.75.1
- Version of Node.js: 22.13.1