New Password Change Flow #26
Description
The current “Forgot Password” flow is not functioning correctly due to how Supabase handles OTP and Magic Link authentication. At the moment:
- Supabase allows users to sign in by either entering the OTP code sent to their email or using a Magic Link.
- The current workflow takes the OTP entered by the user and logs them directly into the app.
- Supabase then marks the OTP-based sign-in as “used,” which is not the behavior we want.
- Because of this issue, the “Forgot Password” button was temporarily removed.
What Needs to Be Achieved
- The user must be redirected to a password change screen, not signed in immediately after entering the OTP.
- The user should not be considered authenticated until they successfully change their password.
- If the user tries to bypass the password change step by closing the app:
- On app reopen, their Supabase session credentials should be cleared.
- They must log in again using either their password or the OTP method.
- They should remain stuck in this flow until they complete the password change.
This ensures that the user cannot use the OTP solely to gain access without updating their password.