signInWithOtp - First OTP always expired

[florianwalther-private]

Bug report

Describe the bug

When I use signInWithOtp, using an actual OTP and not the magic link, the first code is almost always expired when I use it in verifyOtp. Only when I request a new code (using signInWithOtp again), do I get a working one. It happens in development and production.

To Reproduce

1. Sign in with OTP (this happens inside a modal dialog):

const { error } = await supabaseClient.auth.signInWithOtp({
    email: email,
    options: { data: { ...Object.fromEntries(gameStats) } }
});

2. Verify the OTP (this happens in another modal):

const { error } = await supabaseClient.auth.verifyOtp({ email: emailToVerify, token: otp, type: "magiclink" });

3. The verify method throws an error (expired OTP) -> repeat steps 1 & 2 in the exact same way, now it works (the second OTP is valid).

Expected behavior

The first OTP should work.

System information

• OS: Windows
• Browser: Chrome
• Versions:
• "@supabase/auth-helpers-nextjs": "^0.5.2"
• "@supabase/auth-helpers-react": "^0.3.1"
• "@supabase/supabase-js": "^2.2.1"

Additional context

I'm using React + NextJS together with Supabase's helper packages.

[ZHRhodes]

Still an issue on supabase-js 2.10.0

[jaredramirez]

We've been hitting this as well, not through the supabase-js client library but directly through the REST API. Reliably the 1st OTP is invalid, then subsequent OTPs work correctly. Also using the latest types sms and email (not magiclink)

[rdewolff]

Could this be related to this similar issue supabase/supabase#18832 ?

[rdewolff]

Maybe due to the "(this happens in another modal)" part 🤔