The event PASSWORD_RECOVERY does not always fire

[tequila99]

When you recover a password, a user application receives two events (SIGN_IN and PASSWORD_RECOVERY) . If the handler of the first event (SIGN_IN) changes window.location.href (a redirect occurs, for example), then the second event (PASSWORD_RECOVERY) does not fire.

There is the code in GoTrueClient.ts:

if (options?.storeSession) {
  this._saveSession(session)
  this._notifyAllSubscribers('SIGNED_IN')
  if (getParameterByName('type') === 'recovery') {
    this._notifyAllSubscribers('PASSWORD_RECOVERY')
  }
}

I suppose the following code (or something similar) can fix this problem

if (options?.storeSession) {
  this._saveSession(session)
  const recoveryMode = getParameterByName('type')
  this._notifyAllSubscribers('SIGNED_IN')
  if (recoveryMode === 'recovery') {
    this._notifyAllSubscribers('PASSWORD_RECOVERY')
  }
}

Thanks

[mryechkin]

I'm running into a similar issue as well, and I'm wondering if this change could help address it. In my mind the SIGN_IN event shouldn't even fire before PASSWORD_RECOVERY (and INIT if that PR is accepted).

Otherwise as you said, if the SIGN_IN event handler does a redirect or something similar, then even if the PASSWORD_RECOVERY event does fire, the app may no longer be in the desired state. Users should be in the Update Password flow, rather than the "Authenticated" state - which is what happens right now in this case.

[awalias]

fixed here #142