auth.email.double_confirm_changes not working

[maximilian-hammerl]

Describe the bug

The auth.email.double_confirm_changes configuration option (https://supabase.com/docs/guides/local-development/cli/config#auth.email.double_confirm_changes) in the config.toml does not seem to work.

To Reproduce

Repository: https://github.com/maximilian-hammerl/supabase-change-email-address-example

After starting both Supabase (npm run start, and optionally npm run serve) and the frontend (npm install and npm run dev), open http://localhost:5173/

Then:

1. One the first screen click on "Register and login" (e-mail address and password are randomly generated)
2. On the second screen, request the change e-mail address links
3. On the third screen, click on any of the two links, then on "Reload user and display current e-mail address" and check that the current e-mail address has now changed to the requested e-mail address, although you only clicked on one of the two links

Expected behavior

The e-mail address of the user should only change after the user clicked on both links, not just one of them.

System information

• Version of OS: macOS 15.0.1
• Version of CLI: v1.207.9
• Version of Docker: v4.34.3
• Versions of services:

        SERVICE IMAGE      │      LOCAL       │ LINKED
  ─────────────────────────┼──────────────────┼─────────
    supabase/postgres      │ 15.1.1.78        │ -
    supabase/gotrue        │ v2.158.1         │ -
    postgrest/postgrest    │ v12.2.0          │ -
    supabase/realtime      │ v2.30.34         │ -
    supabase/storage-api   │ v1.11.13         │ -
    supabase/edge-runtime  │ v1.59.0          │ -
    supabase/studio        │ 20241014-c083b3b │ -
    supabase/postgres-meta │ v0.84.2          │ -
    supabase/logflare      │ 1.4.0            │ -
    supabase/supavisor     │ 1.1.56           │ -

Additional context

• Browser: Firefox v132.0b9
• Version of supabase-js: v2.45.6
• Version of Node.js: v22.10.0

---

We also contacted the Supabase support regarding this issue (Support ticket ID: 15644055709), because we first assumed that it was not a bug, but an issue on our side, but received two less than helpful answers (telling us to use updateUser to change the e-mail address of the user, completely disregarding that we want the user to confirm the e-mail address change, as well as forgetting and repeatedly asking where we set the double_confirm_changes configuration option).

[maximilian-hammerl]

I created a test Supabase instance with project ID djigzxpjteusflninqtt, enabled "secure email change"

and I am still able to reproduce this issue.

This bug seems to affect a locally running as well as a hosted Supabase instance.

[avallete]

Hey there ! Thank's for reporting and taking the time to make a MRE that's very helpful !

Seems like this might be a bug with the generateLink used to generate the mail links. After some testing the bug doesn't happen if you just "updateUser" and change it's mail. In such case, both adresses of the users receive an email, and both links need to be clicked to confirm the change.

I've pinged our auth team to have a look at it. I'm transferring the issue over the appropriate repo.

[maximilian-hammerl]

Hi, what is the status of this issue? Are you already working on it?

[Coop4Free]

Same problem here