Dev Tools · 2h ago
Supabase OTP Bug: Hardcoded 6-Digit Regex Rejects Valid 8-Digit Codes
A developer's client-side regex assumed OTPs are always six digits, but Supabase's GoTrue can emit eight-digit codes depending on configuration. This caused valid codes to be rejected before reaching the server, with a misleading error message. The fix is to use a loose regex that never rejects a real code, relying on server-side verification.
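The mismatch described above, as an added example (not code from the DEV post or from Supabase): a hard-coded six-digit regex beside a loose check that only normalises the input and leaves validity to the server. The `makeFakeVerifier` stand-in and the upper bound of ten digits in `LOOSE_OTP_RE` are assumptions made for the example; Supabase Auth's email OTP length is configurable, with six as the default.

```javascript
// Added example, not the original post's code. Shows why a client-side
// OTP pattern must never be stricter than the server's token format.

// The bug: the client assumes every code is exactly six digits.
const STRICT_OTP_RE = /^\d{6}$/;

// The fix: accept any plausible numeric code and let the server decide.
// The 6..10 range is an assumption for this example; it only filters
// obvious junk and never rejects a code the server could have issued.
const LOOSE_OTP_RE = /^\d{6,10}$/;

// Email clients often paste codes with spaces ("1234 5678"); strip them
// before matching so formatting alone cannot cause a rejection.
function normalizeOtp(raw) {
  return String(raw ?? '').replace(/\s+/g, '');
}

function isPlausibleOtpStrict(raw) {
  return STRICT_OTP_RE.test(normalizeOtp(raw));
}

function isPlausibleOtpLoose(raw) {
  return LOOSE_OTP_RE.test(normalizeOtp(raw));
}

// Constructed stand-in for the auth server: it holds the code it issued
// (whatever length the deployment is configured for) and is the only
// component that decides whether a submitted code is valid.
function makeFakeVerifier(issuedCode) {
  return (submitted) => (submitted === issuedCode ? 'ok' : 'invalid_code');
}

// Client flow: gate on the plausibility check, then send to the verifier.
// With the strict check, a valid 8-digit code never reaches the server and
// the user sees a misleading "must be 6 digits" error.
function submitOtp(raw, verify, plausible = isPlausibleOtpLoose) {
  const token = normalizeOtp(raw);
  if (!plausible(token)) {
    return {
      status: 'rejected_client',
      error: plausible === isPlausibleOtpStrict
        ? 'Code must be 6 digits'
        : 'Enter the numeric code from your email',
    };
  }
  return { status: 'sent', result: verify(token) };
}

// Usage: the server issued an 8-digit code (constructed sample).
const verify = makeFakeVerifier('12345678');
console.log(submitOtp('1234 5678', verify, isPlausibleOtpStrict)); // rejected_client
console.log(submitOtp('1234 5678', verify));                       // sent / ok
```

The point of the design is that the client check exists only to catch empty or non-numeric input early; any decision about whether a code is the right length or the right value belongs to the server, which knows the configured OTP length.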
Meridian48 take
A cautionary tale: client-side validation should never be stricter than the server's actual token format, or you'll silently break auth for real users.
Read the full reporting
Your OTP regex assumes six digits. Supabase magic links don't. →
DEV Community
supabase · otp-validation