How can I get the reason for login/signup failure with Convex auth?
Hi, is there currently a way to get the reason for login/signup failure (e.g., email not found or invalid password) on the client side with Convex auth? Or is this something that will be added in the future? Thank you.
By authentication provider?
Can you give me an example?
I don't think you can get the exact reason ... the authentication provider will only tell you it failed with some common error codes...
I would appreciate it if someone from the Convex team could confirm this.
Which auth are you using? Google, Facebook?
I'm using password provider
Usually on any login page with email and password, you should not tell the user if the email is not found, or the password is wrong, because then they can brute-force your site, and try to log in with different passwords...
With all due respect, Jamal, while I appreciate your willingness to help, this is not the answer to what I am trying to learn.
Additionally, what you're saying isn't correct. If there isn't an active rate limiting system in place, regardless of whether you show the message or not, you could still fall victim to brute force attacks. Almost all platforms on the web nowadays display separate messages for "email not found" and "password incorrect" because it's better for the user experience. Thanks again.
Yep currently these aren't available on the client -- we're considering making some of these errors catchable on the client (https://github.com/get-convex/convex-auth/issues/54 is the closest issue I could find, but I might just make a new one).
I'll say that it is a common best practice to not distinguish between "you have an account, but your password is wrong" and "you don't have an account" to prevent attackers from being able to generate a list of emails signed up for your site, so at least by default we wouldn't expose this distinction to the client.
GitHub
Propagate auth errors through to client · Issue #54 · get-convex/co...
When auth fails in OAuth, e.g. redirect uri mismatches, it just redirects back and nothing ends up on the client afaict It'd be nice to have a callback for showing the error to the user / handl...
Thank you
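
The uniform-failure practice from the staff reply above, combined with the rate limiting raised earlier in the thread, shown as an added example (not Convex Auth code and not part of the original thread). The in-memory store, the names `signUp`/`signIn`, the error codes and the limits are assumptions for illustration:

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Constructed in-memory user store; a real app would use its database.
type User = { salt: Buffer; hash: Buffer };
const users = new Map<string, User>();

const hashPassword = (password: string, salt: Buffer): Buffer =>
  scryptSync(password, salt, 32);

function signUp(email: string, password: string): void {
  const salt = randomBytes(16);
  users.set(email.toLowerCase(), { salt, hash: hashPassword(password, salt) });
}

// Dummy record so an unknown email costs the same scrypt work as a known one.
const dummySalt = randomBytes(16);
const DUMMY: User = { salt: dummySalt, hash: hashPassword(randomBytes(16).toString("hex"), dummySalt) };

// Hypothetical limits: 5 failures per email per 15 minutes.
const MAX_FAILURES = 5;
const WINDOW_MS = 15 * 60 * 1000;
const failures = new Map<string, { count: number; since: number }>();

type SignInResult = { ok: boolean; error?: "INVALID_CREDENTIALS" | "TOO_MANY_ATTEMPTS" };

function signIn(email: string, password: string, now: number = Date.now()): SignInResult {
  const key = email.toLowerCase();
  const f = failures.get(key);
  // Lockout is tracked for unknown emails too, so it reveals nothing about existence.
  if (f && now - f.since < WINDOW_MS && f.count >= MAX_FAILURES) {
    return { ok: false, error: "TOO_MANY_ATTEMPTS" };
  }
  const user = users.get(key);
  const record = user ?? DUMMY;
  const match = timingSafeEqual(hashPassword(password, record.salt), record.hash);
  if (user !== undefined && match) {
    failures.delete(key);
    return { ok: true };
  }
  // The precise reason goes to server-side logs only; the client gets one code.
  console.warn(`sign-in failed: ${user ? "bad password" : "unknown email"}`);
  if (f && now - f.since < WINDOW_MS) f.count += 1;
  else failures.set(key, { count: 1, since: now });
  return { ok: false, error: "INVALID_CREDENTIALS" };
}
```
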