Convex Auth - reset password when logged in
I've set up convex auth with email verification and password reset using Resend. Everything is working great. I can reset the password as intended when a user is NOT logged in. I.e. the user has forgotten the password, they enter their email, they're emailed a code via Resend, they enter it together with a new password and it's updated correctly. However separately, I now have a modal within the app where a user should be able to update their password when they are already logged in.
The problem I'm having it that the reset flow seems to delete the session data, logging the user out. I ideally don't want this as this breaks the UI and throws an error as there are queries in the background that rerun and throw an error if there's no logged in user.
Is there a way round this? I feel like this is a common situation where a user would like to update their password whilst logged in?
I've alternatively looked at not using the signIn auth method with the reset flow, but instead trying to use a mutation to update the password but I note that you can't seem to patch the password as it isn't exposed
Thanks
5 Replies
Thanks for posting in <#1088161997662724167>.
Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets.
- Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.)
- Use search.convex.dev to search Docs, Stack, and Discord all at once.
- Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI.
- Avoid tagging staff unless specifically instructed.
Thank you!
I have this issue too. I want authenticated users to be able to change their email or password while logged in.
Agree this is a common use case, but looking through the source it simply isn't supported at the moment. The route forward would be opening a feature request on the repo (@ianpaschal I see you already have a feedback issue open, thanks for that): https://github.com/get-convex/convex-auth/issues
This has been said in a few places, but I'll repeat it here: if you need full fledged, feature rich auth, Convex Auth is unlikely to be that in the near term - a service like Clerk is recommended to help avoid frustrations. Convex Auth is reliable and secure, and has as it's main features the lack of an additional provider to set up / pay, and keeping your user and auth data right in your Convex db. For now, we as devs have to decide which is more important for us.
If I were in your shoes, I would just build around this by clarifying to the user that they'll need to be logged out and go through the reset password flow to update their password. Not ideal, for sure, just a personal suggestion to help keep it moving. And of course, you always have the option of opening a PR, or even running a fork of Convex Auth with your own changes to support this flow.
That's a bummer but I appreciate the response!
I am kind of surprised though as it seems like this is such basic functionality that it would have been like literally the very next thing built after adding password sign in. I would consider it a necessary feature to call password authentication "ready to release", not "feature rich." Seems shocking its not on the roadmap especially since Convex auth is new, not like, sunsetting or phasing out or whatever.
For now I'll probably actually just disable the reset page I built entirely because indeed I imagine 99% of the time password resets are going to come from users who forgot their password, not ones who are signed in and decided to change it.
Email update is a little bit more of an issue, and probably a GDPR liability as emails are basically PII by definition. Granted, I know that's what "Beta" means, but consider this my formal request to say "Pretttttty pleeeeasseeee".
I'll see if I can make a PR, but the whole benefit of using something like Convex is a bit about not having to re-build this sort of typical functionality myself. For me, password reset is of course a "nice to have" rather than "core feature" but my project isn't an authentication provider 😛
A perspective: as a Convex Auth user, I agree and really want a full fledged Convex Auth. But as a Convex user, knowing Convex is a small team building something pretty wild (Convex itself), I'd rather they put their time into the core at this stage, personally. All things considered, I'm glad they decided to release Convex Auth without all the things as opposed to waiting until they could do something full fledged.