Questions about Secure Password Change and Reauthentication

[FLiliequist]

Hi, I have some questions about the password update process.

1. Customizing the "recently logged in" time frame

I have enabled the Secure password change option in the email provider settings. The description says:

"Users will need to be recently logged in to change their password without requiring reauthentication. (A user is considered recently logged in if the session was created within the last 24 hours.) If disabled, a user can change their password at any time."

My concern is that 24 hours is a long time. Is it possible to change the time frame? I am guessing this is the line of code that controls this: internal/api/user.go#L150.

2. Requiring the current password instead of email nonce

I am using supabase.auth.reauthenticate to reauthenticate the user, which triggers a new email containing a nonce. However, i would prefer to require the current password instead. I found the setting auth.email.secure_password_change in the CLI docs which says:

If enabled, requires the user's current password to be provided when changing to a new password.

However, this is not working for me. Any ideas?

Btw, I have found this comment stating that:

We now require reauthentication(with current password) by default in order to update password as a non admin user

Have I missconfigured something, or is this the default behavior?

3. Sending a reset password email with a session time of 15 minutes

I first tried using supabase.auth.resetPasswordForEmail, but if i understood it correctly, this will send a Magic Link to the user. Which will log the user in, which i am afraid will confuse the user.

Is there a way to send a reset password email to the user and only giving them a session time for 15 minutes?

Thanks in advance!

[jolumoo]

I am also wondering about this field in the configuration: auth.email.secure_password_change
There seems to be no further documentation on this property?