Yaltopia-FIFA/docs/PASSWORD_RESET.md
Kirubel-Kibru-Yaltopia 89440985f1
2026-05-24 21:46:10 +03:00


# Password reset & email rate limits (429)
## Why you see 429
`resetPasswordForEmail` sends mail through **Supabase Auth**. Free and trial projects have **strict limits** (often about **2 auth emails per hour** for the whole project). Clicking “Send reset link” many times while testing quickly hits **429 Too Many Requests**.
The app cannot remove that limit; only waiting, using the dashboard, custom SMTP, or an admin password update can help.
## What to do right now
### 1. Use an email you already received
If you requested a reset earlier, search **inbox and spam** for “Reset your password” from Supabase. The link may still work for a while.
### 2. Wait, then try once
Wait **at least 60 minutes**, then submit **one** request. The forgot-password page enforces a short client cooldown so repeated clicks do not make the limit worse.
### 3. Reset from Supabase Dashboard
1. [Supabase Dashboard](https://supabase.com/dashboard) → your project
2. **Authentication** → **Users**
3. Find the user → **⋮** → **Send password recovery** (or update password if your plan shows that option)
### 4. Local dev: set password without email
Add the **service_role** key to `.env.local` (never commit it):
```env
SUPABASE_SERVICE_ROLE_KEY=eyJ... # Dashboard → Settings → API
```
Then:
```bash
npm run auth:reset-password -- you@example.com YourNewPassword
```
Sign in at `/login/manager` or `/login/master`.
## Redirect URLs (required for email links)
**Authentication** → **URL configuration**:
- Site URL: `http://localhost:3000` (dev) or your production URL
- Redirect URLs must include:
  - `http://localhost:3000/auth/callback`
  - `http://localhost:3000/**` (or explicit production URLs)

Password reset flow: email → `/auth/callback?next=/reset-password?portal=manager` → set new password.
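
The callback in the flow above redirects to whatever `next` contains, so it should only follow same-site paths the app expects. The following is an added example, not code from this repository: `safeNext`, the path and portal allow lists, and the fallback route are assumptions based on the routes named on this page (`master` as a portal value is assumed).

```javascript
// Added example (not project code): validate `next` in /auth/callback before redirecting.
const SITE_ORIGIN = "http://localhost:3000"; // dev Site URL from this page
// Assumed allow lists, built from the routes this page mentions.
const ALLOWED_PATHS = new Set(["/reset-password", "/login/manager", "/login/master"]);
const ALLOWED_PORTALS = new Set(["manager", "master"]);
const FALLBACK = "/login/manager"; // assumed safe default

function safeNext(callbackUrl) {
  // URLSearchParams splits only on "&" and the first "=", so the nested
  // "?portal=manager" stays inside the value of `next`.
  const raw = new URL(callbackUrl, SITE_ORIGIN).searchParams.get("next");
  if (!raw) return FALLBACK;

  // Accept a single-slash relative path only. This rejects absolute URLs,
  // protocol-relative "//host", and "/\host", which browsers treat like "//host".
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.includes("\\")) return FALLBACK;

  // URL parsers silently strip tab, CR and LF, which can hide a second slash.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return FALLBACK;

  let target;
  try {
    target = new URL(raw, SITE_ORIGIN); // also normalises "/a/../b" before the path check
  } catch {
    return FALLBACK;
  }
  if (target.origin !== SITE_ORIGIN) return FALLBACK;
  if (!ALLOWED_PATHS.has(target.pathname)) return FALLBACK;

  // Rebuild the destination from validated parts; drop every other parameter.
  const portal = target.searchParams.get("portal");
  if (portal === null) return target.pathname;
  if (!ALLOWED_PORTALS.has(portal)) return FALLBACK;
  return `${target.pathname}?portal=${portal}`;
}
```

In production, set `SITE_ORIGIN` to the same production URL listed under Redirect URLs so the origin comparison matches the deployed site.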
## Raise limits long-term
**Project Settings** → **Authentication** → **SMTP Settings**: configure custom SMTP (Resend, SendGrid, etc.) for higher volume and your own domain.