Skip to main content

Overview

The reset-manager-password edge function allows organization owners and super admins to reset an event manager’s password. It generates a new random password and sends a magic link to the manager for secure password setup.
Only organization owners and super admins can reset event manager passwords. The function performs authorization checks via database RPC.

Endpoint

POST /functions/v1/reset-manager-password

Authentication

Requires a valid Bearer token. The authenticated user must be either:
  • The owner of the organization the manager belongs to
  • A super admin
Authorization: Bearer <supabase_access_token>

Request Body

manager_user_id
string
required
UUID of the event manager whose password should be reset.
organization_id
string
required
UUID of the organization. Used for authorization verification.

Example Request

curl -X POST 'https://<project-ref>.supabase.co/functions/v1/reset-manager-password' \
  -H 'Authorization: Bearer <owner_token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "manager_user_id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
    "organization_id": "123e4567-e89b-12d3-a456-426614174000"
  }'

Response

Success Response (200 OK)

success
boolean
Always true for successful password reset
email
string
Email address where the magic link was sent
{
  "success": true,
  "email": "[email protected]"
}

Error Responses

400 Bad Request

Returned when request parameters are invalid. 
{
  "error": "Invalid manager_user_id"
}

{
  "error": "Invalid organization_id"
}

401 Unauthorized

Returned when authentication fails. 
{
  "error": "Unauthorized"
}

403 Forbidden

Returned when the caller lacks permission to reset this manager’s password. 
{
  "error": "Forbidden"
}

404 Not Found

Returned when the manager user is not found. 
{
  "error": "Manager not found"
}

500 Internal Server Error

Returned when password reset fails. 
{
  "error": "Failed to reset password"
}

{
  "error": "Internal server error"
}

Implementation Details

UUID Validation

From source/supabase/functions/reset-manager-password/index.ts:42-54: 
const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

if (!manager_user_id || typeof manager_user_id !== "string" || 
    !uuidRegex.test(manager_user_id)) {
  return new Response(JSON.stringify({ error: "Invalid manager_user_id" }), {
    status: 400,
  });
}

if (!organization_id || typeof organization_id !== "string" || 
    !uuidRegex.test(organization_id)) {
  return new Response(JSON.stringify({ error: "Invalid organization_id" }), {
    status: 400,
  });
}

Authorization via Database RPC

From source/supabase/functions/reset-manager-password/index.ts:62-73: 
// Verify authorization via DB function
const { data: authorized } = await adminClient.rpc("reset_manager_password", {
  _manager_user_id: manager_user_id,
  _caller_user_id: callerUserId,
  _organization_id: organization_id,
});

if (!authorized) {
  return new Response(JSON.stringify({ error: "Forbidden" }), {
    status: 403,
  });
}
The reset_manager_password RPC function verifies:
  • Caller is the organization owner OR super admin
  • Manager belongs to the specified organization
  • Manager has the event_manager role

Password Generation and Update

From source/supabase/functions/reset-manager-password/index.ts:84-98: 
// Generate new random password and update
const randomBytes = new Uint8Array(24);
crypto.getRandomValues(randomBytes);
const newPassword = Array.from(randomBytes, (b) => 
  b.toString(36).padStart(2, "0")
).join("").slice(0, 32) + "A1!";

const { error: updateErr } = await adminClient.auth.admin.updateUserById(
  manager_user_id, 
  { password: newPassword }
);

if (updateErr) {
  return new Response(JSON.stringify({ error: "Failed to reset password" }), {
    status: 500,
  });
}
From source/supabase/functions/reset-manager-password/index.ts:100-104: 
// Send password reset email so user can set their own
await adminClient.auth.admin.generateLink({
  type: "magiclink",
  email: userData.user.email,
});
The magic link allows the event manager to securely set their own password without knowing the temporary random password.

Audit Trail

From source/supabase/functions/reset-manager-password/index.ts:106-113: 
await adminClient.rpc("log_audit_event", {
  _organization_id: organization_id,
  _user_id: callerUserId,
  _action: "reset_manager_password",
  _entity_type: "user",
  _entity_id: manager_user_id,
});
All password reset actions are logged in the audit trail for security and compliance.

Security Features

  • Authorization RPC: Database-level authorization check prevents unauthorized resets
  • UUID Validation: Strict validation of all UUID parameters
  • Cryptographically Secure Password: Uses crypto.getRandomValues() for random password generation
  • Magic Link: User sets their own password via secure, time-limited link
  • Audit Logging: All reset actions logged with caller, manager, and organization details
  • Service Role Required: Uses service role key for admin auth operations

Use Cases

  • Account Recovery: Help event managers who forgot their passwords
  • Security Response: Reset compromised accounts
  • Onboarding Issues: Re-send setup email if original was lost
  • Account Management: Organization owners managing their event manager accounts

Build docs developers (and LLMs) love

Get started for freeTalk to us