Captcha fails after migrating from hCaptcha to Turnstile

[retr0cube]

Bug report

Before opening a bug report, please verify the following:

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Whenever trying to sign in or sign up, the captcha verification process fails (after migrating to turnstile and setting it up properly in the dashboard and verifying the token) with the following error:
captcha protection: request disallowed (timeout-or-duplicate)

To Reproduce

1. Create a SvelteKit app and setup Supabase Auth with hCaptcha then migrate to Turnstile
2. Try to authenticate (sign in or sign up)

Expected behavior

For the captcha verfication process to succeed.

Screenshots

• Dashnoard UI captcha section:
  

System information

• OS: Windows 10 22H2
• Version of supabase-js: 2.45.1

Additional context

What I'm using in my app that might interfere with the process:

• SvelteKit 2.5.0
• svelte-turnstile 0.8.0

I made sure:

• That the token is valid
• And that the form submission process doesn't interfere/ or is the cause of the issue

Error: (some paths and URLs of mine have been removed)

AuthApiError: captcha protection: request disallowed (timeout-or-duplicate)
    at handleError (..\node_modules\@supabase\auth-js\dist\main\lib\fetch.js:63:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async _handleRequest (..\node_modules\@supabase\auth-js\dist\main\lib\fetch.js:108:9)
    at async _request (..\node_modules\@supabase\auth-js\dist\main\lib\fetch.js:89:18)
    at async SupabaseAuthClient.signInWithPassword (..\node_modules\@supabase\auth-js\dist\main\GoTrueClient.js:335:23)
    at async logIn (../src/routes/auth/login/+page.server.ts:37:23)
    at async Module.handle_action_request (../node_modules/@sveltejs/kit/src/runtime/server/page/actions.js:131:18)
    at async Module.render_page (../node_modules/@sveltejs/kit/src/runtime/server/page/index.js:70:20)
    at async resolve (../node_modules/@sveltejs/kit/src/runtime/server/respond.js:460:18)
    at async Module.respond (../node_modules/@sveltejs/kit/src/runtime/server/respond.js:333:20) {
  __isAuthError: true,
  status: 400,
  code: 'captcha_failed'
}

Error in the dashboard (event message):

{"component":"api","error":"400: captcha protection: request disallowed (timeout-or-duplicate)","level":"info","method":"POST","msg":"400: captcha protection: request disallowed (timeout-or-duplicate)","path":"/token","referer":"https://myurl.com/auth/callback","remote_addr":"myIPaddress","request_id":"8bad9138913194fe-LIS","time":"2024-08-29T15:27:48Z"}

[kangmingtay]

hi @retr0cube, can you please open a ticket at https://supabase.help and link this github issue in the ticket? we would love to help figure out the root cause here but it helps us investigate the underlying issue much faster with your project's context

[retr0cube]

hi @retr0cube, can you please open a ticket at https://supabase.help and link this github issue in the ticket? we would love to help figure out the root cause here but it helps us investigate the underlying issue much faster with your project's context

ok, will do! Thanks for the response!