diff --git a/apps/web/supabase/config.toml b/apps/web/supabase/config.toml
index 2a313773a..9678cab2d 100644
--- a/apps/web/supabase/config.toml
+++ b/apps/web/supabase/config.toml
@@ -42,7 +42,7 @@ file_size_limit = "50MiB"
 # in emails.
 site_url = "http://localhost:3000"
 # A list of *exact* URLs that auth providers are permitted to redirect to post authentication.
-additional_redirect_urls = ["https://localhost:3000"]
+additional_redirect_urls = ["http://localhost:3000", "http://localhost:3000/auth/callback", "http://localhost:3000/update-password"]
 # How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 seconds (one
 # week).
 jwt_expiry = 3600
@@ -69,4 +69,4 @@ secret = ""
 redirect_uri = ""
 # Overrides the default auth provider URL. Used to support self-hosted gitlab, single-tenant Azure,
 # or any other third-party OIDC providers.
-url = ""
+url = ""
\ No newline at end of file
diff --git a/packages/features/auth/src/components/update-password-form.tsx b/packages/features/auth/src/components/update-password-form.tsx
index 0e53a49c2..fb1091c88 100644
--- a/packages/features/auth/src/components/update-password-form.tsx
+++ b/packages/features/auth/src/components/update-password-form.tsx
@@ -4,10 +4,11 @@ import Link from 'next/link';
 import { zodResolver } from '@hookform/resolvers/zod';
 import {
- ArrowLeftIcon,
 CheckIcon,
 ExclamationTriangleIcon,
 } from '@radix-ui/react-icons';
+
+import { ArrowRightIcon } from 'lucide-react';
 import { useForm } from 'react-hook-form';
 import type { z } from 'zod';
@@ -44,7 +45,7 @@ export function UpdatePasswordForm(params: { redirectTo: string }) {
 }
 if (updateUser.data && !updateUser.isPending) {
- return ;
+ return ;
 }
 return (
@@ -114,7 +115,7 @@ export function UpdatePasswordForm(params: { redirectTo: string }) {
 );
 }
-function SuccessState() {
+function SuccessState(props: { redirectTo: string }) {
 return (
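Review bot: The widened `additional_redirect_urls` list in apps/web/supabase/config.toml (hunk -42,7) carries no hint that its three `http://localhost:3000` entries are meant for local development only. The comment above the setting says the list is matched exactly, so each deployed environment presumably needs its own HTTPS equivalents of `/auth/callback` and `/update-password`, and the plain-HTTP entries should not be copied there. I would add a line above the setting such as `# Local development only: deployed environments must list their own https:// origin for /auth/callback and /update-password.`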
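Review bot: `SuccessState(props: { redirectTo: string })` in update-password-form.tsx (hunk -114,7) now receives a `redirectTo` value, presumably the one `UpdatePasswordForm` takes, but nothing in the visible lines constrains it. The JSX of this hunk and the next one was lost in extraction, so how the prop is rendered cannot be seen here. If it becomes a link `href`, the page that supplies `redirectTo` should pass a same-origin path rather than a value copied from the query string. A doc comment on the prop would record that contract, for example `/** Same-origin path to continue to after the password change; callers must not pass user-supplied URLs. */`. The body of `SuccessState` continues outside this hunk.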
@@ -129,13 +130,13 @@ function SuccessState() { - +
diff --git a/packages/supabase/src/auth-callback.service.ts b/packages/supabase/src/auth-callback.service.ts index a065ed754..1d709e7b1 100644 --- a/packages/supabase/src/auth-callback.service.ts +++ b/packages/supabase/src/auth-callback.service.ts @@ -45,11 +45,12 @@ class AuthCallbackService { const token_hash = searchParams.get('token_hash'); const type = searchParams.get('type') as EmailOtpType | null; - const next = searchParams.get('next') ?? params.redirectPath; const callbackParam = searchParams.get('callback'); + + const next = callbackParam ? new URL(callbackParam).pathname : params.redirectPath; + const callbackUrl = callbackParam ? new URL(callbackParam) : null; const inviteToken = callbackUrl?.searchParams.get('invite_token'); - const errorPath = params.errorPath ?? '/auth/callback/error'; // remove the query params from the url
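Review bot: `new URL(callbackParam)` on the added `next` line throws for any `callback` value that is not an absolute URL, and that value is read straight from the request's query string; the same string is then parsed a second time for `callbackUrl`. Parsing once inside a `try`/`catch` and falling back to `params.redirectPath` keeps a malformed link from surfacing as an exception, unless a caller outside this hunk already catches it. Keeping only `.pathname` drops the callback's origin, which is the right direction, but a pathname can still begin with `//`. How `next` is consumed is outside this hunk, so if it is ever used as a bare redirect target it would be read as protocol-relative and is worth rejecting here. The method body starts and ends outside the hunk.

```typescript
const callbackParam = searchParams.get('callback');

// Parse the user-supplied callback once; a malformed or relative value falls back to null.
let callbackUrl: URL | null = null;

if (callbackParam) {
  try {
    callbackUrl = new URL(callbackParam);
  } catch {
    callbackUrl = null;
  }
}

// Keep only a single-slash path; "//host" would be protocol-relative in a redirect target.
const callbackPath = callbackUrl?.pathname;
const next =
  callbackPath && !callbackPath.startsWith('//')
    ? callbackPath
    : params.redirectPath;
// … unchanged: inviteToken lookup and the lines after it …
```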