Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

updateUser vs admin.updateUserById behavior with Anonymous Users #1578

Closed
r-southworth opened this issue May 7, 2024 · 2 comments · Fixed by #1623
Closed

updateUser vs admin.updateUserById behavior with Anonymous Users #1578

r-southworth opened this issue May 7, 2024 · 2 comments · Fixed by #1623
Labels
auth bug Something isn't working

Comments

@r-southworth
Copy link

r-southworth commented May 7, 2024

Bug report

  • [ X ] I confirm this is a bug with Supabase, not with my own application.
  • [ X ] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

There is no way to convert an anonymous user to a permanent user without sending a confirmation email. updateUser and admin.updateUserById have inconsistent behavior

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Run command server side using an anonymous user_id:
const { data, error } = await supabase.auth.admin.updateUserById(user_id, {
      email: response.email, 
      email_confirm: true,
  })
  1. Resulting user:
{
  "instance_id": "00000000-0000-0000-0000-000000000000",
  "id": "5b0c50f8-bd4d-4815-a21e-b67486593073",
  "aud": "authenticated",
  "role": "authenticated",
  "email": "[email protected]",
  "encrypted_password": "",
  "email_confirmed_at": "2024-05-07 15:52:39.207944+00",
  "invited_at": null,
  "confirmation_token": "",
  "confirmation_sent_at": null,
  "recovery_token": "",
  "recovery_sent_at": null,
  "email_change_token_new": "",
  "email_change": "",
  "email_change_sent_at": null,
  "last_sign_in_at": "2024-05-07 15:26:46.873409+00",
  "raw_app_meta_data": {},
  "raw_user_meta_data": {},
  "is_super_admin": null,
  "created_at": "2024-05-07 15:26:46.865084+00",
  "updated_at": "2024-05-07 15:52:39.212126+00",
  "phone": null,
  "phone_confirmed_at": null,
  "phone_change": "",
  "phone_change_token": "",
  "phone_change_sent_at": null,
  "confirmed_at": "2024-05-07 15:52:39.207944+00",
  "email_change_token_current": "",
  "email_change_confirm_status": 0,
  "banned_until": null,
  "reauthentication_token": "",
  "reauthentication_sent_at": null,
  "is_sso_user": false,
  "deleted_at": null,
  "is_anonymous": true
}

Expected behavior

I would expect

const { data, error } = await supabase.auth.admin.updateUserById(user_id, {
      email: response.email, 
      email_confirm: true,
  })

called from the server to convert a user from anonymous to email with no need for a confirmation email.

Currently that call adds the email address AND confirms the user but leaves them as provider = anonymous which makes it impossible to set a password for the user.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

  • OS: MacOS
  • Browser (if applies) Chrome but N/A I think in this case
  • Version of supabase-js: 2.42.0
  • Version of Supabase CLI - 1.165.0
  • Version of Node.js: 20.11.1

Additional context

The only documented way to change the user from anonymous that I am aware of is listed here: https://supabase.com/docs/guides/auth/auth-anonymous

It seems to require email confirmations.

Regardless of the local setting for auth.email.enable_confirmations using the supabase.auth.updateUser sends the standard email confirmation to the user.

If I have anonymous users I might want to store their information for future reference (ecommerce guest checkout with downloadable products) but since they did not choose to make an account I shouldn't be emailing them about an account AND there is no way to send them a different email than the standard confirmation email. The typical way around sending a confirmation email without turning off email confirmation is to do server side supabase.auth.admin.updateUserById however in this case it doesn't convert the user provider from Anonymous and there doesn't seem to be any documentation on how to change that in any other way.

More details can be found here: https://discord.com/channels/839993398554656828/1237139614486233119

@r-southworth r-southworth added the bug Something isn't working label May 7, 2024
@encima encima transferred this issue from supabase/supabase May 8, 2024
@encima encima added the auth label May 8, 2024
@evelant
Copy link

evelant commented May 24, 2024

Also running into this trying to transition from Firebase auth to Supabase auth. We always create anonymous accounts for new users then later let them link with social auth or enter an email and password without email verification. Currently with supabase auth it seems like it's impossible to set a password for an anonymous account without email verification.

IMO this is a bug. If email verification is disabled in the project it should not be required to verify email to link email/password credentials to an anonymous account. This may be a blocker to us releasing our transition to Supabase auth.

@hf @kangmingtay any thoughts on this? The current behavior makes it impossible to link an email/password to an anonymous account without email verification. That came as a big surprise given that there's a setting to disable email verification.

@kangmingtay
Copy link
Member

hi @r-southworth and @evelant, thanks for raising this issue! i've just made a PR to fix this partially (at least for the admin update user endpoint - it should be updating the is_anonymous field to false if email_confirm is set to true)

The current behavior makes it impossible to link an email/password to an anonymous account without email verification. That came as a big surprise given that there's a setting to disable email verification.

This seems like a separate issue which i'll look into fixing next week

uxodb pushed a commit to uxodb/auth that referenced this issue Nov 13, 2024
## What kind of change does this PR introduce?
* Fixes supabase#1578
LashaJini pushed a commit to LashaJini/auth that referenced this issue Nov 13, 2024
LashaJini pushed a commit to LashaJini/auth that referenced this issue Nov 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auth bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants