Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

With email verification disabled in my project, email verification is still required in order to promote an anonymous user #1619

Closed
2 tasks done
symbolpunk opened this issue Jun 13, 2024 · 6 comments · Fixed by #1646
Labels
bug Something isn't working

Comments

@symbolpunk
Copy link

symbolpunk commented Jun 13, 2024

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

With email verification disabled in my project, email verification is still required in order to promote an anonymous user (created via signInAnonymously) to a non-anonymous user (via auth.updateUser({ email }).

To Reproduce

  1. Disable email verification in your project.
  2. Create an anonymous user via auth.signInAnonymously().
  3. Attempt to link the anonymous user to an email identity via auth.updateUser({ email }) per instructions found in your docs and blog post.

Expected behavior

  • If I've disabled email verification, I expect email verification to be disabled globally, in all scenarios, along all paths.
  • If this is a known limitation, it ought to be disclosed in the docs and blog post.

Additional context

  • This is blocking us from migrating from Firebase. It would be wonderful to understand whether this can be prioritized, an ETA for a fix, and/or possible workarounds that do not require email linking to emit a verification email.
  • Devs may encounter "Updating password of an anonymous user is not possible" when attempting to set a user's password via auth.updateUser({ password }) per your docs, after attempting the auth.updateUser({ email }) call.
  • The current, buggy updateUser flow appears to write the supplied email to email_change instead of email on the anonymous user's row in the auth.users table.
    • This suggests that the bugfix would involve referring to the project settings, and then if email verification is disabled, set email and email_confirmed_at accordingly, while triggering whatever additional business logic is required to promote the anonymous user, without emitting an email or requiring email verification.
@symbolpunk symbolpunk added the bug Something isn't working label Jun 13, 2024
@kangmingtay
Copy link
Member

hey @symbolpunk,

This is blocking us from migrating from Firebase.

can you elaborate on why this is a blocker for migrating from Firebase?

Devs may encounter "Updating password of an anonymous user is not possible" when attempting to set a user's password via auth.updateUser({ password }) per your docs, after attempting the auth.updateUser({ email }) call.

This is the current limitation and we're working to see how this can be improved. Currently, an anonymous user will need to verify the email change first before calling updateUser to add a password.

The current, buggy updateUser flow appears to write the supplied email to email_change instead of email on the anonymous user's row in the auth.users table.

yeah, it doesn't respect the email verification disabled config and this seems like a bug - i'll check with the team if there are any concerns before making a fix for this

@NodeAdam
Copy link

This is a blocker for projects that want minimal friction, which is the purpose of anonymous logins

@symbolpunk
Copy link
Author

Thanks @kangmingtay -

can you elaborate on why this is a blocker for migrating from Firebase?

We require seamless migration without introducing breaking changes to the user experience or a significant amount of additional "work" for devs. Firebase lets us promote anon to non-anon without email verification.

This is the current limitation and we're working to see how this can be improved.

Great, thanks for acknowledging. It might be worth updating the docs & blog post in the meantime, so as not to lead teams astray who assume "absence of limitation disclosure" == "absence of limitation", which is the assumption that I made.

this seems like a bug - i'll check with the team if there are any concerns before making a fix for this

Wonderful, thank you again!

@symbolpunk
Copy link
Author

Related: #1578

@kangmingtay
Copy link
Member

hey @symbolpunk and @NodeAdam, this took some time as the team was quite tight on bandwidth, but i've just put a PR up for it, thanks for reporting this!

kangmingtay added a commit that referenced this issue Jul 4, 2024
## What kind of change does this PR introduce?
* `GOTRUE_MAILER_AUTOCONFIRM` setting should be respected in the update
email flow via `PUT /user`

## What is the current behavior?
* When `GOTRUE_MAILER_AUTOCONFIRM=true`, updating a user's email still
sends an email and requires user confirmation
* Difficult for anonymous users to upgrade to a permanent user
seamlessly without requiring email confirmation
* Fixes #1619 

## What is the new behavior?
* When `GOTRUE_MAILER_AUTOCONFIRM=true`, updating a user's email will
not require email confirmation.

## Additional context

Add any other context or screenshots.
@symbolpunk
Copy link
Author

Thank you so much for this @kangmingtay 🙏

uxodb pushed a commit to uxodb/auth that referenced this issue Nov 13, 2024
)

## What kind of change does this PR introduce?
* `GOTRUE_MAILER_AUTOCONFIRM` setting should be respected in the update
email flow via `PUT /user`

## What is the current behavior?
* When `GOTRUE_MAILER_AUTOCONFIRM=true`, updating a user's email still
sends an email and requires user confirmation
* Difficult for anonymous users to upgrade to a permanent user
seamlessly without requiring email confirmation
* Fixes supabase#1619 

## What is the new behavior?
* When `GOTRUE_MAILER_AUTOCONFIRM=true`, updating a user's email will
not require email confirmation.

## Additional context

Add any other context or screenshots.
LashaJini pushed a commit to LashaJini/auth that referenced this issue Nov 13, 2024
)

## What kind of change does this PR introduce?
* `GOTRUE_MAILER_AUTOCONFIRM` setting should be respected in the update
email flow via `PUT /user`

## What is the current behavior?
* When `GOTRUE_MAILER_AUTOCONFIRM=true`, updating a user's email still
sends an email and requires user confirmation
* Difficult for anonymous users to upgrade to a permanent user
seamlessly without requiring email confirmation
* Fixes supabase#1619 

## What is the new behavior?
* When `GOTRUE_MAILER_AUTOCONFIRM=true`, updating a user's email will
not require email confirmation.

## Additional context

Add any other context or screenshots.
LashaJini pushed a commit to LashaJini/auth that referenced this issue Nov 15, 2024
)

## What kind of change does this PR introduce?
* `GOTRUE_MAILER_AUTOCONFIRM` setting should be respected in the update
email flow via `PUT /user`

## What is the current behavior?
* When `GOTRUE_MAILER_AUTOCONFIRM=true`, updating a user's email still
sends an email and requires user confirmation
* Difficult for anonymous users to upgrade to a permanent user
seamlessly without requiring email confirmation
* Fixes supabase#1619 

## What is the new behavior?
* When `GOTRUE_MAILER_AUTOCONFIRM=true`, updating a user's email will
not require email confirmation.

## Additional context

Add any other context or screenshots.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants