Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

updateUser vs admin.updateUserById behavior with Anonymous Users #1578

Open
r-southworth opened this issue May 7, 2024 · 1 comment
Open

updateUser vs admin.updateUserById behavior with Anonymous Users #1578

r-southworth opened this issue May 7, 2024 · 1 comment
Labels
auth bug Something isn't working

Comments

@r-southworth
Copy link

r-southworth commented May 7, 2024
edited

Bug report

  • [ X ] I confirm this is a bug with Supabase, not with my own application.
  • [ X ] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

There is no way to convert an anonymous user to a permanent user without sending a confirmation email. updateUser and admin.updateUserById have inconsistent behavior

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Run command server side using an anonymous user_id:
const { data, error } = await supabase.auth.admin.updateUserById(user_id, {
      email: response.email, 
      email_confirm: true,
  })
  1. Resulting user:
{
  "instance_id": "00000000-0000-0000-0000-000000000000",
  "id": "5b0c50f8-bd4d-4815-a21e-b67486593073",
  "aud": "authenticated",
  "role": "authenticated",
  "email": "test55@test.com",
  "encrypted_password": "",
  "email_confirmed_at": "2024-05-07 15:52:39.207944+00",
  "invited_at": null,
  "confirmation_token": "",
  "confirmation_sent_at": null,
  "recovery_token": "",
  "recovery_sent_at": null,
  "email_change_token_new": "",
  "email_change": "",
  "email_change_sent_at": null,
  "last_sign_in_at": "2024-05-07 15:26:46.873409+00",
  "raw_app_meta_data": {},
  "raw_user_meta_data": {},
  "is_super_admin": null,
  "created_at": "2024-05-07 15:26:46.865084+00",
  "updated_at": "2024-05-07 15:52:39.212126+00",
  "phone": null,
  "phone_confirmed_at": null,
  "phone_change": "",
  "phone_change_token": "",
  "phone_change_sent_at": null,
  "confirmed_at": "2024-05-07 15:52:39.207944+00",
  "email_change_token_current": "",
  "email_change_confirm_status": 0,
  "banned_until": null,
  "reauthentication_token": "",
  "reauthentication_sent_at": null,
  "is_sso_user": false,
  "deleted_at": null,
  "is_anonymous": true
}

Expected behavior

I would expect

const { data, error } = await supabase.auth.admin.updateUserById(user_id, {
      email: response.email, 
      email_confirm: true,
  })

called from the server to convert a user from anonymous to email with no need for a confirmation email.

Currently that call adds the email address AND confirms the user but leaves them as provider = anonymous which makes it impossible to set a password for the user.

Screenshots

If applicable, add screenshots to help explain your problem.

System information

  • OS: MacOS
  • Browser (if applies) Chrome but N/A I think in this case
  • Version of supabase-js: 2.42.0
  • Version of Supabase CLI - 1.165.0
  • Version of Node.js: 20.11.1

Additional context

The only documented way to change the user from anonymous that I am aware of is listed here: https://supabase.com/docs/guides/auth/auth-anonymous

It seems to require email confirmations.

Regardless of the local setting for auth.email.enable_confirmations using the supabase.auth.updateUser sends the standard email confirmation to the user.

If I have anonymous users I might want to store their information for future reference (ecommerce guest checkout with downloadable products) but since they did not choose to make an account I shouldn't be emailing them about an account AND there is no way to send them a different email than the standard confirmation email. The typical way around sending a confirmation email without turning off email confirmation is to do server side supabase.auth.admin.updateUserById however in this case it doesn't convert the user provider from Anonymous and there doesn't seem to be any documentation on how to change that in any other way.

More details can be found here: https://discord.com/channels/839993398554656828/1237139614486233119
@r-southworth r-southworth added the bug Something isn't working label May 7, 2024
@r-southworth r-southworth mentioned this issue May 7, 2024
Closed
2 tasks
@encima encima transferred this issue from supabase/supabase May 8, 2024
@encima encima added the auth label May 8, 2024
@evelant
Copy link

evelant commented May 24, 2024

Also running into this trying to transition from Firebase auth to Supabase auth. We always create anonymous accounts for new users then later let them link with social auth or enter an email and password without email verification. Currently with supabase auth it seems like it's impossible to set a password for an anonymous account without email verification.

IMO this is a bug. If email verification is disabled in the project it should not be required to verify email to link email/password credentials to an anonymous account. This may be a blocker to us releasing our transition to Supabase auth.

@hf @kangmingtay any thoughts on this? The current behavior makes it impossible to link an email/password to an anonymous account without email verification. That came as a big surprise given that there's a setting to disable email verification.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auth bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@encima @evelant @r-southworth