SignUp with same address / Sign In With Apple with secondary email issue #270

Closed
Objy-marcus opened this issue Mar 18, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@Objy-marcus

Bug report

Describe the bug

I am sorry there are two issues here which may or may not be related:

I have a user with the following:

  • Apple account with two email addresses (email1@fake.com and email2@fake.com)
  • User has signed up with email provider using email1@fake.com > works well
  • User can sign in with Apple, and will access their account correctly > unexpected behaviour but I like it!
  • User tries to sign up for a new account using email provider with email2@fake.com
  • Supabase client returns OK > however confirmation email is never sent.
  • Looking in my auth logs, I see {"auth_event":{"action":"user_repeated_signup",
  • Try to log in using email and password (email2@fake.com) > cannot log in (invalid credentials)

At this point I realised that I cannot make another account with email2@fake.com. However, I had been using this email to make extra accounts for the last month. I did the following:

  • Remove my app from my Apple Account Sign In With Apple
  • Sign in with Apple on my app again (but using email1@fake.com this time) > signs in to existing account OK
  • Try to make a new account with email2@fake.com > Cannot create a new account again

I am not sure if this is expected behaviour? In the first lot of bullet points above, I believe that email2@fake.com should be able to sign in with a password to the existing account? If that was the case this behaviour makes sense, otherwise it is quite confusing.

  1. How to determine if a user already has an account when calling supabase.auth.signUp? Given the same details as above:
  • if I try to sign up for another account with email1@fake.com I get AuthResponse that looks like below:
:AuthResp user(Auth.User(id: F307C847-FE01-4B6E-ACB0-34B70CDFCFBE, appMetadata: ["providers": ["email"], "provider": email], userMetadata: [:], aud: "authenticated", confirmationSentAt: Optional(2024-03-18 23:45:39 +0000), recoverySentAt: Optional(2024-03-18 00:04:14 +0000), emailChangeSentAt: nil, newEmail: nil, invitedAt: nil, actionLink: nil, email: Optional("REVOKED"), phone: Optional(""), createdAt: 2024-03-18 23:45:39 +0000, confirmedAt: nil, emailConfirmedAt: nil, phoneConfirmedAt: nil, lastSignInAt: nil, role: Optional(""), updatedAt: 2024-03-18 23:45:39 +0000, identities: Optional([]), factors: nil))

The id in the above does not seem to relate to anything in my DB. It does not match the user ID from auth.users, which is very strange. There is nothing in this output to determine if this user already existed.

How are you expected to determine if a user already exists?

  • It does not seem responsible to create a table that an anon user could SELECT from with existing email addresses
  • Hiding this behind an edge function seems to have the same issues (it would still have to be usable by an anon user)
  • My auth logs however show: {"auth_event":{"action":"user_repeated_signup"

I tried signing up a fake email address to see what the response is:

:AuthResp user(Auth.User(id: AEC42A48-8C1C-483F-A023-84125BAA4A5F, appMetadata: ["provider": email, "providers": ["email"]], userMetadata: ["email": fake@fake.com, "email_verified": false, "sub": aec42a48-8c1c-483f-a023-84125baa4a5f, "phone_verified": false], aud: "authenticated", confirmationSentAt: Optional(2024-03-18 23:51:25 +0000), recoverySentAt: nil, emailChangeSentAt: nil, newEmail: nil, invitedAt: nil, actionLink: nil, email: Optional("fake@fake.com"), phone: Optional(""), createdAt: 2024-03-18 23:51:25 +0000, confirmedAt: nil, emailConfirmedAt: nil, phoneConfirmedAt: nil, lastSignInAt: nil, role: Optional("authenticated"), updatedAt: 2024-03-18 23:51:27 +0000, identities: Optional([Auth.UserIdentity(id: "aec42a48-8c1c-483f-a023-84125baa4a5f", userId: AEC42A48-8C1C-483F-A023-84125BAA4A5F, identityData: Optional(["sub": aec42a48-8c1c-483f-a023-84125baa4a5f, "phone_verified": false, "email_verified": false, "email": fake@fake.com]), provider: "email", createdAt: 2024-03-18 23:51:25 +0000, lastSignInAt: 2024-03-18 23:51:25 +0000, updatedAt: 2024-03-18 23:51:25 +0000)]), factors: nil))
  • The id now matches the ID of the user in my auth.users > why is that the case for new email sign ups?
  • There is a whole extra identityData

To Reproduce

Expected behavior

  1. I am not sure if this is expected behaviour? In the first lot of bullet points above, I believe that email2@fake.com should be able to sign in with a password to the existing account? If that was the case this behaviour makes sense, otherwise it is quite confusing.

  2. Can the client code please provide some data which makes it obvious an existing account already exists?

Additional context

Happy to provide any extra info or access to project. Thanks!

@Objy-marcus Objy-marcus added the bug Something isn't working label Mar 18, 2024
@Objy-marcus
Author

Sorry I forgot to add the reason why I was wondering if the two issues are related.

When I use an entirely different email address not connected to any Apple account, say fake3@fake.com:

I get the following for the first and second sign up. As you can see the IDs match, and it does match the user id created from the first sign up in my auth.users table. This gives some path to making a view of uuids which can be checked by an anon user > which isn't the best thing in the world but better than email addresses I think 🙂

:AuthResp user(Auth.User(id: 673EF24E-2471-4D71-REVOKED-REVOKED, appMetadata: ["provider": email, "providers": ["email"]], userMetadata: ["sub": 673ef24e-2471-4d71-REVOKED-REVOKED, "email_verified": false, "phone_verified": false, "email": REVOKED], aud: "authenticated", confirmationSentAt: Optional(2024-03-19 00:04:20 +0000), recoverySentAt: nil, emailChangeSentAt: nil, newEmail: nil, invitedAt: nil, actionLink: nil, email: Optional("REVOKED"), phone: Optional(""), createdAt: 2024-03-19 00:04:20 +0000, confirmedAt: nil, emailConfirmedAt: nil, phoneConfirmedAt: nil, lastSignInAt: nil, role: Optional("authenticated"), updatedAt: 2024-03-19 00:04:22 +0000, identities: Optional([Auth.UserIdentity(id: "673ef24e-2471-4d71-REVOKED-REVOKED", userId: 673EF24E-2471-4D71-REVOKED-REVOKED, identityData: Optional(["email": REVOKED, "email_verified": false, "phone_verified": false, "sub": 673ef24e-2471-4d71-REVOKED-REVOKED]), provider: "email", createdAt: 2024-03-19 00:04:20 +0000, lastSignInAt: 2024-03-19 00:04:20 +0000, updatedAt: 2024-03-19 00:04:20 +0000)]), factors: nil))



:AuthResp user(Auth.User(id: 673EF24E-2471-4D71-REVOKED-REVOKED, appMetadata: ["provider": email, "providers": ["email"]], userMetadata: ["email": REVOKED, "phone_verified": false, "sub": 673ef24e-2471-4d71-REVOKED-REVOKED, "email_verified": false], aud: "authenticated", confirmationSentAt: Optional(2024-03-19 00:05:26 +0000), recoverySentAt: nil, emailChangeSentAt: nil, newEmail: nil, invitedAt: nil, actionLink: nil, email: Optional("REVOKED"), phone: Optional(""), createdAt: 2024-03-19 00:04:20 +0000, confirmedAt: nil, emailConfirmedAt: nil, phoneConfirmedAt: nil, lastSignInAt: nil, role: Optional("authenticated"), updatedAt: 2024-03-19 00:05:28 +0000, identities: Optional([Auth.UserIdentity(id: "673ef24e-2471-4d71-REVOKED-REVOKED", userId: 673EF24E-2471-4D71-REVOKED-REVOKED, identityData: Optional(["sub": 673ef24e-2471-4d71-REVOKED-REVOKED, "email": REVOKED, "phone_verified": false, "email_verified": false]), provider: "email", createdAt: 2024-03-19 00:04:20 +0000, lastSignInAt: 2024-03-19 00:04:20 +0000, updatedAt: 2024-03-19 00:04:20 +0000)]), factors: nil))

@Objy-marcus
Author

I did another small test.

I tried to sign up for another account via the email provider for email1@fake.com (note: this is a real email address; I have removed it for my ticket). I did this twice, and I get two different IDs in the AuthResponse - neither seems to match anything in my DB...

Sorry for the long ticket, but I think the end state needs to be a way to know if either an email provider user or an Apple Sign In provider user already has an account.

Thanks again!

@JohanEkenstedt

I have the same problem: When I create a new user with supabase.auth.signUp(email: email, password: password) that has an email that already exists in Supabase, I don't get the error message that is stated in the documentation.

In the docs it reads:

When either Confirm email or Confirm phone (even when phone provider is disabled) is disabled, the error message, User already registered is returned.

I get the same type of response as when I create a new user without an existing email in supabase, but I don't get a verification mail.

@grdsdev
Collaborator

grdsdev commented Apr 25, 2024

Hi, this appears to be the same reported in supabase/auth#1517

This is the expected behavior, to prevent attackers from scanning through existing users; this is known as a User Enumeration Attack.
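To make the maintainer's point concrete, here is an added Python model (not Supabase or GoTrue code) of an enumeration-resistant signUp handler as the issue describes it: a repeated signup gets the same 200-style response shape as a new one, no confirmation mail is sent, the returned id is unrelated to the stored row, and the only trace is a server-side `user_repeated_signup` audit event; a small helper then counts those events from the log so operators can watch for enumeration attempts. `USERS`, `SENT_MAIL`, `AUTH_LOG` and the `user_signedup` action name are assumptions of this model, and the user store is constructed in memory.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed in-memory stand-ins for auth.users, the outbound mailer and the
# auth log (hypothetical names; this is a model, not Supabase code).
USERS = {"email1@fake.com": {"id": str(uuid.uuid4()), "providers": ["email"]}}
SENT_MAIL = []
AUTH_LOG = []


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def sign_up(email: str, password: str) -> dict:
    """Enumeration-resistant signUp: same response shape whether or not the
    address already exists, so the caller cannot tell the two apart."""
    email = email.strip().lower()
    if email in USERS:
        # Repeated signup: record it server-side only, send no mail, and hand
        # back a throwaway user whose id matches nothing in auth.users (the
        # shape reported in this issue, with an empty identities list).
        AUTH_LOG.append(json.dumps({"auth_event": {
            "action": "user_repeated_signup", "actor_username": email}}))
        return {"id": str(uuid.uuid4()), "email": email, "identities": [],
                "confirmation_sent_at": _now()}
    # New address: create the row, send the confirmation mail, log it.
    user_id = str(uuid.uuid4())
    USERS[email] = {"id": user_id, "providers": ["email"]}  # password omitted in the model
    SENT_MAIL.append(email)
    AUTH_LOG.append(json.dumps({"auth_event": {
        "action": "user_signedup", "actor_username": email}}))  # assumed action name
    return {"id": user_id, "email": email,
            "identities": [{"provider": "email", "user_id": user_id}],
            "confirmation_sent_at": _now()}


def repeated_signup_counts(log_lines) -> dict:
    """Detection helper: count user_repeated_signup events per address so a
    burst against many addresses stands out in the auth log."""
    counts = {}
    for line in log_lines:
        event = json.loads(line).get("auth_event", {})
        if event.get("action") == "user_repeated_signup":
            who = event.get("actor_username", "?")
            counts[who] = counts.get(who, 0) + 1
    return counts
```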

@grdsdev
Collaborator

grdsdev commented May 15, 2024

Closing for now, feel free to re-open it if you still need something.

@grdsdev grdsdev closed this as completed May 15, 2024