SignUp with same address / Sign In With Apple with secondary email issue #270
Comments
Sorry, I forgot to add the reason why I was wondering if the two issues are related. When I use an entirely different email address not connected to any Apple account, say fake3@fake.com, I get the following for the first and second sign up. As you can see the IDs match, and it does match the user id created from the first sign up in my auth.users table. This gives some path to making a view of uuids which can be checked by an anon user, which isn't the best thing in the world but better than email addresses I think 🙂

I did another small test. I tried to sign up for another account via the email provider for email1@fake.com (note: this is a real email address; I have removed it for my ticket). I did this twice, and I get two different IDs in the AuthResponse - neither seems to match anything in my DB... Sorry for the long ticket, but I think the end state needs to be a way to know if either an email provider user or an Apple Sign In provider user already has an account. Thanks again!

I have the same problem: When I create a new user with supabase.auth.signUp(email: email, password: password) that has an email that already exists in supabase, I don't get the error message that is stated in the documentation. In the docs it reads: When either Confirm email or Confirm phone (even when phone provider is disabled) is disabled, the error message, User already registered is returned. I get the same type of response as when I create a new user without an existing email in supabase, but I don't get a verification mail.

Hi, this appears to be the same as reported in supabase/auth#1517. This is the expected behavior, to prevent attackers from scanning through existing users; this is known as a User Enumeration Attack.

Closing for now, feel free to re-open it if you still need something.
Bug report
Describe the bug
I am sorry there are two issues here which may or may not be related:
I have a user with the following:
{"auth_event":{"action":"user_repeated_signup",
At this point I realised that I cannot make another account with email2@fake.com. However I had been using this email to make extra accounts for the last month. I did the following:
I am not sure if this is expected behaviour? In the first lot of bullet points above, I believe that email2@fake.com should be able to sign in with a password to the existing account? If that was the case this behaviour makes sense, otherwise it is quite confusing.
supabase.auth.signUp? Given the same details as above: The id in the above does not seem to relate to anything in my DB. It does not match the User ID from auth.users, which is very strange. There is nothing in this output to determine if this user already existed.
How are you expected to determine if a user already exists?
{"auth_event":{"action":"user_repeated_signup"
I tried signing up a fake email address to see what the response is:
To Reproduce
Expected behavior
I am not sure if this is expected behaviour? In the first lot of bullet points above, I believe that email2@fake.com should be able to sign in with a password to the existing account? If that was the case this behaviour makes sense, otherwise it is quite confusing.
Can the client code please provide some data which makes it obvious an existing account already exists?
Additional context
Happy to provide any extra info or access to project. Thanks!