
Meta-data is overwritten with subsequent signup requests

Open naegelin opened this issue 4 years ago • 3 comments

Bug report

Describe the bug

Possible security vulnerability

When sending a signUp api call to an already existing user with attached meta-data, the user's existing meta-data is overwritten in an unauthenticated context.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Find a user that exists and has existing meta-data in your supabase project
  2. Issue another signUp api request for that same user's email with new meta-data
  3. Observe the meta-data on the API response

```js
// supabase-js v1 signature: credentials first, options (with metadata) second
const { user, session, error } = await supabase.auth.signUp({
    email: email,
    password: password,
}, {
    data: {
        phone: phone,
        name: name,
        company: company
    }
})
```

Expected behavior

  1. If a user is already signed up, the metadata should not be updated
  2. Nice to have: If a user is already signed up the API should respond with something like HTTP status code 409 instead of User object.

naegelin avatar Nov 08 '21 01:11 naegelin

Update - if I use the service account to inspect the auth.users table the metadata is not updated there, so it seems that it's just a bug in how the API endpoint responds upon a secondary signUp call.

naegelin avatar Nov 08 '21 02:11 naegelin

This is actually a security fix where duplicate signup requests will return a successful response (with a randomized UUID) to prevent leakage of whether a user has signed up for a service before. See https://github.com/supabase/auth/issues/1517. I think the auth documentation will need some updating to reflect this, since there have been a bunch of similar issues raised about this behaviour recently.

bnjmnt4n avatar Nov 08 '21 07:11 bnjmnt4n

Knowing that a user has already signed up is imho not in and of itself a security risk unless the api allows unlimited amounts of requests to try to 'brute force' out an accounts list. I would argue that knowing that an account already exists is important for most developers when building a usable workflow, especially as users over time may have forgotten if they already signed up. Having to track this through a 'profiles' table or similar makes the auth feature less elegant.

naegelin avatar Nov 08 '21 18:11 naegelin

Fixed in: https://github.com/supabase/gotrue/pull/825

hf avatar Dec 30 '22 17:12 hf