auth
auth.signUp() doesn't error for existing accounts - security vulnerability
Bug report
Describe the bug
supabase.auth.signUp() is not erroring for existing accounts. Right now, you can submit an existing email with any incorrect password, and supabase will return you the account metadata (without a jwt).
To Reproduce
Go to this example app
Sign-up with an email and a password
Log out
Try to sign up again with the same email using any password you want. Try asdfasdfasdf if you want!
You will get an alert saying you logged in, but you won't get a working access token. Just the email you submitted.
You can also view the request in the Network tab of the Dev Tools and see metadata about the account, like when it was created and what provider it uses.
Expected behavior
Attempting to sign up with an existing email should throw an error.
System information
- Version of supabase-js: 1.2.1
- Version of Node.js: 14.17.4