
auth.signUp() doesn't error for existing accounts - security vulnerability

Open CalebLovell opened this issue 2 years ago • 44 comments

Bug report

Describe the bug

supabase.auth.signUp() is not erroring for existing accounts. Right now, you can submit an existing email with any incorrect password, and supabase will return you the account metadata (without a jwt).

To Reproduce

1. Go to this example app
2. Sign up with an email and a password
3. Log out
4. Try to sign up again with the same email using any password you want. Try asdfasdfasdf if you want!

You will get an alert saying you logged in, but you won't get a working access token. Just the email you submitted. You can also view the request in the Network tab of the Dev Tools and see metadata about the account, like when it was created and what provider it uses.

Expected behavior

Attempting to sign up with an existing email should throw an error.

System information

  • Version of supabase-js: [1.2.1]
  • Version of Node.js: [14.17.4]

CalebLovell · Nov 04 '21 08:11
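The client-side check the report's example app lacks, as an added example that is not code from the issue, the example app or supabase-js. It assumes the supabase-js v1 `signUp()` response shape `{ user, session, error }` the report describes, where an existing account comes back as user metadata with no session, and treats only a real access token as a successful sign-in.

```javascript
// Added example, not code from the issue or from supabase-js.
// Assumes the supabase-js v1 signUp() response shape { user, session, error }
// that the report relies on: an existing account comes back as a user object
// with no session (no JWT).

// Classify a signUp() result so the app only treats a real session as "logged in".
function classifySignUpResult(result) {
  const { user, session, error } = result || {};
  if (error) {
    return { state: 'error', message: error.message };
  }
  const token = session && session.access_token;
  if (typeof token === 'string' && token.length > 0) {
    return { state: 'signed_in', userId: user ? user.id : null };
  }
  // User metadata but no JWT: the report's existing-account case. A pending
  // email confirmation also returns no session, so the caller gets the same
  // state for both and the returned metadata is never surfaced in the UI.
  return { state: 'no_session' };
}

// Uniform message for the UI: identical text whether the email was new or
// already registered, so the response alone does not confirm an account exists.
function signUpMessage(result) {
  const r = classifySignUpResult(result);
  if (r.state === 'signed_in') return 'Signed in.';
  if (r.state === 'error') return 'Sign-up failed: ' + r.message;
  return 'If this address can be registered, check your inbox to continue.';
}

// Constructed sample responses modelled on the report (not real API output).
const existingAccount = {
  user: { id: 'u-1', email: 'person@example.com', created_at: '2021-11-01T00:00:00Z' },
  session: null,
  error: null,
};
const freshSession = {
  user: { id: 'u-2', email: 'new@example.com' },
  session: { access_token: 'eyJ.constructed.jwt' },
  error: null,
};
const failed = { user: null, session: null, error: { message: 'constructed error' } };

console.log(signUpMessage(existingAccount)); // generic "check your inbox" text
console.log(signUpMessage(freshSession));    // "Signed in."
console.log(signUpMessage(failed));          // "Sign-up failed: constructed error"
```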