
raw_app_meta_data not updated when setting password for 3rd-party authenticated users

Open • MoienTajik opened this issue 1 year ago • 0 comments

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When both Email/Password authentication and 3rd-party auth (in my case, Google) are enabled, if a user first signs up with Google, I want to allow them to set a password as well, so they can also log in using Email/Password later. The issue is that if you use the Update user endpoint (/user), it will set the password on Supabase and you can also log in with it, but the problem is it doesn't update raw_app_meta_data and as a result, when you retrieve the user object and examine their identities (raw_app_meta_data), the email is not there. This means you won't know if the user has set a password before to show them the Change Password page or if they never set a password, so you need to show them the Set Password page.

This flow works correctly vice versa, when you first sign up using email and then sign up again using the same email with another auth provider, such as Google.

To Reproduce

  1. Enable both Email/Password and Google authentication on Supabase.
  2. Sign up using Google.
  3. Use the Update user endpoint to set a password.
  4. Retrieve the user object and check the identities field, or use the "view user info" button in the Supabase dashboard.

Expected behavior

When a user sets a password after signing up with Google, the raw_app_meta_data should be updated to include the email, so it is clear that the user has set a password, and you can show the appropriate password page (Change Password or Set Password).

Additional context

User object after updating password when he first signed up using Google (user specific info redacted). As you can see, encrypted_password is set, but raw_app_meta_data and raw_user_meta_data only contain Google:

{
  "instance_id": "00000000-0000-0000-0000-000000000000",
  "id": "3f9f70bb-ef51-4d24-c92c-182d5f1de8ff",
  "aud": "authenticated",
  "role": "authenticated",
  "email": "[email protected]",
  "encrypted_password": "$2a$10$0KLCYWQeUoHD9BNQ8ah4xeJXTVeJPACu5oEw2tC79UXq7OjebLwbC",
  "email_confirmed_at": "2024-05-30 15:23:29.382414+00",
  "invited_at": null,
  "confirmation_token": "",
  "confirmation_sent_at": null,
  "recovery_token": "",
  "recovery_sent_at": null,
  "email_change_token_new": "",
  "email_change": "",
  "email_change_sent_at": null,
  "last_sign_in_at": "2024-05-30 15:26:44.842975+00",
  "raw_app_meta_data": {
    "provider": "google",
    "providers": [
      "google"
    ]
  },
  "raw_user_meta_data": {
    "iss": "https://accounts.google.com",
    "sub": "222073180655295499353",
    "name": "Fake User",
    "email": "[email protected]",
    "picture": "https://example.com/avatar.jpg",
    "full_name": "Fake User",
    "avatar_url": "https://example.com/avatar.jpg",
    "provider_id": "222073180655295499353",
    "email_verified": true,
    "phone_verified": false
  },
  "is_super_admin": null,
  "created_at": "2024-05-30 15:23:29.37575+00",
  "updated_at": "2024-05-31 21:40:29.826062+00",
  "phone": null,
  "phone_confirmed_at": null,
  "phone_change": "",
  "phone_change_token": "",
  "phone_change_sent_at": null,
  "confirmed_at": "2024-05-30 15:23:29.382414+00",
  "email_change_token_current": "",
  "email_change_confirm_status": 0,
  "banned_until": null,
  "reauthentication_token": "ac98eabc07ef1df2080466b2e10c8b58bc633e5947605c26883cc9c9",
  "reauthentication_sent_at": "2024-05-30 15:23:41.412707+00",
  "is_sso_user": false,
  "deleted_at": null,
  "is_anonymous": false
}

MoienTajik, Jun 02 '24 14:06
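
An added example, not part of the issue and not Supabase code: a server-side audit over user rows in the shape shown above that reports accounts where a password is stored but "email" is missing from raw_app_meta_data.providers, and picks the Set/Change Password page from the credential itself. The function names, the sample rows and the rule that a non-empty encrypted_password means a password login exists are assumptions.

```python
import json

# Constructed sample rows in the shape of the user object in the issue
# (ids are made up; the hash strings are placeholders, not real hashes).
SAMPLE_ROWS = json.loads("""
[
  {"id": "user-a", "encrypted_password": "$2a$10$placeholder-hash",
   "raw_app_meta_data": {"provider": "google", "providers": ["google"]}},
  {"id": "user-b", "encrypted_password": "",
   "raw_app_meta_data": {"provider": "google", "providers": ["google"]}},
  {"id": "user-c", "encrypted_password": "$2a$10$placeholder-hash",
   "raw_app_meta_data": {"provider": "email", "providers": ["email", "google"]}},
  {"id": "user-d", "encrypted_password": null, "raw_app_meta_data": null}
]
""")

def has_password(row):
    """Assumption: a non-empty encrypted_password means a password login exists."""
    return bool((row.get("encrypted_password") or "").strip())

def listed_providers(row):
    """Providers recorded in raw_app_meta_data, tolerating null or missing fields."""
    meta = row.get("raw_app_meta_data") or {}
    providers = meta.get("providers") or []
    return {p for p in providers if isinstance(p, str)}

def password_page(row):
    """Choose the page from the stored credential, not from the providers list."""
    return "change_password" if has_password(row) else "set_password"

def audit(rows):
    """Return ids of accounts with a password that the providers list does not show."""
    return [
        row["id"]
        for row in rows
        if has_password(row) and "email" not in listed_providers(row)
    ]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["id"], password_page(row), sorted(listed_providers(row)))
    print("password set but 'email' not listed:", audit(SAMPLE_ROWS))
```

Run it against rows read with server-side credentials only; the password hash column should never be sent to a client to make this decision.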