SignUp with same address / Sign In With Apple with secondary email issue
Bug report
Describe the bug
I am sorry there are two issues here which may or may not be related:
I have a user with the following:
- Apple account with two email addresses ([email protected] and [email protected])
- User has signed up with email provider using [email protected] > works good
- User can sign in with apple, and will access their account correctly > unexpected behaviour but I like it!
- User tries to sign up for a new account using email provider with [email protected]
- Supabase client returns OK > however confirmation email is never sent.
- Looking in my auth logs, I see
{"auth_event":{"action":"user_repeated_signup",
- Try to log in using email and password ([email protected]) > cannot log in (invalid credentials)
At this point I realised that I cannot make another account with [email protected]. However I had been using this email to make extra accounts for the last month. I did the following:
- Remove my app from my Apple Account Sign In With Apple
- Sign in with Apple on my app again (but using [email protected] this time) > signs in to existing account OK
- Try to make a new account with [email protected] > Cannot create a new account again
I am not sure if this is expected behaviour? In the first lot of bullet points above, I believe that [email protected] should be able to sign in with a password to the existing account? If that was the case this behaviour makes sense, otherwise it is quite confusing.
- How to determine if a user already has an account when calling supabase.auth.signUp? Given the same details as above:
- if I try to sign up for another account with [email protected] I get AuthResponse that looks like below:
:AuthResp user(Auth.User(id: F307C847-FE01-4B6E-ACB0-34B70CDFCFBE, appMetadata: ["providers": ["email"], "provider": email], userMetadata: [:], aud: "authenticated", confirmationSentAt: Optional(2024-03-18 23:45:39 +0000), recoverySentAt: Optional(2024-03-18 00:04:14 +0000), emailChangeSentAt: nil, newEmail: nil, invitedAt: nil, actionLink: nil, email: Optional("REVOKED"), phone: Optional(""), createdAt: 2024-03-18 23:45:39 +0000, confirmedAt: nil, emailConfirmedAt: nil, phoneConfirmedAt: nil, lastSignInAt: nil, role: Optional(""), updatedAt: 2024-03-18 23:45:39 +0000, identities: Optional([]), factors: nil))
The id in the above does not seem to relate to anything in my DB. It does not match the User ID from auth.users, which is very strange. There is nothing in this output to determine if this user already existed.
How are you expected to determine if a user already exists?
- It does not seem responsible to create a table that an anon user could SELECT from with existing email addresses
- Hiding this behind an edge function seems to have the same issues (it would still have to be usable by an anon user)
- My auth logs however show:
{"auth_event":{"action":"user_repeated_signup"
I tried signing up a fake email address to see what the response is:
:AuthResp user(Auth.User(id: AEC42A48-8C1C-483F-A023-84125BAA4A5F, appMetadata: ["provider": email, "providers": ["email"]], userMetadata: ["email": [email protected], "email_verified": false, "sub": aec42a48-8c1c-483f-a023-84125baa4a5f, "phone_verified": false], aud: "authenticated", confirmationSentAt: Optional(2024-03-18 23:51:25 +0000), recoverySentAt: nil, emailChangeSentAt: nil, newEmail: nil, invitedAt: nil, actionLink: nil, email: Optional("[email protected]"), phone: Optional(""), createdAt: 2024-03-18 23:51:25 +0000, confirmedAt: nil, emailConfirmedAt: nil, phoneConfirmedAt: nil, lastSignInAt: nil, role: Optional("authenticated"), updatedAt: 2024-03-18 23:51:27 +0000, identities: Optional([Auth.UserIdentity(id: "aec42a48-8c1c-483f-a023-84125baa4a5f", userId: AEC42A48-8C1C-483F-A023-84125BAA4A5F, identityData: Optional(["sub": aec42a48-8c1c-483f-a023-84125baa4a5f, "phone_verified": false, "email_verified": false, "email": [email protected]]), provider: "email", createdAt: 2024-03-18 23:51:25 +0000, lastSignInAt: 2024-03-18 23:51:25 +0000, updatedAt: 2024-03-18 23:51:25 +0000)]), factors: nil))
- The id now matches the ID of the user in my auth.users > why is that the case for new email sign ups?
- There is a whole extra identityData
To Reproduce
Expected behavior
- I am not sure if this is expected behaviour? In the first lot of bullet points above, I believe that [email protected] should be able to sign in with a password to the existing account? If that was the case this behaviour makes sense, otherwise it is quite confusing.
- Can the client code please provide some data which makes it obvious an existing account already exists?
Additional context
Happy to provide any extra info or access to project. Thanks!
Sorry I forgot to add the reason why I was wondering if the two issues are related.
When I use an entirely different email address not connected to any Apple account, say [email protected]:
I get the following for the first and second sign up. As you can see the IDs match, and it does match the user id created from the first sign up in my auth.users table. This gives some path to making a view of uuids which can be checked by an anon user > which isn't the best thing in the world but better than email addresses I think 🙂
:AuthResp user(Auth.User(id: 673EF24E-2471-4D71-REVOKED-REVOKED, appMetadata: ["provider": email, "providers": ["email"]], userMetadata: ["sub": 673ef24e-2471-4d71-REVOKED-REVOKED, "email_verified": false, "phone_verified": false, "email": REVOKED], aud: "authenticated", confirmationSentAt: Optional(2024-03-19 00:04:20 +0000), recoverySentAt: nil, emailChangeSentAt: nil, newEmail: nil, invitedAt: nil, actionLink: nil, email: Optional("REVOKED"), phone: Optional(""), createdAt: 2024-03-19 00:04:20 +0000, confirmedAt: nil, emailConfirmedAt: nil, phoneConfirmedAt: nil, lastSignInAt: nil, role: Optional("authenticated"), updatedAt: 2024-03-19 00:04:22 +0000, identities: Optional([Auth.UserIdentity(id: "673ef24e-2471-4d71-REVOKED-REVOKED", userId: 673EF24E-2471-4D71-REVOKED-REVOKED, identityData: Optional(["email": REVOKED, "email_verified": false, "phone_verified": false, "sub": 673ef24e-2471-4d71-REVOKED-REVOKED]), provider: "email", createdAt: 2024-03-19 00:04:20 +0000, lastSignInAt: 2024-03-19 00:04:20 +0000, updatedAt: 2024-03-19 00:04:20 +0000)]), factors: nil))
:AuthResp user(Auth.User(id: 673EF24E-2471-4D71-REVOKED-REVOKED, appMetadata: ["provider": email, "providers": ["email"]], userMetadata: ["email": REVOKED, "phone_verified": false, "sub": 673ef24e-2471-4d71-REVOKED-REVOKED, "email_verified": false], aud: "authenticated", confirmationSentAt: Optional(2024-03-19 00:05:26 +0000), recoverySentAt: nil, emailChangeSentAt: nil, newEmail: nil, invitedAt: nil, actionLink: nil, email: Optional("REVOKED"), phone: Optional(""), createdAt: 2024-03-19 00:04:20 +0000, confirmedAt: nil, emailConfirmedAt: nil, phoneConfirmedAt: nil, lastSignInAt: nil, role: Optional("authenticated"), updatedAt: 2024-03-19 00:05:28 +0000, identities: Optional([Auth.UserIdentity(id: "673ef24e-2471-4d71-REVOKED-REVOKED", userId: 673EF24E-2471-4D71-REVOKED-REVOKED, identityData: Optional(["sub": 673ef24e-2471-4d71-REVOKED-REVOKED, "email": REVOKED, "phone_verified": false, "email_verified": false]), provider: "email", createdAt: 2024-03-19 00:04:20 +0000, lastSignInAt: 2024-03-19 00:04:20 +0000, updatedAt: 2024-03-19 00:04:20 +0000)]), factors: nil))
I did another small test.
I tried to sign up for another account via the email provider for [email protected] (note: this is a real email address I have removed it for my ticket). I did this twice, and I get two different IDs in the AuthResponse - neither seem to match anything in my DB...
Sorry for the long ticket, but I think the end state needs to be a way to know if either an email provider user or an Apple Sign In provider user already has an account.
Thanks again!
I have the same problem: When I create a new user with supabase.auth.signUp(email: email, password: password) that has an email that already exists in supabase I don't get the error message that is stated in the documentation.
In the docs it reads:
When either Confirm email or Confirm phone (even when phone provider is disabled) is disabled, the error message, User already registered is returned.
I get the same type of response as when I create a new user without an existing email in supabase, but I don't get a verification mail.
Hi, this appears to be the same as reported in https://github.com/supabase/auth/issues/1517
This is the expected behavior, to prevent attackers from scanning through existing users; this is known as a User Enumeration Attack.
Closing for now, feel free to re-open it if you still need something.
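The thread above shows two signals an operator has: on the client, a repeated signUp returns a user with an empty identities list and an id that matches nothing in auth.users, while a fresh signUp carries one identity; on the server, each repeat is recorded as a user_repeated_signup auth event. The following is an added example (not Supabase code and not from the reporter) that uses the second signal to flag sources hammering signUp against many addresses; the log lines are constructed, and the actor_ip and time field names are assumptions for the sake of the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape the report quotes ({"auth_event":{"action":...}}).
# "actor_ip" and "time" are assumed field names, not verified Supabase schema.
SAMPLE_LOG = """
{"auth_event":{"action":"user_repeated_signup","actor_ip":"203.0.113.7","time":"2024-03-18T23:45:39Z"}}
{"auth_event":{"action":"user_signedup","actor_ip":"198.51.100.4","time":"2024-03-18T23:51:25Z"}}
{"auth_event":{"action":"user_repeated_signup","actor_ip":"203.0.113.7","time":"2024-03-18T23:46:02Z"}}
{"auth_event":{"action":"user_repeated_signup","actor_ip":"203.0.113.7","time":"2024-03-18T23:46:40Z"}}
{"auth_event":{"action":"user_repeated_signup","actor_ip":"203.0.113.7","time":"2024-03-18T23:47:11Z"}}
{"auth_event":{"action":"user_repeated_signup","actor_ip":"198.51.100.4","time":"2024-03-19T00:05:26Z"}}
not-json garbage line
"""


def looks_like_existing_account(user: dict) -> bool:
    """Client-side signal from the report: the obfuscated user returned for a
    repeated signUp has an empty identities list. Use this only for internal
    logic (logging, metrics); the message shown to the end user must be the
    same in both cases, or the app itself becomes the enumeration oracle."""
    return not user.get("identities")


def flag_enumeration_sources(log_text: str, threshold: int = 3,
                             window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {source_ip: peak_count} for sources whose user_repeated_signup
    events reach `threshold` inside any span of length `window`.
    Malformed or unrelated lines are skipped rather than aborting the scan."""
    stamps_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        try:
            event = json.loads(line)["auth_event"]
        except (ValueError, KeyError, TypeError):
            continue
        if event.get("action") != "user_repeated_signup" or "time" not in event:
            continue
        stamps_by_ip[event.get("actor_ip", "unknown")].append(
            datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```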