
Disabling 'Confirm Email' still blocks non-confirmed users (created with admin client) from signing in

Open reid-moffat opened this issue 1 year ago • 5 comments

Bug report

  • [x] I confirm this is a bug with Supabase, not with my own application.
  • [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Disabling the 'Confirm Email' setting for email provider doesn't allow non-confirmed emails to sign in. I tried disabling the setting and then signing in with 3 cases, and all of them gave the same error ({"code":"email_not_confirmed","message":"Email not confirmed"}):

  • Signing in with an already created account which isn't verified
  • Deleting an existing account, re-creating it then attempting to sign in without confirming email
  • Creating a new account on an email that's never been used before on my project then attempting to sign in without confirming email

To Reproduce

  1. Go to the Authentication tab
  2. Go to 'Providers'
  3. Expand the email section
  4. Disable the 'Confirm Email' setting
  5. Save changes
  6. Create a new user on your app using the admin auth API (Edge functions): supabase.auth.admin.createUser({ email, password });
  7. Attempt to sign in to your app with the new account client-side: supabase.auth.signInWithPassword({ email, password });
  8. Signing in will give {"code":"email_not_confirmed","message":"Email not confirmed"}

Expected behavior

Signing in should not be blocked due to email not being confirmed. Signing in should be allowed.


System information

  • OS: Windows
  • Browser: Chrome
  • Version of supabase-js: 2.45.2
  • Version of Node.js: v20.11.0

reid-moffat avatar Oct 02 '24 00:10 reid-moffat

I have this problem too

teneburu avatar Jan 24 '25 16:01 teneburu

Welcome to the group. Take a seat, put an emoji and wait with us ; )

ClovisGP avatar Jan 27 '25 10:01 ClovisGP

Me too. workaround for now?

invoicingltd avatar Feb 12 '25 06:02 invoicingltd

I had to manually set all unverified users to be verified after switching this setting.

    UPDATE auth.users
    SET email_confirmed_at = NOW(),
        raw_user_meta_data = jsonb_set(
          raw_user_meta_data,
          '{email_verified}',
          'true'::jsonb,
          true
        )
    WHERE email_confirmed_at IS NULL;

greendra8 avatar Jun 09 '25 11:06 greendra8
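
A more cautious form of the workaround in the comment above, as an added example that is not part of the original comment or of Supabase's own code: it previews the affected rows and limits the change to accounts created before a cutoff, all inside one transaction. The cutoff timestamp is a constructed placeholder, and the COALESCE guard for a NULL raw_user_meta_data is an added assumption.

```sql
-- Added example: scoped, reviewable variant of the bulk "mark as verified" update.
-- Marking an address as confirmed asserts that the user owns it, so limit the
-- change to the accounts you actually intend to trust.
BEGIN;

-- 1. Preview which accounts are currently unconfirmed.
SELECT id, email, created_at
FROM auth.users
WHERE email_confirmed_at IS NULL
ORDER BY created_at;

-- 2. Confirm only accounts created before the cutoff (constructed placeholder;
--    replace with the time you disabled 'Confirm Email').
WITH updated AS (
  UPDATE auth.users
  SET email_confirmed_at = NOW(),
      raw_user_meta_data = jsonb_set(
        -- jsonb_set returns NULL when its target is NULL, so start from {}.
        COALESCE(raw_user_meta_data, '{}'::jsonb),
        '{email_verified}',
        'true'::jsonb,
        true
      )
  WHERE email_confirmed_at IS NULL
    AND created_at < TIMESTAMPTZ '2025-01-01 00:00:00+00'
  RETURNING id, email
)
SELECT count(*) AS confirmed_now FROM updated;

-- 3. Check what is still unconfirmed after the change.
SELECT count(*) AS still_unconfirmed
FROM auth.users
WHERE email_confirmed_at IS NULL;

-- 4. If the counts match the preview, keep the change; otherwise replace
--    COMMIT with ROLLBACK to discard it.
COMMIT;
```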

Same problem here happening on Supabase CLI even after setting auth.email.enable_confirmations = false. To reproduce:

  1. Call admin.admin.createUser with email_confirm: false
  2. Calling auth.signInWithPassword throws email_not_confirmed

rcomesan avatar Jun 11 '25 13:06 rcomesan

same here

obielwb avatar Jul 17 '25 21:07 obielwb

why is this so hard to fix such an annoying bug...

Werineld avatar Aug 13 '25 13:08 Werineld