Getting an error of: "User has more than one identity on signup" #1899

Closed
2 tasks done
TaxNowAndrewY opened this issue Dec 30, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@TaxNowAndrewY

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

An auth bug of "User has more than one identity on signup" occurs when:

  1. a user signs up
  2. has a phone number associated to the user via admin.auth.updateUserById while the user is in the verification state
  3. Tries to use the method verifyOtp

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Sign up a user:

    const signUpResult = await supabase.auth.signUp({
      email: payload.email,
      password: payload.password,
      options: {
        data: {
          first_name: payload.first_name,
          last_name: payload.last_name,
          phone_number: payload.phone_number,
        }
      }
    });

  2. Update their phone number with supabase.admin.auth.updateUserById:

    await supabase.auth.admin.updateUserById(user.id, {
      phone: payload.phone_number,
      app_metadata: {
        inSignUpFlow: true
      },
      user_metadata: {
        first_name: payload.first_name,
        last_name: payload.last_name,
        phone_number: payload.phone_number
      }
    });

  3. Get an OTP code with supabase.auth.signInWithOtp

  4. Verify OTP with supabase.auth.verifyOtp:

    supabase.auth.verifyOtp({ email: <email>, token: <token>, type: 'email' })

Expected behavior

This flow was working previously (within the last few days)

Screenshots

If applicable, add screenshots to help explain your problem.
image

System information

  • OS: [e.g. macOS, Windows]

  • Browser (if applies) [e.g. chrome, safari]

  • Version of supabase-js: [e.g. 6.0.2]

  • Version of Node.js: [e.g. 10.10.0]

  • macOS, m2

  • edge

  • supabase-js ^2.39.1

  • node v18.18.0

Additional context

This github commit seems to be where the error is introduced:
483463e#diff-e47b259bf17912f7ca1f5163ccbfb8a8c23da6c399412ce5aef78b8b684df5e5R330

The problem presents itself as the same as this one here:
#1840

But issue 1840 was addressed with updateUser instead of admin.auth.updateUserById. In short, I think the assumption that there can be only 1 identity before a user confirms their email is too broad since we would like to be able to capture this information and have it associated all in the sign up flow.

@TaxNowAndrewY TaxNowAndrewY added the bug Something isn't working label Dec 30, 2024
@cdavis1324

We're experiencing this issue as well and the impact may be quite bad.

It seems that if you call updateUserById and don't pass the phone_confirm: true or email_confirm: true params after updating phone/email, users can get in a state where they can't login at all even if they have already confirmed their previous email/phone.

https://supabase.com/docs/reference/javascript/auth-admin-updateuserbyid

Our organization's existing use of updateUserById was NOT passing these params and we now have multiple users that can't login using verifyOtp.

Our workaround has been to update our codepath to pass the auto-confirmation params and then re-update their phone/email. This workaround is pretty cumbersome and leading to a lot of customer annoyance.
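
The workaround described in the comment above (pass the auto-confirmation params, then re-update the phone/email), as an added JavaScript example that is not part of the thread or Supabase's code. It assumes affected accounts show an email or phone with no confirmation timestamp; `isVerified` is a hypothetical caller-supplied check, so only contacts already proven to belong to the user are auto-confirmed.

```javascript
// Added example, not Supabase code. `admin` is any object exposing
// updateUserById(id, attrs) the way supabase.auth.admin does; `isVerified`
// is a hypothetical caller-supplied check that a value was verified elsewhere.

// Contact fields that are set but carry no confirmation timestamp (assumed symptom).
function unconfirmedFields(user) {
  const fields = [];
  if (user.email && !user.email_confirmed_at) fields.push('email');
  if (user.phone && !user.phone_confirmed_at) fields.push('phone');
  return fields;
}

// Build the re-update payload from the workaround: resend the same value with
// its *_confirm flag, but only for fields the caller vouches for.
function repairPayload(user, isVerified) {
  const attrs = {};
  for (const field of unconfirmedFields(user)) {
    if (!isVerified(user, field)) continue; // never auto-confirm an unproven contact
    attrs[field] = user[field];
    attrs[`${field}_confirm`] = true; // email_confirm / phone_confirm
  }
  return Object.keys(attrs).length ? attrs : null;
}

// Apply the repair to a list of users. Returns the ids that were updated and
// the ids skipped because nothing could be safely confirmed.
async function repairUsers(admin, users, isVerified) {
  const updated = [], skipped = [];
  for (const user of users) {
    const attrs = repairPayload(user, isVerified);
    if (!attrs) { skipped.push(user.id); continue; }
    const { error } = await admin.updateUserById(user.id, attrs);
    if (error) throw new Error(`update failed for ${user.id}: ${error.message}`);
    updated.push(user.id);
  }
  return { updated, skipped };
}

// Constructed sample records (not real accounts).
const SAMPLE_USERS = [
  { id: 'u1', email: 'a@example.com', email_confirmed_at: '2024-12-01T00:00:00Z',
    phone: '15550100', phone_confirmed_at: null },
  { id: 'u2', email: 'b@example.com', email_confirmed_at: null,
    phone: '', phone_confirmed_at: null },
  { id: 'u3', email: 'c@example.com', email_confirmed_at: '2024-12-02T00:00:00Z',
    phone: '15550101', phone_confirmed_at: '2024-12-02T00:00:00Z' },
];
```

Run the payload builder as a dry run first and review the candidate list before calling `repairUsers` with a real admin client.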

@cdavis1324

I've been able to reproduce this bug via another method as well that seems to be a common use-case.

  1. Create a user using auth.createUser and pass in both email and phone params.
  2. Call auth.signInWithOtp with an email address
  3. Call auth.verifyOtp with email and type: 'email'

We're using the above flow to create users with both emails and phones on sign-up in our application and then letting them sign-in with either email or phone.

The above commit 483463e#diff-e47b259bf17912f7ca1f5163ccbfb8a8c23da6c399412ce5aef78b8b684df5e5R330 seems to have broken this use-case.

As @TaxNowAndrewY stated above, the assumption that a user only has 1 identity before confirming is wrong and breaks this use-case that previously worked.

@hf
Contributor

hf commented Jan 3, 2025

Yup this is a problem. We'll get on a fix for it but earliest deploy looks like it's Monday. Please write to supabase.help anyone that's affected by this so we roll out the fix ASAP on your projects. Please reference this issue!

@TaxNowAndrewY
Author

@hf Just confirming that the fix is deployed to prod env for supabase?

@cdavis1324

cdavis1324 commented Jan 8, 2025

@hf Has this fix been deployed yet? We're still seeing the User has more than one identity on signup in our logs

@kangmingtay
Member

Hi everyone, this issue should be resolved now as we've deployed v2.168.0 (which contains the fix) to all projects. You can check which auth version your project is on from the settings page (https://supabase.com/dashboard/project/_/settings/infrastructure).
