# help
l
hi, I've tried multiple times to sign up as an existing user and it seems to return a 200 status without any errors. The expected behaviour is to get an error "user has already signed up". Any ideas what could be the issue?
```js
// sign-up call as used on the dedicated sign-up page
const { data, error } = await supabase.auth.signUp({
  email,
  password,
});
```
g
A 400 error and error message is the current behavior. Your call should be {email:emailvar,password:passwordvar} though, but I assume that is what you are doing if you don't get any error. In that case you need to check that your email and password have correct values. You also need to use user instead of data. What comes back in user?
n
lanbau (2022-05-22)
l
ah I get what you mean now.. I do get 200 and the user object.. but it's strange I don't get the 400 error
g
Not that any recent changes have made it work correctly, but are you on latest supabase.js?
l
```json
"@supabase/supabase-js": "^1.35.3",
```
g
Is the user in the auth.users table? How are you doing confirmation of email?
l
yes the user is in
I believe it's the default settings
g
Do you get new confirmation email each time? Are you sure you are not calling signIn?
l
no, I have a dedicated sign-up page.. I only get the confirmation email once after deleting the user and signing up again
g
Is the user confirmed when the signUp is called again?
l
yes
g
wow
l
it's driving me nuts 😆
I mean I can still use the user object to show an error
g
Can you confirm in the post data (I think) that the email and password are there on the call?
l
yes
because I use autocomplete.. it's definitely there.. I have checked as well..
g
I'm running the same version and have the same default settings and get the 400 above...
l
I do have some users that used the magic link prior.. could that be an issue?
g
If it operates differently between the two types that would be a clue.
l
yeah I just wiped out those users.. still getting 200 😆
g
A bad password also returns 400 with user exists.
l
bad password is 400 for me
g
So if you use same email and make it a bad password you get 400?
l
yes
g
ug... Maybe some sort of caching?
l
signing up with a bad password results in 200 as well
yeah I'll try on a clean browser
g
Wait, so bad password is 400 or 200, you just said both.
l
login with a bad password is 400, sign up with a bad password is 200
g
Ah, I get 400 even with signUp if email matches, no matter password
Any upper case characters in the email? (That is supposed to be dealt with)
l
nope
I'll record a quick video to illustrate what I mean
g
looks good... except for the 200 response...
l
Related to auth.. do you also have a password reset flow on your end? When I click on the reset password email link, the token is available but removed when it redirects to my app..
g
Looks like it will not error if user is not confirmed...
```go
if (params.Provider == "email" && user.IsConfirmed()) || (params.Provider == "phone" && user.IsPhoneConfirmed()) {
    return UserExistsError
}
```
Can you check auth.users table for email_confirmed_at column?
I've not implemented password reset in my app yet. I'm at a loss on this 200 thing.
I did run a password reset and get this call to my pure javascript code test site:
```text
http://sommapp.us/#access_token=eyJhbGciO.....WvIcL_A&expires_in=120&refresh_token=Piu...vZZQ&token_type=bearer&type=recovery
```
https://github.com/supabase/supabase/issues/3815 Seems like the intent is, when autoconfirm is off, to return 200 and a fake user. When it is on (like I have and you seem to show) a 400 error should happen. So a 200 with a fake user uuid is intended at least in some cases for security. Strangely though, when I play with the autoconfirm setting, I get 400 with it set either way when creating a new user.
l
actually it's a security issue if I'm able to get user details back..
g
Are you getting real user details? Also are the signups being logged as duplicate in the log at bottom of auth settings?
l
yes I can get my user object with user_metadata
if I set any sensitive information.. anyone can get that using this loophole
yes
user_repeated_signup
g
Thing is you should be getting 400 error with confirmation on. But your data there is the possibly fake data, the uuid does not match and that looks like the data they fill in.
l
ah you are right
let me add some metadata
yes you are right..
it's fake data
g
email gets filled in if you create a new user with auto confirm turned on
And you do have email confirmations toggled on for sure?
l
default settings
is there anywhere else I should be looking
g
So something strange going on (as they are reporting in that last issue). I should only get 400 when set like you have (and I do), but I also get 400 with it off and not the 200 with fake user. It is like something else is deciding it.
l
or I should switch it off
let me try that
wow
when it's off I get the 400
after switching it back on.. still getting the fake user
😂
g
OK I reread and I think yours is operating the way they want.... "note: this is only the case for supabase instances where AUTOCONFIRM is disabled (as per the default)" by autoconfirm disabled that means enable email confirmations ON... sigh... autoconfirm is the real name of the setting in gotrue. MAILER_AUTOCONFIRM - bool If you do not require email confirmation, you may set this to true. Defaults to false.
I have no idea now why I always get 400...
l
oh wow 😆 the wording is confusing -> autoconfirm disabled, email confirmation on... but thanks a lot!
i
@lanbau @garyaustin I have similar confusion. I have a local setup of supabase and it behaves similarly to what @lanbau was experiencing:
- 200 with a faux user id for an existing user with the same email, irrespective of the password, when email_autoconfirm is false
- 400 when email_autoconfirm is true
This is indeed not very ideal, as now I need to query the db to figure out if a signup call is for an existing user, assuming that email_autoconfirm is true. As commented here https://github.com/supabase/supabase-js/issues/296#issuecomment-976200828, the proposed solution is to respond with 200 and a faux user but also send a recovery email with a magic link to sign in the user. However, this does not seem to be implemented yet as per https://github.com/supabase/gotrue/issues/286. Just curious how you guys are handling the situation?