supabase / auth

A JWT-based API for managing users and issuing JWT tokens

Home Page: https://supabase.com/docs/guides/auth

Unable to delete user if `encrypted_password` is set to `null`

thedalelakes opened this issue · comments

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

A user can be created with encrypted_password set to null. However, if you attempt to delete that user, it results in a 500 error.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

INSERT INTO auth.users (
        instance_id,
        id,
        aud,
        role,
        email,
        encrypted_password,
        email_confirmed_at,
        invited_at,
        confirmation_token,
        confirmation_sent_at,
        recovery_token,
        recovery_sent_at,
        email_change_token_new,
        email_change,
        email_change_sent_at,
        last_sign_in_at,
        raw_app_meta_data,
        raw_user_meta_data,
        is_super_admin,
        created_at,
        updated_at,
        phone,
        phone_confirmed_at,
        phone_change,
        phone_change_token,
        phone_change_sent_at,
        email_change_token_current,
        email_change_confirm_status
    ) VALUES (
        '00000000-0000-0000-0000-000000000000', /* instance_id uuid */
        gen_random_uuid(), /* id uuid (the column is a uuid, so a plain numeric string is rejected) */
        'authenticated', /* aud character varying(255),*/
        'authenticated', /* role character varying(255),*/
        null, /* email character varying(255),*/
        /*
         *
         * THE FOLLOWING LINE IS THE ISSUE
         *
        */
        null, /* encrypted_password character varying(255),*/
        null, /* email_confirmed_at timestamp with time zone,*/
        '2023-11-02T07:17:58.000Z', /* invited_at timestamp with time zone, */
        '', /* confirmation_token character varying(255), */
        null, /* confirmation_sent_at timestamp with time zone, */
        '', /* recovery_token character varying(255), */
        null, /* recovery_sent_at timestamp with time zone, */
        '', /* email_change_token_new character varying(255), */
        '', /* email_change character varying(255), */
        null, /* email_change_sent_at timestamp with time zone, */
        null, /* last_sign_in_at timestamp with time zone, */
        '{"provider": "phone","providers":["phone"]}', /* raw_app_meta_data jsonb,*/
        '{"fbuser":{"uid":"0019726b-bc97-586b-bb29-5624cb1529ec","emailVerified":false,"phoneNumber":"+15555550000","disabled":false,"metadata":{"lastSignInTime":"Thu, 02 Nov 2023 07:18:00 GMT","creationTime":"Thu, 02 Nov 2023 07:17:58 GMT"},"tokensValidAfterTime":"Thu, 02 Nov 2023 07:17:58 GMT","providerData":[{"uid":"+15555550000","providerId":"phone","phoneNumber":"+15555550000"}]}}', /* raw_user_meta_data jsonb,*/
        false, /* is_super_admin boolean, */
        NOW(), /* created_at timestamp with time zone, */
        NOW(), /* updated_at timestamp with time zone, */
        '+15555550000', /* phone character varying(15) DEFAULT NULL::character varying, */
        NOW(), /* phone_confirmed_at timestamp with time zone, */
        '', /* phone_change character varying(15) DEFAULT ''::character varying, */
        '', /* phone_change_token character varying(255) DEFAULT ''::character varying, */
        null, /* phone_change_sent_at timestamp with time zone, */
        '', /* email_change_token_current character varying(255) DEFAULT ''::character varying, */
        0 /* email_change_confirm_status smallint DEFAULT 0 */
    ) ON CONFLICT DO NOTHING;

Expected behavior

User can be deleted, either via the Dashboard or programmatically.

Screenshots

[Screenshot 2024-04-17 at 7 10 16 PM]

System information

N/A

Additional context

N/A

listUsers via Supabase JS Admin API also fails w/ the same 500 error if the user w/ a NULL encrypted_password is in the page.

Are you creating the user by writing data directly in the database?

I've been working on migrating from firebase auth to supabase auth so I've had to insert/modify rows directly in auth.users. @hf there are some columns which are nullable currently but will cause crashes with null values. Those columns should probably be not null.

I think the affected columns are:

  • encrypted_password
  • confirmation_token
  • recovery_token
  • email_change_token_new
  • email_change
  • phone_change
  • phone_change_token
  • email_change_token_current
  • email_change_confirm_status
  • reauthentication_token

I'm not sure if that covers all of the columns that need to be not null, but at least those are the ones I discovered that seem to crash auth if they're null.

I may have found another clue to this bug. During testing I authenticated a user using an external provider which supabase/auth had not seen before so a new user record was created with a NULL encrypted_password. I then tested authenticating the same user with a different external provider and the callback URL came back like this:

http://localhost:3000/callback?error=server_error&error_description=unable+to+fetch+records%3A+sql%3A+Scan+error+on+column+index+14%2C+name+%22encrypted_password%22%3A+converting+NULL+to+string+is+unsupported#error=server_error&error_description=unable+to+fetch+records%253A+sql%253A+Scan+error+on+column+index+14%252C+name+%2522encrypted_password%2522%253A+converting+NULL+to+string+is+unsupported

It appears there is logic in the supabase/auth application based on GoTrue that does not handle null passwords properly during user retrieval - in this case it failed to convert a null value to string.
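The Scan error in the callback URL above is the message Go's database/sql package produces when a NULL column is scanned into a plain Go string. The following Go program is an added illustration, not code from supabase/auth or GoTrue: it registers a tiny constructed in-memory driver (named fakeauth here, an assumption) that serves one cut-down auth.users-like row whose email and encrypted_password are NULL, reproduces the failure with a naive scan into string, and shows the sql.NullString handling that reads the same row without crashing and reports "no password set" instead. The column set, the row values and the function names are all constructed for the example.

```go
package main

import (
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
)

// Constructed in-memory driver: it serves exactly one row shaped like a
// cut-down auth.users record in which email and encrypted_password are NULL,
// the situation the migration INSERT in this issue produces.
type fakeDriver struct{}
type fakeConn struct{}
type fakeStmt struct{}
type fakeRows struct{ served bool }

func (fakeDriver) Open(string) (driver.Conn, error)  { return fakeConn{}, nil }
func (fakeConn) Prepare(string) (driver.Stmt, error) { return fakeStmt{}, nil }
func (fakeConn) Close() error                        { return nil }
func (fakeConn) Begin() (driver.Tx, error) {
	return nil, errors.New("fakeauth: transactions not supported")
}
func (fakeStmt) Close() error  { return nil }
func (fakeStmt) NumInput() int { return 0 }
func (fakeStmt) Exec([]driver.Value) (driver.Result, error) {
	return nil, errors.New("fakeauth: exec not supported")
}
func (fakeStmt) Query([]driver.Value) (driver.Rows, error) { return &fakeRows{}, nil }

func (r *fakeRows) Columns() []string { return []string{"id", "email", "encrypted_password"} }
func (r *fakeRows) Close() error      { return nil }
func (r *fakeRows) Next(dest []driver.Value) error {
	if r.served {
		return io.EOF
	}
	r.served = true
	dest[0] = "00000000-0000-0000-0000-000000000001" // constructed id
	dest[1] = nil                                    // email IS NULL
	dest[2] = nil                                    // encrypted_password IS NULL
	return nil
}

func init() { sql.Register("fakeauth", fakeDriver{}) }

// scanNaively scans every column into a plain string. database/sql has no way
// to represent NULL in a string, so Scan fails with
// `sql: Scan error on column index N, name "...": converting NULL to string is unsupported`
// at the first NULL column, which is the error seen in the callback URL.
func scanNaively(db *sql.DB) (string, error) {
	var id, email, password string
	err := db.QueryRow("SELECT id, email, encrypted_password FROM users").Scan(&id, &email, &password)
	if err != nil {
		return "", err
	}
	return password, nil
}

// UserRecord is the NULL-tolerant view of the row: nullable columns are read
// through sql.NullString, and a NULL or empty encrypted_password is reported
// as "no password set" rather than turning the request into a 500.
type UserRecord struct {
	ID          string
	Email       string // "" when the column is NULL
	HasPassword bool   // false when encrypted_password is NULL or empty
}

func scanSafely(db *sql.DB) (UserRecord, error) {
	var rec UserRecord
	var email, password sql.NullString
	err := db.QueryRow("SELECT id, email, encrypted_password FROM users").Scan(&rec.ID, &email, &password)
	if err != nil {
		return UserRecord{}, err
	}
	rec.Email = email.String // String is "" when Valid is false
	rec.HasPassword = password.Valid && password.String != ""
	return rec, nil
}

func main() {
	db, err := sql.Open("fakeauth", "")
	if err != nil {
		panic(err)
	}
	defer db.Close()

	_, err = scanNaively(db)
	fmt.Println("naive scan:", err)

	rec, err := scanSafely(db)
	fmt.Printf("safe scan: %+v err=%v\n", rec, err)
}
```

The naive path fails on the first NULL it meets (here the email column, index 1; in the reporter's callback it was encrypted_password at index 14). The safe path is the defensive pattern for any column that the schema allows to be NULL: scan into a nullable type and decide explicitly what a missing value means, so that a row inserted by a migration cannot take down user retrieval, deletion or listing.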

I had the same issue. I'm currently migrating my data from the Supabase cloud to self-host. After importing the pg_dump file and setting up the auth correctly, I got this issue back from the callback:

sql:+Scan+error+on+column+index+14,+name+"encrypted_password":+converting+NULL+to+string+is+unsupported#error=server_error

Hey everyone, we made a fix for this recently and I'm not able to reproduce the error anymore - if you're still facing the issue, can you please visit https://supabase.com/dashboard/project/_/settings/infrastructure and check that the auth version is at least 2.158.1?

If you're still facing issues, you should inspect the errors in your auth logs and Postgres logs, which can be found in the logs explorer.

And if the issue still persists, please open a ticket with us at https://supabase.help - the team will be more than happy to help investigate the root cause :)