updateUser vs admin.updateUserById behavior with Anonymous Users
r-southworth opened this issue · comments
Bug report
- [ X ] I confirm this is a bug with Supabase, not with my own application.
- [ X ] I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
There is no way to convert an anonymous user to a permanent user without sending a confirmation email. updateUser and admin.updateUserById have inconsistent behavior.
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
- Run command server side using an anonymous user_id:
const { data, error } = await supabase.auth.admin.updateUserById(user_id, {
  email: response.email,
  email_confirm: true,
})
- Resulting user:
{
  "instance_id": "00000000-0000-0000-0000-000000000000",
  "id": "5b0c50f8-bd4d-4815-a21e-b67486593073",
  "aud": "authenticated",
  "role": "authenticated",
  "email": "test55@test.com",
  "encrypted_password": "",
  "email_confirmed_at": "2024-05-07 15:52:39.207944+00",
  "invited_at": null,
  "confirmation_token": "",
  "confirmation_sent_at": null,
  "recovery_token": "",
  "recovery_sent_at": null,
  "email_change_token_new": "",
  "email_change": "",
  "email_change_sent_at": null,
  "last_sign_in_at": "2024-05-07 15:26:46.873409+00",
  "raw_app_meta_data": {},
  "raw_user_meta_data": {},
  "is_super_admin": null,
  "created_at": "2024-05-07 15:26:46.865084+00",
  "updated_at": "2024-05-07 15:52:39.212126+00",
  "phone": null,
  "phone_confirmed_at": null,
  "phone_change": "",
  "phone_change_token": "",
  "phone_change_sent_at": null,
  "confirmed_at": "2024-05-07 15:52:39.207944+00",
  "email_change_token_current": "",
  "email_change_confirm_status": 0,
  "banned_until": null,
  "reauthentication_token": "",
  "reauthentication_sent_at": null,
  "is_sso_user": false,
  "deleted_at": null,
  "is_anonymous": true
}
Expected behavior
I would expect
const { data, error } = await supabase.auth.admin.updateUserById(user_id, {
  email: response.email,
  email_confirm: true,
})
called from the server to convert a user from anonymous to email with no need for a confirmation email.
Currently that call adds the email address AND confirms the user but leaves them as provider = anonymous, which makes it impossible to set a password for the user.
Screenshots
If applicable, add screenshots to help explain your problem.
System information
- OS: MacOS
- Browser (if applies): Chrome, but N/A I think in this case
- Version of supabase-js: 2.42.0
- Version of Supabase CLI: 1.165.0
- Version of Node.js: 20.11.1
Additional context
The only documented way to change the user from anonymous that I am aware of is listed here: https://supabase.com/docs/guides/auth/auth-anonymous
It seems to require email confirmations.
Regardless of the local setting for auth.email.enable_confirmations, using supabase.auth.updateUser sends the standard email confirmation to the user.
If I have anonymous users I might want to store their information for future reference (ecommerce guest checkout with downloadable products) but since they did not choose to make an account I shouldn't be emailing them about an account AND there is no way to send them a different email than the standard confirmation email. The typical way around sending a confirmation email without turning off email confirmation is to do server side supabase.auth.admin.updateUserById; however, in this case it doesn't convert the user provider from Anonymous and there doesn't seem to be any documentation on how to change that in any other way.
More details can be found here: https://discord.com/channels/839993398554656828/1237139614486233119
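A server-side check for the state described in this report, where a row has a confirmed email but is_anonymous is still true. This is an added example, not code from the issue or from Supabase; the column names are taken from the row above, and classifyConversion, findUnfinished, the state labels and the sample rows are hypothetical.

```javascript
// Added example: classify auth.users rows by how far an anonymous-to-permanent
// conversion got. Column names are the ones in the row shown in the report;
// the function names and state labels are hypothetical.
function classifyConversion(row) {
  const hasEmail = typeof row.email === "string" && row.email !== "";
  const confirmed = row.email_confirmed_at != null;
  if (!row.is_anonymous) return "permanent";
  if (!hasEmail) return "anonymous";
  // Email is attached but the row is still flagged anonymous.
  return confirmed ? "half-converted" : "pending-confirmation";
}

// Return the rows a conversion job should flag: email attached, still anonymous.
function findUnfinished(rows) {
  return rows
    .map((row) => ({
      id: row.id,
      state: classifyConversion(row),
      hasPassword: Boolean(row.encrypted_password),
    }))
    .filter((r) => r.state === "half-converted" || r.state === "pending-confirmation");
}

// Constructed sample rows. The first copies the relevant columns of the row in
// the report; the other ids and values are placeholders.
const sampleRows = [
  { id: "5b0c50f8-bd4d-4815-a21e-b67486593073", email: "test55@test.com",
    email_confirmed_at: "2024-05-07 15:52:39.207944+00",
    encrypted_password: "", is_anonymous: true },
  { id: "placeholder-anon", email: null, email_confirmed_at: null,
    encrypted_password: "", is_anonymous: true },
  { id: "placeholder-pending", email: "pending@example.com", email_confirmed_at: null,
    encrypted_password: "", is_anonymous: true },
  { id: "placeholder-permanent", email: "member@example.com",
    email_confirmed_at: "2024-05-01 10:00:00+00",
    encrypted_password: "<bcrypt hash placeholder>", is_anonymous: false },
];

console.log(findUnfinished(sampleRows));
```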
Also running into this trying to transition from Firebase auth to Supabase auth. We always create anonymous accounts for new users then later let them link with social auth or enter an email and password without email verification. Currently with supabase auth it seems like it's impossible to set a password for an anonymous account without email verification.
IMO this is a bug. If email verification is disabled in the project it should not be required to verify email to link email/password credentials to an anonymous account. This may be a blocker to us releasing our transition to Supabase auth.
@hf @kangmingtay any thoughts on this? The current behavior makes it impossible to link an email/password to an anonymous account without email verification. That came as a big surprise given that there's a setting to disable email verification.