CriticalMoments / CMSaasStarter

A modern SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Includes marketing page, blog, subscriptions, auth, user dashboard, user settings, pricing page, and more.
https://saasstarter.work
MIT License

Deleting account without password [oauth only setups] #137

Open LouisDeconinck opened 1 month ago

LouisDeconinck commented 1 month ago

When only using social OAuth the user does not have a password. When trying to delete an account you have to give a password as confirmation. Keep the confirmation but remove the need for a password.

Additionally, to remove email auth, you can set within the Auth component from @supabase/auth-ui-svelte: onlyThirdPartyProviders={true}. This will remove the email and password fields, which will otherwise show up, even when disabling email auth within Supabase.

scosman commented 1 month ago

Good find. Want to make a PR?

We need some way of making sure you can’t delete an account with UI access for 5 seconds.

See how we handle password reset. We require the "amr" to be "recovery" to verify they own the email. Can probably do the same here? Not sure if it works with OAuth, but I think it should.
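An added example, not code from CMSaasStarter, of the amr-based check described above applied to account deletion: it reads the claims of an access token and allows deletion only when an accepted "amr" entry is recent, which also covers OAuth-only accounts. The five-minute window, the accepted method list, the names decodeJwtPayload/canDeleteAccount/sampleToken and the assumption that Supabase has already verified the token signature are all assumptions of this example.

```javascript
// Added example (not part of CMSaasStarter). Gates account deletion on the
// JWT "amr" (Authentication Methods References) claim, generalising the
// "amr must be recovery" idea to any recent sign-in, including OAuth.
// Assumes the access token signature was verified upstream by Supabase
// (e.g. supabase.auth.getUser) before its claims reach this code.

// Methods that prove the caller just authenticated as this user (assumption).
const ACCEPTED_METHODS = new Set(['password', 'oauth', 'recovery', 'otp']);
// The authentication event must be at most this old, in seconds (assumption).
const MAX_AGE_SECONDS = 5 * 60;

// Decode a JWT payload without verifying it; returns null on malformed input.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return claims && typeof claims === 'object' ? claims : null;
  } catch {
    return null;
  }
}

// Returns { ok, reason }. ok is true only when some amr entry uses an accepted
// method and its timestamp lies within MAX_AGE_SECONDS before nowSeconds;
// future-dated or missing timestamps are rejected.
function canDeleteAccount(claims, nowSeconds) {
  if (!claims || !Array.isArray(claims.amr)) {
    return { ok: false, reason: 'no amr claim' };
  }
  const recent = claims.amr.find(
    (e) => e && ACCEPTED_METHODS.has(e.method) && Number.isFinite(e.timestamp) &&
      nowSeconds - e.timestamp >= 0 && nowSeconds - e.timestamp <= MAX_AGE_SECONDS
  );
  return recent
    ? { ok: true, reason: `recent ${recent.method} authentication` }
    : { ok: false, reason: 'no recent authentication event; re-authenticate first' };
}

// Constructed sample token for a user who signed in via OAuth 60 s ago.
// The header and signature are stand-ins; a real token is signed by Supabase.
function sampleToken(nowSeconds) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = enc({ alg: 'HS256', typ: 'JWT' });
  const payload = enc({
    sub: '00000000-0000-0000-0000-000000000000',
    amr: [{ method: 'oauth', timestamp: nowSeconds - 60 }],
  });
  return `${header}.${payload}.signature-placeholder`;
}
```

In a SvelteKit form action the claims would come from the session obtained through the server-side Supabase client, and a failed check should send the user back through sign-in before the deletion form is accepted.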

scosman commented 1 month ago

Edit: you can always set a password, even for oauth accounts. So not impossible. But not smooth either.

LouisDeconinck commented 1 month ago

What does AMR stand for, and why must we prevent an account from being deleted that fast? Wouldn't simply having a confirmation button be sufficient?