supabase / auth-js

An isomorphic Javascript library for Supabase Auth.
MIT License
319 stars 152 forks

Supabase password requirement breaks signUp through `signInWithOtp` function #835

Closed Unkn0wn0x closed 4 months ago

Unkn0wn0x commented 5 months ago

Bug report

Describe the bug

My supabase authentication settings regarding the password requirements were set to "Lowercase, uppercase letters, digits and symbols (recommended)". The minimum password length is set to "8".

I have a simple login form to signIn or signUp a user based on his email address. That flow worked fine as long as I had the password requirements set to "No required characters (default)". As soon as I changed this setting, it breaks the flow to create a new user account with the following error. It's really frustrating, as no potential user was able to sign up for my app and I just noticed it by coincidence.

POST URL: https://mycustomdomain.com/auth/v1/otp?redirect_to=https%3A%2F%mycustomdomain.com

Payload:

{
    "email": "email-does-not-exists@example.com",
    "data": {},
    "create_user": true,
    "gotrue_meta_security": {},
    "code_challenge": null,
    "code_challenge_method": null
}

Response:

{
    "code": 422,
    "msg": "Password should contain at least one character of each: abcdefghijklmnopqrstuvwxyz, ABCDEFGHIJKLMNOPQRSTUVWXYZ, 0123456789, !@#$%^\u0026*()_+-=[]{};\\'\\:\"|\u003c\u003e?,./`~.",
    "weak_password": {
        "reasons": [
            "characters"
        ]
    }
}

According to the docs it says:

If the user doesn't exist, signInWithOtp() will signup the user instead. To restrict this behaviour, you can set shouldCreateUser in SignInWithPasswordlessCredentials.options to false.

I explicitly set the shouldCreateUser value to true in the case that a new user should be created.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Go to https://supabase.com/dashboard/project/[PROJECT_REF]/settings/auth
  2. Enable the Password Requirements "Lowercase, uppercase letters, digits and symbols (recommended)"
  3. Try to signUp a non-existent email address / user through signInWithOtp according to the docs.
  4. See the error logged in the console.

Expected behavior

If the password requirements are set in the supabase authentication configuration, the signInWithOtp should not check for a password / password requirement if the user account does not exist.

Additional information
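The following is an added example, not code from auth-js and not posted by the reporter. It rebuilds the OTP sign-up request body quoted in the report (the `shouldCreateUser` option maps onto the `create_user` field of the wire payload) and classifies the server's reply, so that a 422 `weak_password` rejection of a passwordless sign-up is surfaced and logged instead of failing silently, which is how the reporter says they missed it. The `fetch` stand-in, the base URL, the abbreviated `msg` text and the helper names are constructed for this example; they are not part of the library.

```javascript
// Added example (not auth-js code): reproduce the /auth/v1/otp sign-up request
// described in the issue against an injectable fetch, and classify the response
// so a silent sign-up failure is surfaced to monitoring rather than swallowed.

// Builds the JSON body auth-js sends to /auth/v1/otp, using the fields quoted in
// the issue. `shouldCreateUser` maps onto the `create_user` wire field.
function buildOtpPayload(email, { shouldCreateUser = true, data = {} } = {}) {
  return {
    email,
    data,
    create_user: shouldCreateUser,
    gotrue_meta_security: {},
    code_challenge: null,
    code_challenge_method: null,
  };
}

// Classify an /otp response body. Returns one of:
//   { ok: true }
//   { ok: false, kind: 'weak_password', reasons: [...], msg }
//   { ok: false, kind: 'other', status, msg }
function classifyOtpResponse(status, body) {
  if (status >= 200 && status < 300) return { ok: true };
  if (status === 422 && body && body.weak_password) {
    return {
      ok: false,
      kind: 'weak_password',
      reasons: body.weak_password.reasons || [],
      msg: body.msg,
    };
  }
  return { ok: false, kind: 'other', status, msg: body && body.msg };
}

// Send the OTP request. `fetchImpl` is injectable so the flow runs offline in tests.
async function signUpWithOtp(baseUrl, email, options, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${baseUrl}/auth/v1/otp`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(buildOtpPayload(email, options)),
  });
  let body = null;
  try { body = await res.json(); } catch (_) { /* non-JSON body: treat as unknown error */ }
  return classifyOtpResponse(res.status, body);
}

// Constructed stand-in for the auth server: replays the 422 response quoted in
// the issue (msg abbreviated) whenever a user-creating OTP request arrives.
const constructedWeakPasswordResponse = {
  code: 422,
  msg: 'Password should contain at least one character of each: (abbreviated)',
  weak_password: { reasons: ['characters'] },
};

async function fakeFetch(url, init) {
  const payload = JSON.parse(init.body);
  if (url.endsWith('/auth/v1/otp') && payload.create_user === true) {
    return { status: 422, json: async () => constructedWeakPasswordResponse };
  }
  return { status: 200, json: async () => ({}) };
}

// Drive the flow and log the policy rejection in a form an operator can alert on.
async function demo() {
  const result = await signUpWithOtp(
    'https://mycustomdomain.com',            // constructed base URL
    'email-does-not-exists@example.com',      // address from the issue
    { shouldCreateUser: true },
    fakeFetch,
  );
  if (!result.ok && result.kind === 'weak_password') {
    console.error('OTP sign-up rejected by password policy:', result.reasons, result.msg);
  }
  return result;
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Logging the `weak_password.reasons` array (here `["characters"]`) separately from the generic message is what makes this failure visible: a passwordless sign-up should never be subject to a character-class check, so any `weak_password` rejection on the `/otp` endpoint is a signal worth alerting on rather than a user error.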

kangmingtay commented 4 months ago

Hi @Unkn0wn0x, this issue has been fixed here and should be rolled out to your project already. If you are still facing the issue, please open a ticket at https://supabase.help