supabase / auth-js

An isomorphic Javascript library for Supabase Auth.
MIT License

auth.signUp accepts empty email and password when anonymous sign in is enabled #943

Closed 0reo closed 3 months ago

0reo commented 3 months ago

Bug report

Describe the bug

When anonymous sign ins are enabled, auth.signInAnonymously works as expected, but auth.signUp also accepts an empty email and password, and does an anonymous sign in. If no email is provided, the password field is completely ignored. This happens on self-hosted; I can't comment on whether it happens elsewhere.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. enable anonymous login (set 'GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED' to true on auth server using self hosted)
  2. try to sign in with email/password being empty
    // hard code or just don't enter anything into your input form
    const email = ''
    const password = ''
    const options = {}
    const { data, error } = await supabase.auth.signUp({
      email, password, options
    })
  3. server will return an anonymous user
  4. sign out
  5. try again with an invalid password, and email still blank (for example, only enter 2 characters with minimum password length set to 6)
  6. server will still return an anonymous user
  7. disable anonymous logins
  8. try both test cases again, auth server will return appropriate error responses

Expected behavior

auth.signUp and auth.signInAnonymously should act independently of each other, otherwise auth.signInAnonymously is pretty well redundant. auth.signUp should always


Additional context

Posted this issue here first https://github.com/supabase/auth/issues/1735 but posted here as well because I noticed that GoTrueClient.ts checks if an email (or phone number) was "provided", but doesn't actually check that they aren't empty. I suspect adjustments should be made on both repos, but feel free to move/consolidate/delete as needed.

https://github.com/supabase/auth-js/blob/8222ee198a0ab10570e8b4c31ffb2aeafef86392/src/GoTrueClient.ts#L413-L456
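An application-side guard for the behaviour described above, added here as an example and not code from supabase/auth-js: it refuses to forward blank or whitespace-only credentials to auth.signUp, so an email/password form cannot fall through to an anonymous sign-in. The `minPasswordLength` parameter, the `guardedSignUp` wrapper and the `fakeClient` stand-in are assumptions of this example.

```javascript
// Added example, not part of supabase/auth-js. The point mirrors the report:
// `'email' in credentials` treats an empty string as "provided", so the guard
// requires a non-blank email or phone before the SDK is called at all.
// `minPasswordLength` is assumed to match the server's minimum (6 in the report).
function validateSignUpCredentials(creds, minPasswordLength = 6) {
  const email = typeof creds.email === 'string' ? creds.email.trim() : ''
  const phone = typeof creds.phone === 'string' ? creds.phone.trim() : ''
  const password = typeof creds.password === 'string' ? creds.password : ''

  // An empty string is not an identity: require email or phone to be non-blank.
  if (email === '' && phone === '') {
    return { ok: false, reason: 'email or phone is required' }
  }
  if (email !== '' && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: 'email is not well-formed' }
  }
  if (password.length < minPasswordLength) {
    return { ok: false, reason: `password must be at least ${minPasswordLength} characters` }
  }
  return { ok: true, reason: null }
}

// Wraps a Supabase client so invalid credentials never reach the server.
// Resolves to the same { data, error } shape that auth.signUp resolves to.
async function guardedSignUp(client, creds) {
  const check = validateSignUpCredentials(creds)
  if (!check.ok) {
    return { data: { user: null, session: null }, error: new Error(check.reason) }
  }
  return client.auth.signUp(creds)
}

// Constructed stand-in (not the real client) for a server with anonymous
// sign-ins enabled: it reproduces the reported behaviour (blank email ->
// anonymous user) so the guard can be exercised offline.
const fakeClient = {
  auth: {
    async signUp({ email }) {
      const isAnon = !email || email.trim() === ''
      return { data: { user: { is_anonymous: isAnon }, session: {} }, error: null }
    },
  },
}
```

Run `guardedSignUp(fakeClient, { email: '', password: '' })` to see the guard return an error where the unwrapped `fakeClient.auth.signUp` would hand back an anonymous user.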

J0 commented 3 months ago

Hey,

Thanks for taking the time to report the issue.

  1. server will return an anonymous user

Rest assured that this is expected. Auth server will disregard autoconfirm where necessary and still return an anonymous user.

  1. try again with an invalid password, and email still blank (for example, only enter 2 characters with minimum password length set to 6)

The request should go through but rest assured that it is not saved as a valid encrypted password.

Disallowing auth.signUp with an empty email is viable but unlikely something we can do at the moment as it would be a breaking change.

I'll file this as feedback. Going to close for now but let us know if there are any other issues in the meantime or anything I've missed or misunderstood and we can re-open.