supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

Users not getting merge when signing in first with Google and then with Apple #1109

Closed ferrannp closed 1 year ago

ferrannp commented 1 year ago

Bug report

Describe the bug

  1. Sign in with Google first and then with Apple: It fails to merge users
  2. Sign in with Apple first and then with Google: Everything is ok

To Reproduce

I use native sign in with Apple:

// 'token' is the identity token obtained from the native Sign in with Apple flow
const result = await supabase.auth.signInWithIdToken({
  provider: 'apple',
  token: '<THE_ONE_I_GOT_NATIVELY>',
});

That works ok. For Google I use supabase.auth.signInWithOAuth. It also works ok.

Both using same email. If I sign in first with Apple and then with Google, everything is ok (users are merged because same email).

But If I sign in using Google first (user gets created) and then I try to sign in with Apple (same email), I get the following error:

duplicate key value violates unique constraint "users_email_partial_key"

Expected behavior

I think sign in method should not matter, if email is the same, users should get merged.


kangmingtay commented 1 year ago

hey @ferrannp, can you email us at our support channel and we'll investigate the issue with your project

ferrannp commented 1 year ago

Hello @kangmingtay, I already opened a ticket with the support channel. @hf came back with a response that this issue is a known problem and it has been reported a few times. To be honest this seems pretty critical to me. Basically:

  1. If you sign in with Apple first, no problem to then sign in with Google or Apple again (on Android or iPhone)
  2. If you sign in with Google, then I cannot sign in with Apple (forever stuck to Google). This is really bad for users that might change their devices

kangmingtay commented 1 year ago

hey @ferrannp, i've replied to your support ticket with a detailed explanation but for transparency, i'll also include my response here so the community can reference it:

This happens because only OAuth logins are automatically linked to existing accounts. The behaviour is similar for other auth flows as well. For example, if you use signInWithOAuth for google and then try to signUp with email and password or magiclink, it will return an error that a user is already registered. Perhaps we can make the error here more explicit instead of returning an error like "Database error saving user". We won't be allowing automatic linking for the flow you mentioned:

  1. signInWithOAuth for google
  2. signInWithIdToken for apple

If you signInWithIdToken first and signInWithOAuth, the 2 accounts will be automatically linked if they have the same email because signInWithOAuth uses the automatic linking logic here. The automatic linking logic was already implemented for some time and it makes it hard to remove it (for backward compatibility reasons). This is also a huge blocker for another issue which is to remove the requirement for emails on OAuth logins.

We also do not have docs around signInWithIdToken because it's experimental at this point and we will most likely change the API around it. I understand that this is a pretty common use case where you'd want a user to have access to both the web and mobile app but automatically linking accounts here is not the solution we are planning for. We plan to expose an API which allows developers the freedom to link accounts easily rather than deciding to automatically link them on the user's behalf.
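
The asymmetry described above (an OAuth login links to an existing user with the same email, an id-token login does not and so collides with the unique email index) as an added, constructed model; this is not supabase or gotrue code, and the store, `signInWithOAuth`/`signInWithIdToken` helpers and `runSequence` are assumptions made for illustration. Only the error string and the two provider orderings come from the issue.

```javascript
// Constructed in-memory model of the linking behaviour described in the issue.
// Not the gotrue implementation; helper names and data shapes are assumptions.

class DuplicateKeyError extends Error {
  constructor() {
    // error text as reported in the issue
    super('duplicate key value violates unique constraint "users_email_partial_key"');
    this.name = "DuplicateKeyError";
  }
}

function createStore() {
  return { users: [], identities: [] };
}

// Emulates the partial unique index on users.email: a second user row with
// the same email is rejected, as the database would reject it.
function insertUser(store, email) {
  if (store.users.some((u) => u.email === email)) throw new DuplicateKeyError();
  const user = { id: `user-${store.users.length + 1}`, email };
  store.users.push(user);
  return user;
}

function findIdentity(store, provider, email) {
  return store.identities.find((i) => i.provider === provider && i.email === email);
}

function addIdentity(store, user, provider, email) {
  store.identities.push({ userId: user.id, provider, email });
}

// OAuth flow as described: reuse an existing identity, otherwise link the new
// identity to any user that already has this email, otherwise create a user.
function signInWithOAuth(store, provider, email) {
  const identity = findIdentity(store, provider, email);
  if (identity) return store.users.find((u) => u.id === identity.userId);
  const existing = store.users.find((u) => u.email === email);
  const user = existing ?? insertUser(store, email);
  addIdentity(store, user, provider, email);
  return user;
}

// Id-token flow as described: no linking step, so an unseen provider always
// attempts a fresh user row and trips the unique index if the email exists.
function signInWithIdToken(store, provider, email) {
  const identity = findIdentity(store, provider, email);
  if (identity) return store.users.find((u) => u.id === identity.userId);
  const user = insertUser(store, email); // throws when the email is taken
  addIdentity(store, user, provider, email);
  return user;
}

// Runs one sign-in sequence from an empty store and reports whether every
// step resolved to the same user or the sequence ended in the database error.
function runSequence(steps, email) {
  const store = createStore();
  try {
    const ids = steps.map(([method, provider]) =>
      (method === "oauth" ? signInWithOAuth : signInWithIdToken)(store, provider, email).id
    );
    return { ok: true, sameUser: new Set(ids).size === 1, users: store.users.length };
  } catch (e) {
    if (e instanceof DuplicateKeyError) return { ok: false, error: e.message };
    throw e;
  }
}

const EMAIL = "person@example.com"; // constructed sample address
const appleThenGoogle = runSequence([["idToken", "apple"], ["oauth", "google"]], EMAIL);
const googleThenApple = runSequence([["oauth", "google"], ["idToken", "apple"]], EMAIL);
console.log({ appleThenGoogle, googleThenApple });
```

Running it shows the first ordering ending with one user holding both identities and the second ordering ending with the duplicate-key error, which is the behaviour to expect from a client until explicit account linking is available: on that error the client cannot merge the accounts itself and should direct the user back to the provider they originally signed in with.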

ferrannp commented 1 year ago

Hello again 👋 . Posting my answer here for the community too:

Thanks for your explanation. Actually my use case is between iOS users and Android users.

Apple forces native sign in so my idea was to offer Apple and Google on iPhone and Google on Android. As far as I understand, the only way to comply with Apple is using signInWithIdToken, correct?

What recommendation would you give to me then? Should I ditch Google authentication and only go with Apple + username and password?

bigp34ch commented 1 year ago

this is happening when users are created via inviteByEmail, then try to oauth into google

kangmingtay commented 1 year ago

hey @bigp34ch, can you please email us at support so we can look into the issue for your project?

ferrannp commented 1 year ago

@kangmingtay are there any plans that no matter how the user signs in, if they have the same email, we can choose the accounts to be merged? Like some setting in the Supabase dashboard?

bigp34ch commented 1 year ago

> hey @bigp34ch, can you please email us at support so we can look into the issue for your project?

hey, @kangmingtay. we did.

ksaitor commented 1 year ago

Same problem here. User created with email+password, and can't log in with gmail. After reaching out to support we only received this:

Hey there,

Thank you for reaching out to Supabase Support.

We appreciate your inquiry. While we would love to be able to assist with all aspects of your project, our support is primarily focused on addressing instance-related issues, such as server connectivity/bugs or configuration problems.

If you need help with your code or a function you have written, we recommend contacting community support on GitHub Discussions or on Discord. The community is made up of experienced developers who may be able to provide guidance and support with code-related issues.

To get the most helpful response from the community, providing clear and detailed information about your problem and any error messages you may be encountering is important. Be sure to also include any relevant code snippets in your message.

If you have further questions, please don't hesitate to contact us again.

Thanks,
Kevin Brolly
Supabase Support Engineer

hf commented 1 year ago

Hey @ksaitor, sorry about that.

In general though we're now trying to address this in https://github.com/supabase/gotrue/pull/1108.

I'll transfer this issue to the backend repo.

hf commented 1 year ago

Duplicate of #313.