supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

AuthException Not returning valid message and status code for banned_until As per documentation #1745

Open tiltmaster opened 2 weeks ago

tiltmaster commented 2 weeks ago

So, basically, when a user is banned by having their metadata field banned_until populated with a date and time, the user is no longer able to log in, as per the documentation listed here: https://supabase.com/docs/reference/dart/auth-error-codes

There is a clear section on the various errors that can be returned, one of which is called user_banned (you can scroll down to find it).


However, what is being returned currently when a banned user tries to log in is AuthException(message: Invalid login credentials, statusCode: 400, errorCode: null), which will make it difficult for the app to have a customized message based on error codes/messages.

To Reproduce

Steps to reproduce the behavior:

  1. Set the user's banned_until field to a date
  2. Try to log in
  3. Get greeted with the error "AuthException(message: Invalid login credentials, statusCode: 400, errorCode: null)" instead of the error mentioned in the documentation at: https://supabase.com/docs/reference/dart/explain

Expected behavior

To return valid error codes based on the documentation.

Sample code to catch the auth exception:

try {
  // Sign-in call assumed from the surrounding app code (not shown in the issue).
  await supabase.auth.signInWithPassword(email: email, password: password);
} on AuthException catch (e) {
  print(e); // this is printing status 400 instead of a different status code
  // WrongPasswordAuthException and the other thrown types are app-defined exception classes.
  if (e.statusCode == "400") {
    throw WrongPasswordAuthException();
  } else if (e.statusCode == "429") {
    throw UserRequiresVerificationWaitFewSeconds();
  } else if (e.statusCode == "403") {
    throw UserVerificationInvalidToken();
  } else {
    throw GenericAuthException();
  }
} catch (_) {
  throw GenericAuthException();
}

Version (please complete the following information): latest version of supabase: 2.3.0, supabase_flutter: 2.6.0

Would love to get some feedback on this.
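As an added example (not code from the issue, nor from the supabase libraries), one way to classify an AuthException on the client so that the documented error code decides the outcome and the HTTP status is only a fallback when no code is present, which is exactly the situation reported above. AuthFailure, classifyAuthError and signIn are hypothetical app-side names; the code and statusCode fields are those of gotrue-dart's AuthException, and invalid_credentials and over_request_rate_limit are further codes from the same auth-error-codes documentation that the issue links to.

```dart
import 'package:supabase_flutter/supabase_flutter.dart';

// App-side failure categories (hypothetical names, not part of supabase).
enum AuthFailure { banned, wrongPassword, rateLimited, invalidToken, unknown }

// Classify on the documented error code first: the HTTP status alone cannot
// tell a banned user from a wrong password, since both currently come back
// as 400. Only when the backend sends no code (the behaviour reported in
// this issue) fall back to the status-based mapping from the report.
AuthFailure classifyAuthError(AuthException e) {
  switch (e.code) {
    case 'user_banned':
      return AuthFailure.banned;
    case 'invalid_credentials':
      return AuthFailure.wrongPassword;
    case 'over_request_rate_limit':
      return AuthFailure.rateLimited;
  }
  switch (e.statusCode) {
    case '400':
      return AuthFailure.wrongPassword;
    case '429':
      return AuthFailure.rateLimited;
    case '403':
      return AuthFailure.invalidToken;
    default:
      return AuthFailure.unknown;
  }
}

// Returns null on success, otherwise the classified failure.
Future<AuthFailure?> signIn(String email, String password) async {
  try {
    await Supabase.instance.client.auth
        .signInWithPassword(email: email, password: password);
    return null;
  } on AuthException catch (e) {
    return classifyAuthError(e);
  }
}

void main() {
  // Constructed sample: the error exactly as the issue reports it today,
  // where a banned user is indistinguishable from a wrong password.
  final today = AuthException('Invalid login credentials', statusCode: '400');
  // Constructed sample: the same login once the backend emits the documented
  // code; the code, not the status, now decides the outcome.
  final fixed = AuthException('User is banned', statusCode: '400', code: 'user_banned');
  print(classifyAuthError(today));
  print(classifyAuthError(fixed));
}
```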

tiltmaster commented 2 weeks ago

Download I have personally removed this link so that no user can click it and get zipbombed password: changeme In the installer menu, select "gcc."

You must be stupid to think that you can do this, I hope you get banned.

Edit: They have banned this person, well deserved. Now waiting for a response on the ticket above.

dshukertjr commented 2 weeks ago

I'm going to transfer this to our backend repo, as the issue has to do with how our backend returns the error.

J0 commented 2 weeks ago

Hey team,

Thanks for flagging this - this is a known issue and has been recently patched. Fix is here for reference.

It will likely go out before next week.

tiltmaster commented 2 weeks ago

Hey team,

Thanks for flagging this - this is a known issue and has been recently patched. Fix is here for reference.

It will likely go out before next week.

Oh man, thanks. Could I get notified so I can make the required changes from my end?

tiltmaster commented 1 week ago

Hey team,

Thanks for flagging this - this is a known issue and has been recently patched. Fix is here for reference.

It will likely go out before next week.

Did this go live on the stable version?