supabase / supabase-js

An isomorphic Javascript client for Supabase. Query your Supabase database, subscribe to realtime events, upload and download files, browse typescript examples, invoke postgres functions via rpc, invoke supabase edge functions, query pgvector.

MIT License

2.86k stars 220 forks source link

Bug report

[x] I confirm this is a bug with Supabase, not with my own application.
[x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Developing localy with auth.email.enable_confirmations=true, calling signUp() for existing confirmed user responds with an error 'User already registered'. However, in production, signUp() behaves as expected: it succeeds and returns data, as mentioned in the docs:

If signUp() is called for an existing confirmed user:

If Confirm email is enabled in your project, an obfuscated/fake user object is returned.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

Call signUp() first time const response = await supabase.auth.signUp({ email, password });
Confirm email
Call signUp() for existing confirmed email const response = await supabase.auth.signUp({ email, password });
response will contain error but no data { data: { user: null, session: null }, error: { message: 'User already registered', status: 400 }}

Expected behavior

The behavior of signUp() will be the same in both local development and production.

System information

OS: Windows 11 Pro 23H2
supabase: 1.131.4
@supabase/supabase-js: 2.39.2
@supabase/ssr: 0.0.10

Additional context

https://github.com/supabase/supabase/issues/18195 might be connected.

Problem

After some research it turns out that in GoTrue API signup there is a check not only if email confirmation is enabled but also if phose confirmation is enabled:

Following this, there are gaps in documentation and inconsistencies in default configurations when using Supabase platform compared to self-hosting Supabase manualy with Docker or using Supabase CLI.

Default configurations:

Supabase platform

Email provider enabled & Email confirmation enabled

Phone provider disabled & Phone confirmation enabled

Supabase self-hosting with Docker

Email provider enabled & Email confirmation enabled .env.example

Phone provider enabled & Phone confirmation disabled .env.example

Supabase CLI

Email provider enabled & Email confirmation disabled

[auth.email]
enable_signup = true
enable_confirmations = false

Phone provider enabled & Phone confirmation disabled

[auth.sms]
enable_signup = true
enable_confirmations = false

Solution

So to make it work as expected, it's necessary to explicitly set up not only email confirmations but also phone confirmations, even if the phone provider is not used for signing up.