Unable to update user after anonymous sign-in

[paulofaria]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

After performing signInAnonymously, update(user:) fails with the following message:

Auth.AuthError.api(Auth.AuthError.APIError(msg: Optional("invalid claim: missing sub claim"), code: Optional(403), error: nil, errorDescription: nil, weakPassword: nil))

To Reproduce

mkdir supabase-auth-bug
cd supabase-auth-bug
swift package init --type executable

Edit Package.swift.

// swift-tools-version: 5.10

import PackageDescription

let package = Package(
    name: "supabase-auth-bug",
    platforms: [
        .macOS(.v11),
    ],
    dependencies: [
        .package(url: "https://github.com/supabase/supabase-swift.git", from: "2.9.0"),
    ],
    targets: [
        .executableTarget(
            name: "supabase-auth-bug",
            dependencies: [
                .product(name: "Supabase", package: "supabase-swift"),
            ]
        ),
    ]
)

Edit Sources/main.swift.

import Foundation
import Supabase

let supabaseURL = URL(string: "supabase-url")!
let supabaseKey = "supabase-key"
let phoneNumber = "+5511999999999"

let supabase = SupabaseClient(
    supabaseURL: supabaseURL,
    supabaseKey: supabaseKey
)

do {
    print("Signing in anonymously...")
    let session = try await supabase.auth.signInAnonymously()
    print("Created anonymous user with id: \(session.user.id)")
    print("Updating phone number...")
    try await supabase.auth.update(user: UserAttributes(phone: phoneNumber))
    print("Updated phone number")
} catch {
    print("Error: \(error)")
}

Run:

swift run

Output:

Building for debugging...
[7/7] Applying supabase-auth-bug
Build complete! (0.77s)
Signing in anonymously...
Created anonymous user with id: E89CD5D5-A02E-4187-BF73-2BF98ED38B34
Updating phone number...
Error: api(Auth.AuthError.APIError(msg: Optional("invalid claim: missing sub claim"), code: Optional(403), error: nil, errorDescription: nil, weakPassword: nil))

Expected behavior

I expect the call to update(user:) to succeed and send an SMS to the specified phone number.

System information

• OS: iOS 17.4.1 and macOS 14.4.1
• Version of supabase-swift: 2.9.0

Additional context

I tried the flow above using the supabase-js library and it worked as expected. Here's the JS script for reference:

import process from 'node:process';
import readline from 'node:readline';
import { createClient } from '@supabase/supabase-js'

const rl = readline.createInterface({
  input: process.stdin,
  output: process.stdout
});

async function promptForOTP() {
  const asyncIterator = rl[Symbol.asyncIterator]();
  console.log('Please, enter your OTP: ');
  const { value } = await asyncIterator.next();
  return value;
}

const supabase = createClient(
  'supabase-url', 
  'supabase-key'
)

console.log('Signing in anonymously...');

const { data: signInAnonymouslyData, error: signInAnonymouslyError } = await supabase.auth.signInAnonymously();

if (signInAnonymouslyError) {
  console.error(signInAnonymouslyError);
  process.exit(1);
} else {
  console.log('Signed in anonymously');

  if (signInAnonymouslyData) {
    console.log(signInAnonymouslyData);
  }
}

const phone = '+5511999999999';

console.log('Sending OTP to phone...');

const { data: updateUserData, error: updateUserError } = await supabase.auth.updateUser({
  phone 
});

if (updateUserError) {
  console.error(updateUserError);
  process.exit(1);
} else {
  console.log('OTP sent to phone');

  if (updateUserData) {
    console.log(updateUserData);
  }
}

const phoneChangeOTP = await promptForOTP();

console.log('Verifying OTP...');

const { data: verifyPhoneChangeOTPData, error: verifyPhoneChangeOTPError } = await supabase.auth.verifyOtp({ phone, token: phoneChangeOTP, type: 'phone_change'})

if (verifyPhoneChangeOTPError) {
  console.error(verifyPhoneChangeOTPError);
  process.exit(1);
} else {
  console.log('OTP verified');

  if (verifyPhoneChangeOTPData) {
    console.log(verifyPhoneChangeOTPData);
  }
}

console.log('Signing out...');

const { error: signOutError } = await supabase.auth.signOut()

if (signOutError) {
  console.error(signOutError);
  process.exit(1);
} else {
  console.log('Signed out');
}

console.log('Sending OTP to phone...');

const { data: signInWithPhoneData, error: signInWIthPhoneError } = await supabase.auth.signInWithOtp({
  phone,
})

if (signInWIthPhoneError) {
  console.error(signInWIthPhoneError);
  process.exit(1);
} else {
  console.log('OTP sent to phone');

  if (signInWithPhoneData) {
    console.log(signInWithPhoneData);
  }
}

const smsOTP = await promptForOTP();

console.log('Verifying OTP...');

const { data: verifySMSOTPData, error: verifySMSOTPError } = await supabase.auth.verifyOtp({ phone, token: smsOTP, type: 'sms'})

if (verifySMSOTPError) {
  console.error(verifySMSOTPError);
  process.exit(1);
} else {
  console.log('OTP verified');

  if (verifySMSOTPData) {
    console.log(verifySMSOTPData);
  }
}
  
rl.close();

[grdsdev]

Hi @paulofaria thanks for bring it up, I'll take a look.

[grdsdev]

Hi @paulofaria I was able to update the phone after anonymous sign-in. There was an issue with the auth service, fixed in supabase/auth#1580 but it is unrelated to your issue.

As it isn't an issue with the library, I suggest you open a ticket at https://supabase.com/dashboard/support/new there we can help you quickly.

Thanks.