Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question and potentially a proposal about signing in with phone/email when signups with those are disabled #315

Closed
TomasHubelbauer opened this issue Mar 5, 2022 · 1 comment
Closed

Question and potentially a proposal about signing in with phone/email when signups with those are disabled #315

TomasHubelbauer opened this issue Mar 5, 2022 · 1 comment

Comments

@TomasHubelbauer
Copy link

TomasHubelbauer commented Mar 5, 2022
edited
Loading

Hi, I have a question about a patch I am proposing to the Supabase GoTrue fork:
supabase/auth#324

The patch makes it possible to sign in with a phone or an email even when phone/email signups have been disabled. This means that existing users utilizing these sign in options would be able to continue to sign and new users would be prevented from signing up should these options be disabled.

My problem is that I implemented this by simply removing existing checks that prevented this in the first place. And now I am wondering whether GoTrue intentionally makes it so that one can't sign in with the phone or email when signups with such method are disabled, or whether maybe those conditions were there as a result of copy-paste and folks agree letting users sign in in this case is okay?

I am worried about introducing a security issue by missing an unintended consequence of removing these checks. I figured the best way to be sure that's not what this would do is to ask at the source.

Please let me know if the change I propose looks good to you. I will be happy to patch this upstream as well if it makes sense to everyone that the change should be the case.

- Do you want to request a feature or report a bug?

I think I am reporting a bug, but not sure if I might be missing something and this is actually an intended feature.

- What is the current behavior?

When disabling email and phone signup, users cannot sign in with an email or phone.

- If the current behavior is a bug, please provide the steps to reproduce.

Disable email and phone auth providers and attempt to sign in with either - you will receive the exception whose throw-site my patch is removing.

See here: supabase/auth#330.

- What is the expected behavior?

I think it should be possible to sign in with an email or a phone even if the sign ups are disabled. That's what I want for my single-user Supabase app. Supabase uses a fork of GoTrue and when I manually create a user for myself and then disable all ways to sign up for anyone else, I can't sign in myself any longer.

- Please mention your Go version, and operating system version.

N/A
This was referenced Mar 5, 2022
Closed
Closed
@TomasHubelbauer
Copy link
Author

Apologies, upon further inspection it appears as thought this code was never in this upstream and was only introduce in the fork!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@TomasHubelbauer