Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Anonymous Sign-in #68

Closed
happy-san opened this issue Feb 16, 2021 · 142 comments
Closed

Anonymous Sign-in #68

happy-san opened this issue Feb 16, 2021 · 142 comments
Assignees
Labels
enhancement New feature or request

Comments

@happy-san
Copy link

Feature request

For letting users anonymously enter into the application, and then if they want to continue, they can upgrade their account.

Describe the solution you'd like

Ability to sign in without any credentials.

@happy-san happy-san added the enhancement New feature or request label Feb 16, 2021
@awalias
Copy link
Member

awalias commented Mar 10, 2021

btw this is possible today by choosing a random email address and disabling email confirmations

you can then later update the email address (this step I believe is currently only semi-functional)

@samtgarson
Copy link

I think this is only true for apps which use email/password authentication—I'm not sure it's currently possible to convert an "anonymous" email/password user to a OAuth provider user upon sign up?

@juliuscc
Copy link

We don't care about converting an anonymous user to a logged-in user, but we still want to be able to support anonymous users. So the workaround works for us.

But is it possible to somehow still require email confirmations when users create a real account? Would it be possible to have two user groups or something? Or is the best solution to have two different projects?

@juliuscc
Copy link

Our specific use case is that we want to offer a cart (with products) to our users. If they are logged in it is synced between devices, and otherwise it's just persistently available locally.

We would have to save the cart in our backend for logged-in users and would prefer to do so for non-logged-in users as well. To not make carts publicly available we would like our users to have a JWT token pair (refresh token and short-term token) so that they can securely access their cart, even if they are not logged in.

This will save us from having to store the cart in the frontend for non-logged-in users which would be duplicate work for us.

@mattWalters0
Copy link

mattWalters0 commented Oct 28, 2021

btw this is possible today by choosing a random email address and disabling email confirmations

you can then later update the email address (this step I believe is currently only semi-functional)

How does that work @awalias ? if I disable email confirmations and then call this method:
await supabase.auth.signIn({ email })

will the user be signed in at that point?

@juliuscc
Copy link

Yes. I have tried this and that is how it works. A good practice is to randomize the email in a way so that it should never be possible to have.

In our case we own the domain panprices.com so we could randomize an email that looks like this:
[random-hash]@anon-users.panprices.com

@mattWalters0
Copy link

I can't get this to work. This is my function:

  const handleLogin = async () => {
    try {
      loading = true
      const { user, session, error } = await supabase.auth.signIn({email})
      debugger
      if (error) throw error
    } catch (error) {
      alert(error.error_description || error.message)
    } finally {
      loading = false
    }
  }

But user does not get populated.

I have turned off the 'Enable email confirmations' setting.

@juliuscc
Copy link

I think I might have used supabase.auth.signUp({email, password})

From the docs:

If "Email Confirmations" is turned off, both a user and a session will be returned

@mattWalters0
Copy link

Hmm can't seem to get this to work. If I use signUp without a password I get an error saying
"Signup requires a valid password"

If I use the signIn method then there's no error but user and session are still null....

@juliuscc
Copy link

juliuscc commented Nov 1, 2021

Does it work if you do a signup with a random password?

@mattWalters0
Copy link

mattWalters0 commented Nov 2, 2021

Thanks @juliuscc! Yes, that does work!

I guess I can go with signing the user up with a random email and password and add the UID of the temporary profile to the user_id column for RLS.

If they eventually sign up with their real email then I'll update the user_id with the new profiles UID and delete the temporary profile.

@mattWalters0
Copy link

mattWalters0 commented Nov 2, 2021

It does add quite a bit of complexity though. @awalias,@kiwicopple any idea when the anonymous authentication feature might get implemented? Is there a roadmap somewhere? Thanks!!

@stoico
Copy link

stoico commented Mar 1, 2022

Is this feature being considered?

It is often absolutely necessary for mobile apps.

@dpelletier2017
Copy link

We 100% need this. It is the only thing that actually prevents me from using Supabase Auth in my mobile apps.

I have to use Firebase just for this feature, and then I always add a userID column with these informations.

One workaround could be to use Sign In With Apple on iOS because you can create an account literally with one single screen tap, but it still adds an unnecessary step (read : "wall") to the app, which can of course reduce user conversion.

@J0 J0 added the For discussion To discuss during next Auth catchup label May 17, 2022
@J0 J0 added p2 Priority 2 and removed For discussion To discuss during next Auth catchup labels Jun 2, 2022
@J0 J0 self-assigned this Jun 7, 2022
@leynier
Copy link

leynier commented Jul 3, 2022

I think this is only true for apps which use email/password authentication—I'm not sure it's currently possible to convert an "anonymous" email/password user to a OAuth provider user upon sign up?

I have the same issue, I want to offer anonymous login and then when user decide login with a "real" login don't lose the data. I found a way to do that for email/password login, but I not figure out how to do with external providers. Someone found a way to do it?

@Schnodderbalken
Copy link

Any update here? This is the only thing that still makes me use Firebase instead of Supabase in certain projects.

@J0 J0 removed the p2 Priority 2 label Sep 7, 2022
@kangmingtay kangmingtay pinned this issue Sep 7, 2022
@kangmingtay kangmingtay changed the title Support for anonymous sign in. Anonymous Sign-in Sep 7, 2022
@georgeselkhoury
Copy link

georgeselkhoury commented Nov 27, 2022

This is an important feature. I think it's only reason I won't go for supabase now. Sad to find out it's not available.

Any plans to implement this soon?

@ChauCM
Copy link

ChauCM commented Dec 16, 2022

please take a look at this

@pedromassango
Copy link

I've created an issue to add this to the Flutter SDK, please upvote:
supabase/supabase-flutter#874

@ekimcem
Copy link

ekimcem commented Mar 28, 2024

The supabase.auth.signInAnonymously() function isn't in the Node packages. I don't understand the documentation/API of how to get to this.

I have upgraded to supabase-js in to latest, and used yarn upgrade etc. I still can not reach the function yet.

@supabase/supabase-js@2.40.0
@supabase/gotrue-js@2.62.2

@geoffreygarrett
Copy link

@sameerxanand, @pedromassango, @ekimcem. I've been Googling to find this issue daily, I just happened to see this new result. I wasn't clear with my message of excitement - The point is that it's about to be available, their docs were updated first.

@kangmingtay
Copy link
Member

hey everyone, we've just bump the supabase-js version to contain the signInAnonymously method - we didn't want to release this to the supabase-js package before the docs and configuration option on the dashboard was released

with that said, you should be able to start using anonymous sign-ins in your projects today! 🎉

@mlukasik-dev
Copy link

@kangmingtay,
What about Supabase Dashboard. For me, the option to enable anonymous auth is still not available...
Is it also planned to be rolled out today?

@sameerxanand
Copy link

There is an option in the dashboard. It took me a while to find it. The docs link to the wrong place.

In your project, click the gear icon and go to "Authentication." You should see it there, not on the providers page.

Sorry if this image isn't too helpful - I'm on mobile right now and the site isn't very responsive.
image

@lucis
Copy link

lucis commented Mar 28, 2024

@kangmingtay and all, congrats on the new feature!

We're already testing it and unfortunately bumped into a 500 error from the Supabase Server supabase/supabase-js#999

Is there any upgrade we need to do on our database for this to work?

@utku-kaan
Copy link

I ran into a similar issue @lucis, and it turned out to be entirely related to my project. I discovered that I had a trigger set up to add a row to the public.profiles table every time a new user signs up that was using specific values in the form of options.data (which corresponds to the raw_user_meta_data column in auth.users). The problem was that I wasn't passing those values correctly when calling the signInAnonymously method. Once I fixed that, everything worked like a charm. I'd recommend checking your database triggers.

@kangmingtay
Copy link
Member

@lucis can you please reach out to https://supabase.help if you have any issues? it's hard for us to tell what went wrong just from a 500 error without any information about the project / logs

@lucis
Copy link

lucis commented Mar 28, 2024

That was it, @utku-kaan, thanks!

@kangmingtay I opened a ticket but also decided to share it here in case someone else was having the problem, which was the case. After fixing the trigger, it worked. Thanks

@geoffreygarrett
Copy link

Great that it's implemented. Small note: what about the missing setting in the config.toml for local development?

  1. https://supabase.com/docs/guides/auth/auth-anonymous
  2. https://supabase.com/docs/guides/self-hosting/auth/config

@Sun3
Copy link

Sun3 commented Mar 30, 2024

I have been waiting for this... awesome.

@kangmingtay
Copy link
Member

@geoffreygarrett it will be supported on the CLI soon (likely some time this week) for local development!

kangmingtay added a commit to supabase/auth-js that referenced this issue Apr 2, 2024
## What kind of change does this PR introduce?

Types update

## What is the current behavior?

User type is missing 'is_anonymous' property.

## What is the new behavior?

User type has the 'is_anonymous' property.

## Additional context

I'm not 100% certain if this property is optional or not, hoping
@kangmingtay can offer some insight as they implemented the feature in
supabase/auth#68

Fixes #872

---------

Co-authored-by: Kang Ming <kang.ming1996@gmail.com>
@thisisthemurph
Copy link

Hi, I'm looking to implement this in my app, but I am not using the JS library and the third-party libraries haven't had enough time to implement this feature yet. Is there somewhere I can view the API documentation for this so I can call it manually from my code? I have looked, but I am unable to find documentation for the auth/v1 endpoints.

@kangmingtay
Copy link
Member

@thisisthemurph good point, we'll update that - it uses the same endpoint as signup but without passing anything in the request body

curl -X POST 'https://project_ref.supabase.co/auth/v1/signup' \
-H 'apikey: YOUR_SUPABASE_ANON_KEY'
-H 'Content-Type: application/json' -d '{}'

@thisisthemurph
Copy link

thisisthemurph commented Apr 17, 2024

@kangmingtay thanks for the information, appreciate it! Do you know where these kinds of endpoints are generally documented?

@robertbodley
Copy link

Hi, I have enabled signInAnonymously

# config.toml
enable_anonymous_sign_ins = true

But when I call:

supabase.auth.signInAnonymously()

I get the following error:

{"code":422,"msg":"Signup requires a valid password"}

Request:

Request URL: http://127.0.0.1:54321/auth/v1/signup
Request Method: POST
Status Code: 422 Unprocessable Entity
Body: {"data":{},"gotrue_meta_security":{}}

@robertbodley
Copy link

Hi, I have enabled signInAnonymously

# config.toml
enable_anonymous_sign_ins = true

But when I call:

supabase.auth.signInAnonymously()

I get the following error:

{"code":422,"msg":"Signup requires a valid password"}

Request:

Request URL: http://127.0.0.1:54321/auth/v1/signup
Request Method: POST
Status Code: 422 Unprocessable Entity
Body: {"data":{},"gotrue_meta_security":{}}

I fixed this by upgrading the Supabase CLI (also the Supabase npm package). More info: https://github.com/supabase/supabase/blob/eadf3d5353f5de7613c90e11f9800a31df0726aa/apps/www/_blog/2024-04-17-anonymous-sign-ins.mdx#L58

@MohitKS5
Copy link

MohitKS5 commented Apr 27, 2024

Is this available on @supabase/ssr ? Or we have to use supabase-js in client side to achieve the functionality.

@kangmingtay
Copy link
Member

@MohitKS5 it's available, just upgrade your supabase-js library

@hf hf unpinned this issue Jun 6, 2024
uxodb pushed a commit to uxodb/auth that referenced this issue Nov 13, 2024
## What kind of change does this PR introduce?
* Implements supabase#68 
* An anonymous user is defined as a user that doesn't have an email or
phone in the `auth.users` table. This is tracked by using a generated
column called `auth.users.is_anonymous`
* When an anonymous user signs-in, the JWT payload will contain an
`is_anonymous` claim which can be used in RLS policies as mentioned in
[Option
3](supabase#68 (comment)).
```json
{
  ...
  "is_anonymous": true
}
```
* Allows anonymous sign-ins if `GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED`
is enabled
* Anonymous sign-ins are rate limited on a per hourly basis and
controlled by `GOTRUE_RATE_LIMIT_ANONYMOUS_USERS`. This is an ip-based
rate limit.
* You can also configure silent captcha / turnstile to prevent abuse
* There are 2 ways to upgrade an anonymous user to a permanent user:
  1. Link an email / phone identity to an anonymous user `PUT /user` 
2. Link an oauth identity using `GET
/user/identities/authorize?provider=xxx`

## Example
```bash
# Sign in as an anonymous user
curl -X POST 'http://localhost:9999/signup' \
-H 'Content-Type: application/json' \
-d '{}'

# Upgrade an anonymous user to a permanent user with an email identity
curl -X PUT 'http://localhost:9999/user' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>' \
-d '{"email": "user@example.com"}'

# Upgrade an anonymous to a permanent user with an oauth identity
curl -X GET 'http://localhost:9999/user/identities/authorize?provider=google' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>
```

## Follow-ups
* Cleanup logic for anonymous users will be made in a separate PR
LashaJini pushed a commit to LashaJini/auth that referenced this issue Nov 13, 2024
## What kind of change does this PR introduce?
* Implements supabase#68 
* An anonymous user is defined as a user that doesn't have an email or
phone in the `auth.users` table. This is tracked by using a generated
column called `auth.users.is_anonymous`
* When an anonymous user signs-in, the JWT payload will contain an
`is_anonymous` claim which can be used in RLS policies as mentioned in
[Option
3](supabase#68 (comment)).
```json
{
  ...
  "is_anonymous": true
}
```
* Allows anonymous sign-ins if `GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED`
is enabled
* Anonymous sign-ins are rate limited on a per hourly basis and
controlled by `GOTRUE_RATE_LIMIT_ANONYMOUS_USERS`. This is an ip-based
rate limit.
* You can also configure silent captcha / turnstile to prevent abuse
* There are 2 ways to upgrade an anonymous user to a permanent user:
  1. Link an email / phone identity to an anonymous user `PUT /user` 
2. Link an oauth identity using `GET
/user/identities/authorize?provider=xxx`

## Example
```bash
# Sign in as an anonymous user
curl -X POST 'http://localhost:9999/signup' \
-H 'Content-Type: application/json' \
-d '{}'

# Upgrade an anonymous user to a permanent user with an email identity
curl -X PUT 'http://localhost:9999/user' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>' \
-d '{"email": "user@example.com"}'

# Upgrade an anonymous to a permanent user with an oauth identity
curl -X GET 'http://localhost:9999/user/identities/authorize?provider=google' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>
```

## Follow-ups
* Cleanup logic for anonymous users will be made in a separate PR
LashaJini pushed a commit to LashaJini/auth that referenced this issue Nov 15, 2024
## What kind of change does this PR introduce?
* Implements supabase#68 
* An anonymous user is defined as a user that doesn't have an email or
phone in the `auth.users` table. This is tracked by using a generated
column called `auth.users.is_anonymous`
* When an anonymous user signs-in, the JWT payload will contain an
`is_anonymous` claim which can be used in RLS policies as mentioned in
[Option
3](supabase#68 (comment)).
```json
{
  ...
  "is_anonymous": true
}
```
* Allows anonymous sign-ins if `GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED`
is enabled
* Anonymous sign-ins are rate limited on a per hourly basis and
controlled by `GOTRUE_RATE_LIMIT_ANONYMOUS_USERS`. This is an ip-based
rate limit.
* You can also configure silent captcha / turnstile to prevent abuse
* There are 2 ways to upgrade an anonymous user to a permanent user:
  1. Link an email / phone identity to an anonymous user `PUT /user` 
2. Link an oauth identity using `GET
/user/identities/authorize?provider=xxx`

## Example
```bash
# Sign in as an anonymous user
curl -X POST 'http://localhost:9999/signup' \
-H 'Content-Type: application/json' \
-d '{}'

# Upgrade an anonymous user to a permanent user with an email identity
curl -X PUT 'http://localhost:9999/user' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>' \
-d '{"email": "user@example.com"}'

# Upgrade an anonymous to a permanent user with an oauth identity
curl -X GET 'http://localhost:9999/user/identities/authorize?provider=google' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>
```

## Follow-ups
* Cleanup logic for anonymous users will be made in a separate PR
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests