
feat: initial fix for invite followed by signup. #1262

Merged
merged 3 commits into from
Oct 9, 2023

Conversation

Contributor

@J0 J0 commented Oct 2, 2023

What kind of change does this PR introduce?

Currently, sending an invite request followed by a signup request w/o confirmation between invite and signup will expose metadata on UserMetadata and Identities which may be perceived as a leak of sensitive information.

This PR aims to clear out such metadata for cases where the dev has been invited before a signup.

Testing Instructions

How to test locally:

Use this admin bearer jwt

  1. Call http://localhost:9999/invite to myemail@gmail.com
  2. Wait 60s
  3. Call http://localhost:9999/signup with myemail@gmail.com and check that identities field is blanked out
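The behaviour this PR addresses, reduced to a Go example that is added here and is not gotrue's own code: a trimmed stand-in `User` type (hypothetical, not the project's models), a `SanitizeForSignupResponse` function that blanks `user_metadata` and `identities` when the account was created by an invite that was never confirmed, and a `LeaksInviteData` check that applies step 3 of the testing instructions to a raw `/signup` response body. Field names, function names and the sample metadata are assumptions; the sample user is constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Identity and User are hypothetical, trimmed-down stand-ins for the
// corresponding gotrue models. The JSON keys follow the fields the PR
// mentions (user_metadata, identities) but these are NOT the project's types.
type Identity struct {
	ID           string                 `json:"id"`
	Provider     string                 `json:"provider"`
	IdentityData map[string]interface{} `json:"identity_data"`
}

type User struct {
	ID               string                 `json:"id"`
	Email            string                 `json:"email"`
	InvitedAt        *time.Time             `json:"invited_at,omitempty"`
	EmailConfirmedAt *time.Time             `json:"email_confirmed_at,omitempty"`
	UserMetadata     map[string]interface{} `json:"user_metadata"`
	Identities       []Identity             `json:"identities"`
}

// IsConfirmed captures the condition the PR cares about: an invite that was
// never accepted leaves the account unconfirmed.
func (u *User) IsConfirmed() bool { return u.EmailConfirmedAt != nil }

// SanitizeForSignupResponse returns the user as it should appear in a
// /signup response. If the account exists only because an admin invited it
// and the invite was never confirmed, the caller of /signup has not proven
// control of the address, so the metadata and identities attached at invite
// time are stripped before serialisation. Confirmed users are returned as-is.
// The argument is passed by value and the maps/slices are reassigned, so the
// caller's copy is not mutated.
func SanitizeForSignupResponse(u User) User {
	if u.InvitedAt != nil && !u.IsConfirmed() {
		u.UserMetadata = map[string]interface{}{}
		u.Identities = []Identity{}
	}
	return u
}

// LeaksInviteData is step 3 of the testing instructions applied to a raw
// /signup response body: it reports whether the body still carries a
// non-empty user_metadata object or identities array.
func LeaksInviteData(body []byte) (bool, error) {
	var resp struct {
		UserMetadata map[string]interface{} `json:"user_metadata"`
		Identities   []json.RawMessage      `json:"identities"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return false, err
	}
	return len(resp.UserMetadata) > 0 || len(resp.Identities) > 0, nil
}

func main() {
	now := time.Now()
	// Constructed sample: what /invite leaves behind for myemail@gmail.com
	// before the invitee confirms. Every value here is made up.
	invited := User{
		ID:           "00000000-0000-0000-0000-000000000001",
		Email:        "myemail@gmail.com",
		InvitedAt:    &now,
		UserMetadata: map[string]interface{}{"full_name": "Invited Person", "role": "admin"},
		Identities: []Identity{{
			ID:           "00000000-0000-0000-0000-000000000002",
			Provider:     "email",
			IdentityData: map[string]interface{}{"email": "myemail@gmail.com"},
		}},
	}

	before, _ := json.Marshal(invited)
	after, _ := json.Marshal(SanitizeForSignupResponse(invited))
	leakBefore, _ := LeaksInviteData(before)
	leakAfter, _ := LeaksInviteData(after)
	fmt.Println("unsanitised /signup body leaks invite data:", leakBefore)
	fmt.Println("sanitised /signup body leaks invite data:  ", leakAfter)
}
```

Note that the check keys on "invited and not yet confirmed" rather than on the presence of metadata alone, so a user who confirmed their invite and then hits `/signup` again keeps their own data in the response.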

@J0 J0 marked this pull request as ready for review October 3, 2023 14:55
@J0 J0 requested a review from a team as a code owner October 3, 2023 14:55
Contributor

@hf hf left a comment


Looks OK.

Can we use the feat: title prefix as that will create a new version, not bump a random one. There's really no use for fix: the way the repo is set up today.

Review thread on internal/api/signup.go (outdated, resolved)
Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
@J0 J0 changed the title fix: initial fix for invite followed by signup. feat: initial fix for invite followed by signup. Oct 9, 2023
@J0 J0 merged commit 76c8eeb into master Oct 9, 2023
2 checks passed
@J0 J0 deleted the j0/remove_sensitive_fields_on_second_signup branch October 9, 2023 06:06
@github-actions
Contributor

github-actions bot commented Oct 9, 2023

🎉 This PR is included in version 2.100.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

hoeseong19 pushed a commit to hoeseong19/gotrue that referenced this pull request Oct 16, 2023
## What kind of change does this PR introduce?

Currently, sending an `invite` request followed by a `signup` request
w/o confirmation between invite and signup will expose metadata on
UserMetadata and Identities which may be perceived as a leak of
sensitive information.

This PR aims to clear out such metadata for cases where the dev has been
invited before a signup


## Testing Instructions
How to test locally:

Use this admin bearer `jwt` 

1. Call  http://localhost:9999/invite to `myemail@gmail.com`
2. Wait 60s 
3. Call http://localhost:9999/signup with `myemail@gmail.com` and check
that `identities` field is blanked out

---------

Co-authored-by: joel@joellee.org <joel@joellee.org>
Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
2 participants