Converting Anonymous users to regular users isn't working #25787

Closed
2 tasks done
gitnik opened this issue May 6, 2024 · 13 comments
Labels: auth (All thing Supabase Auth related), bug (Something isn't working), needs-analysis (Issue status is unknown and/or not possible to triage with the current info)

Comments

@gitnik

gitnik commented May 6, 2024

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Converting anonymous users to full users as per the documentation (https://supabase.com/docs/guides/auth/auth-anonymous#convert-an-anonymous-user-to-a-permanent-user) is not working. Calling signInAnonymously does not seem to set a session, resulting in an error when trying to "upgrade" the user by linking the identity (setting the email).

This doesn't work locally or on production so I don't think it's a config issue.

To Reproduce

const { data: login, error: loginError } = await supabase.auth.signInAnonymously();

// this throws 'AuthSessionMissingError: Auth session missing!'
const { data: user, error: userError } = await supabase.auth.updateUser({ email: 'foo@bar.com' });

Expected behavior

As per the documentation I would expect to get a regular user with that email.

System information

  • Version of supabase-js: 2.43.1
  • Version of supabase: 1.165.0
  • Version of Node.js: 20

gitnik added the bug (Something isn't working) label May 6, 2024

@r-southworth

r-southworth commented May 6, 2024

Are you trying to update the user on your server vs on the client? I can get this error when I try the updateUser when I am on the server because the session is stored in localStorage.

You can theoretically do it on the server with supabase.auth.admin.updateUserById(user_id, {email: usersNewEmail}) but that doesn't seem to be converting the users from being anonymous which I can't tell if that is by design or a bug - it adds the email fine but the user is still considered anonymous.

encima added the auth (All thing Supabase Auth related) and needs-analysis (Issue status is unknown and/or not possible to triage with the current info) labels May 7, 2024

@encima
Member

encima commented May 7, 2024

Thanks @r-southworth, the call you mention is by design as this existed before anonymous users and is used in other user update operations. The method in the docs is the way to create a user from anonymous.

@r-southworth

Yes I know that. I was trying to troubleshoot where the user was having issues because I can't reproduce. I'm using anonymous users and update user works just fine - the only way I've managed to get the posted error is trying to call the method from the server which returns that error (as expected) since there isn't a session on the server.

@r-southworth

@encima Sorry, I think I mis-read your comment this morning. Are you saying supabase.auth.admin.updateUserById is not supposed to convert a user from Anonymous to Email if you assign an email with email_confirm = true? If so, why is that the design? How can a user be converted from anonymous to email without sending a confirmation email and without turning off email confirmation completely?

@encima
Member

encima commented May 7, 2024

> @encima Sorry, I think I mis-read your comment this morning. Are you saying supabase.auth.admin.updateUserById is not supposed to convert a user from Anonymous to Email if you assign an email with email_confirm = true? If so, why is that the design? How can a user be converted from anonymous to email without sending a confirmation email and without turning off email confirmation completely?

That might be a separate discussion :)
Converting anonymous to user is done as you said, using the client side. The server side call is for generally updating a user (changing not just the email).

@r-southworth

@encima new issue opened supabase/auth#1578 if you want to take a look.

@r-southworth

r-southworth commented May 7, 2024

@gitnik I can't reproduce with supabase-js 2.42.0 or 2.43.1. I am calling supabase.auth.getUser() between signInAnonymously and updateUser, so in at least some situations it seems to be working. Maybe test if the getUser matters at all in your implementation? Also, the session should be created in local storage as soon as you call signInAnonymously, which is working for me - have you inspected your localStorage to see if the session is being created?

@gitnik
Author

gitnik commented May 7, 2024

If I execute the updateUser call on the client, it works as expected. This was not clear to me from the documentation.

encima closed this as completed May 7, 2024

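The failure discussed above (updateUser called on a client that never received the anonymous session) can be caught before the call is made. The following is an added example, not code from the thread or from supabase-js: `classifySession`, `upgradeAnonymousUser` and `makeFakeClient` are hypothetical names, and the fake client is a constructed stand-in so the snippet runs offline; the helper itself only relies on `auth.getSession()`, `auth.updateUser()` and the user's `is_anonymous` flag.

```javascript
// Decide whether the session held by a client can be upgraded.
function classifySession(session) {
  if (!session || !session.user) return 'no-session'; // e.g. a fresh server-side client
  if (session.user.is_anonymous !== true) return 'not-anonymous';
  return 'anonymous';
}

// Call updateUser only on a client that actually holds the anonymous session.
async function upgradeAnonymousUser(supabase, email) {
  const { data, error } = await supabase.auth.getSession();
  if (error) return { ok: false, reason: 'session-lookup-failed', error };
  const state = classifySession(data.session);
  if (state !== 'anonymous') return { ok: false, reason: state };
  const { data: updated, error: updateError } = await supabase.auth.updateUser({ email });
  if (updateError) return { ok: false, reason: 'update-failed', error: updateError };
  return { ok: true, user: updated.user };
}

// Constructed stand-in for a client. Each instance has its own session storage,
// like a browser client (localStorage) versus a separate server-side client.
function makeFakeClient() {
  let session = null;
  return {
    auth: {
      async signInAnonymously() {
        session = { user: { id: 'constructed-id', is_anonymous: true } };
        return { data: { session, user: session.user }, error: null };
      },
      async getSession() { return { data: { session }, error: null }; },
      async updateUser(attrs) {
        if (!session) return { data: { user: null }, error: new Error('Auth session missing!') };
        // Constructed behaviour: just record the requested email on the user.
        session.user = { ...session.user, new_email: attrs.email };
        return { data: { user: session.user }, error: null };
      },
    },
  };
}

async function demo() {
  const browserClient = makeFakeClient();
  const serverClient = makeFakeClient(); // never signed in, so it has no session
  await browserClient.auth.signInAnonymously();
  return {
    server: await upgradeAnonymousUser(serverClient, 'foo@bar.com'),
    browser: await upgradeAnonymousUser(browserClient, 'foo@bar.com'),
  };
}
```
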
@OmarGoubail

OmarGoubail commented May 8, 2024

I am running into an issue, that I am not sure is related or not, but I am using anonymous users on the server and they work as you'd expect, but I can't convert them to permanent user, using otp. The otp is always expired or is invalid, and I've made sure it's correct multiple times.

Signing up normally works with otp.

Also I tried on the client and still have the same problem or is there something I am missing?

So far I am signing in anonymously on the server, updating on client and verifying the token on the client using supabase ssr, I also tried with the supabase-js with no ssr but still doesn't work. Updating on the server doesn't work either that was my initial approach, switched to client after reading this thread.

@r-southworth

@OmarGoubail I think you might need to do something with linked identities to get Otp to work. Like sign up the user with otp then call a manual link method to combine that with the anonymous user - but that isn't really covered in the docs at this point so I am not entirely sure

@OmarGoubail

@r-southworth Thanks for the quick reply, I wanted to confirm all possible methods before replying.

Manual linking doesn't work like that as far as I can tell, it needs OAuth, and I am trying to authenticate using email only.

My problem, which I am more confident now is a bug, is that otp is always expired or incorrect when using anonymous sign-ins. So far I've tried normal sign up in which otp works normally. I've tried using admin method to confirm email then re-authenticating but otp is always expired. If I use {{ .ConfirmationURL }} with update user, then user is converted with no problems.

So I can't convert anonymous with otp in all cases I am aware of, I am hoping it's something I am missing. So will open a detailed issue when I can.

@r-southworth

r-southworth commented May 9, 2024

@OmarGoubail Did you try a combo of signing up with otp then updateUser on the anonymous user with the same email? If I understand automatic linking correctly (which is dubious - but best guess anyway) then once the anonymous user confirms their email the otp user and the now not-anonymous user should get merged.

@OmarGoubail

@r-southworth If I understand you correctly. First you sign-in anonymously then you sign up without pushing a cookie, correct? Then afterwards you just update the email with auth.updateUser(), and they will be automatically linked. But wouldn't that have the same problem because updating user requires an otp verification which will be also expired or incorrect?
