
auth.signUp() doesn't error for existing accounts - security vulnerability

See original GitHub issue

Bug report

Describe the bug

supabase.auth.signUp() is not erroring for existing accounts. Right now, you can submit an existing email with any incorrect password, and supabase will return you the account metadata (without a jwt).

To Reproduce

  1. Go to this example app.
  2. Sign up with an email and a password.
  3. Log out.
  4. Try to sign up again with the same email using any password you want. Try asdfasdfasdf if you want!

You will get an alert saying you logged in, but you won’t get a working access token, just the email you submitted. You can also view the request in the Network tab of the Dev Tools and see metadata about the account, like when it was created and what provider it uses.

Expected behavior

Attempting to sign up with an existing email should throw an error.

System information

  • Version of supabase-js: 1.2.1
  • Version of Node.js: 14.17.4

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Comments: 23 (7 by maintainers)

Top GitHub Comments

25 reactions
naegelin commented, Nov 12, 2021

This ‘security fix’ seems like ‘security through obscurity’. IMHO it doesn’t make sense for supabase to be opinionated about how a signup process should be handled by developers. There are many use cases where a back-end service may need to know if a user already exists, and having to store an additional user profile table just to be able to figure this out seems to be an unnecessary extra step. Perhaps the ‘service key’ responses can be accurate while the ‘app key’ responds with a generic ‘invalid credentials’?

19 reactions
silentworks commented, Nov 12, 2021

I also agree that security through obscurity is not a good way to fix this, as most services online do tell you if a user already exists; what they do have, however, is a rate limit on how many logins you can try within a certain time period to prevent brute force attacks. This fix should probably be reverted as the behaviour is unexpected and it seems to be confusing users more than anything.
