fix: allow anonymous user to update password (#1739)

supabase · Aug 26, 2024 · 2d51956 · 2d51956
1 parent 10fa347
commit 2d51956
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 9 deletions.
diff --git a/internal/api/anonymous_test.go b/internal/api/anonymous_test.go
@@ -80,7 +80,7 @@ func (ts *AnonymousTestSuite) TestAnonymousLogins() {
 
 func (ts *AnonymousTestSuite) TestConvertAnonymousUserToPermanent() {
 	ts.Config.External.AnonymousUsers.Enabled = true
-	ts.Config.Sms.TestOTP = map[string]string{"1234567890": "000000"}
+	ts.Config.Sms.TestOTP = map[string]string{"1234567890": "000000", "1234560000": "000000"}
 	// test OTPs still require setting up an sms provider
 	ts.Config.Sms.Provider = "twilio"
 	ts.Config.Sms.Twilio.AccountSid = "fake-sid"
@@ -106,6 +106,22 @@ func (ts *AnonymousTestSuite) TestConvertAnonymousUserToPermanent() {
 			},
 			verificationType: "phone_change",
 		},
+		{
+			desc: "convert anonymous user to permanent user with email & password",
+			body: map[string]interface{}{
+				"email":    "test2@example.com",
+				"password": "test-password",
+			},
+			verificationType: "email_change",
+		},
+		{
+			desc: "convert anonymous user to permanent user with phone & password",
+			body: map[string]interface{}{
+				"phone":    "1234560000",
+				"password": "test-password",
+			},
+			verificationType: "phone_change",
+		},
 	}
 
 	for _, c := range cases {
@@ -142,6 +158,11 @@ func (ts *AnonymousTestSuite) TestConvertAnonymousUserToPermanent() {
 			require.NotEmpty(ts.T(), user)
 			require.True(ts.T(), user.IsAnonymous)
 
+			// Check if user has a password set
+			if c.body["password"] != nil {
+				require.True(ts.T(), user.HasPassword())
+			}
+
 			switch c.verificationType {
 			case mail.EmailChangeVerification:
 				require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
@@ -150,7 +171,7 @@ func (ts *AnonymousTestSuite) TestConvertAnonymousUserToPermanent() {
 				}))
 			case phoneChangeVerification:
 				require.NoError(ts.T(), json.NewEncoder(&buffer).Encode(map[string]interface{}{
-					"phone": "1234567890",
+					"phone": user.PhoneChange,
 					"token": "000000",
 					"type":  c.verificationType,
 				}))
@@ -176,11 +197,11 @@ func (ts *AnonymousTestSuite) TestConvertAnonymousUserToPermanent() {
 
 			switch c.verificationType {
 			case mail.EmailChangeVerification:
-				assert.Equal(ts.T(), "test@example.com", data.User.GetEmail())
+				assert.Equal(ts.T(), c.body["email"], data.User.GetEmail())
 				assert.Equal(ts.T(), models.JSONMap(models.JSONMap{"provider": "email", "providers": []interface{}{"email"}}), data.User.AppMetaData)
 				assert.NotEmpty(ts.T(), data.User.EmailConfirmedAt)
 			case phoneChangeVerification:
-				assert.Equal(ts.T(), "1234567890", data.User.GetPhone())
+				assert.Equal(ts.T(), c.body["phone"], data.User.GetPhone())
 				assert.Equal(ts.T(), models.JSONMap(models.JSONMap{"provider": "phone", "providers": []interface{}{"phone"}}), data.User.AppMetaData)
 				assert.NotEmpty(ts.T(), data.User.PhoneConfirmedAt)
 			}

diff --git a/internal/api/user.go b/internal/api/user.go
@@ -102,11 +102,10 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	if user.IsAnonymous {
-		updatingForbiddenFields := false
-		updatingForbiddenFields = updatingForbiddenFields || (params.Password != nil && *params.Password != "")
-		if updatingForbiddenFields {
-			// CHECK
-			return unprocessableEntityError(ErrorCodeUnknown, "Updating password of an anonymous user is not possible")
+		if params.Password != nil && *params.Password != "" {
+			if params.Email == "" && params.Phone == "" {
+				return unprocessableEntityError(ErrorCodeValidationFailed, "Updating password of an anonymous user without an email or phone is not allowed")
+			}
 		}
 	}