fix: remove unconfirmed identities on repeat signup

supabase · Mar 1, 2024 · af77f25 · af77f25
1 parent 766b5a9
commit af77f25
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/internal/api/identity_test.go b/internal/api/identity_test.go
@@ -2,6 +2,8 @@ package api
 
 import (
 	"context"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -56,7 +58,9 @@ func (ts *IdentityTestSuite) TestLinkIdentityToUser() {
 			Subject: "test_subject",
 		},
 	}
-	u, err = ts.API.linkIdentityToUser(ctx, ts.API.db, testValidUserData, "test")
+	// request is just used as a placeholder in the function
+	r := httptest.NewRequest(http.MethodGet, "/identities", nil)
+	u, err = ts.API.linkIdentityToUser(r, ctx, ts.API.db, testValidUserData, "test")
 	require.NoError(ts.T(), err)
 
 	// load associated identities for the user
@@ -71,7 +75,7 @@ func (ts *IdentityTestSuite) TestLinkIdentityToUser() {
 			Subject: u.ID.String(),
 		},
 	}
-	u, err = ts.API.linkIdentityToUser(ctx, ts.API.db, testExistingUserData, "email")
+	u, err = ts.API.linkIdentityToUser(r, ctx, ts.API.db, testExistingUserData, "email")
 	require.ErrorIs(ts.T(), err, badRequestError("Identity is already linked"))
 	require.Nil(ts.T(), u)
 }
diff --git a/internal/api/signup.go b/internal/api/signup.go
@@ -199,22 +199,30 @@ func (a *API) Signup(w http.ResponseWriter, r *http.Request) error {
 			if (params.Provider == "email" && user.IsConfirmed()) || (params.Provider == "phone" && user.IsPhoneConfirmed()) {
 				return UserExistsError
 			}
-
 			// do not update the user because we can't be sure of their claimed identity
 		} else {
 			user, terr = a.signupNewUser(ctx, tx, signupUser)
 			if terr != nil {
 				return terr
 			}
-			identity, terr := a.createNewIdentity(tx, user, params.Provider, structs.Map(provider.Claims{
+		}
+		identity, terr := models.FindIdentityByIdAndProvider(tx, user.ID.String(), "email")
+		if terr != nil {
+			if !models.IsNotFoundError(terr) {
+				return terr
+			}
+			identity, terr = a.createNewIdentity(tx, user, params.Provider, structs.Map(provider.Claims{
 				Subject: user.ID.String(),
 				Email:   user.GetEmail(),
 			}))
 			if terr != nil {
 				return terr
 			}
-			user.Identities = []models.Identity{*identity}
 		}
+		if terr := user.RemoveUnconfirmedIdentities(tx, identity); terr != nil {
+			return terr
+		}
+		user.Identities = []models.Identity{*identity}
 
 		if params.Provider == "email" && !user.IsConfirmed() {
 			if config.Mailer.Autoconfirm {