Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Email Verification Not Reflected in Identities Table (and JWT) #1620

Open
2 tasks done
janekwunderlich opened this issue Jun 13, 2024 · 2 comments
Open
2 tasks done

Email Verification Not Reflected in Identities Table (and JWT) #1620

janekwunderlich opened this issue Jun 13, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@janekwunderlich
Copy link

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When a user clicks on the email authentication link (causes a GET /verify request), the email_confirmed_at field gets updated in the users table and the one-time token gets cleared, but the email_verified field does not get changed to true in the identities table (and hence is not properly shown in the JWT).

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Go to 'Click on email authentication link'

  2. Observe the GET /verify request

  3. Check the users table and note that the email_confirmed_at field is updated and the one-time token is cleared.

  4. Check the identities table and note that the email_verified field is not updated to true.
    JWT does not reflect the email_verified status.

I was able to reproduce this on Supabase and on a self-hosted instance.

Expected behavior

The email_verified field in the identities table should be updated to true when the email is confirmed, and this should be properly reflected in the JWT.

Additional context

The ResourceServer cannot properly verify whether a users email address has been verified.
@janekwunderlich janekwunderlich added the bug Something isn't working label Jun 13, 2024
@janekwunderlich janekwunderlich mentioned this issue Jun 13, 2024
Closed
@kangmingtay
Copy link
Member

kangmingtay commented Jul 19, 2024
edited
Loading

@janekwunderlich is it possible to use the email_confirmed_at field instead? the email_verified field actually refers to the verification status of the email associated to the identity, so it depends on what the provider returns us (in the case of oauth)

but yeah, in the case or magiclinks you mentioned, this should be in-sync with the email_confirmed_at column

@janekwunderlich
Copy link
Author

@janekwunderlich is it possible to use the email_confirmed_at field instead? the email_verified field actually refers to the verification status of the email associated to the identity, so it depends on what the provider returns us (in the case of oauth)

but yeah, in the case or magiclinks you mentioned, this should be in-sync with the email_confirmed_at column

If you are referring to the email_confirmed_at field that is returned outside of the JWT token's access_token field, that is an unverifiable claim to whatever resource the user is trying to access.

@kangmingtay kangmingtay mentioned this issue Dec 11, 2024
Merged
kangmingtay added a commit that referenced this issue Dec 12, 2024
@kangmingtay
fix: email_verified field not being updated on signup confirmation (#…
483463e 
…1868)

## What kind of change does this PR introduce?
* Addresses #1620
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kangmingtay @janekwunderlich