send_email auth hook email_change does not contain token when anonymous users try to sign up using updateUser

[Ruud14]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

It is basically the exact same issue as #1744,
however the patch there does not cover anonymous users.

When using a send_email auth hook and using .updateUser to convert an anonymous user into an authenticated user (as described here) the email_data in the auth hook does not contain any token data.

{
  token: "",
  token_hash: "<my token hash>",
  redirect_to: "<my redirect url>",
  email_action_type: "email_change",
  site_url: "<my site url>",
  token_new: "",
  token_hash_new: ""
}

When looking at the source code here it seems like this is because here there is a check for empty email. Since the user is anonymous the email is empty and we won't get into the ìf` block, resulting in the new otp not being set.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

1. Create an anonymous user.
2. Set up an email auth hook
3. Try to upgrade the anonymous user to an authenticated user as described here
4. There is no OTP token data in the email data.

Expected behavior

There is OTP token data in the email data.
Something like

{
  token: "",
  token_hash: "<my token hash>",
  redirect_to: "<my redirect url>",
  email_action_type: "email_change",
  site_url: "<my site url>",
  token_new: "123456",
  token_hash_new: ""
}

System information

• supabase_flutter: ^2.9.0
• gotrue v2.173.0

[Ruud14]

I've found a hacky workaround.
One can call this function at the start of the auth hook to regenerate the OTP.

async function correctEmailData(user: any, email_data: any) {
  var token = email_data.token || email_data.token_new

  // Temporary fix for https://github.com/supabase/auth/issues/2042
  if (email_data.email_action_type == 'email_change' && token == '') {
    // Genearte a temporary email address.
    const tempEmail = `${crypto.randomUUID()}@<YOUR DOMAIN>`;
    
    // Update the email of the anonymous user to a temporary email address.
    await supabaseAdmin.auth.admin.updateUserById(
      user.id,
      { 
        email: tempEmail,
        email_confirm: false,
      }
    )

    // Generete a new OTP
    const { data, error } = await supabaseAdmin.auth.admin.generateLink({
      type: 'email_change_new',
      email: tempEmail,
      newEmail: user.new_email,
    })
    
    // Update the email data with the new token.
    if (data && data.properties) {
      token = data.properties.email_otp
      email_data.token = data.properties.email_otp
      email_data.token_hash = data.properties.hashed_token
    } else {
      throw new Error("Failed to generate new OTP: properties missing in response.");
    }
  }
}```

[cstockton]

In #2044 send-email hooks will now put the token in the email_data.token field. I did this to match the existing behavior of setting the token and token_hash instead of using the token_*_new fields when secure email change setting is false.

Ideally token + token_hash would be only set for existing email addresses with token_new and token_hash_new always being used for the user.new_email fields. To avoid breaking existing hooks I'm maintaining the existing behavior for now.

  {
    "user": {
      "id": "055fe557-2e67-4253-9cc6-3040d0613702",
      "aud": "authenticated",
      "role": "authenticated",
      "email": "",
      "phone": "",
      "new_email": "e2e_test_9a9d74cf-d62d-47c2-9cda-a89dd2ee0a52_new@localhost",
      "last_sign_in_at": "2025-06-02T14:39:30.737857-07:00",
      "app_metadata": {},
      "user_metadata": {},
      "identities": [],
      "created_at": "2025-06-02T14:39:30.735558-07:00",
      "updated_at": "2025-06-02T14:39:30.750196-07:00",
      "is_anonymous": true
    },
    "email_data": {
      "token": "414764",
      "token_hash": "ea525d78edc9894a98462229b7c34323384d904bda7fbf93f3cd80fe",
      "redirect_to": "https://example.netlify.com",
      "email_action_type": "email_change",
      "site_url": "http://localhost:9999",
      "token_new": "",
      "token_hash_new": ""
    }
  }

[cstockton]

This has been fixed & released, let me know if you run into any issues.

[AndrewMakeApp]

In our case, we tried to add email+password login for a phone auth user by calling updateUser. And token is missing while token_hash exists in email_data of webhook. I've mentioned the detail on this issue - #2100

I thought this fix should have covered my case, please let me know if it's something wrong on my side. Thanks

{
  user: {
    id: 'bc8d375c-e4da-4387-badc-138026f038b2',
    aud: 'authenticated',
    role: 'authenticated',
    email: '',
    phone: '*****',
    phone_confirmed_at: '2025-11-06T03:05:03.079551Z',
    confirmed_at: '2025-11-06T03:05:03.079551Z',
    new_email: '*****',
    last_sign_in_at: '2025-11-06T03:05:03.086149Z',
    app_metadata: { provider: 'phone', providers: [Array] },
    user_metadata: {
      email_verified: false,
      phone_verified: false,
      sub: 'bc8d375c-e4da-4387-badc-138026f038b2'
    },
    identities: [ [Object] ],
    created_at: '2025-10-03T03:58:43.528258Z',
    updated_at: '2025-11-06T03:05:42.410948Z',
    is_anonymous: false
  },
  email_data: {
    token: '',
    token_hash: '3d134d68cc281d219c8edae45abbc751da316b416cbe0cf08da218cc',
    redirect_to: '*****',
    email_action_type: 'email_change',
    site_url: '*****',
    token_new: '',
    token_hash_new: ''
  }
}