feat: anonymous sign-ins #1460

Merged: 16 commits from km/feat-anonymous-logins into master, Mar 3, 2024

Conversation

@kangmingtay (Member) commented Mar 1, 2024

What kind of change does this PR introduce?

  • Implements Anonymous Sign-in #68
  • An anonymous user is defined as a user that doesn't have an email or phone in the `auth.users` table. This is tracked by using a generated column called `auth.users.is_anonymous`
  • When an anonymous user signs in, the JWT payload will contain an `is_anonymous` claim which can be used in RLS policies as mentioned in Option 3 of #68.

```json
{
  ...
  "is_anonymous": true
}
```

  • Allows anonymous sign-ins if `GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED` is enabled
  • Anonymous sign-ins are rate limited on a per-hour basis and controlled by `GOTRUE_RATE_LIMIT_ANONYMOUS_USERS`. This is an IP-based rate limit.
  • You can also configure silent captcha / turnstile to prevent abuse
  • There are 2 ways to upgrade an anonymous user to a permanent user:
    1. Link an email / phone identity to an anonymous user with `PUT /user`
    2. Link an OAuth identity using `GET /user/identities/authorize?provider=xxx`

Example

```bash
# Sign in as an anonymous user (no email, phone or password in the body)
curl -X POST 'http://localhost:9999/signup' \
-H 'Content-Type: application/json' \
-d '{}'

# Upgrade an anonymous user to a permanent user with an email identity
curl -X PUT 'http://localhost:9999/user' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>' \
-d '{"email": "user@example.com"}'

# Upgrade an anonymous user to a permanent user with an OAuth identity
curl -X GET 'http://localhost:9999/user/identities/authorize?provider=google' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>'
```

Follow-ups

  • Cleanup logic for anonymous users will be made in a separate PR
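The check a backend would put behind the `is_anonymous` claim, as an added example in Go that is not part of this PR or of GoTrue's own code. It assumes the access token is a compact JWT signed with HS256 under the project's JWT secret (GoTrue's signing scheme, which this page does not show), that anonymous and permanent users both carry `role: "authenticated"` so that the role alone cannot tell them apart, and it mints its own tokens with a throwaway secret so that it runs offline; `Decision`, `GateRequest` and the read-only/full split are hypothetical names for the application's own policy.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the GoTrue access-token payload the gate reads.
type Claims struct {
	Sub         string `json:"sub"`
	Role        string `json:"role"`
	IsAnonymous bool   `json:"is_anonymous"`
	Exp         int64  `json:"exp"`
}

// Decision is what a request may do once its token has been checked (hypothetical policy).
type Decision int

const (
	Deny          Decision = iota // no valid token, or a role we do not serve
	AllowReadOnly                 // valid token, anonymous user
	AllowFull                     // valid token, permanent user
)

// VerifyHS256 checks a compact JWT signed with HS256 (assumed: GoTrue's signing
// scheme) and returns its claims. Any other alg, including "none", is rejected.
func VerifyHS256(token string, secret []byte, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &header) != nil {
		return nil, errors.New("bad header")
	}
	if header.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	// Check the signature before trusting anything in the payload.
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || subtle.ConstantTimeCompare(sig, mac.Sum(nil)) != 1 {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Exp != 0 && now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Authorize maps verified claims to a Decision. Anonymous users are assumed to
// carry the same role ("authenticated") as permanent users, so keying on role
// alone would admit them; is_anonymous is the claim that separates the two.
func Authorize(c *Claims) Decision {
	if c.Role != "authenticated" {
		return Deny
	}
	if c.IsAnonymous {
		return AllowReadOnly
	}
	return AllowFull
}

// GateRequest is the hypothetical middleware entry point: Authorization header in, Decision out.
func GateRequest(authz string, secret []byte, now time.Time) (Decision, error) {
	if !strings.HasPrefix(authz, "Bearer ") {
		return Deny, errors.New("missing bearer token")
	}
	c, err := VerifyHS256(strings.TrimPrefix(authz, "Bearer "), secret, now)
	if err != nil {
		return Deny, err
	}
	return Authorize(c), nil
}

// SignHS256 mints a token for local testing only; in a deployment GoTrue mints, the app only verifies.
func SignHS256(c Claims, secret []byte) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	pb, _ := json.Marshal(c)
	payload := base64.RawURLEncoding.EncodeToString(pb)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(hdr + "." + payload))
	return hdr + "." + payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	secret := []byte("local-test-secret-not-for-production") // constructed for the demo
	now := time.Now()
	anon := SignHS256(Claims{Sub: "anon-user", Role: "authenticated", IsAnonymous: true, Exp: now.Add(time.Hour).Unix()}, secret)
	d, err := GateRequest("Bearer "+anon, secret, now)
	fmt.Println("anonymous user:", d, err)
}
```

The same distinction matters on the database side: under the assumption above, an RLS policy written only against the `authenticated` role admits anonymous users too, so a policy that is meant for permanent users has to read the `is_anonymous` claim out of the JWT, which is what the PR description points at with "Option 3".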

@kangmingtay kangmingtay requested a review from a team as a code owner March 1, 2024 06:52
Review threads (resolved) on internal/api/identity.go, internal/api/api.go, internal/api/auth.go and internal/api/signup.go
@hf (Contributor) left a comment

Looks good! Left some readability and error code nits that generally don't have a major impact on the feature.

Review thread (resolved) on internal/api/anonymous.go

@kangmingtay merged commit 130df16 into master Mar 3, 2024 (3 checks passed) and deleted the km/feat-anonymous-logins branch March 3, 2024 03:51
hf pushed a commit that referenced this pull request Mar 5, 2024
🤖 I have created a release *beep* *boop*
---


## [2.144.0](v2.143.0...v2.144.0) (2024-03-04)


### Features

* add configuration for custom sms sender hook
([#1428](#1428))
([1ea56b6](1ea56b6))
* anonymous sign-ins
([#1460](#1460))
([130df16](130df16))
* clean up test setup in MFA tests
([#1452](#1452))
([7185af8](7185af8))
* pass transaction to `invokeHook`, fixing pool exhaustion
([#1465](#1465))
([b536d36](b536d36))
* refactor resource owner password grant
([#1443](#1443))
([e63ad6f](e63ad6f))
* use dummy instance id to improve performance on refresh token queries
([#1454](#1454))
([656474e](656474e))


### Bug Fixes

* expose `provider` under `amr` in access token
([#1456](#1456))
([e9f38e7](e9f38e7))
* improve MFA QR Code resilience so as to support providers like
1Password ([#1455](#1455))
([6522780](6522780))
* refactor request params to use generics
([#1464](#1464))
([e1cdf5c](e1cdf5c))
* revert refactor resource owner password grant
([#1466](#1466))
([fa21244](fa21244))
* update file name so migration to Drop IP Address is applied
([#1447](#1447))
([f29e89d](f29e89d))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
kangmingtay added a commit to supabase/auth-js that referenced this pull request Mar 6, 2024
## What kind of change does this PR introduce?
* supabase/auth#68
* Adds the `signInAnonymously` method to support
supabase/auth#1460
* Passing in user metadata / the captcha token in `signInAnonymously`
looks like:
    `signInAnonymously({ options: { data, captchaToken }})` 
which follows the same format as the other sign up / sign in methods
uxodb pushed a commit to uxodb/auth that referenced this pull request Nov 13, 2024 (same PR description as above)
uxodb pushed a commit to uxodb/auth that referenced this pull request Nov 13, 2024 (release 2.144.0 notes, as above)
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 13, 2024 (same PR description as above)
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 13, 2024 (release 2.144.0 notes, as above)
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 15, 2024 (same PR description as above)
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 15, 2024 (release 2.144.0 notes, as above)