Security concern: Supabase auth table rows not getting overridden when an existing email ID user tries to sign up again with new data #29384
Unanswered
Prateek32177 asked this question in Questions
Replies: 0 comments
This might be a security vulnerability, and I need to address this scenario I came across, because of which I am kind of blocked from proceeding further.

Regenerate issue:

For example:

Step 1) Sign up as a new user with the data below: email ID, password, and any user metadata like firstname.

Step 2) Don't confirm the email yet; keep it in the status of waiting for verification in the Supabase auth table.

Step 3) Try to sign up again with the same email ID but with all or some of the other details different; importantly, keep the password different.

Now here you will see the auth row is not updated with the new data, and you got the confirmation email as well. You confirmed, but you can't log in because the password is not updated to the latest one.

This can be a potential security vulnerability which must be addressed.

Please let me know if I am missing something here, but the auth user row must be overridden with the new signup values for the same email ID.

Think once: if some person, not the original person who owns the email ID, signs up with the email ID, and next time, when the actual owner of the email ID signs up and confirms the mail, that fake person can access the account, as the password is still the one which he set.
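The three steps above, replayed against a toy in-memory signup table under two policies: keep the unconfirmed row (the behaviour the post reports) or overwrite it on re-signup. This is an added example, not part of the original post and not Supabase code; `AuthStore`, `replay`, the token handling and the sample values are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthStore:
    """Toy in-memory model of a signup table (hypothetical, not Supabase code)."""

    def __init__(self, overwrite_unconfirmed):
        self.overwrite_unconfirmed = overwrite_unconfirmed
        self.users = {}  # email -> row dict

    def sign_up(self, email, password, metadata):
        """Returns the confirmation token that would be mailed to `email`."""
        row = self.users.get(email)
        if row and row["confirmed"]:
            raise ValueError("already registered")
        if row and not self.overwrite_unconfirmed:
            # Behaviour the post reports: row kept, mail sent again.
            # Re-sending the same token is an assumption of this model.
            return row["token"]
        salt = os.urandom(16)
        # New or overwritten row: fresh hash, metadata and token, so a token
        # mailed for the earlier attempt no longer confirms anything.
        self.users[email] = {"salt": salt, "hash": _hash(password, salt),
                             "metadata": dict(metadata), "confirmed": False,
                             "token": secrets.token_urlsafe(16)}
        return self.users[email]["token"]

    def confirm(self, email, token):
        row = self.users.get(email)
        if row and hmac.compare_digest(row["token"], token):
            row["confirmed"] = True
            return True
        return False

    def sign_in(self, email, password):
        row = self.users.get(email)
        if not row or not row["confirmed"]:
            return False
        return hmac.compare_digest(row["hash"], _hash(password, row["salt"]))

def replay(overwrite_unconfirmed):
    """Run the post's three steps, then confirm with the latest mailed token."""
    store, email = AuthStore(overwrite_unconfirmed), "owner@example.test"  # constructed values
    first_token = store.sign_up(email, "first-password", {"firstname": "First"})
    latest_token = store.sign_up(email, "second-password", {"firstname": "Second"})
    stale_ok = first_token != latest_token and store.confirm(email, first_token)
    store.confirm(email, latest_token)
    return {"stale_token_confirms": stale_ok,
            "first_password_works": store.sign_in(email, "first-password"),
            "second_password_works": store.sign_in(email, "second-password"),
            "firstname": store.users[email]["metadata"]["firstname"]}
```

`replay(False)` ends with the first signup's password and metadata on the confirmed account; `replay(True)` ends with the second signup's values and rejects the earlier token.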