feat: anonymous sign-ins #1460

kangmingtay · 2024-03-01T06:52:11Z

What kind of change does this PR introduce?

Implements Anonymous Sign-in #68
An anonymous user is defined as a user that doesn't have an email or phone in the auth.users table. This is tracked by using a generated column called auth.users.is_anonymous
When an anonymous user signs-in, the JWT payload will contain an is_anonymous claim which can be used in RLS policies as mentioned in Option 3.

{
  ...
  "is_anonymous": true
}

Allows anonymous sign-ins if GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED is enabled
Anonymous sign-ins are rate limited on a per hourly basis and controlled by GOTRUE_RATE_LIMIT_ANONYMOUS_USERS. This is an ip-based rate limit.
You can also configure silent captcha / turnstile to prevent abuse
There are 2 ways to upgrade an anonymous user to a permanent user:
1. Link an email / phone identity to an anonymous user PUT /user
2. Link an oauth identity using GET /user/identities/authorize?provider=xxx

Example

# Sign in as an anonymous user
curl -X POST 'http://localhost:9999/signup' \
-H 'Content-Type: application/json' \
-d '{}'

# Upgrade an anonymous user to a permanent user with an email identity
curl -X PUT 'http://localhost:9999/user' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>' \
-d '{"email": "[email protected]"}'

# Upgrade an anonymous to a permanent user with an oauth identity
curl -X GET 'http://localhost:9999/user/identities/authorize?provider=google' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>

Follow-ups

Cleanup logic for anonymous users will be made in a separate PR

…entities

internal/api/identity.go

migrations/20240214120130_add_is_anonymous_column.up.sql

internal/api/api.go

internal/api/auth.go

internal/api/signup.go

migrations/20240214120130_add_is_anonymous_column.up.sql

hf

Looks good! Left some readability and error code nits that generally don't have a major impact on the feature.

internal/api/anonymous.go

🤖 I have created a release *beep* *boop* --- ## [2.144.0](v2.143.0...v2.144.0) (2024-03-04) ### Features * add configuration for custom sms sender hook ([#1428](#1428)) ([1ea56b6](1ea56b6)) * anonymous sign-ins ([#1460](#1460)) ([130df16](130df16)) * clean up test setup in MFA tests ([#1452](#1452)) ([7185af8](7185af8)) * pass transaction to `invokeHook`, fixing pool exhaustion ([#1465](#1465)) ([b536d36](b536d36)) * refactor resource owner password grant ([#1443](#1443)) ([e63ad6f](e63ad6f)) * use dummy instance id to improve performance on refresh token queries ([#1454](#1454)) ([656474e](656474e)) ### Bug Fixes * expose `provider` under `amr` in access token ([#1456](#1456)) ([e9f38e7](e9f38e7)) * improve MFA QR Code resilience so as to support providers like 1Password ([#1455](#1455)) ([6522780](6522780)) * refactor request params to use generics ([#1464](#1464)) ([e1cdf5c](e1cdf5c)) * revert refactor resource owner password grant ([#1466](#1466)) ([fa21244](fa21244)) * update file name so migration to Drop IP Address is applied ([#1447](#1447)) ([f29e89d](f29e89d)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

## What kind of change does this PR introduce? * supabase/auth#68 * Adds the `signInAnonymously` method to support supabase/auth#1460 * Passing in user metadata / the captcha token in `signInAnonymously` looks like: `signInAnonymously({ options: { data, captchaToken }})` which follows the same format as the other sign up / sign in methods

## What kind of change does this PR introduce? * Implements supabase#68 * An anonymous user is defined as a user that doesn't have an email or phone in the `auth.users` table. This is tracked by using a generated column called `auth.users.is_anonymous` * When an anonymous user signs-in, the JWT payload will contain an `is_anonymous` claim which can be used in RLS policies as mentioned in [Option 3](supabase#68 (comment)). ```json { ... "is_anonymous": true } ``` * Allows anonymous sign-ins if `GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED` is enabled * Anonymous sign-ins are rate limited on a per hourly basis and controlled by `GOTRUE_RATE_LIMIT_ANONYMOUS_USERS`. This is an ip-based rate limit. * You can also configure silent captcha / turnstile to prevent abuse * There are 2 ways to upgrade an anonymous user to a permanent user: 1. Link an email / phone identity to an anonymous user `PUT /user` 2. Link an oauth identity using `GET /user/identities/authorize?provider=xxx` ## Example ```bash # Sign in as an anonymous user curl -X POST 'http://localhost:9999/signup' \ -H 'Content-Type: application/json' \ -d '{}' # Upgrade an anonymous user to a permanent user with an email identity curl -X PUT 'http://localhost:9999/user' \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer <access_token_of_anonymous_user>' \ -d '{"email": "[email protected]"}' # Upgrade an anonymous to a permanent user with an oauth identity curl -X GET 'http://localhost:9999/user/identities/authorize?provider=google' \ -H 'Authorization: Bearer <access_token_of_anonymous_user> ``` ## Follow-ups * Cleanup logic for anonymous users will be made in a separate PR

🤖 I have created a release *beep* *boop* --- ## [2.144.0](supabase/auth@v2.143.0...v2.144.0) (2024-03-04) ### Features * add configuration for custom sms sender hook ([supabase#1428](supabase#1428)) ([1ea56b6](supabase@1ea56b6)) * anonymous sign-ins ([supabase#1460](supabase#1460)) ([130df16](supabase@130df16)) * clean up test setup in MFA tests ([supabase#1452](supabase#1452)) ([7185af8](supabase@7185af8)) * pass transaction to `invokeHook`, fixing pool exhaustion ([supabase#1465](supabase#1465)) ([b536d36](supabase@b536d36)) * refactor resource owner password grant ([supabase#1443](supabase#1443)) ([e63ad6f](supabase@e63ad6f)) * use dummy instance id to improve performance on refresh token queries ([supabase#1454](supabase#1454)) ([656474e](supabase@656474e)) ### Bug Fixes * expose `provider` under `amr` in access token ([supabase#1456](supabase#1456)) ([e9f38e7](supabase@e9f38e7)) * improve MFA QR Code resilience so as to support providers like 1Password ([supabase#1455](supabase#1455)) ([6522780](supabase@6522780)) * refactor request params to use generics ([supabase#1464](supabase#1464)) ([e1cdf5c](supabase@e1cdf5c)) * revert refactor resource owner password grant ([supabase#1466](supabase#1466)) ([fa21244](supabase@fa21244)) * update file name so migration to Drop IP Address is applied ([supabase#1447](supabase#1447)) ([f29e89d](supabase@f29e89d)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

## What kind of change does this PR introduce? * Implements supabase#68 * An anonymous user is defined as a user that doesn't have an email or phone in the `auth.users` table. This is tracked by using a generated column called `auth.users.is_anonymous` * When an anonymous user signs-in, the JWT payload will contain an `is_anonymous` claim which can be used in RLS policies as mentioned in [Option 3](supabase#68 (comment)). ```json { ... "is_anonymous": true } ``` * Allows anonymous sign-ins if `GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED` is enabled * Anonymous sign-ins are rate limited on a per hourly basis and controlled by `GOTRUE_RATE_LIMIT_ANONYMOUS_USERS`. This is an ip-based rate limit. * You can also configure silent captcha / turnstile to prevent abuse * There are 2 ways to upgrade an anonymous user to a permanent user: 1. Link an email / phone identity to an anonymous user `PUT /user` 2. Link an oauth identity using `GET /user/identities/authorize?provider=xxx` ## Example ```bash # Sign in as an anonymous user curl -X POST 'http://localhost:9999/signup' \ -H 'Content-Type: application/json' \ -d '{}' # Upgrade an anonymous user to a permanent user with an email identity curl -X PUT 'http://localhost:9999/user' \ -H 'Content-Type: application/json' \ -H 'Authorization: Bearer <access_token_of_anonymous_user>' \ -d '{"email": "[email protected]"}' # Upgrade an anonymous to a permanent user with an oauth identity curl -X GET 'http://localhost:9999/user/identities/authorize?provider=google' \ -H 'Authorization: Bearer <access_token_of_anonymous_user> ``` ## Follow-ups * Cleanup logic for anonymous users will be made in a separate PR

🤖 I have created a release *beep* *boop* --- ## [2.144.0](supabase/auth@v2.143.0...v2.144.0) (2024-03-04) ### Features * add configuration for custom sms sender hook ([supabase#1428](supabase#1428)) ([1ea56b6](supabase@1ea56b6)) * anonymous sign-ins ([supabase#1460](supabase#1460)) ([130df16](supabase@130df16)) * clean up test setup in MFA tests ([supabase#1452](supabase#1452)) ([7185af8](supabase@7185af8)) * pass transaction to `invokeHook`, fixing pool exhaustion ([supabase#1465](supabase#1465)) ([b536d36](supabase@b536d36)) * refactor resource owner password grant ([supabase#1443](supabase#1443)) ([e63ad6f](supabase@e63ad6f)) * use dummy instance id to improve performance on refresh token queries ([supabase#1454](supabase#1454)) ([656474e](supabase@656474e)) ### Bug Fixes * expose `provider` under `amr` in access token ([supabase#1456](supabase#1456)) ([e9f38e7](supabase@e9f38e7)) * improve MFA QR Code resilience so as to support providers like 1Password ([supabase#1455](supabase#1455)) ([6522780](supabase@6522780)) * refactor request params to use generics ([supabase#1464](supabase#1464)) ([e1cdf5c](supabase@e1cdf5c)) * revert refactor resource owner password grant ([supabase#1466](supabase#1466)) ([fa21244](supabase@fa21244)) * update file name so migration to Drop IP Address is applied ([supabase#1447](supabase#1447)) ([f29e89d](supabase@f29e89d)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

kangmingtay added 10 commits February 14, 2024 16:56

feat: add config for anonymous users

a9b2137

feat: add support for anonymous logins

1b21995

fix: prevent anonymous users from using mfa endpoints

95fb55f

fix: prevent anon users from updating password

4c799e2

fix: reload user model in signup and verify

4a0f329

chore: add tests for anonymous logins

20178ce

fix: add rate limit to anonymous signup

c46ca5d

chore: add test for rate limit

4a882a7

feat: allow linking oauth identity to anonymous user

ade0260

refactor: update app_metadata providers after removing unconfirmed id…

766b5a9

…entities

kangmingtay requested a review from a team as a code owner March 1, 2024 06:52

kangmingtay force-pushed the km/feat-anonymous-logins branch from af77f25 to b504885 Compare March 1, 2024 07:22

fix: remove unconfirmed identities on repeat signup

8f715b1

kangmingtay force-pushed the km/feat-anonymous-logins branch from b504885 to 8f715b1 Compare March 1, 2024 07:53

fix: add index to users table on is_anonymous

306be4c

kangmingtay force-pushed the km/feat-anonymous-logins branch from 66bd15f to 306be4c Compare March 1, 2024 08:52

Merge branch 'master' into km/feat-anonymous-logins

30e2be4