[Feature request] Disable auto login if sign up successful

[aditodkar]

I am using exact same code from here https://ruanmartinelli.com/posts/supabase-authentication-react but problem is when user sign up happens then user should be navigated to login page but instead user session is generated and it gets automatically logged in. I don't want user to be able to view private routes if sign up is success only show private route if login is success. How can I do that?

[mozeryansky]

This looked interesting so I tried figuring it out. Supabase uses GoTrue for the auth, so it's just calling GoTrue api endpoints. One of which is signUpWithEmail and that is called within the signUp function. Supabase's Auth exposes the GoTrueApi, so you can access those functions directly. To me, it seems the purpose of signUp() is to both sign up and login.

Try calling supabase.auth.api.signUpWithEmail(...) directly.

Here's how supabase's signUp function calls api.signUpWithEmail: https://github.com/supabase/gotrue-js/blob/5d2f65a3d8b565b47e277211e6a4c8054c0b8e97/src/GoTrueClient.ts#L123. And you can see how it saves the session too.

If Supabase does want to implement this feature (or from a pull request) then I think it could easily be done by adding a saveSession option to the existing options parameter and checking for that option before saving the session during the session check: if ((data as Session).access_token) { => if (options.saveSession && (data as Session).access_token) {.

[reck753]

Hi! 👋

I stumbled upon a similar issue.
In my use case one user can create another user, which resulted in session being replaced when using supabase.auth.signUp. Once supabase.auth.signUp completes successfully, the app would refresh and it would appear as newly created user is logged in, which I wanted to avoid.

Using @mozeryansky advice of using supabase.auth.api.signUpWithEmail(...) resolved my issue. Thanks!

[mutiuoyekunle]

Hi! @reck753 , how did you resolve this? .auth.api seems missing from the supabase-js library

[reck753]

Hi @mutiuoyekunle!

At the time of implementing this, I was using version 1.35.6 of @supabase/supabase-js. I paused this project for few months now, so I don't know if I could update the @supabase/supabase-js to the v2 and still have the same functionality.

Here is the code I had for it back then:

import { createClient } from "@supabase/supabase-js";

export const supabase = createClient(
  "SUPABASE_URL",
  "SUPABASE_ANON_KEY"
);

const registerNewUser = (email: string, password: string) => {
  supabase.auth.api
    .signUpWithEmail(email, password)
    .then(() => {
       // Do something more
    })
}

[reck753]

Thinking about it now, alternatively, if you are using Next.js for example, you can create an api route and call regular register from auth in the api route itself. That way, the user would be registered on the server and your session wouldn't be updated.

Or if you have a custom backend, you could expose an endpoint there and call regular supabase's auth register there for you.

[mutiuoyekunle]

thank you.

[arioberek]

Any updates on this?

[onlyargon]

I think with supabase-ssr you can call supabase.auth.admin.createUser({email,password}) for this. but the confirmation email seems not to be send with this. found this here

[joaodellarmelina]

many thanks! I worked for me

[AxelLR992]

I was able to keep my session, but in a very hacky way:

// First you have to obtain the current session
const { data: currentSession } = await supabase.auth.getSession();

// Then, you sign up the user
const { error: authError } = await supabase.auth.signUp({
  email,
  password,
});

// Finally, you set the previous session manually
supabase.auth.setSession(currentSession.session!);

Hope this helps someone.

[mozeryansky]

That is very hacky. I would expect a previous session to be invalidated so it could not be reused, seems like a bug. Why don't you read the source code and figure out a non-hacky solution? Does my earlier solution no longer work?: https://github.com/orgs/supabase/discussions/5784#discussioncomment-2621916

[AxelLR992]

It doesn't, because as @mutiuoyekunle said, supabase.auth.api is no longer available.

[mozeryansky]

Why do you believe your solution is hacky? Can you confirm in the source what's happening, or look at the call tree? That's how I found the original functions.

[matheusdamiao]

Thanks, @AxelLR992! It worked for me, too.

I guess it's a hacky @mozeryansky because with Axell's solution, we're actually re-authenticating with the previous session data,
instead of just keeping the previous one.
It worked here but the app clearly indicates that the user has just authenticated again, which is not ideal.

It seems that the official solution would be to follow what @onlyargon has pointed out above,
using supabase.auth.admin.createUser({email,password}).

But in my case, at least, I didn't want to create another client with supabase.auth.admin namespace only to create a user,
as the supabase.auth.signUp already does that.

[mozeryansky]

Yeah, I see the new GoTrue client has both the signup and session logic within the function, so there's nothing else to call on the client like before. Doing this on the server looks like the way to go.

[romanstetsyk]

For anyone stumbled upon missing auth.api from supabase-js library, all methods were moved to auth.admin (blog post)