Cannot Turn Off Automatic Account Merging #209

Closed
wiverson opened this issue Sep 7, 2021 · 6 comments
@wiverson

wiverson commented Sep 7, 2021

Describe the bug

Supabase automatically merges different provider accounts by email address.

To Reproduce

  1. Create an account using Supabase Auth with GitHub as provider, where the GitHub account has the email address [email protected].
  2. Log out.
  3. Log in again, but this time using Twitter as the provider. The Twitter account has the same email address [email protected].
  4. When the user comes back, they now get the GitHub login information, not the Twitter information.

Expected behavior

Couple of different options - Firebase has a flow for this scenario, but it's a bit complicated IMHO:

https://firebase.google.com/docs/auth/web/account-linking

Suggestion:

Create a switch in Supabase UI that defaults to off - "Allow Account Merging". If it's off logging in with different providers creates different accounts - the end.

  • If Account Merging is set to true and a sign-in with a duplicate is detected, generate a new event "request account link" with a flow similar to a password reset.
  • Add an auth query to request linked profiles.
  • Add an auth operation to unlink profiles.
@inian
Member

inian commented Sep 7, 2021

This is a good suggestion @wiverson. Just curious, why do you want to turn off automatic merging?

@wiverson
Author

wiverson commented Sep 7, 2021

Working on an entertainment title. User has a public professional profile for GitHub and a personal profile for Twitter. User creates account with GitHub, but now can't create account with Twitter.

People have different (public) identities on different services even if they have the same (private) email address.

@wiverson
Author

wiverson commented Sep 7, 2021

Also, seems like a potential security issue, although depends on how elaborate an attack scenario & trust levels for things like abandoned/semi-abandoned accounts. 🤷‍♂️

@wiverson
Author

wiverson commented Sep 7, 2021

This actually gets worse the more social accounts that are supported. For example, I'd like to support people logging in with Google, Discord, Twitch and email/pass. It's very easy to imagine people having very different avatars for those accounts that reflect very different identities - for example, they may have their work photo associated with their Google account, and a personal "fun" account photo for their Discord/Twitch identity.

It would be nice to be fancy and offer things like an API to allow users to select their preferred profile. I can offer custom avatars, but that's getting a bit further away from the simplicity.

My particular case is for a game for streamers, so I'd like users to be able to log in with an identity that matches the streamer's identity. For example, if the streamer is hosting a game on Twitch, I'd like folks to be able to use their twitch identity. If the streamer is hosting on Discord, I'd like to support that.

Right now, once someone is registered with an email address, that's it. If they register on Twitter first, I can't get their Discord or Twitch id - I just get the Twitter account back.

Basically, supabase is just taking a very simple merge strategy - "hey, same email, same person, done" but unfortunately it's quite a bit more complicated than that. The short term solution is to just allow turning off merge - then if someone logs in with Twitter, I get their Twitter identity. Twitch, Discord, email/pass, whatever.

If supporting account linking in the future, add the needed APIs.

My two cents - let me know if there is anything I can do to help. :)
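
The behaviour reproduced in the opening post (a second provider with the same email resolves to the first provider's user) and the "Allow Account Merging" switch proposed there come down to one decision in the auth server: when an identity is seen for the first time, is it matched to an existing user by email or does it get its own user? The following is an added illustration, not GoTrue's or Supabase's code: an in-memory store with a hypothetical SignIn function that looks the identity up by (provider, provider id) first, merges by email only when the switch is on, and refuses an email-based merge unless both the new identity and the existing user have a provider-verified address. The identity values, ids and email addresses are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Identity is one external login as a hypothetical OAuth callback would hand
// it to the auth server: provider name plus the provider's stable user id.
type Identity struct {
	Provider      string // e.g. "github", "twitter"
	ProviderID    string // provider-side user id, not the changeable handle
	Email         string
	EmailVerified bool // true only if the provider asserts the address is verified
}

// User is an application account owning one or more identities.
type User struct {
	ID            string
	Email         string
	EmailVerified bool // copied from the identity that created the user
	Identities    []Identity
}

// Store is an in-memory stand-in for the auth database.
type Store struct {
	AllowMerge bool // the "Allow Account Merging" switch proposed in the issue
	users      map[string]*User  // user id -> user
	byIdent    map[string]string // "provider:providerID" -> user id
	nextID     int
}

// ErrUnverifiedMerge is returned when merging is on but one side of the email
// match was never verified by its provider, so "same email" does not prove
// "same person". The app can then fall back to an explicit link flow.
var ErrUnverifiedMerge = errors.New("refusing to merge: email not verified by provider")

func NewStore(allowMerge bool) *Store {
	return &Store{AllowMerge: allowMerge, users: map[string]*User{}, byIdent: map[string]string{}}
}

func identKey(id Identity) string { return id.Provider + ":" + id.ProviderID }

func (s *Store) findByEmail(email string) *User {
	for _, u := range s.users {
		if u.Email == email {
			return u
		}
	}
	return nil
}

// SignIn resolves an external identity to a user id. created reports whether a
// new user was made rather than an existing one returned or linked.
func (s *Store) SignIn(id Identity) (userID string, created bool, err error) {
	// 1. An identity we have already seen always maps to its own user,
	//    whatever email the provider reports today.
	if uid, ok := s.byIdent[identKey(id)]; ok {
		return uid, false, nil
	}
	// 2. Email-based merge, only when the switch is on. Without the verified
	//    checks, whoever controls an unverified account carrying the victim's
	//    address at another provider would land in the victim's user.
	if s.AllowMerge {
		if u := s.findByEmail(id.Email); u != nil {
			if !id.EmailVerified || !u.EmailVerified {
				return "", false, ErrUnverifiedMerge
			}
			u.Identities = append(u.Identities, id)
			s.byIdent[identKey(id)] = u.ID
			return u.ID, false, nil
		}
	}
	// 3. Otherwise create a fresh user. With merging off this is also what a
	//    second provider with the same email gets: a separate account.
	s.nextID++
	u := &User{ID: fmt.Sprintf("user-%d", s.nextID), Email: id.Email,
		EmailVerified: id.EmailVerified, Identities: []Identity{id}}
	s.users[u.ID] = u
	s.byIdent[identKey(id)] = u.ID
	return u.ID, true, nil
}

// Identities returns the identities linked to a user (nil if unknown).
func (s *Store) Identities(userID string) []Identity {
	if u, ok := s.users[userID]; ok {
		return u.Identities
	}
	return nil
}

func main() {
	// Constructed sample identities mirroring the issue's reproduction steps.
	gh := Identity{Provider: "github", ProviderID: "gh-1001", Email: "alice@example.com", EmailVerified: true}
	tw := Identity{Provider: "twitter", ProviderID: "tw-2002", Email: "alice@example.com", EmailVerified: true}
	for _, merge := range []bool{true, false} {
		s := NewStore(merge)
		u1, _, _ := s.SignIn(gh)
		u2, created, _ := s.SignIn(tw)
		fmt.Printf("merge=%v: github -> %s, twitter -> %s (new user: %v)\n", merge, u1, u2, created)
	}
}
```

With the switch on, the Twitter sign-in returns the GitHub user with two linked identities, which is the behaviour the issue reports; with it off, each provider gets its own user, which is what the post asks for. The verified-email check is the practitioner's caveat on email-based merging in general: merging is only as safe as the weakest provider's email verification, and failing closed into an explicit "request account link" step (as the issue suggests) is the usual way to handle the unverified case.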

@sandbox-apps

Somehow related to this: https://github.com/supabase/supabase/issues/2556

I also think of this somehow, where people nowadays try to create multiple accounts, for example they use FB for a personal account and Google for maybe a branding account, which can be possible with the same email address.

@inian inian transferred this issue from supabase/supabase Sep 8, 2021
@kangmingtay kangmingtay self-assigned this Sep 9, 2021
@J0
Contributor

J0 commented Sep 19, 2022

Hi everyone, we currently don't have plans to support manual linking of accounts in the near future. Currently, GoTrue only supports automatic linking of accounts based on the user's email.

We will revisit this in the future though, so feel free to follow along on #313

@J0 J0 closed this as completed Sep 19, 2022