supabase / gotrue / 8127579034

65%

Build Type

push

github

Committed by web-flow

Commit Message

feat: anonymous sign-ins  (#1460)

## What kind of change does this PR introduce?
* Implements #68 
* An anonymous user is defined as a user that doesn't have an email or
phone in the `auth.users` table. This is tracked by using a generated
column called `auth.users.is_anonymous`
* When an anonymous user signs-in, the JWT payload will contain an
`is_anonymous` claim which can be used in RLS policies as mentioned in
[Option
3](https://github.com/supabase/gotrue/issues/68#issuecomment-1836671954).
```json
{
  ...
  "is_anonymous": true
}
```
* Allows anonymous sign-ins if `GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED`
is enabled
* Anonymous sign-ins are rate limited on a per hourly basis and
controlled by `GOTRUE_RATE_LIMIT_ANONYMOUS_USERS`. This is an ip-based
rate limit.
* You can also configure silent captcha / turnstile to prevent abuse
* There are 2 ways to upgrade an anonymous user to a permanent user:
  1. Link an email / phone identity to an anonymous user `PUT /user` 
2. Link an oauth identity using `GET
/user/identities/authorize?provider=xxx`

## Example
```bash
# Sign in as an anonymous user
curl -X POST 'http://localhost:9999/signup' \
-H 'Content-Type: application/json' \
-d '{}'

# Upgrade an anonymous user to a permanent user with an email identity
curl -X PUT 'http://localhost:9999/user' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>' \
-d '{"email": "user@example.com"}'

# Upgrade an anonymous to a permanent user with an oauth identity
curl -X GET 'http://localhost:9999/user/identities/authorize?provider=google' \
-H 'Authorization: Bearer <access_token_of_anonymous_user>
```

## Follow-ups
* Cleanup logic for anonymous users will be made in a separate PR

Run Details

126 of 195 new or added lines in 12 files covered. (64.62%)

1 existing line in 1 file now uncovered.

7842 of 12071 relevant lines covered (64.97%)

58.78 hits per line