Bug report
When verifying a phone, auth.updateUser({ phone: '...' }) may link to a different auth.users record than the currently authenticated user during the verification process, even if auth.getUser() reports the correct user ID beforehand.
Describe the bug
Phone verification identifies the user by searching for the provided phone number in the phone_change column, rather than relying solely on the active session.
Unlike the phone column, the phone_change column does not enforce uniqueness. If multiple auth.users records contain the same phone number in phone_change because of uncompleted or abandoned verification attempts, auth may update another user's phone field upon successful OTP verification.
This occurs because the lookup updates the first record that matches on phone_change, which might not belong to the currently authenticated user.
To Reproduce
Leave an unverified phone number record for one user and assign the same phone number for another user.
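To make the failure mode in this report concrete, here is an added example (not code from the project): an in-memory stand-in for auth.users with two rows sharing the same phone_change, a confirmation that matches on phone_change alone (the behaviour described above) beside one that also requires the session user's id. The struct, function names and phone number are constructed for illustration.

```go
package main

import "fmt"

// User mirrors the auth.users columns relevant to the report (constructed stand-in, not the real schema).
type User struct {
	ID          string
	Phone       string
	PhoneChange string
}

// confirmPhoneByLookup models the behaviour the report describes: the first row
// whose phone_change matches is confirmed, whoever holds the session.
func confirmPhoneByLookup(users []*User, phone string) (*User, bool) {
	for _, u := range users {
		if u.PhoneChange == phone {
			u.Phone, u.PhoneChange = phone, ""
			return u, true
		}
	}
	return nil, false
}

// confirmPhoneBySession scopes the match to the session user's id, so an abandoned
// phone_change on another row can never be confirmed through this session.
func confirmPhoneBySession(users []*User, sessionUserID, phone string) (*User, bool) {
	for _, u := range users {
		if u.ID == sessionUserID && u.PhoneChange == phone {
			u.Phone, u.PhoneChange = phone, ""
			return u, true
		}
	}
	return nil, false
}

// sampleUsers builds the "To Reproduce" scenario with constructed data: user-a abandoned
// verification of the number, then user-b (the session holder) requested the same number.
func sampleUsers() []*User {
	return []*User{
		{ID: "user-a", PhoneChange: "+15550001"},
		{ID: "user-b", PhoneChange: "+15550001"},
	}
}

func main() {
	a, _ := confirmPhoneByLookup(sampleUsers(), "+15550001")
	b, _ := confirmPhoneBySession(sampleUsers(), "user-b", "+15550001")
	fmt.Printf("lookup-only confirmed %s; session-scoped confirmed %s\n", a.ID, b.ID)
}
```

Running it shows the lookup-only path confirming user-a's row while user-b holds the session, and the session-scoped path confirming user-b and leaving user-a's abandoned phone_change untouched.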