feat: experimental own linking domains per provider (#2119)

Experimental feature internal to Supabase. Don't use outside of
Supabase.

Adds the ability to specify providers e.g. `google`, `apple`, whose
identities will not participate in the `default` email-similarity
identity linking algorithm but be on its own. You can do this by setting

```
GOTRUE_EXPERIMENTAL_PROVIDERS_WITH_OWN_LINKING_DOMAIN="google,apple,..."
```

This has the effect of setting the `is_sso_user` column on `auth.users`
to true, which is the only mechanism that allows the same email address
to appear in different linking domains. The column cannot be renamed as
that requires re-creating a partial index, which is not on the table for
this change. It will be revised in the future.

Author: hf

cmd/admin_cmd.go

@@ -66,7 +66,7 @@ func adminCreateUser(config *conf.GlobalConfiguration, args []string) {
 	defer db.Close()
 
 	aud := getAudience(config)
-	if user, err := models.IsDuplicatedEmail(db, args[0], aud, nil); user != nil {
+	if user, err := models.IsDuplicatedEmail(db, args[0], aud, nil, config.Experimental.ProvidersWithOwnLinkingDomain); user != nil {
 		logrus.Fatalf("Error creating new user: user already exists")
 	} else if err != nil {
 		logrus.Fatalf("Error checking user email: %+v", err)

internal/api/admin.go

@@ -348,7 +348,7 @@ func (a *API) adminUserCreate(w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return err
 		}
-		if user, err := models.IsDuplicatedEmail(db, params.Email, aud, nil); err != nil {
+		if user, err := models.IsDuplicatedEmail(db, params.Email, aud, nil, config.Experimental.ProvidersWithOwnLinkingDomain); err != nil {
 			return apierrors.NewInternalServerError("Database error checking email").WithInternalError(err)
 		} else if user != nil {
 			return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailExists, DuplicateEmailMsg)

internal/api/external.go

@@ -334,10 +334,17 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.
 			Data:     identityData,
 		}
 
-		isSSOUser := false
-		if strings.HasPrefix(decision.LinkingDomain, "sso:") {
-			isSSOUser = true
-		}
+		// This is a little bit of a hack. Let me explain: When
+		// is_sso_user == true, it allows there to be different user
+		// rows with the same email address. Initially it was added to
+		// support SSO accounts, but at this point renaming the column
+		// or adding a new one requires re-indexing the table which is
+		// expensive and introduces a potentially unnecessary API
+		// surface change. It therefore set to true for other linking
+		// domains, not just SSO ones. This enables different linking
+		// domains to co-exist, such as when using
+		// GOTRUE_EXPERIMENTAL_PROVIDERS_WITH_OWN_LINKING_DOMAIN="provider_a,provider_b".
+		isSSOUser := decision.LinkingDomain != "default"
 
 		// because params above sets no password, this method is not
 		// computationally hard so it can be used within a database

internal/api/mail.go

@@ -239,7 +239,7 @@ func (a *API) adminGenerateLink(w http.ResponseWriter, r *http.Request) error {
 			if terr != nil {
 				return terr
 			}
-			if duplicateUser, terr := models.IsDuplicatedEmail(tx, params.NewEmail, user.Aud, user); terr != nil {
+			if duplicateUser, terr := models.IsDuplicatedEmail(tx, params.NewEmail, user.Aud, user, config.Experimental.ProvidersWithOwnLinkingDomain); terr != nil {
 				return apierrors.NewInternalServerError("Database error checking email").WithInternalError(terr)
 			} else if duplicateUser != nil {
 				return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailExists, DuplicateEmailMsg)

internal/api/signup.go

@@ -146,7 +146,7 @@ func (a *API) Signup(w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return err
 		}
-		user, err = models.IsDuplicatedEmail(db, params.Email, params.Aud, nil)
+		user, err = models.IsDuplicatedEmail(db, params.Email, params.Aud, nil, config.Experimental.ProvidersWithOwnLinkingDomain)
 	case "phone":
 		if !config.External.Phone.Enabled {
 			return apierrors.NewBadRequestError(apierrors.ErrorCodePhoneProviderDisabled, "Phone signups are disabled")

internal/api/user.go

@@ -115,6 +115,7 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	// TODO: Check if a user is SSO via rows in identities table, not via this flag.
 	if user.IsSSOUser {
 		updatingForbiddenFields := false
 
@@ -129,7 +130,7 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	if params.Email != "" && user.GetEmail() != params.Email {
-		if duplicateUser, err := models.IsDuplicatedEmail(db, params.Email, aud, user); err != nil {
+		if duplicateUser, err := models.IsDuplicatedEmail(db, params.Email, aud, user, config.Experimental.ProvidersWithOwnLinkingDomain); err != nil {
 			return apierrors.NewInternalServerError("Database error checking email").WithInternalError(err)
 		} else if duplicateUser != nil {
 			return apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeEmailExists, DuplicateEmailMsg)

internal/conf/configuration.go

@@ -254,6 +254,13 @@ type AuditLogConfiguration struct {
 	DisablePostgres bool `split_words:"true" default:"false"`
 }
 
+type ExperimentalConfiguration struct {
+	// Names of providers (e.g. "google") which have their own identity
+	// linking domain, meaning that the ones listed here _will not
+	// participate_ in email similarity linking with other accounts.
+	ProvidersWithOwnLinkingDomain []string `split_words:"true"`
+}
+
 // GlobalConfiguration holds all the configuration that applies to all instances.
 type GlobalConfiguration struct {
 	API           APIConfiguration
@@ -293,6 +300,8 @@ type GlobalConfiguration struct {
 	MFA             MFAConfiguration         `json:"MFA"`
 	SAML            SAMLConfiguration        `json:"saml"`
 	CORS            CORSConfiguration        `json:"cors"`
+
+	Experimental ExperimentalConfiguration `json:"experimental"`
 }
 
 type CORSConfiguration struct {

internal/models/linking.go

@@ -1,6 +1,7 @@
 package models
 
 import (
+	"slices"
 	"strings"
 
 	"github.com/supabase/auth/internal/api/provider"
@@ -13,8 +14,8 @@ import (
 // _should_ generally fall under the same User entity. It's just a runtime
 // string, and is not typically persisted in the database. This value can vary
 // across time.
-func GetAccountLinkingDomain(provider string) string {
-	if strings.HasPrefix(provider, "sso:") {
+func GetAccountLinkingDomain(provider string, ownLinkingDomains []string) string {
+	if strings.HasPrefix(provider, "sso:") || slices.Contains(ownLinkingDomains, provider) {
 		// when the provider ID is a SSO provider, then the linking
 		// domain is the provider itself i.e. there can only be one
 		// user + identity per identity provider
@@ -63,6 +64,9 @@ func DetermineAccountLinking(tx *storage.Connection, config *conf.GlobalConfigur
 		}
 	}
 
+	// this is the linking domain for the new identity
+	candidateLinkingDomain := GetAccountLinkingDomain(providerName, config.Experimental.ProvidersWithOwnLinkingDomain)
+
 	if identity, terr := FindIdentityByIdAndProvider(tx, sub, providerName); terr == nil {
 		// account exists
 
@@ -78,7 +82,7 @@ func DetermineAccountLinking(tx *storage.Connection, config *conf.GlobalConfigur
 			Decision:       AccountExists,
 			User:           user,
 			Identities:     []*Identity{identity},
-			LinkingDomain:  GetAccountLinkingDomain(providerName),
+			LinkingDomain:  candidateLinkingDomain,
 			CandidateEmail: candidateEmail,
 		}, nil
 	} else if !IsNotFoundError(terr) {
@@ -87,12 +91,9 @@ func DetermineAccountLinking(tx *storage.Connection, config *conf.GlobalConfigur
 
 	// the identity does not exist, so we need to check if we should create a new account
 	// or link to an existing one
-
-	// this is the linking domain for the new identity
-	candidateLinkingDomain := GetAccountLinkingDomain(providerName)
 	if len(verifiedEmails) == 0 {
 		// if there are no verified emails, we always decide to create a new account
-		user, terr := IsDuplicatedEmail(tx, candidateEmail.Email, aud, nil)
+		user, terr := IsDuplicatedEmail(tx, candidateEmail.Email, aud, nil, config.Experimental.ProvidersWithOwnLinkingDomain)
 		if terr != nil {
 			return AccountLinkingResult{}, terr
 		}
@@ -108,12 +109,13 @@ func DetermineAccountLinking(tx *storage.Connection, config *conf.GlobalConfigur
 
 	var similarIdentities []*Identity
 	var similarUsers []*User
+
 	// look for similar identities and users based on email
 	if terr := tx.Q().Eager().Where("email = any (?)", verifiedEmails).All(&similarIdentities); terr != nil {
 		return AccountLinkingResult{}, terr
 	}
 
-	if !strings.HasPrefix(providerName, "sso:") {
+	if candidateLinkingDomain == "default" {
 		// there can be multiple user accounts with the same email when is_sso_user is true
 		// so we just do not consider those similar user accounts
 		if terr := tx.Q().Eager().Where("email = any (?) and is_sso_user = false", verifiedEmails).All(&similarUsers); terr != nil {
@@ -129,7 +131,7 @@ func DetermineAccountLinking(tx *storage.Connection, config *conf.GlobalConfigur
 	// now let's see if there are any existing and similar identities in
 	// the same linking domain
 	for _, identity := range similarIdentities {
-		if GetAccountLinkingDomain(identity.Provider) == candidateLinkingDomain {
+		if GetAccountLinkingDomain(identity.Provider, config.Experimental.ProvidersWithOwnLinkingDomain) == candidateLinkingDomain {
 			linkingIdentities = append(linkingIdentities, identity)
 		}
 	}

internal/models/user.go

@@ -716,9 +716,11 @@ func FindUsersInAudience(tx *storage.Connection, aud string, pageParams *Paginat
 	return users, err
 }
 
-// IsDuplicatedEmail returns whether a user exists with a matching email and audience.
+// IsDuplicatedEmail returns whether a user exists with a matching email and
+// audience importantly in the *default* identity linking domain (meaning SSO
+// accounts and similar are not considered).
 // If a currentUser is provided, we will need to filter out any identities that belong to the current user.
-func IsDuplicatedEmail(tx *storage.Connection, email, aud string, currentUser *User) (*User, error) {
+func IsDuplicatedEmail(tx *storage.Connection, email, aud string, currentUser *User, ownDomainProviders []string) (*User, error) {
 	var identities []Identity
 
 	if err := tx.Eager().Q().Where("email = ?", strings.ToLower(email)).All(&identities); err != nil {
@@ -732,7 +734,7 @@ func IsDuplicatedEmail(tx *storage.Connection, email, aud string, currentUser *U
 	userIDs := make(map[string]uuid.UUID)
 	for _, identity := range identities {
 		if _, ok := userIDs[identity.UserID.String()]; !ok {
-			if !identity.IsForSSOProvider() {
+			if GetAccountLinkingDomain(identity.Provider, ownDomainProviders) == "default" {
 				userIDs[identity.UserID.String()] = identity.UserID
 			}
 		}

internal/models/user_test.go

@@ -163,19 +163,19 @@ func (ts *UserTestSuite) TestFindUserWithRefreshToken() {
 func (ts *UserTestSuite) TestIsDuplicatedEmail() {
 	_ = ts.createUserWithEmail("[email protected]")
 
-	e, err := IsDuplicatedEmail(ts.db, "[email protected]", "test", nil)
+	e, err := IsDuplicatedEmail(ts.db, "[email protected]", "test", nil, nil)
 	require.NoError(ts.T(), err)
 	require.NotNil(ts.T(), e, "expected email to be duplicated")
 
-	e, err = IsDuplicatedEmail(ts.db, "[email protected]", "test", nil)
+	e, err = IsDuplicatedEmail(ts.db, "[email protected]", "test", nil, nil)
 	require.NoError(ts.T(), err)
-	require.Nil(ts.T(), e, "expected email to not be duplicated", nil)
+	require.Nil(ts.T(), e, "expected email to not be duplicated", nil, nil)
 
-	e, err = IsDuplicatedEmail(ts.db, "[email protected]", "test", nil)
+	e, err = IsDuplicatedEmail(ts.db, "[email protected]", "test", nil, nil)
 	require.NoError(ts.T(), err)
-	require.Nil(ts.T(), e, "expected same email to not be duplicated", nil)
+	require.Nil(ts.T(), e, "expected same email to not be duplicated", nil, nil)
 
-	e, err = IsDuplicatedEmail(ts.db, "[email protected]", "other-aud", nil)
+	e, err = IsDuplicatedEmail(ts.db, "[email protected]", "other-aud", nil, nil)
 	require.NoError(ts.T(), err)
 	require.Nil(ts.T(), e, "expected same email to not be duplicated")
 }