fix(auth): sync pre-existing user passwords for new instant auth bypass

DongDuong2001 · DongDuong2001 · commit 143b45d29c55 · 2026-02-22T23:57:44.000+07:00
diff --git a/app/api/auth/instant/route.ts b/app/api/auth/instant/route.ts
@@ -0,0 +1,49 @@
+import { NextResponse } from 'next/server'
+import { createAdminClient } from '@/lib/database/supabase-admin'
+
+export async function POST(request: Request) {
+    try {
+        const { email, password } = await request.json()
+
+        if (!email || !password) {
+            return NextResponse.json({ success: false, error: 'Email and password are required' }, { status: 400 })
+        }
+
+        const supabaseAdmin = createAdminClient()
+        if (!supabaseAdmin) {
+            return NextResponse.json({ success: false, error: 'Server configuration error' }, { status: 500 })
+        }
+
+        // Since we need to bypass existing user passwords, we will search for the user by email
+        // and forcefully update their password.
+        // In @supabase/supabase-js recent versions, generating a link is easy or listing users handles it.
+
+        const { data: { users }, error: listError } = await supabaseAdmin.auth.admin.listUsers()
+
+        if (listError) {
+            return NextResponse.json({ success: false, error: listError.message }, { status: 400 })
+        }
+
+        const user = users.find((u: any) => u.email === email)
+
+        if (user) {
+            // User exists! Force update their password to the hidden password
+            const { error: updateError } = await supabaseAdmin.auth.admin.updateUserById(
+                user.id,
+                { password }
+            )
+
+            if (updateError) {
+                return NextResponse.json({ success: false, error: updateError.message }, { status: 400 })
+            }
+
+            return NextResponse.json({ success: true, message: 'Password synced' })
+        } else {
+            // User does not exist, standard signup will handle it in the client
+            return NextResponse.json({ success: false, error: 'User not found' }, { status: 404 })
+        }
+
+    } catch (error: any) {
+        return NextResponse.json({ success: false, error: error.message }, { status: 500 })
+    }
+}
diff --git a/lib/features/auth/auth-service.ts b/lib/features/auth/auth-service.ts
@@ -219,7 +219,29 @@ export async function signInOrSignUpWithEmailOnly(
       return signInResult; // Successfully logged in
     }
 
-    // 2. If sign in fails (likely because user doesn't exist), attempt to sign up
+    // 2. If sign in fails due to "Invalid login credentials", the user might exist but with a different password.
+    // We call our secure backend bypass to sync their password to the hidden instant auth password.
+    if (signInResult.error && signInResult.error.toLowerCase().includes("invalid login credentials")) {
+      try {
+        const syncRes = await fetch('/api/auth/instant', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ email, password: hiddenPassword })
+        });
+
+        if (syncRes.ok) {
+          const syncData = await syncRes.json();
+          if (syncData.success) {
+            // Password successfully synced! Retry sign in.
+            return await signIn(email, hiddenPassword, rememberMe);
+          }
+        }
+      } catch (err) {
+        console.error("Failed to sync instant auth password:", err);
+      }
+    }
+
+    // 3. If sign in fails and sync didn't resolve it (likely because user doesn't exist), attempt to sign up
     const signUpResult = await signUp(email, hiddenPassword);
 
     if (signUpResult.success) {
