Built-in Phone Number Recycling Support for Authentication by Supabase #1086

@leonaburime-ucla

Description

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Supabase Auth prevents phone number linking when the phone number was previously associated with another user account, even when the current user has legitimate access to that phone number. This creates issues with phone number recycling scenarios where phone numbers are reassigned to new users.

When attempting to link a recycled phone number to a new user account using auth.updateUser({ phone }), the operation fails with:

AuthApiError: A user with this phone number has already been registered

This occurs even when:

  1. The previous user no longer has access to the phone number
  2. The current user can receive SMS/OTP to that number
  3. The current user successfully receives and enters the correct OTP

To Reproduce

Steps to reproduce the behavior:

  1. Create User A and link phone number +1234567890 to their account
  2. User A stops using the service/account becomes inactive
  3. Phone carrier recycles the number and assigns +1234567890 to a new person
  4. Create User B (new person with the recycled number)
  5. Attempt to link +1234567890 to User B's account:

```js
import { createClient } from '@supabase/supabase-js';

// Client setup as elsewhere in the app (env var names assumed for this snippet)
const supabase = createClient(process.env.SUPABASE_URL, process.env.SUPABASE_ANON_KEY);

// This fails with "A user with this phone number has already been registered"
const { error } = await supabase.auth.updateUser({
  phone: '+1234567890'
});
```

  6. Even if you manually send the OTP and the user enters the correct code, verification fails because the phone is still linked to User A

Expected behavior
One of the following should happen:

Option 1 (Preferred): When a user successfully verifies OTP for a phone number already linked to another account, Supabase should automatically unlink the phone from the previous account and link it to the current user (since OTP verification proves current ownership).

Option 2: Provide a configuration option to disable strict phone number uniqueness for projects that need to handle phone number recycling.

Option 3: Provide built-in admin methods to handle phone number conflicts when OTP verification succeeds.

Screenshots

Error in application logs:

AuthApiError: A user with this phone number has already been registered
    at AuthApiError.from (auth-helpers.js:89:5)
    at updateUser (auth-api.js:156:12)

System information
OS: macOS
Browser: Chrome, Safari (React Native app)
Version of supabase-js: 2.x (latest)
Version of Node.js: 18.x
Platform: React Native with TypeScript

Additional context
Current Workaround: We've implemented a server-side Edge Function with admin privileges to manually unlink phone numbers from previous users after successful OTP verification, but this requires:

  • Complex state management
  • Additional API calls
  • Admin-level permissions
  • Potential race conditions

Real-world Impact:

  • Phone number recycling is common globally
  • Creates poor UX for legitimate users
  • Forces developers to implement complex workarounds
  • Could affect user onboarding conversion rates

Business Context: Phone verification is critical for user trust and security in dating/social apps. Users expect seamless phone verification regardless of number history.

This appears to be a design limitation rather than intended behavior, as the phone number uniqueness constraint doesn't account for legitimate ownership transfer scenarios.
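The server-side "unlink from the previous user, then link to the new one" step that the reporter's Edge Function workaround performs (and that Option 1 above asks Supabase to do automatically), written as an added example that is not part of the original report and is not Supabase's own code. It assumes a hypothetical UserStore abstraction with an atomic compare-and-move on phone ownership (in a real deployment that would be an adapter over the Auth admin API, which this example does not call), an assumed 90-day dormancy policy, and constructed sample records that mirror User A and User B from the report.

```typescript
// Added example, not from the issue or from Supabase. Models the server-side
// "unlink from the previous user, then link to the new one" step as a policy
// that can be exercised offline. Everything below (UserStore, MemoryStore,
// DORMANCY_MS) is a hypothetical abstraction; a real deployment would back
// UserStore with the Auth admin API, which this file does not call.

interface UserRecord {
  id: string;
  phone: string | null;
  lastSignInAt: number; // epoch milliseconds
}

interface UserStore {
  get(id: string): UserRecord | undefined;
  ownerOf(phone: string): UserRecord | undefined;
  // Atomically moves `phone` from `expectedOwner` (null = unowned) to
  // `newOwner`. Returns false, changing nothing, if the owner changed meanwhile.
  compareAndMovePhone(phone: string, expectedOwner: string | null, newOwner: string): boolean;
}

type ClaimResult =
  | { ok: true; unlinkedFrom: string | null }
  | { ok: false; reason: 'otp_not_verified' | 'unknown_user' | 'previous_owner_active' | 'conflict' };

// Assumed policy: only an owner who has not signed in for this long is treated
// as having lost the number. Passing the OTP proves control of the number now,
// not identity, so a recently active owner is never silently unlinked.
const DORMANCY_MS = 90 * 24 * 60 * 60 * 1000;

function claimPhone(
  store: UserStore,
  phone: string,
  newUserId: string,
  otpVerified: boolean, // result of the SMS OTP check done before calling this
  now: number = Date.now(),
): ClaimResult {
  if (!otpVerified) return { ok: false, reason: 'otp_not_verified' };
  if (!store.get(newUserId)) return { ok: false, reason: 'unknown_user' };

  const previous = store.ownerOf(phone);
  if (previous && previous.id === newUserId) return { ok: true, unlinkedFrom: null };
  if (previous && now - previous.lastSignInAt < DORMANCY_MS) {
    return { ok: false, reason: 'previous_owner_active' };
  }

  const expected = previous ? previous.id : null;
  // Two requests racing for the same number: exactly one compare-and-move wins.
  if (!store.compareAndMovePhone(phone, expected, newUserId)) {
    return { ok: false, reason: 'conflict' };
  }
  return { ok: true, unlinkedFrom: expected };
}

// In-memory store so the example runs without a database.
class MemoryStore implements UserStore {
  private users = new Map<string, UserRecord>();
  constructor(records: UserRecord[]) {
    for (const r of records) this.users.set(r.id, { ...r });
  }
  get(id: string): UserRecord | undefined {
    return this.users.get(id);
  }
  ownerOf(phone: string): UserRecord | undefined {
    for (const u of this.users.values()) if (u.phone === phone) return u;
    return undefined;
  }
  compareAndMovePhone(phone: string, expectedOwner: string | null, newOwner: string): boolean {
    const target = this.users.get(newOwner);
    const current = this.ownerOf(phone);
    if (!target || (current ? current.id : null) !== expectedOwner) return false;
    if (current) current.phone = null;
    target.phone = phone;
    return true;
  }
}

// Constructed sample data mirroring the report: A held the number and went
// dormant, B is the new holder who has just passed SMS OTP, C is a later
// claimant who also passes OTP (for example after a SIM swap against B).
function demo() {
  const day = 24 * 60 * 60 * 1000;
  const now = 1700000000000;
  const store = new MemoryStore([
    { id: 'user-A', phone: '+1234567890', lastSignInAt: now - 200 * day },
    { id: 'user-B', phone: null, lastSignInAt: now },
    { id: 'user-C', phone: null, lastSignInAt: now },
  ]);
  const first = claimPhone(store, '+1234567890', 'user-B', true, now);
  const second = claimPhone(store, '+1234567890', 'user-C', true, now);
  // A stale claim that still believes A owns the number loses the compare-and-move.
  const stale = store.compareAndMovePhone('+1234567890', 'user-A', 'user-C');
  return {
    first,
    second,
    stale,
    aPhone: store.get('user-A')!.phone,
    bPhone: store.get('user-B')!.phone,
  };
}
```

Two design points matter for the security of this flow. First, a passed OTP proves that the caller controls the number at this moment, not that the number was recycled; a SIM swap produces the same proof, so the example refuses to unlink an owner who has signed in recently and only reassigns numbers whose previous owner is dormant. Second, the compare-and-move closes the race the reporter mentions: if two requests read the same previous owner and both try to reassign, the second one fails with `conflict` instead of both succeeding. Whatever backs UserStore must run with admin privileges, so this logic belongs in a trusted server-side context, never in the client.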

Labels: bug