Migrating 125.000 users from Auth0 to Supabase

Backstory

Let me give you a little backstory first for you to understand why and how we even came to this point.

Our setup

Auth0 was tightly integrated into our system.

  • 125k users
  • Social logins (Google, Apple, Facebook) and Email+Password logins
  • Single-Sign-On for our Circle community
  • Two client apps (Nuxt Webapp and native iOS App)
  • Using pre-built hosted login/registration page from Auth0
  • Registration hooks to create users in our own database

Evaluation and requirements

Most requirements were quite obvious:

Why Supabase?

Supabase ticked a lot of boxes.

“Why didn’t you just build your own auth?”

Every time you post anything tech related, you get a few peepz asking this.

Preparing the migration

As we planned a rolling migration with no downtime, involving two clients (webapp and native iOS app), this was quite a challenge, with lots of unknowns at first.

The basic plan

We introduce feature toggles for every login method (Google, Facebook, Apple, Email+Pw Auth) to switch between Auth0 and Supabase in our clients.

Adjusting our API

The first thing we did was extend our API to not only allow Auth0 JWTs, but also Supabase JWTs. So it wouldn’t matter whether the requesting user was logged in through Supabase or Auth0.
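
One way to accept both token types, as an added example rather than the author's code: the verifier pins one algorithm, key and audience per issuer, so a token cannot choose how it is verified. It assumes Auth0 tokens signed with RS256 and Supabase tokens signed with HS256 using a shared JWT secret; all issuers, audiences, keys and function names are constructed.

```javascript
const crypto = require('node:crypto');
const b64url = (s) => Buffer.from(s).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Builds constructed test tokens only; the API itself never signs provider tokens.
function signToken(alg, key, claims) {
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  const sig = alg === 'RS256'
    ? crypto.sign('sha256', Buffer.from(input), key)
    : crypto.createHmac('sha256', key).update(input).digest();
  return `${input}.${sig.toString('base64url')}`;
}

// issuers: Map of iss -> { iss, name, alg, key, aud }; a Map avoids prototype-key lookups.
function makeVerifier(issuers) {
  return function verify(token, now = Math.floor(Date.now() / 1000)) {
    const parts = String(token).split('.');
    if (parts.length !== 3) throw new Error('malformed token');
    const [h, p, s] = parts;
    const [header, claims] = [decode(h), decode(p)];
    // The unverified iss only selects a pinned config; nothing else is trusted yet.
    const cfg = issuers.get(claims.iss);
    if (!cfg) throw new Error('unknown issuer');
    // The algorithm is fixed per issuer; the header may only agree with it.
    if (header.alg !== cfg.alg) throw new Error('algorithm mismatch');
    const data = Buffer.from(`${h}.${p}`);
    const sig = Buffer.from(s, 'base64url');
    let ok;
    if (cfg.alg === 'RS256') {
      ok = crypto.verify('sha256', data, cfg.key, sig);
    } else {
      const mac = crypto.createHmac('sha256', cfg.key).update(data).digest();
      ok = mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
    }
    if (!ok) throw new Error('bad signature');
    if (![].concat(claims.aud).includes(cfg.aud)) throw new Error('wrong audience');
    if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
    // Subject ids from the two providers are separate namespaces, so return both parts.
    return { provider: cfg.name, sub: claims.sub };
  };
}

// Constructed keys, issuers and audiences (assumptions, not values from the article).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const AUTH0 = { iss: 'https://tenant.example.auth0.com/', name: 'auth0', alg: 'RS256',
  key: publicKey, aud: 'https://api.example.test' };
const SUPA = { iss: 'https://project.example.supabase.co/auth/v1', name: 'supabase',
  alg: 'HS256', key: 'constructed-demo-secret', aud: 'authenticated' };
const verify = makeVerifier(new Map([[AUTH0.iss, AUTH0], [SUPA.iss, SUPA]]));
```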

Adjusting the clients

As we wanted to do a rolling migration and we had two connected clients, we wanted to introduce feature toggles for each login method and gradually migrate each method. Keep in mind, with a native iOS app, we can’t just roll out releases — we need Apple employees to be in good spirits and approve our changes.

Matching user accounts

Initial social auth logins and new email+password registrations would both create new Supabase users. We set up a hook that would run BEFORE inserting a user and call our own API to do a user look-up.

Implementing OAuth 2.0 compatible SSO

Unfortunately, Supabase does not offer any OAuth compatible endpoints to easily do such integration and Circle has no direct integration with Supabase.

Writing migration scripts

We knew that not all of our 125k registered users would log in within a short amount of time, so we knew we had to migrate the remaining users.

Duplicate email addresses

While Supabase allows linking accounts, like having an email+password login and adding Google social login (happens automatically when the email matches), Supabase does not allow having multiple accounts with the same email address — while Auth0 does.

Sending a welcome mail

While Supabase has a few built-in and configurable mail templates, there is no email triggered upon user registration to welcome a user. As we already had a Supabase hook that does an API call and notifies our API about a new user being created, we simply used our existing Mandrill integration to send a transactional mail.

Migrating user passwords

We were worried that users may have to change their password due to hash incompatibility.

Migration

After preparing the feature toggles, adjusting the API, building user matching, the Postgres trigger, adjusting both clients and releasing all of that and A LOT of testing, we were ready to pull the trigger.

Pitfalls

Apple app approvals

We integrated Supabase as a secondary auth provider and implemented remote toggles (using Firebase).

Duplicate emails

As described above, Supabase supports multiple identities for a single email, but not multiple accounts with the same email.

Linked Accounts

As if duplicate emails aren’t complex enough, we had the Auth0 link extension active for a while, which allowed others to link multiple login methods/providers to a single account.

Getting Password hashes

With Supabase, you get full access to the underlying Postgres database. Thus, you can also just get an export of all password hashes.

Summary

Phew. I have to admit, I am glad the migration is done. It was a fun and exhausting challenge.

The end

I didn’t go into every nuance and detail, as this would likely fill an entire book.

Kevin Grüneberg

Developer by day and developer by night.