How to disable/deactivate a user

[dilly-sixmo]

I would like the ability to disable a user's account so that they can no longer sign in. I wish to keep the user's account as it will be referenced in other tables and I want to keep those records as history. So deleting a user and using cascading deletes for related data is not an option.

I've searched Google, the supabase docs, and this discussion forum and I haven't found any clear answer as to how to do this. While investigating, I noticed that there is a banned_until field within the auth.users table that I might be able to leverage to make this work, but this field is not documented whatsoever and I have no idea how to set a value to that field or if that field is even currently used to implement a banning mechanism.

The only way I can think to do this would be to use a server-side function with the service_key to change a user's password, while simultaneously adding a deactivate: true property to the user's metadata field. However, this seems kind of hacky. For example, the user could theoretically still sign in if they somehow got the password.

There doesn't seem to be a way to add additional logic to the Sign In process. If there was, I could simply check the user's metadata for deactivate true and prevent any login from there.

Does Supabase provide any mechanism for disabling/deactivating user accounts without deletion?

[GaryAustin1]

Using updateUserById you can now set a ban duration. This has been added to gotrue recently. I've not tested it.

 /**
   * Determines how long a user is banned for.
   *
   * The format for the ban duration follows a strict sequence of decimal numbers with a unit suffix.
   * Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
   *
   * For example, some possible durations include: '300ms', '2h45m'.
   *
   * Setting the ban duration to 'none' lifts the ban on the user.
   */
  ban_duration?: string | 'none'

ban_duration is used like the other attributes in the call.

I plan for this type of feature by using my user profiles table as the key for the foreign key links from other tables. I don't have a foreign key from profiles to auth.users table. Then when a user is deleted from auth.users I can use a trigger function to mark the profile table row as "guest" and clear out any private info, including email, etc. All other links are not affected by the auth.users delete.

Banning a user will still leave their personal email/phone/etc in the auth.users table.

[ekansh005]

This works perfectly.

[farzd]

@GaryAustin1 ban_duration works for me, when you try login after being banned, it doesn't return the user supabase.auth.user()
However i need to logout the user and show them an alert when they are banned, react native, only way to do this is to check the user metadata if the app is brought to the foreground but the metadata doesnt show the banned_until value,
you can see this value when you update the users ban_duration property.

the 'banned_until' doesn't exist here actually: https://github.com/supabase/gotrue-js/blob/master/src/lib/types.ts#L61

[Mayukhdevan]

How do I set the ban duration to infinite?

[ekansh005]

You can set to some very long durations like 100 years

[burggraf]

@farzd If you can't see the banned_until field, you can always write a simple postgres function to get this value from a separate call, or you can have your function return all the fields you need/want. Then call that function from .rpc().