
[BUG] Kakao provider hardcodes account_email scope, blocking non-Biz Korean developers #2574

Description

@redhotsixbull

[Auth] Kakao provider hardcodes account_email scope, blocking non-Biz Korean developers

Summary

The Supabase auth Kakao provider hardcodes account_email in oauthScopes, which is always sent to Kakao regardless of the client-side scopes option or the dashboard "Allow users without an email" setting. This makes Kakao OAuth login impossible for any developer without a Biz App approval, contradicting the official documentation.

Expected behavior

Per the official Kakao docs:

If you don't need an email address (or account_email isn't available for your app), you can omit account_email and
enable Allow users without an email in the Supabase Kakao provider settings.

This implies developers can authenticate Kakao users without requesting account_email.

Actual behavior

Calling supabase.auth.signInWithOAuth({ provider: 'kakao' }) fails with:

KOE205 — 설정하지 않은 카카오 로그인 동의 항목을 포함해 인가 코드를 요청했습니다.
설정하지 않은 동의 항목: account_email

The OAuth flow stops at step 1 (Kakao authorize URL), never reaches Supabase's user creation logic where
AllowUsersWithoutEmail would take effect.

Root cause

internal/api/provider/kakao.go:

func NewKakaoProvider(ext conf.OAuthProviderConfiguration, scopes string) (OAuthProvider, error) {
    // ...
    oauthScopes := []string{
        "account_email",       // hardcoded — always sent
        "profile_image",
        "profile_nickname",
    }

    if scopes != "" {
        oauthScopes = append(oauthScopes, strings.Split(scopes, ",")...)  // append only
    }
    // ...
}

1. account_email is hardcoded in the default slice
2. User-supplied scopes are appended, never replacing defaults
3. There is no conditional based on AllowUsersWithoutEmail here

Impact

In Korea, account_email consent requires Biz App registration with a business license. Many individual developers cannot
get a business license (or shouldn't be forced to for early-stage projects). The current implementation effectively gates
Kakao OAuth behind Korean business registration, which:

- Excludes hobbyist / indie / pre-revenue developers
- Contradicts the documented "Allow users without an email" workflow
- Has no documented workaround in the official guide

Reproduction

1. Create a Kakao Developers app without Biz App registration
2. Configure consent items: profile_nickname (필수 동의, required consent), profile_image (선택 동의, optional consent)
3. account_email will show "권한 없음" (no permission, i.e. unavailable)
4. Set up Supabase Kakao provider with Client ID + Secret
5. Enable "Allow users without an email"
6. Call supabase.auth.signInWithOAuth({ provider: 'kakao' })
7. Observe KOE205 error from Kakao

Suggested fix

Make account_email opt-out. Options:

A. Add a provider config flag (e.g., KAKAO_REQUEST_EMAIL env var or dashboard toggle) that excludes account_email from the
default scope list:

oauthScopes := []string{"profile_image", "profile_nickname"}
if ext.RequestEmail {
    oauthScopes = append(oauthScopes, "account_email")
}

B. Treat client-supplied scopes as a replacement instead of append when non-empty.

C. Tie scope inclusion to AllowUsersWithoutEmail setting: when enabled, drop account_email from the default list.

Option A or C aligns best with the documentation's intent.
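The following is an added example (not code from the auth repository) of how the default scope list could be built so that account_email becomes opt-out. The KakaoScopeConfig struct and BuildKakaoScopes function are hypothetical names; option A maps to RequestEmail, and option C is the same function called with RequestEmail set to the negation of AllowUsersWithoutEmail. Client-supplied scopes are merged without duplicates, and a client that explicitly asks for account_email still gets it.

```go
package main

import (
	"fmt"
	"strings"
)

// KakaoScopeConfig is a hypothetical stand-in for the provider settings this
// issue discusses (not the real conf.OAuthProviderConfiguration).
type KakaoScopeConfig struct {
	RequestEmail bool // option A: account_email is requested only when true
}

// BuildKakaoScopes returns the scope list sent to Kakao's authorize endpoint.
// account_email is no longer part of the unconditional defaults, so a non-Biz
// app that cannot obtain that consent item does not trigger KOE205.
func BuildKakaoScopes(cfg KakaoScopeConfig, clientScopes string) []string {
	scopes := []string{"profile_image", "profile_nickname"}
	if cfg.RequestEmail {
		scopes = append(scopes, "account_email")
	}
	seen := make(map[string]bool, len(scopes))
	for _, s := range scopes {
		seen[s] = true
	}
	// Merge client-supplied scopes, trimming whitespace and skipping repeats;
	// an explicit "account_email" from the client is honoured as requested.
	for _, s := range strings.Split(clientScopes, ",") {
		s = strings.TrimSpace(s)
		if s == "" || seen[s] {
			continue
		}
		seen[s] = true
		scopes = append(scopes, s)
	}
	return scopes
}

// ForAllowUsersWithoutEmail derives option C from option A: when users without
// an email are allowed, do not request account_email by default.
func ForAllowUsersWithoutEmail(allow bool) KakaoScopeConfig {
	return KakaoScopeConfig{RequestEmail: !allow}
}

func main() {
	fmt.Println(BuildKakaoScopes(ForAllowUsersWithoutEmail(true), ""))
	fmt.Println(BuildKakaoScopes(KakaoScopeConfig{RequestEmail: true}, "talk_message"))
}
```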

Environment

- @supabase/supabase-js: 2.x (latest)
- @supabase/auth-js: 2.108.0
- Supabase hosted (managed)
- Kakao Developers Console: standard (non-Biz) app
