Manual identity linking doesn't update user_metadata properly in the newly issued token

[alexb-tellmira]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

On manual social identity linking, the user_metadata properties like iss, sub, provider_id in the newly issued token are reset to the first provider instead of getting the new provider's values.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

1. Create a user, say, using Google
2. (Optional for clarity) Logout and login using, say, an OTP or password. The token will have amr[0].method = "otp" (or "password"), but user_metadata.iss will still be "https://accounts.google.com" (along with Google's sub and provider_id). This is expected since user_metadata persists the OAuth provider data from signup, and amr[0].method correctly indicates the current authentication method.
3. Link another social identity by calling supabase.auth.linkIdentity({ provider: 'discord' })
4. This results in a new jwt token amr[0].method = "oauth", but user_metadata.iss, sub and provider_id still have the values of the google provider.
5. Logout and login with the new identity (discord) - user_metadata.iss is set to "https://discord.com/api" as expected (as well as sub and provider_id)

Expected behavior

After manual identity linking the newly issued token should be properly attributed to the new provider, the same as on a login with that provider.

Code Reference

Bug location: (presumably) linkIdentityToUser() function
Missing call: targetUser.UpdateUserMetaData(tx, identityData) should be added