diff --git a/CHANGELOG.md b/CHANGELOG.md
index b81bccdcf..aeff2b7a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,358 @@ # Changelog +## [2.186.0](https://github.com/daotl/gotrue/compare/v2.185.0...v2.186.0) (2026-02-01) + + +### Features + +* add `.well-known/openid-configuration` ([#2197](https://github.com/daotl/gotrue/issues/2197)) ([9a8d0df](https://github.com/daotl/gotrue/commit/9a8d0df63bb5089e1705f9d970669bfc97ed345e)) +* add `auth_migration` annotation for the migrations ([#2234](https://github.com/daotl/gotrue/issues/2234)) ([b276d0b](https://github.com/daotl/gotrue/commit/b276d0bcf4d1ee08fce8c2f7146423e9aaf34dfb)) +* add `password_hash` and `id` fields to admin create user ([#1641](https://github.com/daotl/gotrue/issues/1641)) ([20d59f1](https://github.com/daotl/gotrue/commit/20d59f10b601577683d05bcd7d2128ff4bc462a0)) +* add `x-sb-error-code` header, show error code in logs ([#1765](https://github.com/daotl/gotrue/issues/1765)) ([ed91c59](https://github.com/daotl/gotrue/commit/ed91c59aa332738bd0ac4b994aeec2cdf193a068)) +* add advisor to notify you when to double the max connection pool ([#2167](https://github.com/daotl/gotrue/issues/2167)) ([a72f5d9](https://github.com/daotl/gotrue/commit/a72f5d95795ac070e248007c0c38196f47ea5046)) +* add after-user-created hook ([#2169](https://github.com/daotl/gotrue/issues/2169)) ([bd80df8](https://github.com/daotl/gotrue/commit/bd80df8a888a7de023557a97b65b21419d3029e7)) +* add an optional burstable rate limiter ([#1924](https://github.com/daotl/gotrue/issues/1924)) ([1f06f58](https://github.com/daotl/gotrue/commit/1f06f58e1434b91612c0d96c8c0435d26570f3e2)) +* add array attribute mapping for SAML ([#1526](https://github.com/daotl/gotrue/issues/1526)) ([7326285](https://github.com/daotl/gotrue/commit/7326285c8af5c42e5c0c2d729ab224cf33ac3a1f)) +* add asymmetric jwt support ([#1674](https://github.com/daotl/gotrue/issues/1674)) ([c7a2be3](https://github.com/daotl/gotrue/commit/c7a2be347b301b666e99adc3d3fed78c5e287c82)) +* add authorized email address support ([#1757](https://github.com/daotl/gotrue/issues/1757)) 
([f3a28d1](https://github.com/daotl/gotrue/commit/f3a28d182d193cf528cc72a985dfeaf7ecb67056)) +* add configuration for custom sms sender hook ([#1428](https://github.com/daotl/gotrue/issues/1428)) ([1ea56b6](https://github.com/daotl/gotrue/commit/1ea56b62d47edb0766d9e445406ecb43d387d920)) +* Add custom claims from Keycloak user token ([#1917](https://github.com/daotl/gotrue/issues/1917)) ([1365aaa](https://github.com/daotl/gotrue/commit/1365aaa45569fc9e7c3497e744e0e80cf237d617)) +* add custom sms hook ([#1474](https://github.com/daotl/gotrue/issues/1474)) ([0f6b29a](https://github.com/daotl/gotrue/commit/0f6b29a46f1dcbf92aa1f7cb702f42e7640f5f93)) +* Add email send operation metrics ([#2311](https://github.com/daotl/gotrue/issues/2311)) ([0096575](https://github.com/daotl/gotrue/commit/00965758762301875df2d7e4e552b2346bc09236)) +* add email validation function to lower bounce rates ([#1845](https://github.com/daotl/gotrue/issues/1845)) ([2c291f0](https://github.com/daotl/gotrue/commit/2c291f0356f3e91063b6b43bf2a21625b0ce0ebd)) +* add error codes ([#1377](https://github.com/daotl/gotrue/issues/1377)) ([e4beea1](https://github.com/daotl/gotrue/commit/e4beea1cdb80544b0581f1882696a698fdf64938)) +* add generic OAuth provider ([f4a60cf](https://github.com/daotl/gotrue/commit/f4a60cffee9b1e32e5764596563df26b32468cbf)) +* add hook log entry with `run_hook` action ([#1684](https://github.com/daotl/gotrue/issues/1684)) ([46491b8](https://github.com/daotl/gotrue/commit/46491b867a4f5896494417391392a373a453fa5f)) +* add is_anonymous claim to Auth hook jsonschema ([#1667](https://github.com/daotl/gotrue/issues/1667)) ([f9df65c](https://github.com/daotl/gotrue/commit/f9df65c91e226084abfa2e868ab6bab892d16d2f)) +* add kakao OIDC ([#1381](https://github.com/daotl/gotrue/issues/1381)) ([b5566e7](https://github.com/daotl/gotrue/commit/b5566e7ac001cc9f2bac128de0fcb908caf3a5ed)) +* add mail header support via `GOTRUE_SMTP_HEADERS` with `$messageType` 
([#1804](https://github.com/daotl/gotrue/issues/1804)) ([99d6a13](https://github.com/daotl/gotrue/commit/99d6a134c44554a8ad06695e1dff54c942c8335d)) +* add max length check for email ([#1508](https://github.com/daotl/gotrue/issues/1508)) ([f9c13c0](https://github.com/daotl/gotrue/commit/f9c13c0ad5c556bede49d3e0f6e5f58ca26161c3)) +* add MFA for WebAuthn ([#1775](https://github.com/daotl/gotrue/issues/1775)) ([8cc2f0e](https://github.com/daotl/gotrue/commit/8cc2f0e14d06d0feb56b25a0278fda9e213b6b5a)) +* add OAuth client type ([#2152](https://github.com/daotl/gotrue/issues/2152)) ([b118f1f](https://github.com/daotl/gotrue/commit/b118f1f00c3c846095c25c34092e38aeebfdf2db)) +* add oauth2 client support ([#2098](https://github.com/daotl/gotrue/issues/2098)) ([8fae015](https://github.com/daotl/gotrue/commit/8fae01581d122bba95a3742dc212284f9a21dc4d)) +* add OIDC discovery support for generic OAuth providers ([b12b8f9](https://github.com/daotl/gotrue/commit/b12b8f9224182469ba12a073f3266ba262f21640)) +* add option to disable magic links ([#1756](https://github.com/daotl/gotrue/issues/1756)) ([2ad0737](https://github.com/daotl/gotrue/commit/2ad07373aa9239eba94abdabbb01c9abfa8c48de)) +* add option to disable writing to `audit_log_entries` ([#2073](https://github.com/daotl/gotrue/issues/2073)) ([80758dd](https://github.com/daotl/gotrue/commit/80758dd880b82e9b96d7185d9d0a0850b8c6f19d)) +* add phone to sms webhook payload ([#2160](https://github.com/daotl/gotrue/issues/2160)) ([d475ac1](https://github.com/daotl/gotrue/commit/d475ac1f20a0814f59d4bc1370801f915a9ba4d4)) +* add SAML specific external URL config ([#1599](https://github.com/daotl/gotrue/issues/1599)) ([b352719](https://github.com/daotl/gotrue/commit/b3527190560381fafe9ba2fae4adc3b73703024a)) +* Add Sb-Forwarded-For header and IP-based rate limiting ([#2295](https://github.com/daotl/gotrue/issues/2295)) ([e8f679b](https://github.com/daotl/gotrue/commit/e8f679b9e8fcd8cb543ed43cd9cd6a73bbbf4fa7)) +* add send email Hook 
([#1512](https://github.com/daotl/gotrue/issues/1512)) ([cf42e02](https://github.com/daotl/gotrue/commit/cf42e02ec63779f52b1652a7413f64994964c82d)) +* add sign in with ethereum ([#2069](https://github.com/daotl/gotrue/issues/2069)) ([079b242](https://github.com/daotl/gotrue/commit/079b2427b8ed312880b60e89cc79b716fe9ae73d)) +* add sign in with solana (EIP-4361) support ([#1918](https://github.com/daotl/gotrue/issues/1918)) ([d121546](https://github.com/daotl/gotrue/commit/d1215464d4c81bb6e2e210df81ba0263d90ffb64)) +* add snapchat provider ([#2071](https://github.com/daotl/gotrue/issues/2071)) ([fca8ea4](https://github.com/daotl/gotrue/commit/fca8ea4a701eafb587438a159e19f5488c82a178)) +* add Supabase Auth identifier to OAuth redirect URLs ([#2299](https://github.com/daotl/gotrue/issues/2299)) ([2d3dbc6](https://github.com/daotl/gotrue/commit/2d3dbc652c1beb47c2eade28b45e94f6e2c56982)) +* add support for account changes notifications in email send hook ([#2192](https://github.com/daotl/gotrue/issues/2192)) ([6b382ae](https://github.com/daotl/gotrue/commit/6b382ae3a96bbe052395bdfa30fb49f717e5ad68)) +* add support for Azure CIAM login ([#1541](https://github.com/daotl/gotrue/issues/1541)) ([1cb4f96](https://github.com/daotl/gotrue/commit/1cb4f96bdc7ef3ef995781b4cf3c4364663a2bf3)) +* add support for managing SSO providers by resource_id ([#2081](https://github.com/daotl/gotrue/issues/2081)) ([5ca4489](https://github.com/daotl/gotrue/commit/5ca44893964d3b12a24ea26302b23f4976f768a0)) +* add support for migration of firebase scrypt passwords ([#1768](https://github.com/daotl/gotrue/issues/1768)) ([ba00f75](https://github.com/daotl/gotrue/commit/ba00f75c28d6708ddf8ee151ce18f2d6193689ef)) +* add support for saml encrypted assertions ([#1752](https://github.com/daotl/gotrue/issues/1752)) ([c5480ef](https://github.com/daotl/gotrue/commit/c5480ef83248ec2e7e3d3d87f92f43f17161ed25)) +* add support for Slack OAuth V2 ([#1591](https://github.com/daotl/gotrue/issues/1591)) 
([bb99251](https://github.com/daotl/gotrue/commit/bb992519cdf7578dc02cd7de55e2e6aa09b4c0f3)) +* add support for verifying argon2i and argon2id passwords ([#1597](https://github.com/daotl/gotrue/issues/1597)) ([55409f7](https://github.com/daotl/gotrue/commit/55409f797bea55068a3fafdddd6cfdb78feba1b4)) +* add support packages for end-to-end testing ([#2021](https://github.com/daotl/gotrue/issues/2021)) ([269ddfe](https://github.com/daotl/gotrue/commit/269ddfe18718ae74535f7227eb75f67667275140)) +* add timeout middleware ([#1529](https://github.com/daotl/gotrue/issues/1529)) ([f96ff31](https://github.com/daotl/gotrue/commit/f96ff31040b28e3a7373b4fd41b7334eda1b413e)) +* add webauthn configuration variables ([#1773](https://github.com/daotl/gotrue/issues/1773)) ([77d5897](https://github.com/daotl/gotrue/commit/77d58976ae624dbb7f8abee041dd4557aab81109)) +* allow amr claim to be array of strings or objects ([#2274](https://github.com/daotl/gotrue/issues/2274)) ([607da43](https://github.com/daotl/gotrue/commit/607da43b697b0af1de0da5f966f5b63ff033fefb)) +* allow for postgres and http functions on each extensibility point ([#1528](https://github.com/daotl/gotrue/issues/1528)) ([348a1da](https://github.com/daotl/gotrue/commit/348a1daee24f6e44b14c018830b748e46d34b4c2)) +* allow invalid config directories ([#1969](https://github.com/daotl/gotrue/issues/1969)) ([6b842f6](https://github.com/daotl/gotrue/commit/6b842f6b304bba5f886c6bf8b5675d914f881a2d)) +* allow limiting lifespan of low-aal sessions ([#1942](https://github.com/daotl/gotrue/issues/1942)) ([d7a9ca6](https://github.com/daotl/gotrue/commit/d7a9ca62a7a09edd864f0b968c1882f5e464e662)) +* alter tag to use raw ([#1427](https://github.com/daotl/gotrue/issues/1427)) ([53cfe5d](https://github.com/daotl/gotrue/commit/53cfe5de57d4b5ab6e8e2915493856ecd96f4ede)) +* anonymous sign-ins ([#1460](https://github.com/daotl/gotrue/issues/1460)) ([130df16](https://github.com/daotl/gotrue/commit/130df165270c69c8e28aaa1b9421342f997c1ff3)) +* 
async, concurrent index creation for users table ([#2239](https://github.com/daotl/gotrue/issues/2239)) ([a1146bf](https://github.com/daotl/gotrue/commit/a1146bf7eecb35e237350dda7ae62328cbb5acfe)) +* background template reloading p1 - baseline decomposition ([#2148](https://github.com/daotl/gotrue/issues/2148)) ([746c937](https://github.com/daotl/gotrue/commit/746c937f7c57ba256d942df334ab9ee354509587)) +* Block specific outgoing mail servers ([#1971](https://github.com/daotl/gotrue/issues/1971)) ([091aef9](https://github.com/daotl/gotrue/commit/091aef945a764ee8d3b80ae8c5ed5d88dd582d03)) +* calculate aal without transaction ([#1437](https://github.com/daotl/gotrue/issues/1437)) ([8dae661](https://github.com/daotl/gotrue/commit/8dae6614f1a2b58819f94894cef01e9f99117769)) +* clean up expired factors ([#1371](https://github.com/daotl/gotrue/issues/1371)) ([5c94207](https://github.com/daotl/gotrue/commit/5c9420743a9aef0675f823c30aa4525b4933836e)) +* clean up test setup in MFA tests ([#1452](https://github.com/daotl/gotrue/issues/1452)) ([7185af8](https://github.com/daotl/gotrue/commit/7185af8de4a269cdde2629054d222333d3522ebe)) +* config reloading ([#1771](https://github.com/daotl/gotrue/issues/1771)) ([6ee0091](https://github.com/daotl/gotrue/commit/6ee009163bfe451e2a0b923705e073928a12c004)) +* config reloading with fsnotify, poller fallback, and signals ([#2161](https://github.com/daotl/gotrue/issues/2161)) ([c77d512](https://github.com/daotl/gotrue/commit/c77d51203fc52c1c9a9f7dc56ca1c076e018fc54)) +* configurable email and sms rate limiting ([#1800](https://github.com/daotl/gotrue/issues/1800)) ([5e94047](https://github.com/daotl/gotrue/commit/5e9404717e1c962ab729cde150ef5b40ea31a6e8)) +* configurable NameID format for SAML provider ([#1481](https://github.com/daotl/gotrue/issues/1481)) ([ef405d8](https://github.com/daotl/gotrue/commit/ef405d89e69e008640f275bc37f8ec02ad32da40)) +* cover 100% of crypto with tests ([#1892](https://github.com/daotl/gotrue/issues/1892)) 
([174198e](https://github.com/daotl/gotrue/commit/174198e56f8e9b8470a717d0021c626130288d2e)) +* drop sha hash tag ([#1422](https://github.com/daotl/gotrue/issues/1422)) ([76853ce](https://github.com/daotl/gotrue/commit/76853ce6d45064de5608acc8100c67a8337ba791)) +* email address changed notification ([#2181](https://github.com/daotl/gotrue/issues/2181)) ([047f851](https://github.com/daotl/gotrue/commit/047f85136c9223ca99cb0169ba82343088fbbfd8)) +* encrypt sensitive columns ([#1593](https://github.com/daotl/gotrue/issues/1593)) ([e4a4758](https://github.com/daotl/gotrue/commit/e4a475820b2dc1f985bd37df15a8ab9e781626f5)) +* enhance issuer URL validation in OAuth server metadata ([#2164](https://github.com/daotl/gotrue/issues/2164)) ([a9424d2](https://github.com/daotl/gotrue/commit/a9424d25909e074db395b620dc9999724bf4a03c)) +* enhance login analytics ([#2078](https://github.com/daotl/gotrue/issues/2078)) ([1aed4a2](https://github.com/daotl/gotrue/commit/1aed4a27fdc54d9c4d01f17d49dcaadb25400f18)) +* experimental own linking domains per provider ([#2119](https://github.com/daotl/gotrue/issues/2119)) ([747bf3b](https://github.com/daotl/gotrue/commit/747bf3b15fd9e371c9330e75fe2e5de8b89ce14d)) +* fallback to jwt secret if alg is `HS256` and the `kid` is not recognized ([#2072](https://github.com/daotl/gotrue/issues/2072)) ([8fa99bd](https://github.com/daotl/gotrue/commit/8fa99bd6cab91c0bf093fdcdb912054113ea66ba)) +* fetch email from snapchat oauth provider if available for consistency ([#2110](https://github.com/daotl/gotrue/issues/2110)) ([7507822](https://github.com/daotl/gotrue/commit/750782246e736093131ba2eb1015fc73083d99ab)) +* fix argon2 parsing and comparison ([#1887](https://github.com/daotl/gotrue/issues/1887)) ([9dbe6ef](https://github.com/daotl/gotrue/commit/9dbe6ef931ae94e621d55a5f7aea4b7ee0449949)) +* fix large group claim handling in azure id tokens ([#1995](https://github.com/daotl/gotrue/issues/1995)) 
([2f323fe](https://github.com/daotl/gotrue/commit/2f323fe3ce2c1d24343d822ac093f28fdda3a4a9)) +* forbid generating an access token without a session ([#1504](https://github.com/daotl/gotrue/issues/1504)) ([795e93d](https://github.com/daotl/gotrue/commit/795e93d0afbe94bcd78489a3319a970b7bf8e8bc)) +* **generic oauth:** use snake_case field names by default ([0d6dfb1](https://github.com/daotl/gotrue/commit/0d6dfb1b1a45406704e6b8be22401f45374f8709)) +* hooks round 2 - remove indirection and simplify error handling ([#2025](https://github.com/daotl/gotrue/issues/2025)) ([26e23f0](https://github.com/daotl/gotrue/commit/26e23f05acd1e1a959c3e04764a569ea0364d947)) +* hooks round 4 - update tests to use require package ([#2030](https://github.com/daotl/gotrue/issues/2030)) ([aaf93df](https://github.com/daotl/gotrue/commit/aaf93df50ebfb489c6335e2c1b846dc5cee18767)) +* hooks round 5 (Option 2) - add before-user-created hook ([#2034](https://github.com/daotl/gotrue/issues/2034)) ([b53f6b0](https://github.com/daotl/gotrue/commit/b53f6b0d0e056bf3e84884847ab4608ffc9efd61)) +* HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets ([#1467](https://github.com/daotl/gotrue/issues/1467)) ([5b24c4e](https://github.com/daotl/gotrue/commit/5b24c4eb05b2b52c4177d5f41cba30cb68495c8c)) +* identity linked/unlinked notifications ([#2185](https://github.com/daotl/gotrue/issues/2185)) ([7d46936](https://github.com/daotl/gotrue/commit/7d46936e145479be1e508b52549c7fca3c59fc2f)) +* ignore `aud` claim from admin jwt (`service_role` never had one) ([#2070](https://github.com/daotl/gotrue/issues/2070)) ([57eddcb](https://github.com/daotl/gotrue/commit/57eddcb45ce97004c26f6d65351447d7dc654162)) +* implement link identity with oidc / native sign in ([#2108](https://github.com/daotl/gotrue/issues/2108)) ([5f0ec87](https://github.com/daotl/gotrue/commit/5f0ec8709231c57b57aa06160e18bc9e52ec9002)) +* implement OAuth2 authorization endpoint ([#2107](https://github.com/daotl/gotrue/issues/2107)) 
([5318552](https://github.com/daotl/gotrue/commit/53185526b07cb2c27f6a81782a6c24610e39d6fe)) +* implements email-less accounts with oauth ([#2105](https://github.com/daotl/gotrue/issues/2105)) ([9a61dae](https://github.com/daotl/gotrue/commit/9a61dae788311a086ce8e72b52c21e031857adf7)) +* improvements to config reloader, 100% coverage ([#1933](https://github.com/daotl/gotrue/issues/1933)) ([21c2256](https://github.com/daotl/gotrue/commit/21c2256806ab4950e9bfc0af0472a64f7d9112a7)) +* increase test coverage in conf package to 100% ([#1937](https://github.com/daotl/gotrue/issues/1937)) ([bc57c1c](https://github.com/daotl/gotrue/commit/bc57c1c25769905b29bfc9e89bf3d6b65b1030ea)) +* increment refresh token counter by 2 for mfa verify ([#2284](https://github.com/daotl/gotrue/issues/2284)) ([2a38668](https://github.com/daotl/gotrue/commit/2a3866854fe7cb58a6cb84e7a82ce5d07bb920ee)) +* **indexworker:** use `auth_trgm` extension if available ([#2263](https://github.com/daotl/gotrue/issues/2263)) ([05daa43](https://github.com/daotl/gotrue/commit/05daa437131bd220e01a0e33df75f4b9afa72bb6)) +* introduce request-scoped background tasks & async mail sending ([#2126](https://github.com/daotl/gotrue/issues/2126)) ([2c8ea61](https://github.com/daotl/gotrue/commit/2c8ea6113ae7381106ed7c67d7a45f7ef87195c7)) +* introduce v2 refresh token algorithm ([#2216](https://github.com/daotl/gotrue/issues/2216)) ([dea5b8e](https://github.com/daotl/gotrue/commit/dea5b8e5353ea240c658b030325432ce512f18a8)) +* load template cache at startup for fault tolerance ([#2261](https://github.com/daotl/gotrue/issues/2261)) ([511c3a4](https://github.com/daotl/gotrue/commit/511c3a4e12819d313840cd5342ae6a76d4708cfc)) +* log all audit events separately to prevent missing events ([#2086](https://github.com/daotl/gotrue/issues/2086)) ([3b666f5](https://github.com/daotl/gotrue/commit/3b666f51f56db778848730d74ac140f02b0cb522)) +* log sb-auth-user-id, sb-auth-session-id, ... 
on sign in not just refresh token ([#2342](https://github.com/daotl/gotrue/issues/2342)) ([a486ada](https://github.com/daotl/gotrue/commit/a486ada3683bb078b8f396a5ba2e606826f0044b)) +* mailer logging ([#1805](https://github.com/daotl/gotrue/issues/1805)) ([9354b83](https://github.com/daotl/gotrue/commit/9354b83a48a3edcb49197c997a1e96efc80c5383)) +* make the email client explicity set the format to be HTML ([#1149](https://github.com/daotl/gotrue/issues/1149)) ([53e223a](https://github.com/daotl/gotrue/commit/53e223abdf29f4abcad13f99baf00daedcb00c3f)) +* merge provider metadata on link account ([#1552](https://github.com/daotl/gotrue/issues/1552)) ([bd8b5c4](https://github.com/daotl/gotrue/commit/bd8b5c41dd544575e1a52ccf1ef3f0fdee67458c)) +* MFA (Phone) ([#1668](https://github.com/daotl/gotrue/issues/1668)) ([ae091aa](https://github.com/daotl/gotrue/commit/ae091aa942bdc5bc97481037508ec3bb4079d859)) +* MFA factor enrollment notifications ([#2183](https://github.com/daotl/gotrue/issues/2183)) ([53db712](https://github.com/daotl/gotrue/commit/53db712f0c3ffae6d61ea3ddcff5e8d7a33639b9)) +* new timeout writer implementation ([#1584](https://github.com/daotl/gotrue/issues/1584)) ([72614a1](https://github.com/daotl/gotrue/commit/72614a1fce27888f294772b512f8e31c55a36d87)) +* notify users when their phone number has changed ([#2184](https://github.com/daotl/gotrue/issues/2184)) ([21f3070](https://github.com/daotl/gotrue/commit/21f30702a62d722bce32972d4b2fcef1da6e2177)) +* **oauth-server:** store and enforce token_endpoint_auth_method ([#2300](https://github.com/daotl/gotrue/issues/2300)) ([bcd6cd5](https://github.com/daotl/gotrue/commit/bcd6cd590a47e963b7afe615c889f62d28cb94a2)) +* **oauth2:** add `/oauth/token` endpoint ([#2159](https://github.com/daotl/gotrue/issues/2159)) ([a89a0b0](https://github.com/daotl/gotrue/commit/a89a0b054e87fee4e193aab4fff7677b56775386)) +* **oauth2:** add admin endpoint to regenerate OAuth client secrets 
([#2170](https://github.com/daotl/gotrue/issues/2170)) ([0bd1c28](https://github.com/daotl/gotrue/commit/0bd1c285aaf3bbb3f3d6e2e131aabfe5cabf0fa5)) +* **oauth2:** return redirect_uri on GET authorization ([#2175](https://github.com/daotl/gotrue/issues/2175)) ([b0a0c3e](https://github.com/daotl/gotrue/commit/b0a0c3e48c8c8686d4cc3f82abd2ed326c297614)) +* **oauth2:** use `id` field as the public client_id ([#2154](https://github.com/daotl/gotrue/issues/2154)) ([86b7de4](https://github.com/daotl/gotrue/commit/86b7de45c9432ea6ee9bd7c7e9cfe96e038fe2bc)) +* **oauth:** add support for X/Twitter v2 provider ([#2275](https://github.com/daotl/gotrue/issues/2275)) ([7f36eb0](https://github.com/daotl/gotrue/commit/7f36eb053286038d01ba1650dd48a15508550ce0)) +* **oauthserver:** add authorization list and revoke endpoints ([#2232](https://github.com/daotl/gotrue/issues/2232)) ([cc640b2](https://github.com/daotl/gotrue/commit/cc640b277989d57b39f3805cd9433ef4fe16bf83)) +* **oauthserver:** add OAuth client admin update endpoint ([#2231](https://github.com/daotl/gotrue/issues/2231)) ([6296a5a](https://github.com/daotl/gotrue/commit/6296a5a226b3c60bcd9d20786750a808af9cd529)) +* **oauthserver:** add OpenID Connect support ([#2250](https://github.com/daotl/gotrue/issues/2250)) ([162788f](https://github.com/daotl/gotrue/commit/162788ff960c060318324f11f673c09c0da41d5e)) +* **oauthserver:** update oauth grant list & authorization details response structure ([#2247](https://github.com/daotl/gotrue/issues/2247)) ([137ea92](https://github.com/daotl/gotrue/commit/137ea92c00a0c1a7654fb8bcf0c1b5313901349f)) +* **oauthserver:** use `NewOAuthServerAuthorizationParams` & configurable ttl for authorization ([#2254](https://github.com/daotl/gotrue/issues/2254)) ([61632f8](https://github.com/daotl/gotrue/commit/61632f8c0401b6c816ea7427d351ec623ce5258f)) +* **openapi:** add OAuth 2.1 server endpoints and clarify OAuth modes ([#2165](https://github.com/daotl/gotrue/issues/2165)) 
([1f804a2](https://github.com/daotl/gotrue/commit/1f804a2795012a1a165ff07afdb9dd98ad8ff291)) +* pass transaction to `invokeHook`, fixing pool exhaustion ([#1465](https://github.com/daotl/gotrue/issues/1465)) ([b536d36](https://github.com/daotl/gotrue/commit/b536d368f35adb31f937169e3f093d28352fa7be)) +* password changed email notification ([#2176](https://github.com/daotl/gotrue/issues/2176)) ([fe0fd04](https://github.com/daotl/gotrue/commit/fe0fd04c9f5558d0165a94c7c080fb15c036d08f)) +* prefix release with v ([#1424](https://github.com/daotl/gotrue/issues/1424)) ([9d398cd](https://github.com/daotl/gotrue/commit/9d398cd75fca01fb848aa88b4f545552e8b5751a)) +* preserve rate limiters in memory across configuration reloads ([#1792](https://github.com/daotl/gotrue/issues/1792)) ([0a3968b](https://github.com/daotl/gotrue/commit/0a3968b02b9f044bfb7e5ebc71dca970d2bb7807)) +* properly handle redirect url fragments and unusual hostnames ([#2200](https://github.com/daotl/gotrue/issues/2200)) ([aa0ac5b](https://github.com/daotl/gotrue/commit/aa0ac5b9a8af26d4b779e48ec4da2ab06a6dc15e)) +* refactor generate accesss token to take in request ([#1531](https://github.com/daotl/gotrue/issues/1531)) ([e4f2b59](https://github.com/daotl/gotrue/commit/e4f2b59e8e1f8158b6461a384349f1a32cc1bf9a)) +* refactor hooks out of api package ([#1976](https://github.com/daotl/gotrue/issues/1976)) ([c5904c0](https://github.com/daotl/gotrue/commit/c5904c05d9dce4366e6527aa40e439a3c8c460bb)) +* refactor mailer client wiring and add validation wrapper ([#2130](https://github.com/daotl/gotrue/issues/2130)) ([68c40a6](https://github.com/daotl/gotrue/commit/68c40a6a494029d8d704b14abbe85171a7dc8d12)) +* refactor one-time tokens for performance ([#1558](https://github.com/daotl/gotrue/issues/1558)) ([d1cf8d9](https://github.com/daotl/gotrue/commit/d1cf8d9096e9183d7772b73031de8ecbd66e912b)) +* refactor PKCE FlowState to reduce duplicate code ([#1446](https://github.com/daotl/gotrue/issues/1446)) 
([b8d0337](https://github.com/daotl/gotrue/commit/b8d0337922c6712380f6dc74f7eac9fb71b1ae48)) +* refactor resource owner password grant ([#1443](https://github.com/daotl/gotrue/issues/1443)) ([e63ad6f](https://github.com/daotl/gotrue/commit/e63ad6ff0f67d9a83456918a972ecb5109125628)) +* remove legacy lookup in users for one_time_tokens (phase II) ([#1569](https://github.com/daotl/gotrue/issues/1569)) ([39ca026](https://github.com/daotl/gotrue/commit/39ca026035f6c61d206d31772c661b326c2a424c)) +* replace JWT OAuth state with `flow_state.id` UUID ([#2331](https://github.com/daotl/gotrue/issues/2331)) ([645654d](https://github.com/daotl/gotrue/commit/645654df63a3da7929840659c065f6a9cdd4ba96)) +* reset main branch to 2.185.0 ([#2325](https://github.com/daotl/gotrue/issues/2325)) ([b9d0500](https://github.com/daotl/gotrue/commit/b9d050029ce90efc083f08a1e8df629faf20e8cd)) +* return validation failed error if captcha request was not json ([#1815](https://github.com/daotl/gotrue/issues/1815)) ([26d2e36](https://github.com/daotl/gotrue/commit/26d2e36bba29eb8a6ddba556acfd0820f3bfde5d)) +* send over user in SendSMS Hook instead of UserID ([#1551](https://github.com/daotl/gotrue/issues/1551)) ([d4d743c](https://github.com/daotl/gotrue/commit/d4d743c2ae9490e1b3249387e3b0d60df6913c68)) +* separate web3 rate limits from other `/token?grant_type=...` ([#1985](https://github.com/daotl/gotrue/issues/1985)) ([8b23382](https://github.com/daotl/gotrue/commit/8b233820e41fedd18338eb37345ecbb0beb350ce)) +* set `email_verified` to true on all identities with the verified email ([#1902](https://github.com/daotl/gotrue/issues/1902)) ([307892f](https://github.com/daotl/gotrue/commit/307892f85b39150074fbb80b9c8f45ac3312aae2)) +* skip nonce check for Facebook Limited Login auth ([#2082](https://github.com/daotl/gotrue/issues/2082)) ([f1b15ff](https://github.com/daotl/gotrue/commit/f1b15ffdb9b1f1af873a147fdb5d039382becb2e)) +* store latest challenge/attestation data 
([#2179](https://github.com/daotl/gotrue/issues/2179)) ([01ebce1](https://github.com/daotl/gotrue/commit/01ebce1bf01b563105d653ff168a16e72c12d481)) +* support `transfer_sub` in apple id tokens ([#2162](https://github.com/daotl/gotrue/issues/2162)) ([8a71006](https://github.com/daotl/gotrue/commit/8a71006486027c0850a58ec6e94f62a1607d1d48)) +* support ledger solana offchain message signing ([#2093](https://github.com/daotl/gotrue/issues/2093)) ([4c94443](https://github.com/daotl/gotrue/commit/4c944431558aaca3c945c472dc5a27077f6dfa75)) +* support multiple `aud` for the external providers ([#2117](https://github.com/daotl/gotrue/issues/2117)) ([ca5792e](https://github.com/daotl/gotrue/commit/ca5792e41a48f20a395646015c28ce272355bf63)) +* support percentage based db limits with reload support ([#2177](https://github.com/daotl/gotrue/issues/2177)) ([1731466](https://github.com/daotl/gotrue/commit/1731466903539569ec5b308db4e39eb33c653b94)) +* switch to googleapis/release-please-action, bump to 2.166.0 ([#1883](https://github.com/daotl/gotrue/issues/1883)) ([11a312f](https://github.com/daotl/gotrue/commit/11a312fcf77771b3732f2f439078225895df7a85)) +* Treat rate limit header value as comma-separated list ([#2282](https://github.com/daotl/gotrue/issues/2282)) ([5f2e279](https://github.com/daotl/gotrue/commit/5f2e2792560d57dd14fbf3e69c133a7ec8518c4d)) +* update chi version ([#1581](https://github.com/daotl/gotrue/issues/1581)) ([c64ae3d](https://github.com/daotl/gotrue/commit/c64ae3dd775e8fb3022239252c31b4ee73893237)) +* update openapi spec with identity and is_anonymous fields ([#1573](https://github.com/daotl/gotrue/issues/1573)) ([86a79df](https://github.com/daotl/gotrue/commit/86a79df9ecfcf09fda0b8e07afbc41154fbb7d9d)) +* update README.md to trigger release ([#1425](https://github.com/daotl/gotrue/issues/1425)) ([91e0e24](https://github.com/daotl/gotrue/commit/91e0e245f5957ebce13370f79fd4a6be8108ed80)) +* upgrade otel to v1.26 
([#1585](https://github.com/daotl/gotrue/issues/1585)) ([cdd13ad](https://github.com/daotl/gotrue/commit/cdd13adec02eb0c9401bc55a2915c1005d50dea1)) +* use `global_user_id` over `sub` for `vercel_marketplace` issuer ([#1990](https://github.com/daotl/gotrue/issues/1990)) ([f94f97e](https://github.com/daotl/gotrue/commit/f94f97e8d3e530d730d9352a14b477fd33548df2)) +* use `slices.Contains` instead of for loops ([#2111](https://github.com/daotl/gotrue/issues/2111)) ([9f22682](https://github.com/daotl/gotrue/commit/9f2268263118713d3390ce4617ccf21bc2c031eb)) +* use dummy instance id to improve performance on refresh token queries ([#1454](https://github.com/daotl/gotrue/issues/1454)) ([656474e](https://github.com/daotl/gotrue/commit/656474e1b9ff3d5129190943e8c48e456625afe5)) +* use embedded migrations for `migrate` command ([#1843](https://github.com/daotl/gotrue/issues/1843)) ([e358da5](https://github.com/daotl/gotrue/commit/e358da5f0e267725a77308461d0a4126436fc537)) +* use largest avatar from spotify instead ([#1210](https://github.com/daotl/gotrue/issues/1210)) ([4f9994b](https://github.com/daotl/gotrue/commit/4f9994bf792c3887f2f45910b11a9c19ee3a896b)), closes [#1209](https://github.com/daotl/gotrue/issues/1209) +* Vercel marketplace OIDC ([#1731](https://github.com/daotl/gotrue/issues/1731)) ([a9ff361](https://github.com/daotl/gotrue/commit/a9ff3612196af4a228b53a8bfb9c11785bcfba8d)) +* webauthn support schema changes, update openapi.yaml ([#2163](https://github.com/daotl/gotrue/issues/2163)) ([68cb8d2](https://github.com/daotl/gotrue/commit/68cb8d2ba3ded878c68d7cb76465bfaaac58436a)) + + +### Bug Fixes + +* accept ID tokens from all `account.apple.com` and `appleid.apple.com` ([#2050](https://github.com/daotl/gotrue/issues/2050)) ([82aa167](https://github.com/daotl/gotrue/commit/82aa167cae01658b5319914f3412d78876955106)) +* add `id-token` permission to ci ([#2143](https://github.com/daotl/gotrue/issues/2143)) 
([79209c0](https://github.com/daotl/gotrue/commit/79209c0e35afa82ec8822a343108d6a690e14229)) +* add `supafast` tarball for upgrading auth via supabase-admin-api ([#2009](https://github.com/daotl/gotrue/issues/2009)) ([9b55785](https://github.com/daotl/gotrue/commit/9b557855a3ab80ee93ab95159055a444bff53f01)) +* add additional information around errors for missing content type header ([#1576](https://github.com/daotl/gotrue/issues/1576)) ([c2b2f96](https://github.com/daotl/gotrue/commit/c2b2f96f07c97c15597cd972b1cd672238d87cdc)) +* add cleanup statement for anonymous users ([#1497](https://github.com/daotl/gotrue/issues/1497)) ([cf2372a](https://github.com/daotl/gotrue/commit/cf2372a177796b829b72454e7491ce768bf5a42f)) +* add db conn max idle time setting ([#1555](https://github.com/daotl/gotrue/issues/1555)) ([2caa7b4](https://github.com/daotl/gotrue/commit/2caa7b4d75d2ff54af20f3e7a30a8eeec8cbcda9)) +* add error codes to password login flow ([#1721](https://github.com/daotl/gotrue/issues/1721)) ([4351226](https://github.com/daotl/gotrue/commit/435122627a0784f1c5cb76d7e08caa1f6259423b)) +* add error codes to refresh token flow ([#1824](https://github.com/daotl/gotrue/issues/1824)) ([4614dc5](https://github.com/daotl/gotrue/commit/4614dc54ab1dcb5390cfed05441e7888af017d92)) +* add http support for https hooks on localhost ([#1484](https://github.com/daotl/gotrue/issues/1484)) ([5c04104](https://github.com/daotl/gotrue/commit/5c04104bf77a9c2db46d009764ec3ec3e484fc09)) +* add ip based limiter ([#1622](https://github.com/daotl/gotrue/issues/1622)) ([06464c0](https://github.com/daotl/gotrue/commit/06464c013571253d1f18f7ae5e840826c4bd84a7)) +* add last_challenged_at field to mfa factors ([#1705](https://github.com/daotl/gotrue/issues/1705)) ([29cbeb7](https://github.com/daotl/gotrue/commit/29cbeb799ff35ce528bfbd01b7103a24903d8061)) +* add missing param ([#2125](https://github.com/daotl/gotrue/issues/2125)) 
([c0b75f6](https://github.com/daotl/gotrue/commit/c0b75f66229410e6e5fbc7cd1ae9066cec54c5d7)) +* add missing provider info to signedup audit logs ([#2061](https://github.com/daotl/gotrue/issues/2061)) ([c6e0cbe](https://github.com/daotl/gotrue/commit/c6e0cbefe5b609ac3362c23d0f7cb9d9bb04abc9)) +* add test coverage for rate limits with 0 permitted events ([#1834](https://github.com/daotl/gotrue/issues/1834)) ([7c3cf26](https://github.com/daotl/gotrue/commit/7c3cf26cfe2a3e4de579d10509945186ad719855)) +* add token to hook payload for non-secure email change ([#1763](https://github.com/daotl/gotrue/issues/1763)) ([7e472ad](https://github.com/daotl/gotrue/commit/7e472ad72042e86882dab3fddce9fafa66a8236c)) +* add twilio verify support on mfa ([#1714](https://github.com/daotl/gotrue/issues/1714)) ([aeb5d8f](https://github.com/daotl/gotrue/commit/aeb5d8f8f18af60ce369cab5714979ac0c208308)) +* add validation and proper decoding on send email hook ([#1520](https://github.com/daotl/gotrue/issues/1520)) ([e19e762](https://github.com/daotl/gotrue/commit/e19e762e3e29729a1d1164c65461427822cc87f1)) +* additional provider and issuer checks ([#2326](https://github.com/daotl/gotrue/issues/2326)) ([cb79a74](https://github.com/daotl/gotrue/commit/cb79a7414e8b2bff30113bdf2b9ec6d6e93c1146)) +* admin user update should update is_anonymous field ([#1623](https://github.com/daotl/gotrue/issues/1623)) ([f5c6fcd](https://github.com/daotl/gotrue/commit/f5c6fcd9c3fee0f793f96880a8caebc5b5cb0916)) +* allow anonymous user to update password ([#1739](https://github.com/daotl/gotrue/issues/1739)) ([2d51956](https://github.com/daotl/gotrue/commit/2d519569d7b8540886d0a64bf3e561ef5f91eb63)) +* allow enabling sms hook without setting up sms provider ([#1704](https://github.com/daotl/gotrue/issues/1704)) ([575e88a](https://github.com/daotl/gotrue/commit/575e88ac345adaeb76ab6aae077307fdab9cda3c)) +* allow HTTP with localhost in solana ([#2027](https://github.com/daotl/gotrue/issues/2027)) 
([3ee02f0](https://github.com/daotl/gotrue/commit/3ee02f085df206dcd3e6fa79f2d583148ebc52b8)) +* amr claim should contain provider_id for sso method ([#2033](https://github.com/daotl/gotrue/issues/2033)) ([33741e1](https://github.com/daotl/gotrue/commit/33741e18d2e0adb691e650355337924f9ccfd91f)) +* apply authorized email restriction to non-admin routes ([#1778](https://github.com/daotl/gotrue/issues/1778)) ([1af203f](https://github.com/daotl/gotrue/commit/1af203f92372e6db12454a0d319aad8ce3d149e7)) +* apply mailer autoconfirm config to update user email ([#1646](https://github.com/daotl/gotrue/issues/1646)) ([a518505](https://github.com/daotl/gotrue/commit/a5185058e72509b0781e0eb59910ecdbb8676fee)) +* apply shared limiters before email / sms is sent ([#1748](https://github.com/daotl/gotrue/issues/1748)) ([bf276ab](https://github.com/daotl/gotrue/commit/bf276ab49753642793471815727559172fea4efc)) +* **auditlog:** keep writing to logs even postgres is disabled ([#2076](https://github.com/daotl/gotrue/issues/2076)) ([b89bc32](https://github.com/daotl/gotrue/commit/b89bc32de5adc9d458e7f95ad9b08a99604c70d8)) +* azure overage claims start with single `_` not two ([#1999](https://github.com/daotl/gotrue/issues/1999)) ([29f3440](https://github.com/daotl/gotrue/commit/29f3440d6376fac22568284d5b417836bf335a74)) +* bypass check for token & verify endpoints ([#1785](https://github.com/daotl/gotrue/issues/1785)) ([9ac2ea0](https://github.com/daotl/gotrue/commit/9ac2ea0180826cd2f65e679524aabfb10666e973)) +* call write header in write if not written ([#1598](https://github.com/daotl/gotrue/issues/1598)) ([0ef7eb3](https://github.com/daotl/gotrue/commit/0ef7eb30619d4c365e06a94a79b9cb0333d792da)) +* change phone constraint to per user ([#1713](https://github.com/daotl/gotrue/issues/1713)) ([b9bc769](https://github.com/daotl/gotrue/commit/b9bc769b93b6e700925fcbc1ebf8bf9678034205)) +* change s3 artifact upload role ([#2145](https://github.com/daotl/gotrue/issues/2145)) 
([767e371](https://github.com/daotl/gotrue/commit/767e37131aa01bf6cb27dbc62b2928e7cc701893)) +* check each type independently ([#2290](https://github.com/daotl/gotrue/issues/2290)) ([d9de0af](https://github.com/daotl/gotrue/commit/d9de0af3a173ae3e9ab0219c07652675f8be1761)) +* check for empty aud string ([#1649](https://github.com/daotl/gotrue/issues/1649)) ([42c1d45](https://github.com/daotl/gotrue/commit/42c1d4526b98203664d4a22c23014ecd0b4951f9)) +* check if session is nil ([#1873](https://github.com/daotl/gotrue/issues/1873)) ([fd82601](https://github.com/daotl/gotrue/commit/fd82601917adcd9f8c38263953eb1ef098b26b7f)) +* check password max length in checkPasswordStrength ([#1659](https://github.com/daotl/gotrue/issues/1659)) ([1858c93](https://github.com/daotl/gotrue/commit/1858c93bba6f5bc41e4c65489f12c1a0786a1f2b)) +* cleanup panics due to bad inactivity timeout code ([#1471](https://github.com/daotl/gotrue/issues/1471)) ([548edf8](https://github.com/daotl/gotrue/commit/548edf898161c9ba9a136fc99ec2d52a8ba1f856)) +* convert refreshed_at to UTC before updating ([#1916](https://github.com/daotl/gotrue/issues/1916)) ([a4c692f](https://github.com/daotl/gotrue/commit/a4c692f6cb1b8bf4c47ea012872af5ce93382fbf)) +* correct casing of API key authentication in openapi.yaml ([0cfd177](https://github.com/daotl/gotrue/commit/0cfd177b8fb1df8f62e84fbd3761ef9f90c384de)) +* correct web authn aaguid column naming ([#1826](https://github.com/daotl/gotrue/issues/1826)) ([0a589d0](https://github.com/daotl/gotrue/commit/0a589d04e1cd9310cb260d329bc8beb050adf8da)) +* custom SMS does not work with Twilio Verify ([#1733](https://github.com/daotl/gotrue/issues/1733)) ([dc2391d](https://github.com/daotl/gotrue/commit/dc2391d15f2c0725710aa388cd32a18797e6769c)) +* deadlock issue with timeout middleware write ([#1595](https://github.com/daotl/gotrue/issues/1595)) ([6c9fbd4](https://github.com/daotl/gotrue/commit/6c9fbd4bd5623c729906fca7857ab508166a3056)) +* default to files:read scope for Figma 
provider ([#1831](https://github.com/daotl/gotrue/issues/1831)) ([9ce2857](https://github.com/daotl/gotrue/commit/9ce28570bf3da9571198d44d693c7ad7038cde33)) +* define search path in auth functions ([#1616](https://github.com/daotl/gotrue/issues/1616)) ([357bda2](https://github.com/daotl/gotrue/commit/357bda23cb2abd12748df80a9d27288aa548534d)) +* deprecate hooks ([#1421](https://github.com/daotl/gotrue/issues/1421)) ([effef1b](https://github.com/daotl/gotrue/commit/effef1b6ecc448b7927eff23df8d5b509cf16b5c)) +* do call send sms hook when SMS autoconfirm is enabled ([#1562](https://github.com/daotl/gotrue/issues/1562)) ([bfe4d98](https://github.com/daotl/gotrue/commit/bfe4d988f3768b0407526bcc7979fb21d8cbebb3)) +* do not log fatal when http server successfully closes ([#2065](https://github.com/daotl/gotrue/issues/2065)) ([1f7de6c](https://github.com/daotl/gotrue/commit/1f7de6c65f31ef0bbb80899369989b13ab5a517f)) +* **docs:** remove bracket on file name for broken link ([#1493](https://github.com/daotl/gotrue/issues/1493)) ([96f7a68](https://github.com/daotl/gotrue/commit/96f7a68a5479825e31106c2f55f82d5b2c007c0f)) +* don't update attribute mapping if nil ([#1665](https://github.com/daotl/gotrue/issues/1665)) ([7e67f3e](https://github.com/daotl/gotrue/commit/7e67f3edbf81766df297a66f52a8e472583438c6)) +* drop the MFA_ENABLED config ([#1701](https://github.com/daotl/gotrue/issues/1701)) ([078c3a8](https://github.com/daotl/gotrue/commit/078c3a8adcd51e57b68ab1b582549f5813cccd14)) +* email header setting no longer misleading ([#1802](https://github.com/daotl/gotrue/issues/1802)) ([3af03be](https://github.com/daotl/gotrue/commit/3af03be6b65c40f3f4f62ce9ab989a20d75ae53a)) +* email_verified field not being updated on signup confirmation ([#1868](https://github.com/daotl/gotrue/issues/1868)) ([483463e](https://github.com/daotl/gotrue/commit/483463e49eec7b2974cca05eadca6b933b2145b5)) +* email-sendhook - bug in email change verification 
([#2044](https://github.com/daotl/gotrue/issues/2044)) ([be20654](https://github.com/daotl/gotrue/commit/be20654ec3af21b93a8d7482a5673b5c8c60ac8a)) +* enable rls & update grants for auth tables ([#1617](https://github.com/daotl/gotrue/issues/1617)) ([28967aa](https://github.com/daotl/gotrue/commit/28967aa4b5db2363cc581c9da0d64e974eb7b64c)) +* enable SO_REUSEPORT in listener config ([#1936](https://github.com/daotl/gotrue/issues/1936)) ([a474b80](https://github.com/daotl/gotrue/commit/a474b80cc1075eb32a7e72a05b0cdb561e61770b)) +* enforce authorized address checks on send email only ([#1806](https://github.com/daotl/gotrue/issues/1806)) ([c0c5b23](https://github.com/daotl/gotrue/commit/c0c5b23728c8fb633dae23aa4b29ed60e2691a2b)) +* enforce uniqueness on verified phone numbers ([#1693](https://github.com/daotl/gotrue/issues/1693)) ([70446cc](https://github.com/daotl/gotrue/commit/70446cc11d70b0493d742fe03f272330bb5b633e)) +* ensure request context exists in API db operations ([#2171](https://github.com/daotl/gotrue/issues/2171)) ([060a992](https://github.com/daotl/gotrue/commit/060a99278d8e3ec4a78ca61b95a9acf0e7052948)) +* error should be an IsNotFoundError ([#1432](https://github.com/daotl/gotrue/issues/1432)) ([7f40047](https://github.com/daotl/gotrue/commit/7f40047aec3577d876602444b1d88078b2237d66)) +* explicit permisions on actions ([#1978](https://github.com/daotl/gotrue/issues/1978)) ([06e9ead](https://github.com/daotl/gotrue/commit/06e9ead3e09e77631597a953a535cb93dd006c7f)) +* expose `provider` under `amr` in access token ([#1456](https://github.com/daotl/gotrue/issues/1456)) ([e9f38e7](https://github.com/daotl/gotrue/commit/e9f38e76d8a7b93c5c2bb0de918a9b156155f018)) +* expose `X-Supabase-Api-Version` header in CORS ([#1612](https://github.com/daotl/gotrue/issues/1612)) ([6ccd814](https://github.com/daotl/gotrue/commit/6ccd814309dca70a9e3585543887194b05d725d3)) +* expose factor type on challenge ([#1709](https://github.com/daotl/gotrue/issues/1709)) 
([e1a21a3](https://github.com/daotl/gotrue/commit/e1a21a34779ca4b2254caf8b7578db4a50172751)) +* external host validation ([#1808](https://github.com/daotl/gotrue/issues/1808)) ([4f6a461](https://github.com/daotl/gotrue/commit/4f6a4617074e61ba3b31836ccb112014904ce97c)), closes [#1228](https://github.com/daotl/gotrue/issues/1228) +* fallback on btree indexes when hash is unavailable ([#1856](https://github.com/daotl/gotrue/issues/1856)) ([b33bc31](https://github.com/daotl/gotrue/commit/b33bc31c07549dc9dc221100995d6f6b6754fd3a)) +* fix `getExcludedColumns` slice allocation ([#1788](https://github.com/daotl/gotrue/issues/1788)) ([7f006b6](https://github.com/daotl/gotrue/commit/7f006b63c8d7e28e55a6d471881e9c118df80585)) +* fix `supafast` tarball generation ([#2011](https://github.com/daotl/gotrue/issues/2011)) ([88bb2c0](https://github.com/daotl/gotrue/commit/88bb2c0638863f94f9f0d7f4ca88ba04929dfd55)) +* Fix reqPath for bypass check for verify EP ([#1789](https://github.com/daotl/gotrue/issues/1789)) ([646dc66](https://github.com/daotl/gotrue/commit/646dc66ea8d59a7f78bf5a5e55d9b5065a718c23)) +* fix the wrong error return value ([#1950](https://github.com/daotl/gotrue/issues/1950)) ([e2dfb5d](https://github.com/daotl/gotrue/commit/e2dfb5d4222e5edc569b54d057db9ed4375a19d8)) +* format test otps ([#1567](https://github.com/daotl/gotrue/issues/1567)) ([434a59a](https://github.com/daotl/gotrue/commit/434a59ae387c35fd6629ec7c674d439537e344e5)) +* generate signup link should not error ([#1514](https://github.com/daotl/gotrue/issues/1514)) ([4fc3881](https://github.com/daotl/gotrue/commit/4fc388186ac7e7a9a32ca9b963a83d6ac2eb7603)) +* gosec incorrectly warns about accessing signature[64] ([#2222](https://github.com/daotl/gotrue/issues/2222)) ([bca6626](https://github.com/daotl/gotrue/commit/bca66268dc4f81821c194a26dcf76209d1c696de)) +* handle user banned error code ([#1851](https://github.com/daotl/gotrue/issues/1851)) 
([a6918f4](https://github.com/daotl/gotrue/commit/a6918f49baee42899b3ae1b7b6bc126d84629c99)) +* hide hook name ([#1743](https://github.com/daotl/gotrue/issues/1743)) ([7e38f4c](https://github.com/daotl/gotrue/commit/7e38f4cf37768fe2adf92bbd0723d1d521b3d74c)) +* hostname can be empty with redirect urls ([#2241](https://github.com/daotl/gotrue/issues/2241)) ([f5a4cba](https://github.com/daotl/gotrue/commit/f5a4cbac73de28cc4b04c5c9725b70517cb131d3)) +* ignore errors if transaction has closed already ([#1726](https://github.com/daotl/gotrue/issues/1726)) ([53c11d1](https://github.com/daotl/gotrue/commit/53c11d173a79ae5c004871b1b5840c6f9425a080)) +* ignore not found error to check for pkce prefix later ([#1929](https://github.com/daotl/gotrue/issues/1929)) ([fbbebcc](https://github.com/daotl/gotrue/commit/fbbebccd5da21ea22323e6f8f853df9168c4c41e)) +* ignore rate limits for autoconfirm ([#1810](https://github.com/daotl/gotrue/issues/1810)) ([9ce2340](https://github.com/daotl/gotrue/commit/9ce23409f960a8efa55075931138624cb681eca5)) +* impose expiry on auth code instead of magic link ([#1440](https://github.com/daotl/gotrue/issues/1440)) ([35aeaf1](https://github.com/daotl/gotrue/commit/35aeaf1b60dd27a22662a6d1955d60cc907b55dd)) +* improve error messaging for http hooks ([#1821](https://github.com/daotl/gotrue/issues/1821)) ([fa020d0](https://github.com/daotl/gotrue/commit/fa020d0fc292d5c381c57ecac6666d9ff657e4c4)) +* improve invalid channel error message returned ([#1908](https://github.com/daotl/gotrue/issues/1908)) ([f72f0ee](https://github.com/daotl/gotrue/commit/f72f0eee328fa0aa041155f5f5dc305f0874d2bf)) +* improve logging structure ([#1583](https://github.com/daotl/gotrue/issues/1583)) ([c22fc15](https://github.com/daotl/gotrue/commit/c22fc15d2a8383e95a2364f383dfa7dce5f5df88)) +* improve MFA QR Code resilience so as to support providers like 1Password ([#1455](https://github.com/daotl/gotrue/issues/1455)) 
([6522780](https://github.com/daotl/gotrue/commit/652278046c9dd92f5cecd778735b058ef3fb41c7)) +* improve mfa verify logs ([#1635](https://github.com/daotl/gotrue/issues/1635)) ([d8b47f9](https://github.com/daotl/gotrue/commit/d8b47f9d3f0dc8f97ad1de49e45f452ebc726481)) +* improve saml assertion logging ([#1915](https://github.com/daotl/gotrue/issues/1915)) ([d6030cc](https://github.com/daotl/gotrue/commit/d6030ccd271a381e2a6ababa11a5beae4b79e5c3)) +* improve session error logging ([#1655](https://github.com/daotl/gotrue/issues/1655)) ([5a6793e](https://github.com/daotl/gotrue/commit/5a6793ee8fce7a089750fe10b3b63bb0a19d6d21)) +* improve token OIDC logging ([#1606](https://github.com/daotl/gotrue/issues/1606)) ([5262683](https://github.com/daotl/gotrue/commit/526268311844467664e89c8329e5aaee817dbbaf)) +* include factor_id in query ([#1702](https://github.com/daotl/gotrue/issues/1702)) ([ac14e82](https://github.com/daotl/gotrue/commit/ac14e82b33545466184da99e99b9d3fe5f3876d9)) +* **indexworker:** detect which schema `pg_trgm` exists in ([#2260](https://github.com/daotl/gotrue/issues/2260)) ([4be12b3](https://github.com/daotl/gotrue/commit/4be12b3e7c0a30b1e289ab81348548f72ab32ba5)) +* **indexworker:** remove pg_trgm extension ([#2301](https://github.com/daotl/gotrue/issues/2301)) ([c553b10](https://github.com/daotl/gotrue/commit/c553b10e5f3b7a8c430b20babe0e7c96178b1c91)) +* inline mailme package for easy development ([#1803](https://github.com/daotl/gotrue/issues/1803)) ([fa6f729](https://github.com/daotl/gotrue/commit/fa6f729a027eff551db104550fa626088e00bc15)) +* invalidate email, phone OTPs on password change ([#1489](https://github.com/daotl/gotrue/issues/1489)) ([960a4f9](https://github.com/daotl/gotrue/commit/960a4f94f5500e33a0ec2f6afe0380bbc9562500)) +* invited users should have a temporary password generated ([#1644](https://github.com/daotl/gotrue/issues/1644)) ([3f70d9d](https://github.com/daotl/gotrue/commit/3f70d9d8974d0e9c437c51e1312ad17ce9056ec9)) +* invites 
should send another email when user exists ([#2058](https://github.com/daotl/gotrue/issues/2058)) ([96469bd](https://github.com/daotl/gotrue/commit/96469bd01b9c37f938aabdb0434a054a111cf963)) +* japanese dot example fix ([#2243](https://github.com/daotl/gotrue/issues/2243)) ([3a5f4b2](https://github.com/daotl/gotrue/commit/3a5f4b211a0f50bd1957f5a41467fc5aa6a01ca6)) +* linkedin_oidc provider error ([#1534](https://github.com/daotl/gotrue/issues/1534)) ([4f5e8e5](https://github.com/daotl/gotrue/commit/4f5e8e5120531e5a103fbdda91b51cabcb4e1a8c)) +* log final writer error instead of handling ([#1564](https://github.com/daotl/gotrue/issues/1564)) ([170bd66](https://github.com/daotl/gotrue/commit/170bd6615405afc852c7107f7358dfc837bad737)) +* log version & migration count ([#1934](https://github.com/daotl/gotrue/issues/1934)) ([8078cdc](https://github.com/daotl/gotrue/commit/8078cdc6f275c97d84c0ba20963327af900b84d0)) +* look for refresh token on mfa verification only in v1 ([#2249](https://github.com/daotl/gotrue/issues/2249)) ([2906b24](https://github.com/daotl/gotrue/commit/2906b2424d0aa804031e66cf92f008289b8a9c77)) +* magiclink failing due to passwordStrength check ([#1769](https://github.com/daotl/gotrue/issues/1769)) ([7a5411f](https://github.com/daotl/gotrue/commit/7a5411f1d4247478f91027bc4969cbbe95b7774c)) +* maintain backward compatibility for asymmetric JWTs ([#1690](https://github.com/daotl/gotrue/issues/1690)) ([0ad1402](https://github.com/daotl/gotrue/commit/0ad1402444348e47e1e42be186b3f052d31be824)) +* make drop_uniqueness_constraint_on_phone idempotent ([#1817](https://github.com/daotl/gotrue/issues/1817)) ([158e473](https://github.com/daotl/gotrue/commit/158e4732afa17620cdd89c85b7b57569feea5c21)) +* **makefile:** remove invalid @ symbol from shell commands ([#2168](https://github.com/daotl/gotrue/issues/2168)) ([e6afe45](https://github.com/daotl/gotrue/commit/e6afe4529859e1ee92ed5c259e04c9fe56de22cf)) +* MFA NewFactor to default to creating unverfied factors 
([#1692](https://github.com/daotl/gotrue/issues/1692)) ([3d448fa](https://github.com/daotl/gotrue/commit/3d448fa73cb77eb8511dbc47bfafecce4a4a2150)) +* mfa verify now works with refresh token algorithm v2 ([#2246](https://github.com/daotl/gotrue/issues/2246)) ([4e8275f](https://github.com/daotl/gotrue/commit/4e8275f915c4d84186d17b41c86a9277055a55e4)) +* minor spelling errors ([#1688](https://github.com/daotl/gotrue/issues/1688)) ([6aca52b](https://github.com/daotl/gotrue/commit/6aca52b56f8a6254de7709c767b9a5649f1da248)), closes [#1682](https://github.com/daotl/gotrue/issues/1682) +* move all EmailActionTypes to mailer package ([#1510](https://github.com/daotl/gotrue/issues/1510)) ([765db08](https://github.com/daotl/gotrue/commit/765db08582669a1b7f054217fa8f0ed45804c0b5)) +* move creation of flow state into function ([#1470](https://github.com/daotl/gotrue/issues/1470)) ([4392a08](https://github.com/daotl/gotrue/commit/4392a08d68d18828005d11382730117a7b143635)) +* move is owned by check to load factor ([#1703](https://github.com/daotl/gotrue/issues/1703)) ([701a779](https://github.com/daotl/gotrue/commit/701a779cf092e777dd4ad4954dc650164b09ab32)) +* new `odic.Provider` for apple with insecure issuer url context ([#2055](https://github.com/daotl/gotrue/issues/2055)) ([23d69f1](https://github.com/daotl/gotrue/commit/23d69f1c450b4a24a262cb25112e68408857a3b2)) +* **oauth-server:** allow custom URI schemes in client redirect URIs ([#2298](https://github.com/daotl/gotrue/issues/2298)) ([ea72f57](https://github.com/daotl/gotrue/commit/ea72f57f99633b33cc7b30b4a0b74ed8314b71e6)) +* **oauth2:** switch to Origin header for request validation ([#2174](https://github.com/daotl/gotrue/issues/2174)) ([42bc9ab](https://github.com/daotl/gotrue/commit/42bc9ab7db24ce1902fef21ba5e90a2128617669)) +* omit empty string from name & use case-insensitive equality for comparing SAML attributes ([#1654](https://github.com/daotl/gotrue/issues/1654)) 
([bf5381a](https://github.com/daotl/gotrue/commit/bf5381a6b1c686955dc4e39fe5fb806ffd309563)) +* **openapi:** add missing OAuth client registration fields ([#2227](https://github.com/daotl/gotrue/issues/2227)) ([cf39a8a](https://github.com/daotl/gotrue/commit/cf39a8ae2cc386f2672f0ecbb8d84dd77f04e56f)) +* populate password verification attempt hook ([#1436](https://github.com/daotl/gotrue/issues/1436)) ([f974bdb](https://github.com/daotl/gotrue/commit/f974bdb58340395955ca27bdd26d57062433ece9)) +* possible panic if refresh token has a null session_id ([#1822](https://github.com/daotl/gotrue/issues/1822)) ([a7129df](https://github.com/daotl/gotrue/commit/a7129df4e1d91a042b56ff1f041b9c6598825475)) +* prevent user email side-channel leak on verify ([#1472](https://github.com/daotl/gotrue/issues/1472)) ([311cde8](https://github.com/daotl/gotrue/commit/311cde8d1e82f823ae26a341e068034d60273864)) +* propagate error when when confirming phone ([#1939](https://github.com/daotl/gotrue/issues/1939)) ([e882b42](https://github.com/daotl/gotrue/commit/e882b42f3929ab2e587a41ba6593edaf237e5535)) +* publish to ghcr.io/supabase/auth ([#1626](https://github.com/daotl/gotrue/issues/1626)) ([930aa3e](https://github.com/daotl/gotrue/commit/930aa3edb633823d4510c2aff675672df06f1211)), closes [#1625](https://github.com/daotl/gotrue/issues/1625) +* rate limits of 0 take precedence over MAILER_AUTO_CONFIRM ([#1837](https://github.com/daotl/gotrue/issues/1837)) ([cb7894e](https://github.com/daotl/gotrue/commit/cb7894e1119d27d527dedcca22d8b3d433beddac)) +* redirect invalid state errors to site url ([#1722](https://github.com/daotl/gotrue/issues/1722)) ([b2b1123](https://github.com/daotl/gotrue/commit/b2b11239dc9f9bd3c85d76f6c23ee94beb3330bb)) +* redirects must not be to ip addresses ([#1984](https://github.com/daotl/gotrue/issues/1984)) ([347e23a](https://github.com/daotl/gotrue/commit/347e23a98c2ee362620d2711d12a76d7bc266a8f)) +* refactor email sending functions 
([#1495](https://github.com/daotl/gotrue/issues/1495)) ([285c290](https://github.com/daotl/gotrue/commit/285c290adf231fea7ca1dff954491dc427cf18e2)) +* refactor factor_test to centralize setup ([#1473](https://github.com/daotl/gotrue/issues/1473)) ([c86007e](https://github.com/daotl/gotrue/commit/c86007e59684334b5e8c2285c36094b6eec89442)) +* refactor mfa and aal update methods ([#1503](https://github.com/daotl/gotrue/issues/1503)) ([31a5854](https://github.com/daotl/gotrue/commit/31a585429bf248aa919d94c82c7c9e0c1c695461)) +* refactor mfa challenge and tests ([#1469](https://github.com/daotl/gotrue/issues/1469)) ([6c76f21](https://github.com/daotl/gotrue/commit/6c76f21cee5dbef0562c37df6a546939affb2f8d)) +* refactor mfa models and add observability to loadFactor ([#1669](https://github.com/daotl/gotrue/issues/1669)) ([822fb93](https://github.com/daotl/gotrue/commit/822fb93faab325ba3d4bb628dff43381d68d0b5d)) +* refactor mfa validation into functions ([#1780](https://github.com/daotl/gotrue/issues/1780)) ([410b8ac](https://github.com/daotl/gotrue/commit/410b8acdd659fc4c929fe57a9e9dba4c76da305d)) +* refactor request params to use generics ([#1464](https://github.com/daotl/gotrue/issues/1464)) ([e1cdf5c](https://github.com/daotl/gotrue/commit/e1cdf5c4b5c1bf467094f4bdcaa2e42a5cc51c20)) +* refactor TOTP MFA into separate methods ([#1698](https://github.com/daotl/gotrue/issues/1698)) ([250d92f](https://github.com/daotl/gotrue/commit/250d92f9a18d38089d1bf262ef9088022a446965)) +* reloader unittest races on writeWg ([#2352](https://github.com/daotl/gotrue/issues/2352)) ([088b714](https://github.com/daotl/gotrue/commit/088b7149d6857cfe65e4338c1ee9e079688f8c92)) +* remove azure claim overage code. 
([#2005](https://github.com/daotl/gotrue/issues/2005)) ([63dce14](https://github.com/daotl/gotrue/commit/63dce14488f92d9e0e67028cd0ae6e002ebf532a)) +* remove check for content-length ([#1700](https://github.com/daotl/gotrue/issues/1700)) ([81b332d](https://github.com/daotl/gotrue/commit/81b332d2f48622008469d2c5a9b130465a65f2a3)) +* remove deprecated LogoutAllRefreshTokens ([#1519](https://github.com/daotl/gotrue/issues/1519)) ([35533ea](https://github.com/daotl/gotrue/commit/35533ea100669559e1209ecc7b091db3657234d9)) +* remove FindFactorsByUser ([#1707](https://github.com/daotl/gotrue/issues/1707)) ([af8e2dd](https://github.com/daotl/gotrue/commit/af8e2dda15a1234a05e7d2d34d316eaa029e0912)) +* remove requirement of empty content-type on 204 ([#2128](https://github.com/daotl/gotrue/issues/2128)) ([ecc97e0](https://github.com/daotl/gotrue/commit/ecc97e0fac7cb1bd736ef6db435a0a5fb224e954)) +* remove server side cookie token methods ([#1742](https://github.com/daotl/gotrue/issues/1742)) ([c6efec4](https://github.com/daotl/gotrue/commit/c6efec4cbc950e01e1fd06d45ed821bd27c2ad08)) +* remove TOTP field for phone enroll response ([#1717](https://github.com/daotl/gotrue/issues/1717)) ([4b04327](https://github.com/daotl/gotrue/commit/4b043275dd2d94600a8138d4ebf4638754ed926b)) +* rename from CustomSMSProvider to SendSMS ([#1513](https://github.com/daotl/gotrue/issues/1513)) ([c0bc37b](https://github.com/daotl/gotrue/commit/c0bc37b44effaebb62ba85102f072db07fe57e48)) +* Resend SMS when duplicate SMS sign ups are made ([#1490](https://github.com/daotl/gotrue/issues/1490)) ([73240a0](https://github.com/daotl/gotrue/commit/73240a0b096977703e3c7d24a224b5641ce47c81)) +* resolving azure overage claim should include `api-version=1.6` query parameter ([#2000](https://github.com/daotl/gotrue/issues/2000)) ([44890d0](https://github.com/daotl/gotrue/commit/44890d0a6df903e765bcde509231a78f61890bec)) +* restrict autoconfirm email change to anonymous users 
([#1679](https://github.com/daotl/gotrue/issues/1679)) ([b57e223](https://github.com/daotl/gotrue/commit/b57e2230102280ed873acf70be1aeb5a2f6f7a4f)) +* restrict mfa enrollment to aal2 if verified factors are present ([#1439](https://github.com/daotl/gotrue/issues/1439)) ([7e10d45](https://github.com/daotl/gotrue/commit/7e10d45e54010d38677f4c3f2f224127688eb9a2)) +* return error if session id does not exist ([#1538](https://github.com/daotl/gotrue/issues/1538)) ([91e9eca](https://github.com/daotl/gotrue/commit/91e9ecabe33a1c022f8e82a6050c22a7ca42de48)) +* return oauth identity when user is created ([#1736](https://github.com/daotl/gotrue/issues/1736)) ([60cfb60](https://github.com/daotl/gotrue/commit/60cfb6063afa574dfe4993df6b0e087d4df71309)) +* return proper error if sms rate limit is exceeded ([#1647](https://github.com/daotl/gotrue/issues/1647)) ([3c8d765](https://github.com/daotl/gotrue/commit/3c8d7656431ac4b2e80726b7c37adb8f0c778495)) +* return the error code instead of status code ([#1855](https://github.com/daotl/gotrue/issues/1855)) ([834a380](https://github.com/daotl/gotrue/commit/834a380d803ae9ce59ce5ee233fa3a78a984fe68)) +* Revert "fix: revert fallback on btree indexes when hash is unavailable" ([#1859](https://github.com/daotl/gotrue/issues/1859)) ([9fe5b1e](https://github.com/daotl/gotrue/commit/9fe5b1eebfafb385d6b5d10196aeb2a1964ab296)) +* revert define search path in auth functions ([#1634](https://github.com/daotl/gotrue/issues/1634)) ([155e87e](https://github.com/daotl/gotrue/commit/155e87ef8129366d665968f64d1fc66676d07e16)) +* revert fallback on btree indexes when hash is unavailable ([#1858](https://github.com/daotl/gotrue/issues/1858)) ([1c7202f](https://github.com/daotl/gotrue/commit/1c7202ff835856562ee66b33be131eca769acf1d)) +* revert patch for linkedin_oidc provider error ([#1535](https://github.com/daotl/gotrue/issues/1535)) ([58ef4af](https://github.com/daotl/gotrue/commit/58ef4af0b4224b78cd9e59428788d16a8d31e562)) +* revert refactor resource 
owner password grant ([#1466](https://github.com/daotl/gotrue/issues/1466)) ([fa21244](https://github.com/daotl/gotrue/commit/fa21244fa929709470c2e1fc4092a9ce947399e7)) +* run release-please again ([#2144](https://github.com/daotl/gotrue/issues/2144)) ([2560f14](https://github.com/daotl/gotrue/commit/2560f14ef6ee35f84b7c592290647e0d1c8a3932)) +* sanitize redirect URL (remove fragment, query) before pattern matching ([#1974](https://github.com/daotl/gotrue/issues/1974)) ([ccf20d7](https://github.com/daotl/gotrue/commit/ccf20d724f31871b71292e0ea867c48e2cdfdbcb)) +* serialize jwt as string ([#1657](https://github.com/daotl/gotrue/issues/1657)) ([98d8324](https://github.com/daotl/gotrue/commit/98d83245e40d606438eb0afdbf474276179fd91d)) +* set rate limit log level to warn ([#1652](https://github.com/daotl/gotrue/issues/1652)) ([10ca9c8](https://github.com/daotl/gotrue/commit/10ca9c806e4b67a371897f1b3f93c515764c4240)) +* simplify WaitForCleanup ([#1747](https://github.com/daotl/gotrue/issues/1747)) ([0084625](https://github.com/daotl/gotrue/commit/0084625ad0790dd7c14b412d932425f4b84bb4c8)) +* skip apple oidc issuer check ([#2053](https://github.com/daotl/gotrue/issues/2053)) ([1c6f18e](https://github.com/daotl/gotrue/commit/1c6f18e6e573ae1da6875f51d8613992ced057a2)) +* skip cleanup for non-2xx status ([#1877](https://github.com/daotl/gotrue/issues/1877)) ([f572ced](https://github.com/daotl/gotrue/commit/f572ced3699c7f920deccce1a3539299541ec94c)) +* sms verify should update is_anonymous field ([#1580](https://github.com/daotl/gotrue/issues/1580)) ([e5f98cb](https://github.com/daotl/gotrue/commit/e5f98cb9e24ecebb0b7dc88c495fd456cc73fcba)) +* **social-auth:** default to current_user:read for Figma provider ([#2195](https://github.com/daotl/gotrue/issues/2195)) ([f409d11](https://github.com/daotl/gotrue/commit/f409d118ebb958c12f2395c0bf4fb9590ab6c0af)) +* stripped binary now includes version ([#2147](https://github.com/daotl/gotrue/issues/2147)) 
([609f169](https://github.com/daotl/gotrue/commit/609f169f505a1f5750fbbf5e9d477cfb4d879eff)) +* tighten email validation rules ([#2304](https://github.com/daotl/gotrue/issues/2304)) ([33bb372](https://github.com/daotl/gotrue/commit/33bb37203ae54c7ddecb6373122fae4b4fd38682)) +* treat `GOTRUE_MFA_ENABLED` as meaning TOTP enabled on enroll and verify ([#1694](https://github.com/daotl/gotrue/issues/1694)) ([8015251](https://github.com/daotl/gotrue/commit/8015251400bd52cbdad3ea28afb83b1cdfe816dd)) +* treat empty string as nil in `encrypted_password` ([#1663](https://github.com/daotl/gotrue/issues/1663)) ([f99286e](https://github.com/daotl/gotrue/commit/f99286eaed505daf3db6f381265ef6024e7e36d2)) +* unlink identity bugs ([#1475](https://github.com/daotl/gotrue/issues/1475)) ([73e8d87](https://github.com/daotl/gotrue/commit/73e8d8742de3575b3165a707b5d2f486b2598d9d)) +* update aal requirements to update user ([#1766](https://github.com/daotl/gotrue/issues/1766)) ([25d9874](https://github.com/daotl/gotrue/commit/25d98743f6cc2cca2b490a087f468c8556ec5e44)) +* update contributing to use v1.22 ([#1609](https://github.com/daotl/gotrue/issues/1609)) ([5894d9e](https://github.com/daotl/gotrue/commit/5894d9e41e7681512a9904ad47082a705e948c98)) +* update copyright year in LICENSE ([#2142](https://github.com/daotl/gotrue/issues/2142)) ([67fe0b0](https://github.com/daotl/gotrue/commit/67fe0b0230b147048dc2b9f546df72af5b3bc362)) +* update figma token endpoint ([#1952](https://github.com/daotl/gotrue/issues/1952)) ([18fbbb5](https://github.com/daotl/gotrue/commit/18fbbb53de04c024b6de829e390145a8452d7ab2)) +* update file name so migration to Drop IP Address is applied ([#1447](https://github.com/daotl/gotrue/issues/1447)) ([f29e89d](https://github.com/daotl/gotrue/commit/f29e89d7d2c48ee8fd5bf8279a7fa3db0ad4d842)) +* update ip mismatch error message ([#1849](https://github.com/daotl/gotrue/issues/1849)) 
([49fbbf0](https://github.com/daotl/gotrue/commit/49fbbf03917a1085c58e9a1ff76c247ae6bb9ca7)) +* update linkedin issuer url ([#1536](https://github.com/daotl/gotrue/issues/1536)) ([10d6d8b](https://github.com/daotl/gotrue/commit/10d6d8b1eafa504da2b2a351d1f64a3a832ab1b9)) +* update MaxFrequency error message to reflect number of seconds ([#1540](https://github.com/daotl/gotrue/issues/1540)) ([e81c25d](https://github.com/daotl/gotrue/commit/e81c25d19551fdebfc5197d96bc220ddb0f8227b)) +* update mfa admin methods ([#1774](https://github.com/daotl/gotrue/issues/1774)) ([567ea7e](https://github.com/daotl/gotrue/commit/567ea7ebd18eacc5e6daea8adc72e59e94459991)) +* update mfa phone migration to be idempotent ([#1687](https://github.com/daotl/gotrue/issues/1687)) ([fdff1e7](https://github.com/daotl/gotrue/commit/fdff1e703bccf93217636266f1862bd0a9205edb)) +* update migration version ([#2343](https://github.com/daotl/gotrue/issues/2343)) ([61ef4db](https://github.com/daotl/gotrue/commit/61ef4dbb5146c4379d495c2fb77c7ade753d1f3b)) +* update OpenAPI schema to use 'minimum' instead of 'min' for integer ([5c1deb2](https://github.com/daotl/gotrue/commit/5c1deb2572143d14c309a1695fe2391e3c52388d)) +* update openapi spec for MFA (Phone) ([#1689](https://github.com/daotl/gotrue/issues/1689)) ([a3da4b8](https://github.com/daotl/gotrue/commit/a3da4b89820c37f03ea128889616aca598d99f68)) +* update phone if autoconfirm is enabled ([#1431](https://github.com/daotl/gotrue/issues/1431)) ([95db770](https://github.com/daotl/gotrue/commit/95db770c5d2ecca4a1e960a8cb28ded37cccc100)) +* upgrade ci Go version ([#1782](https://github.com/daotl/gotrue/issues/1782)) ([97a48f6](https://github.com/daotl/gotrue/commit/97a48f6daaa2edda5b568939cbb1007ccdf33cfc)) +* upgrade godotenv to v1.5.1 to fix multiline file loading ([#1997](https://github.com/daotl/gotrue/issues/1997)) ([f2af4b2](https://github.com/daotl/gotrue/commit/f2af4b250dc7d351ee8d0ede3a814439cac43fee)) +* upgrade golang-jwt to v5 
([#1639](https://github.com/daotl/gotrue/issues/1639)) ([2cb97f0](https://github.com/daotl/gotrue/commit/2cb97f080fa4695766985cc4792d09476534be68)) +* use `appleid.apple.com` as default issuer ([#2068](https://github.com/daotl/gotrue/issues/2068)) ([963a781](https://github.com/daotl/gotrue/commit/963a781ee525ef893ec545583e7d385c02995518)) +* use `split_words` config option for `AuditLog` ([#2075](https://github.com/daotl/gotrue/issues/2075)) ([7ecb234](https://github.com/daotl/gotrue/commit/7ecb234c3d66459c92ba16fd69ed7eb933c4b8a7)) +* use api_external_url domain as localname ([#1575](https://github.com/daotl/gotrue/issues/1575)) ([ed2b490](https://github.com/daotl/gotrue/commit/ed2b4907244281e4c54aaef74b1f4c8a8e3d97c9)) +* use deep equal ([#1672](https://github.com/daotl/gotrue/issues/1672)) ([8efd57d](https://github.com/daotl/gotrue/commit/8efd57dab40346762a04bac61b314ce05d6fa69c)) +* use email change email in identity ([#1429](https://github.com/daotl/gotrue/issues/1429)) ([4d3b9b8](https://github.com/daotl/gotrue/commit/4d3b9b8841b1a5fa8f3244825153cc81a73ba300)) +* use pointer for `user.EncryptedPassword` ([#1637](https://github.com/daotl/gotrue/issues/1637)) ([bbecbd6](https://github.com/daotl/gotrue/commit/bbecbd61a46b0c528b1191f48d51f166c06f4b16)) +* use redirect URL as-is for mobile apps ([#2007](https://github.com/daotl/gotrue/issues/2007)) ([b36cdcd](https://github.com/daotl/gotrue/commit/b36cdcdb90b8f0a96aba9572e2643c0dee3bdd9c)) +* use signing jwk to sign oauth state ([#1728](https://github.com/daotl/gotrue/issues/1728)) ([66fd0c8](https://github.com/daotl/gotrue/commit/66fd0c8434388bbff1e1bf02f40517aca0e9d339)) +* use sys/unix instead of syscall ([#1953](https://github.com/daotl/gotrue/issues/1953)) ([4a6d9bc](https://github.com/daotl/gotrue/commit/4a6d9bcade28db3c7a6c2c610600665190c9a925)) +* user sanitization should clean up email change info too ([#1759](https://github.com/daotl/gotrue/issues/1759)) 
([9d419b4](https://github.com/daotl/gotrue/commit/9d419b400f0637b10e5c235b8fd5bac0d69352bd))
+* validateEmail should normalise emails ([#1790](https://github.com/daotl/gotrue/issues/1790)) ([2e9b144](https://github.com/daotl/gotrue/commit/2e9b144a0cbf2d26d3c4c2eafbff1899a36aeb3b))
+
 ## [2.185.0](https://github.com/supabase/auth/compare/v2.184.0...v2.185.0) (2026-01-12)
diff --git a/README.md b/README.md
index 5ff3a346c..6ec027610 100644
--- a/README.md
+++ b/README.md
@@ -466,20 +466,20 @@ The URI a OAuth2 provider will redirect to with the `code` and `state` values. The base URL used for constructing the URLs to request authorization and access tokens. Used by `gitlab` and `keycloak`. For `gitlab` it defaults to `https://gitlab.com`. For `keycloak` you need to set this to your instance, for example: `https://keycloak.example.com/realms/myrealm` -#### Generic OAuth +#### Generic OIDC -Supabase Auth supports three generic OAuth2/OIDC providers: `generic1`, `generic2`, and `generic3`. These allow you to configure any OAuth2 or OIDC-compatible identity provider that isn't explicitly supported. +Supabase Auth supports three generic OIDC providers: `generic_oidc_1`, `generic_oidc_2`, and `generic_oidc_3`. These allow you to configure any OIDC-compatible identity provider that isn't explicitly supported. **Option 1: OIDC Discovery (Recommended)** If your identity provider supports [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html), you can set a single discovery URL instead of configuring each endpoint separately: ```properties -GOTRUE_EXTERNAL_GENERIC1_ENABLED=true -GOTRUE_EXTERNAL_GENERIC1_CLIENT_ID=myappclientid -GOTRUE_EXTERNAL_GENERIC1_SECRET=clientsecretvaluessssh -GOTRUE_EXTERNAL_GENERIC1_REDIRECT_URI=http://localhost:3000/callback -GOTRUE_EXTERNAL_GENERIC1_DISCOVERY_URL=https://example.com/.well-known/openid-configuration +GOTRUE_EXTERNAL_GENERIC_OIDC_1_ENABLED=true +GOTRUE_EXTERNAL_GENERIC_OIDC_1_CLIENT_ID=myappclientid +GOTRUE_EXTERNAL_GENERIC_OIDC_1_SECRET=clientsecretvaluessssh +GOTRUE_EXTERNAL_GENERIC_OIDC_1_REDIRECT_URI=http://localhost:3000/callback +GOTRUE_EXTERNAL_GENERIC_OIDC_1_DISCOVERY_URL=https://example.com/.well-known/openid-configuration ``` When `DISCOVERY_URL` is set, the provider will automatically fetch the OIDC Discovery document to obtain: 
@@ -495,22 +495,22 @@ Note: If `DISCOVERY_URL` is set, it takes precedence over any explicitly configu Alternatively, you can configure each endpoint explicitly: ```properties -GOTRUE_EXTERNAL_GENERIC1_ENABLED=true -GOTRUE_EXTERNAL_GENERIC1_CLIENT_ID=myappclientid -GOTRUE_EXTERNAL_GENERIC1_SECRET=clientsecretvaluessssh -GOTRUE_EXTERNAL_GENERIC1_REDIRECT_URI=http://localhost:3000/callback -GOTRUE_EXTERNAL_GENERIC1_ISSUER=https://example.com -GOTRUE_EXTERNAL_GENERIC1_AUTH_URL=https://example.com/oauth/authorize -GOTRUE_EXTERNAL_GENERIC1_TOKEN_URL=https://example.com/oauth/token -GOTRUE_EXTERNAL_GENERIC1_PROFILE_URL=https://example.com/oauth/userinfo +GOTRUE_EXTERNAL_GENERIC_OIDC_1_ENABLED=true +GOTRUE_EXTERNAL_GENERIC_OIDC_1_CLIENT_ID=myappclientid +GOTRUE_EXTERNAL_GENERIC_OIDC_1_SECRET=clientsecretvaluessssh +GOTRUE_EXTERNAL_GENERIC_OIDC_1_REDIRECT_URI=http://localhost:3000/callback +GOTRUE_EXTERNAL_GENERIC_OIDC_1_ISSUER=https://example.com +GOTRUE_EXTERNAL_GENERIC_OIDC_1_AUTH_URL=https://example.com/oauth/authorize +GOTRUE_EXTERNAL_GENERIC_OIDC_1_TOKEN_URL=https://example.com/oauth/token +GOTRUE_EXTERNAL_GENERIC_OIDC_1_PROFILE_URL=https://example.com/oauth/userinfo ``` **User data mapping:** -The `GOTRUE_EXTERNAL_GENERIC1_USER_DATA_MAPPING` setting maps fields from the OAuth provider's userinfo response to Supabase Auth user claims. The format is `GotrueClaim:ProviderField` where `ProviderField` can use dot notation for nested fields. +The `GOTRUE_EXTERNAL_GENERIC_OIDC_1_USER_DATA_MAPPING` setting maps fields from the OAuth provider's userinfo response to Supabase Auth user claims. The format is `GotrueClaim:ProviderField` where `ProviderField` can use dot notation for nested fields. 
```properties -GOTRUE_EXTERNAL_GENERIC1_USER_DATA_MAPPING=Email:email,Name:name,Avatar:picture,Subject:id +GOTRUE_EXTERNAL_GENERIC_OIDC_1_USER_DATA_MAPPING=Email:email,Name:name,Avatar:picture,Subject:id ``` If a field is not explicitly configured in `USER_DATA_MAPPING`, the provider will automatically look for the snake_case version of the field name. For example: diff --git a/hack/test.env b/hack/test.env index c88e159b5..0c155bbfa 100644 --- a/hack/test.env +++ b/hack/test.env 
@@ -60,36 +60,36 @@ GOTRUE_EXTERNAL_LINKEDIN_ENABLED=true
 GOTRUE_EXTERNAL_LINKEDIN_CLIENT_ID=testclientid
 GOTRUE_EXTERNAL_LINKEDIN_SECRET=testsecret
 GOTRUE_EXTERNAL_LINKEDIN_REDIRECT_URI=https://identity.services.netlify.com/callback
-GOTRUE_EXTERNAL_GENERIC1_ENABLED=true
-GOTRUE_EXTERNAL_GENERIC1_CLIENT_ID=generic1_client_id
-GOTRUE_EXTERNAL_GENERIC1_SECRET=generic1_client_secret
-GOTRUE_EXTERNAL_GENERIC1_REDIRECT_URI=http://localhost:8000/callback
-GOTRUE_EXTERNAL_GENERIC1_REQUIRES_PKCE=false
-GOTRUE_EXTERNAL_GENERIC1_ISSUER=https://identity.services.netlify.com
-GOTRUE_EXTERNAL_GENERIC1_AUTH_URL=https://myidentityprovider.example.com/authorize
-GOTRUE_EXTERNAL_GENERIC1_TOKEN_URL=https://myidentityprovider.example.com/token
-GOTRUE_EXTERNAL_GENERIC1_PROFILE_URL=https://myidentityprovider.example.com/profile
-GOTRUE_EXTERNAL_GENERIC1_USER_DATA_MAPPING=Subject:id,Email:generic_account.email,EmailVerified:generic_account.is_email_verified,Name:generic_account.profile.nickname,Picture:generic_account.profile.profile_image_url
-GOTRUE_EXTERNAL_GENERIC2_ENABLED=true
-GOTRUE_EXTERNAL_GENERIC2_CLIENT_ID=generic2_client_id
-GOTRUE_EXTERNAL_GENERIC2_SECRET=generic2_client_secret
-GOTRUE_EXTERNAL_GENERIC2_REDIRECT_URI=https://identity.services.netlify.com/callback
-GOTRUE_EXTERNAL_GENERIC2_REQUIRES_PKCE=false
-GOTRUE_EXTERNAL_GENERIC2_ISSUER=https://myidentityprovider.example.com
-GOTRUE_EXTERNAL_GENERIC2_AUTH_URL=https://myidentityprovider.example.com/authorize
-GOTRUE_EXTERNAL_GENERIC2_TOKEN_URL=https://myidentityprovider.example.com/token
-GOTRUE_EXTERNAL_GENERIC2_PROFILE_URL=https://myidentityprovider.example.com/profile
-GOTRUE_EXTERNAL_GENERIC2_USER_DATA_MAPPING=Subject:id,Email:generic_account.email,EmailVerified:generic_account.is_email_verified,Name:generic_account.profile.nickname,Picture:generic_account.profile.profile_image_url
-GOTRUE_EXTERNAL_GENERIC3_ENABLED=true
-GOTRUE_EXTERNAL_GENERIC3_CLIENT_ID=generic3_client_id
-GOTRUE_EXTERNAL_GENERIC3_SECRET=generic3_client_secret
-GOTRUE_EXTERNAL_GENERIC3_REDIRECT_URI=https://identity.services.netlify.com/callback
-GOTRUE_EXTERNAL_GENERIC3_REQUIRES_PKCE=false
-GOTRUE_EXTERNAL_GENERIC3_ISSUER=https://myidentityprovider.example.com
-GOTRUE_EXTERNAL_GENERIC3_AUTH_URL=https://myidentityprovider.example.com/authorize
-GOTRUE_EXTERNAL_GENERIC3_TOKEN_URL=https://myidentityprovider.example.com/token
-GOTRUE_EXTERNAL_GENERIC3_PROFILE_URL=https://myidentityprovider.example.com/profile
-GOTRUE_EXTERNAL_GENERIC3_USER_DATA_MAPPING=Subject:id,Email:generic_account.email,EmailVerified:generic_account.is_email_verified,Name:generic_account.profile.nickname,Picture:generic_account.profile.profile_image_url
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_ENABLED=true
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_CLIENT_ID=generic1_client_id
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_SECRET=generic1_client_secret
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_REDIRECT_URI=http://localhost:8000/callback
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_REQUIRES_PKCE=false
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_ISSUER=https://identity.services.netlify.com
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_AUTH_URL=https://myidentityprovider.example.com/authorize
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_TOKEN_URL=https://myidentityprovider.example.com/token
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_PROFILE_URL=https://myidentityprovider.example.com/profile
+GOTRUE_EXTERNAL_GENERIC_OIDC_1_USER_DATA_MAPPING=Subject:id,Email:generic_account.email,EmailVerified:generic_account.is_email_verified,Name:generic_account.profile.nickname,Picture:generic_account.profile.profile_image_url
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_ENABLED=true
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_CLIENT_ID=generic2_client_id
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_SECRET=generic2_client_secret
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_REQUIRES_PKCE=false
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_ISSUER=https://myidentityprovider.example.com
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_AUTH_URL=https://myidentityprovider.example.com/authorize
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_TOKEN_URL=https://myidentityprovider.example.com/token
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_PROFILE_URL=https://myidentityprovider.example.com/profile
+GOTRUE_EXTERNAL_GENERIC_OIDC_2_USER_DATA_MAPPING=Subject:id,Email:generic_account.email,EmailVerified:generic_account.is_email_verified,Name:generic_account.profile.nickname,Picture:generic_account.profile.profile_image_url
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_ENABLED=true
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_CLIENT_ID=generic3_client_id
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_SECRET=generic3_client_secret
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_REQUIRES_PKCE=false
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_ISSUER=https://myidentityprovider.example.com
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_AUTH_URL=https://myidentityprovider.example.com/authorize
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_TOKEN_URL=https://myidentityprovider.example.com/token
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_PROFILE_URL=https://myidentityprovider.example.com/profile
+GOTRUE_EXTERNAL_GENERIC_OIDC_3_USER_DATA_MAPPING=Subject:id,Email:generic_account.email,EmailVerified:generic_account.is_email_verified,Name:generic_account.profile.nickname,Picture:generic_account.profile.profile_image_url
 GOTRUE_EXTERNAL_LINKEDIN_OIDC_ENABLED=true
 GOTRUE_EXTERNAL_LINKEDIN_OIDC_CLIENT_ID=testclientid
 GOTRUE_EXTERNAL_LINKEDIN_OIDC_SECRET=testsecret
diff --git a/internal/api/external.go b/internal/api/external.go
index 4dcbc69db..46db4936a 100644
--- a/internal/api/external.go
+++ b/internal/api/external.go
@@ -698,15 +698,15 @@ func (a *API) Provider(ctx context.Context, name string, scopes string) (provide case "fly": pConfig = config.External.Fly p, err = provider.NewFlyProvider(pConfig, scopes) - case "generic1": - pConfig = *config.External.Generic1.OAuthProviderConfiguration - p, err = provider.NewGenericProvider(config.External.Generic1, scopes) - case "generic2": - pConfig = *config.External.Generic2.OAuthProviderConfiguration - p, err = provider.NewGenericProvider(config.External.Generic2, scopes) - case "generic3": - pConfig = *config.External.Generic3.OAuthProviderConfiguration - p, err = provider.NewGenericProvider(config.External.Generic3, scopes) + case "generic_oidc_1": + pConfig = *config.External.GenericOIDC1.OAuthProviderConfiguration + p, err = provider.NewGenericProvider(config.External.GenericOIDC1, scopes) + case "generic_oidc_2": + pConfig = *config.External.GenericOIDC2.OAuthProviderConfiguration + p, err = provider.NewGenericProvider(config.External.GenericOIDC2, scopes) + case "generic_oidc_3": + pConfig = *config.External.GenericOIDC3.OAuthProviderConfiguration + p, err = provider.NewGenericProvider(config.External.GenericOIDC3, scopes) case "github": pConfig = config.External.Github p, err = provider.NewGithubProvider(pConfig, scopes) diff --git a/internal/api/external_generic_test.go b/internal/api/external_generic_test.go index 6f66ab53d..424e89ec0 100644 --- a/internal/api/external_generic_test.go +++ b/internal/api/external_generic_test.go 
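Review bot: The `generic1`/`generic2`/`generic3` cases in `Provider` are replaced outright, so a request with `provider=generic1` no longer matches any case and presumably falls through to the switch's default branch, which is outside this hunk. The tests in this commit show the provider name is persisted (`flowState.ProviderType`), so identities already stored under the old name may stop matching the renamed provider; that is worth confirming, and covering with a data migration or an alias such as `case "generic_oidc_1", "generic1":` for a deprecation window. The same rename without a fallback appears in the `ProviderSettings` JSON keys in internal/api/settings.go and in the `envconfig` tags in internal/conf/configuration.go, where existing `GOTRUE_EXTERNAL_GENERIC1_*` variables would presumably be ignored and leave the provider disabled with no log line. A startup warning when the legacy variable names are still set, plus a test that pins what `provider=generic1` now returns, would make the break explicit to operators. `Provider` starts before this hunk and continues after it.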
@@ -14,25 +14,25 @@ import ( ) func (ts *ExternalTestSuite) TestSignupExternalGeneric() { - req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=generic1", nil) + req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=generic_oidc_1", nil) w := httptest.NewRecorder() ts.API.handler.ServeHTTP(w, req) ts.Require().Equal(http.StatusFound, w.Code) u, err := url.Parse(w.Header().Get("Location")) ts.Require().NoError(err, "redirect url parse failed") q := u.Query() - ts.Equal(ts.Config.External.Generic1.RedirectURI, q.Get("redirect_uri")) - ts.Equal(ts.Config.External.Generic1.ClientID, []string{q.Get("client_id")}) + ts.Equal(ts.Config.External.GenericOIDC1.RedirectURI, q.Get("redirect_uri")) + ts.Equal(ts.Config.External.GenericOIDC1.ClientID, []string{q.Get("client_id")}) ts.Equal("code", q.Get("response_type")) // Verify state is a valid flow state UUID - assertValidOAuthState(ts, q.Get("state"), "generic1") + assertValidOAuthState(ts, q.Get("state"), "generic_oidc_1") // Verify flow state was created with correct params in database stateUUID := q.Get("state") flowState, err := models.FindFlowStateByID(ts.API.db, stateUUID) ts.Require().NoError(err) - ts.Equal("generic1", flowState.ProviderType) + ts.Equal("generic_oidc_1", flowState.ProviderType) ts.Equal("oauth", flowState.AuthenticationMethod) } @@ -41,7 +41,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericWithInviteToken() { token := "test_invite_token" ts.createUser("123", "generic@example.com", "", "", token) - req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=generic1&invite_token="+token, nil) + req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=generic_oidc_1&invite_token="+token, nil) w := httptest.NewRecorder() ts.API.handler.ServeHTTP(w, req) ts.Require().Equal(http.StatusFound, w.Code) 
@@ -54,7 +54,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericWithInviteToken() { stateUUID := q.Get("state") flowState, err := models.FindFlowStateByID(ts.API.db, stateUUID) ts.Require().NoError(err) - ts.Equal("generic1", flowState.ProviderType) + ts.Equal("generic_oidc_1", flowState.ProviderType) ts.Equal("oauth", flowState.AuthenticationMethod) ts.NotNil(flowState.InviteToken) ts.Equal(token, *flowState.InviteToken) @@ -63,7 +63,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericWithInviteToken() { func (ts *ExternalTestSuite) TestSignupExternalGenericWithPKCE() { // PKCE code challenge must be 43-128 characters codeChallenge := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" - req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=generic1&code_challenge="+codeChallenge+"&code_challenge_method=S256", nil) + req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=generic_oidc_1&code_challenge="+codeChallenge+"&code_challenge_method=S256", nil) w := httptest.NewRecorder() ts.API.handler.ServeHTTP(w, req) ts.Require().Equal(http.StatusFound, w.Code) @@ -76,7 +76,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericWithPKCE() { stateUUID := q.Get("state") flowState, err := models.FindFlowStateByID(ts.API.db, stateUUID) ts.Require().NoError(err) - ts.Equal("generic1", flowState.ProviderType) + ts.Equal("generic_oidc_1", flowState.ProviderType) ts.NotNil(flowState.CodeChallenge) ts.Equal("s256", *flowState.CodeChallengeMethod) } 
@@ -84,7 +84,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericWithPKCE() { func (ts *ExternalTestSuite) TestSignupExternalGenericWithOIDCDiscovery() { // This test uses the actual DISCOVERY_URL from hack/test.env // which should point to a real OIDC discovery endpoint - discoveryURL := ts.Config.External.Generic1.DiscoveryURL + discoveryURL := ts.Config.External.GenericOIDC1.DiscoveryURL if discoveryURL == "" { // Skip test when DISCOVERY_URL is not configured (e.g., in CI) ts.T().Skip("DISCOVERY_URL not configured - requires external OIDC provider") @@ -92,7 +92,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericWithOIDCDiscovery() { } // Test authorization flow - should redirect to discovered auth URL - req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=generic1", nil) + req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=generic_oidc_1", nil) w := httptest.NewRecorder() ts.API.handler.ServeHTTP(w, req) ts.Require().Equal(http.StatusFound, w.Code) @@ -107,7 +107,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericWithOIDCDiscovery() { ts.NotEmpty(q.Get("state")) // The redirect URL should contain client_id from config - ts.Equal(ts.Config.External.Generic1.ClientID[0], q.Get("client_id")) + ts.Equal(ts.Config.External.GenericOIDC1.ClientID[0], q.Get("client_id")) } func GenericTestSignupSetup(ts *ExternalTestSuite, tokenCount *int, userCount *int, code string, emails string) *httptest.Server { 
@@ -121,7 +121,7 @@ func GenericTestSignupSetupWithDiscovery(ts *ExternalTestSuite, tokenCount *int, *tokenCount++ ts.Equal(code, r.FormValue("code")) ts.Equal("authorization_code", r.FormValue("grant_type")) - ts.Equal(ts.Config.External.Generic1.RedirectURI, r.FormValue("redirect_uri")) + ts.Equal(ts.Config.External.GenericOIDC1.RedirectURI, r.FormValue("redirect_uri")) w.Header().Add("Content-Type", "application/json") fmt.Fprint(w, `{"access_token":"generic_token","expires_in":100000}`) case "/profile": @@ -167,10 +167,10 @@ func GenericTestSignupSetupWithDiscovery(ts *ExternalTestSuite, tokenCount *int, if !useDiscovery { // Use mock server endpoints (clear discovery URL and set explicit URLs) - ts.Config.External.Generic1.DiscoveryURL = "" - ts.Config.External.Generic1.AuthURL = server.URL + "/authorize" - ts.Config.External.Generic1.TokenURL = server.URL + "/token" - ts.Config.External.Generic1.ProfileURL = server.URL + "/profile" + ts.Config.External.GenericOIDC1.DiscoveryURL = "" + ts.Config.External.GenericOIDC1.AuthURL = server.URL + "/authorize" + ts.Config.External.GenericOIDC1.TokenURL = server.URL + "/token" + ts.Config.External.GenericOIDC1.ProfileURL = server.URL + "/profile" } return server @@ -182,7 +182,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGeneric_AuthorizationCode() { emails := `[{"email":"generic@example.com", "primary": true, "verified": true}]` server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - u := performAuthorization(ts, "generic1", code, "") + u := performAuthorization(ts, "generic_oidc_1", code, "") assertAuthorizationSuccess(ts, u, tokenCount, userCount, "generic@example.com", "Generic Test", "123", "http://example.com/avatar") } 
@@ -195,7 +195,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericDisableSignupErrorWhenNoUs server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - u := performAuthorization(ts, "generic1", code, "") + u := performAuthorization(ts, "generic_oidc_1", code, "") assertAuthorizationFailure(ts, u, "Signups not allowed for this instance", "access_denied", "generic@example.com") } @@ -208,7 +208,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericDisableSignupErrorWhenEmpt server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - u := performAuthorization(ts, "generic1", code, "") + u := performAuthorization(ts, "generic_oidc_1", code, "") assertAuthorizationFailure(ts, u, "Error getting user profile from external provider", "server_error", "generic@example.com") } @@ -224,7 +224,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericDisableSignupSuccessWithPr server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - u := performAuthorization(ts, "generic1", code, "") + u := performAuthorization(ts, "generic_oidc_1", code, "") assertAuthorizationSuccess(ts, u, tokenCount, userCount, "generic@example.com", "Generic Test", "123", "http://example.com/avatar") @@ -240,7 +240,7 @@ func (ts *ExternalTestSuite) TestInviteTokenExternalGenericSuccessWhenMatchingTo server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - u := performAuthorization(ts, "generic1", code, "invite_token") + u := performAuthorization(ts, "generic_oidc_1", code, "invite_token") assertAuthorizationSuccess(ts, u, tokenCount, userCount, "generic@example.com", "Generic Test", "123", "http://example.com/avatar") 
@@ -253,7 +253,7 @@ func (ts *ExternalTestSuite) TestInviteTokenExternalGenericErrorWhenNoMatchingTo server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - w := performAuthorizationRequest(ts, "generic1", "invite_token") + w := performAuthorizationRequest(ts, "generic_oidc_1", "invite_token") ts.Require().Equal(http.StatusNotFound, w.Code) } @@ -266,7 +266,7 @@ func (ts *ExternalTestSuite) TestInviteTokenExternalGenericErrorWhenWrongToken() server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - w := performAuthorizationRequest(ts, "generic1", "wrong_token") + w := performAuthorizationRequest(ts, "generic_oidc_1", "wrong_token") ts.Require().Equal(http.StatusNotFound, w.Code) } @@ -279,7 +279,7 @@ func (ts *ExternalTestSuite) TestInviteTokenExternalGenericErrorWhenEmailDoesntM server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - u := performAuthorization(ts, "generic1", code, "invite_token") + u := performAuthorization(ts, "generic_oidc_1", code, "invite_token") assertAuthorizationFailure(ts, u, "Invited email does not match emails from external provider", "invalid_request", "") } 
@@ -291,13 +291,13 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericErrorWhenVerifiedFalse() { server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - u := performAuthorization(ts, "generic1", code, "") + u := performAuthorization(ts, "generic_oidc_1", code, "") v, err := url.ParseQuery(u.Fragment) ts.Require().NoError(err) ts.Equal("access_denied", v.Get("error")) ts.Equal("provider_email_needs_verification", v.Get("error_code")) - ts.Equal("Unverified email with generic1. A confirmation email has been sent to your generic1 email", v.Get("error_description")) + ts.Equal("Unverified email with generic_oidc_1. A confirmation email has been sent to your generic_oidc_1 email", v.Get("error_description")) } func (ts *ExternalTestSuite) TestSignupExternalGenericErrorWhenUserBanned() { @@ -307,7 +307,7 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericErrorWhenUserBanned() { server := GenericTestSignupSetup(ts, &tokenCount, &userCount, code, emails) defer server.Close() - u := performAuthorization(ts, "generic1", code, "") + u := performAuthorization(ts, "generic_oidc_1", code, "") assertAuthorizationSuccess(ts, u, tokenCount, userCount, "generic@example.com", "Generic Test", "123", "http://example.com/avatar") @@ -317,6 +317,6 @@ func (ts *ExternalTestSuite) TestSignupExternalGenericErrorWhenUserBanned() { user.BannedUntil = &t require.NoError(ts.T(), ts.API.db.UpdateOnly(user, "banned_until")) - u = performAuthorization(ts, "generic1", code, "") + u = performAuthorization(ts, "generic_oidc_1", code, "") assertAuthorizationFailure(ts, u, "User is banned", "access_denied", "") } diff --git a/internal/api/settings.go b/internal/api/settings.go index b91badf34..7301e0b91 100644 --- a/internal/api/settings.go +++ b/internal/api/settings.go 
@@ -12,9 +12,9 @@ type ProviderSettings struct { Snapchat bool `json:"snapchat"` Figma bool `json:"figma"` Fly bool `json:"fly"` - Generic1 bool `json:"generic1"` - Generic2 bool `json:"generic2"` - Generic3 bool `json:"generic3"` + GenericOIDC1 bool `json:"generic_oidc_1"` + GenericOIDC2 bool `json:"generic_oidc_2"` + GenericOIDC3 bool `json:"generic_oidc_3"` GitHub bool `json:"github"` GitLab bool `json:"gitlab"` Google bool `json:"google"` @@ -57,9 +57,9 @@ func (a *API) Settings(w http.ResponseWriter, r *http.Request) error { Snapchat: config.External.Snapchat.Enabled, Figma: config.External.Figma.Enabled, Fly: config.External.Fly.Enabled, - Generic1: config.External.Generic1.Enabled, - Generic2: config.External.Generic2.Enabled, - Generic3: config.External.Generic3.Enabled, + GenericOIDC1: config.External.GenericOIDC1.Enabled, + GenericOIDC2: config.External.GenericOIDC2.Enabled, + GenericOIDC3: config.External.GenericOIDC3.Enabled, GitHub: config.External.Github.Enabled, GitLab: config.External.Gitlab.Enabled, Google: config.External.Google.Enabled, diff --git a/internal/api/settings_test.go b/internal/api/settings_test.go index 893d5d6a8..2942462c0 100644 --- a/internal/api/settings_test.go +++ b/internal/api/settings_test.go @@ -47,9 +47,9 @@ func TestSettings_DefaultProviders(t *testing.T) { require.True(t, p.Twitch) require.True(t, p.WorkOS) require.True(t, p.Zoom) - require.True(t, p.Generic1) - require.True(t, p.Generic2) - require.True(t, p.Generic3) + require.True(t, p.GenericOIDC1) + require.True(t, p.GenericOIDC2) + require.True(t, p.GenericOIDC3) } diff --git a/internal/conf/configuration.go b/internal/conf/configuration.go index e995ce2a0..71425db7a 100644 --- a/internal/conf/configuration.go +++ b/internal/conf/configuration.go 
@@ -437,9 +437,9 @@ type ProviderConfiguration struct { Snapchat OAuthProviderConfiguration `json:"snapchat"` Figma OAuthProviderConfiguration `json:"figma"` Fly OAuthProviderConfiguration `json:"fly"` - Generic1 GenericOAuthProviderConfiguration `json:"generic1"` - Generic2 GenericOAuthProviderConfiguration `json:"generic2"` - Generic3 GenericOAuthProviderConfiguration `json:"generic3"` + GenericOIDC1 GenericOAuthProviderConfiguration `json:"generic_oidc_1" envconfig:"GENERIC_OIDC_1"` + GenericOIDC2 GenericOAuthProviderConfiguration `json:"generic_oidc_2" envconfig:"GENERIC_OIDC_2"` + GenericOIDC3 GenericOAuthProviderConfiguration `json:"generic_oidc_3" envconfig:"GENERIC_OIDC_3"` Github OAuthProviderConfiguration `json:"github"` Gitlab OAuthProviderConfiguration `json:"gitlab"` Google OAuthProviderConfiguration `json:"google"`