CHANGELOG.md

Changelog

2.163.2 (2024-10-22)

Bug Fixes

• ignore rate limits for autoconfirm (#1810) (9ce2340)

2.163.1 (2024-10-22)

Bug Fixes

• external host validation (#1808) (4f6a461), closes #1228

2.163.0 (2024-10-15)

Features

• add mail header support via GOTRUE_SMTP_HEADERS with $messageType (#1804) (99d6a13)
• add MFA for WebAuthn (#1775) (8cc2f0e)
• configurable email and sms rate limiting (#1800) (5e94047)
• mailer logging (#1805) (9354b83)
• preserve rate limiters in memory across configuration reloads (#1792) (0a3968b)

Bug Fixes

• add twilio verify support on mfa (#1714) (aeb5d8f)
• email header setting no longer misleading (#1802) (3af03be)
• enforce authorized address checks on send email only (#1806) (c0c5b23)
• fix getExcludedColumns slice allocation (#1788) (7f006b6)
• Fix reqPath for bypass check for verify EP (#1789) (646dc66)
• inline mailme package for easy development (#1803) (fa6f729)

2.162.2 (2024-10-05)

Bug Fixes

• refactor mfa validation into functions (#1780) (410b8ac)
• upgrade ci Go version (#1782) (97a48f6)
• validateEmail should normalise emails (#1790) (2e9b144)

2.162.1 (2024-10-03)

Bug Fixes

• bypass check for token & verify endpoints (#1785) (9ac2ea0)

2.162.0 (2024-09-27)

Features

• add support for migration of firebase scrypt passwords (#1768) (ba00f75)

Bug Fixes

• apply authorized email restriction to non-admin routes (#1778) (1af203f)
• magiclink failing due to passwordStrength check (#1769) (7a5411f)

2.161.0 (2024-09-24)

Features

• add x-sb-error-code header, show error code in logs (#1765) (ed91c59)
• add webauthn configuration variables (#1773) (77d5897)
• config reloading (#1771) (6ee0091)

Bug Fixes

• add additional information around errors for missing content type header (#1576) (c2b2f96)
• add token to hook payload for non-secure email change (#1763) (7e472ad)
• update aal requirements to update user (#1766) (25d9874)
• update mfa admin methods (#1774) (567ea7e)
• user sanitization should clean up email change info too (#1759) (9d419b4)

2.160.0 (2024-09-02)

Features

• add authorized email address support (#1757) (f3a28d1)
• add option to disable magic links (#1756) (2ad0737)
• add support for saml encrypted assertions (#1752) (c5480ef)

Bug Fixes

• apply shared limiters before email / sms is sent (#1748) (bf276ab)
• simplify WaitForCleanup (#1747) (0084625)

2.159.2 (2024-08-28)

Bug Fixes

• allow anonymous user to update password (#1739) (2d51956)
• hide hook name (#1743) (7e38f4c)
• remove server side cookie token methods (#1742) (c6efec4)

2.159.1 (2024-08-23)

Bug Fixes

• return oauth identity when user is created (#1736) (60cfb60)

2.159.0 (2024-08-21)

Features

• Vercel marketplace OIDC (#1731) (a9ff361)

Bug Fixes

• add error codes to password login flow (#1721) (4351226)
• change phone constraint to per user (#1713) (b9bc769)
• custom SMS does not work with Twilio Verify (#1733) (dc2391d)
• ignore errors if transaction has closed already (#1726) (53c11d1)
• redirect invalid state errors to site url (#1722) (b2b1123)
• remove TOTP field for phone enroll response (#1717) (4b04327)
• use signing jwk to sign oauth state (#1728) (66fd0c8)

2.158.1 (2024-08-05)

Bug Fixes

• add last_challenged_at field to mfa factors (#1705) (29cbeb7)
• allow enabling sms hook without setting up sms provider (#1704) (575e88a)
• drop the MFA_ENABLED config (#1701) (078c3a8)
• enforce uniqueness on verified phone numbers (#1693) (70446cc)
• expose X-Supabase-Api-Version header in CORS (#1612) (6ccd814)
• include factor_id in query (#1702) (ac14e82)
• move is owned by check to load factor (#1703) (701a779)
• refactor TOTP MFA into separate methods (#1698) (250d92f)
• remove check for content-length (#1700) (81b332d)
• remove FindFactorsByUser (#1707) (af8e2dd)
• update openapi spec for MFA (Phone) (#1689) (a3da4b8)

2.158.0 (2024-07-31)

Features

• add hook log entry with run_hook action (#1684) (46491b8)
• MFA (Phone) (#1668) (ae091aa)

Bug Fixes

• maintain backward compatibility for asymmetric JWTs (#1690) (0ad1402)
• MFA NewFactor to default to creating unverfied factors (#1692) (3d448fa)
• minor spelling errors (#1688) (6aca52b), closes #1682
• treat GOTRUE_MFA_ENABLED as meaning TOTP enabled on enroll and verify (#1694) (8015251)
• update mfa phone migration to be idempotent (#1687) (fdff1e7)

2.157.0 (2024-07-26)

Features

• add asymmetric jwt support (#1674) (c7a2be3)

2.156.0 (2024-07-25)

Features

• add is_anonymous claim to Auth hook jsonschema (#1667) (f9df65c)

Bug Fixes

• restrict autoconfirm email change to anonymous users (#1679) (b57e223)

2.155.6 (2024-07-22)

Bug Fixes

• use deep equal (#1672) (8efd57d)

2.155.5 (2024-07-19)

Bug Fixes

• check password max length in checkPasswordStrength (#1659) (1858c93)
• don't update attribute mapping if nil (#1665) (7e67f3e)
• refactor mfa models and add observability to loadFactor (#1669) (822fb93)

2.155.4 (2024-07-17)

Bug Fixes

• treat empty string as nil in encrypted_password (#1663) (f99286e)

2.155.3 (2024-07-12)

Bug Fixes

• serialize jwt as string (#1657) (98d8324)

2.155.2 (2024-07-12)

Bug Fixes

• improve session error logging (#1655) (5a6793e)
• omit empty string from name & use case-insensitive equality for comparing SAML attributes (#1654) (bf5381a)
• set rate limit log level to warn (#1652) (10ca9c8)

2.155.1 (2024-07-04)

Bug Fixes

• apply mailer autoconfirm config to update user email (#1646) (a518505)
• check for empty aud string (#1649) (42c1d45)
• return proper error if sms rate limit is exceeded (#1647) (3c8d765)

2.155.0 (2024-07-03)

Features

• add password_hash and id fields to admin create user (#1641) (20d59f1)

Bug Fixes

• improve mfa verify logs (#1635) (d8b47f9)
• invited users should have a temporary password generated (#1644) (3f70d9d)
• upgrade golang-jwt to v5 (#1639) (2cb97f0)
• use pointer for user.EncryptedPassword (#1637) (bbecbd6)

2.154.2 (2024-06-24)

Bug Fixes

• publish to ghcr.io/supabase/auth (#1626) (930aa3e), closes #1625
• revert define search path in auth functions (#1634) (155e87e)
• update MaxFrequency error message to reflect number of seconds (#1540) (e81c25d)

2.154.1 (2024-06-17)

Bug Fixes

• add ip based limiter (#1622) (06464c0)
• admin user update should update is_anonymous field (#1623) (f5c6fcd)

2.154.0 (2024-06-12)

Features

• add max length check for email (#1508) (f9c13c0)
• add support for Slack OAuth V2 (#1591) (bb99251)
• encrypt sensitive columns (#1593) (e4a4758)
• upgrade otel to v1.26 (#1585) (cdd13ad)
• use largest avatar from spotify instead (#1210) (4f9994b), closes #1209

Bug Fixes

• define search path in auth functions (#1616) (357bda2)
• enable rls & update grants for auth tables (#1617) (28967aa)

2.153.0 (2024-06-04)

Features

• add SAML specific external URL config (#1599) (b352719)
• add support for verifying argon2i and argon2id passwords (#1597) (55409f7)
• make the email client explicity set the format to be HTML (#1149) (53e223a)

Bug Fixes

• call write header in write if not written (#1598) (0ef7eb3)
• deadlock issue with timeout middleware write (#1595) (6c9fbd4)
• improve token OIDC logging (#1606) (5262683)
• update contributing to use v1.22 (#1609) (5894d9e)

2.152.0 (2024-05-22)

Features

• new timeout writer implementation (#1584) (72614a1)
• remove legacy lookup in users for one_time_tokens (phase II) (#1569) (39ca026)
• update chi version (#1581) (c64ae3d)
• update openapi spec with identity and is_anonymous fields (#1573) (86a79df)

Bug Fixes

• improve logging structure (#1583) (c22fc15)
• sms verify should update is_anonymous field (#1580) (e5f98cb)
• use api_external_url domain as localname (#1575) (ed2b490)

2.151.0 (2024-05-06)

Features

• refactor one-time tokens for performance (#1558) (d1cf8d9)

Bug Fixes

• do call send sms hook when SMS autoconfirm is enabled (#1562) (bfe4d98)
• format test otps (#1567) (434a59a)
• log final writer error instead of handling (#1564) (170bd66)

2.150.1 (2024-04-28)

Bug Fixes

• add db conn max idle time setting (#1555) (2caa7b4)

2.150.0 (2024-04-25)

Features

• add support for Azure CIAM login (#1541) (1cb4f96)
• add timeout middleware (#1529) (f96ff31)
• allow for postgres and http functions on each extensibility point (#1528) (348a1da)
• merge provider metadata on link account (#1552) (bd8b5c4)
• send over user in SendSMS Hook instead of UserID (#1551) (d4d743c)

Bug Fixes

• return error if session id does not exist (#1538) (91e9eca)

2.149.0 (2024-04-15)

Features

• refactor generate accesss token to take in request (#1531) (e4f2b59)

Bug Fixes

• linkedin_oidc provider error (#1534) (4f5e8e5)
• revert patch for linkedin_oidc provider error (#1535) (58ef4af)
• update linkedin issuer url (#1536) (10d6d8b)

2.148.0 (2024-04-10)

Features

• add array attribute mapping for SAML (#1526) (7326285)

2.147.1 (2024-04-09)

Bug Fixes

• add validation and proper decoding on send email hook (#1520) (e19e762)
• remove deprecated LogoutAllRefreshTokens (#1519) (35533ea)

2.147.0 (2024-04-05)

Features

• add send email Hook (#1512) (cf42e02)

2.146.0 (2024-04-03)

Features

• add custom sms hook (#1474) (0f6b29a)
• forbid generating an access token without a session (#1504) (795e93d)

Bug Fixes

• add cleanup statement for anonymous users (#1497) (cf2372a)
• generate signup link should not error (#1514) (4fc3881)
• move all EmailActionTypes to mailer package (#1510) (765db08)
• refactor mfa and aal update methods (#1503) (31a5854)
• rename from CustomSMSProvider to SendSMS (#1513) (c0bc37b)

2.145.0 (2024-03-26)

Features

• add error codes (#1377) (e4beea1)
• add kakao OIDC (#1381) (b5566e7)
• clean up expired factors (#1371) (5c94207)
• configurable NameID format for SAML provider (#1481) (ef405d8)
• HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets (#1467) (5b24c4e)
• refactor PKCE FlowState to reduce duplicate code (#1446) (b8d0337)

Bug Fixes

• add http support for https hooks on localhost (#1484) (5c04104)
• cleanup panics due to bad inactivity timeout code (#1471) (548edf8)
• docs: remove bracket on file name for broken link (#1493) (96f7a68)
• impose expiry on auth code instead of magic link (#1440) (35aeaf1)
• invalidate email, phone OTPs on password change (#1489) (960a4f9)
• move creation of flow state into function (#1470) (4392a08)
• prevent user email side-channel leak on verify (#1472) (311cde8)
• refactor email sending functions (#1495) (285c290)
• refactor factor_test to centralize setup (#1473) (c86007e)
• refactor mfa challenge and tests (#1469) (6c76f21)
• Resend SMS when duplicate SMS sign ups are made (#1490) (73240a0)
• unlink identity bugs (#1475) (73e8d87)

2.144.0 (2024-03-04)

Features

• add configuration for custom sms sender hook (#1428) (1ea56b6)
• anonymous sign-ins (#1460) (130df16)
• clean up test setup in MFA tests (#1452) (7185af8)
• pass transaction to invokeHook, fixing pool exhaustion (#1465) (b536d36)
• refactor resource owner password grant (#1443) (e63ad6f)
• use dummy instance id to improve performance on refresh token queries (#1454) (656474e)

Bug Fixes

• expose provider under amr in access token (#1456) (e9f38e7)
• improve MFA QR Code resilience so as to support providers like 1Password (#1455) (6522780)
• refactor request params to use generics (#1464) (e1cdf5c)
• revert refactor resource owner password grant (#1466) (fa21244)
• update file name so migration to Drop IP Address is applied (#1447) (f29e89d)

2.143.0 (2024-02-19)

Features

• calculate aal without transaction (#1437) (8dae661)

Bug Fixes

• deprecate hooks (#1421) (effef1b)
• error should be an IsNotFoundError (#1432) (7f40047)
• populate password verification attempt hook (#1436) (f974bdb)
• restrict mfa enrollment to aal2 if verified factors are present (#1439) (7e10d45)
• update phone if autoconfirm is enabled (#1431) (95db770)
• use email change email in identity (#1429) (4d3b9b8)

2.142.0 (2024-02-14)

Features

• alter tag to use raw (#1427) (53cfe5d)
• update README.md to trigger release (#1425) (91e0e24)

2.141.0 (2024-02-13)

Features

• drop sha hash tag (#1422) (76853ce)
• prefix release with v (#1424) (9d398cd)

2.140.0 (2024-02-13)

Features

• deprecate existing webhook implementation (#1417) (5301e48)
• update publish.yml checkout repository so there is access to Dockerfile (#1419) (7cce351)

2.139.2 (2024-02-08)

Bug Fixes

• improve perf in account linking (#1394) (8eedb95)
• OIDC provider validation log message (#1380) (27e6b1f)
• only create or update the email / phone identity after it's been verified (#1403) (2d20729)
• only create or update the email / phone identity after it's been verified (again) (#1409) (bc6a5b8)
• unmarshal is_private_email correctly (#1402) (47df151)
• use pattern for semver docker image tags (#1411) (14a3aeb)

Reverts

• "fix: only create or update the email / phone identity after i… (#1407) (ff86849)