v2.26.0

2.26.0 (2023-12-31)

Bug Fixes

• add check for max password length (#1368) (41aac69)
• add error handling for hook (#1339) (7ac7586)
• check linking domain prefix (#1336) (9194ffc)
• handle oauth email check separately (#1348) (757989c)
• include symbols in generated password (#1364) (f81a748)
• return correct sms otp error (#1351) (5b06680)
• sanitizeUser leaks user role (#1366) (8ce9d3f), closes #1365
• show proper error message on textlocal (#1338) (44e2466)
• update suggested Go version for contributors to 1.21 (#1331) (9feeec4)

Features

• add custom access token hook (#1332) (312f871)
• add haveibeenpwned.org password strength check (#1324) (c3acfe7)
• add manual linking APIs (#1317) (80172a1)
• add mfa verification postgres hook (#1314) (db344d5)
• add required characters password strength check (#1323) (3991bdb)
• add session id to required claim for output of custom access token hook (#1360) (31222d5)
• add weak password check on sign in (#1346) (8785527)
• azure oidc fix (#1349) (97b3595)
• password sign-up no longer blocks the db connection (#1319) (84d4b75)
• properly return hook error (#1355) (890663f)
• refactor for central password strength check (#1321) (5524653)
• refactor hook error handling (#1329) (72fdb16)
• rename gotrue to auth (#1340) (8430113)
• split validation and population of hook name (#1337) (c03ae09)
• unlinking primary identity should update email (#1326) (bdc3300)

v2.25.0

2.25.0 (2023-11-24)

Bug Fixes

• allow transactions to be committed while returning a custom error (#1310) (8565d26)
• check for pkce prefix (#1291) (05c629b), closes #798
• disable allow unverified email sign ins if autoconfirm enabled (#1313) (9b93ac1)
• log clearer internal error messages for verify (#1292) (aafad5c)
• Revert "fix: remove organizations from fly provider" (#1287) (84e16ed)
• update dependencies (1/2) (#1304) (accccee)

Features

• add cleanup for session timebox and inactivity timeout (#1298) (9226979), closes #1288
• add endpoint to unlink identity from user (#1315) (af83b34)
• add friendly name to enroll factor response (#1277) (3c72faf)
• add inactivity-timeout to sessions (#1288) (6c8a96e)
• add single session per user with tags support (#1297) (69feebc)
• add time-boxed sessions (#1286) (9a1f461)
• allow unverified email signins (#1301) (94293b7)
• fix refresh token reuse revocation (#1312) (6e313f8)
• remove opentracing (#1307) (93e5f82)
• spotify oauth (#1296) (cc07b4a)
• strip user-agent from otel tracing (#1309) (d76f439)
• update primary key for identities table (#1311) (d8ec801)

v2.24.0

2.24.0 (2023-10-23)

Bug Fixes

• #1218 fixes existing migrations to allow namespaces!="auth" (#1279) (206fc09)
• add redirectTo to email templates (#1276) (40aed62)
• improve default settings used (4745451)
• include /organizations in expected issuer exemption (#1275) (47cbe6e), closes #1274
• pass through redirect query parameters (#1224) (577e320), closes #1150
• patch secure email change (double confirm) response format. (#1241) (064e8a1), closes #1240
• preserve backward compatibility with Twilio Existing API (#1260) (71fb156)
• remove organizations from fly provider (#1267) (c79fc6e)
• set the otp if it's not a test otp (#1223) (3afc8a9)
• support message IDs for Twilio Whatsapp (#1203) (77e85c8)
• take into account test otp for twilio verify (#1255) (18b4291), closes #1252
• test otp with twilio verify (#1259) (ab2aba6)
• use linkedin oidc endpoint (#1254) (6d5c8eb), closes #1216

Features

• add GOTRUE_<PROVIDER>_SKIP_NONCE_CHECK to skip nonce checks in ODIC flow (#1264) (4291959)
• add email rate limit breach metric (#1208) (4ff1fe0), closes #1213
• add fly oauth provider (#1261) (0fe4285)
• add idempotent refresh token algorithm (#1278) (b0426c6)
• add index on user_id of mfa_factors (#1247) (6ea135a)
• add new Linkedin OIDC due to deprecated scopes for new linkedin applications (#1248) (f40acfe), closes /github.com/supabase/gotrue/issues/1216#issuecomment-1688943690
• add sso pkce (#1137) (2c0e0a1)
• expose email address being sent to for email change flow (#1231) (f7308ad), closes /github.com/supabase/supabase/blob/master/studio/stores/authConfig/schema/AuthProviders/AuthTemplatesValidation.tsx#L128
• fix empty string parsing for GOTRUE_SMS_TEST_OTP_VALID_UNTIL (#1234) (25f2dcb)
• ignore common Azure issuer for ID tokens (#1272) (4c50357)
• initial fix for invite followed by signup. (#1262) (76c8eeb)
• reinstate upgrade whatsapp support on Twilio Programmable Messaging to support Content API (#1266) (00ee75c)
• retry concurrent refresh token attempts (#1202) (d894012), closes #1190
• upgrade whatsapp support on Twilio Programmable Messaging (#1249) (c58febe)
• use template/text instead of strings.Replace for phone OTP messages (#1188) (5caacc1)
• use OIDC ID token for Azure (#1269) (57e336e)

Reverts

• Revert "feat: upgrade whatsapp support on Twilio Programmable Messagi… (supabase#1263) (12bfe1e), closes #1263 #1249

v2.23.0

2.23.0 (2023-08-02)

Bug Fixes

• change email update flow to return both ? messages and # messages (#1129) (77afd28)
• log correct referer value (#1178) (a6950a0)
• only apply rate limit if autoconfirm is false (#1184) (46932da)
• remove captcha on id_token grant (#1175) (910079c), closes #1172
• remove redundant queries to get session (#1204) (669ce97)
• return error if user not found but identity exists (#1200) (1802ff3)
• support email verification type on token hash verification (#1177) (ffa5efa)
• use started transaction, not a new one (#1196) (0b5b656), closes /github.com/supabase/gotrue/pull/1190#discussion_r1270861390

Features

• add CORS allowed headers config (#1197) (7134000)
• add test OTP support for mobile app reviews (#1166) (2fb0cf5)
• allow whatsapp channels with Twilio Verify (#1207) (ff98d2f)
• drop restriction that PKCE cannot be used with autoconfirm (#1176) (0a6f218)
• remove flow state expiry on Magic Links (PKCE) (#1179) (caa9393)
• return expires_at in addition to expires_in (#1183) (3cd4bd5)
• serialized access to session in refresh_token grant (#1190) (a8f1712)
• update github.com/rs/cors to v1.9.0 (#1198) (27d3a7f)

v2.22.0

2.22.0 (2023-07-06)

Bug Fixes

• add discord global_name to custom_claims (#1171) (3b1a5b9)
• add profiler server (#1158) (58552d6)
• check err before using user (#1154) (53e1b3a)
• don't encode query fragment (#1153) (e414cb3)
• duplicate identity error on update user (#1141) (39ca89c)
• maintain query params order (#1161) (c925065)
• resend email change (#1151) (ddad10f)
• respect last_sign_in_at on secure password update (#1164) (963df37)

Features

• add kid, iss, iat claims to the JWT (#1148) (3446197)
• add different logout scopes (#1112) (df07540)
• add Figma provider (#1139) (007324c), closes /www.figma.com/developers/api#oauth2
• add support for Twilio Verify (#1124) (7e240f8)
• allow POST /verify to accept a token hash (#1165) (e9ab555)
• complete OIDC support for Apple and Google providers (#1108) (aab7c34)
• fix SAML metadata XML update on fetched metadata (#1135) (aba0e24)
• infer Mail in SAML assertion and allow deleting SSO user (#1132) (47ad9de)
• refactor password changes and logout (#1162) (b079c35)
• remove SafeRoundTripper and allow private-IP HTTP connections (#1152) (773e45e)
• require different passwords on update (#1163) (154dd91)
• return SMS ID when possible (#1145) (02cb927)
• set updated_at on refresh_tokens when revoking family (#1167) (bebd27a)
• switch to github.com/supabase/mailme package (#1159) (dbb9cf7), closes #870
• use otherMails with Azure (#1130) (fba1988)

v2.21.0

2.21.0 (2023-06-06)

Bug Fixes

• add guard check in case factor, session, or user are missing (#1099) (b4a3fec)
• allow gotrue to work with multiple custom domains (#999) (91a82ed), closes #725
• ignore exchangeCodeForSession when captcha is enabled (#1121) (4970bbc), closes #1120
• lowercase oauth emails for account linking (#1125) (df22915)
• make migration idempotent (#1079) (2be90c7)
• resend email change & phone change issues (#1100) (184fa38), closes #1095
• use configured redirect URL for external providers (#1114) (42bb1e0), closes #999

Features

• add database cleanup logic, runs after each request (#875) (aaad5bd)
• add log entries for pkce (#1068) (9c3ba87)
• add mfa cleanup (#1105) (f5c9afb), closes #875
• Add new Kakao Provider (#834) (bafb89b), closes /github.com/supabase/gotrue/issues/451#issuecomment-1101928384
• add saml metadata force update every 24 hours (#1020) (965feb9)
• allow updating saml providers metadata_xml (#1096) (20e503e)
• fix account linking (#1098) (93d12d9)
• update github.com/coreos/go-oidc/[email protected] (#1115) (23c8b45), closes #1108

v2.20.0

2.20.0 (2023-05-05)

Bug Fixes

• account linking logic (#990) (17162c9)
• check freq on email change (#1090) (659ca66)
• confirm email on email change (#1084) (0624655)
• correct pkce redirect generation (#1097) (bdf93b4)
• enforce code challenge validity across endpoints (#1026) (be7c082)
• expose x-total-count and link (#991) (e6dac54), closes #980
• fix flow state expiry check (#1088) (6000e70)
• IsDuplicatedEmail should filter out identities for the currentUser (#1092) (dd2b688), closes #1060 #988
• make flow_state migrations idempotent, add index (#1086) (7ca755a)
• pkce bug with magiclink (#1074) (4b84129)
• pkce issues (#1083) (eb50ba1)
• POST /verify should check pkce case (#1085) (7f42eaa)
• remove duplicated index on refresh_tokens table (#1058) (1aa8447)
• return the latest flow state (#1076) (00c9a11)
• update from oauth_pkce to pkce (#1017) (63bc007), closes /github.com/supabase/gotrue/blob/master/internal/api/token.go#L630
• update settings & route for SAML (#1009) (f405615)
• upgrade pop version (#1069) (969691f)

Features

• add actor_via_sso to audit log (#1002) (c52de4a)
• add PKCE (OAuth) (#891) (cf47ec2)
• add pkce recovery (#1022) (1954560)
• add pkce to email_change routes (#1082) (0f8548f)
• add turnstile support (#1094) (b1d2f1c)
• make dropping users_email_key backward compatible (#995) (aff2fe6)
• make phone data type alter backward compatible (#994) (551793e), closes #489
• PKCE magic link (#1016) (6fdad13)
• remove saml beta warning (#1003) (794dab0)
• simplify token reuse algorithm (#1072) (9ee3ab6)
• support for whatsapp as a channel for sending OTPs (#981) (d0d079f)
• use unique message IDs for emails to prevent grouping (#986) (aaf2765)

v2.19.1

2.19.1 (2023-02-18)

Bug Fixes

• add missing namespace prefix to index targets (#892) (3961c55), closes #669
• Change Dockerfile.dev target from netlify to Supabase (#973) (ee74d52)
• garbled text in sms message when message contains unicode (#971) (55544e2)
• nil pointer dereference in stale SAML metadata check (#977) (bb21c93), closes #833

v2.19.0

2.19.0 (2023-02-14)

Bug Fixes

• admin user create & update (#929) (5526627)
• backfill email identities for invited users (#914) (f7286dd), closes #895
• create identity for invited user (#895) (8ddf54b), closes /github.com/supabase/gotrue/blob/65817282f2ed05bae19b57f85d4c09cf20b7780c/models/linking.go#L73-L79
• fetch new IDP metadata if stale (#833) (be3766d)
• make migration idempotent (#923) (c792443)
• set emailChange to email (#920) (c23b6ce), closes #897

Features

• add endpoint to resend email confirmation (#912) (a50b5a7), closes #312
• add generated admin client (#924) (3ee3f34)
• add safe deferred closing (#945) (29c431f)
• deprecate and explicitly allow freeform ID token issuers (#934) (99df661)
• internalize implementation (#925) (1a52eb6)
• remove id_token flow with freeform provider (#927) (2646967)
• remove unused API NewAPIFromConfigFile (#909) (f91a450)
• rename package to supabase from netlify (#947) (4f5c2f6)
• revert "remove id_token flow with freeform provider" (#933) (4d98e30), closes supabase/gotrue#927
• update github.com/lestrrat-go/jwx/jwk to 1.2.25 (#926) (ff8ee5a)

v2.18.1

2.18.1 (2023-01-19)

Bug Fixes

• return signup confirmation if signup is incomplete for magiclink / otp (#889) (8137dd8)
• switch to aws roles (#893) (76c8710)
• update soft deletion (#894) (6581728)