2.164.0 (2024-11-13)
- add error codes to refresh token flow (#1824) (4614dc5)
- add test coverage for rate limits with 0 permitted events (#1834) (7c3cf26)
- correct web authn aaguid column naming (#1826) (0a589d0)
- default to files:read scope for Figma provider (#1831) (9ce2857)
- improve error messaging for http hooks (#1821) (fa020d0)
- make drop_uniqueness_constraint_on_phone idempotent (#1817) (158e473)
- possible panic if refresh token has a null session_id (#1822) (a7129df)
- rate limits of 0 take precedence over MAILER_AUTO_CONFIRM (#1837) (cb7894e)
2.163.2 (2024-10-22)
2.163.1 (2024-10-22)
2.163.0 (2024-10-15)
- add mail header support via
GOTRUE_SMTP_HEADERS
with$messageType
(#1804) (99d6a13) - add MFA for WebAuthn (#1775) (8cc2f0e)
- configurable email and sms rate limiting (#1800) (5e94047)
- mailer logging (#1805) (9354b83)
- preserve rate limiters in memory across configuration reloads (#1792) (0a3968b)
- add twilio verify support on mfa (#1714) (aeb5d8f)
- email header setting no longer misleading (#1802) (3af03be)
- enforce authorized address checks on send email only (#1806) (c0c5b23)
- fix
getExcludedColumns
slice allocation (#1788) (7f006b6) - Fix reqPath for bypass check for verify EP (#1789) (646dc66)
- inline mailme package for easy development (#1803) (fa6f729)
2.162.2 (2024-10-05)
- refactor mfa validation into functions (#1780) (410b8ac)
- upgrade ci Go version (#1782) (97a48f6)
- validateEmail should normalise emails (#1790) (2e9b144)
2.162.1 (2024-10-03)
2.162.0 (2024-09-27)
- apply authorized email restriction to non-admin routes (#1778) (1af203f)
- magiclink failing due to passwordStrength check (#1769) (7a5411f)
2.161.0 (2024-09-24)
- add
x-sb-error-code
header, show error code in logs (#1765) (ed91c59) - add webauthn configuration variables (#1773) (77d5897)
- config reloading (#1771) (6ee0091)
- add additional information around errors for missing content type header (#1576) (c2b2f96)
- add token to hook payload for non-secure email change (#1763) (7e472ad)
- update aal requirements to update user (#1766) (25d9874)
- update mfa admin methods (#1774) (567ea7e)
- user sanitization should clean up email change info too (#1759) (9d419b4)
2.160.0 (2024-09-02)
- add authorized email address support (#1757) (f3a28d1)
- add option to disable magic links (#1756) (2ad0737)
- add support for saml encrypted assertions (#1752) (c5480ef)
- apply shared limiters before email / sms is sent (#1748) (bf276ab)
- simplify WaitForCleanup (#1747) (0084625)
2.159.2 (2024-08-28)
- allow anonymous user to update password (#1739) (2d51956)
- hide hook name (#1743) (7e38f4c)
- remove server side cookie token methods (#1742) (c6efec4)
2.159.1 (2024-08-23)
2.159.0 (2024-08-21)
- add error codes to password login flow (#1721) (4351226)
- change phone constraint to per user (#1713) (b9bc769)
- custom SMS does not work with Twilio Verify (#1733) (dc2391d)
- ignore errors if transaction has closed already (#1726) (53c11d1)
- redirect invalid state errors to site url (#1722) (b2b1123)
- remove TOTP field for phone enroll response (#1717) (4b04327)
- use signing jwk to sign oauth state (#1728) (66fd0c8)
2.158.1 (2024-08-05)
- add last_challenged_at field to mfa factors (#1705) (29cbeb7)
- allow enabling sms hook without setting up sms provider (#1704) (575e88a)
- drop the MFA_ENABLED config (#1701) (078c3a8)
- enforce uniqueness on verified phone numbers (#1693) (70446cc)
- expose
X-Supabase-Api-Version
header in CORS (#1612) (6ccd814) - include factor_id in query (#1702) (ac14e82)
- move is owned by check to load factor (#1703) (701a779)
- refactor TOTP MFA into separate methods (#1698) (250d92f)
- remove check for content-length (#1700) (81b332d)
- remove FindFactorsByUser (#1707) (af8e2dd)
- update openapi spec for MFA (Phone) (#1689) (a3da4b8)
2.158.0 (2024-07-31)
- maintain backward compatibility for asymmetric JWTs (#1690) (0ad1402)
- MFA NewFactor to default to creating unverfied factors (#1692) (3d448fa)
- minor spelling errors (#1688) (6aca52b), closes #1682
- treat
GOTRUE_MFA_ENABLED
as meaning TOTP enabled on enroll and verify (#1694) (8015251) - update mfa phone migration to be idempotent (#1687) (fdff1e7)
2.157.0 (2024-07-26)
2.156.0 (2024-07-25)
2.155.6 (2024-07-22)
2.155.5 (2024-07-19)
- check password max length in checkPasswordStrength (#1659) (1858c93)
- don't update attribute mapping if nil (#1665) (7e67f3e)
- refactor mfa models and add observability to loadFactor (#1669) (822fb93)
2.155.4 (2024-07-17)
2.155.3 (2024-07-12)
2.155.2 (2024-07-12)
- improve session error logging (#1655) (5a6793e)
- omit empty string from name & use case-insensitive equality for comparing SAML attributes (#1654) (bf5381a)
- set rate limit log level to warn (#1652) (10ca9c8)
2.155.1 (2024-07-04)
- apply mailer autoconfirm config to update user email (#1646) (a518505)
- check for empty aud string (#1649) (42c1d45)
- return proper error if sms rate limit is exceeded (#1647) (3c8d765)
2.155.0 (2024-07-03)
- improve mfa verify logs (#1635) (d8b47f9)
- invited users should have a temporary password generated (#1644) (3f70d9d)
- upgrade golang-jwt to v5 (#1639) (2cb97f0)
- use pointer for
user.EncryptedPassword
(#1637) (bbecbd6)
2.154.2 (2024-06-24)
- publish to ghcr.io/supabase/auth (#1626) (930aa3e), closes #1625
- revert define search path in auth functions (#1634) (155e87e)
- update MaxFrequency error message to reflect number of seconds (#1540) (e81c25d)
2.154.1 (2024-06-17)
- add ip based limiter (#1622) (06464c0)
- admin user update should update is_anonymous field (#1623) (f5c6fcd)
2.154.0 (2024-06-12)
- add max length check for email (#1508) (f9c13c0)
- add support for Slack OAuth V2 (#1591) (bb99251)
- encrypt sensitive columns (#1593) (e4a4758)
- upgrade otel to v1.26 (#1585) (cdd13ad)
- use largest avatar from spotify instead (#1210) (4f9994b), closes #1209
- define search path in auth functions (#1616) (357bda2)
- enable rls & update grants for auth tables (#1617) (28967aa)
2.153.0 (2024-06-04)
- add SAML specific external URL config (#1599) (b352719)
- add support for verifying argon2i and argon2id passwords (#1597) (55409f7)
- make the email client explicity set the format to be HTML (#1149) (53e223a)
- call write header in write if not written (#1598) (0ef7eb3)
- deadlock issue with timeout middleware write (#1595) (6c9fbd4)
- improve token OIDC logging (#1606) (5262683)
- update contributing to use v1.22 (#1609) (5894d9e)
2.152.0 (2024-05-22)
- new timeout writer implementation (#1584) (72614a1)
- remove legacy lookup in users for one_time_tokens (phase II) (#1569) (39ca026)
- update chi version (#1581) (c64ae3d)
- update openapi spec with identity and is_anonymous fields (#1573) (86a79df)
- improve logging structure (#1583) (c22fc15)
- sms verify should update is_anonymous field (#1580) (e5f98cb)
- use api_external_url domain as localname (#1575) (ed2b490)
2.151.0 (2024-05-06)
- do call send sms hook when SMS autoconfirm is enabled (#1562) (bfe4d98)
- format test otps (#1567) (434a59a)
- log final writer error instead of handling (#1564) (170bd66)
2.150.1 (2024-04-28)
2.150.0 (2024-04-25)
- add support for Azure CIAM login (#1541) (1cb4f96)
- add timeout middleware (#1529) (f96ff31)
- allow for postgres and http functions on each extensibility point (#1528) (348a1da)
- merge provider metadata on link account (#1552) (bd8b5c4)
- send over user in SendSMS Hook instead of UserID (#1551) (d4d743c)
2.149.0 (2024-04-15)
- linkedin_oidc provider error (#1534) (4f5e8e5)
- revert patch for linkedin_oidc provider error (#1535) (58ef4af)
- update linkedin issuer url (#1536) (10d6d8b)
2.148.0 (2024-04-10)
2.147.1 (2024-04-09)
- add validation and proper decoding on send email hook (#1520) (e19e762)
- remove deprecated LogoutAllRefreshTokens (#1519) (35533ea)
2.147.0 (2024-04-05)
2.146.0 (2024-04-03)
- add custom sms hook (#1474) (0f6b29a)
- forbid generating an access token without a session (#1504) (795e93d)
- add cleanup statement for anonymous users (#1497) (cf2372a)
- generate signup link should not error (#1514) (4fc3881)
- move all EmailActionTypes to mailer package (#1510) (765db08)
- refactor mfa and aal update methods (#1503) (31a5854)
- rename from CustomSMSProvider to SendSMS (#1513) (c0bc37b)
2.145.0 (2024-03-26)
- add error codes (#1377) (e4beea1)
- add kakao OIDC (#1381) (b5566e7)
- clean up expired factors (#1371) (5c94207)
- configurable NameID format for SAML provider (#1481) (ef405d8)
- HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets (#1467) (5b24c4e)
- refactor PKCE FlowState to reduce duplicate code (#1446) (b8d0337)
- add http support for https hooks on localhost (#1484) (5c04104)
- cleanup panics due to bad inactivity timeout code (#1471) (548edf8)
- docs: remove bracket on file name for broken link (#1493) (96f7a68)
- impose expiry on auth code instead of magic link (#1440) (35aeaf1)
- invalidate email, phone OTPs on password change (#1489) (960a4f9)
- move creation of flow state into function (#1470) (4392a08)
- prevent user email side-channel leak on verify (#1472) (311cde8)
- refactor email sending functions (#1495) (285c290)
- refactor factor_test to centralize setup (#1473) (c86007e)
- refactor mfa challenge and tests (#1469) (6c76f21)
- Resend SMS when duplicate SMS sign ups are made (#1490) (73240a0)
- unlink identity bugs (#1475) (73e8d87)
2.144.0 (2024-03-04)
- add configuration for custom sms sender hook (#1428) (1ea56b6)
- anonymous sign-ins (#1460) (130df16)
- clean up test setup in MFA tests (#1452) (7185af8)
- pass transaction to
invokeHook
, fixing pool exhaustion (#1465) (b536d36) - refactor resource owner password grant (#1443) (e63ad6f)
- use dummy instance id to improve performance on refresh token queries (#1454) (656474e)
- expose
provider
underamr
in access token (#1456) (e9f38e7) - improve MFA QR Code resilience so as to support providers like 1Password (#1455) (6522780)
- refactor request params to use generics (#1464) (e1cdf5c)
- revert refactor resource owner password grant (#1466) (fa21244)
- update file name so migration to Drop IP Address is applied (#1447) (f29e89d)
2.143.0 (2024-02-19)
- deprecate hooks (#1421) (effef1b)
- error should be an IsNotFoundError (#1432) (7f40047)
- populate password verification attempt hook (#1436) (f974bdb)
- restrict mfa enrollment to aal2 if verified factors are present (#1439) (7e10d45)
- update phone if autoconfirm is enabled (#1431) (95db770)
- use email change email in identity (#1429) (4d3b9b8)
2.142.0 (2024-02-14)
2.141.0 (2024-02-13)
2.140.0 (2024-02-13)
- deprecate existing webhook implementation (#1417) (5301e48)
- update publish.yml checkout repository so there is access to Dockerfile (#1419) (7cce351)
2.139.2 (2024-02-08)
- improve perf in account linking (#1394) (8eedb95)
- OIDC provider validation log message (#1380) (27e6b1f)
- only create or update the email / phone identity after it's been verified (#1403) (2d20729)
- only create or update the email / phone identity after it's been verified (again) (#1409) (bc6a5b8)
- unmarshal is_private_email correctly (#1402) (47df151)
- use
pattern
for semver docker image tags (#1411) (14a3aeb)