Draft
We have an existing `UNIQUE` index on the `phone` column (`users_phone_key`) that can be reused for:
1. Exact match queries
2. Prefixed search queries (`phone LIKE '123%'`) or range-based queries (`phone > '123' AND phone < '123'`)
3. Order by clauses (`ORDER BY phone`)
`text_pattern_ops` indexes do not support ordering.
Uses structured logging in the indexworker to make it easier to query events.
When template reloading is disabled, start a goroutine to warm the template cache early in startup.
---------
Co-authored-by: Chris Stockton <chris.stockton@supabase.io>
Adds support for X (formerly Twitter) v2 as an external OAuth provider.
- Introduces an `oauth_client_states` table to persist the `code_verifier`s, as X mandates the use of PKCE
- Uses SHA256 challenge for PKCE
- Updates the `GetOAuthToken` signature to accept a `code_verifier` as the second parameter
- Uses the existing cleanup middleware to delete states
- Adds the provider as `x` rather than `x_v2`, as `twitter` is already used in the old OAuth 1.0a provider, to better align with the rebrand
- The state is a UUIDv4
NOTE: today the `flow_states` table is overloaded, containing states, auth codes, provider tokens... the goal is to decouple that table eventually and the `oauth_states` table is the first step towards that.
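The PKCE flow the commit above describes (random UUIDv4 state, a persisted `code_verifier`, an S256 `code_challenge` sent to the provider, and the verifier handed back for the token request), written out as an added Go example. This is not code from the commit or from Supabase Auth: `clientStateStore` is an in-memory stand-in for the `oauth_client_states` table, and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// newCodeVerifier returns a PKCE code_verifier (RFC 7636 section 4.1):
// 32 random bytes base64url-encoded without padding give 43 unreserved
// characters, the minimum length the RFC allows.
func newCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// codeChallengeS256 derives the S256 challenge:
// BASE64URL(SHA256(ASCII(code_verifier))), again without padding.
func codeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// newUUIDv4 builds a random (version 4) UUID from crypto/rand for the
// OAuth state value.
func newUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]), nil
}

// clientStateStore is an in-memory stand-in (example only) for the
// oauth_client_states table: state -> code_verifier. A real deployment
// persists this so any instance can serve the callback and stale rows can
// be swept by the cleanup job.
type clientStateStore struct {
	verifiers map[string]string
}

func newClientStateStore() *clientStateStore {
	return &clientStateStore{verifiers: map[string]string{}}
}

// beginAuthorization creates the state/verifier pair, stores the verifier and
// returns the state plus the challenge for the authorization URL
// (code_challenge=<challenge>&code_challenge_method=S256).
func (s *clientStateStore) beginAuthorization() (state, challenge string, err error) {
	state, err = newUUIDv4()
	if err != nil {
		return "", "", err
	}
	verifier, err := newCodeVerifier()
	if err != nil {
		return "", "", err
	}
	s.verifiers[state] = verifier
	return state, codeChallengeS256(verifier), nil
}

// completeAuthorization resolves the state echoed back on the callback,
// deletes it so it cannot be replayed, and returns the verifier that goes
// into the token request (the second GetOAuthToken parameter in the commit).
func (s *clientStateStore) completeAuthorization(state string) (verifier string, ok bool) {
	verifier, ok = s.verifiers[state]
	if ok {
		delete(s.verifiers, state)
	}
	return verifier, ok
}

func main() {
	store := newClientStateStore()
	state, challenge, err := store.beginAuthorization()
	if err != nil {
		panic(err)
	}
	fmt.Println("state:", state)
	fmt.Println("code_challenge:", challenge)
	verifier, _ := store.completeAuthorization(state)
	fmt.Println("code_verifier:", verifier)
}
```

The single-use delete in `completeAuthorization` is the part worth keeping in mind when the table is real: a state that survives its callback can be replayed, so the row should be removed (or marked consumed) in the same transaction that reads the verifier.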
Adds timing obfuscation to password authentication to prevent user enumeration. Configurable via GOTRUE_SECURITY_TIMING_OBFUSCATION_DELAY (default: 0, disabled). Recommended value: 40ms for typical workloads.
…caching
Token endpoints (password grant, refresh token, PKCE, MFA, etc.) were missing Cache-Control headers, allowing browsers to cache JWT tokens in memory. This violates RFC 6749 Section 5.1, which requires token responses to include 'Cache-Control: no-store'.
Security Impact:
- Browsers like Firefox cache token responses in about:cache
- Attackers with physical access can extract cached JWT tokens
- Leads to potential session hijacking
Changes:
- Add sendTokenJSON helper function with no-store cache headers
- Update all token-returning endpoints to use sendTokenJSON
- Covers password, refresh, PKCE, MFA, OIDC, Web3, anonymous, signup, and verify flows
Fixes discovered during professional security audit (OWASP OTG-AUTHN-006).
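The fix the commit above describes, as an added Go example rather than the project's own code: a `sendTokenJSON` helper that sets the RFC 6749 section 5.1 headers, a "before" handler that omits them, and a small audit function that can be run against every token-returning route as a regression check. The handler names, the `tokenResponse` struct and the request body are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tokenResponse is a constructed subset of an RFC 6749 section 5.1 token
// response body.
type tokenResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token,omitempty"`
}

// sendTokenJSON writes a token response with the caching directives the RFC
// requires: "Cache-Control: no-store", plus "Pragma: no-cache" for HTTP/1.0
// caches. Named after the helper in the commit, but an illustrative
// reimplementation, not the project's code.
func sendTokenJSON(w http.ResponseWriter, status int, tok tokenResponse) error {
	h := w.Header()
	h.Set("Content-Type", "application/json;charset=UTF-8")
	h.Set("Cache-Control", "no-store")
	h.Set("Pragma", "no-cache")
	w.WriteHeader(status)
	return json.NewEncoder(w).Encode(tok)
}

// sampleToken is constructed; a real endpoint mints a JWT here.
var sampleToken = tokenResponse{
	AccessToken:  "constructed.jwt.value",
	TokenType:    "bearer",
	ExpiresIn:    3600,
	RefreshToken: "constructed-refresh",
}

// leakyTokenHandler is the "before" shape: a plain JSON write with no cache
// directives, so a browser may keep the body in its memory cache.
func leakyTokenHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(sampleToken)
}

// fixedTokenHandler is the "after" shape using sendTokenJSON.
func fixedTokenHandler(w http.ResponseWriter, r *http.Request) {
	_ = sendTokenJSON(w, http.StatusOK, sampleToken)
}

// auditNoStore drives a handler with a constructed token request and reports
// whether the response forbids caching; run it over every token route.
func auditNoStore(h http.Handler) (cacheControl string, ok bool) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/token?grant_type=password",
		strings.NewReader(`{"email":"user@example.com","password":"constructed"}`))
	req.Header.Set("Content-Type", "application/json")
	h.ServeHTTP(rec, req)
	cacheControl = rec.Header().Get("Cache-Control")
	return cacheControl, strings.Contains(cacheControl, "no-store")
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"leaky": leakyTokenHandler, "fixed": fixedTokenHandler} {
		cc, ok := auditNoStore(h)
		fmt.Printf("%s: Cache-Control=%q no-store=%v\n", name, cc, ok)
	}
}
```

Funnelling every token-returning path through one writer is the durable part of the fix: a route added later that builds its own response is exactly the case the audit helper is meant to catch.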
…pdates
Adds a new configuration option GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_CURRENT_PASSWORD that addresses session hijacking vulnerabilities by requiring users to provide their current password when changing to a new password. When enabled, the PUT /user endpoint requires a current_password field in the request body alongside the new password. The current password is verified before allowing the password change, preventing attackers with stolen session tokens from changing passwords without knowledge of the current password. This security feature works alongside the existing UpdatePasswordRequireReauthentication option and is disabled by default for backwards compatibility.
Related to discussion #32972
- Add attempt_count and invalidated_at columns to auth.one_time_tokens
- Track failed OTP verification attempts (max 3)
- Invalidate token after 3 failed attempts
- Add Email field to VerifyParams for user lookup
- Implement protection in signupVerify and recoverVerify
- Helper functions: checkOTPTokenInvalidated, recordOTPAttempt, clearOTPAttempts
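The attempt-limiting logic the commit above lists, as an added Go example that is not the project's code: `otpStore` is an in-memory stand-in for `auth.one_time_tokens` with the new `attempt_count` and `invalidated_at` columns, and `verify` folds the three helpers named in the commit (check invalidated, record attempt, clear attempts) into one guarded path. The store, function names and sample codes are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// maxOTPAttempts mirrors the limit in the commit: the third failed
// verification invalidates the token.
const maxOTPAttempts = 3

var (
	errNoPendingToken   = errors.New("no pending one-time token for this user")
	errTokenInvalidated = errors.New("token invalidated after too many failed attempts")
	errOTPMismatch      = errors.New("incorrect code")
)

// oneTimeToken is a constructed row shape carrying the two columns the commit
// adds (attempt_count, invalidated_at) next to the hashed code.
type oneTimeToken struct {
	TokenHash     string
	AttemptCount  int
	InvalidatedAt *time.Time
}

// otpStore stands in for auth.one_time_tokens, keyed by the email that the
// commit adds to VerifyParams for user lookup.
type otpStore struct {
	mu     sync.Mutex
	tokens map[string]*oneTimeToken
}

func newOTPStore() *otpStore { return &otpStore{tokens: map[string]*oneTimeToken{}} }

// hashOTP stores a digest rather than the code itself, so a database read
// does not yield usable codes.
func hashOTP(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

// issue stores a fresh token for the user, replacing any pending one and
// thereby resetting its attempt counter.
func (s *otpStore) issue(email, code string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[email] = &oneTimeToken{TokenHash: hashOTP(code)}
}

// verify is the guarded path the signup and recovery verifiers would call:
// an invalidated token is rejected before any comparison, a failure is
// recorded, the third failure invalidates the token, and success consumes it.
func (s *otpStore) verify(email, code string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	tok, ok := s.tokens[email]
	if !ok {
		return errNoPendingToken
	}
	if tok.InvalidatedAt != nil {
		return errTokenInvalidated // checkOTPTokenInvalidated
	}
	if subtle.ConstantTimeCompare([]byte(tok.TokenHash), []byte(hashOTP(code))) == 1 {
		delete(s.tokens, email) // consumed: clearOTPAttempts and single use
		return nil
	}
	tok.AttemptCount++ // recordOTPAttempt
	if tok.AttemptCount >= maxOTPAttempts {
		now := time.Now()
		tok.InvalidatedAt = &now
		return errTokenInvalidated
	}
	return errOTPMismatch
}

func main() {
	s := newOTPStore()
	s.issue("user@example.com", "123456")
	for _, guess := range []string{"000000", "111111", "222222", "123456"} {
		fmt.Printf("guess %s: %v\n", guess, s.verify("user@example.com", guess))
	}
}
```

The check that matters most is the last line of the `main` loop: once the token is invalidated, even the correct code is refused, so the user has to request a new one instead of an attacker being able to keep guessing. In a real table the increment and the invalidation should happen in the same statement or transaction so concurrent requests cannot both observe `attempt_count = 2`.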
- Remove GOTRUE_SECURITY_TIMING_OBFUSCATION_DELAY config option
- Keep bcrypt-based timing obfuscation (provides ~100ms constant time)
- Simplify implementation while maintaining protection against basic timing attacks
Delos Custom Security Patches
This PR tracks our custom security patches on top of upstream Supabase Auth rc2.184.0-rc.4.
Patches Included
1. 🛡️ Timing Attack Prevention (`GOTRUE_SECURITY_TIMING_OBFUSCATION_DELAY`)
2. 🔒 Cache-Control Headers
3. 🔑 Require Current Password (`GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_CURRENT_PASSWORD`)
4. 🚫 OTP Brute Force Protection (`attempt_count` and `invalidated_at` columns to `auth.one_time_tokens`)
Changed Files
```
13 files changed, 173 insertions(+), 12 deletions(-)
```
Maintenance
When syncing with new upstream releases:
1. `main` branch: `git fetch upstream && git merge upstream/main`
2. `git rebase main delos-production`
3. `git push origin delos-production --force-with-lease`
Testing Checklist
- `GOTRUE_SECURITY_TIMING_OBFUSCATION_DELAY=40`