Exempt recovery sessions from current password requirement
When updating a password via the recovery (password reset) flow,
the user cannot know their current password — that is the whole point
of the flow. This commit:
- verifyPost: issues refresh tokens with models.Recovery auth method
  for RecoveryVerification type, so the AMR claim is correctly stored
  as "recovery" instead of "otp".
- user.go: checks for the recovery AMR claim when
  GOTRUE_SECURITY_UPDATE_PASSWORD_REQUIRE_CURRENT_PASSWORD is enabled,
  and skips the current-password check for recovery sessions.
Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com