CHANGELOG.md

Changelog

2.178.0 (2025-08-05)

Features

• add sign in with ethereum (#2069) (079b242)
• add support for managing SSO providers by resource_id (#2081) (5ca4489)
• log all audit events separately to prevent missing events (#2086) (3b666f5)
• skip nonce check for Facebook Limited Login auth (#2082) (f1b15ff)
• support ledger solana offchain message signing (#2093) (4c94443)

2.177.0 (2025-07-05)

Features

• add option to disable writing to audit_log_entries (#2073) (80758dd)
• add snapchat provider (#2071) (fca8ea4)
• enhance login analytics (#2078) (1aed4a2)
• fallback to jwt secret if alg is HS256 and the kid is not recognized (#2072) (8fa99bd)
• ignore aud claim from admin jwt (service_role never had one) (#2070) (57eddcb)

Bug Fixes

• add missing provider info to signedup audit logs (#2061) (c6e0cbe)
• auditlog: keep writing to logs even postgres is disabled (#2076) (b89bc32)
• do not log fatal when http server successfully closes (#2065) (1f7de6c)
• invites should send another email when user exists (#2058) (96469bd)
• use appleid.apple.com as default issuer (#2068) (963a781)
• use split_words config option for AuditLog (#2075) (7ecb234)

2.176.1 (2025-06-11)

Bug Fixes

• new odic.Provider for apple with insecure issuer url context (#2055) (23d69f1)
• skip apple oidc issuer check (#2053) (1c6f18e)

2.176.0 (2025-06-11)

Features

• Add custom claims from Keycloak user token (#1917) (1365aaa)

Bug Fixes

• accept ID tokens from all account.apple.com and appleid.apple.com (#2050) (82aa167)

2.175.0 (2025-06-03)

Features

• hooks round 5 (Option 2) - add before-user-created hook (#2034) (b53f6b0)

Bug Fixes

• email-sendhook - bug in email change verification (#2044) (be20654)

2.174.0 (2025-05-23)

Features

• hooks round 2 - remove indirection and simplify error handling (#2025) (26e23f0)
• hooks round 4 - update tests to use require package (#2030) (aaf93df)

Bug Fixes

• amr claim should contain provider_id for sso method (#2033) (33741e1)

2.173.0 (2025-05-17)

Features

• add support packages for end-to-end testing (#2021) (269ddfe)

Bug Fixes

• add supafast tarball for upgrading auth via supabase-admin-api (#2009) (9b55785)
• allow HTTP with localhost in solana (#2027) (3ee02f0)
• fix supafast tarball generation (#2011) (88bb2c0)

2.172.1 (2025-05-05)

Bug Fixes

• use redirect URL as-is for mobile apps (#2007) (b36cdcd)

2.172.0 (2025-05-04)

Features

• fix large group claim handling in azure id tokens (#1995) (2f323fe)
• use global_user_id over sub for vercel_marketplace issuer (#1990) (f94f97e)

Bug Fixes

• azure overage claims start with single _ not two (#1999) (29f3440)
• remove azure claim overage code. (#2005) (63dce14)
• resolving azure overage claim should include api-version=1.6 query parameter (#2000) (44890d0)
• upgrade godotenv to v1.5.1 to fix multiline file loading (#1997) (f2af4b2)

2.171.0 (2025-04-14)

Features

• add sign in with solana (EIP-4361) support (#1918) (d121546)
• allow invalid config directories (#1969) (6b842f6)
• allow limiting lifespan of low-aal sessions (#1942) (d7a9ca6)
• Block specific outgoing mail servers (#1971) (091aef9)
• refactor hooks out of api package (#1976) (c5904c0)
• separate web3 rate limits from other /token?grant_type=... (#1985) (8b23382)

Bug Fixes

• explicit permisions on actions (#1978) (06e9ead)
• propagate error when when confirming phone (#1939) (e882b42)
• redirects must not be to ip addresses (#1984) (347e23a)
• sanitize redirect URL (remove fragment, query) before pattern matching (#1974) (ccf20d7)

2.170.0 (2025-03-06)

Features

• improvements to config reloader, 100% coverage (#1933) (21c2256)
• increase test coverage in conf package to 100% (#1937) (bc57c1c)

Bug Fixes

• enable SO_REUSEPORT in listener config (#1936) (a474b80)
• ignore not found error to check for pkce prefix later (#1929) (fbbebcc)
• log version & migration count (#1934) (8078cdc)
• update figma token endpoint (#1952) (18fbbb5)
• use sys/unix instead of syscall (#1953) (4a6d9bc)

2.169.0 (2025-01-27)

Features

• add an optional burstable rate limiter (#1924) (1f06f58)
• cover 100% of crypto with tests (#1892) (174198e)

Bug Fixes

• convert refreshed_at to UTC before updating (#1916) (a4c692f)
• correct casing of API key authentication in openapi.yaml (0cfd177)
• improve invalid channel error message returned (#1908) (f72f0ee)
• improve saml assertion logging (#1915) (d6030cc)

2.168.0 (2025-01-06)

Features

• set email_verified to true on all identities with the verified email (#1902) (307892f)

2.167.0 (2024-12-24)

Features

• fix argon2 parsing and comparison (#1887) (9dbe6ef)

2.166.0 (2024-12-23)

Features

• switch to googleapis/release-please-action, bump to 2.166.0 (#1883) (11a312f)

Bug Fixes

• check if session is nil (#1873) (fd82601)
• email_verified field not being updated on signup confirmation (#1868) (483463e)
• handle user banned error code (#1851) (a6918f4)
• Revert "fix: revert fallback on btree indexes when hash is unavailable" (#1859) (9fe5b1e)
• skip cleanup for non-2xx status (#1877) (f572ced)

2.165.1 (2024-12-06)

Bug Fixes

• allow setting the mailer service headers as strings (#1861) (7907b56)

2.165.0 (2024-12-05)

Features

• add email validation function to lower bounce rates (#1845) (2c291f0)
• use embedded migrations for migrate command (#1843) (e358da5)

Bug Fixes

• fallback on btree indexes when hash is unavailable (#1856) (b33bc31)
• return the error code instead of status code (#1855) (834a380)
• revert fallback on btree indexes when hash is unavailable (#1858) (1c7202f)
• update ip mismatch error message (#1849) (49fbbf0)

2.164.0 (2024-11-13)

Features

• return validation failed error if captcha request was not json (#1815) (26d2e36)

Bug Fixes

• add error codes to refresh token flow (#1824) (4614dc5)
• add test coverage for rate limits with 0 permitted events (#1834) (7c3cf26)
• correct web authn aaguid column naming (#1826) (0a589d0)
• default to files:read scope for Figma provider (#1831) (9ce2857)
• improve error messaging for http hooks (#1821) (fa020d0)
• make drop_uniqueness_constraint_on_phone idempotent (#1817) (158e473)
• possible panic if refresh token has a null session_id (#1822) (a7129df)
• rate limits of 0 take precedence over MAILER_AUTO_CONFIRM (#1837) (cb7894e)

2.163.2 (2024-10-22)

Bug Fixes

• ignore rate limits for autoconfirm (#1810) (9ce2340)

2.163.1 (2024-10-22)

Bug Fixes

• external host validation (#1808) (4f6a461), closes #1228

2.163.0 (2024-10-15)

Features

• add mail header support via GOTRUE_SMTP_HEADERS with $messageType (#1804) (99d6a13)
• add MFA for WebAuthn (#1775) (8cc2f0e)
• configurable email and sms rate limiting (#1800) (5e94047)
• mailer logging (#1805) (9354b83)
• preserve rate limiters in memory across configuration reloads (#1792) (0a3968b)

Bug Fixes

• add twilio verify support on mfa (#1714) (aeb5d8f)
• email header setting no longer misleading (#1802) (3af03be)
• enforce authorized address checks on send email only (#1806) (c0c5b23)
• fix getExcludedColumns slice allocation (#1788) (7f006b6)
• Fix reqPath for bypass check for verify EP (#1789) (646dc66)
• inline mailme package for easy development (#1803) (fa6f729)

2.162.2 (2024-10-05)

Bug Fixes

• refactor mfa validation into functions (#1780) (410b8ac)
• upgrade ci Go version (#1782) (97a48f6)
• validateEmail should normalise emails (#1790) (2e9b144)

2.162.1 (2024-10-03)

Bug Fixes

• bypass check for token & verify endpoints (#1785) (9ac2ea0)

2.162.0 (2024-09-27)

Features

• add support for migration of firebase scrypt passwords (#1768) (ba00f75)

Bug Fixes

• apply authorized email restriction to non-admin routes (#1778) (1af203f)
• magiclink failing due to passwordStrength check (#1769) (7a5411f)

2.161.0 (2024-09-24)

Features

• add x-sb-error-code header, show error code in logs (#1765) (ed91c59)
• add webauthn configuration variables (#1773) (77d5897)
• config reloading (#1771) (6ee0091)

Bug Fixes

• add additional information around errors for missing content type header (#1576) (c2b2f96)
• add token to hook payload for non-secure email change (#1763) (7e472ad)
• update aal requirements to update user (#1766) (25d9874)
• update mfa admin methods (#1774) (567ea7e)
• user sanitization should clean up email change info too (#1759) (9d419b4)

2.160.0 (2024-09-02)

Features

• add authorized email address support (#1757) (f3a28d1)
• add option to disable magic links (#1756) (2ad0737)
• add support for saml encrypted assertions (#1752) (c5480ef)

Bug Fixes

• apply shared limiters before email / sms is sent (#1748) (bf276ab)
• simplify WaitForCleanup (#1747) (0084625)

2.159.2 (2024-08-28)

Bug Fixes

• allow anonymous user to update password (#1739) (2d51956)
• hide hook name (#1743) (7e38f4c)
• remove server side cookie token methods (#1742) (c6efec4)

2.159.1 (2024-08-23)

Bug Fixes

• return oauth identity when user is created (#1736) (60cfb60)

2.159.0 (2024-08-21)

Features

• Vercel marketplace OIDC (#1731) (a9ff361)

Bug Fixes

• add error codes to password login flow (#1721) (4351226)
• change phone constraint to per user (#1713) (b9bc769)
• custom SMS does not work with Twilio Verify (#1733) (dc2391d)
• ignore errors if transaction has closed already (#1726) (53c11d1)
• redirect invalid state errors to site url (#1722) (b2b1123)
• remove TOTP field for phone enroll response (#1717) (4b04327)
• use signing jwk to sign oauth state (#1728) (66fd0c8)

2.158.1 (2024-08-05)

Bug Fixes

• add last_challenged_at field to mfa factors (#1705) (29cbeb7)
• allow enabling sms hook without setting up sms provider (#1704) (575e88a)
• drop the MFA_ENABLED config (#1701) (078c3a8)
• enforce uniqueness on verified phone numbers (#1693) (70446cc)
• expose X-Supabase-Api-Version header in CORS (#1612) (6ccd814)
• include factor_id in query (#1702) (ac14e82)
• move is owned by check to load factor (#1703) (701a779)
• refactor TOTP MFA into separate methods (#1698) (250d92f)
• remove check for content-length (#1700) (81b332d)
• remove FindFactorsByUser (#1707) (af8e2dd)
• update openapi spec for MFA (Phone) (#1689) (a3da4b8)

2.158.0 (2024-07-31)

Features

• add hook log entry with run_hook action (#1684) (46491b8)
• MFA (Phone) (#1668) (ae091aa)

Bug Fixes

• maintain backward compatibility for asymmetric JWTs (#1690) (0ad1402)
• MFA NewFactor to default to creating unverfied factors (#1692) (3d448fa)
• minor spelling errors (#1688) (6aca52b), closes #1682
• treat GOTRUE_MFA_ENABLED as meaning TOTP enabled on enroll and verify (#1694) (8015251)
• update mfa phone migration to be idempotent (#1687) (fdff1e7)

2.157.0 (2024-07-26)

Features

• add asymmetric jwt support (#1674) (c7a2be3)

2.156.0 (2024-07-25)

Features

• add is_anonymous claim to Auth hook jsonschema (#1667) (f9df65c)

Bug Fixes

• restrict autoconfirm email change to anonymous users (#1679) (b57e223)

2.155.6 (2024-07-22)

Bug Fixes

• use deep equal (#1672) (8efd57d)

2.155.5 (2024-07-19)

Bug Fixes

• check password max length in checkPasswordStrength (#1659) (1858c93)
• don't update attribute mapping if nil (#1665) (7e67f3e)
• refactor mfa models and add observability to loadFactor (#1669) (822fb93)

2.155.4 (2024-07-17)

Bug Fixes

• treat empty string as nil in encrypted_password (#1663) (f99286e)

2.155.3 (2024-07-12)

Bug Fixes

• serialize jwt as string (#1657) (98d8324)

2.155.2 (2024-07-12)

Bug Fixes

• improve session error logging (#1655) (5a6793e)
• omit empty string from name & use case-insensitive equality for comparing SAML attributes (#1654) (bf5381a)
• set rate limit log level to warn (#1652) (10ca9c8)

2.155.1 (2024-07-04)

Bug Fixes

• apply mailer autoconfirm config to update user email (#1646) (a518505)
• check for empty aud string (#1649) (42c1d45)
• return proper error if sms rate limit is exceeded (#1647) (3c8d765)

2.155.0 (2024-07-03)

Features

• add password_hash and id fields to admin create user (#1641) (20d59f1)

Bug Fixes

• improve mfa verify logs (#1635) (d8b47f9)
• invited users should have a temporary password generated (#1644) (3f70d9d)
• upgrade golang-jwt to v5 (#1639) (2cb97f0)
• use pointer for user.EncryptedPassword (#1637) (bbecbd6)

2.154.2 (2024-06-24)

Bug Fixes

• publish to ghcr.io/supabase/auth (#1626) (930aa3e), closes #1625
• revert define search path in auth functions (#1634) (155e87e)
• update MaxFrequency error message to reflect number of seconds (#1540) (e81c25d)

2.154.1 (2024-06-17)

Bug Fixes

• add ip based limiter (#1622) (06464c0)
• admin user update should update is_anonymous field (#1623) (f5c6fcd)

2.154.0 (2024-06-12)

Features

• add max length check for email (#1508) (f9c13c0)
• add support for Slack OAuth V2 (#1591) (bb99251)
• encrypt sensitive columns (#1593) (e4a4758)
• upgrade otel to v1.26 (#1585) (cdd13ad)
• use largest avatar from spotify instead (#1210) (4f9994b), closes #1209

Bug Fixes

• define search path in auth functions (#1616) (357bda2)
• enable rls & update grants for auth tables (#1617) (28967aa)

2.153.0 (2024-06-04)

Features

• add SAML specific external URL config (#1599) (b352719)
• add support for verifying argon2i and argon2id passwords (#1597) (55409f7)
• make the email client explicity set the format to be HTML (#1149) (53e223a)

Bug Fixes

• call write header in write if not written (#1598) (0ef7eb3)
• deadlock issue with timeout middleware write (#1595) (6c9fbd4)
• improve token OIDC logging (#1606) (5262683)
• update contributing to use v1.22 (#1609) (5894d9e)

2.152.0 (2024-05-22)

Features

• new timeout writer implementation (#1584) (72614a1)
• remove legacy lookup in users for one_time_tokens (phase II) (#1569) (39ca026)
• update chi version (#1581) (c64ae3d)
• update openapi spec with identity and is_anonymous fields (#1573) (86a79df)

Bug Fixes

• improve logging structure (#1583) (c22fc15)
• sms verify should update is_anonymous field (#1580) (e5f98cb)
• use api_external_url domain as localname (#1575) (ed2b490)

2.151.0 (2024-05-06)

Features

• refactor one-time tokens for performance (#1558) (d1cf8d9)

Bug Fixes

• do call send sms hook when SMS autoconfirm is enabled (#1562) (bfe4d98)
• format test otps (#1567) (434a59a)
• log final writer error instead of handling (#1564) (170bd66)

2.150.1 (2024-04-28)

Bug Fixes

• add db conn max idle time setting (#1555) (2caa7b4)

2.150.0 (2024-04-25)

Features

• add support for Azure CIAM login (#1541) (1cb4f96)
• add timeout middleware (#1529) (f96ff31)
• allow for postgres and http functions on each extensibility point (#1528) (348a1da)
• merge provider metadata on link account (#1552) (bd8b5c4)
• send over user in SendSMS Hook instead of UserID (#1551) (d4d743c)

Bug Fixes

• return error if session id does not exist (#1538) (91e9eca)

2.149.0 (2024-04-15)

Features

• refactor generate accesss token to take in request (#1531) (e4f2b59)

Bug Fixes

• linkedin_oidc provider error (#1534) (4f5e8e5)
• revert patch for linkedin_oidc provider error (#1535) (58ef4af)
• update linkedin issuer url (#1536) (10d6d8b)

2.148.0 (2024-04-10)

Features

• add array attribute mapping for SAML (#1526) (7326285)

2.147.1 (2024-04-09)

Bug Fixes

• add validation and proper decoding on send email hook (#1520) (e19e762)
• remove deprecated LogoutAllRefreshTokens (#1519) (35533ea)

2.147.0 (2024-04-05)

Features

• add send email Hook (#1512) (cf42e02)

2.146.0 (2024-04-03)

Features

• add custom sms hook (#1474) (0f6b29a)
• forbid generating an access token without a session (#1504) (795e93d)

Bug Fixes

• add cleanup statement for anonymous users (#1497) (cf2372a)
• generate signup link should not error (#1514) (4fc3881)
• move all EmailActionTypes to mailer package (#1510) (765db08)
• refactor mfa and aal update methods (#1503) (31a5854)
• rename from CustomSMSProvider to SendSMS (#1513) (c0bc37b)

2.145.0 (2024-03-26)

Features

• add error codes (#1377) (e4beea1)
• add kakao OIDC (#1381) (b5566e7)
• clean up expired factors (#1371) (5c94207)
• configurable NameID format for SAML provider (#1481) (ef405d8)
• HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets (#1467) (5b24c4e)
• refactor PKCE FlowState to reduce duplicate code (#1446) (b8d0337)

Bug Fixes

• add http support for https hooks on localhost (#1484) (5c04104)
• cleanup panics due to bad inactivity timeout code (#1471) (548edf8)
• docs: remove bracket on file name for broken link (#1493) (96f7a68)
• impose expiry on auth code instead of magic link (#1440) (35aeaf1)
• invalidate email, phone OTPs on password change (#1489) (960a4f9)
• move creation of flow state into function (#1470) (4392a08)
• prevent user email side-channel leak on verify (#1472) (311cde8)
• refactor email sending functions (#1495) (285c290)
• refactor factor_test to centralize setup (#1473) (c86007e)
• refactor mfa challenge and tests (#1469) (6c76f21)
• Resend SMS when duplicate SMS sign ups are made (#1490) (73240a0)
• unlink identity bugs (#1475) (73e8d87)

2.144.0 (2024-03-04)

Features

• add configuration for custom sms sender hook (#1428) (1ea56b6)
• anonymous sign-ins (#1460) (130df16)
• clean up test setup in MFA tests (#1452) (7185af8)
• pass transaction to invokeHook, fixing pool exhaustion (#1465) (b536d36)
• refactor resource owner password grant (#1443) (e63ad6f)
• use dummy instance id to improve performance on refresh token queries (#1454) (656474e)

Bug Fixes

• expose provider under amr in access token (#1456) (e9f38e7)
• improve MFA QR Code resilience so as to support providers like 1Password (#1455) (6522780)
• refactor request params to use generics (#1464) (e1cdf5c)
• revert refactor resource owner password grant (#1466) (fa21244)
• update file name so migration to Drop IP Address is applied (#1447) (f29e89d)

2.143.0 (2024-02-19)

Features

• calculate aal without transaction (#1437) (8dae661)

Bug Fixes

• deprecate hooks (#1421) (effef1b)
• error should be an IsNotFoundError (#1432) (7f40047)
• populate password verification attempt hook (#1436) (f974bdb)
• restrict mfa enrollment to aal2 if verified factors are present (#1439) (7e10d45)
• update phone if autoconfirm is enabled (#1431) (95db770)
• use email change email in identity (#1429) (4d3b9b8)

2.142.0 (2024-02-14)

Features

• alter tag to use raw (#1427) (53cfe5d)
• update README.md to trigger release (#1425) (91e0e24)

2.141.0 (2024-02-13)

Features

• drop sha hash tag (#1422) (76853ce)
• prefix release with v (#1424) (9d398cd)

2.140.0 (2024-02-13)

Features

• deprecate existing webhook implementation (#1417) (5301e48)
• update publish.yml checkout repository so there is access to Dockerfile (#1419) (7cce351)

2.139.2 (2024-02-08)

Bug Fixes

• improve perf in account linking (#1394) (8eedb95)
• OIDC provider validation log message (#1380) (27e6b1f)
• only create or update the email / phone identity after it's been verified (#1403) (2d20729)
• only create or update the email / phone identity after it's been verified (again) (#1409) (bc6a5b8)
• unmarshal is_private_email correctly (#1402) (47df151)
• use pattern for semver docker image tags (#1411) (14a3aeb)

Reverts

• "fix: only create or update the email / phone identity after i… (#1407) (ff86849)