chore(master): release 2.176.0

[github-actions]

🤖 I have created a release beep boop

2.176.0 (2025-05-14)

Features

• add GOTRUE_<PROVIDER>_SKIP_NONCE_CHECK to skip nonce checks in ODIC flow (#1264) (4291959)
• add password_hash and id fields to admin create user (#1641) (20d59f1)
• add x-sb-error-code header, show error code in logs (#1765) (ed91c59)
• add an optional burstable rate limiter (#1924) (1f06f58)
• add array attribute mapping for SAML (#1526) (7326285)
• add asymmetric jwt support (#1674) (c7a2be3)
• add authorized email address support (#1757) (f3a28d1)
• add cleanup for session timebox and inactivity timeout (#1298) (9226979)
• add cleanup of unverified factors in 24 hour window (#1379) (0100a80)
• add configuration for custom sms sender hook (#1428) (1ea56b6)
• add CORS allowed headers config (#1197) (7134000)
• add custom access token hook (#1332) (312f871)
• add custom sms hook (#1474) (0f6b29a)
• add email rate limit breach metric (#1208) (4ff1fe0)
• add email validation function to lower bounce rates (#1845) (2c291f0)
• add endpoint to unlink identity from user (#1315) (af83b34)
• add error codes (#1377) (e4beea1)
• add fly oauth provider (#1261) (0fe4285)
• add friendly name to enroll factor response (#1277) (3c72faf)
• add haveibeenpwned.org password strength check (#1324) (c3acfe7)
• add hook log entry with run_hook action (#1684) (46491b8)
• add idempotent refresh token algorithm (#1278) (b0426c6)
• add inactivity-timeout to sessions (#1288) (6c8a96e)
• add index on user_id of mfa_factors (#1247) (6ea135a)
• add is_anonymous claim to Auth hook jsonschema (#1667) (f9df65c)
• add kakao OIDC (#1381) (b5566e7)
• add mail header support via GOTRUE_SMTP_HEADERS with $messageType (#1804) (99d6a13)
• add manual linking APIs (#1317) (80172a1)
• add max length check for email (#1508) (f9c13c0)
• add MFA for WebAuthn (#1775) (8cc2f0e)
• add mfa verification postgres hook (#1314) (db344d5)
• add new Linkedin OIDC due to deprecated scopes for new linkedin applications (#1248) (f40acfe)
• add option to disable magic links (#1756) (2ad0737)
• add required characters password strength check (#1323) (3991bdb)
• add SAML specific external URL config (#1599) (b352719)
• add send email Hook (#1512) (cf42e02)
• add session id to required claim for output of custom access token hook (#1360) (31222d5)
• add sign in with solana (EIP-4361) support (#1918) (d121546)
• add single session per user with tags support (#1297) (69feebc)
• add sso pkce (#1137) (2c0e0a1)
• add support for Azure CIAM login (#1541) (1cb4f96)
• add support for migration of firebase scrypt passwords (#1768) (ba00f75)
• add support for saml encrypted assertions (#1752) (c5480ef)
• add support for Slack OAuth V2 (#1591) (bb99251)
• add support for verifying argon2i and argon2id passwords (#1597) (55409f7)
• add support packages for end-to-end testing (#2021) (269ddfe)
• add test OTP support for mobile app reviews (#1166) (2fb0cf5)
• add time-boxed sessions (#1286) (9a1f461)
• add timeout middleware (#1529) (f96ff31)
• add weak password check on sign in (#1346) (8785527)
• add webauthn configuration variables (#1773) (77d5897)
• allow whatsapp channels with Twilio Verify (#1207) (ff98d2f)
• allow for postgres and http functions on each extensibility point (#1528) (348a1da)
• allow invalid config directories (#1969) (6b842f6)
• allow limiting lifespan of low-aal sessions (#1942) (d7a9ca6)
• allow unverified email signins (#1301) (94293b7)
• alter tag to use raw (#1427) (53cfe5d)
• anonymous sign-ins (#1460) (130df16)
• azure oidc fix (#1349) (97b3595)
• Block specific outgoing mail servers (#1971) (091aef9)
• calculate aal without transaction (#1437) (8dae661)
• clean up expired factors (#1371) (5c94207)
• clean up test setup in MFA tests (#1452) (7185af8)
• config reloading (#1771) (6ee0091)
• configurable email and sms rate limiting (#1800) (5e94047)
• configurable NameID format for SAML provider (#1481) (ef405d8)
• cover 100% of crypto with tests (#1892) (174198e)
• deprecate existing webhook implementation (#1417) (5301e48)
• drop restriction that PKCE cannot be used with autoconfirm (#1176) (0a6f218)
• drop SAML RelayState IP address check (#1376) (6284d99)
• drop sha hash tag (#1422) (76853ce)
• encrypt sensitive columns (#1593) (e4a4758)
• expose email address being sent to for email change flow (#1231) (f7308ad)
• fix argon2 parsing and comparison (#1887) (9dbe6ef)
• fix empty string parsing for GOTRUE_SMS_TEST_OTP_VALID_UNTIL (#1234) (25f2dcb)
• fix large group claim handling in azure id tokens (#1995) (2f323fe)
• fix refresh token reuse revocation (#1312) (6e313f8)
• forbid generating an access token without a session (#1504) (795e93d)
• HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets (#1467) (5b24c4e)
• ignore common Azure issuer for ID tokens (#1272) (4c50357)
• improvements to config reloader, 100% coverage (#1933) (21c2256)
• increase test coverage in conf package to 100% (#1937) (bc57c1c)
• initial fix for invite followed by signup. (#1262) (76c8eeb)
• mailer logging (#1805) (9354b83)
• make error message in factor creation more obvious (#1374) (74af993)
• make the email client explicity set the format to be HTML (#1149) (53e223a)
• merge provider metadata on link account (#1552) (bd8b5c4)
• MFA (Phone) (#1668) (ae091aa)
• new timeout writer implementation (#1584) (72614a1)
• pass transaction to invokeHook, fixing pool exhaustion (#1465) (b536d36)
• password sign-up no longer blocks the db connection (#1319) (84d4b75)
• prefix release with v (#1424) (9d398cd)
• preserve rate limiters in memory across configuration reloads (#1792) (0a3968b)
• properly return hook error (#1355) (890663f)
• refactor for central password strength check (#1321) (5524653)
• refactor generate accesss token to take in request (#1531) (e4f2b59)
• refactor hook error handling (#1329) (72fdb16)
• refactor hooks out of api package (#1976) (c5904c0)
• refactor one-time tokens for performance (#1558) (d1cf8d9)
• refactor PKCE FlowState to reduce duplicate code (#1446) (b8d0337)
• refactor resource owner password grant (#1443) (e63ad6f)
• reinstate upgrade whatsapp support on Twilio Programmable Messaging to support Content API (#1266) (00ee75c)
• remove flow state expiry on Magic Links (PKCE) (#1179) (caa9393)
• remove legacy lookup in users for one_time_tokens (phase II) (#1569) (39ca026)
• remove non-SSO restriction for MFA (#1378) (9ca6970)
• remove opentracing (#1307) (93e5f82)
• rename gotrue to auth (#1340) (8430113)
• retry concurrent refresh token attempts (#1202) (d894012)
• return expires_at in addition to expires_in (#1183) (3cd4bd5)
• return bad request error when factor with duplicate friendly name is registered (#1375) (55febd2)
• return validation failed error if captcha request was not json (#1815) (26d2e36)
• send over user in SendSMS Hook instead of UserID (#1551) (d4d743c)
• separate web3 rate limits from other /token?grant_type=... (#1985) (8b23382)
• serialized access to session in refresh_token grant (#1190) (a8f1712)
• set email_verified to true on all identities with the verified email (#1902) (307892f)
• split validation and population of hook name (#1337) (c03ae09)
• spotify oauth (#1296) (cc07b4a)
• strip user-agent from otel tracing (#1309) (d76f439)
• switch to googleapis/release-please-action, bump to 2.166.0 (#1883) (11a312f)
• unlinking primary identity should update email (#1326) (bdc3300)
• update chi version (#1581) (c64ae3d)
• update github.com/rs/cors to v1.9.0 (#1198) (27d3a7f)
• update oauth1.a flow (#1382) (4f39d2e)
• update openapi spec with identity and is_anonymous fields (#1573) (86a79df)
• update primary key for identities table (#1311) (d8ec801)
• update publish.yml checkout repository so there is access to Dockerfile (#1419) (7cce351)
• update README.md to trigger release (#1425) (91e0e24)
• upgrade otel to v1.26 (#1585) (cdd13ad)
• upgrade whatsapp support on Twilio Programmable Messaging (#1249) (c58febe)
• use DO blocks around SQL statements in migrations (#1335) (061391a)
• use global_user_id over sub for vercel_marketplace issuer (#1990) (f94f97e)
• use template/text instead of strings.Replace for phone OTP messages (#1188) (5caacc1)
• use dummy instance id to improve performance on refresh token queries (#1454) (656474e)
• use embedded migrations for migrate command (#1843) (e358da5)
• use largest avatar from spotify instead (#1210) (4f9994b), closes #1209
• use OIDC ID token for Azure (#1269) (57e336e)
• Vercel marketplace OIDC (#1731) (a9ff361)

Bug Fixes

• #1218 fixes existing migrations to allow namespaces!="auth" (#1279) (206fc09)
• add supafast tarball for upgrading auth via supabase-admin-api (#2009) (9b55785)
• add additional information around errors for missing content type header (#1576) (c2b2f96)
• add check for max password length (#1368) (41aac69)
• add cleanup statement for anonymous users (#1497) (cf2372a)
• add db conn max idle time setting (#1555) (2caa7b4)
• add discord global_name to custom_claims (#1171) (3b1a5b9)
• add error codes to password login flow (#1721) (4351226)
• add error codes to refresh token flow (#1824) (4614dc5)
• add error handling for hook (#1339) (7ac7586)
• add http support for https hooks on localhost (#1484) (5c04104)
• add ip based limiter (#1622) (06464c0)
• add last_challenged_at field to mfa factors (#1705) (29cbeb7)
• add redirectTo to email templates (#1276) (40aed62)
• add test coverage for rate limits with 0 permitted events (#1834) (7c3cf26)
• add token to hook payload for non-secure email change (#1763) (7e472ad)
• add twilio verify support on mfa (#1714) (aeb5d8f)
• add validation and proper decoding on send email hook (#1520) (e19e762)
• admin user update should update is_anonymous field (#1623) (f5c6fcd)
• allow anonymous user to update password (#1739) (2d51956)
• allow enabling sms hook without setting up sms provider (#1704) (575e88a)
• allow transactions to be committed while returning a custom error (#1310) (8565d26)
• apply authorized email restriction to non-admin routes (#1778) (1af203f)
• apply mailer autoconfirm config to update user email (#1646) (a518505)
• apply shared limiters before email / sms is sent (#1748) (bf276ab)
• azure overage claims start with single _ not two (#1999) (29f3440)
• bypass check for token & verify endpoints (#1785) (9ac2ea0)
• call write header in write if not written (#1598) (0ef7eb3)
• change email update flow to return both ? messages and # messages (#1129) (77afd28)
• change phone constraint to per user (#1713) (b9bc769)
• check for empty aud string (#1649) (42c1d45)
• check for pkce prefix (#1291) (05c629b)
• check if session is nil (#1873) (fd82601)
• check linking domain prefix (#1336) (9194ffc)
• check password max length in checkPasswordStrength (#1659) (1858c93)
• cleanup panics due to bad inactivity timeout code (#1471) (548edf8)
• convert refreshed_at to UTC before updating (#1916) (a4c692f)
• correct casing of API key authentication in openapi.yaml (0cfd177)
• correct web authn aaguid column naming (#1826) (0a589d0)
• custom SMS does not work with Twilio Verify (#1733) (dc2391d)
• deadlock issue with timeout middleware write (#1595) (6c9fbd4)
• default to files:read scope for Figma provider (#1831) (9ce2857)
• define search path in auth functions (#1616) (357bda2)
• deprecate hooks (#1421) (effef1b)
• disable allow unverified email sign ins if autoconfirm enabled (#1313) (9b93ac1)
• do call send sms hook when SMS autoconfirm is enabled (#1562) (bfe4d98)
• docs: remove bracket on file name for broken link (#1493) (96f7a68)
• don't update attribute mapping if nil (#1665) (7e67f3e)
• drop the MFA_ENABLED config (#1701) (078c3a8)
• email header setting no longer misleading (#1802) (3af03be)
• email_verified field not being updated on signup confirmation (#1868) (483463e)
• enable rls & update grants for auth tables (#1617) (28967aa)
• enable SO_REUSEPORT in listener config (#1936) (a474b80)
• enforce authorized address checks on send email only (#1806) (c0c5b23)
• enforce uniqueness on verified phone numbers (#1693) (70446cc)
• error should be an IsNotFoundError (#1432) (7f40047)
• explicit permisions on actions (#1978) (06e9ead)
• expose provider under amr in access token (#1456) (e9f38e7)
• expose X-Supabase-Api-Version header in CORS (#1612) (6ccd814)
• expose factor type on challenge (#1709) (e1a21a3)
• external host validation (#1808) (4f6a461), closes #1228
• fallback on btree indexes when hash is unavailable (#1856) (b33bc31)
• fix getExcludedColumns slice allocation (#1788) (7f006b6)
• fix supafast tarball generation (#2011) (88bb2c0)
• Fix reqPath for bypass check for verify EP (#1789) (646dc66)
• format test otps (#1567) (434a59a)
• generate signup link should not error (#1514) (4fc3881)
• handle oauth email check separately (#1348) (757989c)
• handle user banned error code (#1851) (a6918f4)
• hide hook name (#1743) (7e38f4c)
• ignore errors if transaction has closed already (#1726) (53c11d1)
• ignore not found error to check for pkce prefix later (#1929) (fbbebcc)
• ignore rate limits for autoconfirm (#1810) (9ce2340)
• impose expiry on auth code instead of magic link (#1440) (35aeaf1)
• improve default settings used (4745451)
• improve error messaging for http hooks (#1821) (fa020d0)
• improve invalid channel error message returned (#1908) (f72f0ee)
• improve logging structure (#1583) (c22fc15)
• improve MFA QR Code resilience so as to support providers like 1Password (#1455) (6522780)
• improve mfa verify logs (#1635) (d8b47f9)
• improve perf in account linking (#1394) (8eedb95)
• improve saml assertion logging (#1915) (d6030cc)
• improve session error logging (#1655) (5a6793e)
• improve token OIDC logging (#1606) (5262683)
• include /organizations in expected issuer exemption (#1275) (47cbe6e)
• include factor_id in query (#1702) (ac14e82)
• include symbols in generated password (#1364) (f81a748)
• inline mailme package for easy development (#1803) (fa6f729)
• invalidate email, phone OTPs on password change (#1489) (960a4f9)
• invited users should have a temporary password generated (#1644) (3f70d9d)
• linkedin_oidc provider error (#1534) (4f5e8e5)
• log clearer internal error messages for verify (#1292) (aafad5c)
• log correct referer value (#1178) (a6950a0)
• log final writer error instead of handling (#1564) (170bd66)
• log version & migration count (#1934) (8078cdc)
• magiclink failing due to passwordStrength check (#1769) (7a5411f)
• maintain backward compatibility for asymmetric JWTs (#1690) (0ad1402)
• make drop_uniqueness_constraint_on_phone idempotent (#1817) (158e473)
• MFA NewFactor to default to creating unverfied factors (#1692) (3d448fa)
• minor spelling errors (#1688) (6aca52b), closes #1682
• move all EmailActionTypes to mailer package (#1510) (765db08)
• move creation of flow state into function (#1470) (4392a08)
• move is owned by check to load factor (#1703) (701a779)
• OIDC provider validation log message (#1380) (27e6b1f)
• omit empty string from name & use case-insensitive equality for comparing SAML attributes (#1654) (bf5381a)
• only apply rate limit if autoconfirm is false (#1184) (46932da)
• only create or update the email / phone identity after it's been verified (#1403) (2d20729)
• only create or update the email / phone identity after it's been verified (again) (#1409) (bc6a5b8)
• pass through redirect query parameters (#1224) (577e320)
• patch secure email change (double confirm) response format. (#1241) (064e8a1)
• populate password verification attempt hook (#1436) (f974bdb)
• possible panic if refresh token has a null session_id (#1822) (a7129df)
• potential panics on error (#1389) (5ad703b)
• preserve backward compatibility with Twilio Existing API (#1260) (71fb156)
• prevent user email side-channel leak on verify (#1472) (311cde8)
• propagate error when when confirming phone (#1939) (e882b42)
• publish to ghcr.io/supabase/auth (#1626) (930aa3e), closes #1625
• rate limits of 0 take precedence over MAILER_AUTO_CONFIRM (#1837) (cb7894e)
• redirect invalid state errors to site url (#1722) (b2b1123)
• redirects must not be to ip addresses (#1984) (347e23a)
• refactor email sending functions (#1495) (285c290)
• refactor factor_test to centralize setup (#1473) (c86007e)
• refactor mfa and aal update methods (#1503) (31a5854)
• refactor mfa challenge and tests (#1469) (6c76f21)
• refactor mfa models and add observability to loadFactor (#1669) (822fb93)
• refactor mfa validation into functions (#1780) (410b8ac)
• refactor request params to use generics (#1464) (e1cdf5c)
• refactor TOTP MFA into separate methods (#1698) (250d92f)
• remove azure claim overage code. (#2005) (63dce14)
• remove captcha on id_token grant (#1175) (910079c)
• remove check for content-length (#1700) (81b332d)
• remove deprecated LogoutAllRefreshTokens (#1519) (35533ea)
• remove FindFactorsByUser (#1707) (af8e2dd)
• remove organizations from fly provider (#1267) (c79fc6e)
• remove redundant queries to get session (#1204) (669ce97)
• remove server side cookie token methods (#1742) (c6efec4)
• remove TOTP field for phone enroll response (#1717) (4b04327)
• rename from CustomSMSProvider to SendSMS (#1513) (c0bc37b)
• Resend SMS when duplicate SMS sign ups are made (#1490) (73240a0)
• resolving azure overage claim should include api-version=1.6 query parameter (#2000) (44890d0)
• restrict autoconfirm email change to anonymous users (#1679) (b57e223)
• restrict mfa enrollment to aal2 if verified factors are present (#1439) (7e10d45)
• return correct sms otp error (#1351) (5b06680)
• return error if session id does not exist (#1538) (91e9eca)
• return error if user not found but identity exists (#1200) (1802ff3)
• return oauth identity when user is created (#1736) (60cfb60)
• return proper error if sms rate limit is exceeded (#1647) (3c8d765)
• return the error code instead of status code (#1855) (834a380)
• Revert "fix: remove organizations from fly provider" (#1287) (84e16ed)
• Revert "fix: revert fallback on btree indexes when hash is unavailable" (#1859) (9fe5b1e)
• revert define search path in auth functions (#1634) (155e87e)
• revert fallback on btree indexes when hash is unavailable (#1858) (1c7202f)
• revert patch for linkedin_oidc provider error (#1535) (58ef4af)
• revert refactor resource owner password grant (#1466) (fa21244)
• sanitize redirect URL (remove fragment, query) before pattern matching (#1974) (ccf20d7)
• sanitizeUser leaks user role (#1366) (8ce9d3f)
• serialize jwt as string (#1657) (98d8324)
• set rate limit log level to warn (#1652) (10ca9c8)
• set the otp if it's not a test otp (#1223) (3afc8a9)
• show proper error message on textlocal (#1338) (44e2466)
• simplify WaitForCleanup (#1747) (0084625)
• skip cleanup for non-2xx status (#1877) (f572ced)
• sms verify should update is_anonymous field (#1580) (e5f98cb)
• support email verification type on token hash verification (#1177) (ffa5efa)
• support message IDs for Twilio Whatsapp (#1203) (77e85c8)
• take into account test otp for twilio verify (#1255) (18b4291)
• test otp with twilio verify (#1259) (ab2aba6)
• treat GOTRUE_MFA_ENABLED as meaning TOTP enabled on enroll and verify (#1694) (8015251)
• treat empty string as nil in encrypted_password (#1663) (f99286e)
• unlink identity bugs (#1475) (73e8d87)
• unmarshal is_private_email correctly (#1402) (47df151)
• update aal requirements to update user (#1766) (25d9874)
• update contributing to use v1.22 (#1609) (5894d9e)
• update dependencies (1/2) (#1304) (accccee)
• update figma token endpoint (#1952) (18fbbb5)
• update file name so migration to Drop IP Address is applied (#1447) (f29e89d)
• update ip mismatch error message (#1849) (49fbbf0)
• update linkedin issuer url (#1536) (10d6d8b)
• update MaxFrequency error message to reflect number of seconds (#1540) (e81c25d)
• update mfa admin methods (#1774) (567ea7e)
• update mfa phone migration to be idempotent (#1687) (fdff1e7)
• update OpenAPI schema to use 'minimum' instead of 'min' for integer (5c1deb2)
• update openapi spec for MFA (Phone) (#1689) (a3da4b8)
• update phone if autoconfirm is enabled (#1431) (95db770)
• update suggested Go version for contributors to 1.21 (#1331) (9feeec4)
• upgrade ci Go version (#1782) (97a48f6)
• upgrade godotenv to v1.5.1 to fix multiline file loading (#1997) (f2af4b2)
• upgrade golang-jwt to v5 (#1639) (2cb97f0)
• use pattern for semver docker image tags (#1411) (14a3aeb)
• use api_external_url domain as localname (#1575) (ed2b490)
• use deep equal (#1672) (8efd57d)
• use email change email in identity (#1429) (4d3b9b8)
• use linkedin oidc endpoint (#1254) (6d5c8eb)
• use pointer for user.EncryptedPassword (#1637) (bbecbd6)
• use redirect URL as-is for mobile apps (#2007) (b36cdcd)
• use signing jwk to sign oauth state (#1728) (66fd0c8)
• use started transaction, not a new one (#1196) (0b5b656)
• use sys/unix instead of syscall (#1953) (4a6d9bc)
• user sanitization should clean up email change info too (#1759) (9d419b4)
• validateEmail should normalise emails (#1790) (2e9b144)

Reverts

• "fix: only create or update the email / phone identity after i… (#1407) (ff86849)

---

This PR was generated with Release Please. See documentation.