fix: enforce email confirmation requirement for sign-ins with unverified emails #1982
## What kind of change does this PR introduce?

In support of the use of HTTP Hook with Custom Access Token Extension Point. We need to take in a request in order to support the Custom Access Token Hook, because the Custom Access Token Hook depends on the request to fetch the global logger. We refactor `generateAccessToken` and a wrapping method, `issueRefreshToken`, to take in a request to support this. We also add a dummy request to the tests to support this change.

Supports supabase#1528 - branched out as a separate PR so as not to bloat the main PR with peripheral changes.
## What kind of change does this PR introduce?

Fixes supabase#1533

## What is the current behavior?

Attempting to signInWithOAuth with the linkedin_oidc provider results in error 500

## What is the new behavior?

Attempting to signInWithOAuth with linkedin_oidc results in a successful login

## Additional context

Error from Supabase Auth Logs: `oidc: id token issued by a different provider, expected \"https://www.linkedin.com\" got \"https://www.linkedin.com/oauth\"`
Reverts supabase#1534

Doesn't seem to work as expected. Directly testing against the API by calling `https://localhost:9999/?provider=linkedin_oidc` will return a 404 error.
## What kind of change does this PR introduce?

* Linkedin introduced a breaking change by changing the issuer url in their discovery document from `https://linkedin.com` to `https://linkedin.com/oauth`
* Fixes supabase#1533, supabase#1534, [#22711](https://github.com/orgs/supabase/discussions/22711), [#22708](https://github.com/orgs/supabase/discussions/22708)

## What is the current behavior?

Please link any relevant issues here.

## What is the new behavior?

Feel free to include screenshots if it includes visual changes.

## Additional context

Add any other context or screenshots.
🤖 I have created a release *beep* *boop*

---

## [2.149.0](supabase/auth@v2.148.0...v2.149.0) (2024-04-15)

### Features

* refactor generate access token to take in request ([supabase#1531](supabase#1531)) ([e4f2b59](supabase@e4f2b59))

### Bug Fixes

* linkedin_oidc provider error ([supabase#1534](supabase#1534)) ([4f5e8e5](supabase@4f5e8e5))
* revert patch for linkedin_oidc provider error ([supabase#1535](supabase#1535)) ([58ef4af](supabase@58ef4af))
* update linkedin issuer url ([supabase#1536](supabase#1536)) ([10d6d8b](supabase@10d6d8b))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…nt (supabase#1528)

## What kind of change does this PR introduce?

After this change, users can opt to use either Postgres or HTTP functions on each extensibility/extension point. From an implementation standpoint, all new extension points must support both HTTP and Postgres functions
## What kind of change does this PR introduce?

* return error if session id doesn't exist in the db

## What is the current behavior?

Please link any relevant issues here.

## What is the new behavior?

Feel free to include screenshots if it includes visual changes.

## Additional context

Add any other context or screenshots.
## What kind of change does this PR introduce?

We align convention with `SendEmail` and send over a user to avoid having the user make an additional `getUser` call. Also allows access to `app_metadata` and `user_metadata` which would be useful for internationalization where you may want the locale of the user to determine which template to send.

We also introduce a `PhoneData` struct through which we can introduce any potential phone related fields. This struct currently lives under the `hooks` package as there is no `phone` package currently and introducing one might require a significant refactor. Importing it as is under the `api` package would cause a circular dependency between the `hooks` and `api` packages.

---------

Co-authored-by: Stojan Dimitrovski <[email protected]>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.21.0 to 0.23.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/net/commit/c48da131589f122489348be5dfbcb6457640046f"><code>c48da13</code></a> http2: fix TestServerContinuationFlood flakes</li> <li><a href="https://github.com/golang/net/commit/762b58d1cf6e0779780decad89c6c1523386638d"><code>762b58d</code></a> http2: fix tipos in comment</li> <li><a href="https://github.com/golang/net/commit/ba872109ef2dc8f1da778651bd1fd3792d0e4587"><code>ba87210</code></a> http2: close connections when receiving too many headers</li> <li><a href="https://github.com/golang/net/commit/ebc8168ac8ac742194df729305175940790c55a2"><code>ebc8168</code></a> all: fix some typos</li> <li><a href="https://github.com/golang/net/commit/3678185f8a652e52864c44049a9ea96b7bcc066a"><code>3678185</code></a> http2: make TestCanonicalHeaderCacheGrowth faster</li> <li><a href="https://github.com/golang/net/commit/448c44f9287b6745f958d74aa2a17ec7761c2f13"><code>448c44f</code></a> http2: remove clientTester</li> <li><a href="https://github.com/golang/net/commit/c7877ac4213b2f859831366f5a35b353e0dc9f66"><code>c7877ac</code></a> http2: convert the remaining clientTester tests to testClientConn</li> <li><a href="https://github.com/golang/net/commit/d8870b0bf2f2426fc8d19a9332f652da5c25418f"><code>d8870b0</code></a> http2: use synthetic time in TestIdleConnTimeout</li> <li><a href="https://github.com/golang/net/commit/d73acffdc9493532acb85777105bb4a351eea702"><code>d73acff</code></a> http2: only set up deadline when Server.IdleTimeout is positive</li> <li><a href="https://github.com/golang/net/commit/89f602b7bbf237abe0467031a18b42fc742ced08"><code>89f602b</code></a> http2: validate client/outgoing trailers</li> <li>Additional commits viewable in <a href="https://github.com/golang/net/compare/v0.21.0...v0.23.0">compare view</a></li> </ul> </details> <br /> 
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/supabase/auth/network/alerts). 
</details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Adds support for [Azure's CIAM](https://learn.microsoft.com/en-us/entra/external-id/customers/overview-customers-ciam) login. This is a special B2B Azure account separate from the typical tenant accounts and is meant to be used only when the expected issuer is set to the CIAM tenant. --------- Co-authored-by: Kang Ming <[email protected]>
It merges back the identity data into user metadata on link account. This is safe because the user can just sign-in again and have the identity data merged back (AccountExists case).
A new middleware is introduced that enforces a strict timeout by using `context.WithTimeout()`. When the timeout is reached, a 504 JSON error with the `request_timeout` error code is sent. Anything that depends on the context is cancelled. --------- Co-authored-by: Kang Ming <[email protected]>
🤖 I have created a release *beep* *boop* --- ## [2.150.0](supabase/auth@v2.149.0...v2.150.0) (2024-04-25) ### Features * add support for Azure CIAM login ([supabase#1541](supabase#1541)) ([1cb4f96](supabase@1cb4f96)) * add timeout middleware ([supabase#1529](supabase#1529)) ([f96ff31](supabase@f96ff31)) * allow for postgres and http functions on each extensibility point ([supabase#1528](supabase#1528)) ([348a1da](supabase@348a1da)) * merge provider metadata on link account ([supabase#1552](supabase#1552)) ([bd8b5c4](supabase@bd8b5c4)) * send over user in SendSMS Hook instead of UserID ([supabase#1551](supabase#1551)) ([d4d743c](supabase@d4d743c)) ### Bug Fixes * return error if session id does not exist ([supabase#1538](supabase#1538)) ([91e9eca](supabase@91e9eca)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Adds the `GOTRUE_DB_CONN_MAX_IDLE_TIME` setting that allows setting the max idle time for a connection.
Adds [a linter that checks for non-exhaustive `switch` statements](https://github.com/nishanths/exhaustive).
🤖 I have created a release *beep* *boop* --- ## [2.150.1](supabase/auth@v2.150.0...v2.150.1) (2024-04-28) ### Bug Fixes * add db conn max idle time setting ([supabase#1555](supabase#1555)) ([2caa7b4](supabase@2caa7b4)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
If writing to the ResponseWriter fails, then there's no point in trying to handle the error recursively and write again. Just log with a warning. Should deal with some endless-recursion edge cases.
## What kind of change does this PR introduce?

* Apply basic formatting on test OTPs when config is loaded
* Fixes supabase#1566

## What is the current behavior?

Please link any relevant issues here.

## What is the new behavior?

Feel free to include screenshots if it includes visual changes.

## Additional context

Add any other context or screenshots.
…1562)

## What kind of change does this PR introduce?

Small quirk discovered while testing - it currently looks like when SMS Autoconfirm is set

```
GOTRUE_SMS_AUTOCONFIRM="true"
```

and an OTP request is made:

```
curl -X POST http://localhost:9999/otp -H "Content-Type: application/json" -d '{"phone": "<phone>"}'
```

an OTP is still sent. There's a substantial number of projects (see internal for exact number) using this so probably will preserve this behaviour. This affects the edge case where `SMS_AUTOCONFIRM` is enabled but the Hook returns an error which may leave the developer puzzled since one might expect an SMS not to be sent with autoconfirm similar to `MAILER_AUTOCONFIRM`

Before:
- Enable Send SMS and autoconfirm, make a request with faulty URI - request should fail

After:
- Enable Send SMS and autoconfirm, make a request - message is sent as per current behaviour

---------

Co-authored-by: Kang Ming <[email protected]>
Refactors all One-Time Tokens (OTP) used for sign-in with email, SMS, email confirmation, phone confirmation, change... to achieve:

- Performance (as current method does not use an index due to the use of [partial indexes](https://github.com/supabase/auth/blob/master/migrations/20220429102000_add_unique_idx.up.sql#L10-L14) which [cannot be used in practice](https://www.postgresql.org/docs/current/indexes-partial.html))
- Future enhancements (such as OTP verification counters, adaptive OTP lengths, etc.)

Summary of the change:

- A new `one_time_tokens` table is added which uses a double-write mechanism with `users`.
- Each new OTP is both written in the corresponding `users` column and as a new row in `one_time_tokens`.
- Lookup for an OTP hash is performed first in `one_time_tokens` and if not found, using the traditional `users` approach.
- In a few days, once all OTPs using the `users` columns have expired, a new change will be deployed which removes the `users` lookup. This completely solves the performance issue for looking up OTPs.
- In a future change, the `one_time_tokens` table can be used to add a verification counter based on lookups on the `relates_to` (email or phone number) column, enabling new security features.

---------

Co-authored-by: Joel Lee <[email protected]>
🤖 I have created a release *beep* *boop*

---

## [2.151.0](supabase/auth@v2.150.1...v2.151.0) (2024-05-06)

### Features

* refactor one-time tokens for performance ([supabase#1558](supabase#1558)) ([d1cf8d9](supabase@d1cf8d9))

### Bug Fixes

* do call send sms hook when SMS autoconfirm is enabled ([supabase#1562](supabase#1562)) ([bfe4d98](supabase@bfe4d98))
* format test otps ([supabase#1567](supabase#1567)) ([434a59a](supabase@434a59a))
* log final writer error instead of handling ([supabase#1564](supabase#1564)) ([170bd66](supabase@170bd66))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…base#1573)

## What kind of change does this PR introduce?

Adds the `Identity` and `is_anonymous` fields to OpenAPI spec. This is so we can use the `openapi.yml` as a general reference from which to generate Hook Payloads, which contain `User` objects. Identity Fields taken from the [identity model](https://github.com/supabase/auth/blob/master/internal/api/identity.go)

## More Context

User objects are generated by:

1. Converting the `openapi.yml` into JSONSchema. Currently this is done via OpenAI though a modified version of [a yml to jsonschema converter should work with modifications as well](https://www.npmjs.com/package/yaml-to-json-schema). We don't use the latter as there's an additional step of converting the output jsonschema into a format that JSON Faker can accept (adding the JSONSchema version etc)
2. Using [JSONSchema to generate a fake payload](https://json-schema-faker.js.org/)

## Use

The plan is to embed the JSONSchema into each Hook example so developers can copy paste into JSONSchema Faker or similar tool to generate a fake payload.
## What kind of change does this PR introduce?

* Fixes an issue where some SMTP providers reject requests when the SMTP client uses a Local Name that is identical to the SMTP Host name.
## What kind of change does this PR introduce?

* verifying the phone number of a user should update the `is_anonymous` field to false
* add test to prevent any future regression

---------

Co-authored-by: Joel Lee <[email protected]>
## What kind of change does this PR introduce?

* Remove unformatted logs which do not conform to JSON
* Previously, we were logging both `time` (not UTC) and `timestamp` (in UTC) which is redundant. I've opted to remove `timestamp` and just log the UTC time as the `time` field, which is supported by logrus
* Previously, the `request_id` was not being logged because it was unable to retrieve the context properly. Now, the `request_id` field is added to every log entry, which allows us to filter by `request_id` to see the entire lifecycle of the request
* Previously, panics weren't being handled properly and they were just logged as text instead of JSON. The server would return an empty reply, which leads to ugly responses like "Unexpected token < in JSON..." if using fetch in JS. Now, the server returns a proper 500 error response: `{"code":500,"error_code":"unexpected_failure","msg":"Internal Server Error"}`
* Added tests for `recoverer` and `NewStructuredLogger` to prevent regression
* Remove "request started" log since the `request_id` can be used to keep track of the entire request lifecycle. This cuts down on the noise to signal ratio as well.
## Log format

* Panics are now logged like this (note the additional fields like `panic` and `stack` - which is a dump of the stack trace):

```json
{
  "component": "api",
  "duration": 6065700500,
  "level": "info",
  "method": "GET",
  "msg": "request completed",
  "panic": "test panic",
  "path": "/panic",
  "referer": "http://localhost:3001",
  "remote_addr": "127.0.0.1",
  "request_id": "4cde5f20-2c3c-4645-bc75-52d6231e22e2",
  "stack": "goroutine 82 [running]:...rest of stack trace omitted for brevity",
  "status": 500,
  "time": "2024-05-15T09:37:42Z"
}
```

* Requests that call `NewAuditLogEntry` will be logged with the `auth_event` payload in this format (note that the timestamp field no longer exists)

```json
{
  "auth_event": {
    "action": "token_refreshed",
    "actor_id": "733fb34d-a6f2-43e1-976a-8e6a456b6889",
    "actor_name": "Kang Ming Tay",
    "actor_username": "[email protected]",
    "actor_via_sso": false,
    "log_type": "token"
  },
  "component": "api",
  "duration": 75945042,
  "level": "info",
  "method": "POST",
  "msg": "request completed",
  "path": "/token",
  "referer": "http://localhost:3001",
  "remote_addr": "127.0.0.1",
  "request_id": "08c7e47b-42f4-44dc-a39b-7275ef5bbb45",
  "status": 200,
  "time": "2024-05-15T09:40:09Z"
}
```
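The panic-handling behaviour described in this commit (a panic becomes one JSON log line carrying `panic`, `stack` and `request_id`, plus a JSON 500 instead of an empty reply) is shown below as an added, self-contained example. It is not the project's `recoverer` code: it uses only the Go standard library, takes the request id from a constructed `X-Request-Id` header rather than the request context, and the `jsonLogger` type is an assumption standing in for logrus.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"runtime/debug"
	"time"
)

// errorBody matches the 500 response quoted in the commit message.
type errorBody struct {
	Code      int    `json:"code"`
	ErrorCode string `json:"error_code"`
	Msg       string `json:"msg"`
}

// jsonLogger (assumption: stands in for logrus) writes one JSON object per entry so
// every field, including the stack, is filterable by request_id downstream.
type jsonLogger struct{ out *bytes.Buffer }

func (l *jsonLogger) Log(fields map[string]interface{}) {
	fields["level"] = "info"
	fields["time"] = time.Now().UTC().Format(time.RFC3339)
	b, _ := json.Marshal(fields) // map values are strings/ints, so Marshal cannot fail here
	l.out.Write(append(b, '\n'))
}

// requestID is taken from a header in this example; the real service reads it from the context.
func requestID(r *http.Request) string { return r.Header.Get("X-Request-Id") }

// Recoverer turns a panic in next into a structured log entry and a JSON 500.
// If the handler already wrote headers before panicking, WriteHeader is a no-op and
// the client sees a truncated body; the log line is still emitted.
func Recoverer(logger *jsonLogger) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			defer func() {
				rec := recover()
				if rec == nil {
					return
				}
				logger.Log(map[string]interface{}{
					"component":  "api",
					"method":     r.Method,
					"path":       r.URL.Path,
					"request_id": requestID(r),
					"panic":      fmt.Sprint(rec),
					"stack":      string(debug.Stack()),
					"status":     http.StatusInternalServerError,
					"msg":        "request completed",
				})
				w.Header().Set("Content-Type", "application/json")
				w.WriteHeader(http.StatusInternalServerError)
				json.NewEncoder(w).Encode(errorBody{Code: 500, ErrorCode: "unexpected_failure", Msg: "Internal Server Error"})
			}()
			next.ServeHTTP(w, r)
		})
	}
}

// PanicDemo sends a constructed request to a handler that panics and returns
// the HTTP status, the response body and the captured log line.
func PanicDemo() (int, string, string) {
	var logBuf bytes.Buffer
	logger := &jsonLogger{out: &logBuf}
	boom := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { panic("test panic") })
	req := httptest.NewRequest(http.MethodGet, "/panic", nil)
	req.Header.Set("X-Request-Id", "4cde5f20-2c3c-4645-bc75-52d6231e22e2") // constructed id
	rec := httptest.NewRecorder()
	Recoverer(logger)(boom).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String(), logBuf.String()
}

func main() {
	code, body, logLine := PanicDemo()
	fmt.Println(code, body)
	fmt.Println(logLine)
}
```

The recorder in `PanicDemo` is a test double; in a server the same middleware wraps the router so a panicking handler can never leave the client with an empty reply.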
## What kind of change does this PR introduce?

* Upgrades [chi](https://github.com/go-chi/chi) from v4 to v5
…upabase#1569) Removes legacy lookups in `auth.users` for when a corresponding entry in `one_time_tokens` is not found. Phase II of the refactor, based on supabase#1558, to be released after it's deployed for a few days. --------- Co-authored-by: Kang Ming <[email protected]>
supabase#1529 introduced timeout middleware, but it appears from working in the wild it has some race conditions that are not particularly helpful. This PR rewrites the implementation to get rid of race conditions, at the expense of slightly higher RAM usage. It follows the implementation of `http.TimeoutHandler` closely. --------- Co-authored-by: Kang Ming <[email protected]>
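The design this commit describes, a timeout middleware that follows `http.TimeoutHandler` closely, is shown below as an added example; it is not the project's own implementation. Handler output is buffered in memory and only copied to the client if the handler returns before the deadline; after a 504 has been sent, every late write from the handler is refused, so the handler goroutine and the middleware never touch the client connection concurrently (the race the commit message is fixing, bought with the extra memory it mentions). The `request_timeout` error code is from the commit message; the JSON shape around it and the handlers in `FastHandler` / `SlowHandler` are assumptions for the example.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// timeoutBody is the 504 payload; error_code value from the commit message, other keys assumed.
type timeoutBody struct {
	Code      int    `json:"code"`
	ErrorCode string `json:"error_code"`
	Msg       string `json:"msg"`
}

// bufferedWriter replaces the real ResponseWriter while the handler runs. Nothing
// reaches the client until the handler returns; once timedOut is set, writes fail.
type bufferedWriter struct {
	mu       sync.Mutex
	header   http.Header
	status   int
	body     bytes.Buffer
	timedOut bool
}

func (b *bufferedWriter) Header() http.Header { return b.header }

func (b *bufferedWriter) WriteHeader(code int) {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.status == 0 && !b.timedOut {
		b.status = code
	}
}

func (b *bufferedWriter) Write(p []byte) (int, error) {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.timedOut {
		return 0, http.ErrHandlerTimeout // same error http.TimeoutHandler returns to late writers
	}
	if b.status == 0 {
		b.status = http.StatusOK
	}
	return b.body.Write(p)
}

// Timeout wraps next with context.WithTimeout and answers 504 JSON when the deadline passes.
func Timeout(d time.Duration) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			ctx, cancel := context.WithTimeout(r.Context(), d)
			defer cancel()
			bw := &bufferedWriter{header: make(http.Header)}
			done := make(chan struct{})
			go func() {
				defer close(done)
				next.ServeHTTP(bw, r.WithContext(ctx))
			}()
			select {
			case <-done: // handler finished in time: replay headers, status and body
				bw.mu.Lock()
				defer bw.mu.Unlock()
				for k, v := range bw.header {
					w.Header()[k] = v
				}
				if bw.status == 0 {
					bw.status = http.StatusOK
				}
				w.WriteHeader(bw.status)
				w.Write(bw.body.Bytes())
			case <-ctx.Done(): // deadline hit: seal the buffer, then answer alone
				bw.mu.Lock()
				bw.timedOut = true
				bw.mu.Unlock()
				w.Header().Set("Content-Type", "application/json")
				w.WriteHeader(http.StatusGatewayTimeout)
				json.NewEncoder(w).Encode(timeoutBody{Code: 504, ErrorCode: "request_timeout", Msg: "Processing this request timed out, please retry after a moment."})
			}
		})
	}
}

// FastHandler and SlowHandler are constructed handlers for the demonstration.
func FastHandler(body string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, body) })
}

// SlowHandler ignores r.Context() on purpose: an uncooperative handler whose late
// write lands in the sealed buffer instead of corrupting the 504 already sent.
func SlowHandler(sleep time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		time.Sleep(sleep)
		fmt.Fprint(w, "late")
	})
}

// Serve runs one request through the middleware and returns status and body.
func Serve(h http.Handler, limit time.Duration) (int, string) {
	rec := httptest.NewRecorder()
	Timeout(limit)(h).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(Serve(FastHandler("ok"), time.Second))
	fmt.Println(Serve(SlowHandler(300*time.Millisecond), 30*time.Millisecond))
}
```

The cost is visible in `SlowHandler`: its goroutine keeps running after the client has its 504, holding the buffer until it returns, which is why handlers should still honour `r.Context()` so cancellation frees resources promptly.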
🤖 I have created a release *beep* *boop*

---

## [2.152.0](supabase/auth@v2.151.0...v2.152.0) (2024-05-22)

### Features

* new timeout writer implementation ([supabase#1584](supabase#1584)) ([72614a1](supabase@72614a1))
* remove legacy lookup in users for one_time_tokens (phase II) ([supabase#1569](supabase#1569)) ([39ca026](supabase@39ca026))
* update chi version ([supabase#1581](supabase#1581)) ([c64ae3d](supabase@c64ae3d))
* update openapi spec with identity and is_anonymous fields ([supabase#1573](supabase#1573)) ([86a79df](supabase@86a79df))

### Bug Fixes

* improve logging structure ([supabase#1583](supabase#1583)) ([c22fc15](supabase@c22fc15))
* sms verify should update is_anonymous field ([supabase#1580](supabase#1580)) ([e5f98cb](supabase@e5f98cb))
* use api_external_url domain as localname ([supabase#1575](supabase#1575)) ([ed2b490](supabase@ed2b490))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
## What kind of change does this PR introduce?

* clean up unused args in various functions
## What kind of change does this PR introduce?

chore: support both `docker compose` or `docker-compose` command

## What is the current behavior?

no issue link

## What is the new behavior?

Before this commit, a developer could get an error if docker-compose was installed as a plugin. After this commit, a developer can run `make docker-x` without errors.

## Additional context

no
The existing rate limiter was moved to a separate package and renamed to IntervalLimiter. Added BurstLimiter which is a wrapper around the "golang.org/x/time/rate" package.

The conf.Rate type now has a private `typ` field that indicates if it is an `"interval"` or `"burst"` rate limiter. If the config value is in the form of `"<burst>/<rate>"` we set it to `"burst"`, otherwise `"interval"`. The `conf.Rate.GetRateType()` method is then called from the `ratelimit.New` function to determine the underlying type of `ratelimit.Limiter` it returns. Then changed `api.NewLimiterOptions` to call `ratelimit.New` instead of creating a specific type of rate limiter.

---------

Co-authored-by: Chris Stockton <[email protected]>
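The config-driven dispatch this commit describes (parse `"<burst>/<rate>"` as a burst limiter, a plain number as an interval limiter, then let `New` pick the implementation from `GetRateType()`) is shown below as an added example. It is not the project's `conf` or `ratelimit` code: both limiters are small stand-alone implementations with an injected clock (the project wraps `golang.org/x/time/rate` for the burst case), the fixed window length passed to `New` is an assumption, and field names are chosen for the example.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
	"sync"
	"time"
)

// RateType mirrors the private typ field described in the commit message.
type RateType string

const (
	RateTypeInterval RateType = "interval"
	RateTypeBurst    RateType = "burst"
)

// Rate is the parsed config value. For "interval", Events is the count allowed per
// window; for "burst", Events is the refill rate per second and Burst the bucket size.
type Rate struct {
	Events float64
	Burst  int
	typ    RateType
}

func (r Rate) GetRateType() RateType { return r.typ }

// ParseRate accepts "<burst>/<rate>" (burst limiter) or a plain number (interval limiter).
// Non-positive or unparsable values are rejected so a typo cannot silently disable limiting.
func ParseRate(s string) (Rate, error) {
	s = strings.TrimSpace(s)
	if burstStr, rateStr, ok := strings.Cut(s, "/"); ok {
		burst, err := strconv.Atoi(strings.TrimSpace(burstStr))
		if err != nil || burst <= 0 {
			return Rate{}, fmt.Errorf("invalid burst %q", burstStr)
		}
		rate, err := strconv.ParseFloat(strings.TrimSpace(rateStr), 64)
		if err != nil || rate <= 0 {
			return Rate{}, fmt.Errorf("invalid rate %q", rateStr)
		}
		return Rate{Events: rate, Burst: burst, typ: RateTypeBurst}, nil
	}
	n, err := strconv.ParseFloat(s, 64)
	if err != nil || n < 0 {
		return Rate{}, fmt.Errorf("invalid rate %q", s)
	}
	return Rate{Events: n, typ: RateTypeInterval}, nil
}

// Limiter is the common interface both flavours satisfy.
type Limiter interface{ Allow() bool }

// IntervalLimiter allows at most limit events per fixed window (the original behaviour).
type IntervalLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	now    func() time.Time
	start  time.Time
	count  int
}

func (l *IntervalLimiter) Allow() bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if t := l.now(); t.Sub(l.start) >= l.window {
		l.start, l.count = t, 0
	}
	if l.count >= l.limit {
		return false
	}
	l.count++
	return true
}

// BurstLimiter is a token bucket: burst capacity refilled at rate tokens per second.
type BurstLimiter struct {
	mu     sync.Mutex
	rate   float64
	burst  float64
	tokens float64
	now    func() time.Time
	last   time.Time
}

func (b *BurstLimiter) Allow() bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	t := b.now()
	b.tokens = math.Min(b.burst, b.tokens+t.Sub(b.last).Seconds()*b.rate)
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// New picks the implementation from the parsed type; window is used only by the interval limiter.
func New(r Rate, window time.Duration, now func() time.Time) Limiter {
	switch r.GetRateType() {
	case RateTypeBurst:
		return &BurstLimiter{rate: r.Events, burst: float64(r.Burst), tokens: float64(r.Burst), now: now, last: now()}
	default:
		return &IntervalLimiter{limit: int(r.Events), window: window, now: now, start: now()}
	}
}

func main() {
	for _, cfg := range []string{"30", "10/5", "oops"} {
		r, err := ParseRate(cfg)
		fmt.Printf("%q -> %v %v\n", cfg, r.GetRateType(), err)
	}
	l := New(Rate{Events: 2, Burst: 2, typ: RateTypeBurst}, time.Hour, time.Now)
	fmt.Println(l.Allow(), l.Allow(), l.Allow()) // third call is refused until the bucket refills
}
```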
Increased test coverage of reloader to 100%. --------- Co-authored-by: Chris Stockton <[email protected]>
…ase#1935)

## What kind of change does this PR introduce?

This PR is to update `README` to use better syntax for `json` code block.

## What is the current behavior?

Some of `json` code blocks aren't valid json format, e.g it shows comments in red:

<img width="844" alt="image" src="https://github.com/user-attachments/assets/a4a9a8ec-a8f3-4204-a212-605f7d9924f3" />

## What is the new behavior?

Use `js` syntax for `json` code block for better looking.

## Additional context

N/A
Increase test coverage in internal/conf to 100%. --------- Co-authored-by: Chris Stockton <[email protected]>
## What kind of change does this PR introduce?

* Enables `SO_REUSEPORT` which allows multiple sockets to bind to the same address and port - this is useful when the auth service needs to be restarted and the port is still being held by a reverse proxy (i.e. envoy) until all the connections are drained
## What kind of change does this PR introduce?

* Use the latest version of oapi-codegen
* Regenerate the go client using oapi-codegen
…upabase#1949) Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.3 to 3.0.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/go-jose/go-jose/releases">github.com/go-jose/go-jose/v3's releases</a>.</em></p> <blockquote> <h2>v3.0.4</h2> <h2>What's Changed</h2> <p>Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144 <a href="https://redirect.github.com/go-jose/go-jose/pull/174">go-jose/go-jose#174</a></p> <p><strong>Full Changelog</strong>: <a href="https://github.com/go-jose/go-jose/compare/v3.0.3...v3.0.4">https://github.com/go-jose/go-jose/compare/v3.0.3...v3.0.4</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/go-jose/go-jose/commit/5253038e3b5f64a2200b5b6c72107bf9823f4358"><code>5253038</code></a> Backport fix 167 to v3 (<a href="https://redirect.github.com/go-jose/go-jose/issues/174">#174</a>)</li> <li><a href="https://github.com/go-jose/go-jose/commit/047dc99758ca176080217a26d0f8a95a3350e7fb"><code>047dc99</code></a> CI: Update github actions and go version (<a href="https://redirect.github.com/go-jose/go-jose/issues/173">#173</a>)</li> <li><a href="https://github.com/go-jose/go-jose/commit/0f017e9bc3fd4ee0ca9171c131d6eb3d196ab05b"><code>0f017e9</code></a> Revert <a href="https://redirect.github.com/go-jose/go-jose/issues/26">#26</a> (ignore unsupported JWKs in Sets) (<a href="https://redirect.github.com/go-jose/go-jose/issues/131">#131</a>)</li> <li><a href="https://github.com/go-jose/go-jose/commit/3e2bbef724ae666f9e6691659bd46bc0c3e0c7aa"><code>3e2bbef</code></a> Unmarshal jwk keys with unsupported key type or algorithm into empty … (<a href="https://redirect.github.com/go-jose/go-jose/issues/26">#26</a>)</li> <li>See full diff in <a href="https://github.com/go-jose/go-jose/compare/v3.0.3...v3.0.4">compare view</a></li> </ul> </details> <br /> 
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/supabase/auth/network/alerts). 
</details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## What kind of change does this PR introduce?

* Migrate figma oauth to use endpoint as listed in https://www.figma.com/developers/api#oauth_migration_guide
## What kind of change does this PR introduce?

* Use `syscall.SO_REUSEPORT` instead of hardcoding the syscall to deal with cases where it's not supported
* Upgrade go to version 1.23.7
## What kind of change does this PR introduce?

* Force the release ci to use 1.23.7 - for some reason, the gh runner cache only contains 1.23.6
🤖 I have created a release *beep* *boop*

---

## [2.170.0](supabase/auth@v2.169.0...v2.170.0) (2025-03-06)

### Features

* improvements to config reloader, 100% coverage ([supabase#1933](supabase#1933)) ([21c2256](supabase@21c2256))
* increase test coverage in conf package to 100% ([supabase#1937](supabase#1937)) ([bc57c1c](supabase@bc57c1c))

### Bug Fixes

* enable SO_REUSEPORT in listener config ([supabase#1936](supabase#1936)) ([a474b80](supabase@a474b80))
* ignore not found error to check for pkce prefix later ([supabase#1929](supabase#1929)) ([fbbebcc](supabase@fbbebcc))
* log version & migration count ([supabase#1934](supabase#1934)) ([8078cdc](supabase@8078cdc))
* update figma token endpoint ([supabase#1952](supabase#1952)) ([18fbbb5](supabase@18fbbb5))
* use sys/unix instead of syscall ([supabase#1953](supabase#1953)) ([4a6d9bc](supabase@4a6d9bc))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…upabase#1967) Bumps [github.com/golang-jwt/jwt/v4](https://github.com/golang-jwt/jwt) from 4.5.1 to 4.5.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/golang-jwt/jwt/releases">github.com/golang-jwt/jwt/v4's releases</a>.</em></p> <blockquote> <h2>v4.5.2</h2> <p>See <a href="https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp">https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp</a></p> <p><strong>Full Changelog</strong>: <a href="https://github.com/golang-jwt/jwt/compare/v4.5.1...v4.5.2">https://github.com/golang-jwt/jwt/compare/v4.5.1...v4.5.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84"><code>2f0e9ad</code></a> Backporting 0951d18 to v4</li> <li>See full diff in <a href="https://github.com/golang-jwt/jwt/compare/v4.5.1...v4.5.2">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/supabase/auth/network/alerts). </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…upabase#1966) Bumps [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) from 5.2.1 to 5.2.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/golang-jwt/jwt/releases">github.com/golang-jwt/jwt/v5's releases</a>.</em></p> <blockquote> <h2>v5.2.2</h2> <h2>What's Changed</h2> <ul> <li>Fixed <a href="https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp">https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp</a> by <a href="https://github.com/mfridman"><code>@mfridman</code></a></li> <li>Fixed some typos by <a href="https://github.com/Ashikpaul"><code>@Ashikpaul</code></a> in <a href="https://redirect.github.com/golang-jwt/jwt/pull/382">golang-jwt/jwt#382</a></li> <li>build: add go1.22 to ci workflows by <a href="https://github.com/mfridman"><code>@mfridman</code></a> in <a href="https://redirect.github.com/golang-jwt/jwt/pull/383">golang-jwt/jwt#383</a></li> <li>Bump golangci/golangci-lint-action from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/golang-jwt/jwt/pull/387">golang-jwt/jwt#387</a></li> <li>Bump golangci/golangci-lint-action from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/golang-jwt/jwt/pull/389">golang-jwt/jwt#389</a></li> <li>chore: bump ci tests to include go1.23 by <a href="https://github.com/mfridman"><code>@mfridman</code></a> in <a href="https://redirect.github.com/golang-jwt/jwt/pull/405">golang-jwt/jwt#405</a></li> <li>Fix jwt -show by <a href="https://github.com/AlexanderYastrebov"><code>@AlexanderYastrebov</code></a> in <a href="https://redirect.github.com/golang-jwt/jwt/pull/406">golang-jwt/jwt#406</a></li> <li>docs: typo by <a href="https://github.com/kvii"><code>@kvii</code></a> in <a href="https://redirect.github.com/golang-jwt/jwt/pull/407">golang-jwt/jwt#407</a></li> <li>Update SECURITY.md by <a href="https://github.com/oxisto"><code>@oxisto</code></a> in <a href="https://redirect.github.com/golang-jwt/jwt/pull/416">golang-jwt/jwt#416</a></li> <li>Update <code>jwt.Parse</code> example to use <code>jwt.WithValidMethods</code> by <a href="https://github.com/mattt"><code>@mattt</code></a> in <a href="https://redirect.github.com/golang-jwt/jwt/pull/425">golang-jwt/jwt#425</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Ashikpaul"><code>@Ashikpaul</code></a> made their first contribution in <a href="https://redirect.github.com/golang-jwt/jwt/pull/382">golang-jwt/jwt#382</a></li> <li><a href="https://github.com/kvii"><code>@kvii</code></a> made their first contribution in <a href="https://redirect.github.com/golang-jwt/jwt/pull/407">golang-jwt/jwt#407</a></li> <li><a href="https://github.com/mattt"><code>@mattt</code></a> made their first contribution in <a href="https://redirect.github.com/golang-jwt/jwt/pull/425">golang-jwt/jwt#425</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2">https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3"><code>0951d18</code></a> Merge commit from fork</li> <li><a href="https://github.com/golang-jwt/jwt/commit/c035977d9e11c351f4c05dfeae193923cbab49ee"><code>c035977</code></a> Update Parse example to use WithValidMethods (<a href="https://redirect.github.com/golang-jwt/jwt/issues/425">#425</a>)</li> <li><a href="https://github.com/golang-jwt/jwt/commit/bc8bdca5cced1caa9787e4a1c313a3538544c877"><code>bc8bdca</code></a> Update SECURITY.md (<a href="https://redirect.github.com/golang-jwt/jwt/issues/416">#416</a>)</li> <li><a href="https://github.com/golang-jwt/jwt/commit/5ec246c074b71790eec1f2e05b54daf6ec29ec5f"><code>5ec246c</code></a> docs: typo (<a href="https://redirect.github.com/golang-jwt/jwt/issues/407">#407</a>)</li> <li><a href="https://github.com/golang-jwt/jwt/commit/0123f1ad66cbc45013dbfba6eff0cd81472bfc12"><code>0123f1a</code></a> Fix jwt -show (<a href="https://redirect.github.com/golang-jwt/jwt/issues/406">#406</a>)</li> <li><a href="https://github.com/golang-jwt/jwt/commit/f961c72abd3b91442a9ab3d3e356bf547636e89b"><code>f961c72</code></a> chore: bump ci tests to include go1.23 (<a href="https://redirect.github.com/golang-jwt/jwt/issues/405">#405</a>)</li> <li><a href="https://github.com/golang-jwt/jwt/commit/62e504c2810b67f6b97313424411cfffb25e41b0"><code>62e504c</code></a> Bump golangci/golangci-lint-action from 5 to 6 (<a href="https://redirect.github.com/golang-jwt/jwt/issues/389">#389</a>)</li> <li><a href="https://github.com/golang-jwt/jwt/commit/1a56dcf532089fc2bb723a3cb4076a4e45cb1c1a"><code>1a56dcf</code></a> Bump golangci/golangci-lint-action from 4 to 5 (<a href="https://redirect.github.com/golang-jwt/jwt/issues/387">#387</a>)</li> <li><a href="https://github.com/golang-jwt/jwt/commit/c8043eab61f0ec5bdd924c1c30caf164a9bb2c66"><code>c8043ea</code></a> build: add go1.22 to ci workflows (<a href="https://redirect.github.com/golang-jwt/jwt/issues/383">#383</a>)</li> <li><a href="https://github.com/golang-jwt/jwt/commit/7c3f6dc56316e5e222a9df9612ec04243189a989"><code>7c3f6dc</code></a> Update README.md (<a href="https://redirect.github.com/golang-jwt/jwt/issues/382">#382</a>)</li> <li>See full diff in <a href="https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.25.0 to 0.36.0. <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/golang/net/commit/85d1d54551b68719346cb9fec24b911da4e452a1"><code>85d1d54</code></a> go.mod: update golang.org/x dependencies</li> <li><a href="https://github.com/golang/net/commit/cde1dda944dcf6350753df966bb5bda87a544842"><code>cde1dda</code></a> proxy, http/httpproxy: do not mismatch IPv6 zone ids against hosts</li> <li><a href="https://github.com/golang/net/commit/fe7f0391aa994a401c82d829183c1efab7a64df4"><code>fe7f039</code></a> publicsuffix: spruce up code gen and speed up PublicSuffix</li> <li><a href="https://github.com/golang/net/commit/459513d1f8abff01b4854c93ff0bff7e87985a0a"><code>459513d</code></a> internal/http3: move more common stream processing to genericConn</li> <li><a href="https://github.com/golang/net/commit/aad0180cad195ab7bcd14347e7ab51bece53f61d"><code>aad0180</code></a> http2: fix flakiness from t.Log when GOOS=js</li> <li><a href="https://github.com/golang/net/commit/b73e5746f64471c22097f07593643a743e7cfb0f"><code>b73e574</code></a> http2: don't log expected errors from writing invalid trailers</li> <li><a href="https://github.com/golang/net/commit/5f45c776a9c4d415cbe67d6c22c06fd704f8c9f1"><code>5f45c77</code></a> internal/http3: make read-data tests usable for server handlers</li> <li><a href="https://github.com/golang/net/commit/43c2540165a4d1bc9a81e06a86eb1e22ece64145"><code>43c2540</code></a> http2, internal/httpcommon: reject userinfo in :authority</li> <li><a href="https://github.com/golang/net/commit/1d78a085008d9fedfe3f303591058325f99727d7"><code>1d78a08</code></a> http2, internal/httpcommon: factor out server header logic for h2/h3</li> <li><a href="https://github.com/golang/net/commit/0d7dc54a591c12b4bd03bcd745024178d03d9218"><code>0d7dc54</code></a> quic: add Conn.ConnectionState</li> <li>Additional commits viewable in <a 
href="https://github.com/golang/net/compare/v0.25.0...v0.36.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This change will prevent an invalid config directory from shutting down the auth server. To prevent spamming the logs we wait for the reloadInterval between each attempt to check the config dir. --------- Co-authored-by: Chris Stockton <[email protected]>
This change will allow moving code out of the api into smaller packages without creating cyclic dependencies. --------- Co-authored-by: Chris Stockton <[email protected]>
Propagate errors that occur when calling tx.UpdateOnly in internal/models/user.go:ConfirmPhone. Previously this line returned nil: https://github.com/supabase/auth/blob/097f01f39fa79d5e8e4e9c399a14e14405e3a142/internal/models/user.go#L471 Meaning that the next call to ClearAllOneTimeTokensForUser was run even when the confirmation token could not be updated. https://github.com/supabase/auth/blob/master/internal/models/one_time_token.go#L119 Co-authored-by: Chris Stockton <[email protected]>
Adds sign in with Solana (SIWS).

## Configuration

- `GOTRUE_EXTERNAL_WEB3_SOLANA_ENABLED` whether the Solana web3 provider is enabled or not
- `GOTRUE_EXTERNAL_WEB3_SOLANA_MAXIMUM_VALIDITY_DURATION` (default 10 minutes) how long after issue time the SIWS message is regarded as valid

## API

```
https://ref.supabase.co/auth/v1/token?grant_type=web3

{
  "chain": "solana",
  "message": "supabase.com wants to ...",
  "signature": "base64"
}
```
…tching (supabase#1974) Redirect URL was not being sanitized (query and fragment not being stripped) before being pattern matched on the allowed URL globs. This made it possible in some cases to produce an insecure redirect.
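As an added example (not the project's own code) of the fix this commit describes: the redirect URL is stripped of its query and fragment before it is matched against the allow-list globs, so nothing carried in the query or fragment can satisfy a pattern. The wildcard matcher below is a small stand-in for the glob library the project uses and is an assumption of this example.

```go
package main

import "net/url"

// sanitizeRedirectURL drops query and fragment; only scheme, host and path
// take part in allow-list matching.
func sanitizeRedirectURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	u.RawQuery, u.ForceQuery = "", false
	u.Fragment, u.RawFragment = "", ""
	return u.String(), nil
}

// globMatch is a small stand-in for the project's glob library (assumption:
// '*' matches any run of characters, '/' included).
func globMatch(pattern, s string) bool {
	pi, si, star, mark := 0, 0, -1, 0
	for si < len(s) {
		switch {
		case pi < len(pattern) && pattern[pi] == s[si]:
			pi, si = pi+1, si+1
		case pi < len(pattern) && pattern[pi] == '*':
			star, mark, pi = pi, si, pi+1
		case star >= 0: // backtrack: let the last '*' absorb one more byte
			pi, mark, si = star+1, mark+1, mark+1
		default:
			return false
		}
	}
	for pi < len(pattern) && pattern[pi] == '*' {
		pi++
	}
	return pi == len(pattern)
}

// isRedirectAllowed matches the sanitized URL, never the raw one, against
// the allow-list patterns.
func isRedirectAllowed(raw string, allowed []string) bool {
	clean, err := sanitizeRedirectURL(raw)
	if err != nil {
		return false
	}
	for _, p := range allowed {
		if globMatch(p, clean) {
			return true
		}
	}
	return false
}
```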
## What kind of change does this PR introduce?

Feature that gives a configuration option to block an email address event if the MX server of the domain is on a blocklist

## What is the current behavior?

Existing behavior only checks for syntax issues and single email addresses against a message stream.

## What is the new behavior?

This is called on every sent email event: the MX server of the email address's domain is queried and checked against a hard-coded blocklist.

## Additional context

Functionality to allow for the long term blocking of bot and spam behavior. Resolves SEC-245
Found nothing vulnerable in actions, just tightening up the permissions across all our publicly facing repos. Not clear why pull_request_target is being used. Ready to revert if needed
…ied emails Updated the ResourceOwnerPasswordGrant function to check if email sign-ins are allowed for unverified users based on the Mailer configuration. This ensures that only confirmed users can sign in with their email if the configuration disallows unverified email sign-ins.
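An added example, not supabase/auth's own code, of the gate this PR adds to ResourceOwnerPasswordGrant: a password sign-in by email is refused while the user's email is unconfirmed unless the Mailer configuration allows unverified email sign-ins. `MailerConfig`, `User`, `passwordGrant` and the error values are assumptions modelled on the commit message.

```go
package main

import (
	"errors"
	"time"
)

// MailerConfig and User are assumptions standing in for the project's
// configuration and user model; only the fields this check needs are kept.
type MailerConfig struct {
	AllowUnverifiedEmailSignIns bool
}

type User struct {
	Email            string
	EmailConfirmedAt *time.Time
}

var (
	ErrInvalidCredentials = errors.New("invalid login credentials")
	ErrEmailNotConfirmed  = errors.New("email not confirmed")
)

// emailSignInAllowed is the gate itself: an account whose email was never
// confirmed may sign in only when the mailer configuration permits it.
func emailSignInAllowed(cfg MailerConfig, u *User) error {
	if u.EmailConfirmedAt == nil && !cfg.AllowUnverifiedEmailSignIns {
		return ErrEmailNotConfirmed
	}
	return nil
}

// passwordGrant is the email branch of a password grant: look the user up,
// verify the password, then apply the gate. verify is the caller's password
// check (bcrypt in a real server). In this example the gate runs only after
// the password is verified, so an unconfirmed-but-existing account is not
// revealed to a caller who does not hold the password.
func passwordGrant(cfg MailerConfig, users map[string]*User, email, password string,
	verify func(*User, string) bool) (*User, error) {
	u, ok := users[email]
	if !ok || !verify(u, password) {
		return nil, ErrInvalidCredentials
	}
	if err := emailSignInAllowed(cfg, u); err != nil {
		return nil, err
	}
	return u, nil
}
```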
⛔ Snyk checks have failed. 2 issues have been found so far.
⛔ code/snyk check is complete. 2 issues have been found.
```go
const (
	DefaultMFAHookRejectionMessage = "Further MFA verification attempts will be rejected."
	DefaultPasswordHookRejectionMessage = "Further password verification attempts will be rejected."
```
Use of Hardcoded Credentials

Do not hardcode passwords in code. Found hardcoded saved in `DefaultPasswordHookRejectionMessage`.

Line 219 | CWE-798 | CWE-259 | Priority score 512

Data flow: 2 steps (Step 1 - 2), auth/internal/hooks/auth_hooks.go, line 219 in 696f5dc:

```go
DefaultPasswordHookRejectionMessage = "Further password verification attempts will be rejected."
```
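Review bot: The constant flagged at line 219, `DefaultPasswordHookRejectionMessage`, holds a user-facing rejection message ("Further password verification attempts will be rejected."), not a secret, so the CWE-798/CWE-259 finding appears to be keyed on the word "password" in the identifier and value and should be triaged as a false positive in Snyk rather than answered with a code change. Nothing in the visible `const` block is a credential; if the message text ever needs to vary per deployment it can be moved to configuration, but that is a product choice, not a security fix.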
```js
];

const object = process.argv[2];
const payload = JSON.parse(fs.readFileSync(process.argv[3], "utf-8"));
```
Path Traversal

Unsanitized input from a command line argument flows into `fs.readFileSync`, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

Line 20 | CWE-23 | Priority score 512

Data flow: 5 steps (Step 1 - 5):

```js
const payload = JSON.parse(fs.readFileSync(process.argv[3], "utf-8"));
```
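Review bot: `fs.readFileSync(process.argv[3], "utf-8")` at line 20 reads a path that the operator passes on the command line alongside `process.argv[2]`, so the path-traversal finding describes the script's intended input rather than data from an untrusted caller; it only becomes a real exposure if the script is ever invoked with arguments from an untrusted source. If that cannot be ruled out, resolve the argument with `path.resolve` and refuse it unless it stays under the directory the script expects before calling `readFileSync`; otherwise add a short comment next to the call stating why the argument is trusted so the finding can be closed with a recorded reason.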
Introduced a new field `PhoneConfirmationSentAt` in the User model to track when a phone confirmation was sent. Updated the API to utilize this new field for sending phone confirmations, ensuring accurate timestamps are recorded for phone-related actions.
Hi there! Please try to clean up this PR before we are able to see it.