Tags: supabase/auth
chore(master): release 2.176.1 (#2054)

🤖 I have created a release *beep* *boop*

---

## [2.176.1](v2.176.0...v2.176.1) (2025-06-11)

### Bug Fixes

* new `odic.Provider` for apple with insecure issuer url context ([#2055](#2055)) ([23d69f1](23d69f1))
* skip apple oidc issuer check ([#2053](#2053)) ([1c6f18e](1c6f18e))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

chore(master): release 2.176.0 (#2045)

🤖 I have created a release *beep* *boop*

---

## [2.176.0](v2.175.0...v2.176.0) (2025-06-11)

### Features

* Add custom claims from Keycloak user token ([#1917](#1917)) ([1365aaa](1365aaa))

### Bug Fixes

* accept ID tokens from all `account.apple.com` and `appleid.apple.com` ([#2050](#2050)) ([82aa167](82aa167))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

fix: new `odic.Provider` for apple with insecure issuer url context (#2055)

Apple's ID tokens sometimes say `https://appleid.apple.com` but the well-known URL returns that the issuer should be `https://account.apple.com`.

chore(master): release 2.175.0 (#2043)

🤖 I have created a release *beep* *boop*

---

## [2.175.0](v2.174.0...v2.175.0) (2025-06-03)

### Features

* hooks round 5 (Option 2) - add before-user-created hook ([#2034](#2034)) ([b53f6b0](b53f6b0))

### Bug Fixes

* email-sendhook - bug in email change verification ([#2044](#2044)) ([be20654](be20654))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

feat: Add custom claims from Keycloak user token (#1917)

## What kind of change does this PR introduce?

This change will populate the `CustomClaims` field from the `Claims` struct with 'other' claims from the Keycloak user token.

## What is the current behavior?

Currently only `Name`, `Sub`, `Email`, and `EmailVerified` are taken from the Keycloak user token.

## What is the new behavior?

The "custom_claims" field in the retrieved JWT is populated.

## Additional context

* https://github.com/orgs/supabase/discussions/18909

fix: email-sendhook - bug in email change verification (#2044)

This change sets EmailData.Token to the new OTP when the secure email change setting is set to true.

This should fix: #1744 #2042

Note: I am fixing this bug in a way that is consistent with what I view to be the current bug. I believe for email changes token_new and token_hash_new should always contain the values for the user's new_email field. This should be fixed in the future in a way that doesn't break BC.

---------

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>

feat: hooks round 5 (Option 2) - add before-user-created hook (#2034)

## Hooks Round 5 - Option 2

This PR contains Option 1 for implementing the `before-user-created` hook. See #2032 for option 1.

### Summary

This commit explores one possible implementation of this hook by:

- Adding a `triggerBeforeUserCreated` method to the `*API` object in `internal/api/hooks.go`
- Adding a `triggerBeforeUserCreatedExternal` method to the `*API` object in `internal/api/hooks.go`
- Updating callers of `signupNewUser` to first call `triggerBeforeUserCreated` in:
  - internal/api/anonymous.go
  - internal/api/external.go
  - internal/api/invite.go
  - internal/api/mail.go
  - internal/api/signup.go
- Updating callers of `signupNewUser` to first call `triggerBeforeUserCreatedExternal` in:
  - internal/api/external.go
  - internal/api/samlacs.go
  - internal/api/token_oidc.go
  - internal/api/web3.go
- Add end to end tests in `internal/api/e2e_test.go`

This has the benefit of being outside the transaction, but is a bit more complex. I make a best-effort to ensure I only trigger before-user-created when the user doesn't exist, but being outside the transaction there is a small chance for duplicate calls or calls that happen when a user already has been created. The main thought here is that we can document this behavior and the tradeoff is worth the benefits.

### Depends on

[feat: hooks round 1](#2023) - prepare package structure

* renamed pkg `internal/hooks/v0hooks/v0http` -> `internal/hooks/hookshttp` [8a398ab](8a398ab)
* renamed pkg `internal/hooks/v0hooks/v0pgfunc` -> `internal/hooks/hookspgfunc` [8a398ab](8a398ab)
* use pkg `internal/e2e` for test setup in:
  * pkg `internal/hooks/hookspgfunc` [4d60288](4d60288)
  * pkg `internal/hooks/v0hooks` [4a7432b](4a7432b)

[feat: hooks round 2](#2025) - remove indirection and simplify error handling

* update pkg `internal/api` to:
  * uses `internal/hooks/v0hooks.Manager` instead of `internal/hooks/hooks.Manager` [aec5995](aec5995)
* remove pkg `internal/hooks/hooks.Manager` [062da5d](062da5d)
* add pkg `internal/hooks/hookserrors` [7e80afc](7e80afc)
* use pkg `internal/hooks/hookserrors` in `internal/hooks/v0hooks` [57744e8](57744e8)
* update pkg `internal/hooks/v0hooks` with an `Enabled` method [16cc4c9](16cc4c9)

[feat: hooks round 3](#2028) - begin adding the Before and After user created hooks

* update pkg `internal/conf` [d5f5436](d5f5436)
  * add `BeforeUserCreated` and `AfterUserCreated` to `HookConfiguration` struct
  * add test cases for `EmailValidationBlockedMX` to restore 100% test coverage
* update pkg `internal/hooks/v0hooks` [bd37fe2](bd37fe2)
  * add `BeforeUserCreated` method to `v0hooks.Manager` struct
  * add `AfterUserCreated` method to `v0hooks.Manager` struct
  * add tests to reach 100% coverage
* add pkg `internal/e2e/e2ehooks` [903e623](903e623)
  * add `HookCall` to record calls to hooks
  * add `Hook` struct to hold `[]*HookCall` for a given hook name
  * add `HookRecorder` to hold one `Hook` object per hook name
  * add `Instance` struct to hold the `httptest.Server` and `HookRecorder`
  * add `AfterUserCreated` method to `v0hooks.Manager` struct
  * add tests to reach 100% coverage in all `internal/e2e` packages
* update pkg `internal/hooks/v0hooks` [829aec6](829aec6)
  * fix struct and json tag to match the Metadata type
* update pkg `internal/hooks/v0hooks` [ca67be0](ca67be0)
  * remove `BeforeUserCreated` and `AfterUserCreated` methods
  * add Before & After user created hooks in `InvokeHook`
* update pkg `internal/e2e/e2eapi` [46c144e](46c144e)
  * add comments in IOError tests involving `http.RoundTripper`
  * update calls to `t.Fatal` to use `require`

[feat: hooks round 4](#2030) - update tests to use require package

* use pkg `require` for tests in: [f2b3600](f2b3600)
  * pkg `internal/e2e/...`
  * pkg `internal/hooks/...`

---------

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>