Comparing changes
base repository: supabase/auth
base: v2.185.0
head repository: supabase/auth
compare: v2.186.0
- 16 commits
- 97 files changed
- 10 contributors
Commits on Jan 13, 2026
- 1a1545b chore: disable template pre-fetching (#2327)
  Disable the template pre-fetching at startup.
  Co-authored-by: Chris Stockton <[email protected]>
Commits on Jan 16, 2026
- 645654d feat: replace JWT OAuth state with `flow_state.id` UUID (#2331)
  - Migrate OAuth state parameter from JWT to UUID (`flow_state.id`)
  - Add OAuth context fields to flow_state table (invite_token, referrer, oauth_client_state_id, linking_target_id, email_optional)
  - Make PKCE fields nullable to support implicit flow
  - Always create flow_state record for all OAuth flows, not just PKCE
  - Add IsPKCE() method to distinguish PKCE vs implicit flows
  - Backward compatible: callback still accepts legacy JWT state format
  - Update all external provider tests to verify UUID state format
  In a follow-up release, the legacy JWT state support will be removed, ensuring there are no breaking changes.
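The callback-side dispatch that commit 645654d describes, as an added example written for this page and not code from supabase/auth: a state that is a UUID is treated as an opaque key into the flow_state table (an in-memory map here) and needs no cryptographic check, while a state in the legacy format is still accepted but must pass signature and expiry verification before its claims are trusted. `FlowState`, the store, the claim names, and the assumption that the legacy state is an HS256 JWT signed with a server secret are all hypothetical; the real column set and signing details are not shown on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Editor's example, not supabase/auth code. Types, claim names and the HS256
// legacy-state assumption are hypothetical.

type FlowState struct {
	ID            string
	ProviderType  string
	CodeChallenge *string // nullable: nil means the implicit flow
	Referrer      string
}

// IsPKCE distinguishes PKCE from implicit flows via the nullable challenge.
func (f *FlowState) IsPKCE() bool { return f.CodeChallenge != nil && *f.CodeChallenge != "" }

type flowStateStore map[string]*FlowState // stands in for the flow_state table

var (
	uuidRe          = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
	ErrInvalidState = errors.New("invalid or expired oauth state")
)

// legacyStateClaims are the assumed claims of the old JWT-format state.
type legacyStateClaims struct {
	Provider string `json:"provider"`
	Referrer string `json:"referrer,omitempty"`
	Exp      int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signLegacyStateJWT mints an old-format state. It exists only to construct
// sample input; a callback handler never signs state.
func signLegacyStateJWT(c legacyStateClaims, secret []byte) string {
	payload, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// verifyLegacyStateJWT pins the algorithm, checks the HMAC in constant time
// and rejects expired tokens before any claim is read.
func verifyLegacyStateJWT(token string, secret []byte, now int64) (*legacyStateClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a JWT")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg") // the token never picks how it is verified
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var c legacyStateClaims
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Exp != 0 && c.Exp <= now {
		return nil, errors.New("expired")
	}
	return &c, nil
}

// resolveState maps the callback's state parameter to its flow context.
// A UUID state is only valid if the row exists; nothing about it is trusted.
func resolveState(store flowStateStore, state string, legacySecret []byte, now int64) (*FlowState, error) {
	if uuidRe.MatchString(state) {
		if fs, ok := store[state]; ok {
			return fs, nil
		}
		return nil, ErrInvalidState
	}
	c, err := verifyLegacyStateJWT(state, legacySecret, now)
	if err != nil {
		return nil, ErrInvalidState
	}
	// In this simplified model a legacy state resolves as an implicit flow.
	return &FlowState{ProviderType: c.Provider, Referrer: c.Referrer}, nil
}

func main() {
	fs, err := resolveState(flowStateStore{}, "not-a-uuid-and-not-a-jwt", []byte("secret"), 0)
	fmt.Println(fs, err)
}
```

The UUID branch is what makes the new design simpler to reason about: the state carries no claims, so there is nothing to tamper with and nothing to forget to verify, and the database row bounds what the state can mean. The legacy branch shows what still has to be right for as long as the old format is accepted.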
Commits on Jan 19, 2026
- 94d6777
- c43eacf
- 2d3dbc6 feat: add Supabase Auth identifier to OAuth redirect URLs (#2299)
  ## Summary
  Adds a Supabase Auth identifier (`sb`) to URL fragments in all OAuth redirect responses to help clients distinguish Supabase Auth redirects from third-party OAuth flows.
  ## Problem
  auth-js GoTrueClient currently intercepts all URL fragments containing `access_token`, including those from non-Supabase OAuth providers. This causes unintended logouts and authentication issues when users have other OAuth flows in their applications.
  Related issue: supabase/supabase-js#1697
  ## Solution
  Added an empty `sb` parameter to the URL fragment in all redirect responses:
  - Success redirects with tokens (via `AsRedirectURL`)
  - Error redirects in OAuth callbacks ([supabase-js has](https://github.com/supabase/supabase-js/blob/a66387e9923255160031a1c55545cf7ab27b3aaf/packages/core/auth-js/src/lib/errors.ts#L14-L38) a `__isAuthError`, but adding it for error to be fault-tolerant, and non-supabase-sdk cases)
  - Error redirects in verification flows
  - Message redirects in verification flows
  Example redirect URL: `https://example.com/callback#access_token=xxx&refresh_token=yyy&expires_in=3600&sb`
  Clients can now check for the presence of `sb` in the fragment to confirm the redirect originated from Supabase Auth.
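Both halves of the mechanism in commit 2d3dbc6, as an added example that is not code from supabase/auth or auth-js: the server side appends the value-less `sb` key to the fragment of the redirect URL, and the client side parses the fragment and only treats it as a Supabase Auth redirect when that key is present. The parameter names follow the example URL in the commit message; `buildRedirectURL` and `isSupabaseAuthRedirect` are names chosen for this example and do not mirror the project's `AsRedirectURL`.

```go
package main

import (
	"fmt"
	"net/url"
)

// Editor's example, not supabase/auth code. Function names are hypothetical.

// buildRedirectURL puts the token parameters plus the empty "sb" marker into
// the fragment of redirectTo, leaving its path and query string untouched.
func buildRedirectURL(redirectTo string, params map[string]string) (string, error) {
	u, err := url.Parse(redirectTo)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	for k, v := range params {
		q.Set(k, v)
	}
	frag := q.Encode() // sorted by key, so the output is deterministic
	if frag != "" {
		frag += "&"
	}
	// "sb" carries no value: clients test for presence, not content.
	u.Fragment = frag + "sb"
	return u.String(), nil
}

// fragmentParams parses a fragment with the same rules as a query string; a
// bare key such as "sb" parses as that key with an empty value.
func fragmentParams(rawURL string) (url.Values, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	return url.ParseQuery(u.Fragment)
}

// isSupabaseAuthRedirect is the client-side check: a fragment that carries
// access_token but no "sb" belongs to some other provider's flow and must be
// left alone rather than consumed as a Supabase session.
func isSupabaseAuthRedirect(rawURL string) bool {
	v, err := fragmentParams(rawURL)
	if err != nil {
		return false
	}
	return v.Has("sb")
}

func main() {
	u, err := buildRedirectURL("https://example.com/callback", map[string]string{
		"access_token": "xxx", "refresh_token": "yyy", "expires_in": "3600",
	})
	fmt.Println(u, err, isSupabaseAuthRedirect(u))
}
```

Note that `sb` is a disambiguator, not an authenticator: any page can put `#sb` in a URL, so the client still has to validate the tokens it receives in the usual way. The marker only prevents the SDK from reacting to fragments that were never meant for it.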
Commits on Jan 21, 2026
- bcd6cd5 feat(oauth-server): store and enforce token_endpoint_auth_method (#2300)
  ## Problem
  I noticed there was a TODO for storing the `token_endpoint_auth_method` value. While integrating with Claude.ai's OAuth flow, we discovered that returning `client_secret_basic` for all clients (regardless of their actual registration) was breaking the authentication flow. Claude.ai strictly validates the auth method returned during client registration, so it was critical for us to return the correct value.
  Per [RFC 7591 Section 2](https://datatracker.ietf.org/doc/html/rfc7591#section-2):
  > If unspecified or omitted, the default is "client_secret_basic"
  For public clients, the default is `none` since they don't have a client secret.
  ## Solution
  Added proper storage and enforcement of `token_endpoint_auth_method`:
  ### Database Changes
  - Added `token_endpoint_auth_method` TEXT column (NOT NULL) to `oauth_clients` table
  - Migration sets default values for existing clients based on their `client_type`:
    - `confidential` → `client_secret_basic`
    - `public` → `none`
  ### Behavior
  - New clients get `token_endpoint_auth_method` persisted during registration
  - Token endpoint validates that the authentication method used matches the registered method
  - Returns the correct `token_endpoint_auth_method` in client registration responses
  Signed-off-by: Pierre Dulac <[email protected]>
  Co-authored-by: Cemal Kılıç <[email protected]>
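The two rules from commit bcd6cd5 in working form, as an added example and not the project's implementation: defaulting `token_endpoint_auth_method` at registration per RFC 7591 (`client_secret_basic` for confidential clients, `none` for public ones) and, at the token endpoint, classifying how the request actually authenticated and refusing it when that differs from the registered method. The function names, the `client_type` strings and the sample requests are assumptions; the rule that a single request must not use more than one client authentication method is from RFC 6749 section 2.3.1.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Editor's example, not supabase/auth code. Names and request shapes are
// hypothetical; only the RFC 7591 / RFC 6749 rules are normative.

const (
	AuthMethodBasic = "client_secret_basic"
	AuthMethodPost  = "client_secret_post"
	AuthMethodNone  = "none"
)

var ErrAuthMethodMismatch = errors.New("client authenticated with a method other than its registered token_endpoint_auth_method")

// resolveAuthMethod applies the registration defaults and rejects requests
// for methods a client of that type cannot honour (a public client has no
// secret, so it may only register "none").
func resolveAuthMethod(clientType, requested string) (string, error) {
	switch clientType {
	case "confidential":
		if requested == "" {
			return AuthMethodBasic, nil // RFC 7591 §2 default
		}
		if requested == AuthMethodBasic || requested == AuthMethodPost {
			return requested, nil
		}
	case "public":
		if requested == "" || requested == AuthMethodNone {
			return AuthMethodNone, nil
		}
	default:
		return "", fmt.Errorf("unknown client_type %q", clientType)
	}
	return "", fmt.Errorf("token_endpoint_auth_method %q not allowed for %s clients", requested, clientType)
}

// presentedAuthMethod classifies how a token request authenticated. Presenting
// the secret in both the header and the body is an error (RFC 6749 §2.3.1).
func presentedAuthMethod(r *http.Request) (string, error) {
	_, _, hasBasic := r.BasicAuth()
	if err := r.ParseForm(); err != nil {
		return "", err
	}
	hasPost := r.PostForm.Get("client_secret") != ""
	switch {
	case hasBasic && hasPost:
		return "", errors.New("client_secret supplied in both Authorization header and body")
	case hasBasic:
		return AuthMethodBasic, nil
	case hasPost:
		return AuthMethodPost, nil
	default:
		return AuthMethodNone, nil
	}
}

// enforceAuthMethod is the token-endpoint check: the method used must equal
// the one persisted for the client at registration, in both directions. A
// registered-confidential client sending no credentials is rejected just as a
// public client suddenly presenting a secret is.
func enforceAuthMethod(registered string, r *http.Request) error {
	used, err := presentedAuthMethod(r)
	if err != nil {
		return err
	}
	if used != registered {
		return ErrAuthMethodMismatch
	}
	return nil
}

// newTokenRequest builds a constructed token request for demonstration.
func newTokenRequest(basicSecret, postSecret string) *http.Request {
	form := "grant_type=authorization_code&code=abc&client_id=c1"
	if postSecret != "" {
		form += "&client_secret=" + postSecret
	}
	r := httptest.NewRequest(http.MethodPost, "/oauth/token", strings.NewReader(form))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if basicSecret != "" {
		r.SetBasicAuth("c1", basicSecret)
	}
	return r
}

func main() {
	m, _ := resolveAuthMethod("confidential", "")
	fmt.Println(m, enforceAuthMethod(m, newTokenRequest("s3cret", "")))
}
```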
- 61ef4db fix: update migration version (#2343)
  ## Summary
  This migration was added in #2300, however we couldn't merge in time. Now updating the migration version (hence filename) to prevent any possible issues.
Commits on Jan 22, 2026
- a486ada feat: log sb-auth-user-id, sb-auth-session-id, ... on sign in not jus…
Commits on Jan 23, 2026
- 0096575 feat: Add email send operation metrics (#2311)
  ## What kind of change does this PR introduce?
  This PR adds two new metrics, `gotrue_email_send_operations_counter_total` and `gotrue_email_send_errors_counter_total`, for tracking email send operations and errors respectively. The purpose of these metrics is to track email delivery independently of the various API handlers that may send email within Auth.
  ## What is the current behavior?
  Users who want to track email sending operations in Auth must use indirect metrics like HTTP status codes to determine whether an email was successfully sent.
  ## What is the new behavior?
  The `gotrue_email_send_operations_counter_total` counter will increment each time Auth attempts to send an email after performing validation and checking rate limits. The `gotrue_email_send_errors_counter_total` counter will increment each time an email send attempt fails.
Commits on Jan 27, 2026
- 088b714 fix: reloader unittest races on writeWg (#2352)
  It's possible for `writerWg.Add(1)` to race with the `notifyFn` passed in `eg.Go`'s call to `pr.watch`. Simple fix is incrementing after writeWg is initialized.
  Co-authored-by: Chris Stockton <[email protected]>
- 1dfd6a3 Upgrade GitHub Actions for Node 24 compatibility (#2345)
  ## Summary
  Upgrade GitHub Actions to their latest versions to ensure compatibility with Node 24, as Node 20 will reach end-of-life in April 2026.
  ## Changes

  | Action | Old Version(s) | New Version | Release | Files |
  |--------|---------------|-------------|---------|-------|
  | `actions/checkout` | [`v4`](https://github.com/actions/checkout/releases/tag/v4) | [`v6`](https://github.com/actions/checkout/releases/tag/v6) | [Release](https://github.com/actions/checkout/releases/tag/v6) | conventional-commits.yml, dogfooding.yml, publish.yml, release.yml, test.yml |
  | `actions/setup-go` | [`v5`](https://github.com/actions/setup-go/releases/tag/v5) | [`v6`](https://github.com/actions/setup-go/releases/tag/v6) | [Release](https://github.com/actions/setup-go/releases/tag/v6) | release.yml, test.yml |

  ## Context
  Per [GitHub's announcement](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/), Node 20 is being deprecated and runners will begin using Node 24 by default starting March 4th, 2026.
  ### Why this matters
  - **Node 20 EOL**: April 2026
  - **Node 24 default**: March 4th, 2026
  - **Action**: Update to latest action versions that support Node 24
  ### Security Note
  Actions that were previously pinned to commit SHAs remain pinned to SHAs (updated to the latest release SHA) to maintain the security benefits of immutable references.
  ### Testing
  These changes only affect CI/CD workflow configurations and should not impact application functionality. The workflows should be tested by running them on a branch before merging.
  Signed-off-by: Salman Muin Kayser Chishti <[email protected]>
- e4a8817 Upgrade GitHub Actions to latest versions (#2346)
  ## Summary
  Upgrade GitHub Actions to their latest versions for improved features, bug fixes, and security updates.
  ## Changes

  | Action | Old Version(s) | New Version | Release | Files |
  |--------|---------------|-------------|---------|-------|
  | `aws-actions/configure-aws-credentials` | [`v1`](https://github.com/aws-actions/configure-aws-credentials/releases/tag/v1), [`v4.1.0`](https://github.com/aws-actions/configure-aws-credentials/releases/tag/v4.1.0) | [`v5.1.1`](https://github.com/aws-actions/configure-aws-credentials/releases/tag/v5.1.1) | [Release](https://github.com/aws-actions/configure-aws-credentials/releases/tag/v5) | publish.yml, release.yml |
  | `docker/build-push-action` | [`v3`](https://github.com/docker/build-push-action/releases/tag/v3) | [`v6`](https://github.com/docker/build-push-action/releases/tag/v6) | [Release](https://github.com/docker/build-push-action/releases/tag/v6) | publish.yml |
  | `docker/login-action` | [`v2`](https://github.com/docker/login-action/releases/tag/v2) | [`v3`](https://github.com/docker/login-action/releases/tag/v3) | [Release](https://github.com/docker/login-action/releases/tag/v3) | publish.yml |
  | `docker/metadata-action` | [`v4`](https://github.com/docker/metadata-action/releases/tag/v4) | [`v5`](https://github.com/docker/metadata-action/releases/tag/v5) | [Release](https://github.com/docker/metadata-action/releases/tag/v5) | publish.yml |
  | `docker/setup-buildx-action` | [`v2`](https://github.com/docker/setup-buildx-action/releases/tag/v2) | [`v3`](https://github.com/docker/setup-buildx-action/releases/tag/v3) | [Release](https://github.com/docker/setup-buildx-action/releases/tag/v3) | publish.yml |
  | `docker/setup-qemu-action` | [`v2`](https://github.com/docker/setup-qemu-action/releases/tag/v2) | [`v3`](https://github.com/docker/setup-qemu-action/releases/tag/v3) | [Release](https://github.com/docker/setup-qemu-action/releases/tag/v3) | publish.yml |

  ## Why upgrade?
  Keeping GitHub Actions up to date ensures:
  - **Security**: Latest security patches and fixes
  - **Features**: Access to new functionality and improvements
  - **Compatibility**: Better support for current GitHub features
  - **Performance**: Optimizations and efficiency improvements
  ### Security Note
  Actions that were previously pinned to commit SHAs remain pinned to SHAs (updated to the latest release SHA) to maintain the security benefits of immutable references.
  ### Testing
  These changes only affect CI/CD workflow configurations and should not impact application functionality. The workflows should be tested by running them on a branch before merging.
  Signed-off-by: Salman Muin Kayser Chishti <[email protected]>
- 1ae3a3d chore: Clean up IP address tracking (#2341)
  ## What kind of change does this PR introduce?
  This PR cleans up various issues and inconsistencies in IP address tracking in Auth, including:
  * Fixing middleware ordering so request logs respect `Sb-Forwarded-For` as the canonical IP address source if the user enables it
  * Replacing all usage of request `RemoteAddr` values with `utilities.GetIPAddress` calls
  ## What is the current behavior?
  Request logs do not show the correct IP address when passing the `Sb-Forwarded-For` header with `SbForwardedForEnabled` set to true. Similarly, audit logs only show the value of the request's `RemoteAddr` struct field, which is populated by the `github.com/sebest/xff` middleware.
  ## What is the new behavior?
  IP address tracking should be consistent across all Auth code paths.
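The consistency rule behind commit 1ae3a3d, as an added example and not the project's `utilities.GetIPAddress`: decide the client address once, from a single source (`Sb-Forwarded-For` only when the operator has enabled it, otherwise `RemoteAddr`), before any middleware that logs, audits or rate-limits runs, and have all of them read that one value. The context key, the helper names, the first-entry parsing of the header and the constructed requests are assumptions made for this example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Editor's example, not supabase/auth code. Helper names, the context key
// and the header-parsing details are hypothetical.

type ipKey struct{}

// clientIP returns the address to record for r. Sb-Forwarded-For is honoured
// only when enabled: any client can send the header, so trusting it by default
// would let callers choose the address that ends up in audit logs and
// rate-limit buckets.
func clientIP(r *http.Request, sbForwardedForEnabled bool) string {
	if sbForwardedForEnabled {
		if v := r.Header.Get("Sb-Forwarded-For"); v != "" {
			// Take the first entry and validate it so that arbitrary text
			// never reaches the logs.
			first := strings.TrimSpace(strings.Split(v, ",")[0])
			if ip := net.ParseIP(first); ip != nil {
				return ip.String()
			}
		}
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr // already host-only, e.g. rewritten by an upstream middleware
	}
	return host
}

// withClientIP runs ahead of logging, audit and rate-limit middleware so they
// all observe the same value through ipFromContext.
func withClientIP(enabled bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := context.WithValue(r.Context(), ipKey{}, clientIP(r, enabled))
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

func ipFromContext(ctx context.Context) string {
	ip, _ := ctx.Value(ipKey{}).(string)
	return ip
}

// recordedIP drives the chain with a constructed request and returns what a
// downstream request logger or audit writer would record.
func recordedIP(enabled bool, remoteAddr, sbForwardedFor string) string {
	var seen string
	h := withClientIP(enabled, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = ipFromContext(r.Context())
	}))
	req := httptest.NewRequest(http.MethodGet, "/user", nil)
	req.RemoteAddr = remoteAddr
	if sbForwardedFor != "" {
		req.Header.Set("Sb-Forwarded-For", sbForwardedFor)
	}
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	fmt.Println(recordedIP(false, "10.0.0.5:4321", "203.0.113.7"))
	fmt.Println(recordedIP(true, "10.0.0.5:4321", "203.0.113.7"))
}
```

The middleware-ordering point from the commit is what `withClientIP` encodes: if the request logger sits before the code that interprets `Sb-Forwarded-For`, it records the proxy's address while the audit log records the forwarded one, and the two can never be correlated.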
Commits on Jan 28, 2026
- 6fb0e8a feat: upgrade existing sessions to v2 refresh tokens through config value (#2356)
  If the refresh token algorithm version is set to 2, only new sessions would be using these. By setting `GOTRUE_SECURITY_REFRESH_TOKEN_UPGRADE_PERCENTAGE` to a value between 0 and 100 inclusive, on the next refresh token request a session using a v1 refresh token will switch to using a v2 refresh token. The percentage is to allow for gradual rollout, as the upgrade step can result in some concurrent refreshes terminating the session early.
- 0e384b8 chore: Add http_route label to HTTP server metrics (#2330)
  ## What kind of change does this PR introduce?
  This PR adds the `http_route` label to standard HTTP server metrics collected by the otelhttp package. This enables users to collect HTTP metrics per route. Because `WithMetricAttributesFn` is only available in newer versions of otelhttp, this commit also upgrades the otelhttp package to v0.63.0. As a result, HTTP request metrics now use the newer `http_server_request_` naming convention rather than just `http_server_`.
  ## What is the current behavior?
  Currently, the `http_server_duration_milliseconds_bucket` metric does not include HTTP route labels. This means HTTP duration metrics are heavily skewed towards fast, frequently accessed API routes such as /user.
  ## What is the new behavior?
  There are two changes introduced in this PR:
  * The `http_server_duration_milliseconds_bucket` metric is renamed to `http_server_request_duration_seconds_bucket`
  * The `http_server_request_duration_seconds_bucket` metric has an additional label, `http_route`, that matches the `http_route` label in the `http_status_codes_total` metric
- effd662 chore(master): release 2.186.0 (#2337)
  🤖 I have created a release *beep* *boop*
  ## 2.186.0 (v2.185.0...v2.186.0) (2026-01-28)
  ### Features
  * Add email send operation metrics (#2311) (0096575)
  * add Supabase Auth identifier to OAuth redirect URLs (#2299) (2d3dbc6)
  * log sb-auth-user-id, sb-auth-session-id, ... on sign in not just refresh token (#2342) (a486ada)
  * **oauth-server:** store and enforce token_endpoint_auth_method (#2300) (bcd6cd5)
  * replace JWT OAuth state with `flow_state.id` UUID (#2331) (645654d)
  * upgrade existing sessions to v2 refresh tokens through config value (#2356) (6fb0e8a)
  ### Bug Fixes
  * reloader unittest races on writeWg (#2352) (088b714)
  * update migration version (#2343) (61ef4db)
  This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
  Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>
The full file diff is not rendered on this page. To see the comparison locally:
git diff v2.185.0...v2.186.0