Comparing changes

Fixes assertions for concurrent index worker test which led to them being flakey

Adds constructors for all hook input types: * MFAVerificationAttemptInput * PasswordVerificationAttemptInput * CustomAccessTokenInput * SendSMSInput, * SendEmailInput To consistently populate metadata fields: * `name` - Hook Name * `uuid` - Request UUID * `time` - Request Time * `ip_address` Request IP Address This improves observability and security auditing by guaranteeing that all hook invocations include request metadata. It also enables new use cases by passing the request IP address. For example more advanced methods for rate limiting login or MFA attempts may now be implemented. Co-authored-by: Chris Stockton <[email protected]>

With `v2.186.0`, we introduced an opaque state to migrate away from the JWT-based state parameter. This PR removes the graceful fallback to the JWT-based state as the UUID state handling should be available to all projects.

…st (#2371) In #2356 a session would be upgraded to v2 refresh tokens based on the number of requests for that session. If you set a percentage value of 10% and there's 100 refresh token requests per session, all sessions would be upgraded within 1 day. This is rectified here by converting the session ID to a value in the `[0, 100)` range making sure that a random selection of sessions would be upgraded consistently.

…#2373) Added missing verification type options to the API documentation: - POST /verify: add magiclink, email_change, sms, phone_change types - GET /verify: add email_change type - POST /admin/generate_link: add email_change_current, email_change_new types All type options verified against actual source code in verify.go, mail.go, and mailer.go. Closes #1710 ## What kind of change does this PR introduce? Bug fix, feature, docs update, ...

## What kind of change does this PR introduce? feature - allows requiring current password when changing the password ## What is the new behavior? Adds config flag `update_password_require_current_password` When set, the currentPassword must be sent in the user update request.

Exclude G117 (secret field names) and G704 (SSRF) globally in Makefile, and add #nosec annotations for G115, G602, G705, G706.

Adds max users threshold config value to allow for a managed rollout.

This adds the 4 gauges seen below: ``` # HELP global_auth_version_major Set to this auth servers major version number. # TYPE global_auth_version_major gauge global_auth_version_major{otel_scope_name="gotrue",otel_scope_version=""} 2 # HELP global_auth_version_minor Set to this auth servers minor version number. # TYPE global_auth_version_minor gauge global_auth_version_minor{otel_scope_name="gotrue",otel_scope_version=""} 187 # HELP global_auth_version_patch Set to this auth servers patch version number. # TYPE global_auth_version_patch gauge global_auth_version_patch{otel_scope_name="gotrue",otel_scope_version=""} 0 # HELP global_auth_version_rc Set to this auth servers rc version number. # TYPE global_auth_version_rc gauge global_auth_version_rc{otel_scope_name="gotrue",otel_scope_version=""} 5 ``` --------- Co-authored-by: Chris Stockton <[email protected]>

Improves error messages and adds some unit tests to bring code coverage to 100%. Co-authored-by: Chris Stockton <[email protected]>

Package `hookerrors` was meant to introduce consistent error handling across `hookshttp` and `hookspgfunc`. However it was not being used within the `hookshttp` package. This change fixes that to have one consistent error mechanism supported across all hooks. For http hooks specifically there is an error in the supabase docs that I will resolve in a follow up pr. The status code from the invoked hook should indicate the response status only for the auth server. This means a response of 500 will be treated as a failed invocation of the hook and the response body will not be ready. Responses will only be read when the status code is 200 or 202. If so it will read the body, if it is the body will be checked by the hookserrors package for an error object. If present it will be propagated to the original client. Co-authored-by: Chris Stockton <[email protected]>

I missed that the build-strip Makefile step wrote a new version.go file. Moving this code around is easier then messing with build system right now. Co-authored-by: Chris Stockton <[email protected]>

#2334) ## What kind of change does this PR introduce? Bug fix ## What is the current behavior? JWT ValidMethods not parsed from env because split_words was missing on the struct tag, causing envconfig to look for `GOTRUE_JWT_VALIDMETHODS` instead of `GOTRUE_JWT_VALID_METHODS`. Since v2.71.1, cli defaults to asymmetric keys, which caused valid HS256 tokens to be rejected. ## What is the new behavior? This change adds `split_words` to ensure the correct env var is used. I assume that `GOTRUE_JWT_VALID_METHODS` is the correct env var but if it isn't, then this issue can also be solved by updating the env var passed to auth service in [supabase cli](https://github.com/supabase/cli/blob/5122df4f64490526e3b90852c221e9ff4f6492f6/internal/start/start.go#L629) to ``` env = append(env, "GOTRUE_JWT_VALIDMETHODS=HS256,RS256,ES256") ``` ## Additional context The following screenshots are from print statements I added 1. config.JWT.ValidMethods was nil because it was looking for wrong env var. It defaulted to jwk key algorithm (ES256). https://github.com/supabase/auth/blob/645654df63a3da7929840659c065f6a9cdd4ba96/internal/conf/configuration.go#L1092-L1097 <img width="1289" height="61" alt="Screenshot 2026-01-17 041756" src="https://github.com/user-attachments/assets/00d0e883-cec8-472a-946b-0ac65b6c140d" /> <img width="622" height="122" alt="Screenshot 2026-01-17 042002" src="https://github.com/user-attachments/assets/844bcb38-cd45-4e11-992a-e230ade6cb1e" /> 2. After <img width="977" height="82" alt="image" src="https://github.com/user-attachments/assets/55271d4a-16cf-4ec7-923e-f581d0f5c15d" />

## Summary Add configurable custom OAuth/OIDC providers (phase 1) so projects can integrate self‑hosted/regional identity providers without requiring code changes. ## Problem Current OAuth/OIDC providers are hardcoded, require provider-specific code and env vars, and block customers who need self‑hosted or custom IdPs (e.g. GitHub Enterprise, LINE, internal OIDC servers). ## Solution Introduce database‑backed `oauth_providers` with custom:{identifier} IDs, OIDC discovery + OAuth2 manual configuration, admin CRUD APIs, and tier‑gated quotas, reusing existing /authorize and /callback flows with JWT state + PKCE.

## fix: case-insensitive Bearer token scheme matching `bearerRegexp` only accepted `Bearer` and `bearer` [RFC 7235 §2.1](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1) requires auth scheme names to be case-insensitive. Changed the regex to use the `(?i)` flag so all capitalizations (e.g. `BEARER`) are accepted. ### Test plan - Added `TestExtractBearerTokenCaseInsensitive` covering `Bearer`, `bearer`, `BEARER`, `bEaReR`, `BeArEr`

🤖 I have created a release *beep* *boop* --- ## [2.187.0](v2.186.0...v2.187.0) (2026-02-23) ### Features * add metadata field to all hooks ([#2365](#2365)) ([c675749](c675749)) * check current password on change ([#2364](#2364)) ([33b87ae](33b87ae)) * **indexworker:** add max users threshold for rollout ([#2374](#2374)) ([a2066c6](a2066c6)) * **metrics:** added a gauge with version information ([#2375](#2375)) ([911ad0b](911ad0b)) * support custom oauth & oidc providers ([#2357](#2357)) ([53021f6](53021f6)) ### Bug Fixes * case-insensitive Bearer token scheme matching ([#2387](#2387)) ([36d712d](36d712d)) * correctly parse JWT ValidMethods from env by enabling split_words ([#2334](#2334)) ([a6076bc](a6076bc)) * flaky index worker test ([#2366](#2366)) ([961a7e6](961a7e6)) * **hooks:** propagate error objects from hook calls ([#2380](#2380)) ([3ca1e88](3ca1e88)) * session upgrade percentage should be based on session, not request ([#2371](#2371)) ([510e68b](510e68b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comparing changes

Open a pull request

Commits on Feb 5, 2026

Commits on Feb 7, 2026

Commits on Feb 9, 2026

Commits on Feb 10, 2026

Commits on Feb 11, 2026

Commits on Feb 16, 2026

Commits on Feb 17, 2026

Commits on Feb 18, 2026

Commits on Feb 19, 2026

Commits on Feb 23, 2026

Commits on Feb 24, 2026

This comparison is taking too long to generate.

Uh oh!