Skip to content

feat: upgrade existing sessions to v2 refresh tokens though config value#2356

Merged
hf merged 4 commits intomasterfrom
hf/upgrade-refresh-tokens-v2
Jan 28, 2026
Merged

feat: upgrade existing sessions to v2 refresh tokens though config value#2356
hf merged 4 commits intomasterfrom
hf/upgrade-refresh-tokens-v2

Conversation

@hf
Copy link
Contributor

@hf hf commented Jan 28, 2026

If the refresh token algorithm version is set to 2, only new sessions would be using these. By setting GOTRUE_SECURITY_REFRESH_TOKEN_UPGRADE_PERCENTAGE to a value between 0 and 100 inclusive, on the next refresh token request a session using a v1 refresh token will switch to using a v2 refresh token.

The percentage is to allow for gradual rollout, as the upgrade step can result in some concurrent refreshes to terminate the session early.

@hf hf requested a review from a team as a code owner January 28, 2026 10:48
@hf hf force-pushed the hf/upgrade-refresh-tokens-v2 branch 2 times, most recently from 7607b3d to f84f272 Compare January 28, 2026 10:54
@hf hf force-pushed the hf/upgrade-refresh-tokens-v2 branch from f84f272 to 384f769 Compare January 28, 2026 11:17
depthfirst-app[bot]
depthfirst-app bot reviewed Jan 28, 2026
View reviewed changes
@coveralls
Copy link

coveralls commented Jan 28, 2026
edited
Loading

Pull Request Test Coverage Report for Build 21438517549

Details

  • 27 of 44 (61.36%) changed or added relevant lines in 3 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.02%) to 68.803%
Changes Missing Coverage Covered Lines Changed/Added Lines %
internal/conf/configuration.go 2 6 33.33%
internal/tokens/service.go 22 35 62.86%
Totals Coverage Status
Change from base Build 21407255753: -0.02%
Covered Lines: 14876
Relevant Lines: 21621
💛 - Coveralls

fadymak
fadymak reviewed Jan 28, 2026
View reviewed changes
@hf hf merged commit 6fb0e8a into master Jan 28, 2026
6 checks passed
@hf hf deleted the hf/upgrade-refresh-tokens-v2 branch January 28, 2026 13:01
@supabase-releaser supabase-releaser bot mentioned this pull request Jan 27, 2026
Merged
cstockton pushed a commit that referenced this pull request Jan 28, 2026
@supabase-releaser
chore(master): release 2.186.0 (#2337)
effd662 
🤖 I have created a release *beep* *boop*
---


##
[2.186.0](v2.185.0...v2.186.0)
(2026-01-28)


### Features

* Add email send operation metrics
([#2311](#2311))
([0096575](0096575))
* add Supabase Auth identifier to OAuth redirect URLs
([#2299](#2299))
([2d3dbc6](2d3dbc6))
* log sb-auth-user-id, sb-auth-session-id, ... on sign in not just
refresh token ([#2342](#2342))
([a486ada](a486ada))
* **oauth-server:** store and enforce token_endpoint_auth_method
([#2300](#2300))
([bcd6cd5](bcd6cd5))
* replace JWT OAuth state with `flow_state.id` UUID
([#2331](#2331))
([645654d](645654d))
* upgrade existing sessions to v2 refresh tokens though config value
([#2356](#2356))
([6fb0e8a](6fb0e8a))


### Bug Fixes

* reloader unittest races on writeWg
([#2352](#2352))
([088b714](088b714))
* update migration version
([#2343](#2343))
([61ef4db](61ef4db))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>
@hf hf mentioned this pull request Feb 9, 2026
Merged
hf added a commit that referenced this pull request Feb 9, 2026
@hf
fix: session upgrade percentage should be based on session, not reque…
510e68b 
…st (#2371)

In #2356 a session would be upgraded to v2 refresh tokens based on the
number of requests for that session. If you set a percentage value of
10% and there's 100 refresh token requests per session, all sessions
would be upgraded within 1 day.

This is rectified here by converting the session ID to a value in the
`[0, 100)` range making sure that a random selection of sessions would
be upgraded consistently.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@depthfirst-app depthfirst-app[bot] depthfirst-app[bot] left review comments

@fadymak fadymak fadymak approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hf @coveralls @fadymak