Comparing changes

base repository: supabase/auth
base: v2.177.0
head repository: supabase/auth
compare: v2.178.0
  • 6 commits
  • 26 files changed
  • 7 contributors

Commits on Jul 17, 2025

  1. feat: skip nonce check for Facebook Limited Login auth (#2082)

    ## What kind of change does this PR introduce?
    
    Nonce matching isn't supported for Facebook Limited Login, skipping it
    during OIDC login. Finalizes #2046
    cemalkilic authored Jul 17, 2025
    f1b15ff

Commits on Jul 21, 2025

  1. feat: add support for managing SSO providers by resource_id (#2081)

    Some time ago a `resource_id` was added to the `sso_providers` table to
    support infrastructure as code use cases down the road. This change adds
    basic support for utilizing this field to manage SSO providers.
    
    Key changes:
    - Updated API for SSO providers to allow get, put, delete by `resource_id`
    - Extended `loadSSOProvider` to accept `resource_`-prefixed `idp_id` values
    - Added optional `resource_id` field to `SSOProvider` model
    - Implemented `FindSSOProviderByResourceID` in model layer
    - Renamed `FindAllSAMLProviders` to `FindAllSSOProviders`
    - Added filtering to the `/admin/sso/providers` via `?resource_id{,_prefix}=`
    - Included full E2E test coverage for SSO provider api
    
    ---------
    
    Co-authored-by: Chris Stockton <chris.stockton@supabase.io>
    cstockton and Chris Stockton authored Jul 21, 2025
    5ca4489

Commits on Jul 24, 2025

  1. feat: add sign in with ethereum (#2069)

    Adds Sign in with Ethereum. Configure it by:
    
    ```
    GOTRUE_EXTERNAL_WEB3_ETHEREUM_ENABLED="true"
    GOTRUE_EXTERNAL_WEB3_ETHEREUM_MAXIMUM_VALIDITY_DURATION="10m"
    ```
    
    SIWS & SIWE are based off of EIP-4361, which is referenced here:
    https://eips.ethereum.org/EIPS/eip-4361, so they are close in
    implementation with slight differences between address/signature
    verification format & algorithm.
    
    For Ethereum, specifically the signature verification part, it requires
    recovering the public address from the signature, and then testing the
    signature against it, with the algorithm Ethereum uses, this is tedious
    to implement without using the https://github.com/ethereum/go-ethereum
    package, as the verification has some error correction that it does,
    would be hard to test/maintain without the dependency, let me know what
    you think.
    Bewinxed authored Jul 24, 2025
    079b242

Commits on Jul 30, 2025

  1. feat: log all audit events separately to prevent missing events (#2086)

    ## Problem
    The `observability.LogEntrySetFields()` adds to request context, causing
    multiple audit events in the same request to overwrite each other. For
    example, refresh token requests call `NewAuditLogEntry()` twice
    (`token_refreshed`, then `token_revoked`) but only the last event
    (`token_revoked`) was logged.
    
    ## Solution
    Create immediate separate log entries with "auth_audit_event" key. This
    ensures all audit events are captured without overwriting.
    
    ## Example log output:
    
    ```sh
    {"auth_audit_event":{"action":"token_refreshed","actor_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a","actor_username":"","actor_via_sso":false,"audit_log_id":"3e07849b-1784-451b-af99-1fbd455681e7","created_at":"2025-07-23T13:34:29.88400603Z","ip_address":"","log_type":"token","request_id":"3bd2f2fd-8b2a-434f-93da-656c9083762b","user_agent":"insomnia/11.1.0"},"level":"info","msg":"audit_event","time":"2025-07-23T13:34:29Z"}
    {"auth_audit_event":{"action":"token_revoked","actor_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a","actor_username":"","actor_via_sso":false,"audit_log_id":"9dd3621b-9fd2-4e1d-a3a6-2236a16653c8","created_at":"2025-07-23T13:34:29.886232214Z","ip_address":"","log_type":"token","request_id":"3bd2f2fd-8b2a-434f-93da-656c9083762b","user_agent":"insomnia/11.1.0"},"level":"info","msg":"audit_event","time":"2025-07-23T13:34:29Z"}
    {"action":"login","instance_id":"00000000-0000-0000-0000-000000000000","level":"info","login_method":"token","metering":true,"msg":"Login","time":"2025-07-23T13:34:29Z","user_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a"}
    {"auth_event":{"action":"token_revoked","actor_id":"2670aa55-6f6f-465b-a749-2e75f61e1e8a","actor_username":"","actor_via_sso":false,"log_type":"token"},"component":"api","duration":21772353,"grant_type":"refresh_token","level":"info","method":"POST","msg":"request completed","path":"/token","referer":"http://localhost:3000","remote_addr":"192.168.117.1","request_id":"3bd2f2fd-8b2a-434f-93da-656c9083762b","status":200,"time":"2025-07-23T13:34:29Z"}
    ```
    
    The first two are the _new_ audit events (added with this PR), the third
    is the login metric and the last one was the request logging (containing
    only the last audit event). Eventually, we're going to remove the audit
    event from the request log (the last one).
    cemalkilic authored Jul 30, 2025
    3b666f5
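
Added example (not code from the supabase/auth repository): a log consumer for the output format shown in the commit message above, reporting which audit actions exist only as `auth_audit_event` entries and never reach the request log's `auth_event` field. The log lines are constructed and abbreviated from the commit's sample; the type and function names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// Constructed sample, abbreviated from the log output in the commit message.
const sampleLog = `{"auth_audit_event":{"action":"token_refreshed","audit_log_id":"a1","request_id":"req-1"},"level":"info","msg":"audit_event"}
{"auth_audit_event":{"action":"token_revoked","audit_log_id":"a2","request_id":"req-1"},"level":"info","msg":"audit_event"}
{"action":"login","level":"info","login_method":"token","msg":"Login"}
{"auth_event":{"action":"token_revoked","log_type":"token"},"msg":"request completed","path":"/token","request_id":"req-1","status":200}`

type event struct {
	Action    string `json:"action"`
	RequestID string `json:"request_id"`
}
type entry struct {
	Audit     *event `json:"auth_audit_event"` // dedicated audit entry
	Request   *event `json:"auth_event"`       // field on the request log
	RequestID string `json:"request_id"`
}

// MissedByRequestLog maps request_id to audit actions absent from auth_event.
func MissedByRequestLog(log string) map[string][]string {
	var audits []event
	seen := map[string]bool{} // "request_id/action" pairs present in request logs
	for _, line := range strings.Split(log, "\n") {
		var e entry
		if json.Unmarshal([]byte(line), &e) != nil {
			continue // not a JSON log line
		}
		if e.Audit != nil {
			audits = append(audits, *e.Audit)
		}
		if e.Request != nil {
			seen[e.RequestID+"/"+e.Request.Action] = true
		}
	}
	missed := map[string][]string{}
	for _, a := range audits {
		if !seen[a.RequestID+"/"+a.Action] {
			missed[a.RequestID] = append(missed[a.RequestID], a.Action)
		}
	}
	return missed
}
func main() {
	fmt.Println(MissedByRequestLog(sampleLog)) // map[req-1:[token_refreshed]]
}
```

A pipeline that still keys on `auth_event` in the "request completed" line would never see `token_refreshed` for this request, which is the gap the dedicated entries close.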

Commits on Aug 5, 2025

  1. feat: support ledger solana offchain message signing (#2093)

    Supports Solana off-chain messages signed with Ledger, as described in
    this issue: #2092
    
    ---------
    
    Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
    etodanik and hf authored Aug 5, 2025
    4c94443

Commits on Aug 6, 2025

  1. chore(master): release 2.178.0 (#2083)

    🤖 I have created a release *beep* *boop*
    ---
    
    
    ## [2.178.0](v2.177.0...v2.178.0) (2025-08-05)
    
    
    ### Features
    
    * add sign in with ethereum ([#2069](#2069)) ([079b242](079b242))
    * add support for managing SSO providers by resource_id ([#2081](#2081)) ([5ca4489](5ca4489))
    * log all audit events separately to prevent missing events ([#2086](#2086)) ([3b666f5](3b666f5))
    * skip nonce check for Facebook Limited Login auth ([#2082](#2082)) ([f1b15ff](f1b15ff))
    * support ledger solana offchain message signing ([#2093](#2093)) ([4c94443](4c94443))
    
    ---
    This PR was generated with [Release Please](https://github.com/googleapis/release-please). See
    [documentation](https://github.com/googleapis/release-please#release-please).
    
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    github-actions[bot] authored Aug 6, 2025
    dbaccd4