Merge branch 'master' into etienne/prodsec-76

Author: staaldraad

.github/workflows/conventional-commits.yml

@@ -21,7 +21,7 @@ permissions:
 
 jobs:
   check-conventional-commits:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     if: github.actor != 'dependabot[bot]' # skip for dependabot PRs
     env:
       EVENT: ${{ toJSON(github.event) }}

.github/workflows/dogfooding.yml

@@ -13,7 +13,7 @@ permissions:
 
 jobs:
   check_dogfooding:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: github.event.pull_request.base.ref == 'master' && github.event.pull_request.head.ref == 'release-please--branches--master'

.github/workflows/publish.yml

@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     permissions:
       contents: read
       packages: write

.github/workflows/release.yml

@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   release_please:
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     permissions:
       contents: write
       pull-requests: write
@@ -190,9 +190,15 @@ jobs:
           FULL_NOTES=$(printf "%s\n\n%s\n" "$EXISTING_NOTES" "$CHECKSUM_CONTENT")
           GH_TOKEN='${{ github.token }}' gh release edit $RELEASE_NAME -n "$FULL_NOTES"
 
-          GH_TOKEN='${{ github.token }}' gh release upload $RELEASE_NAME ./auth-v$RELEASE_VERSION-x86.tar.gz ./auth-v$RELEASE_VERSION-arm64.tar.gz ./auth-v$RELEASE_VERSION-arm64.tar.xz ./auth-v$RELEASE_VERSION-darwin-arm64.tar.gz
+          GH_TOKEN='${{ github.token }}' gh release upload $RELEASE_NAME \
+            ./auth-v$RELEASE_VERSION-x86.tar.gz \
+            ./auth-v$RELEASE_VERSION-arm64.tar.gz \
+            ./auth-v$RELEASE_VERSION-darwin-arm64.tar.gz \
+            ./auth-v$RELEASE_VERSION-amd64.tar.xz \
+            ./auth-v$RELEASE_VERSION-arm64.tar.xz
 
           # Upload to Supabase internal bucket
+          aws s3 cp ./auth-v$RELEASE_VERSION-amd64.tar.xz s3://supabase-internal-artifacts/auth/$RELEASE_VERSION/
           aws s3 cp ./auth-v$RELEASE_VERSION-arm64.tar.xz s3://supabase-internal-artifacts/auth/$RELEASE_VERSION/
 
   publish:

.github/workflows/test.yml

@@ -11,8 +11,9 @@ permissions:
   contents: read
 
 jobs:
-  test:
-    runs-on: ubuntu-latest
+  test_postgres:
+    name: Test / Postgres
+    runs-on: blacksmith-4vcpu-ubuntu-2404
     services:
       postgres:
         image: postgres:15
@@ -69,3 +70,35 @@ jobs:
       - uses: shogo82148/actions-goveralls@25f5320d970fb565100cf1993ada29be1bb196a1 # v1.10.0
         with:
           path-to-profile: coverage.out
+
+  test_oriole:
+    name: Test / OrioleDB
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    services:
+      postgres:
+        image: orioledb/orioledb:latest-pg17
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: root
+          POSTGRES_DB: postgres
+          POSTGRES_INITDB_ARGS: "--locale=C"
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Install Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: go.mod
+      - name: Init Database
+        run: psql -f hack/init_postgres.sql postgresql://postgres:root@localhost:5432/postgres
+      - name: Run migrations
+        run: make migrate_dev
+      - name: Run tests
+        run: go test ./... -p 1 -race -v -count=1

.gitignore

@@ -1,5 +1,6 @@
 .env*
 vendor/
+tools/bin/
 gotrue
 gotrue-arm64
 gotrue.exe

CHANGELOG.md

@@ -1,5 +1,26 @@
 # Changelog
 
+## [2.189.0](https://github.com/supabase/auth/compare/v2.188.1...v2.189.0) (2026-04-23)
+
+
+### Features
+
+* add PKCE support for `/resend` ([#2401](https://github.com/supabase/auth/issues/2401)) ([2af904a](https://github.com/supabase/auth/commit/2af904a2bcd78ee3b64b9e29424dfa78e9616233))
+* improve parallelization in github workflows and Makefile ([#2436](https://github.com/supabase/auth/issues/2436)) ([9d0c4b3](https://github.com/supabase/auth/commit/9d0c4b3f8859a4d1b5a48ce5962a5fa9accdae61))
+* **passkeys:** add CAPTCHA to options endpoint for authentication ([#2416](https://github.com/supabase/auth/issues/2416)) ([c7b58be](https://github.com/supabase/auth/commit/c7b58be5cc520dcc0963ec3346807561c176624b))
+* support live reloading of individual rate limits ([#2469](https://github.com/supabase/auth/issues/2469)) ([d03d796](https://github.com/supabase/auth/commit/d03d796162779d51ce58bf1b56b0991ec86700bc))
+
+
+### Bug Fixes
+
+* ensure identities are returned in a consistent order across DB engines ([#2465](https://github.com/supabase/auth/issues/2465)) ([e49a3e5](https://github.com/supabase/auth/commit/e49a3e5e5dd5a75abdaa0a52a62f644470737e3a))
+* ensure SSO providers tests are order-independent ([#2466](https://github.com/supabase/auth/issues/2466)) ([983ade6](https://github.com/supabase/auth/commit/983ade65789fce94cb632d154905d594181389a2))
+* exempt PKCE recovery sessions from require-current-password check ([#2502](https://github.com/supabase/auth/issues/2502)) ([7f88985](https://github.com/supabase/auth/commit/7f889859787c72f59ea8b820d9d0f388965252ff))
+* **indexworker:** skip index creation on OrioleDB ([#2481](https://github.com/supabase/auth/issues/2481)) ([dd56ae9](https://github.com/supabase/auth/commit/dd56ae91eb5bf64519ff650b58066338fd1a9b20))
+* **passkeys:** modify the passkeys request and response shapes ([#2475](https://github.com/supabase/auth/issues/2475)) ([2d8f2b6](https://github.com/supabase/auth/commit/2d8f2b6168cfc753f55c7bd157bfda6ef05af007))
+* prevent reuse of flow state ([#2483](https://github.com/supabase/auth/issues/2483)) ([88dcb2d](https://github.com/supabase/auth/commit/88dcb2d290a7c06cfff707ddf918b08f25ec141c))
+* return JSON response for unmatched routes instead of plain text ([#2457](https://github.com/supabase/auth/issues/2457)) ([7337e21](https://github.com/supabase/auth/commit/7337e21c288c93951cfef3b60c1988ead296c4b7))
+
 ## [2.188.1](https://github.com/supabase/auth/compare/v2.188.0...v2.188.1) (2026-03-19)
 
 

Makefile

@@ -23,35 +23,48 @@ BUILD_CMD = go build \
 	-buildvcs=false \
 	-ldflags "$(BUILD_LD_FLAGS)$(2)"
 
-RELEASE_TARGETS = x86 arm64 darwin-arm64 arm64-strip
+RELEASE_TARGETS = x86 arm64 darwin-arm64 amd64-strip arm64-strip
 RELEASE_ARCHIVES = \
 	auth-$(VERSION)-x86.tar.gz \
 	auth-$(VERSION)-arm64.tar.gz \
 	auth-$(VERSION)-darwin-arm64.tar.gz \
+	auth-$(VERSION)-amd64.tar.xz \
 	auth-$(VERSION)-arm64.tar.xz
 
+TOOL_BIN_DIR = tools/bin
+TOOL_TARGETS = \
+	$(TOOL_BIN_DIR)/gosec \
+	$(TOOL_BIN_DIR)/staticcheck \
+	$(TOOL_BIN_DIR)/govulncheck
+
 
 help: ## Show this help.
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
 
 all: vet sec static build ## Run the tests and build the binary.
 
-build: auth auth-arm64 auth-darwin-arm64 ## Build the binaries.
+build: auth auth-amd64 auth-arm64 auth-darwin-arm64 ## Build the binaries.
 
-build-strip: auth-arm64-strip ## Build a stripped binary, for which the version file needs to be rewritten.
+build-strip: auth-amd64-strip auth-arm64-strip ## Build a stripped binary, for which the version file needs to be rewritten.
 
 auth: deps
 	CGO_ENABLED=0 $(call BUILD_CMD,$(@),)
 
 auth-x86: deps
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 $(call BUILD_CMD,$(@),)
 
+auth-amd64: deps
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 $(call BUILD_CMD,$(@),)
+
 auth-arm64: deps
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 $(call BUILD_CMD,$(@),)
 
 auth-darwin-arm64: deps
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 $(call BUILD_CMD,$(@),)
 
+auth-amd64-strip: deps
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 $(call BUILD_CMD,$(@), -s)
+
 auth-arm64-strip: deps
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 $(call BUILD_CMD,$(@), -s)
 
@@ -73,6 +86,12 @@ auth-$(VERSION)-%.tar.gz: \
 		release-%/gotrue | migrations
 	tar -C $(<D) -czvf $(@) auth gotrue -C ../ migrations/
 
+auth-$(VERSION)-amd64.tar.xz: \
+		release-amd64-strip/auth \
+		release-amd64-strip/gotrue | migrations
+	tar -C $(<D) -cf - auth gotrue -C ../ migrations/ \
+		| xz -T0 -9e -C crc64 > $(@)
+
 auth-$(VERSION)-arm64.tar.xz: \
 		release-arm64-strip/auth \
 		release-arm64-strip/gotrue | migrations
@@ -99,34 +118,35 @@ test: auth ## Run tests.
 vet: # Vet the code
 	go vet $(CHECK_FILES)
 
-sec: check-gosec # Check for security vulnerabilities
-	gosec -quiet -exclude-generated -exclude=G117,G120,G704 $(CHECK_FILES)
-	gosec -quiet -tests -exclude-generated -exclude=G101,G104,G117,G120,G704 $(CHECK_FILES)
-
-check-gosec:
-	@command -v gosec >/dev/null 2>&1 \
-		|| go install github.com/securego/gosec/v2/cmd/gosec@latest
-
-vulncheck: check-govulncheck # Check for known vulnerabilities
-	govulncheck -format json $(CHECK_FILES) | go run ./hack/vulncheck-filter
-
-check-govulncheck:
-	@command -v govulncheck >/dev/null 2>&1 \
-		|| go install golang.org/x/vuln/cmd/govulncheck@latest
-
-unused: | check-staticcheck # Look for unused code
+.NOTPARALLEL: $(TOOL_TARGETS)
+$(TOOL_TARGETS):
+	$(MAKE) -C tools
+
+sec: | $(TOOL_BIN_DIR)/gosec # Check for security vulnerabilities
+	$(TOOL_BIN_DIR)/gosec \
+		-quiet \
+		-exclude-generated \
+		-exclude=G117,G120,G704 \
+		$(CHECK_FILES)
+	$(TOOL_BIN_DIR)/gosec \
+		-quiet \
+		-tests \
+		-exclude-generated \
+		-exclude=G101,G104,G117,G120,G704 \
+		$(CHECK_FILES)
+
+vulncheck: $(TOOL_BIN_DIR)/govulncheck # Check for known vulnerabilities
+	$(TOOL_BIN_DIR)/govulncheck -format json $(CHECK_FILES) | go run ./hack/vulncheck-filter
+
+unused: | $(TOOL_BIN_DIR)/staticcheck # Look for unused code
 	@echo "Unused code:"
-	staticcheck -checks U1000 $(CHECK_FILES)
+	$(TOOL_BIN_DIR)/staticcheck -checks U1000 $(CHECK_FILES)
 	@echo
 	@echo "Code used only in _test.go (do move it in those files):"
-	staticcheck -checks U1000 -tests=false $(CHECK_FILES)
-
-static: | check-staticcheck
-	staticcheck ./...
+	$(TOOL_BIN_DIR)/staticcheck -checks U1000 -tests=false $(CHECK_FILES)
 
-check-staticcheck:
-	@command -v staticcheck >/dev/null 2>&1 \
-		|| go install honnef.co/go/tools/cmd/staticcheck@latest
+static: | $(TOOL_BIN_DIR)/staticcheck
+	$(TOOL_BIN_DIR)/staticcheck ./...
 
 generate: | check-oapi-codegen
 	go generate ./...

cmd/serve_cmd.go

@@ -14,6 +14,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/supabase/auth/internal/api"
+	"github.com/supabase/auth/internal/api/apilimiter"
 	"github.com/supabase/auth/internal/api/apiworker"
 	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/mailer/templatemailer"
@@ -63,10 +64,10 @@ func serve(ctx context.Context) {
 	defer wg.Wait() // Do not return to caller until this goroutine is done.
 
 	mrCache := templatemailer.NewCache()
-	limiterOpts := api.NewLimiterOptions(config)
+	initialLim := apilimiter.New(config)
 	initialAPI := api.NewAPIWithVersion(
 		config, db, utilities.Version,
-		limiterOpts,
+		api.WithLimiter(initialLim),
 		api.WithMailer(templatemailer.FromConfig(config, mrCache)),
 	)
 
@@ -92,11 +93,11 @@ func serve(ctx context.Context) {
 
 		var err error
 		defer func() {
-			logFn := wrkLog.Info
-			if err != nil {
-				logFn = wrkLog.WithError(err).Error
+			exitFn := wrkLog.Info
+			if err != nil && !errors.Is(err, context.Canceled) {
+				exitFn = wrkLog.WithError(err).Error
 			}
-			logFn("background apiworker is exiting")
+			exitFn("background apiworker is exiting")
 		}()
 
 		// Work exits when ctx is done as in-flight requests do not depend
@@ -124,17 +125,18 @@ func serve(ctx context.Context) {
 			var err error
 			defer func() {
 				exitFn := le.Info
-				if err != nil {
+				if err != nil && !errors.Is(err, context.Canceled) {
 					exitFn = le.WithError(err).Error
 				}
 				exitFn("config reloader is exiting")
 			}()
 
+			previousLim := initialLim
 			fn := func(latestCfg *conf.GlobalConfiguration) {
 				le.Info("reloading api with new configuration")
 
-				// When config is updated we notify the apiworker.
-				wrk.ReloadConfig(latestCfg)
+				// Update the previous limiter with the latest config
+				latestLim := previousLim.Update(le, latestCfg)
 
 				// Create a new API version with the updated config.
 				latestAPI := api.NewAPIWithVersion(
@@ -146,19 +148,21 @@ func serve(ctx context.Context) {
 					),
 
 					// Persist existing rate limiters.
-					//
-					// TODO(cstockton): we should consider updating these, if we
-					// rely on hot config reloads 100% then rate limiter changes
-					// won't be picked up.
-					limiterOpts,
+					api.WithLimiter(latestLim),
 				)
+
+				// Assign this config as the latest configuration
 				ah.Store(latestAPI)
+
+				// When config is updated we notify the apiworker.
+				wrk.ReloadConfig(latestCfg)
+
+				// Update previous limiter
+				previousLim = latestLim
 			}
 
 			rl := reloader.NewReloader(rc, watchDir)
-			if err = rl.Watch(ctx, fn); err != nil {
-				log.WithError(err).Error("config reloader is exiting")
-			}
+			err = rl.Watch(ctx, fn)
 		}()
 	}