supabase
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 29 additions & 8 deletions b/‎.github/workflows/release.yml‎
Lines changed: 29 additions & 8 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 26 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 3 additions & 8 deletions b/‎CONTRIBUTING.md‎
Lines changed: 3 additions & 8 deletions
diff --git a/‎LICENSE‎
Lines changed: 1 addition & 1 deletion b/‎LICENSE‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Makefile‎
Lines changed: 12 additions & 2 deletions b/‎Makefile‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmd/admin_cmd.go‎
Lines changed: 1 addition & 1 deletion b/‎cmd/admin_cmd.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎cmd/serve_cmd.go‎
Lines changed: 11 additions & 7 deletions b/‎cmd/serve_cmd.go‎
Lines changed: 11 additions & 7 deletions
diff --git a/‎docker-compose-dev.yml‎
Lines changed: 0 additions & 3 deletions b/‎docker-compose-dev.yml‎
Lines changed: 0 additions & 3 deletions
@@ -18,6 +18,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     outputs:
       MAIN_RELEASE_VERSION: ${{ steps.versions.outputs.MAIN_RELEASE_VERSION }}
       RELEASE_VERSION: ${{ steps.versions.outputs.RELEASE_VERSION }}
@@ -90,16 +91,15 @@ jobs:
           set -ex
 
           RELEASE_VERSION=$RELEASE_VERSION make deps
-          RELEASE_VERSION=$RELEASE_VERSION make all
+          RELEASE_VERSION=$RELEASE_VERSION make all build-strip
+
           ln -s auth gotrue
           tar -czvf auth-v$RELEASE_VERSION-x86.tar.gz auth gotrue migrations/
           mv auth-arm64 auth
           tar -czvf auth-v$RELEASE_VERSION-arm64.tar.gz auth gotrue migrations/
 
-          # Create a "supafast" tarball that can be used by supabase-admin-api to upgrade Auth quickly
-          rm gotrue
-          mv auth gotrue
-          tar -czvf auth-v$RELEASE_VERSION.supafast-arm64.tar.gz gotrue migrations/
+          mv auth-arm64-strip auth
+          tar -cf - auth gotrue migrations/ | xz -T0 -9e -C crc64 > auth-v$RELEASE_VERSION-arm64.tar.xz
 
       - name: Generate checksums
         if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
@@ -110,7 +110,7 @@ jobs:
             local hash_type=$1
             local hash_cmd=$2
             echo "### ${hash_type}" >> checksums.txt
-            for file in auth-v$RELEASE_VERSION*.tar.gz; do
+            for file in auth-v$RELEASE_VERSION*.tar.{gz,xz}; do
               echo "\`$file\`:" >> checksums.txt
               echo "\`\`\`" >> checksums.txt
               $hash_cmd "$file" | awk '{print $1}' >> checksums.txt
@@ -124,6 +124,24 @@ jobs:
           generate_checksums "SHA1" "sha1sum"
           generate_checksums "SHA256" "sha256sum"
 
+      - name: GitHub OIDC Auth
+        if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
+        uses: aws-actions/[email protected]
+        with:
+          aws-region: ap-southeast-1
+          role-to-assume: arn:aws:iam::${{ secrets.SHARED_SERVICES_AWS_ACCOUNT_ID }}:role/supabase-github-oidc-role
+          role-session-name: shared-services-jump
+
+      - name: Assume destination role
+        uses: aws-actions/[email protected]
+        if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
+        with:
+          aws-region: ap-southeast-1
+          role-to-assume: arn:aws:iam::${{ secrets.SHARED_SERVICES_AWS_ACCOUNT_ID }}:role/supabase-auth-artifacts-role-7656c95
+          role-skip-session-tagging: true
+          role-session-name: upload-assets
+          role-chaining: true
+
       - name: Upload release artifacts
         if: ${{ steps.release.outputs.release_created == 'true' || steps.release.outputs.prs_created == 'true' }}
         run: |
@@ -135,7 +153,7 @@ jobs:
             CHECKSUM_CONTENT=$(cat checksums.txt)
 
             RELEASE_NOTES=$(printf "This is a release candidate. See release-please PR #%s for context.\n\n%s\n" "$PR_NUMBER" "$CHECKSUM_CONTENT")
-            
+
             GH_TOKEN='${{ github.token }}' gh release \
               create $RELEASE_NAME \
               --title "v$RELEASE_VERSION" \
@@ -171,7 +189,10 @@ jobs:
           FULL_NOTES=$(printf "%s\n\n%s\n" "$EXISTING_NOTES" "$CHECKSUM_CONTENT")
           GH_TOKEN='${{ github.token }}' gh release edit $RELEASE_NAME -n "$FULL_NOTES"
 
-          GH_TOKEN='${{ github.token }}' gh release upload $RELEASE_NAME ./auth-v$RELEASE_VERSION-x86.tar.gz ./auth-v$RELEASE_VERSION-arm64.tar.gz ./auth-v$RELEASE_VERSION.supafast-arm64.tar.gz
+          GH_TOKEN='${{ github.token }}' gh release upload $RELEASE_NAME ./auth-v$RELEASE_VERSION-x86.tar.gz ./auth-v$RELEASE_VERSION-arm64.tar.gz ./auth-v$RELEASE_VERSION-arm64.tar.xz
+
+          # Upload to Supabase internal bucket
+          aws s3 cp ./auth-v$RELEASE_VERSION-arm64.tar.xz s3://supabase-internal-artifacts/auth/$RELEASE_VERSION/
 
   publish:
     needs:
 
@@ -5,6 +5,7 @@ gotrue-arm64
 gotrue.exe
 auth
 auth-arm64
+auth-arm64-strip
 auth.exe
 
 coverage.out
 
@@ -1,5 +1,31 @@
 # Changelog
 
+## [2.179.0](https://github.com/supabase/auth/compare/v2.178.0...v2.179.0) (2025-08-28)
+
+
+### Features
+
+* add oauth2 client support ([#2098](https://github.com/supabase/auth/issues/2098)) ([8fae015](https://github.com/supabase/auth/commit/8fae01581d122bba95a3742dc212284f9a21dc4d))
+* experimental own linking domains per provider ([#2119](https://github.com/supabase/auth/issues/2119)) ([747bf3b](https://github.com/supabase/auth/commit/747bf3b15fd9e371c9330e75fe2e5de8b89ce14d))
+* fetch email from snapchat oauth provider if available for consistency ([#2110](https://github.com/supabase/auth/issues/2110)) ([7507822](https://github.com/supabase/auth/commit/750782246e736093131ba2eb1015fc73083d99ab))
+* implement link identity with oidc / native sign in ([#2108](https://github.com/supabase/auth/issues/2108)) ([5f0ec87](https://github.com/supabase/auth/commit/5f0ec8709231c57b57aa06160e18bc9e52ec9002))
+* implements email-less accounts with oauth ([#2105](https://github.com/supabase/auth/issues/2105)) ([9a61dae](https://github.com/supabase/auth/commit/9a61dae788311a086ce8e72b52c21e031857adf7))
+* introduce request-scoped background tasks & async mail sending ([#2126](https://github.com/supabase/auth/issues/2126)) ([2c8ea61](https://github.com/supabase/auth/commit/2c8ea6113ae7381106ed7c67d7a45f7ef87195c7))
+* refactor mailer client wiring and add validation wrapper ([#2130](https://github.com/supabase/auth/issues/2130)) ([68c40a6](https://github.com/supabase/auth/commit/68c40a6a494029d8d704b14abbe85171a7dc8d12))
+* support multiple `aud` for the external providers ([#2117](https://github.com/supabase/auth/issues/2117)) ([ca5792e](https://github.com/supabase/auth/commit/ca5792e41a48f20a395646015c28ce272355bf63))
+* use `slices.Contains` instead of for loops ([#2111](https://github.com/supabase/auth/issues/2111)) ([9f22682](https://github.com/supabase/auth/commit/9f2268263118713d3390ce4617ccf21bc2c031eb))
+
+
+### Bug Fixes
+
+* add `id-token` permission to ci ([#2143](https://github.com/supabase/auth/issues/2143)) ([79209c0](https://github.com/supabase/auth/commit/79209c0e35afa82ec8822a343108d6a690e14229))
+* add missing param ([#2125](https://github.com/supabase/auth/issues/2125)) ([c0b75f6](https://github.com/supabase/auth/commit/c0b75f66229410e6e5fbc7cd1ae9066cec54c5d7))
+* change s3 artifact upload role ([#2145](https://github.com/supabase/auth/issues/2145)) ([767e371](https://github.com/supabase/auth/commit/767e37131aa01bf6cb27dbc62b2928e7cc701893))
+* remove requirement of empty content-type on 204 ([#2128](https://github.com/supabase/auth/issues/2128)) ([ecc97e0](https://github.com/supabase/auth/commit/ecc97e0fac7cb1bd736ef6db435a0a5fb224e954))
+* run release-please again ([#2144](https://github.com/supabase/auth/issues/2144)) ([2560f14](https://github.com/supabase/auth/commit/2560f14ef6ee35f84b7c592290647e0d1c8a3932))
+* stripped binary now includes version ([#2147](https://github.com/supabase/auth/issues/2147)) ([609f169](https://github.com/supabase/auth/commit/609f169f505a1f5750fbbf5e9d477cfb4d879eff))
+* update copyright year in LICENSE ([#2142](https://github.com/supabase/auth/issues/2142)) ([67fe0b0](https://github.com/supabase/auth/commit/67fe0b0230b147048dc2b9f546df72af5b3bc362))
+
 ## [2.178.0](https://github.com/supabase/auth/compare/v2.177.0...v2.178.0) (2025-08-05)
 
 
 
@@ -122,7 +122,7 @@ docker-compose -f docker-compose-dev.yml build postgres
 docker-compose -f docker-compose-dev.yml up postgres
 ```
 
-You should then see in Docker that `auth_postgresql` is running on `port: 5432`.
+You should then see in Docker that `auth-postgres-1` is running on `port: 5432`.
 
 > **Important** If you happen to already have a local running instance of Postgres running on the port `5432` because you
 > may have installed via [homebrew on macOS](https://formulae.brew.sh/formula/postgresql) then be certain to stop the process using:
@@ -461,17 +461,12 @@ export GOTRUE_DB_DATABASE_URL="postgres://supabase_auth_admin:root@localhost:743
 
 ## Helpful Docker Commands
 
-```
-// file: docker-compose-dev.yml
-container_name: auth_postgres
-```
-
 ```zsh
 # Command line into bash on the PostgreSQL container
-docker exec -it auth_postgres bash
+docker exec -it auth-postgres-1 bash
 
 # Removes Container
-docker container rm -f auth_postgres
+docker container rm -f auth-postgres-1
 
 # Removes volume
 docker volume rm postgres_data
 
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Supabase <[email protected]>
+Copyright (c) 2021-2025 Supabase <[email protected]>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 
@@ -1,11 +1,14 @@
 .PHONY: all build deps dev-deps image migrate test vet sec format unused
 CHECK_FILES?=./...
 
-FLAGS=-ldflags "-X github.com/supabase/auth/internal/utilities.Version=`git describe --tags`" -buildvcs=false
 ifdef RELEASE_VERSION
-	FLAGS=-ldflags "-X github.com/supabase/auth/internal/utilities.Version=v$(RELEASE_VERSION)" -buildvcs=false
+	VERSION=v$(RELEASE_VERSION)
+else
+	VERSION=$(shell git describe --tags)
 endif
 
+FLAGS=-ldflags "-X github.com/supabase/auth/internal/utilities.Version=$(VERSION)" -buildvcs=false
+
 ifneq ($(shell docker compose version 2>/dev/null),)
   DOCKER_COMPOSE=docker compose
 else
@@ -23,6 +26,13 @@ build: deps ## Build the binary.
 	CGO_ENABLED=0 go build $(FLAGS)
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(FLAGS) -o auth-arm64
 
+build-strip: deps ## Build a stripped binary, for which the version file needs to be rewritten.
+	echo "package utilities" > internal/utilities/version.go
+	echo "const Version = \"$(VERSION)\"" >> internal/utilities/version.go
+
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build \
+		$(FLAGS) -ldflags "-s -w" -o auth-arm64-strip
+
 dev-deps: ## Install developer dependencies
 	@go install github.com/gobuffalo/pop/soda@latest
 	@go install github.com/securego/gosec/v2/cmd/gosec@latest
 
@@ -43,7 +43,7 @@ Create a `.env.docker` file to store your own custom env vars. See [`example.doc
 
 1. `make build`
 2. `make dev`
-3. `docker ps` should show 2 docker containers (`auth_postgresql` and `gotrue_gotrue`)
+3. `docker ps` should show 2 docker containers (`auth-auth-1` and `auth-postgres-1`)
 4. That's it! Visit the [health checkendpoint](http://localhost:9999/health) to confirm that auth is running.
 
 ## Running in production
 
@@ -66,7 +66,7 @@ func adminCreateUser(config *conf.GlobalConfiguration, args []string) {
 	defer db.Close()
 
 	aud := getAudience(config)
-	if user, err := models.IsDuplicatedEmail(db, args[0], aud, nil); user != nil {
+	if user, err := models.IsDuplicatedEmail(db, args[0], aud, nil, config.Experimental.ProvidersWithOwnLinkingDomain); user != nil {
 		logrus.Fatalf("Error creating new user: user already exists")
 	} else if err != nil {
 		logrus.Fatalf("Error checking user email: %+v", err)
 
@@ -53,13 +53,17 @@ func serve(ctx context.Context) {
 	opts := []api.Option{
 		api.NewLimiterOptions(config),
 	}
-	a := api.NewAPIWithVersion(config, db, utilities.Version, opts...)
-	ah := reloader.NewAtomicHandler(a)
-	logrus.WithField("version", a.Version()).Infof("GoTrue API started on: %s", addr)
 
 	baseCtx, baseCancel := context.WithCancel(context.Background())
 	defer baseCancel()
 
+	var wg sync.WaitGroup
+	defer wg.Wait() // Do not return to caller until this goroutine is done.
+
+	a := api.NewAPIWithVersion(config, db, utilities.Version, opts...)
+	ah := reloader.NewAtomicHandler(a)
+	logrus.WithField("version", a.Version()).Infof("GoTrue API started on: %s", addr)
+
 	httpSrv := &http.Server{
 		Addr:              addr,
 		Handler:           ah,
@@ -70,9 +74,6 @@ func serve(ctx context.Context) {
 	}
 	log := logrus.WithField("component", "api")
 
-	var wg sync.WaitGroup
-	defer wg.Wait() // Do not return to caller until this goroutine is done.
-
 	if watchDir != "" {
 		wg.Add(1)
 		go func() {
@@ -98,7 +99,10 @@ func serve(ctx context.Context) {
 
 		<-ctx.Done()
 
-		defer baseCancel() // close baseContext
+		// This must be done after httpSrv exits, otherwise you may potentially
+		// have 1 or more inflight http requests blocked until the shutdownCtx
+		// is canceled.
+		defer baseCancel()
 
 		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), time.Minute)
 		defer shutdownCancel()
 
@@ -1,7 +1,5 @@
-version: "3.9"
 services:
   auth:
-    container_name: auth
     depends_on:
       - postgres
     build:
@@ -19,7 +17,6 @@ services:
     build:
       context: .
       dockerfile: Dockerfile.postgres.dev
-    container_name: auth_postgres
     ports:
       - '5432:5432'
     volumes: