refactor: encode auth external url explicitly#5092
Merged
Conversation
Coverage Report for CI Build 25065367127Coverage decreased (-0.02%) to 63.734%Details
Uncovered Changes
Coverage Regressions5 previously-covered lines in 1 file lost coverage.
Coverage Stats
💛 - Coveralls |
…pdates (#5108) Bumps the actions-major group with 4 updates in the / directory: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata), [t1m0thyj/unlock-keyring](https://github.com/t1m0thyj/unlock-keyring), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/setup-node](https://github.com/actions/setup-node). Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@ffa630c...25dd0e3) Updates `t1m0thyj/unlock-keyring` from 1.1.0 to 1.2.0 - [Release notes](https://github.com/t1m0thyj/unlock-keyring/releases) - [Commits](t1m0thyj/unlock-keyring@728cc71...cbcf205) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@ec59f47...e24998b) Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@53b8394...48b55a0) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: t1m0thyj/unlock-keyring dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: goreleaser/goreleaser-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com>
…dates (#5079) * fix(docker): bump the docker-minor group across 1 directory with 6 updates Bumps the docker-minor group with 6 updates in the /pkg/config/templates directory: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.9` | | supabase/studio | `2026.04.08-sha-205cbe7` | `2026.04.13-sha-e95f1cc` | | supabase/edge-runtime | `v1.73.3` | `v1.73.5` | | supabase/realtime | `v2.82.0` | `v2.83.1` | | supabase/storage-api | `v1.48.28` | `v1.51.0` | | supabase/logflare | `1.37.1` | `1.38.2` | Updates `postgrest/postgrest` from v14.8 to v14.9 Updates `supabase/studio` from 2026.04.08-sha-205cbe7 to 2026.04.13-sha-e95f1cc Updates `supabase/edge-runtime` from v1.73.3 to v1.73.5 Updates `supabase/realtime` from v2.82.0 to v2.83.1 Updates `supabase/storage-api` from v1.48.28 to v1.51.0 Updates `supabase/logflare` from 1.37.1 to 1.38.2 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.9 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.13-sha-e95f1cc dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.5 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.83.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.51.0 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Downgrade postgrest version from 14.9 to 14.8 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com>
…#5111) chore(workflows): enable install scripts for supabase package in Yarn Berry setup This change sets the YARN_ENABLE_SCRIPTS environment variable to true during the installation of the supabase package, allowing its postinstall script to run as required by Yarn Berry 4.14+. This adjustment ensures the necessary binary is fetched correctly.
…h 6 updates (#5113) fix(docker): bump the docker-minor group Bumps the docker-minor group in /pkg/config/templates with 6 updates: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.10` | | supabase/studio | `2026.04.13-sha-e95f1cc` | `2026.04.20-sha-b721a2d` | | supabase/edge-runtime | `v1.73.5` | `v1.73.13` | | supabase/realtime | `v2.83.1` | `v2.86.3` | | supabase/storage-api | `v1.51.0` | `v1.54.1` | | supabase/logflare | `1.38.2` | `1.39.1` | Updates `postgrest/postgrest` from v14.8 to v14.10 Updates `supabase/studio` from 2026.04.13-sha-e95f1cc to 2026.04.20-sha-b721a2d Updates `supabase/edge-runtime` from v1.73.5 to v1.73.13 Updates `supabase/realtime` from v2.83.1 to v2.86.3 Updates `supabase/storage-api` from v1.51.0 to v1.54.1 Updates `supabase/logflare` from 1.38.2 to 1.39.1 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.10 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.20-sha-b721a2d dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.13 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.86.3 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.54.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com>
Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com>
fix: honor pinned storage version offline Remove the version comparison that only pinned storage when the local version was newer than the default. This prevented `supabase start` from using an already-downloaded image offline, since Docker would still try to pull the default newer image. Fixes CLI-1393. Co-authored-by: Claude <noreply@anthropic.com>
…rocess (#5120) - Updated the `runDeclarativeSync` function to avoid wrapping SQL output with `utils.Bold`, preventing excessive whitespace in multi-line SQL. - Changed the result accumulation in `migra.ts` from string concatenation to an array for better performance and clarity. - Enhanced the `ApplyResult` struct to include `ValidationErrors` and `Diagnostics`, allowing for more detailed error reporting. - Modified the `formatApplyFailure` function to include validation errors and diagnostics in the output, improving user feedback on apply failures. - Added tests for validation error handling in `apply_test.go` to ensure robustness against various error scenarios.
…#5126) The `db_logs` transform aborts with `expected string, got null` in `upcase!()` when `parse_regex` matches an event message but the `level` named group resolves to null. The fallback branch only covers regex failure (`err != null || parsed == null`), leaving a third path where the match succeeds but the capture is null. That path overwrites the would-be fallback with null and crashes on upcase. Observed under routine local dev load (Next.js dev server issuing service-role Postgres queries): 3,000+ aborted transforms in two minutes, cascading into Vector retry storms and Logflare `ErlSysMon` message-queue backpressure. Extend the fallback condition to also fire when `parsed.level` is null, and guard the assignment in the match branch, so `error_severity` always has a non-null string before `upcase!`. Co-authored-by: rebasecase <rebasecase@localhost>
Prod deploy (#5109) * fix(pg-delta): declarative-sync-no-declarative-dir-set (#5078) * feat(declarative): add tests for skipping config updates when PgDelta is enabled - These tests verify that the configuration remains unchanged when PgDelta is enabled, ensuring the declarative directory is the source of truth. - Updated the WriteDeclarativeSchemas function to reflect the new behavior regarding PgDelta configuration. * fix(declarative): DSL change due to upgrade * feat(auth): add support for configuring passkeys and webauthn (#5077) * fix: atomic parser (#5064) * fix * test --------- * fix(pg-delta): declarative apply error results (#5082) * fix(pg-delta): declarative apply error results Improve readability report for decalrative appy errors wrapping * chore: upgrade pg-delta to alpha 13 * feat(telemetry): attach org/project groups to all CLI events Only ~19% of CLI events had PostHog group properties ($group_0, $group_1) because groups were only set during `supabase link`. Commands using --project-ref without linking sent events invisible to group analytics. Add EnsureProjectGroupsCached which resolves and caches project metadata (including org ID) in linked-project.json when a project ref is available. The cache is checked before every cli_command_executed event, so the API call only happens once per unique project ref. Closes GROWTH-761 * fix: address code review feedback - Guard against log.Fatalln crash: check auth token before calling GetSupabase(), and move the API call to cmd/root.go where it belongs - Don't overwrite existing linked-project.json cache — supabase link is the authoritative source, we only fill the gap when no cache exists - Fire GroupIdentify for org and project after caching, matching the link flow so PostHog has group metadata - Restructure so telemetry package has no API dependencies (pure caching + PostHog calls), making tests reliable without gock/mocks * fix: adds etl to managed schema (#5090) * chore: sync API types from infrastructure (#5093) * chore(deps): bump the actions-major group across 1 directory with 5 updates (#5088) Bumps the actions-major group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.0.0` | `3.1.1` | | [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) | `8.1.0` | `8.1.1` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.35.2` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.0.0` | `7.1.0` | Updates `actions/create-github-app-token` from 3.0.0 to 3.1.1 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@f8d387b...1b10c78) Updates `peter-evans/create-pull-request` from 8.1.0 to 8.1.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@c0f553f...5f6978f) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) Updates `github/codeql-action` from 4.35.1 to 4.35.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@c10b806...95e58e9) Updates `docker/build-push-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@d08e5c3...bcafcac) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-major - dependency-name: docker/build-push-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... * fix: functions download (#5096) * fix * test --------- * feat(db): strengthen RLS advisory message for stronger agent compliance * chore(deps): upgrade pg-delta to alpha.17 (#5110) Closes: #5094 * chore(deps): bump the actions-major group across 1 directory with 4 updates (#5108) Bumps the actions-major group with 4 updates in the / directory: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata), [t1m0thyj/unlock-keyring](https://github.com/t1m0thyj/unlock-keyring), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [actions/setup-node](https://github.com/actions/setup-node). Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@ffa630c...25dd0e3) Updates `t1m0thyj/unlock-keyring` from 1.1.0 to 1.2.0 - [Release notes](https://github.com/t1m0thyj/unlock-keyring/releases) - [Commits](t1m0thyj/unlock-keyring@728cc71...cbcf205) Updates `goreleaser/goreleaser-action` from 7.0.0 to 7.1.0 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@ec59f47...e24998b) Updates `actions/setup-node` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@53b8394...48b55a0) --- updated-dependencies: - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: t1m0thyj/unlock-keyring dependency-version: 1.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: goreleaser/goreleaser-action dependency-version: 7.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-major ... * fix(docker): bump the docker-minor group across 1 directory with 6 updates (#5079) * fix(docker): bump the docker-minor group across 1 directory with 6 updates Bumps the docker-minor group with 6 updates in the /pkg/config/templates directory: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.9` | | supabase/studio | `2026.04.08-sha-205cbe7` | `2026.04.13-sha-e95f1cc` | | supabase/edge-runtime | `v1.73.3` | `v1.73.5` | | supabase/realtime | `v2.82.0` | `v2.83.1` | | supabase/storage-api | `v1.48.28` | `v1.51.0` | | supabase/logflare | `1.37.1` | `1.38.2` | Updates `postgrest/postgrest` from v14.8 to v14.9 Updates `supabase/studio` from 2026.04.08-sha-205cbe7 to 2026.04.13-sha-e95f1cc Updates `supabase/edge-runtime` from v1.73.3 to v1.73.5 Updates `supabase/realtime` from v2.82.0 to v2.83.1 Updates `supabase/storage-api` from v1.48.28 to v1.51.0 Updates `supabase/logflare` from 1.37.1 to 1.38.2 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.9 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.13-sha-e95f1cc dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.5 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.83.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.51.0 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... * Downgrade postgrest version from 14.9 to 14.8 --------- * chore(workflows): enable install scripts for supabase package in Yarn (#5111) chore(workflows): enable install scripts for supabase package in Yarn Berry setup This change sets the YARN_ENABLE_SCRIPTS environment variable to true during the installation of the supabase package, allowing its postinstall script to run as required by Yarn Berry 4.14+. This adjustment ensures the necessary binary is fetched correctly. * feat: --diff-engine flag on db pull * fix(docker): bump the docker-minor group in /pkg/config/templates with 6 updates (#5113) fix(docker): bump the docker-minor group Bumps the docker-minor group in /pkg/config/templates with 6 updates: | Package | From | To | | --- | --- | --- | | postgrest/postgrest | `v14.8` | `v14.10` | | supabase/studio | `2026.04.13-sha-e95f1cc` | `2026.04.20-sha-b721a2d` | | supabase/edge-runtime | `v1.73.5` | `v1.73.13` | | supabase/realtime | `v2.83.1` | `v2.86.3` | | supabase/storage-api | `v1.51.0` | `v1.54.1` | | supabase/logflare | `1.38.2` | `1.39.1` | Updates `postgrest/postgrest` from v14.8 to v14.10 Updates `supabase/studio` from 2026.04.13-sha-e95f1cc to 2026.04.20-sha-b721a2d Updates `supabase/edge-runtime` from v1.73.5 to v1.73.13 Updates `supabase/realtime` from v2.83.1 to v2.86.3 Updates `supabase/storage-api` from v1.51.0 to v1.54.1 Updates `supabase/logflare` from 1.38.2 to 1.39.1 --- updated-dependencies: - dependency-name: postgrest/postgrest dependency-version: v14.10 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/studio dependency-version: 2026.04.20-sha-b721a2d dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/edge-runtime dependency-version: v1.73.13 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/realtime dependency-version: v2.86.3 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/storage-api dependency-version: v1.54.1 dependency-type: direct:production dependency-group: docker-minor - dependency-name: supabase/logflare dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: docker-minor ... * feat: exposing new api keys to functions (#4946) * chore: upgrade pg-delta to alpha.20 in multiple templates * fix: remove version comparison check for storage image updates (#5118) fix: honor pinned storage version offline Remove the version comparison that only pinned storage when the local version was newer than the default. This prevented `supabase start` from using an already-downloaded image offline, since Docker would still try to pull the default newer image. Fixes CLI-1393. * fix: improve error handling and output formatting in pg-delta apply process (#5120) - Updated the `runDeclarativeSync` function to avoid wrapping SQL output with `utils.Bold`, preventing excessive whitespace in multi-line SQL. - Changed the result accumulation in `migra.ts` from string concatenation to an array for better performance and clarity. - Enhanced the `ApplyResult` struct to include `ValidationErrors` and `Diagnostics`, allowing for more detailed error reporting. - Modified the `formatApplyFailure` function to include validation errors and diagnostics in the output, improving user feedback on apply failures. - Added tests for validation error handling in `apply_test.go` to ensure robustness against various error scenarios. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com> Co-authored-by: fadymak <dev@fadymak.com> Co-authored-by: Vaibhav <117663341+7ttp@users.noreply.github.com> Co-authored-by: Sean Oliver <882952+seanoliver@users.noreply.github.com> Co-authored-by: Han Qiao <sweatybridge@gmail.com> Co-authored-by: Julien Goux <hi@jgoux.dev> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mert YEREKAPAN <mertyerekapan@gmail.com> Co-authored-by: Mert YEREKAPAN <33198490+myerekapan@users.noreply.github.com> Co-authored-by: Kalleby Santos <105971119+kallebysantos@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>
…tive sync (#5128) * fix(windows): json unmarshal errors in telemetry and pg-delta declarative sync Three Windows-only failures, all surfacing as JSON parse errors: 1. telemetry: any field-level unmarshal error (e.g. session_last_active stored as a number) now recreates state instead of propagating, since identity fields aren't worth surfacing an error for. 2. pg-delta declarative sync: containerRef now normalises Windows path separators with filepath.ToSlash so paths like supabase\.temp\pgdelta\catalog-baseline.json resolve correctly inside the Linux edge-runtime container. 3. pg-delta export/diff: parse callers (DeclarativeExportPgDeltaRef, ExportCatalogPgDelta, pgcache.exportCatalog) now surface stderr when stdout is empty, instead of failing later with "unexpected end of JSON input". DiffPgDeltaRef intentionally still accepts empty stdout as a legitimate "no schema changes" result. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore: only run test on windows and fix lint --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
avallete
force-pushed
the
refactor--encode-auth-external-url-explicitly
branch
from
ddc1628 to
03d3544
Compare
avallete
approved these changes
Apr 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR simplifies how the CLI wires Supabase Auth / GoTrue URLs in local development so the values we pass match what upstream
supabase/authactually expects.Before this change, the CLI passed the bare API external URL as
API_EXTERNAL_URL, then separately prebuilt auth-specific URLs in several places by appending/auth/v1,/verify, and/callback. Upstream Auth already knows how to derive those paths from its external URL, so this created duplicated logic in the CLI and made the setup easier to misconfigure.This PR introduces a single canonical auth external URL, uses it consistently for GoTrue, and stops precomputing auth callback / mailer URLs that Auth can derive on its own.
What changed
1. Added
auth.external_urlA new optional config field was added:
Its purpose is to represent the public URL that Auth serves on, including the
/auth/v1prefix in the local stack.Behavior:
auth.external_urlis unset, it now defaults toapi.external_url + "/auth/v1".auth.external_urlis explicitly set, that value is preserved as-is.auth.jwt_issuerstill remains a separate explicit override and is preserved as-is when set.2. GoTrue now receives the auth-scoped external URL
The CLI now passes:
API_EXTERNAL_URL=<auth external url>GOTRUE_JWT_ISSUER=<auth.jwt_issuer>instead of using the bare API external URL for
API_EXTERNAL_URL.This matches upstream
supabase/authbehavior more closely, where:API_EXTERNAL_URLis the public base URL GoTrue thinks it lives atAPI_EXTERNAL_URL + "/callback"API_EXTERNAL_URLplus configured relative pathsAPI_EXTERNAL_URLThis change was applied both to the long-running GoTrue container and the auth migration job so the behavior stays consistent.
3. Stopped prebuilding mailer URLs in the CLI
The CLI no longer sends fully-qualified mailer paths like:
<jwt_issuer>/verifyInstead, it now sends the relative values GoTrue expects:
/verifyfor:
GOTRUE_MAILER_URLPATHS_INVITEGOTRUE_MAILER_URLPATHS_CONFIRMATIONGOTRUE_MAILER_URLPATHS_RECOVERYGOTRUE_MAILER_URLPATHS_EMAIL_CHANGEThis lets Auth resolve them against its own external URL instead of the CLI building those URLs itself.
4. Provider redirect overrides are now opt-in only
For built-in external providers, the CLI used to always send
GOTRUE_EXTERNAL_<PROVIDER>_REDIRECT_URI, defaulting it to<jwt_issuer>/callbackwhenredirect_uriwas empty.Now:
[auth.external.<provider>].redirect_uriis explicitly set, the CLI passes it through unchangedAPI_EXTERNAL_URLThis keeps explicit user overrides working while removing duplicated default callback logic from the CLI.
5. Updated docs/comments
auth.external_urlto the generated config templatejwt_issuercomment to reflect the new defaulting behaviorredirect_uricomment for providers/auth/v1/*/verify,/callback,/authorizeWhy this helps
This reduces duplicated URL construction logic in the CLI and aligns the local stack with upstream Auth’s contract.
Benefits:
/auth/v1,/verify, and/callback/auth/v1/auth/v1auth.external_url)auth.jwt_issuer)redirect_uri)supabase/authis designed to workCompatibility / behavior notes
This PR preserves existing explicit overrides:
auth.jwt_issueris still authoritative when set[auth.external.<provider>].redirect_uriis still authoritative when seturloverrides are unchangedThis PR does not remove Kong path stripping. That remains necessary because upstream Auth still serves routes at root paths like
/verify,/callback, and/authorize, rather than under a configurable base path such as/auth/v1.Ref: supabase/auth#2477