Tags: supabase/auth
chore: improve test coverage with refactor of hooks (#1994)

- Moved http hooks to v0http with added test coverage
- Move pgfunc hooks to v0pgfunc with added test coverage
- Added tests to cover all paths in v0hooks

---------

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>
feat: fix large group claim handling in azure id tokens (#1995) Handles [large `group` claims in Azure ID tokens](https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#groups-overage-claim) by fetching them from the ([usually](https://learn.microsoft.com/en-us/graph/api/directoryobject-getmemberobjects?view=graph-rest-1.0&tabs=http)) designated Azure endpoint.
feat: use `global_user_id` over `sub` for `vercel_marketplace` issuer (#1990)

If [Vercel Marketplace](https://vercel.com/docs/integrations/create-integration/marketplace-api#user-authentication) issues an OIDC JWT with `global_user_id`, prefer that over `sub`.
chore(master): release 2.171.0 (#1972)

🤖 I have created a release *beep* *boop*

---

## [2.171.0](v2.170.0...v2.171.0) (2025-04-14)

### Features

* add sign in with solana (EIP-4361) support ([#1918](#1918)) ([d121546](d121546))
* allow invalid config directories ([#1969](#1969)) ([6b842f6](6b842f6))
* allow limiting lifespan of low-aal sessions ([#1942](#1942)) ([d7a9ca6](d7a9ca6))
* Block specific outgoing mail servers ([#1971](#1971)) ([091aef9](091aef9))
* refactor hooks out of api package ([#1976](#1976)) ([c5904c0](c5904c0))
* separate web3 rate limits from other `/token?grant_type=...` ([#1985](#1985)) ([8b23382](8b23382))

### Bug Fixes

* explicit permissions on actions ([#1978](#1978)) ([06e9ead](06e9ead))
* propagate error when confirming phone ([#1939](#1939)) ([e882b42](e882b42))
* redirects must not be to ip addresses ([#1984](#1984)) ([347e23a](347e23a))
* sanitize redirect URL (remove fragment, query) before pattern matching ([#1974](#1974)) ([ccf20d7](ccf20d7))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
feat: refactor hooks out of api package (#1976)

These changes refactor hooks out of the api package into `internal/hooks/v0hooks`. To do this we needed to move errors from `internal/api` to `internal/api/apierrors`. This required updating the `New*Error` functions and updating all existing references to errors in the `internal/api` package.

---------

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>
feat: Block specific outgoing mail servers (#1971)

## What kind of change does this PR introduce?

Feature that gives a configuration option to block an email address event if the MX server of the domain is on a blocklist.

## What is the current behavior?

Existing behavior only checks for syntax issues and single email addresses against a message stream.

## What is the new behavior?

This is called on every sent email event: the MX server of the email address's domain is queried and checked against a hard-coded blocklist.

## Additional context

Functionality to allow for the long-term blocking of bot and spam behavior.

Resolves SEC-245
fix: propagate error when confirming phone (#1939)

Propagate errors that occur when calling tx.UpdateOnly in internal/models/user.go:ConfirmPhone. Previously this line returned nil:

https://github.com/supabase/auth/blob/097f01f39fa79d5e8e4e9c399a14e14405e3a142/internal/models/user.go#L471

Meaning that the next call to ClearAllOneTimeTokensForUser was run even when the confirmation token could not be updated.

https://github.com/supabase/auth/blob/master/internal/models/one_time_token.go#L119

Co-authored-by: Chris Stockton <chris.stockton@supabase.io>