Merge branch 'develop' into jpa

Author: jpargudo

pkg/config/auth.go

@@ -552,6 +552,57 @@ func TestEmailDiff(t *testing.T) {
 					Content: cast.Ptr("reauthentication-content"),
 				},
 			},
+			Notification: map[string]notification{
+				"password_changed": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("password-changed-subject"),
+						Content: cast.Ptr("password-changed-content"),
+					},
+				},
+				"email_changed": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("email-changed-subject"),
+						Content: cast.Ptr("email-changed-content"),
+					},
+				},
+				"phone_changed": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("phone-changed-subject"),
+						Content: cast.Ptr("phone-changed-content"),
+					},
+				},
+				"identity_linked": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("identity-linked-subject"),
+						Content: cast.Ptr("identity-linked-content"),
+					},
+				},
+				"identity_unlinked": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("identity-unlinked-subject"),
+						Content: cast.Ptr("identity-unlinked-content"),
+					},
+				},
+				"mfa_factor_enrolled": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("mfa-enrolled-subject"),
+						Content: cast.Ptr("mfa-enrolled-content"),
+					},
+				},
+				"mfa_factor_unenrolled": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("mfa-unenrolled-subject"),
+						Content: cast.Ptr("mfa-unenrolled-content"),
+					},
+				},
+			},
 			Smtp: &smtp{
 				Enabled: true,
 				Host:    "smtp.sendgrid.net",
@@ -596,6 +647,28 @@ func TestEmailDiff(t *testing.T) {
 			MailerTemplatesEmailChangeContent:      nullable.NewNullableWithValue("email-change-content"),
 			MailerSubjectsReauthentication:         nullable.NewNullableWithValue("reauthentication-subject"),
 			MailerTemplatesReauthenticationContent: nullable.NewNullableWithValue("reauthentication-content"),
+			// Notifications
+			MailerNotificationsPasswordChangedEnabled:             nullable.NewNullableWithValue(true),
+			MailerSubjectsPasswordChangedNotification:             nullable.NewNullableWithValue("password-changed-subject"),
+			MailerTemplatesPasswordChangedNotificationContent:     nullable.NewNullableWithValue("password-changed-content"),
+			MailerNotificationsEmailChangedEnabled:                nullable.NewNullableWithValue(true),
+			MailerSubjectsEmailChangedNotification:                nullable.NewNullableWithValue("email-changed-subject"),
+			MailerTemplatesEmailChangedNotificationContent:        nullable.NewNullableWithValue("email-changed-content"),
+			MailerNotificationsPhoneChangedEnabled:                nullable.NewNullableWithValue(true),
+			MailerSubjectsPhoneChangedNotification:                nullable.NewNullableWithValue("phone-changed-subject"),
+			MailerTemplatesPhoneChangedNotificationContent:        nullable.NewNullableWithValue("phone-changed-content"),
+			MailerNotificationsIdentityLinkedEnabled:              nullable.NewNullableWithValue(true),
+			MailerSubjectsIdentityLinkedNotification:              nullable.NewNullableWithValue("identity-linked-subject"),
+			MailerTemplatesIdentityLinkedNotificationContent:      nullable.NewNullableWithValue("identity-linked-content"),
+			MailerNotificationsIdentityUnlinkedEnabled:            nullable.NewNullableWithValue(true),
+			MailerSubjectsIdentityUnlinkedNotification:            nullable.NewNullableWithValue("identity-unlinked-subject"),
+			MailerTemplatesIdentityUnlinkedNotificationContent:    nullable.NewNullableWithValue("identity-unlinked-content"),
+			MailerNotificationsMfaFactorEnrolledEnabled:           nullable.NewNullableWithValue(true),
+			MailerSubjectsMfaFactorEnrolledNotification:           nullable.NewNullableWithValue("mfa-enrolled-subject"),
+			MailerTemplatesMfaFactorEnrolledNotificationContent:   nullable.NewNullableWithValue("mfa-enrolled-content"),
+			MailerNotificationsMfaFactorUnenrolledEnabled:         nullable.NewNullableWithValue(true),
+			MailerSubjectsMfaFactorUnenrolledNotification:         nullable.NewNullableWithValue("mfa-unenrolled-subject"),
+			MailerTemplatesMfaFactorUnenrolledNotificationContent: nullable.NewNullableWithValue("mfa-unenrolled-content"),
 		})
 		// Check error
 		assert.NoError(t, err)
@@ -633,6 +706,45 @@ func TestEmailDiff(t *testing.T) {
 					Content: cast.Ptr(""),
 				},
 			},
+			Notification: map[string]notification{
+				"password_changed": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("password-changed-subject"),
+						Content: cast.Ptr("password-changed-content"),
+					},
+				},
+				"email_changed": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("email-changed-subject"),
+						Content: cast.Ptr("email-changed-content"),
+					},
+				},
+				"phone_changed": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("phone-changed-subject"),
+						Content: cast.Ptr("phone-changed-content"),
+					},
+				},
+				"identity_linked": {
+					Enabled: true,
+					emailTemplate: emailTemplate{
+						Subject: cast.Ptr("identity-linked-subject"),
+						Content: cast.Ptr("identity-linked-content"),
+					},
+				},
+				"identity_unlinked": {
+					Enabled: true,
+				},
+				"mfa_factor_enrolled": {
+					Enabled: true,
+				},
+				"mfa_factor_unenrolled": {
+					Enabled: true,
+				},
+			},
 			Smtp: &smtp{
 				Enabled: true,
 				Host:    "smtp.sendgrid.net",
@@ -663,6 +775,21 @@ func TestEmailDiff(t *testing.T) {
 			MailerSubjectsRecovery:             nullable.NewNullableWithValue("recovery-subject"),
 			MailerSubjectsMagicLink:            nullable.NewNullableWithValue("magic-link-subject"),
 			MailerTemplatesEmailChangeContent:  nullable.NewNullableWithValue("email-change-content"),
+			// Notifications
+			MailerNotificationsPasswordChangedEnabled:          nullable.NewNullableWithValue(false),
+			MailerSubjectsPasswordChangedNotification:          nullable.NewNullableWithValue("password-changed-subject"),
+			MailerTemplatesPasswordChangedNotificationContent:  nullable.NewNullableWithValue("password-changed-content"),
+			MailerNotificationsEmailChangedEnabled:             nullable.NewNullableWithValue(false),
+			MailerSubjectsEmailChangedNotification:             nullable.NewNullableWithValue("email-changed-subject"),
+			MailerNotificationsPhoneChangedEnabled:             nullable.NewNullableWithValue(false),
+			MailerTemplatesPhoneChangedNotificationContent:     nullable.NewNullableWithValue("phone-changed-content"),
+			MailerNotificationsIdentityLinkedEnabled:           nullable.NewNullableWithValue(false),
+			MailerNotificationsIdentityUnlinkedEnabled:         nullable.NewNullableWithValue(false),
+			MailerSubjectsIdentityUnlinkedNotification:         nullable.NewNullableWithValue("identity-unlinked-subject"),
+			MailerTemplatesIdentityUnlinkedNotificationContent: nullable.NewNullableWithValue("identity-unlinked-content"),
+			MailerNotificationsMfaFactorEnrolledEnabled:        nullable.NewNullableWithValue(false),
+			MailerSubjectsMfaFactorEnrolledNotification:        nullable.NewNullableWithValue("mfa-enrolled-subject"),
+			MailerNotificationsMfaFactorUnenrolledEnabled:      nullable.NewNullableWithValue(false),
 		})
 		// Check error
 		assert.NoError(t, err)
@@ -681,6 +808,15 @@ func TestEmailDiff(t *testing.T) {
 				"email_change":     {},
 				"reauthentication": {},
 			},
+			Notification: map[string]notification{
+				"password_changed":      {},
+				"email_changed":         {},
+				"phone_changed":         {},
+				"identity_linked":       {},
+				"identity_unlinked":     {},
+				"mfa_factor_enrolled":   {},
+				"mfa_factor_unenrolled": {},
+			},
 			MaxFrequency: time.Minute,
 			OtpLength:    8,
 			OtpExpiry:    86400,
@@ -713,6 +849,24 @@ func TestEmailDiff(t *testing.T) {
 			MailerTemplatesEmailChangeContent:      nullable.NewNullableWithValue("email-change-content"),
 			MailerSubjectsReauthentication:         nullable.NewNullableWithValue("reauthentication-subject"),
 			MailerTemplatesReauthenticationContent: nullable.NewNullableWithValue("reauthentication-content"),
+			// Notifications
+			MailerNotificationsPasswordChangedEnabled:             nullable.NewNullableWithValue(true),
+			MailerSubjectsPasswordChangedNotification:             nullable.NewNullableWithValue("password-changed-subject"),
+			MailerTemplatesPasswordChangedNotificationContent:     nullable.NewNullableWithValue("password-changed-content"),
+			MailerNotificationsEmailChangedEnabled:                nullable.NewNullableWithValue(true),
+			MailerSubjectsEmailChangedNotification:                nullable.NewNullableWithValue("email-changed-subject"),
+			MailerNotificationsPhoneChangedEnabled:                nullable.NewNullableWithValue(true),
+			MailerTemplatesPhoneChangedNotificationContent:        nullable.NewNullableWithValue("phone-changed-content"),
+			MailerNotificationsIdentityLinkedEnabled:              nullable.NewNullableWithValue(true),
+			MailerNotificationsIdentityUnlinkedEnabled:            nullable.NewNullableWithValue(true),
+			MailerSubjectsIdentityUnlinkedNotification:            nullable.NewNullableWithValue("identity-unlinked-subject"),
+			MailerTemplatesIdentityUnlinkedNotificationContent:    nullable.NewNullableWithValue("identity-unlinked-content"),
+			MailerNotificationsMfaFactorEnrolledEnabled:           nullable.NewNullableWithValue(true),
+			MailerSubjectsMfaFactorEnrolledNotification:           nullable.NewNullableWithValue("mfa-enrolled-subject"),
+			MailerTemplatesMfaFactorEnrolledNotificationContent:   nullable.NewNullableWithValue("mfa-enrolled-content"),
+			MailerNotificationsMfaFactorUnenrolledEnabled:         nullable.NewNullableWithValue(true),
+			MailerSubjectsMfaFactorUnenrolledNotification:         nullable.NewNullableWithValue("mfa-unenrolled-subject"),
+			MailerTemplatesMfaFactorUnenrolledNotificationContent: nullable.NewNullableWithValue("mfa-unenrolled-content"),
 		})
 		// Check error
 		assert.NoError(t, err)
@@ -731,6 +885,15 @@ func TestEmailDiff(t *testing.T) {
 				"email_change":     {},
 				"reauthentication": {},
 			},
+			Notification: map[string]notification{
+				"password_changed":      {},
+				"email_changed":         {},
+				"phone_changed":         {},
+				"identity_linked":       {},
+				"identity_unlinked":     {},
+				"mfa_factor_enrolled":   {},
+				"mfa_factor_unenrolled": {},
+			},
 			Smtp: &smtp{
 				Enabled: false,
 				Host:    "smtp.sendgrid.net",

pkg/config/auth_test.go

@@ -259,6 +259,7 @@ func (a *auth) Clone() auth {
 		copy.Email.Smtp = &mailer
 	}
 	copy.Email.Template = maps.Clone(a.Email.Template)
+	copy.Email.Notification = maps.Clone(a.Email.Notification)
 	if a.Hook.MFAVerificationAttempt != nil {
 		hook := *a.Hook.MFAVerificationAttempt
 		copy.Hook.MFAVerificationAttempt = &hook
@@ -372,7 +373,8 @@ func NewConfig(editors ...ConfigEditor) config {
 		Auth: auth{
 			Image: Images.Gotrue,
 			Email: email{
-				Template: map[string]emailTemplate{},
+				Template:     map[string]emailTemplate{},
+				Notification: map[string]notification{},
 			},
 			Sms: sms{
 				TestOTP: map[string]string{},
@@ -673,6 +675,12 @@ func (c *baseConfig) resolve(builder pathBuilder, fsys fs.FS) error {
 		}
 		c.Auth.Email.Template[name] = tmpl
 	}
+	for name, tmpl := range c.Auth.Email.Notification {
+		if len(tmpl.ContentPath) > 0 && !filepath.IsAbs(tmpl.ContentPath) {
+			tmpl.ContentPath = filepath.Join(builder.SupabaseDirPath, tmpl.ContentPath)
+		}
+		c.Auth.Email.Notification[name] = tmpl
+	}
 	// Update fallback configs
 	for name, bucket := range c.Storage.Buckets {
 		if bucket.FileSizeLimit == 0 {
@@ -1026,17 +1034,34 @@ func (e *email) validate(fsys fs.FS) (err error) {
 	for name, tmpl := range e.Template {
 		if len(tmpl.ContentPath) == 0 {
 			if tmpl.Content != nil {
-				return errors.Errorf("Invalid config for auth.email.%s.content: please use content_path instead", name)
+				return errors.Errorf("Invalid config for auth.email.template.%s.content: please use content_path instead", name)
 			}
 			continue
 		}
 		if content, err := fs.ReadFile(fsys, tmpl.ContentPath); err != nil {
-			return errors.Errorf("Invalid config for auth.email.%s.content_path: %w", name, err)
+			return errors.Errorf("Invalid config for auth.email.template.%s.content_path: %w", name, err)
 		} else {
 			tmpl.Content = cast.Ptr(string(content))
 		}
 		e.Template[name] = tmpl
 	}
+	for name, tmpl := range e.Notification {
+		if !tmpl.Enabled {
+			continue
+		}
+		if len(tmpl.ContentPath) == 0 {
+			if tmpl.Content != nil {
+				return errors.Errorf("Invalid config for auth.email.notification.%s.content: please use content_path instead", name)
+			}
+			continue
+		}
+		if content, err := fs.ReadFile(fsys, tmpl.ContentPath); err != nil {
+			return errors.Errorf("Invalid config for auth.email.notification.%s.content_path: %w", name, err)
+		} else {
+			tmpl.Content = cast.Ptr(string(content))
+		}
+		e.Notification[name] = tmpl
+	}
 	if e.Smtp != nil && e.Smtp.Enabled {
 		if len(e.Smtp.Host) == 0 {
 			return errors.New("Missing required field in config: auth.email.smtp.host")

pkg/config/config.go

@@ -7,13 +7,13 @@ FROM postgrest/postgrest:v13.0.7 AS postgrest
 FROM supabase/postgres-meta:v0.93.1 AS pgmeta
 FROM supabase/studio:2025.11.03-sha-ddedae5 AS studio
 FROM darthsim/imgproxy:v3.8.0 AS imgproxy
-FROM supabase/edge-runtime:v1.69.20 AS edgeruntime
+FROM supabase/edge-runtime:v1.69.21 AS edgeruntime
 FROM timberio/vector:0.28.1-alpine AS vector
 FROM supabase/supavisor:2.7.4 AS supavisor
-FROM supabase/gotrue:v2.180.0 AS gotrue
-FROM supabase/realtime:v2.60.0 AS realtime
+FROM supabase/gotrue:v2.181.0 AS gotrue
+FROM supabase/realtime:v2.61.0 AS realtime
 FROM supabase/storage-api:v1.28.5 AS storage
-FROM supabase/logflare:1.23.3 AS logflare
+FROM supabase/logflare:1.22.6 AS logflare
 # Append to JobImages when adding new dependencies below
 FROM supabase/pgadmin-schema-diff:cli-0.0.5 AS differ
 FROM supabase/migra:3.0.1663481299 AS migra

pkg/config/templates/Dockerfile

@@ -200,6 +200,12 @@ otp_expiry = 3600
 # subject = "You have been invited"
 # content_path = "./supabase/templates/invite.html"
 
+# Uncomment to customize notification email template
+# [auth.email.notification.password_changed]
+# enabled = true
+# subject = "Your password has been changed"
+# content_path = "./templates/password_changed_notification.html"
+
 [auth.sms]
 # Allow/disallow new user signups via SMS to your project.
 enable_signup = false

pkg/config/templates/config.toml

@@ -1,7 +1,7 @@
 diff remote[auth] local[auth]
 --- remote[auth]
 +++ local[auth]
-@@ -44,13 +44,13 @@
+@@ -47,13 +47,13 @@
  inactivity_timeout = "0s"
 
  [email]
@@ -22,3 +22,36 @@ diff remote[auth] local[auth]
  [email.template]
  [email.template.confirmation]
  content_path = ""
+@@ -69,25 +69,25 @@
+ content_path = ""
+ [email.notification]
+ [email.notification.email_changed]
+-enabled = true
++enabled = false
+ content_path = ""
+ [email.notification.identity_linked]
+-enabled = true
++enabled = false
+ content_path = ""
+ [email.notification.identity_unlinked]
+-enabled = true
++enabled = false
+ content_path = ""
+ [email.notification.mfa_factor_enrolled]
+-enabled = true
++enabled = false
+ content_path = ""
+ [email.notification.mfa_factor_unenrolled]
+-enabled = true
++enabled = false
+ content_path = ""
+ [email.notification.password_changed]
+-enabled = true
++enabled = false
+ content_path = ""
+ [email.notification.phone_changed]
+-enabled = true
++enabled = false
+ content_path = ""
+ 
+ [sms]