-
Notifications
You must be signed in to change notification settings - Fork 378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: update aal requirements to update user #1766
Conversation
Pull Request Test Coverage Report for Build 10812950524Warning: This coverage report may be inaccurate.This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.
Details
💛 - Coveralls |
Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code wise I see no issues long as the logic behind the added checks is sound.
🤖 I have created a release *beep* *boop* --- ## [2.161.0](v2.160.0...v2.161.0) (2024-09-24) ### Features * add `x-sb-error-code` header, show error code in logs ([#1765](#1765)) ([ed91c59](ed91c59)) * add webauthn configuration variables ([#1773](#1773)) ([77d5897](77d5897)) * config reloading ([#1771](#1771)) ([6ee0091](6ee0091)) ### Bug Fixes * add additional information around errors for missing content type header ([#1576](#1576)) ([c2b2f96](c2b2f96)) * add token to hook payload for non-secure email change ([#1763](#1763)) ([7e472ad](7e472ad)) * update aal requirements to update user ([#1766](#1766)) ([25d9874](25d9874)) * update mfa admin methods ([#1774](#1774)) ([567ea7e](567ea7e)) * user sanitization should clean up email change info too ([#1759](#1759)) ([9d419b4](9d419b4)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This can break password reset workflows. 😓 Be sure to update your flow to elevate to AAL2 before asking the user to set their new password. |
## What kind of change does this PR introduce? If a user has verified factors (mfa enabled) we should require an AAL2 session in order to proceed with any operation We restrict phone, email, and password from updates as we consider those as sensitive fields Context: https://supabase.slack.com/archives/C02AK9166FR/p1725466764804889 --------- Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
What kind of change does this PR introduce?
If a user has verified factors (mfa enabled) we should require an AAL2 session in order to proceed with any operation
We restrict phone, email, and password from updates as we consider those as sensitive fields
Context: https://supabase.slack.com/archives/C02AK9166FR/p1725466764804889