
v2.0.3

@olivermrbl olivermrbl released this 11 Nov 10:21
· 417 commits to develop since this release
5c22c57

Highlights

Replaced email with sub for Google entity ID

The Google authentication provider incorrectly used the account's email address as the entity_id. That is a problem when a Google account has more than one email address attached to it, because the same account can then resolve to different identities depending on which address the callback returns. This release switches the provider to the sub claim, Google's stable, globally unique subject identifier for the account.

If you have been using the Google authentication provider, the easiest way to migrate existing data is to hot patch @medusajs/auth-google with patch-package (https://www.npmjs.com/package/patch-package) so that, when the callback is validated, the existing identity is looked up by both the email and the sub, but only the sub is ever written as entity_id. Rows still keyed by email are rewritten to the sub the next time that user signs in.

See this PR for more.
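The dual-lookup migration described above, as an added example that is not code from the Medusa project or from @medusajs/auth-google. It runs against a constructed in-memory identity store; the record shape (provider, entity_id, user_metadata), the IdentityStore class and the resolveGoogleIdentity function are assumptions for illustration. Lookup order is sub first, then the legacy email key, and only the sub is ever written. The email fallback is additionally gated on the email_verified claim that Google ID tokens carry, so an unverified address can never claim a legacy row.

```typescript
// Added example (not Medusa's own code). Field names and the store are
// assumptions; the point is the lookup/write discipline, not the schema.
export type GoogleClaims = {
  sub: string;              // stable, unique per Google account
  email?: string;
  email_verified?: boolean; // present in Google ID tokens
  name?: string;
};

export type ProviderIdentity = {
  provider: "google";
  entity_id: string; // legacy rows hold an email here, migrated rows hold the sub
  user_metadata: Record<string, unknown>;
};

// Minimal in-memory stand-in for the identity table (constructed for the example).
export class IdentityStore {
  private rows: ProviderIdentity[];

  constructor(seed: ProviderIdentity[] = []) {
    this.rows = seed.map((r) => ({ ...r, user_metadata: { ...r.user_metadata } }));
  }

  // Returns the live row so the caller can migrate it in place.
  findByEntityId(entity_id: string): ProviderIdentity | undefined {
    return this.rows.find((r) => r.provider === "google" && r.entity_id === entity_id);
  }

  insert(row: ProviderIdentity): ProviderIdentity {
    this.rows.push(row);
    return row;
  }

  all(): ProviderIdentity[] {
    return this.rows.map((r) => ({ ...r }));
  }
}

// Resolve the provider identity for an already-verified Google callback.
// Read by sub, then by legacy email; write only the sub.
export function resolveGoogleIdentity(store: IdentityStore, claims: GoogleClaims): ProviderIdentity {
  if (!claims.sub) throw new Error("Google ID token has no sub claim");

  // 1. Migrated (or new-style) row keyed by sub.
  const bySub = store.findByEntityId(claims.sub);
  if (bySub) return bySub;

  // 2. Legacy row keyed by email: only trust a Google-verified address,
  //    then rewrite the key to the sub so the row is never matched by email again.
  if (claims.email && claims.email_verified === true) {
    const legacy = store.findByEntityId(claims.email);
    if (legacy) {
      legacy.entity_id = claims.sub;
      legacy.user_metadata = { ...legacy.user_metadata, email: claims.email };
      return legacy;
    }
  }

  // 3. First login for this account: create the row keyed by sub from the start.
  return store.insert({
    provider: "google",
    entity_id: claims.sub,
    user_metadata: { email: claims.email ?? null, name: claims.name ?? null },
  });
}
```

Once every legacy user has signed in once, no row is keyed by email any more and the email branch can be deleted, which is the point at which the hot patch is no longer needed.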

Patched security issue

This release contains an important security fix for the email-password authentication provider. Please update your project as soon as possible.

The security issue was found in the password reset flow when using the email-password authentication provider. By obtaining a password reset token, it was possible to update the provider_metadata of other users’ provider identities by including a specific payload in the password reset request. To minimize risk to affected users, we will not disclose the structure of the payload.
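The release does not describe the payload or the fix, and the following does not attempt to reconstruct either. It is an added example, not Medusa's code, of the three checks a password reset handler needs so that a reset token can only ever change the password hash of the one identity it was issued for: the request body is validated against a strict allow-list instead of being merged into the stored record, the target identity is taken from the verified token rather than from anything the client sends, and the token is signed, expiring and single-use. The identity shape (entity_id, password_hash, provider_metadata), the token format and every function name are assumptions for illustration.

```typescript
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Constructed model of an email-password provider identity (assumed shape,
// not the internals of the Medusa email-password provider).
export type EmailPassIdentity = {
  entity_id: string;                          // the login email
  password_hash: string;                      // "salt:scrypt-hex"
  provider_metadata: Record<string, unknown>; // holds the pending reset nonce
};

// Only these body fields are ever read; anything else is rejected, not merged.
const ALLOWED_FIELDS = new Set(["token", "password"]);
const b64 = (b: Buffer): string => b.toString("base64url");

export function hashPassword(password: string): string {
  const salt = randomBytes(16).toString("hex");
  return `${salt}:${scryptSync(password, salt, 32).toString("hex")}`;
}

export function verifyPassword(password: string, stored: string): boolean {
  const [salt, hex] = stored.split(":");
  const expected = Buffer.from(hex, "hex");
  const candidate = scryptSync(password, salt, 32);
  return candidate.length === expected.length && timingSafeEqual(candidate, expected);
}

// Issue a signed, expiring token bound to one identity. The nonce is stored on
// the identity, so issuing a new token or completing a reset invalidates old ones.
// Token format (assumed): base64url(JSON claims) "." base64url(HMAC-SHA256).
export function issueResetToken(identity: EmailPassIdentity, secret: string, ttlSeconds: number, now = Date.now()): string {
  const nonce = b64(randomBytes(16));
  identity.provider_metadata = { ...identity.provider_metadata, reset_nonce: nonce };
  const claims = { entity_id: identity.entity_id, nonce, exp: now + ttlSeconds * 1000 };
  const payload = b64(Buffer.from(JSON.stringify(claims)));
  const mac = b64(createHmac("sha256", secret).update(payload).digest());
  return `${payload}.${mac}`;
}

// Verify signature (constant-time) and expiry; return the bound identity and nonce.
function verifyResetToken(token: string, secret: string, now: number): { entity_id: string; nonce: string } | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = createHmac("sha256", secret).update(payload).digest();
  const given = Buffer.from(mac, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: { entity_id?: unknown; nonce?: unknown; exp?: unknown };
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.entity_id !== "string" || typeof claims.nonce !== "string") return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return { entity_id: claims.entity_id, nonce: claims.nonce };
}

export type ResetResult = { ok: true; entity_id: string } | { ok: false; reason: string };

export function resetPassword(
  identities: Map<string, EmailPassIdentity>,
  secret: string,
  body: Record<string, unknown>,
  now = Date.now(),
): ResetResult {
  // 1. Reject any field outside the allow-list before touching storage.
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.has(key)) return { ok: false, reason: `unexpected field: ${key}` };
  }
  const token = body.token;
  const password = body.password;
  if (typeof token !== "string" || typeof password !== "string" || password.length < 8) {
    return { ok: false, reason: "invalid token or password" };
  }
  // 2. The target identity comes from the verified token only, never from the body.
  const claim = verifyResetToken(token, secret, now);
  if (!claim) return { ok: false, reason: "invalid or expired token" };
  const identity = identities.get(claim.entity_id);
  if (!identity || identity.provider_metadata.reset_nonce !== claim.nonce) {
    return { ok: false, reason: "invalid or expired token" };
  }
  // 3. Write exactly one field on exactly one identity, then consume the nonce.
  identity.password_hash = hashPassword(password);
  const rest = { ...identity.provider_metadata };
  delete rest.reset_nonce;
  identity.provider_metadata = rest;
  return { ok: true, entity_id: identity.entity_id };
}
```

The allow-list check comes first deliberately: a handler that validates the token and then spreads the remaining body into the stored record has already lost, because the fields it writes are chosen by the client. Keeping the reset state in provider_metadata also means a leaked or replayed token fails the nonce comparison instead of silently succeeding a second time.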

Bugs

Documentation

Chores

Other Changes

New Contributors

Full Changelog: v2.0.2...v2.0.3