Highlights
Replaced `email` with `sub` for Google entity ID
The Google authentication provider incorrectly used the email as the `entity_id`, which is an issue in case a Google account has multiple emails attached to it. This release fixes that and switches the usage to the `sub` field as a globally unique identifier.
If you have been using the Google authentication provider, the easiest way to migrate existing data is to hot patch `@medusajs/auth-google` using https://www.npmjs.com/package/patch-package so that when validating the callback, both the `email` and `sub` fields are used to retrieve the user, but only the `sub` is written.
See this PR for more.
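The lookup-then-rewrite rule the migration note describes, shown as an added example that is not the `@medusajs/auth-google` patch itself: the in-memory store, the record shape, the function names and the `email_verified` guard are assumptions.

```javascript
// Added illustration of the migration rule: match on `sub` first, fall back to
// `email` only for identities still keyed by email, and write back only `sub`.
// The store, record shape and function names are assumptions, not Medusa's API.

// Constructed sample data: pid_1 is still keyed by email (pre-fix),
// pid_2 is already keyed by the Google `sub`.
const providerIdentities = [
  { id: "pid_1", provider: "google", entity_id: "alice@example.com" },
  { id: "pid_2", provider: "google", entity_id: "110248495921238986420" },
];

// Resolve the Google identity for a set of already-verified ID-token claims.
// `sub` is the stable, globally unique account id; `email` can change or be one
// of several addresses on the account, so it only locates legacy rows.
function findGoogleIdentity(store, claims) {
  if (typeof claims.sub !== "string" || claims.sub.length === 0) {
    throw new Error("google callback: missing sub claim");
  }
  const bySub = store.find((i) => i.provider === "google" && i.entity_id === claims.sub);
  if (bySub) return bySub;
  // Legacy fallback: only trust the email if Google reports it as verified
  // (assumed extra guard; the release note itself does not mention it).
  if (claims.email_verified !== true || typeof claims.email !== "string") return null;
  return store.find((i) => i.provider === "google" && i.entity_id === claims.email) || null;
}

// Validate the callback and migrate the row in place: after this call the
// identity is keyed by `sub`, and the email is never written as a key.
function resolveAndMigrate(store, claims) {
  const identity = findGoogleIdentity(store, claims);
  if (!identity) return { identity: null, migrated: false };
  const migrated = identity.entity_id !== claims.sub;
  if (migrated) identity.entity_id = claims.sub; // write only `sub`
  return { identity, migrated };
}
```

Once every row has been rewritten this way, the email fallback can be dropped so that only `sub` is ever consulted.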
Patched security issue
This release contains an important security fix for the email-password authentication provider. Please update your project as soon as possible.
The security issue was found in the password reset flow when using the email-password authentication provider. By obtaining a password reset token, it was possible to update the `provider_metadata` of other users' provider identities by including a specific payload in the password reset request. To minimize risk to affected users, we will not disclose the structure of the payload.
Bugs
- fix: Use sub instead of email for google entity ID by @sradevski in #9949
- fix: commands to run from within the `.medusa/server` directory by @thetutlage in #9941
- fix(dashboard): user invite search by @fPolic in #9973
- fix(core-flows): pass metadata on order fulfillment create by @fPolic in #9974
- fix(framework): exclude nested fields when excluding requested field by @carlos-r-l-rodrigues in #9979
- fix(link-modules): generate graphql type of read only links by @carlos-r-l-rodrigues in #9955
- fix: define ssl options when specified in the connection string by @thetutlage in #9992
- fix(dashboard): Reduce data loaded by product details page by @kasperkristensen in #9991
- fix(core-flows): keep same customer on cart update by @carlos-r-l-rodrigues in #9977
Documentation
- docs: add common redirects to v1 docs by @shahednasser in #9832
- docs: fix resolve of custom file module guide by @shahednasser in #9840
- docs: remove upgrade guides doc by @shahednasser in #9845
- docs: add instructions on how to roll back a migration by @shahednasser in #9870
- docs: add more context and description to recipe steps by @shahednasser in #9861
- docs: fix server worker mode in railway deployment by @shahednasser in #9842
Chores
- chore: remove husky by @thetutlage in #9967
- chore: Add new i18n validation workflows for the admin by @adrien2p in #9948
- chore: update doc links in README by @shahednasser in #9860
Other Changes
- feat(stripe): add promptpay by @oDestroyeRo in #9789
New Contributors
- @oDestroyeRo made their first contribution in #9789
Full Changelog: v2.0.2...v2.0.3