From bf2322a181cf5ae9a992f009982086509e103d40 Mon Sep 17 00:00:00 2001
From: Nancy <9d.24.nancy.sangani@gmail.com>
Date: Thu, 12 Mar 2026 18:25:10 +0530
Subject: [PATCH] feat: add GOTRUE_DB_DEFAULT_ROLE to make default user role
 configurable

---
 internal/api/admin.go          | 2 +-
 internal/api/api.go            | 2 +-
 internal/api/signup.go         | 2 +-
 internal/conf/configuration.go | 9 +++++++++
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/internal/api/admin.go b/internal/api/admin.go
index e75fbb3537..a3b7aef5ee 100644
--- a/internal/api/admin.go
+++ b/internal/api/admin.go
@@ -466,7 +466,7 @@ func (a *API) adminUserCreate(w http.ResponseWriter, r *http.Request) error {
 			return terr
 		}
 
-		role := config.JWT.DefaultGroupName
+		role := config.DB.DefaultRole
 		if params.Role != "" {
 			role = params.Role
 		}
diff --git a/internal/api/api.go b/internal/api/api.go
index c9f3792007..2ece8a6ba9 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -86,7 +86,7 @@ func (a *API) deprecationNotices() {
 	}
 
 	if config.JWT.DefaultGroupName != "" {
-		log.Warn("DEPRECATION NOTICE: GOTRUE_JWT_DEFAULT_GROUP_NAME not supported by Supabase's GoTrue, will be removed soon")
+		log.Warn("DEPRECATION NOTICE: GOTRUE_JWT_DEFAULT_GROUP_NAME is deprecated, use GOTRUE_DB_DEFAULT_ROLE instead")
 	}
 }
 
diff --git a/internal/api/signup.go b/internal/api/signup.go
index fcc3877ed7..01a84df074 100644
--- a/internal/api/signup.go
+++ b/internal/api/signup.go
@@ -385,7 +385,7 @@ func (a *API) signupNewUser(conn *storage.Connection, user *models.User) (*model
 		if terr = tx.Create(user); terr != nil {
 			return apierrors.NewInternalServerError("Database error saving new user").WithInternalError(terr)
 		}
-		if terr = user.SetRole(tx, config.JWT.DefaultGroupName); terr != nil {
+		if terr = user.SetRole(tx, config.DB.DefaultRole); terr != nil {
 			return apierrors.NewInternalServerError("Database error updating user").WithInternalError(terr)
 		}
 		return nil
diff --git a/internal/conf/configuration.go b/internal/conf/configuration.go
index bbd143db2e..bdf5f27434 100644
--- a/internal/conf/configuration.go
+++ b/internal/conf/configuration.go
@@ -110,6 +110,7 @@ type DBConfiguration struct {
 	Driver    string `json:"driver" required:"true"`
 	URL       string `json:"url" envconfig:"DATABASE_URL" required:"true"`
 	Namespace string `json:"namespace" envconfig:"DB_NAMESPACE" default:"auth"`
+	DefaultRole string `json:"default_role" split_words:"true"`
 
 	// Percentage of DB conns the auth server may use in
 	// integer form i.e.: [1, 100] -> [1%, 100%]
@@ -1141,6 +1142,14 @@ func (config *GlobalConfiguration) ApplyDefaults() error {
 		config.JWT.AdminGroupName = "admin"
 	}
 
+	if config.DB.DefaultRole == "" {
+		if config.JWT.DefaultGroupName != "" {
+			config.DB.DefaultRole = config.JWT.DefaultGroupName
+		} else {
+			config.DB.DefaultRole = "authenticated"
+		}
+	}
+
 	if len(config.JWT.AdminRoles) == 0 {
 		config.JWT.AdminRoles = []string{"service_role", "supabase_admin"}
 	}