fix(custom-session): use coerced boolean for disableRefresh query param validation (#9214)

2026-05-29 18:36:34 -05:00 · 2026-04-21 20:22:32 +10:00
parent ab4c10fbc0
commit 4debfb600f
3 changed files with 19 additions and 24 deletions
--- a/.changeset/fix-custom-session-disable-refresh.md
+++ b/.changeset/fix-custom-session-disable-refresh.md
@@ -0,0 +1,5 @@
+---
+"better-auth": patch
+---
+
+fix(custom-session): use coerced boolean for disableRefresh query param validation
--- a/packages/better-auth/src/plugins/custom-session/custom-session.test.ts
+++ b/packages/better-auth/src/plugins/custom-session/custom-session.test.ts
@@ -214,6 +214,19 @@ describe("Custom Session Plugin Tests", async () => {
 		});
 	});

+	/**
+	 * @see https://github.com/better-auth/better-auth/issues/9195
+	 */
+	it("should accept disableRefresh as a query string without validation error", async () => {
+		const { headers } = await signInWithTestUser();
+		const session = await client.getSession({
+			query: { disableRefresh: true },
+			fetchOptions: { headers },
+		});
+		expect(session.data).not.toBeNull();
+		expect(session.error).toBeNull();
+	});
+
 	it("should not comma-join Set-Cookie headers", async () => {
 		const { headers } = await signInWithTestUser();
 		await client.getSession({
--- a/packages/better-auth/src/plugins/custom-session/index.ts
+++ b/packages/better-auth/src/plugins/custom-session/index.ts
@@ -8,9 +8,9 @@ import {
 	createAuthMiddleware,
 } from "@better-auth/core/api";
 import type { Session, User } from "@better-auth/core/db";
-import * as z from "zod";
 import { getSession } from "../../api";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils";
+import { getSessionQuerySchema } from "../../cookies/session-store";
 import { getEndpointResponse } from "../../utils/plugin-helper";
 import { PACKAGE_VERSION } from "../../version";

@@ -22,29 +22,6 @@ declare module "@better-auth/core" {
 	}
 }

-const getSessionQuerySchema = z.optional(
-	z.object({
-		/**
-		 * If cookie cache is enabled, it will disable the cache
-		 * and fetch the session from the database
-		 */
-		disableCookieCache: z
-			.boolean()
-			.meta({
-				description: "Disable cookie cache and fetch session from database",
-			})
-			.or(z.string().transform((v) => v === "true"))
-			.optional(),
-		disableRefresh: z
-			.boolean()
-			.meta({
-				description:
-					"Disable session refresh. Useful for checking session status, without updating the session",
-			})
-			.optional(),
-	}),
-);
-
 export type CustomSessionPluginOptions = {
 	/**
 	 * This option is used to determine if the list-device-sessions endpoint should be mutated to the custom session data.