diff --git a/.changeset/dcr-graceful-override-confidential.md b/.changeset/dcr-graceful-override-confidential.md deleted file mode 100644 index 48054e861e..0000000000 --- a/.changeset/dcr-graceful-override-confidential.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -"@better-auth/oauth-provider": patch ---- - -fix(oauth-provider): override confidential auth methods to public in unauthenticated DCR - -When `allowUnauthenticatedClientRegistration` is enabled, unauthenticated DCR -requests that specify `client_secret_post`, `client_secret_basic`, or omit -`token_endpoint_auth_method` (which defaults to `client_secret_basic` per -[RFC 7591 §2](https://datatracker.ietf.org/doc/html/rfc7591#section-2)) are -now silently overridden to `token_endpoint_auth_method: "none"` (public client) -instead of being rejected with HTTP 401. - -This follows [RFC 7591 §3.2.1](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1), -which allows the server to "reject or replace any of the client's requested -metadata values submitted during the registration and substitute them with -suitable values." The registration response communicates the actual method -back to the client, allowing compliant clients to adjust. - -This fixes interoperability with real-world MCP clients (Claude, Codex, Factory -Droid, and others) that send `token_endpoint_auth_method: "client_secret_post"` -in their DCR payload because the server metadata advertises it in -`token_endpoint_auth_methods_supported`. - -Closes #8588 diff --git a/.changeset/dynamic-baseurl-hardening.md b/.changeset/dynamic-baseurl-hardening.md deleted file mode 100644 index b25df42cd5..0000000000 --- a/.changeset/dynamic-baseurl-hardening.md +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -"better-auth": patch -"@better-auth/oauth-provider": patch ---- - -harden dynamic `baseURL` handling for direct `auth.api.*` calls and plugin metadata helpers - -**Direct `auth.api.*` calls** - -- Throw `APIError` with a clear message when the baseURL can't be resolved (no source and no `fallback`), instead of leaving `ctx.context.baseURL = ""` for downstream plugins to crash on. -- Convert `allowedHosts` mismatches on the direct-API path to `APIError`. -- Honor `advanced.trustedProxyHeaders` on the dynamic path (default `true`, unchanged). Previously `x-forwarded-host` / `-proto` were unconditionally trusted with `allowedHosts`; they now go through the same gate as the static path. The default flip to `false` ships in a follow-up PR. -- `resolveRequestContext` rehydrates `trustedProviders` and cookies per call (in addition to `trustedOrigins`). User-defined `trustedOrigins(req)` / `trustedProviders(req)` callbacks receive a `Request` synthesized from forwarded headers when no full `Request` is available. -- Infer `http` for loopback hosts (`localhost`, `127.0.0.1`, `[::1]`, `0.0.0.0`) on the headers-only protocol fallback, so local-dev calls don't silently resolve to `https://localhost:3000`. -- `hasRequest` uses `isRequestLike`, which now rejects objects that spoof `Symbol.toStringTag` without a real `url` / `headers.get` shape. - -**Plugin metadata helpers** - -- `oauthProviderAuthServerMetadata`, `oauthProviderOpenIdConfigMetadata`, `oAuthDiscoveryMetadata`, and `oAuthProtectedResourceMetadata` forward the incoming request to their chained `auth.api` calls, so `issuer` and discovery URLs reflect the request host on dynamic configs. -- `withMcpAuth` forwards the incoming request to `getMcpSession`, threads `trustedProxyHeaders`, and emits a bare `Bearer` challenge when `baseURL` can't be resolved (instead of `Bearer resource_metadata="undefined/..."`). 
-- `metadataResponse` in `@better-auth/oauth-provider` normalizes headers via `new Headers()` so callers can pass `Headers`, tuple arrays, or records without silently dropping entries. diff --git a/.changeset/fix-2fa-bypass.md b/.changeset/fix-2fa-bypass.md deleted file mode 100644 index aa2f7a9f20..0000000000 --- a/.changeset/fix-2fa-bypass.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"better-auth": patch ---- - -fix(two-factor): enforce 2FA on all sign-in paths - -The 2FA after-hook now triggers on any endpoint that creates a new session, covering magic-link, OAuth, passkey, email-OTP, SIWE, and all future sign-in methods. Authenticated requests (session refreshes, profile updates) are excluded. diff --git a/.changeset/fix-backup-codes-storage.md b/.changeset/fix-backup-codes-storage.md deleted file mode 100644 index 6199dbaffe..0000000000 --- a/.changeset/fix-backup-codes-storage.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"better-auth": patch ---- - -fix(two-factor): preserve backup codes storage format after verification - -After using a backup code, remaining codes are now re-saved using the same `storeBackupCodes` strategy (plain, encrypted, or custom) configured by the user. Previously, codes were always re-encrypted with the built-in symmetric encryption, breaking subsequent verifications for plain or custom storage modes. diff --git a/.changeset/fix-password-reset-callback-operation-id.md b/.changeset/fix-password-reset-callback-operation-id.md deleted file mode 100644 index 54e7f97697..0000000000 --- a/.changeset/fix-password-reset-callback-operation-id.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"better-auth": patch ---- - -fix(api): align top-level `operationId` on `requestPasswordResetCallback` with the OpenAPI `resetPasswordCallback` diff --git a/.changeset/fix-stripe-defu-prototype-pollution.md b/.changeset/fix-stripe-defu-prototype-pollution.md deleted file mode 100644 index ebd69f8c5f..0000000000 
--- a/.changeset/fix-stripe-defu-prototype-pollution.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -"@better-auth/stripe": patch ---- - -fix(stripe): drop unsafe keys when merging user-supplied metadata - -The Stripe plugin previously merged `ctx.body.metadata` through `defu`, which was vulnerable to prototype pollution when attacker-controlled `__proto__` keys reached the second argument. Since Stripe metadata is a flat `Record`, the deep-merge was never exercised on that path. The merge now ignores `__proto__`, `constructor`, and `prototype`, so the user-controlled surface no longer depends on `defu`. The remaining `defu` call sites (deep-merging developer-supplied `CustomerCreateParams`) also receive the patched range. diff --git a/.changeset/honest-regions-jam.md b/.changeset/honest-regions-jam.md deleted file mode 100644 index d0e0f03b28..0000000000 --- a/.changeset/honest-regions-jam.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"better-auth": patch ---- - -fix(open-api): correct get-session nullable schema for OAS 3.1 diff --git a/.changeset/honest-symbols-stick.md b/.changeset/honest-symbols-stick.md deleted file mode 100644 index 4a8f12a7bb..0000000000 --- a/.changeset/honest-symbols-stick.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"better-auth": patch ---- - -fix(client): prevent isMounted race condition causing many rps diff --git a/.changeset/lovely-toes-swim.md b/.changeset/lovely-toes-swim.md deleted file mode 100644 index 2bc5e858ac..0000000000 --- a/.changeset/lovely-toes-swim.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"better-auth": patch ---- - -resolve dynamic `baseURL` from request headers on direct `auth.api` calls diff --git a/.changeset/oauth-provider-token-refactor.md b/.changeset/oauth-provider-token-refactor.md deleted file mode 100644 index ddf1f731bc..0000000000 --- a/.changeset/oauth-provider-token-refactor.md +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -"@better-auth/oauth-provider": patch ---- - -feat(oauth-provider): add `customTokenResponseFields` callback and Zod validation for authorization codes - -Add `customTokenResponseFields` callback to `OAuthOptions` for injecting custom fields into token endpoint responses across all grant types. Standard OAuth fields (`access_token`, `token_type`, etc.) cannot be overridden. Follows the same pattern as `customAccessTokenClaims` and `customIdTokenClaims`. - -Authorization code verification values are now validated with a Zod schema at deserialization, consistently returning `invalid_verification` errors for malformed or corrupted values instead of potential 500s. diff --git a/.changeset/pr-8926.md b/.changeset/pr-8926.md deleted file mode 100644 index f9bcbe4808..0000000000 --- a/.changeset/pr-8926.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"better-auth": patch ---- - -omit quantity for metered prices in checkout and upgrades diff --git a/.changeset/pr-9032.md b/.changeset/pr-9032.md deleted file mode 100644 index 06407bac83..0000000000 --- a/.changeset/pr-9032.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"auth": patch ---- - -fix tsconfig path alias resolution for extended configs and mid-path wildcards \ No newline at end of file diff --git a/.changeset/pr-9084.md b/.changeset/pr-9084.md deleted file mode 100644 index 55e3770ce6..0000000000 --- a/.changeset/pr-9084.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"better-auth": patch ---- - -support Stripe SDK v21 and v22 diff --git a/.changeset/sso-saml-hardening.md b/.changeset/sso-saml-hardening.md deleted file mode 100644 index 26df51e73d..0000000000 --- a/.changeset/sso-saml-hardening.md +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -"@better-auth/sso": patch ---- - -fix(sso): unify SAML response processing and fix provider/config bugs - -**Bug fixes:** - -- Fix SP metadata endpoint using internal row ID instead of `providerId` in ACS URL -- Fix `acsEndpoint` skipping DB provider lookup when `defaultSSO` is configured -- Fix `acsEndpoint` missing encryption fields (`isAssertionEncrypted`, `encPrivateKey`), which caused silent decryption failures -- Fix `defaultSSO` config parsing in callback path (`safeJsonParse` on already-parsed objects) -- Fix `createSP` missing `callbackUrl` fallback to auto-generated ACS URL -- Complete `createSP`/`createIdP` helpers with all encryption and signing fields - -**Behavioral changes:** - -- ACS error redirect query parameters now use uppercase error codes (e.g. `error=SAML_MULTIPLE_ASSERTIONS` instead of `error=multiple_assertions`). If your application parses these error codes from the redirect URL, update the expected values. -- SAML provider registration now rejects configs with no usable IdP entry point (no valid `entryPoint` URL, no `idpMetadata.metadata`, and no `idpMetadata.singleSignOnService`). Previously these would register successfully but fail at sign-in. -- `entryPoint` validation tightened from `startsWith("http")` to `new URL()` parsing, rejecting malformed URLs like `http:evil` or `http//missing-colon`. - -**Refactoring (no API changes):** - -- Extract shared `processSAMLResponse` pipeline to eliminate ~500 lines of duplicated logic between `callbackSSOSAML` and `acsEndpoint` -- Move `validateSAMLTimestamp` to `saml/timestamp.ts` (re-exported from original location for compatibility) diff --git a/packages/api-key/CHANGELOG.md b/packages/api-key/CHANGELOG.md index 773d9ce958..d35bd8719b 100644 --- a/packages/api-key/CHANGELOG.md +++ b/packages/api-key/CHANGELOG.md 
@@ -1,5 +1,13 @@ # @better-auth/api-key +## 1.6.3 + +### Patch Changes + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/api-key/package.json b/packages/api-key/package.json index 7940ac0b26..ce7e17d5d1 100644 --- a/packages/api-key/package.json +++ b/packages/api-key/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/api-key", - "version": "1.6.2", + "version": "1.6.3", "description": "API Key plugin for Better Auth.", "type": "module", "license": "MIT", diff --git a/packages/better-auth/CHANGELOG.md b/packages/better-auth/CHANGELOG.md index 25cefbb586..aed85b226b 100644 --- a/packages/better-auth/CHANGELOG.md +++ b/packages/better-auth/CHANGELOG.md 
@@ -1,5 +1,53 @@ # better-auth +## 1.6.3 + +### Patch Changes + +- [#9131](https://github.com/better-auth/better-auth/pull/9131) [`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - harden dynamic `baseURL` handling for direct `auth.api.*` calls and plugin metadata helpers + + **Direct `auth.api.*` calls** + - Throw `APIError` with a clear message when the baseURL can't be resolved (no source and no `fallback`), instead of leaving `ctx.context.baseURL = ""` for downstream plugins to crash on. + - Convert `allowedHosts` mismatches on the direct-API path to `APIError`. + - Honor `advanced.trustedProxyHeaders` on the dynamic path (default `true`, unchanged). Previously `x-forwarded-host` / `-proto` were unconditionally trusted with `allowedHosts`; they now go through the same gate as the static path. The default flip to `false` ships in a follow-up PR. + - `resolveRequestContext` rehydrates `trustedProviders` and cookies per call (in addition to `trustedOrigins`). User-defined `trustedOrigins(req)` / `trustedProviders(req)` callbacks receive a `Request` synthesized from forwarded headers when no full `Request` is available. + - Infer `http` for loopback hosts (`localhost`, `127.0.0.1`, `[::1]`, `0.0.0.0`) on the headers-only protocol fallback, so local-dev calls don't silently resolve to `https://localhost:3000`. + - `hasRequest` uses `isRequestLike`, which now rejects objects that spoof `Symbol.toStringTag` without a real `url` / `headers.get` shape. + + **Plugin metadata helpers** + - `oauthProviderAuthServerMetadata`, `oauthProviderOpenIdConfigMetadata`, `oAuthDiscoveryMetadata`, and `oAuthProtectedResourceMetadata` forward the incoming request to their chained `auth.api` calls, so `issuer` and discovery URLs reflect the request host on dynamic configs. 
+ - `withMcpAuth` forwards the incoming request to `getMcpSession`, threads `trustedProxyHeaders`, and emits a bare `Bearer` challenge when `baseURL` can't be resolved (instead of `Bearer resource_metadata="undefined/..."`). + - `metadataResponse` in `@better-auth/oauth-provider` normalizes headers via `new Headers()` so callers can pass `Headers`, tuple arrays, or records without silently dropping entries. + +- [#9122](https://github.com/better-auth/better-auth/pull/9122) [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - fix(two-factor): enforce 2FA on all sign-in paths + + The 2FA after-hook now triggers on any endpoint that creates a new session, covering magic-link, OAuth, passkey, email-OTP, SIWE, and all future sign-in methods. Authenticated requests (session refreshes, profile updates) are excluded. + +- [#7231](https://github.com/better-auth/better-auth/pull/7231) [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f) Thanks [@Byte-Biscuit](https://github.com/Byte-Biscuit)! - fix(two-factor): preserve backup codes storage format after verification + + After using a backup code, remaining codes are now re-saved using the same `storeBackupCodes` strategy (plain, encrypted, or custom) configured by the user. Previously, codes were always re-encrypted with the built-in symmetric encryption, breaking subsequent verifications for plain or custom storage modes. + +- [#9072](https://github.com/better-auth/better-auth/pull/9072) [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d) Thanks [@ramonclaudio](https://github.com/ramonclaudio)! 
- fix(api): align top-level `operationId` on `requestPasswordResetCallback` with the OpenAPI `resetPasswordCallback` + +- [#8389](https://github.com/better-auth/better-auth/pull/8389) [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649) Thanks [@Oluwatobi-Mustapha](https://github.com/Oluwatobi-Mustapha)! - fix(open-api): correct get-session nullable schema for OAS 3.1 + +- [#9078](https://github.com/better-auth/better-auth/pull/9078) [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7) Thanks [@ping-maxwell](https://github.com/ping-maxwell)! - fix(client): prevent isMounted race condition causing many rps + +- [#9113](https://github.com/better-auth/better-auth/pull/9113) [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af) Thanks [@bytaesu](https://github.com/bytaesu)! - resolve dynamic `baseURL` from request headers on direct `auth.api` calls + +- [#8926](https://github.com/better-auth/better-auth/pull/8926) [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463) Thanks [@bytaesu](https://github.com/bytaesu)! - omit quantity for metered prices in checkout and upgrades + +- [#9084](https://github.com/better-auth/better-auth/pull/9084) [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f) Thanks [@bytaesu](https://github.com/bytaesu)! - support Stripe SDK v21 and v22 + +- Updated dependencies []: + - @better-auth/core@1.6.3 + - @better-auth/drizzle-adapter@1.6.3 + - @better-auth/kysely-adapter@1.6.3 + - @better-auth/memory-adapter@1.6.3 + - @better-auth/mongo-adapter@1.6.3 + - @better-auth/prisma-adapter@1.6.3 + - @better-auth/telemetry@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/better-auth/package.json b/packages/better-auth/package.json index 31e502f889..05ceb9fc3a 100644 
--- a/packages/better-auth/package.json +++ b/packages/better-auth/package.json @@ -1,6 +1,6 @@ { "name": "better-auth", - "version": "1.6.2", + "version": "1.6.3", "description": "The most comprehensive authentication framework for TypeScript.", "type": "module", "license": "MIT", diff --git a/packages/cli/CHANGELOG.md b/packages/cli/CHANGELOG.md index b2c50246c5..0c7fcc7dcb 100644 --- a/packages/cli/CHANGELOG.md +++ b/packages/cli/CHANGELOG.md @@ -1,5 +1,16 @@ # auth +## 1.6.3 + +### Patch Changes + +- [#9032](https://github.com/better-auth/better-auth/pull/9032) [`4673c6d`](https://github.com/better-auth/better-auth/commit/4673c6d83ce0710e8875e81539b376ee408e28b3) Thanks [@bytaesu](https://github.com/bytaesu)! - fix tsconfig path alias resolution for extended configs and mid-path wildcards + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + - @better-auth/telemetry@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/cli/package.json b/packages/cli/package.json index 93cbdae181..a269abd9e8 100644 
--- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -1,6 +1,6 @@ { "name": "auth", - "version": "1.6.2", + "version": "1.6.3", "description": "The CLI for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/core/CHANGELOG.md b/packages/core/CHANGELOG.md index b6dac2e997..6777f5f58f 100644 --- a/packages/core/CHANGELOG.md +++ b/packages/core/CHANGELOG.md @@ -1,5 +1,7 @@ # @better-auth/core +## 1.6.3 + ## 1.6.2 ## 1.6.1 diff --git a/packages/core/package.json b/packages/core/package.json index ccc5695f13..78929b6c68 100644 --- a/packages/core/package.json +++ b/packages/core/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/core", - "version": "1.6.2", + "version": "1.6.3", "description": "The most comprehensive authentication framework for TypeScript.", "type": "module", "license": "MIT", diff --git a/packages/drizzle-adapter/CHANGELOG.md b/packages/drizzle-adapter/CHANGELOG.md index 1b1f1ba4fb..b55ca95a3d 100644 --- a/packages/drizzle-adapter/CHANGELOG.md +++ b/packages/drizzle-adapter/CHANGELOG.md @@ -1,5 +1,12 @@ # @better-auth/drizzle-adapter +## 1.6.3 + +### Patch Changes + +- Updated dependencies []: + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/drizzle-adapter/package.json b/packages/drizzle-adapter/package.json index 70c5128f64..03d9fe2fca 100644 --- a/packages/drizzle-adapter/package.json +++ b/packages/drizzle-adapter/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/drizzle-adapter", - "version": "1.6.2", + "version": "1.6.3", "description": "Drizzle adapter for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/electron/CHANGELOG.md b/packages/electron/CHANGELOG.md index 9a8973a9b0..480e2495f6 100644 --- a/packages/electron/CHANGELOG.md +++ b/packages/electron/CHANGELOG.md 
@@ -1,5 +1,13 @@ # @better-auth/electron +## 1.6.3 + +### Patch Changes + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/electron/package.json b/packages/electron/package.json index e12ab048e9..0caa8dad6f 100644 --- a/packages/electron/package.json +++ b/packages/electron/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/electron", - "version": "1.6.2", + "version": "1.6.3", "description": "Better Auth integration for Electron applications.", "type": "module", "license": "MIT", diff --git a/packages/expo/CHANGELOG.md b/packages/expo/CHANGELOG.md index 4dffe425d2..4dd0287d6b 100644 --- a/packages/expo/CHANGELOG.md +++ b/packages/expo/CHANGELOG.md 
@@ -1,5 +1,13 @@ # @better-auth/expo +## 1.6.3 + +### Patch Changes + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/expo/package.json b/packages/expo/package.json index a4d1910778..82d06a89ba 100644 --- a/packages/expo/package.json +++ b/packages/expo/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/expo", - "version": "1.6.2", + "version": "1.6.3", "description": "Better Auth integration for Expo and React Native applications.", "type": "module", "license": "MIT", diff --git a/packages/i18n/CHANGELOG.md b/packages/i18n/CHANGELOG.md index be8381b9b5..d805c607e0 100644 --- a/packages/i18n/CHANGELOG.md +++ b/packages/i18n/CHANGELOG.md 
@@ -1,5 +1,13 @@ # @better-auth/i18n +## 1.6.3 + +### Patch Changes + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/i18n/package.json b/packages/i18n/package.json index 060d9b5ade..f02fc9fc24 100644 --- a/packages/i18n/package.json +++ b/packages/i18n/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/i18n", - "version": "1.6.2", + "version": "1.6.3", "description": "i18n plugin for Better Auth - translate error messages", "type": "module", "license": "MIT", diff --git a/packages/kysely-adapter/CHANGELOG.md b/packages/kysely-adapter/CHANGELOG.md index 3d49bae1d9..93f3291173 100644 --- a/packages/kysely-adapter/CHANGELOG.md +++ b/packages/kysely-adapter/CHANGELOG.md @@ -1,5 +1,12 @@ # @better-auth/kysely-adapter +## 1.6.3 + +### Patch Changes + +- Updated dependencies []: + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/kysely-adapter/package.json b/packages/kysely-adapter/package.json index 82ce758f2d..7b2dc59fc8 100644 
--- a/packages/kysely-adapter/package.json +++ b/packages/kysely-adapter/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/kysely-adapter", - "version": "1.6.2", + "version": "1.6.3", "description": "Kysely adapter for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/memory-adapter/CHANGELOG.md b/packages/memory-adapter/CHANGELOG.md index b0118764ce..094b44a3b4 100644 --- a/packages/memory-adapter/CHANGELOG.md +++ b/packages/memory-adapter/CHANGELOG.md @@ -1,5 +1,12 @@ # @better-auth/memory-adapter +## 1.6.3 + +### Patch Changes + +- Updated dependencies []: + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/memory-adapter/package.json b/packages/memory-adapter/package.json index 37e53e4a77..57255b7ae0 100644 --- a/packages/memory-adapter/package.json +++ b/packages/memory-adapter/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/memory-adapter", - "version": "1.6.2", + "version": "1.6.3", "description": "Memory adapter for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/mongo-adapter/CHANGELOG.md b/packages/mongo-adapter/CHANGELOG.md index 902da73568..687799c80c 100644 --- a/packages/mongo-adapter/CHANGELOG.md +++ b/packages/mongo-adapter/CHANGELOG.md @@ -1,5 +1,12 @@ # @better-auth/mongo-adapter +## 1.6.3 + +### Patch Changes + +- Updated dependencies []: + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/mongo-adapter/package.json b/packages/mongo-adapter/package.json index 0153bac5c2..e92d13e269 100644 --- a/packages/mongo-adapter/package.json +++ b/packages/mongo-adapter/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/mongo-adapter", - "version": "1.6.2", + "version": "1.6.3", "description": "Mongo adapter for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/oauth-provider/CHANGELOG.md b/packages/oauth-provider/CHANGELOG.md index 29c23516bf..383832ec92 100644 --- a/packages/oauth-provider/CHANGELOG.md 
+++ b/packages/oauth-provider/CHANGELOG.md 
@@ -1,5 +1,56 @@ # @better-auth/oauth-provider +## 1.6.3 + +### Patch Changes + +- [#9123](https://github.com/better-auth/better-auth/pull/9123) [`e2e25a4`](https://github.com/better-auth/better-auth/commit/e2e25a49545f3e386cfcc4e86b33c1796a1430b1) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - fix(oauth-provider): override confidential auth methods to public in unauthenticated DCR + + When `allowUnauthenticatedClientRegistration` is enabled, unauthenticated DCR + requests that specify `client_secret_post`, `client_secret_basic`, or omit + `token_endpoint_auth_method` (which defaults to `client_secret_basic` per + [RFC 7591 §2](https://datatracker.ietf.org/doc/html/rfc7591#section-2)) are + now silently overridden to `token_endpoint_auth_method: "none"` (public client) + instead of being rejected with HTTP 401. + + This follows [RFC 7591 §3.2.1](https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1), + which allows the server to "reject or replace any of the client's requested + metadata values submitted during the registration and substitute them with + suitable values." The registration response communicates the actual method + back to the client, allowing compliant clients to adjust. + + This fixes interoperability with real-world MCP clients (Claude, Codex, Factory + Droid, and others) that send `token_endpoint_auth_method: "client_secret_post"` + in their DCR payload because the server metadata advertises it in + `token_endpoint_auth_methods_supported`. + + Closes [#8588](https://github.com/better-auth/better-auth/issues/8588) + +- [#9131](https://github.com/better-auth/better-auth/pull/9131) [`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! 
- harden dynamic `baseURL` handling for direct `auth.api.*` calls and plugin metadata helpers + + **Direct `auth.api.*` calls** + - Throw `APIError` with a clear message when the baseURL can't be resolved (no source and no `fallback`), instead of leaving `ctx.context.baseURL = ""` for downstream plugins to crash on. + - Convert `allowedHosts` mismatches on the direct-API path to `APIError`. + - Honor `advanced.trustedProxyHeaders` on the dynamic path (default `true`, unchanged). Previously `x-forwarded-host` / `-proto` were unconditionally trusted with `allowedHosts`; they now go through the same gate as the static path. The default flip to `false` ships in a follow-up PR. + - `resolveRequestContext` rehydrates `trustedProviders` and cookies per call (in addition to `trustedOrigins`). User-defined `trustedOrigins(req)` / `trustedProviders(req)` callbacks receive a `Request` synthesized from forwarded headers when no full `Request` is available. + - Infer `http` for loopback hosts (`localhost`, `127.0.0.1`, `[::1]`, `0.0.0.0`) on the headers-only protocol fallback, so local-dev calls don't silently resolve to `https://localhost:3000`. + - `hasRequest` uses `isRequestLike`, which now rejects objects that spoof `Symbol.toStringTag` without a real `url` / `headers.get` shape. + + **Plugin metadata helpers** + - `oauthProviderAuthServerMetadata`, `oauthProviderOpenIdConfigMetadata`, `oAuthDiscoveryMetadata`, and `oAuthProtectedResourceMetadata` forward the incoming request to their chained `auth.api` calls, so `issuer` and discovery URLs reflect the request host on dynamic configs. + - `withMcpAuth` forwards the incoming request to `getMcpSession`, threads `trustedProxyHeaders`, and emits a bare `Bearer` challenge when `baseURL` can't be resolved (instead of `Bearer resource_metadata="undefined/..."`). 
+ - `metadataResponse` in `@better-auth/oauth-provider` normalizes headers via `new Headers()` so callers can pass `Headers`, tuple arrays, or records without silently dropping entries. + +- [#9118](https://github.com/better-auth/better-auth/pull/9118) [`314e06f`](https://github.com/better-auth/better-auth/commit/314e06f0fd84ac90b55b5430624a74c5a8d62bfd) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - feat(oauth-provider): add `customTokenResponseFields` callback and Zod validation for authorization codes + + Add `customTokenResponseFields` callback to `OAuthOptions` for injecting custom fields into token endpoint responses across all grant types. Standard OAuth fields (`access_token`, `token_type`, etc.) cannot be overridden. Follows the same pattern as `customAccessTokenClaims` and `customIdTokenClaims`. + + Authorization code verification values are now validated with a Zod schema at deserialization, consistently returning `invalid_verification` errors for malformed or corrupted values instead of potential 500s. 
+ +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/oauth-provider/package.json b/packages/oauth-provider/package.json index 3e52a04882..d577f61e3d 100644 --- a/packages/oauth-provider/package.json +++ b/packages/oauth-provider/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/oauth-provider", - "version": "1.6.2", + "version": "1.6.3", "description": "An oauth provider plugin for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/passkey/CHANGELOG.md b/packages/passkey/CHANGELOG.md index ba88a22d5f..eb8979089a 100644 --- a/packages/passkey/CHANGELOG.md +++ b/packages/passkey/CHANGELOG.md 
@@ -1,5 +1,13 @@ # @better-auth/passkey +## 1.6.3 + +### Patch Changes + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/passkey/package.json b/packages/passkey/package.json index 766e6ef55b..17654d4eaf 100644 --- a/packages/passkey/package.json +++ b/packages/passkey/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/passkey", - "version": "1.6.2", + "version": "1.6.3", "description": "Passkey plugin for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/prisma-adapter/CHANGELOG.md b/packages/prisma-adapter/CHANGELOG.md index 94747e592a..9505c065c7 100644 --- a/packages/prisma-adapter/CHANGELOG.md +++ b/packages/prisma-adapter/CHANGELOG.md @@ -1,5 +1,12 @@ # @better-auth/prisma-adapter +## 1.6.3 + +### Patch Changes + +- Updated dependencies []: + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/prisma-adapter/package.json b/packages/prisma-adapter/package.json index cd0b0ed497..226ce87c57 100644 
--- a/packages/prisma-adapter/package.json +++ b/packages/prisma-adapter/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/prisma-adapter", - "version": "1.6.2", + "version": "1.6.3", "description": "Prisma adapter for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/redis-storage/CHANGELOG.md b/packages/redis-storage/CHANGELOG.md index 1c4fff462a..c21d57d2f3 100644 --- a/packages/redis-storage/CHANGELOG.md +++ b/packages/redis-storage/CHANGELOG.md @@ -1,5 +1,12 @@ # @better-auth/redis-storage +## 1.6.3 + +### Patch Changes + +- Updated dependencies []: + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/redis-storage/package.json b/packages/redis-storage/package.json index 3bc5fa4eca..c971e39fe5 100644 --- a/packages/redis-storage/package.json +++ b/packages/redis-storage/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/redis-storage", - "version": "1.6.2", + "version": "1.6.3", "description": "Redis storage for Better Auth secondary storage", "type": "module", "license": "MIT", diff --git a/packages/scim/CHANGELOG.md b/packages/scim/CHANGELOG.md index 37361bb3af..bbf91cae04 100644 --- a/packages/scim/CHANGELOG.md +++ b/packages/scim/CHANGELOG.md 
@@ -1,5 +1,13 @@ # @better-auth/scim +## 1.6.3 + +### Patch Changes + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/scim/package.json b/packages/scim/package.json index a558c2a076..9ed8517250 100644 --- a/packages/scim/package.json +++ b/packages/scim/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/scim", - "version": "1.6.2", + "version": "1.6.3", "description": "SCIM plugin for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/sso/CHANGELOG.md b/packages/sso/CHANGELOG.md index 5752be20bf..6815d1a9e3 100644 --- a/packages/sso/CHANGELOG.md +++ b/packages/sso/CHANGELOG.md 
@@ -1,5 +1,32 @@ # @better-auth/sso +## 1.6.3 + +### Patch Changes + +- [#9097](https://github.com/better-auth/better-auth/pull/9097) [`52c4751`](https://github.com/better-auth/better-auth/commit/52c47517a21600d40a3e82c427409083b4a0a9ec) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - fix(sso): unify SAML response processing and fix provider/config bugs + + **Bug fixes:** + - Fix SP metadata endpoint using internal row ID instead of `providerId` in ACS URL + - Fix `acsEndpoint` skipping DB provider lookup when `defaultSSO` is configured + - Fix `acsEndpoint` missing encryption fields (`isAssertionEncrypted`, `encPrivateKey`), which caused silent decryption failures + - Fix `defaultSSO` config parsing in callback path (`safeJsonParse` on already-parsed objects) + - Fix `createSP` missing `callbackUrl` fallback to auto-generated ACS URL + - Complete `createSP`/`createIdP` helpers with all encryption and signing fields + + **Behavioral changes:** + - ACS error redirect query parameters now use uppercase error codes (e.g. `error=SAML_MULTIPLE_ASSERTIONS` instead of `error=multiple_assertions`). If your application parses these error codes from the redirect URL, update the expected values. + - SAML provider registration now rejects configs with no usable IdP entry point (no valid `entryPoint` URL, no `idpMetadata.metadata`, and no `idpMetadata.singleSignOnService`). Previously these would register successfully but fail at sign-in. + - `entryPoint` validation tightened from `startsWith("http")` to `new URL()` parsing, rejecting malformed URLs like `http:evil` or `http//missing-colon`. 
+ + **Refactoring (no API changes):** + - Extract shared `processSAMLResponse` pipeline to eliminate ~500 lines of duplicated logic between `callbackSSOSAML` and `acsEndpoint` + - Move `validateSAMLTimestamp` to `saml/timestamp.ts` (re-exported from original location for compatibility) + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/sso/package.json b/packages/sso/package.json index 5c4133744c..c99cbef575 100644 --- a/packages/sso/package.json +++ b/packages/sso/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/sso", - "version": "1.6.2", + "version": "1.6.3", "description": "SSO plugin for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/stripe/CHANGELOG.md b/packages/stripe/CHANGELOG.md index 4c5c3a3ed8..bf09467d7b 100644 --- a/packages/stripe/CHANGELOG.md +++ b/packages/stripe/CHANGELOG.md 
@@ -1,5 +1,17 @@ # @better-auth/stripe +## 1.6.3 + +### Patch Changes + +- [#9164](https://github.com/better-auth/better-auth/pull/9164) [`390a031`](https://github.com/better-auth/better-auth/commit/390a03190c988776e53c5e64cf6c2f60db1c5415) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - fix(stripe): drop unsafe keys when merging user-supplied metadata + + The Stripe plugin previously merged `ctx.body.metadata` through `defu`, which was vulnerable to prototype pollution when attacker-controlled `__proto__` keys reached the second argument. Since Stripe metadata is a flat `Record`, the deep-merge was never exercised on that path. The merge now ignores `__proto__`, `constructor`, and `prototype`, so the user-controlled surface no longer depends on `defu`. The remaining `defu` call sites (deep-merging developer-supplied `CustomerCreateParams`) also receive the patched range. + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes 
diff --git a/packages/stripe/package.json b/packages/stripe/package.json index 4f07c8afc9..5f681c6912 100644 --- a/packages/stripe/package.json +++ b/packages/stripe/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/stripe", - "version": "1.6.2", + "version": "1.6.3", "description": "Stripe plugin for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/telemetry/CHANGELOG.md b/packages/telemetry/CHANGELOG.md index 032d0965a3..a7b19b2545 100644 --- a/packages/telemetry/CHANGELOG.md +++ b/packages/telemetry/CHANGELOG.md @@ -1,5 +1,12 @@ # @better-auth/telemetry +## 1.6.3 + +### Patch Changes + +- Updated dependencies []: + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/telemetry/package.json b/packages/telemetry/package.json index 70e0de7716..fe9cf454f5 100644 --- a/packages/telemetry/package.json +++ b/packages/telemetry/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/telemetry", - "version": "1.6.2", + "version": "1.6.3", "description": "Telemetry package for Better Auth", "type": "module", "license": "MIT", diff --git a/packages/test-utils/CHANGELOG.md b/packages/test-utils/CHANGELOG.md index f3c89ed330..c425c1b6fc 100644 --- a/packages/test-utils/CHANGELOG.md +++ b/packages/test-utils/CHANGELOG.md 
@@ -1,5 +1,13 @@ # @better-auth/test-utils +## 1.6.3 + +### Patch Changes + +- Updated dependencies [[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: + - better-auth@1.6.3 + - @better-auth/core@1.6.3 + ## 1.6.2 ### Patch Changes diff --git a/packages/test-utils/package.json b/packages/test-utils/package.json index ad2d0eab35..7b9cd0f7e0 100644 --- a/packages/test-utils/package.json +++ b/packages/test-utils/package.json @@ -1,6 +1,6 @@ { "name": "@better-auth/test-utils", - "version": "1.6.2", + "version": "1.6.3", "description": "Testing utilities for Better Auth adapter development", "type": "module", "license": "MIT",
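Review bot: "silently overridden" in the #9123 entry of the `packages/oauth-provider/CHANGELOG.md` hunk contradicts the paragraph that follows it, which says the registration response reports the substituted method; write "overridden (and reported back in the registration response)" so readers do not take the downgrade to be invisible. The entry should also state what a downgraded registration actually receives: because the client is stored as `token_endpoint_auth_method: "none"`, no `client_secret` or `client_secret_expires_at` should appear in the response, and such a client has to rely on PKCE at the authorization endpoint; one sentence confirming both would spare operators from reading the code to check that an unauthenticated registrant can never end up holding a usable secret.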
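Review bot: the `trustedProxyHeaders` bullet under #9131 in the `packages/oauth-provider/CHANGELOG.md` hunk keeps "default `true`, unchanged", which means `x-forwarded-host` and `x-forwarded-proto` still drive `baseURL`, and through it `issuer`, the discovery URLs and the `resource_metadata` challenge, for every deployment that has not set `advanced.trustedProxyHeaders: false`; say that plainly, tell operators who are not behind a proxy that strips inbound forwarded headers to set it now instead of waiting for the announced default flip, and reference the follow-up PR so the two changes can be found together. In the "Infer `http`" bullet the loopback list also includes `0.0.0.0`, which is a bind address rather than a host a client sends; either drop it or add why it is matched.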
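Review bot: "Standard OAuth fields (`access_token`, `token_type`, etc.) cannot be overridden" in the #9118 entry of the `packages/oauth-provider/CHANGELOG.md` hunk leaves the protected set ambiguous; list it in full (at least `access_token`, `token_type`, `expires_in`, `refresh_token`, `scope` and `id_token`) so a caller knows whether `customTokenResponseFields` can shadow `scope` or `id_token`, and state whether a colliding key is dropped or rejected with an error. The Zod paragraph should also name the HTTP status an `invalid_verification` error now returns, since "instead of potential 500s" is the only hint.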
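Review bot: the `entryPoint` bullet under #9097 in the `packages/sso/CHANGELOG.md` hunk claims `new URL()` parsing rejects `http:evil`, but the WHATWG URL parser that `new URL()` implements in Node and browsers normalizes that input to `http://evil/` without throwing (only `http//missing-colon` fails, because it carries no scheme); if the implementation really rejects it, the check must do more than `new URL()` (for example compare `href` to the input or require `//` after the scheme) and the changelog should say what, otherwise the example is wrong. Either way `new URL()` accepts any scheme, so a `javascript:` or `data:` `entryPoint` now passes where `startsWith("http")` refused it; require `protocol` to be `https:` (or `http:` for local IdPs) alongside the parse. Separately, the uppercase `error=` query values under "Behavioral changes" break any consumer matching the old lowercase codes and ship in a patch release; flag that as a breaking change at the top of the entry rather than mid-list.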
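Review bot: "also receive the patched range" in the #9164 entry of the `packages/stripe/CHANGELOG.md` hunk is ambiguous; state the `defu` version range the plugin now depends on so downstream lockfiles can be checked. On the metadata path, dropping `__proto__`, `constructor` and `prototype` is only sufficient if the merge iterates own keys (`Object.keys` or `Object.entries`), otherwise inherited keys still reach the target; and since the entry itself says Stripe metadata is a flat `Record`, the cleaner fix is to validate `ctx.body.metadata` as a flat string-to-string record at the schema boundary so nested objects never reach any merge, with the key filter kept as defence in depth. A regression test that submits `{"__proto__":{"polluted":true}}` as metadata and asserts `({}).polluted === undefined` afterwards would pin the fix.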