From 84dc11bb3e183df31cbca4b5a6f930157392460c Mon Sep 17 00:00:00 2001
From: Zohaib Akber
Date: Mon, 24 Feb 2025 10:10:11 +0500
Subject: [PATCH 1/8] docs(fix): session secondary storage value for redis (#1359)
---
 docs/content/docs/concepts/database.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/content/docs/concepts/database.mdx b/docs/content/docs/concepts/database.mdx
index 54b368479b..4cf4e8725a 100644
--- a/docs/content/docs/concepts/database.mdx
+++ b/docs/content/docs/concepts/database.mdx
@@ -234,7 +234,7 @@ export const auth = betterAuth({
     secondaryStorage: {
       get: async (key) => {
         const value = await redis.get(key);
-        return value ? value : null;
+        return value ? JSON.stringify(value) : null;
       },
       set: async (key, value, ttl) => {
         if (ttl) await redis.set(key, value, { EX: ttl });
From d9c57e1f567300701706bccccdf26d50f709b0d7 Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Mon, 24 Feb 2025 12:24:36 +0300
Subject: [PATCH 2/8] fix(origin-check): exclude URLs with double slashes
---
 packages/better-auth/src/api/middlewares/origin-check.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/packages/better-auth/src/api/middlewares/origin-check.ts b/packages/better-auth/src/api/middlewares/origin-check.ts
index 08ed84a998..93e5c8ab9b 100644
--- a/packages/better-auth/src/api/middlewares/origin-check.ts
+++ b/packages/better-auth/src/api/middlewares/origin-check.ts
@@ -102,7 +102,10 @@ export const originCheck = (
     const isTrustedOrigin = trustedOrigins.some(
       (origin) =>
         matchesPattern(url, origin) ||
-        (url?.startsWith("/") && label !== "origin" && !url.includes(":")),
+        (url?.startsWith("/") &&
+          label !== "origin" &&
+          !url.includes(":") &&
+          !url.includes("//")),
     );
     if (!isTrustedOrigin) {
       ctx.context.logger.error(`Invalid ${label}: ${url}`);
From 24659aefc35a536b95ea4e5347e52c8803910153 Mon Sep 17 00:00:00 2001
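Review bot: A callback such as `/\evil.com` still satisfies the relative-path branch after this change — it starts with `/` and contains neither `:` nor `//` — yet the WHATWG URL parser used by browsers treats a backslash as a slash for http(s) URLs, so it resolves as a protocol-relative redirect to evil.com. The new `!url.includes("//")` line is at the same time broader than needed, rejecting any path with an empty segment such as `/a//b`, while missing that variant. I would check only the prefix, replacing the last two added lines with `!url.includes(":") && !/^\/[\/\\]/.test(url)),`, or at minimum add `!url.includes("\\") &&` beside the existing check. `matchesPattern` and the rest of `originCheck` are outside the hunk, so I cannot tell whether the value is normalised before it reaches this predicate.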
From: Bereket Engida
Date: Mon, 24 Feb 2025 12:25:04 +0300
Subject: [PATCH 3/8] fix(origin-check): prevent URLs with double slashes from being trusted
---
 packages/better-auth/src/api/middlewares/origin-check.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/packages/better-auth/src/api/middlewares/origin-check.ts b/packages/better-auth/src/api/middlewares/origin-check.ts
index 93e5c8ab9b..6d0a85370a 100644
--- a/packages/better-auth/src/api/middlewares/origin-check.ts
+++ b/packages/better-auth/src/api/middlewares/origin-check.ts
@@ -47,7 +47,10 @@ export const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
     const isTrustedOrigin = trustedOrigins.some(
       (origin) =>
         matchesPattern(url, origin) ||
-        (url?.startsWith("/") && label !== "origin" && !url.includes(":")),
+        (url?.startsWith("/") &&
+          label !== "origin" &&
+          !url.includes(":") &&
+          !url.includes("//")),
     );
     if (!isTrustedOrigin) {
       ctx.context.logger.error(`Invalid ${label}: ${url}`);
From 795ff4269a3200b733a09e85d38ab8f8ee390be2 Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Mon, 24 Feb 2025 12:28:41 +0300
Subject: [PATCH 4/8] test(origin-check): add test for callback URL with double slashes
---
 .../src/api/middlewares/origin-check.test.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/packages/better-auth/src/api/middlewares/origin-check.test.ts b/packages/better-auth/src/api/middlewares/origin-check.test.ts
index 79c38d68bb..ebcae1ae9e 100644
--- a/packages/better-auth/src/api/middlewares/origin-check.test.ts
+++ b/packages/better-auth/src/api/middlewares/origin-check.test.ts
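Review bot: This is the second verbatim copy of the relative-URL predicate in the same file (the other is in `originCheck`), and the two had to be patched in lockstep in consecutive commits; a single helper such as `const isSafeRelativePath = (u: string) => u.startsWith("/") && !u.includes(":") && !/^\/[\/\\]/.test(u);` called from both places would stop them drifting apart. As written the predicate still accepts `/\evil.com`, which browsers resolve as protocol-relative because a backslash is treated as a slash in http(s) URLs, so the shared helper should reject a backslash after the leading slash as well. `originCheckMiddleware` begins before and ends after this hunk.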
@@ -188,6 +188,24 @@ describe("Origin Check", async (it) => {
     expect(res.data?.user).toBeDefined();
   });

+  it("shouldn't work with callback url with double slash", async (ctx) => {
+    const client = createAuthClient({
+      baseURL: "http://localhost:3000",
+      fetchOptions: {
+        customFetchImpl,
+        headers: {
+          origin: "https://localhost:3000",
+        },
+      },
+    });
+    const res = await client.signIn.email({
+      email: testUser.email,
+      password: testUser.password,
+      callbackURL: "//evil.com",
+    });
+    expect(res.error?.status).toBe(403);
+  });
+
   it("should work with GET requests", async (ctx) => {
     const client = createAuthClient({
       baseURL: "https://sub-domain.my-site.com",
From 790a942933e551e9996c27f97b955426d3c5b410 Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Mon, 24 Feb 2025 12:28:50 +0300
Subject: [PATCH 5/8] chore: release v1.1.20-beta.4
---
 packages/better-auth/package.json | 2 +-
 packages/cli/package.json | 2 +-
 packages/expo/package.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/better-auth/package.json b/packages/better-auth/package.json
index 794b52c5c5..19ba6a917c 100644
--- a/packages/better-auth/package.json
+++ b/packages/better-auth/package.json
@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.1.20-beta.3",
+  "version": "1.1.20-beta.4",
   "description": "The most comprehensive authentication library for TypeScript.",
   "type": "module",
   "repository": {
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 4820e0aee3..95c2f6b702 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/cli",
-  "version": "1.1.20-beta.3",
+  "version": "1.1.20-beta.4",
   "description": "The CLI for Better Auth",
   "module": "dist/index.mjs",
   "repository": {
diff --git a/packages/expo/package.json b/packages/expo/package.json
index f848c15d34..db5b92417f 100644
--- a/packages/expo/package.json
+++ b/packages/expo/package.json
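Review bot: The new case pins only the literal `//evil.com` form; the backslash variant `/\evil.com`, which browsers normalise to a protocol-relative URL, is not exercised, and nothing asserts that an ordinary relative `callbackURL` such as `/dashboard` is still accepted now that the middleware is stricter. I would drive the rejection case from a list, `for (const callbackURL of ["//evil.com", "/\\evil.com"])`, expecting `403` for each, and add one positive sign-in with `callbackURL: "/dashboard"` — the backslash case will fail until the middleware itself rejects it, which is the point. The `origin` header is `https://localhost:3000` while `baseURL` is `http://localhost:3000`; this looks copied from the neighbouring tests, but the scheme mismatch is worth confirming as intended. The enclosing `describe("Origin Check", ...)` starts before and ends after this hunk.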
@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/expo",
-  "version": "1.1.20-beta.3",
+  "version": "1.1.20-beta.4",
   "description": "",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
From 1fadaeecfa6a6d4332380d29edf7856b6eb4b6a7 Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Mon, 24 Feb 2025 12:28:59 +0300
Subject: [PATCH 6/8] chore: release v1.1.20-beta.5
---
 packages/better-auth/package.json | 2 +-
 packages/cli/package.json | 2 +-
 packages/expo/package.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/better-auth/package.json b/packages/better-auth/package.json
index 19ba6a917c..cd5ed7a802 100644
--- a/packages/better-auth/package.json
+++ b/packages/better-auth/package.json
@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.1.20-beta.4",
+  "version": "1.1.20-beta.5",
   "description": "The most comprehensive authentication library for TypeScript.",
   "type": "module",
   "repository": {
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 95c2f6b702..6ef886dc77 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/cli",
-  "version": "1.1.20-beta.4",
+  "version": "1.1.20-beta.5",
   "description": "The CLI for Better Auth",
   "module": "dist/index.mjs",
   "repository": {
diff --git a/packages/expo/package.json b/packages/expo/package.json
index db5b92417f..58498c5ca4 100644
--- a/packages/expo/package.json
+++ b/packages/expo/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/expo",
-  "version": "1.1.20-beta.4",
+  "version": "1.1.20-beta.5",
   "description": "",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
From da62e635bee4fb1d0d246686dd6020f255634438 Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Mon, 24 Feb 2025 12:38:25 +0300
Subject: [PATCH 7/8] fix(session): include expiresAt in session data for HMAC verification
---
 packages/better-auth/src/api/routes/session.ts | 5 ++++-
 packages/better-auth/src/cookies/index.ts | 8 +++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/packages/better-auth/src/api/routes/session.ts b/packages/better-auth/src/api/routes/session.ts
index dd5529846a..7a7607db62 100644
--- a/packages/better-auth/src/api/routes/session.ts
+++ b/packages/better-auth/src/api/routes/session.ts
@@ -119,7 +119,10 @@ export const getSession =