Commit Graph

7042 Commits

Author SHA1 Message Date
Taesu
39c2d59b34 docs: centralize font setup (#10256) 2026-06-26 22:45:44 +00:00
better-release[bot]
a90d061de7 chore: release v1.6.22 (#10245) v1.6.22 2026-06-26 13:43:23 +01:00
Gustavo Valverde
3a035e968e fix(two-factor): add account-level verification lockout (#10240) 2026-06-26 13:40:00 +01:00
Gustavo Valverde
7c126dcd1a fix(scim): scope write-path operations and honor the active attribute (#10242) 2026-06-26 12:29:00 +00:00
Gustavo Valverde
8bd43d9d83 fix(core): refuse redirects on server-side OAuth requests (#10241) 2026-06-26 12:28:17 +00:00
Gustavo Valverde
c06a56d83a fix: revoke unproven credentials on magic-link/email-OTP sign-in (#10239) 2026-06-26 13:20:07 +01:00
better-release[bot]
414169d95a chore: release v1.6.21 (#10184) v1.6.21 2026-06-26 05:52:50 +01:00
Ben Snyder
f52e1ab50b fix(device-authorization): make schema option optional under Zod v4 (#9939)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
2026-06-26 05:48:15 +01:00
Gustavo Valverde
f395c30e95 ci(release): skip pre-commit hooks for the release bot commit (#10233) 2026-06-26 05:33:13 +01:00
Maxwell
882cf9e592 fix(admin): use authoritative session reads for authorization (#10187)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 04:09:16 +00:00
Paola Estefanía de Campos
b5bec193a5 fix(oauth): apply user input rules to provider profiles (#10196)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 04:06:54 +00:00
Taesu
471f81c1ab refactor: centralize request IP resolver in core (#10216) 2026-06-26 05:05:00 +01:00
Maxwell
90d509e0b9 fix(adapter): fail closed on update misses (#10180)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 03:56:39 +00:00
Paola Estefanía de Campos
816d7f9252 fix(one-tap): apply configured Google hosted domain (hd) on the callback (#10197)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 03:56:20 +00:00
Bereket Engida
fa1e036ae7 fix(sso): validate SAML response binding against the Service Provider (#10226)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 03:07:43 +00:00
Bereket Engida
7a7a7b311a fix(sso): delete linked account rows when an SSO provider is deleted (#10224)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 03:07:21 +00:00
Bereket Engida
fcabaaffcb fix(sso): require DNS proof for every domain listed on a provider (#10227)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 02:49:15 +00:00
Bereket Engida
1a8b7ccc83 fix(sso): restrict SAML SLO POST form action to http(s) schemes (#10225)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 02:27:12 +00:00
Gustavo Valverde
1bc370aef5 fix(siwe): reject sign-in when the provided email already belongs to another account (#10228) 2026-06-26 02:21:45 +00:00
Taesu
5f86c3bed7 docs: restore lubiah community adapter (#10230) 2026-06-25 13:44:27 -07:00
Taesu
29fbcb5732 Merge commit from fork
Organization subscription actions re-derived the reference id in the handler
instead of consuming the value the middleware resolved, so an action could run
against a different organization than the one resolved for the request. The
middleware now resolves the reference id once and exposes it on the context, and
the handlers read it from there.
2026-06-25 11:21:12 -07:00
Maxwell
82cbbd6f1d docs: add missing disable-implicit-linking docs (#10218) 2026-06-25 10:59:14 +00:00
Gustavo Valverde
ae647b4abe fix(two-factor): cap verification attempts on TOTP and backup codes (#10210) 2026-06-25 06:49:09 +00:00
Taesu
5953157acf fix: harden forwarded client IP resolution (#10203)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-06-25 04:55:10 +00:00
Taesu
5af69e4b50 test: cover base path leading-prefix enforcement (#10211) 2026-06-25 00:51:21 +00:00
Taesu
e0762a127c chore: bump better-call to 1.3.7 (#10212) 2026-06-25 00:30:07 +00:00
moonevm
452bd03f74 fix(cli): increase generated BETTER_AUTH_SECRET length from 16 to 32 … (#10186)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-06-24 21:52:53 +00:00
Taesu
88409b0078 fix(oauth-proxy): reject profile callbacks with missing or expired OAuth state (#10183) 2026-06-24 19:41:43 +00:00
Taesu
b046f9ec11 fix: apply rate limits before plugin requests (#10191)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-06-24 11:51:11 +00:00
Rachit mittal
570267cd5e fix: honor disableMigration on plugin schema tables (#10198) 2026-06-24 00:19:25 +00:00
Taesu
239bcc836c fix(paypal): bind userinfo subject to verified id token subject (#10192) 2026-06-23 00:23:56 +00:00
Taesu
e7c8066cf1 docs: refine warning guidance across plugin docs (#10185) 2026-06-21 22:39:30 -07:00
Taesu
461ca6fd24 fix(username): only store valid displayUsername fallbacks as usernames (#10182) 2026-06-22 05:16:44 +00:00
moonevm
6e5f7e656b docs: fix the code block format on the Stripe plugin page (#10181) 2026-06-21 02:31:43 -07:00
moonevm
bdda5162f9 docs: remove extra spaces in documentation (#10174)
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>
2026-06-20 22:48:59 -07:00
better-release[bot]
c342f42fff chore: release v1.6.20 (#10108) v1.6.20 2026-06-19 19:42:38 -07:00
Taesu
6909ddfdf6 ci(cspell): add custom words for tracked files (#10168) 2026-06-19 19:39:22 -07:00
Taesu
0017ec0186 ci: check spelling on tracked files (#10167) 2026-06-19 19:18:54 -07:00
Roman Sirokov
58549652dd docs: fix open in markdown url (#10162) 2026-06-20 02:06:21 +00:00
Taesu
40138db6ed chore: add coverage script to adapter packages (#10158) 2026-06-19 13:48:34 -07:00
Cal
21448b1b77 fix: route account-linking logs through the configured logger (#10121)
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-06-18 22:19:18 +00:00
Khairul Haziq
fb11c98930 fix(docs): add missing mode config to Drizzle bigint codegen (#10114) 2026-06-17 22:55:41 +10:00
Wilson Angelie Tan
3965752b5a fix(i18n): i18n en fallback and i18n documentation (#9872)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-06-16 20:51:48 +00:00
Dipan Chakraborty
8ecf23817f fix(session): cap refresh cookie Max-Age at expiresIn (#9621)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-06-16 20:40:41 +00:00
stephen
930f5341d9 fix(core): declare inherited APIError props to fix ts inference error (#8734)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
2026-06-16 19:57:27 +00:00
Taesu
d032ad6088 chore(deps): update esbuild tooling resolutions (#10091) 2026-06-16 01:36:35 +00:00
Taesu
d3c9630238 chore: tune greptile review config (#10097) 2026-06-15 17:59:14 -07:00
better-release[bot]
ac4d81df74 chore: release v1.6.19 (#10034) v1.6.19 2026-06-15 17:40:36 -07:00
dependabot[bot]
cac8d2ae7b chore(deps): bump the github-actions group across 1 directory with 3 updates (#10049)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-16 00:30:29 +00:00
Taesu
91202774a8 chore: bump @better-auth/utils and better-fetch (#10090) 2026-06-16 00:21:18 +00:00