Taesu
39c2d59b34
docs: centralize font setup ( #10256 )
2026-06-26 22:45:44 +00:00
better-release[bot]
a90d061de7
chore: release v1.6.22 ( #10245 )
v1.6.22
2026-06-26 13:43:23 +01:00
Gustavo Valverde
3a035e968e
fix(two-factor): add account-level verification lockout ( #10240 )
2026-06-26 13:40:00 +01:00
Gustavo Valverde
7c126dcd1a
fix(scim): scope write-path operations and honor the active attribute ( #10242 )
2026-06-26 12:29:00 +00:00
Gustavo Valverde
8bd43d9d83
fix(core): refuse redirects on server-side OAuth requests ( #10241 )
2026-06-26 12:28:17 +00:00
Gustavo Valverde
c06a56d83a
fix: revoke unproven credentials on magic-link/email-OTP sign-in ( #10239 )
2026-06-26 13:20:07 +01:00
better-release[bot]
414169d95a
chore: release v1.6.21 ( #10184 )
v1.6.21
2026-06-26 05:52:50 +01:00
Ben Snyder
f52e1ab50b
fix(device-authorization): make schema option optional under Zod v4 ( #9939 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-06-26 05:48:15 +01:00
Gustavo Valverde
f395c30e95
ci(release): skip pre-commit hooks for the release bot commit ( #10233 )
2026-06-26 05:33:13 +01:00
Maxwell
882cf9e592
fix(admin): use authoritative session reads for authorization ( #10187 )
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 04:09:16 +00:00
Paola Estefanía de Campos
b5bec193a5
fix(oauth): apply user input rules to provider profiles ( #10196 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 04:06:54 +00:00
Taesu
471f81c1ab
refactor: centralize request IP resolver in core ( #10216 )
2026-06-26 05:05:00 +01:00
Maxwell
90d509e0b9
fix(adapter): fail closed on update misses ( #10180 )
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 03:56:39 +00:00
Paola Estefanía de Campos
816d7f9252
fix(one-tap): apply configured Google hosted domain (hd) on the callback ( #10197 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 03:56:20 +00:00
Bereket Engida
fa1e036ae7
fix(sso): validate SAML response binding against the Service Provider ( #10226 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 03:07:43 +00:00
Bereket Engida
7a7a7b311a
fix(sso): delete linked account rows when an SSO provider is deleted ( #10224 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 03:07:21 +00:00
Bereket Engida
fcabaaffcb
fix(sso): require DNS proof for every domain listed on a provider ( #10227 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 02:49:15 +00:00
Bereket Engida
1a8b7ccc83
fix(sso): restrict SAML SLO POST form action to http(s) schemes ( #10225 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 02:27:12 +00:00
Gustavo Valverde
1bc370aef5
fix(siwe): reject sign-in when the provided email already belongs to another account ( #10228 )
2026-06-26 02:21:45 +00:00
Taesu
5f86c3bed7
docs: restore lubiah community adapter ( #10230 )
2026-06-25 13:44:27 -07:00
Taesu
29fbcb5732
Merge commit from fork
...
Organization subscription actions re-derived the reference id in the handler
instead of consuming the value the middleware resolved, so an action could run
against a different organization than the one resolved for the request. The
middleware now resolves the reference id once and exposes it on the context, and
the handlers read it from there.
2026-06-25 11:21:12 -07:00
Maxwell
82cbbd6f1d
docs: add missing disable-implicit-linking docs ( #10218 )
2026-06-25 10:59:14 +00:00
Gustavo Valverde
ae647b4abe
fix(two-factor): cap verification attempts on TOTP and backup codes ( #10210 )
2026-06-25 06:49:09 +00:00
Taesu
5953157acf
fix: harden forwarded client IP resolution ( #10203 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-06-25 04:55:10 +00:00
Taesu
5af69e4b50
test: cover base path leading-prefix enforcement ( #10211 )
2026-06-25 00:51:21 +00:00
Taesu
e0762a127c
chore: bump better-call to 1.3.7 ( #10212 )
2026-06-25 00:30:07 +00:00
moonevm
452bd03f74
fix(cli): increase generated BETTER_AUTH_SECRET length from 16 to 32 … ( #10186 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-06-24 21:52:53 +00:00
Taesu
88409b0078
fix(oauth-proxy): reject profile callbacks with missing or expired OAuth state ( #10183 )
2026-06-24 19:41:43 +00:00
Taesu
b046f9ec11
fix: apply rate limits before plugin requests ( #10191 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-06-24 11:51:11 +00:00
Rachit mittal
570267cd5e
fix: honor disableMigration on plugin schema tables ( #10198 )
2026-06-24 00:19:25 +00:00
Taesu
239bcc836c
fix(paypal): bind userinfo subject to verified id token subject ( #10192 )
2026-06-23 00:23:56 +00:00
Taesu
e7c8066cf1
docs: refine warning guidance across plugin docs ( #10185 )
2026-06-21 22:39:30 -07:00
Taesu
461ca6fd24
fix(username): only store valid displayUsername fallbacks as usernames ( #10182 )
2026-06-22 05:16:44 +00:00
moonevm
6e5f7e656b
docs: fix the code block format on the Stripe plugin page ( #10181 )
2026-06-21 02:31:43 -07:00
moonevm
bdda5162f9
docs: remove extra spaces in documentation ( #10174 )
...
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com >
2026-06-20 22:48:59 -07:00
better-release[bot]
c342f42fff
chore: release v1.6.20 ( #10108 )
v1.6.20
2026-06-19 19:42:38 -07:00
Taesu
6909ddfdf6
ci(cspell): add custom words for tracked files ( #10168 )
2026-06-19 19:39:22 -07:00
Taesu
0017ec0186
ci: check spelling on tracked files ( #10167 )
2026-06-19 19:18:54 -07:00
Roman Sirokov
58549652dd
docs: fix open in markdown url ( #10162 )
2026-06-20 02:06:21 +00:00
Taesu
40138db6ed
chore: add coverage script to adapter packages ( #10158 )
2026-06-19 13:48:34 -07:00
Cal
21448b1b77
fix: route account-linking logs through the configured logger ( #10121 )
...
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
Co-authored-by: Taesu <bytaesu@gmail.com >
2026-06-18 22:19:18 +00:00
Khairul Haziq
fb11c98930
fix(docs): add missing mode config to Drizzle bigint codegen ( #10114 )
2026-06-17 22:55:41 +10:00
Wilson Angelie Tan
3965752b5a
fix(i18n): i18n en fallback and i18n documentation ( #9872 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-06-16 20:51:48 +00:00
Dipan Chakraborty
8ecf23817f
fix(session): cap refresh cookie Max-Age at expiresIn ( #9621 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-06-16 20:40:41 +00:00
stephen
930f5341d9
fix(core): declare inherited APIError props to fix ts inference error ( #8734 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-06-16 19:57:27 +00:00
Taesu
d032ad6088
chore(deps): update esbuild tooling resolutions ( #10091 )
2026-06-16 01:36:35 +00:00
Taesu
d3c9630238
chore: tune greptile review config ( #10097 )
2026-06-15 17:59:14 -07:00
better-release[bot]
ac4d81df74
chore: release v1.6.19 ( #10034 )
v1.6.19
2026-06-15 17:40:36 -07:00
dependabot[bot]
cac8d2ae7b
chore(deps): bump the github-actions group across 1 directory with 3 updates ( #10049 )
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-16 00:30:29 +00:00
Taesu
91202774a8
chore: bump @better-auth/utils and better-fetch ( #10090 )
2026-06-16 00:21:18 +00:00