github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-22 06:16:18 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity
6,850 Commits 102 Branches 1,251 Tags
56214540e24e5ade83ffbd9d9907e600431d1b7a
Commit Graph

6850 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
github-actions[bot]
56214540e2 chore: release 2026-05-19 23:54:30 +00:00
Taesu
4cbc823e69 docs: add active state to products nav tab (#9698) 2026-05-19 23:47:20 +00:00
Maxwell
2d73ffff44 fix(core): respect dynamic baseURL protocol option in getTrustedOrigins (#9644) 
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>
 2026-05-19 19:27:09 +00:00
Yug Bhatia
04303a92ac fix(deps): widen Kysely peer dependency range for 0.29 support (#9683) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
 2026-05-19 17:28:38 +00:00
Maxwell
276d67fad5 fix: build synthetic user safely without including extra fields (#9347) 2026-05-19 17:17:54 +00:00
Maxwell
9d91eb77f5 fix: getMigration field index order (#9691) 2026-05-19 16:42:19 +00:00
Maxwell
adc8d7f1af docs: microsoft base64 profile image warning (#9692) 2026-05-19 16:41:44 +00:00
Taesu
f77060af3a fix: consumeVerificationValue returns null for expired rows (#9624) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-19 16:37:55 +00:00
Taesu
dcb2e6d29c fix(cookies): percent-encode values on Cookie header serialize (#9631) 2026-05-19 16:35:44 +00:00
MonoBit
314ea2887d docs: add ton-better-auth plugin information (#9637) 2026-05-19 07:14:38 +09:00
Taesu
f5e29eaf1e fix(organization): wrap delete cascades in a transaction (#9630) 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
 2026-05-18 21:44:09 +00:00
Taesu
a6f144ad0a fix(client): decode escape sequences in parseJSON quoted strings (#9617) 2026-05-18 18:45:39 +00:00
Taesu
1d372bbab9 fix(organization): reject invitation team ids containing a comma (#9616) 2026-05-18 18:41:32 +00:00
Taesu
09a1d50a80 fix: tighten changeEmail config gate and encode callbackURL (#9614) 2026-05-18 18:40:45 +00:00
Taesu
9bd53e191c fix(access): reject empty action lists and continue "OR" evaluation on unknown resources (#9603) 2026-05-18 18:40:03 +00:00
Gustavo Valverde
e637c7d8ff fix(deps): resolve dependabot security alerts (#9662) 2026-05-18 01:41:47 +00:00
Gustavo Valverde
62dabf6678 fix: harden URL and Stripe escaping (#9661) 2026-05-17 21:25:32 +00:00
Gustavo Valverde
b56b42a0e7 ci(workflows): harden GitHub workflow configuration (#9659) 2026-05-17 19:20:59 +00:00
Paola Estefanía de Campos
c01b2f1321 fix(two-factor): delete session cookie cache on 2fa response (#9639) 
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
 2026-05-17 16:40:50 +00:00
Taesu
ab5422f2f8 docs: simplify landing navbar (#9650) 2026-05-17 02:52:51 +09:00
Maxwell
f5fcc9d37f fix(admin): export AdminClientOptions and OrganizationClientOptions (#9642) 2026-05-16 02:46:57 +00:00
Roman
db4263cd3d chore: use correct auth cli (#9638) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-16 02:27:55 +00:00
Taesu
160d132752 fix(kysely-adapter): report SQLite tables as non-views in introspector (#9615) 2026-05-16 00:18:06 +00:00
Taesu
938efee305 fix(oauth-provider): preserve colons in Basic Auth client secret (#9601) 2026-05-15 15:48:59 +00:00
Taesu
87f5a8fd27 fix(oauth-provider): return NOT_FOUND when consent update references a missing client (#9600) 2026-05-15 15:48:25 +00:00
Taesu
53d4138fc6 ci(test): force native rebuild across workspace for matrix node (#9633) 2026-05-15 06:43:33 +00:00
Taesu
0699fae7ea ci(test): rebuild better-sqlite3 for each matrix node (#9623) 2026-05-14 17:37:03 +00:00
Taesu
1b40dac22e fix(cookies): relax Cookie separator and centralize parsing (#9543) 
Co-authored-by: sbougerel <5677149+sbougerel@users.noreply.github.com>
 2026-05-14 15:59:39 +00:00
Maxwell
ad9ad82496 fix(email-verification): clone request before passing to sendVerificationEmail callback (#9619) 2026-05-14 13:05:27 +00:00
Gautam Manchandani
95765cfedd docs: clarify 2fa sign-in enforcement scope (#9607) 2026-05-14 08:45:10 +00:00
Taesu
7a120724c5 fix(captcha): exempt /sign-in/email-otp from captcha enforcement (#9596) 2026-05-12 23:59:38 +00:00
Taesu
6290b5c3db docs(pricing): refine plan unit notation (#9602) 2026-05-12 23:46:52 +00:00
dependabot[bot]
45d7cb8ad6 chore(deps): bump next from 16.2.3 to 16.2.6 (#9580) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
 2026-05-12 23:44:51 +00:00
Taesu
c0afab040b chore(pnpm): set minimumReleaseAge to 1440 minutes (#9594) 2026-05-12 19:25:21 +00:00
Taesu
8cd6fc5136 chore: restore pnpm v11 upgrade and bump to v11.1.1 (#9541) 2026-05-12 19:12:14 +00:00
Taesu
d09128a23d chore(ci): harden release cache usage (#9588) 2026-05-12 18:13:02 +00:00
Taesu
501f27402c chore: add Dependabot configuration (#9586) 2026-05-12 18:04:31 +00:00
Maxwell
6b44606b7d fix(username): validate username on admin createUser endpoint (#9464) 2026-05-12 18:01:11 +00:00
better-release[bot]
f41514ef07 chore: release v1.6.11 (#9532) @better-auth/passkey@1.6.11 @better-auth/prisma-adapter@1.6.11 @better-auth/drizzle-adapter@1.6.11 @better-auth/electron@1.6.11 @better-auth/expo@1.6.11 @better-auth/i18n@1.6.11 @better-auth/kysely-adapter@1.6.11 @better-auth/memory-adapter@1.6.11 @better-auth/mongo-adapter@1.6.11 @better-auth/oauth-provider@1.6.11 @better-auth/core@1.6.11 @better-auth/redis-storage@1.6.11 @better-auth/api-key@1.6.11 @better-auth/scim@1.6.11 @better-auth/sso@1.6.11 @better-auth/stripe@1.6.11 @better-auth/telemetry@1.6.11 @better-auth/test-utils@1.6.11 auth@1.6.11 better-auth@1.6.11 v1.6.11 2026-05-12 17:30:34 +01:00
Gustavo Valverde
699b09a206 fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject missing PKCE method (#9575) 2026-05-12 16:04:54 +00:00
Gustavo Valverde
b4bc65a007 Merge commit from fork 
The `authorization_code` grant's verification step was a `findOne` + `deleteOne` pair, so two concurrent `POST /oauth2/token` requests sharing the same `code` both pass the find, both delete, and both mint independent access/refresh/id token sets: a CAS gap that lets an authorization code be redeemed twice. The legacy `oidc-provider` and `mcp` plugins in `better-auth` share the same primitive on their `authorization_code` paths and have the same gap.

All three call sites now use `internalAdapter.consumeVerificationValue` (the atomic primitive added in better-auth#9560 and renamed in better-auth#9568): the first concurrent caller receives the row and mints tokens, subsequent racers receive `null`. The consumed and expired paths return RFC 6749 §5.2 `invalid_grant` instead of the better-auth-internal `invalid_verification`, so spec-compliant clients can branch on the standard code. The redundant second `deleteVerificationByIdentifier` call after PKCE validation in the legacy paths is removed.

Closes GHSA-7w99-5wm4-3g79.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
 2026-05-12 16:53:45 +01:00
Gustavo Valverde
c6918ecc9e Merge commit from fork 
The `authorization_code`-grant rotation in `createRefreshToken` and the explicit `revokeRefreshToken` path both updated the parent `oauthRefreshToken` row using an `id`-only predicate, so two concurrent rotations (or a rotation racing a revoke) both pass the `revoked` check and last-write-wins. Each surviving request mints a fresh refresh token, producing a forked family from one parent.

Both call sites now perform a compare-and-swap (`UPDATE ... WHERE id = ? AND revoked IS NULL`) and short-circuit with `invalid_grant` when the row was already consumed. The parent stays marked revoked, so any subsequent replay trips the existing family-invalidation guard in `handleRefreshTokenGrant`. The shared family-delete is centralized in `invalidateRefreshFamily`, which clears child access tokens before refresh rows to honor the schema's foreign-key direction; the `oauthRefreshToken.token` column also gains a `unique` constraint for parity with `oauthAccessToken.token`. Strict family invalidation on contested rotations (RFC 9700 §4.14) is tracked in a FIXME for a follow-up minor that opts into transactional rotation in the adapter contract.

Closes GHSA-392p-2q2v-4372.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
 2026-05-12 16:36:32 +01:00
Gautam Manchandani
a1c9f3c08e fix(access): preserve exact role statement types (#9507) 
Signed-off-by: Gautam Manchandani <manchandanigautam@gmail.com>
 2026-05-12 15:17:44 +00:00
Maxwell
b0ef96fd8e fix: invalid instrumentation import list (#9582) 2026-05-12 15:03:15 +00:00
Gustavo Valverde
da7e50beee fix(oauth): block OAuth linking to unverified local accounts (#9578) 2026-05-12 14:20:19 +00:00
Gautam Manchandani
29599d32b5 docs: document account storeStateStrategy (#9557) 2026-05-12 13:16:23 +00:00
Gustavo Valverde
37f60cb176 fix(sso): validate user-supplied OIDC endpoint URLs at registration and update (#9574) 
Co-authored-by: vaadata-poyetont <poyetont@vaadata.com>
 2026-05-12 13:12:42 +00:00
Gustavo Valverde
23094a628f fix(organization): default-on requireEmailVerificationOnInvitation & extend gate to get/list (#9577) 2026-05-12 13:12:03 +00:00
Gustavo Valverde
1f2ff4215c fix(oidc-provider, mcp): authenticate confidential clients on refresh_token grant (#9576) 2026-05-12 13:09:27 +00:00
Gustavo Valverde
5f09d566a6 fix(magic-link): consume verification token atomically on verify (#9572) 2026-05-12 12:50:38 +00:00