Commit Graph

138 Commits

Author SHA1 Message Date
better-release[bot]
1a3c8c478a chore: release v1.6.16 (#9958) 2026-06-09 22:32:25 -07:00
Bereket Engida
cb1cbfa4cc fix: address bug findings across packages (#9974) 2026-06-09 19:46:12 -07:00
better-release[bot]
03e0e36a98 chore: release v1.6.15 (#9886) 2026-06-08 06:57:06 -07:00
Gustavo Valverde
fe9600bc07 feat(oauth-provider): accept POST on the userinfo endpoint (#9937) 2026-06-07 21:09:27 -07:00
Gustavo Valverde
b0ddfd3433 fix(oauth-provider): run configured hooks when authorize resumes (#9919)
Co-authored-by: Gautam Manchandani <manchandanigautam@gmail.com>
2026-06-07 14:43:47 -07:00
better-release[bot]
5038d41ca2 chore: release v1.6.14 (#9846) 2026-06-02 16:56:28 -04:00
better-release[bot]
a6f38c72ee chore: release v1.6.13 (#9804) 2026-05-31 12:41:17 +01:00
Gustavo Valverde
17ab66c3a4 fix(oauth-provider): enforce clientPrivileges on dynamic client registration (#9837) 2026-05-31 11:02:27 +00:00
Gustavo Valverde
be32012ca3 fix(oauth): validate redirect_uri schemes in oidc-provider and mcp (#9838) 2026-05-31 11:38:52 +01:00
better-release[bot]
c0c574ea50 chore: release v1.6.12 (#9590) 2026-05-29 22:28:58 +01:00
Daniel Müller
d64174ec86 fix(oauth-provider): hide DCR endpoint unless enabled (#9448)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-05-27 13:18:16 +00:00
Krish Garg
8401d11f43 fix(oauth-provider): serve path-prefixed issuer metadata aliases (#9668)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-05-27 12:38:27 +00:00
Taesu
f77060af3a fix: consumeVerificationValue returns null for expired rows (#9624)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-19 16:37:55 +00:00
Taesu
938efee305 fix(oauth-provider): preserve colons in Basic Auth client secret (#9601) 2026-05-15 15:48:59 +00:00
Taesu
87f5a8fd27 fix(oauth-provider): return NOT_FOUND when consent update references a missing client (#9600) 2026-05-15 15:48:25 +00:00
better-release[bot]
f41514ef07 chore: release v1.6.11 (#9532) 2026-05-12 17:30:34 +01:00
Gustavo Valverde
b4bc65a007 Merge commit from fork
The `authorization_code` grant's verification step was a `findOne` + `deleteOne` pair, so two concurrent `POST /oauth2/token` requests sharing the same `code` both pass the find, both delete, and both mint independent access/refresh/id token sets: a CAS gap that lets an authorization code be redeemed twice. The legacy `oidc-provider` and `mcp` plugins in `better-auth` share the same primitive on their `authorization_code` paths and have the same gap.

All three call sites now use `internalAdapter.consumeVerificationValue` (the atomic primitive added in better-auth#9560 and renamed in better-auth#9568): the first concurrent caller receives the row and mints tokens, subsequent racers receive `null`. The consumed and expired paths return RFC 6749 §5.2 `invalid_grant` instead of the better-auth-internal `invalid_verification`, so spec-compliant clients can branch on the standard code. The redundant second `deleteVerificationByIdentifier` call after PKCE validation in the legacy paths is removed.

Closes GHSA-7w99-5wm4-3g79.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
2026-05-12 16:53:45 +01:00
Gustavo Valverde
c6918ecc9e Merge commit from fork
The `authorization_code`-grant rotation in `createRefreshToken` and the explicit `revokeRefreshToken` path both updated the parent `oauthRefreshToken` row using an `id`-only predicate, so two concurrent rotations (or a rotation racing a revoke) both pass the `revoked` check and last-write-wins. Each surviving request mints a fresh refresh token, producing a forked family from one parent.

Both call sites now perform a compare-and-swap (`UPDATE ... WHERE id = ? AND revoked IS NULL`) and short-circuit with `invalid_grant` when the row was already consumed. The parent stays marked revoked, so any subsequent replay trips the existing family-invalidation guard in `handleRefreshTokenGrant`. The shared family-delete is centralized in `invalidateRefreshFamily`, which clears child access tokens before refresh rows to honor the schema's foreign-key direction; the `oauthRefreshToken.token` column also gains a `unique` constraint for parity with `oauthAccessToken.token`. Strict family invalidation on contested rotations (RFC 9700 §4.14) is tracked in a FIXME for a follow-up minor that opts into transactional rotation in the adapter contract.

Closes GHSA-392p-2q2v-4372.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
2026-05-12 16:36:32 +01:00
Gustavo Valverde
da7e50beee fix(oauth): block OAuth linking to unverified local accounts (#9578) 2026-05-12 14:20:19 +00:00
better-release[bot]
cbb5014cdf chore: release v1.6.10 (#9350)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-05-09 14:31:47 +00:00
Rachel Chen
f7bc1c7349 fix(oauth-provider): index OAuth foreign keys (#9389)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-06 05:22:28 +00:00
Rayan Salhab
d427d1dba9 fix(oauth-provider): export declaration helper types (#9406)
Co-authored-by: cyphercodes <7407177+cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-06 05:20:44 +00:00
Dylan Vanmali
6b03a45a14 chore(oauth-provider): correct optional typing for refreshToken sessionId field (#9324)
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-05-03 19:12:23 +00:00
Gustavo Valverde
408a3076bd fix(oauth-provider): honor prompt=login across consent continuation (#9344) 2026-04-27 08:49:55 +00:00
better-release[bot]
f484269228 chore: release v1.6.9 (#9341) 2026-04-24 06:25:08 +01:00
better-release[bot]
b289ac6c4b chore: release v1.6.8 (#9316) 2026-04-23 11:31:03 +01:00
Gustavo Valverde
8e3cc3453c fix(oauth-provider): accept authorization flows without state (#9328) 2026-04-23 07:00:05 +00:00
better-release[bot]
f8076d141a chore: release v1.6.7 (#9289) 2026-04-22 12:36:30 +01:00
Tanish Valesha
4e0e6e1fd3 fix(oauth-provider): userinfo Authorization from ctx.headers for auth.api (#9244)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-04-22 09:20:54 +00:00
better-release[bot]
0290077760 chore: release v1.6.6 (#9222) 2026-04-21 17:42:18 +01:00
Gustavo Valverde
e64ff720fb fix: unify host classification and close SSRF gaps across packages (#9226) 2026-04-17 23:25:25 +00:00
better-release[bot]
c8a91f4167 chore: release v1.6.5 (#9209) 2026-04-16 11:05:30 +01:00
Daniel Müller
5b900a2b43 Merge commit from fork
* Add tests reproducing GHSA-xr8f-h2gw-9xh6

* Fix GHSA-xr8f-h2gw-9xh6

* Move clientPrivilege assertion to shared helper

* chore: add oauth-provider changeset for GHSA-xr8f-h2gw-9xh6

---------

Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-04-16 10:52:33 +01:00
better-release[bot]
9ec849ff71 chore: release v1.6.4 (#9175) 2026-04-15 13:00:42 +01:00
better-release[bot]
6f17bb3ebd chore: release v1.6.3 (#9081) 2026-04-14 12:04:31 +01:00
Gustavo Valverde
5142e9cec5 fix(auth): harden dynamic baseURL resolution (#9131) 2026-04-14 08:01:13 +00:00
Gustavo Valverde
e2e25a4954 fix(oauth-provider): graceful DCR override for unauthenticated confidential clients (#9123) 2026-04-11 15:25:06 +00:00
Gustavo Valverde
314e06f0fd feat(oauth-provider): add customTokenResponseFields and harden authorization code validation (#9118) 2026-04-11 09:54:48 +00:00
better-release[bot]
700d298e1e chore: version packages (#9052) 2026-04-09 15:19:07 +01:00
Gustavo Valverde
4c829bf289 fix(oauth-provider): preserve multi-valued query params through prompt redirects (#9060) 2026-04-09 13:13:39 +00:00
Dylan Vanmali
c6922dce8e refactor(oauth-provider): reject skip_consent at schema level in DCR (#8998) 2026-04-09 11:56:29 +00:00
better-release[bot]
85bb710edc chore: version packages (#9018)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-08 19:22:59 +00:00
better-release[bot]
d666a03372 chore: exit pre-release mode for v1.6.0 2026-04-06 14:41:56 +00:00
Gustavo Valverde
29d197e688 chore: sync main to next (#8976)
chore: sync main to next
2026-04-06 15:31:29 +01:00
Gustavo Valverde
e5091ee1e6 fix(oauth-provider): scope loss on PAR, loopback redirect matching, DCR skip_consent (#8632) 2026-04-06 14:14:39 +00:00
better-auth-releases[bot]
73beda26f9 chore: version packages (beta) (#8945)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-04-04 15:52:24 +00:00
Gustavo Valverde
1eec2e8090 chore: use caret ranges for internal peerDependencies (#8937) 2026-04-03 19:05:37 +00:00
Gustavo Valverde
77ead28455 chore: reset package versions to 1.5.6 (#8930) 2026-04-03 10:57:28 +00:00
Gustavo Valverde
e089ce127d chore(knip): fix CI blind spots and remove dead code (#8888) 2026-04-02 19:28:30 +00:00
Gautam Manchandani
c83a6c22ea fix(oauth-provider): enforce DB-backed sessions with secondary storage (#8894)
Signed-off-by: Gautam Manchandani <manchandanigautam@gmail.com>
2026-04-02 10:20:48 +00:00