Commit Graph

6933 Commits

Author SHA1 Message Date
Gustavo Valverde
b56b42a0e7 ci(workflows): harden GitHub workflow configuration (#9659) 2026-05-17 19:20:59 +00:00
Paola Estefanía de Campos
c01b2f1321 fix(two-factor): delete session cookie cache on 2fa response (#9639)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-05-17 16:40:50 +00:00
Taesu
ab5422f2f8 docs: simplify landing navbar (#9650) 2026-05-17 02:52:51 +09:00
Maxwell
f5fcc9d37f fix(admin): export AdminClientOptions and OrganizationClientOptions (#9642) 2026-05-16 02:46:57 +00:00
Roman
db4263cd3d chore: use correct auth cli (#9638)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-16 02:27:55 +00:00
Taesu
160d132752 fix(kysely-adapter): report SQLite tables as non-views in introspector (#9615) 2026-05-16 00:18:06 +00:00
Taesu
938efee305 fix(oauth-provider): preserve colons in Basic Auth client secret (#9601) 2026-05-15 15:48:59 +00:00
Taesu
87f5a8fd27 fix(oauth-provider): return NOT_FOUND when consent update references a missing client (#9600) 2026-05-15 15:48:25 +00:00
Taesu
53d4138fc6 ci(test): force native rebuild across workspace for matrix node (#9633) 2026-05-15 06:43:33 +00:00
Taesu
0699fae7ea ci(test): rebuild better-sqlite3 for each matrix node (#9623) 2026-05-14 17:37:03 +00:00
Taesu
1b40dac22e fix(cookies): relax Cookie separator and centralize parsing (#9543)
Co-authored-by: sbougerel <5677149+sbougerel@users.noreply.github.com>
2026-05-14 15:59:39 +00:00
Maxwell
ad9ad82496 fix(email-verification): clone request before passing to sendVerificationEmail callback (#9619) 2026-05-14 13:05:27 +00:00
Gautam Manchandani
95765cfedd docs: clarify 2fa sign-in enforcement scope (#9607) 2026-05-14 08:45:10 +00:00
Taesu
7a120724c5 fix(captcha): exempt /sign-in/email-otp from captcha enforcement (#9596) 2026-05-12 23:59:38 +00:00
Taesu
6290b5c3db docs(pricing): refine plan unit notation (#9602) 2026-05-12 23:46:52 +00:00
dependabot[bot]
45d7cb8ad6 chore(deps): bump next from 16.2.3 to 16.2.6 (#9580)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-05-12 23:44:51 +00:00
Taesu
c0afab040b chore(pnpm): set minimumReleaseAge to 1440 minutes (#9594) 2026-05-12 19:25:21 +00:00
Taesu
8cd6fc5136 chore: restore pnpm v11 upgrade and bump to v11.1.1 (#9541) 2026-05-12 19:12:14 +00:00
Taesu
d09128a23d chore(ci): harden release cache usage (#9588) 2026-05-12 18:13:02 +00:00
Taesu
501f27402c chore: add Dependabot configuration (#9586) 2026-05-12 18:04:31 +00:00
Maxwell
6b44606b7d fix(username): validate username on admin createUser endpoint (#9464) 2026-05-12 18:01:11 +00:00
better-release[bot]
f41514ef07 chore: release v1.6.11 (#9532) @better-auth/passkey@1.6.11 @better-auth/prisma-adapter@1.6.11 @better-auth/drizzle-adapter@1.6.11 @better-auth/electron@1.6.11 @better-auth/expo@1.6.11 @better-auth/i18n@1.6.11 @better-auth/kysely-adapter@1.6.11 @better-auth/memory-adapter@1.6.11 @better-auth/mongo-adapter@1.6.11 @better-auth/oauth-provider@1.6.11 @better-auth/core@1.6.11 @better-auth/redis-storage@1.6.11 @better-auth/api-key@1.6.11 @better-auth/scim@1.6.11 @better-auth/sso@1.6.11 @better-auth/stripe@1.6.11 @better-auth/telemetry@1.6.11 @better-auth/test-utils@1.6.11 auth@1.6.11 better-auth@1.6.11 v1.6.11 2026-05-12 17:30:34 +01:00
Gustavo Valverde
699b09a206 fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject missing PKCE method (#9575) 2026-05-12 16:04:54 +00:00
Gustavo Valverde
b4bc65a007 Merge commit from fork
The `authorization_code` grant's verification step was a `findOne` + `deleteOne` pair, so two concurrent `POST /oauth2/token` requests sharing the same `code` both pass the find, both delete, and both mint independent access/refresh/id token sets: a CAS gap that lets an authorization code be redeemed twice. The legacy `oidc-provider` and `mcp` plugins in `better-auth` share the same primitive on their `authorization_code` paths and have the same gap.

All three call sites now use `internalAdapter.consumeVerificationValue` (the atomic primitive added in better-auth#9560 and renamed in better-auth#9568): the first concurrent caller receives the row and mints tokens, subsequent racers receive `null`. The consumed and expired paths return RFC 6749 §5.2 `invalid_grant` instead of the better-auth-internal `invalid_verification`, so spec-compliant clients can branch on the standard code. The redundant second `deleteVerificationByIdentifier` call after PKCE validation in the legacy paths is removed.

Closes GHSA-7w99-5wm4-3g79.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
2026-05-12 16:53:45 +01:00
Gustavo Valverde
c6918ecc9e Merge commit from fork
The `authorization_code`-grant rotation in `createRefreshToken` and the explicit `revokeRefreshToken` path both updated the parent `oauthRefreshToken` row using an `id`-only predicate, so two concurrent rotations (or a rotation racing a revoke) both pass the `revoked` check and last-write-wins. Each surviving request mints a fresh refresh token, producing a forked family from one parent.

Both call sites now perform a compare-and-swap (`UPDATE ... WHERE id = ? AND revoked IS NULL`) and short-circuit with `invalid_grant` when the row was already consumed. The parent stays marked revoked, so any subsequent replay trips the existing family-invalidation guard in `handleRefreshTokenGrant`. The shared family-delete is centralized in `invalidateRefreshFamily`, which clears child access tokens before refresh rows to honor the schema's foreign-key direction; the `oauthRefreshToken.token` column also gains a `unique` constraint for parity with `oauthAccessToken.token`. Strict family invalidation on contested rotations (RFC 9700 §4.14) is tracked in a FIXME for a follow-up minor that opts into transactional rotation in the adapter contract.

Closes GHSA-392p-2q2v-4372.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
2026-05-12 16:36:32 +01:00
Gautam Manchandani
a1c9f3c08e fix(access): preserve exact role statement types (#9507)
Signed-off-by: Gautam Manchandani <manchandanigautam@gmail.com>
2026-05-12 15:17:44 +00:00
Maxwell
b0ef96fd8e fix: invalid instrumentation import list (#9582) 2026-05-12 15:03:15 +00:00
Gustavo Valverde
da7e50beee fix(oauth): block OAuth linking to unverified local accounts (#9578) 2026-05-12 14:20:19 +00:00
Gautam Manchandani
29599d32b5 docs: document account storeStateStrategy (#9557) 2026-05-12 13:16:23 +00:00
Gustavo Valverde
37f60cb176 fix(sso): validate user-supplied OIDC endpoint URLs at registration and update (#9574)
Co-authored-by: vaadata-poyetont <poyetont@vaadata.com>
2026-05-12 13:12:42 +00:00
Gustavo Valverde
23094a628f fix(organization): default-on requireEmailVerificationOnInvitation & extend gate to get/list (#9577) 2026-05-12 13:12:03 +00:00
Gustavo Valverde
1f2ff4215c fix(oidc-provider, mcp): authenticate confidential clients on refresh_token grant (#9576) 2026-05-12 13:09:27 +00:00
Gustavo Valverde
5f09d566a6 fix(magic-link): consume verification token atomically on verify (#9572) 2026-05-12 12:50:38 +00:00
Gustavo Valverde
2f5d91c5bb fix(scim): reject built-in provider id collisions on SCIM token issuance (#9579) 2026-05-12 12:44:41 +00:00
Gustavo Valverde
99a254a79b fix(device-authorization): bind approval to verifier session (#9573) 2026-05-12 11:40:18 +00:00
Taesu
455efb67b7 docs: add per-ip rate limit to enterprise contact form (#9570) 2026-05-12 08:16:40 +00:00
dependabot[bot]
e0f94294a5 chore(deps): bump mermaid from 11.13.0 to 11.15.0 (#9566)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>
2026-05-12 08:15:35 +00:00
Taesu
98e7e38867 test(stripe): restructure test suite with typed Stripe factories (#9542) 2026-05-12 08:06:52 +00:00
Gustavo Valverde
0cbddb8fa4 refactor(db): rename claimOne adapter primitive to consumeOne (#9568) 2026-05-12 07:44:07 +00:00
Taesu
62b8793c11 chore(deps): consolidate kysely into pnpm catalog (#9569) 2026-05-12 07:38:59 +00:00
dependabot[bot]
3bec284c4f chore(deps): bump kysely from 0.28.14 to 0.28.17 (#9567)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-05-12 06:25:23 +00:00
Gustavo Valverde
a2c0c9346e feat(db): add atomic claimOne adapter primitive (#9560) 2026-05-11 20:10:29 +00:00
Maxwell
a26333b5fb fix: cleanup sessions when deleting users (#9162)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-05-11 19:14:18 +00:00
Jarod Stewart
86765f1597 fix(sso): require org admin role to register SSO providers (#9220)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-05-11 17:04:01 +00:00
Jonathan Samines
eae63a9aff docs: add docs for infra timeout options (#9559) 2026-05-11 08:59:03 -06:00
Maxwell
ee93485499 fix: add error code to change-email-disabled (#8948) 2026-05-11 11:49:38 +00:00
Vishesh Verma
c20796fd7d chore(ci): use ubuntu-24.04 fallback runner for forks (#9544)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-11 11:07:24 +00:00
Dipan Chakraborty
142b86c43d fix(anonymous): call onLinkAccount on email verification sign-in (#9548)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-11 10:58:53 +00:00
Gustavo Valverde
e21d744987 fix(rate-limit): widen ipv6Subnet type and correct default in docs (#9545) 2026-05-11 07:04:16 +00:00
Adomas
b03998586a fix(api-key): return 429 instead of 401 when API key is rate limited (#9505)
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-05-09 20:09:43 +00:00