Gustavo Valverde
b56b42a0e7
ci(workflows): harden GitHub workflow configuration ( #9659 )
2026-05-17 19:20:59 +00:00
Paola Estefanía de Campos
c01b2f1321
fix(two-factor): delete session cookie cache on 2fa response ( #9639 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-05-17 16:40:50 +00:00
Taesu
ab5422f2f8
docs: simplify landing navbar ( #9650 )
2026-05-17 02:52:51 +09:00
Maxwell
f5fcc9d37f
fix(admin): export AdminClientOptions and OrganizationClientOptions ( #9642 )
2026-05-16 02:46:57 +00:00
Roman
db4263cd3d
chore: use correct auth cli ( #9638 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-05-16 02:27:55 +00:00
Taesu
160d132752
fix(kysely-adapter): report SQLite tables as non-views in introspector ( #9615 )
2026-05-16 00:18:06 +00:00
Taesu
938efee305
fix(oauth-provider): preserve colons in Basic Auth client secret ( #9601 )
2026-05-15 15:48:59 +00:00
Taesu
87f5a8fd27
fix(oauth-provider): return NOT_FOUND when consent update references a missing client ( #9600 )
2026-05-15 15:48:25 +00:00
Taesu
53d4138fc6
ci(test): force native rebuild across workspace for matrix node ( #9633 )
2026-05-15 06:43:33 +00:00
Taesu
0699fae7ea
ci(test): rebuild better-sqlite3 for each matrix node ( #9623 )
2026-05-14 17:37:03 +00:00
Taesu
1b40dac22e
fix(cookies): relax Cookie separator and centralize parsing ( #9543 )
...
Co-authored-by: sbougerel <5677149+sbougerel@users.noreply.github.com >
2026-05-14 15:59:39 +00:00
Maxwell
ad9ad82496
fix(email-verification): clone request before passing to sendVerificationEmail callback ( #9619 )
2026-05-14 13:05:27 +00:00
Gautam Manchandani
95765cfedd
docs: clarify 2fa sign-in enforcement scope ( #9607 )
2026-05-14 08:45:10 +00:00
Taesu
7a120724c5
fix(captcha): exempt /sign-in/email-otp from captcha enforcement ( #9596 )
2026-05-12 23:59:38 +00:00
Taesu
6290b5c3db
docs(pricing): refine plan unit notation ( #9602 )
2026-05-12 23:46:52 +00:00
dependabot[bot]
45d7cb8ad6
chore(deps): bump next from 16.2.3 to 16.2.6 ( #9580 )
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com >
Co-authored-by: Taesu <bytaesu@gmail.com >
2026-05-12 23:44:51 +00:00
Taesu
c0afab040b
chore(pnpm): set minimumReleaseAge to 1440 minutes ( #9594 )
2026-05-12 19:25:21 +00:00
Taesu
8cd6fc5136
chore: restore pnpm v11 upgrade and bump to v11.1.1 ( #9541 )
2026-05-12 19:12:14 +00:00
Taesu
d09128a23d
chore(ci): harden release cache usage ( #9588 )
2026-05-12 18:13:02 +00:00
Taesu
501f27402c
chore: add Dependabot configuration ( #9586 )
2026-05-12 18:04:31 +00:00
Maxwell
6b44606b7d
fix(username): validate username on admin createUser endpoint ( #9464 )
2026-05-12 18:01:11 +00:00
better-release[bot]
f41514ef07
chore: release v1.6.11 ( #9532 )
@better-auth/passkey@1.6.11
@better-auth/prisma-adapter@1.6.11
@better-auth/drizzle-adapter@1.6.11
@better-auth/electron@1.6.11
@better-auth/expo@1.6.11
@better-auth/i18n@1.6.11
@better-auth/kysely-adapter@1.6.11
@better-auth/memory-adapter@1.6.11
@better-auth/mongo-adapter@1.6.11
@better-auth/oauth-provider@1.6.11
@better-auth/core@1.6.11
@better-auth/redis-storage@1.6.11
@better-auth/api-key@1.6.11
@better-auth/scim@1.6.11
@better-auth/sso@1.6.11
@better-auth/stripe@1.6.11
@better-auth/telemetry@1.6.11
@better-auth/test-utils@1.6.11
auth@1.6.11
better-auth@1.6.11
v1.6.11
2026-05-12 17:30:34 +01:00
Gustavo Valverde
699b09a206
fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject missing PKCE method ( #9575 )
2026-05-12 16:04:54 +00:00
Gustavo Valverde
b4bc65a007
Merge commit from fork
...
The `authorization_code` grant's verification step was a `findOne` + `deleteOne` pair, so two concurrent `POST /oauth2/token` requests sharing the same `code` both pass the find, both delete, and both mint independent access/refresh/id token sets: a CAS gap that lets an authorization code be redeemed twice. The legacy `oidc-provider` and `mcp` plugins in `better-auth` share the same primitive on their `authorization_code` paths and have the same gap.
All three call sites now use `internalAdapter.consumeVerificationValue` (the atomic primitive added in better-auth#9560 and renamed in better-auth#9568): the first concurrent caller receives the row and mints tokens, subsequent racers receive `null`. The consumed and expired paths return RFC 6749 §5.2 `invalid_grant` instead of the better-auth-internal `invalid_verification`, so spec-compliant clients can branch on the standard code. The redundant second `deleteVerificationByIdentifier` call after PKCE validation in the legacy paths is removed.
Closes GHSA-7w99-5wm4-3g79.
Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com >
2026-05-12 16:53:45 +01:00
Gustavo Valverde
c6918ecc9e
Merge commit from fork
...
The `authorization_code`-grant rotation in `createRefreshToken` and the explicit `revokeRefreshToken` path both updated the parent `oauthRefreshToken` row using an `id`-only predicate, so two concurrent rotations (or a rotation racing a revoke) both pass the `revoked` check and last-write-wins. Each surviving request mints a fresh refresh token, producing a forked family from one parent.
Both call sites now perform a compare-and-swap (`UPDATE ... WHERE id = ? AND revoked IS NULL`) and short-circuit with `invalid_grant` when the row was already consumed. The parent stays marked revoked, so any subsequent replay trips the existing family-invalidation guard in `handleRefreshTokenGrant`. The shared family-delete is centralized in `invalidateRefreshFamily`, which clears child access tokens before refresh rows to honor the schema's foreign-key direction; the `oauthRefreshToken.token` column also gains a `unique` constraint for parity with `oauthAccessToken.token`. Strict family invalidation on contested rotations (RFC 9700 §4.14) is tracked in a FIXME for a follow-up minor that opts into transactional rotation in the adapter contract.
Closes GHSA-392p-2q2v-4372.
Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com >
2026-05-12 16:36:32 +01:00
Gautam Manchandani
a1c9f3c08e
fix(access): preserve exact role statement types ( #9507 )
...
Signed-off-by: Gautam Manchandani <manchandanigautam@gmail.com >
2026-05-12 15:17:44 +00:00
Maxwell
b0ef96fd8e
fix: invalid instrumentation import list ( #9582 )
2026-05-12 15:03:15 +00:00
Gustavo Valverde
da7e50beee
fix(oauth): block OAuth linking to unverified local accounts ( #9578 )
2026-05-12 14:20:19 +00:00
Gautam Manchandani
29599d32b5
docs: document account storeStateStrategy ( #9557 )
2026-05-12 13:16:23 +00:00
Gustavo Valverde
37f60cb176
fix(sso): validate user-supplied OIDC endpoint URLs at registration and update ( #9574 )
...
Co-authored-by: vaadata-poyetont <poyetont@vaadata.com >
2026-05-12 13:12:42 +00:00
Gustavo Valverde
23094a628f
fix(organization): default-on requireEmailVerificationOnInvitation & extend gate to get/list ( #9577 )
2026-05-12 13:12:03 +00:00
Gustavo Valverde
1f2ff4215c
fix(oidc-provider, mcp): authenticate confidential clients on refresh_token grant ( #9576 )
2026-05-12 13:09:27 +00:00
Gustavo Valverde
5f09d566a6
fix(magic-link): consume verification token atomically on verify ( #9572 )
2026-05-12 12:50:38 +00:00
Gustavo Valverde
2f5d91c5bb
fix(scim): reject built-in provider id collisions on SCIM token issuance ( #9579 )
2026-05-12 12:44:41 +00:00
Gustavo Valverde
99a254a79b
fix(device-authorization): bind approval to verifier session ( #9573 )
2026-05-12 11:40:18 +00:00
Taesu
455efb67b7
docs: add per-ip rate limit to enterprise contact form ( #9570 )
2026-05-12 08:16:40 +00:00
dependabot[bot]
e0f94294a5
chore(deps): bump mermaid from 11.13.0 to 11.15.0 ( #9566 )
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com >
2026-05-12 08:15:35 +00:00
Taesu
98e7e38867
test(stripe): restructure test suite with typed Stripe factories ( #9542 )
2026-05-12 08:06:52 +00:00
Gustavo Valverde
0cbddb8fa4
refactor(db): rename claimOne adapter primitive to consumeOne ( #9568 )
2026-05-12 07:44:07 +00:00
Taesu
62b8793c11
chore(deps): consolidate kysely into pnpm catalog ( #9569 )
2026-05-12 07:38:59 +00:00
dependabot[bot]
3bec284c4f
chore(deps): bump kysely from 0.28.14 to 0.28.17 ( #9567 )
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taesu <bytaesu@gmail.com >
2026-05-12 06:25:23 +00:00
Gustavo Valverde
a2c0c9346e
feat(db): add atomic claimOne adapter primitive ( #9560 )
2026-05-11 20:10:29 +00:00
Maxwell
a26333b5fb
fix: cleanup sessions when deleting users ( #9162 )
...
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-05-11 19:14:18 +00:00
Jarod Stewart
86765f1597
fix(sso): require org admin role to register SSO providers ( #9220 )
...
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-05-11 17:04:01 +00:00
Jonathan Samines
eae63a9aff
docs: add docs for infra timeout options ( #9559 )
2026-05-11 08:59:03 -06:00
Maxwell
ee93485499
fix: add error code to change-email-disabled ( #8948 )
2026-05-11 11:49:38 +00:00
Vishesh Verma
c20796fd7d
chore(ci): use ubuntu-24.04 fallback runner for forks ( #9544 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-05-11 11:07:24 +00:00
Dipan Chakraborty
142b86c43d
fix(anonymous): call onLinkAccount on email verification sign-in ( #9548 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-05-11 10:58:53 +00:00
Gustavo Valverde
e21d744987
fix(rate-limit): widen ipv6Subnet type and correct default in docs ( #9545 )
2026-05-11 07:04:16 +00:00
Adomas
b03998586a
fix(api-key): return 429 instead of 401 when API key is rate limited ( #9505 )
...
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com >
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com >
Co-authored-by: Taesu <bytaesu@gmail.com >
2026-05-09 20:09:43 +00:00