better-release[bot]
c0c574ea50
chore: release v1.6.12 ( #9590 )
2026-05-29 22:28:58 +01:00
Gustavo Valverde
c5b9f93498
fix(generic-oauth): add accessTokenExpiresIn for providers that omit expires_in ( #9799 )
2026-05-29 20:49:59 +00:00
Maxwell
17cd433c66
fix(oauth-proxy): missing state-cookie skip for oauth-proxy ( #9385 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-05-29 15:06:34 +00:00
Gustavo Valverde
c92cd74162
fix: URL-encode callbackURL in verify-email links ( #9792 )
2026-05-29 08:08:42 +00:00
Taesu
2b7937fc2f
chore: bump @better-auth/utils ( #9791 )
2026-05-28 23:25:57 +00:00
Gustavo Valverde
0a7cb70647
fix(oauth): honor per-flow errorCallbackURL when state validation fails ( #9789 )
2026-05-28 23:24:40 +00:00
Gustavo Valverde
ac96316af3
fix(oauth): forward specific callback error codes via shared redirectOnError ( #9788 )
...
Co-authored-by: Gautam Manchandani <manchandanigautam@gmail.com >
2026-05-28 21:42:16 +00:00
James Jackson
a3b0c63de9
fix: accept hashed nonces for native iOS sign-in with Apple ( #8870 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-05-28 12:35:09 +00:00
reslear
33a3632731
fix: hotfix passkey handle undefined transports ( #9746 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-05-28 01:11:45 +00:00
Daniel Müller
d64174ec86
fix(oauth-provider): hide DCR endpoint unless enabled ( #9448 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-05-27 13:18:16 +00:00
Krish Garg
8401d11f43
fix(oauth-provider): serve path-prefixed issuer metadata aliases ( #9668 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-05-27 12:38:27 +00:00
Rayan Salhab
7bf5449b11
fix(oauth2): map jose token verification errors ( #9655 )
...
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com >
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-05-27 09:45:02 +00:00
Maxwell
f6bf45123f
fix(api-key): add better-call as peer dependency to fix TS4023 declaration emit ( #9759 )
2026-05-27 00:05:31 +00:00
Maxwell
85ca603eec
fix: drizzle mixed and/or ( #9756 )
2026-05-26 14:08:11 +00:00
Taesu
8907c7df9c
fix(passkey): consume challenge atomically and propagate inner verify errors ( #9622 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-05-24 23:40:52 +00:00
Taesu
83fa3695e7
feat(core): add string case conversion utilities ( #9727 )
2026-05-24 23:40:22 +00:00
Taesu
015f96bc63
fix(oauth-proxy): forward result.error verbatim in callback redirect ( #9723 )
2026-05-22 02:52:48 +00:00
Taesu
f47aa4aa96
fix(sso): url-encode error query value in OIDC callback redirect ( #9722 )
2026-05-22 02:52:32 +00:00
Taesu
43cc49c640
fix(open-api): emit unique operationIds for multi-method endpoints ( #9721 )
2026-05-22 01:16:56 +00:00
Taesu
23dbe1ad0e
fix: redirect hook rejections to errorCallbackURL across auth callback flows ( #9702 )
2026-05-22 00:14:48 +00:00
Krish Garg
5190c2658f
fix: fail fast on unsafe MySQL insert returns ( #9665 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-05-21 22:14:04 +00:00
Krish Garg
5626e1b437
fix: forward session cookie refresh headers ( #9667 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-05-21 20:17:19 +00:00
Rayan Salhab
3f8f310a0f
fix(session): preserve real session expiry during stateless cache refresh ( #8817 )
...
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com >
Co-authored-by: cyphercodes <7407177+cyphercodes@users.noreply.github.com >
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-05-21 20:12:04 +00:00
Maxwell
2d73ffff44
fix(core): respect dynamic baseURL protocol option in getTrustedOrigins ( #9644 )
...
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com >
2026-05-19 19:27:09 +00:00
Yug Bhatia
04303a92ac
fix(deps): widen Kysely peer dependency range for 0.29 support ( #9683 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-05-19 17:28:38 +00:00
Maxwell
276d67fad5
fix: build synthetic user safely without including extra fields ( #9347 )
2026-05-19 17:17:54 +00:00
Maxwell
9d91eb77f5
fix: getMigration field index order ( #9691 )
2026-05-19 16:42:19 +00:00
Taesu
f77060af3a
fix: consumeVerificationValue returns null for expired rows ( #9624 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-05-19 16:37:55 +00:00
Taesu
dcb2e6d29c
fix(cookies): percent-encode values on Cookie header serialize ( #9631 )
2026-05-19 16:35:44 +00:00
Taesu
f5e29eaf1e
fix(organization): wrap delete cascades in a transaction ( #9630 )
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
2026-05-18 21:44:09 +00:00
Taesu
a6f144ad0a
fix(client): decode escape sequences in parseJSON quoted strings ( #9617 )
2026-05-18 18:45:39 +00:00
Taesu
1d372bbab9
fix(organization): reject invitation team ids containing a comma ( #9616 )
2026-05-18 18:41:32 +00:00
Taesu
09a1d50a80
fix: tighten changeEmail config gate and encode callbackURL ( #9614 )
2026-05-18 18:40:45 +00:00
Taesu
9bd53e191c
fix(access): reject empty action lists and continue "OR" evaluation on unknown resources ( #9603 )
2026-05-18 18:40:03 +00:00
Gustavo Valverde
e637c7d8ff
fix(deps): resolve dependabot security alerts ( #9662 )
2026-05-18 01:41:47 +00:00
Gustavo Valverde
62dabf6678
fix: harden URL and Stripe escaping ( #9661 )
2026-05-17 21:25:32 +00:00
Paola Estefanía de Campos
c01b2f1321
fix(two-factor): delete session cookie cache on 2fa response ( #9639 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-05-17 16:40:50 +00:00
Maxwell
f5fcc9d37f
fix(admin): export AdminClientOptions and OrganizationClientOptions ( #9642 )
2026-05-16 02:46:57 +00:00
Taesu
160d132752
fix(kysely-adapter): report SQLite tables as non-views in introspector ( #9615 )
2026-05-16 00:18:06 +00:00
Taesu
938efee305
fix(oauth-provider): preserve colons in Basic Auth client secret ( #9601 )
2026-05-15 15:48:59 +00:00
Taesu
87f5a8fd27
fix(oauth-provider): return NOT_FOUND when consent update references a missing client ( #9600 )
2026-05-15 15:48:25 +00:00
Taesu
1b40dac22e
fix(cookies): relax Cookie separator and centralize parsing ( #9543 )
...
Co-authored-by: sbougerel <5677149+sbougerel@users.noreply.github.com >
2026-05-14 15:59:39 +00:00
Maxwell
ad9ad82496
fix(email-verification): clone request before passing to sendVerificationEmail callback ( #9619 )
2026-05-14 13:05:27 +00:00
Taesu
7a120724c5
fix(captcha): exempt /sign-in/email-otp from captcha enforcement ( #9596 )
2026-05-12 23:59:38 +00:00
Maxwell
6b44606b7d
fix(username): validate username on admin createUser endpoint ( #9464 )
2026-05-12 18:01:11 +00:00
better-release[bot]
f41514ef07
chore: release v1.6.11 ( #9532 )
2026-05-12 17:30:34 +01:00
Gustavo Valverde
699b09a206
fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject missing PKCE method ( #9575 )
2026-05-12 16:04:54 +00:00
Gustavo Valverde
b4bc65a007
Merge commit from fork
...
The `authorization_code` grant's verification step was a `findOne` + `deleteOne` pair, so two concurrent `POST /oauth2/token` requests sharing the same `code` both pass the find, both delete, and both mint independent access/refresh/id token sets: a CAS gap that lets an authorization code be redeemed twice. The legacy `oidc-provider` and `mcp` plugins in `better-auth` share the same primitive on their `authorization_code` paths and have the same gap.
All three call sites now use `internalAdapter.consumeVerificationValue` (the atomic primitive added in better-auth#9560 and renamed in better-auth#9568): the first concurrent caller receives the row and mints tokens, subsequent racers receive `null`. The consumed and expired paths return RFC 6749 §5.2 `invalid_grant` instead of the better-auth-internal `invalid_verification`, so spec-compliant clients can branch on the standard code. The redundant second `deleteVerificationByIdentifier` call after PKCE validation in the legacy paths is removed.
Closes GHSA-7w99-5wm4-3g79.
Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com >
2026-05-12 16:53:45 +01:00
Gustavo Valverde
c6918ecc9e
Merge commit from fork
...
The `authorization_code`-grant rotation in `createRefreshToken` and the explicit `revokeRefreshToken` path both updated the parent `oauthRefreshToken` row using an `id`-only predicate, so two concurrent rotations (or a rotation racing a revoke) both pass the `revoked` check and last-write-wins. Each surviving request mints a fresh refresh token, producing a forked family from one parent.
Both call sites now perform a compare-and-swap (`UPDATE ... WHERE id = ? AND revoked IS NULL`) and short-circuit with `invalid_grant` when the row was already consumed. The parent stays marked revoked, so any subsequent replay trips the existing family-invalidation guard in `handleRefreshTokenGrant`. The shared family-delete is centralized in `invalidateRefreshFamily`, which clears child access tokens before refresh rows to honor the schema's foreign-key direction; the `oauthRefreshToken.token` column also gains a `unique` constraint for parity with `oauthAccessToken.token`. Strict family invalidation on contested rotations (RFC 9700 §4.14) is tracked in a FIXME for a follow-up minor that opts into transactional rotation in the adapter contract.
Closes GHSA-392p-2q2v-4372.
Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com >
2026-05-12 16:36:32 +01:00
Gautam Manchandani
a1c9f3c08e
fix(access): preserve exact role statement types ( #9507 )
...
Signed-off-by: Gautam Manchandani <manchandanigautam@gmail.com >
2026-05-12 15:17:44 +00:00