4244 Commits

Author	SHA1	Message	Date
better-release[bot]	9ec849ff71	chore: release v1.6.4 (#9175)	2026-04-15 13:00:42 +01:00
Gustavo Valverde	39d6af2a39	chore(adapters): require patched drizzle-orm and kysely peer versions (#9165) ... Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>	2026-04-15 11:37:50 +00:00
Gustavo Valverde	ba03fb59f4	chore(deps): bump electron and next devDependencies to patched versions (#9166)	2026-04-15 11:24:20 +00:00
Gustavo Valverde	9aed910499	fix(two-factor): revert enforcement broadening from #9122 (#9205)	2026-04-15 10:59:53 +00:00
Gautam Manchandani	acbd6ef69f	fix: honor forceAllowId UUIDs on postgres adapters (#9068) ... Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>	2026-04-14 13:05:11 +00:00
better-release[bot]	6f17bb3ebd	chore: release v1.6.3 (#9081)	2026-04-14 12:04:31 +01:00
Maxwell	9a6d4759cd	fix(client): prevent isMounted race condition causing many rps (#9078) ... Co-authored-by: Taesu <bytaesu@gmail.com> Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>	2026-04-14 09:36:59 +00:00
Gustavo Valverde	390a03190c	fix(stripe): prevent prototype pollution via user-supplied metadata (#9164)	2026-04-14 08:05:31 +00:00
Gustavo Valverde	5142e9cec5	fix(auth): harden dynamic baseURL resolution (#9131)	2026-04-14 08:01:13 +00:00
Gustavo Valverde	92256a2d0d	chore: minor review followups on recent main commits (#9163)	2026-04-14 07:22:10 +00:00
Taesu	513dabb132	fix: resolve dynamic baseURL for direct auth.api calls (#9113)	2026-04-14 06:16:53 +00:00
dependabot[bot]	504ea253ac	chore(deps-dev): bump @sveltejs/kit from 2.53.3 to 2.57.1 (#9109) ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-12 08:24:12 +00:00
Gustavo Valverde	e2e25a4954	fix(oauth-provider): graceful DCR override for unauthenticated confidential clients (#9123)	2026-04-11 15:25:06 +00:00
Byte-Biscuit	f8758975ae	fix(two-factor): updated backup codes respect storeBackupCodes option (#7231) ... Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>	2026-04-11 13:19:46 +00:00
Gustavo Valverde	484ce6a262	fix(two-factor): enforce 2FA on all sign-in paths (#9122)	2026-04-11 12:33:58 +00:00
Gustavo Valverde	314e06f0fd	feat(oauth-provider): add customTokenResponseFields and harden authorization code validation (#9118)	2026-04-11 09:54:48 +00:00
Taesu	4673c6d83c	fix(cli): handle extends and mid-path wildcards in tsconfig paths (#9032)	2026-04-10 16:26:53 +00:00
Gustavo Valverde	52c47517a2	fix(sso): unify SAML response processing and fix bugs (#9097)	2026-04-10 15:00:26 +00:00
Taesu	c5066fe5d6	fix(stripe): omit quantity for metered prices in checkout and upgrades (#8926) ... Co-authored-by: better-release[bot] <273320539+better-release[bot]@users.noreply.github.com>	2026-04-10 12:55:44 +00:00
SAI YASWANTH	684154d3d1	chore: replace z.union with z.xor for permission schemas in admin plugin (#8982) ... Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com> Co-authored-by: Taesu <bytaesu@gmail.com> Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>	2026-04-10 12:47:23 +00:00
Taesu	5f84335815	feat(stripe): support Stripe SDK v21 and v22 (#9084) ... Co-authored-by: leonardo2204 <1509421+leonardo2204@users.noreply.github.com> Co-authored-by: better-release[bot] <273320539+better-release[bot]@users.noreply.github.com>	2026-04-10 06:19:34 +00:00
Oluwatobi Mustapha	f6428d02fc	fix(open-api): correct get-session nullable schema for OAS 3.1 (#8389) ... Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com> Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>	2026-04-09 20:44:35 +00:00
Ray	6ce30cf138	fix: incorrect operationId in password reset callback endpoint (#9072) ... Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>	2026-04-09 20:13:06 +00:00
better-release[bot]	700d298e1e	chore: version packages (#9052)	2026-04-09 15:19:07 +01:00
Gustavo Valverde	4c829bf289	fix(oauth-provider): preserve multi-valued query params through prompt redirects (#9060)	2026-04-09 13:13:39 +00:00
Gustavo Valverde	b20fa424c3	fix(next-js): replace cookie probe with header-based RSC detection in nextCookies (#9059) ... Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>	2026-04-09 12:41:10 +00:00
Gustavo Valverde	608d8c3082	fix(sso): include RelayState in signed SAML AuthnRequests (#9058)	2026-04-09 12:05:02 +00:00
Dylan Vanmali	c6922dce8e	refactor(oauth-provider): reject skip_consent at schema level in DCR (#8998)	2026-04-09 11:56:29 +00:00
Rayan Salhab	5e5d3f62fc	fix(sso): normalize SAMLResponse whitespace at request boundary (#8968) ... Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>	2026-04-09 11:04:10 +00:00
Jaydeep pipaliya	2cbcb9baac	fix(oauth2): prevent cross-provider account collision in link-social callback (#8983) ... Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>	2026-04-09 10:17:42 +00:00
Maxwell	9deb7936ab	fix: cookie store strategy should verify oauth state (#8949) ... Co-authored-by: Bereket Engida <86073083+Bekacru@users.noreply.github.com> Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>	2026-04-09 09:26:36 +00:00
armful	84098432ad	feat(two-factor): include enabled 2fa methods in sign-in redirect response (#8772) ... Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>	2026-04-09 09:25:49 +00:00
armful	e78a7b120d	fix(two-factor): prevent unverified TOTP enrollment from gating sign-in (#8711) ... Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>	2026-04-09 08:48:10 +00:00
better-release[bot]	85bb710edc	chore: version packages (#9018) ... Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-08 19:22:59 +00:00
Taesu	7495830659	fix(api): restore getSession accessibility in generic Auth<O> context (#9017)	2026-04-08 17:34:12 +00:00
dependabot[bot]	8ad1995077	chore(deps): bump drizzle-orm from 0.45.1 to 0.45.2 (#9033) ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-08 07:40:52 +00:00
Jonathan Samines	2e537df5f7	fix: endpoint instrumentation to always use route template (#9023)	2026-04-08 08:41:31 +10:00
Maxwell	f61ad1cab7	fix: use INVALID_PASSWORD for all checkPassword failures (#8902)	2026-04-07 18:17:10 +00:00
Gustavo Valverde	d9b16d2551	chore: sync main to next ... chore: sync main to next	2026-04-06 16:47:42 +01:00
Taesu	141781d6fc	fix: generate session id when using secondary storage without database (#8927)	2026-04-06 14:43:47 +00:00
better-release[bot]	d666a03372	chore: exit pre-release mode for v1.6.0	2026-04-06 14:41:56 +00:00
Gustavo Valverde	29d197e688	chore: sync main to next (#8976) ... chore: sync main to next	2026-04-06 15:31:29 +01:00
Gustavo Valverde	e5091ee1e6	fix(oauth-provider): scope loss on PAR, loopback redirect matching, DCR skip_consent (#8632)	2026-04-06 14:14:39 +00:00
Gustavo Valverde	bd9bd58f87	fix(security): enforce authorization on SCIM management endpoints and normalize passkey ownership (#8843)	2026-04-06 13:47:24 +00:00
Gustavo Valverde	ee8b40d502	fix(deps): patch Dependabot security issues (#8838) ... Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-04-06 13:16:45 +00:00
Taesu	560230f751	fix(types): prevent any from collapsing base type and client inference (#8981)	2026-04-06 12:18:58 +00:00
Gustavo Valverde	dd537cbdeb	chore(oidc-provider): deprecate plugin in favor of @better-auth/oauth-provider (#8985)	2026-04-06 12:13:35 +00:00
Taesu	469eee6d84	fix(oauth): prevent double-hashing of state when storeIdentifier is hashed (#8980) ... Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>	2026-04-06 11:14:55 +00:00
Taesu	475d512376	chore: revert better-call v2 migration, downgrade to v1.3.5 (#8973)	2026-04-05 23:18:54 +00:00
better-auth-releases[bot]	73beda26f9	chore: version packages (beta) (#8945) ... Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-04 15:52:24 +00:00