github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-22 22:32:01 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity
6,812 Commits 102 Branches 1,251 Tags
@better-auth/telemetry@1.6.11
Commit Graph

170 Commits

Author SHA1 Message Date
better-release[bot]
f41514ef07 chore: release v1.6.11 (#9532) 2026-05-12 17:30:34 +01:00
Gustavo Valverde
699b09a206 fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject missing PKCE method (#9575) 2026-05-12 16:04:54 +00:00
Gustavo Valverde
b4bc65a007 Merge commit from fork 
The `authorization_code` grant's verification step was a `findOne` + `deleteOne` pair, so two concurrent `POST /oauth2/token` requests sharing the same `code` both pass the find, both delete, and both mint independent access/refresh/id token sets: a CAS gap that lets an authorization code be redeemed twice. The legacy `oidc-provider` and `mcp` plugins in `better-auth` share the same primitive on their `authorization_code` paths and have the same gap.

All three call sites now use `internalAdapter.consumeVerificationValue` (the atomic primitive added in better-auth#9560 and renamed in better-auth#9568): the first concurrent caller receives the row and mints tokens, subsequent racers receive `null`. The consumed and expired paths return RFC 6749 §5.2 `invalid_grant` instead of the better-auth-internal `invalid_verification`, so spec-compliant clients can branch on the standard code. The redundant second `deleteVerificationByIdentifier` call after PKCE validation in the legacy paths is removed.

Closes GHSA-7w99-5wm4-3g79.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
 2026-05-12 16:53:45 +01:00
Gustavo Valverde
c6918ecc9e Merge commit from fork 
The `authorization_code`-grant rotation in `createRefreshToken` and the explicit `revokeRefreshToken` path both updated the parent `oauthRefreshToken` row using an `id`-only predicate, so two concurrent rotations (or a rotation racing a revoke) both pass the `revoked` check and last-write-wins. Each surviving request mints a fresh refresh token, producing a forked family from one parent.

Both call sites now perform a compare-and-swap (`UPDATE ... WHERE id = ? AND revoked IS NULL`) and short-circuit with `invalid_grant` when the row was already consumed. The parent stays marked revoked, so any subsequent replay trips the existing family-invalidation guard in `handleRefreshTokenGrant`. The shared family-delete is centralized in `invalidateRefreshFamily`, which clears child access tokens before refresh rows to honor the schema's foreign-key direction; the `oauthRefreshToken.token` column also gains a `unique` constraint for parity with `oauthAccessToken.token`. Strict family invalidation on contested rotations (RFC 9700 §4.14) is tracked in a FIXME for a follow-up minor that opts into transactional rotation in the adapter contract.

Closes GHSA-392p-2q2v-4372.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
 2026-05-12 16:36:32 +01:00
Gautam Manchandani
a1c9f3c08e fix(access): preserve exact role statement types (#9507) 
Signed-off-by: Gautam Manchandani <manchandanigautam@gmail.com>
 2026-05-12 15:17:44 +00:00
Maxwell
b0ef96fd8e fix: invalid instrumentation import list (#9582) 2026-05-12 15:03:15 +00:00
Gustavo Valverde
da7e50beee fix(oauth): block OAuth linking to unverified local accounts (#9578) 2026-05-12 14:20:19 +00:00
Gustavo Valverde
37f60cb176 fix(sso): validate user-supplied OIDC endpoint URLs at registration and update (#9574) 
Co-authored-by: vaadata-poyetont <poyetont@vaadata.com>
 2026-05-12 13:12:42 +00:00
Gustavo Valverde
23094a628f fix(organization): default-on requireEmailVerificationOnInvitation & extend gate to get/list (#9577) 2026-05-12 13:12:03 +00:00
Gustavo Valverde
1f2ff4215c fix(oidc-provider, mcp): authenticate confidential clients on refresh_token grant (#9576) 2026-05-12 13:09:27 +00:00
Gustavo Valverde
5f09d566a6 fix(magic-link): consume verification token atomically on verify (#9572) 2026-05-12 12:50:38 +00:00
Gustavo Valverde
2f5d91c5bb fix(scim): reject built-in provider id collisions on SCIM token issuance (#9579) 2026-05-12 12:44:41 +00:00
Gustavo Valverde
99a254a79b fix(device-authorization): bind approval to verifier session (#9573) 2026-05-12 11:40:18 +00:00
Gustavo Valverde
0cbddb8fa4 refactor(db): rename claimOne adapter primitive to consumeOne (#9568) 2026-05-12 07:44:07 +00:00
Gustavo Valverde
a2c0c9346e feat(db): add atomic claimOne adapter primitive (#9560) 2026-05-11 20:10:29 +00:00
Maxwell
a26333b5fb fix: cleanup sessions when deleting users (#9162) 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
 2026-05-11 19:14:18 +00:00
Jarod Stewart
86765f1597 fix(sso): require org admin role to register SSO providers (#9220) 
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
 2026-05-11 17:04:01 +00:00
Maxwell
ee93485499 fix: add error code to change-email-disabled (#8948) 2026-05-11 11:49:38 +00:00
Dipan Chakraborty
142b86c43d fix(anonymous): call onLinkAccount on email verification sign-in (#9548) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-11 10:58:53 +00:00
Gustavo Valverde
e21d744987 fix(rate-limit): widen ipv6Subnet type and correct default in docs (#9545) 2026-05-11 07:04:16 +00:00
Adomas
b03998586a fix(api-key): return 429 instead of 401 when API key is rate limited (#9505) 
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
 2026-05-09 20:09:43 +00:00
better-release[bot]
cbb5014cdf chore: release v1.6.10 (#9350) 
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2026-05-09 14:31:47 +00:00
Taesu
09f1327acb fix(api): prevent duplicate set-cookie on redirect (#9497) 2026-05-09 13:50:46 +00:00
Taesu
15ff28a957 fix(internal-adapter): rename deleteAccount param from accountId to id (#9503) 2026-05-09 13:50:32 +00:00
Maxwell
fde043207e fix: improve link accessibility issues (#9521) 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
 2026-05-09 11:31:27 +00:00
Maxwell
cf591360e7 fix(organization): re-export field types to prevent TS2742 with additionalFields (#9349) 2026-05-08 06:47:33 +00:00
Maxwell
8c1e91757d fix: warn for cookie-plugin being last in array (#9484) 2026-05-08 02:55:33 +00:00
oimmi
3a9a2c37ee chore: expose refreshUserSessions on internal adapter (#7764) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
 2026-05-07 10:17:56 +00:00
Jaydeep pipaliya
e9c978e2af fix(username): respect callbackURL on sign-in (#9475) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-07 05:56:00 +00:00
Taesu
51de32e1e8 fix(stripe): lock library-owned Checkout Session fields against getCheckoutSessionParams (#9481) 2026-05-07 04:47:02 +00:00
Maxwell
36ef808c6c fix: incorrect email casing across one-tap, email-otp & email-verification (#9369) 2026-05-06 18:42:13 +00:00
Samuel Hurel
62c4050850 fix(api-keys): api.verifyApiKey does not check against the configId (#9393) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 18:22:10 +00:00
Dipan Chakraborty
9a7b51d0d3 fix(credential): apply enumeration protection when autoSignIn is false (#8839) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 18:17:46 +00:00
Rayan Salhab
e71aad3b6d fix(organization): refresh active role on sign out (#9440) 
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 18:08:22 +00:00
Rayan Salhab
fc02cedb70 fix(oauth): reject callbacks missing provider account id (#9456) 
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 17:57:15 +00:00
Gautam Manchandani
e44427b373 fix(cli): emit working Kysely init configs (#9455) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 17:45:32 +00:00
Rayan Salhab
9f1ef1f7e5 fix(siwe): add getNonce client alias (#9461) 
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 17:36:35 +00:00
Taesu
07b52cbb79 fix(stripe): preserve freeTrial and internal metadata in getCheckoutSessionParams merge (#9474) 2026-05-06 15:36:52 +00:00
Maxwell
1b259024dc fix(generic-oauth): non-ASCII error_description causes TypeError on redirect (#9065) 2026-05-06 11:25:56 +00:00
Rayan Salhab
b2d655c77c fix: allow dynamic organization invitation roles (#9437) 
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 08:15:02 +00:00
Rayan Salhab
ddae5817c8 fix(passkey): handle autofill ceremony failures (#9429) 
Co-authored-by: cyphercodes <7407177+cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 05:23:37 +00:00
Rachel Chen
f7bc1c7349 fix(oauth-provider): index OAuth foreign keys (#9389) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 05:22:28 +00:00
Rayan Salhab
d427d1dba9 fix(oauth-provider): export declaration helper types (#9406) 
Co-authored-by: cyphercodes <7407177+cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 05:20:44 +00:00
Max
80a655d271 fix(admin): revalidate useSession after impersonation (#9402) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 05:19:54 +00:00
Maksym Ryndia
a597ee01ed fix(organization): cancelPendingInvitationsOnReInvite is unreachable — re-invite returns 400 (#9452) (#9453) 
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
 2026-05-06 03:13:32 +00:00
Dylan Vanmali
6b03a45a14 chore(oauth-provider): correct optional typing for refreshToken sessionId field (#9324) 
Co-authored-by: Taesu <bytaesu@gmail.com>
 2026-05-03 19:12:23 +00:00
Taesu
906b7b34a7 fix(bearer): write one entry per cookie name when merging session token (#9387) 2026-05-01 02:13:16 +00:00
Rayan Salhab
2220a6d6c2 fix(core): use pure instrumentation entry for workerd (#9395) 
Co-authored-by: cyphercodes <7407177+cyphercodes@users.noreply.github.com>
 2026-04-29 12:59:31 -07:00
Craig (Michael) Thompson
006e809b92 fix(sso): use findSAMLProvider in spMetadata so defaultSSO works (#9398) 2026-04-29 12:56:44 -07:00
Gustavo Valverde
408a3076bd fix(oauth-provider): honor prompt=login across consent continuation (#9344) 2026-04-27 08:49:55 +00:00