Commit Graph

4400 Commits

Author SHA1 Message Date
Taesu
160d132752 fix(kysely-adapter): report SQLite tables as non-views in introspector (#9615) 2026-05-16 00:18:06 +00:00
Taesu
938efee305 fix(oauth-provider): preserve colons in Basic Auth client secret (#9601) 2026-05-15 15:48:59 +00:00
Taesu
87f5a8fd27 fix(oauth-provider): return NOT_FOUND when consent update references a missing client (#9600) 2026-05-15 15:48:25 +00:00
Taesu
1b40dac22e fix(cookies): relax Cookie separator and centralize parsing (#9543)
Co-authored-by: sbougerel <5677149+sbougerel@users.noreply.github.com>
2026-05-14 15:59:39 +00:00
Maxwell
ad9ad82496 fix(email-verification): clone request before passing to sendVerificationEmail callback (#9619) 2026-05-14 13:05:27 +00:00
Taesu
7a120724c5 fix(captcha): exempt /sign-in/email-otp from captcha enforcement (#9596) 2026-05-12 23:59:38 +00:00
dependabot[bot]
45d7cb8ad6 chore(deps): bump next from 16.2.3 to 16.2.6 (#9580)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-05-12 23:44:51 +00:00
Maxwell
6b44606b7d fix(username): validate username on admin createUser endpoint (#9464) 2026-05-12 18:01:11 +00:00
better-release[bot]
f41514ef07 chore: release v1.6.11 (#9532) 2026-05-12 17:30:34 +01:00
Gustavo Valverde
699b09a206 fix(oidc-provider, mcp): drop "none" alg, default plain PKCE off, reject missing PKCE method (#9575) 2026-05-12 16:04:54 +00:00
Gustavo Valverde
b4bc65a007 Merge commit from fork
The `authorization_code` grant's verification step was a `findOne` + `deleteOne` pair, so two concurrent `POST /oauth2/token` requests sharing the same `code` both pass the find, both delete, and both mint independent access/refresh/id token sets: a CAS gap that lets an authorization code be redeemed twice. The legacy `oidc-provider` and `mcp` plugins in `better-auth` share the same primitive on their `authorization_code` paths and have the same gap.

All three call sites now use `internalAdapter.consumeVerificationValue` (the atomic primitive added in better-auth#9560 and renamed in better-auth#9568): the first concurrent caller receives the row and mints tokens, subsequent racers receive `null`. The consumed and expired paths return RFC 6749 §5.2 `invalid_grant` instead of the better-auth-internal `invalid_verification`, so spec-compliant clients can branch on the standard code. The redundant second `deleteVerificationByIdentifier` call after PKCE validation in the legacy paths is removed.

Closes GHSA-7w99-5wm4-3g79.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
2026-05-12 16:53:45 +01:00
Gustavo Valverde
c6918ecc9e Merge commit from fork
The `authorization_code`-grant rotation in `createRefreshToken` and the explicit `revokeRefreshToken` path both updated the parent `oauthRefreshToken` row using an `id`-only predicate, so two concurrent rotations (or a rotation racing a revoke) both pass the `revoked` check and last-write-wins. Each surviving request mints a fresh refresh token, producing a forked family from one parent.

Both call sites now perform a compare-and-swap (`UPDATE ... WHERE id = ? AND revoked IS NULL`) and short-circuit with `invalid_grant` when the row was already consumed. The parent stays marked revoked, so any subsequent replay trips the existing family-invalidation guard in `handleRefreshTokenGrant`. The shared family-delete is centralized in `invalidateRefreshFamily`, which clears child access tokens before refresh rows to honor the schema's foreign-key direction; the `oauthRefreshToken.token` column also gains a `unique` constraint for parity with `oauthAccessToken.token`. Strict family invalidation on contested rotations (RFC 9700 §4.14) is tracked in a FIXME for a follow-up minor that opts into transactional rotation in the adapter contract.

Closes GHSA-392p-2q2v-4372.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
2026-05-12 16:36:32 +01:00
Gautam Manchandani
a1c9f3c08e fix(access): preserve exact role statement types (#9507)
Signed-off-by: Gautam Manchandani <manchandanigautam@gmail.com>
2026-05-12 15:17:44 +00:00
Maxwell
b0ef96fd8e fix: invalid instrumentation import list (#9582) 2026-05-12 15:03:15 +00:00
Gustavo Valverde
da7e50beee fix(oauth): block OAuth linking to unverified local accounts (#9578) 2026-05-12 14:20:19 +00:00
Gustavo Valverde
37f60cb176 fix(sso): validate user-supplied OIDC endpoint URLs at registration and update (#9574)
Co-authored-by: vaadata-poyetont <poyetont@vaadata.com>
2026-05-12 13:12:42 +00:00
Gustavo Valverde
23094a628f fix(organization): default-on requireEmailVerificationOnInvitation & extend gate to get/list (#9577) 2026-05-12 13:12:03 +00:00
Gustavo Valverde
1f2ff4215c fix(oidc-provider, mcp): authenticate confidential clients on refresh_token grant (#9576) 2026-05-12 13:09:27 +00:00
Gustavo Valverde
5f09d566a6 fix(magic-link): consume verification token atomically on verify (#9572) 2026-05-12 12:50:38 +00:00
Gustavo Valverde
2f5d91c5bb fix(scim): reject built-in provider id collisions on SCIM token issuance (#9579) 2026-05-12 12:44:41 +00:00
Gustavo Valverde
99a254a79b fix(device-authorization): bind approval to verifier session (#9573) 2026-05-12 11:40:18 +00:00
Taesu
98e7e38867 test(stripe): restructure test suite with typed Stripe factories (#9542) 2026-05-12 08:06:52 +00:00
Gustavo Valverde
0cbddb8fa4 refactor(db): rename claimOne adapter primitive to consumeOne (#9568) 2026-05-12 07:44:07 +00:00
Taesu
62b8793c11 chore(deps): consolidate kysely into pnpm catalog (#9569) 2026-05-12 07:38:59 +00:00
dependabot[bot]
3bec284c4f chore(deps): bump kysely from 0.28.14 to 0.28.17 (#9567)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-05-12 06:25:23 +00:00
Gustavo Valverde
a2c0c9346e feat(db): add atomic claimOne adapter primitive (#9560) 2026-05-11 20:10:29 +00:00
Maxwell
a26333b5fb fix: cleanup sessions when deleting users (#9162)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-05-11 19:14:18 +00:00
Jarod Stewart
86765f1597 fix(sso): require org admin role to register SSO providers (#9220)
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-05-11 17:04:01 +00:00
Maxwell
ee93485499 fix: add error code to change-email-disabled (#8948) 2026-05-11 11:49:38 +00:00
Dipan Chakraborty
142b86c43d fix(anonymous): call onLinkAccount on email verification sign-in (#9548)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-11 10:58:53 +00:00
Gustavo Valverde
e21d744987 fix(rate-limit): widen ipv6Subnet type and correct default in docs (#9545) 2026-05-11 07:04:16 +00:00
Adomas
b03998586a fix(api-key): return 429 instead of 401 when API key is rate limited (#9505)
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Taesu <166604494+bytaesu@users.noreply.github.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-05-09 20:09:43 +00:00
better-release[bot]
cbb5014cdf chore: release v1.6.10 (#9350)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-05-09 14:31:47 +00:00
Taesu
09f1327acb fix(api): prevent duplicate set-cookie on redirect (#9497) 2026-05-09 13:50:46 +00:00
Taesu
15ff28a957 fix(internal-adapter): rename deleteAccount param from accountId to id (#9503) 2026-05-09 13:50:32 +00:00
Maxwell
fde043207e fix: improve link accessibility issues (#9521)
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Co-authored-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
2026-05-09 11:31:27 +00:00
Muzzaiyyan Hussain
5e52aa0352 chore(adapters): add shared coverage for empty update where conditions (#9104)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-09 10:57:03 +00:00
Maxwell
cf591360e7 fix(organization): re-export field types to prevent TS2742 with additionalFields (#9349) 2026-05-08 06:47:33 +00:00
Maxwell
8c1e91757d fix: warn for cookie-plugin being last in array (#9484) 2026-05-08 02:55:33 +00:00
oimmi
3a9a2c37ee chore: expose refreshUserSessions on internal adapter (#7764)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
2026-05-07 10:17:56 +00:00
Jaydeep pipaliya
e9c978e2af fix(username): respect callbackURL on sign-in (#9475)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-07 05:56:00 +00:00
Taesu
51de32e1e8 fix(stripe): lock library-owned Checkout Session fields against getCheckoutSessionParams (#9481) 2026-05-07 04:47:02 +00:00
Maxwell
36ef808c6c fix: incorrect email casing across one-tap, email-otp & email-verification (#9369) 2026-05-06 18:42:13 +00:00
Samuel Hurel
62c4050850 fix(api-keys): api.verifyApiKey does not check against the configId (#9393)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-06 18:22:10 +00:00
Dipan Chakraborty
9a7b51d0d3 fix(credential): apply enumeration protection when autoSignIn is false (#8839)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-06 18:17:46 +00:00
Rayan Salhab
e71aad3b6d fix(organization): refresh active role on sign out (#9440)
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-06 18:08:22 +00:00
Rayan Salhab
fc02cedb70 fix(oauth): reject callbacks missing provider account id (#9456)
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-06 17:57:15 +00:00
Gautam Manchandani
e44427b373 fix(cli): emit working Kysely init configs (#9455)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-06 17:45:32 +00:00
Rayan Salhab
9f1ef1f7e5 fix(siwe): add getNonce client alias (#9461)
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-05-06 17:36:35 +00:00
Taesu
07b52cbb79 fix(stripe): preserve freeTrial and internal metadata in getCheckoutSessionParams merge (#9474) 2026-05-06 15:36:52 +00:00