better-release[bot]
414169d95a
chore: release v1.6.21 ( #10184 )
2026-06-26 05:52:50 +01:00
Ben Snyder
f52e1ab50b
fix(device-authorization): make schema option optional under Zod v4 ( #9939 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-06-26 05:48:15 +01:00
Maxwell
882cf9e592
fix(admin): use authoritative session reads for authorization ( #10187 )
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 04:09:16 +00:00
Paola Estefanía de Campos
b5bec193a5
fix(oauth): apply user input rules to provider profiles ( #10196 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 04:06:54 +00:00
Taesu
471f81c1ab
refactor: centralize request IP resolver in core ( #10216 )
2026-06-26 05:05:00 +01:00
Maxwell
90d509e0b9
fix(adapter): fail closed on update misses ( #10180 )
...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 03:56:39 +00:00
Paola Estefanía de Campos
816d7f9252
fix(one-tap): apply configured Google hosted domain (hd) on the callback ( #10197 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 03:56:20 +00:00
Bereket Engida
fa1e036ae7
fix(sso): validate SAML response binding against the Service Provider ( #10226 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 03:07:43 +00:00
Bereket Engida
7a7a7b311a
fix(sso): delete linked account rows when an SSO provider is deleted ( #10224 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 03:07:21 +00:00
Bereket Engida
fcabaaffcb
fix(sso): require DNS proof for every domain listed on a provider ( #10227 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 02:49:15 +00:00
Bereket Engida
1a8b7ccc83
fix(sso): restrict SAML SLO POST form action to http(s) schemes ( #10225 )
...
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com >
2026-06-26 02:27:12 +00:00
Gustavo Valverde
1bc370aef5
fix(siwe): reject sign-in when the provided email already belongs to another account ( #10228 )
2026-06-26 02:21:45 +00:00
Taesu
29fbcb5732
Merge commit from fork
...
Organization subscription actions re-derived the reference id in the handler
instead of consuming the value the middleware resolved, so an action could run
against a different organization than the one resolved for the request. The
middleware now resolves the reference id once and exposes it on the context, and
the handlers read it from there.
2026-06-25 11:21:12 -07:00
Gustavo Valverde
ae647b4abe
fix(two-factor): cap verification attempts on TOTP and backup codes ( #10210 )
2026-06-25 06:49:09 +00:00
Taesu
5953157acf
fix: harden forwarded client IP resolution ( #10203 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-06-25 04:55:10 +00:00
Taesu
5af69e4b50
test: cover base path leading-prefix enforcement ( #10211 )
2026-06-25 00:51:21 +00:00
moonevm
452bd03f74
fix(cli): increase generated BETTER_AUTH_SECRET length from 16 to 32 … ( #10186 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-06-24 21:52:53 +00:00
Taesu
88409b0078
fix(oauth-proxy): reject profile callbacks with missing or expired OAuth state ( #10183 )
2026-06-24 19:41:43 +00:00
Taesu
b046f9ec11
fix: apply rate limits before plugin requests ( #10191 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-06-24 11:51:11 +00:00
Rachit mittal
570267cd5e
fix: honor disableMigration on plugin schema tables ( #10198 )
2026-06-24 00:19:25 +00:00
Taesu
239bcc836c
fix(paypal): bind userinfo subject to verified id token subject ( #10192 )
2026-06-23 00:23:56 +00:00
Taesu
e7c8066cf1
docs: refine warning guidance across plugin docs ( #10185 )
2026-06-21 22:39:30 -07:00
Taesu
461ca6fd24
fix(username): only store valid displayUsername fallbacks as usernames ( #10182 )
2026-06-22 05:16:44 +00:00
better-release[bot]
c342f42fff
chore: release v1.6.20 ( #10108 )
2026-06-19 19:42:38 -07:00
Taesu
40138db6ed
chore: add coverage script to adapter packages ( #10158 )
2026-06-19 13:48:34 -07:00
Cal
21448b1b77
fix: route account-linking logs through the configured logger ( #10121 )
...
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com >
Co-authored-by: Taesu <bytaesu@gmail.com >
2026-06-18 22:19:18 +00:00
Wilson Angelie Tan
3965752b5a
fix(i18n): i18n en fallback and i18n documentation ( #9872 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-06-16 20:51:48 +00:00
Dipan Chakraborty
8ecf23817f
fix(session): cap refresh cookie Max-Age at expiresIn ( #9621 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
2026-06-16 20:40:41 +00:00
stephen
930f5341d9
fix(core): declare inherited APIError props to fix ts inference error ( #8734 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-06-16 19:57:27 +00:00
better-release[bot]
ac4d81df74
chore: release v1.6.19 ( #10034 )
2026-06-15 17:40:36 -07:00
Gustavo Valverde
1e69725027
docs: clarify stateless Cognito token refresh ( #10092 )
2026-06-15 17:06:35 -07:00
Taesu
de4aa52e99
fix(cookies): chunk session and account cookies near the browser size limit ( #10088 )
2026-06-15 21:50:03 +00:00
Gustavo Valverde
5bd5e1cc73
fix: make guarded state transitions portable on Prisma ( #10086 )
2026-06-15 14:03:33 -07:00
Taesu
8b2ef2c40e
test(cli): avoid shell interpolation in info tests ( #10089 )
2026-06-15 19:48:47 +00:00
Taesu
f3e1a405cd
chore(scim): remove filter values from list users log ( #10087 )
2026-06-15 18:36:44 +00:00
Gustavo Valverde
08959936d2
fix(drizzle-adapter): return consumed MySQL rows ( #10081 )
2026-06-15 15:05:01 +00:00
Gustavo Valverde
36f345b1bc
revert: fix: allow headerless get session checks ( #10053 ) ( #10074 )
2026-06-15 00:10:22 -07:00
Gustavo Valverde
635f190870
fix(client): name auth client return types ( #10071 )
2026-06-15 06:45:35 +00:00
Gustavo Valverde
a787e0b66b
fix(core): reuse active transactions ( #10070 )
2026-06-15 06:29:21 +00:00
Tushar
d009daedc7
fix: allow headerless get session checks ( #10053 )
2026-06-15 06:14:34 +00:00
Taesu
840788502a
fix(oauth-popup): filter internal state keys from additionalData ( #10067 )
2026-06-15 05:12:13 +00:00
BWM0223
30f6a78129
chore: add missing metadata fields to package.json ( #10047 )
2026-06-14 00:45:14 +00:00
tsushanth
d6aec123d8
fix(cli): serialize array additionalField defaultValue in drizzle generator ( #10048 )
...
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-06-14 00:41:09 +00:00
Maxwell
c2f718fcde
fix: cookie cache fallback lookup ( #9348 )
2026-06-13 14:53:33 +00:00
Maxwell
581f8271fb
fix(last-login-method): include domain when clearing cross-subdomain cookies ( #9319 )
2026-06-13 11:52:33 +00:00
brone1323
cfbb9a0524
fix(cli): handle directory path passed to --output in generate command ( #9564 )
...
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com >
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-06-13 11:47:44 +00:00
ElGauchooooo
b4b02660c7
feat(device-authorization): allow pre-binding device codes to a user ( #9995 )
...
Co-authored-by: Taesu <bytaesu@gmail.com >
2026-06-12 22:57:37 +00:00
Chris George
c1a8a64c14
fix(open-api): generate valid OpenAPI schemas for client generators ( #9555 )
...
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com >
2026-06-12 22:24:56 +00:00
Maxwell
7d18175637
fix: propagate sendVerificationEmail errors ( #8863 )
...
Co-authored-by: Bereket Engida <86073083+Bekacru@users.noreply.github.com >
2026-06-12 21:49:10 +00:00
better-release[bot]
04debbff04
chore: release v1.6.18 ( #10026 )
2026-06-12 10:15:14 -07:00