4499 Commits

Author SHA1 Message Date
better-release[bot]
414169d95a chore: release v1.6.21 (#10184) 2026-06-26 05:52:50 +01:00
Ben Snyder
f52e1ab50b fix(device-authorization): make schema option optional under Zod v4 (#9939)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
2026-06-26 05:48:15 +01:00
Maxwell
882cf9e592 fix(admin): use authoritative session reads for authorization (#10187)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 04:09:16 +00:00
Paola Estefanía de Campos
b5bec193a5 fix(oauth): apply user input rules to provider profiles (#10196)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 04:06:54 +00:00
Taesu
471f81c1ab refactor: centralize request IP resolver in core (#10216) 2026-06-26 05:05:00 +01:00
Maxwell
90d509e0b9 fix(adapter): fail closed on update misses (#10180)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 03:56:39 +00:00
Paola Estefanía de Campos
816d7f9252 fix(one-tap): apply configured Google hosted domain (hd) on the callback (#10197)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 03:56:20 +00:00
Bereket Engida
fa1e036ae7 fix(sso): validate SAML response binding against the Service Provider (#10226)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 03:07:43 +00:00
Bereket Engida
7a7a7b311a fix(sso): delete linked account rows when an SSO provider is deleted (#10224)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 03:07:21 +00:00
Bereket Engida
fcabaaffcb fix(sso): require DNS proof for every domain listed on a provider (#10227)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 02:49:15 +00:00
Bereket Engida
1a8b7ccc83 fix(sso): restrict SAML SLO POST form action to http(s) schemes (#10225)
Co-authored-by: Gustavo Valverde <g.valverde02@gmail.com>
2026-06-26 02:27:12 +00:00
Gustavo Valverde
1bc370aef5 fix(siwe): reject sign-in when the provided email already belongs to another account (#10228) 2026-06-26 02:21:45 +00:00
Taesu
29fbcb5732 Merge commit from fork
Organization subscription actions re-derived the reference id in the handler
instead of consuming the value the middleware resolved, so an action could run
against a different organization than the one resolved for the request. The
middleware now resolves the reference id once and exposes it on the context, and
the handlers read it from there.
2026-06-25 11:21:12 -07:00
Gustavo Valverde
ae647b4abe fix(two-factor): cap verification attempts on TOTP and backup codes (#10210) 2026-06-25 06:49:09 +00:00
Taesu
5953157acf fix: harden forwarded client IP resolution (#10203)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-06-25 04:55:10 +00:00
Taesu
5af69e4b50 test: cover base path leading-prefix enforcement (#10211) 2026-06-25 00:51:21 +00:00
moonevm
452bd03f74 fix(cli): increase generated BETTER_AUTH_SECRET length from 16 to 32 … (#10186)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-06-24 21:52:53 +00:00
Taesu
88409b0078 fix(oauth-proxy): reject profile callbacks with missing or expired OAuth state (#10183) 2026-06-24 19:41:43 +00:00
Taesu
b046f9ec11 fix: apply rate limits before plugin requests (#10191)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-06-24 11:51:11 +00:00
Rachit mittal
570267cd5e fix: honor disableMigration on plugin schema tables (#10198) 2026-06-24 00:19:25 +00:00
Taesu
239bcc836c fix(paypal): bind userinfo subject to verified id token subject (#10192) 2026-06-23 00:23:56 +00:00
Taesu
e7c8066cf1 docs: refine warning guidance across plugin docs (#10185) 2026-06-21 22:39:30 -07:00
Taesu
461ca6fd24 fix(username): only store valid displayUsername fallbacks as usernames (#10182) 2026-06-22 05:16:44 +00:00
better-release[bot]
c342f42fff chore: release v1.6.20 (#10108) 2026-06-19 19:42:38 -07:00
Taesu
40138db6ed chore: add coverage script to adapter packages (#10158) 2026-06-19 13:48:34 -07:00
Cal
21448b1b77 fix: route account-linking logs through the configured logger (#10121)
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-06-18 22:19:18 +00:00
Wilson Angelie Tan
3965752b5a fix(i18n): i18n en fallback and i18n documentation (#9872)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
2026-06-16 20:51:48 +00:00
Dipan Chakraborty
8ecf23817f fix(session): cap refresh cookie Max-Age at expiresIn (#9621)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
2026-06-16 20:40:41 +00:00
stephen
930f5341d9 fix(core): declare inherited APIError props to fix ts inference error (#8734)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
2026-06-16 19:57:27 +00:00
better-release[bot]
ac4d81df74 chore: release v1.6.19 (#10034) 2026-06-15 17:40:36 -07:00
Gustavo Valverde
1e69725027 docs: clarify stateless Cognito token refresh (#10092) 2026-06-15 17:06:35 -07:00
Taesu
de4aa52e99 fix(cookies): chunk session and account cookies near the browser size limit (#10088) 2026-06-15 21:50:03 +00:00
Gustavo Valverde
5bd5e1cc73 fix: make guarded state transitions portable on Prisma (#10086) 2026-06-15 14:03:33 -07:00
Taesu
8b2ef2c40e test(cli): avoid shell interpolation in info tests (#10089) 2026-06-15 19:48:47 +00:00
Taesu
f3e1a405cd chore(scim): remove filter values from list users log (#10087) 2026-06-15 18:36:44 +00:00
Gustavo Valverde
08959936d2 fix(drizzle-adapter): return consumed MySQL rows (#10081) 2026-06-15 15:05:01 +00:00
Gustavo Valverde
36f345b1bc revert: fix: allow headerless get session checks (#10053) (#10074) 2026-06-15 00:10:22 -07:00
Gustavo Valverde
635f190870 fix(client): name auth client return types (#10071) 2026-06-15 06:45:35 +00:00
Gustavo Valverde
a787e0b66b fix(core): reuse active transactions (#10070) 2026-06-15 06:29:21 +00:00
Tushar
d009daedc7 fix: allow headerless get session checks (#10053) 2026-06-15 06:14:34 +00:00
Taesu
840788502a fix(oauth-popup): filter internal state keys from additionalData (#10067) 2026-06-15 05:12:13 +00:00
BWM0223
30f6a78129 chore: add missing metadata fields to package.json (#10047) 2026-06-14 00:45:14 +00:00
tsushanth
d6aec123d8 fix(cli): serialize array additionalField defaultValue in drizzle generator (#10048)
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
2026-06-14 00:41:09 +00:00
Maxwell
c2f718fcde fix: cookie cache fallback lookup (#9348) 2026-06-13 14:53:33 +00:00
Maxwell
581f8271fb fix(last-login-method): include domain when clearing cross-subdomain cookies (#9319) 2026-06-13 11:52:33 +00:00
brone1323
cfbb9a0524 fix(cli): handle directory path passed to --output in generate command (#9564)
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
2026-06-13 11:47:44 +00:00
ElGauchooooo
b4b02660c7 feat(device-authorization): allow pre-binding device codes to a user (#9995)
Co-authored-by: Taesu <bytaesu@gmail.com>
2026-06-12 22:57:37 +00:00
Chris George
c1a8a64c14 fix(open-api): generate valid OpenAPI schemas for client generators (#9555)
Co-authored-by: ping-maxwell <maxwell.multinite@gmail.com>
2026-06-12 22:24:56 +00:00
Maxwell
7d18175637 fix: propagate sendVerificationEmail errors (#8863)
Co-authored-by: Bereket Engida <86073083+Bekacru@users.noreply.github.com>
2026-06-12 21:49:10 +00:00
better-release[bot]
04debbff04 chore: release v1.6.18 (#10026) 2026-06-12 10:15:14 -07:00