[PR #9081] chore: release v1.6.3 #16670

opened 2026-04-13 10:38:20 -05:00 by GiteaMirror · 0 comments
📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/9081
Author: @better-release[bot]
Created: 4/9/2026
Status: 🔄 Open

Base: main ← Head: changeset-release/main


📝 Commits (1)

  • d99c357 chore: release

📊 Changes

50 files changed (+238 additions, -118 deletions)

.changeset/dcr-graceful-override-confidential.md (+0 -25)
.changeset/fix-2fa-bypass.md (+0 -7)
.changeset/fix-backup-codes-storage.md (+0 -7)
.changeset/fix-password-reset-callback-operation-id.md (+0 -5)
.changeset/honest-regions-jam.md (+0 -5)
.changeset/oauth-provider-token-refactor.md (+0 -9)
.changeset/pr-8926.md (+0 -5)
.changeset/pr-9032.md (+0 -5)
.changeset/pr-9084.md (+0 -5)
.changeset/sso-saml-hardening.md (+0 -25)
📝 packages/api-key/CHANGELOG.md (+8 -0)
📝 packages/api-key/package.json (+1 -1)
📝 packages/better-auth/CHANGELOG.md (+29 -0)
📝 packages/better-auth/package.json (+1 -1)
📝 packages/cli/CHANGELOG.md (+11 -0)
📝 packages/cli/package.json (+1 -1)
📝 packages/core/CHANGELOG.md (+2 -0)
📝 packages/core/package.json (+1 -1)
📝 packages/drizzle-adapter/CHANGELOG.md (+7 -0)
📝 packages/drizzle-adapter/package.json (+1 -1)

...and 30 more files

📄 Description

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@better-auth/api-key@1.6.3

Patch Changes

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

better-auth@1.6.3

Patch Changes

  • #9122 484ce6a Thanks @gustavovalverde! - fix(two-factor): enforce 2FA on all sign-in paths

    The 2FA after-hook now triggers on any endpoint that creates a new session, covering magic-link, OAuth, passkey, email-OTP, SIWE, and all future sign-in methods. Authenticated requests (session refreshes, profile updates) are excluded.

  • #7231 f875897 Thanks @Byte-Biscuit! - fix(two-factor): preserve backup codes storage format after verification

    After using a backup code, remaining codes are now re-saved using the same storeBackupCodes strategy (plain, encrypted, or custom) configured by the user. Previously, codes were always re-encrypted with the built-in symmetric encryption, breaking subsequent verifications for plain or custom storage modes.

  • #9072 6ce30cf Thanks @ramonclaudio! - fix(api): align top-level operationId on requestPasswordResetCallback with the OpenAPI resetPasswordCallback

  • #8389 f6428d0 Thanks @Oluwatobi-Mustapha! - fix(open-api): correct get-session nullable schema for OAS 3.1

  • #8926 c5066fe Thanks @bytaesu! - omit quantity for metered prices in checkout and upgrades

  • #9084 5f84335 Thanks @bytaesu! - support Stripe SDK v21 and v22

  • Updated dependencies []:

    • @better-auth/core@1.6.3
    • @better-auth/drizzle-adapter@1.6.3
    • @better-auth/kysely-adapter@1.6.3
    • @better-auth/memory-adapter@1.6.3
    • @better-auth/mongo-adapter@1.6.3
    • @better-auth/prisma-adapter@1.6.3
    • @better-auth/telemetry@1.6.3

auth@1.6.3

Patch Changes

  • #9032 4673c6d Thanks @bytaesu! - fix tsconfig path alias resolution for extended configs and mid-path wildcards

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3
    • @better-auth/telemetry@1.6.3

@better-auth/drizzle-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/electron@1.6.3

Patch Changes

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/expo@1.6.3

Patch Changes

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/i18n@1.6.3

Patch Changes

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/kysely-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/memory-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/mongo-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/oauth-provider@1.6.3

Patch Changes

  • #9123 e2e25a4 Thanks @gustavovalverde! - fix(oauth-provider): override confidential auth methods to public in unauthenticated DCR

    When allowUnauthenticatedClientRegistration is enabled, unauthenticated DCR requests that specify client_secret_post, client_secret_basic, or omit token_endpoint_auth_method (which defaults to client_secret_basic per RFC 7591 §2) are now silently overridden to token_endpoint_auth_method: "none" (public client) instead of being rejected with HTTP 401.

    This follows RFC 7591 §3.2.1, which allows the server to "reject or replace any of the client's requested metadata values submitted during the registration and substitute them with suitable values." The registration response communicates the actual method back to the client, allowing compliant clients to adjust.

    This fixes interoperability with real-world MCP clients (Claude, Codex, Factory Droid, and others) that send token_endpoint_auth_method: "client_secret_post" in their DCR payload because the server metadata advertises it in token_endpoint_auth_methods_supported.

    Closes #8588

  • #9118 314e06f Thanks @gustavovalverde! - feat(oauth-provider): add customTokenResponseFields callback and Zod validation for authorization codes

    Add customTokenResponseFields callback to OAuthOptions for injecting custom fields into token endpoint responses across all grant types. Standard OAuth fields (access_token, token_type, etc.) cannot be overridden. Follows the same pattern as customAccessTokenClaims and customIdTokenClaims.

    Authorization code verification values are now validated with a Zod schema at deserialization, consistently returning invalid_verification errors for malformed or corrupted values instead of potential 500s.

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/passkey@1.6.3

Patch Changes

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/prisma-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/redis-storage@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/scim@1.6.3

Patch Changes

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/sso@1.6.3

Patch Changes

  • #9097 52c4751 Thanks @gustavovalverde! - fix(sso): unify SAML response processing and fix provider/config bugs

    Bug fixes:

    • Fix SP metadata endpoint using internal row ID instead of providerId in ACS URL
    • Fix acsEndpoint skipping DB provider lookup when defaultSSO is configured
    • Fix acsEndpoint missing encryption fields (isAssertionEncrypted, encPrivateKey), which caused silent decryption failures
    • Fix defaultSSO config parsing in callback path (safeJsonParse on already-parsed objects)
    • Fix createSP missing callbackUrl fallback to auto-generated ACS URL
    • Complete createSP/createIdP helpers with all encryption and signing fields

    Behavioral changes:

    • ACS error redirect query parameters now use uppercase error codes (e.g. error=SAML_MULTIPLE_ASSERTIONS instead of error=multiple_assertions). If your application parses these error codes from the redirect URL, update the expected values.
    • SAML provider registration now rejects configs with no usable IdP entry point (no valid entryPoint URL, no idpMetadata.metadata, and no idpMetadata.singleSignOnService). Previously these would register successfully but fail at sign-in.
    • entryPoint validation tightened from startsWith("http") to new URL() parsing, rejecting malformed URLs like http:evil or http//missing-colon.

    Refactoring (no API changes):

    • Extract shared processSAMLResponse pipeline to eliminate ~500 lines of duplicated logic between callbackSSOSAML and acsEndpoint
    • Move validateSAMLTimestamp to saml/timestamp.ts (re-exported from original location for compatibility)

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3
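The tightened entryPoint validation and the no-usable-entry-point registration rule from the #9097 entry above, as an added example that is not the project's code. It parses with new URL() and then additionally requires the literal scheme:// prefix, because WHATWG parsers accept scheme-only forms such as http:evil and normalize them to http://evil/ rather than throwing; the function names, the credential check and the provider config shape are assumptions.

```typescript
// Added example (not better-auth code): strict IdP entryPoint validation.
// Function names, the credential check and the config shape are assumptions.

export type EntryPointResult =
  | { ok: true; url: string }
  | { ok: false; reason: string };

const ALLOWED_PROTOCOLS: ReadonlySet<string> = new Set(["https:", "http:"]);

export function validateEntryPoint(raw: string | undefined): EntryPointResult {
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, reason: "entryPoint is missing" };
  }
  const value = raw.trim();

  // Step 1: must parse as an absolute URL. This alone rejects
  // "http//missing-colon" (no scheme) but not "http:evil".
  let url: URL;
  try {
    url = new URL(value);
  } catch {
    return { ok: false, reason: `entryPoint is not an absolute URL: ${value}` };
  }

  // Step 2: only http(s) makes sense for a SAML SSO redirect target.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `unsupported scheme ${url.protocol}` };
  }

  // Step 3: require the literal "scheme://" prefix so that scheme-only forms
  // such as "http:evil", which the parser silently normalizes, are refused.
  if (!value.toLowerCase().startsWith(`${url.protocol}//`)) {
    return { ok: false, reason: `entryPoint must start with ${url.protocol}//` };
  }

  // Step 4: a host is mandatory; embedded credentials are refused.
  if (url.hostname === "" || url.username !== "" || url.password !== "") {
    return { ok: false, reason: "entryPoint must have a host and no credentials" };
  }
  return { ok: true, url: url.toString() };
}

// Assumed config shape for the registration rule: a provider needs a valid
// entryPoint, or idpMetadata.metadata, or idpMetadata.singleSignOnService.
export interface SamlIdpConfig {
  entryPoint?: string;
  idpMetadata?: { metadata?: string; singleSignOnService?: unknown[] };
}

export function hasUsableIdpEntryPoint(cfg: SamlIdpConfig): boolean {
  if (validateEntryPoint(cfg.entryPoint).ok) return true;
  const md = cfg.idpMetadata;
  if (!md) return false;
  if (typeof md.metadata === "string" && md.metadata.trim() !== "") return true;
  return Array.isArray(md.singleSignOnService) && md.singleSignOnService.length > 0;
}
```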

@better-auth/stripe@1.6.3

Patch Changes

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/telemetry@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/test-utils@1.6.3

Patch Changes

  • Updated dependencies [484ce6a, f875897, 6ce30cf, f6428d0, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/core@1.6.3


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-13 10:38:20 -05:00
Reference: github-starred/better-auth#16670