[PR #9106] [MERGED] chore: sync main to next #16685

Closed
opened 2026-04-13 10:38:40 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/9106
Author: @gustavovalverde
Created: 4/10/2026
Status: Merged
Merged: 4/10/2026
Merged by: @gustavovalverde

Base: next ← Head: chore/sync-main-to-next


📝 Commits (10+)

  • 83ed1fe fix(ci): prevent label explosion on PRs targeting the next branch (#9071)
  • a2fbe07 refactor(ci): simplify release notes to one-line entries (#9067)
  • 41679fa docs: add database table names (#9062)
  • 6ce30cf fix: incorrect operationId in password reset callback endpoint (#9072)
  • f6428d0 fix(open-api): correct get-session nullable schema for OAS 3.1 (#8389)
  • 099ee48 chore(docs): format markdown including mdx files (#9085)
  • d141a3b docs: fix PostgreSQL Prisma native type typo (#9090)
  • 5f84335 feat(stripe): support Stripe SDK v21 and v22 (#9084)
  • 684154d chore: replace z.union with z.xor for permission schemas in admin plugin (#8982)
  • c5066fe fix(stripe): omit quantity for metered prices in checkout and upgrades (#8926)

📊 Changes

219 files changed (+18609 additions, -16988 deletions)


.changeset/fix-password-reset-callback-operation-id.md (+5 -0)
.changeset/honest-regions-jam.md (+5 -0)
.changeset/pr-8926.md (+5 -0)
.changeset/pr-9032.md (+5 -0)
.changeset/pr-9084.md (+5 -0)
.changeset/sso-saml-hardening.md (+25 -0)
📝 .github/prompts/release-notes-rewrite.md (+51 -67)
📝 .github/scripts/release-notes.ts (+91 -52)
📝 .github/workflows/auto-label.yml (+7 -1)
📝 .github/workflows/release.yml (+59 -24)
📝 .vscode/settings.json (+2 -1)
📝 demo/expo/src/app/forgot-password.tsx (+3 -3)
📝 demo/expo/src/app/index.tsx (+2 -2)
📝 demo/nextjs/app/(auth)/forgot-password/page.tsx (+2 -2)
📝 demo/nextjs/components/forms/forgot-password-form.tsx (+10 -10)
📝 demo/nextjs/components/forms/sign-in-form.tsx (+1 -1)
📝 demo/nextjs/package.json (+1 -1)
📝 demo/nextjs/pnpm-lock.yaml (+41 -27)
📝 docs/README.md (+6 -6)
📝 docs/app/legal/privacy/page.mdx (+68 -68)

...and 80 more files

📄 Description

Summary

Resolves merge conflicts in the automated main-to-next sync (replaces #9074).

  • Doc files (2fa, oauth-provider, sso): kept next's feature content (OTP enablement, private_key_jwt, SAML options), applied main's formatting pass and database table name pattern where applicable
  • packages/sso/src/routes/sso.ts: kept next's version, which has all 4 security fixes from #9055 and private_key_jwt from #8836

Note: main's saml-pipeline.ts arrives as a new file but is not wired into sso.ts yet. A follow-up PR should port the security fixes into the pipeline and adopt it, replacing the current inline approach.

Closes #9074


Summary by cubic

Syncs main into next, adopts the SAML pipeline in SSO with private_key_jwt, and preserves next’s SSO/SAML settings. Brings over docs formatting and table names, CI/release improvements, OpenAPI alignment changesets, SAML hardening in @better-auth/sso, Stripe SDK v21–v22 support, and renames demos to “Forgot Password” using requestPasswordReset.

  • Bug Fixes

    • SSO/SAML: switched to saml-pipeline.ts; ported security fixes (InResponseTo path, audience restriction, SessionIndex as string, default allowIdpInitiated=false); unified response handling; fixed ACS URL identifier, provider lookup, missing encryption fields; completed createSP/createIdP; corrected defaultSSO parsing; added private_key_jwt; guarded toLowerCase() against falsy email/nameID; used validated samlRedirectUrl for error redirects.
    • OpenAPI: aligned password reset callback operationId; fixed get-session nullable schema for OAS 3.1.
    • Tooling/CI/Release: omitted quantity for metered stripe prices; fixed tsconfig path alias resolution; skipped auto-label on next/bot PRs; renamed release PRs with version; simplified one‑line release notes; fixed release validation grep count fallback.
  • Migration

    • SAML ACS error redirects now use UPPERCASE codes (e.g., SAML_MULTIPLE_ASSERTIONS) — update any URL parsing.
    • Demo routes and labels use “Forgot Password” and the requestPasswordReset method; update any copied examples.

Written for commit 2e0ad30369. Summary will update on new commits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-13 10:38:40 -05:00
Reference: github-starred/better-auth#16685