[PR #9120] chore: release v1.7.0-beta.1 #16698

Open
opened 2026-04-13 10:38:56 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/9120
Author: @better-release[bot]
Created: 4/11/2026
Status: 🔄 Open

Base: next ← Head: changeset-release/next


📝 Commits (1)

  • 3b67f1e chore: release (beta)

📊 Changes

41 files changed (+285 additions, -20 deletions)


📝 .changeset/pre.json (+4 -0)
📝 packages/api-key/CHANGELOG.md (+8 -0)
📝 packages/api-key/package.json (+1 -1)
📝 packages/better-auth/CHANGELOG.md (+33 -0)
📝 packages/better-auth/package.json (+1 -1)
📝 packages/cli/CHANGELOG.md (+9 -0)
📝 packages/cli/package.json (+1 -1)
📝 packages/core/CHANGELOG.md (+2 -0)
📝 packages/core/package.json (+1 -1)
📝 packages/drizzle-adapter/CHANGELOG.md (+7 -0)
📝 packages/drizzle-adapter/package.json (+1 -1)
📝 packages/electron/CHANGELOG.md (+22 -0)
📝 packages/electron/package.json (+1 -1)
📝 packages/expo/CHANGELOG.md (+22 -0)
📝 packages/expo/package.json (+1 -1)
📝 packages/i18n/CHANGELOG.md (+8 -0)
📝 packages/i18n/package.json (+1 -1)
📝 packages/kysely-adapter/CHANGELOG.md (+7 -0)
📝 packages/kysely-adapter/package.json (+1 -1)
📝 packages/memory-adapter/CHANGELOG.md (+7 -0)

...and 21 more files

📄 Description

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to next, this PR will be updated.

⚠️⚠️⚠️⚠️⚠️⚠️

next is currently in pre mode so this branch has prereleases rather than normal releases. If you want to exit prereleases, run changeset pre exit on next.

⚠️⚠️⚠️⚠️⚠️⚠️

Releases

better-auth@1.7.0-beta.1

Minor Changes

  • #9069 c7d2253 Thanks @gustavovalverde! - Rewrite the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults. Providers now use signIn.social + callback/:id instead of dedicated plugin endpoints, with PKCE required by default (OAuth 2.1), RFC 9207 issuer validation, OIDC auto-discovery with openid scope injection, and typed provider IDs.

    Breaking changes:

    • signIn.oauth2({ providerId }) replaced by signIn.social({ provider })
    • oauth2.link() replaced by linkSocial()
    • Callback URL changed from /api/auth/oauth2/callback/:id to /api/auth/callback/:id
    • genericOAuthClient() deprecated (no longer needed)
    • pkce defaults to true (was false); set pkce: false for providers that reject PKCE
    • authorizationUrlParams and tokenUrlParams only accept Record<string, string>
    • issuer and requireIssuerValidation config fields removed; issuer validation is automatic via OIDC discovery
    • mapProfileToUser profile typed as OAuth2UserInfo & Record<string, unknown>
  • #9079 6f2948e Thanks @gustavovalverde! - feat(oauth-provider): compute at_hash in ID tokens per OIDC Core §3.1.3.6

    ID tokens issued alongside an access token now include the at_hash claim, which cryptographically binds the two tokens to prevent token substitution attacks. The hash algorithm is selected based on the actual signing key's algorithm (EdDSA/Ed25519 uses SHA-512, RS/ES/PS384 uses SHA-384, RS/ES/PS512 uses SHA-512, all others use SHA-256).

    A new resolveSigningKey() export is available from better-auth/plugins to resolve the current JWKS signing key (including its algorithm). When using a custom jwt.sign callback, the signed ID token's header is validated against the declared algorithm to prevent at_hash mismatches.

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.7.0-beta.1
    • @better-auth/drizzle-adapter@1.7.0-beta.1
    • @better-auth/kysely-adapter@1.7.0-beta.1
    • @better-auth/memory-adapter@1.7.0-beta.1
    • @better-auth/mongo-adapter@1.7.0-beta.1
    • @better-auth/prisma-adapter@1.7.0-beta.1
    • @better-auth/telemetry@1.7.0-beta.1

@better-auth/electron@1.7.0-beta.1

Minor Changes

  • #9069 c7d2253 Thanks @gustavovalverde! - Rewrite the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults. Providers now use signIn.social + callback/:id instead of dedicated plugin endpoints, with PKCE required by default (OAuth 2.1), RFC 9207 issuer validation, OIDC auto-discovery with openid scope injection, and typed provider IDs.

    Breaking changes:

    • signIn.oauth2({ providerId }) replaced by signIn.social({ provider })
    • oauth2.link() replaced by linkSocial()
    • Callback URL changed from /api/auth/oauth2/callback/:id to /api/auth/callback/:id
    • genericOAuthClient() deprecated (no longer needed)
    • pkce defaults to true (was false); set pkce: false for providers that reject PKCE
    • authorizationUrlParams and tokenUrlParams only accept Record<string, string>
    • issuer and requireIssuerValidation config fields removed; issuer validation is automatic via OIDC discovery
    • mapProfileToUser profile typed as OAuth2UserInfo & Record<string, unknown>

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

@better-auth/expo@1.7.0-beta.1

Minor Changes

  • #9069 c7d2253 Thanks @gustavovalverde! - Rewrite the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults. Providers now use signIn.social + callback/:id instead of dedicated plugin endpoints, with PKCE required by default (OAuth 2.1), RFC 9207 issuer validation, OIDC auto-discovery with openid scope injection, and typed provider IDs.

    Breaking changes:

    • signIn.oauth2({ providerId }) replaced by signIn.social({ provider })
    • oauth2.link() replaced by linkSocial()
    • Callback URL changed from /api/auth/oauth2/callback/:id to /api/auth/callback/:id
    • genericOAuthClient() deprecated (no longer needed)
    • pkce defaults to true (was false); set pkce: false for providers that reject PKCE
    • authorizationUrlParams and tokenUrlParams only accept Record<string, string>
    • issuer and requireIssuerValidation config fields removed; issuer validation is automatic via OIDC discovery
    • mapProfileToUser profile typed as OAuth2UserInfo & Record<string, unknown>

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

@better-auth/oauth-provider@1.7.0-beta.1

Minor Changes

  • #9069 c7d2253 Thanks @gustavovalverde! - Rewrite the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults. Providers now use signIn.social + callback/:id instead of dedicated plugin endpoints, with PKCE required by default (OAuth 2.1), RFC 9207 issuer validation, OIDC auto-discovery with openid scope injection, and typed provider IDs.

    Breaking changes:

    • signIn.oauth2({ providerId }) replaced by signIn.social({ provider })
    • oauth2.link() replaced by linkSocial()
    • Callback URL changed from /api/auth/oauth2/callback/:id to /api/auth/callback/:id
    • genericOAuthClient() deprecated (no longer needed)
    • pkce defaults to true (was false); set pkce: false for providers that reject PKCE
    • authorizationUrlParams and tokenUrlParams only accept Record<string, string>
    • issuer and requireIssuerValidation config fields removed; issuer validation is automatic via OIDC discovery
    • mapProfileToUser profile typed as OAuth2UserInfo & Record<string, unknown>
  • #9079 6f2948e Thanks @gustavovalverde! - feat(oauth-provider): compute at_hash in ID tokens per OIDC Core §3.1.3.6

    ID tokens issued alongside an access token now include the at_hash claim, which cryptographically binds the two tokens to prevent token substitution attacks. The hash algorithm is selected based on the actual signing key's algorithm (EdDSA/Ed25519 uses SHA-512, RS/ES/PS384 uses SHA-384, RS/ES/PS512 uses SHA-512, all others use SHA-256).

    A new resolveSigningKey() export is available from better-auth/plugins to resolve the current JWKS signing key (including its algorithm). When using a custom jwt.sign callback, the signed ID token's header is validated against the declared algorithm to prevent at_hash mismatches.

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

@better-auth/sso@1.7.0-beta.1

Minor Changes

  • #9117 b70f025 Thanks @gustavovalverde! - Breaking: SAML configuration changes

    callbackUrl removed from samlConfig.
    The ACS URL is now always derived from your baseURL and providerId. Remove callbackUrl from your SAML provider configuration. The post-login redirect destination is set per sign-in via callbackURL in signIn.sso():

    ```ts
    await authClient.signIn.sso({
      providerId: "my-provider",
      callbackURL: "/dashboard",
    });
    ```
    

    /sso/saml2/callback/:providerId endpoint removed.
    Update your IdP's ACS URL to /sso/saml2/sp/acs/:providerId. This endpoint handles both GET and POST requests.

    spMetadata is now optional.
    You no longer need to pass spMetadata: {} when registering a provider. SP metadata is auto-generated from your configuration.

    Removed unused fields from SAMLConfig:
    decryptionPvk, additionalParams, idpMetadata.entityURL, idpMetadata.redirectURL. These were stored but never read. Remove them from your configuration if present.

    Bug fixes

    • Fix SLO SessionIndex matching: LogoutRequests with a SessionIndex were silently failing to delete the correct session.
    • Audience validation now defaults to the SP entity ID when audience is not configured, per SAML Core section 2.5.1.
    • Restore AllowCreate in AuthnRequests, required by IdPs that use JIT provisioning.
    • SP metadata endpoint now reflects actual SP capabilities (encryption, signing, SLO).

Patch Changes

  • #9121 9603043 Thanks @gustavovalverde! - Security: upgrade samlify to 2.12.0

    Upgrades the SAML XML processing library from 2.10.2 to 2.12.0:

    • XPath injection protection: all XPath expressions now use value escaping instead of string interpolation
    • XXE prevention: the XML parser defaults to strict mode that rejects entity references
    • Dependency reduction: removes node-forge, pako, uuid, and camelcase in favor of Node built-ins

    PEM keys and certificates with leading whitespace are now normalized automatically before being passed to samlify. This prevents DECODER routines::unsupported errors when keys are copied from indented config files or environment variables.

    Requires Node 20+.

  • Updated dependencies [c7d2253, 6f2948e]:

    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

@better-auth/api-key@1.7.0-beta.1

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

auth@1.7.0-beta.1

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1
    • @better-auth/telemetry@1.7.0-beta.1

@better-auth/drizzle-adapter@1.7.0-beta.1

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.7.0-beta.1

@better-auth/i18n@1.7.0-beta.1

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

@better-auth/kysely-adapter@1.7.0-beta.1

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.7.0-beta.1

@better-auth/memory-adapter@1.7.0-beta.1

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.7.0-beta.1

@better-auth/mongo-adapter@1.7.0-beta.1

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.7.0-beta.1

@better-auth/passkey@1.7.0-beta.1

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

@better-auth/prisma-adapter@1.7.0-beta.1

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.7.0-beta.1

@better-auth/redis-storage@1.7.0-beta.1

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.7.0-beta.1

@better-auth/scim@1.7.0-beta.1

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

@better-auth/stripe@1.7.0-beta.1

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

@better-auth/telemetry@1.7.0-beta.1

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.7.0-beta.1

@better-auth/test-utils@1.7.0-beta.1

Patch Changes

  • Updated dependencies [c7d2253, 6f2948e]:
    • better-auth@1.7.0-beta.1
    • @better-auth/core@1.7.0-beta.1

@better-auth/core@1.7.0-beta.1


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
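The `at_hash` computation described in the #9079 entries for better-auth and @better-auth/oauth-provider above, as an added example that is not part of better-auth or of this PR: it picks the digest from the JWS `alg` using the rule those entries state, keeps the left half, base64url-encodes it, and on the relying-party side recompares in constant time and checks that a compact JWS header really carries the declared `alg` (the mismatch the entry says is caught for custom `jwt.sign` callbacks). It assumes Node's `node:crypto`; the function names are this example's own, the access token and `at_hash` value are the pair from OIDC Core 1.0 Appendix A.3, and the sample JWS is constructed here and unsigned.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

type HashName = "sha256" | "sha384" | "sha512";

// Digest selection as stated in the #9079 entry: EdDSA/Ed25519 -> SHA-512,
// *384 -> SHA-384, *512 -> SHA-512, everything else (RS256, ES256, PS256, ...)
// -> SHA-256. This mapping is the example's own, not better-auth's code.
function hashForAlg(alg: string): HashName {
  if (alg === "EdDSA" || alg === "Ed25519") return "sha512";
  if (alg.endsWith("384")) return "sha384";
  if (alg.endsWith("512")) return "sha512";
  return "sha256";
}

// OIDC Core 1.0 §3.1.3.6: at_hash is the base64url encoding of the left-most
// half of the hash of the ASCII access_token, using the hash that matches the
// ID token's JWS alg.
function computeAtHash(accessToken: string, alg: string): string {
  const digest = createHash(hashForAlg(alg)).update(accessToken, "ascii").digest();
  return digest.subarray(0, digest.length / 2).toString("base64url");
}

// Relying-party side: recompute from the access token that actually arrived
// alongside the ID token and compare in constant time. A mismatch means the
// access token was swapped for one this ID token was not issued with.
function verifyAtHash(claim: string | undefined, accessToken: string, alg: string): boolean {
  if (!claim) return false;
  const expected = Buffer.from(computeAtHash(accessToken, alg), "ascii");
  const actual = Buffer.from(claim, "ascii");
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Guard for a delegated signer: the compact JWS header must carry the alg the
// at_hash was computed for, otherwise verifiers select the wrong digest.
function headerAlgMatches(jws: string, declaredAlg: string): boolean {
  const rawHeader = jws.split(".")[0];
  if (!rawHeader) return false;
  try {
    const header = JSON.parse(Buffer.from(rawHeader, "base64url").toString("utf8"));
    return typeof header === "object" && header !== null && header.alg === declaredAlg;
  } catch {
    return false;
  }
}

// Test vector from OIDC Core 1.0 Appendix A.3 (RS256-signed ID token).
const SPEC_ACCESS_TOKEN = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y";
const SPEC_AT_HASH = "77QmUPtjPfzWtF2AnpK9RQ";

// Constructed, unsigned sample JWS (header.payload.) used only to exercise the
// header check; it is not a real token.
const SAMPLE_JWS = [
  Buffer.from(JSON.stringify({ alg: "ES256", typ: "JWT" })).toString("base64url"),
  Buffer.from(JSON.stringify({ sub: "248289761001", at_hash: SPEC_AT_HASH })).toString("base64url"),
  "",
].join(".");

// Runs the full flow: issuer-side computation matches the spec vector, the
// verifier accepts the genuine pair, rejects a substituted access token, and
// the header check catches an alg that differs from the declared one.
function demo(): boolean {
  return (
    computeAtHash(SPEC_ACCESS_TOKEN, "RS256") === SPEC_AT_HASH &&
    verifyAtHash(SPEC_AT_HASH, SPEC_ACCESS_TOKEN, "RS256") &&
    !verifyAtHash(SPEC_AT_HASH, SPEC_ACCESS_TOKEN + "x", "RS256") &&
    headerAlgMatches(SAMPLE_JWS, "ES256") &&
    !headerAlgMatches(SAMPLE_JWS, "RS256")
  );
}
```

Note that the digest choice follows the ID token's signature algorithm, not the access token's format, so a relying party must read `alg` from the verified JWS header before recomputing; checking the header against the algorithm the issuer declared is what prevents a delegated signer from producing a token whose `at_hash` no verifier can reproduce.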

GiteaMirror added the pull-request label 2026-04-13 10:38:56 -05:00
Reference: github-starred/better-auth#16698