[PR #4847] [CLOSED] feat: added device binding Fixes PR: #4274 #22512

Closed
opened 2026-04-15 21:05:57 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/4847
Author: @walosha
Created: 9/23/2025
Status: Closed

Base: canary ← Head: feat/device-binding


📝 Commits (10+)

  • a036cf5 feat: added device binding
  • 5a6e71e import to index
  • 27b8f61 fix errors
  • 736a3f1 undo demo files
  • 69e27fa added docs for device binding
  • cad8387 Merge branch 'canary' into feat/device-binding
  • cc112ca Merge branch 'canary' into feat/device-binding
  • 2423cca Merge branch 'canary' into feat/device-binding
  • ceaea44 Merge branch 'better-auth:canary' into feat/device-binding
  • 719f0d1 Merge branch 'canary' into feat/device-binding

📊 Changes

14 files changed (+2085 additions, -20 deletions)

View changed files

📝 docs/components/sidebar-content.tsx (+11 -0)
➕ docs/content/docs/plugins/device-binding.mdx (+676 -0)
📝 packages/better-auth/package.json (+8 -8)
➕ packages/better-auth/src/plugins/device-binding/client.ts (+236 -0)
➕ packages/better-auth/src/plugins/device-binding/index.ts (+917 -0)
➕ packages/better-auth/src/plugins/device-binding/schema.ts (+146 -0)
➕ packages/better-auth/src/plugins/device-binding/types.ts (+78 -0)
📝 packages/better-auth/src/plugins/index.ts (+1 -0)
📝 packages/cli/package.json (+2 -2)
📝 packages/core/package.json (+2 -2)
📝 packages/expo/package.json (+2 -2)
📝 packages/sso/package.json (+2 -2)
📝 packages/stripe/package.json (+2 -2)
📝 packages/telemetry/package.json (+2 -2)

📄 Description

Summary by cubic

Add device binding to verify and trust user devices, block sign-ins from unknown devices, and manage trusted devices. Includes new server endpoints, a client plugin with helpers, cookie-based trust, and schema updates.

  • New Features

    • Server endpoints: /device-binding/register (OTP flow), /device-binding/trust, /device-binding/list, /device-binding/remove, /device-binding/status.
    • Strict mode: block login on untrusted devices; first device can auto-trust; limits and expiry for trusted devices.
    • Options: trustDuration, maxTrustedDevices, autoRegisterDevice, custom fingerprint, sendOTP, verifyTOTP/OTP.
    • Cookie-based trust (better_auth_device_binding) tied to deviceId and fingerprint; auto-renewed on login.
    • Fingerprinting combines headers and provided deviceInfo; rate limits added for all device-binding routes.
    • Client plugin and helpers for register, request/verify OTP, trust, list, remove, and status checks.
  • Migration

    • Apply schema changes: add user fields (deviceBindingEnabled, hasRegisteredDevice) and create deviceBinding and deviceVerificationOTP tables.
    • Configure sendOTP and 2FA verification functions in plugin options.
    • Initialize deviceBindingClient and handle onDeviceVerificationRequired/OTP flows in the app; ensure first-device registration if strict mode is enabled.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
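
One way to implement the cookie-based trust check the summary describes: a signed `better_auth_device_binding` value tied to deviceId and fingerprint, with an expiry. This is an added example, not code from the PR or from better-auth. The payload layout, the HMAC-SHA256 signing, the headers chosen in `fingerprint`, and the `isDeviceTrusted` lookup are assumptions.

```javascript
const { createHash, createHmac, timingSafeEqual } = require("node:crypto");

// Assumed fingerprint: SHA-256 over selected request headers plus client-supplied deviceInfo.
function fingerprint(headers, deviceInfo = {}) {
  const parts = [headers["user-agent"] ?? "", headers["accept-language"] ?? "",
    deviceInfo.platform ?? "", deviceInfo.screen ?? ""];
  return createHash("sha256").update(JSON.stringify(parts)).digest("hex");
}

const mac = (secret, payload) =>
  createHmac("sha256", secret).update(payload).digest("base64url");

// Cookie value layout (assumed): base64url(JSON {deviceId, fp, exp}) + "." + HMAC tag.
function issueTrustCookie(secret, deviceId, fp, trustDurationSec, now = Date.now()) {
  const body = JSON.stringify({ deviceId, fp, exp: now + trustDurationSec * 1000 });
  const payload = Buffer.from(body).toString("base64url");
  return `${payload}.${mac(secret, payload)}`;
}

// Returns { trusted, reason?, deviceId? }.
// isDeviceTrusted is a hypothetical lookup against the server-side trusted-device record,
// so a device removed on the server is rejected even while its cookie is unexpired.
function verifyTrustCookie(secret, value, currentFp, isDeviceTrusted, now = Date.now()) {
  const deny = (reason) => ({ trusted: false, reason });
  const [payload, tag, extra] = String(value ?? "").split(".");
  if (!payload || !tag || extra !== undefined) return deny("malformed");
  const expected = Buffer.from(mac(secret, payload));
  const given = Buffer.from(tag);
  // Check the MAC in constant time before parsing anything the client sent.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return deny("bad-signature");
  }
  const { deviceId, fp, exp } = JSON.parse(Buffer.from(payload, "base64url").toString());
  if (now >= exp) return deny("expired");
  if (fp !== currentFp) return deny("fingerprint-mismatch");
  if (!isDeviceTrusted(deviceId)) return deny("revoked");
  return { trusted: true, deviceId };
}
```

The signature only proves the server issued the value. The fingerprint inputs are client-controlled, so the server-side device record stays the authority on whether a device is trusted.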

GiteaMirror added the pull-request label 2026-04-15 21:05:57 -05:00

Reference: github-starred/better-auth#22512