[PR #6086] fix(update-user): properly encode callbackURL parameters in update-user flows #23334

opened 2026-04-15 21:38:27 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/6086
Author: @hsklnet
Created: 11/19/2025
Status: 🔄 Open

Base: main ← Head: fix/encode-callbackURL-all-routes


📝 Commits (5)

  • a9eceb9 fix(update-user): properly encode callbackURL parameters
  • 59c2b72 test(sign-in): add callbackURL encoding test
  • 2d57796 test(sign-up): add callbackURL encoding test
  • 0e2607c test: use comprehensive callbackURL with special characters
  • 5ca6bcb Merge branch 'canary' into fix/encode-callbackURL-all-routes

📊 Changes

5 files changed (+249 additions, -38 deletions)

View changed files

📝 packages/better-auth/src/api/routes/email-verification.test.ts (+4 -25)
📝 packages/better-auth/src/api/routes/sign-in.test.ts (+45 -0)
📝 packages/better-auth/src/api/routes/sign-up.test.ts (+45 -0)
📝 packages/better-auth/src/api/routes/update-user.test.ts (+143 -0)
📝 packages/better-auth/src/api/routes/update-user.ts (+12 -13)

📄 Description

Description

Completes the callbackURL encoding fixes started in #5052 by addressing the remaining instances in update-user.ts.

Also adds test coverage for the existing fixes in sign-in.ts and sign-up.ts to prevent regression.

Related Issue

Fixes #5340

Changes

Fixes

  • update-user.ts: Encode callbackURL in deleteUser verification flow
  • update-user.ts: Encode callbackURL in changeEmail flow (unverified email)
  • update-user.ts: Encode callbackURL in changeEmail flow (verified email)

Tests Added

  • update-user.test.ts: Test for deleteUser callbackURL encoding
  • update-user.test.ts: Test for changeEmail callbackURL encoding (unverified)
  • update-user.test.ts: Test for changeEmail callbackURL encoding (verified)
  • sign-in.test.ts: Test for sign-in callbackURL encoding
  • sign-up.test.ts: Test for sign-up callbackURL encoding

Testing

All tests pass:

  • 19 tests in update-user.test.ts
  • 5 tests in sign-in.test.ts
  • 5 tests in sign-up.test.ts

Notes

This PR focuses on routes only. The following files with similar issues are out of scope:

  • oauth2/link-account.ts - Shared utility with complex OAuth flow
  • plugins/username/index.ts - Plugin, not a core route

Summary by cubic

Encode callbackURL in update-user verification links so URLs with query params or special characters are preserved. Adds tests in sign-in, sign-up, update-user, and email verification to prevent regressions.

  • Bug Fixes
    • update-user: Encode callbackURL in deleteUser verification flow.
    • update-user: Encode callbackURL in changeEmail when current email is unverified.
    • update-user: Encode callbackURL in changeEmail when current email is verified.

Written for commit 5ca6bcb3d4. Summary will update automatically on new commits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-15 21:38:27 -05:00
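
The failure mode the description refers to, as an added example that is not part of the PR or of better-auth's code: a verification link built by plain concatenation next to one built with `encodeURIComponent`, each parsed back the way a receiving handler would. The base URL, the `/verify-email` path, the token and the callback value are constructed for illustration.

```javascript
// Added example, not better-auth code. BASE, the /verify-email path, TOKEN and
// CALLBACK are constructed placeholders.
const BASE = "https://app.example.com/api/auth";
const TOKEN = "constructed-token";
// A callback carrying its own query string, an encoded space and a fragment.
const CALLBACK = "/dashboard?tab=settings&next=%2Fbilling%20info#plan";

// Unencoded pattern: the callback is concatenated into the query string as-is.
function buildLinkRaw(base, token, callbackURL) {
  return `${base}/verify-email?token=${token}&callbackURL=${callbackURL}`;
}

// Encoded pattern: the callback is percent-encoded as a single parameter value.
function buildLinkEncoded(base, token, callbackURL) {
  return `${base}/verify-email?token=${encodeURIComponent(token)}` +
    `&callbackURL=${encodeURIComponent(callbackURL)}`;
}

// What a URL parser recovers from the link: the outer parameter names, the
// callbackURL value, and any fragment that ended up on the outer URL.
function inspectLink(link) {
  const url = new URL(link);
  return {
    params: [...url.searchParams.keys()],
    callbackURL: url.searchParams.get("callbackURL"),
    fragment: url.hash,
  };
}

// Regression-style check: the callback survives intact and contributes no
// parameters or fragment of its own to the verification link.
function roundTrips(link, expectedCallback) {
  const seen = inspectLink(link);
  return seen.callbackURL === expectedCallback &&
    seen.params.length === 2 &&
    seen.params.includes("token") &&
    seen.fragment === "";
}

console.log(inspectLink(buildLinkRaw(BASE, TOKEN, CALLBACK)));
console.log(inspectLink(buildLinkEncoded(BASE, TOKEN, CALLBACK)));
```

With the unencoded link, the callback's inner `next` parameter and `#plan` fragment become part of the verification URL itself, so a callback parameter that shares a name with one of the link's own (such as `token`) would appear twice in the outer query string.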

Reference: github-starred/better-auth#23334