[PR #6359] feat: implement cross-subdomain cookies plugin and fix TODOs #23515

New Issue

GiteaMirror · 2026-04-15T21:47:04-05:00

GiteaMirror commented

2026-04-15 21:47:04 -05:00

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/6359
Author: @CodewithEvilxd
Created: 11/27/2025
Status: 🔄 Open

Base: main ← Head: canary

📝 Commits (4)

65d7af9 feat: implement cross-subdomain cookies plugin and fix TODOs
865aa36 fix: address security and type issues in cross-subdomain plugin
5a6b931 style: fix linting issues
fb01ab2 fix: restore bun types in tsconfig

📊 Changes

11 files changed (+121 additions, -33 deletions)

View changed files

📝 demo/nextjs/package.json (+3 -1)
📝 demo/stateless/package.json (+3 -1)
📝 docs/content/docs/plugins/2fa.mdx (+0 -1)
📝 docs/package.json (+3 -1)
📝 packages/better-auth/package.json (+2 -0)
📝 packages/better-auth/src/context/helpers.ts (+2 -1)
➕ packages/better-auth/src/plugins/cross-subdomain.ts (+67 -0)
📝 packages/better-auth/src/plugins/jwt/jwt.test.ts (+28 -20)
📝 packages/better-auth/src/social.test.ts (+1 -2)
📝 pnpm-lock.yaml (+11 -5)
📝 tsconfig.base.json (+1 -1)

📄 Description

Summary

This pull request adds a new cross-subdomain cookies plugin and includes several code quality improvements to the Better Auth library.

Changes Made

New Features

Cross-Subdomain Cookies Plugin

Implemented a new internal plugin for handling cross-subdomain cookie authentication
Added automatic CORS header management for secure cookie sharing across subdomains
Created middleware that validates requests from subdomains and sets appropriate CORS headers
Included proper error handling for invalid URLs and edge cases

Bug Fixes and Improvements

JWT Test Optimization

Removed unnecessary API call in the JWKS test that was forcing JWK generation
The getJwks endpoint already handles JWK creation automatically, making the extra call redundant
Improved test performance by eliminating unnecessary operations

Type Safety Enhancements

Fixed type casting issues in social provider tests by removing 'as any' usage
Added proper type annotations to callback functions in JWT tests
Improved overall TypeScript compliance and code reliability

Documentation Corrections

Fixed incorrect parameter in 2FA plugin documentation
Removed non-existent callbackURL parameter from verifyTotp method example
Ensured documentation accurately reflects the actual API

Technical Details

Files Modified:

packages/better-auth/src/plugins/cross-subdomain.ts (new file)
packages/better-auth/src/context/helpers.ts
packages/better-auth/src/plugins/jwt/jwt.test.ts
packages/better-auth/src/social.test.ts
docs/content/docs/plugins/2fa.mdx

Testing:

All existing tests pass (1192 tests)
No breaking changes introduced
Maintains backward compatibility
Follows existing code patterns and conventions

Benefits

Enhanced security through cross-subdomain cookie support
Better developer experience with accurate documentation
Improved performance in test suite
Higher code quality with better type safety

Summary by cubic

Adds cross-subdomain cookie support with an internal plugin that sets safe CORS headers for subdomain requests. Also cleans up tests and types, and fixes 2FA docs to match the API.

New Features
- Added cross-subdomain cookies plugin to share auth cookies across subdomains.
- Middleware validates subdomain requests and applies CORS headers.
- Graceful handling of invalid Origin/Referer URLs.
Bug Fixes
- Removed redundant token call in JWKS test; the JWKS endpoint generates keys automatically.
- Improved type safety in JWT and social provider tests; no more as any.
- Corrected 2FA docs by removing the non-existent callbackURL from verifyTotp.
- Updated TS config and dev types to align with Node usage.

^{Written for commit fb01ab2c24. Summary will update automatically on new commits.}

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/6359 **Author:** [@CodewithEvilxd](https://github.com/CodewithEvilxd) **Created:** 11/27/2025 **Status:** 🔄 Open **Base:** `main` ← **Head:** `canary` --- ### 📝 Commits (4) - [`65d7af9`](https://github.com/better-auth/better-auth/commit/65d7af99ffa5e64ddfb730571f3391e219824a1a) feat: implement cross-subdomain cookies plugin and fix TODOs - [`865aa36`](https://github.com/better-auth/better-auth/commit/865aa36aac6de9413e1672fe552296b8547bf6dd) fix: address security and type issues in cross-subdomain plugin - [`5a6b931`](https://github.com/better-auth/better-auth/commit/5a6b9316120a1144cb418d1dc82b48ff3ea890b8) style: fix linting issues - [`fb01ab2`](https://github.com/better-auth/better-auth/commit/fb01ab2c246993012f44661aa47d94731c30348e) fix: restore bun types in tsconfig ### 📊 Changes **11 files changed** (+121 additions, -33 deletions) <details> <summary>View changed files</summary> 📝 `demo/nextjs/package.json` (+3 -1) 📝 `demo/stateless/package.json` (+3 -1) 📝 `docs/content/docs/plugins/2fa.mdx` (+0 -1) 📝 `docs/package.json` (+3 -1) 📝 `packages/better-auth/package.json` (+2 -0) 📝 `packages/better-auth/src/context/helpers.ts` (+2 -1) ➕ `packages/better-auth/src/plugins/cross-subdomain.ts` (+67 -0) 📝 `packages/better-auth/src/plugins/jwt/jwt.test.ts` (+28 -20) 📝 `packages/better-auth/src/social.test.ts` (+1 -2) 📝 `pnpm-lock.yaml` (+11 -5) 📝 `tsconfig.base.json` (+1 -1) </details> ### 📄 Description ## Summary This pull request adds a new cross-subdomain cookies plugin and includes several code quality improvements to the Better Auth library. ## Changes Made ### New Features **Cross-Subdomain Cookies Plugin** - Implemented a new internal plugin for handling cross-subdomain cookie authentication - Added automatic CORS header management for secure cookie sharing across subdomains - Created middleware that validates requests from subdomains and sets appropriate CORS headers - Included proper error handling for invalid URLs and edge cases ### Bug Fixes and Improvements **JWT Test Optimization** - Removed unnecessary API call in the JWKS test that was forcing JWK generation - The getJwks endpoint already handles JWK creation automatically, making the extra call redundant - Improved test performance by eliminating unnecessary operations **Type Safety Enhancements** - Fixed type casting issues in social provider tests by removing 'as any' usage - Added proper type annotations to callback functions in JWT tests - Improved overall TypeScript compliance and code reliability **Documentation Corrections** - Fixed incorrect parameter in 2FA plugin documentation - Removed non-existent callbackURL parameter from verifyTotp method example - Ensured documentation accurately reflects the actual API ## Technical Details **Files Modified:** - packages/better-auth/src/plugins/cross-subdomain.ts (new file) - packages/better-auth/src/context/helpers.ts - packages/better-auth/src/plugins/jwt/jwt.test.ts - packages/better-auth/src/social.test.ts - docs/content/docs/plugins/2fa.mdx **Testing:** - All existing tests pass (1192 tests) - No breaking changes introduced - Maintains backward compatibility - Follows existing code patterns and conventions ## Benefits - Enhanced security through cross-subdomain cookie support - Better developer experience with accurate documentation - Improved performance in test suite - Higher code quality with better type safety  --- ## Summary by cubic Adds cross-subdomain cookie support with an internal plugin that sets safe CORS headers for subdomain requests. Also cleans up tests and types, and fixes 2FA docs to match the API. - New Features - Added cross-subdomain cookies plugin to share auth cookies across subdomains. - Middleware validates subdomain requests and applies CORS headers. - Graceful handling of invalid Origin/Referer URLs. - Bug Fixes - Removed redundant token call in JWKS test; the JWKS endpoint generates keys automatically. - Improved type safety in JWT and social provider tests; no more `as any`. - Corrected 2FA docs by removing the non-existent `callbackURL` from `verifyTotp`. - Updated TS config and dev types to align with Node usage. <sup>Written for commit fb01ab2c246993012f44661aa47d94731c30348e. Summary will update automatically on new commits.</sup>  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-15 21:47:04 -05:00

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#23515