[PR #9081] [MERGED] chore: release v1.6.3 #25324

Closed
opened 2026-04-15 22:50:09 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/9081
Author: @better-release[bot]
Created: 4/9/2026
Status: Merged
Merged: 4/14/2026
Merged by: @gustavovalverde

Base: main ← Head: changeset-release/main


📝 Commits (1)

948029f chore: release

📊 Changes

54 files changed (+276 additions, -156 deletions)

➖ .changeset/dcr-graceful-override-confidential.md (+0 -25)
➖ .changeset/dynamic-baseurl-hardening.md (+0 -21)
➖ .changeset/fix-2fa-bypass.md (+0 -7)
➖ .changeset/fix-backup-codes-storage.md (+0 -7)
➖ .changeset/fix-password-reset-callback-operation-id.md (+0 -5)
➖ .changeset/fix-stripe-defu-prototype-pollution.md (+0 -7)
➖ .changeset/honest-regions-jam.md (+0 -5)
➖ .changeset/honest-symbols-stick.md (+0 -5)
➖ .changeset/lovely-toes-swim.md (+0 -5)
➖ .changeset/oauth-provider-token-refactor.md (+0 -9)
➖ .changeset/pr-8926.md (+0 -5)
➖ .changeset/pr-9032.md (+0 -5)
➖ .changeset/pr-9084.md (+0 -5)
➖ .changeset/sso-saml-hardening.md (+0 -25)
📝 packages/api-key/CHANGELOG.md (+8 -0)
📝 packages/api-key/package.json (+1 -1)
📝 packages/better-auth/CHANGELOG.md (+48 -0)
📝 packages/better-auth/package.json (+1 -1)
📝 packages/cli/CHANGELOG.md (+11 -0)
📝 packages/cli/package.json (+1 -1)

...and 34 more files

📄 Description

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@better-auth/api-key@1.6.3

Patch Changes

  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

better-auth@1.6.3

Patch Changes

  • #9131 5142e9c Thanks @gustavovalverde! - harden dynamic baseURL handling for direct auth.api.* calls and plugin metadata helpers

    Direct auth.api.* calls

    • Throw APIError with a clear message when the baseURL can't be resolved (no source and no fallback), instead of leaving ctx.context.baseURL = "" for downstream plugins to crash on.
    • Convert allowedHosts mismatches on the direct-API path to APIError.
    • Honor advanced.trustedProxyHeaders on the dynamic path (default true, unchanged). Previously x-forwarded-host / -proto were unconditionally trusted with allowedHosts; they now go through the same gate as the static path. The default flip to false ships in a follow-up PR.
    • resolveRequestContext rehydrates trustedProviders and cookies per call (in addition to trustedOrigins). User-defined trustedOrigins(req) / trustedProviders(req) callbacks receive a Request synthesized from forwarded headers when no full Request is available.
    • Infer http for loopback hosts (localhost, 127.0.0.1, [::1], 0.0.0.0) on the headers-only protocol fallback, so local-dev calls don't silently resolve to https://localhost:3000.
    • hasRequest uses isRequestLike, which now rejects objects that spoof Symbol.toStringTag without a real url / headers.get shape.

    Plugin metadata helpers

    • oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oAuthDiscoveryMetadata, and oAuthProtectedResourceMetadata forward the incoming request to their chained auth.api calls, so issuer and discovery URLs reflect the request host on dynamic configs.
    • withMcpAuth forwards the incoming request to getMcpSession, threads trustedProxyHeaders, and emits a bare Bearer challenge when baseURL can't be resolved (instead of Bearer resource_metadata="undefined/...").
    • metadataResponse in @better-auth/oauth-provider normalizes headers via new Headers() so callers can pass Headers, tuple arrays, or records without silently dropping entries.
  • #9122 484ce6a Thanks @gustavovalverde! - fix(two-factor): enforce 2FA on all sign-in paths

    The 2FA after-hook now triggers on any endpoint that creates a new session, covering magic-link, OAuth, passkey, email-OTP, SIWE, and all future sign-in methods. Authenticated requests (session refreshes, profile updates) are excluded.

  • #7231 f875897 Thanks @Byte-Biscuit! - fix(two-factor): preserve backup codes storage format after verification

    After using a backup code, remaining codes are now re-saved using the same storeBackupCodes strategy (plain, encrypted, or custom) configured by the user. Previously, codes were always re-encrypted with the built-in symmetric encryption, breaking subsequent verifications for plain or custom storage modes.

  • #9072 6ce30cf Thanks @ramonclaudio! - fix(api): align top-level operationId on requestPasswordResetCallback with the OpenAPI resetPasswordCallback

  • #8389 f6428d0 Thanks @Oluwatobi-Mustapha! - fix(open-api): correct get-session nullable schema for OAS 3.1

  • #9078 9a6d475 Thanks @ping-maxwell! - fix(client): prevent isMounted race condition causing many rps

  • #9113 513dabb Thanks @bytaesu! - resolve dynamic baseURL from request headers on direct auth.api calls

  • #8926 c5066fe Thanks @bytaesu! - omit quantity for metered prices in checkout and upgrades

  • #9084 5f84335 Thanks @bytaesu! - support Stripe SDK v21 and v22

  • Updated dependencies []:

    • @better-auth/core@1.6.3
    • @better-auth/drizzle-adapter@1.6.3
    • @better-auth/kysely-adapter@1.6.3
    • @better-auth/memory-adapter@1.6.3
    • @better-auth/mongo-adapter@1.6.3
    • @better-auth/prisma-adapter@1.6.3
    • @better-auth/telemetry@1.6.3

auth@1.6.3

Patch Changes

  • #9032 4673c6d Thanks @bytaesu! - fix tsconfig path alias resolution for extended configs and mid-path wildcards

  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3
    • @better-auth/telemetry@1.6.3

@better-auth/drizzle-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/electron@1.6.3

Patch Changes

  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/expo@1.6.3

Patch Changes

  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/i18n@1.6.3

Patch Changes

  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/kysely-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/memory-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/mongo-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/oauth-provider@1.6.3

Patch Changes

  • #9123 e2e25a4 Thanks @gustavovalverde! - fix(oauth-provider): override confidential auth methods to public in unauthenticated DCR

    When allowUnauthenticatedClientRegistration is enabled, unauthenticated DCR requests that specify client_secret_post, client_secret_basic, or omit token_endpoint_auth_method (which defaults to client_secret_basic per RFC 7591 §2) are now silently overridden to token_endpoint_auth_method: "none" (public client) instead of being rejected with HTTP 401.

    This follows RFC 7591 §3.2.1, which allows the server to "reject or replace any of the client's requested metadata values submitted during the registration and substitute them with suitable values." The registration response communicates the actual method back to the client, allowing compliant clients to adjust.

    This fixes interoperability with real-world MCP clients (Claude, Codex, Factory Droid, and others) that send token_endpoint_auth_method: "client_secret_post" in their DCR payload because the server metadata advertises it in token_endpoint_auth_methods_supported.

    Closes #8588

  • #9131 5142e9c Thanks @gustavovalverde! - harden dynamic baseURL handling for direct auth.api.* calls and plugin metadata helpers

    Direct auth.api.* calls

    • Throw APIError with a clear message when the baseURL can't be resolved (no source and no fallback), instead of leaving ctx.context.baseURL = "" for downstream plugins to crash on.
    • Convert allowedHosts mismatches on the direct-API path to APIError.
    • Honor advanced.trustedProxyHeaders on the dynamic path (default true, unchanged). Previously x-forwarded-host / -proto were unconditionally trusted with allowedHosts; they now go through the same gate as the static path. The default flip to false ships in a follow-up PR.
    • resolveRequestContext rehydrates trustedProviders and cookies per call (in addition to trustedOrigins). User-defined trustedOrigins(req) / trustedProviders(req) callbacks receive a Request synthesized from forwarded headers when no full Request is available.
    • Infer http for loopback hosts (localhost, 127.0.0.1, [::1], 0.0.0.0) on the headers-only protocol fallback, so local-dev calls don't silently resolve to https://localhost:3000.
    • hasRequest uses isRequestLike, which now rejects objects that spoof Symbol.toStringTag without a real url / headers.get shape.

    Plugin metadata helpers

    • oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oAuthDiscoveryMetadata, and oAuthProtectedResourceMetadata forward the incoming request to their chained auth.api calls, so issuer and discovery URLs reflect the request host on dynamic configs.
    • withMcpAuth forwards the incoming request to getMcpSession, threads trustedProxyHeaders, and emits a bare Bearer challenge when baseURL can't be resolved (instead of Bearer resource_metadata="undefined/...").
    • metadataResponse in @better-auth/oauth-provider normalizes headers via new Headers() so callers can pass Headers, tuple arrays, or records without silently dropping entries.
  • #9118 314e06f Thanks @gustavovalverde! - feat(oauth-provider): add customTokenResponseFields callback and Zod validation for authorization codes

    Add customTokenResponseFields callback to OAuthOptions for injecting custom fields into token endpoint responses across all grant types. Standard OAuth fields (access_token, token_type, etc.) cannot be overridden. Follows the same pattern as customAccessTokenClaims and customIdTokenClaims.

    Authorization code verification values are now validated with a Zod schema at deserialization, consistently returning invalid_verification errors for malformed or corrupted values instead of potential 500s.

  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/passkey@1.6.3

Patch Changes

  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/prisma-adapter@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/redis-storage@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/scim@1.6.3

Patch Changes

  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/sso@1.6.3

Patch Changes

  • #9097 52c4751 Thanks @gustavovalverde! - fix(sso): unify SAML response processing and fix provider/config bugs

    Bug fixes:

    • Fix SP metadata endpoint using internal row ID instead of providerId in ACS URL
    • Fix acsEndpoint skipping DB provider lookup when defaultSSO is configured
    • Fix acsEndpoint missing encryption fields (isAssertionEncrypted, encPrivateKey), which caused silent decryption failures
    • Fix defaultSSO config parsing in callback path (safeJsonParse on already-parsed objects)
    • Fix createSP missing callbackUrl fallback to auto-generated ACS URL
    • Complete createSP/createIdP helpers with all encryption and signing fields

    Behavioral changes:

    • ACS error redirect query parameters now use uppercase error codes (e.g. error=SAML_MULTIPLE_ASSERTIONS instead of error=multiple_assertions). If your application parses these error codes from the redirect URL, update the expected values.
    • SAML provider registration now rejects configs with no usable IdP entry point (no valid entryPoint URL, no idpMetadata.metadata, and no idpMetadata.singleSignOnService). Previously these would register successfully but fail at sign-in.
    • entryPoint validation tightened from startsWith("http") to new URL() parsing, rejecting malformed URLs like http:evil or http//missing-colon.

    Refactoring (no API changes):

    • Extract shared processSAMLResponse pipeline to eliminate ~500 lines of duplicated logic between callbackSSOSAML and acsEndpoint
    • Move validateSAMLTimestamp to saml/timestamp.ts (re-exported from original location for compatibility)
  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/stripe@1.6.3

Patch Changes

  • #9164 390a031 Thanks @gustavovalverde! - fix(stripe): drop unsafe keys when merging user-supplied metadata

    The Stripe plugin previously merged ctx.body.metadata through defu, which was vulnerable to prototype pollution when attacker-controlled __proto__ keys reached the second argument. Since Stripe metadata is a flat Record<string, string>, the deep-merge was never exercised on that path. The merge now ignores __proto__, constructor, and prototype, so the user-controlled surface no longer depends on defu. The remaining defu call sites (deep-merging developer-supplied CustomerCreateParams) also receive the patched range.

  • Updated dependencies [5142e9c, 484ce6a, f875897, 6ce30cf, f6428d0, 9a6d475, 513dabb, c5066fe, 5f84335]:

    • better-auth@1.6.3
    • @better-auth/core@1.6.3

@better-auth/telemetry@1.6.3

Patch Changes

  • Updated dependencies []:
    • @better-auth/core@1.6.3

@better-auth/test-utils@1.6.3

Patch Changes

@better-auth/core@1.6.3

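The #9131 entry above (dynamic baseURL hardening for direct auth.api.* calls) describes several rules in prose: fail with an APIError when no host can be resolved and no fallback exists, treat allowedHosts mismatches as APIError, only believe x-forwarded-host / x-forwarded-proto when the trustedProxyHeaders gate allows it, infer http for loopback hosts on the headers-only fallback, and reject request look-alikes that only spoof Symbol.toStringTag. The following is an added example modelling those rules in a small resolver; it is not better-auth's code. APIError, ResolveOptions, the exact-match allowedHosts rule and the "first value of a comma-separated forwarded chain" choice are this example's own assumptions.

```typescript
// Added example, not better-auth's implementation. APIError, ResolveOptions and
// the exact-match allowedHosts rule are assumptions of this example.

class APIError extends Error {
  readonly status: "BAD_REQUEST" | "FORBIDDEN";
  constructor(status: "BAD_REQUEST" | "FORBIDDEN", message: string) {
    super(message);
    this.name = "APIError";
    this.status = status;
  }
}

interface ResolveOptions {
  /** Static baseURL used only when the request carries no usable host. */
  fallback?: string;
  /** Hosts the server answers for; anything else is an APIError (exact match, assumed). */
  allowedHosts?: string[];
  /** Whether forwarded headers are believed; default true, as the changeset states. */
  trustedProxyHeaders?: boolean;
}

// Loopback hosts listed in the changeset: they get http, not https, when no protocol header exists.
const LOOPBACK_HOSTS: ReadonlySet<string> = new Set(["localhost", "127.0.0.1", "[::1]", "0.0.0.0"]);

/** Strip a port from a Host value, keeping a bracketed IPv6 literal intact. */
function hostnameOf(host: string): string {
  if (host.startsWith("[")) {
    const close = host.indexOf("]");
    return close === -1 ? host : host.slice(0, close + 1);
  }
  const colon = host.indexOf(":");
  return colon === -1 ? host : host.slice(0, colon);
}

/** Resolve "<proto>://<host>" from lower-cased header names, or throw APIError. */
function resolveBaseURL(headers: Record<string, string>, opts: ResolveOptions = {}): string {
  const trustProxy = opts.trustedProxyHeaders ?? true;
  const header = (name: string): string | undefined => headers[name]?.trim() || undefined;

  // Forwarded headers pass through the same gate as the static path; the first
  // value of a comma-separated x-forwarded-host chain is the client-facing host.
  const forwardedHost = trustProxy ? header("x-forwarded-host")?.split(",")[0]?.trim() : undefined;
  const host = forwardedHost || header("host");

  if (!host) {
    if (opts.fallback) return opts.fallback;
    // Fail loudly instead of leaving baseURL = "" for downstream plugins to crash on.
    throw new APIError("BAD_REQUEST", "baseURL could not be resolved: no Host header and no fallback configured");
  }
  if (opts.allowedHosts && !opts.allowedHosts.includes(host)) {
    throw new APIError("FORBIDDEN", `host "${host}" is not in allowedHosts`);
  }

  const forwardedProto = trustProxy ? header("x-forwarded-proto")?.split(",")[0]?.trim() : undefined;
  // Headers-only protocol fallback: loopback hosts are local dev, everything else is assumed TLS.
  const proto = forwardedProto || (LOOPBACK_HOSTS.has(hostnameOf(host)) ? "http" : "https");
  return `${proto}://${host}`;
}

/** Structural Request check: a spoofed Symbol.toStringTag alone is not a Request. */
function isRequestLike(value: unknown): value is { url: string; headers: { get(name: string): string | null } } {
  if (typeof value !== "object" || value === null) return false;
  const candidate = value as { url?: unknown; headers?: unknown };
  const headers = candidate.headers as { get?: unknown } | null | undefined;
  return typeof candidate.url === "string" && typeof headers?.get === "function";
}
```

With the gate open (the current default), a request arriving as `Host: 10.0.0.5:3000` behind a proxy that sets `x-forwarded-host: app.example.com` resolves to `https://app.example.com`; with `trustedProxyHeaders: false` the same headers resolve to `https://10.0.0.5:3000`, which is the behaviour the announced default flip will make standard.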
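The #9123 entry in the @better-auth/oauth-provider section describes how an unauthenticated dynamic client registration that asks for a confidential auth method (or omits the field, which RFC 7591 §2 defaults to client_secret_basic) is answered with token_endpoint_auth_method: "none" rather than HTTP 401, with the response telling the client what it actually got. The following is an added example of that normalisation, not better-auth's code; the type names, the `authenticated` flag and the client_id / client_secret issuance are this example's assumptions.

```typescript
// Added example, not better-auth's implementation. RegistrationRequest,
// DcrOptions and the `authenticated` flag are assumptions of this example.
import { randomBytes, randomUUID } from "node:crypto";

type TokenEndpointAuthMethod = "none" | "client_secret_basic" | "client_secret_post";

interface RegistrationRequest {
  client_name: string;
  redirect_uris: string[];
  token_endpoint_auth_method?: TokenEndpointAuthMethod;
}

interface RegistrationResponse {
  client_id: string;
  client_secret?: string;
  client_name: string;
  redirect_uris: string[];
  token_endpoint_auth_method: TokenEndpointAuthMethod;
}

interface DcrOptions {
  allowUnauthenticatedClientRegistration: boolean;
  /** Did the registration request carry a valid initial access token? (assumed flag) */
  authenticated: boolean;
  issueClientId?: () => string;
  issueClientSecret?: () => string;
}

class DcrError extends Error {
  readonly status: number;
  constructor(status: number, message: string) {
    super(message);
    this.name = "DcrError";
    this.status = status;
  }
}

const CONFIDENTIAL_METHODS = new Set<TokenEndpointAuthMethod>(["client_secret_basic", "client_secret_post"]);

/** Register a client, downgrading confidential methods to public for anonymous registrants. */
function registerClient(req: RegistrationRequest, opts: DcrOptions): RegistrationResponse {
  // RFC 7591 §2: an omitted token_endpoint_auth_method means client_secret_basic.
  const requested: TokenEndpointAuthMethod = req.token_endpoint_auth_method ?? "client_secret_basic";
  let method: TokenEndpointAuthMethod = requested;

  if (!opts.authenticated) {
    if (!opts.allowUnauthenticatedClientRegistration) {
      throw new DcrError(401, "client registration requires authentication");
    }
    // RFC 7591 §3.2.1 lets the server replace requested metadata with suitable values:
    // an anonymous registrant cannot be trusted with a secret, so it becomes a public client.
    if (CONFIDENTIAL_METHODS.has(requested)) method = "none";
  }

  const issueClientId = opts.issueClientId ?? (() => randomUUID());
  const issueClientSecret = opts.issueClientSecret ?? (() => randomBytes(32).toString("base64url"));

  const response: RegistrationResponse = {
    client_id: issueClientId(),
    client_name: req.client_name,
    redirect_uris: req.redirect_uris,
    token_endpoint_auth_method: method, // the client learns the actual method from here
  };
  // Only confidential clients receive a secret; a public client gets none.
  if (method !== "none") response.client_secret = issueClientSecret();
  return response;
}
```

A client that sent client_secret_post because it appeared in token_endpoint_auth_methods_supported reads "none" back from the response and, if it follows the RFC, uses no client authentication at the token endpoint; a registrant that did authenticate keeps the method it asked for.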
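The #9097 entry in the @better-auth/sso section says entryPoint validation moved from startsWith("http") to new URL() parsing and that provider registration now rejects configs with no usable IdP entry point. The following added example (not better-auth's code) puts the old prefix check beside a parsing validator. One caveat a practitioner should know: the WHATWG parser in Node normalises a scheme-only input such as "http:evil" to "http://evil/" instead of throwing, so this example additionally requires an explicit "://" authority marker and an http(s) scheme; that extra strictness, the config shape and the singleSignOnService entry shape are this example's own assumptions.

```typescript
// Added example, not better-auth's implementation. The SamlProviderConfig shape
// and the explicit "://" requirement are assumptions of this example.

/** The old check: anything starting with "http" passes, including "http:evil" and "httpfoo". */
function isEntryPointLoose(value: string): boolean {
  return value.startsWith("http");
}

/** Parse with new URL() and require an absolute http(s) URL whose authority is spelled out. */
function isEntryPointStrict(value: string): boolean {
  let url: URL;
  try {
    url = new URL(value); // throws on scheme-less input such as "http//missing-colon"
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // new URL("http:evil") parses as http://evil/ rather than failing, so insist
  // that the caller actually wrote "<scheme>://".
  return value.toLowerCase().startsWith(`${url.protocol}//`);
}

interface IdpMetadata {
  metadata?: string; // raw IdP metadata XML (assumed to be usable as-is when present)
  singleSignOnService?: { Location: string }[]; // assumed shape
}

interface SamlProviderConfig {
  entryPoint?: string;
  idpMetadata?: IdpMetadata;
}

/** Mirror the registration rule: some valid entry point must exist, or the config is rejected. */
function hasUsableEntryPoint(config: SamlProviderConfig): boolean {
  if (config.entryPoint !== undefined && isEntryPointStrict(config.entryPoint)) return true;
  if (config.idpMetadata?.metadata) return true;
  const services = config.idpMetadata?.singleSignOnService ?? [];
  return services.some((service) => isEntryPointStrict(service.Location));
}
```

Rejecting such configs at registration time, rather than letting them fail at sign-in, turns a confusing runtime SSO failure into an immediate configuration error.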
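The #9164 entry in the @better-auth/stripe section explains that user-supplied metadata was previously deep-merged through defu, that a "__proto__" key reaching the second argument could pollute the prototype chain, and that the flat Stripe metadata shape never needed a deep merge in the first place. The following added example (not better-auth's or defu's code) shows a naive recursive merge of the vulnerable kind beside a flat merge that drops "__proto__", "constructor" and "prototype" and keeps only string values; the request bodies are constructed for the example.

```typescript
// Added example, not better-auth's or defu's implementation. The payloads are constructed.

/** Naive deep merge: walks into target[key] for object values, so a "__proto__" key reaches Object.prototype. */
function naiveDeepMerge(target: Record<string, unknown>, source: Record<string, unknown>): Record<string, unknown> {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const existing = target[key]; // for key "__proto__" this is Object.prototype itself
      if (existing === null || typeof existing !== "object") target[key] = {};
      naiveDeepMerge(target[key] as Record<string, unknown>, value as Record<string, unknown>);
    } else {
      target[key] = value;
    }
  }
  return target;
}

/** Run the naive merge on a JSON body carrying "__proto__", report whether a fresh object was affected, then undo it. */
function demonstratePollution(): boolean {
  const body = JSON.parse('{"__proto__": {"polluted": "yes"}}') as Record<string, unknown>;
  naiveDeepMerge({}, body);
  const polluted = ({} as { polluted?: string }).polluted === "yes";
  delete (Object.prototype as { polluted?: string }).polluted; // clean up so the rest of the process is unaffected
  return polluted;
}

const UNSAFE_KEYS: ReadonlySet<string> = new Set(["__proto__", "constructor", "prototype"]);

/** Stripe metadata is a flat Record<string, string>: copy safe string entries only, no deep merge. */
function mergeMetadata(base: Record<string, string>, userSupplied: unknown): Record<string, string> {
  const merged: Record<string, string> = { ...base };
  if (userSupplied === null || typeof userSupplied !== "object" || Array.isArray(userSupplied)) return merged;
  for (const [key, value] of Object.entries(userSupplied)) {
    if (UNSAFE_KEYS.has(key)) continue; // the request body never gets to choose the prototype chain
    if (typeof value !== "string") continue; // nested objects are not valid Stripe metadata anyway
    merged[key] = value;
  }
  return merged;
}
```

The hardened merge is a plain loop with an explicit deny-list, so the user-controlled path no longer depends on a third-party deep-merge at all, which matches the changeset's point that the deep-merge was never needed for that input.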

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

**Refactoring (no API changes):** - Extract shared `processSAMLResponse` pipeline to eliminate ~500 lines of duplicated logic between `callbackSSOSAML` and `acsEndpoint` - Move `validateSAMLTimestamp` to `saml/timestamp.ts` (re-exported from original location for compatibility) - Updated dependencies \[[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: - better-auth@1.6.3 - @better-auth/core@1.6.3 ## @better-auth/stripe@1.6.3 ### Patch Changes - [#9164](https://github.com/better-auth/better-auth/pull/9164) [`390a031`](https://github.com/better-auth/better-auth/commit/390a03190c988776e53c5e64cf6c2f60db1c5415) Thanks [@gustavovalverde](https://github.com/gustavovalverde)! - fix(stripe): drop unsafe keys when merging user-supplied metadata The Stripe plugin previously merged `ctx.body.metadata` through `defu`, which was vulnerable to prototype pollution when attacker-controlled `__proto__` keys reached the second argument. Since Stripe metadata is a flat `Record<string, string>`, the deep-merge was never exercised on that path. 
The merge now ignores `__proto__`, `constructor`, and `prototype`, so the user-controlled surface no longer depends on `defu`. The remaining `defu` call sites (deep-merging developer-supplied `CustomerCreateParams`) also receive the patched range. - Updated dependencies \[[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), [`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: - better-auth@1.6.3 - @better-auth/core@1.6.3 ## @better-auth/telemetry@1.6.3 ### Patch Changes - Updated dependencies \[]: - @better-auth/core@1.6.3 ## @better-auth/test-utils@1.6.3 ### Patch Changes - Updated dependencies \[[`5142e9c`](https://github.com/better-auth/better-auth/commit/5142e9cec55825eb14da0f14022ae02d3c9dfd45), [`484ce6a`](https://github.com/better-auth/better-auth/commit/484ce6a262c39b9c1be91d37774a2a13de3a5a1f), [`f875897`](https://github.com/better-auth/better-auth/commit/f8758975ae475429d56b34aa6067e304ee973c8f), [`6ce30cf`](https://github.com/better-auth/better-auth/commit/6ce30cf13853619b9022e93bd6ecb956bc32482d), [`f6428d0`](https://github.com/better-auth/better-auth/commit/f6428d02fcabc2e628f39b0e402f1a6eb0602649), 
[`9a6d475`](https://github.com/better-auth/better-auth/commit/9a6d4759cd4451f0535d53f171bcfc8891c41db7), [`513dabb`](https://github.com/better-auth/better-auth/commit/513dabb132e2c08a5b6d3b7e88dd397fcd66c1af), [`c5066fe`](https://github.com/better-auth/better-auth/commit/c5066fe5d68babf2376cfc63d813de5542eca463), [`5f84335`](https://github.com/better-auth/better-auth/commit/5f84335815d75410320bdfa665a6712d3416b04f)]: - better-auth@1.6.3 - @better-auth/core@1.6.3 ## @better-auth/core@1.6.3 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
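The `@better-auth/stripe` entry above describes replacing a `defu` deep merge of `ctx.body.metadata` with a merge that ignores `__proto__`, `constructor` and `prototype`. The following TypeScript is an added illustration of that filter, not better-auth's own code: `mergeMetadata`, `UNSAFE_KEYS`, `SAMPLE_BODY` and the sample request body are hypothetical, constructed here so the block runs offline.

```typescript
// Added example, not better-auth's own code: a flat merge for Stripe-style
// metadata that drops the keys a deep merge could use to reach Object.prototype.
// `mergeMetadata`, `UNSAFE_KEYS` and `SAMPLE_BODY` are hypothetical names.
type Metadata = Record<string, string>;

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

/** Copy `base`, then add the string entries of `extra`; unsafe keys are ignored. */
export function mergeMetadata(base: Metadata, extra: unknown): Metadata {
  // A null-prototype result means a surviving key can never shadow or resolve
  // to an inherited property when a later consumer reads it by name.
  const out: Metadata = Object.create(null);
  for (const [k, v] of Object.entries(base)) out[k] = v;
  if (extra === null || typeof extra !== "object" || Array.isArray(extra)) {
    return out; // metadata must be a plain object; anything else is ignored
  }
  for (const [k, v] of Object.entries(extra as Record<string, unknown>)) {
    if (UNSAFE_KEYS.has(k)) continue; // drop __proto__, constructor, prototype
    if (typeof v !== "string") continue; // Stripe metadata is flat string -> string
    out[k] = v;
  }
  return out;
}

// Constructed sample request body. Parsed with JSON.parse so "__proto__" and
// "constructor" arrive as own properties, exactly as they would from a client.
export const SAMPLE_BODY: { metadata: unknown } = JSON.parse(
  '{"metadata":{"plan":"pro","__proto__":{"isAdmin":"true"},' +
    '"constructor":{"prototype":{"isAdmin":"true"}},"nested":{"a":"b"}}}',
);

/** Merge the sample body's metadata over server-side defaults. */
export function mergedSample(): Metadata {
  return mergeMetadata({ source: "better-auth" }, SAMPLE_BODY.metadata);
}

/** True when nothing has leaked onto Object.prototype after the merge. */
export function prototypeIsClean(): boolean {
  return ({} as Record<string, unknown>).isAdmin === undefined;
}
```

The non-string `nested` value is dropped for the same reason the unsafe keys are: the merge only ever copies flat string entries, so there is no recursion for a crafted key to steer.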
GiteaMirror added the pull-request label 2026-04-15 22:50:09 -05:00