[PR #9172] [MERGED] chore: sync main to next #25385

Closed
opened 2026-04-15 22:51:48 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/9172
Author: @gustavovalverde
Created: 4/14/2026
Status: Merged
Merged: 4/14/2026
Merged by: @gustavovalverde

Base: next ← Head: chore/sync-main-to-next


📝 Commits (10+)

  • f320994 chore: fix typecheck command in CLAUDE.md (#9110)
  • 9fd0192 fix(ci): fix grep -c fallback producing invalid integer in release validation
  • 314e06f feat(oauth-provider): add customTokenResponseFields and harden authorization code validation (#9118)
  • 484ce6a fix(two-factor): enforce 2FA on all sign-in paths (#9122)
  • f875897 fix(two-factor): updated backup codes respect storeBackupCodes option (#7231)
  • e2e25a4 fix(oauth-provider): graceful DCR override for unauthenticated confidential clients (#9123)
  • 504ea25 chore(deps-dev): bump @sveltejs/kit from 2.53.3 to 2.57.1 (#9109)
  • a6e9b94 docs: improve enterprise contact form (#9128)
  • ed2c18d chore(deps): bump next from 16.2.2 to 16.2.3 in /docs (#9112)
  • a6f3197 docs(landing): polish sentinel section (#9142)

📊 Changes

87 files changed (+3871 additions, -1398 deletions)


.changeset/dcr-graceful-override-confidential.md (+25 -0)
.changeset/dynamic-baseurl-hardening.md (+21 -0)
.changeset/fix-2fa-bypass.md (+7 -0)
.changeset/fix-backup-codes-storage.md (+7 -0)
.changeset/fix-stripe-defu-prototype-pollution.md (+7 -0)
.changeset/honest-symbols-stick.md (+5 -0)
.changeset/lovely-toes-swim.md (+5 -0)
.changeset/oauth-provider-token-refactor.md (+9 -0)
📝 .github/workflows/release.yml (+4 -2)
📝 CLAUDE.md (+2 -2)
📝 demo/nextjs/package.json (+1 -1)
📝 demo/nextjs/pnpm-lock.yaml (+47 -47)
📝 demo/stateless/package.json (+1 -1)
📝 demo/stateless/pnpm-lock.yaml (+41 -41)
📝 docs/app/api/enterprise/contact/route.ts (+73 -58)
📝 docs/app/enterprise/enterprise-client.tsx (+182 -157)
📝 docs/app/not-found.tsx (+12 -7)
📝 docs/components/docs/mdx-components.tsx (+14 -4)
📝 docs/components/landing/hero-readme.tsx (+103 -85)
docs/components/ui/form.tsx (+165 -0)

...and 67 more files

📄 Description

Replaces #9115, which the release bot cannot auto-merge because main and next have diverged around two parallel oauth-provider features and a 2FA refactor. Merge commit here preserves main's individual commit signatures in next's history, same intent as the bot's PR.

Must be merged with "Create a merge commit" (not squash, not rebase).

Conflict resolutions

  • .github/workflows/release.yml: take main's hardened grep fallback (2>/dev/null + ${VAR:-0}), which is the cubic review follow-up from 92256a2d0.
  • docs/content/docs/plugins/sso.mdx: take main's named-exports refactor verbatim (#9144). All of next's added SAML options land in the refactored shape via the existing ssoOptionsType const.
  • packages/oauth-provider/src/token.ts: keep next's at_hash sequencing (#9079) so the id token hashes the access token, and add main's customTokenResponseFields spread plus the credential-helper rename from #9118. The two features are orthogonal; only the Promise.all region overlapped textually.
  • packages/oauth-provider/src/token.test.ts: keep both new describe blocks side-by-side (at_hash in id tokens from next, customTokenResponseFields and verificationValueSchema from main). The textual conflict was caused only by adjacent insertion.

Semantic fixes on auto-merged files

Git's three-way merge silently dropped parts of main's skipVerificationOnEnable feature where next's discriminated-response refactor touched the surrounding code. No conflict markers, but main's test suites (which shipped alongside the feature) failed on the merge. Fixes:

  • packages/better-auth/src/plugins/two-factor/index.ts: restore the skipVerificationOnEnable branch in the method=totp enablement path, and fold || !!options?.skipVerificationOnEnable into totpData.verified.
  • packages/better-auth/src/plugins/two-factor/types.ts: restore the skipVerificationOnEnable?: boolean field on TwoFactorOptions.
  • packages/better-auth/src/plugins/two-factor/two-factor.test.ts: narrow the discriminated enable response via method === "totp" before accessing backupCodes (the as! assertion stopped compiling after PR #9057).

Validation

  • pnpm typecheck clean.
  • biome check . clean on tracked files.
  • pnpm build succeeds across all 21 packages.
  • Vitest: better-auth 1758/1758, oauth-provider 306/306, sso 358/358, stripe 152/152.
  • pnpm e2e:smoke matches pristine next behavior; no regressions from this merge.

Close #9115 once this lands.


Summary by cubic

Sync main into next to bring recent v1.6.3 fixes and features: 2FA enforcement across all sign-in paths, dynamic baseURL hardening, unauthenticated DCR override to public clients, customTokenResponseFields in @better-auth/oauth-provider, and Stripe metadata pollution guard. Must be merged with “Create a merge commit” to preserve history.

  • Refactors

    • Resolved conflicts:
      • .github/workflows/release.yml: kept main’s hardened grep fallback.
      • docs/plugins/sso.mdx: took main’s named-exports refactor and updated callback paths to /sso/saml2/sp/acs to match next.
      • packages/oauth-provider/src/token.ts: kept next’s at_hash sequencing and added main’s customTokenResponseFields and credential helper rename.
      • packages/oauth-provider/src/token.test.ts: kept both new test blocks.
    • Synced the v1.6.3 release into next: kept 1.7.0-beta.0 versions and restored .changeset/* for pre-release accumulation.
  • Bug Fixes

    • Restored skipVerificationOnEnable handling and type in 2FA; enforced 2FA across all sign-in paths and fixed backup-codes re-save strategy.
    • Hardened dynamic baseURL resolution for direct auth.api.* calls; respects advanced.trustedProxyHeaders, yields clear APIErrors, and adds E2E coverage.
    • Secured @better-auth/stripe metadata merging against prototype pollution; fixed client race in useAuthQuery to prevent extra requests.
    • Relaxed OAuth authorization code validation by making state optional in verificationValueSchema (spec-aligned), fixing CI flows that omit state.

Written for commit 834841fbc9. Summary will update on new commits.
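The release.yml conflict resolution above keeps main's hardened `grep -c` fallback (`2>/dev/null` plus `${VAR:-0}`). As an added illustration (not the workflow's own code; file contents and patterns are constructed), the fragile and hardened shapes side by side, with the integer check a validation step would run afterwards:

```shell
#!/bin/sh
# Added example, not from the better-auth repository. Shows why a bare
# "grep -c || true" can yield an empty string instead of a number.

# Fragile form: when the file is missing, grep prints nothing on stdout
# (only an error on stderr), so the caller's variable ends up empty and a
# later `[ "$n" -gt 0 ]` fails with "integer expression expected".
count_fragile() {
  grep -c -- "$1" "$2" || true
}

# Hardened form (the shape taken from main): silence stderr and fall back
# to 0 whenever grep produced no number at all. A file with zero matches
# still prints "0" itself; the default only covers the no-output case.
count_hardened() {
  n=$(grep -c -- "$1" "$2" 2>/dev/null) || true
  printf '%s\n' "${n:-0}"
}

# Returns 0 only for a non-negative integer, i.e. a value that is safe to
# hand to an arithmetic test in a release validation step.
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

demo() {
  tmp=$(mktemp)
  # Constructed sample "changelog" with two fix entries.
  printf 'fix(ci): one\nfeat: two\nfix(auth): three\n' > "$tmp"
  hit=$(count_hardened '^fix' "$tmp")
  miss=$(count_hardened '^fix' /nonexistent/changelog.md)
  rm -f "$tmp"
  echo "hits=$hit missing-file=$miss"
}
```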


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-15 22:51:48 -05:00

Reference: github-starred/better-auth#25385