[PR #7656] [MERGED] v1.4.18 #33072

Closed
opened 2026-04-17 23:44:35 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/7656
Author: @himself65
Created: 1/28/2026
Status: Merged
Merged: 1/29/2026
Merged by: @himself65

Base: main ← Head: v1.4.x-staging


📝 Commits (10+)

  • 6c5ead7 fix: correctly handle OAuth callback and Apple email field (#7181)
  • 00e3bbc docs: fix @hookform/resolvers issue (#7511)
  • 5ee600f docs: add a comment (#7512)
  • eb2472d chore: update .postmortem (#7536)
  • 263e562 fix(cli): use inkeep remote mcp url (#7543)
  • d941ff3 fix(organization): filter returned: false fields from API responses (#7531)
  • 85a4e26 test: fix case attempting signin before signup (#7548)
  • 6016a5b fix(stripe): allow billing interval change for same plan (#7542)
  • c7d4914 chore(core): improve runInBackground API type (#7533)
  • ecedf13 fix(expo): prevent null cookie key when redirect URL has no cookie param (#7555)

📊 Changes

186 files changed (+9205 additions, -4816 deletions)


📝 .github/workflows/ci.yml (+6 -11)
📝 .github/workflows/e2e.yml (+9 -23)
📝 .github/workflows/preview.yml (+6 -4)
📝 .github/workflows/release.yml (+7 -0)
➕ .postmortem/client-side-import-server.md (+141 -0)
📝 docs/app/docs/[[...slug]]/page.tsx (+6 -1)
📝 docs/app/global.css (+3 -2)
➕ docs/components/back-link.tsx (+21 -0)
📝 docs/components/community-plugins-table.tsx (+10 -0)
📝 docs/components/docs/page.tsx (+1 -1)
📝 docs/components/generate-apple-jwt.tsx (+3 -2)
📝 docs/components/mdx/add-to-cursor.tsx (+2 -2)
📝 docs/components/nav-bar.tsx (+1 -0)
📝 docs/components/side-bar.tsx (+6 -1)
📝 docs/components/sidebar-content.tsx (+8 -0)
📝 docs/components/ui/aside-link.tsx (+5 -2)
📝 docs/content/blogs/1-4.mdx (+1 -1)
📝 docs/content/docs/concepts/plugins.mdx (+1 -1)
➖ docs/content/docs/errors/index.mdx (+0 -21)
📝 docs/content/docs/guides/saml-sso-with-okta.mdx (+6 -1)

...and 80 more files

📄 Description

Summary by cubic

Filters organization additionalFields marked returned: false across all API responses and aligns client-side types. Adds multi-domain SSO with provider management and IdP-initiated SAML callback support, One Tap Google button mode, optional disableImplicitLinking, a new email-otp request-password-reset endpoint, and now includes Stripe organization customer support, an anonymous delete-user endpoint, and a custom OAuth authorizationEndpoint option.

  • New Features

    • SSO: support comma-separated domains, add provider list/detail/update/delete endpoints (client paths included), and support IdP-initiated SAML callbacks.
    • One Tap: add configurable “Sign in with Google” button mode.
    • Account Linking: add disableImplicitLinking option to block implicit linking on sign-in.
    • Email OTP: add /email-otp/request-password-reset endpoint and deprecate /forget-password/email-otp.
    • Stripe/Anonymous/OAuth/Client-Core: add Stripe organization customer support; new /delete-anonymous-user endpoint; support authorizationEndpoint override; expose version in AuthContext and add useSession().refetch to all clients.
  • Bug Fixes

    • Organization: filter returned: false fields across organizations, members, invitations, and teams; update adapter, routes, client types, and tests.
    • Stripe: prevent duplicates by Stripe price ID; allow monthly→annual upgrades; correctly resolve active subscriptions; centralize internal metadata keys; add tests.
    • Cookies/Expo: centralize Set-Cookie parsing with correct Expires handling; refresh account_data cookie on session refresh; fix Expo redirect with missing cookie param; prevent duplicate focus/online notifications; avoid duplicate secondary storage writes; add tests.
    • OAuth Provider: parse metadata consistently (string/object), spread metadata in registration response, use ctx.headers in endpoints, fix Okta userinfo route, update Google/Facebook endpoints, and surface GitHub token exchange errors; add tests.
    • Core/Telemetry: fix sqlite ConnectionMutex; relax background task types to Promise<unknown>; consolidate rateLimit table schema; move telemetry endpoint to env and use noop when unset; default logger level to “warn”; log misconfiguration for memory DB when generateId is false; skip invalid sessions in list.
    • Device Authorization: enforce user ID checks and add error codes; tests.
    • Multi-Session: replace old multi-session cookie when the same user signs in again to prevent duplicates.
    • Email OTP: add stricter default rate limits for password reset endpoints.
    • Two-Factor: rotate trusted-device records on sign-in and make trustDeviceMaxAge configurable; tests.
    • Docs/CLI: move error docs to /docs/reference/errors and update links; rewrite Convex integration; replace zodResolver with standardSchemaResolver in Apple JWT tool; clarify Stripe subscription behavior; switch CLI to Inkeep remote MCP and remove local MCP package; use type-only client imports.
    • Additional: allow rejecting expired organization invites and filter pending; separate CSRF vs origin checks; clean up expired in-memory rate-limit entries; preserve cookie attributes on expiry; return Date types for expiration fields; prevent duplicate tokens in active sessions; fix Expo OAuth state with authorization proxy; set Location header on redirects; add missing Two-Factor POST client paths; improve OpenAPI ZodDefault typing; API key verification and logging fixes; respect One Tap dismiss actions; add passkey verification error logs; restore ctx.query in MCP OAuth flow; respect explicit emailVerification.sendOnSignUp.

Written for commit 3faaf5fce6. Summary will update on new commits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-17 23:44:35 -05:00
Reference: github-starred/better-auth#33072