[PR #6314] [MERGED] feat: support form data for email sign-in/sign-up and fallback to checking fetch Metadata for first login #6586

Closed
opened 2026-03-13 13:04:19 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/6314
Author: @Paola3stefania
Created: 11/25/2025
Status: Merged
Merged: 12/25/2025
Merged by: @Bekacru

Base: canary ← Head: feat/metadata-csrf-proteccion


📝 Commits (10+)

  • 3ce25fc feat: csrf protection (https://github.com/better-auth/better-auth/commit/3ce25fc3472d80c7a943f78eb761a0095db4e3eb)
  • 6835d1e Merge branch 'canary' into feat/metadata-csrf-proteccion (https://github.com/better-auth/better-auth/commit/6835d1ec2093e89bf19d4062142de9184c12b415)
  • 064cd8b fix: just for sign in and sign up email (https://github.com/better-auth/better-auth/commit/064cd8bc7c1fde85319d0a6587b4cf9681488b0e)
  • 90f294b fix validation (https://github.com/better-auth/better-auth/commit/90f294bc4fcabd4c83c0d6db740fef3e37ddc300)
  • 373612e If any cookies are present (but not Better Auth) use standard origin validation (https://github.com/better-auth/better-auth/commit/373612e2a2db9e31650e35d3f54855137d82a162)
  • c4f5fde fix: metadata check (https://github.com/better-auth/better-auth/commit/c4f5fde6c25c47a140c0c0a9ac380d96fd5e9447)
  • 994c388 fix: match browser config (https://github.com/better-auth/better-auth/commit/994c388b81e323ec6673b148a7bc6ee4d4d767a1)
  • efd4a34 Merge branch 'canary' into feat/metadata-csrf-proteccion (https://github.com/better-auth/better-auth/commit/efd4a341e4db34af6862280813f3da34224154de)
  • 340e2d1 fix: add trusted origins for tests (https://github.com/better-auth/better-auth/commit/340e2d1948b21738875e46f37102b7941fc8000e)
  • 3baf2cd Merge branch 'feat/metadata-csrf-proteccion' of https://github.com/Paola3stefania/better-auth into feat/metadata-csrf-proteccion (https://github.com/better-auth/better-auth/commit/3baf2cdcfcc213cb44747d057ac0e03994d32227)

📊 Changes

14 files changed (+826 additions, -19 deletions)

View changed files

📝 docs/content/docs/reference/security.mdx (+21 -2)
📝 e2e/integration/solid-vinxi/src/lib/auth.ts (+3 -0)
📝 e2e/integration/vanilla-node/e2e/app.ts (+5 -0)
📝 e2e/smoke/test/bun.spec.ts (+1 -0)
📝 e2e/smoke/test/deno.spec.ts (+1 -0)
📝 e2e/smoke/test/fixtures/bun-simple.ts (+3 -0)
📝 e2e/smoke/test/fixtures/deno-simple.ts (+3 -0)
📝 packages/better-auth/src/api/middlewares/origin-check.test.ts (+251 -0)
📝 packages/better-auth/src/api/middlewares/origin-check.ts (+118 -15)
📝 packages/better-auth/src/api/routes/sign-in.test.ts (+191 -0)
📝 packages/better-auth/src/api/routes/sign-in.ts (+6 -0)
📝 packages/better-auth/src/api/routes/sign-up.test.ts (+210 -1)
📝 packages/better-auth/src/api/routes/sign-up.ts (+11 -1)
📝 packages/core/src/error/codes.ts (+2 -0)

📄 Description

Summary by cubic

Add Fetch Metadata CSRF protection for first login. Blocks cross-site navigation during email sign-in/sign-up when the request has no cookies, while preserving origin checks and backward compatibility.

  • New Features

    • Use Sec-Fetch-Site/Mode/Dest to detect cross-site navigation on first login to email sign-in/sign-up and return 403 with CROSS_SITE_NAVIGATION_LOGIN_BLOCKED.
    • Allow same-origin/same-site navigation and fetch/XHR requests (mode=cors).
    • Cookies/metadata handling: with cookies, use Origin/Referer validation; without cookies and with Fetch Metadata, also validate Origin/Referer against trustedOrigins; without cookies and no Fetch Metadata, fall back to previous behavior.
    • Accept application/x-www-form-urlencoded on email sign-in/sign-up to support browser form submissions.
  • Refactors

    • Added formCsrf middleware and a stronger validateOrigin with wildcard and dynamic trustedOrigins; applied to email sign-in/sign-up routes.
    • Updated security docs and added tests covering email sign-in/sign-up flows, form submissions, and metadata scenarios.

Written for commit 108d1988cc. Summary will update automatically on new commits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-03-13 13:04:19 -05:00

Reference: github-starred/better-auth#6586