Gustavo Valverde b4bc65a007 Merge commit from fork
The `authorization_code` grant's verification step was a `findOne` + `deleteOne` pair, so two concurrent `POST /oauth2/token` requests sharing the same `code` both pass the find, both delete, and both mint independent access/refresh/id token sets: a CAS gap that lets an authorization code be redeemed twice. The legacy `oidc-provider` and `mcp` plugins in `better-auth` share the same primitive on their `authorization_code` paths and have the same gap.

All three call sites now use `internalAdapter.consumeVerificationValue` (the atomic primitive added in better-auth#9560 and renamed in better-auth#9568): the first concurrent caller receives the row and mints tokens, subsequent racers receive `null`. The consumed and expired paths return RFC 6749 §5.2 `invalid_grant` instead of the better-auth-internal `invalid_verification`, so spec-compliant clients can branch on the standard code. The redundant second `deleteVerificationByIdentifier` call after PKCE validation in the legacy paths is removed.

Closes GHSA-7w99-5wm4-3g79.

Co-authored-by: chdanielmueller <4051999+chdanielmueller@users.noreply.github.com>
2026-05-12 16:53:45 +01:00
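The race the commit message describes, as an added example that is not better-auth's own code: a toy in-memory verification table whose non-atomic `findOne` + `deleteOne` path lets two concurrent redemptions of one `code` both mint tokens, beside an atomic read-and-delete standing in for `consumeVerificationValue` that hands the row to exactly one caller. Row shape, store and function names are assumptions.

```typescript
// Added example, not better-auth code: in-memory "verification" table modelling the
// double-redemption race on the authorization_code grant. Names and row shape are assumed.
type VerificationRow = { identifier: string; value: string; expiresAt: number };
type GrantResult = { ok: true; tokenSet: string } | { ok: false; error: "invalid_grant" };
type Redeem = (store: VerificationStore, code: string) => Promise<GrantResult>;

class VerificationStore {
  private rows = new Map<string, VerificationRow>();
  insert(row: VerificationRow): void { this.rows.set(row.identifier, row); }
  // The two separate primitives the vulnerable path used; a request can be suspended between them.
  async findOne(id: string): Promise<VerificationRow | null> { return this.rows.get(id) ?? null; }
  async deleteOne(id: string): Promise<void> { this.rows.delete(id); }
  // Atomic read-and-delete, standing in for consumeVerificationValue (a real database would
  // use DELETE ... RETURNING or an equivalent): at most one caller ever receives a given row.
  async consume(id: string): Promise<VerificationRow | null> {
    const row = this.rows.get(id) ?? null;
    if (row) this.rows.delete(id);
    return row;
  }
}

// Missing (already consumed) or expired rows both map to RFC 6749 section 5.2 invalid_grant.
function isRedeemable(row: VerificationRow | null, now: number): row is VerificationRow {
  return row !== null && row.expiresAt > now;
}

async function redeemNonAtomic(store: VerificationStore, code: string): Promise<GrantResult> {
  const row = await store.findOne(code);        // both racers pass this check...
  if (!isRedeemable(row, Date.now())) return { ok: false, error: "invalid_grant" };
  await store.deleteOne(code);                   // ...before either reaches this delete
  return { ok: true, tokenSet: `tokens-for:${row.value}` }; // stands in for minting access/refresh/id tokens
}

async function redeemAtomic(store: VerificationStore, code: string): Promise<GrantResult> {
  const row = await store.consume(code);         // first racer gets the row, the rest get null
  if (!isRedeemable(row, Date.now())) return { ok: false, error: "invalid_grant" };
  return { ok: true, tokenSet: `tokens-for:${row.value}` };
}

// Fires two token requests for the same code concurrently and counts how many minted tokens.
async function raceTwoRedemptions(redeem: Redeem): Promise<number> {
  const store = new VerificationStore();
  const code = "code:constructed-example";       // constructed value, not a real authorization code
  store.insert({ identifier: code, value: "user-123", expiresAt: Date.now() + 60_000 });
  const results = await Promise.all([redeem(store, code), redeem(store, code)]);
  return results.filter((r) => r.ok).length;      // 2 with findOne+deleteOne, 1 with consume
}
```

Both requests capture the row from `findOne` before either reaches `deleteOne`, so the second delete silently removes nothing and tokens are minted twice; the atomic path performs the read and the delete as one step, so the second racer observes `null` and receives `invalid_grant`.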

Better Auth

Better Auth is a framework-agnostic authentication (and authorization) framework for TypeScript. It provides a comprehensive set of features out of the box and includes a plugin ecosystem that simplifies adding advanced functionalities with minimal code in a short amount of time. Whether you need 2FA, multi-tenant support, or other complex features, it lets you focus on building your actual application instead of reinventing the wheel.

Why Better Auth

Authentication in the TypeScript ecosystem is a half-solved problem. Other open-source libraries often require a lot of additional code for anything beyond basic authentication. Rather than just pushing third-party services as the solution, I believe we can do better as a community—hence, Better Auth.

Contribution

Better Auth is a free and open source project licensed under the MIT License. You are free to do whatever you want with it.

You could help continue its development by:

Security

If you discover a security vulnerability within Better Auth, please send an e-mail to security@better-auth.com.

All reports will be promptly addressed, and you'll be credited accordingly.
