21 KiB
@better-auth/electron
1.6.14
Patch Changes
- Updated dependencies [
2d9781a,5a2d642,13abc79,9d3450a]:- better-auth@1.6.14
- @better-auth/core@1.6.14
1.6.13
Patch Changes
- Updated dependencies [
d3919dc,5f282bd,43c08a2,43c08a2,be32012,87c1a0c,5c3e248,9c8ded6,23d7cbf]:- better-auth@1.6.13
- @better-auth/core@1.6.13
1.6.12
Patch Changes
-
#9631
dcb2e6dThanks @bytaesu! - Cookie values containing characters outside the bare cookie-octet range (such as;,", or\) are now percent-encoded into theCookieheader. They were previously dropped on re-serialization, which could break flows that store structured values in cookies. -
Updated dependencies [
9bd53e1,23dbe1a,7a12072,09a1d50,a6f144a,f77060a,dcb2e6d,c92cd74,f5fcc9d,9d91eb7,a3b0c63,1b40dac,5626e1b,ad9ad82,62dabf6,276d67f,2d73fff,c5b9f93,ac96316,0a7cb70,015f96b,43cc49c,f5e29ea,1d372bb,3f8f310,83fa369,17cd433,c01b2f1,6b44606,04303a9,7bf5449,2b7937f]:- better-auth@1.6.12
- @better-auth/core@1.6.12
1.6.11
Patch Changes
- Updated dependencies [
0cbddb8,a26333b,99a254a,ee93485,5f09d56,b4bc65a,da7e50b,a1c9f3c,23094a6,142b86c,1f2ff42,b0ef96f,699b09a,e21d744]:- @better-auth/core@1.6.11
- better-auth@1.6.11
1.6.10
Patch Changes
- Updated dependencies [
1e0f26d,8c1e917,b2d655c,09f1327,906b7b3,e9c978e,e71aad3,80a655d,15ff28a,88a7c67,9a7b51d,1b25902,cf59136,a597ee0,fc02ced,9f1ef1f,36ef808,c1336c5,3a9a2c3,fde0432,2220a6d]:- better-auth@1.6.10
- @better-auth/core@1.6.10
1.6.9
Patch Changes
- Updated dependencies [
815ecf6]:- @better-auth/core@1.6.9
- better-auth@1.6.9
1.6.8
Patch Changes
1.6.7
Patch Changes
- Updated dependencies [
307196a,4a180f0,4f373ee,e1b1cfc,d053a45]:- better-auth@1.6.7
- @better-auth/core@1.6.7
1.6.6
Patch Changes
-
#9226
e64ff72Thanks @gustavovalverde! - Consolidate host/IP classification behind@better-auth/core/utils/hostand close several loopback/SSRF bypasses that the previous per-package regex checks missed.Electron user-image proxy: SSRF bypasses closed (
@better-auth/electron).fetchUserImagepreviously gated outbound requests with a bespoke IPv4/IPv6 regex that missed multiple vectors. All of the following were reachable in production and are now blocked:http://tenant.localhost/and other*.localhostnames (RFC 6761 reserves the entire TLD for loopback).http://[::ffff:169.254.169.254]/(IPv4-mapped IPv6 to AWS IMDS, the classic SSRF bypass).http://metadata.google.internal/,http://metadata.goog/(GCP instance metadata).http://instance-data/,http://instance-data.ec2.internal/(AWS IMDS alternate FQDNs).http://100.100.100.200/(Alibaba Cloud IMDS; lives in RFC 6598 shared address space100.64/10, which the old regex did not cover).http://0.0.0.0:PORT/(the Linux/macOS kernel routes the unspecified address to loopback: Oligo's "0.0.0.0 Day").http://[fc00::...]/,http://[fd00::...]/(IPv6 ULA per RFC 4193) and IPv6 link-localfe80::/10, neither of which the regex recognized.
Documentation ranges (RFC 5737 / RFC 3849), benchmarking (
198.18/15), multicast, and broadcast are also now rejected.better-auth:0.0.0.0is no longer treated as loopback. The previousisLoopbackHostimplementation inpackages/better-auth/src/utils/url.tsclassified0.0.0.0alongside127.0.0.1/::1/localhost.0.0.0.0is the unspecified address, not loopback; treating it as such lets browser-origin requests reach localhost-bound dev services (Oligo's "0.0.0.0 Day"). The helper now accepts the full127.0.0.0/8range and any*.localhostname, and rejects0.0.0.0.better-auth: trusted-origin substring hardening.getTrustedOriginspreviously usedhost.includes("localhost") || host.includes("127.0.0.1")when deciding whether to add anhttp://variant for a dynamicbaseURL.allowedHostsentry. Misconfigurations likeevil-localhost.comor127.0.0.1.nip.iowould incorrectly gain an HTTP origin in the trust list. The check now uses the shared classifier, so only real loopback hosts get the HTTP variant.@better-auth/oauth-provider: RFC 8252 compliance.- §7.3 redirect URI matching now accepts the full
127.0.0.0/8range (not just127.0.0.1) plus[::1], with port-flexible comparison. Port-flexible matching is limited to IP literals; DNS names such aslocalhostcontinue to use exact-string matching per §8.3 ("NOT RECOMMENDED" for loopback). validateIssuerUrluses the shared loopback check rather than a two-hostname literal comparison.
New module:
@better-auth/core/utils/host. ExposesclassifyHost,isLoopbackIP,isLoopbackHost, andisPublicRoutableHost. One RFC 6890 / RFC 6761 / RFC 8252 implementation that handles IPv4, IPv6 (including bracketed literals, zone IDs, IPv4-mapped addresses, and 6to4 / NAT64 / Teredo tunnel forms with embedded-IPv4 recursion), and FQDNs, with a curated cloud-metadata FQDN set. All bespoke loopback/private/link-local checks across the monorepo now route through it. -
Updated dependencies [
b5742f9,4debfb6,9ea7eb1,a844c7d,ab4c10f,a61083e,e64ff72]:- @better-auth/core@1.6.6
- better-auth@1.6.6
1.6.5
Patch Changes
1.6.4
Patch Changes
1.6.3
Patch Changes
- Updated dependencies [
5142e9c,484ce6a,f875897,6ce30cf,f6428d0,9a6d475,513dabb,c5066fe,5f84335]:- better-auth@1.6.3
- @better-auth/core@1.6.3
1.6.2
Patch Changes
- Updated dependencies [
9deb793,2cbcb9b,b20fa42,608d8c3,8409843,e78a7b1]:- better-auth@1.6.2
- @better-auth/core@1.6.2
1.6.1
Patch Changes
1.6.0
Minor Changes
- #8836
5dd9e44Thanks @gustavovalverde! - Add optional version field to the plugin interface and expose version from all built-in plugins
Patch Changes
- Updated dependencies [
dd537cb,bd9bd58,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,5dd9e44,469eee6,560230f]:- better-auth@1.6.0
- @better-auth/core@1.6.0
1.6.0-beta.0
Minor Changes
28b1291Thanks @gustavovalverde! - Add optional version field to the plugin interface and expose version from all built-in plugins