better-auth 1.4.9

v1.4.9

on Node.js NPM

   🚀 Features

• Add ctx.isTrustedDomain helper  -  by @jonathansamines in #6462 (d09c5)
• Drizzle pg supports JSON  -  by @dvanmali in #6518 (7d5f1)
• Add Refresh Token Support to Kick OAuth Provider  -  by @CesarRodrigu in #6263 (b1102)
• Add additionalFields option in verification table schema  -  by @noctarius in #6747 (eab5b)
• Add patreon social provider  -  by @Spuffynism, benkingcode and Kinfe123 in #6245 (07cdd)
• Add a global backgroundTasks config option to defer actions like sending email and updates to run after response is sent  -  by @nexxeln and @Bekacru in #6713 (d544b)
• admin:
  • Prevent impersonating admins by default [breaking]  -  by @jslno and @Bekacru in #6454 (5fb83)
  • Add support role with permissions for user updates and enforce role change validation  -  by @Bekacru and Copilot in #6699 (a0a16)
• expo:
  • Last-login-method client plugin  -  by @jslno and @himself65 in #6413 (381f2)
• multi-session:
  • Allow to infer additional fields  -  by @jslno in #6585 (13786)
  • Allow to infer additional fields "  -  by @Bekacru in #6585 (e26fc)
• oauth-provider:
  • An oauth 2.1 compliant plugin  -  by @dvanmali in #4163 (686fb)
• oauth-proxy:
  • Add expirty timestamp for encrypted tokens  -  by @Bekacru and Copilot in #6538 (9f6b8)
• one-time-token:
  • Support setting session cookie on ott verify  -  by @Bekacru in #3659 (08e05)
• organization:
  • Allow invited users to see organization name  -  by @GautamBytes and Copilot in #6602 (a2476)
• phone-number:
  • Add password length validation for reset functionality  -  by @Bekacru in #6674 (4cdf8)
• saml:
  • Assertion timestamp validation with per-provider clock skew  -  by @Paola3stefania in #6706 (90c59)
  • Validate SAML crypto algorithms during initial phase  -  by @Paola3stefania in #6785 (b56d7)
  • Enforce one-time use of SAML assertions  -  by @Paola3stefania in #6719 (2053f)
  • Reject deprecated SAML signature and digest algorithms  -  by @Paola3stefania in #6784 (1f171)
  • Reject deprecated SAML signature and digest algorithms  -  by @Paola3stefania in #6784 (5bab6)
• sso:
  • Use domain verified flag to trust providers automatically  -  by @Paola3stefania (6f283)
  • Add InResponseTo validation  -  by @Paola3stefania in #6557 (50ffe)
  • Add OIDC discovery  -  by @Paola3stefania and @Bekacru in #6395 (57400)
  • Add URL normalization and validation to all discovery URLs  -  by @jonathansamines, Paola Estefanía de Campos, @Paola3stefania and @Bekacru in #6503 (17ff1)

   🐞 Bug Fixes

• Add helper types to exports  -  by @himself65 in #6479 (9b556)
• Avoid throwing on client side  -  by @landoncolburn and @Bekacru in #6361 (b4f45)
• Export organization plugin types  -  by @pffigueiredo in #6490 (8efd5)
• Pathname should be normalized when basePath is set to root  -  by @Bekacru (9228c)
• Prematurely deleting active sessions in secondary storage  -  by @DevDuki in #3885 (45cf4)
• Make sure non-chunked session data cookie is cleared  -  by @Bekacru (26b2b)
• Array field handling across adapters and schema generation  -  by @ping-maxwell and @Bekacru in #6601 (9d3d1)
• StoreStateStrategy default to database if provided  -  by @himself65 in #6619 (880e7)
• Should always remove 2FA verification token after successful verification  -  by @delfortrie in #6604 (13efb)
• Prevent stateless refresh with database configured  -  by @Bekacru in #6700 (a5e7c)
• Revert token masking in listSessions route  -  by @bytaesu in #6749 (f659c)
• Compatible with openapi 3.1  -  by @himself65 and Copilot in #6705 (81eec)
• Properly merge updated data in account cookie  -  by @jslno in #6758 (5d303)
• Preserve = padding in parsed cookies  -  by @Shridhad in #6789 (47884)
• Unify SSO/OAuth account linking and add domain-based org assignment to all sign-in flows  -  by @Paola3stefania in #6652 (dd8a5)
• Respect BETTER_AUTH_TRUSTED_ORIGINS env variable  -  by @Paola3stefania in #6809 (47682)
• Delete verifications with hooks  -  by @jonathansamines in #6803 (059b5)
• Respect IP headers in dev/test environments  -  by @bytaesu in #6854 (d3ebf)
• Trusted origins resolving  -  by @Bekacru in #6887 (94697)
• Update-user breaking during stateless auth  -  by @ping-maxwell in #6894 (3d8ee)
• Export necessary adapter types  -  by @himself65 in #6903 (cbd21)
• Use operator in list members where clause  -  by @Diabl0570 in #6850 (da820)
• Don't set state query param if state is not provided  -  by @paoloricciuti in #6822 (cd772)
• Correct wildcard pattern matching for trustedOrigins  -  by @bytaesu in #6904 (ae90b)
• adapter:
  • Add logger creation in adapter factory  -  by @ping-maxwell in #6597 (aed7a)
  • Allow run internal adapter outside context  -  by @himself65 in #6617 (98f51)
  • Apply customTransformInput to where clause values  -  by @erquhart, ping-maxwell and @ping-maxwell in #6914 (525f0)
• admin:
  • Clear admin session cookie on stopImpersonating  -  by @jslno in #6568 (6e614)
• api-key:
  • Check metadata is enabled for api key update endpoint  -  by @Bekacru in #6632 (b2af3)
  • Prevent id update error with MongoDB adapter  -  by @balbuzar in #6752 (c5731)
• auth:
  • Respect trustedOrigins when baseURL is inferred  -  by @Paola3stefania in #6882 (19d2b)
• cli:
  • secret generates empty  -  by @himself65 in #6504 (dd254)
  • Deduplicate drizzle schema relationships  -  by @ping-maxwell in #6547 (5ce4d)
  • Cmd info --json unexpected exit with 1  -  by @himself65 in #6949 (54712)
  • Cmd info --json unexpected exit with 1  -  by @himself65 in #6949 (bc8ac)
• client:
  • Set session data on refreshManager  -  by @himself65 and Copilot in #6932 (93216)
• cognito:
  • Use %20 encoding for scopes instead of +  -  by @nathannewyen in #6929 (840d0)
• core:
  • Allow returning null in getUserInfo in provider options  -  by @Zollerboy1 in #6528 (088db)
• db:
  • Correctly unwrap validator result in schema parsing  -  by @GautamBytes in #6488 (99d3e)
• deps:
  • Update dependency next to v16.0.7 [security]  -  in #6501 (4ec31)
  • Update dependency @react-email/components to v1  -  in #6600 (67ab6)
• expo:
  • Add missing matcher paths  -  by @bytaesu in #6939 (ec38c)
• generic-oauth:
  • Ensure encryptOAuthTokens is respected in account linking flow  -  by @DevanAbinaya in #6874 (fbafa)
• kysely:
  • Wrong affected row count in updateMany & deleteMany  -  by @jslno in #6572 (56abd)
• line:
  • Enforce nonce  -  by @Bekacru in #6631 (12a97)
• magic-link:
  • Handle query params in errorCallbackUrl  -  by @martinriviere in #6383 (a3086)
• oidc:
  • Compatibility with exact-optional-property  -  by @ping-maxwell in #6502 (2fc58)
• openapi:
  • Mark /get-session response as nullable  -  by @GautamBytes in #6540 (6066f)
• organization:
  • Validate role existence in inviteMember endpoint  -  by @GautamBytes and Gautam Manchandani in #6774 (c0c94)
  • Allow internal organization creation when disabled for client  -  by @GautamBytes and Gautam Manchandani in #6857 (4b092)
• passkey:
  • Use deleteVerificationByIdentifier instead of deleteVerificationValue  -  by @bytaesu in #6821 (8c1f7)
• prisma:
  • Use findFirst instead of findMany for findOne  -  by @Bekacru in #6429 (e8a55)
• prisma-adapter:
  • Extract id to root level for delete operations  -  by @ping-maxwell in #6425 (c3eda)
• saml:
  • Enforce trusted provider check  -  by @Paola3stefania in #6551 (69db1)
  • Remove signature validation bypass  -  by @Paola3stefania in #6682 (dce3c)
• sso:
  • Safely parse provider configs on registration  -  by @Paola3stefania and @Bekacru in #6550 (e8cc7)
  • Deprecate trustEmailVerified  -  by @Paola3stefania in #6616 (c5662)
  • Enforce domain verification in assignOrganizationByDomain  -  by @Paola3stefania in #6868 (fc78c)
• stripe:
  • Update subscriptionId to use Stripe id  -  by @bytaesu in #6920 (1c9a0)
• username:
  • Await username validator  -  by @jslno in #6611 (f45d5)

   🏎 Performance

• Add index on organizations slug field  -  by @matteobad and matteobadini in #6303 (a9c98)

    View changes on GitHub