🚨 Breaking Changes
- oauth-provider: Keep auth_time across id_token refresh - by @grant0417 in #8134 (c41d1)
🚀 Features
- Add built-in support for D1Database - by @bytaesu in #7519 (37608)
- Support non-destructive key rotation for BETTER_AUTH_SECRET - by @jzila in #7738 (07b83)
- blog:
- cli:
- Add `upgrade` command to update better-auth packages - by @himself65 in #8204 (00b54)
- Generate schema from adapter CLI flag - by @ping-maxwell and Bereket Engida in #7316 (3485e)
- client:
- Add fallback support for VERCEL_URL and NEXTAUTH_URL - by @GautamBytes in #6421 (d727c)
- email-otp:
- Add change email flow with OTP - by @cdy-peters in #7968 (4eec4)
- layout:
🐞 Bug Fixes
- Persist refreshed idToken in getAccessToken - by @GautamBytes in #8211 (d3f3e)
- Prevent email enumeration on /change-email, add customSyntheticUser - by @nphlp in #8097 (c9f6e)
- UpdateAge should extend session_token cookie on stateless mode - by @himself65 in #7995 (af9e0)
- Preserve refresh token when provider omits it on refresh - by @async3619 and Bereket Engida in #8001 (81d83)
- Session listing endpoints returning empty arrays when >100 inactive sessions exist - by @ping-maxwell in #7166 (e2e56)
- Update sign-in link to use absolute URL for better accessibility - by @Bekacru (9619e)
- Revert npm downloads label to "/ year" to match API data - by @bytaesu (e61fd)
- bearer:
- ci:
- Increase test timeout for sso, api-key, oauth-provider and add CI job timeout - by @himself65 in #8210 (2bd46)
- client:
- Use direct imports to fix bundler re-export type resolution - by @himself65 in #8261 (ed7d6)
- core:
- Avoid throwing on required session fields when collecting defaults - by @AlexStrNik in #8146 (f3c33)
- Revive date strings in safeJSONParse for pre-parsed objects - by @himself65 in #8248 (0db2d)
- db:
- Support verification operations with secondary storage - by @himself65 in #8247 (d3418)
- docs:
- drizzle-adapter:
- expo:
- Support Expo SDK 55 new versioning scheme - by @himself65 in #8213 (3b502)
- Use default scheme for callbackURL and document native navigation - by @bytaesu in #7867 (8c94b)
- Skip cookie/expo-origin headers for ID token requests - by @kimchi-developer and Bereket Engida in #7069 (fefbd)
- Avoid shim `require` - by @himself65 in #8253 (35412)
- generic-oauth:
- Use discovery userinfo endpoint instead of hardcoded URLs - by @himself65 in #8223 (feb83)
- kysely:
- Edge case aliased joined table names - by @ping-maxwell and @Bekacru in #7171 (55100)
- last-login-method:
- Tracks magic-link auth by default - by @simonfelding and @himself65 in #8135 (2f468)
- Correctly handle multiple Set-Cookie headers - by @dngpng in #7133 (a63d3)
- next-cookies:
- Leaks unnecessary cookie - by @ping-maxwell in #8193 (7ccf9)
- oauth-proxy:
- Add generic OAuth support to proxy - by @Diabl0570 and @cursoragent in #8082 (0deaa)
- Add generic OAuth support to proxy " - by @Bekacru in #8082 (33094)
- organization:
- Merge DB permissions with built-in roles in dynamic access control - by @bytaesu and @ping-maxwell in #7863 (ad1ec)
- Update path matching for active member signals - by @LovelessCodes and Bereket Engida in #7732 (3fc0d)
- sso:
- stripe:
- Increase test timeout to fix CI flaky failures - by @himself65 in #8209 (0a1ef)