better-auth 1.6.0

v1.6.0

on Node.js NPM

Install: npm i better-auth@latest

Core

• BREAKING: align fresh age with session creation time (#8762) by @bytaesu
• compare account cookie by provider accountId instead of internal id (#8786) by @bytaesu
• don't mark redirect APIErrors as span errors (#8850) by @GoPro16
• enforce authorization on SCIM management endpoints and normalize passkey ownership (#8843) by @gustavovalverde
• expose plugin version (#8750) by @jonathansamines
• normalize missing resolver path (#8589) by @mrgrauel
• prevent any from collapsing base type and client inference (#8981) by @bytaesu
• set stateless cookieCache maxAge to match session expiresIn (#8648) by @himself65
• turbo caching, enforce lockfile integrity, expand pre-commit hooks (#8892) by @gustavovalverde
• use non-blocking scrypt from @better-auth/utils (#8685) by @bytaesu

Database

• add case insensitive queries support (#8556) by @jonathansamines
• drizzle-adapter failing date transformation (#8289) by @ping-maxwell
• generate session id when using secondary storage without database (#8927) by @bytaesu
• remove deprecated numUpdatedOrDeletedRows from D1 dialect (#8798) by @bytaesu
• use IS NULL / IS NOT NULL for null value comparisons (#8660) by @olliethedev

OAuth

• add dedicated secret option to reduce shared key exposure surface (#8699) by @bytaesu
• opt into FedCM to suppress Google GSI deprecation warnings (#8720) by @himself65
• prevent double-hashing of state when storeIdentifier is hashed (#8980) by @bytaesu
• read callback params from body for form_post (#8895) by @bytaesu

Credentials

• add pre-auth registration and extensions (#7154) by @gustavovalverde
• dont set other username prop in updateUser (#7570) by @ping-maxwell
• enforce username uniqueness in updateUser (#8731) by @aarmful
• rethrow phone sendOTP failures (#8842) by @GautamBytes
• return additional fields in /magic-link/verify (#7223) by @himself65
• trigger sessionSignal on req-email-change (#8816) by @ping-maxwell
• use message (#8751) by @okisdev

Identity

• enforce DB-backed sessions with secondary storage (#8894) by @GautamBytes
• handle dynamic baseURL config in init (#8649) by @himself65
• let customIdTokenClaims override acr and auth_time (#8633) by @gustavovalverde
• normalize auth_time timestamps (#8761) by @gustavovalverde
• provisionUser inconsistency and option to run on every login (#8818) by @formatlos
• return JSON redirects from post-login OAuth continuation (#8815) by @gustavovalverde
• scope loss on PAR, loopback redirect matching, DCR skip_consent (#8632) by @gustavovalverde

Organization

• resolve duplicate operationId in admin plugin endpoints (#8570) by @Sigmabrogz

Security

• add enable option (#8728) by @aarmful
• allow passwordless 2FA management (#7243) by @gustavovalverde
• misleading rate limit IP warning (#8617) by @GautamBytes

Enterprise

• BREAKING: enable InResponseTo validation by default for SAML flows (#8736) by @bytaesu
• Add logging for when code validation fails in oidc callback (#8693) by @OscarCornish
• patch Dependabot security issues (#8838) by @gustavovalverde
• skip state cookie check for SAML ACS cross-site POST (#8735) by @bytaesu

Payments

• return correct priceId for annual subscriptions in list (#8810) by @bytaesu

Devtools

• migrate MCP server URL to mcp.better-auth.com (#8747) by @bytaesu
• remove using keyword (#8756) by @ping-maxwell
• treat omitted required as true in Drizzle and Prisma generators (#8614) by @bytaesu

Full changelog: v1.5.6...v1.6.0