npm better-auth 1.6.12
v1.6.12

better-auth

Bug Fixes

  • Fixed field index ordering in getMigration migrations. (#9691)
  • Fixed synthetic user construction to exclude extra fields. (#9347)
  • Fixed session cookie refresh headers not being forwarded when resolving sessions. (#9667)
  • Fixed changeEmail to return an error when emailVerification.sendVerificationEmail is missing, and URL-encoded callbackURL in verify-email links. (#9614)
  • Fixed callbackURL URL-encoding in verify-email links for OAuth account linking and username sign-in. (#9792)
  • Fixed role.authorize to reject empty action lists and correctly evaluate OR conditions on unknown resources. (#9603)
  • Fixed missing exports of AdminClientOptions and OrganizationClientOptions. (#9642)
  • Fixed email OTP sign-in failing with captcha errors under default captcha settings. (#9596)
  • Fixed parseJSON to properly decode escape sequences in quoted strings. (#9617)
  • Fixed cookie parsing to tolerate missing spaces after ; separators, preventing users behind certain proxies from being treated as logged-out. (#9543)
  • Fixed getTrustedOrigins to respect the dynamic baseURL protocol option. (#9644)
  • Fixed request mutation by cloning the request before passing it to the sendVerificationEmail callback. (#9619)
  • Added accessTokenExpiresIn config option to genericOAuth for providers that omit expires_in in their token response. (#9799)
  • Fixed oauth-proxy to forward specific error codes instead of collapsing all errors into user_creation_failed. (#9723)
  • Fixed oauth-proxy flows failing with state_mismatch when production and preview environments use different secrets. (#9385)
  • Fixed OAuth callback errors to forward specific error codes (state_not_found, state_invalid, state_mismatch) instead of the generic please_restart_the_process code. (#9788)
  • Fixed OAuth state validation failures to redirect to the per-flow errorCallbackURL instead of the default error page. (#9789)
  • Fixed OpenAPI schema generation to emit unique operationIds for endpoints that expose multiple HTTP methods. (#9721)
  • Fixed organization invitations silently routing users to the wrong team when team IDs contained a comma. (#9616)
  • Fixed deleteOrganization and removeMember to roll back on failure instead of leaving orphaned rows. (#9630)
  • Fixed stateless session cache refresh to preserve the real session expiry instead of resetting it. (#8817)
  • Fixed a session cookie leak that allowed session_token and session_data cookies to be captured and replayed to bypass 2FA when cookie caching is enabled. (#9639)
  • Fixed missing username validation on the admin createUser endpoint. (#9464)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed expired magic-link tokens and OAuth authorization codes to be reliably rejected, and corrected their error codes. (#9624)
  • Fixed the registration_endpoint to be hidden from .well-known metadata unless dynamic client registration is enabled. (#9448)
  • Fixed Basic Auth credential parsing to accept client_secret values containing colons. (#9601)
  • Fixed the consent update endpoint to return NOT_FOUND when the referenced client no longer exists. (#9600)
  • Fixed OAuth and OIDC metadata discovery for path-prefixed issuers. (#9668)

For detailed changes, see CHANGELOG

@better-auth/core

Features

  • Added toCamelCase, toSnakeCase, toPascalCase, and toKebabCase utilities to @better-auth/core/utils/string. (#9727)

Bug Fixes

  • Fixed Sign in with Apple to accept hashed nonces for native iOS sign-in. (#8870)
  • Fixed verifyAccessToken to return proper unauthorized errors for invalid token verification failures. (#9655)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed hook rejections in SSO OIDC and SAML callbacks to redirect to errorCallbackURL instead of returning a JSON error. (#9702)
  • Updated XML parser dependency to a patched release to resolve security alerts. (#9662)
  • Fixed SSO OIDC callback to URL-encode error values in redirect query strings. (#9722)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed the Drizzle adapter dropping OR clauses when mixed with AND conditions in where queries. (#9756)
  • Fixed MySQL insert-return handling with a robust cascading fallback strategy wrapped in a transaction. (#9665)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed a crash when a passkey's transports field is undefined. (#9746)
  • Fixed passkey challenges to be consumed atomically, preventing replay attacks, and improved error status codes for failed registrations and authentications. (#9622)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed TypeScript TS4023 declaration emit errors by adding better-call as a peer dependency. (#9759)

For detailed changes, see CHANGELOG

@better-auth/electron

Bug Fixes

  • Fixed cookie serialization to percent-encode values containing special characters like ;, ", or \. (#9631)
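The two cookie fixes in this release, the Cookie-header parser that must tolerate a missing space after ";" (better-auth, #9543) and the serializer that percent-encodes reserved characters (electron, #9631), illustrated as an added TypeScript example; this is not better-auth's own code, and the cookie names, the sessionTokenFrom helper and the constructed proxied header are assumptions.

```typescript
// Added example, not better-auth's own code. Cookie names follow the release
// notes ("session_token", "session_data"); any prefix the library adds is ignored.

// Serialize for Set-Cookie. Percent-encoding the value keeps ";", '"', "\"
// and spaces out of the wire form, so they cannot break a later parse.
function serializeCookie(name: string, value: string, attrs: string[] = []): string {
  return [`${name}=${encodeURIComponent(value)}`, ...attrs].join("; ");
}

// A parser that splits on "; " (separator plus space) treats "a=1;b=2" as one
// cookie "a" whose value is "1;b=2". Some proxies rejoin cookies in exactly that
// form, so the session cookie is never found and the user looks logged out.
function naiveParseCookieHeader(header: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const pair of header.split("; ")) {
    const eq = pair.indexOf("=");
    if (eq > 0) out.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return out;
}

function safeDecode(v: string): string {
  try { return decodeURIComponent(v); } catch { return v; } // keep malformed %-sequences verbatim
}

// Tolerant parser: split on ";" alone and trim each pair, so both
// "a=1;b=2" and "a=1; b=2" yield two cookies.
function parseCookieHeader(header: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const pair of header.split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;                            // not a name=value pair
    const name = pair.slice(0, eq).trim();
    let value = pair.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);                    // RFC 6265 permits DQUOTE-wrapped values
    }
    if (name && !out.has(name)) out.set(name, safeDecode(value)); // first occurrence wins
  }
  return out;
}

// Session resolution must not depend on how an upstream proxy rejoined cookies.
function sessionTokenFrom(header: string): string | undefined {
  return parseCookieHeader(header).get("session_token");
}

const proxied = "session_token=tok%3B1;session_data=d1";          // constructed: no space after ";"
console.log(naiveParseCookieHeader(proxied).get("session_token")); // "tok%3B1;session_data=d1"
console.log(sessionTokenFrom(proxied));                            // "tok;1"
```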

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

  • Fixed SQLite introspectors (BunSqliteDialect, NodeSqliteDialect) incorrectly reporting tables as views. (#9615)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Improved URL normalization and Stripe search query escaping to handle edge cases correctly. (#9661)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @chdanielmueller, @cyphercodes, @gustavovalverde, @jsj, @kgarg2468, @Paola3stefania, @ping-maxwell, @reslear

Full changelog: v1.6.11...v1.6.12