npm better-auth 1.6.18
v1.6.18

6 hours ago

better-auth

Bug Fixes

  • Fixed getCookieCache to return null for expired sessions instead of treating stale signed cookies as live sessions.
  • Fixed the delete-account confirmation link to prevent duplicate account deletions from concurrent callback requests.
  • Fixed one-time tokens being redeemable more than once under concurrent requests.
  • Fixed password reset tokens being usable to change a password more than once under concurrent requests.
  • Fixed Reddit sign-in to assign a non-routable placeholder address (<id>@reddit.invalid) to users with no email, preventing accidental matches with real mailboxes.
  • Fixed Sign-In with Ethereum nonces being accepted more than once under concurrent sign-in requests.
  • Added internalAdapter.reserveVerificationValue to atomically record single-use markers, ensuring only one concurrent caller succeeds for replay-protected operations.
  • Added the incrementOne adapter method and SecondaryStorage.increment for atomic counter updates, enabling strict rate-limit and usage-counter enforcement under concurrent load.
  • Fixed expired two-factor challenges being able to complete login, and prevented duplicate session creation from concurrent verifications.
  • Fixed captcha verification to time out after 10 seconds, preventing slow or unreachable captcha providers from hanging requests indefinitely.
  • Fixed /delete-user/callback to reject account deletion when the session has been revoked server-side (cookie-only session deployments are unaffected).
  • Fixed rate limiting to prevent concurrent requests from slipping past configured limits, with a new optional consume method for custom storage backends to opt into strict enforcement.
  • Fixed team deletion to preserve pending invitations by removing only the deleted team's reference rather than invalidating the invitations entirely.
  • Fixed expected authentication validation failures to log as warnings instead of errors.
  • Fixed MCP bearer token validation to reject expired access tokens and require the offline_access scope for refresh token usage.
  • Fixed plugin API inference in composite monorepo setups where the core package resolved through multiple paths (#9583)
  • Fixed OpenAPI generation to accurately serialize Zod request schemas, including optional, nullable, intersected, and record-shaped types (#9315)
  • Fixed a memory leak where the JWKS cache could grow on every access token verification.
  • Fixed Google One Tap to require a configured client ID (set via the oneTap plugin or socialProviders.google) and reject tokens issued for other applications.
  • Fixed device-authorization token polling to prevent the same approved device code from being redeemed multiple times under concurrent polls.
  • Fixed account cookie preservation when switching users in the same browser session.
  • Fixed email OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
  • Fixed phone-number OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
  • Fixed two-factor OTP sign-in to prevent concurrent requests from signing in multiple times or exceeding the attempt limit.
  • Fixed the Have I Been Pwned plugin to check breached passwords on additional endpoints, including email-OTP and phone-number reset-password routes and admin password-setting routes.
  • Fixed the multi-session set-active and revoke endpoints to only act on sessions the caller holds a signed cookie for, preventing unauthorized session manipulation.
  • Fixed the OIDC /oauth2/endsession endpoint to reject cross-site logout requests that carry only a session cookie without a valid id_token_hint.
  • Fixed WeChat sign-in to work without an email address by assigning a stable placeholder email, with mapProfileToUser available to supply a real one.
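
Most of the concurrency items above (one-time tokens, password reset tokens, SIWE nonces, email/phone/two-factor OTP sign-in, device codes, the new reserveVerificationValue marker) are the same bug: a read, a check and a write issued as separate database round-trips, so every request whose read lands before the first write sees an unused token. The example below is added here and is not better-auth code; it reproduces the race in TypeScript against an in-memory store and shows the fix, a single atomic reserve step (what a conditional UPDATE ... WHERE consumed = false checked for one affected row, or Redis SET NX, gives you) so that exactly one of N concurrent callers proceeds. TokenStore, redeemRacy, redeemAtomic and the token tok_123 are constructed for illustration and are not better-auth APIs.

```typescript
// Added example, not better-auth code: a check-then-mark redemption races
// under concurrency; an atomic reserve step does not.

interface OneTimeRow {
  value: string;      // the secret the caller presents (reset token, OTP, nonce...)
  expiresAt: number;  // epoch milliseconds
  consumed: boolean;
}

// In-memory stand-in for the database. Methods are async to mimic round-trips.
// The important property is that reserve() reads and writes inside ONE store
// operation, like `UPDATE ... SET consumed = true WHERE value = ? AND
// consumed = false` checked for exactly one affected row, or Redis SET NX.
class TokenStore {
  private rows = new Map<string, OneTimeRow>();

  async insert(row: OneTimeRow): Promise<void> {
    this.rows.set(row.value, { ...row });
  }

  async get(value: string): Promise<OneTimeRow | undefined> {
    const row = this.rows.get(value);
    return row ? { ...row } : undefined;   // a snapshot, like a SELECT result
  }

  async markConsumed(value: string): Promise<void> {
    const row = this.rows.get(value);
    if (row) row.consumed = true;
  }

  // Atomic compare-and-set: only the first caller flips consumed to true,
  // and an expired row can never be reserved.
  async reserve(value: string): Promise<boolean> {
    const row = this.rows.get(value);
    if (!row || row.consumed || row.expiresAt <= Date.now()) return false;
    row.consumed = true;
    return true;
  }
}

// Vulnerable: SELECT, check, then UPDATE as separate round-trips. Every
// request whose SELECT ran before the first UPDATE sees an unused token.
async function redeemRacy(store: TokenStore, value: string): Promise<boolean> {
  const row = await store.get(value);
  if (!row || row.consumed || row.expiresAt <= Date.now()) return false;
  await store.markConsumed(value);
  return true;   // caller now resets the password / issues a session
}

// Fixed: reserve first; only the winner continues to the side effect.
async function redeemAtomic(store: TokenStore, value: string): Promise<boolean> {
  if (!(await store.reserve(value))) return false;
  return true;   // same side effect, now guaranteed to run once
}

// Fire `attempts` redemptions of one token concurrently and count successes.
async function countSuccesses(
  redeem: (store: TokenStore, value: string) => Promise<boolean>,
  attempts: number,
  expired = false,
): Promise<number> {
  const store = new TokenStore();
  const token = "tok_123";   // constructed sample token
  await store.insert({
    value: token,
    expiresAt: Date.now() + (expired ? -60000 : 60000),
    consumed: false,
  });
  const results = await Promise.all(
    Array.from({ length: attempts }, () => redeem(store, token)),
  );
  return results.filter(Boolean).length;
}

async function main(): Promise<void> {
  console.log("racy:    ", await countSuccesses(redeemRacy, 5), "of 5 succeeded");
  console.log("atomic:  ", await countSuccesses(redeemAtomic, 5), "of 5 succeeded");
  console.log("expired: ", await countSuccesses(redeemAtomic, 5, true), "of 5 succeeded");
}
main();
```

Run it with any TypeScript runner: the racy variant reports all five redemptions succeeding, the atomic one exactly one, and an expired token none. The same shape applies to a real database: the reserve must be one statement whose result tells you whether you won, never a SELECT followed by an UPDATE.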

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

  • Fixed SAML assertion replay protection to hold under concurrent requests, preventing a duplicate submission from being accepted more than once.
  • Fixed organization admins and owners to verify domain ownership for SSO providers their organization owns, not just the member who originally registered the provider.
  • Fixed trustEmailVerified to treat only a boolean true or the string "true" as a verified email, rejecting the string "false" as unverified.

For detailed changes, see CHANGELOG

@better-auth/memory-adapter

Bug Fixes

  • Fixed the memory adapter to not discard concurrent writes when a transaction fails, and made update and delete no-ops on empty filters instead of modifying every row.
  • Fixed counter updates on the memory, Kysely, Drizzle, Prisma, and MongoDB adapters to be atomic on the default configuration, preventing race conditions in rate limiting and API-key usage limits.

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

  • Fixed signed OAuth redirect parameters to be canonicalized by key and value, preventing CDN or proxy reordering from breaking signature verification (#9941)
  • Fixed token introspection and revocation endpoints to cache signing keys per auth instance rather than fetching them from the database on every request.
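
The first item above is worth seeing in code: if the signature is computed over the raw query string, any intermediary that re-serializes the query (CDN, reverse proxy, some client libraries) breaks verification, and the usual "fix" of loosening the check is worse than the bug. The example below is added here and is not @better-auth/oauth-provider code; it signs over a canonical form (pairs sorted by key, then by value, minus the signature itself) so that reordering verifies and tampering does not. SIG_PARAM, the function names, the secret and the sample request are illustrative.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Added example, not @better-auth/oauth-provider code: sign redirect
// parameters over a canonical form so that a proxy or CDN reordering the
// query string does not invalidate the signature.

const SIG_PARAM = "sig";   // illustrative parameter name

function collectPairs(query: string): [string, string][] {
  const pairs: [string, string][] = [];
  new URLSearchParams(query).forEach((value, key) => pairs.push([key, value]));
  return pairs;
}

// Canonical form: every (key, value) pair except the signature, sorted by
// key and then by value, percent-encoded, joined with "&". Sorting by value
// as well makes repeated keys (scope=a&scope=b) order-independent too.
function canonicalize(query: string): string {
  const pairs = collectPairs(query).filter(([key]) => key !== SIG_PARAM);
  pairs.sort(([ka, va], [kb, vb]) =>
    ka !== kb ? (ka < kb ? -1 : 1) : va === vb ? 0 : va < vb ? -1 : 1,
  );
  return pairs
    .map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
    .join("&");
}

function hmac(canonical: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(canonical).digest();
}

// Append the signature; the original parameter order is left untouched.
function signQuery(query: string, secret: string): string {
  const params = new URLSearchParams(query);
  params.set(SIG_PARAM, hmac(canonicalize(query), secret).toString("base64url"));
  return params.toString();
}

// Recompute over the canonical form, so the order on the wire is irrelevant.
function verifyQuery(query: string, secret: string): boolean {
  const presented = new URLSearchParams(query).get(SIG_PARAM);
  if (presented === null) return false;
  const got = Buffer.from(presented, "base64url");
  const want = hmac(canonicalize(query), secret);
  // timingSafeEqual throws on a length mismatch, so reject that case up front.
  return got.length === want.length && timingSafeEqual(got, want);
}

// What an intermediary might do: emit the same pairs in a different order.
function reorderQuery(query: string): string {
  return new URLSearchParams(collectPairs(query).reverse()).toString();
}

// Demo with a constructed authorization request and a constructed secret.
const SECRET = "example-signing-secret";
const request =
  "client_id=abc&redirect_uri=https://app.example/cb&state=xyz&scope=openid&scope=email";
const signed = signQuery(request, SECRET);
console.log("original order verifies:   ", verifyQuery(signed, SECRET));
console.log("proxy-reordered verifies:  ", verifyQuery(reorderQuery(signed), SECRET));
console.log("tampered redirect_uri ok?: ",
  verifyQuery(signed.replace("app.example", "evil.example"), SECRET));
```

The canonical string is only an input to the MAC; what goes on the wire is the original query plus the signature, so nothing downstream has to know the canonicalization rules except the verifier.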

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

  • Fixed organization-scoped SCIM deletes to remove user membership through the organization adapter, so team memberships and member-removal hooks are applied correctly.
  • Fixed SCIM bearer token comparison to use constant-time comparison during request authentication, closing a timing side channel across all storage modes.
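
The bearer-token fix above is a pattern worth getting exactly right, because the obvious replacement for === has its own trap: Node's timingSafeEqual throws when its inputs differ in length, which both leaks the expected length and turns a bad guess into a 500. The example below is added here and is not @better-auth/scim code; it hashes both sides to a fixed-length digest before the constant-time compare, so a wrong-length guess takes the same code path as a right-length one. Function names and the sample token are illustrative.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example, not @better-auth/scim code: compare a presented bearer token
// with the expected one without leaking, through response time, how many
// leading bytes matched or how long the expected token is.

// Vulnerable: === returns as soon as the first byte differs, so an attacker
// who can measure response time can recover the token one byte at a time.
function compareNaive(presented: string, expected: string): boolean {
  return presented === expected;
}

// Fixed: hash both sides to a fixed 32-byte digest, then compare in constant
// time. Hashing first means timingSafeEqual (which throws on unequal lengths)
// always receives equal-length inputs, and a wrong-length guess costs exactly
// the same as a right-length one.
function compareConstantTime(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented, "utf8").digest();
  const b = createHash("sha256").update(expected, "utf8").digest();
  return timingSafeEqual(a, b);
}

// Parse `Authorization: Bearer <token>` and authenticate the request.
function authenticateBearer(authorization: string | undefined, expectedToken: string): boolean {
  if (!authorization) return false;
  const match = /^Bearer\s+(\S+)$/i.exec(authorization.trim());
  if (!match) return false;
  return compareConstantTime(match[1], expectedToken);
}

const EXPECTED = "scim_3f9c1a7b";   // constructed sample token
console.log(authenticateBearer("Bearer scim_3f9c1a7b", EXPECTED));   // true
console.log(authenticateBearer("Bearer scim_3f9c1a7c", EXPECTED));   // false
console.log(authenticateBearer("Basic scim_3f9c1a7b", EXPECTED));    // false
console.log(compareNaive("short", EXPECTED));                        // false, but not in constant time
```

If the stored value is already a hash of the token (as it should be at rest), hash only the presented side with the same function and compare the two digests the same way.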

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Fixed concurrent API key verification to prevent the remaining-uses count from going below zero or the rate limit from being exceeded.

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed updateMany to return the number of rows it affected, as the adapter contract specifies.

For detailed changes, see CHANGELOG

@better-auth/electron

Bug Fixes

  • Fixed Electron authorization codes being exchangeable for a session more than once under concurrent exchange attempts.

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

  • Fixed SQLite mutations through the Bun and Node drivers to correctly report affected row counts and inserted row IDs, fixed multi-parameter binding on the Bun driver, and fixed consumeOne compatibility with SQL Server.

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed passkey challenge validation to reject cross-purpose challenges, preventing an authentication challenge from being used to complete registration and vice versa.

For detailed changes, see CHANGELOG

@better-auth/prisma-adapter

Bug Fixes

  • Fixed the Prisma adapter's delete operation to surface errors instead of silently reporting success when the failure is not a missing-record error.

For detailed changes, see CHANGELOG

@better-auth/redis-storage

Bug Fixes

  • Fixed Redis-backed rate-limit windows to set expiry only when the window first opens, preventing continued traffic from extending the window, and added an atomic increment method for strict enforcement.
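
The two halves of the item above (expiry set only when the window opens, and an atomic increment) are the whole of a correct fixed-window limiter on Redis, and the failure mode of the old behaviour is easy to miss in testing: if every hit refreshes the TTL, a client that keeps retrying keeps its own window, and its own block, open forever. The example below is added here and is not @better-auth/redis-storage code; it models INCR and PEXPIRE (with the Redis 7 NX option) in a tiny in-memory stand-in with a fake clock, runs the buggy and the fixed limiter against the same traffic, and shows that only the fixed one ever lets the client back in. FakeRedis, the limiter functions, the clock and the key are constructed for illustration.

```typescript
// Added example, not @better-auth/redis-storage code: a fixed-window rate
// limiter on Redis-style INCR / PEXPIRE, showing why the TTL must be set only
// when the window opens.

interface Entry { value: number; expiresAt: number | null }

// Minimal in-memory stand-in for the two Redis commands the limiter needs.
class FakeRedis {
  private data = new Map<string, Entry>();
  private clock: () => number;
  constructor(clock: () => number) { this.clock = clock; }

  private live(key: string): Entry | undefined {
    const entry = this.data.get(key);
    if (!entry) return undefined;
    if (entry.expiresAt !== null && entry.expiresAt <= this.clock()) {
      this.data.delete(key);   // lazy expiry, as Redis does
      return undefined;
    }
    return entry;
  }

  // INCR: atomic create-or-increment. Every concurrent caller receives a
  // distinct value, so `n <= limit` can hold for at most `limit` of them;
  // a GET-then-SET counter would hand several callers the same number.
  incr(key: string): number {
    const entry = this.live(key);
    if (!entry) { this.data.set(key, { value: 1, expiresAt: null }); return 1; }
    return ++entry.value;
  }

  // PEXPIRE key ms [NX]: with NX, only sets a TTL if the key has none yet.
  pexpire(key: string, ms: number, opts: { nx?: boolean } = {}): boolean {
    const entry = this.live(key);
    if (!entry) return false;
    if (opts.nx && entry.expiresAt !== null) return false;
    entry.expiresAt = this.clock() + ms;
    return true;
  }
}

interface Limiter { consume(key: string): boolean }

// Buggy: refreshes the TTL on every hit. A client that keeps retrying keeps
// the window open, so the counter never resets and the block never lifts.
function refreshingLimiter(redis: FakeRedis, limit: number, windowMs: number): Limiter {
  return {
    consume(key) {
      const n = redis.incr(key);
      redis.pexpire(key, windowMs);
      return n <= limit;
    },
  };
}

// Fixed: the TTL is set once, when the window opens. PEXPIRE ... NX is
// idempotent, so calling it on every hit is safe and even repairs a key whose
// opener crashed between INCR and PEXPIRE. On Redis < 7 (no NX) guard the
// call with `if (n === 1)` instead.
function fixedWindowLimiter(redis: FakeRedis, limit: number, windowMs: number): Limiter {
  return {
    consume(key) {
      const n = redis.incr(key);
      redis.pexpire(key, windowMs, { nx: true });
      return n <= limit;
    },
  };
}

// One request every `stepMs` for `steps` steps; returns allow/deny per step.
function simulate(build: (r: FakeRedis) => Limiter, steps: number, stepMs: number): boolean[] {
  let now = 0;
  const redis = new FakeRedis(() => now);
  const limiter = build(redis);
  const outcome: boolean[] = [];
  for (let i = 0; i < steps; i++) {
    now = i * stepMs;
    outcome.push(limiter.consume("rl:login:203.0.113.7"));   // constructed key
  }
  return outcome;
}

// 5 requests per 1000 ms window, client retrying every 100 ms for 2.5 s.
const buggy = simulate((r) => refreshingLimiter(r, 5, 1000), 25, 100);
const fixed = simulate((r) => fixedWindowLimiter(r, 5, 1000), 25, 100);
console.log("refreshing TTL :", buggy.map((ok) => (ok ? "A" : "d")).join(""));
console.log("fixed window   :", fixed.map((ok) => (ok ? "A" : "d")).join(""));
```

Against a real Redis the same two commands go in one pipeline (or MULTI) per request; the mock's lazy expiry mirrors what the server does, so the allow/deny pattern carries over.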

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@GautamBytes

Full changelog: v1.6.17...v1.6.18
