better-auth
Features
- Added support for Stripe SDK v21 and v22 (#9084)
Bug Fixes
- Fixed incorrect `operationId` for the `requestPasswordResetCallback` endpoint in the OpenAPI spec (#9072)
- Fixed dynamic `baseURL` resolution from request headers for direct `auth.api` calls (#9113)
- Fixed `isMounted` race condition that caused excessive requests per second in the client (#9078)
- Fixed nullable schema for the get-session endpoint in the OpenAPI 3.1 spec (#8389)
- Fixed checkout and upgrade flows to omit quantity for metered prices (#8926)
- Fixed 2FA enforcement to trigger on all sign-in paths, including magic-link, OAuth, passkey, email-OTP, and SIWE (#9122)
- Fixed backup code updates to respect the configured `storeBackupCodes` storage strategy after verification (#7231)
For detailed changes, see CHANGELOG
@better-auth/oauth-provider
Features
- Added `customTokenResponseFields` callback for injecting custom fields into token endpoint responses, and hardened authorization code validation (#9118)
Bug Fixes
- Hardened dynamic `baseURL` resolution for direct `auth.api` calls and plugin metadata helpers (#9131)
- Fixed unauthenticated dynamic client registration to silently override confidential auth methods to public, improving compatibility with MCP clients (#9123)
For detailed changes, see CHANGELOG
@better-auth/sso
Bug Fixes
- Fixed multiple SAML response processing bugs, including ACS URL generation, encryption field handling, and provider config parsing (#9097)
For detailed changes, see CHANGELOG
@better-auth/stripe
Bug Fixes
- Fixed prototype pollution vulnerability when merging user-supplied metadata in the Stripe plugin (#9164)
For detailed changes, see CHANGELOG
auth
Bug Fixes
- Fixed tsconfig path alias resolution for extended configs and mid-path wildcards in the CLI (#9032)
For detailed changes, see CHANGELOG
Contributors
Thanks to everyone who contributed to this release:
@bytaesu, @Byte-Biscuit, @gustavovalverde, @Oluwatobi-Mustapha, @ping-maxwell, @ramonclaudio
Full changelog: v1.6.2...v1.6.3