npm better-auth 1.7.0-beta.1
v1.7.0-beta.1

4 days ago

better-auth

Bug Fixes

  • Fixed dynamic baseURL resolution from request headers for direct auth.api calls (#9113)
  • Fixed a race condition in the client that caused excessive requests due to isMounted timing issues (#9078)
  • Fixed 2FA enforcement to apply across all sign-in paths, including magic link, OAuth, passkey, and email OTP (#9122)
  • Fixed backup code updates to respect the configured storeBackupCodes storage strategy after verification (#7231)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

❗ Breaking Changes

  • Rewrote the generic OAuth plugin as a first-class social provider with OAuth 2.1 security defaults (#9069)

Migration: Replace signIn.oauth2({ providerId }) with signIn.social({ provider }), oauth2.link() with linkSocial(), and update your IdP callback URLs from /api/auth/oauth2/callback/:id to /api/auth/callback/:id. Remove genericOAuthClient(), issuer, and requireIssuerValidation from your config. Set pkce: false for providers that reject PKCE challenges.

Features

  • Added the @better-auth/cimd plugin for Client ID Metadata Document support, enabling URL-based client identification for MCP and dynamic client discovery flows (#9159)
  • Added customTokenResponseFields callback to inject custom fields into token endpoint responses, and hardened authorization code validation (#9118)
  • Added at_hash claim to ID tokens to cryptographically bind them to their access tokens, per OIDC Core §3.1.3.6 (#9079)
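The at_hash claim added above is only useful if the relying party actually checks it. The following is an added example, not code from better-auth or its OAuth provider, showing how a client computes at_hash per OIDC Core 3.1.3.6 (left-most half of the access token's hash, using the hash function of the ID token's JWS alg, base64url-encoded without padding) and compares it in constant time. It assumes Node's built-in crypto, handles only the SHA-2 based HS/RS/ES/PS alg families, and deliberately leaves out signature verification, which must happen before at_hash is trusted. The sample ID token it builds is constructed and unsigned.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// OIDC Core 3.1.3.6: at_hash = base64url(left-most half of hash(ASCII(access_token))),
// where the hash is the one used by the ID token's JWS "alg" (SHA-256 for *256, etc.).
// Assumption: only the SHA-2 based alg families HS/RS/ES/PS are handled here.
function hashAlgFor(alg: string): string {
  const m = /^(?:HS|RS|ES|PS)(256|384|512)$/.exec(alg);
  if (!m) throw new Error(`unsupported ID token alg: ${alg}`);
  return `sha${m[1]}`;
}

export function computeAtHash(accessToken: string, alg: string): string {
  const digest = createHash(hashAlgFor(alg)).update(accessToken, "ascii").digest();
  const leftHalf = digest.subarray(0, digest.length / 2);
  return leftHalf.toString("base64url"); // unpadded, as the spec requires
}

function decodeJwtPart(part: string): Record<string, unknown> {
  const parsed: unknown = JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
  if (typeof parsed !== "object" || parsed === null) throw new Error("JWT part is not an object");
  return parsed as Record<string, unknown>;
}

// Relying-party check to run AFTER the ID token signature has been verified (signature
// verification is out of scope for this example). Returns true only when the token carries
// an at_hash that matches the access token it was issued alongside.
export function verifyAtHash(idToken: string, accessToken: string): boolean {
  try {
    const parts = idToken.split(".");
    if (parts.length !== 3) return false;
    const [headerPart, payloadPart] = parts;
    if (!headerPart || !payloadPart) return false;
    const alg = decodeJwtPart(headerPart).alg;
    const atHash = decodeJwtPart(payloadPart).at_hash;
    if (typeof alg !== "string" || typeof atHash !== "string") return false;
    const expected = Buffer.from(computeAtHash(accessToken, alg), "ascii");
    const actual = Buffer.from(atHash, "ascii");
    // Length check first: timingSafeEqual throws on mismatched lengths.
    return expected.length === actual.length && timingSafeEqual(expected, actual);
  } catch {
    return false; // malformed base64url / JSON / unsupported alg all fail closed
  }
}

// Builds a constructed, UNSIGNED sample ID token for demonstration only. A real token from
// an OAuth provider is signed and must be verified before at_hash is checked.
export function makeSampleIdToken(accessToken: string, alg: string): string {
  const b64 = (obj: object) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const header = { alg, typ: "JWT" };
  const payload = { sub: "user-123", at_hash: computeAtHash(accessToken, alg) };
  return `${b64(header)}.${b64(payload)}.placeholder-signature`;
}
```

A mismatch means the ID token and access token did not come from the same token response (or one of them was swapped), so the client should reject the pair rather than fall back to using the access token on its own.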

Bug Fixes

  • Fixed dynamic baseURL resolution to correctly handle trusted proxy headers, loopback addresses, and forwarded requests in plugin metadata helpers (#9131)
  • Fixed unauthenticated dynamic client registration to automatically downgrade confidential auth methods to public client, improving compatibility with MCP clients (#9123)

For detailed changes, see CHANGELOG

@better-auth/sso

❗ Breaking Changes

  • Consolidated the SAML ACS endpoint, removed callbackUrl from samlConfig, and fixed SLO session matching (#9117)

Migration: Remove callbackUrl from samlConfig (the ACS URL is now auto-derived from baseURL and providerId) and update your IdP's ACS URL to /sso/saml2/sp/acs/:providerId. Remove decryptionPvk, additionalParams, idpMetadata.entityURL, and idpMetadata.redirectURL from SAMLConfig if present. The spMetadata field is now optional and can be removed.

Bug Fixes

  • Upgraded samlify to 2.12.0, adding XPath injection protection and XXE prevention for SAML XML processing (#9121)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

  • Fixed a prototype pollution vulnerability in the Stripe plugin when handling user-supplied metadata (#9164)
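The release notes say only that user-supplied metadata could pollute prototypes; the fix itself is not shown. As an added example (not the Stripe plugin's code), here is one defensive pattern for accepting client-provided metadata before it reaches an object that later code reads from: reject the keys that can reach a prototype, copy into a prototype-less object, and let server-owned keys win on merge. The key count and length limits are assumed from Stripe's documented metadata constraints and are not taken from the page.

```typescript
// Keys that let an attacker-controlled JSON object reach Object.prototype (or a class
// prototype) when copied into a normal object via naive assignment or deep merge.
const FORBIDDEN_KEYS: ReadonlySet<string> = new Set(["__proto__", "constructor", "prototype"]);

// Assumed from Stripe's documented metadata constraints (flat string map, at most 50 keys,
// key length <= 40, value length <= 500); adjust if your integration differs.
const MAX_KEYS = 50;
const MAX_KEY_LEN = 40;
const MAX_VALUE_LEN = 500;

export type Metadata = Record<string, string>;

// Validates user-supplied metadata and returns a prototype-less copy. Throws on anything
// suspicious so the request fails loudly and can be logged, instead of being silently "fixed".
export function sanitizeMetadata(input: unknown): Metadata {
  if (typeof input !== "object" || input === null || Array.isArray(input)) {
    throw new TypeError("metadata must be a plain JSON object");
  }
  // Own enumerable keys only. Note that JSON.parse('{"__proto__":{}}') yields an OWN
  // property named "__proto__", which is exactly what naive merges trip over.
  const keys = Object.keys(input);
  if (keys.length > MAX_KEYS) throw new RangeError(`metadata has more than ${MAX_KEYS} keys`);
  const out: Metadata = Object.create(null); // no prototype chain to pollute
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden metadata key: ${key}`);
    if (key.length === 0 || key.length > MAX_KEY_LEN) {
      throw new RangeError(`invalid metadata key length: ${key.length}`);
    }
    const value = (input as Record<string, unknown>)[key];
    if (typeof value !== "string") throw new TypeError(`metadata value for "${key}" must be a string`);
    if (value.length > MAX_VALUE_LEN) throw new RangeError(`metadata value for "${key}" too long`);
    out[key] = value;
  }
  return out;
}

// Merges server-owned fields with sanitized user metadata. Server-owned keys are applied last
// and therefore always win, so a client cannot overwrite e.g. the user id the server attaches.
export function buildCustomerMetadata(serverOwned: Metadata, userSupplied: unknown): Metadata {
  const merged: Metadata = Object.create(null);
  Object.assign(merged, sanitizeMetadata(userSupplied), serverOwned);
  return merged;
}
```

Rejecting rather than dropping forbidden keys is a deliberate choice: a request that carries `__proto__` in its metadata is a strong detection signal, and a thrown error is easier to surface in logs than a quietly stripped field.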

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @Byte-Biscuit, @gustavovalverde, @ping-maxwell

Full changelog: v1.7.0-beta.0...v1.7.0-beta.1
