better-auth
Bug Fixes
- Bundled dependencies were refreshed to their latest compatible releases, including jose, nanostores, the noble crypto packages, and SimpleWebAuthn. These updates are backward compatible and require no changes to existing projects.
- Fixed rate limiting to be applied before plugin request handlers run (#10191)
- Fixed unproven credentials to be revoked when signing in via magic link or email OTP (#10239)
- Fixed account-linking logs to be routed through the configured logger (#10121)
- Fixed admin authorization to use authoritative session reads (#10187)
- Fixed TypeScript inference errors by declaring inherited APIError properties (#8734)
- Fixed server-side OAuth requests to no longer follow redirects (#10241)
- Fixed the schema option in device authorization to be optional under Zod v4 (#9939)
- Fixed hosted-domain validation to be applied consistently across all Google sign-in flows (#10197)
- Fixed OAuth proxy to reject profile callbacks when OAuth state is missing or expired (#10183)
- Fixed OAuth provider profiles to respect user input rules (#10196)
- Fixed PayPal userinfo subject to be bound to the verified ID token subject (#10192)
- Fixed refresh cookie Max-Age to be capped at the configured expiresIn value (#9621)
- Fixed SIWE sign-in to reject when the provided email already belongs to another account (#10228)
- Fixed TOTP and backup code verification to cap the number of allowed attempts (#10210)
- Fixed username storage to only accept valid displayUsername fallbacks (#10182)
For detailed changes, see CHANGELOG
@better-auth/sso
Bug Fixes
- Fixed SSO provider deletion to also remove associated linked account rows (#10224)
- Fixed SSO provider domain verification to require DNS proof for every listed domain (#10227)
- Fixed SAML SLO POST form action to be restricted to http and https schemes (#10225)
- Fixed SAML response binding to be validated against the Service Provider configuration (#10226)
For detailed changes, see CHANGELOG
auth
Bug Fixes
- Fixed disableMigration to be honored for plugin schema tables (#10198)
- Fixed generated BETTER_AUTH_SECRET to use 32 characters instead of 16 (#10186)
- Fixed two-factor verification to enforce account-level lockout after repeated failed attempts (#10240)
For detailed changes, see CHANGELOG
@better-auth/api-key
Bug Fixes
- Fixed client IP resolution from forwarded headers to be more robust (#10203)
- Refactored IP resolution logic into a shared core utility (#10216)
For detailed changes, see CHANGELOG
@better-auth/drizzle-adapter
Features
- Added support for Drizzle Relations v2 via a new @better-auth/drizzle-adapter/relations-v2 entry point (#9489)
For detailed changes, see CHANGELOG
@better-auth/i18n
Bug Fixes
- Fixed the English language fallback and updated i18n documentation (#9872)
For detailed changes, see CHANGELOG
@better-auth/kysely-adapter
Bug Fixes
- Fixed the Kysely adapter to return null when an update matches no rows (#10180)
For detailed changes, see CHANGELOG
@better-auth/mcp
Features
- Added a refreshTokenReuseInterval option, defaulting to 30 seconds, so native/public clients can retry a refresh if a prior token rotation raced against it (#10145)
For detailed changes, see CHANGELOG
@better-auth/oauth-provider
Features
- Added refreshTokenReuseInterval to allow the OAuth provider to replay refresh token responses for duplicate requests within a configurable time window (#10145)
For detailed changes, see CHANGELOG
@better-auth/scim
Bug Fixes
- Fixed SCIM write operations to be properly scoped and to honor the active attribute (#10242)
For detailed changes, see CHANGELOG
Contributors
Thanks to everyone who contributed to this release:
@adityachaudhary99, @Bekacru, @benpsnyder, @bytaesu, @dipan-ck, @gustavovalverde, @moonevm, @Paola3stefania, @ping-maxwell, @rachit367, @sleepe229, @WilsonnnTan
Full changelog: v1.7.0-beta.9...v1.7.0-beta.10