npm better-auth 1.7.0-beta.2
v1.7.0-beta.2

better-auth

Features

  • Added userId and organizationId parameters to the listUserTeams API for scoped team lookups without switching the active organization (#8977)
  • Added support for passing an array of client IDs as the ID token audience in social providers (#9292)

Bug Fixes

  • Fixed forceAllowId UUIDs being ignored on PostgreSQL adapters when advanced.database.generateId is set to "uuid" (#9068)
  • Fixed response headers being lost when an APIError is thrown (#9211)
  • Fixed $sessionSignal not being triggered for session-rotating endpoints (#9087)
  • Fixed the partitioned cookie attribute being dropped on set-cookie round-trips (#9235)
  • Fixed the ./instrumentation module to export a no-op in browser and edge environments (#9281)
  • Fixed disableRefresh query parameter validation in custom sessions to correctly coerce string values to booleans (#9214)
  • Fixed a crash when the request body is undefined during OAuth2 state parsing (#9293)
  • Fixed team additional fields not being inferred correctly in the organization plugin (#9266)
  • Fixed updateUser to allow removing a phone number (#9219)
  • Fixed callbackOnVerification not being called when updatePhoneNumber is enabled (#4894)
  • Reverted two-factor enforcement to credential sign-in flows only, removing the unintended challenge on magic link, OAuth, passkey, and other non-credential sign-in methods (#9205)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

❗ Breaking Changes

  • Updated all OAuth 2.0 endpoints to return RFC-compliant { error, error_description } error envelopes for validation failures (#9277)

Migration: All six OAuth endpoints (/oauth2/token, /oauth2/authorize, /oauth2/revoke, /oauth2/introspect, /oauth2/register, /oauth2/end-session) now emit structured { error, error_description } responses per RFC 6749 §5.2. Update any client code that previously parsed the raw validation error format from these endpoints.
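
As an added example (not code from better-auth or its changelog), one way a client can consume the { error, error_description } envelope described in the migration note. The names OAuthError, parseOAuthError and nextAction, the fallback codes and the response bodies used to exercise it are assumptions made for illustration.

```javascript
// Added example; OAuthError, parseOAuthError and nextAction are hypothetical
// names, not better-auth APIs.

// Error codes RFC 6749 §5.2 defines for the token endpoint. Other endpoints
// (for example registration) define further codes in their own RFCs.
const TOKEN_ERROR_CODES = new Set([
  "invalid_request", "invalid_client", "invalid_grant",
  "unauthorized_client", "unsupported_grant_type", "invalid_scope",
]);

class OAuthError extends Error {
  constructor(status, code, description) {
    super(description ? `${code}: ${description}` : code);
    this.name = "OAuthError";
    this.status = status;
    this.code = code;
    this.description = description;
    this.standard = TOKEN_ERROR_CODES.has(code);
  }
}

// Server-supplied strings end up in logs and UI: replace control characters
// (log-line forging) and cap the length.
function sanitize(text, max) {
  return text.replace(/[\u0000-\u001f\u007f]/g, " ").slice(0, max);
}

// Turn a non-2xx response body into an OAuthError without trusting its shape.
function parseOAuthError(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return new OAuthError(status, "unparseable_response");
  }
  if (body === null || typeof body !== "object" || typeof body.error !== "string") {
    return new OAuthError(status, "unrecognized_error_shape");
  }
  const desc = typeof body.error_description === "string"
    ? sanitize(body.error_description, 256) : undefined;
  return new OAuthError(status, sanitize(body.error, 64), desc);
}

// Branch on the machine-readable code, never on error_description text.
function nextAction(err) {
  if (err.code === "invalid_grant") return "reauthenticate";
  if (err.code === "invalid_client" || err.code === "unauthorized_client") return "check_client_config";
  return "fail";
}
```

Bodies that are not JSON, or that lack a string error member, map to the two fallback codes instead of throwing, so a proxy error page or an unexpected shape fails closed.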

Bug Fixes

  • Fixed host classification inconsistencies across packages that could allow SSRF attacks (#9226)
  • Fixed the userinfo endpoint to correctly read the Authorization header when called via auth.api (#9244)

For detailed changes, see CHANGELOG

@better-auth/api-key

Features

  • Added mapConcurrent utility for bounded-concurrency iteration (#9227)

Bug Fixes

  • Fixed secondary-storage API key operations to run in parallel, improving performance (#9187)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Required patched drizzle-orm ^0.45.2 and kysely ^0.28.14 peer versions to track vulnerability fixes (#9165)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed cached session data not being read from SecureStore on app startup (#8953)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed passkey authentication verification not returning the authenticated user (#5209)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @GautamBytes, @gustavovalverde, @Kinfe123, @ouwargui, @ping-maxwell, @ramonclaudio, @ruban-s, @stewartjarod, @TanishValesha, @terijaki

Full changelog: v1.7.0-beta.1...v1.7.0-beta.2
