npm better-auth 1.7.0-beta.4
v1.7.0-beta.4

3 hours ago

better-auth

Features

  • Added server-side accountInfo calls without requiring session headers (#9813)

Bug Fixes

  • Fixed getMigration field index order (#9691)
  • Fixed acceptance of hashed nonces for native iOS Sign in with Apple (#8870)
  • Added error code to the change-email-disabled response (#8948)
  • Fixed synthetic user construction to avoid including extra fields (#9347)
  • Fixed forwarding of session cookie refresh headers (#9667)
  • Fixed invalid instrumentation import list (#9582)
  • Fixed changeEmail config gate and URL-encoded the callbackURL (#9614)
  • Fixed URL-encoding of callbackURL in verify-email links (#9792)
  • Fixed role statement types to preserve exact type information (#9507)
  • Fixed access control to reject empty action lists and continue OR evaluation on unknown resources (#9603)
  • Fixed storeStateStrategy to default to "database" when using secondaryStorage (#9591)
  • Fixed missing exports for AdminClientOptions and OrganizationClientOptions (#9642)
  • Fixed onLinkAccount callback not being called during email verification sign-in (#9548)
  • Fixed captcha enforcement to exempt the /sign-in/email-otp endpoint (#9596)
  • Fixed parseJSON to correctly decode escape sequences in quoted strings (#9617)
  • Fixed cookie parsing to handle relaxed separators (#9543)
  • Fixed redirect URI validation to be runtime-safe and reject fragment components (#9845)
  • Fixed getTrustedOrigins to respect the dynamic baseURL protocol option (#9644)
  • Fixed consumeOne fallback to throw on non-numeric deleteMany results (#9831)
  • Fixed device authorization to bind approval to the verifier session (#9573)
  • Fixed sendVerificationEmail callback to receive a cloned request (#9619)
  • Fixed accessTokenExpiresIn for OAuth providers that omit expires_in (#9799)
  • Fixed magic link verification to consume the token atomically (#9572)
  • Fixed OAuth proxy to forward result.error verbatim in callback redirects (#9723)
  • Fixed missing state-cookie skip in the OAuth proxy flow (#9385)
  • Fixed updateUserInfoOnLink not being applied during OAuth account linking (#8758)
  • Fixed OAuth callback to forward specific error codes via redirectOnError (#9788)
  • Fixed OAuth to honor the per-flow errorCallbackURL when state validation fails (#9789)
  • Fixed mapping of jose token verification errors (#9655)
  • Fixed confidential client authentication on the refresh_token grant (#9576)
  • Fixed OIDC provider to drop the none algorithm, disable plain PKCE by default, and reject requests missing a PKCE method (#9575)
  • Fixed OpenAPI spec to emit unique operationIds for multi-method endpoints (#9721)
  • Fixed organization creation and update to allow a null logo (#9842)
  • Fixed organization invitations to reject team IDs containing a comma (#9616)
  • Fixed organization deletion to wrap cascade deletes in a transaction (#9630)
  • Fixed ipv6Subnet type to accept wider values (#9545)
  • Fixed session expiry to be preserved correctly during stateless cache refresh (#8817)
  • Fixed two-factor authentication to clear the session cookie cache on response (#9639)
  • Fixed username validation on the admin createUser endpoint (#9464)
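
The OIDC provider entries above (PKCE method required, plain disabled by default) describe a small but security-critical state machine. The following TypeScript is an added illustration of those checks, written for these notes; it is not better-auth code, and the names PkcePolicy, acceptChallenge, verifyCodeVerifier and StoredChallenge are this example's own. It uses the RFC 7636 Appendix B test vector so the S256 path can be checked offline.

```typescript
// Added example (not better-auth code): PKCE handling that refuses to default a missing
// code_challenge_method to "plain", keeps "plain" off unless explicitly enabled, and
// verifies S256 at the token endpoint with a constant-time comparison.
import { createHash, timingSafeEqual } from "node:crypto";

export interface PkcePolicy {
  allowPlain: boolean; // assumption: false unless the deployment opts in
}
export const DEFAULT_PKCE_POLICY: PkcePolicy = { allowPlain: false };

export interface StoredChallenge {
  codeChallenge: string;
  codeChallengeMethod: "S256" | "plain";
}

export type AcceptResult = { ok: true; stored: StoredChallenge } | { ok: false; error: string };
export type PkceResult = { ok: true } | { ok: false; error: string };

// RFC 7636 §4.1: 43..128 unreserved characters.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;
// base64url(SHA-256) without padding is always exactly 43 characters.
const S256_CHALLENGE_RE = /^[A-Za-z0-9\-_]{43}$/;

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

export function s256Challenge(codeVerifier: string): string {
  return base64url(createHash("sha256").update(codeVerifier, "ascii").digest());
}

// /authorize: decide whether the challenge may be stored with the authorization code.
export function acceptChallenge(
  params: { code_challenge?: string; code_challenge_method?: string },
  policy: PkcePolicy = DEFAULT_PKCE_POLICY,
): AcceptResult {
  const { code_challenge, code_challenge_method } = params;
  if (!code_challenge) return { ok: false, error: "invalid_request: code_challenge is required" };
  if (code_challenge_method === undefined) {
    // RFC 7636 permits defaulting a missing method to "plain"; that silently weakens every
    // client that forgets the parameter, so the method must be stated explicitly.
    return { ok: false, error: "invalid_request: code_challenge_method is required" };
  }
  if (code_challenge_method === "S256") {
    if (!S256_CHALLENGE_RE.test(code_challenge)) return { ok: false, error: "invalid_request: malformed S256 code_challenge" };
    return { ok: true, stored: { codeChallenge: code_challenge, codeChallengeMethod: "S256" } };
  }
  if (code_challenge_method === "plain") {
    if (!policy.allowPlain) return { ok: false, error: "invalid_request: plain code_challenge_method is disabled" };
    if (!VERIFIER_RE.test(code_challenge)) return { ok: false, error: "invalid_request: malformed plain code_challenge" };
    return { ok: true, stored: { codeChallenge: code_challenge, codeChallengeMethod: "plain" } };
  }
  return { ok: false, error: "invalid_request: unsupported code_challenge_method" };
}

// /token: compare the presented code_verifier against what was stored with the code.
export function verifyCodeVerifier(stored: StoredChallenge, codeVerifier: string | undefined): PkceResult {
  if (!codeVerifier || !VERIFIER_RE.test(codeVerifier)) {
    return { ok: false, error: "invalid_grant: code_verifier missing or malformed" };
  }
  const expected = stored.codeChallengeMethod === "S256" ? s256Challenge(codeVerifier) : codeVerifier;
  const a = Buffer.from(expected, "ascii");
  const b = Buffer.from(stored.codeChallenge, "ascii");
  if (a.length !== b.length || !timingSafeEqual(a, b)) {
    return { ok: false, error: "invalid_grant: code_verifier does not match code_challenge" };
  }
  return { ok: true };
}
```

The JWT alg=none removal from the same entry is a separate concern (token verification, not PKCE) and is not shown here; the point of this block is that "no method" and "plain" are distinct rejection paths, and that only the explicit allowPlain opt-in re-enables the weaker one.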

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

❗ Breaking Changes

  • Bound RFC 8707 resource indicators to the authorization grant (#9836)

Migration: The customAccessTokenClaims callback now receives a resources array instead of a resource string. Run npx @better-auth/cli migrate (or generate if you manage the schema yourself) to add the new resource columns.

Features

  • Added token endpoint client authentication support (#9625)

Bug Fixes

  • Fixed consumeVerificationValue to return null for expired rows (#9624)
  • Fixed dynamic client registration to enforce clientPrivileges (#9837)
  • Fixed DCR endpoint to be hidden unless explicitly enabled (#9448)
  • Fixed Basic Auth to preserve colons in client secrets (#9601)
  • Fixed consent update to return NOT_FOUND when referencing a missing client (#9600)
  • Fixed issuer metadata aliases to be served at path-prefixed URLs (#9668)
  • Fixed OAuth linking to block connections to unverified local accounts (#9578)
  • Fixed redirect_uri scheme validation in OIDC provider and MCP (#9838)
  • Refactored Basic credential handling to use a single source of truth (#9657)
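
Two entries on this page concern redirect_uri handling: the core fix that rejects fragment components (#9845) and the scheme validation in the OIDC provider and MCP (#9838). As an added example for these notes, not better-auth code, the TypeScript below implements the checks an authorization server needs at that point: no fragment, a scheme allow-list with http confined to loopback, private-use schemes in reverse-domain form, and exact-string matching against the registered list with the RFC 8252 loopback-port exception. RegisteredClient and validateRedirectUri are this example's own names.

```typescript
// Added example (not better-auth code): redirect_uri validation at the authorization endpoint.

export interface RegisteredClient {
  clientId: string;
  redirectUris: string[]; // exact strings supplied at registration
}

export type RedirectUriCheck = { ok: true; redirectUri: string } | { ok: false; reason: string };

const LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]"]); // RFC 8252 §7.3; "localhost" deliberately omitted
const DENIED_SCHEMES = new Set(["javascript:", "data:", "file:", "vbscript:", "blob:"]);

function parse(uri: string): URL | null {
  try {
    return new URL(uri);
  } catch {
    return null;
  }
}

function isLoopbackHttp(u: URL): boolean {
  return u.protocol === "http:" && LOOPBACK_HOSTS.has(u.hostname);
}

// Simple string comparison (RFC 6749 §3.1.2.3), except that a loopback redirect may use any
// port because native apps bind an ephemeral one at run time (RFC 8252 §7.3).
function matches(registered: string, rawCandidate: string, candidate: URL): boolean {
  const r = parse(registered);
  if (r && isLoopbackHttp(r) && isLoopbackHttp(candidate)) {
    const a = new URL(r.href);
    const b = new URL(candidate.href);
    a.port = "";
    b.port = "";
    return a.href === b.href;
  }
  return registered === rawCandidate;
}

export function validateRedirectUri(client: RegisteredClient, redirectUri: string | undefined): RedirectUriCheck {
  if (!redirectUri) return { ok: false, reason: "redirect_uri is required" };
  // RFC 6749 §3.1.2: the endpoint URI MUST NOT include a fragment component. Checked on the
  // raw string because the URL parser would silently keep an empty "#" out of .hash.
  if (redirectUri.includes("#")) return { ok: false, reason: "redirect_uri must not contain a fragment" };
  const u = parse(redirectUri);
  if (!u) return { ok: false, reason: "redirect_uri must be an absolute URI" };
  if (DENIED_SCHEMES.has(u.protocol)) return { ok: false, reason: `scheme ${u.protocol} is not allowed` };
  if (u.protocol === "http:" && !LOOPBACK_HOSTS.has(u.hostname)) {
    return { ok: false, reason: "http is only allowed for loopback redirects" };
  }
  if (u.protocol !== "https:" && u.protocol !== "http:" && !u.protocol.includes(".")) {
    return { ok: false, reason: "custom schemes must be reverse-domain names (RFC 8252 §7.1)" };
  }
  if (!client.redirectUris.some((r) => matches(r, redirectUri, u))) {
    return { ok: false, reason: "redirect_uri is not registered for this client" };
  }
  return { ok: true, redirectUri };
}
```

Running the structural checks before the registration lookup matters: a registered entry that was accepted under older, looser rules (say, one carrying a fragment) is still refused at authorization time instead of being trusted because it is on the list.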

For detailed changes, see CHANGELOG

@better-auth/sso

❗ Breaking Changes

  • Added support for multiple IdP signing certificates (#8805)

Migration: samlConfig.certificate from getSSOProvider, listSSOProviders, and updateSSOProvider now always returns an array, even when a single certificate is configured. Update consumers to read an array unconditionally.

Features

  • Added support for IDP-initiated OAuth flows via a secure server-side bounce (#9301)
  • Added per-request additionalParams and loginHint to signIn.social, linkSocial, and signIn.sso (#9305)

Bug Fixes

  • Fixed hook rejections to redirect to errorCallbackURL across auth callback flows (#9702)
  • Fixed OAuth account identity scoping and corrected buggy internalAdapter helpers (#9818)
  • Fixed security vulnerabilities flagged by Dependabot (#9662)
  • Fixed SSO provider registration to require the org admin role (#9220)
  • Fixed signed-assertion XML injection vulnerability by updating samlify to 2.13.1 (#9821)
  • Fixed URL-encoding of error values in OIDC callback redirects (#9722)
  • Fixed OIDC endpoint URL validation at provider registration and update (#9574)

For detailed changes, see CHANGELOG

@better-auth/scim

❗ Breaking Changes

  • Fixed personal SCIM connections to always be bound to their creator (#9840)

Migration: The providerOwnership option has been removed and owner binding is now always enforced. Run npx auth migrate or npx auth generate to add the scimProvider.userId column. Connections created before this release with no owner are no longer reachable via management endpoints; reclaim them by setting userId at the database level, then regenerate tokens as needed.

Bug Fixes

  • Fixed user deletion to clean up associated sessions (#9162)
  • Fixed SCIM token issuance to reject collisions with built-in provider IDs (#9579)

For detailed changes, see CHANGELOG

@better-auth/stripe

❗ Breaking Changes

  • Made onSubscriptionCancel event parameter required (#9531)

Migration: Update your onSubscriptionCancel callback to declare event as a required parameter and remove any undefined guards around it.

Bug Fixes

  • Fixed URL and Stripe value escaping (#9661)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

  • Synced changes from main to next (#9533)
  • Fixed TypeScript declaration emit errors (TS4023) by adding better-call as a peer dependency (#9759)
  • Fixed rate-limited API key requests to return 429 instead of 401 (#9505)
  • Fixed verification of non-default API keys when configId is omitted (#9794)
  • Fixed requireEmailVerificationOnInvitation to be enabled by default and extended the gate to get and list endpoints (#9577)

For detailed changes, see CHANGELOG

auth

Features

  • Added create-admin CLI command for creating an initial admin user (#9547)
  • Added string case conversion utilities (#9727)
  • Added atomic claimOne adapter primitive (#9560)

Bug Fixes

  • Renamed claimOne adapter primitive to consumeOne (#9568)

For detailed changes, see CHANGELOG

@better-auth/drizzle-adapter

Bug Fixes

  • Fixed mixed AND/OR query handling in the Drizzle adapter (#9756)
  • Fixed MySQL adapter to fail fast on unsafe insert return values (#9665)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

  • Fixed passkey handling of undefined transports (#9746)
  • Fixed passkey challenge consumption to be atomic and propagate inner verification errors (#9622)

For detailed changes, see CHANGELOG

@better-auth/electron

Bug Fixes

  • Fixed cookie header serialization to percent-encode values (#9631)

For detailed changes, see CHANGELOG

@better-auth/expo

Bug Fixes

  • Fixed large account cookies to be persisted by chunking device storage (#9815)

For detailed changes, see CHANGELOG

@better-auth/kysely-adapter

Bug Fixes

  • Fixed Kysely introspector to report SQLite tables as non-views (#9615)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@app/better-release, @bytaesu, @chdanielmueller, @cyphercodes, @dipan-ck, @GautamBytes, @gustavovalverde, @ItalyPaleAle, @jsj, @kgarg2468, @Kvizas, @OscarCornish, @Paola3stefania, @ping-maxwell, @reslear, @stewartjarod, @Vishesh-Verma-07

Full changelog: v1.7.0-beta.3...v1.7.0-beta.4
