Better Auth Updates & Release Notes

better-auth

Bug Fixes

Added an error code to the change-email-disabled response to help clients identify the rejection reason (#8948)

Fixed access-control role statement types so predefined organization roles expose only their configured permissions in TypeScript (#9507)

Fixed the anonymous plugin to correctly call onLinkAccount when email verification triggers auto sign-in (#9548)

Fixed device authorization to bind pending codes to the verifying session, preventing any authenticated user from approving or denying another user's device code (#9573)

Fixed a race condition in the magic-link plugin that allowed concurrent requests to mint multiple sessions from the same single-use token (#9572)

Fixed the oidc-provider and mcp plugins to require client_secret for confidential clients on refresh token grants and use constant-time secret comparison (#9576)

Hardened oidc-provider and mcp plugins to follow OAuth 2.1: removed "none" from advertised signing algorithms, defaulted plain PKCE off, and rejected incomplete PKCE parameters (#9575)

Fixed an invitation takeover vulnerability by enabling requireEmailVerificationOnInvitation by default and extending the verification gate to getInvitation and listUserInvitations (#9577)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

Fixed a race condition in the OAuth authorization-code grant that allowed concurrent token-exchange requests to mint multiple token sets from the same authorization code

Fixed a race condition in OAuth refresh-token rotation that allowed concurrent requests to fork refresh token families, and added a unique constraint on oauthRefreshToken.token

Fixed OAuth account linking to require a verified local email before linking an OAuth identity to a local account (#9578)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

Fixed an invalid import list in the instrumentation module (#9582)

Widened advanced.ipAddress.ipv6Subnet to accept any valid IPv6 prefix length (0-128) instead of a narrow set of values (#9545)

For detailed changes, see CHANGELOG

@better-auth/scim

Bug Fixes

Fixed session cleanup to run when admin, anonymous, or SCIM operations delete a user (#9162)

Fixed generateSCIMToken to reject providerId values that collide with built-in account providers, preventing tokens from authenticating against unintended accounts (#9579)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

Fixed SSO provider registration to require an org admin or owner role, preventing any organization member from registering providers (#9220)

Fixed an SSRF vulnerability by validating user-supplied OIDC endpoint URLs against a public-routable host allowlist at provider registration and update (#9574)

For detailed changes, see CHANGELOG

auth

Features

Added an atomic claimOne adapter primitive for consuming database rows without race conditions (#9560)

Bug Fixes

Renamed the claimOne adapter primitive to consumeOne and added internalAdapter.consumeVerificationValue for atomically consuming verification rows (#9568)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

Fixed API key rate-limited responses to return HTTP 429 instead of 401, so clients can distinguish throttling from authentication failures (#9505)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@dipan-ck, @GautamBytes, @gustavovalverde, @Kvizas, @ping-maxwell, @stewartjarod

Full changelog: v1.6.10...v1.6.11

Original source

better-auth

Features

• Made the Auth instance directly fetchable (#9431)
• Added hydrateSession to seed the client with a server-fetched session so useSession returns data on the first render (#8733)
• Added an immutable username option that locks a username after it is first set, while still allowing other profile fields to be updated (#9240)

Bug Fixes

• Fixed organization invitation roles to support dynamic values (#9437)
• Fixed link accessibility issues (#9521)
• Fixed incorrect email casing in one-tap, email-OTP, and email-verification flows (#9369)
• Fixed the OpenAPI schema for POST /sign-in/social which incorrectly declared required fields (#9268)
• Added a warning when the cookie plugin is placed last in the plugins array (#9484)
• Fixed useSession to revalidate correctly after admin impersonation (#9402)
• Fixed duplicate Set-Cookie headers being sent on redirect responses (#9497)
• Fixed the bearer plugin to write only one entry per cookie name when merging session tokens (#9387)
• Fixed the captcha plugin breaking the email-OTP flow (#8339)
• Fixed instrumentation resolution in the adapter factory via package self-reference (#9340)
• Fixed instrumentation to use the pure entry point in Cloudflare Workers environments (#9395)
• Fixed enumeration protection to apply correctly when autoSignIn is disabled (#8839)
• Fixed a TypeError caused by non-ASCII characters in an OAuth error_description during redirect (#9065)
• Fixed the deleteAccount parameter name from accountId to id in the internal adapter (#9503)
• Fixed OAuth callbacks to reject responses that are missing a provider account ID (#9456)
• Fixed mapProfileToUser to serve as a fallback for OAuth providers that may omit the email field (#9331)
• Fixed beforeCreateTeam and beforeCreateInvitation hooks to allow passing a custom id (#9253)
• Fixed cancelPendingInvitationsOnReInvite being unreachable because re-invite incorrectly returned 400 (#9453)
• Fixed a TS2742 error by re-exporting field types when using additionalFields (#9349)
• Fixed the active organization role not being refreshed on sign-out (#9440)
• Fixed setActiveTeam to correctly scope team selection to the active organization (#9239)
• Fixed a missing getNonce client alias in the SIWE plugin (#9461)
• Fixed the username plugin to respect callbackURL on sign-in (#9475)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

• Fixed onSubscriptionUpdate to expose the stripeSubscription object and corrected a stale snapshot issue (#9354)
• Fixed library-owned Checkout Session fields to no longer be overridable via getCheckoutSessionParams (#9481)
• Fixed onSubscriptionDeleted and trial callbacks to receive the post-update subscription instead of the stale one (#9356)
• Fixed getCheckoutSessionParams to preserve freeTrial and internal metadata during merging (#9474)
• Renamed internal subscription webhook variables for improved clarity (#9355)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed authorization flows to work correctly when no state parameter is provided (#9328)
• Fixed missing exports for declaration helper types (#9406)
• Fixed prompt=login to be honored correctly throughout the consent continuation flow (#9344)
• Fixed missing database indexes on OAuth foreign keys (#9389)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

• Fixed unhandled failures during the passkey autofill ceremony (#9429)
• Fixed a TypeScript exactOptionalPropertyTypes incompatibility in the passkey plugin (#9270)

For detailed changes, see CHANGELOG

auth

Bug Fixes

• Fixed the CLI to emit valid Kysely initialization configs (#9455)
• Improved CLI auth config loading by using c12 v4's resolveModule for more reliable module resolution (#9477)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed api.verifyApiKey to correctly validate keys against the configId (#9393)

For detailed changes, see CHANGELOG

@better-auth/i18n

Features

• Added built-in translations for 22 languages (#9157)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed spMetadata to use findSAMLProvider so that the default SSO configuration works correctly (#9398)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@adrianmxb, @baptisteArno, @bytaesu, @Craga89, @cyphercodes, @dipan-ck, @erquhart, @GautamBytes, @gustavovalverde, @IcanDivideBy0, @jaydeep-pipaliya, @mausic, @onmax, @pi0, @ping-maxwell, @sovetski, @zllovesuki

Full changelog: v1.7.0-beta.2...v1.7.0-beta.3

Original source

better-auth

Bug Fixes

• Exposed refreshUserSessions on the internal adapter (#7764)
• Fixed organization invitation roles to accept dynamic access control roles (#9437)
• Improved link accessibility (#9521)
• Fixed incorrect email casing in one-tap, email-otp, and email-verification flows (#9369)
• Fixed OpenAPI schema for POST /sign-in/social mis-declaring required fields (#9268)
• Added a warning when the cookie plugin is placed last in the plugins array (#9484)
• Fixed useSession not revalidating after admin impersonation starts or stops (#9402)
• Fixed duplicate Set-Cookie headers being emitted on redirect responses from social sign-in and magic-link endpoints (#9497)
• Fixed the bearer plugin writing duplicate cookie entries when merging the session token into request headers (#9387)
• Fixed captcha plugin breaking the email-otp flow (#8339)
• Fixed email enumeration protection not applying when emailAndPassword.autoSignIn is false (#8839)
• Fixed a TypeError caused by non-ASCII characters in OAuth error descriptions on redirect (#9065)
• Renamed internalAdapter.deleteAccount parameter from accountId to id to reflect that it queries by primary key (#9503)
• Fixed OAuth callbacks accepting a missing provider account ID, which could link accounts under an undefined id (#9456)
• Fixed cancelPendingInvitationsOnReInvite having no effect, where re-inviting the same email always returned USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION (#9453)
• Fixed a TS2742 type error caused by missing re-exports when using additionalFields in the organization plugin (#9349)
• Fixed useActiveMemberRole retaining a previous user's role after sign-out in SPA flows (#9440)
• Fixed setActiveTeam to only accept teams from the currently active organization (#9239)
• Added authClient.siwe.getNonce() as a compatibility alias for the SIWE nonce endpoint (#9461)
• Fixed callbackURL being ignored on signIn.username, so it now redirects correctly like signIn.email (#9475)

For detailed changes, see CHANGELOG

@better-auth/oauth-provider

Bug Fixes

• Fixed sessionId typing in refresh token types to be optional, matching the schema (#9324)
• Fixed stale prompt=login consent continuations not completing after a forced login
• Exported OAuth provider helper types needed for portable downstream TypeScript declaration emit (#9406)
• Fixed prompt=login not being honored after consent continuation, preventing session bypass (#9344)
• Added database indexes to OAuth provider foreign-key fields in generated schemas (#9389)

For detailed changes, see CHANGELOG

@better-auth/stripe

Bug Fixes

• Fixed onSubscriptionUpdate to receive the raw stripeSubscription object, and fixed onSubscriptionCancel to receive the post-update subscription row instead of a stale snapshot (#9354)
• Fixed getCheckoutSessionParams overriding internally managed Stripe Checkout Session fields such as success_url, cancel_url, customer, and line_items (#9481)
• Fixed onSubscriptionDeleted, onTrialEnd, and onTrialExpired receiving a stale pre-update subscription snapshot instead of the post-update row (#9356)
• Fixed getCheckoutSessionParams overriding free trial and internal metadata, which could hide trial periods and create duplicate subscription rows on webhook (#9474)
• Renamed internal subscription webhook variables for clarity (#9355)

For detailed changes, see CHANGELOG

@better-auth/api-key

Bug Fixes

• Fixed api.verifyApiKey not validating the key's configId against the request body (#9393)

For detailed changes, see CHANGELOG

@better-auth/core

Bug Fixes

• Fixed Cloudflare Workers instrumentation imports to use a no-op entry when OpenTelemetry is not installed (#9395)

For detailed changes, see CHANGELOG

@better-auth/passkey

Bug Fixes

• Fixed passkey autofill authentication to return a handled cancellation instead of an unhandled error when it cannot start (#9429)

For detailed changes, see CHANGELOG

@better-auth/sso

Bug Fixes

• Fixed /sso/saml2/sp/metadata throwing NOT_FOUND for providers configured via defaultSSO (#9398)

For detailed changes, see CHANGELOG

auth

Bug Fixes

• Fixed auth init generating broken MySQL and PostgreSQL Kysely database configs (#9455)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@bytaesu, @Craga89, @cyphercodes, @dipan-ck, @dvanmali, @GautamBytes, @gustavovalverde, @IcanDivideBy0, @jaydeep-pipaliya, @mausic, @onmax, @ping-maxwell, @programming-with-ia, @zllovesuki

Full changelog: v1.6.9...v1.6.10

Original source