All of the changes made will be available here.

Better Auth is the most comprehensive authentication framework for TypeScript that provides a wide range of features to make authentication easier and more secure.


v1.4.9

🚀 Features

  • Add ctx.isTrustedDomain helper – @jonathansamines
  • Drizzle pg supports JSON – @dvanmali
  • Add Refresh Token Support to Kick OAuth Provider – @CesarRodrigu
  • Add additionalFields option in verification table schema – @noctarius
  • Add patreon social provider – @Spuffynism
  • Add a global backgroundTasks config option to defer actions like sending email and updates to run after response is sent – @nexxeln @Bekacru
  • admin:
    • Prevent impersonating admins by default [breaking] – @jslno @Bekacru
    • Add support role with permissions for user updates and enforce role change validation – @Bekacru
  • expo:
    • Last-login-method client plugin – @jslno @himself65
  • multi-session:
    • Allow to infer additional fields – @jslno
  • oauth-provider:
    • An oauth 2.1 compliant plugin – @dvanmali
  • oauth-proxy:
    • Add expiry timestamp for encrypted tokens – @Bekacru
  • one-time-token:
    • Support setting session cookie on ott verify – @Bekacru
  • organization:
    • Allow invited users to see organization name – @GautamBytes
  • phone-number:
    • Add password length validation for reset functionality – @Bekacru
  • saml:
    • Assertion timestamp validation with per-provider clock skew – @Paola3stefania
    • Validate SAML crypto algorithms during initial phase – @Paola3stefania
    • Enforce one-time use of SAML assertions – @Paola3stefania
    • Reject deprecated SAML signature and digest algorithms – @Paola3stefania
  • sso:
    • Use domain verified flag to trust providers automatically – @Paola3stefania
    • Add InResponseTo validation – @Paola3stefania
    • Add OIDC discovery – @Paola3stefania @Bekacru
    • Add URL normalization and validation to all discovery URLs – @jonathansamines @Paola3stefania @Bekacru

🐞 Bug Fixes

  • Add helper types to exports – @himself65
  • Avoid throwing on client side – @landoncolburn @Bekacru
  • Export organization plugin types – @pffigueiredo
  • Pathname should be normalized when basePath is set to root – @Bekacru
  • Prematurely deleting active sessions in secondary storage – @DevDuki
  • Make sure non-chunked session data cookie is cleared – @Bekacru
  • Array field handling across adapters and schema generation – @ping-maxwell @Bekacru
  • StoreStateStrategy default to database if provided – @himself65
  • Should always remove 2FA verification token after successful verification – @delfortrie
  • Prevent stateless refresh with database configured – @Bekacru
  • Revert token masking in listSessions route – @bytaesu
  • Compatible with openapi 3.1 – @himself65
  • Properly merge updated data in account cookie – @jslno
  • Preserve = padding in parsed cookies – @Shridhad
  • Unify SSO/OAuth account linking and add domain-based org assignment to all sign-in flows – @Paola3stefania
  • Respect BETTER_AUTH_TRUSTED_ORIGINS env variable – @Paola3stefania
  • Delete verifications with hooks – @jonathansamines
  • Respect IP headers in dev/test environments – @bytaesu
  • Trusted origins resolving – @Bekacru
  • Update-user breaking during stateless auth – @ping-maxwell
  • Export necessary adapter types – @himself65
  • Use operator in list members where clause – @Diabl0570
  • Don't set state query param if state is not provided – @paoloricciuti
  • Correct wildcard pattern matching for trustedOrigins – @bytaesu
  • adapter:
    • Add logger creation in adapter factory – @ping-maxwell
    • Allow run internal adapter outside context – @himself65
    • Apply customTransformInput to where clause values – @erquhart @ping-maxwell
  • admin:
    • Clear admin session cookie on stopImpersonating – @jslno
  • api-key:
    • Check metadata is enabled for api key update endpoint – @Bekacru
    • Prevent id update error with MongoDB adapter – @balbuzar
  • auth:
    • Respect trustedOrigins when baseURL is inferred – @Paola3stefania
  • cli:
    • secret generates empty – @himself65
    • Deduplicate drizzle schema relationships – @ping-maxwell
    • Cmd info --json unexpected exit with 1 – @himself65
  • client:
    • Set session data on refreshManager – @himself65
  • cognito:
    • Use %20 encoding for scopes instead of + – @nathannewyen
  • core:
    • Allow returning null in getUserInfo in provider options – @Zollerboy1
  • db:
    • Correctly unwrap validator result in schema parsing – @GautamBytes
  • deps:
    • Update dependency next to v16.0.7 [security]
    • Update dependency @react-email/components to v1
  • expo:
    • Add missing matcher paths – @bytaesu
  • generic-oauth:
    • Ensure encryptOAuthTokens is respected in account linking flow – @DevanAbinaya
  • kysely:
    • Wrong affected row count in updateMany & deleteMany – @jslno
  • line:
    • Enforce nonce – @Bekacru
  • magic-link:
    • Handle query params in errorCallbackUrl – @martinriviere
  • oidc:
    • Compatibility with exact-optional-property – @ping-maxwell
  • openapi:
    • Mark /get-session response as nullable – @GautamBytes
  • organization:
    • Validate role existence in inviteMember endpoint – @GautamBytes
    • Allow internal organization creation when disabled for client – @GautamBytes
  • passkey:
    • Use deleteVerificationByIdentifier instead of deleteVerificationValue – @bytaesu
  • prisma:
    • Use findFirst instead of findMany for findOne – @Bekacru
  • prisma-adapter:
    • Extract id to root level for delete operations – @ping-maxwell
  • saml:
    • Enforce trusted provider check – @Paola3stefania
    • Remove signature validation bypass – @Paola3stefania
  • sso:
    • Safely parse provider configs on registration – @Paola3stefania @Bekacru
    • Deprecate trustEmailVerified – @Paola3stefania
    • Enforce domain verification in assignOrganizationByDomain – @Paola3stefania
  • stripe:
    • Update subscriptionId to use Stripe id – @bytaesu
  • username:
    • Await username validator – @jslno
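Several fixes in this release concern trusted origins: respecting the BETTER_AUTH_TRUSTED_ORIGINS variable, resolving them when baseURL is inferred, and correcting wildcard matching. Wildcard origin matching is where CSRF and callback-redirect checks usually go wrong, so here is an added example, not Better Auth's code, of a matcher that handles the classic pitfalls: "*.example.com" must match "https://app.example.com" but not "https://evil-example.com", "https://example.com.evil.net", or the bare apex. The pattern syntax (exact origin, host-only wildcard matching any scheme, or scheme-qualified wildcard with optional port) is an assumption made for this example and is not a statement of how the library's own patterns behave; IPv6 literals are out of scope.

```typescript
// Added example (not Better Auth's implementation): trusted-origin matching with wildcards.
interface Origin { scheme: string; hostname: string; port: string }
interface Pattern { scheme: string | null; hostname: string; wildcard: boolean; port: string | null }

// A browser-sent Origin is scheme://host[:port] and nothing more; reject values that
// smuggle credentials, a path, a query or a fragment past the check.
function parseOrigin(value: string): Origin | null {
  let url: URL;
  try { url = new URL(value); } catch { return null; }
  if (url.username !== "" || url.password !== "" || url.pathname !== "/" || url.search !== "" || url.hash !== "") {
    return null;
  }
  // URL normalizes case and drops default ports, so "https://App.Example.com:443" -> port "".
  return { scheme: url.protocol.replace(/:$/, ""), hostname: url.hostname, port: url.port };
}

// Assumed syntax: [scheme://]host[:port], where host may start with "*." to match one or
// more subdomain labels. Omitted scheme or port means "any".
function parsePattern(pattern: string): Pattern | null {
  let rest = pattern.trim().toLowerCase();
  let scheme: string | null = null;
  const schemeIdx = rest.indexOf("://");
  if (schemeIdx !== -1) { scheme = rest.slice(0, schemeIdx); rest = rest.slice(schemeIdx + 3); }
  let port: string | null = null;
  const portIdx = rest.lastIndexOf(":");
  if (portIdx !== -1) {
    port = rest.slice(portIdx + 1);
    rest = rest.slice(0, portIdx);
    if (!/^\d+$/.test(port)) return null;
  }
  const wildcard = rest.startsWith("*.");
  const hostname = wildcard ? rest.slice(2) : rest;
  // A wildcard anywhere else ("a*.example.com", "*") is too loose to be a trusted origin.
  if (hostname === "" || hostname.includes("*") || hostname.includes("/")) return null;
  return { scheme, hostname, wildcard, port };
}

function originMatches(origin: Origin, p: Pattern): boolean {
  if (p.scheme !== null && p.scheme !== origin.scheme) return false;
  if (p.port !== null && p.port !== origin.port) return false;
  if (!p.wildcard) return origin.hostname === p.hostname;
  // Suffix match on a label boundary: the origin must have at least one label before
  // ".example.com", so neither "evil-example.com" nor "example.com" itself qualifies.
  return origin.hostname.length > p.hostname.length + 1 && origin.hostname.endsWith("." + p.hostname);
}

function isTrustedOrigin(value: string, patterns: string[]): boolean {
  const origin = parseOrigin(value);
  if (origin === null) return false;
  return patterns.some((raw) => {
    const p = parsePattern(raw);
    return p !== null && originMatches(origin, p);
  });
}

// Constructed sample configuration for a stand-alone run.
const SAMPLE_TRUSTED = ["https://app.example.com", "*.example.com", "https://*.staging.example.com:8443"];
const SAMPLE_ORIGINS = [
  "https://app.example.com", "http://api.example.com", "https://evil-example.com",
  "https://example.com.evil.net", "https://example.com", "https://app.example.com/callback", "null",
];
function runDemo(): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const o of SAMPLE_ORIGINS) out[o] = isTrustedOrigin(o, SAMPLE_TRUSTED);
  return out;
}
```

A host-only wildcard deliberately accepts http as well as https; if every trusted front end is served over TLS, write the scheme into the pattern so a plaintext origin (or an attacker on the same hostname over http) is not trusted by accident.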

🏎 Performance

  • Add index on organizations slug field – @matteobad

v1.4.7

🚀 Features

  • admin:
    • Add support role with permissions for user updates and enforce role change validation – @Bekacru
  • one-time-token:
    • Support setting session cookie on ott verify – @Bekacru
  • phone-number:
    • Add password length validation for reset functionality – @Bekacru
  • saml:
    • Assertion timestamp validation with per-provider clock skew – @Paola3stefania
  • sso:
    • Add InResponseTo validation – @Paola3stefania
    • Add OIDC discovery – @Paola3stefania @Bekacru
    • Add URL normalization and validation to all discovery URLs – @jonathansamines @Paola3stefania @Bekacru

🐞 Bug Fixes

  • Prevent stateless refresh with database configured – @Bekacru
  • api-key: Check metadata is enabled for api key update endpoint – @Bekacru
  • line: Enforce nonce – @Bekacru
  • saml: Remove signature validation bypass – @Paola3stefania

🏎 Performance

  • Add index on organizations slug field – @matteobad

v1.4.6

🚀 Features

  • Add ctx.isTrustedDomain helper – @jonathansamines
  • Drizzle pg supports JSON – @dvanmali
  • Add Refresh Token Support to Kick OAuth Provider – @CesarRodrigu
  • admin: Prevent impersonating admins by default [breaking] – @jslno @Bekacru
  • expo: Last-login-method client plugin – @jslno @himself65
  • multi-session: Allow to infer additional fields – @jslno
  • organization: Allow invited users to see organization name – @GautamBytes
  • sso: Use domain verified flag to trust providers automatically – @Paola3stefania

🐞 Bug Fixes

  • Avoid throwing on client side – @landoncolburn @Bekacru
  • Export organization plugin types – @pffigueiredo
  • Prematurely deleting active sessions in secondary storage – @DevDuki
  • Pathname should be normalized when basePath is set to root – @Bekacru
  • Make sure non-chunked session data cookie is cleared – @Bekacru
  • Array field handling across adapters and schema generation – @ping-maxwell @Bekacru
  • StoreStateStrategy default to database if provided – @himself65
  • Should always remove 2FA verification token after successful verification – @delfortrie
  • adapter:
    • Add logger creation in adapter factory – @ping-maxwell
    • Allow run internal adapter outside context – @himself65
  • admin:
    • Clear admin session cookie on stopImpersonating – @jslno
  • cli:
    • secret generates empty – @himself65
    • Deduplicate drizzle schema relationships – @ping-maxwell
  • core:
    • Allow returning null in getUserInfo in provider options – @Zollerboy1
  • db:
    • Correctly unwrap validator result in schema parsing – @GautamBytes
  • deps:
    • Update dependency next to v16.0.7 [security]
    • Update dependency @react-email/components to v1
  • kysely:
    • Wrong affected row count in updateMany & deleteMany – @jslno
  • magic-link:
    • Handle query params in errorCallbackUrl – @martinriviere
  • oidc:
    • Compatibility with exact-optional-property – @ping-maxwell
  • openapi:
    • Mark /get-session response as nullable – @GautamBytes
  • prisma:
    • Use findFirst instead of findMany for findOne – @Bekacru
  • saml:
    • Enforce trusted provider check – @Paola3stefania
  • sso:
    • Safely parse provider configs on registration – @Paola3stefania @Bekacru
  • username:
    • Await username validator – @jslno

v1.4.4

🚀 Features

  • cli: Better-auth-command – @Ridhim-RR
  • scim: Add support to parse custom scim+json media type – @jonathansamines

🐞 Bug Fixes

  • Customizing fields should be optional for rate limit options – @ceolinwill
  • Chunk account data cookie when exceeding limit – @jslno
  • Remove applying user-agent by default – @Bekacru
  • Additional fields default values should apply when creating session – @Bekacru
  • Return null early if userid isn't defined – @Bekacru
  • logger: Log level priority – @danielfinke
  • mcp: Return origin url as authorization server – @jslno
  • multi-session: Endpoints breaks with invalid signatures – @ping-maxwell
  • oidc-provider: Resolve getSignedCookie return type – @bytaesu

v1.4.3

🚀 Features

  • Add Vercel as OAuth provider – @anatrajkovska
  • Add support for trusted proxy headers in base URL inference – @Bekacru

🐞 Bug Fixes

  • Support @tanstack/solid-start in tanstackStartCookies plugin – @Bekacru
  • open-api: Clean up incorrect null type in OpenAPI – @bytaesu
  • two-factor: Remove incorrect blocking logic in OTP setup and verification – @isaacriehm

v1.4.2

🚀 Features

  • cli: Check /auth for auth.ts – @ping-maxwell
  • github: Add PKCE support for Github – @Shridhad
  • jwt: Allow custom jwks endpoint – @luist18

🐞 Bug Fixes

  • Support @tanstack/solid-start in tanstackStartCookies plugin – @jakst
  • SignIn/signUp API returns user additional field – @himself65
  • cli:
    • Kysely migration fails due to chaining addIndex and addColumn on the same alterTable builder – @ping-maxwell
    • Prevent duplicate index creation in Prisma schema generation – @rovertrack
  • client:
    • Get-session gets triggered twice on focus – @Bekacru
  • email-otp:
    • Sign-in email-otp bugs with capitalized emails – @ping-maxwell
  • oidc-provider:
    • Session shouldn't be required – @Bekacru
  • organization:
    • Have deleteOrganization use adapter.deleteMany instead of delete – @kefimoto