All of the changes made will be available here.

Apr 13, 2025

v1.2.7

Apr 13, 2025

🚀 Features

---

• Error code support for haveibeenpwned –
• plugin: Error code support for haveibeenpwned plugin –

🐞 Bug Fixes

---

• Added c.authentication to refresh token –
• Authentication type missing on refershToken options –
• Prevent a user from created on haveibeenpwned –
• adapter:
  • Improve field lookup logic in createAdapter  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2245 <samp>(53c71)</samp>
• cli:
  • Schema gen with Drizzle for PG to generate text instead of uuid  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2248 <samp>(c6eb1)</samp>
• drizzle-adapter:
  • Correct count retrieval in the update function  -  by @okxiaoliang4 in https://github.com/better-auth/better-auth/issues/2244 <samp>(f5b86)</samp>
• haveIBeenPwned:
  • Add proper error code  -  by @JE4GLE in https://github.com/better-auth/better-auth/issues/2255 <samp>(adecf)</samp>
• organization:
  • Checking if User is intended recipient of Invite is casesensetive  -  by @SNRSE in https://github.com/better-auth/better-auth/issues/2251 <samp>(5689d)</samp>
• plugin:
  • Prevent user from being created on compromised password  -  by @Kinfe123 <samp>(e777b)</samp>
• stripe:
  • Force post method for subscription restore  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2259 <samp>(ffde0)</samp>
  • Adding ability to restore cancelled trialing subscriptions  -  by @Konixy in https://github.com/better-auth/better-auth/issues/2262 <samp>(d341f)</samp>

    View changes on GitHub

Apr 12, 2025

v1.2.6

Apr 12, 2025

🚀 Features

---

• MapProfileToUser in vk social-provider –
• One-time token plugin –
• createAdapter and useNumberId –
• Support user data mapping in id token social sign-in –
• Update hover style for light mode in community page –
• Zoom social provider –
• (captcha plugin) adding support for Google ReCAPTCHA v3 and hCaptcha –
• Openapi spec update –
• Have-i-been-pwned plugin –
• Support custom issuer totp –
• Delete token expiry configuration –
• Add option to disable session refresh on use –
• admin:
  • Add support for passing multiple roles as array  -  by @Netrifier in https://github.com/better-auth/better-auth/issues/1907 <samp>(df727)</samp>
• email-otp:
  • Support attempt numbers for email-otp  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2146 <samp>(880a5)</samp>
• facebook:
  • Add support for business login using config ids  -  by @arlyon in https://github.com/better-auth/better-auth/issues/1990 <samp>(6b22e)</samp>
• generic-oauth:
  • Added field discoveryHeaders to GenericOAuthConfig  -  by @RyanWSweeney in https://github.com/better-auth/better-auth/issues/2205 <samp>(c6d59)</samp>
• jwt:
  • Add sub claim and getSubject  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2194 <samp>(04937)</samp>
• oauth2:
  • Override user info on provider sign-in  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2148 <samp>(f9b96)</samp>
• organization:
  • Add invitation limit  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2014 <samp>(81e45)</samp>
  • Support multiple permissions check  -  by @rxri in https://github.com/better-auth/better-auth/issues/2227 <samp>(cb900)</samp>
• phone-number:
  • Add attempts check  -  by @Bekacru <samp>(1369d)</samp>
  • Add number of attempts configuration  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2046 <samp>(5591e)</samp>
  • Add phone number verification requirement before sign-in  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/1984 <samp>(e24a6)</samp>
• provider:
  • Twitter email support  -  by @Kinfe123 in https://github.com/better-auth/better-auth/issues/2176 <samp>(48efd)</samp>
• react-start:
  • Add react-start integration for cookie handling  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2119 <samp>(06ddd)</samp>
• socialLink:
  • Add support for custom scopes in social account linking  -  by @leoleducq in https://github.com/better-auth/better-auth/issues/2074 <samp>(c14f1)</samp>
• stripe:
  • Restore subscription  -  by @JNLei in https://github.com/better-auth/better-auth/issues/1705 <samp>(82633)</samp>
• two-factor:
  • Refactor two-factor authentication with better error handling, configurable otp limits and verification  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2234 <samp>(de91c)</samp>
• username:
  • Export the correct error codes for the plugin  -  by @Bekacru <samp>(e09ce)</samp>

🐞 Bug Fixes

---

• Import orders and alias to avoid conflict in ac code examples –
• Fallback to checking main db on session retrieval when storeSessionInDatabase is enabled –
• Export oAuth types –
• Og image compat –
• Og image compatibility on multiple link previews –
• Tooltip arrow –
• Tooltip arrow pointer –
• Forget password flow failing because of id conversion –
• Dep issue –
• Deployment compat issue –
• Verify github email when profile has an email –
• Docs syntax spacing –
• GenericOAuth default redirectURI for account linking –
• Missing disableRefresh type in server side getSession –
• Redirect to defaultErrorURL if errorURL doens't exist –
• Plugin middleware docs –
• Improve header value retrieval for IP address extraction –
• Prisma client docs –
• Community page interaction –
• Community page interaction –
• Hover style for light mode in community page –
• IpAddress and userAgent missing on server authentication –
• Missing export one time token plugin –
• Delete from session table when stopImpersonate called –
• Filter out fields with returned: false from session cookie cache –
• Rethrow error from db hooks if it is APIError instances –
• admin:
  • Pass where clause to adapter.count to fix total value on listUser  -  by @Netrifier in https://github.com/better-auth/better-auth/issues/2109 <samp>(38128)</samp>
  • DefaultRoles, adminRoles + others not applying user config  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2128 <samp>(4dcb9)</samp>
  • 'dontRememberMe' cookie handling during impersonation  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2236 <samp>(2249f)</samp>
• api-key:
  • Return value of permissions should be object, not string  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1757 <samp>(f633d)</samp>
  • Update rateLimitEnabled default to consider options  -  by @ismael-iskauskas in https://github.com/better-auth/better-auth/issues/1887 <samp>(b2def)</samp>
• apple:
  • Update responseType to include code and id_token  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2091 <samp>(c0f15)</samp>
• custom-session:
  • Custom session failing to set cookies  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/2124 <samp>(61dc4)</samp>
• generic-oauth:
  • Should check for email after mapProfileToUser  -  by @Bekacru <samp>(0b5c1)</samp>
• oauth:
  • Encode clientId and clientSecret in authorization header  -  by @xinyao27 in https://github.com/better-auth/better-auth/issues/2120 <samp>(ffa24)</samp>
• oauth-proxy:
  • Extend callback and sign-in path matchers to include /oauth2/callback and /sign-in/oauth2  -  by @Bekacru <samp>(7987d)</samp>
• oidc-provider:
  • Add cookie options for path and sameSite in authorize  -  by @Bekacru <samp>(dbe66)</samp>
• open-api:
  • Hide disabled paths  -  by @CrutchTheClutch in https://github.com/better-auth/better-auth/issues/2144 <samp>(f257f)</samp>
• organization:
  • Update default invitation expiration time to use seconds  -  by @Bekacru <samp>(834e3)</samp>
  • Fix conditional teamId inference  -  by @Netrifier in https://github.com/better-auth/better-auth/issues/2133 <samp>(a6860)</samp>
  • UpdateMemberRole failing if issuer has multiple roles  -  by @dustin-we in https://github.com/better-auth/better-auth/issues/2104 <samp>(72631)</samp>
• stripe:
  • Allow customizing subscription schema  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2105 <samp>(10893)</samp>
  • Throw err if passed referenceId when no subscription authorizeReference` is defined  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2129 <samp>(9efcd)</samp>
  • Update referenceId in checkout session to use client_reference_id instead of metadata  -  by @Bekacru <samp>(08130)</samp>
• two-factor:
  • 2fa error codes failing to infer  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2102 <samp>(f7199)</samp>

    View changes on GitHub

Mar 26, 2025

v1.2.5

Mar 26, 2025

🚀 Features

---

• Add onEmailVerification callback –
• Disabled paths –
• Refresh token endpoint –
• account: Add option to allow unlinking all accounts –
• admin: Allow creating users without admin session on server api –
• oidc: Allow passing additional user claims –

🐞 Bug Fixes

---

• Allow plus signs in relative callback URLs –
• Multiple issues with openapi types and references –
• Typescript cannot be named without reference error –
• Get session cookie helper should use better url retrieval and read config overrides –
• Get session cookie should check for both secure and non secure cookies –
• Access of undefined in runtime that does have great support of instanceof –
• Use instead of relying on instanceOf for incoming request type checks –
• Double matcher on username plugin –
• Trigger session refetch on verify email –
• Support numeric user IDs –
• UnlinkAccount should support optional accountId –
• Respect disable signup on social providers –
• Only delete verification token on password reset after succesful db query –
• Additional fields type inference breaking on default value –
• admin:
  • Remove undefined type from list-users openapi documentation  -  by @Ehesp in https://github.com/better-auth/better-auth/issues/1845 <samp>(a2748)</samp>
• api-key:
  • Delete keys on client should use POST method instead  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1858 <samp>(cd828)</samp>
• cli:
  • Invalid prisma init config  -  by @pnodet in https://github.com/better-auth/better-auth/issues/1964 <samp>(43ab2)</samp>
• expo:
  • Better fetch type mismatch causing type error on expo client plugin  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/1825 <samp>(54bdb)</samp>
• generic-oauth:
  • Added basic auth param in oAuth2Callback  -  by @beermonsterdota in https://github.com/better-auth/better-auth/issues/1810 <samp>(765dd)</samp>
• oauth:
  • Support passing prompt, access_type, type_hint and additional params when constructing authorization URL  -  by @waleedlatif1 in https://github.com/better-auth/better-auth/issues/1888 <samp>(3d36a)</samp>
• organization:
  • Trigger session refetch on set-active  -  by @Bekacru <samp>(d7890)</samp>
  • Client infer for Member is using incorrect type  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1857 <samp>(cc688)</samp>
  • Membership limit incorrect usage breaks list organizations  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/1961 <samp>(ae78d)</samp>
• rate-limiter:
  • Handle missing IP address in rate limit function  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/1959 <samp>(4a310)</samp>
  • Custom rate limiing table name breaking db query  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/1960 <samp>(09830)</samp>
• stripe:
  • Allow plan retrieval by annual discount price ID  -  by @Lionvsx in https://github.com/better-auth/better-auth/issues/1941 <samp>(3c60c)</samp>
• username:
  • Update validator to allow dots in usernames  -  by @Bekacru <samp>(7ea59)</samp>
• web:
  • Project metadata  -  by @Kinfe123 <samp>(b1f3a)</samp>

    View changes on GitHub

Mar 13, 2025

v1.2.4

Mar 13, 2025

🚀 Features

---

• Support promise return trusted origins –
• Support reverse proxied base URLs –
• Add Kick social provider –
• account: Multiple account with the same provider –
• admin: Custom banned user error message –
• generic-oauth: Allow basic auth –
• oidc-provider: Implement OIDC rfc7591 compliant /register endpoint –
• organization: Allow passing teamId in addMember –

🐞 Bug Fixes

---

• Update session cookie after in place email change –
• Lowercase email in change email process, find as it is –
• Should consitently use defaultErrorURL for fallback error redirections –
• Use account ID instead of compound key for account unlinking –
• Accept secure cookie flag on getSessionCookie helper –
• Remove otp code from the response of send phone number otp –
• Use subscription Id to fetch the current active subscription from stripe –
• On change email request for unverified emails should use the newEmail on verification token payload –
• admin:
  • Fetch session on has permission checks  -  by @Bekacru <samp>(e4f15)</samp>
  • Only evaluate permissions for access control  -  by @Bekacru <samp>(388dd)</samp>
• api-key:
  • Creating API keys metadata always returns null  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1698 <samp>(0ffbb)</samp>
  • Results of verify endpoint's metadata isn't parsed  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1719 <samp>(e4aa6)</samp>
• drizzle-adapter:
  • Add lt and lte query operators  -  by @Bekacru <samp>(c71ca)</samp>
• jwt:
  • Use context.secret instead of relying on user passed secret to not fail on build  -  by @Bekacru <samp>(ea81d)</samp>
  • Improve private key decryption error handling  -  by @Bekacru <samp>(4d5bc)</samp>
• multi-session:
  • Return only unique user sessions  -  by @Bekacru <samp>(97a4c)</samp>
  • Use small cased cookie name inside revoke endpoint  -  by @ahmed-m-abbass in https://github.com/better-auth/better-auth/issues/1783 <samp>(284d4)</samp>
• oauth:
  • Remove state value on expiry  -  by @Bekacru <samp>(45dab)</samp>
• organization:
  • Remove unused schema type and make team creator optional  -  by @Bekacru <samp>(c5c5b)</samp>
  • Custom permissions access control type inference breaking on the client  -  by @Bekacru <samp>(c051c)</samp>
  • Use membership limit to fetch members user data  -  by @Bekacru <samp>(535c9)</samp>
  • Properly throw error on update organization  -  by @Bekacru <samp>(e9993)</samp>
  • Check permission types and support multiple permission on hasPermissions checks  -  by @Bekacru <samp>(59765)</samp>
  • Multiple role array not referenced properly  -  by @Netrifier in https://github.com/better-auth/better-auth/issues/1792 <samp>(3af31)</samp>
• phone-number:
  • Prevent duplicate phone number update  -  by @Bekacru <samp>(f7edb)</samp>
• rate-limiter:
  • Use better path extraction for rate limiting  -  by @Bekacru <samp>(b6e17)</samp>
• roblox:
  • MapProfileToUser should run before returning user info  -  by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1706 <samp>(5c94c)</samp>
• stripe:
  • Convert subscription period timestamps to Date objects  -  by @Bekacru <samp>(0d6b4)</samp>
  • Webhook constructor should use async version  -  by @BlueLightStudio in https://github.com/better-auth/better-auth/issues/1664 <samp>(46dcd)</samp>
  • Add origin check on success callback  -  by @Bekacru <samp>(d3d10)</samp>
  • Inconsistent referenceId usage  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/1736 <samp>(0ce3f)</samp>
  • Call onCustomerCreate callback handle error logging  -  by @Bekacru <samp>(21fea)</samp>
  • Rely on subscription Id instead of reference ID for subscriptions  -  by @Bekacru in https://github.com/better-auth/better-auth/issues/1789 <samp>(35fe9)</samp>
• two-factor:
  • Custom user options should be passed to backup code generator  -  by @Wundero in https://github.com/better-auth/better-auth/issues/1688 <samp>(88bab)</samp>
• types:
  • Passing body breaking fetchOptions throw:true inference  -  by @Bekacru <samp>(3ae3c)</samp>

    View changes on GitHub