All of the changes made will be available here.

Better Auth is a comprehensive authentication library for TypeScript that provides a wide range of features to make authentication easier and more secure.



v1.3.27

🐞 Bug Fixes

  • Session update database hook should expect partial session type – @Bekacru
  • Deprecate options.advanced.generateId type – @himself65
  • Api keys should properly check if a request is from client or server – @Bekacru
  • Improve username transformation logic – @ping-maxwell
  • api-key:
    • Shouldn't issue api key a mock session by default – @Bekacru
  • organization:
    • Prevent empty name and slug in create/update – @kira-1011
  • sso:
    • OIDC scopes should fallback to provider scopes – @Bekacru
    • Add deprecated flag to the old sso plugin export – @Bekacru
  • stripe:
    • Throw error if event failed to be constructed – @Bekacru
  • telemetry:
    • Avoid async import if telemetry disabled, fix for esbuild – @erquhart
  • url:
    • Handle empty and root path in withPath, prevent double slashes, add tests – @surafel58

v1.3.26

🐞 Bug Fixes

  • [security] api keys should properly check if a request is from client or server – @Bekacru
  • api-key: Shouldn't issue api key a mock session by default – @Bekacru

v1.3.25

🚀 Features

  • Additional fields on account – @dvanmali
  • Add support for custom callback for token url – @acusti
  • captcha: Add support for CaptchaFox – @tgrassl
  • cli: Add mcp client configs from cli – @Kinfe123 @himself65

🐞 Bug Fixes

  • Support compressed ipv6 format – @Velka-DEV
  • Add required constraint to slug field in org plugin – @bytaesu
  • Use consistent messaging on requestPasswordReset – @Eazash
  • Cookie size limit shouldn't throw error – @Bekacru @himself65
  • Handle symbols in proxy get trap to prevent TypeError – @zbeyens @himself65
  • Ttl for rate limited secondary storage – @dvanmali
  • adapter:
    • Use updated field values in WHERE clause during update – @QuintenStr @ping-maxwell
    • Foreign keys that are nullable on number ids can return string of null – @ping-maxwell
  • api-key:
    • Correct refill interval time calculation – @Pankaj3112 @himself65
  • client:
    • Add lynx client exports – @JagritGumber
  • device-authorization:
    • Fix client error type for deny device – @3ddelano
  • last-login-method:
    • Custom resolver method default logic – @ThibautCuchet
  • oauth-proxy:
    • Should skip state check for oauth proxy – @Bekacru
  • oidc:
    • Properly enforce consent requirements per OIDC spec – @himself65
  • org:
    • Update type to include undefined – @himself65
  • sso:
    • Safe json parsing for saml/oidc configs – @natetewelde @himself65
    • Prevent duplicate SSO provider creation with same providerId – @xiaoyu2er
  • stripe:
    • Update with an existing subscription – @himself65
    • Sync customer email on db change – @himself65
    • getCustomerCreateParams not actually being called – @ebalo55 @himself65

🏎 Performance

  • Lazy load create telemetry – @himself65

v1.3.24

🚀 Features

  • Add support for custom callback for authorization url – @Bekacru

🐞 Bug Fixes

  • Refresh secondary storage sessions on user update – @frectonz
  • cli: Timestamp in schema for Drizzle with SQLite – @zy1p
  • db: onDelete is ignored – @himself65
  • deps: Update dependency @nanostores/react to v1

🏎 Performance

  • Improve type Auth – @himself65

v1.3.19

🐞 Bug Fixes

  • getSession shouldn't expose options and path types – @Bekacru

v1.3.18

🐞 Bug Fixes

  • Ttl sessions list expiration – @dvanmali
  • Tests failing due to clock drift – @dvanmali
  • Moved email verification check after password check – @QuintenStr
  • cli: DefaultNow is deprecated in schema for Drizzle with SQLite – @himself65
  • custom-session: Don't overwrite the Set-Cookie header – @frectonz
  • email-otp: Call reset password callback – @HoshangDEV

v1.3.17

🚀 Features

  • sso: Provide default service provider metadata – @dvanmali

🐞 Bug Fixes

  • nuxt: Avoid load env base url for SSR – @himself65

v1.3.16

No significant changes


v1.3.15

🐞 Bug Fixes

  • types: Include null in getSession return type – @jcajuab

v1.3.14

🚀 Features

  • passkey: Allow multiple passkey origins – @kevcube
  • sso: DefaultSSO options and ACS endpoint – @Kinfe123

🐞 Bug Fixes

  • Wrap Math.floor around the division when calculating TTL – @DevDuki @himself65
  • api-key:
    • Calling client on server side – @himself65
  • mcp:
    • Missing Content-Type header for mcp DCR – @Berndwl
  • organization:
    • Pass ctx to DB hooks – @ping-maxwell
    • Allow passing id through beforeCreateOrganization – @ping-maxwell
  • username:
    • Username should respect send on sign config – @QuintenStr

v1.3.13

🚀 Features

  • Add returnHeaders to getSession – @frectonz
  • last-login-method: Update OAuth login method tracking for multiple auth type – @Kinfe123

🐞 Bug Fixes

  • client: BaseURL is undefined for SSR – @himself65
  • organization: Remove autoCreateOnSignUp option as it's not implemented yet – @Bekacru
  • passkey: Remove email from query – @himself65

v1.3.12

🚀 Features

  • discord: Allow specification of permissions – @TheUntraceable @Bekacru
  • email-otp: Allow returning undefined in generateOTP – @ping-maxwell

🐞 Bug Fixes

  • Device authorization plugin – @bytaesu
  • Reduce any type in generator.ts – @himself65
  • Refresh secondary storage sessions on user update – @frectonz
  • Allow disable database transaction – @himself65
  • adapter:
    • Returning null as string for optional id references – @jslno
  • api-key:
    • Cascade api keys on user deletion – @ping-maxwell
  • create-adapter:
    • Disable transaction by default – @ping-maxwell
  • organization:
    • Decouple client and server permission checks – @Bekacru
    • Membership check for organizations with large member counts – @Badbird5907 @himself65
  • stripe:
    • OnCustomerCreate should be called even if update user isn't returned – @Bekacru

v1.3.11

🚀 Features

  • Flip emailVerified when link the account – @himself65

🐞 Bug Fixes

  • Check if user exists before banning the user – @anmol-fzr @himself65
  • Timestamp issues in kysely – @frectonz @himself65
  • Respect errorCallbackURL in failed oauth flows – @frectonz
  • plugins: Asynchronous init – @LightTab2 @himself65

v1.3.10

   Maintenance update: We fixed lots of issues from the community. Thanks to everyone for contributing to better-auth.

🚀 Features

  • Add getActiveRoleMember – @fathisiddiqi @Kinfe123 @himself65
  • Database transaction support – @himself65
  • logger: Option to disable colors – @martiinii @himself65
  • passkey: Error codes in passkey client – @frectonz @Kinfe123 @Bekacru
  • sqlite: Remove autoincrement for SQLite – @pspeter3

🐞 Bug Fixes

  • Ignore cookiecache on auth sensitive functions – @Kinfe123
  • Custom field for refreshTokenExpiresAt – @himself65
  • Return local IP in development mode – @DiiiaZoTe @himself65
  • Make cookie cache respect dontRememberMe mode – @frectonz
  • Normalize zod imports – @gabrielmar
  • Check endpoint conflicts respect method – @himself65
  • Respect username validator – @azaek @himself65
  • Set clientId in ProviderOptions to unknown by default – @himself65
  • Pick the first clientId for oauth provider – @himself65
  • Remove use of global.crypto – @himself65
  • Should infer types correctly when empty list of plugins is provided – @frectonz
  • Correct MongoDB adapter import path in CLI – @aajeeth-m
  • Make sure fetch function doesn't get called repeatedly on onMount – @frectonz
  • Prevent lastLoginMethod plugin from setting cookie on failed auth – @Kinfe123
  • admin:
    • Change the order of role and user id check when both are provided on userHasPermission – @Bekacru
  • anonymous:
    • Prevent false positive error on first anonymous sign-in – @ajanraj @himself65
  • cli:
    • info shows the correct version – @himself65
    • Add missing JSON type to schema generation – @TheGB0077 @Kinfe123
  • demo:
    • Update forgot password link to /forget-password – @GivenBY
  • docs:
    • Remove duplicated RFC compliance mention – @TheUntraceable
  • expo:
    • window.crypto is undefined – @himself65
    • Missing peer deps – @himself65
  • lastLoginMethod:
    • Inherit cross-subdomain cookie settings in lastLoginMethod plugin – @lumpinif
  • memory-adapter:
    • Should respect where connector – @jslno
  • multi-session:
    • Multi-session cookie name preface preventing multiple accounts signed in – @PacifismPostMortem
  • one-time-token:
    • Typo and clean – @gabrielmar
  • organization:
    • checkRolePermission shouldn't be a promise – @ping-maxwell
    • Member and team hooks should apply on create organization – @Bekacru
    • Before org create hooks not applying customized data – @Bekacru
    • [security] updateOrgRole should check for userId properly – @Bekacru
    • Restrict role check by user id – @himself65
  • prisma:
    • Handle optional field relation types correctly – @LiYulin-s
  • stripe:
    • Properly resolve plans by lookup keys – @AlexProgrammerDE
    • Subscription is created without completing payment – @himself65
    • Prevent multiple free trials for same user – @RikhiSingh
    • Use correct request method for billing-portal – @danielepintore
  • tiktok:
    • Remove client_secret from authorizationUrl – @arslan2012
  • username:
    • Add missing normalization – @bortoz @himself65
    • Sign in should work with post normalization – @Bekacru @himself65
  • vue:
    • Correct baseURL – @himself65