Better Auth
v1.6.13 and v1.7.0-beta.4 shipped on the same day, bringing server-side account info calls and a run of OAuth and session correctness fixes.
Server-side account info without session headers — accountInfo now accepts an optional userId parameter, letting trusted server callers read provider profiles directly. [1] Available in both the stable v1.6.13 and the v1.7.0-beta.4 prerelease.
OAuth and session correctness across the stable line — fixes across v1.6.10 through v1.6.13 addressed:
- Google One Tap authenticating the wrong user when the presented account was already linked to a different local user [2]
- storeStateStrategy defaulting to "cookie" instead of "database" when only secondaryStorage is configured, causing oversized-cookie errors on AWS Lambda [3]
- Duplicate Set-Cookie headers on social sign-in redirects
- Session cookie refresh headers not being forwarded when resolving sessions
- callbackURL encoding in verify-email and OAuth account-linking links
Security fixes in v1.6.11 — device authorization now binds pending codes to the verifying session, so an authenticated user can no longer approve another user's device code. [4] A race condition in the magic-link plugin that let concurrent requests mint multiple sessions from a single-use token was closed. [5]
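To make the two bug classes concrete, here is an added example that is not Better Auth's code: a check-then-act race on a single-use token, demonstrated by racing two redemptions under asyncio, and a device-authorization code that is only approvable by the session that verified it. The in-memory stores, the token and code values, and every function name are constructed for the illustration.

```python
"""Added example (not Better Auth's code) of the two v1.6.11 fix classes:
a check-then-act race on a single-use magic-link token, and binding a pending
device code to the session that verifies it. Names and stores are constructed."""
from __future__ import annotations

import asyncio
from dataclasses import dataclass
from typing import Awaitable, Callable


@dataclass
class MagicLinkToken:
    user_id: str
    used: bool = False


tokens: dict[str, MagicLinkToken] = {}   # constructed stand-in for the database
sessions_issued: list[str] = []


async def consume_naive(token_id: str) -> str | None:
    """Check, suspend, then mark used: two concurrent requests can both pass
    the check and each mint a session from the same token."""
    record = tokens.get(token_id)
    if record is None or record.used:
        return None
    await asyncio.sleep(0)               # simulated DB round trip before the update
    record.used = True
    session = f"session:{record.user_id}:{len(sessions_issued) + 1}"
    sessions_issued.append(session)
    return session


async def consume_atomic(token_id: str) -> str | None:
    """Remove the token in the same step that reads it. With no suspension point
    between check and act only one caller can win; a SQL store would do the same
    with a conditional UPDATE ... WHERE used = false and check the row count."""
    record = tokens.pop(token_id, None)
    if record is None:
        return None
    await asyncio.sleep(0)
    session = f"session:{record.user_id}:{len(sessions_issued) + 1}"
    sessions_issued.append(session)
    return session


def run_race(consume: Callable[[str], Awaitable[str | None]]) -> int:
    """Fire two concurrent redemptions of one token; return how many sessions were minted."""
    tokens.clear()
    sessions_issued.clear()
    tokens["tok-1"] = MagicLinkToken(user_id="alice")   # constructed token

    async def race() -> list[str | None]:
        return list(await asyncio.gather(consume("tok-1"), consume("tok-1")))

    return sum(1 for s in asyncio.run(race()) if s is not None)


@dataclass
class PendingDeviceCode:
    device_code: str
    verifying_session: str | None = None   # session that entered the user code
    approved_user: str | None = None


pending: dict[str, PendingDeviceCode] = {}


def begin_verification(user_code: str, session_id: str) -> bool:
    """Bind the pending code to the first session that presents it."""
    record = pending.get(user_code)
    if record is None or record.verifying_session is not None:
        return False
    record.verifying_session = session_id
    return True


def approve_device_code(user_code: str, session_id: str, user_id: str) -> bool:
    """Only the session that verified the code may approve it; any other
    authenticated session is refused."""
    record = pending.get(user_code)
    if record is None or record.verifying_session != session_id:
        return False
    record.approved_user = user_id
    return True


def approval_demo() -> tuple[bool, bool]:
    """Returns (other session's attempt, verifying session's attempt)."""
    pending.clear()
    pending["WDJB-MJHT"] = PendingDeviceCode(device_code="dc-1")   # constructed code
    begin_verification("WDJB-MJHT", session_id="sess-alice")
    other = approve_device_code("WDJB-MJHT", "sess-bob", "bob")
    owner = approve_device_code("WDJB-MJHT", "sess-alice", "alice")
    return other, owner


if __name__ == "__main__":
    print("naive consume, sessions minted:", run_race(consume_naive))
    print("atomic consume, sessions minted:", run_race(consume_atomic))
    print("device code approvals (other, owner):", approval_demo())
```

The race is deterministic under asyncio's cooperative scheduling, which makes the point visible without threads: the naive version mints two sessions, the atomic version one. In a real deployment the equivalent of `dict.pop` is a single conditional write on the token row, not a read followed by a separate write.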
Role and access-control corrections — role.authorize was fixed to reject empty action lists and correctly evaluate OR conditions on unknown resources. [6] Organization invitation roles now accept dynamic access-control values. TypeScript types for predefined organization roles were corrected to expose only their configured permissions.
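An added sketch of what a fail-closed role check looks like; this is not Better Auth's role.authorize, and the statement and request shapes, the connector names and the sample role are assumptions made for the illustration. It shows the two corrected behaviours: an empty action list is denied, and under an OR connector an unknown resource is just a false operand rather than something that breaks the evaluation.

```python
"""Added illustration of a fail-closed role check (not Better Auth's code).
Statement/request shapes, connector names and the sample role are assumed."""
from typing import Literal

Connector = Literal["AND", "OR"]

# Constructed role: actions a "member" may perform per resource.
MEMBER_STATEMENTS: dict[str, list[str]] = {
    "project": ["read", "update"],
    "invitation": ["create"],
}


def authorize(
    statements: dict[str, list[str]],
    request: dict[str, list[str]],
    connector: Connector = "AND",
) -> bool:
    """Evaluate a request of {resource: [actions]} against a role's statements.

    Fail closed: an empty request or an empty action list is denied outright.
    An unknown resource evaluates to False for that operand, so it fails an AND
    but does not prevent another resource from satisfying an OR.
    """
    if not request:
        return False
    per_resource: list[bool] = []
    for resource, actions in request.items():
        if not actions:
            return False                          # nothing concrete requested: deny
        allowed = statements.get(resource)        # None for an unknown resource
        per_resource.append(
            allowed is not None and all(action in allowed for action in actions)
        )
    return all(per_resource) if connector == "AND" else any(per_resource)


if __name__ == "__main__":
    print(authorize(MEMBER_STATEMENTS, {"project": []}))                                # False
    print(authorize(MEMBER_STATEMENTS, {"billing": ["read"], "project": ["read"]}, "OR"))   # True
```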
Beta.3 and beta.4 additions — hydrateSession seeds the client with a server-fetched session so useSession returns data on first render. [7] An immutable username option locks a username after it is first set. The Auth instance is now directly fetchable. [8]