Session and account cache cookies near the browser's per-cookie size limit are now split into chunks instead of being silently dropped. Fixed headerless session checks, verification email errors not surfacing to clients, and TypeScript declaration build issues for auth client return types.
better-auth
Multiple issues related to concurrent requests have been fixed, preventing duplicate account deletions, multiple redemptions of one-time tokens and password reset tokens, and duplicate sign-ins for various providers. The release also improves rate limiting, JWT validation, and SCIM security.
An experimental oauthPopup plugin was added for popup-based OAuth sign-in, enabling sign-in inside cross-site iframes. Dozens of race conditions and replay vulnerabilities were fixed across various authentication flows, including email OTP, password resets, and API key verification, to ensure atomicity under concurrent requests.
Fixed SIWE verification to bind signed messages to server state before session creation, preventing acceptance of signatures for different messages or domains. Fixed PayPal ID token signature validation (RS256/HS256), Google hosted domain enforcement, and remote token introspection to reject missing or mismatching audience claims. Fixed session race conditions when cookie cache is enabled, /update-session to reject plugin-managed fields, /refresh-token to validate account cookie claims, and email sign-in to validate Origin and Referer headers. Also fixed admin plugin permission enforcement, generic OAuth account collision prevention, JWKS cache isolation, Reddit provider email collision, Facebook token validation, SAML replay prevention, SSO provider ID isolation, OIDC SSRF protection, API key concurrent update handling, Electron PKCE enforcement, and SCIM user provisioning deduplication.
Fixed the listSessions endpoint to properly enforce fresh-age session checks, and OAuth hooks to run correctly when authorization resumes after sign-in, account selection, or consent. Also fixed admin endpoints to return USER_NOT_FOUND instead of a generic 500 error, Kysely migration compatibility, passkey authenticator name resolution, and SAML validation clock skew handling.
Fixed Google One Tap authenticating the wrong user when the presented Google account was already linked to a different local user. Fixed getSessionCookie to prefer the __Secure- prefixed cookie over a non-secure leftover, preventing a stale cookie from shadowing the current session. Also fixed null values being rejected for optional database schema fields, redirect URI validation across runtimes, SAML Single Logout leaving users signed in, and organization invitation verification to restore the normal emailed-invitation flow.
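A worked example covering two of the cookie behaviours above: the chunking of oversized session and account cache cookies from the first entry, and getSessionCookie preferring the `__Secure-` prefixed cookie over a non-secure leftover from this entry. It is added here and is not better-auth's own code; the `<name>.<index>` chunk naming, the ATTRIBUTE_HEADROOM bound and the cookie name `better-auth.session_token` are illustrative assumptions.

```typescript
// Added example (not better-auth's own code). Two problems with session
// cookies handled together: values that exceed the per-cookie budget are split
// into chunks, and a stale unprefixed cookie must not shadow the current
// __Secure- prefixed one. The chunk naming "<name>.<i>", ATTRIBUTE_HEADROOM and
// the cookie name "better-auth.session_token" are assumptions for illustration.

// RFC 6265 guarantees at least 4096 bytes per cookie, measured over
// name + value + attributes, so the value budget must leave room for attributes.
const COOKIE_BYTE_LIMIT = 4096;
const ATTRIBUTE_HEADROOM = 200; // assumed upper bound for "; Path=/; HttpOnly; Secure; SameSite=Lax; Expires=..."
const ATTRIBUTES = "; Path=/; HttpOnly; Secure; SameSite=Lax";
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/; // RFC 6265 cookie-octet (ASCII, so .length is bytes)

interface CookiePair { name: string; value: string; }

// Split a value into "<name>.0", "<name>.1", ... when "<name>=<value>" plus attributes would not fit.
function splitCookie(name: string, value: string): CookiePair[] {
  if (!COOKIE_OCTETS.test(value)) throw new Error("cookie value contains non cookie-octet characters");
  if (name.length + 1 + value.length + ATTRIBUTE_HEADROOM <= COOKIE_BYTE_LIMIT) return [{ name, value }];
  // Reserve room for a two-digit index; a value needing 100+ chunks is a bug, not a cookie.
  const budget = COOKIE_BYTE_LIMIT - ATTRIBUTE_HEADROOM - `${name}.99`.length - 1;
  if (budget <= 0) throw new Error("cookie name leaves no room for a value");
  const chunks: CookiePair[] = [];
  for (let i = 0, off = 0; off < value.length; i++, off += budget) {
    if (i > 99) throw new Error("cookie value too large to chunk");
    chunks.push({ name: `${name}.${i}`, value: value.slice(off, off + budget) });
  }
  return chunks;
}

// Parse a request Cookie header, keeping every value per name: a browser sends
// duplicates when cookies with the same name differ in Path or Domain.
function parseCookieHeader(header: string): Map<string, string[]> {
  const jar = new Map<string, string[]>();
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    const list = jar.get(name) || [];
    list.push(part.slice(eq + 1).trim());
    jar.set(name, list);
  }
  return jar;
}

// Reassemble chunks for one name; fall back to the unchunked cookie if no chunks exist.
function joinChunks(jar: Map<string, string[]>, name: string): string | null {
  const chunks: string[] = [];
  for (let i = 0; ; i++) {
    const v = jar.get(`${name}.${i}`);
    if (!v) break;
    chunks.push(v[0]);
  }
  if (chunks.length > 0) return chunks.join("");
  const plain = jar.get(name);
  return plain ? plain[0] : null;
}

// Resolve the session cookie. A __Secure- prefixed cookie is only ever stored
// by the browser when set with the Secure attribute from an https origin, so
// when both names exist the prefixed one is the current session and the
// unprefixed one is a leftover that must not shadow it.
function getSessionCookie(cookieHeader: string, name = "better-auth.session_token"): string | null {
  const jar = parseCookieHeader(cookieHeader);
  const secure = joinChunks(jar, `__Secure-${name}`);
  return secure !== null ? secure : joinChunks(jar, name);
}

// Set-Cookie headers for a new value. Whatever form the client previously held
// (plain or chunked) and is not being rewritten now is expired, so no stale
// copy survives to shadow or corrupt the next read.
function setCookieHeaders(name: string, value: string, previous: Map<string, string[]>): string[] {
  const fresh = splitCookie(name, value);
  const keep = new Set(fresh.map((c) => c.name));
  const headers = fresh.map((c) => `${c.name}=${c.value}${ATTRIBUTES}`);
  previous.forEach((_, old) => {
    const isChunk = old.startsWith(`${name}.`) && /^\d+$/.test(old.slice(name.length + 1));
    if ((old === name || isChunk) && !keep.has(old)) headers.push(`${old}=; Max-Age=0${ATTRIBUTES}`);
  });
  return headers;
}
```

The writer side matters as much as the reader side: clearing the form that is no longer in use is what prevents a stale unchunked or `__Secure-`-less copy from being read on the next request.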
Fixed a high-severity XML injection vulnerability in signed SAML assertions and a stateStrategy defaulting bug that caused oversized-cookie errors on AWS Lambda. Also fixed Google One Tap authenticating the wrong user when the account was already linked, unauthorized dynamic OAuth client registration, SAML Single Logout leaving users signed in, and several account-linking and key-verification regressions across plugins.
Fixed a session cookie leak that allowed session_token and session_data cookies to be captured and replayed to bypass 2FA when cookie caching is enabled. Passkey challenges are now consumed atomically to prevent replay attacks. Also fixed organization invitations silently routing users to wrong teams when IDs contained commas, OAuth state validation failures, and email verification callbackURL encoding across multiple flows.
Fixed an invitation takeover vulnerability by enabling email verification on invitation by default and extending the verification gate to invitation retrieval and listing endpoints. Patched race conditions in magic-link, OAuth authorization-code, and refresh-token-rotation flows that could mint multiple sessions or tokens from single-use credentials, and fixed device authorization to bind pending codes to the verifying session. Also closed an SSRF vulnerability in SSO provider registration by validating OIDC endpoint URLs against a public-routable host allowlist.
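The race conditions listed in these entries (one-time tokens and password reset tokens, email OTP, passkey challenges, magic-link and authorization-code redemption) share one shape: a credential meant to be used once is read, validated, and only then deleted. The following added example, which is not better-auth's own code, models the interleaving a database can produce under concurrent requests and shows the consume-and-return fix. TokenStore stands in for a table; the two-phase handler and the schedules are a constructed model, and all names are illustrative.

```typescript
// Added example (not better-auth's own code). A single-use credential (magic-link
// token, password-reset token, OAuth authorization code, passkey challenge) is
// redeemed with two database statements, SELECT then DELETE; under concurrent
// requests the database can run every request's SELECT before any DELETE, and
// each request then mints its own session. The fix makes the check and the
// invalidation one statement. TokenStore is an in-memory stand-in for the
// table; the two-phase Handler and the schedules are a constructed model.

interface TokenRow { id: string; userId: string; expiresAt: number; }

class TokenStore {
  private rows = new Map<string, TokenRow>();
  insert(row: TokenRow): void { this.rows.set(row.id, row); }
  find(id: string): TokenRow | undefined { return this.rows.get(id); } // SELECT ... WHERE id = ?
  remove(id: string): void { this.rows.delete(id); }                    // DELETE ... WHERE id = ?
  // Check and invalidate in one step: the equivalent of
  // DELETE FROM token WHERE id = ? RETURNING *  (or UPDATE ... SET used = true
  // WHERE id = ? AND used = false). Only one caller ever gets the row back.
  consume(id: string): TokenRow | undefined {
    const row = this.rows.get(id);
    if (row) this.rows.delete(id);
    return row;
  }
}

// A request handler split at its database round-trips; phase2 reports whether a session was minted.
interface Handler { phase1(): void; phase2(): boolean; }

// Vulnerable: read, validate, then delete. The delete is unconditional and
// runs after every other concurrent reader has already seen the row.
function readThenDeleteRedeem(store: TokenStore, id: string, now: number): Handler {
  let row: TokenRow | undefined;
  return {
    phase1() { row = store.find(id); },
    phase2() {
      if (!row || row.expiresAt <= now) return false;
      store.remove(id);
      return true; // session minted for row.userId
    },
  };
}

// Fixed: the atomic consume is the only statement that decides. An expired
// token is consumed as well, which is harmless because it is rejected anyway.
function atomicRedeem(store: TokenStore, id: string, now: number): Handler {
  let row: TokenRow | undefined;
  return {
    phase1() { row = store.consume(id); },
    phase2() { return row !== undefined && row.expiresAt > now; },
  };
}

// Worst-case interleaving: all first statements, then all second statements.
function runInterleaved(handlers: Handler[]): number {
  handlers.forEach((h) => h.phase1());
  return handlers.filter((h) => h.phase2()).length;
}

// The schedule a sequential unit test exercises; it never triggers the bug.
function runSequential(handlers: Handler[]): number {
  let minted = 0;
  for (const h of handlers) { h.phase1(); if (h.phase2()) minted++; }
  return minted;
}

type Redeem = (store: TokenStore, id: string, now: number) => Handler;

// Count sessions minted when `requests` concurrent redemptions hit one fresh token.
function sessionsMinted(redeem: Redeem, requests: number, interleaved: boolean, expired = false): number {
  const store = new TokenStore();
  const now = 1700000000;
  store.insert({ id: "tok_1", userId: "user_1", expiresAt: expired ? now - 1 : now + 600 }); // constructed row
  const handlers: Handler[] = [];
  for (let i = 0; i < requests; i++) handlers.push(redeem(store, "tok_1", now));
  return interleaved ? runInterleaved(handlers) : runSequential(handlers);
}
```

The sequential schedule is why these bugs survive test suites: readThenDeleteRedeem mints exactly one session there and only fans out under the interleaved schedule, whereas atomicRedeem mints one session under both.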
Fixed OAuth callbacks accepting missing provider account IDs, which could link accounts under an undefined id, and duplicate Set-Cookie headers on social sign-in and magic-link redirects. Fixed bearer plugin writing duplicate cookie entries, useSession not revalidating after admin impersonation, and useActiveMemberRole retaining a previous user's role after sign-out. In @better-auth/stripe, subscription webhook callbacks now receive post-update rows instead of stale snapshots, and getCheckoutSessionParams no longer overrides internal fields or metadata. Plus fixes across passkey autofill, SAML metadata discovery, email casing, organization invitations, and CLI database config generation.
better-auth
Bug Fixes
- Fixed instrumentation resolution in the adapter factory so edge and browser environments correctly use the pure var...
better-auth
Bug Fixes
- Fixed `mapProfileToUser` fallback for OAuth providers that may omit email from their profile response ([#9331](http...
better-auth
Features
- Added support for an array of client IDs as the ID token audience in social providers ([#9292](https://github.com/be...
better-auth
Bug Fixes
- Fixed preservation of the `Partitioned` attribute when forwarding `Set-Cookie` headers ([#9235](https://github.com/...
better-auth
Bug Fixes
- Clarified recommended production usage for the test utils plugin ([#9119](https://github.com/better-auth/better...
better-auth
Bug Fixes
- Fixed `forceAllowId` UUIDs set in database hooks being ignored on PostgreSQL adapters when `advanced.database.gener...
better-auth
❗ Breaking Changes
- Prevented unverified TOTP enrollment from blocking sign-in ([#8711](https://github.com/better-auth/bet...
better-auth
Bug Fixes
- Fixed endpoint instrumentation to always use the route template ([#9023](https://github.com/better-auth/better-auth...