Session cache bypass fixed; OAuth state rejection hardened; 2FA lockout after 5 wrong codes
v1.6.21
better-auth
Bug Fixes
- Fixed rate limits to be enforced before plugin request handlers run (#10191)
- Fixed admin permission changes and bans to take effect immediately, even when session cookie cache is enabled (#10187)
- Fixed `deviceAuthorization()` throwing a `ZodError` when called without a `schema` option under Zod v4 (#9939)
- Fixed Google hosted-domain validation to apply consistently across all sign-in flows, including Google One Tap (#10197)
- Fixed OAuth proxy to reject profile callbacks that do not match an issued OAuth state, preventing session creation with stale state (#10183)
- Fixed OAuth sign-up and account linking to ignore provider profile values for fields marked `input: false` (#10196)
- Fixed PayPal sign-in to validate user info against the verified ID token subject (#10192)
- Fixed SIWE sign-in to reject emails that already belong to another account, preventing one email from being attached to two accounts (#10228)
- Fixed two-factor verification to lock out after five wrong codes for TOTP and backup codes, returning `TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE` (#10210)
- Fixed the username plugin to only store `displayUsername` fallbacks that pass username validation during email sign-up (#10182)
For detailed changes, see CHANGELOG
@better-auth/sso
Bug Fixes
- Fixed SSO provider deletion to also remove linked accounts, preventing reuse by a later provider with the same ID (#10224)
- Fixed SSO domain verification to require DNS proof for every domain listed on a provider (#10227)
- Fixed SAML single logout to reject IdP SLO POST URLs that use non-http(s) schemes such as `javascript:` or `data:` (#10225)
- Fixed SAML SSO to reject responses whose audience, recipient, or destination does not match the configured Service Provider (#10226)
For detailed changes, see CHANGELOG
@better-auth/api-key
Bug Fixes
- Fixed client IP resolution to prevent `X-Forwarded-For` spoofing in multi-hop proxy chains (#10203)
- Refactored request IP resolution into a centralized core resolver (#10216)
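The multi-hop `X-Forwarded-For` item above, as an added illustration that is not better-auth's own resolver: it assumes a configured set of trusted proxy addresses, walks the chain from the right so that only hops appended by our own proxies are believed, and contrasts that with the spoofable leftmost-value shortcut.

```typescript
// Added example (not better-auth code). The leftmost X-Forwarded-For value is
// written by whoever opened the connection, so it is attacker-controlled; only
// the hops appended by proxies we operate can be trusted.

// Hypothetical helper: trustedProxies holds the addresses of our own proxies.
function resolveClientIp(
  xff: string | null,
  remoteAddr: string,
  trustedProxies: Set<string>,
): string {
  // If the TCP peer is not one of our proxies, the header is untrusted input.
  if (!trustedProxies.has(remoteAddr)) return remoteAddr;

  const hops = (xff ?? "")
    .split(",")
    .map((h) => h.trim())
    .filter((h) => h.length > 0);

  // Walk right-to-left: each trusted proxy appended its own peer, so the first
  // non-trusted hop from the right is the client as seen by our edge proxy.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  // Every listed hop was one of our proxies (or the header was empty):
  // fall back to the peer address rather than trusting an absent value.
  return remoteAddr;
}

// The spoofable shortcut: take whatever the first value says.
function naiveLeftmost(xff: string): string {
  return xff.split(",")[0].trim();
}

// Constructed sample: client 203.0.113.7 sends a forged header claiming
// 1.2.3.4, then passes through our edge proxy 10.0.0.1 and internal proxy
// 10.0.0.2, each of which appends its own peer address.
const TRUSTED_PROXIES = new Set(["10.0.0.1", "10.0.0.2"]);
const FORGED_CHAIN = "1.2.3.4, 203.0.113.7, 10.0.0.1";

// Trusted-hop walk yields 203.0.113.7; the naive read yields the forged 1.2.3.4.
console.log(resolveClientIp(FORGED_CHAIN, "10.0.0.2", TRUSTED_PROXIES));
console.log(naiveLeftmost(FORGED_CHAIN));
```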
For detailed changes, see CHANGELOG
auth
Bug Fixes
- Fixed `disableMigration: true` to be respected on plugin schema tables during generation and runtime migration (#10198)
- Fixed the CLI to generate `BETTER_AUTH_SECRET` values with 32 characters instead of 16 (#10186)
For detailed changes, see CHANGELOG
@better-auth/kysely-adapter
Bug Fixes
- Fixed `adapter.update` to return `null` when no matching row is found (#10180)
For detailed changes, see CHANGELOG
@better-auth/stripe
Bug Fixes
- Fixed organization subscription actions (cancel, upgrade, restore, and the billing portal) that could act on the wrong organization.
For detailed changes, see CHANGELOG
Contributors
Thanks to everyone who contributed to this release:
@Bekacru, @benpsnyder, @bytaesu, @gustavovalverde, @moonevm, @Paola3stefania, @ping-maxwell, @rachit367
Full changelog: v1.6.20...v1.6.21