
chore(deps): update better-auth monorepo to v1.6.19 #1847

Open
renovate[bot] wants to merge 1 commit into dev from renovate/better-auth-monorepo

chore(deps): update better-auth monorepo to v1.6.19#1847
renovate[bot] wants to merge 1 commit into
devfrom
renovate/better-auth-monorepo

Conversation

renovate[bot] (Contributor) commented Jun 1, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package: better-auth (source)
Change: 1.6.11 -> 1.6.19

Release Notes

better-auth/better-auth (better-auth)

v1.6.19

Compare Source

Patch Changes
  • #​10088 de4aa52 Thanks @​bytaesu! - Session and account cache cookies near the browser's per-cookie size limit (for example with a long cookiePrefix or many cached fields) are now split into chunks instead of being silently dropped by the browser. A cache too large to fit even when chunked is skipped with a warning rather than failing the request, so reads fall back to the database.

  • #​9995 b4b0266 Thanks @​ElGauchooooo! - The device authorization plugin now accepts an optional user_id when issuing a device code via /device/code, pre-binding the code to that user. Only the bound user can approve or deny the code, so a publicly visible user code can no longer be claimed by someone else.

  • #​10086 5bd5e1c Thanks @​gustavovalverde! - Refresh-token rotation and token revocation, two-factor backup-code regeneration, device-code claiming, and organization invitation acceptance now work on Prisma. Concurrent or repeat requests in these flows could previously return an error on Prisma instead of the expected result.

    On MongoDB servers older than 5.0, these flows and other guarded value updates (rate-limit window resets, API-key refills) no longer fail with an empty-update error.

    @better-auth/core: incrementOne now reports a clear error when called with no increment and no set.

  • #​9319 581f827 Thanks @​ping-maxwell! - fix(last-login-method): include domain when clearing cross-subdomain cookies

  • #​10067 8407885 Thanks @​bytaesu! - The oauth-popup plugin now ignores internal OAuth state fields passed through its additionalData parameter, so additionalData only ever carries your own custom values.

  • #​9555 c1a8a64 Thanks @​ChrisMGeo! - Fix invalid OpenAPI output for Better Auth callback, session, and passkey routes so client generators can consume the schema.

  • #​10071 635f190 Thanks @​gustavovalverde! - Auth clients exported from wrapper packages can now be emitted in TypeScript declaration builds without extra type annotations.

  • #​10070 a787e0b Thanks @​gustavovalverde! - Single-use verification flows no longer hang on database adapters that use a one-connection pool. This fixes magic-link verification and similar token checks in connection-limited serverless database setups.

  • #​9348 c2f718f Thanks @​ping-maxwell! - fix: cookie cache fallback lookup

  • #​8863 7d18175 Thanks @​ping-maxwell! - sendVerificationEmail was invoked via runInBackgroundOrAwait, which could defer work when advanced.backgroundTasks.handler is configured (so the handler could return 200 before the email callback finished) and, in the default path, caught and logged errors without rethrowing. User callbacks that throw APIError (e.g. 429 from a rate limiter) were therefore not reliably reflected in the HTTP response (better-auth/better-auth#8757).

    Now we await sendVerificationEmailFn so failures surface to the client with the correct status. The unauthenticated /send-verification-email path enforces a constant-time floor (500 ms) so that the response duration does not reveal whether the email belongs to a real unverified user.

  • Updated dependencies [0895993, 5bd5e1c, a787e0b]:

v1.6.18

Compare Source

Patch Changes

v1.6.17

Compare Source

Patch Changes
  • #​9993 baeaa00 Thanks @​gustavovalverde! - When a team had a single open slot, accepting an invitation into it was wrongly rejected as over the member limit and left a dangling membership record. Two invitations accepted into a nearly-full team at the same time could also push it past its limit. Both are fixed.

  • #9482 3e99e6c Thanks @bytaesu! - admin.setUserPassword now creates a credential account when the target user does not have one, matching the behavior of resetPassword. Previously the call returned status: true without doing anything for users without an existing credential account (e.g., social-only or magic-link signups). Admins migrating users from another auth system or assigning an initial password to a social-only user can now do so directly without poking the account table.

  • 96c78c3 Thanks @​GautamBytes! - Downgrade expected auth validation failures from error logs to warnings.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - Captcha provider verification requests now time out after 10 seconds and fail closed, so a slow or unreachable captcha provider can no longer tie up a request indefinitely.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - A delete-account confirmation link can no longer delete the account more than once when its callback is opened concurrently.

  • #​9991 0c3856f Thanks @​gustavovalverde! - Completing account deletion through /delete-user/callback now fails when the session has been revoked server-side, instead of proceeding within the cookie-cache window. Deployments that keep sessions only in the cookie are unaffected.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - Polling for a device-authorization token can no longer redeem the same approved device code more than once when several polls arrive together.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - Submitting the same email OTP from several requests at once can no longer sign in more than once or gain extra tries beyond the attempt limit.

  • #​10002 ed7b6c9 Thanks @​gustavovalverde! - Adding a member to a team that is already at its maximumMembersPerTeam limit is now rejected on every path. addMember with a teamId and add-team-member previously skipped the limit that invitation acceptance enforced, so they could push a team over its cap. A rejected addMember no longer creates the organization member.

  • #​9677 e0a768c Thanks @​GautamBytes! - Refactor role.authorize control flow while preserving existing authorization behavior.

  • #​9987 7343284 Thanks @​bytaesu! - Generic OAuth sign-in works again for providers whose userinfo response has no sub or id field when mapProfileToUser derives the account id. An empty id field now falls back to sub.

  • #​9991 0c3856f Thanks @​gustavovalverde! - getCookieCache now returns null for an expired session instead of the stale session data. Middleware that calls it to gate access no longer treats an expired signed cookie as a live session.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - The Have I Been Pwned plugin now checks submitted passwords against the breach database on more password-setting endpoints by default, including the email-OTP and phone-number reset-password routes and the admin create-user and set-user-password routes. A breached password can no longer be set through those routes when the plugin is enabled with its default paths.

  • #​9987 7343284 Thanks @​bytaesu! - Preserve the fresh account cookie issued while switching users in the same browser instead of expiring it from stale request cookie state.

  • #​9991 0c3856f Thanks @​gustavovalverde! - Expired MCP access tokens are no longer accepted. A protected MCP resource now rejects a bearer token once it has expired, both on the server and through the remote client. A refresh token is accepted only when the original authorization included the offline_access scope.

  • #​9991 0c3856f Thanks @​gustavovalverde! - The multi-session set-active and revoke endpoints now act only on the session the caller holds a signed cookie for. A request could previously activate or revoke a different session by naming its token in the request body without holding that session's cookie.

  • #​9890 d9c526b Thanks @​bytaesu! - Add an experimental oauthPopup plugin (with oauthPopupClient and signIn.popup) for popup-based OAuth sign-in. It lets an app sign in inside a cross-site iframe by completing OAuth in a popup and handing the session token back to the opener, where the bearer plugin authenticates with it. The API may change while it is experimental.

  • #​9991 0c3856f Thanks @​gustavovalverde! - The OIDC provider's RP-initiated logout endpoint (/oauth2/endsession) no longer logs a user out, or revokes their OAuth tokens, in response to a cross-site GET that carries only a session cookie. Logout authenticated by a valid id_token_hint is unaffected.

  • #​10003 fdef997 Thanks @​gustavovalverde! - Google One Tap now requires a configured Google client ID and rejects the sign-in callback when none is set. A Google ID token issued for a different application is no longer accepted. Set the client ID on the oneTap plugin or on socialProviders.google.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - A one-time token can no longer be redeemed for a session more than once when redeemed concurrently.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - A password reset token can no longer change the password more than once when used from several requests at the same time.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - Submitting the same phone-number OTP from several requests at once can no longer sign in more than once or gain extra tries beyond the attempt limit.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - Concurrent requests can no longer slip past the configured rate limit. The in-memory rate-limit store no longer grows without bound, and the database backend removes expired entries on its own. A custom rate-limit storage may implement a new optional consume method for strict enforcement; without it, the previous behavior is kept and a one-time warning is logged.

  • #​9987 7343284 Thanks @​bytaesu! - Deleting a team no longer breaks its pending invitations. The removed team is dropped from those invitations, which stay valid for their remaining teams or as plain organization-level invitations. Accepting an invitation that still references a missing team fails without consuming the invitation.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - Add internalAdapter.reserveVerificationValue. It atomically records a single-use marker (such as a replay tombstone) so that exactly one of several concurrent callers succeeds and the rest observe that the marker is already taken. Database-backed verification storage is atomic; secondary-storage-only verification is best-effort.

  • #​8760 8960f5f Thanks @​gustavovalverde! - Session refreshes now avoid duplicate /get-session requests from focus and other browser session events. Client hooks keep stable data references when refetches return unchanged data, reducing unnecessary renders. Unmounting during an in-flight session request no longer leaves session state stuck in a loading state.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - A Sign-In with Ethereum nonce can no longer be used to sign in more than once when submitted from several requests at the same time.

  • #​9979 5c289b5 Thanks @​SferaDev! - Stateless OAuth deployments can now read account info, access tokens, and refresh tokens after different server instances handle sign-in and later requests. Session refresh also keeps the OAuth account cookie instead of clearing it in that case.

  • #​9990 1dbf5bb Thanks @​gustavovalverde! - Hardens how requests are trusted across several flows. Rate limiting is now enforced even when a client IP cannot be determined, instead of being skipped. When baseURL is not configured, password-reset and verification links use the current request's host rather than the host of the first request the server handled, and a request-scoped trustedOrigins callback no longer affects other concurrent requests. The OAuth proxy, Google One Tap, and the Expo authorization proxy reject redirect and callback targets that are not in trustedOrigins. Google reCAPTCHA and Cloudflare Turnstile accept optional expectedAction and allowedHostnames to reject tokens minted for a different action or hostname. Server-side fetches reject additional reserved IPv6 ranges, and malformed redirect parameters return a 400 instead of a 500.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - An expired two-factor sign-in challenge can no longer complete login with a valid TOTP, OTP, or backup code, and the same challenge can no longer create more than one session when verified concurrently.

  • #​9993 baeaa00 Thanks @​gustavovalverde! - Submitting the same two-factor OTP from several requests at once can no longer sign in more than once or gain extra tries beyond the attempt limit.

  • #​9777 59e0ccb Thanks @​GautamBytes! - Client updateSession calls now accept inferred custom session fields from inferAdditionalFields.

  • #​9962 b803c61 Thanks @​Bekacru! - Validate roles when updating an organization member. Roles are now normalized into individual tokens and checked against the configured static and dynamic roles, so unknown or malformed role values are rejected instead of being persisted.

  • Updated dependencies [baeaa00, baeaa00, baeaa00, 7343284, baeaa00, baeaa00, fdef997, baeaa00, baeaa00, fdef997, baeaa00, 1dbf5bb, fdef997]:

v1.6.16

Compare Source

Patch Changes
  • #​9974 cb1cbfa Thanks @​Bekacru! - Guard protected user fields in the admin plugin behind their dedicated permissions. /admin/create-user now requires user:set-role when a role is supplied (top-level or via data.role), validates requested roles against the configured roles, requires user:ban for ban fields passed in data, and no longer lets data override email, name, or role. /admin/update-user now requires user:ban for banned/banReason/banExpires (revoking the user's sessions when banning and rejecting self-bans), requires the new user:set-email permission for email/emailVerified (with email validation, lowercasing, and uniqueness checks), and rejects password updates in favor of /admin/set-user-password. If you use a custom access control, add set-email to your statements and grant it (and ban) to roles that should be able to change those fields through update-user.

  • #​9974 cb1cbfa Thanks @​Bekacru! - Require a provider account id when signing in through generic OAuth. The default userinfo handler previously fell back to an empty string when the provider response had no sub (or id), and the callback never checked the resolved account id. With certain non-OIDC providers that omit sub, accounts could be stored under the same empty id and a later sign-in could resolve to an existing account. The generic OAuth callback now rejects sign-in when no account id can be resolved, the default userinfo handler returns no profile when neither sub nor id is present, and the built-in OAuth callback also rejects an empty account id.

  • #​9974 cb1cbfa Thanks @​Bekacru! - Scope organization invitation team IDs to the invited organization. createInvitation now validates that every requested teamId belongs to the invitation's organization regardless of whether teams.maximumMembersPerTeam is set, and acceptInvitation re-checks each stored team's organization before adding team membership. Previously, with the default unlimited team size, a team ID from another organization could be stored on an invitation and applied on acceptance.

  • #​9973 87e7aa5 Thanks @​gustavovalverde! - Email sign-in and sign-up now validate the Origin or Referer header against trustedOrigins even when the request carries no cookies. Requests that send no Origin/Referer header and no Fetch Metadata (such as curl or server-to-server clients) are unaffected. A non-browser client that sends an untrusted Origin/Referer without cookies now receives a 403 and must add that origin to trustedOrigins.

  • #​9974 cb1cbfa Thanks @​Bekacru! - Require /refresh-token to only trust the account cookie when its userId, providerId and (when supplied) accountId match the resolved session user.

  • #​9967 893cf6c Thanks @​gustavovalverde! - Deleting a session now immediately stops /update-session and the account token endpoints (/get-access-token, /refresh-token, /account-info) from accepting it, when cookie cache is enabled alongside a database or secondary storage. Before, these routes kept serving the deleted session from the cached cookie until the cache expired. Deployments that store the session only in the cookie are unaffected.

  • #​9974 cb1cbfa Thanks @​Bekacru! - Bind the SIWE signed message to server state before creating a session. Previously /siwe/verify only checked that a nonce row existed for the wallet address and then delegated entirely to verifyMessage. Since the documented verifyMessage (viem) performs signature recovery only — without inspecting the message body — a signature the wallet produced for a different message (an earlier nonce, another domain, or arbitrary content) could also satisfy verification against a freshly minted nonce.

    The plugin now parses the ERC-4361 message itself and requires its nonce, domain, address, and chain ID to match the server-issued nonce and configured domain, and enforces the message's Expiration Time / Not Before bounds, before verifying the signature. message must now be a valid ERC-4361 message (which all standard SIWE clients produce); non-conforming or mismatched messages are rejected with a 401 (UNAUTHORIZED_SIWE_MESSAGE_MISMATCH, UNAUTHORIZED_SIWE_MESSAGE_EXPIRED, or UNAUTHORIZED_SIWE_MESSAGE_NOT_YET_VALID). verifyMessage implementations should continue to perform signature recovery only.

  • #​9974 cb1cbfa Thanks @​Bekacru! - Separate SSO provider ids from the account-linking provider namespace used for social/OAuth providers. Previously an SSO provider registered with an id matching a configured accountLinking.trustedProviders entry (e.g. google) was treated as a trusted provider and could implicitly link to an existing verified account with the same email.

    SSO registration now rejects provider ids that collide with a configured social provider, a trustedProviders entry, or a reserved built-in id. In addition, the OIDC and SAML callbacks no longer derive trust from a trustedProviders name match — SSO trust comes solely from verified domain ownership (domainVerified). handleOAuthUserInfo gains a trustProviderByName option (default true, preserving social-provider behavior) that the SSO plugin sets to false.

  • #​9965 5e49c56 Thanks @​gustavovalverde! - Passing activeOrganizationId, activeTeamId, or impersonatedBy to /update-session now returns a 400. Change these plugin-managed session fields through their dedicated endpoints instead, such as organization.setActive.

  • Updated dependencies [cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa, cb1cbfa]:

v1.6.15

Compare Source

Patch Changes
  • #9875 1012b69 Thanks @WilsonnnTan! - The admin plugin's unbanUser, setRole and adminUpdateUser endpoints used to call internalAdapter.updateUser without checking that the target user existed, so when the caller passed an unknown id the underlying database error (for example Prisma's P2025) bubbled up as a generic HTTP 500. Those endpoints now mirror the existing guard in banUser: look the user up via findUserById, and throw a clean NOT_FOUND (USER_NOT_FOUND) when no row is returned. Closes #9800.

  • #​9865 ad60333 Thanks @​ping-maxwell! - list-session endpoint now requires a fresh-age session check.

  • #​9811 0933c05 Thanks @​zeroknowledge0x! - Restore Kysely 0.28 and 0.29 compatibility for SQLite dialect introspection. The dialects now mirror Kysely's stable migration table names locally, avoiding strict ESM build failures in Turbopack without forcing consumers onto Kysely 0.29.

  • #​9919 b0ddfd3 Thanks @​gustavovalverde! - Run configured hooks through the whole OAuth sign-in flow

    hooks.before / hooks.after configured on the auth instance now run for the OAuth authorization that continues after a user signs in, selects an account, or consents. They were being skipped there.

    Headers or cookies a hooks.before sets before returning its own response are no longer dropped, and a hooks.after that throws an APIError no longer loses either its cookies or the error's headers.

  • Updated dependencies []:

v1.6.14

Compare Source

Patch Changes
  • #​9877 2d9781a Thanks @​gustavovalverde! - Restore the normal emailed-invitation flow while documenting the stricter verification posture for organization invitations.

    Client-side listUserInvitations now always requires a verified session email because it enumerates invitation IDs from session.user.email. The requireEmailVerificationOnInvitation option now controls recipient calls that carry an invitation ID (acceptInvitation, rejectInvitation, getInvitation). When unset, Better Auth keeps the emailed-invitation sign-up flow for built-in opaque invitation IDs, including the default generator or advanced.database.generateId: "uuid", and requires verified email when invitation IDs are externally controlled or predictable, such as advanced.database.generateId: "serial" / false or custom ID generation. Apps that expose invitation IDs outside the invited user's mailbox, expose organization invitation lists to members, or require stricter ownership proof should set requireEmailVerificationOnInvitation: true or require verified email before sign-in.

  • #9841 5a2d642 Thanks @bytaesu! - Optional fields (required: false) now accept null, not just omission. The generated input validation previously rejected null even though the column is nullable, so a nullable field could not be cleared by passing null.

  • #​9845 13abc79 Thanks @​gustavovalverde! - Harden redirect-URI validation across the OAuth provider plugins. isSafeUrlScheme and SafeUrlSchema no longer call URL.canParse, which is absent on some supported runtimes and could throw or silently disable the dangerous-scheme check. They now parse with a try/catch fallback. SafeUrlSchema also rejects redirect URIs that contain a fragment component, per RFC 6749 §3.1.2.

  • #​9806 9d3450a Thanks @​bytaesu! - getSessionCookie now prefers the __Secure- cookie when both it and a non-secure cookie are present, so the non-secure cookie no longer shadows the current session cookie.

  • Updated dependencies [13abc79]:

v1.6.13

Compare Source

Patch Changes
  • #​9813 d3919dc Thanks @​gustavovalverde! - Support server-side accountInfo calls without session headers.

    auth.api.accountInfo now accepts an optional userId, so a trusted server-side caller can read a user's provider profile without constructing session headers. This mirrors getAccessToken and refreshToken. HTTP callers still require a valid session, and a session always takes precedence over a supplied userId.

    The shared "resolve the target user, then fetch a valid access token" logic behind these three endpoints now lives in one place. As part of that, a server-side call that supplies neither a session nor a userId reports USER_ID_OR_SESSION_REQUIRED (400) consistently, rather than UNAUTHORIZED on some endpoints.

  • #​9591 5f282bd Thanks @​Vishesh-Verma-07! - When only secondaryStorage is configured (no primary database), storeStateStrategy now defaults to "database" instead of "cookie", preventing oversized-cookie errors on platforms like AWS Lambda. The account cookie that holds OAuth tokens in database-less setups stays enabled, so getAccessToken keeps working.

  • #​9818 43c08a2 Thanks @​gustavovalverde! - Fix two buggy internalAdapter helpers.

    Remove findAccount(accountId). It looked accounts up by account ID alone, which is unique neither across providers nor across users, so it returned a non-deterministic match. All callers now use a user-scoped or provider-scoped lookup.

    Replace the ambiguous deleteSessions(string | string[]) with two explicit methods. deleteUserSessions(userId) revokes every session for a user, and deleteSessions(tokens) revokes sessions by token. The old single-string overload silently treated its argument as a user ID, so a caller that meant to delete one session token could instead wipe all of a user's sessions or quietly match nothing.

  • #​9818 43c08a2 Thanks @​gustavovalverde! - Fix Google One Tap signing in the wrong user when the presented Google account is already linked to someone else. One Tap now resolves identity through the shared OAuth path, so the user who owns the Google subject is signed in, matching the redirect and signIn.social flows. Previously it matched a local user by the token's email and used the subject only to decide linking, so a Google credential owned by one user could authenticate a different user who happened to share that email.

    /account-info now resolves the account from the signed-in user's own linked accounts and accepts an optional providerId to disambiguate when two providers issue the same account ID. A colliding account ID returns a distinct AMBIGUOUS_ACCOUNT error instead of a misleading "not found", and an account with no configured social provider returns a 400 rather than a 500.

  • #​9838 be32012 Thanks @​gustavovalverde! - Validate the scheme of OAuth redirect_uris in the oidc-provider and mcp plugins.

    Both plugins previously accepted any string as a redirect_uri at registration. They now reject the javascript:, data:, and vbscript: schemes, which are never valid OAuth redirect targets. The @better-auth/oauth-provider package already applied this check, so this change brings the two older plugins in line with it.

    The redirect-URI scheme policy now lives in @better-auth/core as a single SafeUrlSchema and an isSafeUrlScheme helper, and the OAuth provider plugins share that one implementation. The client navigation helpers (redirectPlugin, one-tap, and two-factor) also skip navigation when the target uses one of these schemes.

    The change is non-breaking. The http, https, loopback, and custom application schemes still register unchanged. Both oidc-provider and mcp are on the migration path to @better-auth/oauth-provider, which remains the route to its stricter HTTPS-or-loopback policy.

  • #​9842 87c1a0c Thanks @​bytaesu! - You can now clear an organization's logo by passing logo: null to createOrganization and updateOrganization. Previously only a string was accepted, so an existing logo could not be removed.

  • #​9822 9c8ded6 Thanks @​gustavovalverde! - Document viewBackupCodes as a server-only function so its API comment no longer reads like an HTTP route.

    The JSDoc above auth.api.viewBackupCodes advertised POST /two-factor/view-backup-codes, but the endpoint is server-only: it is not registered on the HTTP router and has no client method. The comment now states that it is callable only from trusted server code and that the userId should come from an authenticated session.

  • #​8758 23d7cbf Thanks @​bytaesu! - Apply accountLinking.updateUserInfoOnLink across every OAuth link flow.

    Enabling updateUserInfoOnLink only synced the user's profile when linking through a direct ID token. Linking through the standard OAuth redirect (linkSocial, the generic OAuth oauth2.link endpoint, and implicit linking on social sign-in) ignored the option, so the name and image never changed. Every link path now honors it.

    The synced fields match the sign-up path: name, image, and any fields your mapProfileToUser adds. The local email and emailVerified are never changed on a link, so linking a provider cannot rebind the account's identity.

    Implicit linking on social sign-in also returned the pre-update user, so the freshly issued session served stale profile data from its cookie cache until the cache expired. The new session now carries the updated profile.

  • Updated dependencies [43c08a2, 5c3e248]:

v1.6.12

Compare Source

Patch Changes
  • #​9603 9bd53e1 Thanks @​bytaesu! - role.authorize now treats empty action lists ([] or { actions: [] }) as unauthorized, and evaluates each requested resource under the OR connector before returning the result.

  • #​9702 23dbe1a Thanks @​bytaesu! - Banned users signing in with an OAuth provider now redirect to the errorCallbackURL passed to signIn.social, with ?error=BANNED_USER&error_description=<message> in the query string. Previously the redirect went to the auth server's default error page with ?error=banned, which broke multi-domain deployments where the auth host and frontend host differ. The oauth-proxy, SSO OIDC, and SAML callbacks now also redirect hook rejections to the error URL (previously returned JSON 403), and oauth-proxy URL-encodes the error query value across all its redirects.

  • #​9596 7a12072 Thanks @​bytaesu! - Email OTP sign-in no longer fails with a missing-captcha-token error under the default captcha settings. If you intentionally want captcha on email OTP sign-in, add /sign-in/email-otp to captcha({ endpoints }).

  • #​9614 09a1d50 Thanks @​bytaesu! - changeEmail no longer silently returns { status: true } when the flow cannot complete: if emailVerification.sendVerificationEmail is missing for a verified user, the request now fails with a 400 error. callbackURL values are also URL-encoded, so callbacks that carry their own query string survive the round trip through verify-email links.

  • #​9617 [a6f144a](https://redirect.github.com/better-auth/b

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

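The concurrency fixes in the v1.6.17 notes (one-time tokens, email and phone OTPs, device codes and password-reset tokens that could be redeemed more than once when several requests arrived together, and the atomic reserveVerificationValue marker) as an added TypeScript example; this is not better-auth's code. It shows why a find-then-delete across an async store lets every in-flight request win, and how an atomic reserve marker limits redemption to exactly one caller. The store, its simulated round-trip latency and the sample token are constructed for the example.

```typescript
// Added example, not better-auth's code: why "find the token, then delete it"
// redeems a single-use token more than once under concurrency, and how an
// atomic reserve marker (the pattern behind a replay tombstone) fixes it.
// The store, its latency simulation and the sample token are constructed.

// Every store call yields to the event loop once, like a database round trip.
const dbRoundTrip = (): Promise<void> => new Promise(r => setTimeout(r, 1));

interface VerificationRow { value: string; expiresAt: number }

class VerificationStore {
  private rows: { [id: string]: VerificationRow } = {};
  private markers: { [key: string]: true } = {};

  seed(id: string, value: string, expiresAt: number): void { this.rows[id] = { value, expiresAt }; }

  async find(id: string): Promise<VerificationRow | undefined> {
    await dbRoundTrip();
    return this.rows[id];
  }

  async remove(id: string): Promise<void> {
    await dbRoundTrip();
    delete this.rows[id];
  }

  // Single-use marker: the check and the write happen with no await between
  // them, so exactly one of N concurrent callers gets true. In a real database
  // this is an INSERT on a unique key (or INSERT ... ON CONFLICT DO NOTHING),
  // never a SELECT followed by an INSERT.
  async reserve(key: string): Promise<boolean> {
    await dbRoundTrip();
    if (this.markers[key]) return false;
    this.markers[key] = true;
    return true;
  }
}

type Redeem = (store: VerificationStore, id: string, nowMs: number) => Promise<boolean>;

// Vulnerable: the await inside remove() is a window in which every other
// in-flight request has already passed the "row exists" check.
const redeemNaive: Redeem = async (store, id, nowMs) => {
  const row = await store.find(id);
  if (!row || row.expiresAt <= nowMs) return false;
  await store.remove(id);
  return true;                                 // the caller would now mint a session
};

// Fixed: claim the marker first; every loser stops before the session step.
const redeemAtomic: Redeem = async (store, id, nowMs) => {
  const row = await store.find(id);
  if (!row || row.expiresAt <= nowMs) return false;
  if (!(await store.reserve("redeemed:" + id))) return false;
  await store.remove(id);
  return true;
};

// Fires `parallel` redemptions of one fresh token at once and counts the winners.
async function countSuccesses(redeem: Redeem, parallel: number): Promise<number> {
  const store = new VerificationStore();
  const now = Date.now();
  store.seed("email-otp:alice", "483920", now + 60_000);   // constructed token
  const attempts: Promise<boolean>[] = [];
  for (let i = 0; i < parallel; i++) attempts.push(redeem(store, "email-otp:alice", now));
  const results = await Promise.all(attempts);
  return results.filter(Boolean).length;
}

// Expected: the naive path wins more than once (8 of 8 with these timings), the atomic path exactly once.
countSuccesses(redeemNaive, 8).then(n => console.log("naive wins:", n));
countSuccesses(redeemAtomic, 8).then(n => console.log("atomic wins:", n));
```

The in-memory marker is atomic only because nothing awaits between the check and the write; a backing store has to give the same guarantee natively (a unique-key insert, a conditional update that reports the affected row count), which is why the changelog notes that secondary-storage-only verification can only be best-effort.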
renovate[bot] added the dependencies label on Jun 1, 2026
renovate[bot] force-pushed the renovate/better-auth-monorepo branch from 3916d9e to 2c5d79c on June 2, 2026 13:36
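The redirect-URI checks in the v1.6.13 and v1.6.14 notes (reject the javascript:, data: and vbscript: schemes, parse with a try/catch fallback instead of URL.canParse, and reject any fragment component per RFC 6749 §3.1.2) as an added TypeScript example; this is not better-auth's SafeUrlSchema, and the function names are assumptions.

```typescript
// Added example, not better-auth's code: redirect_uri validation that rejects
// javascript:, data: and vbscript: and any fragment component, without relying
// on URL.canParse (absent on some runtimes). Function names are assumed.

const DANGEROUS_SCHEMES = ["javascript", "data", "vbscript"];

// try/catch around the URL constructor instead of URL.canParse, which may not
// exist; an unparsable value is rejected rather than waved through.
function parseUrl(value: string): URL | null {
  try { return new URL(value); } catch { return null; }
}

// The WHATWG parser lower-cases the scheme and strips ASCII tab/newline and
// surrounding C0 controls and spaces, so comparing url.protocol also catches
// "JavaScript:", " javascript:" and "java\tscript:".
function isSafeUrlScheme(value: string): boolean {
  const url = parseUrl(value);
  if (!url) return false;
  return DANGEROUS_SCHEMES.indexOf(url.protocol.slice(0, -1)) === -1;  // "https:" -> "https"
}

// Registration-time redirect_uri policy: safe scheme and no fragment
// (RFC 6749 §3.1.2: the endpoint URI MUST NOT include a fragment component).
// url.hash is "" both when there is no fragment and for an empty "#", so the
// raw string is checked as well. http/https, loopback and custom app schemes pass.
function isValidRedirectUri(value: string): boolean {
  const url = parseUrl(value);
  if (!url || !isSafeUrlScheme(value)) return false;
  return url.hash === "" && value.indexOf("#") === -1;
}

// Constructed inputs: the first three are accepted, the rest rejected.
const sampleRedirects = [
  "https://app.example.com/callback", "myapp://oauth/callback", "http://127.0.0.1:3000/cb",
  "JavaScript:alert(1)", " java\tscript:alert(1)", "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)", "https://app.example.com/cb#token", "https://app.example.com/cb#",
  "//evil.example/cb", "not a url",
];
for (const s of sampleRedirects) console.log(isValidRedirectUri(s), JSON.stringify(s));
```

Note what the check does not do: it leaves exact-match comparison against the registered URI, and the stricter HTTPS-or-loopback policy the changelog attributes to @better-auth/oauth-provider, to the caller.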
renovate[bot] changed the title from "chore(deps): update dependency better-auth to v1.6.12" to "chore(deps): update dependency better-auth to v1.6.13" on Jun 2, 2026
renovate[bot] had a problem deploying to data-manager-ui/test on June 2, 2026 13:36 (Failure)
renovate[bot] changed the title from "chore(deps): update dependency better-auth to v1.6.13" to "chore(deps): update better-auth monorepo to v1.6.13" on Jun 2, 2026
renovate[bot] force-pushed the renovate/better-auth-monorepo branch from 2c5d79c to 6a67797 on June 4, 2026 22:04
renovate[bot] changed the title from "chore(deps): update better-auth monorepo to v1.6.13" to "chore(deps): update better-auth monorepo to v1.6.14" on Jun 4, 2026
renovate[bot] force-pushed the renovate/better-auth-monorepo branch from 6a67797 to 621b8f1 on June 9, 2026 21:59
renovate[bot] changed the title from "chore(deps): update better-auth monorepo to v1.6.14" to "chore(deps): update better-auth monorepo to v1.6.15" on Jun 9, 2026
renovate[bot] force-pushed the renovate/better-auth-monorepo branch from 621b8f1 to 778ef25 on June 11, 2026 05:49
renovate[bot] changed the title from "chore(deps): update better-auth monorepo to v1.6.15" to "chore(deps): update better-auth monorepo to v1.6.16" on Jun 11, 2026
renovate[bot] force-pushed the renovate/better-auth-monorepo branch from 778ef25 to fa0f05b on June 13, 2026 04:33
renovate[bot] changed the title from "chore(deps): update better-auth monorepo to v1.6.16" to "chore(deps): update better-auth monorepo to v1.6.17" on Jun 13, 2026
renovate[bot] had a problem deploying to data-manager-ui/test on June 13, 2026 04:33 (Failure)
renovate[bot] force-pushed the renovate/better-auth-monorepo branch from fa0f05b to dc8f436 on June 13, 2026 20:37
renovate[bot] changed the title from "chore(deps): update better-auth monorepo to v1.6.17" to "chore(deps): update better-auth monorepo to v1.6.18" on Jun 13, 2026
renovate[bot] had a problem deploying to data-manager-ui/test on June 13, 2026 20:37 (Failure)
renovate[bot] force-pushed the renovate/better-auth-monorepo branch from dc8f436 to c5e8a38 on June 17, 2026 02:49
renovate[bot] changed the title from "chore(deps): update better-auth monorepo to v1.6.18" to "chore(deps): update better-auth monorepo to v1.6.19" on Jun 17, 2026