All of the changes made will be available here.

Better Auth is a comprehensive authentication library for TypeScript that provides a wide range of features to make authentication easier and more secure.


BETTER-AUTH.

v1.2.8

🚀 Features

  • Make update account on signin optional – @Bekacru
  • Add getAccessToken api for oauth accounts – @BlankParticle
  • getActions from client plugins to include clientOptions in get user client config – @ping-maxwell
  • Add one time token generator – @Bekacru
  • adapter:
    • Allow providing id in create method - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2518 (79ff4)
  • anonymous:
    • Custom anonymous names - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2361 (f9201)
  • api-key:
    • Disable hashing API Keys - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2373 (cb1cb)
  • custom-session:
  • generic-oauth:
    • Support same provider account linking - by @Bekacru in https://github.com/better-auth/better-auth/issues/2332 (c417e)
    • Authorization request headers - by @KGALLET in https://github.com/better-auth/better-auth/issues/2507 (4bdeb)
  • stripe:
    • Migrate to stripe sdk v18.0.0 - by @kkMihai in https://github.com/better-auth/better-auth/issues/2366 (86b19)

🐞 Bug Fixes

  • Username empty field on update guard – @Kinfe123
  • Docs on oauth refresh token fn – @Kinfe123
  • MapProfileToUser getting called twice during idToken login – @Bekacru
  • Awaitable calls – @Kinfe123
  • Enforce override user info on oauth signin – @Bekacru
  • Join waitlist banner styling – @Kinfe123
  • Fields for custom schema should be optional – @Bekacru
  • UpdateAt field on banning/unbanning users – @Kinfe123
  • Improve signin builder and tabs functionality – @Kinfe123
  • Add a default value for generated fields – @Kinfe123
  • Resolve type error caused by incorrect plugin import – @Kinfe123
  • Resolve custom ts config path – @Kinfe123
  • Core schema model name definition on api-key – @Kinfe123
  • Username error code export – @Kinfe123
  • Resolve logo assets redirection and toaster styling issues – @Kinfe123
  • Remove unnecessary password hashing – @Kinfe123
  • Revoke session on password reset – @Kinfe123
  • Added password hashing to prevent timing attacks – @Kinfe123
  • Add default refreshAccessToken for microsoft provider – @BlankParticle
  • Pass context into createVerificationValue – @Livog
  • Origin check failing when there is symbol in a query param – @Bekacru
  • Remove userInfoUrl check to allow using custom function without url – @BlankParticle
  • getAccessToken should be available on the client – @BlankParticle
  • admin:
    • Handle redirecting banned users properly - by @Bekacru in https://github.com/better-auth/better-auth/issues/2273 (9f7ea)
  • api-key:
    • Pass real rateLimit value from ctx.body - by @Siumauricio in https://github.com/better-auth/better-auth/issues/2432 (b5537)
  • create-adapter:
    • Get default model in getModelname - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2647 (c717d)
  • drizzle-adapter:
    • Missing operators - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2408 (05770)
  • generic-oauth:
    • On link account make sure to match provider Id before updating existing account - by @Bekacru in https://github.com/better-auth/better-auth/issues/2460 (36599)
    • Include missing tokens in account linking - by @Bekacru in https://github.com/better-auth/better-auth/issues/2461 (e333b)
  • open-api:
    • Misplaced requires properties - by @cwstra in https://github.com/better-auth/better-auth/issues/2597 (fdf3e)
  • organization:
    • Incorrect delete team error message - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2563 (947c4)
  • passkey:
    • Add userDisplayName to the simplewebauthn generateRegistrationOptions call - by @EugeneDraitsev in https://github.com/better-auth/better-auth/issues/2344 (7a84a)
  • stripe:
    • Include priceId on list active subscriptions - by @Bekacru (20bb8)
    • Reactivate subscription filtering to only active or trialing subscription - by @Konixy in https://github.com/better-auth/better-auth/issues/2268 (aef13)
  • two-factor:
    • Verification deletion on otp should use the correct ID - by @Bekacru in https://github.com/better-auth/better-auth/issues/2425 (b9823)

v1.2.7

🚀 Features

  • Error code support for haveibeenpwned – @Kinfe123
  • plugin: Error code support for haveibeenpwned plugin – @Kinfe123

🐞 Bug Fixes

  • Added c.authentication to refresh token – @CodeWithAlexander
  • Authentication type missing on refreshToken options – @Kinfe123
  • Prevent a user from being created on haveibeenpwned – @Kinfe123
  • adapter:
    • Improve field lookup logic in createAdapter - by @Bekacru in https://github.com/better-auth/better-auth/issues/2245 (53c71)
  • cli:
    • Schema gen with Drizzle for PG to generate text instead of uuid - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2248 (c6eb1)
  • drizzle-adapter:
    • Correct count retrieval in the update function - by @okxiaoliang4 in https://github.com/better-auth/better-auth/issues/2244 (f5b86)
  • haveIBeenPwned:
    • Add proper error code - by @JE4GLE in https://github.com/better-auth/better-auth/issues/2255 (adecf)
  • organization:
    • Checking if User is intended recipient of Invite is case-sensitive - by @SNRSE in https://github.com/better-auth/better-auth/issues/2251 (5689d)
  • plugin:
  • stripe:
    • Force post method for subscription restore - by @Bekacru in https://github.com/better-auth/better-auth/issues/2259 (ffde0)
    • Adding ability to restore cancelled trialing subscriptions - by @Konixy in https://github.com/better-auth/better-auth/issues/2262 (d341f)

v1.2.6

🚀 Features

  • MapProfileToUser in vk social-provider – @MagicFun1241
  • One-time token plugin – @Bekacru
  • createAdapter and useNumberId – @ping-maxwell
  • Support user data mapping in id token social sign-in – @Bekacru
  • Update hover style for light mode in community page – @sudoskys
  • Zoom social provider – @nktnet1
  • (captcha plugin) adding support for Google ReCAPTCHA v3 and hCaptcha – @0scrm
  • Openapi spec update – @solarsoft0
  • Have-i-been-pwned plugin – @moshetanzer
  • Support custom issuer totp – @Siumauricio
  • Delete token expiry configuration – @Bekacru
  • Add option to disable session refresh on use – @Bekacru
  • admin:
    • Add support for passing multiple roles as array - by @Netrifier in https://github.com/better-auth/better-auth/issues/1907 (df727)
  • email-otp:
    • Support attempt numbers for email-otp - by @Bekacru in https://github.com/better-auth/better-auth/issues/2146 (880a5)
  • facebook:
    • Add support for business login using config ids - by @arlyon in https://github.com/better-auth/better-auth/issues/1990 (6b22e)
  • generic-oauth:
    • Added field discoveryHeaders to GenericOAuthConfig - by @RyanWSweeney in https://github.com/better-auth/better-auth/issues/2205 (c6d59)
  • jwt:
    • Add sub claim and getSubject - by @Bekacru in https://github.com/better-auth/better-auth/issues/2194 (04937)
  • oauth2:
    • Override user info on provider sign-in - by @Bekacru in https://github.com/better-auth/better-auth/issues/2148 (f9b96)
  • organization:
    • Add invitation limit - by @Bekacru in https://github.com/better-auth/better-auth/issues/2014 (81e45)
    • Support multiple permissions check - by @rxri in https://github.com/better-auth/better-auth/issues/2227 (cb900)
  • phone-number:
    • Add attempts check - by @Bekacru (1369d)
    • Add number of attempts configuration - by @Bekacru in https://github.com/better-auth/better-auth/issues/2046 (5591e)
    • Add phone number verification requirement before sign-in - by @Bekacru in https://github.com/better-auth/better-auth/issues/1984 (e24a6)
  • provider:
    • Twitter email support - by @Kinfe123 in https://github.com/better-auth/better-auth/issues/2176 (48efd)
  • react-start:
    • Add react-start integration for cookie handling - by @Bekacru in https://github.com/better-auth/better-auth/issues/2119 (06ddd)
  • socialLink:
    • Add support for custom scopes in social account linking - by @leoleducq in https://github.com/better-auth/better-auth/issues/2074 (c14f1)
  • stripe:
    • Restore subscription - by @JNLei in https://github.com/better-auth/better-auth/issues/1705 (82633)
  • two-factor:
    • Refactor two-factor authentication with better error handling, configurable otp limits and verification - by @Bekacru in https://github.com/better-auth/better-auth/issues/2234 (de91c)
  • username:

🐞 Bug Fixes

  • Import orders and alias to avoid conflict in ac code examples – @AmagiDDmxh
  • Fallback to checking main db on session retrieval when storeSessionInDatabase is enabled – @Bekacru
  • Export oAuth types – @hyoban
  • Og image compat – @Kinfe123
  • Og image compatibility on multiple link previews – @Kinfe123
  • Tooltip arrow – @Kinfe123
  • Tooltip arrow pointer – @Kinfe123
  • Forget password flow failing because of id conversion – @sosweetham
  • Dep issue – @Kinfe123
  • Deployment compat issue – @Kinfe123
  • Verify github email when profile has an email – @erquhart
  • Docs syntax spacing – @Kinfe123
  • GenericOAuth default redirectURI for account linking – @dbworku
  • Missing disableRefresh type in server side getSession – @Bekacru
  • Redirect to defaultErrorURL if errorURL doesn't exist – @Bekacru
  • Plugin middleware docs – @Kinfe123
  • Improve header value retrieval for IP address extraction – @ozgurozalp
  • Prisma client docs – @Kinfe123
  • Community page interaction – @Kinfe123
  • Community page interaction – @Kinfe123
  • Hover style for light mode in community page – @Kinfe123
  • IpAddress and userAgent missing on server authentication – @Bekacru
  • Missing export one time token plugin – @wadefletch
  • Delete from session table when stopImpersonate called – @Kinfe123
  • Filter out fields with returned: false from session cookie cache – @Kinfe123
  • Rethrow error from db hooks if it is APIError instances – @Bekacru
  • admin:
    • Pass where clause to adapter.count to fix total value on listUser - by @Netrifier in https://github.com/better-auth/better-auth/issues/2109 (38128)
    • DefaultRoles, adminRoles + others not applying user config - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2128 (4dcb9)
    • 'dontRememberMe' cookie handling during impersonation - by @Bekacru in https://github.com/better-auth/better-auth/issues/2236 (2249f)
  • api-key:
    • Return value of permissions should be object, not string - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1757 (f633d)
    • Update rateLimitEnabled default to consider options - by @ismael-iskauskas in https://github.com/better-auth/better-auth/issues/1887 (b2def)
  • apple:
    • Update responseType to include code and id_token - by @Bekacru in https://github.com/better-auth/better-auth/issues/2091 (c0f15)
  • custom-session:
    • Custom session failing to set cookies - by @Bekacru in https://github.com/better-auth/better-auth/issues/2124 (61dc4)
  • generic-oauth:
  • oauth:
    • Encode clientId and clientSecret in authorization header - by @xinyao27 in https://github.com/better-auth/better-auth/issues/2120 (ffa24)
  • oauth-proxy:
    • Extend callback and sign-in path matchers to include /oauth2/callback and /sign-in/oauth2 - by @Bekacru (7987d)
  • oidc-provider:
  • open-api:
    • Hide disabled paths - by @CrutchTheClutch in https://github.com/better-auth/better-auth/issues/2144 (f257f)
  • organization:
    • Update default invitation expiration time to use seconds - by @Bekacru (834e3)
    • Fix conditional teamId inference - by @Netrifier in https://github.com/better-auth/better-auth/issues/2133 (a6860)
    • UpdateMemberRole failing if issuer has multiple roles - by @dustin-we in https://github.com/better-auth/better-auth/issues/2104 (72631)
  • stripe:
    • Allow customizing subscription schema - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2105 (10893)
    • Throw err if passed referenceId when no subscription authorizeReference is defined - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2129 (9efcd)
    • Update referenceId in checkout session to use client_reference_id instead of metadata - by @Bekacru (08130)
  • two-factor:
    • 2fa error codes failing to infer - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/2102 (f7199)

v1.2.5

🚀 Features

  • Add onEmailVerification callback – @Bekacru
  • Disabled paths – @Bekacru
  • Refresh token endpoint – @Kinfe123
  • account: Add option to allow unlinking all accounts – @Bekacru
  • admin: Allow creating users without admin session on server api – @Bekacru
  • oidc: Allow passing additional user claims – @Bekacru

🐞 Bug Fixes

  • Allow plus signs in relative callback URLs – @javawizard
  • Multiple issues with openapi types and references – @Ehesp
  • Typescript cannot be named without reference error – @Bekacru
  • Get session cookie helper should use better url retrieval and read config overrides – @Bekacru
  • Get session cookie should check for both secure and non secure cookies – @Bekacru
  • Access of undefined in runtime that does have great support of instanceof – @jamesone
  • Use instead of relying on instanceOf for incoming request type checks – @Bekacru
  • Double matcher on username plugin – @Kinfe123
  • Trigger session refetch on verify email – @Bekacru
  • Support numeric user IDs – @benkingcode
  • UnlinkAccount should support optional accountId – @Bekacru
  • Respect disable signup on social providers – @Bekacru
  • Only delete verification token on password reset after successful db query – @moshetanzer
  • Additional fields type inference breaking on default value – @Bekacru
  • admin:
    • Remove undefined type from list-users openapi documentation - by @Ehesp in https://github.com/better-auth/better-auth/issues/1845 (a2748)
  • api-key:
    • Delete keys on client should use POST method instead - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1858 (cd828)
  • cli:
    • Invalid prisma init config - by @pnodet in https://github.com/better-auth/better-auth/issues/1964 (43ab2)
  • expo:
    • Better fetch type mismatch causing type error on expo client plugin - by @Bekacru in https://github.com/better-auth/better-auth/issues/1825 (54bdb)
  • generic-oauth:
    • Added basic auth param in oAuth2Callback - by @beermonsterdota in https://github.com/better-auth/better-auth/issues/1810 (765dd)
  • oauth:
    • Support passing prompt, access_type, type_hint and additional params when constructing authorization URL - by @waleedlatif1 in https://github.com/better-auth/better-auth/issues/1888 (3d36a)
  • organization:
    • Trigger session refetch on set-active - by @Bekacru (d7890)
    • Client infer for Member is using incorrect type - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1857 (cc688)
    • Membership limit incorrect usage breaks list organizations - by @Bekacru in https://github.com/better-auth/better-auth/issues/1961 (ae78d)
  • rate-limiter:
    • Handle missing IP address in rate limit function - by @Bekacru in https://github.com/better-auth/better-auth/issues/1959 (4a310)
    • Custom rate limiting table name breaking db query - by @Bekacru in https://github.com/better-auth/better-auth/issues/1960 (09830)
  • stripe:
    • Allow plan retrieval by annual discount price ID - by @Lionvsx in https://github.com/better-auth/better-auth/issues/1941 (3c60c)
  • username:
  • web: