@better-auth/core 1.6.13 → 1.6.14

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.6.13";
+const __betterAuthVersion = "1.6.14";
 /**
 * We store context instance in the globalThis.
 *

package/dist/instrumentation/tracer.mjs

@@ -2,7 +2,7 @@ import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
 import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
 const INSTRUMENTATION_SCOPE = "better-auth";
-const INSTRUMENTATION_VERSION = "1.6.13";
+const INSTRUMENTATION_VERSION = "1.6.14";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be

package/dist/utils/redirect-uri.d.mts

@@ -6,6 +6,7 @@ import * as z from "zod";
  * server stores and later hands back to a browser.
  *
  * - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
+ * - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
  * - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,
  *   `*.localhost` per RFC 6761), where HTTP is allowed for local development.
  * - Allows custom schemes for mobile apps (e.g. `myapp://callback`).

package/dist/utils/redirect-uri.mjs

@@ -7,6 +7,7 @@ import * as z from "zod";
 * server stores and later hands back to a browser.
 *
 * - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
+* - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
 * - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,
 *   `*.localhost` per RFC 6761), where HTTP is allowed for local development.
 * - Allows custom schemes for mobile apps (e.g. `myapp://callback`).
@@ -16,7 +17,10 @@ import * as z from "zod";
 * rather than re-implementing the scheme policy per plugin.
 */
 const SafeUrlSchema = z.url().superRefine((val, ctx) => {
-	if (!URL.canParse(val)) {
+	let u;
+	try {
+		u = new URL(val);
+	} catch {
 		ctx.addIssue({
 			code: "custom",
 			message: "URL must be parseable",
@@ -24,7 +28,6 @@ const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 		});
 		return z.NEVER;
 	}
-	const u = new URL(val);
 	if (DANGEROUS_URL_SCHEMES.includes(u.protocol)) {
 		ctx.addIssue({
 			code: "custom",
@@ -32,6 +35,10 @@ const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 		});
 		return;
 	}
+	if (val.includes("#")) ctx.addIssue({
+		code: "custom",
+		message: "Redirect URI must not contain a fragment component"
+	});
 	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
 		code: "custom",
 		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"

package/dist/utils/url.mjs

@@ -48,8 +48,13 @@ const DANGEROUS_URL_SCHEMES = [
 * execution schemes without rejecting relative paths or mobile deep links.
 */
 function isSafeUrlScheme(value) {
-	if (!URL.canParse(value)) return true;
-	return !DANGEROUS_URL_SCHEMES.includes(new URL(value).protocol);
+	let parsed;
+	try {
+		parsed = new URL(value);
+	} catch {
+		return true;
+	}
+	return !DANGEROUS_URL_SCHEMES.includes(parsed.protocol);
 }
 //#endregion
 export { DANGEROUS_URL_SCHEMES, isSafeUrlScheme, normalizePathname };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.6.13",
+  "version": "1.6.14",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",

package/src/utils/redirect-uri.ts

@@ -7,6 +7,7 @@ import { DANGEROUS_URL_SCHEMES } from "./url";
  * server stores and later hands back to a browser.
  *
  * - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
+ * - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
  * - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,
  *   `*.localhost` per RFC 6761), where HTTP is allowed for local development.
  * - Allows custom schemes for mobile apps (e.g. `myapp://callback`).
@@ -16,7 +17,10 @@ import { DANGEROUS_URL_SCHEMES } from "./url";
  * rather than re-implementing the scheme policy per plugin.
  */
 export const SafeUrlSchema = z.url().superRefine((val, ctx) => {
-	if (!URL.canParse(val)) {
+	let u: URL;
+	try {
+		u = new URL(val);
+	} catch {
 		ctx.addIssue({
 			code: "custom",
 			message: "URL must be parseable",
@@ -25,8 +29,6 @@ export const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 		return z.NEVER;
 	}
 
-	const u = new URL(val);
-
 	if (DANGEROUS_URL_SCHEMES.includes(u.protocol)) {
 		ctx.addIssue({
 			code: "custom",
@@ -35,6 +37,13 @@ export const SafeUrlSchema = z.url().superRefine((val, ctx) => {
 		return;
 	}
 
+	if (val.includes("#")) {
+		ctx.addIssue({
+			code: "custom",
+			message: "Redirect URI must not contain a fragment component",
+		});
+	}
+
 	if (u.protocol === "http:" && !isLoopbackHost(u.host)) {
 		ctx.addIssue({
 			code: "custom",

package/src/utils/url.ts

@@ -60,9 +60,12 @@ export const DANGEROUS_URL_SCHEMES = ["javascript:", "data:", "vbscript:"];
  * execution schemes without rejecting relative paths or mobile deep links.
  */
 export function isSafeUrlScheme(value: string): boolean {
-	if (!URL.canParse(value)) {
+	let parsed: URL;
+	try {
+		parsed = new URL(value);
+	} catch {
 		// Relative URLs carry no scheme to abuse.
 		return true;
 	}
-	return !DANGEROUS_URL_SCHEMES.includes(new URL(value).protocol);
+	return !DANGEROUS_URL_SCHEMES.includes(parsed.protocol);
 }