@better-auth/core 1.6.16 → 1.6.17

package/src/social-providers/wechat.ts

@@ -200,7 +200,14 @@ export const wechat = (options: WeChatOptions) => {
 				user: {
 					id: profile.unionid || profile.openid || openid,
 					name: profile.nickname,
-					email: profile.email || null,
+					// WeChat does not return an email, and the OAuth callback rejects a
+					// missing one, so the default sign-in would always fail. Synthesize a
+					// stable, non-routable placeholder (RFC 2606 `.invalid`) keyed to the
+					// user's WeChat id, left unverified. Applications that collect a real
+					// email override it via `mapProfileToUser`.
+					email:
+						profile.email ||
+						`${profile.unionid || profile.openid || openid}@wechat.invalid`,
 					image: profile.headimgurl,
 					emailVerified: false,
 					...userMap,

package/src/types/context.ts

@@ -237,6 +237,23 @@ export interface InternalAdapter<
 	 */
 	consumeVerificationValue(identifier: string): Promise<Verification | null>;
 
+	/**
+	 * First-writer-wins create keyed by a deterministic primary key derived from
+	 * `identifier`. Returns `true` when this caller created the row and `false`
+	 * when a row for the same identifier already existed.
+	 *
+	 * The dual of `consumeVerificationValue`: reserve races to create a marker
+	 * exactly once, where consume races to delete one exactly once. Use it for
+	 * replay tombstones (a SAML assertion id, a JWT `jti`) where the first caller
+	 * wins. The database path is atomic via the primary key; the
+	 * secondary-storage-only path is best-effort under concurrency.
+	 */
+	reserveVerificationValue(data: {
+		identifier: string;
+		value: string;
+		expiresAt: Date;
+	}): Promise<boolean>;
+
 	updateVerificationByIdentifier(
 		identifier: string,
 		data: Partial<Verification>,

package/src/types/init-options.ts

@@ -101,6 +101,32 @@ export interface BetterAuthRateLimitStorage {
 		value: RateLimit,
 		update?: boolean | undefined,
 	) => Promise<void>;
+	/**
+	 * Atomically records one request against `key` within the `window`
+	 * (in seconds) and reports whether it is allowed.
+	 *
+	 * When `allowed` is true the request was counted within the active window;
+	 * when `allowed` is false the limit was already reached and `retryAfter` is
+	 * the number of seconds until the window frees up. Whether the window slides
+	 * or is fixed depends on the backing storage: the database backend resets
+	 * once the window elapses, while secondary storage uses a fixed time-to-live
+	 * set when the window first opens.
+	 *
+	 * Performing the check and the increment in a single step closes the
+	 * concurrent-bypass gap of the separate `get`/`set` path: N simultaneous
+	 * requests can no longer all pass a stale read before any increment lands.
+	 *
+	 * Optional for backwards compatibility. A storage without it falls back to
+	 * the legacy non-atomic `get`/`set` path, which is best-effort under
+	 * concurrency.
+	 *
+	 * TODO(rate-limit-consume-required): make this the sole required member on
+	 * `next`, dropping `get`/`set` and the non-atomic fallback.
+	 */
+	consume?: (
+		key: string,
+		rule: { window: number; max: number },
+	) => Promise<{ allowed: boolean; retryAfter: number | null }>;
 }
 
 export type BetterAuthRateLimitRule = {

package/src/utils/host.ts

@@ -235,6 +235,10 @@ function classifyIPv6(expanded: string): HostKind {
 
 	if (expanded.startsWith("2001:0db8:")) return "documentation";
 
+	// 2001:2::/48 — Benchmarking (RFC 5180). A specific non-globally-reachable
+	// block inside the otherwise-mixed 2001::/23 protocol-assignments space.
+	if (expanded.startsWith("2001:0002:0000:")) return "benchmarking";
+
 	if (expanded.startsWith("2002:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 1);
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
@@ -247,6 +251,10 @@ function classifyIPv6(expanded: string): HostKind {
 		return "reserved";
 	}
 
+	// 64:ff9b:1::/48 — Local-Use IPv4/IPv6 Translation (RFC 8215). Distinct from
+	// the well-known NAT64 /96 prefix above and not globally reachable.
+	if (expanded.startsWith("0064:ff9b:0001:")) return "reserved";
+
 	if (expanded.startsWith("2001:0000:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 6, { xor: true });
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
@@ -255,6 +263,13 @@ function classifyIPv6(expanded: string): HostKind {
 
 	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
 
+	// 3fff::/20 — Documentation (RFC 9637). The /20 fixes the first 16 bits to
+	// `3fff` and the next nibble to 0, so only `3fff:0xxx` is in range.
+	if (expanded.startsWith("3fff:0")) return "documentation";
+
+	// 5f00::/16 — SRv6 SIDs (RFC 9602), not globally reachable.
+	if (expanded.startsWith("5f00:")) return "reserved";
+
 	return "public";
 }
 

package/src/utils/url.ts

@@ -25,18 +25,24 @@ export function normalizePathname(
 		return "/";
 	}
 
-	if (basePath === "/" || basePath === "") {
+	// Canonicalize the basePath the same way as the request pathname. A baseURL
+	// with a trailing slash yields a basePath like "/api/auth/"; without this it
+	// would never match the slash-stripped pathname and the prefix would leak
+	// through to disabledPaths and rate-limit special-rule matching.
+	const normalizedBasePath = basePath.replace(/\/+$/, "");
+
+	if (normalizedBasePath === "") {
 		return pathname;
 	}
 
 	// Check for exact match or proper path boundary (basePath followed by "/" or end)
 	// This prevents "/api/auth" from matching "/api/authevil/..."
-	if (pathname === basePath) {
+	if (pathname === normalizedBasePath) {
 		return "/";
 	}
 
-	if (pathname.startsWith(basePath + "/")) {
-		return pathname.slice(basePath.length).replace(/\/+$/, "") || "/";
+	if (pathname.startsWith(normalizedBasePath + "/")) {
+		return pathname.slice(normalizedBasePath.length).replace(/\/+$/, "") || "/";
 	}
 
 	return pathname;