npm - @better-auth/core - Versions diffs - 1.7.0-beta.5 → 1.7.0-beta.6 - Mend

@better-auth/core 1.7.0-beta.5 → 1.7.0-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

package/dist/api/index.d.mts +44 -1
package/dist/api/index.mjs +40 -1
package/dist/context/global.mjs +1 -1
package/dist/context/transaction.d.mts +7 -4
package/dist/context/transaction.mjs +6 -3
package/dist/db/adapter/factory.mjs +56 -30
package/dist/db/adapter/index.d.mts +54 -10
package/dist/db/adapter/types.d.mts +1 -1
package/dist/db/type.d.mts +12 -7
package/dist/instrumentation/tracer.mjs +1 -1
package/dist/oauth2/dpop.d.mts +142 -0
package/dist/oauth2/dpop.mjs +246 -0
package/dist/oauth2/index.d.mts +3 -2
package/dist/oauth2/index.mjs +3 -2
package/dist/oauth2/verify.d.mts +74 -15
package/dist/oauth2/verify.mjs +172 -20
package/dist/social-providers/index.d.mts +1 -0
package/dist/social-providers/microsoft-entra-id.d.mts +10 -0
package/dist/social-providers/microsoft-entra-id.mjs +17 -2
package/dist/social-providers/reddit.mjs +1 -1
package/dist/social-providers/wechat.mjs +1 -1
package/dist/types/context.d.mts +17 -0
package/dist/types/init-options.d.mts +45 -5
package/dist/types/plugin-client.d.mts +12 -2
package/dist/utils/host.mjs +4 -0
package/dist/utils/url.mjs +4 -3
package/package.json +5 -5
package/src/api/index.ts +82 -0
package/src/context/transaction.ts +45 -12
package/src/db/adapter/factory.ts +127 -72
package/src/db/adapter/index.ts +54 -9
package/src/db/adapter/types.ts +1 -0
package/src/db/type.ts +12 -7
package/src/oauth2/dpop.ts +568 -0
package/src/oauth2/index.ts +44 -1
package/src/oauth2/verify.ts +329 -66
package/src/social-providers/microsoft-entra-id.ts +44 -1
package/src/social-providers/reddit.ts +5 -1
package/src/social-providers/wechat.ts +8 -1
package/src/types/context.ts +18 -0
package/src/types/init-options.ts +40 -8
package/src/types/plugin-client.ts +16 -2
package/src/utils/host.ts +15 -0
package/src/utils/url.ts +10 -4

package/src/types/plugin-client.ts CHANGED Viewed

@@ -6,7 +6,21 @@ import type {
 import type { Atom, WritableAtom } from "nanostores";
 import type { LiteralString } from "./helper";
 import type { BetterAuthOptions } from "./init-options";
-import type { BetterAuthPlugin } from "./plugin";
+type InferableServerPlugin = {
+	id?: LiteralString | undefined;
+	endpoints?: Record<string, unknown> | undefined;
+	schema?: Record<string, { fields: Record<string, unknown> }> | undefined;
+	$ERROR_CODES?:
+		| Record<
+				string,
+				{
+					readonly code: string;
+					message: string;
+				}
+		  >
+		| undefined;
+};
 export interface ClientStore {
 	notify: (signal: string) => void;
@@ -84,7 +98,7 @@ export interface BetterAuthClientPlugin {
 	 * only used for type inference. don't pass the
 	 * actual plugin
 	 */
-	$InferServerPlugin?: BetterAuthPlugin | undefined;
+	$InferServerPlugin?: InferableServerPlugin | undefined;
 	/**
 	 * Custom actions
 	 */

package/src/utils/host.ts CHANGED Viewed

@@ -235,6 +235,10 @@ function classifyIPv6(expanded: string): HostKind {
 	if (expanded.startsWith("2001:0db8:")) return "documentation";
+	// 2001:2::/48 — Benchmarking (RFC 5180). A specific non-globally-reachable
+	// block inside the otherwise-mixed 2001::/23 protocol-assignments space.
+	if (expanded.startsWith("2001:0002:0000:")) return "benchmarking";
 	if (expanded.startsWith("2002:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 1);
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
@@ -247,6 +251,10 @@ function classifyIPv6(expanded: string): HostKind {
 		return "reserved";
 	}
+	// 64:ff9b:1::/48 — Local-Use IPv4/IPv6 Translation (RFC 8215). Distinct from
+	// the well-known NAT64 /96 prefix above and not globally reachable.
+	if (expanded.startsWith("0064:ff9b:0001:")) return "reserved";
 	if (expanded.startsWith("2001:0000:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 6, { xor: true });
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
@@ -255,6 +263,13 @@ function classifyIPv6(expanded: string): HostKind {
 	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
+	// 3fff::/20 — Documentation (RFC 9637). The /20 fixes the first 16 bits to
+	// `3fff` and the next nibble to 0, so only `3fff:0xxx` is in range.
+	if (expanded.startsWith("3fff:0")) return "documentation";
+	// 5f00::/16 — SRv6 SIDs (RFC 9602), not globally reachable.
+	if (expanded.startsWith("5f00:")) return "reserved";
 	return "public";
 }

package/src/utils/url.ts CHANGED Viewed

@@ -25,18 +25,24 @@ export function normalizePathname(
 		return "/";
 	}
-	if (basePath === "/" || basePath === "") {
+	// Canonicalize the basePath the same way as the request pathname. A baseURL
+	// with a trailing slash yields a basePath like "/api/auth/"; without this it
+	// would never match the slash-stripped pathname and the prefix would leak
+	// through to disabledPaths and rate-limit special-rule matching.
+	const normalizedBasePath = basePath.replace(/\/+$/, "");
+	if (normalizedBasePath === "") {
 		return pathname;
 	}
 	// Check for exact match or proper path boundary (basePath followed by "/" or end)
 	// This prevents "/api/auth" from matching "/api/authevil/..."
-	if (pathname === basePath) {
+	if (pathname === normalizedBasePath) {
 		return "/";
 	}
-	if (pathname.startsWith(basePath + "/")) {
-		return pathname.slice(basePath.length).replace(/\/+$/, "") || "/";
+	if (pathname.startsWith(normalizedBasePath + "/")) {
+		return pathname.slice(normalizedBasePath.length).replace(/\/+$/, "") || "/";
 	}
 	return pathname;