@better-auth/sso 1.6.16 → 1.6.18

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-DbZYHOJt.mjs";
+import { t as SSOPlugin } from "./index-D9brFUE1.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-KncHedVM.mjs";
+import { t as PACKAGE_VERSION } from "./version-DMVLEsxG.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/{index-DbZYHOJt.d.mts → index-D9brFUE1.d.mts}

@@ -1359,7 +1359,7 @@ declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEn
   allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
 }, void>;
 declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
-  method: ("POST" | "GET")[];
+  method: ("GET" | "POST")[];
   body: z.ZodOptional<z.ZodObject<{
     SAMLResponse: z.ZodString;
     RelayState: z.ZodOptional<z.ZodString>;
@@ -1410,7 +1410,7 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
   };
 }, never>;
 declare const sloEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/slo/:providerId", {
-  method: ("POST" | "GET")[];
+  method: ("GET" | "POST")[];
   body: z.ZodOptional<z.ZodObject<{
     SAMLRequest: z.ZodOptional<z.ZodString>;
     SAMLResponse: z.ZodOptional<z.ZodString>;

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DbZYHOJt.mjs";
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-D9brFUE1.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-KncHedVM.mjs";
+import { t as PACKAGE_VERSION } from "./version-DMVLEsxG.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
@@ -24,8 +24,6 @@ import samlifyDefault from "samlify";
 */
 /** Prefix for AuthnRequest IDs used in InResponseTo validation */
 const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
-/** Prefix for used Assertion IDs used in replay protection */
-const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
 /** Prefix for SAML session data (NameID + SessionIndex) for SLO */
 const SAML_SESSION_KEY_PREFIX = "saml-session:";
 /** Prefix for reverse lookup of SAML session by Better Auth session ID */
@@ -86,6 +84,16 @@ const domainMatches = (searchDomain, domainList) => {
 	return domainList.split(",").map((d) => d.trim().toLowerCase()).filter(Boolean).some((d) => search === d || search.endsWith(`.${d}`));
 };
 /**
+* Strictly parse a provider-supplied email-verification claim.
+*
+* OIDC userInfo, OIDC id-token, and SAML attribute values are frequently
+* strings, so a loose `Boolean(value)` or truthy fallback treats the string
+* `"false"` as verified. Only a boolean `true` or the exact string `"true"`
+* count as verified; every other value, including `"false"`, `"0"`, `""`,
+* numbers, arrays, and objects, is unverified.
+*/
+const parseProviderEmailVerified = (value) => value === true || value === "true";
+/**
 * Validates email domain against allowed domain(s).
 * Supports comma-separated domains for multi-domain SSO.
 */
@@ -211,171 +219,6 @@ async function assignOrganizationByDomain(ctx, options) {
 	});
 }
 //#endregion
-//#region src/routes/domain-verification.ts
-const DNS_LABEL_MAX_LENGTH = 63;
-const DEFAULT_TOKEN_PREFIX = "better-auth-token";
-const domainVerificationBodySchema = z.object({ providerId: z.string() });
-function getVerificationIdentifier(options, providerId) {
-	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
-}
-const requestDomainVerification = (options) => {
-	return createAuthEndpoint("/sso/request-domain-verification", {
-		method: "POST",
-		body: domainVerificationBodySchema,
-		metadata: { openapi: {
-			summary: "Request a domain verification",
-			description: "Request a domain verification for the given SSO provider",
-			responses: {
-				"404": { description: "Provider not found" },
-				"409": { description: "Domain has already been verified" },
-				"201": { description: "Domain submitted for verification" }
-			}
-		} },
-		use: [sessionMiddleware]
-	}, async (ctx) => {
-		const body = ctx.body;
-		const provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: body.providerId
-			}]
-		});
-		if (!provider) throw new APIError("NOT_FOUND", {
-			message: "Provider not found",
-			code: "PROVIDER_NOT_FOUND"
-		});
-		const userId = ctx.context.session.user.id;
-		let isOrgMember = true;
-		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
-			model: "member",
-			where: [{
-				field: "userId",
-				value: userId
-			}, {
-				field: "organizationId",
-				value: provider.organizationId
-			}]
-		}) > 0;
-		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
-			message: "User must be owner of or belong to the SSO provider organization",
-			code: "INSUFICCIENT_ACCESS"
-		});
-		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
-			message: "Domain has already been verified",
-			code: "DOMAIN_VERIFIED"
-		});
-		const identifier = getVerificationIdentifier(options, provider.providerId);
-		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
-		if (activeVerification && new Date(activeVerification.expiresAt) > /* @__PURE__ */ new Date()) {
-			ctx.setStatus(201);
-			return ctx.json({ domainVerificationToken: activeVerification.value });
-		}
-		const domainVerificationToken = generateRandomString(24);
-		await ctx.context.internalAdapter.createVerificationValue({
-			identifier,
-			value: domainVerificationToken,
-			expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
-		});
-		ctx.setStatus(201);
-		return ctx.json({ domainVerificationToken });
-	});
-};
-const verifyDomain = (options) => {
-	return createAuthEndpoint("/sso/verify-domain", {
-		method: "POST",
-		body: domainVerificationBodySchema,
-		metadata: { openapi: {
-			summary: "Verify the provider domain ownership",
-			description: "Verify the provider domain ownership via DNS records",
-			responses: {
-				"404": { description: "Provider not found" },
-				"409": { description: "Domain has already been verified or no pending verification exists" },
-				"502": { description: "Unable to verify domain ownership due to upstream validator error" },
-				"204": { description: "Domain ownership was verified" }
-			}
-		} },
-		use: [sessionMiddleware]
-	}, async (ctx) => {
-		const body = ctx.body;
-		const provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: body.providerId
-			}]
-		});
-		if (!provider) throw new APIError("NOT_FOUND", {
-			message: "Provider not found",
-			code: "PROVIDER_NOT_FOUND"
-		});
-		const userId = ctx.context.session.user.id;
-		let isOrgMember = true;
-		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
-			model: "member",
-			where: [{
-				field: "userId",
-				value: userId
-			}, {
-				field: "organizationId",
-				value: provider.organizationId
-			}]
-		}) > 0;
-		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
-			message: "User must be owner of or belong to the SSO provider organization",
-			code: "INSUFICCIENT_ACCESS"
-		});
-		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
-			message: "Domain has already been verified",
-			code: "DOMAIN_VERIFIED"
-		});
-		const identifier = getVerificationIdentifier(options, provider.providerId);
-		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
-			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
-			code: "IDENTIFIER_TOO_LONG"
-		});
-		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
-		if (!activeVerification || new Date(activeVerification.expiresAt) <= /* @__PURE__ */ new Date()) throw new APIError("NOT_FOUND", {
-			message: "No pending domain verification exists",
-			code: "NO_PENDING_VERIFICATION"
-		});
-		let records = [];
-		let dns;
-		try {
-			dns = await import("node:dns/promises");
-		} catch (error) {
-			ctx.context.logger.error("The core node:dns module is required for the domain verification feature", error);
-			throw new APIError("INTERNAL_SERVER_ERROR", {
-				message: "Unable to verify domain ownership due to server error",
-				code: "DOMAIN_VERIFICATION_FAILED"
-			});
-		}
-		const hostname = getHostnameFromDomain(provider.domain);
-		if (!hostname) throw new APIError("BAD_REQUEST", {
-			message: "Invalid domain",
-			code: "INVALID_DOMAIN"
-		});
-		try {
-			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
-		} catch (error) {
-			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
-		}
-		if (!records.find((record) => record.includes(`${activeVerification.identifier}=${activeVerification.value}`))) throw new APIError("BAD_GATEWAY", {
-			message: "Unable to verify domain ownership. Try again later",
-			code: "DOMAIN_VERIFICATION_FAILED"
-		});
-		await ctx.context.adapter.update({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: provider.providerId
-			}],
-			update: { domainVerified: true }
-		});
-		ctx.setStatus(204);
-	});
-};
-//#endregion
 //#region src/oidc/types.ts
 /**
 * Custom error class for OIDC discovery failures.
@@ -1505,6 +1348,119 @@ const deleteSSOProvider = () => {
 	});
 };
 //#endregion
+//#region src/routes/domain-verification.ts
+const DNS_LABEL_MAX_LENGTH = 63;
+const DEFAULT_TOKEN_PREFIX = "better-auth-token";
+const domainVerificationBodySchema = z.object({ providerId: z.string() });
+function getVerificationIdentifier(options, providerId) {
+	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
+}
+const requestDomainVerification = (options) => {
+	return createAuthEndpoint("/sso/request-domain-verification", {
+		method: "POST",
+		body: domainVerificationBodySchema,
+		metadata: { openapi: {
+			summary: "Request a domain verification",
+			description: "Request a domain verification for the given SSO provider",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified" },
+				"201": { description: "Domain submitted for verification" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await checkProviderAccess(ctx, body.providerId);
+		if (provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
+		if (activeVerification && new Date(activeVerification.expiresAt) > /* @__PURE__ */ new Date()) {
+			ctx.setStatus(201);
+			return ctx.json({ domainVerificationToken: activeVerification.value });
+		}
+		const domainVerificationToken = generateRandomString(24);
+		await ctx.context.internalAdapter.createVerificationValue({
+			identifier,
+			value: domainVerificationToken,
+			expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
+		});
+		ctx.setStatus(201);
+		return ctx.json({ domainVerificationToken });
+	});
+};
+const verifyDomain = (options) => {
+	return createAuthEndpoint("/sso/verify-domain", {
+		method: "POST",
+		body: domainVerificationBodySchema,
+		metadata: { openapi: {
+			summary: "Verify the provider domain ownership",
+			description: "Verify the provider domain ownership via DNS records",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified or no pending verification exists" },
+				"502": { description: "Unable to verify domain ownership due to upstream validator error" },
+				"204": { description: "Domain ownership was verified" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await checkProviderAccess(ctx, body.providerId);
+		if (provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
+			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
+			code: "IDENTIFIER_TOO_LONG"
+		});
+		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
+		if (!activeVerification || new Date(activeVerification.expiresAt) <= /* @__PURE__ */ new Date()) throw new APIError("NOT_FOUND", {
+			message: "No pending domain verification exists",
+			code: "NO_PENDING_VERIFICATION"
+		});
+		let records = [];
+		let dns;
+		try {
+			dns = await import("node:dns/promises");
+		} catch (error) {
+			ctx.context.logger.error("The core node:dns module is required for the domain verification feature", error);
+			throw new APIError("INTERNAL_SERVER_ERROR", {
+				message: "Unable to verify domain ownership due to server error",
+				code: "DOMAIN_VERIFICATION_FAILED"
+			});
+		}
+		const hostname = getHostnameFromDomain(provider.domain);
+		if (!hostname) throw new APIError("BAD_REQUEST", {
+			message: "Invalid domain",
+			code: "INVALID_DOMAIN"
+		});
+		try {
+			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
+		} catch (error) {
+			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
+		}
+		if (!records.find((record) => record.includes(`${activeVerification.identifier}=${activeVerification.value}`))) throw new APIError("BAD_GATEWAY", {
+			message: "Unable to verify domain ownership. Try again later",
+			code: "DOMAIN_VERIFICATION_FAILED"
+		});
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: provider.providerId
+			}],
+			update: { domainVerified: true }
+		});
+		ctx.setStatus(204);
+	});
+};
+//#endregion
 //#region src/saml/error-codes.ts
 const SAML_ERROR_CODES = defineErrorCodes({
 	SINGLE_LOGOUT_NOT_ENABLED: "Single Logout is not enabled",
@@ -1835,26 +1791,8 @@ async function processSAMLResponse(ctx, params, options) {
 		const conditions = extract.conditions;
 		const clockSkew = options?.saml?.clockSkew ?? 3e5;
 		const expiresAt = conditions?.notOnOrAfter ? new Date(conditions.notOnOrAfter).getTime() + clockSkew : Date.now() + DEFAULT_ASSERTION_TTL_MS;
-		const existingAssertion = await ctx.context.internalAdapter.findVerificationValue(`${USED_ASSERTION_KEY_PREFIX}${assertionId}`);
-		let isReplay = false;
-		if (existingAssertion) try {
-			if (JSON.parse(existingAssertion.value).expiresAt >= Date.now()) isReplay = true;
-		} catch (error) {
-			ctx.context.logger.warn("Failed to parse stored assertion record", {
-				assertionId,
-				error
-			});
-		}
-		if (isReplay) {
-			ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
-				assertionId,
-				issuer,
-				providerId
-			});
-			throw ctx.redirect(`${samlRedirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
-		}
-		await ctx.context.internalAdapter.createVerificationValue({
-			identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionId}`,
+		if (!await ctx.context.internalAdapter.reserveVerificationValue({
+			identifier: `saml-used-assertion:${assertionId}`,
 			value: JSON.stringify({
 				assertionId,
 				issuer,
@@ -1863,7 +1801,14 @@ async function processSAMLResponse(ctx, params, options) {
 				expiresAt
 			}),
 			expiresAt: new Date(expiresAt)
-		});
+		})) {
+			ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
+				assertionId,
+				issuer,
+				providerId
+			});
+			throw ctx.redirect(`${samlRedirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+		}
 	} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId });
 	const attributes = extract.attributes || {};
 	const mapping = parsedSamlConfig.mapping ?? {};
@@ -1876,7 +1821,7 @@ async function processSAMLResponse(ctx, params, options) {
 		id: attr(mapping.id || "nameID") || extract.nameID,
 		email: (attr(mapping.email || "email") || extract.nameID || "").toLowerCase(),
 		name: [attr(mapping.firstName || "givenName"), attr(mapping.lastName || "surname")].filter(Boolean).join(" ") || attr(mapping.name || "displayName") || extract.nameID,
-		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attr(mapping.emailVerified) || false : false
+		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? parseProviderEmailVerified(attr(mapping.emailVerified)) : false
 	};
 	if (!userInfo.id || !userInfo.email) {
 		ctx.context.logger.error("Missing essential user info from SAML response", {
@@ -1897,7 +1842,7 @@ async function processSAMLResponse(ctx, params, options) {
 				email: userInfo.email,
 				name: userInfo.name || userInfo.email,
 				id: userInfo.id,
-				emailVerified: Boolean(userInfo.emailVerified)
+				emailVerified: userInfo.emailVerified
 			},
 			account: {
 				providerId,
@@ -1933,7 +1878,7 @@ async function processSAMLResponse(ctx, params, options) {
 			providerId,
 			accountId: userInfo.id,
 			email: userInfo.email,
-			emailVerified: Boolean(userInfo.emailVerified),
+			emailVerified: userInfo.emailVerified,
 			rawAttributes: attributes
 		},
 		provider,
@@ -2777,7 +2722,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, rawUserInfo[value]])),
 			id: rawUserInfo[mapping.id || "sub"],
 			email: rawUserInfo[mapping.email || "email"],
-			emailVerified: options?.trustEmailVerified ? rawUserInfo[mapping.emailVerified || "email_verified"] : false,
+			emailVerified: options?.trustEmailVerified ? parseProviderEmailVerified(rawUserInfo[mapping.emailVerified || "email_verified"]) : false,
 			name: rawUserInfo[mapping.name || "name"],
 			image: rawUserInfo[mapping.image || "picture"]
 		};
@@ -2796,7 +2741,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
 			id: idToken[mapping.id || "sub"],
 			email: idToken[mapping.email || "email"],
-			emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
+			emailVerified: options?.trustEmailVerified ? parseProviderEmailVerified(idToken[mapping.emailVerified || "email_verified"]) : false,
 			name: idToken[mapping.name || "name"],
 			image: idToken[mapping.image || "picture"]
 		};

package/dist/{version-KncHedVM.mjs → version-DMVLEsxG.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.16";
+const PACKAGE_VERSION = "1.6.18";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.6.16",
+  "version": "1.6.18",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -70,15 +70,15 @@
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.16",
-    "better-auth": "1.6.16"
+    "better-auth": "1.6.18",
+    "@better-auth/core": "1.6.18"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.2.2",
+    "@better-fetch/fetch": "1.3.0",
     "better-call": "1.3.6",
-    "@better-auth/core": "^1.6.16",
-    "better-auth": "^1.6.16"
+    "better-auth": "^1.6.18",
+    "@better-auth/core": "^1.6.18"
   },
   "scripts": {
     "build": "tsdown",