better-auth 1.6.3 → 1.6.5

package/dist/client/config.mjs

@@ -67,7 +67,7 @@ const getClientConfig = (options, loadEnv) => {
 	const atomListeners = [{
 		signal: "$sessionSignal",
 		matcher(path) {
-			return path === "/sign-out" || path === "/update-user" || path === "/update-session" || path === "/sign-up/email" || path === "/sign-in/email" || path === "/delete-user" || path === "/verify-email" || path === "/revoke-sessions" || path === "/revoke-session" || path === "/change-email";
+			return path === "/sign-out" || path === "/update-user" || path === "/update-session" || path === "/sign-up/email" || path === "/sign-in/email" || path === "/delete-user" || path === "/verify-email" || path === "/revoke-sessions" || path === "/revoke-session" || path === "/revoke-other-sessions" || path === "/change-email" || path === "/change-password";
 		},
 		callback(path) {
 			if (path === "/sign-out") broadcastSessionUpdate("signout");

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.3";
+var version = "1.6.5";
 //#endregion
 export { version };

package/dist/plugins/test-utils/index.d.mts

@@ -18,19 +18,28 @@ declare module "@better-auth/core" {
  * - Auth helpers (login, getAuthHeaders, getCookies)
  * - OTP capture (when captureOTP: true)
  *
+ * This plugin does not register public HTTP routes or API endpoints, but it does
+ * expose privileged helpers on `ctx.test` for creating sessions and mutating data.
+ * Prefer including it in a test-only auth instance such as `auth.test.ts` instead
+ * of a production auth config.
+ *
+ * If you conditionally spread it into `plugins`, TypeScript may stop inferring
+ * `ctx.test` correctly. A separate test-only auth instance keeps the helpers
+ * typed without adding the plugin to your production auth config.
+ *
  * @example
  * ```ts
  * import { betterAuth } from "better-auth";
  * import { testUtils } from "better-auth/plugins";
  *
- * export const auth = betterAuth({
+ * export const testAuth = betterAuth({
  *   plugins: [
  *     testUtils({ captureOTP: true }),
  *   ],
  * });
  *
  * // In tests, access helpers via context:
- * const ctx = await auth.$context;
+ * const ctx = await testAuth.$context;
  * const test = ctx.test;
  *
  * const user = test.createUser({ email: "test@example.com" });

package/dist/plugins/test-utils/index.mjs

@@ -13,19 +13,28 @@ import { createOTPStore } from "./otp-sink.mjs";
 * - Auth helpers (login, getAuthHeaders, getCookies)
 * - OTP capture (when captureOTP: true)
 *
+* This plugin does not register public HTTP routes or API endpoints, but it does
+* expose privileged helpers on `ctx.test` for creating sessions and mutating data.
+* Prefer including it in a test-only auth instance such as `auth.test.ts` instead
+* of a production auth config.
+*
+* If you conditionally spread it into `plugins`, TypeScript may stop inferring
+* `ctx.test` correctly. A separate test-only auth instance keeps the helpers
+* typed without adding the plugin to your production auth config.
+*
 * @example
 * ```ts
 * import { betterAuth } from "better-auth";
 * import { testUtils } from "better-auth/plugins";
 *
-* export const auth = betterAuth({
+* export const testAuth = betterAuth({
 *   plugins: [
 *     testUtils({ captureOTP: true }),
 *   ],
 * });
 *
 * // In tests, access helpers via context:
-* const ctx = await auth.$context;
+* const ctx = await testAuth.$context;
 * const test = ctx.test;
 *
 * const user = test.createUser({ email: "test@example.com" });

package/dist/plugins/two-factor/index.mjs

@@ -189,13 +189,12 @@ const twoFactor = (options) => {
 		options,
 		hooks: { after: [{
 			matcher(context) {
-				return context.context.newSession != null && !context.path?.startsWith("/two-factor/");
+				return context.path === "/sign-in/email" || context.path === "/sign-in/username" || context.path === "/sign-in/phone-number";
 			},
 			handler: createAuthMiddleware(async (ctx) => {
 				const data = ctx.context.newSession;
 				if (!data) return;
 				if (!data?.user.twoFactorEnabled) return;
-				if (ctx.context.session) return;
 				const trustDeviceCookieAttrs = ctx.context.createAuthCookie(TRUST_DEVICE_COOKIE_NAME, { maxAge: trustDeviceMaxAge });
 				const trustDeviceCookie = await ctx.getSignedCookie(trustDeviceCookieAttrs.name, ctx.context.secret);
 				if (trustDeviceCookie) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.3",
+  "version": "1.6.5",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.3",
-    "@better-auth/drizzle-adapter": "1.6.3",
-    "@better-auth/kysely-adapter": "1.6.3",
-    "@better-auth/memory-adapter": "1.6.3",
-    "@better-auth/mongo-adapter": "1.6.3",
-    "@better-auth/prisma-adapter": "1.6.3",
-    "@better-auth/telemetry": "1.6.3"
+    "@better-auth/core": "1.6.5",
+    "@better-auth/drizzle-adapter": "1.6.5",
+    "@better-auth/kysely-adapter": "1.6.5",
+    "@better-auth/memory-adapter": "1.6.5",
+    "@better-auth/mongo-adapter": "1.6.5",
+    "@better-auth/prisma-adapter": "1.6.5",
+    "@better-auth/telemetry": "1.6.5"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",
@@ -512,7 +512,7 @@
     "happy-dom": "^20.8.9",
     "listhen": "^1.9.0",
     "msw": "^2.12.10",
-    "next": "^16.2.0",
+    "next": "^16.2.3",
     "oauth2-mock-server": "^8.2.2",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
@@ -531,7 +531,7 @@
     "@tanstack/solid-start": "^1.0.0",
     "better-sqlite3": "^12.0.0",
     "drizzle-kit": ">=0.31.4",
-    "drizzle-orm": ">=0.41.0",
+    "drizzle-orm": "^0.45.2",
     "mongodb": "^6.0.0 || ^7.0.0",
     "mysql2": "^3.0.0",
     "next": "^14.0.0 || ^15.0.0 || ^16.0.0",