npm - better-auth - Versions diffs - 1.6.4 → 1.6.6 - Mend

better-auth 1.6.4 → 1.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/client/config.mjs +1 -1
package/dist/context/helpers.mjs +2 -1
package/dist/cookies/cookie-utils.d.mts +13 -1
package/dist/cookies/cookie-utils.mjs +16 -1
package/dist/cookies/index.d.mts +2 -2
package/dist/cookies/index.mjs +2 -2
package/dist/integrations/next-js.mjs +2 -10
package/dist/integrations/svelte-kit.mjs +5 -10
package/dist/integrations/tanstack-start-solid.mjs +2 -10
package/dist/integrations/tanstack-start.mjs +2 -10
package/dist/package.mjs +1 -1
package/dist/plugins/custom-session/index.d.mts +6 -5
package/dist/plugins/custom-session/index.mjs +3 -15
package/dist/plugins/organization/organization.d.mts +6 -6
package/dist/plugins/phone-number/index.d.mts +30 -0
package/dist/plugins/phone-number/index.mjs +9 -1
package/dist/plugins/test-utils/index.d.mts +11 -2
package/dist/plugins/test-utils/index.mjs +11 -2
package/dist/utils/url.mjs +16 -5
package/package.json +8 -8

package/dist/client/config.mjs CHANGED Viewed

@@ -67,7 +67,7 @@ const getClientConfig = (options, loadEnv) => {
 	const atomListeners = [{
 		signal: "$sessionSignal",
 		matcher(path) {
-			return path === "/sign-out" || path === "/update-user" || path === "/update-session" || path === "/sign-up/email" || path === "/sign-in/email" || path === "/delete-user" || path === "/verify-email" || path === "/revoke-sessions" || path === "/revoke-session" || path === "/change-email";
+			return path === "/sign-out" || path === "/update-user" || path === "/update-session" || path === "/sign-up/email" || path === "/sign-in/email" || path === "/delete-user" || path === "/verify-email" || path === "/revoke-sessions" || path === "/revoke-session" || path === "/revoke-other-sessions" || path === "/change-email" || path === "/change-password";
 		},
 		callback(path) {
 			if (path === "/sign-out") broadcastSessionUpdate("signout");

package/dist/context/helpers.mjs CHANGED Viewed

@@ -5,6 +5,7 @@ import { createInternalAdapter } from "../db/internal-adapter.mjs";
 import { env } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 import { defu } from "defu";
+import { isLoopbackHost } from "@better-auth/core/utils/host";
 //#region src/context/helpers.ts
 async function runPluginInit(context) {
 	let options = context.options;
@@ -62,7 +63,7 @@ async function getTrustedOrigins(options, request) {
 		const allowedHosts = options.baseURL.allowedHosts;
 		for (const host of allowedHosts) if (!host.includes("://")) {
 			trustedOrigins.push(`https://${host}`);
-			if (host.includes("localhost") || host.includes("127.0.0.1")) trustedOrigins.push(`http://${host}`);
+			if (isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
 		} else trustedOrigins.push(host);
 		if (options.baseURL.fallback) try {
 			trustedOrigins.push(new URL(options.baseURL.fallback).origin);

package/dist/cookies/cookie-utils.d.mts CHANGED Viewed

@@ -7,9 +7,20 @@ interface CookieAttributes {
   path?: string | undefined;
   secure?: boolean | undefined;
   httponly?: boolean | undefined;
+  partitioned?: boolean | undefined;
   samesite?: ("strict" | "lax" | "none") | undefined;
   [key: string]: any;
 }
+interface ParsedCookieOptions {
+  maxAge?: number | undefined;
+  expires?: Date | undefined;
+  domain?: string | undefined;
+  path?: string | undefined;
+  secure?: boolean | undefined;
+  httpOnly?: boolean | undefined;
+  partitioned?: boolean | undefined;
+  sameSite?: CookieAttributes["samesite"];
+}
 declare const SECURE_COOKIE_PREFIX = "__Secure-";
 declare const HOST_COOKIE_PREFIX = "__Host-";
 /**
@@ -21,8 +32,9 @@ declare function stripSecureCookiePrefix(cookieName: string): string;
  */
 declare function splitSetCookieHeader(setCookie: string): string[];
 declare function parseSetCookieHeader(setCookie: string): Map<string, CookieAttributes>;
+declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOptions;
 declare function setCookieToHeader(headers: Headers): (context: {
   response: Response;
 }) => void;
 //#endregion
-export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix };
+export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/cookie-utils.mjs CHANGED Viewed

@@ -78,6 +78,9 @@ function parseSetCookieHeader(setCookie) {
 				case "samesite":
 					attrObj.samesite = attrValue ? attrValue.trim().toLowerCase() : void 0;
 					break;
+				case "partitioned":
+					attrObj.partitioned = true;
+					break;
 				default:
 					attrObj[normalizedAttrName] = attrValue ? attrValue.trim() : true;
 					break;
@@ -87,6 +90,18 @@ function parseSetCookieHeader(setCookie) {
 	});
 	return cookies;
 }
+function toCookieOptions(attributes) {
+	return {
+		maxAge: attributes["max-age"],
+		expires: attributes.expires,
+		domain: attributes.domain,
+		path: attributes.path,
+		secure: attributes.secure,
+		httpOnly: attributes.httponly,
+		sameSite: attributes.samesite,
+		partitioned: attributes.partitioned
+	};
+}
 function setCookieToHeader(headers) {
 	return (context) => {
 		const setCookieHeader = context.response.headers.get("set-cookie");
@@ -104,4 +119,4 @@ function setCookieToHeader(headers) {
 	};
 }
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { Session, User } from "../types/models.mjs";
-import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix } from "./cookie-utils.mjs";
+import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createSessionStore, getAccountCookie, getChunkedCookie } from "./session-store.mjs";
 import { BetterAuthCookie, BetterAuthCookies, BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import * as better_call0 from "better-call";
@@ -116,4 +116,4 @@ declare const getCookieCache: <S extends {
   version?: string | ((session: Session & Record<string, any>, user: User & Record<string, any>) => string) | ((session: Session & Record<string, any>, user: User & Record<string, any>) => Promise<string>);
 } | undefined) => Promise<S | null>;
 //#endregion
-export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix };
+export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.mjs CHANGED Viewed

@@ -4,7 +4,7 @@ import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { sec } from "../utils/time.mjs";
-import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix } from "./cookie-utils.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -258,4 +258,4 @@ const getCookieCache = async (request, config) => {
 	return null;
 };
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/integrations/next-js.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { setShouldSkipSessionRefresh } from "../api/state/should-session-refresh.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
@@ -70,16 +70,8 @@ const nextCookies = () => {
 						}
 						parsed.forEach((value, key) => {
 							if (!key) return;
-							const opts = {
-								sameSite: value.samesite,
-								secure: value.secure,
-								maxAge: value["max-age"],
-								httpOnly: value.httponly,
-								domain: value.domain,
-								path: value.path
-							};
 							try {
-								cookieHelper.set(key, value.value, opts);
+								cookieHelper.set(key, value.value, toCookieOptions(value));
 							} catch {}
 						});
 						return;

package/dist/integrations/svelte-kit.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/svelte-kit.ts
@@ -36,15 +36,10 @@ const sveltekitCookies = (getRequestEvent) => {
 					const event = getRequestEvent();
 					if (!event) return;
 					const parsed = parseSetCookieHeader(setCookies);
-					for (const [name, { value, ...ops }] of parsed) try {
-						event.cookies.set(name, value, {
-							sameSite: ops.samesite,
-							path: ops.path || "/",
-							expires: ops.expires,
-							secure: ops.secure,
-							httpOnly: ops.httponly,
-							domain: ops.domain,
-							maxAge: ops["max-age"]
+					for (const [name, attributes] of parsed) try {
+						event.cookies.set(name, attributes.value, {
+							...toCookieOptions(attributes),
+							path: attributes.path || "/"
 						});
 					} catch {}
 				}

package/dist/integrations/tanstack-start-solid.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/tanstack-start-solid.ts
@@ -37,16 +37,8 @@ const tanstackStartCookies = () => {
 					const { setCookie } = await import("@tanstack/solid-start/server");
 					parsed.forEach((value, key) => {
 						if (!key) return;
-						const opts = {
-							sameSite: value.samesite,
-							secure: value.secure,
-							maxAge: value["max-age"],
-							httpOnly: value.httponly,
-							domain: value.domain,
-							path: value.path
-						};
 						try {
-							setCookie(key, value.value, opts);
+							setCookie(key, value.value, toCookieOptions(value));
 						} catch {}
 					});
 					return;

package/dist/integrations/tanstack-start.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../version.mjs";
 import { createAuthMiddleware } from "@better-auth/core/api";
 //#region src/integrations/tanstack-start.ts
@@ -37,16 +37,8 @@ const tanstackStartCookies = () => {
 					const { setCookie } = await import("@tanstack/react-start/server");
 					parsed.forEach((value, key) => {
 						if (!key) return;
-						const opts = {
-							sameSite: value.samesite,
-							secure: value.secure,
-							maxAge: value["max-age"],
-							httpOnly: value.httponly,
-							domain: value.domain,
-							path: value.path
-						};
 						try {
-							setCookie(key, value.value, opts);
+							setCookie(key, value.value, toCookieOptions(value));
 						} catch {}
 					});
 					return;

package/dist/package.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.4";
+var version = "1.6.6";
 //#endregion
 export { version };

package/dist/plugins/custom-session/index.d.mts CHANGED Viewed

@@ -2,7 +2,8 @@ import * as _better_auth_core0 from "@better-auth/core";
 import { BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import { Session, User } from "@better-auth/core/db";
 import * as better_call0 from "better-call";
-import * as z from "zod";
+import * as zod from "zod";
+import * as zod_v4_core0 from "zod/v4/core";
 //#region src/plugins/custom-session/index.d.ts
 declare module "@better-auth/core" {
@@ -34,10 +35,10 @@ declare const customSession: <Returns extends Record<string, any>, O extends Bet
   endpoints: {
     getSession: better_call0.StrictEndpoint<"/get-session", {
       method: "GET";
-      query: z.ZodOptional<z.ZodObject<{
-        disableCookieCache: z.ZodOptional<z.ZodUnion<[z.ZodBoolean, z.ZodPipe<z.ZodString, z.ZodTransform<boolean, string>>]>>;
-        disableRefresh: z.ZodOptional<z.ZodBoolean>;
-      }, z.core.$strip>>;
+      query: zod.ZodOptional<zod.ZodObject<{
+        disableCookieCache: zod.ZodOptional<zod.ZodCoercedBoolean<unknown>>;
+        disableRefresh: zod.ZodOptional<zod.ZodCoercedBoolean<unknown>>;
+      }, zod_v4_core0.$strip>>;
       metadata: {
         CUSTOM_SESSION: boolean;
         openapi: {

package/dist/plugins/custom-session/index.mjs CHANGED Viewed

@@ -1,14 +1,10 @@
-import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { parseSetCookieHeader, toCookieOptions } from "../../cookies/cookie-utils.mjs";
+import { getSessionQuerySchema } from "../../cookies/session-store.mjs";
 import { getSession } from "../../api/routes/session.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { getEndpointResponse } from "../../utils/plugin-helper.mjs";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
-import * as z from "zod";
 //#region src/plugins/custom-session/index.ts
-const getSessionQuerySchema = z.optional(z.object({
-	disableCookieCache: z.boolean().meta({ description: "Disable cookie cache and fetch session from database" }).or(z.string().transform((v) => v === "true")).optional(),
-	disableRefresh: z.boolean().meta({ description: "Disable session refresh. Useful for checking session status, without updating the session" }).optional()
-}));
 const customSession = (fn, options, pluginOptions) => {
 	return {
 		id: "custom-session",
@@ -53,15 +49,7 @@ const customSession = (fn, options, pluginOptions) => {
 			if (!session?.response) return ctx.json(null);
 			const fnResult = await fn(session.response, ctx);
 			for (const cookieStr of session.headers.getSetCookie()) parseSetCookieHeader(cookieStr).forEach((attrs, name) => {
-				ctx.setCookie(name, attrs.value, {
-					maxAge: attrs["max-age"],
-					expires: attrs.expires,
-					domain: attrs.domain,
-					path: attrs.path,
-					secure: attrs.secure,
-					httpOnly: attrs.httponly,
-					sameSite: attrs.samesite
-				});
+				ctx.setCookie(name, attrs.value, toCookieOptions(attrs));
 			});
 			session.headers.delete("set-cookie");
 			session.headers.forEach((value, key) => {

package/dist/plugins/organization/organization.d.mts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { AccessControl, ArrayElement, Statements } from "../access/types.mjs";
 import { OrganizationOptions } from "./types.mjs";
-import { InferInvitation, InferMember, InferOrganization, InferTeam, OrganizationSchema, Team, TeamMember } from "./schema.mjs";
+import { InferInvitation, InferMember, InferOrganization, InferTeam, OrganizationSchema, TeamMember } from "./schema.mjs";
 import { ORGANIZATION_ERROR_CODES } from "./error-codes.mjs";
 import { createOrgRole, deleteOrgRole, getOrgRole, listOrgRoles, updateOrgRole } from "./routes/crud-access-control.mjs";
 import { acceptInvitation, cancelInvitation, createInvitation, getInvitation, listInvitations, listUserInvitations, rejectInvitation } from "./routes/crud-invites.mjs";
@@ -30,7 +30,7 @@ type DefaultOrganizationPlugin<Options extends OrganizationOptions> = {
     Member: InferMember<Options>;
     Team: Options["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<Options> : never;
     TeamMember: Options["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -249,7 +249,7 @@ type OrganizationPlugin<O extends OrganizationOptions> = {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -300,7 +300,7 @@ declare function organization<O extends OrganizationOptions & {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -336,7 +336,7 @@ declare function organization<O extends OrganizationOptions & {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;
@@ -372,7 +372,7 @@ declare function organization<O extends OrganizationOptions & {
     Member: InferMember<O>;
     Team: O["teams"] extends {
       enabled: true;
-    } ? Team : never;
+    } ? InferTeam<O> : never;
     TeamMember: O["teams"] extends {
       enabled: true;
     } ? TeamMember : never;

package/dist/plugins/phone-number/index.d.mts CHANGED Viewed

@@ -16,6 +16,36 @@ declare module "@better-auth/core" {
 declare const phoneNumber: (options?: PhoneNumberOptions | undefined) => {
   id: "phone-number";
   version: string;
+  init(): {
+    options: {
+      databaseHooks: {
+        user: {
+          update: {
+            before(data: Partial<{
+              id: string;
+              createdAt: Date;
+              updatedAt: Date;
+              email: string;
+              emailVerified: boolean;
+              name: string;
+              image?: string | null | undefined;
+            }> & Record<string, unknown>): Promise<{
+              data: {
+                [x: string]: unknown;
+                id?: string | undefined;
+                createdAt?: Date | undefined;
+                updatedAt?: Date | undefined;
+                email?: string | undefined;
+                emailVerified?: boolean | undefined;
+                name?: string | undefined;
+                image?: string | null | undefined;
+              };
+            } | undefined>;
+          };
+        };
+      };
+    };
+  };
   hooks: {
     before: {
       matcher: (ctx: _better_auth_core0.HookEndpointContext) => boolean;

package/dist/plugins/phone-number/index.mjs CHANGED Viewed

@@ -19,8 +19,16 @@ const phoneNumber = (options) => {
 	return {
 		id: "phone-number",
 		version: PACKAGE_VERSION,
+		init() {
+			return { options: { databaseHooks: { user: { update: { async before(data) {
+				if (opts.phoneNumber in data && data[opts.phoneNumber] === null) return { data: {
+					...data,
+					[opts.phoneNumberVerified]: false
+				} };
+			} } } } } };
+		},
 		hooks: { before: [{
-			matcher: (ctx) => ctx.path === "/update-user" && "phoneNumber" in ctx.body,
+			matcher: (ctx) => ctx.path === "/update-user" && "phoneNumber" in ctx.body && ctx.body.phoneNumber !== null,
 			handler: createAuthMiddleware(async (_ctx) => {
 				throw APIError.from("BAD_REQUEST", PHONE_NUMBER_ERROR_CODES.PHONE_NUMBER_CANNOT_BE_UPDATED);
 			})

package/dist/plugins/test-utils/index.d.mts CHANGED Viewed

@@ -18,19 +18,28 @@ declare module "@better-auth/core" {
  * - Auth helpers (login, getAuthHeaders, getCookies)
  * - OTP capture (when captureOTP: true)
  *
+ * This plugin does not register public HTTP routes or API endpoints, but it does
+ * expose privileged helpers on `ctx.test` for creating sessions and mutating data.
+ * Prefer including it in a test-only auth instance such as `auth.test.ts` instead
+ * of a production auth config.
+ *
+ * If you conditionally spread it into `plugins`, TypeScript may stop inferring
+ * `ctx.test` correctly. A separate test-only auth instance keeps the helpers
+ * typed without adding the plugin to your production auth config.
+ *
  * @example
  * ```ts
  * import { betterAuth } from "better-auth";
  * import { testUtils } from "better-auth/plugins";
  *
- * export const auth = betterAuth({
+ * export const testAuth = betterAuth({
  *   plugins: [
  *     testUtils({ captureOTP: true }),
  *   ],
  * });
  *
  * // In tests, access helpers via context:
- * const ctx = await auth.$context;
+ * const ctx = await testAuth.$context;
  * const test = ctx.test;
  *
  * const user = test.createUser({ email: "test@example.com" });

package/dist/plugins/test-utils/index.mjs CHANGED Viewed

@@ -13,19 +13,28 @@ import { createOTPStore } from "./otp-sink.mjs";
 * - Auth helpers (login, getAuthHeaders, getCookies)
 * - OTP capture (when captureOTP: true)
 *
+* This plugin does not register public HTTP routes or API endpoints, but it does
+* expose privileged helpers on `ctx.test` for creating sessions and mutating data.
+* Prefer including it in a test-only auth instance such as `auth.test.ts` instead
+* of a production auth config.
+*
+* If you conditionally spread it into `plugins`, TypeScript may stop inferring
+* `ctx.test` correctly. A separate test-only auth instance keeps the helpers
+* typed without adding the plugin to your production auth config.
+*
 * @example
 * ```ts
 * import { betterAuth } from "better-auth";
 * import { testUtils } from "better-auth/plugins";
 *
-* export const auth = betterAuth({
+* export const testAuth = betterAuth({
 *   plugins: [
 *     testUtils({ captureOTP: true }),
 *   ],
 * });
 *
 * // In tests, access helpers via context:
-* const ctx = await auth.$context;
+* const ctx = await testAuth.$context;
 * const test = ctx.test;
 *
 * const user = test.createUser({ email: "test@example.com" });

package/dist/utils/url.mjs CHANGED Viewed

@@ -2,6 +2,21 @@ import { wildcardMatch } from "./wildcard.mjs";
 import { env } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 //#region src/utils/url.ts
+/**
+* Minimal loopback check for dev scheme inference only. Reachable from
+* `client/config.ts` via `getBaseURL`, so we MUST NOT import the full
+* `@better-auth/core/utils/host` classifier here: its `utils/ip` dependency
+* on zod would leak into the client bundle (see `e2e/smoke/test/vite.spec.ts`).
+*
+* Server-side SSRF/loopback checks (oauth redirect matching, trusted-origin
+* resolution, electron fetch gate) continue to use the authoritative
+* `isLoopbackHost` from `@better-auth/core/utils/host`. This helper's only
+* job is picking `http` vs `https` for dev ergonomics.
+*/
+function isLoopbackForDevScheme(host) {
+	const hostname = host.replace(/:\d+$/, "").replace(/^\[|\]$/g, "").toLowerCase();
+	return hostname === "localhost" || hostname.endsWith(".localhost") || hostname === "::1" || hostname.startsWith("127.");
+}
 function checkHasPath(url) {
 	try {
 		return (new URL(url).pathname.replace(/\/+$/, "") || "/") !== "/";
@@ -146,13 +161,9 @@ function getProtocolFromSource(source, configProtocol, trustedProxyHeaders) {
 		if (url.protocol === "http:" || url.protocol === "https:") return url.protocol.slice(0, -1);
 	} catch {}
 	const host = getHostFromSource(source, trustedProxyHeaders);
-	if (host && isLoopbackHost(host)) return "http";
+	if (host && isLoopbackForDevScheme(host)) return "http";
 	return "https";
 }
-function isLoopbackHost(host) {
-	const h = host.toLowerCase();
-	return h === "localhost" || h.startsWith("localhost:") || h === "127.0.0.1" || h.startsWith("127.0.0.1:") || h === "[::1]" || h.startsWith("[::1]:") || h === "0.0.0.0" || h.startsWith("0.0.0.0:");
-}
 /**
 * Matches a hostname against a host pattern.
 * Supports wildcard patterns like `*.vercel.app` or `preview-*.myapp.com`.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.4",
+  "version": "1.6.6",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.4",
-    "@better-auth/drizzle-adapter": "1.6.4",
-    "@better-auth/kysely-adapter": "1.6.4",
-    "@better-auth/memory-adapter": "1.6.4",
-    "@better-auth/mongo-adapter": "1.6.4",
-    "@better-auth/prisma-adapter": "1.6.4",
-    "@better-auth/telemetry": "1.6.4"
+    "@better-auth/core": "1.6.6",
+    "@better-auth/drizzle-adapter": "1.6.6",
+    "@better-auth/kysely-adapter": "1.6.6",
+    "@better-auth/memory-adapter": "1.6.6",
+    "@better-auth/mongo-adapter": "1.6.6",
+    "@better-auth/prisma-adapter": "1.6.6",
+    "@better-auth/telemetry": "1.6.6"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",