fix(deps): update dependency better-auth to v1.1.6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
better-auth (source)	1.0.22 -> 1.1.6

GitHub Vulnerability Alerts

CVE-2024-56734

Summary

An open redirect vulnerability has been identified in the verify email endpoint of Better Auth, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library.

Affected Versions

• All versions prior to v1.1.6.

Impact

Attackers could craft malicious email verification links that exploit the redirect functionality to send users to untrusted domains. This can result in:

• Phishing attacks – Users may unknowingly enter sensitive information on fake login pages.
• Reputation damage – Trust issues for applications using Better Auth.

Vulnerability Details

The verify email callback endpoint accepts a callbackURL parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for POST requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker.

Example Exploit:

https://example.com/auth/verify-email?token=abcd1234&callbackURL=https://malicious-site.com

Patches

Upgrade to Better Auth v1.1.6 or later. This version enforces domain validation for callbackURL for /verify-email path and for all other GET endpoints.

Workarounds

You can also use hooks to pre-check URLs in your auth instance to prevent this without upgrading:

const auth = betterAuth({
    hooks: {
         before: (ctx) => {
            if (ctx.path === "/verify-email") {
               const callbackURL = ctx.query.callbackURL; // Check if this is a trusted callback URL or not
            }
         }
    }
})

---

Release Notes

better-auth/better-auth (better-auth)

v1.1.6

Compare Source

    🔓 Security Fixes

• Enforce origin checker for all GET methods  -  by @​Bekacru (deb3d)

    View changes on GitHub

v1.1.5

Compare Source

   🐞 Bug Fixes

• Upgrade better-auth utils and use subtle from better-auth utils  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1021 (2b685)
• Disallow the creator role as a possible invitation role for all inviter roles other than itself  -  by @​Bekacru (6ab16)
• Throw error in multiple resource permission checks  -  by @​Bekacru (ceea5)
• email-otp:
  • Apply user configration for expiresIn properly  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1033 (f9fdf)
  • It shouldn't send email if user doesn't exist on forget password  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1034 (71713)
• passkey:
  • User verification shouldn't be required on passkey registration  -  by @​canstand in https://github.com/better-auth/better-auth/issues/1053 (00996)

    View changes on GitHub

v1.1.4

Compare Source

   🐞 Bug Fixes

• drizzle: Default to snake-case  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1012 (bfc8f)
• email-otp: Reset password should create credential account  -  by @​Bekacru (d2788)
• expo: Local session cache should be scopped  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1020 (ef2ff)
• vue: Auth path should account for double slash on ssr  -  by @​Bekacru (78b6b)

    View changes on GitHub

v1.1.3

Compare Source

   🚀 Features

• Support building type declaration with tsc  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1005 (2885d)

   🐞 Bug Fixes

• Default to 1 day for session freshness  -  by @​Bekacru (59c1e)
• Create a new session on email verification if current session email doesn't match  -  by @​Bekacru (a71e9)
• Secondary storage should return modified value  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/995 (95096)

    View changes on GitHub

v1.1.2

Compare Source

   🐞 Bug Fixes

• Hydration mismatch on isPending  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/976 (809f6)
• Verify passkey should find by credentialID instead of pk  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/979 (7ef5e)
• Delete user failing when token is directly passed  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/992 (0f1fe)
• Secondary storage should use the value after hooks have been evaluated  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/994 (bb2ef)
• Send email on signUp if email verification is required  -  by @​Bekacru (8b372)

    View changes on GitHub

v1.1.1

Compare Source

    Refactor (API Change)

• passkey: Add a credentialID field to replace generated IDs and prevent storing invalid IDs when the ID is database-generated and removes webAuthnUserId since it's duplicate property with userId. If you were using passkeys, migrate to this change by renaming the existing id field to credentialID for existing users. After that, the current webauthnUserID field can be renamed to id (primary key).  -  by @​masterjanic and @​Bekacru in https://github.com/better-auth/better-auth/issues/865 (f3acd)

   🐞 Bug Fixes

• Remove oslo reference  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/973 (16bb1)
• Generic OAuth overriding social providers  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/974 (e9535)

    View changes on GitHub

v1.1.0

Compare Source

    🚀 New Features

• OIDC Plugin: An experimental new plugin that lets you create your own OIDC-compliant server. Checkout plugin docs  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/765 (4555f)
• Enterprise SSO Provider: A new plugin that allows you to sign in users with OIDC servers configured by users. It handles provisioning new users, integrates with the organization plugin, and more. (SAML support coming soon!) Checkout plugin docs  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/951 (f9102)
• Hooks: a new API for hook. You no longer need to create a plugin—these allow you to modify any requests and responses within Better Auth. Check out Hook Docs  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/916 (384ef)
• Better Auth Utils: We made a typescript auth utility and Better Auth now depends on that for auth related utility needs.  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/852 (74b6e)
• Stop Impersonating API: Admins can now stop impersonating a user and return to their session without logging out and back in. .  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/883 (97725)

    ✨ Improvements and API Changes

• Endpoints that previously returned the entire user object now only return a token. This change allows for storing sensitive fields in the user table and eliminates unnecessary returned data. As a result, all endpoints, except /get-session, now enforce this.  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/968 (eacf0)
• Expo plugin now requires a storage to be passed instead of defaulting to secure storage.  -  by @​hyoban in https://github.com/better-auth/better-auth/issues/931 (d8a26)
• By default the bearer plugin now accepts unsigned tokens and provides an option to require signed tokens only.  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/953 (9ab5d)
• User deletion now offers an improved user experience. It introduces a callback URL to redirect users to custom pages after their account is removed. Additionally, it accepts a token, to enable custom flows.  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/929 (cfd24)
• Replaced Consola with a custom logger for better compatibility with Cloudflare deployments.  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/948 (e6dc7)
• Export available provider types  -  by @​TinsFox in https://github.com/better-auth/better-auth/issues/936 (b4594)

   🐞 Bug Fixes

• Get-config paths for missing slash for /lib/server  -  by @​xKesvaL in https://github.com/better-auth/better-auth/issues/919 (74fff)
• Remove nanoid dependcy and genreate id manually  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/922 (ea482)
• Export passkey only on its own route  -  by @​Bekacru (30d40)
• Ensure that error messages thrown from a DB hook are returned unchanged on social callback  -  by @​Bekacru (ba552)
• Skip updating userinfo on oauth callback  -  by @​Bekacru (fe30a)
• Protect phone number login with 2fa  -  by @​Bekacru (52eaa)
• Email-otp on signup breaking when emailVerification is requried  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/964 (5e84b)
• Sign In with Apple With ID Token not work  -  by @​hyoban in https://github.com/better-auth/better-auth/issues/966 (b4ff5)
• Type seralization error  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/962 (14575)
• ActiveOrgId should always refer to the ID instead of the slug  -  by @​Bekacru (79625)
• bearer: Pre-check token signature to ignore if invalid  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/933 (5f823)
• jwt: Pass session on definePayload callback  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/921 (0b473)
• social: OAuth should find a user based on a provider returned account id  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/963 (de1b7)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.