The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	May 28, 2026 1:27am

PR Summary

High Risk
Touches core authentication (sessions, email verification, password reset, OAuth account linking, org invites, Stripe checkout hooks) across a major library upgrade; regression risk is mitigated by tests and explicit opt-outs for new defaults.

Overview
Upgrades better-auth (and @better-auth/sso / @better-auth/stripe) from 1.3.12 → 1.6.11 and aligns the app with renamed APIs and new defaults.

Auth integration: forgetPassword → requestPasswordReset on the forget-password route and tests; onEmailVerification → afterEmailVerification; organization organizationCreation.afterCreate → organizationHooks.afterCreateOrganization. createAuthMiddleware is imported from better-auth/api instead of plugins. nextCookies() is moved to the end of the plugins list so later plugins’ Set-Cookie headers are not dropped. Removed invalid pages config and unused signIn / signUp re-exports from auth.ts.

Behavior-preserving config: session.freshAge set to 0 (1.6 freshness semantics); accountLinking.requireLocalEmailVerified: false; requireEmailVerificationOnInvitation tied to isEmailVerificationEnabled; dropped custom Stripe getCheckoutSessionParams line_items (rely on default + existing seat UI); removed throwOnMissingCredentials / throwOnInvalidCredentials.

Email: OTP/subject types extended with change-email for 1.6 flows.

Database: Migration 0216_* adds nullable Stripe subscription and JWKS columns expected by 1.6.

Lockfile: bun.lock updated for the new better-auth package graph (core, adapters, telemetry, etc.).

^{Reviewed by Cursor Bugbot for commit 6d360b4. Configure here.}

Greptile Summary

Upgrades better-auth, @better-auth/sso, and @better-auth/stripe from 1.3.12 to 1.6.11, applying all required API renames and behavioral opt-outs documented in the 1.6 migration guide.

• API renames: onEmailVerification → afterEmailVerification, forgetPassword → requestPasswordReset, organizationCreation.afterCreate → organizationHooks.afterCreateOrganization; nextCookies() moved to last position in the plugins array to fix the 1.6.10 Set-Cookie regression; createAuthMiddleware import path updated from the plugins barrel to better-auth/api.
• Behavioral adjustments: requireLocalEmailVerified: false opts out of the new account-linking default; requireEmailVerificationOnInvitation gated on isEmailVerificationEnabled to preserve self-hosted invite flow; freshAge: 0 adopted per the 1.6 createdAt-based session freshness semantics; getCheckoutSessionParams line_items override dropped since 1.6.10 strips it and a pre-checkout seat picker already handles quantity.
• OTP change-email type: EmailSubjectType, OTPVerificationEmailProps.type, and renderOTPEmail's parameter union all extended to cover the new OTP type added in 1.6, replacing the previous silent fallthrough; migration 0216 adds 6 nullable columns for new Stripe subscription and JWKS expiry fields.

Confidence Score: 5/5

Safe to merge — all changes are additive API renames, behavioral opt-outs explicitly documented in the 1.6 migration guide, and a nullable-only DB migration.

Every deprecated API is correctly renamed, the plugin ordering fix resolves a real cookie-propagation bug from 1.6.10, all email type unions are fully closed with change-email, and the migration is purely additive. The PR author reports 60/60 auth route tests passing and a clean type-check run, consistent with the diff.

No files require special attention.

Important Files Changed

_{Reviews (2): Last reviewed commit: "chore(auth): address Greptile review — b..." | Re-trigger Greptile}

@greptile

@cursor review