
chore(auth): upgrade better-auth 1.3.12 → 1.6.11#4766

Open
waleedlatif1 wants to merge 3 commits into staging from waleedlatif1/better-auth-upgrade-audit

Conversation

@waleedlatif1
Collaborator

Summary

  • Bump better-auth, @better-auth/sso, @better-auth/stripe from 1.3.12 → 1.6.11
  • Rename deprecated APIs: onEmailVerification → afterEmailVerification, forgetPassword → requestPasswordReset, organizationCreation.afterCreate → organizationHooks.afterCreateOrganization
  • Move nextCookies() to end of plugins array (1.6.10 fix — earlier position dropped Set-Cookie headers from later plugins' hooks.after)
  • Opt out of new requireLocalEmailVerified default to preserve OAuth-linking behavior
  • Gate requireEmailVerificationOnInvitation on isEmailVerificationEnabled so self-hosted invite flow still works without SMTP
  • Set freshAge: 0 (1.6 recalculates freshness from createdAt, not last activity)
  • Drop Stripe getCheckoutSessionParams line_items override (1.6.10 strips it; pre-checkout seat picker already exists)
  • Drop dead pages config (never a valid option) and unused signIn/signUp re-exports
  • Migration 0216_* adds 6 nullable columns for new better-auth Stripe + JWKS fields

Type of Change

  • Improvement (dependency upgrade)

Testing

  • Auth route tests: 60/60 passing
  • type-check and check:api-validation clean
  • Smoke-tested dev server: /api/auth/get-session, /api/auth/jwks, /api/auth/forget-password, OIDC discovery — all 200
  • Migration is 6 nullable ADD COLUMN only — no destructive ops

Follow-up (separate PR)

  • oidcProvider → @better-auth/oauth-provider migration — requires data migration of live OAuth client rows + one-way client_secret hashing. Plan documented in .context/better-auth-upgrade/OAUTH-PROVIDER-MIGRATION.md.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented May 28, 2026


1 Skipped Deployment

Project: docs | Deployment: Skipped | Updated (UTC): May 28, 2026 4:13pm


@cursor

cursor Bot commented May 28, 2026

PR Summary

High Risk
Touches core authentication, sessions, OAuth linking, Stripe checkout, and org invites; incorrect config could break login, cookies, or billing flows despite nullable DB changes.

Overview
Upgrades better-auth (and @better-auth/sso / @better-auth/stripe) from 1.3.12 → 1.6.11 and aligns the app with renamed or stricter library behavior.

API renames: forgetPassword → requestPasswordReset on the forget-password route and tests; onEmailVerification → afterEmailVerification; organization organizationCreation.afterCreate → organizationHooks.afterCreateOrganization. createAuthMiddleware is imported from better-auth/api instead of better-auth/plugins.

Auth behavior tweaks: session.freshAge set to 0; requireLocalEmailVerified: false on account linking; requireEmailVerificationOnInvitation tied to isEmailVerificationEnabled; oneTimeToken.expiresIn corrected to minutes (24 * 60). Removed invalid pages config, unused signIn/signUp exports, throwOnMissingCredentials / throwOnInvalidCredentials, and Stripe checkout line_items override (promo codes only). nextCookies() moved to the end of the plugins array so later plugins’ cookies are not dropped.

Email: OTP templates/subjects add change-email for better-auth’s expanded OTP types.

Data: Migration 0216_* adds nullable Stripe subscription and JWKS columns expected by 1.6.

Reviewed by Cursor Bugbot for commit 5a8b8ab.

@greptile-apps
Contributor

greptile-apps Bot commented May 28, 2026

Greptile Summary

Upgrades better-auth, @better-auth/sso, and @better-auth/stripe from 1.3.12 to 1.6.11, applying all required API renames and behavioral opt-outs documented in the 1.6 migration guide.

  • API renames: onEmailVerification → afterEmailVerification, forgetPassword → requestPasswordReset, organizationCreation.afterCreate → organizationHooks.afterCreateOrganization; nextCookies() moved to last position in the plugins array to fix the 1.6.10 Set-Cookie regression; createAuthMiddleware import path updated from the plugins barrel to better-auth/api.
  • Behavioral adjustments: requireLocalEmailVerified: false opts out of the new account-linking default; requireEmailVerificationOnInvitation gated on isEmailVerificationEnabled to preserve self-hosted invite flow; freshAge: 0 adopted per the 1.6 createdAt-based session freshness semantics; getCheckoutSessionParams line_items override dropped since 1.6.10 strips it and a pre-checkout seat picker already handles quantity.
  • OTP change-email type: EmailSubjectType, OTPVerificationEmailProps.type, and renderOTPEmail's parameter union all extended to cover the new OTP type added in 1.6, replacing the previous silent fallthrough; migration 0216 adds 6 nullable columns for new Stripe subscription and JWKS expiry fields.

Confidence Score: 5/5

Safe to merge — all changes are additive API renames, behavioral opt-outs explicitly documented in the 1.6 migration guide, and a nullable-only DB migration.

Every deprecated API is correctly renamed, the plugin ordering fix resolves a real cookie-propagation bug from 1.6.10, all email type unions are fully closed with change-email, and the migration is purely additive. The PR author reports 60/60 auth route tests passing and a clean type-check run, consistent with the diff.

No files require special attention.

Important Files Changed

Filename: Overview
apps/sim/lib/auth/auth.ts: Core auth config updated with 1.6.11 API renames (afterEmailVerification, requestPasswordReset, organizationHooks), nextCookies() moved to last position, requireLocalEmailVerified: false added, freshAge: 0 set, and getCheckoutSessionParams simplified to drop the already-stripped line_items override.
apps/sim/app/api/auth/forget-password/route.ts: Single-line rename from auth.api.forgetPassword to auth.api.requestPasswordReset, matching the better-auth 1.6 API.
apps/sim/app/api/auth/forget-password/route.test.ts: All test mock references updated from mockForgetPassword to mockRequestPasswordReset; 60/60 tests passing.
apps/sim/components/emails/subjects.ts: Added 'change-email' to EmailSubjectType union and corresponding subject line, covering the new OTP type added in better-auth 1.6.
apps/sim/components/emails/render.ts: renderOTPEmail type parameter broadened to include 'change-email', making TypeScript catch any future unhandled OTP types at the call site.
packages/db/migrations/0216_colorful_cobalt_man.sql: Additive migration adding 6 nullable columns to subscription and jwks — no destructive operations.
packages/db/schema.ts: Schema updated to match the migration: 5 new nullable fields on subscription and expires_at on jwks, aligned with better-auth Stripe and JWKS plugin changes in 1.6.
apps/sim/components/emails/auth/otp-verification-email.tsx: OTPVerificationEmailProps.type union extended with 'change-email' and a dedicated subject line added to getSubjectByType.

Reviews (2): Last reviewed commit: "chore(auth): address Greptile review — b..."

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review


@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 6d360b4.

Better-auth's oneTimeToken expiresIn is in minutes (multiplied by 60_000ms
internally). Sim's existing 24*60*60 evaluated to ~60 days of token
lifetime instead of the intended 24 hours. Tokens are one-time-use and
typically consumed within seconds of generation (Socket.IO handshake),
so this tightens an unused security window without affecting UX.
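The plugin-ordering and token-lifetime points made in the PR description and in the commit message above, as an added pre-merge audit (example code, not the project's or better-auth's own; the plugin ids "next-cookies" and "one-time-token" and the option paths are assumptions modelled on the fields the PR names):

```typescript
// Added example, not project or better-auth code. Plugin ids and option paths are
// assumptions modelled on the fields named in the PR description.
interface PluginLike { id: string; options?: { expiresIn?: number } }
interface AuthOptionsLike {
  session?: { freshAge?: number };
  account?: { accountLinking?: { requireLocalEmailVerified?: boolean } };
  plugins: PluginLike[];
}

const MINUTES_PER_DAY = 24 * 60;

// Returns reviewer findings for the invariants this upgrade depends on.
export function auditAuthOptions(opts: AuthOptionsLike): string[] {
  const findings: string[] = [];

  // nextCookies() must run last: its hooks.after can only forward the Set-Cookie
  // headers that exist when it runs, so cookies set by later plugins are dropped.
  const last = opts.plugins[opts.plugins.length - 1];
  if (last?.id !== "next-cookies") {
    findings.push("nextCookies() is not the last plugin; later plugins' cookies would be dropped");
  }

  // oneTimeToken expiresIn is in minutes (x 60_000 ms internally), so a value
  // written as if it were seconds (24*60*60) silently becomes ~60 days.
  const minutes = opts.plugins.find((p) => p.id === "one-time-token")?.options?.expiresIn;
  if (minutes !== undefined && minutes > MINUTES_PER_DAY) {
    const days = Math.round(minutes / MINUTES_PER_DAY);
    findings.push(`oneTimeToken expiresIn=${minutes} minutes (~${days} days) exceeds 24h`);
  }

  // Opting out of requireLocalEmailVerified is deliberate here; surface it for review.
  if (opts.account?.accountLinking?.requireLocalEmailVerified === false) {
    findings.push("info: account linking no longer requires a verified local email");
  }
  return findings;
}

// Constructed configs mirroring the pre- and post-upgrade state the PR describes.
export const beforeUpgrade: AuthOptionsLike = {
  plugins: [{ id: "next-cookies" }, { id: "organization" },
            { id: "one-time-token", options: { expiresIn: 24 * 60 * 60 } }],
};
export const afterUpgrade: AuthOptionsLike = {
  session: { freshAge: 0 },
  account: { accountLinking: { requireLocalEmailVerified: false } },
  plugins: [{ id: "organization" }, { id: "one-time-token", options: { expiresIn: 24 * 60 } },
            { id: "next-cookies" }],
};
```

Running auditAuthOptions(beforeUpgrade) reports both the misplaced nextCookies() and the 60-day token window; the post-upgrade config yields only the informational account-linking opt-out.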
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review
