From f511095fded8b89b85c4893b6bb550dad90290f2 Mon Sep 17 00:00:00 2001 From: Nico <47644445+nicotsx@users.noreply.github.com> Date: Tue, 3 Mar 2026 20:27:50 +0100 Subject: [PATCH] fix(sso): prevent auto-linking with an existing account in a different org (#607) * fix(sso): prevent auto-linking with an existing account in a different org * chore: lint issue * chore: bump @better-auth/sso --- .../modules/settings/routes/settings.tsx | 6 ++- app/routes/(dashboard)/settings/index.tsx | 2 +- .../__tests__/create-default-org.test.ts | 41 ++++++++++++++++++- .../lib/auth/helpers/create-default-org.ts | 31 +++++++++++--- .../__tests__/require-sso-invitation.test.ts | 2 +- .../validate-sso-callback-urls.test.ts | 18 ++++++++ .../middlewares/require-sso-invitation.ts | 2 +- .../middlewares/validate-sso-callback-urls.ts | 10 ++++- app/server/lib/auth/utils/sso-context.ts | 2 +- app/server/modules/auth/auth.controller.ts | 20 +++++---- bun.lock | 22 +++++----- package.json | 4 +- 12 files changed, 124 insertions(+), 36 deletions(-) diff --git a/app/client/modules/settings/routes/settings.tsx b/app/client/modules/settings/routes/settings.tsx index 3a304c8b..f348e826 100644 --- a/app/client/modules/settings/routes/settings.tsx +++ b/app/client/modules/settings/routes/settings.tsx @@ -165,7 +165,11 @@ export function SettingsPage({ appContext, initialMembers, initialSsoSettings, i
- + +
+
+ +
diff --git a/app/routes/(dashboard)/settings/index.tsx b/app/routes/(dashboard)/settings/index.tsx index f7816c2e..9034d40b 100644 --- a/app/routes/(dashboard)/settings/index.tsx +++ b/app/routes/(dashboard)/settings/index.tsx @@ -20,7 +20,7 @@ export const Route = createFileRoute("/(dashboard)/settings/")({ }), ]); const orgRole = orgContext.activeMember?.role; - const shouldPrefetchOrgQueries = authContext.user?.role === "admin" || orgRole === "owner" || orgRole === "admin"; + const shouldPrefetchOrgQueries = orgRole === "owner" || orgRole === "admin"; if (shouldPrefetchOrgQueries) { const [org, members, appOrigin] = await Promise.all([ diff --git a/app/server/lib/auth/helpers/__tests__/create-default-org.test.ts b/app/server/lib/auth/helpers/__tests__/create-default-org.test.ts index 7c649f0d..74d7fa0a 100644 --- a/app/server/lib/auth/helpers/__tests__/create-default-org.test.ts +++ b/app/server/lib/auth/helpers/__tests__/create-default-org.test.ts @@ -1,5 +1,5 @@ import { beforeEach, describe, expect, test } from "bun:test"; -import type { GenericEndpointContext } from "@better-auth/core"; +import type { GenericEndpointContext } from "better-auth"; import { eq } from "drizzle-orm"; import { db } from "~/server/db/db"; import { account, invitation, member, organization, ssoProvider, usersTable } from "~/server/db/schema"; @@ -119,6 +119,45 @@ describe("createUserDefaultOrg", () => { expect(createUserDefaultOrg(userId, ctx)).rejects.toThrow("invite-only"); }); + test("blocks existing users with a personal org from SSO orgs they were not invited to", async () => { + const userId = await createUser("alice@example.com", randomSlug("alice")); + const inviterId = await createUser("inviter@example.com", randomSlug("inviter")); + + const personalOrgId = randomId(); + await db.insert(organization).values({ + id: personalOrgId, + name: "Alice's Workspace", + slug: randomSlug("alice"), + createdAt: new Date(), + }); + await db.insert(member).values({ + id: randomId(), + userId, + organizationId: personalOrgId, + role: "owner", + createdAt: new Date(), + }); + + const ssoOrgId = randomId(); + await db.insert(organization).values({ + id: ssoOrgId, + name: "Acme Corp", + slug: randomSlug("acme"), + createdAt: new Date(), + }); + await db.insert(ssoProvider).values({ + id: randomId(), + providerId: "oidc-acme", + organizationId: ssoOrgId, + userId: inviterId, + issuer: "https://issuer.example.com", + domain: "example.com", + }); + + const ctx = createMockSsoCallbackContext("oidc-acme"); + await expect(createUserDefaultOrg(userId, ctx)).rejects.toThrow("invite-only"); + }); + test("returns existing membership without creating another workspace", async () => { const userId = await createUser("existing-member@example.com", randomSlug("existing-member")); const organizationId = randomId(); diff --git a/app/server/lib/auth/helpers/create-default-org.ts b/app/server/lib/auth/helpers/create-default-org.ts index ca8a1551..aac6e3f2 100644 --- a/app/server/lib/auth/helpers/create-default-org.ts +++ b/app/server/lib/auth/helpers/create-default-org.ts @@ -1,6 +1,6 @@ import { and, eq, gt } from "drizzle-orm"; import { UnauthorizedError } from "http-errors-enhanced"; -import type { GenericEndpointContext } from "@better-auth/core"; +import type { GenericEndpointContext } from "better-auth"; import { db } from "~/server/db/db"; import { invitation, member, organization, ssoProvider, usersTable, type User } from "~/server/db/schema"; import { cryptoUtils } from "~/server/utils/crypto"; @@ -150,17 +150,36 @@ export async function createUserDefaultOrg(userId: string, ctx: GenericEndpointC throw new UnauthorizedError("User not found"); } + const providerId = extractProviderIdFromContext(ctx); + if (providerId) { + const [ssoProviderRecord] = await db + .select() + .from(ssoProvider) + .where(eq(ssoProvider.providerId, providerId)) + .limit(1); + + if (ssoProviderRecord) { + // If the user is already a member of this SSO org (accepted a past invitation), let them through + const existingSsoMembership = await findMembershipWithOrganization(user.id, ssoProviderRecord.organizationId); + if (existingSsoMembership) { + return existingSsoMembership; + } + + // Not yet a member of this SSO org, a valid pending invitation is required. + const invitedMembership = await tryCreateInvitedMembership(userId, normalizeEmail(user.email), ctx); + if (invitedMembership) { + return invitedMembership; + } + } + } + + // Non-SSO path: check for any existing membership before creating a personal org. const existingMembership = await findMembershipWithOrganization(user.id); if (existingMembership) { logger.debug("User already has an organization membership, skipping default org creation", { userId }); return existingMembership; } - const invitedMembership = await tryCreateInvitedMembership(userId, normalizeEmail(user.email), ctx); - if (invitedMembership) { - return invitedMembership; - } - await createDefaultOrganizationMembership(user); const newMembership = await findMembershipWithOrganization(userId); diff --git a/app/server/lib/auth/middlewares/__tests__/require-sso-invitation.test.ts b/app/server/lib/auth/middlewares/__tests__/require-sso-invitation.test.ts index 4c43386f..7346490a 100644 --- a/app/server/lib/auth/middlewares/__tests__/require-sso-invitation.test.ts +++ b/app/server/lib/auth/middlewares/__tests__/require-sso-invitation.test.ts @@ -1,5 +1,5 @@ import { beforeEach, describe, expect, test } from "bun:test"; -import type { GenericEndpointContext } from "@better-auth/core"; +import type { GenericEndpointContext } from "better-auth"; import { db } from "~/server/db/db"; import { account, invitation, member, organization, ssoProvider, usersTable } from "~/server/db/schema"; import { isSsoCallbackRequest, requireSsoInvitation } from "../require-sso-invitation"; diff --git a/app/server/lib/auth/middlewares/__tests__/validate-sso-callback-urls.test.ts b/app/server/lib/auth/middlewares/__tests__/validate-sso-callback-urls.test.ts index c8e3524b..f6f30a3d 100644 --- a/app/server/lib/auth/middlewares/__tests__/validate-sso-callback-urls.test.ts +++ b/app/server/lib/auth/middlewares/__tests__/validate-sso-callback-urls.test.ts @@ -71,4 +71,22 @@ describe("validateSsoCallbackUrls", () => { expect(validateSsoCallbackUrls(ctx)).resolves.toBeUndefined(); }); + + test("rejects URL-encoded external URL (%2F%2Fevil.example)", async () => { + const ctx = createContext("/sign-in/sso", { callbackURL: "%2F%2Fevil.example" }); + + expect(validateSsoCallbackUrls(ctx)).rejects.toThrow("callbackURL"); + }); + + test("rejects URL-encoded reserved path (%2Fsso%2Fcallback%2Ffoo)", async () => { + const ctx = createContext("/sign-in/sso", { callbackURL: "%2Fsso%2Fcallback%2Ffoo" }); + + expect(validateSsoCallbackUrls(ctx)).rejects.toThrow("callbackURL"); + }); + + test("rejects invalid URL encoding (malformed)", async () => { + const ctx = createContext("/sign-in/sso", { callbackURL: "%ZZ" }); + + expect(validateSsoCallbackUrls(ctx)).rejects.toThrow("callbackURL"); + }); }); diff --git a/app/server/lib/auth/middlewares/require-sso-invitation.ts b/app/server/lib/auth/middlewares/require-sso-invitation.ts index fef083f7..7e7ac3bd 100644 --- a/app/server/lib/auth/middlewares/require-sso-invitation.ts +++ b/app/server/lib/auth/middlewares/require-sso-invitation.ts @@ -1,5 +1,5 @@ import { APIError } from "better-auth/api"; -import type { GenericEndpointContext } from "@better-auth/core"; +import type { GenericEndpointContext } from "better-auth"; import { db } from "~/server/db/db"; import { logger } from "~/server/utils/logger"; import { extractProviderIdFromContext, extractProviderIdFromUrl, normalizeEmail } from "../utils/sso-context"; diff --git a/app/server/lib/auth/middlewares/validate-sso-callback-urls.ts b/app/server/lib/auth/middlewares/validate-sso-callback-urls.ts index 48f306f2..2f0d3974 100644 --- a/app/server/lib/auth/middlewares/validate-sso-callback-urls.ts +++ b/app/server/lib/auth/middlewares/validate-sso-callback-urls.ts @@ -2,11 +2,17 @@ import { APIError } from "better-auth/api"; import type { AuthMiddlewareContext } from "~/server/lib/auth"; function isValidCallbackPath(value: string): boolean { - if (!value.startsWith("/") || value.startsWith("//") || value.includes("\\")) { + let decoded: string; + try { + decoded = decodeURIComponent(value); + } catch { + return false; + } + if (!decoded.startsWith("/") || decoded.startsWith("//") || decoded.includes("\\")) { return false; } - if (value.startsWith("/sso/callback/") || value.startsWith("/sso/saml2/")) { + if (decoded.startsWith("/sso/callback/") || decoded.startsWith("/sso/saml2/")) { return false; } diff --git a/app/server/lib/auth/utils/sso-context.ts b/app/server/lib/auth/utils/sso-context.ts index 7c8edac1..1565c8ba 100644 --- a/app/server/lib/auth/utils/sso-context.ts +++ b/app/server/lib/auth/utils/sso-context.ts @@ -1,4 +1,4 @@ -import type { GenericEndpointContext } from "@better-auth/core"; +import type { GenericEndpointContext } from "better-auth"; const SSO_CALLBACK_PATH_SEGMENTS = ["/sso/callback/", "/sso/saml2/callback/", "/sso/saml2/sp/acs/"] as const; diff --git a/app/server/modules/auth/auth.controller.ts b/app/server/modules/auth/auth.controller.ts index 476c66a2..2d5dbef6 100644 --- a/app/server/modules/auth/auth.controller.ts +++ b/app/server/modules/auth/auth.controller.ts @@ -46,20 +46,22 @@ export const authController = new Hono() } const [providersData, invitationsData, autoLinkingSettings] = await Promise.all([ - auth.api.listSSOProviders({ headers }), + auth.api.listSSOProviders({ headers, query: { organizationId: activeOrganizationId } }), auth.api.listInvitations({ headers, query: { organizationId: activeOrganizationId } }), authService.getSsoProviderAutoLinkingSettings(activeOrganizationId), ]); return c.json({ - providers: providersData.providers.map((provider) => ({ - providerId: provider.providerId, - type: provider.type, - issuer: provider.issuer, - domain: provider.domain, - autoLinkMatchingEmails: autoLinkingSettings[provider.providerId] ?? false, - organizationId: provider.organizationId, - })), + providers: providersData.providers + .map((provider) => ({ + providerId: provider.providerId, + type: provider.type, + issuer: provider.issuer, + domain: provider.domain, + autoLinkMatchingEmails: autoLinkingSettings[provider.providerId] ?? false, + organizationId: provider.organizationId, + })) + .filter((p) => p.organizationId === activeOrganizationId), invitations: invitationsData.map((invitation) => ({ id: invitation.id, email: invitation.email, diff --git a/bun.lock b/bun.lock index 9ffb58f0..ee828fc8 100644 --- a/bun.lock +++ b/bun.lock @@ -5,7 +5,7 @@ "": { "name": "zerobyte", "dependencies": { - "@better-auth/sso": "1.5.0", + "@better-auth/sso": "^1.5.2", "@dnd-kit/core": "^6.3.1", "@dnd-kit/sortable": "^10.0.0", "@dnd-kit/utilities": "^3.2.2", @@ -35,7 +35,7 @@ "@tanstack/react-router-ssr-query": "^1.162.9", "@tanstack/react-start": "^1.162.9", "arktype": "^2.1.28", - "better-auth": "1.5.0", + "better-auth": "^1.5.2", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "commander": "^14.0.2", @@ -216,21 +216,21 @@ "@babel/types": ["@babel/types@7.29.0", "", { "dependencies": { "@babel/helper-string-parser": "^7.27.1", "@babel/helper-validator-identifier": "^7.28.5" } }, "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A=="], - "@better-auth/core": ["@better-auth/core@1.5.0", "", { "dependencies": { "@standard-schema/spec": "^1.1.0", "zod": "^4.3.6" }, "peerDependencies": { "@better-auth/utils": "0.3.1", "@better-fetch/fetch": "1.1.21", "@cloudflare/workers-types": ">=4", "better-call": "1.3.2", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1" }, "optionalPeers": ["@cloudflare/workers-types"] }, "sha512-nDPmW7I9VGRACEei31fHaZxGwD/yICraDllZ/f25jbWXYaxDaW88RuH1ZhbOUKmGJlZtDxcjN1+YmcVIc1ioNw=="], + "@better-auth/core": ["@better-auth/core@1.5.2", "", { "dependencies": { "@standard-schema/spec": "^1.1.0", "zod": "^4.3.6" }, "peerDependencies": { "@better-auth/utils": "0.3.1", "@better-fetch/fetch": "1.1.21", "@cloudflare/workers-types": ">=4", "better-call": "1.3.2", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1" }, "optionalPeers": ["@cloudflare/workers-types"] }, "sha512-svaKRVN/p3+g++kljLEedHC+RgDlGsVr87tKiATr5xIE7xqLO1If906pMTNMfhF08N5r7pMbix/mRYdObuPKHA=="], - "@better-auth/drizzle-adapter": ["@better-auth/drizzle-adapter@1.5.0", "", { "peerDependencies": { "@better-auth/core": "1.5.0", "@better-auth/utils": "^0.3.0", "drizzle-orm": ">=0.41.0" } }, "sha512-qNKAoe+ViiHznipkoOCLo3pDvQo4/6mYbCwnfo2mNbjjopqIn0c3IKW2t+e/Mg4Y18PJcEFeOiIRoY9pUyTtAg=="], + "@better-auth/drizzle-adapter": ["@better-auth/drizzle-adapter@1.5.2", "", { "peerDependencies": { "@better-auth/core": "1.5.2", "@better-auth/utils": "^0.3.0", "drizzle-orm": ">=0.41.0" } }, "sha512-29e7UCwqTriIuDdEr1xbSx4qGg6Ag3aTopzRavPyOCYJyzTwePw8iZ9zaJF1fsLmLeany7LW069NMDf6+3tz/w=="], - "@better-auth/kysely-adapter": ["@better-auth/kysely-adapter@1.5.0", "", { "peerDependencies": { "@better-auth/core": "1.5.0", "@better-auth/utils": "^0.3.0", "kysely": "^0.27.0 || ^0.28.0" } }, "sha512-dSC7yzF58YMrn39srrX/LwMLjd11PtTORjn3RKFwuzVCS07mqMZpPkk3XbQW/ZXxXbdUByrgYQo9z9zFCF37RQ=="], + "@better-auth/kysely-adapter": ["@better-auth/kysely-adapter@1.5.2", "", { "peerDependencies": { "@better-auth/core": "1.5.2", "@better-auth/utils": "^0.3.0", "kysely": "^0.27.0 || ^0.28.0" } }, "sha512-PaP+KPJ6Cw0DxzuZLH6eR0oFhS5Iq/KjYvmZt76fCl5Q7Ys9Cct0kXVVlrD1bftiznTpV+UKMfwjcCWvtc1l4w=="], - "@better-auth/memory-adapter": ["@better-auth/memory-adapter@1.5.0", "", { "peerDependencies": { "@better-auth/core": "1.5.0", "@better-auth/utils": "^0.3.0" } }, "sha512-fp0OtEpWi4RgfxrhhAI8tKW8yHTHx49V12UW1XyuUKrEK0jbu+CzVJSzoMkv/q3fJfjGqDe/vNvWtVBtpIRpQw=="], + "@better-auth/memory-adapter": ["@better-auth/memory-adapter@1.5.2", "", { "peerDependencies": { "@better-auth/core": "1.5.2", "@better-auth/utils": "^0.3.0" } }, "sha512-vCbmMpUAisISRVxzNFIxkvO3wm63fzwSxAOO9Xktl77VyEyh8zliBNcW8S6+9DOeolVRKhjWEg7UaBOtIhFX/Q=="], - "@better-auth/mongo-adapter": ["@better-auth/mongo-adapter@1.5.0", "", { "peerDependencies": { "@better-auth/core": "1.5.0", "@better-auth/utils": "^0.3.0", "mongodb": "^6.0.0 || ^7.0.0" } }, "sha512-qI+MiewH6kzUbNkKBX4fdhPl1MkIXq8V7v3TEt/DLAHC4/QxmPqhxQHEDeZBxO+NH8+Zekr2sQzKRRFfbaQKbw=="], + "@better-auth/mongo-adapter": ["@better-auth/mongo-adapter@1.5.2", "", { "peerDependencies": { "@better-auth/core": "1.5.2", "@better-auth/utils": "^0.3.0", "mongodb": "^6.0.0 || ^7.0.0" } }, "sha512-fJd+Z7fgRFgK2W7oxbFYM9K10yEUs/hlALzihCdDgSyRg9XFLBMJkMcECRqBsop/cZUjwZxLBTQPsIpgx9ix1g=="], - "@better-auth/prisma-adapter": ["@better-auth/prisma-adapter@1.5.0", "", { "dependencies": { "@prisma/client": "^7.4.1" }, "peerDependencies": { "@better-auth/core": "1.5.0", "@better-auth/utils": "^0.3.0", "prisma": "^5.0.0 || ^6.0.0 || ^7.0.0" } }, "sha512-Sga8DTeCCsamGZ7/54kH0HKlrCrgW4EApadAgsufsIcRqHteeKC5rNCLIppfyRa/xJxm5xImUeks6Nvz3zL1tw=="], + "@better-auth/prisma-adapter": ["@better-auth/prisma-adapter@1.5.2", "", { "dependencies": { "@prisma/client": "^7.4.1" }, "peerDependencies": { "@better-auth/core": "1.5.2", "@better-auth/utils": "^0.3.0", "prisma": "^5.0.0 || ^6.0.0 || ^7.0.0" } }, "sha512-9GB4q91Q16wSSsi1vFP/RZNW0GNmdxTiDcE2MX1fC4Hlmo6UuT4WRv+94YPYs3/tPhsJ17k5Lt+rKTOK8S6Kbw=="], - "@better-auth/sso": ["@better-auth/sso@1.5.0", "", { "dependencies": { "@better-auth/utils": "0.3.1", "@better-fetch/fetch": "1.1.21", "fast-xml-parser": "^5.4.1", "jose": "^6.1.3", "samlify": "^2.10.2", "zod": "^4.3.6" }, "peerDependencies": { "@better-auth/core": "1.5.0", "better-auth": "1.5.0", "better-call": "1.3.2" } }, "sha512-HuomPV25de9y2A/8WX4UtDHdHj4OUlwbnTH/NAuhmqUGyj7VZrOBwUaZhmD6roVhF18+YigOmGPetajukMZrQQ=="], + "@better-auth/sso": ["@better-auth/sso@1.5.2", "", { "dependencies": { "@better-auth/utils": "0.3.1", "@better-fetch/fetch": "1.1.21", "fast-xml-parser": "^5.4.1", "jose": "^6.1.3", "samlify": "^2.10.2", "zod": "^4.3.6" }, "peerDependencies": { "@better-auth/core": "1.5.2", "better-auth": "1.5.2", "better-call": "1.3.2" } }, "sha512-qPOkai2aBjJzwee3RuSYc17R5OPB9P1IONpKFHiAXBmp1RkUUwMwwN/QZC7PuJaecaZYSgKwRQ4+Ip4XYqYTeA=="], - "@better-auth/telemetry": ["@better-auth/telemetry@1.5.0", "", { "dependencies": { "@better-auth/utils": "0.3.1", "@better-fetch/fetch": "1.1.21" }, "peerDependencies": { "@better-auth/core": "1.5.0" } }, "sha512-/6ThGSnGPVTR4A/6F8kv65UomDHtM24y2yRZuJfWYbqkve0jn8+WVsxOfQN9bx7J16zIvYw5hJAYCwxoj20BTQ=="], + "@better-auth/telemetry": ["@better-auth/telemetry@1.5.2", "", { "dependencies": { "@better-auth/utils": "0.3.1", "@better-fetch/fetch": "1.1.21" }, "peerDependencies": { "@better-auth/core": "1.5.2" } }, "sha512-Cukyj5yciFNGtx5SkQCop2wOjpHuq2ZHL3V7ydVFe51WUNCXd+v1Sbed2sIfT/8hOcSB+NefALXNv1yTSxKkAQ=="], "@better-auth/utils": ["@better-auth/utils@0.3.1", "", {}, "sha512-+CGp4UmZSUrHHnpHhLPYu6cV+wSUSvVbZbNykxhUDocpVNTo9uFFxw/NqJlh1iC4wQ9HKKWGCKuZ5wUgS0v6Kg=="], @@ -1000,7 +1000,7 @@ "baseline-browser-mapping": ["baseline-browser-mapping@2.10.0", "", { "bin": { "baseline-browser-mapping": "dist/cli.cjs" } }, "sha512-lIyg0szRfYbiy67j9KN8IyeD7q7hcmqnJ1ddWmNt19ItGpNN64mnllmxUNFIOdOm6by97jlL6wfpTTJrmnjWAA=="], - "better-auth": ["better-auth@1.5.0", "", { "dependencies": { "@better-auth/core": "1.5.0", "@better-auth/drizzle-adapter": "1.5.0", "@better-auth/kysely-adapter": "1.5.0", "@better-auth/memory-adapter": "1.5.0", "@better-auth/mongo-adapter": "1.5.0", "@better-auth/prisma-adapter": "1.5.0", "@better-auth/telemetry": "1.5.0", "@better-auth/utils": "0.3.1", "@better-fetch/fetch": "1.1.21", "@noble/ciphers": "^2.1.1", "@noble/hashes": "^2.0.1", "better-call": "1.3.2", "defu": "^6.1.4", "jose": "^6.1.3", "kysely": "^0.28.11", "nanostores": "^1.1.1", "zod": "^4.3.6" }, "peerDependencies": { "@lynx-js/react": "*", "@prisma/client": "^5.0.0 || ^6.0.0 || ^7.0.0", "@sveltejs/kit": "^2.0.0", "@tanstack/react-start": "^1.0.0", "@tanstack/solid-start": "^1.0.0", "better-sqlite3": "^12.0.0", "drizzle-kit": ">=0.31.4", "drizzle-orm": ">=0.41.0", "mongodb": "^6.0.0 || ^7.0.0", "mysql2": "^3.0.0", "next": "^14.0.0 || ^15.0.0 || ^16.0.0", "pg": "^8.0.0", "prisma": "^5.0.0 || ^6.0.0 || ^7.0.0", "react": "^18.0.0 || ^19.0.0", "react-dom": "^18.0.0 || ^19.0.0", "solid-js": "^1.0.0", "svelte": "^4.0.0 || ^5.0.0", "vitest": "^2.0.0 || ^3.0.0 || ^4.0.0", "vue": "^3.0.0" }, "optionalPeers": ["@lynx-js/react", "@prisma/client", "@sveltejs/kit", "@tanstack/react-start", "@tanstack/solid-start", "better-sqlite3", "drizzle-kit", "drizzle-orm", "mongodb", "mysql2", "next", "pg", "prisma", "react", "react-dom", "solid-js", "svelte", "vitest", "vue"] }, "sha512-vbRKSxDa1vwXzEmR7+kXJMDs2pRXLOvD4MiqQwL4r6kkjzok5kOyLD200ZUg24Jtx2Xho1oA2drlxT6GqknH1A=="], + "better-auth": ["better-auth@1.5.2", "", { "dependencies": { "@better-auth/core": "1.5.2", "@better-auth/drizzle-adapter": "1.5.2", "@better-auth/kysely-adapter": "1.5.2", "@better-auth/memory-adapter": "1.5.2", "@better-auth/mongo-adapter": "1.5.2", "@better-auth/prisma-adapter": "1.5.2", "@better-auth/telemetry": "1.5.2", "@better-auth/utils": "0.3.1", "@better-fetch/fetch": "1.1.21", "@noble/ciphers": "^2.1.1", "@noble/hashes": "^2.0.1", "better-call": "1.3.2", "defu": "^6.1.4", "jose": "^6.1.3", "kysely": "^0.28.11", "nanostores": "^1.1.1", "zod": "^4.3.6" }, "peerDependencies": { "@lynx-js/react": "*", "@prisma/client": "^5.0.0 || ^6.0.0 || ^7.0.0", "@sveltejs/kit": "^2.0.0", "@tanstack/react-start": "^1.0.0", "@tanstack/solid-start": "^1.0.0", "better-sqlite3": "^12.0.0", "drizzle-kit": ">=0.31.4", "drizzle-orm": ">=0.41.0", "mongodb": "^6.0.0 || ^7.0.0", "mysql2": "^3.0.0", "next": "^14.0.0 || ^15.0.0 || ^16.0.0", "pg": "^8.0.0", "prisma": "^5.0.0 || ^6.0.0 || ^7.0.0", "react": "^18.0.0 || ^19.0.0", "react-dom": "^18.0.0 || ^19.0.0", "solid-js": "^1.0.0", "svelte": "^4.0.0 || ^5.0.0", "vitest": "^2.0.0 || ^3.0.0 || ^4.0.0", "vue": "^3.0.0" }, "optionalPeers": ["@lynx-js/react", "@prisma/client", "@sveltejs/kit", "@tanstack/react-start", "@tanstack/solid-start", "better-sqlite3", "drizzle-kit", "drizzle-orm", "mongodb", "mysql2", "next", "pg", "prisma", "react", "react-dom", "solid-js", "svelte", "vitest", "vue"] }, "sha512-xEnt/RBsu/cjcN+IEsgeBqka/6QRaGzPFl5hnnJfZU/JxRGnDsVUDHXvJQRfecj8qA/1nPJOQjZ6qQL1Z7aN+Q=="], "better-call": ["better-call@1.3.2", "", { "dependencies": { "@better-auth/utils": "^0.3.1", "@better-fetch/fetch": "^1.1.21", "rou3": "^0.7.12", "set-cookie-parser": "^3.0.1" }, "peerDependencies": { "zod": "^4.0.0" }, "optionalPeers": ["zod"] }, "sha512-4cZIfrerDsNTn3cm+MhLbUePN0gdwkhSXEuG7r/zuQ8c/H7iU0/jSK5TD3FW7U0MgKHce/8jGpPYNO4Ve+4NBw=="], diff --git a/package.json b/package.json index 3f001fcd..4a945970 100644 --- a/package.json +++ b/package.json @@ -26,7 +26,7 @@ "test:codegen": "playwright codegen localhost:4096" }, "dependencies": { - "@better-auth/sso": "1.5.0", + "@better-auth/sso": "^1.5.2", "@dnd-kit/core": "^6.3.1", "@dnd-kit/sortable": "^10.0.0", "@dnd-kit/utilities": "^3.2.2", @@ -56,7 +56,7 @@ "@tanstack/react-router-ssr-query": "^1.162.9", "@tanstack/react-start": "^1.162.9", "arktype": "^2.1.28", - "better-auth": "1.5.0", + "better-auth": "^1.5.2", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "commander": "^14.0.2",