Update dependency better-auth to ~1.6.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
better-auth (source)	~1.5.6 → ~1.6.0

---

Release Notes

better-auth/better-auth (better-auth)

v1.6.2

Compare Source

Patch Changes

• #​8949 9deb793 Thanks @​ping-maxwell! - security: verify OAuth state parameter against cookie-stored nonce to prevent CSRF on cookie-backed flows

• #​8983 2cbcb9b Thanks @​jaydeep-pipaliya! - fix(oauth2): prevent cross-provider account collision in link-social callback

  The link-social callback used findAccount(accountId) which matched by account ID across all providers. When two providers return the same numeric ID (e.g. both Google and GitHub assign 99999), the lookup could match the wrong provider's account, causing a spurious account_already_linked_to_different_user error or silently updating the wrong account's tokens.

  Replaced with findAccountByProviderId(accountId, providerId) to scope the lookup to the correct provider, matching the pattern already used in the generic OAuth plugin.

• #​9059 b20fa42 Thanks @​gustavovalverde! - fix(next-js): replace cookie probe with header-based RSC detection in nextCookies() to prevent infinite router refresh loops and eliminate leaked __better-auth-cookie-store cookie. Also fix two-factor enrollment flows to set the new session cookie before deleting the old session.

• #​9058 608d8c3 Thanks @​gustavovalverde! - fix(sso): include RelayState in signed SAML AuthnRequests per SAML 2.0 Bindings §3.4.4.1

  • RelayState is now passed to samlify's ServiceProvider constructor so it is included in the redirect binding signature. Previously it was appended after the signature, causing spec-compliant IdPs to reject signed AuthnRequests.
  • authnRequestsSigned: true without a private key now throws instead of silently sending unsigned requests.

• #​8772 8409843 Thanks @​aarmful! - feat(two-factor): include enabled 2fa methods in sign-in redirect response

  The 2FA sign-in redirect now returns twoFactorMethods (e.g. ["totp", "otp"]) so frontends can render the correct verification UI without guessing. The onTwoFactorRedirect client callback receives twoFactorMethods as a context parameter.

  • TOTP is included only when the user has a verified TOTP secret and TOTP is not disabled in config.
  • OTP is included when otpOptions.sendOTP is configured.
  • Unverified TOTP enrollments are excluded from the methods list.

• #​8711 e78a7b1 Thanks @​aarmful! - fix(two-factor): prevent unverified TOTP enrollment from gating sign-in

  Adds a verified boolean column to the twoFactor table that tracks whether a TOTP secret has been confirmed by the user.

  • First-time enrollment: enableTwoFactor creates the row with verified: false. The row is promoted to verified: true only after verifyTOTP succeeds with a valid code.
  • Re-enrollment (calling enableTwoFactor when TOTP is already verified): the new row preserves verified: true, so the user is never locked out of sign-in while rotating their TOTP secret.
  • Sign-in: verifyTOTP rejects rows where verified === false, preventing abandoned enrollments from blocking authentication. Backup codes and OTP are unaffected and work as fallbacks during unfinished enrollment.

  Migration: The new column defaults to true, so existing twoFactor rows are treated as verified. No data migration is required. skipVerificationOnEnable: true is also unaffected — the row is created as verified: true in that mode.

• Updated dependencies []:

  • @​better-auth/core@​1.6.2
  • @​better-auth/drizzle-adapter@​1.6.2
  • @​better-auth/kysely-adapter@​1.6.2
  • @​better-auth/memory-adapter@​1.6.2
  • @​better-auth/mongo-adapter@​1.6.2
  • @​better-auth/prisma-adapter@​1.6.2
  • @​better-auth/telemetry@​1.6.2

v1.6.1

Compare Source

Patch Changes

• #​9023 2e537df Thanks @​jonathansamines! - Update endpoint instrumentation to always use endpoint routes

• #​8902 f61ad1c Thanks @​ping-maxwell! - use INVALID_PASSWORD for all checkPassword failures

• #​9017 7495830 Thanks @​bytaesu! - restore getSession accessibility in generic Auth context

• Updated dependencies []:

  • @​better-auth/core@​1.6.1
  • @​better-auth/drizzle-adapter@​1.6.1
  • @​better-auth/kysely-adapter@​1.6.1
  • @​better-auth/memory-adapter@​1.6.1
  • @​better-auth/mongo-adapter@​1.6.1
  • @​better-auth/prisma-adapter@​1.6.1
  • @​better-auth/telemetry@​1.6.1

v1.6.0

Compare Source

Minor Changes

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Add case-insensitive query support for database adapters

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Add optional version field to the plugin interface and expose version from all built-in plugins

Patch Changes

• #​8985 dd537cb Thanks @​gustavovalverde! - deprecate oidc-provider plugin in favor of @better-auth/oauth-provider

  The oidc-provider plugin now emits a one-time runtime deprecation warning when instantiated and is marked as @deprecated in TypeScript. It will be removed in the next major version. Migrate to @better-auth/oauth-provider.

• #​8843 bd9bd58 Thanks @​gustavovalverde! - enforce role-based authorization on SCIM management endpoints and normalize passkey ownership checks via shared authorization middleware

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Return additional user fields and session data from the magic-link verify endpoint

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Allow passwordless users to enable, disable, and manage two-factor authentication

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Prevent updateUser from overwriting unrelated username or displayUsername fields

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Use non-blocking scrypt for password hashing to avoid blocking the event loop

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Enforce username uniqueness when updating a user profile

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Align session fresh age calculation with creation time instead of update time

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Compare account cookie by provider accountId instead of internal id

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Trigger session signal after requesting email change in email-otp plugin

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Rethrow sendOTP failures in phone-number plugin instead of silently swallowing them

• #​8836 5dd9e44 Thanks @​gustavovalverde! - Read OAuth proxy callback parameters from request body when using form_post response mode

• #​8980 469eee6 Thanks @​bytaesu! - fix oauth state double-hashing when verification storeIdentifier is set to hashed

• #​8981 560230f Thanks @​bytaesu! - Prevent any from collapsing auth.$Infer and auth.$ERROR_CODES. Preserve client query typing when body is any.

• Updated dependencies [5dd9e44, 5dd9e44, 5dd9e44]:

  • @​better-auth/drizzle-adapter@​1.6.0
  • @​better-auth/kysely-adapter@​1.6.0
  • @​better-auth/memory-adapter@​1.6.0
  • @​better-auth/mongo-adapter@​1.6.0
  • @​better-auth/prisma-adapter@​1.6.0
  • @​better-auth/core@​1.6.0
  • @​better-auth/telemetry@​1.6.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
respondeo	Error		Apr 13, 2026 2:22pm
respondeo-docs	Ready	Preview, Comment	Apr 13, 2026 2:22pm