* feat(mcp): add support for public clients with PKCE authentication
- Add conditional client authentication based on client type
- Support public clients using PKCE without client_secret requirement
- Add "none" to supported token endpoint authentication methods
- Make clientSecret optional in database schema for public clients
- Update client registration to handle public clients automatically
- Maintain backward compatibility with confidential clients
Fixes authentication issues with Claude.ai and other public OAuth clients
that use PKCE (Proof Key for Code Exchange) without client secrets.
Resolves#2813
* style: format code with prettier and fix trailing commas
* fix: resolve TypeScript errors in MCP plugin and tests
- Fix missing loginPage in oidcConfig for MCP tests
- Add type assertions for unknown response data types
- Handle optional clientSecret with null coalescing operators
- Update OIDC provider to support "none" auth method in metadata
- Fix type compatibility issues between public and confidential clients
* fix: resolve TypeScript, Vitest, and CI compatibility issues
- Fix missing loginPage in oidcConfig for MCP tests
- Add type assertions for unknown response data types
- Handle optional clientSecret with null coalescing operators
- Update OIDC provider to support "none" auth method in metadata
- Fix async describe callback to use synchronous setup with beforeAll
- Use ephemeral port allocation to prevent CI port conflicts
- Add explicit type annotations to avoid implicit any errors
* OpenAPI Schema Contract Fixed
* fix: resolve lint
* fix: ensure OAuth 2.0 spec compliance for public client registration
- Fix public client registration to omit client_secret field entirely
- Public clients now receive no client_secret property (was empty string)
- Maintains backward compatibility with confidential clients
- Addresses OAuth 2.0 Dynamic Client Registration (RFC 7591) requirements
* update docs
* remove any
* dont return secret on public client oidc
* remove any
* conditionally verify client secret
* update test
---------
Co-authored-by: Bereket Engida <Bekacru@gmail.com>
* refactor: remove useless variable assignment
* refactor: remove unused param
* docs: extend rate limit docs to include info about connecting ip address and how it's used
* fix: linting
* docs: Add guide for Sign In with Apple
* docs-feat: add apple JWT generator
* fix-lint: ran lint:fix to fix CI test
* chore: refactor to remove jose
* update docs
* chore: lock file
* fix test
---------
Co-authored-by: Bereket Engida <Bekacru@gmail.com>
* fix(email-verification): improve email verification logic to check session and user email consistency (#3042)
* docs(passkey): Fixed signIn passkey props (#3014)
callbackURL doesn't exist.
* fix(email-otp): auto-verify on email otp reset (#3022)
* fix: delete user should respect freshAge config (#3075)
* fix: delete user needs to enforced through fresh age
* cleanup
* cleanup
* chore(org): add comments explaining what shimContext does (#3098)
* feat: Allow passing `id` in DB hook `create` (#3048)
* feat(database-hooks): Allow passing `id` in DB hook `create`
It's the same to using a custom `idGenerator`, except configurable by the database hook which would in theory provide more data.
A use-case is to generate the id based on user info in the user before DB hook.
Solves https://discord.com/channels/1288403910284935179/1379190465588367540/1384217435535835216
* chore: lint
* fix: tests failing
* docs: basic errs with svg props (#3102)
* docs: corrected github user email scope name (#3099)
* docs: corrected github user email scope name
* docs: cubic dev suggestion
* fix: use correct refresh token endpoint for github (#3095)
* chore: fix typo in authorize comment (#3106)
* docs: fix session parameter spelling (#3108)
* docs: input field usage on additional fields (#2991)
* fix: onLinkAccount trigger on phone number verification (#3007)
* fix: expose headers override in jwt plugin (#3019)
* expose headers override in jwt plugin
* clean up
* lint
* fix(expo): remove duplicated trusted origins
* feat: link account with idToken (#1830)
* add idToken to link account
* add docs
* Implemented linking accounts based on idToken
* fix: tests
* docs: prevent diff
* docs: prevent diff
---------
Co-authored-by: kzlar <120426485+kzlar@users.noreply.github.com>
* feat: add Hugging Face provider (#3089)
* feat: add huggingface provider
* Add hugging face to doc
* chore: update hugging face logo
* chore: release v1.2.10
* docs: fix builder failing to open
* docs(NextJS): Improve middleware example to be more secure (#3135)
* docs(NextJS): Improve middleware example to be more secure
Users can skim code without reading the text, and LLMs can read code and miss-understand context correctly. Our current middleware example only checks for existence of a cookie, and doesn't validate it.
While we do warn users this isn't secure, some users has raised concern in a Github issue saying it's not obvious enough for users who skim.
Also we don't provide examples on how to authenticate users on each route, we only show middleware optimistic check examples.
* Update docs/content/docs/integrations/next.mdx
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
---------
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* fix(username): log the correct username (#3127)
* docs: fix typo in plugin (#3122)
* typo
* typo
* typo
* typo
* typo
* docs: fix typos on mcp guide (#3146)
* docs: update TanStack Start integration guide (#3142)
* fix(sveltekit): only dynamic import $app/environment once (#3152)
Co-authored-by: Work <work@Jasons-MacBook-Pro.local>
* docs: fix typo in oauth proxy documentation (#3151)
* blog: seed round announcement (#3168)
* init
* cleanup
* fix seed round announcemnt
* fix seed round announcemnt
* seed round blog
* add nav mobile
* fix typo
* Update docs/content/blogs/seed-round.mdx
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* Update docs/app/blog/[[...slug]]/page.tsx
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* Update docs/app/blog/[[...slug]]/page.tsx
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* update og
* cleanup
---------
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* docs: fix email address
* refactor(mongo-adapter): migrate to createAdapter (#3170)
In the past we didn't have mongoDb adapter move over to createAdapter since we've seen users running into issues.
However some time ago I've merged a PR which I believe fixed the issue, and after testing the org plugin with the mongo adapter that uses `createAdapter` I don't see any issues.
* fix(api-key): update should only use by ID
* docs: fix blog page layout (#3176)
* fix/blog-page-layouts
* clean up
* docs: update contact email in seed round blog
* init
* cleanup
* feat(better-auth): add test utilities and update dependencies
- Introduced a new test utility module in `src/test-utils/index.ts` for better testing support.
- Updated `package.json` to include new test utilities in the build configuration.
- Added `oauth2-mock-server` dependency to `pnpm-lock.yaml` and `sso/package.json` for OAuth2 testing.
- Enhanced the SSO provider registration process with improved error handling.
* docs update
---------
Co-authored-by: Maxwell <145994855+ping-maxwell@users.noreply.github.com>
Co-authored-by: KinfeMichael Tariku <65047246+Kinfe123@users.noreply.github.com>
Co-authored-by: Undefined Ninja <74867549+0xCodeMaieutics@users.noreply.github.com>
Co-authored-by: artemoire <18062266+artemoire@users.noreply.github.com>
Co-authored-by: reslear <12596485+reslear@users.noreply.github.com>
Co-authored-by: kzlar <120426485+kzlar@users.noreply.github.com>
Co-authored-by: Eliott C. <coyotte508@protonmail.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Alessandro Bortolin <bortolin.alessandro@outlook.it>
Co-authored-by: Lakshya Thakur <lapstjup@gmail.com>
Co-authored-by: Usman S. (Max Programming) <51731966+max-programming@users.noreply.github.com>
Co-authored-by: Jason Venable <jason.venable@gmail.com>
Co-authored-by: Work <work@Jasons-MacBook-Pro.local>
Co-authored-by: Dan McGrath <daniel.mcgrath9@gmail.com>
