@better-auth/core - npm Package Compare versions

Comparing version
1.6.13
to
1.6.14
+1
-1
dist/context/global.mjs

@@ -5,3 +5,3 @@ //#region src/context/global.ts

const __context = {};
const __betterAuthVersion = "1.6.13";
const __betterAuthVersion = "1.6.14";
/**

@@ -8,0 +8,0 @@ * We store context instance in the globalThis.

@@ -5,3 +5,3 @@ import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";

const INSTRUMENTATION_SCOPE = "better-auth";
const INSTRUMENTATION_VERSION = "1.6.13";
const INSTRUMENTATION_VERSION = "1.6.14";
/**

@@ -8,0 +8,0 @@ * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth

@@ -9,2 +9,3 @@ import * as z from "zod";

* - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
* - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
* - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,

@@ -11,0 +12,0 @@ * `*.localhost` per RFC 6761), where HTTP is allowed for local development.

@@ -10,2 +10,3 @@ import { isLoopbackHost } from "./host.mjs";

* - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
* - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
* - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,

@@ -20,3 +21,6 @@ * `*.localhost` per RFC 6761), where HTTP is allowed for local development.

const SafeUrlSchema = z.url().superRefine((val, ctx) => {
if (!URL.canParse(val)) {
let u;
try {
u = new URL(val);
} catch {
ctx.addIssue({

@@ -29,3 +33,2 @@ code: "custom",

}
const u = new URL(val);
if (DANGEROUS_URL_SCHEMES.includes(u.protocol)) {

@@ -38,2 +41,6 @@ ctx.addIssue({

}
if (val.includes("#")) ctx.addIssue({
code: "custom",
message: "Redirect URI must not contain a fragment component"
});
if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({

@@ -40,0 +47,0 @@ code: "custom",

@@ -51,6 +51,11 @@ //#region src/utils/url.ts

function isSafeUrlScheme(value) {
if (!URL.canParse(value)) return true;
return !DANGEROUS_URL_SCHEMES.includes(new URL(value).protocol);
let parsed;
try {
parsed = new URL(value);
} catch {
return true;
}
return !DANGEROUS_URL_SCHEMES.includes(parsed.protocol);
}
//#endregion
export { DANGEROUS_URL_SCHEMES, isSafeUrlScheme, normalizePathname };
{
"name": "@better-auth/core",
"version": "1.6.13",
"version": "1.6.14",
"description": "The most comprehensive authentication framework for TypeScript.",

@@ -5,0 +5,0 @@ "type": "module",

@@ -10,2 +10,3 @@ import * as z from "zod";

* - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
* - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
* - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,

@@ -20,3 +21,6 @@ * `*.localhost` per RFC 6761), where HTTP is allowed for local development.

export const SafeUrlSchema = z.url().superRefine((val, ctx) => {
if (!URL.canParse(val)) {
let u: URL;
try {
u = new URL(val);
} catch {
ctx.addIssue({

@@ -30,4 +34,2 @@ code: "custom",

const u = new URL(val);
if (DANGEROUS_URL_SCHEMES.includes(u.protocol)) {

@@ -41,2 +43,9 @@ ctx.addIssue({

if (val.includes("#")) {
ctx.addIssue({
code: "custom",
message: "Redirect URI must not contain a fragment component",
});
}
if (u.protocol === "http:" && !isLoopbackHost(u.host)) {

@@ -43,0 +52,0 @@ ctx.addIssue({

@@ -63,7 +63,10 @@ /**

export function isSafeUrlScheme(value: string): boolean {
if (!URL.canParse(value)) {
let parsed: URL;
try {
parsed = new URL(value);
} catch {
// Relative URLs carry no scheme to abuse.
return true;
}
return !DANGEROUS_URL_SCHEMES.includes(new URL(value).protocol);
return !DANGEROUS_URL_SCHEMES.includes(parsed.protocol);
}
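Review bot: The new body of `isSafeUrlScheme` (`let parsed: URL; try { parsed = new URL(value); } catch { return true; }`) and the `SafeUrlSchema` refine earlier in this file (`let u: URL; try { u = new URL(val); } catch { ctx.addIssue({ …`) now hand-roll the same parse-or-bail replacement for `URL.canParse`, presumably for runtimes that lack it; a single `tryParseUrl(value): URL | undefined` helper would keep the two checks from drifting, since both feed the same `DANGEROUS_URL_SCHEMES` test. The catch comment `// Relative URLs carry no scheme to abuse.` understates what the branch accepts: any string `new URL` rejects, including a malformed absolute URL, is reported safe, which matches the old `canParse` path but is worth saying, e.g. `// Anything URL cannot parse (relative references, malformed absolute URLs) has no scheme of its own, so it cannot name a dangerous one.` In the schema refine the catch body continues outside the hunk; with `let u: URL;` that branch must leave the callback after `ctx.addIssue` (a bare `return;`), otherwise `u` is read before assignment when the scheme and host checks below run. Sketch of the helper and its use in `isSafeUrlScheme`:
```typescript
/** Parses `value` as an absolute URL; undefined when the URL parser rejects it. */
function tryParseUrl(value: string): URL | undefined {
  try {
    return new URL(value);
  } catch {
    return undefined;
  }
}

export function isSafeUrlScheme(value: string): boolean {
  const parsed = tryParseUrl(value);
  // Anything URL cannot parse (relative references, malformed absolute URLs)
  // has no scheme of its own, so it cannot name a dangerous one.
  if (parsed === undefined) return true;
  return !DANGEROUS_URL_SCHEMES.includes(parsed.protocol);
}
```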