From b381cac7aafd6aa53ef78b6ab771ebfa24643c80 Mon Sep 17 00:00:00 2001 From: Bereket Engida Date: Mon, 24 Feb 2025 21:56:39 +0300 Subject: [PATCH 1/4] fix(origin-check): add tests for callback URLs with malicious patterns --- .../src/api/middlewares/origin-check.test.ts | 30 +++++++++++++++++++ .../src/api/middlewares/origin-check.ts | 6 ++-- 2 files changed, 32 insertions(+), 4 deletions(-) diff --git a/packages/better-auth/src/api/middlewares/origin-check.test.ts b/packages/better-auth/src/api/middlewares/origin-check.test.ts index ebcae1ae9e..55a0c641d4 100644 --- a/packages/better-auth/src/api/middlewares/origin-check.test.ts +++ b/packages/better-auth/src/api/middlewares/origin-check.test.ts @@ -206,6 +206,36 @@ describe("Origin Check", async (it) => { expect(res.error?.status).toBe(403); }); + it("shouldn't work with callback url with malicious", async (ctx) => { + const client = createAuthClient({ + baseURL: "http://localhost:3000", + fetchOptions: { + customFetchImpl, + headers: { + origin: "https://localhost:3000", + }, + }, + }); + const res = await client.signIn.email({ + email: testUser.email, + password: testUser.password, + callbackURL: "/%5C/evil.com", + }); + expect(res.error?.status).toBe(403); + const res2 = await client.signIn.email({ + email: testUser.email, + password: testUser.password, + callbackURL: `/\/\/evil.com`, + }); + expect(res2.error?.status).toBe(403); + const res3 = await client.signIn.email({ + email: testUser.email, + password: testUser.password, + callbackURL: "/%5C/evil.com", + }); + expect(res3.error?.status).toBe(403); + }); + it("should work with GET requests", async (ctx) => { const client = createAuthClient({ baseURL: "https://sub-domain.my-site.com", diff --git a/packages/better-auth/src/api/middlewares/origin-check.ts b/packages/better-auth/src/api/middlewares/origin-check.ts index 6d0a85370a..b3144bd16f 100644 --- a/packages/better-auth/src/api/middlewares/origin-check.ts 
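Review bot: `res` and `res3` send the identical `callbackURL: "/%5C/evil.com"`, so the third request only repeats the first instead of covering another variant, and the second case's template literal resolves to `///evil.com` because `\/` inside a template literal is just `/` — if a raw-backslash form was intended the escape has to be doubled as `\\`. The title `"shouldn't work with callback url with malicious"` is also truncated; `"should reject callback URLs with an encoded or protocol-relative host"` says what the three cases check. One positive assertion in the same test, e.g. a plain `callbackURL: "/dashboard"` expected to succeed, would catch the tightened regex in origin-check.ts rejecting legitimate relative paths. The enclosing `describe` block starts and ends outside the hunk.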
+++ b/packages/better-auth/src/api/middlewares/origin-check.ts
@@ -49,8 +49,7 @@ export const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
 matchesPattern(url, origin) ||
 (url?.startsWith("/") &&
 label !== "origin" &&
- !url.includes(":") &&
- !url.includes("//")),
+ /^\/(?![\\/%])[\w\-./]*$/.test(url)),
 );
 if (!isTrustedOrigin) {
 ctx.context.logger.error(`Invalid ${label}: ${url}`);
@@ -107,8 +106,7 @@ export const originCheck = (
 matchesPattern(url, origin) ||
 (url?.startsWith("/") &&
 label !== "origin" &&
- !url.includes(":") &&
- !url.includes("//")),
+ /^\/(?![\\/%])[\w\-./]*$/.test(url)),
 );
 if (!isTrustedOrigin) {
 ctx.context.logger.error(`Invalid ${label}: ${url}`);
From ade3974ed55190dea167457ba3e1b3d885ce23b1 Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Mon, 24 Feb 2025 21:57:18 +0300
Subject: [PATCH 2/4] chore: release v1.1.21-beta.1
---
 packages/better-auth/package.json | 2 +-
 packages/cli/package.json | 2 +-
 packages/expo/package.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/better-auth/package.json b/packages/better-auth/package.json
index 1cd516ef49..d782f6cbcc 100644
--- a/packages/better-auth/package.json
+++ b/packages/better-auth/package.json
@@ -1,6 +1,6 @@
 {
 "name": "better-auth",
- "version": "1.1.20",
+ "version": "1.1.21-beta.1",
 "description": "The most comprehensive authentication library for TypeScript.",
 "type": "module",
 "repository": {
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 47e1295295..cbda8c8175 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@better-auth/cli",
- "version": "1.1.20",
+ "version": "1.1.21-beta.1",
 "description": "The CLI for Better Auth",
 "module": "dist/index.mjs",
 "repository": {
diff --git a/packages/expo/package.json b/packages/expo/package.json
index ce402d9ff0..93052138ef 100644
--- a/packages/expo/package.json
+++ b/packages/expo/package.json
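Review bot: The new character class `[\w\-./]*` (the same line recurs in the `@@ -107` hunk of `originCheck`) admits only word characters, `-`, `.` and `/`, so any relative callbackURL carrying a query string or a percent-encoded character — `/dashboard?tab=1`, `/caf%C3%A9` — is now rejected with a 403 where the old `includes(":")`/`includes("//")` checks accepted it; if callers pass such paths this is a breaking change rather than a hardening. The lookahead `(?![\\/%])` is the part that closes the `//`, `/\` and `/%` redirect forms, so the path body can be widened without weakening it, e.g. `/^\/(?![\\/%])[\w\-./]*(?:\?[\w\-./=&%]*)?$/.test(url)`, since a `%` inside the query can no longer turn the value into a host. Because the identical literal appears in both `originCheckMiddleware` and `originCheck`, hoist it into one module-level constant with a comment such as `// a leading "/" must not be followed by "/", "\" or "%": those encode protocol-relative or escaped-slash hosts` so the two copies cannot drift. Both enclosing functions start and end outside their hunks.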
@@ -1,6 +1,6 @@
 {
 "name": "@better-auth/expo",
- "version": "1.1.20",
+ "version": "1.1.21-beta.1",
 "description": "",
 "main": "dist/index.js",
 "module": "dist/index.mjs",
From ee0d6be5697f9633443f1fd7d4c32e80068edf71 Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Mon, 24 Feb 2025 22:11:55 +0300
Subject: [PATCH 3/4] fix(open-api): add authentication schemes
---
 .../src/plugins/open-api/generator.ts | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/packages/better-auth/src/plugins/open-api/generator.ts b/packages/better-auth/src/plugins/open-api/generator.ts
index 2f8fffce9e..0f33e70f9a 100644
--- a/packages/better-auth/src/plugins/open-api/generator.ts
+++ b/packages/better-auth/src/plugins/open-api/generator.ts
@@ -426,10 +426,26 @@ export async function generator(ctx: AuthContext, options: BetterAuthOptions) {
 description: "API Reference for your Better Auth Instance",
 version: "1.1.0",
 },
- components,
+ components: {
+ ...components,
+ securitySchemes: {
+ apiKeyCookie: {
+ type: "apiKey",
+ in: "cookie",
+ name: "apiKeyCookie",
+ description: "API Key authentication via cookie",
+ },
+ bearerAuth: {
+ type: "http",
+ scheme: "bearer",
+ description: "Bearer token authentication",
+ },
+ },
+ },
 security: [
 {
 apiKeyCookie: [],
+ bearerAuth: [],
 },
 ],
 servers: [
From 4c5f0c279f2c6ebb97df8b1be01fade4d08d9f26 Mon Sep 17 00:00:00 2001
From: Bereket Engida
Date: Mon, 24 Feb 2025 22:13:05 +0300
Subject: [PATCH 4/4] chore: release v1.1.21
---
 packages/better-auth/package.json | 2 +-
 packages/cli/package.json | 2 +-
 packages/expo/package.json | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/better-auth/package.json b/packages/better-auth/package.json
index d782f6cbcc..cfc6b5a8fb 100644
--- a/packages/better-auth/package.json
+++ b/packages/better-auth/package.json
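Review bot: The added `bearerAuth: []` sits in the same security-requirement object as `apiKeyCookie: []`, and in OpenAPI the keys of one object are ANDed, so the document now declares that every operation needs both a cookie and a bearer token; alternatives must be separate objects, `security: [{ apiKeyCookie: [] }, { bearerAuth: [] }]`. The cookie scheme's `name: "apiKeyCookie"` is the scheme key rather than the cookie the server actually reads, so generated clients will send the wrong cookie — the real session cookie name should come from `ctx` (presumably `ctx.authCookies.sessionToken.name`; confirm), and `description: "API Key authentication via cookie"` mislabels what is a session cookie. A short comment above `securitySchemes`, e.g. `// cookie (browser) and bearer (non-browser) are alternative, not combined, requirements`, would keep the next editor from re-merging them. The enclosing `generator` function starts and ends outside the hunk.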
@@ -1,6 +1,6 @@
 {
 "name": "better-auth",
- "version": "1.1.21-beta.1",
+ "version": "1.1.21",
 "description": "The most comprehensive authentication library for TypeScript.",
 "type": "module",
 "repository": {
diff --git a/packages/cli/package.json b/packages/cli/package.json
index cbda8c8175..832a99f78d 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@better-auth/cli",
- "version": "1.1.21-beta.1",
+ "version": "1.1.21",
 "description": "The CLI for Better Auth",
 "module": "dist/index.mjs",
 "repository": {
diff --git a/packages/expo/package.json b/packages/expo/package.json
index 93052138ef..48a3687f46 100644
--- a/packages/expo/package.json
+++ b/packages/expo/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@better-auth/expo",
- "version": "1.1.21-beta.1",
+ "version": "1.1.21",
 "description": "",
 "main": "dist/index.js",
 "module": "dist/index.mjs",