Skip to content

[VW-364] Upgrade better-auth to 1.6.23 to clear critical audit advisory#153

Open
markglose-bc wants to merge 2 commits into
mainfrom
audit-fix
Open

[VW-364] Upgrade better-auth to 1.6.23 to clear critical audit advisory#153
markglose-bc wants to merge 2 commits into
mainfrom
audit-fix

Conversation

@markglose-bc

@markglose-bc markglose-bc commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

better-auth advisory was resolved in 1.6.11

upgrading from 1.4.9 to 1.6.23 had breaking changes, so I split it out into this PR

mainly

Extracted the API-key plugin into a separate package → @better-auth/api-key
Renamed the key's owner column userId → referenceId and added a required configId

Summary by CodeRabbit

  • New Features

    • Added support for the latest API key authentication package.
  • Bug Fixes

    • Updated API key ownership and listing to use the latest account linkage fields.
    • Improved API key deletion so only the owning account can remove a key.
    • Kept existing API key data intact while updating the underlying schema.
  • Chores

    • Upgraded authentication-related dependencies to newer versions.

@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
viper Ready Ready Preview, Comment Jul 8, 2026 8:30pm
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
viper-demo Ignored Ignored Jul 8, 2026 8:30pm

Request Review

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR upgrades better-auth to 1.6.23 and adds the @better-auth/api-key package. It renames the Apikey model's userId field to referenceId, adds a configId field with a migration, and updates auth imports, tRPC context, and router ownership checks accordingly.

Changes

Better-auth v1.6.x api-key migration

Layer / File(s) Summary
Dependency upgrade
package.json
Adds @better-auth/api-key at version 1.6.23 and bumps better-auth from 1.4.9 to 1.6.23.
Apikey schema and migration
prisma/schema.prisma, prisma/migrations/20260709120000_apikey_reference_id/migration.sql
Renames userId to referenceId in the Apikey model and underlying table, renames the foreign key, adds a configId field/column defaulting to "default", and adds an index on referenceId.
Plugin import updates
src/lib/auth.ts, src/lib/auth-client.ts
Updates apiKey and apiKeyClient imports to come from @better-auth/api-key and @better-auth/api-key/client respectively.
Application usage of referenceId
src/trpc/init.ts, src/features/user/server/routers.ts, scripts/create-test-api-key.ts
Updates protectedProcedure to set ctx.auth.user.id from key.referenceId, changes userRouter filters and ownership checks (getManyApiTokens, removeApiToken) to use referenceId, and updates the test script's cleanup filter.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • PATCH-UPGRADE/viper#20: Both PRs modify the API-key authentication logic in src/trpc/init.ts's protectedProcedure, related to injecting auth context from a verified API key.

Suggested reviewers: 0xcad, timrcm

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: upgrading better-auth to 1.6.23 to address a critical audit advisory.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch audit-fix

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@markglose-bc markglose-bc changed the title [VW-0] ci: trigger pipeline to verify audit issue [VW-364] Upgrade better-auth to 1.6.23 to clear critical audit advisory Jul 8, 2026
@markglose-bc markglose-bc marked this pull request as ready for review July 8, 2026 20:30

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
prisma/migrations/20260709120000_apikey_reference_id/migration.sql (1)

15-15: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Consider CREATE INDEX CONCURRENTLY for production deployments.

The standard CREATE INDEX blocks writes for the duration of index creation. If the apikey table is large in production, use CONCURRENTLY to avoid write blocking. Since Prisma wraps migrations in a transaction by default, you'll need to add the -- -- prisma-migrate-disable-transaction directive at the top of the file.

♻️ Proposed refactor for concurrent index creation
+-- -- prisma-migrate-disable-transaction
 -- better-auth's `@better-auth/api-key` 1.6.x plugin renames the owner column
 -- `userId` -> `referenceId` and adds a required `configId`. Rename (not
 -- drop/add) so existing keys are preserved.
 
 -- RenameColumn
 ALTER TABLE "apikey" RENAME COLUMN "userId" TO "referenceId";
 
 -- RenameForeignKey
 ALTER TABLE "apikey" RENAME CONSTRAINT "apikey_userId_fkey" TO "apikey_referenceId_fkey";
 
 -- AddColumn
 ALTER TABLE "apikey" ADD COLUMN "configId" TEXT NOT NULL DEFAULT 'default';
 
 -- CreateIndex
-CREATE INDEX "apikey_referenceId_idx" ON "apikey"("referenceId");
+CREATE INDEX CONCURRENTLY "apikey_referenceId_idx" ON "apikey"("referenceId");

Note: CONCURRENTLY cannot run inside a transaction, so the directive is required. Also, if a previous apikey_userId_idx exists, add DROP INDEX "apikey_userId_idx"; before creating the new index.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@prisma/migrations/20260709120000_apikey_reference_id/migration.sql` at line
15, The index creation for the apikey referenceId migration should be made
non-blocking for production by switching the existing `CREATE INDEX` in the
migration to a concurrent index build. Update the migration file to include the
Prisma transaction-disabling directive, use `CREATE INDEX CONCURRENTLY` for
`apikey_referenceId_idx`, and if the old `apikey_userId_idx` still exists, drop
it before creating the new index so the migration can run safely outside a
transaction.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@prisma/migrations/20260709120000_apikey_reference_id/migration.sql`:
- Line 15: The index creation for the apikey referenceId migration should be
made non-blocking for production by switching the existing `CREATE INDEX` in the
migration to a concurrent index build. Update the migration file to include the
Prisma transaction-disabling directive, use `CREATE INDEX CONCURRENTLY` for
`apikey_referenceId_idx`, and if the old `apikey_userId_idx` still exists, drop
it before creating the new index so the migration can run safely outside a
transaction.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ab143c92-1e13-43f7-b27e-53eabbc066a7

📥 Commits

Reviewing files that changed from the base of the PR and between 8a6406d and 18db60f.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (8)
  • package.json
  • prisma/migrations/20260709120000_apikey_reference_id/migration.sql
  • prisma/schema.prisma
  • scripts/create-test-api-key.ts
  • src/features/user/server/routers.ts
  • src/lib/auth-client.ts
  • src/lib/auth.ts
  • src/trpc/init.ts

@markglose-bc markglose-bc self-assigned this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant