Weave Code
Symfony Bundle Laravel Package

betterauth/symfony-bundle

0.0.20

Security

  • Brute-force protection on login. CredentialsController::login() and login2fa() are now rate-limited (5 attempts / 15 min per IP+email) before the manual password/TOTP checks. Previously the rate limiter was only reached after a successful password, leaving password and TOTP brute-force unbounded.
  • Open-redirect / token exfiltration fixed. Magic-link and email-verification endpoints validate the user-supplied callbackUrl against the trusted frontend origin before embedding it in the emailed link (returns 400 on a foreign host).
  • Session tokens hashed at rest. DoctrineSessionRepository stores sha256(token) and looks up by hash. A DB read no longer yields usable session tokens.
  • TOTP secret encryption at rest. DoctrineTotpRepository encrypts the TOTP seed with AES-256-GCM, keyed from %better_auth.secret%.
  • Refresh token replaced_by hashed for consistency (no raw replacement token stored).
  • Cookie security flags declared. cookie_secure / cookie_http_only / cookie_same_site are now part of the configuration tree (the recipe shipped them but they were undeclared, which could break boot or silently drop them). Secure defaults: true / true / lax.

Changed

  • Session-mode auth responses no longer duplicate the session token as refresh_token (it is now null — session mode has no separate rotatable credential).
  • Emails are masked in failure logs (ke***@domain) to avoid leaking PII into centralized logs.
  • QueryParameterTokenExtractor documentation strengthened; it remains off by default (not part of the default ChainTokenExtractor).

Migration notes

  • Existing data migrates automatically and transparently after deploy — no manual step, no forced logout. When the patched code goes live (e.g. via composer update):
    • legacy plaintext session rows are rehashed in place on first access;
    • legacy plaintext TOTP secrets are re-encrypted in place on first access (the enc:v1: marker distinguishes encrypted from legacy values).
  • A literal composer install hook is intentionally not used: dependency composer scripts do not run in the consumer project, and auto-running DB migrations at build time would break CI. The self-migrating repositories achieve the same result safely.
  • Keep BETTER_AUTH_SECRET stable — rotating it makes already-encrypted TOTP secrets unreadable.
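The encryption-at-rest and first-access migration described in the Security and Migration notes above, as an added PHP 8 illustration that is not the bundle's own code: the class name, the SHA-256 key derivation from the secret, the use of the enc:v1: marker as GCM associated data, and the in-memory array standing in for the Doctrine table are all assumptions.

```php
<?php
// Hypothetical stand-in for DoctrineTotpRepository; an in-memory array replaces the DB table.
final class TotpSecretVault
{
    private const MARKER = 'enc:v1:';   // marks encrypted rows; legacy rows hold the bare base32 seed
    private string $key;
    /** @param array<int,string> $rows constructed sample rows keyed by user id */
    public function __construct(string $appSecret, private array $rows)
    {
        // ASSUMPTION: 32-byte key derived from BETTER_AUTH_SECRET; the bundle's real KDF is not shown.
        $this->key = hash('sha256', $appSecret, true);
    }

    public function encrypt(string $seed): string
    {
        $iv  = random_bytes(12);   // fresh 96-bit nonce per encryption; never reuse under one key
        $tag = '';
        // ASSUMPTION: the marker is bound as AAD so a blob only authenticates under its own format version
        $ct = openssl_encrypt($seed, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag, self::MARKER, 16);
        if ($ct === false) { throw new RuntimeException('encryption failed'); }
        return self::MARKER . base64_encode($iv . $tag . $ct);
    }

    public function decrypt(string $stored): string
    {
        $raw = base64_decode(substr($stored, strlen(self::MARKER)), true);
        if ($raw === false || strlen($raw) < 28) { throw new RuntimeException('malformed ciphertext'); }
        [$iv, $tag, $ct] = [substr($raw, 0, 12), substr($raw, 12, 16), substr($raw, 28)];
        $seed = openssl_decrypt($ct, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag, self::MARKER);
        // A GCM tag mismatch means the secret was rotated or the row was tampered with.
        if ($seed === false) { throw new RuntimeException('TOTP secret unreadable'); }
        return $seed;
    }

    /** Read a seed; a legacy plaintext row is re-encrypted in place on first access. */
    public function seedFor(int $userId): string
    {
        $value = $this->rows[$userId];
        if (str_starts_with($value, self::MARKER)) {
            return $this->decrypt($value);
        }
        $this->rows[$userId] = $this->encrypt($value);   // self-migrating write-back
        return $value;
    }

    public function rawRow(int $userId): string { return $this->rows[$userId]; }
}

$vault = new TotpSecretVault('dev-only-secret', [1 => 'JBSWY3DPEHPK3PXP']);  // constructed sample row
assert($vault->seedFor(1) === 'JBSWY3DPEHPK3PXP');       // first read returns the plaintext and migrates it
assert(str_starts_with($vault->rawRow(1), 'enc:v1:'));   // the row is now ciphertext at rest
assert($vault->seedFor(1) === 'JBSWY3DPEHPK3PXP');       // second read decrypts
```

The marker check is unambiguous because a base32 seed never contains a colon; a vault built with a different secret fails the tag check on decrypt, which is exactly the failure the note about rotating BETTER_AUTH_SECRET warns of.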
0.0.19
  • See git history.