Skip to content

feat(core): add publicEndpoints plugin capability for well-known endpoints#7524

Closed
gustavovalverde wants to merge 1 commit intobetter-auth:canaryfrom
gustavovalverde:feat/public-endpoints-infrastructure
Closed

feat(core): add publicEndpoints plugin capability for well-known endpoints#7524
gustavovalverde wants to merge 1 commit intobetter-auth:canaryfrom
gustavovalverde:feat/public-endpoints-infrastructure

Conversation

@gustavovalverde
Copy link
Contributor

@gustavovalverde gustavovalverde commented Jan 21, 2026
edited by cubic-dev-ai bot
Loading

Summary

Adds publicEndpoints plugin capability for RFC 8414 / OIDC Discovery compliance.

This allows plugins to register endpoints at the origin root (e.g., /.well-known/openid-configuration) instead of under the basePath (e.g., /api/auth/.well-known/...).

Important clarification: This does NOT mount Better Auth at root. Only /.well-known/* paths are intercepted by the main handler and routed to the public router. All other endpoints remain at the configured basePath.

Closes #7453

Changes

  • Add publicEndpoints field to BetterAuthPlugin type
  • Add publicRouter that mounts at / instead of basePath
  • Auto-route /.well-known/* in main handler to publicRouter
  • Export optional publicHandler and publicApi on auth object
  • Add conflict detection for public endpoints

How It Works

  1. Plugins can define publicEndpoints alongside regular endpoints
  2. The main handler automatically routes /.well-known/* requests to the public router
  3. publicHandler and publicApi are only defined when plugins actually use publicEndpoints
  4. Existing behavior is completely unchanged - no breaking changes

Example Usage

const myPlugin = {
  id: "my-plugin",
  // Regular endpoints at basePath (e.g., /api/auth/my-endpoint)
  endpoints: {
    myEndpoint: createAuthEndpoint("/my-endpoint", ...)
  },
  // Public endpoints at root (e.g., /.well-known/my-config)  
  publicEndpoints: {
    wellKnownConfig: createAuthEndpoint("/.well-known/my-config", ...)
  }
};

Test Plan

  • New tests for publicEndpoints functionality (11 tests)
  • Existing to-auth-endpoints tests pass (34 tests)
  • Existing check-endpoint-conflicts tests pass (13 tests)
  • TypeScript types check
  • Lint passes

Summary by cubic

Adds publicEndpoints so plugins can serve well-known routes at the origin root (/.well-known/*) while keeping all other endpoints under basePath. When used, the auth instance exposes a dedicated public router and API.

  • New Features

    • publicEndpoints on BetterAuthPlugin; new publicRouter mounts at /, and the main handler auto-routes /.well-known/*.
    • publicHandler and publicApi are exposed only when at least one plugin defines publicEndpoints.
    • Detects and logs conflicts for public paths and HTTP methods; types updated to include publicEndpoints, publicHandler, and publicApi.

  • Bug Fixes

    • After hooks can return void/null/undefined without modifying the response.
    • Safer per-request context for dynamic baseURL (recomputes trusted origins/providers and cookies; resolves base URL on first request for static configs).

Written for commit 8f0116d. Summary will update on new commits.

Copilot AI review requested due to automatic review settings January 21, 2026 11:58
@vercel
Copy link

vercel bot commented Jan 21, 2026

@gustavovalverde is attempting to deploy a commit to the better-auth Team on Vercel.

A member of the Team first needs to authorize it.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Jan 21, 2026
edited
Loading

Open in StackBlitz

@better-auth/api-key

npm i https://pkg.pr.new/@better-auth/api-key@7524

better-auth

npm i https://pkg.pr.new/better-auth@7524

auth

npm i https://pkg.pr.new/auth@7524

@better-auth/core

npm i https://pkg.pr.new/@better-auth/core@7524

@better-auth/drizzle-adapter

npm i https://pkg.pr.new/@better-auth/drizzle-adapter@7524

@better-auth/electron

npm i https://pkg.pr.new/@better-auth/electron@7524

@better-auth/expo

npm i https://pkg.pr.new/@better-auth/expo@7524

@better-auth/i18n

npm i https://pkg.pr.new/@better-auth/i18n@7524

@better-auth/kysely-adapter

npm i https://pkg.pr.new/@better-auth/kysely-adapter@7524

@better-auth/memory-adapter

npm i https://pkg.pr.new/@better-auth/memory-adapter@7524

@better-auth/mongo-adapter

npm i https://pkg.pr.new/@better-auth/mongo-adapter@7524

@better-auth/oauth-provider

npm i https://pkg.pr.new/@better-auth/oauth-provider@7524

@better-auth/passkey

npm i https://pkg.pr.new/@better-auth/passkey@7524

@better-auth/prisma-adapter

npm i https://pkg.pr.new/@better-auth/prisma-adapter@7524

@better-auth/redis-storage

npm i https://pkg.pr.new/@better-auth/redis-storage@7524

@better-auth/scim

npm i https://pkg.pr.new/@better-auth/scim@7524

@better-auth/sso

npm i https://pkg.pr.new/@better-auth/sso@7524

@better-auth/stripe

npm i https://pkg.pr.new/@better-auth/stripe@7524

@better-auth/telemetry

npm i https://pkg.pr.new/@better-auth/telemetry@7524

@better-auth/test-utils

npm i https://pkg.pr.new/@better-auth/test-utils@7524

commit: 8f0116d

Copilot AI reviewed Jan 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a publicEndpoints capability to the Better Auth plugin system, enabling plugins to register endpoints at the origin root (e.g., /.well-known/openid-configuration) instead of under the configured basePath. This is necessary for RFC 8414 / OIDC Discovery compliance which requires well-known endpoints at specific root-level paths.

Changes:

  • Added publicEndpoints field to BetterAuthPlugin type for defining root-level endpoints
  • Implemented publicRouter that mounts at / and auto-routing logic in main handler for /.well-known/* paths
  • Exposed optional publicHandler and publicApi on auth object when plugins use public endpoints
  • Added conflict detection for public endpoints with proper error messaging
  • Refactored context resolution into reusable function

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 9 comments.

Show a summary per file
File Description
packages/core/src/types/plugin.ts Added publicEndpoints optional field to BetterAuthPlugin type definition
packages/better-auth/src/types/auth.ts Added optional publicHandler and publicApi fields to Auth type, imported publicRouter type
packages/better-auth/src/auth/base.ts Implemented auto-routing for .well-known/* paths, added publicHandler initialization, refactored context resolution
packages/better-auth/src/api/to-auth-endpoints.ts Enhanced response detection logic and added null check for hook results
packages/better-auth/src/api/index.ts Added publicRouter function, enhanced conflict detection for public endpoints, refactored router creation
packages/better-auth/src/api/public-endpoints.test.ts Comprehensive test suite (11 tests) covering public endpoint functionality

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Jan 21, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 6 files

@gustavovalverde gustavovalverde mentioned this pull request Jan 21, 2026
Closed
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Jan 21, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 7 files

Copilot AI reviewed Jan 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@gustavovalverde gustavovalverde force-pushed the feat/public-endpoints-infrastructure branch 3 times, most recently from 1e50cb0 to 71d8fd1 Compare February 6, 2026 11:18
@gustavovalverde gustavovalverde force-pushed the feat/public-endpoints-infrastructure branch 3 times, most recently from 0d28aca to 1952da7 Compare February 24, 2026 14:10
@CLAassistant
Copy link

CLAassistant commented Feb 25, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@dosubot dosubot bot mentioned this pull request Mar 3, 2026
Open
@gustavovalverde gustavovalverde force-pushed the feat/public-endpoints-infrastructure branch from 1952da7 to 737971a Compare March 7, 2026 22:29
@vercel vercel bot temporarily deployed to Preview – better-auth March 7, 2026 22:29 Inactive
@vercel
Copy link

vercel bot commented Mar 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
better-auth Skipped Skipped Mar 7, 2026 10:29pm

Request Review

@gustavovalverde gustavovalverde force-pushed the feat/public-endpoints-infrastructure branch from 737971a to b56f307 Compare March 20, 2026 01:25
@gustavovalverde gustavovalverde force-pushed the feat/public-endpoints-infrastructure branch from b56f307 to 8f0116d Compare March 20, 2026 20:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@Bekacru Bekacru Awaiting requested review from Bekacru Bekacru is a code owner

@himself65 himself65 Awaiting requested review from himself65

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

oauth-provider: well-known endpoints should be mountable at origin root for spec compliance

4 participants

@gustavovalverde @CLAassistant @himself65