Sync Convex Better Auth fixes and support Better Auth 1.6.5

[zbeyens]

Summary

• add the sync-convex-auth audit skill for fork/upstream review work
• bump @convex-dev/better-auth to 0.11.4
• make registerRoutes lazy by default and require explicit basePath for non-default auth routes
• support better-auth@1.6.5 across kitcn, example, docs, and auth fixtures
• add local structural wrappers around Convex Better Auth plugin/client surfaces so Better Auth 1.6.x compiles before upstream catches up
• fix auth adapter composite index matching and accept Better Auth 1.6 Where.mode

Breaking changes

1. Custom auth routes now need an explicit basePath when using registerRoutes.
2. Supported Better Auth version moves from 1.5.3 to 1.6.5.

// Before
import { registerRoutes } from "kitcn/auth/http";

registerRoutes(http, getAuth, {
  cors: {
    allowedOrigins: [process.env.SITE_URL!],
  },
});

// After
import { registerRoutes } from "kitcn/auth/http";

registerRoutes(http, getAuth, {
  basePath: "/custom-auth",
  cors: {
    allowedOrigins: [process.env.SITE_URL!],
  },
});

# Before
bun add better-auth@1.5.3

# After
bun add better-auth@1.6.5

Notes

• auth scaffold and runtime lanes still print Better Auth's upstream oidc-provider deprecation warning through @convex-dev/better-auth@0.11.4
• the branch keeps the current published Convex Better Auth runtime and bypasses the stale type coupling locally inside kitcn

Verification

• bun test packages/kitcn/src/cli/supported-dependencies.test.ts packages/kitcn/src/cli/registry/dependencies.test.ts
• bun test packages/kitcn/src/auth-client/package-entrypoints.integration.test.tsx packages/kitcn/src/react/auth-mutations.test.tsx
• bun typecheck
• bun run fixtures:sync
• bun run fixtures:check
• bun check

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
better-convex	Ready	Preview, Comment	Apr 17, 2026 9:35am

[changeset-bot]

⚠️ No Changeset found

Latest commit: 10472f7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes changesets to release 2 packages

Name	Type
kitcn	Minor
@kitcn/resend	Minor

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 165e8fb35e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 909b10b426

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 544f0a9e72

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[zbeyens]

"No Changeset found"

Addressed: the PR now includes an updated unreleased changeset. The bot comment is stale and still reflects an earlier draft.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 85d34f9f3e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3c7cc2e78a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 20ae262dd5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f83601b54e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9e020b50d1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ec9f84518e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Ignore client-supplied forwarded-host override headers

restoreOriginalForwardedHeaders trusts x-better-auth-forwarded-host/proto from the incoming request and copies them into x-forwarded-host/proto without validating the request source. Because these headers are client-controllable on direct requests to the Convex auth endpoint, an attacker can spoof the effective origin seen by Better Auth (for redirects/callback URL construction and related host-based logic), which is a security regression introduced by this proxy-restore path.

Useful? React with 👍 / 👎.

[zbeyens]

an attacker can spoof the effective origin seen by Better Auth ... which is a security regression introduced by this proxy-restore path

Valid concern. I fixed the correctness regressions in this pass, but I’m leaving this thread open because the safe fix needs a real trust boundary for those preserved headers, not a heuristic that only looks secure.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 17f483784a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b5ddefe8c3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 10472f72ca

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve root basePath when resolving token endpoint

resolveConvexTokenPath currently treats basePath: "/" as the default case and rewrites it to "/api/auth", so token fetches go to /api/auth/convex/token instead of /convex/token. In deployments that intentionally mount Better Auth at root, server-side token refresh will hit the wrong route (404/unauthorized), breaking authenticated Next.js/TanStack Start calls despite an explicit basePath configuration.

Useful? React with 👍 / 👎.