Better-Auth Security Overhaul: Shared Authorization Middleware Fixes IDOR Pattern Across Plugins
A security refactor within the Better-Auth library exposes a systemic vulnerability pattern: the core `createAuthEndpoint` function authenticates the caller but offers no built-in authorization primitives. That architectural gap has left every plugin to reinvent ownership and role checks on its own, inconsistently, which has produced a series of Insecure Direct Object Reference (IDOR) vulnerabilities. The current fix addresses two remaining unpatched flaws and normalizes an earlier patch in the passkey plugin, with the aim of eliminating the recurring risk at its source rather than one advisory at a time.
The solution introduces a canonical, shared authorization layer. Two new composable middleware functions are exported from `better-auth/api`: `requireResourceOwnership` and `requireOrgRole`. The ownership middleware fetches a resource by the ID carried in the request, verifies that the configured `ownerField` matches the session user's ID, and attaches the verified resource to the context, so the handler operates on the object the middleware checked rather than re-fetching by a client-supplied ID. The organization role middleware looks up the caller's membership in the target organization and validates its role against a comma-delimited list of permitted roles. Both are designed for customization, allowing plugins to keep their domain-specific error codes while adhering to a single security model.
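To make the pattern concrete, here is an added example (not Better-Auth's own code or exports) that implements the two guards described above in the same shape: an ownership middleware that loads a resource, compares an owner field to the session user and attaches the result to the context, and an org-role middleware that checks membership against a comma-delimited role list. The context shape, option names (`idParam`, `ownerField`, `contextKey`, `load`, `findMembership`), the `AuthError` class and the in-memory sample data are all assumptions for the illustration; the endpoint handlers `cancelSubscription` and `rotateScimToken` are hypothetical.

```typescript
// Added example (not Better-Auth's own code): a minimal version of the ownership
// and org-role guards described above. Context shape, option names and data are assumed.
type Ctx = { params: Record<string, string>; session: { user: { id: string } } | null; context: Record<string, unknown> };
type Resource = Record<string, unknown> & { id: string };
type Membership = { userId: string; organizationId: string; role: string };
type Middleware = (ctx: Ctx) => void;
type Outcome = { status: number; code?: string; id?: string };

class AuthError extends Error {
  status: number; code: string;
  constructor(status: number, code: string) { super(code); this.status = status; this.code = code; }
}

// Ownership guard: load the resource named in the route, compare its owner field to the
// session user, and expose the verified resource on ctx.context for the handler.
function requireResourceOwnership(opts: {
  idParam: string; ownerField: string; contextKey: string;
  load: (id: string) => Resource | undefined;
  notFoundCode?: string;  // plugin-specific code, preserved from the old per-plugin checks
  forbiddenCode?: string; // if omitted, someone else's resource is reported as not found
}): Middleware {
  return (ctx) => {
    const session = ctx.session;
    if (!session) throw new AuthError(401, "UNAUTHORIZED");
    const id = ctx.params[opts.idParam];
    if (!id) throw new AuthError(400, "MISSING_ID");
    const resource = opts.load(id);
    if (!resource) throw new AuthError(404, opts.notFoundCode ?? "NOT_FOUND");
    if (resource[opts.ownerField] !== session.user.id) {
      // Default to the not-found response so callers cannot probe which IDs exist.
      if (opts.forbiddenCode) throw new AuthError(403, opts.forbiddenCode);
      throw new AuthError(404, opts.notFoundCode ?? "NOT_FOUND");
    }
    ctx.context[opts.contextKey] = resource;
  };
}

// Org-role guard: resolve the caller's membership in the org named in the route and
// require one of the comma-delimited roles (whitespace around entries is tolerated).
function requireOrgRole(opts: {
  roles: string; orgIdParam: string; // roles e.g. "owner,admin"
  findMembership: (userId: string, orgId: string) => Membership | undefined;
  forbiddenCode?: string;
}): Middleware {
  const allowed = new Set(opts.roles.split(",").map((r) => r.trim()).filter((r) => r.length > 0));
  return (ctx) => {
    const session = ctx.session;
    if (!session) throw new AuthError(401, "UNAUTHORIZED");
    const orgId = ctx.params[opts.orgIdParam];
    if (!orgId) throw new AuthError(400, "MISSING_ORG_ID");
    const membership = opts.findMembership(session.user.id, orgId);
    // Non-members and members with an unlisted role get the same answer.
    if (!membership || !allowed.has(membership.role)) throw new AuthError(403, opts.forbiddenCode ?? "FORBIDDEN");
    ctx.context.membership = membership;
  };
}

// Constructed sample data standing in for the database adapter.
const subscriptions: Resource[] = [
  { id: "sub_1", ownerId: "user_alice", plan: "pro" },
  { id: "sub_2", ownerId: "user_bob", plan: "team" },
];
const memberships: Membership[] = [
  { userId: "user_alice", organizationId: "org_1", role: "admin" },
  { userId: "user_bob", organizationId: "org_1", role: "member" },
];

// Build a request context, run a guard, and turn an AuthError into an HTTP-style outcome.
function runGuard(guard: Middleware, userId: string | null, params: Record<string, string>): { ctx: Ctx; denied: Outcome | null } {
  const ctx: Ctx = { params, session: userId ? { user: { id: userId } } : null, context: {} };
  try {
    guard(ctx);
    return { ctx, denied: null };
  } catch (e) {
    if (e instanceof AuthError) return { ctx, denied: { status: e.status, code: e.code } };
    throw e;
  }
}

// Hypothetical "cancel subscription" endpoint: the handler only sees a subscription the caller owns.
function cancelSubscription(userId: string | null, subscriptionId: string): Outcome {
  const guard = requireResourceOwnership({
    idParam: "subscriptionId", ownerField: "ownerId", contextKey: "subscription",
    load: (id) => subscriptions.find((s) => s.id === id),
    notFoundCode: "SUBSCRIPTION_NOT_FOUND",
  });
  const { ctx, denied } = runGuard(guard, userId, { subscriptionId });
  if (denied) return denied;
  return { status: 200, id: (ctx.context.subscription as Resource).id };
}

// Hypothetical "rotate SCIM token" endpoint: only org owners and admins may call it.
function rotateScimToken(userId: string | null, organizationId: string): Outcome {
  const guard = requireOrgRole({
    roles: "owner, admin", orgIdParam: "organizationId",
    findMembership: (u, o) => memberships.find((m) => m.userId === u && m.organizationId === o),
    forbiddenCode: "SCIM_ROLE_REQUIRED",
  });
  const { denied } = runGuard(guard, userId, { organizationId });
  return denied ?? { status: 200, id: organizationId };
}
```

Two design points worth noting when adopting a guard like this: the owner comparison is made against the field stored with the resource, never against anything the client sends, and by default a mismatch is reported with the same not-found code as a missing record so an attacker iterating IDs cannot learn which ones exist. A plugin that needs a distinct 403 for its own API contract can pass `forbiddenCode` and accept that trade-off deliberately.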
This structural fix marks a shift from fragmented, plugin-specific security logic to a centralized, reviewable standard. By providing these primitives, the library gives plugin authors a vetted default, so new endpoints no longer need to reinvent ownership and role checks and are far less likely to introduce new IDOR variants through inconsistent implementations. The change normalizes the security posture across critical management endpoints for SCIM and Stripe subscriptions, closing a door that has repeatedly led to advisories.