Summary
Two related OAuth changes shipped in edge-auth v0.7.25 that need documentation updates:
1. Better Auth 1.5.6 — GET shim behavior change (edge-auth)
Better Auth 1.5.6 changed GET /auth/sign-in/social (internal POST) to return a direct Response.redirect() (immutable headers) instead of 200 JSON { url, redirect: true }.
The edge-auth GET shim at app.ts:/auth/sign-in/:provider was updated (commit 278f7eb) to:
- Handle the 302 case by reconstructing a mutable new Response(null, { headers: new Headers(...) }) so Hono middleware can safely append security headers
- Copy all Set-Cookie headers via getSetCookie() (multi-value safe)
- Fall back to JSON { url } check for older Better Auth versions
Why it matters for docs: Any integration guide that describes the social sign-in response format or suggests consuming { url, redirect: true } is now incorrect. The redirect: true field is dropped in 1.5.6+.
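A sketch of the shim behavior described above, for the docs update. It is an added example, not the code from commit 278f7eb; the function names and the 502 fallback are assumptions, and it needs a runtime with Fetch API globals and Headers.getSetCookie() (Node 20+, Cloudflare Workers).

```javascript
// Added example: names are hypothetical, not edge-auth's own code.

// Build a redirect whose Headers object is mutable and carries every cookie.
function mutableRedirect(location, cookies, status = 302) {
  const headers = new Headers({ Location: location });
  // append() keeps each Set-Cookie as its own header line. Reading
  // get('set-cookie') instead would comma-join them, which breaks any
  // cookie that has an Expires date (the date itself contains a comma).
  for (const cookie of cookies) headers.append('Set-Cookie', cookie);
  return new Response(null, { status, headers });
}

// Normalise the internal sign-in response into a redirect that
// downstream middleware can still add security headers to.
async function shimSocialSignIn(upstream) {
  const cookies = upstream.headers.getSetCookie();
  const location = upstream.headers.get('Location');

  // Better Auth 1.5.6+: already a redirect, but with immutable headers.
  if (upstream.status >= 300 && upstream.status < 400 && location) {
    return mutableRedirect(location, cookies, upstream.status);
  }

  // Older Better Auth: 200 JSON body carrying { url }.
  if (upstream.ok) {
    const body = await upstream.json().catch(() => null);
    if (body && typeof body.url === 'string') {
      return mutableRedirect(body.url, cookies);
    }
  }

  // Assumption of this example: anything else is reported as a gateway error.
  return new Response(JSON.stringify({ error: 'unexpected_upstream_response' }), {
    status: 502,
    headers: new Headers({ 'Content-Type': 'application/json' }),
  });
}
```

Integrations should follow the Location header of the response and must not depend on the redirect: true field.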
2. img-forge MCP — OAuth 2.1/PKCE state_mismatch on reconnect
All error paths in handleSocialOAuthCallback (oauth.ts, commit 42c5a1b) now return RFC 6749-compliant error redirects (redirect_uri?error=access_denied&state=<original>) instead of falling through to / or a dead-end login page. This is required for MCP clients (Claude.ai) to recover gracefully on reconnect.
Also: handleAuthorize identity token expiry now redirects to redirect_uri?error=access_denied instead of returning 400.
Docs to update
References
- Wiki: edge-auth-social-oauth-login-flow (new, 2026-06-23)
- Wiki: img-forge-mcp-oauth-pkce (updated, 2026-06-23)
- edge-auth commit: 278f7eb
- img-forge commit: 42c5a1b