@better-auth/core 1.4.12 → 1.4.14

package/src/db/adapter/factory.ts

@@ -200,7 +200,7 @@ export const createAdapterFactory =
 				let value = data[field];
 				const fieldAttributes = fields[field];
 
-				let newFieldName: string =
+				const newFieldName: string =
 					newMappedKeys[field] || fields[field]!.fieldName || field;
 				if (
 					value === undefined &&
@@ -335,7 +335,7 @@ export const createAdapterFactory =
 							newValue = await field.transform.output(newValue);
 						}
 
-						let newFieldName: string = newMappedKeys[key] || key;
+						const newFieldName: string = newMappedKeys[key] || key;
 
 						if (originalKey === "id" || field.references?.field === "id") {
 							// Even if `useNumberId` is true, we must always return a string `id` output.
@@ -392,7 +392,7 @@ export const createAdapterFactory =
 			unsafe_model = getDefaultModelName(unsafe_model);
 			// for now we just transform the base model
 			// later we append the joined models to this object.
-			let transformedData: Record<string, any> = await transformSingleOutput(
+			const transformedData: Record<string, any> = await transformSingleOutput(
 				data,
 				unsafe_model,
 				select,
@@ -443,7 +443,7 @@ export const createAdapterFactory =
 					joinedData = [joinedData];
 				}
 
-				let transformed = [];
+				const transformed = [];
 
 				if (Array.isArray(joinedData)) {
 					for (const item of joinedData) {
@@ -822,7 +822,7 @@ export const createAdapterFactory =
 				forceAllowId?: boolean;
 			}): Promise<R> => {
 				transactionId++;
-				let thisTransactionId = transactionId;
+				const thisTransactionId = transactionId;
 				const model = getModelName(unsafeModel);
 				unsafeModel = getDefaultModelName(unsafeModel);
 				if (
@@ -903,7 +903,7 @@ export const createAdapterFactory =
 				update: Record<string, any>;
 			}): Promise<T | null> => {
 				transactionId++;
-				let thisTransactionId = transactionId;
+				const thisTransactionId = transactionId;
 				unsafeModel = getDefaultModelName(unsafeModel);
 				const model = getModelName(unsafeModel);
 				const where = transformWhereClause({
@@ -965,7 +965,7 @@ export const createAdapterFactory =
 				update: Record<string, any>;
 			}) => {
 				transactionId++;
-				let thisTransactionId = transactionId;
+				const thisTransactionId = transactionId;
 				const model = getModelName(unsafeModel);
 				const where = transformWhereClause({
 					model: unsafeModel,
@@ -1021,7 +1021,7 @@ export const createAdapterFactory =
 				join?: JoinOption;
 			}) => {
 				transactionId++;
-				let thisTransactionId = transactionId;
+				const thisTransactionId = transactionId;
 				const model = getModelName(unsafeModel);
 				const where = transformWhereClause({
 					model: unsafeModel,
@@ -1095,7 +1095,7 @@ export const createAdapterFactory =
 				join?: JoinOption;
 			}) => {
 				transactionId++;
-				let thisTransactionId = transactionId;
+				const thisTransactionId = transactionId;
 				const limit =
 					unsafeLimit ??
 					options.advanced?.database?.defaultFindManyLimit ??
@@ -1173,7 +1173,7 @@ export const createAdapterFactory =
 				where: Where[];
 			}) => {
 				transactionId++;
-				let thisTransactionId = transactionId;
+				const thisTransactionId = transactionId;
 				const model = getModelName(unsafeModel);
 				const where = transformWhereClause({
 					model: unsafeModel,
@@ -1206,7 +1206,7 @@ export const createAdapterFactory =
 				where: Where[];
 			}) => {
 				transactionId++;
-				let thisTransactionId = transactionId;
+				const thisTransactionId = transactionId;
 				const model = getModelName(unsafeModel);
 				const where = transformWhereClause({
 					model: unsafeModel,
@@ -1240,7 +1240,7 @@ export const createAdapterFactory =
 				where?: Where[];
 			}) => {
 				transactionId++;
-				let thisTransactionId = transactionId;
+				const thisTransactionId = transactionId;
 				const model = getModelName(unsafeModel);
 				const where = transformWhereClause({
 					model: unsafeModel,
@@ -1350,7 +1350,7 @@ export const createAdapterFactory =
 								}
 
 								//`${colors.fg.blue}|${colors.reset} `,
-								let log: any[] = logs
+								const log: any[] = logs
 									.reverse()
 									.map((log) => {
 										log.args[0] = `\n${log.args[0]}`;

package/src/db/adapter/get-default-model-name.ts

@@ -23,7 +23,7 @@ export const initGetDefaultModelName = ({
 		// It's possible this `model` could had applied `usePlural`.
 		// Thus we'll try the search but without the trailing `s`.
 		if (usePlural && model.charAt(model.length - 1) === "s") {
-			let pluralessModel = model.slice(0, -1);
+			const pluralessModel = model.slice(0, -1);
 			let m = schema[pluralessModel] ? pluralessModel : undefined;
 			if (!m) {
 				m = Object.entries(schema).find(

package/src/db/adapter/get-id-field.ts

@@ -36,7 +36,7 @@ export const initGetIdField = ({
 			options.advanced?.database?.generateId === "serial";
 		const useUUIDs = options.advanced?.database?.generateId === "uuid";
 
-		let shouldGenerateId: boolean = (() => {
+		const shouldGenerateId: boolean = (() => {
 			if (disableIdGeneration) {
 				return false;
 			} else if (useNumberId && !forceAllowId) {
@@ -58,7 +58,7 @@ export const initGetIdField = ({
 				? {
 						defaultValue() {
 							if (disableIdGeneration) return undefined;
-							let generateId = options.advanced?.database?.generateId;
+							const generateId = options.advanced?.database?.generateId;
 							if (generateId === false || useNumberId) return undefined;
 							if (typeof generateId === "function") {
 								return generateId({

package/src/db/get-tables.ts

@@ -183,21 +183,25 @@ export const getAuthTables = (
 				accessToken: {
 					type: "string",
 					required: false,
+					returned: false,
 					fieldName: options.account?.fields?.accessToken || "accessToken",
 				},
 				refreshToken: {
 					type: "string",
 					required: false,
+					returned: false,
 					fieldName: options.account?.fields?.refreshToken || "refreshToken",
 				},
 				idToken: {
 					type: "string",
 					required: false,
+					returned: false,
 					fieldName: options.account?.fields?.idToken || "idToken",
 				},
 				accessTokenExpiresAt: {
 					type: "date",
 					required: false,
+					returned: false,
 					fieldName:
 						options.account?.fields?.accessTokenExpiresAt ||
 						"accessTokenExpiresAt",
@@ -205,6 +209,7 @@ export const getAuthTables = (
 				refreshTokenExpiresAt: {
 					type: "date",
 					required: false,
+					returned: false,
 					fieldName:
 						options.account?.fields?.refreshTokenExpiresAt ||
 						"refreshTokenExpiresAt",
@@ -217,6 +222,7 @@ export const getAuthTables = (
 				password: {
 					type: "string",
 					required: false,
+					returned: false,
 					fieldName: options.account?.fields?.password || "password",
 				},
 				createdAt: {

package/src/error/index.ts

@@ -1,9 +1,8 @@
 export class BetterAuthError extends Error {
-	constructor(message: string, cause?: string | undefined) {
-		super(message);
+	constructor(message: string, options?: { cause?: unknown | undefined }) {
+		super(message, options);
 		this.name = "BetterAuthError";
 		this.message = message;
-		this.cause = cause;
 		this.stack = "";
 	}
 }

package/src/social-providers/figma.ts

@@ -34,7 +34,7 @@ export const figma = (options: FigmaOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Figma");
 			}
 
-			const _scopes = options.disableDefaultScope ? [] : ["file_read"];
+			const _scopes = options.disableDefaultScope ? [] : ["current_user:read"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
 
@@ -56,7 +56,8 @@ export const figma = (options: FigmaOptions) => {
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://www.figma.com/api/oauth/token",
+				tokenEndpoint: "https://api.figma.com/v1/oauth/token",
+				authentication: "basic",
 			});
 		},
 		refreshAccessToken: options.refreshAccessToken
@@ -69,7 +70,8 @@ export const figma = (options: FigmaOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://www.figma.com/api/oauth/token",
+						tokenEndpoint: "https://api.figma.com/v1/oauth/token",
+						authentication: "basic",
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/gitlab.ts

@@ -65,7 +65,7 @@ const cleanDoubleSlashes = (input: string = "") => {
 };
 
 const issuerToEndpoints = (issuer?: string | undefined) => {
-	let baseUrl = issuer || "https://gitlab.com";
+	const baseUrl = issuer || "https://gitlab.com";
 	return {
 		authorizationEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/authorize`),
 		tokenEndpoint: cleanDoubleSlashes(`${baseUrl}/oauth/token`),

package/src/types/context.ts

@@ -11,7 +11,7 @@ import type {
 import type { DBAdapter, Where } from "../db/adapter";
 import type { createLogger } from "../env";
 import type { OAuthProvider } from "../oauth2";
-import type { BetterAuthCookies } from "./cookie";
+import type { BetterAuthCookie, BetterAuthCookies } from "./cookie";
 import type {
 	BetterAuthOptions,
 	BetterAuthRateLimitOptions,
@@ -150,10 +150,7 @@ export interface InternalAdapter<
 type CreateCookieGetterFn = (
 	cookieName: string,
 	overrideAttributes?: Partial<CookieOptions> | undefined,
-) => {
-	name: string;
-	attributes: CookieOptions;
-};
+) => BetterAuthCookie;
 
 type CheckPasswordFn<Options extends BetterAuthOptions = BetterAuthOptions> = (
 	userId: string,
@@ -166,139 +163,148 @@ export type PluginContext = {
 	) => Plugin | null;
 };
 
+export type InfoContext = {
+	appName: string;
+	baseURL: string;
+	version: string;
+};
+
 export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
-	PluginContext & {
-		options: Options;
-		appName: string;
-		baseURL: string;
-		trustedOrigins: string[];
-		/**
-		 * Verifies whether url is a trusted origin according to the "trustedOrigins" configuration
-		 * @param url The url to verify against the "trustedOrigins" configuration
-		 * @param settings Specify supported pattern matching settings
-		 * @returns {boolean} true if the URL matches the origin pattern, false otherwise.
-		 */
-		isTrustedOrigin: (
-			url: string,
-			settings?: { allowRelativePaths: boolean },
-		) => boolean;
-		oauthConfig: {
+	PluginContext &
+		InfoContext & {
+			options: Options;
+			trustedOrigins: string[];
 			/**
-			 * This is dangerous and should only be used in dev or staging environments.
+			 * Verifies whether url is a trusted origin according to the "trustedOrigins" configuration
+			 * @param url The url to verify against the "trustedOrigins" configuration
+			 * @param settings Specify supported pattern matching settings
+			 * @returns {boolean} true if the URL matches the origin pattern, false otherwise.
 			 */
-			skipStateCookieCheck?: boolean | undefined;
+			isTrustedOrigin: (
+				url: string,
+				settings?: { allowRelativePaths: boolean },
+			) => boolean;
+			oauthConfig: {
+				/**
+				 * This is dangerous and should only be used in dev or staging environments.
+				 */
+				skipStateCookieCheck?: boolean | undefined;
+				/**
+				 * Strategy for storing OAuth state
+				 *
+				 * - "cookie": Store state in an encrypted cookie (stateless)
+				 * - "database": Store state in the database
+				 *
+				 * @default "cookie"
+				 */
+				storeStateStrategy: "database" | "cookie";
+			};
 			/**
-			 * Strategy for storing OAuth state
-			 *
-			 * - "cookie": Store state in an encrypted cookie (stateless)
-			 * - "database": Store state in the database
-			 *
-			 * @default "cookie"
+			 * New session that will be set after the request
+			 * meaning: there is a `set-cookie` header that will set
+			 * the session cookie. This is the fetched session. And it's set
+			 * by `setNewSession` method.
 			 */
-			storeStateStrategy: "database" | "cookie";
-		};
-		/**
-		 * New session that will be set after the request
-		 * meaning: there is a `set-cookie` header that will set
-		 * the session cookie. This is the fetched session. And it's set
-		 * by `setNewSession` method.
-		 */
-		newSession: {
-			session: Session & Record<string, any>;
-			user: User & Record<string, any>;
-		} | null;
-		session: {
-			session: Session & Record<string, any>;
-			user: User & Record<string, any>;
-		} | null;
-		setNewSession: (
+			newSession: {
+				session: Session & Record<string, any>;
+				user: User & Record<string, any>;
+			} | null;
 			session: {
 				session: Session & Record<string, any>;
 				user: User & Record<string, any>;
-			} | null,
-		) => void;
-		socialProviders: OAuthProvider[];
-		authCookies: BetterAuthCookies;
-		logger: ReturnType<typeof createLogger>;
-		rateLimit: {
-			enabled: boolean;
-			window: number;
-			max: number;
-			storage: "memory" | "database" | "secondary-storage";
-		} & BetterAuthRateLimitOptions;
-		adapter: DBAdapter<Options>;
-		internalAdapter: InternalAdapter<Options>;
-		createAuthCookie: CreateCookieGetterFn;
-		secret: string;
-		sessionConfig: {
-			updateAge: number;
-			expiresIn: number;
-			freshAge: number;
-			cookieRefreshCache:
-				| false
-				| {
-						enabled: true;
-						updateAge: number;
-				  };
-		};
-		generateId: (options: {
-			model: ModelNames;
-			size?: number | undefined;
-		}) => string | false;
-		secondaryStorage: SecondaryStorage | undefined;
-		password: {
-			hash: (password: string) => Promise<string>;
-			verify: (data: { password: string; hash: string }) => Promise<boolean>;
-			config: {
-				minPasswordLength: number;
-				maxPasswordLength: number;
+			} | null;
+			setNewSession: (
+				session: {
+					session: Session & Record<string, any>;
+					user: User & Record<string, any>;
+				} | null,
+			) => void;
+			socialProviders: OAuthProvider[];
+			authCookies: BetterAuthCookies;
+			logger: ReturnType<typeof createLogger>;
+			rateLimit: {
+				enabled: boolean;
+				window: number;
+				max: number;
+				storage: "memory" | "database" | "secondary-storage";
+			} & Omit<
+				BetterAuthRateLimitOptions,
+				"enabled" | "window" | "max" | "storage"
+			>;
+			adapter: DBAdapter<Options>;
+			internalAdapter: InternalAdapter<Options>;
+			createAuthCookie: CreateCookieGetterFn;
+			secret: string;
+			sessionConfig: {
+				updateAge: number;
+				expiresIn: number;
+				freshAge: number;
+				cookieRefreshCache:
+					| false
+					| {
+							enabled: true;
+							updateAge: number;
+					  };
 			};
-			checkPassword: CheckPasswordFn<Options>;
+			generateId: (options: {
+				model: ModelNames;
+				size?: number | undefined;
+			}) => string | false;
+			secondaryStorage: SecondaryStorage | undefined;
+			password: {
+				hash: (password: string) => Promise<string>;
+				verify: (data: { password: string; hash: string }) => Promise<boolean>;
+				config: {
+					minPasswordLength: number;
+					maxPasswordLength: number;
+				};
+				checkPassword: CheckPasswordFn<Options>;
+			};
+			tables: BetterAuthDBSchema;
+			runMigrations: () => Promise<void>;
+			publishTelemetry: (event: {
+				type: string;
+				anonymousId?: string | undefined;
+				payload: Record<string, any>;
+			}) => Promise<void>;
+			/**
+			 * Skip origin check for requests.
+			 *
+			 * - `true`: Skip for ALL requests (DANGEROUS - disables CSRF protection)
+			 * - `string[]`: Skip only for specific paths (e.g., SAML callbacks)
+			 * - `false`: Enable origin check (default)
+			 *
+			 * Paths support prefix matching (e.g., "/sso/saml2/callback" matches
+			 * "/sso/saml2/callback/provider-name").
+			 *
+			 * @default false (true in test environments)
+			 */
+			skipOriginCheck: boolean | string[];
+			/**
+			 * This skips the CSRF check for all requests.
+			 *
+			 * This is inferred from the `options.advanced?.
+			 * disableCSRFCheck` option.
+			 *
+			 * @default false
+			 */
+			skipCSRFCheck: boolean;
+			/**
+			 * Background task handler for deferred operations.
+			 *
+			 * This is inferred from the `options.advanced?.backgroundTasks?.handler` option.
+			 * Defaults to a no-op that just runs the promise.
+			 */
+			runInBackground: (promise: Promise<void>) => void;
+			/**
+			 * Runs a task in the background if `runInBackground` is configured,
+			 * otherwise awaits the task directly.
+			 *
+			 * This is useful for operations like sending emails where we want
+			 * to avoid blocking the response when possible (for timing attack
+			 * mitigation), but still ensure the operation completes.
+			 */
+			runInBackgroundOrAwait: (
+				promise: Promise<unknown> | Promise<void> | void | unknown,
+			) => Promise<unknown>;
 		};
-		tables: BetterAuthDBSchema;
-		runMigrations: () => Promise<void>;
-		publishTelemetry: (event: {
-			type: string;
-			anonymousId?: string | undefined;
-			payload: Record<string, any>;
-		}) => Promise<void>;
-		/**
-		 * This skips the origin check for all requests.
-		 *
-		 * set to true by default for `test` environments and `false`
-		 * for other environments.
-		 *
-		 * It's inferred from the `options.advanced?.disableCSRFCheck`
-		 * option or `options.advanced?.disableOriginCheck` option.
-		 *
-		 * @default false
-		 */
-		skipOriginCheck: boolean;
-		/**
-		 * This skips the CSRF check for all requests.
-		 *
-		 * This is inferred from the `options.advanced?.
-		 * disableCSRFCheck` option.
-		 *
-		 * @default false
-		 */
-		skipCSRFCheck: boolean;
-		/**
-		 * Background task handler for deferred operations.
-		 *
-		 * This is inferred from the `options.advanced?.backgroundTasks?.handler` option.
-		 * Defaults to a no-op that just runs the promise.
-		 */
-		runInBackground: (promise: Promise<void>) => void;
-		/**
-		 * Runs a task in the background if `runInBackground` is configured,
-		 * otherwise awaits the task directly.
-		 *
-		 * This is useful for operations like sending emails where we want
-		 * to avoid blocking the response when possible (for timing attack
-		 * mitigation), but still ensure the operation completes.
-		 */
-		runInBackgroundOrAwait: (
-			promise: Promise<unknown> | Promise<void> | void | unknown,
-		) => Promise<unknown>;
-	};

package/src/types/cookie.ts

@@ -1,8 +1,10 @@
 import type { CookieOptions } from "better-call";
 
+export type BetterAuthCookie = { name: string; attributes: CookieOptions };
+
 export type BetterAuthCookies = {
-	sessionToken: { name: string; options: CookieOptions };
-	sessionData: { name: string; options: CookieOptions };
-	accountData: { name: string; options: CookieOptions };
-	dontRememberToken: { name: string; options: CookieOptions };
+	sessionToken: BetterAuthCookie;
+	sessionData: BetterAuthCookie;
+	accountData: BetterAuthCookie;
+	dontRememberToken: BetterAuthCookie;
 };

package/src/types/index.ts

@@ -2,10 +2,11 @@ export type { StandardSchemaV1 } from "@standard-schema/spec";
 export type {
 	AuthContext,
 	GenericEndpointContext,
+	InfoContext,
 	InternalAdapter,
 	PluginContext,
 } from "./context";
-export type { BetterAuthCookies } from "./cookie";
+export type { BetterAuthCookie, BetterAuthCookies } from "./cookie";
 export type * from "./helper";
 export type {
 	BetterAuthAdvancedOptions,

package/src/types/init-options.ts

@@ -311,6 +311,12 @@ export type BetterAuthAdvancedOptions = {
 	backgroundTasks?: {
 		handler: (promise: Promise<void>) => void;
 	};
+	/**
+	 * Skip trailing slash validation in route matching
+	 *
+	 * @default false
+	 */
+	skipTrailingSlashes?: boolean | undefined;
 };
 
 export type BetterAuthOptions = {

package/tsdown.config.ts

@@ -1,5 +1,10 @@
+import { readFile } from "node:fs/promises";
 import { defineConfig } from "tsdown";
 
+const packageJson = JSON.parse(
+	await readFile(new URL("./package.json", import.meta.url), "utf-8"),
+);
+
 export default defineConfig({
 	dts: { build: true, incremental: true },
 	format: ["esm"],
@@ -18,5 +23,9 @@ export default defineConfig({
 		"./src/error/index.ts",
 	],
 	external: ["@better-auth/core/async_hooks"],
+	env: {
+		BETTER_AUTH_VERSION: packageJson.version,
+	},
+	unbundle: true,
 	clean: true,
 });