@better-auth/core 1.4.17 → 1.4.18

package/src/db/get-tables.ts

@@ -32,16 +32,21 @@ export const getAuthTables = (
 			fields: {
 				key: {
 					type: "string",
+					unique: true,
+					required: true,
 					fieldName: options.rateLimit?.fields?.key || "key",
 				},
 				count: {
 					type: "number",
+					required: true,
 					fieldName: options.rateLimit?.fields?.count || "count",
 				},
 				lastRequest: {
 					type: "number",
 					bigint: true,
+					required: true,
 					fieldName: options.rateLimit?.fields?.lastRequest || "lastRequest",
+					defaultValue: () => Date.now(),
 				},
 			},
 		},

package/src/env/env-impl.ts

@@ -115,10 +115,10 @@ export const ENV = Object.freeze({
 	get PACKAGE_VERSION() {
 		return getEnvVar("PACKAGE_VERSION", "0.0.0");
 	},
-	get BETTER_AUTH_TELEMETRY_ENDPOINT() {
+	get BETTER_AUTH_TELEMETRY_ENDPOINT(): string | undefined {
 		return getEnvVar(
 			"BETTER_AUTH_TELEMETRY_ENDPOINT",
-			"https://telemetry.better-auth.com/v1/track",
+			import.meta.env.BETTER_AUTH_TELEMETRY_ENDPOINT,
 		);
 	},
 });

package/src/env/logger.ts

@@ -94,7 +94,7 @@ export type InternalLogger = {
 
 export const createLogger = (options?: Logger | undefined): InternalLogger => {
 	const enabled = options?.disabled !== true;
-	const logLevel = options?.level ?? "error";
+	const logLevel = options?.level ?? "warn";
 
 	const isDisableColorsSpecified = options?.disableColors !== undefined;
 	const colorsEnabled = isDisableColorsSpecified

package/src/oauth2/oauth-provider.ts

@@ -42,7 +42,7 @@ export interface OAuthProvider<
 		redirectURI: string;
 		codeVerifier?: string | undefined;
 		deviceId?: string | undefined;
-	}) => Promise<OAuth2Tokens>;
+	}) => Promise<OAuth2Tokens | null>;
 	getUserInfo: (
 		token: OAuth2Tokens & {
 			/**

package/src/social-providers/apple.ts

@@ -160,9 +160,18 @@ export const apple = (options: AppleOptions) => {
 			if (!profile) {
 				return null;
 			}
-			const name = token.user
-				? `${token.user.name?.firstName} ${token.user.name?.lastName}`
-				: profile.name || profile.email;
+
+			// TODO: " " masking will be removed when the name field is made optional
+			let name: string;
+			if (token.user?.name) {
+				const firstName = token.user.name.firstName || "";
+				const lastName = token.user.name.lastName || "";
+				const fullName = `${firstName} ${lastName}`.trim();
+				name = fullName || " ";
+			} else {
+				name = profile.name || " ";
+			}
+
 			const emailVerified =
 				typeof profile.email_verified === "boolean"
 					? profile.email_verified

package/src/social-providers/facebook.ts

@@ -49,7 +49,7 @@ export const facebook = (options: FacebookOptions) => {
 			return await createAuthorizationURL({
 				id: "facebook",
 				options,
-				authorizationEndpoint: "https://www.facebook.com/v21.0/dialog/oauth",
+				authorizationEndpoint: "https://www.facebook.com/v24.0/dialog/oauth",
 				scopes: _scopes,
 				state,
 				redirectURI,
@@ -66,7 +66,7 @@ export const facebook = (options: FacebookOptions) => {
 				code,
 				redirectURI,
 				options,
-				tokenEndpoint: "https://graph.facebook.com/oauth/access_token",
+				tokenEndpoint: "https://graph.facebook.com/v24.0/oauth/access_token",
 			});
 		},
 		async verifyIdToken(token, nonce) {
@@ -121,7 +121,7 @@ export const facebook = (options: FacebookOptions) => {
 							clientSecret: options.clientSecret,
 						},
 						tokenEndpoint:
-							"https://graph.facebook.com/v18.0/oauth/access_token",
+							"https://graph.facebook.com/v24.0/oauth/access_token",
 					});
 				},
 		async getUserInfo(token) {

package/src/social-providers/github.ts

@@ -1,10 +1,12 @@
 import { betterFetch } from "@better-fetch/fetch";
+import { logger } from "../env";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getOAuth2Tokens,
 	refreshAccessToken,
-	validateAuthorizationCode,
 } from "../oauth2";
+import { createAuthorizationCodeRequest } from "../oauth2/validate-authorization-code";
 
 export interface GithubProfile {
 	login: string;
@@ -86,13 +88,33 @@ export const github = (options: GithubOptions) => {
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
-			return validateAuthorizationCode({
+			const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
 				code,
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint,
 			});
+
+			const { data, error } = await betterFetch<
+				| { access_token: string; token_type: string; scope: string }
+				| { error: string; error_description?: string; error_uri?: string }
+			>(tokenEndpoint, {
+				method: "POST",
+				body: body,
+				headers: requestHeaders,
+			});
+
+			if (error) {
+				logger.error("GitHub OAuth token exchange failed:", error);
+				return null;
+			}
+
+			if ("error" in data) {
+				logger.error("GitHub OAuth token exchange failed:", data);
+				return null;
+			}
+
+			return getOAuth2Tokens(data);
 		},
 		refreshAccessToken: options.refreshAccessToken
 			? options.refreshAccessToken

package/src/social-providers/google.ts

@@ -82,7 +82,7 @@ export const google = (options: GoogleOptions) => {
 			const url = await createAuthorizationURL({
 				id: "google",
 				options,
-				authorizationEndpoint: "https://accounts.google.com/o/oauth2/auth",
+				authorizationEndpoint: "https://accounts.google.com/o/oauth2/v2/auth",
 				scopes: _scopes,
 				state,
 				codeVerifier,
@@ -117,7 +117,7 @@ export const google = (options: GoogleOptions) => {
 							clientKey: options.clientKey,
 							clientSecret: options.clientSecret,
 						},
-						tokenEndpoint: "https://www.googleapis.com/oauth2/v4/token",
+						tokenEndpoint: "https://oauth2.googleapis.com/token",
 					});
 				},
 		async verifyIdToken(token, nonce) {

package/src/types/context.ts

@@ -12,6 +12,7 @@ import type { DBAdapter, Where } from "../db/adapter";
 import type { createLogger } from "../env";
 import type { OAuthProvider } from "../oauth2";
 import type { BetterAuthCookie, BetterAuthCookies } from "./cookie";
+import type { Awaitable } from "./helper";
 import type {
 	BetterAuthOptions,
 	BetterAuthRateLimitOptions,
@@ -177,6 +178,8 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 	PluginContext &
 		InfoContext & {
 			options: Options;
+			appName: string;
+			baseURL: string;
 			trustedOrigins: string[];
 			/**
 			 * Verifies whether url is a trusted origin according to the "trustedOrigins" configuration
@@ -299,7 +302,7 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 			 * This is inferred from the `options.advanced?.backgroundTasks?.handler` option.
 			 * Defaults to a no-op that just runs the promise.
 			 */
-			runInBackground: (promise: Promise<void>) => void;
+			runInBackground: (promise: Promise<unknown>) => void;
 			/**
 			 * Runs a task in the background if `runInBackground` is configured,
 			 * otherwise awaits the task directly.
@@ -309,6 +312,6 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 			 * mitigation), but still ensure the operation completes.
 			 */
 			runInBackgroundOrAwait: (
-				promise: Promise<unknown> | Promise<void> | void | unknown,
-			) => Promise<unknown>;
+				promise: Promise<unknown> | void,
+			) => Awaitable<unknown>;
 		};

package/src/types/index.ts

@@ -6,12 +6,17 @@ export type {
 	InternalAdapter,
 	PluginContext,
 } from "./context";
-export type { BetterAuthCookie, BetterAuthCookies } from "./cookie";
+export type {
+	BetterAuthCookie,
+	BetterAuthCookies,
+} from "./cookie";
 export type * from "./helper";
 export type {
 	BetterAuthAdvancedOptions,
 	BetterAuthOptions,
 	BetterAuthRateLimitOptions,
+	BetterAuthRateLimitRule,
+	BetterAuthRateLimitStorage,
 	GenerateIdFn,
 } from "./init-options";
 export type { BetterAuthPlugin, HookEndpointContext } from "./plugin";

package/src/types/init-options.ts

@@ -37,25 +37,37 @@ export type GenerateIdFn = (options: {
 	size?: number | undefined;
 }) => string | false;
 
-export type BetterAuthRateLimitOptions = {
-	/**
-	 * By default, rate limiting is only
-	 * enabled on production.
-	 */
-	enabled?: boolean | undefined;
+export interface BetterAuthRateLimitStorage {
+	get: (key: string) => Promise<RateLimit | null | undefined>;
+	set: (
+		key: string,
+		value: RateLimit,
+		update?: boolean | undefined,
+	) => Promise<void>;
+}
+
+export type BetterAuthRateLimitRule = {
 	/**
 	 * Default window to use for rate limiting. The value
 	 * should be in seconds.
 	 *
 	 * @default 10 seconds
 	 */
-	window?: number | undefined;
+	window: number;
 	/**
 	 * The default maximum number of requests allowed within the window.
 	 *
 	 * @default 100 requests
 	 */
-	max?: number | undefined;
+	max: number;
+};
+
+export type BetterAuthRateLimitOptions = Optional<BetterAuthRateLimitRule> & {
+	/**
+	 * By default, rate limiting is only
+	 * enabled on production.
+	 */
+	enabled?: boolean | undefined;
 	/**
 	 * Custom rate limit rules to apply to
 	 * specific paths.
@@ -63,27 +75,12 @@ export type BetterAuthRateLimitOptions = {
 	customRules?:
 		| {
 				[key: string]:
-					| {
-							/**
-							 * The window to use for the custom rule.
-							 */
-							window: number;
-							/**
-							 * The maximum number of requests allowed within the window.
-							 */
-							max: number;
-					  }
+					| BetterAuthRateLimitRule
 					| false
-					| ((request: Request) =>
-							| { window: number; max: number }
-							| false
-							| Promise<
-									| {
-											window: number;
-											max: number;
-									  }
-									| false
-							  >);
+					| ((
+							request: Request,
+							currentRule: BetterAuthRateLimitRule,
+					  ) => Awaitable<false | BetterAuthRateLimitRule>);
 		  }
 		| undefined;
 	/**
@@ -113,10 +110,7 @@ export type BetterAuthRateLimitOptions = {
 	 * NOTE: If custom storage is used storage
 	 * is ignored
 	 */
-	customStorage?: {
-		get: (key: string) => Promise<RateLimit | undefined>;
-		set: (key: string, value: RateLimit) => Promise<void>;
-	};
+	customStorage?: BetterAuthRateLimitStorage;
 };
 
 export type BetterAuthAdvancedOptions = {
@@ -328,7 +322,7 @@ export type BetterAuthAdvancedOptions = {
 	 * }
 	 */
 	backgroundTasks?: {
-		handler: (promise: Promise<void>) => void;
+		handler: (promise: Promise<unknown>) => void;
 	};
 	/**
 	 * Skip trailing slash validation in route matching
@@ -491,10 +485,13 @@ export type BetterAuthOptions = {
 					request?: Request,
 				) => Promise<void>;
 				/**
-				 * Send a verification email automatically
-				 * after sign up
+				 * Send a verification email automatically after sign up.
 				 *
-				 * @default false
+				 * - `true`: Always send verification email on sign up
+				 * - `false`: Never send verification email on sign up
+				 * - `undefined`: Follows `requireEmailVerification` behavior
+				 *
+				 * @default undefined
 				 */
 				sendOnSignUp?: boolean;
 				/**
@@ -947,6 +944,17 @@ export type BetterAuthOptions = {
 					 * @default true
 					 */
 					enabled?: boolean;
+					/**
+					 * Disable implicit account linking on sign-in.
+					 *
+					 * When enabled, accounts will not be automatically linked
+					 * during OAuth sign-in, even if the email is verified or
+					 * the provider is trusted. Users must explicitly link
+					 * accounts using `linkSocial()` while authenticated.
+					 *
+					 * @default false
+					 */
+					disableImplicitLinking?: boolean;
 					/**
 					 * List of trusted providers
 					 */

package/src/utils/db.ts

@@ -0,0 +1,20 @@
+import type { DBFieldAttribute } from "../db";
+
+/**
+ * Filters output data by removing fields with the `returned: false` attribute.
+ * This ensures sensitive fields are not exposed in API responses.
+ */
+export function filterOutputFields<T extends Record<string, unknown> | null>(
+	data: T,
+	additionalFields: Record<string, DBFieldAttribute> | undefined,
+): T {
+	if (!data || !additionalFields) {
+		return data;
+	}
+	const returnFiltered = Object.entries(additionalFields)
+		.filter(([, { returned }]) => returned === false)
+		.map(([key]) => key);
+	return Object.entries(structuredClone(data))
+		.filter(([key]) => !returnFiltered.includes(key))
+		.reduce((acc, [key, value]) => ({ ...acc, [key]: value }), {} as T);
+}

package/src/utils/index.ts

@@ -1,3 +1,4 @@
+export { filterOutputFields } from "./db";
 export { deprecate } from "./deprecate";
 export { defineErrorCodes } from "./error-codes";
 export { generateId } from "./id";

package/tsdown.config.ts

@@ -25,7 +25,10 @@ export default defineConfig({
 	external: ["@better-auth/core/async_hooks"],
 	env: {
 		BETTER_AUTH_VERSION: packageJson.version,
+		BETTER_AUTH_TELEMETRY_ENDPOINT:
+			process.env.BETTER_AUTH_TELEMETRY_ENDPOINT ?? "",
 	},
+	sourcemap: true,
 	unbundle: true,
 	clean: true,
 });