@better-auth/core 1.4.8-beta.6 → 1.4.8

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/core@1.4.8-beta.6 build /home/runner/work/better-auth/better-auth/packages/core
+> @better-auth/core@1.4.8 build /home/runner/work/better-auth/better-auth/packages/core
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,19 +7,19 @@
 ℹ entry: src/index.ts, src/db/index.ts, src/db/adapter/index.ts, src/async_hooks/index.ts, src/async_hooks/pure.index.ts, src/context/index.ts, src/env/index.ts, src/oauth2/index.ts, src/api/index.ts, src/social-providers/index.ts, src/utils/index.ts, src/error/index.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/social-providers/index.mjs     80.60 kB │ gzip: 10.30 kB
-ℹ dist/db/adapter/index.mjs           38.13 kB │ gzip:  7.79 kB
+ℹ dist/social-providers/index.mjs     80.96 kB │ gzip: 10.43 kB
+ℹ dist/db/adapter/index.mjs           38.55 kB │ gzip:  7.86 kB
 ℹ dist/db/index.mjs                    1.66 kB │ gzip:  0.54 kB
 ℹ dist/api/index.mjs                   1.23 kB │ gzip:  0.48 kB
 ℹ dist/async_hooks/index.mjs           1.03 kB │ gzip:  0.54 kB
 ℹ dist/async_hooks/pure.index.mjs      0.99 kB │ gzip:  0.49 kB
+ℹ dist/oauth2/index.mjs                0.75 kB │ gzip:  0.28 kB
 ℹ dist/context/index.mjs               0.70 kB │ gzip:  0.24 kB
-ℹ dist/oauth2/index.mjs                0.61 kB │ gzip:  0.24 kB
 ℹ dist/env/index.mjs                   0.44 kB │ gzip:  0.25 kB
 ℹ dist/utils/index.mjs                 0.24 kB │ gzip:  0.17 kB
 ℹ dist/error/index.mjs                 0.19 kB │ gzip:  0.14 kB
 ℹ dist/index.mjs                       0.01 kB │ gzip:  0.03 kB
-ℹ dist/oauth2-D2y9ALiO.mjs             9.19 kB │ gzip:  2.13 kB
+ℹ dist/oauth2-BjWM15hm.mjs            12.82 kB │ gzip:  3.16 kB
 ℹ dist/env-DbssmzoK.mjs                7.67 kB │ gzip:  2.54 kB
 ℹ dist/get-tables-CMc_Emww.mjs         6.76 kB │ gzip:  1.30 kB
 ℹ dist/context-DblZrIwO.mjs            3.89 kB │ gzip:  1.00 kB
@@ -30,14 +30,14 @@
 ℹ dist/error/index.d.mts               1.84 kB │ gzip:  0.72 kB
 ℹ dist/db/adapter/index.d.mts          1.34 kB │ gzip:  0.43 kB
 ℹ dist/utils/index.d.mts               1.19 kB │ gzip:  0.55 kB
-ℹ dist/index.d.mts                     0.92 kB │ gzip:  0.35 kB
+ℹ dist/index.d.mts                     0.92 kB │ gzip:  0.36 kB
+ℹ dist/oauth2/index.d.mts              0.88 kB │ gzip:  0.32 kB
 ℹ dist/db/index.d.mts                  0.81 kB │ gzip:  0.34 kB
-ℹ dist/oauth2/index.d.mts              0.76 kB │ gzip:  0.28 kB
 ℹ dist/env/index.d.mts                 0.59 kB │ gzip:  0.30 kB
 ℹ dist/api/index.d.mts                 0.26 kB │ gzip:  0.14 kB
 ℹ dist/async_hooks/index.d.mts         0.24 kB │ gzip:  0.16 kB
 ℹ dist/async_hooks/pure.index.d.mts    0.22 kB │ gzip:  0.16 kB
-ℹ dist/index-D0VJf1xh.d.mts          219.53 kB │ gzip: 34.87 kB
+ℹ dist/index-CBdZH5fV.d.mts          221.21 kB │ gzip: 35.26 kB
 ℹ dist/index-BRBu0-5h.d.mts            3.31 kB │ gzip:  1.11 kB
-ℹ 32 files, total: 394.13 kB
-✔ Build complete in 4813ms
+ℹ 32 files, total: 400.50 kB
+✔ Build complete in 4838ms

package/dist/api/index.d.mts

@@ -1,2 +1,2 @@
-import { a as optionsMiddleware, i as createAuthMiddleware, n as AuthMiddleware, r as createAuthEndpoint, t as AuthEndpoint } from "../index-D0VJf1xh.mjs";
+import { a as optionsMiddleware, i as createAuthMiddleware, n as AuthMiddleware, r as createAuthEndpoint, t as AuthEndpoint } from "../index-CBdZH5fV.mjs";
 export { AuthEndpoint, AuthMiddleware, createAuthEndpoint, createAuthMiddleware, optionsMiddleware };

package/dist/context/index.d.mts

@@ -1,4 +1,4 @@
-import { Kn as DBAdapter, Zn as DBTransactionAdapter, f as AuthContext } from "../index-D0VJf1xh.mjs";
+import { Yn as DBAdapter, er as DBTransactionAdapter, f as AuthContext } from "../index-CBdZH5fV.mjs";
 import { AsyncLocalStorage } from "@better-auth/core/async_hooks";
 import { EndpointContext, InputContext } from "better-call";
 

package/dist/db/adapter/index.d.mts

@@ -1,2 +1,2 @@
-import { $n as JoinOption, Cr as initGetDefaultFieldName, Gn as CustomAdapter, Jn as DBAdapterFactoryConfig, Kn as DBAdapter, Qn as JoinConfig, Sr as initGetDefaultModelName, Wn as CleanedWhere, Xn as DBAdapterSchemaCreation, Yn as DBAdapterInstance, Zn as DBTransactionAdapter, ar as createAdapterFactory, br as initGetFieldName, cr as AdapterFactoryCustomizeAdapterCreator, dr as CreateAdapterOptions, er as Where, fr as CreateCustomAdapter, ir as createAdapter, lr as AdapterFactoryOptions, nr as withApplyDefault, or as AdapterConfig, qn as DBAdapterDebugLogOption, rr as AdapterFactory, sr as AdapterFactoryConfig, tr as deepmerge, ur as AdapterTestDebugLogs, vr as initGetModelName, xr as initGetFieldAttributes, yr as initGetIdField } from "../../index-D0VJf1xh.mjs";
+import { $n as DBAdapterSchemaCreation, Cr as initGetFieldName, Er as initGetDefaultFieldName, Jn as CustomAdapter, Qn as DBAdapterInstance, Sr as initGetIdField, Tr as initGetDefaultModelName, Xn as DBAdapterDebugLogOption, Yn as DBAdapter, Zn as DBAdapterFactoryConfig, ar as withApplyDefault, cr as createAdapterFactory, dr as AdapterFactoryCustomizeAdapterCreator, er as DBTransactionAdapter, fr as AdapterFactoryOptions, hr as CreateCustomAdapter, ir as deepmerge, lr as AdapterConfig, mr as CreateAdapterOptions, nr as JoinOption, or as AdapterFactory, pr as AdapterTestDebugLogs, qn as CleanedWhere, rr as Where, sr as createAdapter, tr as JoinConfig, ur as AdapterFactoryConfig, wr as initGetFieldAttributes, xr as initGetModelName } from "../../index-CBdZH5fV.mjs";
 export { AdapterConfig, AdapterFactory, AdapterFactoryConfig, AdapterFactoryCustomizeAdapterCreator, AdapterFactoryOptions, AdapterTestDebugLogs, CleanedWhere, CreateAdapterOptions, CreateCustomAdapter, CustomAdapter, DBAdapter, DBAdapterDebugLogOption, DBAdapterFactoryConfig, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, JoinConfig, JoinOption, Where, createAdapter, createAdapterFactory, deepmerge, initGetDefaultFieldName, initGetDefaultModelName, initGetFieldAttributes, initGetFieldName, initGetIdField, initGetModelName, withApplyDefault };

package/dist/db/adapter/index.mjs

@@ -443,7 +443,7 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 		}
 		return transformedData;
 	};
-	const transformWhereClause = ({ model, where }) => {
+	const transformWhereClause = ({ model, where, action }) => {
 		if (!where) return void 0;
 		const newMappedKeys = config.mapKeysTransformInput ?? {};
 		return where.map((w) => {
@@ -477,6 +477,15 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			} catch (error) {
 				throw new Error(`Failed to stringify JSON value for field ${fieldName}`, { cause: error });
 			}
+			if (config.customTransformInput) newValue = config.customTransformInput({
+				data: newValue,
+				fieldAttributes: fieldAttr,
+				field: fieldName,
+				model: getModelName(model),
+				schema,
+				options,
+				action
+			});
 			return {
 				operator,
 				connector,
@@ -566,7 +575,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 				value,
 				operator: "eq",
 				connector: "AND"
-			}]
+			}],
+			action: "findOne"
 		});
 		try {
 			if (joinConfig.relation === "one-to-one") result = await adapterInstance.findOne({
@@ -658,7 +668,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			const model = getModelName(unsafeModel);
 			const where = transformWhereClause({
 				model: unsafeModel,
-				where: unsafeWhere
+				where: unsafeWhere,
+				action: "update"
 			});
 			debugLog({ method: "update" }, `${formatTransactionId(thisTransactionId)} ${formatStep(1, 4)}`, `${formatMethod("update")} ${formatAction("Unsafe Input")}:`, {
 				model,
@@ -693,7 +704,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			const model = getModelName(unsafeModel);
 			const where = transformWhereClause({
 				model: unsafeModel,
-				where: unsafeWhere
+				where: unsafeWhere,
+				action: "updateMany"
 			});
 			unsafeModel = getDefaultModelName(unsafeModel);
 			debugLog({ method: "updateMany" }, `${formatTransactionId(thisTransactionId)} ${formatStep(1, 4)}`, `${formatMethod("updateMany")} ${formatAction("Unsafe Input")}:`, {
@@ -727,7 +739,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			const model = getModelName(unsafeModel);
 			const where = transformWhereClause({
 				model: unsafeModel,
-				where: unsafeWhere
+				where: unsafeWhere,
+				action: "findOne"
 			});
 			unsafeModel = getDefaultModelName(unsafeModel);
 			let join;
@@ -771,7 +784,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			const model = getModelName(unsafeModel);
 			const where = transformWhereClause({
 				model: unsafeModel,
-				where: unsafeWhere
+				where: unsafeWhere,
+				action: "findMany"
 			});
 			unsafeModel = getDefaultModelName(unsafeModel);
 			let join;
@@ -817,7 +831,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			const model = getModelName(unsafeModel);
 			const where = transformWhereClause({
 				model: unsafeModel,
-				where: unsafeWhere
+				where: unsafeWhere,
+				action: "delete"
 			});
 			unsafeModel = getDefaultModelName(unsafeModel);
 			debugLog({ method: "delete" }, `${formatTransactionId(thisTransactionId)} ${formatStep(1, 2)}`, `${formatMethod("delete")}:`, {
@@ -836,7 +851,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			const model = getModelName(unsafeModel);
 			const where = transformWhereClause({
 				model: unsafeModel,
-				where: unsafeWhere
+				where: unsafeWhere,
+				action: "deleteMany"
 			});
 			unsafeModel = getDefaultModelName(unsafeModel);
 			debugLog({ method: "deleteMany" }, `${formatTransactionId(thisTransactionId)} ${formatStep(1, 2)}`, `${formatMethod("deleteMany")} ${formatAction("DeleteMany")}:`, {
@@ -859,7 +875,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			const model = getModelName(unsafeModel);
 			const where = transformWhereClause({
 				model: unsafeModel,
-				where: unsafeWhere
+				where: unsafeWhere,
+				action: "count"
 			});
 			unsafeModel = getDefaultModelName(unsafeModel);
 			debugLog({ method: "count" }, `${formatTransactionId(thisTransactionId)} ${formatStep(1, 2)}`, `${formatMethod("count")}:`, {

package/dist/db/index.d.mts

@@ -1,2 +1,2 @@
-import { Ar as sessionSchema, Br as DBFieldAttributeConfig, Dr as userSchema, Er as User, Fr as BetterAuthPluginDBSchema, Hr as DBPrimitive, Ir as getAuthTables, Lr as BaseModelNames, Mr as rateLimitSchema, Nr as Account, Or as coreSchema, Pr as accountSchema, Rr as BetterAuthDBSchema, Tr as verificationSchema, Ur as ModelNames, Vr as DBFieldType, Wr as SecondaryStorage, jr as RateLimit, kr as Session, wr as Verification, zr as DBFieldAttribute } from "../index-D0VJf1xh.mjs";
+import { Ar as userSchema, Br as BaseModelNames, Dr as Verification, Fr as rateLimitSchema, Gr as DBPrimitive, Hr as DBFieldAttribute, Ir as Account, Kr as ModelNames, Lr as accountSchema, Mr as Session, Nr as sessionSchema, Or as verificationSchema, Pr as RateLimit, Rr as BetterAuthPluginDBSchema, Ur as DBFieldAttributeConfig, Vr as BetterAuthDBSchema, Wr as DBFieldType, jr as coreSchema, kr as User, qr as SecondaryStorage, zr as getAuthTables } from "../index-CBdZH5fV.mjs";
 export { Account, BaseModelNames, BetterAuthDBSchema, BetterAuthPluginDBSchema, DBFieldAttribute, DBFieldAttributeConfig, DBFieldType, DBPrimitive, ModelNames, RateLimit, SecondaryStorage, Session, User, Verification, accountSchema, coreSchema, getAuthTables, rateLimitSchema, sessionSchema, userSchema, verificationSchema };

package/dist/{index-D0VJf1xh.d.mts → index-CBdZH5fV.d.mts}

@@ -2,6 +2,7 @@ import { i as Logger, o as createLogger } from "./index-BRBu0-5h.mjs";
 import * as z from "zod";
 import { BetterFetch, BetterFetchOption, BetterFetchPlugin } from "@better-fetch/fetch";
 import * as jose0 from "jose";
+import { JSONWebKeySet, JWTPayload, JWTVerifyOptions } from "jose";
 import * as better_call0 from "better-call";
 import { CookieOptions, Endpoint, EndpointContext, EndpointOptions, InputContext, Middleware, StrictEndpoint } from "better-call";
 import { StandardSchemaV1, StandardSchemaV1 as StandardSchemaV1$1 } from "@standard-schema/spec";
@@ -451,10 +452,12 @@ type AdapterFactoryCustomizeAdapterCreator = (config: {
   transformOutput: (data: Record<string, unknown>, defaultModelName: string, select?: string[] | undefined, joinConfig?: JoinConfig | undefined) => Promise<Record<string, unknown>>;
   transformWhereClause: <W extends Where[] | undefined>({
     model,
-    where
+    where,
+    action
   }: {
     where: W;
     model: string;
+    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "count";
   }) => W extends undefined ? undefined : CleanedWhere$1[];
 }) => CustomAdapter$1;
 /**
@@ -700,7 +703,7 @@ interface DBAdapterFactoryConfig<Options extends BetterAuthOptions = BetterAuthO
     /**
      * The action which was called from the adapter.
      */
-    action: "create" | "update" | "findOne" | "findMany";
+    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "count";
     /**
      * The model name.
      */
@@ -1357,6 +1360,52 @@ declare function validateAuthorizationCode({
 }): Promise<OAuth2Tokens>;
 declare function validateToken(token: string, jwksEndpoint: string): Promise<jose0.JWTVerifyResult<jose0.JWTPayload>>;
 //#endregion
+//#region src/oauth2/verify.d.ts
+interface VerifyAccessTokenRemote {
+  /** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
+  introspectUrl: string;
+  /** Client Secret */
+  clientId: string;
+  /** Client Secret */
+  clientSecret: string;
+  /**
+   * Forces remote verification of a token.
+   * This ensures attached session (if applicable)
+   * is also still active.
+   */
+  force?: boolean;
+}
+/**
+ * Performs local verification of an access token for your APIs.
+ *
+ * Can also be configured for remote verification.
+ */
+declare function verifyJwsAccessToken(token: string, opts: {
+  /** Jwks url or promise of a Jwks */
+  jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+  /** Verify options */
+  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+}): Promise<JWTPayload>;
+declare function getJwks(token: string, opts: {
+  /** Jwks url or promise of a Jwks */
+  jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+}): Promise<JSONWebKeySet>;
+/**
+ * Performs local verification of an access token for your API.
+ *
+ * Can also be configured for remote verification.
+ */
+declare function verifyAccessToken(token: string, opts: {
+  /** Verify options */
+  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+  /** Scopes to additionally verify. Token must include all but not exact. */
+  scopes?: string[];
+  /** Required to verify access token locally */
+  jwksUrl?: string;
+  /** If provided, can verify a token remotely */
+  remoteVerify?: VerifyAccessTokenRemote;
+}): Promise<JWTPayload>;
+//#endregion
 //#region src/types/cookie.d.ts
 type BetterAuthCookies = {
   sessionToken: {
@@ -7139,16 +7188,8 @@ type BetterAuthOptions = {
   } | undefined;
   /**
    * List of trusted origins.
-   *
-   * @param request - The request object.
-   * It'll be undefined if no request was
-   * made. Like during a create context call
-   * or `auth.api` call.
-   *
-   * Trusted origins will be dynamically
-   * calculated based on the request.
    */
-  trustedOrigins?: (string[] | ((request?: Request | undefined) => Awaitable<string[]>)) | undefined;
+  trustedOrigins?: (string[] | ((request: Request) => Awaitable<string[]>)) | undefined;
   /**
    * Rate limiting configuration
    */
@@ -7771,4 +7812,4 @@ declare function createAuthEndpoint<Path extends string, Options extends Endpoin
 type AuthEndpoint<Path extends string, Opts extends EndpointOptions, R> = ReturnType<typeof createAuthEndpoint<Path, Opts, R>>;
 type AuthMiddleware = ReturnType<typeof createAuthMiddleware>;
 //#endregion
-export { AccountStatus as $, JoinOption as $n, GoogleProfile as $t, PolarOptions as A, createAuthorizationCodeRequest as An, sessionSchema as Ar, linear as At, LineIdTokenPayload as B, OAuth2Tokens as Bn, DBFieldAttributeConfig as Br, TwitchOptions as Bt, SocialProviderListEnum as C, atlassian as Cn, initGetDefaultFieldName as Cr, gitlab as Ct, VercelOptions as D, apple as Dn, userSchema as Dr, LinearOptions as Dt, socialProviders as E, AppleProfile as En, User as Er, linkedin as Et, PayPalTokenResponse as F, createRefreshAccessTokenRequest as Fn, BetterAuthPluginDBSchema as Fr, DropboxProfile as Ft, NaverProfile as G, CustomAdapter as Gn, spotify as Gt, LineUserInfo as H, OAuthProvider as Hn, DBPrimitive as Hr, twitch as Ht, paypal as I, refreshAccessToken as In, getAuthTables as Ir, dropbox as It, KakaoProfile as J, DBAdapterFactoryConfig as Jn, slack as Jt, naver as K, DBAdapter as Kn, SlackOptions as Kt, PaybinOptions as L, createAuthorizationURL as Ln, BaseModelNames as Lr, TwitterOption as Lt, polar as M, validateToken as Mn, rateLimitSchema as Mr, KickProfile as Mt, PayPalOptions as N, generateCodeChallenge as Nn, Account as Nr, kick as Nt, VercelProfile as O, getApplePublicKey as On, coreSchema as Or, LinearProfile as Ot, PayPalProfile as P, getOAuth2Tokens as Pn, accountSchema as Pr, DropboxOptions as Pt, notion as Q, JoinConfig as Qn, GoogleOptions as Qt, PaybinProfile as R, clientCredentialsToken as Rn, BetterAuthDBSchema as Rr, TwitterProfile as Rt, SocialProviderList as S, AtlassianProfile as Sn, initGetDefaultModelName as Sr, GitlabProfile as St, socialProviderList as T, AppleOptions as Tn, verificationSchema as Tr, LinkedInProfile as Tt, line as U, ProviderOptions as Un, ModelNames as Ur, SpotifyOptions as Ut, LineOptions as V, OAuth2UserInfo as Vn, DBFieldType as Vr, TwitchProfile as Vt, NaverOptions as W, CleanedWhere as Wn, SecondaryStorage as Wr, SpotifyProfile as Wt, NotionOptions as X, DBAdapterSchemaCreation as Xn, HuggingFaceProfile as Xt, kakao as Y, DBAdapterInstance as Yn, HuggingFaceOptions as Yt, NotionProfile as Z, DBTransactionAdapter as Zn, huggingface as Zt, BetterAuthRateLimitOptions as _, CognitoOptions as _n, Primitive as _r, reddit as _t, optionsMiddleware as a, GithubOptions as an, createAdapterFactory as ar, zoom as at, HookEndpointContext as b, getCognitoPublicKey as bn, initGetFieldName as br, tiktok as bt, BetterAuthClientPlugin as c, FigmaOptions as cn, AdapterFactoryCustomizeAdapterCreator as cr, vk as ct, ClientStore as d, FacebookOptions as dn, CreateAdapterOptions as dr, salesforce as dt, getGooglePublicKey as en, Where as er, LoginType as et, AuthContext as f, FacebookProfile as fn, CreateCustomAdapter as fr, RobloxOptions as ft, BetterAuthOptions as g, discord as gn, Prettify as gr, RedditProfile as gt, BetterAuthAdvancedOptions as h, DiscordProfile as hn, LiteralUnion as hr, RedditOptions as ht, createAuthMiddleware as i, microsoft as in, createAdapter as ir, ZoomProfile as it, PolarProfile as j, validateAuthorizationCode as jn, RateLimit as jr, KickOptions as jt, vercel as k, BetterAuthCookies as kn, Session as kr, LinearUser as kt, ClientAtomListener as l, FigmaProfile as ln, AdapterFactoryOptions as lr, SalesforceOptions as lt, InternalAdapter as m, DiscordOptions as mn, LiteralString as mr, roblox as mt, AuthMiddleware as n, MicrosoftEntraIDProfile as nn, withApplyDefault as nr, PronounOption as nt, StandardSchemaV1$1 as o, GithubProfile as on, AdapterConfig as or, VkOption as ot, GenericEndpointContext as p, facebook as pn, Awaitable as pr, RobloxProfile as pt, KakaoOptions as q, DBAdapterDebugLogOption as qn, SlackProfile as qt, createAuthEndpoint as r, MicrosoftOptions as rn, AdapterFactory as rr, ZoomOptions as rt, BetterAuthClientOptions as s, github as sn, AdapterFactoryConfig as sr, VkProfile as st, AuthEndpoint as t, google as tn, deepmerge as tr, PhoneNumber as tt, ClientFetchOption as u, figma as un, AdapterTestDebugLogs as ur, SalesforceProfile as ut, GenerateIdFn as v, CognitoProfile as vn, initGetModelName as vr, TiktokOptions as vt, SocialProviders as w, AppleNonConformUser as wn, Verification as wr, LinkedInOptions as wt, SocialProvider as x, AtlassianOptions as xn, initGetFieldAttributes as xr, GitlabOptions as xt, BetterAuthPlugin as y, cognito as yn, initGetIdField as yr, TiktokProfile as yt, paybin as z, createClientCredentialsTokenRequest as zn, DBFieldAttribute as zr, twitter as zt };
+export { AccountStatus as $, DBAdapterSchemaCreation as $n, GoogleProfile as $t, PolarOptions as A, getJwks as An, userSchema as Ar, linear as At, LineIdTokenPayload as B, createAuthorizationURL as Bn, BaseModelNames as Br, TwitchOptions as Bt, SocialProviderListEnum as C, atlassian as Cn, initGetFieldName as Cr, gitlab as Ct, VercelOptions as D, apple as Dn, Verification as Dr, LinearOptions as Dt, socialProviders as E, AppleProfile as En, initGetDefaultFieldName as Er, linkedin as Et, PayPalTokenResponse as F, validateToken as Fn, rateLimitSchema as Fr, DropboxProfile as Ft, NaverProfile as G, OAuthProvider as Gn, DBPrimitive as Gr, spotify as Gt, LineUserInfo as H, createClientCredentialsTokenRequest as Hn, DBFieldAttribute as Hr, twitch as Ht, paypal as I, generateCodeChallenge as In, Account as Ir, dropbox as It, KakaoProfile as J, CustomAdapter as Jn, slack as Jt, naver as K, ProviderOptions as Kn, ModelNames as Kr, SlackOptions as Kt, PaybinOptions as L, getOAuth2Tokens as Ln, accountSchema as Lr, TwitterOption as Lt, polar as M, verifyJwsAccessToken as Mn, Session as Mr, KickProfile as Mt, PayPalOptions as N, createAuthorizationCodeRequest as Nn, sessionSchema as Nr, kick as Nt, VercelProfile as O, getApplePublicKey as On, verificationSchema as Or, LinearProfile as Ot, PayPalProfile as P, validateAuthorizationCode as Pn, RateLimit as Pr, DropboxOptions as Pt, notion as Q, DBAdapterInstance as Qn, GoogleOptions as Qt, PaybinProfile as R, createRefreshAccessTokenRequest as Rn, BetterAuthPluginDBSchema as Rr, TwitterProfile as Rt, SocialProviderList as S, AtlassianProfile as Sn, initGetIdField as Sr, GitlabProfile as St, socialProviderList as T, AppleOptions as Tn, initGetDefaultModelName as Tr, LinkedInProfile as Tt, line as U, OAuth2Tokens as Un, DBFieldAttributeConfig as Ur, SpotifyOptions as Ut, LineOptions as V, clientCredentialsToken as Vn, BetterAuthDBSchema as Vr, TwitchProfile as Vt, NaverOptions as W, OAuth2UserInfo as Wn, DBFieldType as Wr, SpotifyProfile as Wt, NotionOptions as X, DBAdapterDebugLogOption as Xn, HuggingFaceProfile as Xt, kakao as Y, DBAdapter as Yn, HuggingFaceOptions as Yt, NotionProfile as Z, DBAdapterFactoryConfig as Zn, huggingface as Zt, BetterAuthRateLimitOptions as _, CognitoOptions as _n, LiteralString as _r, reddit as _t, optionsMiddleware as a, GithubOptions as an, withApplyDefault as ar, zoom as at, HookEndpointContext as b, getCognitoPublicKey as bn, Primitive as br, tiktok as bt, BetterAuthClientPlugin as c, FigmaOptions as cn, createAdapterFactory as cr, vk as ct, ClientStore as d, FacebookOptions as dn, AdapterFactoryCustomizeAdapterCreator as dr, salesforce as dt, getGooglePublicKey as en, DBTransactionAdapter as er, LoginType as et, AuthContext as f, FacebookProfile as fn, AdapterFactoryOptions as fr, RobloxOptions as ft, BetterAuthOptions as g, discord as gn, Awaitable as gr, RedditProfile as gt, BetterAuthAdvancedOptions as h, DiscordProfile as hn, CreateCustomAdapter as hr, RedditOptions as ht, createAuthMiddleware as i, microsoft as in, deepmerge as ir, ZoomProfile as it, PolarProfile as j, verifyAccessToken as jn, coreSchema as jr, KickOptions as jt, vercel as k, BetterAuthCookies as kn, User as kr, LinearUser as kt, ClientAtomListener as l, FigmaProfile as ln, AdapterConfig as lr, SalesforceOptions as lt, InternalAdapter as m, DiscordOptions as mn, CreateAdapterOptions as mr, roblox as mt, AuthMiddleware as n, MicrosoftEntraIDProfile as nn, JoinOption as nr, PronounOption as nt, StandardSchemaV1$1 as o, GithubProfile as on, AdapterFactory as or, VkOption as ot, GenericEndpointContext as p, facebook as pn, AdapterTestDebugLogs as pr, RobloxProfile as pt, KakaoOptions as q, CleanedWhere as qn, SecondaryStorage as qr, SlackProfile as qt, createAuthEndpoint as r, MicrosoftOptions as rn, Where as rr, ZoomOptions as rt, BetterAuthClientOptions as s, github as sn, createAdapter as sr, VkProfile as st, AuthEndpoint as t, google as tn, JoinConfig as tr, PhoneNumber as tt, ClientFetchOption as u, figma as un, AdapterFactoryConfig as ur, SalesforceProfile as ut, GenerateIdFn as v, CognitoProfile as vn, LiteralUnion as vr, TiktokOptions as vt, SocialProviders as w, AppleNonConformUser as wn, initGetFieldAttributes as wr, LinkedInOptions as wt, SocialProvider as x, AtlassianOptions as xn, initGetModelName as xr, GitlabOptions as xt, BetterAuthPlugin as y, cognito as yn, Prettify as yr, TiktokProfile as yt, paybin as z, refreshAccessToken as zn, getAuthTables as zr, twitter as zt };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { _ as BetterAuthRateLimitOptions, _r as Primitive, b as HookEndpointContext, c as BetterAuthClientPlugin, d as ClientStore, f as AuthContext, g as BetterAuthOptions, gr as Prettify, h as BetterAuthAdvancedOptions, hr as LiteralUnion, kn as BetterAuthCookies, l as ClientAtomListener, m as InternalAdapter, mr as LiteralString, o as StandardSchemaV1, p as GenericEndpointContext, pr as Awaitable, s as BetterAuthClientOptions, u as ClientFetchOption, v as GenerateIdFn, y as BetterAuthPlugin } from "./index-D0VJf1xh.mjs";
+import { _ as BetterAuthRateLimitOptions, _r as LiteralString, b as HookEndpointContext, br as Primitive, c as BetterAuthClientPlugin, d as ClientStore, f as AuthContext, g as BetterAuthOptions, gr as Awaitable, h as BetterAuthAdvancedOptions, kn as BetterAuthCookies, l as ClientAtomListener, m as InternalAdapter, o as StandardSchemaV1, p as GenericEndpointContext, s as BetterAuthClientOptions, u as ClientFetchOption, v as GenerateIdFn, vr as LiteralUnion, y as BetterAuthPlugin, yr as Prettify } from "./index-CBdZH5fV.mjs";
 export { AuthContext, Awaitable, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientFetchOption, ClientStore, GenerateIdFn, GenericEndpointContext, HookEndpointContext, InternalAdapter, LiteralString, LiteralUnion, Prettify, Primitive, StandardSchemaV1 };

package/dist/oauth2/index.d.mts

@@ -1,2 +1,2 @@
-import { An as createAuthorizationCodeRequest, Bn as OAuth2Tokens, Fn as createRefreshAccessTokenRequest, Hn as OAuthProvider, In as refreshAccessToken, Ln as createAuthorizationURL, Mn as validateToken, Nn as generateCodeChallenge, Pn as getOAuth2Tokens, Rn as clientCredentialsToken, Un as ProviderOptions, Vn as OAuth2UserInfo, jn as validateAuthorizationCode, zn as createClientCredentialsTokenRequest } from "../index-D0VJf1xh.mjs";
-export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken };
+import { An as getJwks, Bn as createAuthorizationURL, Fn as validateToken, Gn as OAuthProvider, Hn as createClientCredentialsTokenRequest, In as generateCodeChallenge, Kn as ProviderOptions, Ln as getOAuth2Tokens, Mn as verifyJwsAccessToken, Nn as createAuthorizationCodeRequest, Pn as validateAuthorizationCode, Rn as createRefreshAccessTokenRequest, Un as OAuth2Tokens, Vn as clientCredentialsToken, Wn as OAuth2UserInfo, jn as verifyAccessToken, zn as refreshAccessToken } from "../index-CBdZH5fV.mjs";
+export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/index.mjs

@@ -1,3 +1,4 @@
-import { a as refreshAccessToken, c as getOAuth2Tokens, i as createRefreshAccessTokenRequest, l as clientCredentialsToken, n as validateAuthorizationCode, o as createAuthorizationURL, r as validateToken, s as generateCodeChallenge, t as createAuthorizationCodeRequest, u as createClientCredentialsTokenRequest } from "../oauth2-D2y9ALiO.mjs";
+import "../env-DbssmzoK.mjs";
+import { a as validateAuthorizationCode, c as refreshAccessToken, d as getOAuth2Tokens, f as clientCredentialsToken, i as createAuthorizationCodeRequest, l as createAuthorizationURL, n as verifyAccessToken, o as validateToken, p as createClientCredentialsTokenRequest, r as verifyJwsAccessToken, s as createRefreshAccessTokenRequest, t as getJwks, u as generateCodeChallenge } from "../oauth2-BjWM15hm.mjs";
 
-export { clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken };
+export { clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/{oauth2-D2y9ALiO.mjs → oauth2-BjWM15hm.mjs}

@@ -1,6 +1,8 @@
+import { i as logger } from "./env-DbssmzoK.mjs";
 import { base64, base64Url } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { jwtVerify } from "jose";
+import { UnsecuredJWT, createLocalJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+import { APIError } from "better-call";
 
 //#region src/oauth2/client-credentials-token.ts
 function createClientCredentialsTokenRequest({ options, scope, authentication, resource }) {
@@ -233,4 +235,92 @@ async function validateToken(token, jwksEndpoint) {
 }
 
 //#endregion
-export { refreshAccessToken as a, getOAuth2Tokens as c, createRefreshAccessTokenRequest as i, clientCredentialsToken as l, validateAuthorizationCode as n, createAuthorizationURL as o, validateToken as r, generateCodeChallenge as s, createAuthorizationCodeRequest as t, createClientCredentialsTokenRequest as u };
+//#region src/oauth2/verify.ts
+/** Last fetched jwks used locally in getJwks @internal */
+let jwks;
+/**
+* Performs local verification of an access token for your APIs.
+*
+* Can also be configured for remote verification.
+*/
+async function verifyJwsAccessToken(token, opts) {
+	try {
+		const jwt = await jwtVerify(token, createLocalJWKSet(await getJwks(token, opts)), opts.verifyOptions);
+		if (jwt.payload.azp) jwt.payload.client_id = jwt.payload.azp;
+		return jwt.payload;
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error);
+	}
+}
+async function getJwks(token, opts) {
+	let jwtHeaders;
+	try {
+		jwtHeaders = decodeProtectedHeader(token);
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error);
+	}
+	if (!jwtHeaders.kid) throw new Error("Missing jwt kid");
+	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
+		jwks = typeof opts.jwksFetch === "string" ? await betterFetch(opts.jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
+			if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
+			return res.data;
+		}) : await opts.jwksFetch();
+		if (!jwks) throw new Error("No jwks found");
+	}
+	return jwks;
+}
+/**
+* Performs local verification of an access token for your API.
+*
+* Can also be configured for remote verification.
+*/
+async function verifyAccessToken(token, opts) {
+	let payload;
+	if (opts.jwksUrl && !opts?.remoteVerify?.force) try {
+		payload = await verifyJwsAccessToken(token, {
+			jwksFetch: opts.jwksUrl,
+			verifyOptions: opts.verifyOptions
+		});
+	} catch (error) {
+		if (error instanceof Error) if (error.name === "TypeError" || error.name === "JWSInvalid") {} else if (error.name === "JWTExpired") throw new APIError("UNAUTHORIZED", { message: "token expired" });
+		else if (error.name === "JWTInvalid") throw new APIError("UNAUTHORIZED", { message: "token invalid" });
+		else throw error;
+		else throw new Error(error);
+	}
+	if (opts?.remoteVerify) {
+		const { data: introspect, error: introspectError } = await betterFetch(opts.remoteVerify.introspectUrl, {
+			method: "POST",
+			headers: {
+				Accept: "application/json",
+				"Content-Type": "application/x-www-form-urlencoded"
+			},
+			body: new URLSearchParams({
+				client_id: opts.remoteVerify.clientId,
+				client_secret: opts.remoteVerify.clientSecret,
+				token,
+				token_type_hint: "access_token"
+			}).toString()
+		});
+		if (introspectError) logger.error(`Introspection failed: ${introspectError.message ?? introspectError.statusText}`);
+		if (!introspect) throw new APIError("INTERNAL_SERVER_ERROR", { message: "introspection failed" });
+		if (!introspect.active) throw new APIError("UNAUTHORIZED", { message: "token inactive" });
+		try {
+			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
+			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
+			payload = (introspect.aud ? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions) : UnsecuredJWT.decode(unsecuredJwt, verifyOptions)).payload;
+		} catch (error) {
+			throw new Error(error);
+		}
+	}
+	if (!payload) throw new APIError("UNAUTHORIZED", { message: `no token payload` });
+	if (opts.scopes) {
+		const validScopes = new Set(payload.scope?.split(" "));
+		for (const sc of opts.scopes) if (!validScopes.has(sc)) throw new APIError("FORBIDDEN", { message: `invalid scope ${sc}` });
+	}
+	return payload;
+}
+
+//#endregion
+export { validateAuthorizationCode as a, refreshAccessToken as c, getOAuth2Tokens as d, clientCredentialsToken as f, createAuthorizationCodeRequest as i, createAuthorizationURL as l, verifyAccessToken as n, validateToken as o, createClientCredentialsTokenRequest as p, verifyJwsAccessToken as r, createRefreshAccessTokenRequest as s, getJwks as t, generateCodeChallenge as u };

package/dist/social-providers/index.d.mts

@@ -1,2 +1,2 @@
-import { $ as AccountStatus, $t as GoogleProfile, A as PolarOptions, At as linear, B as LineIdTokenPayload, Bt as TwitchOptions, C as SocialProviderListEnum, Cn as atlassian, Ct as gitlab, D as VercelOptions, Dn as apple, Dt as LinearOptions, E as socialProviders, En as AppleProfile, Et as linkedin, F as PayPalTokenResponse, Ft as DropboxProfile, G as NaverProfile, Gt as spotify, H as LineUserInfo, Ht as twitch, I as paypal, It as dropbox, J as KakaoProfile, Jt as slack, K as naver, Kt as SlackOptions, L as PaybinOptions, Lt as TwitterOption, M as polar, Mt as KickProfile, N as PayPalOptions, Nt as kick, O as VercelProfile, On as getApplePublicKey, Ot as LinearProfile, P as PayPalProfile, Pt as DropboxOptions, Q as notion, Qt as GoogleOptions, R as PaybinProfile, Rt as TwitterProfile, S as SocialProviderList, Sn as AtlassianProfile, St as GitlabProfile, T as socialProviderList, Tn as AppleOptions, Tt as LinkedInProfile, U as line, Ut as SpotifyOptions, V as LineOptions, Vt as TwitchProfile, W as NaverOptions, Wt as SpotifyProfile, X as NotionOptions, Xt as HuggingFaceProfile, Y as kakao, Yt as HuggingFaceOptions, Z as NotionProfile, Zt as huggingface, _n as CognitoOptions, _t as reddit, an as GithubOptions, at as zoom, bn as getCognitoPublicKey, bt as tiktok, cn as FigmaOptions, ct as vk, dn as FacebookOptions, dt as salesforce, en as getGooglePublicKey, et as LoginType, fn as FacebookProfile, ft as RobloxOptions, gn as discord, gt as RedditProfile, hn as DiscordProfile, ht as RedditOptions, in as microsoft, it as ZoomProfile, j as PolarProfile, jt as KickOptions, k as vercel, kt as LinearUser, ln as FigmaProfile, lt as SalesforceOptions, mn as DiscordOptions, mt as roblox, nn as MicrosoftEntraIDProfile, nt as PronounOption, on as GithubProfile, ot as VkOption, pn as facebook, pt as RobloxProfile, q as KakaoOptions, qt as SlackProfile, rn as MicrosoftOptions, rt as ZoomOptions, sn as github, st as VkProfile, tn as google, tt as PhoneNumber, un as figma, ut as SalesforceProfile, vn as CognitoProfile, vt as TiktokOptions, w as SocialProviders, wn as AppleNonConformUser, wt as LinkedInOptions, x as SocialProvider, xn as AtlassianOptions, xt as GitlabOptions, yn as cognito, yt as TiktokProfile, z as paybin, zt as twitter } from "../index-D0VJf1xh.mjs";
+import { $ as AccountStatus, $t as GoogleProfile, A as PolarOptions, At as linear, B as LineIdTokenPayload, Bt as TwitchOptions, C as SocialProviderListEnum, Cn as atlassian, Ct as gitlab, D as VercelOptions, Dn as apple, Dt as LinearOptions, E as socialProviders, En as AppleProfile, Et as linkedin, F as PayPalTokenResponse, Ft as DropboxProfile, G as NaverProfile, Gt as spotify, H as LineUserInfo, Ht as twitch, I as paypal, It as dropbox, J as KakaoProfile, Jt as slack, K as naver, Kt as SlackOptions, L as PaybinOptions, Lt as TwitterOption, M as polar, Mt as KickProfile, N as PayPalOptions, Nt as kick, O as VercelProfile, On as getApplePublicKey, Ot as LinearProfile, P as PayPalProfile, Pt as DropboxOptions, Q as notion, Qt as GoogleOptions, R as PaybinProfile, Rt as TwitterProfile, S as SocialProviderList, Sn as AtlassianProfile, St as GitlabProfile, T as socialProviderList, Tn as AppleOptions, Tt as LinkedInProfile, U as line, Ut as SpotifyOptions, V as LineOptions, Vt as TwitchProfile, W as NaverOptions, Wt as SpotifyProfile, X as NotionOptions, Xt as HuggingFaceProfile, Y as kakao, Yt as HuggingFaceOptions, Z as NotionProfile, Zt as huggingface, _n as CognitoOptions, _t as reddit, an as GithubOptions, at as zoom, bn as getCognitoPublicKey, bt as tiktok, cn as FigmaOptions, ct as vk, dn as FacebookOptions, dt as salesforce, en as getGooglePublicKey, et as LoginType, fn as FacebookProfile, ft as RobloxOptions, gn as discord, gt as RedditProfile, hn as DiscordProfile, ht as RedditOptions, in as microsoft, it as ZoomProfile, j as PolarProfile, jt as KickOptions, k as vercel, kt as LinearUser, ln as FigmaProfile, lt as SalesforceOptions, mn as DiscordOptions, mt as roblox, nn as MicrosoftEntraIDProfile, nt as PronounOption, on as GithubProfile, ot as VkOption, pn as facebook, pt as RobloxProfile, q as KakaoOptions, qt as SlackProfile, rn as MicrosoftOptions, rt as ZoomOptions, sn as github, st as VkProfile, tn as google, tt as PhoneNumber, un as figma, ut as SalesforceProfile, vn as CognitoProfile, vt as TiktokOptions, w as SocialProviders, wn as AppleNonConformUser, wt as LinkedInOptions, x as SocialProvider, xn as AtlassianOptions, xt as GitlabOptions, yn as cognito, yt as TiktokProfile, z as paybin, zt as twitter } from "../index-CBdZH5fV.mjs";
 export { AccountStatus, AppleNonConformUser, AppleOptions, AppleProfile, AtlassianOptions, AtlassianProfile, CognitoOptions, CognitoProfile, DiscordOptions, DiscordProfile, DropboxOptions, DropboxProfile, FacebookOptions, FacebookProfile, FigmaOptions, FigmaProfile, GithubOptions, GithubProfile, GitlabOptions, GitlabProfile, GoogleOptions, GoogleProfile, HuggingFaceOptions, HuggingFaceProfile, KakaoOptions, KakaoProfile, KickOptions, KickProfile, LineIdTokenPayload, LineOptions, LineUserInfo, LinearOptions, LinearProfile, LinearUser, LinkedInOptions, LinkedInProfile, LoginType, MicrosoftEntraIDProfile, MicrosoftOptions, NaverOptions, NaverProfile, NotionOptions, NotionProfile, PayPalOptions, PayPalProfile, PayPalTokenResponse, PaybinOptions, PaybinProfile, PhoneNumber, PolarOptions, PolarProfile, PronounOption, RedditOptions, RedditProfile, RobloxOptions, RobloxProfile, SalesforceOptions, SalesforceProfile, SlackOptions, SlackProfile, SocialProvider, SocialProviderList, SocialProviderListEnum, SocialProviders, SpotifyOptions, SpotifyProfile, TiktokOptions, TiktokProfile, TwitchOptions, TwitchProfile, TwitterOption, TwitterProfile, VercelOptions, VercelProfile, VkOption, VkProfile, ZoomOptions, ZoomProfile, apple, atlassian, cognito, discord, dropbox, facebook, figma, getApplePublicKey, getCognitoPublicKey, getGooglePublicKey, github, gitlab, google, huggingface, kakao, kick, line, linear, linkedin, microsoft, naver, notion, paybin, paypal, polar, reddit, roblox, salesforce, slack, socialProviderList, socialProviders, spotify, tiktok, twitch, twitter, vercel, vk, zoom };

package/dist/social-providers/index.mjs

@@ -1,7 +1,7 @@
 import { i as logger } from "../env-DbssmzoK.mjs";
 import "../utils-NloIXYE0.mjs";
 import { t as BetterAuthError } from "../error-CzMAIrPb.mjs";
-import { a as refreshAccessToken, c as getOAuth2Tokens, n as validateAuthorizationCode, o as createAuthorizationURL, s as generateCodeChallenge } from "../oauth2-D2y9ALiO.mjs";
+import { a as validateAuthorizationCode, c as refreshAccessToken, d as getOAuth2Tokens, l as createAuthorizationURL, u as generateCodeChallenge } from "../oauth2-BjWM15hm.mjs";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
@@ -203,7 +203,7 @@ const cognito = (options) => {
 			];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+			const url = await createAuthorizationURL({
 				id: "cognito",
 				options: { ...options },
 				authorizationEndpoint,
@@ -213,6 +213,15 @@ const cognito = (options) => {
 				redirectURI,
 				prompt: options.prompt
 			});
+			const scopeValue = url.searchParams.get("scope");
+			if (scopeValue) {
+				url.searchParams.delete("scope");
+				const encodedScope = encodeURIComponent(scopeValue);
+				const urlString = url.toString();
+				const separator = urlString.includes("?") ? "&" : "?";
+				return new URL(`${urlString}${separator}scope=${encodedScope}`);
+			}
+			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.4.8-beta.6",
+  "version": "1.4.8",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "repository": {

package/src/db/adapter/factory.ts

@@ -474,9 +474,19 @@ export const createAdapterFactory =
 		const transformWhereClause = <W extends Where[] | undefined>({
 			model,
 			where,
+			action,
 		}: {
 			where: W;
 			model: string;
+			action:
+				| "create"
+				| "update"
+				| "findOne"
+				| "findMany"
+				| "updateMany"
+				| "delete"
+				| "deleteMany"
+				| "count";
 		}): W extends undefined ? undefined : CleanedWhere[] => {
 			if (!where) return undefined as any;
 			const newMappedKeys = config.mapKeysTransformInput ?? {};
@@ -562,6 +572,18 @@ export const createAdapterFactory =
 					}
 				}
 
+				if (config.customTransformInput) {
+					newValue = config.customTransformInput({
+						data: newValue,
+						fieldAttributes: fieldAttr,
+						field: fieldName,
+						model: getModelName(model),
+						schema,
+						options,
+						action,
+					});
+				}
+
 				return {
 					operator,
 					connector,
@@ -727,6 +749,7 @@ export const createAdapterFactory =
 						connector: "AND",
 					},
 				],
+				action: "findOne",
 			});
 			try {
 				if (joinConfig.relation === "one-to-one") {
@@ -886,6 +909,7 @@ export const createAdapterFactory =
 				const where = transformWhereClause({
 					model: unsafeModel,
 					where: unsafeWhere,
+					action: "update",
 				});
 				debugLog(
 					{ method: "update" },
@@ -946,6 +970,7 @@ export const createAdapterFactory =
 				const where = transformWhereClause({
 					model: unsafeModel,
 					where: unsafeWhere,
+					action: "updateMany",
 				});
 				unsafeModel = getDefaultModelName(unsafeModel);
 				debugLog(
@@ -1001,6 +1026,7 @@ export const createAdapterFactory =
 				const where = transformWhereClause({
 					model: unsafeModel,
 					where: unsafeWhere,
+					action: "findOne",
 				});
 				unsafeModel = getDefaultModelName(unsafeModel);
 				let join: JoinConfig | undefined;
@@ -1078,6 +1104,7 @@ export const createAdapterFactory =
 				const where = transformWhereClause({
 					model: unsafeModel,
 					where: unsafeWhere,
+					action: "findMany",
 				});
 				unsafeModel = getDefaultModelName(unsafeModel);
 				let join: JoinConfig | undefined;
@@ -1151,6 +1178,7 @@ export const createAdapterFactory =
 				const where = transformWhereClause({
 					model: unsafeModel,
 					where: unsafeWhere,
+					action: "delete",
 				});
 				unsafeModel = getDefaultModelName(unsafeModel);
 				debugLog(
@@ -1183,6 +1211,7 @@ export const createAdapterFactory =
 				const where = transformWhereClause({
 					model: unsafeModel,
 					where: unsafeWhere,
+					action: "deleteMany",
 				});
 				unsafeModel = getDefaultModelName(unsafeModel);
 				debugLog(
@@ -1216,6 +1245,7 @@ export const createAdapterFactory =
 				const where = transformWhereClause({
 					model: unsafeModel,
 					where: unsafeWhere,
+					action: "count",
 				});
 				unsafeModel = getDefaultModelName(unsafeModel);
 				debugLog(

package/src/db/adapter/index.ts

@@ -203,7 +203,15 @@ export interface DBAdapterFactoryConfig<
 				/**
 				 * The action which was called from the adapter.
 				 */
-				action: "create" | "update" | "findOne" | "findMany";
+				action:
+					| "create"
+					| "update"
+					| "findOne"
+					| "findMany"
+					| "updateMany"
+					| "delete"
+					| "deleteMany"
+					| "count";
 				/**
 				 * The model name.
 				 */

package/src/db/adapter/types.ts

@@ -111,9 +111,19 @@ export type AdapterFactoryCustomizeAdapterCreator = (config: {
 	transformWhereClause: <W extends Where[] | undefined>({
 		model,
 		where,
+		action,
 	}: {
 		where: W;
 		model: string;
+		action:
+			| "create"
+			| "update"
+			| "findOne"
+			| "findMany"
+			| "updateMany"
+			| "delete"
+			| "deleteMany"
+			| "count";
 	}) => W extends undefined ? undefined : CleanedWhere[];
 }) => CustomAdapter;
 

package/src/oauth2/index.ts

@@ -19,3 +19,8 @@ export {
 	validateAuthorizationCode,
 	validateToken,
 } from "./validate-authorization-code";
+export {
+	getJwks,
+	verifyAccessToken,
+	verifyJwsAccessToken,
+} from "./verify";

package/src/oauth2/verify.ts

@@ -0,0 +1,221 @@
+import { betterFetch } from "@better-fetch/fetch";
+import { APIError } from "better-call";
+import type {
+	JSONWebKeySet,
+	JWTPayload,
+	JWTVerifyOptions,
+	ProtectedHeaderParameters,
+} from "jose";
+import {
+	createLocalJWKSet,
+	decodeProtectedHeader,
+	jwtVerify,
+	UnsecuredJWT,
+} from "jose";
+import { logger } from "../env";
+
+/** Last fetched jwks used locally in getJwks @internal */
+let jwks: JSONWebKeySet | undefined;
+
+export interface VerifyAccessTokenRemote {
+	/** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
+	introspectUrl: string;
+	/** Client Secret */
+	clientId: string;
+	/** Client Secret */
+	clientSecret: string;
+	/**
+	 * Forces remote verification of a token.
+	 * This ensures attached session (if applicable)
+	 * is also still active.
+	 */
+	force?: boolean;
+}
+
+/**
+ * Performs local verification of an access token for your APIs.
+ *
+ * Can also be configured for remote verification.
+ */
+export async function verifyJwsAccessToken(
+	token: string,
+	opts: {
+		/** Jwks url or promise of a Jwks */
+		jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+		/** Verify options */
+		verifyOptions: JWTVerifyOptions &
+			Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+	},
+) {
+	try {
+		const jwks = await getJwks(token, opts);
+		const jwt = await jwtVerify<JWTPayload>(
+			token,
+			createLocalJWKSet(jwks),
+			opts.verifyOptions,
+		);
+		// Return the JWT payload in introspection format
+		// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
+		if (jwt.payload.azp) {
+			jwt.payload.client_id = jwt.payload.azp;
+		}
+		return jwt.payload;
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error as unknown as string);
+	}
+}
+
+export async function getJwks(
+	token: string,
+	opts: {
+		/** Jwks url or promise of a Jwks */
+		jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+	},
+) {
+	// Attempt to decode the token and find a matching kid in jwks
+	let jwtHeaders: ProtectedHeaderParameters | undefined;
+	try {
+		jwtHeaders = decodeProtectedHeader(token);
+	} catch (error) {
+		if (error instanceof Error) throw error;
+		throw new Error(error as unknown as string);
+	}
+
+	if (!jwtHeaders.kid) throw new Error("Missing jwt kid");
+
+	// Fetch jwks if not set or has a different kid than the one stored
+	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
+		jwks =
+			typeof opts.jwksFetch === "string"
+				? await betterFetch<JSONWebKeySet>(opts.jwksFetch, {
+						headers: {
+							Accept: "application/json",
+						},
+					}).then(async (res) => {
+						if (res.error)
+							throw new Error(
+								`Jwks failed: ${res.error.message ?? res.error.statusText}`,
+							);
+						return res.data;
+					})
+				: await opts.jwksFetch();
+		if (!jwks) throw new Error("No jwks found");
+	}
+
+	return jwks;
+}
+
+/**
+ * Performs local verification of an access token for your API.
+ *
+ * Can also be configured for remote verification.
+ */
+export async function verifyAccessToken(
+	token: string,
+	opts: {
+		/** Verify options */
+		verifyOptions: JWTVerifyOptions &
+			Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+		/** Scopes to additionally verify. Token must include all but not exact. */
+		scopes?: string[];
+		/** Required to verify access token locally */
+		jwksUrl?: string;
+		/** If provided, can verify a token remotely */
+		remoteVerify?: VerifyAccessTokenRemote;
+	},
+) {
+	let payload: JWTPayload | undefined;
+	// Locally verify
+	if (opts.jwksUrl && !opts?.remoteVerify?.force) {
+		try {
+			payload = await verifyJwsAccessToken(token, {
+				jwksFetch: opts.jwksUrl,
+				verifyOptions: opts.verifyOptions,
+			});
+		} catch (error) {
+			if (error instanceof Error) {
+				if (error.name === "TypeError" || error.name === "JWSInvalid") {
+					// likely an opaque token (continue)
+				} else if (error.name === "JWTExpired") {
+					throw new APIError("UNAUTHORIZED", {
+						message: "token expired",
+					});
+				} else if (error.name === "JWTInvalid") {
+					throw new APIError("UNAUTHORIZED", {
+						message: "token invalid",
+					});
+				} else {
+					throw error;
+				}
+			} else {
+				throw new Error(error as unknown as string);
+			}
+		}
+	}
+
+	// Remote verify
+	if (opts?.remoteVerify) {
+		const { data: introspect, error: introspectError } = await betterFetch<
+			JWTPayload & {
+				active: boolean;
+			}
+		>(opts.remoteVerify.introspectUrl, {
+			method: "POST",
+			headers: {
+				Accept: "application/json",
+				"Content-Type": "application/x-www-form-urlencoded",
+			},
+			body: new URLSearchParams({
+				client_id: opts.remoteVerify.clientId,
+				client_secret: opts.remoteVerify.clientSecret,
+				token,
+				token_type_hint: "access_token",
+			}).toString(),
+		});
+		if (introspectError)
+			logger.error(
+				`Introspection failed: ${introspectError.message ?? introspectError.statusText}`,
+			);
+		if (!introspect)
+			throw new APIError("INTERNAL_SERVER_ERROR", {
+				message: "introspection failed",
+			});
+		if (!introspect.active)
+			throw new APIError("UNAUTHORIZED", {
+				message: "token inactive",
+			});
+		// Verifies payload using verify options (token valid through introspect)
+		try {
+			const unsecuredJwt = new UnsecuredJWT(introspect).encode();
+			const { audience: _audience, ...verifyOptions } = opts.verifyOptions;
+			const verify = introspect.aud
+				? UnsecuredJWT.decode(unsecuredJwt, opts.verifyOptions)
+				: UnsecuredJWT.decode(unsecuredJwt, verifyOptions);
+			payload = verify.payload;
+		} catch (error) {
+			throw new Error(error as unknown as string);
+		}
+	}
+
+	if (!payload)
+		throw new APIError("UNAUTHORIZED", {
+			message: `no token payload`,
+		});
+
+	// Check scopes if provided
+	if (opts.scopes) {
+		const validScopes = new Set(
+			(payload.scope as string | undefined)?.split(" "),
+		);
+		for (const sc of opts.scopes) {
+			if (!validScopes.has(sc)) {
+				throw new APIError("FORBIDDEN", {
+					message: `invalid scope ${sc}`,
+				});
+			}
+		}
+	}
+
+	return payload;
+}

package/src/social-providers/cognito.ts

@@ -92,6 +92,17 @@ export const cognito = (options: CognitoOptions) => {
 				redirectURI,
 				prompt: options.prompt,
 			});
+			// AWS Cognito requires scopes to be encoded with %20 instead of +
+			// URLSearchParams encodes spaces as + by default, so we need to fix this
+			const scopeValue = url.searchParams.get("scope");
+			if (scopeValue) {
+				url.searchParams.delete("scope");
+				const encodedScope = encodeURIComponent(scopeValue);
+				// Manually append the scope with proper encoding to the URL
+				const urlString = url.toString();
+				const separator = urlString.includes("?") ? "&" : "?";
+				return new URL(`${urlString}${separator}scope=${encodedScope}`);
+			}
 			return url;
 		},
 

package/src/types/init-options.ts

@@ -994,17 +994,9 @@ export type BetterAuthOptions = {
 		| undefined;
 	/**
 	 * List of trusted origins.
-	 *
-	 * @param request - The request object.
-	 * It'll be undefined if no request was
-	 * made. Like during a create context call
-	 * or `auth.api` call.
-	 *
-	 * Trusted origins will be dynamically
-	 * calculated based on the request.
 	 */
 	trustedOrigins?:
-		| (string[] | ((request?: Request | undefined) => Awaitable<string[]>))
+		| (string[] | ((request: Request) => Awaitable<string[]>))
 		| undefined;
 	/**
 	 * Rate limiting configuration