@better-auth/core 1.5.0-beta.2 → 1.5.0-beta.20

package/src/types/init-options.ts

@@ -20,105 +20,168 @@ import type {
 	Verification,
 } from "../db";
 import type { DBAdapterDebugLogOption, DBAdapterInstance } from "../db/adapter";
+import type { BaseAccount } from "../db/schema/account";
+import type { BaseRateLimit } from "../db/schema/rate-limit";
+import type { BaseSession } from "../db/schema/session";
+import type { BaseUser } from "../db/schema/user";
+import type { BaseVerification } from "../db/schema/verification";
 import type { Logger } from "../env";
 import type { SocialProviderList, SocialProviders } from "../social-providers";
 import type { AuthContext, GenericEndpointContext } from "./context";
-import type { Awaitable, LiteralUnion } from "./helper";
+import type { Awaitable, LiteralString, LiteralUnion } from "./helper";
 import type { BetterAuthPlugin } from "./plugin";
 
 type KyselyDatabaseType = "postgres" | "mysql" | "sqlite" | "mssql";
-type OmitId<T extends { id: unknown }> = Omit<T, "id">;
 type Optional<T> = {
 	[P in keyof T]?: T[P] | undefined;
 };
 
+export type StoreIdentifierOption =
+	| "plain"
+	| "hashed"
+	| { hash: (identifier: string) => Promise<string> };
+
 export type GenerateIdFn = (options: {
 	model: ModelNames;
 	size?: number | undefined;
 }) => string | false;
 
-export type BetterAuthRateLimitOptions = {
+/**
+ * Configuration for dynamic base URL resolution.
+ * Allows Better Auth to work with multiple domains (e.g., Vercel preview deployments).
+ */
+export type DynamicBaseURLConfig = {
 	/**
-	 * By default, rate limiting is only
-	 * enabled on production.
+	 * List of allowed hostnames. Supports wildcard patterns.
+	 *
+	 * The derived host from the request will be validated against this list.
+	 * Uses the same wildcard matching as `trustedOrigins`.
+	 *
+	 * @example
+	 * ```ts
+	 * allowedHosts: [
+	 *   "myapp.com",           // Exact match
+	 *   "*.vercel.app",        // Any Vercel preview
+	 *   "preview-*.myapp.com"  // Pattern match
+	 * ]
+	 * ```
 	 */
-	enabled?: boolean | undefined;
+	allowedHosts: string[];
+
 	/**
-	 * Default window to use for rate limiting. The value
-	 * should be in seconds.
+	 * Fallback URL to use if the derived host doesn't match any allowed host.
+	 * If not set, Better Auth will throw an error when the host doesn't match.
 	 *
-	 * @default 10 seconds
+	 * @example "https://myapp.com"
 	 */
-	window?: number | undefined;
+	fallback?: string | undefined;
+
 	/**
-	 * The default maximum number of requests allowed within the window.
+	 * Protocol to use when constructing the URL.
+	 * - `"https"`: Always use HTTPS (recommended for production)
+	 * - `"http"`: Always use HTTP (for local development)
+	 * - `"auto"`: Derive from `x-forwarded-proto` header or default to HTTPS
 	 *
-	 * @default 100 requests
+	 * @default "auto"
 	 */
-	max?: number | undefined;
+	protocol?: "http" | "https" | "auto" | undefined;
+};
+
+/**
+ * Base URL configuration.
+ * Can be a static string or a dynamic config for multi-domain deployments.
+ */
+export type BaseURLConfig = string | DynamicBaseURLConfig;
+
+export interface BetterAuthRateLimitStorage {
+	get: (key: string) => Promise<RateLimit | null | undefined>;
+	set: (
+		key: string,
+		value: RateLimit,
+		update?: boolean | undefined,
+	) => Promise<void>;
+}
+
+export type BetterAuthRateLimitRule = {
 	/**
-	 * Custom rate limit rules to apply to
-	 * specific paths.
+	 * Default window to use for rate limiting. The value
+	 * should be in seconds.
+	 *
+	 * @default 10 seconds
 	 */
-	customRules?:
-		| {
-				[key: string]:
-					| {
-							/**
-							 * The window to use for the custom rule.
-							 */
-							window: number;
-							/**
-							 * The maximum number of requests allowed within the window.
-							 */
-							max: number;
-					  }
-					| false
-					| ((request: Request) =>
-							| { window: number; max: number }
-							| false
-							| Promise<
-									| {
-											window: number;
-											max: number;
-									  }
-									| false
-							  >);
-		  }
-		| undefined;
+	window: number;
 	/**
-	 * Storage configuration
-	 *
-	 * By default, rate limiting is stored in memory. If you passed a
-	 * secondary storage, rate limiting will be stored in the secondary
-	 * storage.
+	 * The default maximum number of requests allowed within the window.
 	 *
-	 * @default "memory"
+	 * @default 100 requests
 	 */
-	storage?: ("memory" | "database" | "secondary-storage") | undefined;
+	max: number;
+};
+
+export type BetterAuthDBOptions<
+	ModelName extends string,
+	Keys extends string = string,
+> = {
 	/**
-	 * If database is used as storage, the name of the table to
-	 * use for rate limiting.
-	 *
-	 * @default "rateLimit"
+	 * The name of the model. Defaults to the model name.
 	 */
-	modelName?: string | undefined;
+	modelName?: ModelName | LiteralString;
 	/**
-	 * Custom field names for the rate limit table
+	 * Map fields to database columns
 	 */
-	fields?: Partial<Record<keyof RateLimit, string>> | undefined;
+	fields?: Partial<Record<Exclude<Keys, "id">, string>>;
 	/**
-	 * custom storage configuration.
-	 *
-	 * NOTE: If custom storage is used storage
-	 * is ignored
+	 * Additional fields for the model
 	 */
-	customStorage?: {
-		get: (key: string) => Promise<RateLimit | undefined>;
-		set: (key: string, value: RateLimit) => Promise<void>;
+	additionalFields?: {
+		[Key in Exclude<string, Keys | "id">]: DBFieldAttribute;
 	};
 };
 
+export type BetterAuthRateLimitOptions = Optional<BetterAuthRateLimitRule> &
+	Omit<
+		BetterAuthDBOptions<"rateLimit", keyof BaseRateLimit>,
+		"additionalFields"
+	> & {
+		/**
+		 * By default, rate limiting is only
+		 * enabled on production.
+		 */
+		enabled?: boolean | undefined;
+		/**
+		 * Custom rate limit rules to apply to
+		 * specific paths.
+		 */
+		customRules?:
+			| {
+					[key: string]:
+						| BetterAuthRateLimitRule
+						| false
+						| ((
+								request: Request,
+								currentRule: BetterAuthRateLimitRule,
+						  ) => Awaitable<false | BetterAuthRateLimitRule>);
+			  }
+			| undefined;
+		/**
+		 * Storage configuration
+		 *
+		 * By default, rate limiting is stored in memory. If you passed a
+		 * secondary storage, rate limiting will be stored in the secondary
+		 * storage.
+		 *
+		 * @default "memory"
+		 */
+		storage?: ("memory" | "database" | "secondary-storage") | undefined;
+		/**
+		 * custom storage configuration.
+		 *
+		 * NOTE: If custom storage is used storage
+		 * is ignored
+		 */
+		customStorage?: BetterAuthRateLimitStorage;
+	};
+
 export type BetterAuthAdvancedOptions = {
 	/**
 	 * Ip address configuration
@@ -142,6 +205,13 @@ export type BetterAuthAdvancedOptions = {
 				 * ⚠︎ This is a security risk and it may expose your application to abuse
 				 */
 				disableIpTracking?: boolean;
+				/**
+				 * IPv6 subnet prefix length for rate limiting.
+				 * IPv6 addresses will be normalized to this subnet.
+				 *
+				 * @default 64
+				 */
+				ipv6Subnet?: 128 | 64 | 48 | 32;
 		  }
 		| undefined;
 	/**
@@ -151,17 +221,32 @@ export type BetterAuthAdvancedOptions = {
 	 */
 	useSecureCookies?: boolean | undefined;
 	/**
-	 * Disable trusted origins check
+	 * Disable all CSRF protection.
+	 *
+	 * When enabled, this disables:
+	 * - Origin header validation when cookies are present
+	 * - Fetch Metadata checks (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest)
+	 * - Cross-site navigation blocking for first-login scenarios
 	 *
 	 * ⚠︎ This is a security risk and it may expose your application to
 	 * CSRF attacks
+	 *
+	 * @default false
 	 */
 	disableCSRFCheck?: boolean | undefined;
 	/**
-	 * Disable origin check
+	 * Disable URL validation against trustedOrigins.
+	 *
+	 * When enabled, this disables validation of:
+	 * - callbackURL
+	 * - redirectTo
+	 * - errorCallbackURL
+	 * - newUserCallbackURL
+	 *
+	 * ⚠︎ This may allow open redirects and could lead to security
+	 * vulnerabilities.
 	 *
-	 * ⚠︎ This may allow requests from any origin to be processed by
-	 * Better Auth. And could lead to security vulnerabilities.
+	 * @default false
 	 */
 	disableOriginCheck?: boolean | undefined;
 	/**
@@ -228,17 +313,6 @@ export type BetterAuthAdvancedOptions = {
 				 * @default 100
 				 */
 				defaultFindManyLimit?: number;
-				/**
-				 * If your database auto increments number ids, set this to `true`.
-				 *
-				 * Note: If enabled, we will not handle ID generation (including if you use `generateId`), and it would be expected that your database will provide the ID automatically.
-				 *
-				 * @default false
-				 *
-				 * @deprecated Please use `generateId` instead. This will be removed in future
-				 * releases.
-				 */
-				useNumberId?: boolean;
 				/**
 				 * Custom generateId function.
 				 *
@@ -294,8 +368,17 @@ export type BetterAuthAdvancedOptions = {
 	 * }
 	 */
 	backgroundTasks?: {
-		handler: (promise: Promise<void>) => void;
+		handler: (promise: Promise<unknown>) => void;
 	};
+	/**
+	 * Skip trailing slashes in API routes.
+	 *
+	 * When enabled, requests with trailing slashes (e.g., `/api/auth/session/`)
+	 * will be handled the same as requests without (e.g., `/api/auth/session`).
+	 *
+	 * @default false
+	 */
+	skipTrailingSlashes?: boolean;
 };
 
 export type BetterAuthOptions = {
@@ -310,12 +393,27 @@ export type BetterAuthOptions = {
 	/**
 	 * Base URL for the Better Auth. This is typically the
 	 * root URL where your application server is hosted.
-	 * If not explicitly set,
-	 * the system will check the following environment variable:
 	 *
-	 * process.env.BETTER_AUTH_URL
+	 * Can be configured as:
+	 * - A static string: `"https://myapp.com"`
+	 * - A dynamic config with allowed hosts for multi-domain deployments
+	 *
+	 * If not explicitly set, the system will check environment variables:
+	 * `BETTER_AUTH_URL`, `NEXT_PUBLIC_BETTER_AUTH_URL`, etc.
+	 *
+	 * @example
+	 * ```ts
+	 * // Static URL
+	 * baseURL: "https://myapp.com"
+	 *
+	 * // Dynamic with allowed hosts (for Vercel, multi-domain, etc.)
+	 * baseURL: {
+	 *   allowedHosts: ["myapp.com", "*.vercel.app", "preview-*.myapp.com"],
+	 *   fallback: "https://myapp.com"
+	 * }
+	 * ```
 	 */
-	baseURL?: string | undefined;
+	baseURL?: BaseURLConfig | undefined;
 	/**
 	 * Base path for the Better Auth. This is typically
 	 * the path where the
@@ -451,10 +549,13 @@ export type BetterAuthOptions = {
 					request?: Request,
 				) => Promise<void>;
 				/**
-				 * Send a verification email automatically
-				 * after sign up
+				 * Send a verification email automatically after sign up.
 				 *
-				 * @default false
+				 * - `true`: Always send verification email on sign up
+				 * - `false`: Never send verification email on sign up
+				 * - `undefined`: Follows `requireEmailVerification` behavior
+				 *
+				 * @default undefined
 				 */
 				sendOnSignUp?: boolean;
 				/**
@@ -475,11 +576,14 @@ export type BetterAuthOptions = {
 				 */
 				expiresIn?: number;
 				/**
-				 * A function that is called when a user verifies their email
+				 * A function that is called before a user verifies their email
 				 * @param user the user that verified their email
 				 * @param request the request object
 				 */
-				onEmailVerification?: (user: User, request?: Request) => Promise<void>;
+				beforeEmailVerification?: (
+					user: User,
+					request?: Request,
+				) => Promise<void>;
 				/**
 				 * A function that is called when a user's email is updated to verified
 				 * @param user the user that verified their email
@@ -585,6 +689,20 @@ export type BetterAuthOptions = {
 				 * @default false
 				 */
 				revokeSessionsOnPasswordReset?: boolean;
+				/**
+				 * A callback function that is triggered when a user tries to sign up
+				 * with an email that already exists. Useful for notifying the existing user
+				 * that someone attempted to register with their email.
+				 *
+				 * This is only called when `requireEmailVerification: true` or `autoSignIn: false`.
+				 */
+				onExistingUserSignUp?: (
+					/**
+					 * @param user the existing user from the database
+					 */
+					data: { user: User },
+					request?: Request,
+				) => Promise<void>;
 		  }
 		| undefined;
 	/**
@@ -599,28 +717,7 @@ export type BetterAuthOptions = {
 	 * User configuration
 	 */
 	user?:
-		| {
-				/**
-				 * The model name for the user. Defaults to "user".
-				 */
-				modelName?: string;
-				/**
-				 * Map fields
-				 *
-				 * @example
-				 * ```ts
-				 * {
-				 *  userId: "user_id"
-				 * }
-				 * ```
-				 */
-				fields?: Partial<Record<keyof OmitId<User>, string>>;
-				/**
-				 * Additional fields for the user
-				 */
-				additionalFields?: {
-					[key: string]: DBFieldAttribute;
-				};
+		| (BetterAuthDBOptions<"user", keyof BaseUser> & {
 				/**
 				 * Changing email configuration
 				 */
@@ -630,21 +727,6 @@ export type BetterAuthOptions = {
 					 * @default false
 					 */
 					enabled: boolean;
-					/**
-					 * Send a verification email when the user changes their email.
-					 * @param data the data object
-					 * @param request the request object
-					 * @deprecated Use `sendChangeEmailConfirmation` instead
-					 */
-					sendChangeEmailVerification?: (
-						data: {
-							user: User;
-							newEmail: string;
-							url: string;
-							token: string;
-						},
-						request?: Request,
-					) => Promise<void>;
 					/**
 					 * Send a confirmation email to the old email address when the user changes their email.
 					 * @param data the data object
@@ -707,26 +789,10 @@ export type BetterAuthOptions = {
 					 */
 					deleteTokenExpiresIn?: number;
 				};
-		  }
+		  })
 		| undefined;
 	session?:
-		| {
-				/**
-				 * The model name for the session.
-				 *
-				 * @default "session"
-				 */
-				modelName?: string;
-				/**
-				 * Map fields
-				 *
-				 * @example
-				 * ```ts
-				 * {
-				 *  userId: "user_id"
-				 * }
-				 */
-				fields?: Partial<Record<keyof OmitId<Session>, string>>;
+		| (BetterAuthDBOptions<"session", keyof BaseSession> & {
 				/**
 				 * Expiration time for the session token. The value
 				 * should be in seconds.
@@ -748,11 +814,13 @@ export type BetterAuthOptions = {
 				 */
 				disableSessionRefresh?: boolean;
 				/**
-				 * Additional fields for the session
+				 * Defer session refresh writes to POST requests.
+				 * When enabled, GET is read-only and POST performs refresh.
+				 * Useful for read-replica database setups.
+				 *
+				 * @default false
 				 */
-				additionalFields?: {
-					[key: string]: DBFieldAttribute;
-				};
+				deferSessionRefresh?: boolean;
 				/**
 				 * By default if secondary storage is provided
 				 * the session is stored in the secondary storage.
@@ -862,24 +930,10 @@ export type BetterAuthOptions = {
 				 * @default 1 day (60 * 60 * 24)
 				 */
 				freshAge?: number;
-		  }
+		  })
 		| undefined;
 	account?:
-		| {
-				/**
-				 * The model name for the account. Defaults to "account".
-				 */
-				modelName?: string;
-				/**
-				 * Map fields
-				 */
-				fields?: Partial<Record<keyof OmitId<Account>, string>>;
-				/**
-				 * Additional fields for the account
-				 */
-				additionalFields?: {
-					[key: string]: DBFieldAttribute;
-				};
+		| (BetterAuthDBOptions<"account", keyof BaseAccount> & {
 				/**
 				 * When enabled (true), the user account data (accessToken, idToken, refreshToken, etc.)
 				 * will be updated on sign in with the latest data from the provider.
@@ -898,11 +952,54 @@ export type BetterAuthOptions = {
 					 */
 					enabled?: boolean;
 					/**
-					 * List of trusted providers
+					 * Disable implicit account linking on sign-in.
+					 *
+					 * When enabled, accounts will not be automatically linked
+					 * during OAuth sign-in, even if the email is verified or
+					 * the provider is trusted. Users must explicitly link
+					 * accounts using `linkSocial()` while authenticated.
+					 *
+					 * @default false
+					 */
+					disableImplicitLinking?: boolean;
+					/**
+					 * List of trusted providers. Can be a static array or a function
+					 * that returns providers dynamically. The function is called
+					 * during context init (with `request` undefined) and again
+					 * on each request (with the incoming Request). It must be
+					 * resilient to `request` being undefined.
+					 *
+					 * @example
+					 * ```ts
+					 * trustedProviders: ["google", "github"]
+					 * ```
+					 *
+					 * @example
+					 * ```ts
+					 * trustedProviders: async (request) => {
+					 *   if (!request) return [];
+					 *   const providers = await getTrustedProvidersForTenant(request);
+					 *   return providers;
+					 * }
+					 * ```
 					 */
-					trustedProviders?: Array<
-						LiteralUnion<SocialProviderList[number] | "email-password", string>
-					>;
+					trustedProviders?:
+						| Array<
+								LiteralUnion<
+									SocialProviderList[number] | "email-password",
+									string
+								>
+						  >
+						| ((
+								request?: Request | undefined,
+						  ) => Awaitable<
+								Array<
+									LiteralUnion<
+										SocialProviderList[number] | "email-password",
+										string
+									>
+								>
+						  >);
 					/**
 					 * If enabled (true), this will allow users to manually linking accounts with different email addresses than the main user.
 					 *
@@ -964,33 +1061,34 @@ export type BetterAuthOptions = {
 				 * @note This is automatically set to true if you haven't passed a database
 				 */
 				storeAccountCookie?: boolean;
-		  }
+		  })
 		| undefined;
-	/**
-	 * Verification configuration
-	 */
 	verification?:
-		| {
+		| (BetterAuthDBOptions<"verification", keyof BaseVerification> & {
 				/**
-				 * Change the modelName of the verification table
-				 */
-				modelName?: string;
-				/**
-				 * Map verification fields
+				 * disable cleaning up expired values when a verification value is
+				 * fetched
 				 */
-				fields?: Partial<Record<keyof OmitId<Verification>, string>>;
+				disableCleanup?: boolean;
 				/**
-				 * Additional fields for the verification
+				 * How to store verification identifiers (tokens, OTPs, etc.)
+				 *
+				 * @example "hashed"
+				 *
+				 * @default "plain"
 				 */
-				additionalFields?: {
-					[key: string]: DBFieldAttribute;
-				};
+				storeIdentifier?:
+					| StoreIdentifierOption
+					| {
+							default: StoreIdentifierOption;
+							overrides?: Record<string, StoreIdentifierOption>;
+					  };
 				/**
-				 * disable cleaning up expired values when a verification value is
-				 * fetched
+				 * Store verification data in database even when secondary storage is configured.
+				 * @default false
 				 */
-				disableCleanup?: boolean;
-		  }
+				storeInDatabase?: boolean;
+		  })
 		| undefined;
 	/**
 	 * List of trusted origins.
@@ -1002,9 +1100,26 @@ export type BetterAuthOptions = {
 	 *
 	 * Trusted origins will be dynamically
 	 * calculated based on the request.
+	 *
+	 * @example
+	 * ```ts
+	 * trustedOrigins: async (request) => {
+	 *   return [
+	 *    "https://better-auth.com",
+	 *    "https://*.better-auth.com",
+	 *    request.headers.get("x-custom-origin")
+	 *   ];
+	 * }
+	 * ```
+	 * @returns An array of trusted origins.
 	 */
 	trustedOrigins?:
-		| (string[] | ((request?: Request | undefined) => Awaitable<string[]>))
+		| (
+				| string[]
+				| ((
+						request?: Request | undefined,
+				  ) => Awaitable<(string | undefined | null)[]>)
+		  )
 		| undefined;
 	/**
 	 * Rate limiting configuration

package/src/types/plugin-client.ts

@@ -17,6 +17,7 @@ export interface ClientStore {
 export type ClientAtomListener = {
 	matcher: (path: string) => boolean;
 	signal: "$sessionSignal" | Omit<string, "$sessionSignal">;
+	callback?: (path: string) => void;
 };
 
 /**