@better-auth/core 1.5.0-beta.2 → 1.5.0-beta.4

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/core@1.5.0-beta.2 build /home/runner/work/better-auth/better-auth/packages/core
+> @better-auth/core@1.5.0-beta.4 build /home/runner/work/better-auth/better-auth/packages/core
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -16,28 +16,28 @@
 ℹ dist/oauth2/index.mjs                0.75 kB │ gzip:  0.28 kB
 ℹ dist/context/index.mjs               0.70 kB │ gzip:  0.24 kB
 ℹ dist/env/index.mjs                   0.44 kB │ gzip:  0.25 kB
-ℹ dist/utils/index.mjs                 0.24 kB │ gzip:  0.17 kB
+ℹ dist/utils/index.mjs                 0.26 kB │ gzip:  0.18 kB
 ℹ dist/error/index.mjs                 0.22 kB │ gzip:  0.16 kB
 ℹ dist/index.mjs                       0.01 kB │ gzip:  0.03 kB
 ℹ dist/oauth2-BjWM15hm.mjs            12.82 kB │ gzip:  3.16 kB
 ℹ dist/env-DbssmzoK.mjs                7.67 kB │ gzip:  2.54 kB
 ℹ dist/get-tables-CMc_Emww.mjs         6.76 kB │ gzip:  1.30 kB
-ℹ dist/context-DblZrIwO.mjs            3.89 kB │ gzip:  1.00 kB
-ℹ dist/error-C7mY-p0f.mjs              3.19 kB │ gzip:  1.30 kB
-ℹ dist/utils-s65Fz0OM.mjs              1.22 kB │ gzip:  0.61 kB
+ℹ dist/context-BBNwughv.mjs            4.87 kB │ gzip:  1.40 kB
+ℹ dist/error-GNtLPYaS.mjs              3.19 kB │ gzip:  1.30 kB
+ℹ dist/utils-puAL36Bz.mjs              1.58 kB │ gzip:  0.76 kB
 ℹ dist/error/index.d.mts               6.11 kB │ gzip:  1.50 kB
-ℹ dist/social-providers/index.d.mts    3.88 kB │ gzip:  1.19 kB
+ℹ dist/social-providers/index.d.mts    3.89 kB │ gzip:  1.20 kB
 ℹ dist/context/index.d.mts             3.02 kB │ gzip:  0.96 kB
+ℹ dist/utils/index.d.mts               1.55 kB │ gzip:  0.70 kB
 ℹ dist/db/adapter/index.d.mts          1.34 kB │ gzip:  0.43 kB
-ℹ dist/utils/index.d.mts               1.24 kB │ gzip:  0.56 kB
-ℹ dist/index.d.mts                     0.92 kB │ gzip:  0.35 kB
+ℹ dist/index.d.mts                     1.09 kB │ gzip:  0.39 kB
 ℹ dist/oauth2/index.d.mts              0.88 kB │ gzip:  0.32 kB
 ℹ dist/db/index.d.mts                  0.81 kB │ gzip:  0.34 kB
 ℹ dist/env/index.d.mts                 0.59 kB │ gzip:  0.30 kB
 ℹ dist/api/index.d.mts                 0.26 kB │ gzip:  0.14 kB
 ℹ dist/async_hooks/index.d.mts         0.24 kB │ gzip:  0.16 kB
 ℹ dist/async_hooks/pure.index.d.mts    0.22 kB │ gzip:  0.16 kB
-ℹ dist/index-BpRqx5_q.d.mts          221.64 kB │ gzip: 35.40 kB
+ℹ dist/index-B5x_W0dM.d.mts          228.92 kB │ gzip: 36.28 kB
 ℹ dist/index-BRBu0-5h.d.mts            3.31 kB │ gzip:  1.11 kB
-ℹ 32 files, total: 406.80 kB
-✔ Build complete in 4834ms
+ℹ 32 files, total: 415.92 kB
+✔ Build complete in 5286ms

package/LICENSE.md

@@ -1,17 +1,20 @@
 The MIT License (MIT)
 Copyright (c) 2024 - present, Bereket Engida
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software
-and associated documentation files (the "Software"), to deal in the Software without restriction,
-including without limitation the rights to use, copy, modify, merge, publish, distribute,
-sublicense, and/or sell copies of the Software, and to permit persons to whom the Software
-is furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or
-substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
-BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.

package/dist/api/index.d.mts

@@ -1,2 +1,2 @@
-import { a as optionsMiddleware, i as createAuthMiddleware, n as AuthMiddleware, r as createAuthEndpoint, t as AuthEndpoint } from "../index-BpRqx5_q.mjs";
+import { a as optionsMiddleware, i as createAuthMiddleware, n as AuthMiddleware, r as createAuthEndpoint, t as AuthEndpoint } from "../index-B5x_W0dM.mjs";
 export { AuthEndpoint, AuthMiddleware, createAuthEndpoint, createAuthMiddleware, optionsMiddleware };

package/dist/api/index.mjs

@@ -1,4 +1,4 @@
-import { f as runWithEndpointContext } from "../context-DblZrIwO.mjs";
+import { f as runWithEndpointContext } from "../context-BBNwughv.mjs";
 import { createEndpoint, createMiddleware } from "better-call";
 
 //#region src/api/index.ts

package/dist/context/index.d.mts

@@ -1,4 +1,4 @@
-import { Yn as DBAdapter, er as DBTransactionAdapter, f as AuthContext } from "../index-BpRqx5_q.mjs";
+import { Qn as DBAdapter, f as AuthContext, rr as DBTransactionAdapter } from "../index-B5x_W0dM.mjs";
 import { AsyncLocalStorage } from "@better-auth/core/async_hooks";
 import { EndpointContext, InputContext } from "better-call";
 

package/dist/context/index.mjs

@@ -1,3 +1,3 @@
-import { a as defineRequestState, c as hasRequestState, d as getCurrentAuthContextAsyncLocalStorage, f as runWithEndpointContext, i as runWithTransaction, l as runWithRequestState, n as getCurrentDBAdapterAsyncLocalStorage, o as getCurrentRequestState, r as runWithAdapter, s as getRequestStateAsyncLocalStorage, t as getCurrentAdapter, u as getCurrentAuthContext } from "../context-DblZrIwO.mjs";
+import { a as defineRequestState, c as hasRequestState, d as getCurrentAuthContextAsyncLocalStorage, f as runWithEndpointContext, i as runWithTransaction, l as runWithRequestState, n as getCurrentDBAdapterAsyncLocalStorage, o as getCurrentRequestState, r as runWithAdapter, s as getRequestStateAsyncLocalStorage, t as getCurrentAdapter, u as getCurrentAuthContext } from "../context-BBNwughv.mjs";
 
 export { defineRequestState, getCurrentAdapter, getCurrentAuthContext, getCurrentAuthContextAsyncLocalStorage, getCurrentDBAdapterAsyncLocalStorage, getCurrentRequestState, getRequestStateAsyncLocalStorage, hasRequestState, runWithAdapter, runWithEndpointContext, runWithRequestState, runWithTransaction };

package/dist/{context-DblZrIwO.mjs → context-BBNwughv.mjs}

@@ -110,5 +110,24 @@ const runWithTransaction = async (adapter, fn) => {
 	});
 };
 
+//#endregion
+//#region src/context/index.ts
+const glo = typeof globalThis !== "undefined" ? globalThis : typeof window !== "undefined" ? window : typeof global !== "undefined" ? global : {};
+const importIdentifier = "__ $BETTER_AUTH$ __";
+if (glo[importIdentifier] === true)
+ /**
+* Dear reader of this message. Please take this seriously.
+*
+* If you see this message, make sure that you only import one version of Better Auth. In many cases,
+* your package manager installs two versions of Better Auth that are used by different packages within your project.
+*
+* This often leads to issues that are hard to debug. We often need to ensure async local storage instance,
+* If you imported different versions of Better Auth, it is impossible for us to
+* do status synchronization per request anymore - which might break the states.
+*
+*/
+console.error("Better Auth was already imported. This breaks async local storage instance and will lead to issues!");
+glo[importIdentifier] = true;
+
 //#endregion
 export { defineRequestState as a, hasRequestState as c, getCurrentAuthContextAsyncLocalStorage as d, runWithEndpointContext as f, runWithTransaction as i, runWithRequestState as l, getCurrentDBAdapterAsyncLocalStorage as n, getCurrentRequestState as o, runWithAdapter as r, getRequestStateAsyncLocalStorage as s, getCurrentAdapter as t, getCurrentAuthContext as u };

package/dist/db/adapter/index.d.mts

@@ -1,2 +1,2 @@
-import { $n as DBAdapterSchemaCreation, Cr as initGetFieldName, Er as initGetDefaultFieldName, Jn as CustomAdapter, Qn as DBAdapterInstance, Sr as initGetIdField, Tr as initGetDefaultModelName, Xn as DBAdapterDebugLogOption, Yn as DBAdapter, Zn as DBAdapterFactoryConfig, ar as withApplyDefault, cr as createAdapterFactory, dr as AdapterFactoryCustomizeAdapterCreator, er as DBTransactionAdapter, fr as AdapterFactoryOptions, hr as CreateCustomAdapter, ir as deepmerge, lr as AdapterConfig, mr as CreateAdapterOptions, nr as JoinOption, or as AdapterFactory, pr as AdapterTestDebugLogs, qn as CleanedWhere, rr as Where, sr as createAdapter, tr as JoinConfig, ur as AdapterFactoryConfig, wr as initGetFieldAttributes, xr as initGetModelName } from "../../index-BpRqx5_q.mjs";
+import { $n as DBAdapterDebugLogOption, Dr as initGetFieldAttributes, Er as initGetFieldName, Or as initGetDefaultModelName, Qn as DBAdapter, Tr as initGetIdField, Xn as CleanedWhere, Zn as CustomAdapter, _r as CreateAdapterOptions, ar as JoinOption, cr as withApplyDefault, dr as createAdapterFactory, er as DBAdapterFactoryConfig, fr as AdapterConfig, gr as AdapterTestDebugLogs, hr as AdapterFactoryOptions, ir as JoinConfig, kr as initGetDefaultFieldName, lr as AdapterFactory, mr as AdapterFactoryCustomizeAdapterCreator, nr as DBAdapterSchemaCreation, or as Where, pr as AdapterFactoryConfig, rr as DBTransactionAdapter, sr as deepmerge, tr as DBAdapterInstance, ur as createAdapter, vr as CreateCustomAdapter, wr as initGetModelName } from "../../index-B5x_W0dM.mjs";
 export { AdapterConfig, AdapterFactory, AdapterFactoryConfig, AdapterFactoryCustomizeAdapterCreator, AdapterFactoryOptions, AdapterTestDebugLogs, CleanedWhere, CreateAdapterOptions, CreateCustomAdapter, CustomAdapter, DBAdapter, DBAdapterDebugLogOption, DBAdapterFactoryConfig, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, JoinConfig, JoinOption, Where, createAdapter, createAdapterFactory, deepmerge, initGetDefaultFieldName, initGetDefaultModelName, initGetFieldAttributes, initGetFieldName, initGetIdField, initGetModelName, withApplyDefault };

package/dist/db/adapter/index.mjs

@@ -1,7 +1,7 @@
 import { t as getAuthTables } from "../../get-tables-CMc_Emww.mjs";
 import { i as logger, n as createLogger, o as getColorDepth, t as TTY_COLORS } from "../../env-DbssmzoK.mjs";
-import { n as safeJSONParse, r as generateId } from "../../utils-s65Fz0OM.mjs";
-import { n as BetterAuthError } from "../../error-C7mY-p0f.mjs";
+import { n as safeJSONParse, r as generateId } from "../../utils-puAL36Bz.mjs";
+import { n as BetterAuthError } from "../../error-GNtLPYaS.mjs";
 
 //#region src/db/adapter/get-default-model-name.ts
 const initGetDefaultModelName = ({ usePlural, schema }) => {

package/dist/db/index.d.mts

@@ -1,2 +1,2 @@
-import { Ar as userSchema, Br as BaseModelNames, Dr as Verification, Fr as rateLimitSchema, Gr as DBPrimitive, Hr as DBFieldAttribute, Ir as Account, Kr as ModelNames, Lr as accountSchema, Mr as Session, Nr as sessionSchema, Or as verificationSchema, Pr as RateLimit, Rr as BetterAuthPluginDBSchema, Ur as DBFieldAttributeConfig, Vr as BetterAuthDBSchema, Wr as DBFieldType, jr as coreSchema, kr as User, qr as SecondaryStorage, zr as getAuthTables } from "../index-BpRqx5_q.mjs";
+import { Ar as Verification, Br as accountSchema, Fr as Session, Gr as DBFieldAttribute, Hr as getAuthTables, Ir as sessionSchema, Jr as DBPrimitive, Kr as DBFieldAttributeConfig, Lr as RateLimit, Mr as User, Nr as userSchema, Pr as coreSchema, Rr as rateLimitSchema, Ur as BaseModelNames, Vr as BetterAuthPluginDBSchema, Wr as BetterAuthDBSchema, Xr as SecondaryStorage, Yr as ModelNames, jr as verificationSchema, qr as DBFieldType, zr as Account } from "../index-B5x_W0dM.mjs";
 export { Account, BaseModelNames, BetterAuthDBSchema, BetterAuthPluginDBSchema, DBFieldAttribute, DBFieldAttributeConfig, DBFieldType, DBPrimitive, ModelNames, RateLimit, SecondaryStorage, Session, User, Verification, accountSchema, coreSchema, getAuthTables, rateLimitSchema, sessionSchema, userSchema, verificationSchema };

package/dist/error/index.mjs

@@ -1,5 +1,5 @@
 import "../env-DbssmzoK.mjs";
-import "../utils-s65Fz0OM.mjs";
-import { n as BetterAuthError, r as BASE_ERROR_CODES, t as APIError } from "../error-C7mY-p0f.mjs";
+import "../utils-puAL36Bz.mjs";
+import { n as BetterAuthError, r as BASE_ERROR_CODES, t as APIError } from "../error-GNtLPYaS.mjs";
 
 export { APIError, BASE_ERROR_CODES, BetterAuthError };

package/dist/{error-C7mY-p0f.mjs → error-GNtLPYaS.mjs}

@@ -1,4 +1,4 @@
-import { i as defineErrorCodes } from "./utils-s65Fz0OM.mjs";
+import { i as defineErrorCodes } from "./utils-puAL36Bz.mjs";
 import { APIError } from "better-call/error";
 
 //#region src/error/codes.ts

package/dist/{index-BpRqx5_q.d.mts → index-B5x_W0dM.d.mts}

@@ -6415,17 +6415,32 @@ type BetterAuthAdvancedOptions = {
    */
   useSecureCookies?: boolean | undefined;
   /**
-   * Disable trusted origins check
+   * Disable all CSRF protection.
+   *
+   * When enabled, this disables:
+   * - Origin header validation when cookies are present
+   * - Fetch Metadata checks (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest)
+   * - Cross-site navigation blocking for first-login scenarios
    *
    * ⚠︎ This is a security risk and it may expose your application to
    * CSRF attacks
+   *
+   * @default false
    */
   disableCSRFCheck?: boolean | undefined;
   /**
-   * Disable origin check
+   * Disable URL validation against trustedOrigins.
+   *
+   * When enabled, this disables validation of:
+   * - callbackURL
+   * - redirectTo
+   * - errorCallbackURL
+   * - newUserCallbackURL
    *
-   * ⚠︎ This may allow requests from any origin to be processed by
-   * Better Auth. And could lead to security vulnerabilities.
+   * ⚠︎ This may allow open redirects and could lead to security
+   * vulnerabilities.
+   *
+   * @default false
    */
   disableOriginCheck?: boolean | undefined;
   /**
@@ -6709,8 +6724,15 @@ type BetterAuthOptions = {
      * A function that is called when a user verifies their email
      * @param user the user that verified their email
      * @param request the request object
+     * @deprecated Use `beforeEmailVerification` or `afterEmailVerification` instead. This will be removed in 1.5
      */
     onEmailVerification?: (user: User, request?: Request) => Promise<void>;
+    /**
+     * A function that is called before a user verifies their email
+     * @param user the user that verified their email
+     * @param request the request object
+     */
+    beforeEmailVerification?: (user: User, request?: Request) => Promise<void>;
     /**
      * A function that is called when a user's email is updated to verified
      * @param user the user that verified their email
@@ -7199,8 +7221,20 @@ type BetterAuthOptions = {
    *
    * Trusted origins will be dynamically
    * calculated based on the request.
+   *
+   * @example
+   * ```ts
+   * trustedOrigins: async (request) => {
+   *   return [
+   *    "https://better-auth.com",
+   *    "https://*.better-auth.com",
+   *    request.headers.get("x-custom-origin")
+   *   ];
+   * }
+   * ```
+   * @returns An array of trusted origins.
    */
-  trustedOrigins?: (string[] | ((request?: Request | undefined) => Awaitable<string[]>)) | undefined;
+  trustedOrigins?: (string[] | ((request?: Request | undefined) => Awaitable<(string | undefined | null)[]>)) | undefined;
   /**
    * Rate limiting configuration
    */
@@ -7515,6 +7549,22 @@ type BetterAuthOptions = {
 };
 //#endregion
 //#region src/types/context.d.ts
+/**
+ * Mutators are defined in each plugin
+ *
+ * @example
+ * ```ts
+ * declare module "@better-auth/core" {
+ *  interface BetterAuthPluginRegistry<Auth, Context> {
+ *    'jwt': {
+ *      creator: typeof jwt
+ *    }
+ *  }
+ * }
+ * ```
+ */
+interface BetterAuthPluginRegistry<Auth, Context> {}
+type BetterAuthPluginRegistryIdentifier = keyof BetterAuthPluginRegistry<unknown, unknown>;
 type GenericEndpointContext<Options extends BetterAuthOptions = BetterAuthOptions> = EndpointContext<string, any> & {
   context: AuthContext<Options>;
 };
@@ -7577,7 +7627,24 @@ type CreateCookieGetterFn = (cookieName: string, overrideAttributes?: Partial<Co
   attributes: CookieOptions;
 };
 type CheckPasswordFn<Options extends BetterAuthOptions = BetterAuthOptions> = (userId: string, ctx: GenericEndpointContext<Options>) => Promise<boolean>;
-type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> = {
+type PluginContext = {
+  getPlugin: <ID extends BetterAuthPluginRegistryIdentifier | LiteralString>(pluginId: ID) => (ID extends BetterAuthPluginRegistryIdentifier ? ReturnType<BetterAuthPluginRegistry<unknown, unknown>[ID]["creator"]> : BetterAuthPlugin) | null;
+  /**
+   * Checks if a plugin is enabled by its ID.
+   *
+   * @param pluginId - The ID of the plugin to check
+   * @returns `true` if the plugin is enabled, `false` otherwise
+   *
+   * @example
+   * ```ts
+   * if (ctx.context.hasPlugin("organization")) {
+   *   // organization plugin is enabled
+   * }
+   * ```
+   */
+  hasPlugin: <ID extends BetterAuthPluginRegistryIdentifier | LiteralString>(pluginId: ID) => boolean;
+};
+type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> = PluginContext & {
   options: Options;
   appName: string;
   baseURL: string;
@@ -7815,13 +7882,167 @@ interface BetterAuthClientPlugin {
 //#region src/api/index.d.ts
 declare const optionsMiddleware: <InputCtx extends better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>>(inputContext: InputCtx) => Promise<AuthContext>;
 declare const createAuthMiddleware: {
-  <Options extends better_call0.MiddlewareOptions, R>(options: Options, handler: (ctx: better_call0.MiddlewareContext<Options, AuthContext & {
+  <Options extends better_call0.MiddlewareOptions, R>(options: Options, handler: (ctx: better_call0.MiddlewareContext<Options, {
     returned?: unknown | undefined;
     responseHeaders?: Headers | undefined;
+  } & PluginContext & {
+    options: BetterAuthOptions;
+    appName: string;
+    baseURL: string;
+    trustedOrigins: string[];
+    isTrustedOrigin: (url: string, settings?: {
+      allowRelativePaths: boolean;
+    }) => boolean;
+    oauthConfig: {
+      skipStateCookieCheck?: boolean | undefined;
+      storeStateStrategy: "database" | "cookie";
+    };
+    newSession: {
+      session: Session & Record<string, any>;
+      user: User & Record<string, any>;
+    } | null;
+    session: {
+      session: Session & Record<string, any>;
+      user: User & Record<string, any>;
+    } | null;
+    setNewSession: (session: {
+      session: Session & Record<string, any>;
+      user: User & Record<string, any>;
+    } | null) => void;
+    socialProviders: OAuthProvider[];
+    authCookies: BetterAuthCookies;
+    logger: ReturnType<typeof createLogger>;
+    rateLimit: {
+      enabled: boolean;
+      window: number;
+      max: number;
+      storage: "memory" | "database" | "secondary-storage";
+    } & BetterAuthRateLimitOptions;
+    adapter: DBAdapter<BetterAuthOptions>;
+    internalAdapter: InternalAdapter<BetterAuthOptions>;
+    createAuthCookie: (cookieName: string, overrideAttributes?: Partial<better_call0.CookieOptions> | undefined) => {
+      name: string;
+      attributes: better_call0.CookieOptions;
+    };
+    secret: string;
+    sessionConfig: {
+      updateAge: number;
+      expiresIn: number;
+      freshAge: number;
+      cookieRefreshCache: false | {
+        enabled: true;
+        updateAge: number;
+      };
+    };
+    generateId: (options: {
+      model: ModelNames;
+      size?: number | undefined;
+    }) => string | false;
+    secondaryStorage: SecondaryStorage | undefined;
+    password: {
+      hash: (password: string) => Promise<string>;
+      verify: (data: {
+        password: string;
+        hash: string;
+      }) => Promise<boolean>;
+      config: {
+        minPasswordLength: number;
+        maxPasswordLength: number;
+      };
+      checkPassword: (userId: string, ctx: GenericEndpointContext<BetterAuthOptions>) => Promise<boolean>;
+    };
+    tables: BetterAuthDBSchema;
+    runMigrations: () => Promise<void>;
+    publishTelemetry: (event: {
+      type: string;
+      anonymousId?: string | undefined;
+      payload: Record<string, any>;
+    }) => Promise<void>;
+    skipOriginCheck: boolean;
+    skipCSRFCheck: boolean;
+    runInBackground: (promise: Promise<void>) => void;
+    runInBackgroundOrAwait: (promise: Promise<unknown> | Promise<void> | void | unknown) => Promise<unknown>;
   }>) => Promise<R>): (inputContext: better_call0.MiddlewareInputContext<Options>) => Promise<R>;
-  <Options extends better_call0.MiddlewareOptions, R_1>(handler: (ctx: better_call0.MiddlewareContext<Options, AuthContext & {
+  <Options extends better_call0.MiddlewareOptions, R_1>(handler: (ctx: better_call0.MiddlewareContext<Options, {
     returned?: unknown | undefined;
     responseHeaders?: Headers | undefined;
+  } & PluginContext & {
+    options: BetterAuthOptions;
+    appName: string;
+    baseURL: string;
+    trustedOrigins: string[];
+    isTrustedOrigin: (url: string, settings?: {
+      allowRelativePaths: boolean;
+    }) => boolean;
+    oauthConfig: {
+      skipStateCookieCheck?: boolean | undefined;
+      storeStateStrategy: "database" | "cookie";
+    };
+    newSession: {
+      session: Session & Record<string, any>;
+      user: User & Record<string, any>;
+    } | null;
+    session: {
+      session: Session & Record<string, any>;
+      user: User & Record<string, any>;
+    } | null;
+    setNewSession: (session: {
+      session: Session & Record<string, any>;
+      user: User & Record<string, any>;
+    } | null) => void;
+    socialProviders: OAuthProvider[];
+    authCookies: BetterAuthCookies;
+    logger: ReturnType<typeof createLogger>;
+    rateLimit: {
+      enabled: boolean;
+      window: number;
+      max: number;
+      storage: "memory" | "database" | "secondary-storage";
+    } & BetterAuthRateLimitOptions;
+    adapter: DBAdapter<BetterAuthOptions>;
+    internalAdapter: InternalAdapter<BetterAuthOptions>;
+    createAuthCookie: (cookieName: string, overrideAttributes?: Partial<better_call0.CookieOptions> | undefined) => {
+      name: string;
+      attributes: better_call0.CookieOptions;
+    };
+    secret: string;
+    sessionConfig: {
+      updateAge: number;
+      expiresIn: number;
+      freshAge: number;
+      cookieRefreshCache: false | {
+        enabled: true;
+        updateAge: number;
+      };
+    };
+    generateId: (options: {
+      model: ModelNames;
+      size?: number | undefined;
+    }) => string | false;
+    secondaryStorage: SecondaryStorage | undefined;
+    password: {
+      hash: (password: string) => Promise<string>;
+      verify: (data: {
+        password: string;
+        hash: string;
+      }) => Promise<boolean>;
+      config: {
+        minPasswordLength: number;
+        maxPasswordLength: number;
+      };
+      checkPassword: (userId: string, ctx: GenericEndpointContext<BetterAuthOptions>) => Promise<boolean>;
+    };
+    tables: BetterAuthDBSchema;
+    runMigrations: () => Promise<void>;
+    publishTelemetry: (event: {
+      type: string;
+      anonymousId?: string | undefined;
+      payload: Record<string, any>;
+    }) => Promise<void>;
+    skipOriginCheck: boolean;
+    skipCSRFCheck: boolean;
+    runInBackground: (promise: Promise<void>) => void;
+    runInBackgroundOrAwait: (promise: Promise<unknown> | Promise<void> | void | unknown) => Promise<unknown>;
   }>) => Promise<R_1>): (inputContext: better_call0.MiddlewareInputContext<Options>) => Promise<R_1>;
 };
 type EndpointHandler<Path extends string, Options extends EndpointOptions, R> = (context: EndpointContext<Path, Options, AuthContext>) => Promise<R>;
@@ -7830,4 +8051,4 @@ declare function createAuthEndpoint<Path extends string, Options extends Endpoin
 type AuthEndpoint<Path extends string, Opts extends EndpointOptions, R> = ReturnType<typeof createAuthEndpoint<Path, Opts, R>>;
 type AuthMiddleware = ReturnType<typeof createAuthMiddleware>;
 //#endregion
-export { AccountStatus as $, DBAdapterSchemaCreation as $n, GoogleProfile as $t, PolarOptions as A, getJwks as An, userSchema as Ar, linear as At, LineIdTokenPayload as B, createAuthorizationURL as Bn, BaseModelNames as Br, TwitchOptions as Bt, SocialProviderListEnum as C, atlassian as Cn, initGetFieldName as Cr, gitlab as Ct, VercelOptions as D, apple as Dn, Verification as Dr, LinearOptions as Dt, socialProviders as E, AppleProfile as En, initGetDefaultFieldName as Er, linkedin as Et, PayPalTokenResponse as F, validateToken as Fn, rateLimitSchema as Fr, DropboxProfile as Ft, NaverProfile as G, OAuthProvider as Gn, DBPrimitive as Gr, spotify as Gt, LineUserInfo as H, createClientCredentialsTokenRequest as Hn, DBFieldAttribute as Hr, twitch as Ht, paypal as I, generateCodeChallenge as In, Account as Ir, dropbox as It, KakaoProfile as J, CustomAdapter as Jn, slack as Jt, naver as K, ProviderOptions as Kn, ModelNames as Kr, SlackOptions as Kt, PaybinOptions as L, getOAuth2Tokens as Ln, accountSchema as Lr, TwitterOption as Lt, polar as M, verifyJwsAccessToken as Mn, Session as Mr, KickProfile as Mt, PayPalOptions as N, createAuthorizationCodeRequest as Nn, sessionSchema as Nr, kick as Nt, VercelProfile as O, getApplePublicKey as On, verificationSchema as Or, LinearProfile as Ot, PayPalProfile as P, validateAuthorizationCode as Pn, RateLimit as Pr, DropboxOptions as Pt, notion as Q, DBAdapterInstance as Qn, GoogleOptions as Qt, PaybinProfile as R, createRefreshAccessTokenRequest as Rn, BetterAuthPluginDBSchema as Rr, TwitterProfile as Rt, SocialProviderList as S, AtlassianProfile as Sn, initGetIdField as Sr, GitlabProfile as St, socialProviderList as T, AppleOptions as Tn, initGetDefaultModelName as Tr, LinkedInProfile as Tt, line as U, OAuth2Tokens as Un, DBFieldAttributeConfig as Ur, SpotifyOptions as Ut, LineOptions as V, clientCredentialsToken as Vn, BetterAuthDBSchema as Vr, TwitchProfile as Vt, NaverOptions as W, OAuth2UserInfo as Wn, DBFieldType as Wr, SpotifyProfile as Wt, NotionOptions as X, DBAdapterDebugLogOption as Xn, HuggingFaceProfile as Xt, kakao as Y, DBAdapter as Yn, HuggingFaceOptions as Yt, NotionProfile as Z, DBAdapterFactoryConfig as Zn, huggingface as Zt, BetterAuthRateLimitOptions as _, CognitoOptions as _n, LiteralString as _r, reddit as _t, optionsMiddleware as a, GithubOptions as an, withApplyDefault as ar, zoom as at, HookEndpointContext as b, getCognitoPublicKey as bn, Primitive as br, tiktok as bt, BetterAuthClientPlugin as c, FigmaOptions as cn, createAdapterFactory as cr, vk as ct, ClientStore as d, FacebookOptions as dn, AdapterFactoryCustomizeAdapterCreator as dr, salesforce as dt, getGooglePublicKey as en, DBTransactionAdapter as er, LoginType as et, AuthContext as f, FacebookProfile as fn, AdapterFactoryOptions as fr, RobloxOptions as ft, BetterAuthOptions as g, discord as gn, Awaitable as gr, RedditProfile as gt, BetterAuthAdvancedOptions as h, DiscordProfile as hn, CreateCustomAdapter as hr, RedditOptions as ht, createAuthMiddleware as i, microsoft as in, deepmerge as ir, ZoomProfile as it, PolarProfile as j, verifyAccessToken as jn, coreSchema as jr, KickOptions as jt, vercel as k, BetterAuthCookies as kn, User as kr, LinearUser as kt, ClientAtomListener as l, FigmaProfile as ln, AdapterConfig as lr, SalesforceOptions as lt, InternalAdapter as m, DiscordOptions as mn, CreateAdapterOptions as mr, roblox as mt, AuthMiddleware as n, MicrosoftEntraIDProfile as nn, JoinOption as nr, PronounOption as nt, StandardSchemaV1$1 as o, GithubProfile as on, AdapterFactory as or, VkOption as ot, GenericEndpointContext as p, facebook as pn, AdapterTestDebugLogs as pr, RobloxProfile as pt, KakaoOptions as q, CleanedWhere as qn, SecondaryStorage as qr, SlackProfile as qt, createAuthEndpoint as r, MicrosoftOptions as rn, Where as rr, ZoomOptions as rt, BetterAuthClientOptions as s, github as sn, createAdapter as sr, VkProfile as st, AuthEndpoint as t, google as tn, JoinConfig as tr, PhoneNumber as tt, ClientFetchOption as u, figma as un, AdapterFactoryConfig as ur, SalesforceProfile as ut, GenerateIdFn as v, CognitoProfile as vn, LiteralUnion as vr, TiktokOptions as vt, SocialProviders as w, AppleNonConformUser as wn, initGetFieldAttributes as wr, LinkedInOptions as wt, SocialProvider as x, AtlassianOptions as xn, initGetModelName as xr, GitlabOptions as xt, BetterAuthPlugin as y, cognito as yn, Prettify as yr, TiktokProfile as yt, paybin as z, refreshAccessToken as zn, getAuthTables as zr, twitter as zt };
+export { NotionOptions as $, DBAdapterDebugLogOption as $n, HuggingFaceProfile as $t, VercelOptions as A, apple as An, Verification as Ar, LinearOptions as At, PaybinOptions as B, getOAuth2Tokens as Bn, accountSchema as Br, TwitterOption as Bt, HookEndpointContext as C, getCognitoPublicKey as Cn, Primitive as Cr, tiktok as Ct, SocialProviders as D, AppleNonConformUser as Dn, initGetFieldAttributes as Dr, LinkedInOptions as Dt, SocialProviderListEnum as E, atlassian as En, initGetFieldName as Er, gitlab as Et, polar as F, verifyJwsAccessToken as Fn, Session as Fr, KickProfile as Ft, LineUserInfo as G, createClientCredentialsTokenRequest as Gn, DBFieldAttribute as Gr, twitch as Gt, paybin as H, refreshAccessToken as Hn, getAuthTables as Hr, twitter as Ht, PayPalOptions as I, createAuthorizationCodeRequest as In, sessionSchema as Ir, kick as It, NaverProfile as J, OAuthProvider as Jn, DBPrimitive as Jr, spotify as Jt, line as K, OAuth2Tokens as Kn, DBFieldAttributeConfig as Kr, SpotifyOptions as Kt, PayPalProfile as L, validateAuthorizationCode as Ln, RateLimit as Lr, DropboxOptions as Lt, vercel as M, BetterAuthCookies as Mn, User as Mr, LinearUser as Mt, PolarOptions as N, getJwks as Nn, userSchema as Nr, linear as Nt, socialProviderList as O, AppleOptions as On, initGetDefaultModelName as Or, LinkedInProfile as Ot, PolarProfile as P, verifyAccessToken as Pn, coreSchema as Pr, KickOptions as Pt, kakao as Q, DBAdapter as Qn, HuggingFaceOptions as Qt, PayPalTokenResponse as R, validateToken as Rn, rateLimitSchema as Rr, DropboxProfile as Rt, BetterAuthPlugin as S, cognito as Sn, Prettify as Sr, TiktokProfile as St, SocialProviderList as T, AtlassianProfile as Tn, initGetIdField as Tr, GitlabProfile as Tt, LineIdTokenPayload as U, createAuthorizationURL as Un, BaseModelNames as Ur, TwitchOptions as Ut, PaybinProfile as V, createRefreshAccessTokenRequest as Vn, BetterAuthPluginDBSchema as Vr, TwitterProfile as Vt, LineOptions as W, clientCredentialsToken as Wn, BetterAuthDBSchema as Wr, TwitchProfile as Wt, KakaoOptions as X, CleanedWhere as Xn, SecondaryStorage as Xr, SlackProfile as Xt, naver as Y, ProviderOptions as Yn, ModelNames as Yr, SlackOptions as Yt, KakaoProfile as Z, CustomAdapter as Zn, slack as Zt, PluginContext as _, DiscordOptions as _n, CreateAdapterOptions as _r, roblox as _t, optionsMiddleware as a, MicrosoftEntraIDProfile as an, JoinOption as ar, PronounOption as at, BetterAuthRateLimitOptions as b, CognitoOptions as bn, LiteralString as br, reddit as bt, BetterAuthClientPlugin as c, GithubOptions as cn, withApplyDefault as cr, zoom as ct, ClientStore as d, FigmaOptions as dn, createAdapterFactory as dr, vk as dt, huggingface as en, DBAdapterFactoryConfig as er, NotionProfile as et, AuthContext as f, FigmaProfile as fn, AdapterConfig as fr, SalesforceOptions as ft, InternalAdapter as g, facebook as gn, AdapterTestDebugLogs as gr, RobloxProfile as gt, GenericEndpointContext as h, FacebookProfile as hn, AdapterFactoryOptions as hr, RobloxOptions as ht, createAuthMiddleware as i, google as in, JoinConfig as ir, PhoneNumber as it, VercelProfile as j, getApplePublicKey as jn, verificationSchema as jr, LinearProfile as jt, socialProviders as k, AppleProfile as kn, initGetDefaultFieldName as kr, linkedin as kt, ClientAtomListener as l, GithubProfile as ln, AdapterFactory as lr, VkOption as lt, BetterAuthPluginRegistryIdentifier as m, FacebookOptions as mn, AdapterFactoryCustomizeAdapterCreator as mr, salesforce as mt, AuthMiddleware as n, GoogleProfile as nn, DBAdapterSchemaCreation as nr, AccountStatus as nt, StandardSchemaV1$1 as o, MicrosoftOptions as on, Where as or, ZoomOptions as ot, BetterAuthPluginRegistry as p, figma as pn, AdapterFactoryConfig as pr, SalesforceProfile as pt, NaverOptions as q, OAuth2UserInfo as qn, DBFieldType as qr, SpotifyProfile as qt, createAuthEndpoint as r, getGooglePublicKey as rn, DBTransactionAdapter as rr, LoginType as rt, BetterAuthClientOptions as s, microsoft as sn, deepmerge as sr, ZoomProfile as st, AuthEndpoint as t, GoogleOptions as tn, DBAdapterInstance as tr, notion as tt, ClientFetchOption as u, github as un, createAdapter as ur, VkProfile as ut, BetterAuthAdvancedOptions as v, DiscordProfile as vn, CreateCustomAdapter as vr, RedditOptions as vt, SocialProvider as w, AtlassianOptions as wn, initGetModelName as wr, GitlabOptions as wt, GenerateIdFn as x, CognitoProfile as xn, LiteralUnion as xr, TiktokOptions as xt, BetterAuthOptions as y, discord as yn, Awaitable as yr, RedditProfile as yt, paypal as z, generateCodeChallenge as zn, Account as zr, dropbox as zt };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { _ as BetterAuthRateLimitOptions, _r as LiteralString, b as HookEndpointContext, br as Primitive, c as BetterAuthClientPlugin, d as ClientStore, f as AuthContext, g as BetterAuthOptions, gr as Awaitable, h as BetterAuthAdvancedOptions, kn as BetterAuthCookies, l as ClientAtomListener, m as InternalAdapter, o as StandardSchemaV1, p as GenericEndpointContext, s as BetterAuthClientOptions, u as ClientFetchOption, v as GenerateIdFn, vr as LiteralUnion, y as BetterAuthPlugin, yr as Prettify } from "./index-BpRqx5_q.mjs";
-export { AuthContext, Awaitable, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientFetchOption, ClientStore, GenerateIdFn, GenericEndpointContext, HookEndpointContext, InternalAdapter, LiteralString, LiteralUnion, Prettify, Primitive, StandardSchemaV1 };
+import { C as HookEndpointContext, Cr as Primitive, Mn as BetterAuthCookies, S as BetterAuthPlugin, Sr as Prettify, _ as PluginContext, b as BetterAuthRateLimitOptions, br as LiteralString, c as BetterAuthClientPlugin, d as ClientStore, f as AuthContext, g as InternalAdapter, h as GenericEndpointContext, l as ClientAtomListener, m as BetterAuthPluginRegistryIdentifier, o as StandardSchemaV1, p as BetterAuthPluginRegistry, s as BetterAuthClientOptions, u as ClientFetchOption, v as BetterAuthAdvancedOptions, x as GenerateIdFn, xr as LiteralUnion, y as BetterAuthOptions, yr as Awaitable } from "./index-B5x_W0dM.mjs";
+export { AuthContext, Awaitable, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthPluginRegistry, BetterAuthPluginRegistryIdentifier, BetterAuthRateLimitOptions, ClientAtomListener, ClientFetchOption, ClientStore, GenerateIdFn, GenericEndpointContext, HookEndpointContext, InternalAdapter, LiteralString, LiteralUnion, PluginContext, Prettify, Primitive, StandardSchemaV1 };

package/dist/oauth2/index.d.mts

@@ -1,2 +1,2 @@
-import { An as getJwks, Bn as createAuthorizationURL, Fn as validateToken, Gn as OAuthProvider, Hn as createClientCredentialsTokenRequest, In as generateCodeChallenge, Kn as ProviderOptions, Ln as getOAuth2Tokens, Mn as verifyJwsAccessToken, Nn as createAuthorizationCodeRequest, Pn as validateAuthorizationCode, Rn as createRefreshAccessTokenRequest, Un as OAuth2Tokens, Vn as clientCredentialsToken, Wn as OAuth2UserInfo, jn as verifyAccessToken, zn as refreshAccessToken } from "../index-BpRqx5_q.mjs";
+import { Bn as getOAuth2Tokens, Fn as verifyJwsAccessToken, Gn as createClientCredentialsTokenRequest, Hn as refreshAccessToken, In as createAuthorizationCodeRequest, Jn as OAuthProvider, Kn as OAuth2Tokens, Ln as validateAuthorizationCode, Nn as getJwks, Pn as verifyAccessToken, Rn as validateToken, Un as createAuthorizationURL, Vn as createRefreshAccessTokenRequest, Wn as clientCredentialsToken, Yn as ProviderOptions, qn as OAuth2UserInfo, zn as generateCodeChallenge } from "../index-B5x_W0dM.mjs";
 export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/social-providers/index.d.mts

@@ -1,2 +1,2 @@
-import { $ as AccountStatus, $t as GoogleProfile, A as PolarOptions, At as linear, B as LineIdTokenPayload, Bt as TwitchOptions, C as SocialProviderListEnum, Cn as atlassian, Ct as gitlab, D as VercelOptions, Dn as apple, Dt as LinearOptions, E as socialProviders, En as AppleProfile, Et as linkedin, F as PayPalTokenResponse, Ft as DropboxProfile, G as NaverProfile, Gt as spotify, H as LineUserInfo, Ht as twitch, I as paypal, It as dropbox, J as KakaoProfile, Jt as slack, K as naver, Kt as SlackOptions, L as PaybinOptions, Lt as TwitterOption, M as polar, Mt as KickProfile, N as PayPalOptions, Nt as kick, O as VercelProfile, On as getApplePublicKey, Ot as LinearProfile, P as PayPalProfile, Pt as DropboxOptions, Q as notion, Qt as GoogleOptions, R as PaybinProfile, Rt as TwitterProfile, S as SocialProviderList, Sn as AtlassianProfile, St as GitlabProfile, T as socialProviderList, Tn as AppleOptions, Tt as LinkedInProfile, U as line, Ut as SpotifyOptions, V as LineOptions, Vt as TwitchProfile, W as NaverOptions, Wt as SpotifyProfile, X as NotionOptions, Xt as HuggingFaceProfile, Y as kakao, Yt as HuggingFaceOptions, Z as NotionProfile, Zt as huggingface, _n as CognitoOptions, _t as reddit, an as GithubOptions, at as zoom, bn as getCognitoPublicKey, bt as tiktok, cn as FigmaOptions, ct as vk, dn as FacebookOptions, dt as salesforce, en as getGooglePublicKey, et as LoginType, fn as FacebookProfile, ft as RobloxOptions, gn as discord, gt as RedditProfile, hn as DiscordProfile, ht as RedditOptions, in as microsoft, it as ZoomProfile, j as PolarProfile, jt as KickOptions, k as vercel, kt as LinearUser, ln as FigmaProfile, lt as SalesforceOptions, mn as DiscordOptions, mt as roblox, nn as MicrosoftEntraIDProfile, nt as PronounOption, on as GithubProfile, ot as VkOption, pn as facebook, pt as RobloxProfile, q as KakaoOptions, qt as SlackProfile, rn as MicrosoftOptions, rt as ZoomOptions, sn as github, st as VkProfile, tn as google, tt as PhoneNumber, un as figma, ut as SalesforceProfile, vn as CognitoProfile, vt as TiktokOptions, w as SocialProviders, wn as AppleNonConformUser, wt as LinkedInOptions, x as SocialProvider, xn as AtlassianOptions, xt as GitlabOptions, yn as cognito, yt as TiktokProfile, z as paybin, zt as twitter } from "../index-BpRqx5_q.mjs";
+import { $ as NotionOptions, $t as HuggingFaceProfile, A as VercelOptions, An as apple, At as LinearOptions, B as PaybinOptions, Bt as TwitterOption, Cn as getCognitoPublicKey, Ct as tiktok, D as SocialProviders, Dn as AppleNonConformUser, Dt as LinkedInOptions, E as SocialProviderListEnum, En as atlassian, Et as gitlab, F as polar, Ft as KickProfile, G as LineUserInfo, Gt as twitch, H as paybin, Ht as twitter, I as PayPalOptions, It as kick, J as NaverProfile, Jt as spotify, K as line, Kt as SpotifyOptions, L as PayPalProfile, Lt as DropboxOptions, M as vercel, Mt as LinearUser, N as PolarOptions, Nt as linear, O as socialProviderList, On as AppleOptions, Ot as LinkedInProfile, P as PolarProfile, Pt as KickOptions, Q as kakao, Qt as HuggingFaceOptions, R as PayPalTokenResponse, Rt as DropboxProfile, Sn as cognito, St as TiktokProfile, T as SocialProviderList, Tn as AtlassianProfile, Tt as GitlabProfile, U as LineIdTokenPayload, Ut as TwitchOptions, V as PaybinProfile, Vt as TwitterProfile, W as LineOptions, Wt as TwitchProfile, X as KakaoOptions, Xt as SlackProfile, Y as naver, Yt as SlackOptions, Z as KakaoProfile, Zt as slack, _n as DiscordOptions, _t as roblox, an as MicrosoftEntraIDProfile, at as PronounOption, bn as CognitoOptions, bt as reddit, cn as GithubOptions, ct as zoom, dn as FigmaOptions, dt as vk, en as huggingface, et as NotionProfile, fn as FigmaProfile, ft as SalesforceOptions, gn as facebook, gt as RobloxProfile, hn as FacebookProfile, ht as RobloxOptions, in as google, it as PhoneNumber, j as VercelProfile, jn as getApplePublicKey, jt as LinearProfile, k as socialProviders, kn as AppleProfile, kt as linkedin, ln as GithubProfile, lt as VkOption, mn as FacebookOptions, mt as salesforce, nn as GoogleProfile, nt as AccountStatus, on as MicrosoftOptions, ot as ZoomOptions, pn as figma, pt as SalesforceProfile, q as NaverOptions, qt as SpotifyProfile, rn as getGooglePublicKey, rt as LoginType, sn as microsoft, st as ZoomProfile, tn as GoogleOptions, tt as notion, un as github, ut as VkProfile, vn as DiscordProfile, vt as RedditOptions, w as SocialProvider, wn as AtlassianOptions, wt as GitlabOptions, xn as CognitoProfile, xt as TiktokOptions, yn as discord, yt as RedditProfile, z as paypal, zt as dropbox } from "../index-B5x_W0dM.mjs";
 export { AccountStatus, AppleNonConformUser, AppleOptions, AppleProfile, AtlassianOptions, AtlassianProfile, CognitoOptions, CognitoProfile, DiscordOptions, DiscordProfile, DropboxOptions, DropboxProfile, FacebookOptions, FacebookProfile, FigmaOptions, FigmaProfile, GithubOptions, GithubProfile, GitlabOptions, GitlabProfile, GoogleOptions, GoogleProfile, HuggingFaceOptions, HuggingFaceProfile, KakaoOptions, KakaoProfile, KickOptions, KickProfile, LineIdTokenPayload, LineOptions, LineUserInfo, LinearOptions, LinearProfile, LinearUser, LinkedInOptions, LinkedInProfile, LoginType, MicrosoftEntraIDProfile, MicrosoftOptions, NaverOptions, NaverProfile, NotionOptions, NotionProfile, PayPalOptions, PayPalProfile, PayPalTokenResponse, PaybinOptions, PaybinProfile, PhoneNumber, PolarOptions, PolarProfile, PronounOption, RedditOptions, RedditProfile, RobloxOptions, RobloxProfile, SalesforceOptions, SalesforceProfile, SlackOptions, SlackProfile, SocialProvider, SocialProviderList, SocialProviderListEnum, SocialProviders, SpotifyOptions, SpotifyProfile, TiktokOptions, TiktokProfile, TwitchOptions, TwitchProfile, TwitterOption, TwitterProfile, VercelOptions, VercelProfile, VkOption, VkProfile, ZoomOptions, ZoomProfile, apple, atlassian, cognito, discord, dropbox, facebook, figma, getApplePublicKey, getCognitoPublicKey, getGooglePublicKey, github, gitlab, google, huggingface, kakao, kick, line, linear, linkedin, microsoft, naver, notion, paybin, paypal, polar, reddit, roblox, salesforce, slack, socialProviderList, socialProviders, spotify, tiktok, twitch, twitter, vercel, vk, zoom };

package/dist/social-providers/index.mjs

@@ -1,6 +1,6 @@
 import { i as logger } from "../env-DbssmzoK.mjs";
-import "../utils-s65Fz0OM.mjs";
-import { n as BetterAuthError, t as APIError } from "../error-C7mY-p0f.mjs";
+import "../utils-puAL36Bz.mjs";
+import { n as BetterAuthError, t as APIError } from "../error-GNtLPYaS.mjs";
 import { a as validateAuthorizationCode, c as refreshAccessToken, d as getOAuth2Tokens, l as createAuthorizationURL, u as generateCodeChallenge } from "../oauth2-BjWM15hm.mjs";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";

package/dist/utils/index.d.mts

@@ -1,3 +1,12 @@
+import { t as InternalLogger } from "../index-BRBu0-5h.mjs";
+
+//#region src/utils/deprecate.d.ts
+
+/**
+ * Wraps a function to log a deprecation warning at once.
+ */
+declare function deprecate<T extends (...args: any[]) => any>(fn: T, message: string, logger?: InternalLogger): T;
+//#endregion
 //#region src/utils/error-codes.d.ts
 type UpperLetter = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" | "S" | "T" | "U" | "V" | "W" | "X" | "Y" | "Z";
 type SpecialCharacter = "_";
@@ -18,4 +27,4 @@ declare function safeJSONParse<T>(data: unknown): T | null;
 //#region src/utils/string.d.ts
 declare function capitalizeFirstLetter(str: string): string;
 //#endregion
-export { capitalizeFirstLetter, defineErrorCodes, generateId, safeJSONParse };
+export { capitalizeFirstLetter, defineErrorCodes, deprecate, generateId, safeJSONParse };

package/dist/utils/index.mjs

@@ -1,4 +1,4 @@
 import "../env-DbssmzoK.mjs";
-import { i as defineErrorCodes, n as safeJSONParse, r as generateId, t as capitalizeFirstLetter } from "../utils-s65Fz0OM.mjs";
+import { a as deprecate, i as defineErrorCodes, n as safeJSONParse, r as generateId, t as capitalizeFirstLetter } from "../utils-puAL36Bz.mjs";
 
-export { capitalizeFirstLetter, defineErrorCodes, generateId, safeJSONParse };
+export { capitalizeFirstLetter, defineErrorCodes, deprecate, generateId, safeJSONParse };

package/dist/{utils-s65Fz0OM.mjs → utils-puAL36Bz.mjs}

@@ -1,6 +1,22 @@
 import { i as logger } from "./env-DbssmzoK.mjs";
 import { createRandomStringGenerator } from "@better-auth/utils/random";
 
+//#region src/utils/deprecate.ts
+/**
+* Wraps a function to log a deprecation warning at once.
+*/
+function deprecate(fn, message, logger$1) {
+	let warned = false;
+	return function(...args) {
+		if (!warned) {
+			(logger$1?.warn ?? console.warn)(`[Deprecation] ${message}`);
+			warned = true;
+		}
+		return fn.apply(this, args);
+	};
+}
+
+//#endregion
 //#region src/utils/error-codes.ts
 function defineErrorCodes(codes) {
 	return Object.fromEntries(Object.entries(codes).map(([key, value]) => [key, {
@@ -44,4 +60,4 @@ function capitalizeFirstLetter(str) {
 }
 
 //#endregion
-export { defineErrorCodes as i, safeJSONParse as n, generateId as r, capitalizeFirstLetter as t };
+export { deprecate as a, defineErrorCodes as i, safeJSONParse as n, generateId as r, capitalizeFirstLetter as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.5.0-beta.2",
+  "version": "1.5.0-beta.4",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "repository": {
@@ -114,7 +114,7 @@
   "devDependencies": {
     "@better-auth/utils": "0.3.0",
     "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.1.7",
+    "better-call": "1.1.8",
     "jose": "^6.1.0",
     "kysely": "^0.28.5",
     "nanostores": "^1.0.1",
@@ -127,7 +127,7 @@
   "peerDependencies": {
     "@better-auth/utils": "0.3.0",
     "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.1.7",
+    "better-call": "1.1.8",
     "jose": "^6.1.0",
     "kysely": "^0.28.5",
     "nanostores": "^1.0.1"
@@ -139,6 +139,6 @@
     "lint:types": "attw --profile esm-only --pack .",
     "typecheck": "tsc --project tsconfig.json",
     "test": "vitest",
-    "coverage": "vitest run --coverage"
+    "coverage": "vitest run --coverage --coverage.provider=istanbul"
   }
 }

package/src/context/index.ts

@@ -19,3 +19,32 @@ export {
 	runWithAdapter,
 	runWithTransaction,
 } from "./transaction";
+
+const glo: any =
+	typeof globalThis !== "undefined"
+		? globalThis
+		: typeof window !== "undefined"
+			? window
+			: typeof global !== "undefined"
+				? global
+				: {};
+
+const importIdentifier = "__ $BETTER_AUTH$ __";
+
+if (glo[importIdentifier] === true) {
+	/**
+	 * Dear reader of this message. Please take this seriously.
+	 *
+	 * If you see this message, make sure that you only import one version of Better Auth. In many cases,
+	 * your package manager installs two versions of Better Auth that are used by different packages within your project.
+	 *
+	 * This often leads to issues that are hard to debug. We often need to ensure async local storage instance,
+	 * If you imported different versions of Better Auth, it is impossible for us to
+	 * do status synchronization per request anymore - which might break the states.
+	 *
+	 */
+	console.error(
+		"Better Auth was already imported. This breaks async local storage instance and will lead to issues!",
+	);
+}
+glo[importIdentifier] = true;

package/src/types/context.ts

@@ -12,10 +12,33 @@ import type { DBAdapter, Where } from "../db/adapter";
 import type { createLogger } from "../env";
 import type { OAuthProvider } from "../oauth2";
 import type { BetterAuthCookies } from "./cookie";
+import type { LiteralString } from "./helper";
 import type {
 	BetterAuthOptions,
 	BetterAuthRateLimitOptions,
 } from "./init-options";
+import type { BetterAuthPlugin } from "./plugin";
+
+/**
+ * Mutators are defined in each plugin
+ *
+ * @example
+ * ```ts
+ * declare module "@better-auth/core" {
+ *  interface BetterAuthPluginRegistry<Auth, Context> {
+ *    'jwt': {
+ *      creator: typeof jwt
+ *    }
+ *  }
+ * }
+ * ```
+ */
+// biome-ignore lint/correctness/noUnusedVariables: Auth and Context is used in the declaration merging
+export interface BetterAuthPluginRegistry<Auth, Context> {}
+export type BetterAuthPluginRegistryIdentifier = keyof BetterAuthPluginRegistry<
+	unknown,
+	unknown
+>;
 
 export type GenericEndpointContext<
 	Options extends BetterAuthOptions = BetterAuthOptions,
@@ -159,8 +182,34 @@ type CheckPasswordFn<Options extends BetterAuthOptions = BetterAuthOptions> = (
 	ctx: GenericEndpointContext<Options>,
 ) => Promise<boolean>;
 
+export type PluginContext = {
+	getPlugin: <ID extends BetterAuthPluginRegistryIdentifier | LiteralString>(
+		pluginId: ID,
+	) =>
+		| (ID extends BetterAuthPluginRegistryIdentifier
+				? ReturnType<BetterAuthPluginRegistry<unknown, unknown>[ID]["creator"]>
+				: BetterAuthPlugin)
+		| null;
+	/**
+	 * Checks if a plugin is enabled by its ID.
+	 *
+	 * @param pluginId - The ID of the plugin to check
+	 * @returns `true` if the plugin is enabled, `false` otherwise
+	 *
+	 * @example
+	 * ```ts
+	 * if (ctx.context.hasPlugin("organization")) {
+	 *   // organization plugin is enabled
+	 * }
+	 * ```
+	 */
+	hasPlugin: <ID extends BetterAuthPluginRegistryIdentifier | LiteralString>(
+		pluginId: ID,
+	) => boolean;
+};
+
 export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
-	{
+	PluginContext & {
 		options: Options;
 		appName: string;
 		baseURL: string;

package/src/types/index.ts

@@ -1,8 +1,11 @@
 export type { StandardSchemaV1 } from "@standard-schema/spec";
 export type {
 	AuthContext,
+	BetterAuthPluginRegistry,
+	BetterAuthPluginRegistryIdentifier,
 	GenericEndpointContext,
 	InternalAdapter,
+	PluginContext,
 } from "./context";
 export type { BetterAuthCookies } from "./cookie";
 export type * from "./helper";

package/src/types/init-options.ts

@@ -151,17 +151,32 @@ export type BetterAuthAdvancedOptions = {
 	 */
 	useSecureCookies?: boolean | undefined;
 	/**
-	 * Disable trusted origins check
+	 * Disable all CSRF protection.
+	 *
+	 * When enabled, this disables:
+	 * - Origin header validation when cookies are present
+	 * - Fetch Metadata checks (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest)
+	 * - Cross-site navigation blocking for first-login scenarios
 	 *
 	 * ⚠︎ This is a security risk and it may expose your application to
 	 * CSRF attacks
+	 *
+	 * @default false
 	 */
 	disableCSRFCheck?: boolean | undefined;
 	/**
-	 * Disable origin check
+	 * Disable URL validation against trustedOrigins.
+	 *
+	 * When enabled, this disables validation of:
+	 * - callbackURL
+	 * - redirectTo
+	 * - errorCallbackURL
+	 * - newUserCallbackURL
+	 *
+	 * ⚠︎ This may allow open redirects and could lead to security
+	 * vulnerabilities.
 	 *
-	 * ⚠︎ This may allow requests from any origin to be processed by
-	 * Better Auth. And could lead to security vulnerabilities.
+	 * @default false
 	 */
 	disableOriginCheck?: boolean | undefined;
 	/**
@@ -478,8 +493,18 @@ export type BetterAuthOptions = {
 				 * A function that is called when a user verifies their email
 				 * @param user the user that verified their email
 				 * @param request the request object
+				 * @deprecated Use `beforeEmailVerification` or `afterEmailVerification` instead. This will be removed in 1.5
 				 */
 				onEmailVerification?: (user: User, request?: Request) => Promise<void>;
+				/**
+				 * A function that is called before a user verifies their email
+				 * @param user the user that verified their email
+				 * @param request the request object
+				 */
+				beforeEmailVerification?: (
+					user: User,
+					request?: Request,
+				) => Promise<void>;
 				/**
 				 * A function that is called when a user's email is updated to verified
 				 * @param user the user that verified their email
@@ -1002,9 +1027,26 @@ export type BetterAuthOptions = {
 	 *
 	 * Trusted origins will be dynamically
 	 * calculated based on the request.
+	 *
+	 * @example
+	 * ```ts
+	 * trustedOrigins: async (request) => {
+	 *   return [
+	 *    "https://better-auth.com",
+	 *    "https://*.better-auth.com",
+	 *    request.headers.get("x-custom-origin")
+	 *   ];
+	 * }
+	 * ```
+	 * @returns An array of trusted origins.
 	 */
 	trustedOrigins?:
-		| (string[] | ((request?: Request | undefined) => Awaitable<string[]>))
+		| (
+				| string[]
+				| ((
+						request?: Request | undefined,
+				  ) => Awaitable<(string | undefined | null)[]>)
+		  )
 		| undefined;
 	/**
 	 * Rate limiting configuration

package/src/utils/deprecate.test.ts

@@ -0,0 +1,72 @@
+import { describe, expect, it, vi } from "vitest";
+import { deprecate } from "./deprecate";
+
+describe("deprecate", () => {
+	it("should warn once when called multiple times", () => {
+		const warn = vi.fn();
+		const logger = { warn } as any;
+		const fn = vi.fn();
+		const deprecatedFn = deprecate(fn, "test message", logger);
+
+		deprecatedFn();
+		deprecatedFn();
+		deprecatedFn();
+
+		expect(warn).toHaveBeenCalledTimes(1);
+		expect(warn).toHaveBeenCalledWith("[Deprecation] test message");
+		expect(fn).toHaveBeenCalledTimes(3);
+	});
+
+	it("should use provided logger if available", () => {
+		const warn = vi.fn();
+		const logger = { warn } as any;
+		const fn = vi.fn();
+		const deprecatedFn = deprecate(fn, "test message", logger);
+
+		deprecatedFn();
+
+		expect(warn).toHaveBeenCalledWith("[Deprecation] test message");
+	});
+
+	it("should fall back to console.warn if no logger provided", () => {
+		const consoleWarn = vi.spyOn(console, "warn").mockImplementation(() => {});
+		const fn = vi.fn();
+		const deprecatedFn = deprecate(fn, "test message");
+
+		deprecatedFn();
+
+		expect(consoleWarn).toHaveBeenCalledWith("[Deprecation] test message");
+		consoleWarn.mockRestore();
+	});
+
+	it("should pass arguments and return value correctly", () => {
+		const fn = vi.fn((a: number, b: number) => a + b);
+		const deprecatedFn = deprecate(fn, "test message", {
+			warn: vi.fn(),
+		} as any);
+
+		const result = deprecatedFn(1, 2);
+
+		expect(result).toBe(3);
+		expect(fn).toHaveBeenCalledWith(1, 2);
+	});
+
+	it("should preserve this context", () => {
+		class TestClass {
+			value = 10;
+			method(a: number) {
+				return this.value + a;
+			}
+		}
+
+		const instance = new TestClass();
+		const originalMethod = instance.method;
+		instance.method = deprecate(originalMethod, "test message", {
+			warn: vi.fn(),
+		} as any);
+
+		const result = instance.method(5);
+
+		expect(result).toBe(15);
+	});
+});

package/src/utils/deprecate.ts

@@ -0,0 +1,21 @@
+import type { InternalLogger } from "../env";
+
+/**
+ * Wraps a function to log a deprecation warning at once.
+ */
+export function deprecate<T extends (...args: any[]) => any>(
+	fn: T,
+	message: string,
+	logger?: InternalLogger,
+): T {
+	let warned = false;
+
+	return function (this: any, ...args: Parameters<T>): ReturnType<T> {
+		if (!warned) {
+			const warn = logger?.warn ?? console.warn;
+			warn(`[Deprecation] ${message}`);
+			warned = true;
+		}
+		return fn.apply(this, args);
+	} as T;
+}

package/src/utils/index.ts

@@ -1,3 +1,4 @@
+export { deprecate } from "./deprecate";
 export { defineErrorCodes } from "./error-codes";
 export { generateId } from "./id";
 export { safeJSONParse } from "./json";