@better-auth/core 1.5.0-beta.3 → 1.5.0-beta.4

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/core@1.5.0-beta.3 build /home/runner/work/better-auth/better-auth/packages/core
+> @better-auth/core@1.5.0-beta.4 build /home/runner/work/better-auth/better-auth/packages/core
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -37,7 +37,7 @@
 ℹ dist/api/index.d.mts                 0.26 kB │ gzip:  0.14 kB
 ℹ dist/async_hooks/index.d.mts         0.24 kB │ gzip:  0.16 kB
 ℹ dist/async_hooks/pure.index.d.mts    0.22 kB │ gzip:  0.16 kB
-ℹ dist/index-CGr4Qrv8.d.mts          228.51 kB │ gzip: 36.16 kB
+ℹ dist/index-B5x_W0dM.d.mts          228.92 kB │ gzip: 36.28 kB
 ℹ dist/index-BRBu0-5h.d.mts            3.31 kB │ gzip:  1.11 kB
-ℹ 32 files, total: 415.51 kB
-✔ Build complete in 5246ms
+ℹ 32 files, total: 415.92 kB
+✔ Build complete in 5286ms

package/dist/api/index.d.mts

@@ -1,2 +1,2 @@
-import { a as optionsMiddleware, i as createAuthMiddleware, n as AuthMiddleware, r as createAuthEndpoint, t as AuthEndpoint } from "../index-CGr4Qrv8.mjs";
+import { a as optionsMiddleware, i as createAuthMiddleware, n as AuthMiddleware, r as createAuthEndpoint, t as AuthEndpoint } from "../index-B5x_W0dM.mjs";
 export { AuthEndpoint, AuthMiddleware, createAuthEndpoint, createAuthMiddleware, optionsMiddleware };

package/dist/context/index.d.mts

@@ -1,4 +1,4 @@
-import { Qn as DBAdapter, f as AuthContext, rr as DBTransactionAdapter } from "../index-CGr4Qrv8.mjs";
+import { Qn as DBAdapter, f as AuthContext, rr as DBTransactionAdapter } from "../index-B5x_W0dM.mjs";
 import { AsyncLocalStorage } from "@better-auth/core/async_hooks";
 import { EndpointContext, InputContext } from "better-call";
 

package/dist/db/adapter/index.d.mts

@@ -1,2 +1,2 @@
-import { $n as DBAdapterDebugLogOption, Dr as initGetFieldAttributes, Er as initGetFieldName, Or as initGetDefaultModelName, Qn as DBAdapter, Tr as initGetIdField, Xn as CleanedWhere, Zn as CustomAdapter, _r as CreateAdapterOptions, ar as JoinOption, cr as withApplyDefault, dr as createAdapterFactory, er as DBAdapterFactoryConfig, fr as AdapterConfig, gr as AdapterTestDebugLogs, hr as AdapterFactoryOptions, ir as JoinConfig, kr as initGetDefaultFieldName, lr as AdapterFactory, mr as AdapterFactoryCustomizeAdapterCreator, nr as DBAdapterSchemaCreation, or as Where, pr as AdapterFactoryConfig, rr as DBTransactionAdapter, sr as deepmerge, tr as DBAdapterInstance, ur as createAdapter, vr as CreateCustomAdapter, wr as initGetModelName } from "../../index-CGr4Qrv8.mjs";
+import { $n as DBAdapterDebugLogOption, Dr as initGetFieldAttributes, Er as initGetFieldName, Or as initGetDefaultModelName, Qn as DBAdapter, Tr as initGetIdField, Xn as CleanedWhere, Zn as CustomAdapter, _r as CreateAdapterOptions, ar as JoinOption, cr as withApplyDefault, dr as createAdapterFactory, er as DBAdapterFactoryConfig, fr as AdapterConfig, gr as AdapterTestDebugLogs, hr as AdapterFactoryOptions, ir as JoinConfig, kr as initGetDefaultFieldName, lr as AdapterFactory, mr as AdapterFactoryCustomizeAdapterCreator, nr as DBAdapterSchemaCreation, or as Where, pr as AdapterFactoryConfig, rr as DBTransactionAdapter, sr as deepmerge, tr as DBAdapterInstance, ur as createAdapter, vr as CreateCustomAdapter, wr as initGetModelName } from "../../index-B5x_W0dM.mjs";
 export { AdapterConfig, AdapterFactory, AdapterFactoryConfig, AdapterFactoryCustomizeAdapterCreator, AdapterFactoryOptions, AdapterTestDebugLogs, CleanedWhere, CreateAdapterOptions, CreateCustomAdapter, CustomAdapter, DBAdapter, DBAdapterDebugLogOption, DBAdapterFactoryConfig, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, JoinConfig, JoinOption, Where, createAdapter, createAdapterFactory, deepmerge, initGetDefaultFieldName, initGetDefaultModelName, initGetFieldAttributes, initGetFieldName, initGetIdField, initGetModelName, withApplyDefault };

package/dist/db/index.d.mts

@@ -1,2 +1,2 @@
-import { Ar as Verification, Br as accountSchema, Fr as Session, Gr as DBFieldAttribute, Hr as getAuthTables, Ir as sessionSchema, Jr as DBPrimitive, Kr as DBFieldAttributeConfig, Lr as RateLimit, Mr as User, Nr as userSchema, Pr as coreSchema, Rr as rateLimitSchema, Ur as BaseModelNames, Vr as BetterAuthPluginDBSchema, Wr as BetterAuthDBSchema, Xr as SecondaryStorage, Yr as ModelNames, jr as verificationSchema, qr as DBFieldType, zr as Account } from "../index-CGr4Qrv8.mjs";
+import { Ar as Verification, Br as accountSchema, Fr as Session, Gr as DBFieldAttribute, Hr as getAuthTables, Ir as sessionSchema, Jr as DBPrimitive, Kr as DBFieldAttributeConfig, Lr as RateLimit, Mr as User, Nr as userSchema, Pr as coreSchema, Rr as rateLimitSchema, Ur as BaseModelNames, Vr as BetterAuthPluginDBSchema, Wr as BetterAuthDBSchema, Xr as SecondaryStorage, Yr as ModelNames, jr as verificationSchema, qr as DBFieldType, zr as Account } from "../index-B5x_W0dM.mjs";
 export { Account, BaseModelNames, BetterAuthDBSchema, BetterAuthPluginDBSchema, DBFieldAttribute, DBFieldAttributeConfig, DBFieldType, DBPrimitive, ModelNames, RateLimit, SecondaryStorage, Session, User, Verification, accountSchema, coreSchema, getAuthTables, rateLimitSchema, sessionSchema, userSchema, verificationSchema };

package/dist/{index-CGr4Qrv8.d.mts → index-B5x_W0dM.d.mts}

@@ -6415,17 +6415,32 @@ type BetterAuthAdvancedOptions = {
    */
   useSecureCookies?: boolean | undefined;
   /**
-   * Disable trusted origins check
+   * Disable all CSRF protection.
+   *
+   * When enabled, this disables:
+   * - Origin header validation when cookies are present
+   * - Fetch Metadata checks (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest)
+   * - Cross-site navigation blocking for first-login scenarios
    *
    * ⚠︎ This is a security risk and it may expose your application to
    * CSRF attacks
+   *
+   * @default false
    */
   disableCSRFCheck?: boolean | undefined;
   /**
-   * Disable origin check
+   * Disable URL validation against trustedOrigins.
    *
-   * ⚠︎ This may allow requests from any origin to be processed by
-   * Better Auth. And could lead to security vulnerabilities.
+   * When enabled, this disables validation of:
+   * - callbackURL
+   * - redirectTo
+   * - errorCallbackURL
+   * - newUserCallbackURL
+   *
+   * ⚠︎ This may allow open redirects and could lead to security
+   * vulnerabilities.
+   *
+   * @default false
    */
   disableOriginCheck?: boolean | undefined;
   /**

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { C as HookEndpointContext, Cr as Primitive, Mn as BetterAuthCookies, S as BetterAuthPlugin, Sr as Prettify, _ as PluginContext, b as BetterAuthRateLimitOptions, br as LiteralString, c as BetterAuthClientPlugin, d as ClientStore, f as AuthContext, g as InternalAdapter, h as GenericEndpointContext, l as ClientAtomListener, m as BetterAuthPluginRegistryIdentifier, o as StandardSchemaV1, p as BetterAuthPluginRegistry, s as BetterAuthClientOptions, u as ClientFetchOption, v as BetterAuthAdvancedOptions, x as GenerateIdFn, xr as LiteralUnion, y as BetterAuthOptions, yr as Awaitable } from "./index-CGr4Qrv8.mjs";
+import { C as HookEndpointContext, Cr as Primitive, Mn as BetterAuthCookies, S as BetterAuthPlugin, Sr as Prettify, _ as PluginContext, b as BetterAuthRateLimitOptions, br as LiteralString, c as BetterAuthClientPlugin, d as ClientStore, f as AuthContext, g as InternalAdapter, h as GenericEndpointContext, l as ClientAtomListener, m as BetterAuthPluginRegistryIdentifier, o as StandardSchemaV1, p as BetterAuthPluginRegistry, s as BetterAuthClientOptions, u as ClientFetchOption, v as BetterAuthAdvancedOptions, x as GenerateIdFn, xr as LiteralUnion, y as BetterAuthOptions, yr as Awaitable } from "./index-B5x_W0dM.mjs";
 export { AuthContext, Awaitable, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthPluginRegistry, BetterAuthPluginRegistryIdentifier, BetterAuthRateLimitOptions, ClientAtomListener, ClientFetchOption, ClientStore, GenerateIdFn, GenericEndpointContext, HookEndpointContext, InternalAdapter, LiteralString, LiteralUnion, PluginContext, Prettify, Primitive, StandardSchemaV1 };

package/dist/oauth2/index.d.mts

@@ -1,2 +1,2 @@
-import { Bn as getOAuth2Tokens, Fn as verifyJwsAccessToken, Gn as createClientCredentialsTokenRequest, Hn as refreshAccessToken, In as createAuthorizationCodeRequest, Jn as OAuthProvider, Kn as OAuth2Tokens, Ln as validateAuthorizationCode, Nn as getJwks, Pn as verifyAccessToken, Rn as validateToken, Un as createAuthorizationURL, Vn as createRefreshAccessTokenRequest, Wn as clientCredentialsToken, Yn as ProviderOptions, qn as OAuth2UserInfo, zn as generateCodeChallenge } from "../index-CGr4Qrv8.mjs";
+import { Bn as getOAuth2Tokens, Fn as verifyJwsAccessToken, Gn as createClientCredentialsTokenRequest, Hn as refreshAccessToken, In as createAuthorizationCodeRequest, Jn as OAuthProvider, Kn as OAuth2Tokens, Ln as validateAuthorizationCode, Nn as getJwks, Pn as verifyAccessToken, Rn as validateToken, Un as createAuthorizationURL, Vn as createRefreshAccessTokenRequest, Wn as clientCredentialsToken, Yn as ProviderOptions, qn as OAuth2UserInfo, zn as generateCodeChallenge } from "../index-B5x_W0dM.mjs";
 export { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions, clientCredentialsToken, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/social-providers/index.d.mts

@@ -1,2 +1,2 @@
-import { $ as NotionOptions, $t as HuggingFaceProfile, A as VercelOptions, An as apple, At as LinearOptions, B as PaybinOptions, Bt as TwitterOption, Cn as getCognitoPublicKey, Ct as tiktok, D as SocialProviders, Dn as AppleNonConformUser, Dt as LinkedInOptions, E as SocialProviderListEnum, En as atlassian, Et as gitlab, F as polar, Ft as KickProfile, G as LineUserInfo, Gt as twitch, H as paybin, Ht as twitter, I as PayPalOptions, It as kick, J as NaverProfile, Jt as spotify, K as line, Kt as SpotifyOptions, L as PayPalProfile, Lt as DropboxOptions, M as vercel, Mt as LinearUser, N as PolarOptions, Nt as linear, O as socialProviderList, On as AppleOptions, Ot as LinkedInProfile, P as PolarProfile, Pt as KickOptions, Q as kakao, Qt as HuggingFaceOptions, R as PayPalTokenResponse, Rt as DropboxProfile, Sn as cognito, St as TiktokProfile, T as SocialProviderList, Tn as AtlassianProfile, Tt as GitlabProfile, U as LineIdTokenPayload, Ut as TwitchOptions, V as PaybinProfile, Vt as TwitterProfile, W as LineOptions, Wt as TwitchProfile, X as KakaoOptions, Xt as SlackProfile, Y as naver, Yt as SlackOptions, Z as KakaoProfile, Zt as slack, _n as DiscordOptions, _t as roblox, an as MicrosoftEntraIDProfile, at as PronounOption, bn as CognitoOptions, bt as reddit, cn as GithubOptions, ct as zoom, dn as FigmaOptions, dt as vk, en as huggingface, et as NotionProfile, fn as FigmaProfile, ft as SalesforceOptions, gn as facebook, gt as RobloxProfile, hn as FacebookProfile, ht as RobloxOptions, in as google, it as PhoneNumber, j as VercelProfile, jn as getApplePublicKey, jt as LinearProfile, k as socialProviders, kn as AppleProfile, kt as linkedin, ln as GithubProfile, lt as VkOption, mn as FacebookOptions, mt as salesforce, nn as GoogleProfile, nt as AccountStatus, on as MicrosoftOptions, ot as ZoomOptions, pn as figma, pt as SalesforceProfile, q as NaverOptions, qt as SpotifyProfile, rn as getGooglePublicKey, rt as LoginType, sn as microsoft, st as ZoomProfile, tn as GoogleOptions, tt as notion, un as github, ut as VkProfile, vn as DiscordProfile, vt as RedditOptions, w as SocialProvider, wn as AtlassianOptions, wt as GitlabOptions, xn as CognitoProfile, xt as TiktokOptions, yn as discord, yt as RedditProfile, z as paypal, zt as dropbox } from "../index-CGr4Qrv8.mjs";
+import { $ as NotionOptions, $t as HuggingFaceProfile, A as VercelOptions, An as apple, At as LinearOptions, B as PaybinOptions, Bt as TwitterOption, Cn as getCognitoPublicKey, Ct as tiktok, D as SocialProviders, Dn as AppleNonConformUser, Dt as LinkedInOptions, E as SocialProviderListEnum, En as atlassian, Et as gitlab, F as polar, Ft as KickProfile, G as LineUserInfo, Gt as twitch, H as paybin, Ht as twitter, I as PayPalOptions, It as kick, J as NaverProfile, Jt as spotify, K as line, Kt as SpotifyOptions, L as PayPalProfile, Lt as DropboxOptions, M as vercel, Mt as LinearUser, N as PolarOptions, Nt as linear, O as socialProviderList, On as AppleOptions, Ot as LinkedInProfile, P as PolarProfile, Pt as KickOptions, Q as kakao, Qt as HuggingFaceOptions, R as PayPalTokenResponse, Rt as DropboxProfile, Sn as cognito, St as TiktokProfile, T as SocialProviderList, Tn as AtlassianProfile, Tt as GitlabProfile, U as LineIdTokenPayload, Ut as TwitchOptions, V as PaybinProfile, Vt as TwitterProfile, W as LineOptions, Wt as TwitchProfile, X as KakaoOptions, Xt as SlackProfile, Y as naver, Yt as SlackOptions, Z as KakaoProfile, Zt as slack, _n as DiscordOptions, _t as roblox, an as MicrosoftEntraIDProfile, at as PronounOption, bn as CognitoOptions, bt as reddit, cn as GithubOptions, ct as zoom, dn as FigmaOptions, dt as vk, en as huggingface, et as NotionProfile, fn as FigmaProfile, ft as SalesforceOptions, gn as facebook, gt as RobloxProfile, hn as FacebookProfile, ht as RobloxOptions, in as google, it as PhoneNumber, j as VercelProfile, jn as getApplePublicKey, jt as LinearProfile, k as socialProviders, kn as AppleProfile, kt as linkedin, ln as GithubProfile, lt as VkOption, mn as FacebookOptions, mt as salesforce, nn as GoogleProfile, nt as AccountStatus, on as MicrosoftOptions, ot as ZoomOptions, pn as figma, pt as SalesforceProfile, q as NaverOptions, qt as SpotifyProfile, rn as getGooglePublicKey, rt as LoginType, sn as microsoft, st as ZoomProfile, tn as GoogleOptions, tt as notion, un as github, ut as VkProfile, vn as DiscordProfile, vt as RedditOptions, w as SocialProvider, wn as AtlassianOptions, wt as GitlabOptions, xn as CognitoProfile, xt as TiktokOptions, yn as discord, yt as RedditProfile, z as paypal, zt as dropbox } from "../index-B5x_W0dM.mjs";
 export { AccountStatus, AppleNonConformUser, AppleOptions, AppleProfile, AtlassianOptions, AtlassianProfile, CognitoOptions, CognitoProfile, DiscordOptions, DiscordProfile, DropboxOptions, DropboxProfile, FacebookOptions, FacebookProfile, FigmaOptions, FigmaProfile, GithubOptions, GithubProfile, GitlabOptions, GitlabProfile, GoogleOptions, GoogleProfile, HuggingFaceOptions, HuggingFaceProfile, KakaoOptions, KakaoProfile, KickOptions, KickProfile, LineIdTokenPayload, LineOptions, LineUserInfo, LinearOptions, LinearProfile, LinearUser, LinkedInOptions, LinkedInProfile, LoginType, MicrosoftEntraIDProfile, MicrosoftOptions, NaverOptions, NaverProfile, NotionOptions, NotionProfile, PayPalOptions, PayPalProfile, PayPalTokenResponse, PaybinOptions, PaybinProfile, PhoneNumber, PolarOptions, PolarProfile, PronounOption, RedditOptions, RedditProfile, RobloxOptions, RobloxProfile, SalesforceOptions, SalesforceProfile, SlackOptions, SlackProfile, SocialProvider, SocialProviderList, SocialProviderListEnum, SocialProviders, SpotifyOptions, SpotifyProfile, TiktokOptions, TiktokProfile, TwitchOptions, TwitchProfile, TwitterOption, TwitterProfile, VercelOptions, VercelProfile, VkOption, VkProfile, ZoomOptions, ZoomProfile, apple, atlassian, cognito, discord, dropbox, facebook, figma, getApplePublicKey, getCognitoPublicKey, getGooglePublicKey, github, gitlab, google, huggingface, kakao, kick, line, linear, linkedin, microsoft, naver, notion, paybin, paypal, polar, reddit, roblox, salesforce, slack, socialProviderList, socialProviders, spotify, tiktok, twitch, twitter, vercel, vk, zoom };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.5.0-beta.3",
+  "version": "1.5.0-beta.4",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "repository": {
@@ -139,6 +139,6 @@
     "lint:types": "attw --profile esm-only --pack .",
     "typecheck": "tsc --project tsconfig.json",
     "test": "vitest",
-    "coverage": "vitest run --coverage"
+    "coverage": "vitest run --coverage --coverage.provider=istanbul"
   }
 }

package/src/types/init-options.ts

@@ -151,17 +151,32 @@ export type BetterAuthAdvancedOptions = {
 	 */
 	useSecureCookies?: boolean | undefined;
 	/**
-	 * Disable trusted origins check
+	 * Disable all CSRF protection.
+	 *
+	 * When enabled, this disables:
+	 * - Origin header validation when cookies are present
+	 * - Fetch Metadata checks (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest)
+	 * - Cross-site navigation blocking for first-login scenarios
 	 *
 	 * ⚠︎ This is a security risk and it may expose your application to
 	 * CSRF attacks
+	 *
+	 * @default false
 	 */
 	disableCSRFCheck?: boolean | undefined;
 	/**
-	 * Disable origin check
+	 * Disable URL validation against trustedOrigins.
 	 *
-	 * ⚠︎ This may allow requests from any origin to be processed by
-	 * Better Auth. And could lead to security vulnerabilities.
+	 * When enabled, this disables validation of:
+	 * - callbackURL
+	 * - redirectTo
+	 * - errorCallbackURL
+	 * - newUserCallbackURL
+	 *
+	 * ⚠︎ This may allow open redirects and could lead to security
+	 * vulnerabilities.
+	 *
+	 * @default false
 	 */
 	disableOriginCheck?: boolean | undefined;
 	/**