@better-auth/core 1.5.0-beta.5 → 1.5.0-beta.7

package/src/types/context.ts

@@ -11,7 +11,7 @@ import type {
 import type { DBAdapter, Where } from "../db/adapter";
 import type { createLogger } from "../env";
 import type { OAuthProvider } from "../oauth2";
-import type { BetterAuthCookies } from "./cookie";
+import type { BetterAuthCookie, BetterAuthCookies } from "./cookie";
 import type { LiteralString } from "./helper";
 import type {
 	BetterAuthOptions,
@@ -172,10 +172,7 @@ export interface InternalAdapter<
 type CreateCookieGetterFn = (
 	cookieName: string,
 	overrideAttributes?: Partial<CookieOptions> | undefined,
-) => {
-	name: string;
-	attributes: CookieOptions;
-};
+) => BetterAuthCookie;
 
 type CheckPasswordFn<Options extends BetterAuthOptions = BetterAuthOptions> = (
 	userId: string,
@@ -208,139 +205,148 @@ export type PluginContext = {
 	) => boolean;
 };
 
+export type InfoContext = {
+	appName: string;
+	baseURL: string;
+	version: string;
+};
+
 export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
-	PluginContext & {
-		options: Options;
-		appName: string;
-		baseURL: string;
-		trustedOrigins: string[];
-		/**
-		 * Verifies whether url is a trusted origin according to the "trustedOrigins" configuration
-		 * @param url The url to verify against the "trustedOrigins" configuration
-		 * @param settings Specify supported pattern matching settings
-		 * @returns {boolean} true if the URL matches the origin pattern, false otherwise.
-		 */
-		isTrustedOrigin: (
-			url: string,
-			settings?: { allowRelativePaths: boolean },
-		) => boolean;
-		oauthConfig: {
+	PluginContext &
+		InfoContext & {
+			options: Options;
+			trustedOrigins: string[];
 			/**
-			 * This is dangerous and should only be used in dev or staging environments.
+			 * Verifies whether url is a trusted origin according to the "trustedOrigins" configuration
+			 * @param url The url to verify against the "trustedOrigins" configuration
+			 * @param settings Specify supported pattern matching settings
+			 * @returns {boolean} true if the URL matches the origin pattern, false otherwise.
 			 */
-			skipStateCookieCheck?: boolean | undefined;
+			isTrustedOrigin: (
+				url: string,
+				settings?: { allowRelativePaths: boolean },
+			) => boolean;
+			oauthConfig: {
+				/**
+				 * This is dangerous and should only be used in dev or staging environments.
+				 */
+				skipStateCookieCheck?: boolean | undefined;
+				/**
+				 * Strategy for storing OAuth state
+				 *
+				 * - "cookie": Store state in an encrypted cookie (stateless)
+				 * - "database": Store state in the database
+				 *
+				 * @default "cookie"
+				 */
+				storeStateStrategy: "database" | "cookie";
+			};
 			/**
-			 * Strategy for storing OAuth state
-			 *
-			 * - "cookie": Store state in an encrypted cookie (stateless)
-			 * - "database": Store state in the database
-			 *
-			 * @default "cookie"
+			 * New session that will be set after the request
+			 * meaning: there is a `set-cookie` header that will set
+			 * the session cookie. This is the fetched session. And it's set
+			 * by `setNewSession` method.
 			 */
-			storeStateStrategy: "database" | "cookie";
-		};
-		/**
-		 * New session that will be set after the request
-		 * meaning: there is a `set-cookie` header that will set
-		 * the session cookie. This is the fetched session. And it's set
-		 * by `setNewSession` method.
-		 */
-		newSession: {
-			session: Session & Record<string, any>;
-			user: User & Record<string, any>;
-		} | null;
-		session: {
-			session: Session & Record<string, any>;
-			user: User & Record<string, any>;
-		} | null;
-		setNewSession: (
+			newSession: {
+				session: Session & Record<string, any>;
+				user: User & Record<string, any>;
+			} | null;
 			session: {
 				session: Session & Record<string, any>;
 				user: User & Record<string, any>;
-			} | null,
-		) => void;
-		socialProviders: OAuthProvider[];
-		authCookies: BetterAuthCookies;
-		logger: ReturnType<typeof createLogger>;
-		rateLimit: {
-			enabled: boolean;
-			window: number;
-			max: number;
-			storage: "memory" | "database" | "secondary-storage";
-		} & BetterAuthRateLimitOptions;
-		adapter: DBAdapter<Options>;
-		internalAdapter: InternalAdapter<Options>;
-		createAuthCookie: CreateCookieGetterFn;
-		secret: string;
-		sessionConfig: {
-			updateAge: number;
-			expiresIn: number;
-			freshAge: number;
-			cookieRefreshCache:
-				| false
-				| {
-						enabled: true;
-						updateAge: number;
-				  };
-		};
-		generateId: (options: {
-			model: ModelNames;
-			size?: number | undefined;
-		}) => string | false;
-		secondaryStorage: SecondaryStorage | undefined;
-		password: {
-			hash: (password: string) => Promise<string>;
-			verify: (data: { password: string; hash: string }) => Promise<boolean>;
-			config: {
-				minPasswordLength: number;
-				maxPasswordLength: number;
+			} | null;
+			setNewSession: (
+				session: {
+					session: Session & Record<string, any>;
+					user: User & Record<string, any>;
+				} | null,
+			) => void;
+			socialProviders: OAuthProvider[];
+			authCookies: BetterAuthCookies;
+			logger: ReturnType<typeof createLogger>;
+			rateLimit: {
+				enabled: boolean;
+				window: number;
+				max: number;
+				storage: "memory" | "database" | "secondary-storage";
+			} & Omit<
+				BetterAuthRateLimitOptions,
+				"enabled" | "window" | "max" | "storage"
+			>;
+			adapter: DBAdapter<Options>;
+			internalAdapter: InternalAdapter<Options>;
+			createAuthCookie: CreateCookieGetterFn;
+			secret: string;
+			sessionConfig: {
+				updateAge: number;
+				expiresIn: number;
+				freshAge: number;
+				cookieRefreshCache:
+					| false
+					| {
+							enabled: true;
+							updateAge: number;
+					  };
 			};
-			checkPassword: CheckPasswordFn<Options>;
+			generateId: (options: {
+				model: ModelNames;
+				size?: number | undefined;
+			}) => string | false;
+			secondaryStorage: SecondaryStorage | undefined;
+			password: {
+				hash: (password: string) => Promise<string>;
+				verify: (data: { password: string; hash: string }) => Promise<boolean>;
+				config: {
+					minPasswordLength: number;
+					maxPasswordLength: number;
+				};
+				checkPassword: CheckPasswordFn<Options>;
+			};
+			tables: BetterAuthDBSchema;
+			runMigrations: () => Promise<void>;
+			publishTelemetry: (event: {
+				type: string;
+				anonymousId?: string | undefined;
+				payload: Record<string, any>;
+			}) => Promise<void>;
+			/**
+			 * Skip origin check for requests.
+			 *
+			 * - `true`: Skip for ALL requests (DANGEROUS - disables CSRF protection)
+			 * - `string[]`: Skip only for specific paths (e.g., SAML callbacks)
+			 * - `false`: Enable origin check (default)
+			 *
+			 * Paths support prefix matching (e.g., "/sso/saml2/callback" matches
+			 * "/sso/saml2/callback/provider-name").
+			 *
+			 * @default false (true in test environments)
+			 */
+			skipOriginCheck: boolean | string[];
+			/**
+			 * This skips the CSRF check for all requests.
+			 *
+			 * This is inferred from the `options.advanced?.
+			 * disableCSRFCheck` option.
+			 *
+			 * @default false
+			 */
+			skipCSRFCheck: boolean;
+			/**
+			 * Background task handler for deferred operations.
+			 *
+			 * This is inferred from the `options.advanced?.backgroundTasks?.handler` option.
+			 * Defaults to a no-op that just runs the promise.
+			 */
+			runInBackground: (promise: Promise<void>) => void;
+			/**
+			 * Runs a task in the background if `runInBackground` is configured,
+			 * otherwise awaits the task directly.
+			 *
+			 * This is useful for operations like sending emails where we want
+			 * to avoid blocking the response when possible (for timing attack
+			 * mitigation), but still ensure the operation completes.
+			 */
+			runInBackgroundOrAwait: (
+				promise: Promise<unknown> | Promise<void> | void | unknown,
+			) => Promise<unknown>;
 		};
-		tables: BetterAuthDBSchema;
-		runMigrations: () => Promise<void>;
-		publishTelemetry: (event: {
-			type: string;
-			anonymousId?: string | undefined;
-			payload: Record<string, any>;
-		}) => Promise<void>;
-		/**
-		 * This skips the origin check for all requests.
-		 *
-		 * set to true by default for `test` environments and `false`
-		 * for other environments.
-		 *
-		 * It's inferred from the `options.advanced?.disableCSRFCheck`
-		 * option or `options.advanced?.disableOriginCheck` option.
-		 *
-		 * @default false
-		 */
-		skipOriginCheck: boolean;
-		/**
-		 * This skips the CSRF check for all requests.
-		 *
-		 * This is inferred from the `options.advanced?.
-		 * disableCSRFCheck` option.
-		 *
-		 * @default false
-		 */
-		skipCSRFCheck: boolean;
-		/**
-		 * Background task handler for deferred operations.
-		 *
-		 * This is inferred from the `options.advanced?.backgroundTasks?.handler` option.
-		 * Defaults to a no-op that just runs the promise.
-		 */
-		runInBackground: (promise: Promise<void>) => void;
-		/**
-		 * Runs a task in the background if `runInBackground` is configured,
-		 * otherwise awaits the task directly.
-		 *
-		 * This is useful for operations like sending emails where we want
-		 * to avoid blocking the response when possible (for timing attack
-		 * mitigation), but still ensure the operation completes.
-		 */
-		runInBackgroundOrAwait: (
-			promise: Promise<unknown> | Promise<void> | void | unknown,
-		) => Promise<unknown>;
-	};

package/src/types/cookie.ts

@@ -1,8 +1,10 @@
 import type { CookieOptions } from "better-call";
 
+export type BetterAuthCookie = { name: string; attributes: CookieOptions };
+
 export type BetterAuthCookies = {
-	sessionToken: { name: string; options: CookieOptions };
-	sessionData: { name: string; options: CookieOptions };
-	accountData: { name: string; options: CookieOptions };
-	dontRememberToken: { name: string; options: CookieOptions };
+	sessionToken: BetterAuthCookie;
+	sessionData: BetterAuthCookie;
+	accountData: BetterAuthCookie;
+	dontRememberToken: BetterAuthCookie;
 };

package/src/types/index.ts

@@ -4,15 +4,18 @@ export type {
 	BetterAuthPluginRegistry,
 	BetterAuthPluginRegistryIdentifier,
 	GenericEndpointContext,
+	InfoContext,
 	InternalAdapter,
 	PluginContext,
 } from "./context";
-export type { BetterAuthCookies } from "./cookie";
+export type { BetterAuthCookie, BetterAuthCookies } from "./cookie";
 export type * from "./helper";
 export type {
 	BetterAuthAdvancedOptions,
 	BetterAuthOptions,
 	BetterAuthRateLimitOptions,
+	BetterAuthRateLimitRule,
+	BetterAuthRateLimitStorage,
 	GenerateIdFn,
 } from "./init-options";
 export type { BetterAuthPlugin, HookEndpointContext } from "./plugin";

package/src/types/init-options.ts

@@ -37,25 +37,37 @@ export type GenerateIdFn = (options: {
 	size?: number | undefined;
 }) => string | false;
 
-export type BetterAuthRateLimitOptions = {
-	/**
-	 * By default, rate limiting is only
-	 * enabled on production.
-	 */
-	enabled?: boolean | undefined;
+export interface BetterAuthRateLimitStorage {
+	get: (key: string) => Promise<RateLimit | null | undefined>;
+	set: (
+		key: string,
+		value: RateLimit,
+		update?: boolean | undefined,
+	) => Promise<void>;
+}
+
+export type BetterAuthRateLimitRule = {
 	/**
 	 * Default window to use for rate limiting. The value
 	 * should be in seconds.
 	 *
 	 * @default 10 seconds
 	 */
-	window?: number | undefined;
+	window: number;
 	/**
 	 * The default maximum number of requests allowed within the window.
 	 *
 	 * @default 100 requests
 	 */
-	max?: number | undefined;
+	max: number;
+};
+
+export type BetterAuthRateLimitOptions = Optional<BetterAuthRateLimitRule> & {
+	/**
+	 * By default, rate limiting is only
+	 * enabled on production.
+	 */
+	enabled?: boolean | undefined;
 	/**
 	 * Custom rate limit rules to apply to
 	 * specific paths.
@@ -63,27 +75,12 @@ export type BetterAuthRateLimitOptions = {
 	customRules?:
 		| {
 				[key: string]:
-					| {
-							/**
-							 * The window to use for the custom rule.
-							 */
-							window: number;
-							/**
-							 * The maximum number of requests allowed within the window.
-							 */
-							max: number;
-					  }
+					| BetterAuthRateLimitRule
 					| false
-					| ((request: Request) =>
-							| { window: number; max: number }
-							| false
-							| Promise<
-									| {
-											window: number;
-											max: number;
-									  }
-									| false
-							  >);
+					| ((
+							request: Request,
+							currentRule: BetterAuthRateLimitRule,
+					  ) => Awaitable<false | BetterAuthRateLimitRule>);
 		  }
 		| undefined;
 	/**
@@ -113,10 +110,7 @@ export type BetterAuthRateLimitOptions = {
 	 * NOTE: If custom storage is used storage
 	 * is ignored
 	 */
-	customStorage?: {
-		get: (key: string) => Promise<RateLimit | undefined>;
-		set: (key: string, value: RateLimit) => Promise<void>;
-	};
+	customStorage?: BetterAuthRateLimitStorage;
 };
 
 export type BetterAuthAdvancedOptions = {

package/src/utils/url.ts

@@ -0,0 +1,43 @@
+/**
+ * Normalizes a request pathname by removing the basePath prefix and trailing slashes.
+ * This is useful for matching paths against configured path lists.
+ *
+ * @param requestUrl - The full request URL
+ * @param basePath - The base path of the auth API (e.g., "/api/auth")
+ * @returns The normalized path without basePath prefix or trailing slashes,
+ *          or "/" if URL parsing fails
+ *
+ * @example
+ * normalizePathname("http://localhost:3000/api/auth/sso/saml2/callback/provider1", "/api/auth")
+ * // Returns: "/sso/saml2/callback/provider1"
+ *
+ * normalizePathname("http://localhost:3000/sso/saml2/callback/provider1/", "/")
+ * // Returns: "/sso/saml2/callback/provider1"
+ */
+export function normalizePathname(
+	requestUrl: string,
+	basePath: string,
+): string {
+	let pathname: string;
+	try {
+		pathname = new URL(requestUrl).pathname.replace(/\/+$/, "") || "/";
+	} catch {
+		return "/";
+	}
+
+	if (basePath === "/" || basePath === "") {
+		return pathname;
+	}
+
+	// Check for exact match or proper path boundary (basePath followed by "/" or end)
+	// This prevents "/api/auth" from matching "/api/authevil/..."
+	if (pathname === basePath) {
+		return "/";
+	}
+
+	if (pathname.startsWith(basePath + "/")) {
+		return pathname.slice(basePath.length).replace(/\/+$/, "") || "/";
+	}
+
+	return pathname;
+}

package/tsdown.config.ts

@@ -1,5 +1,10 @@
+import { readFile } from "node:fs/promises";
 import { defineConfig } from "tsdown";
 
+const packageJson = JSON.parse(
+	await readFile(new URL("./package.json", import.meta.url), "utf-8"),
+);
+
 export default defineConfig({
 	dts: { build: true, incremental: true },
 	format: ["esm"],
@@ -19,6 +24,9 @@ export default defineConfig({
 		"./src/error/index.ts",
 	],
 	external: ["@better-auth/core/async_hooks"],
+	env: {
+		BETTER_AUTH_VERSION: packageJson.version,
+	},
 	unbundle: true,
 	clean: true,
 });