@better-auth/core 1.5.0-beta.8 → 1.5.0-beta.9

package/.turbo/turbo-build.log

@@ -1,19 +1,20 @@
 
-> @better-auth/core@1.5.0-beta.8 build /home/runner/work/better-auth/better-auth/packages/core
+> @better-auth/core@1.5.0-beta.9 build /home/runner/work/better-auth/better-auth/packages/core
 > tsdown
 
 ℹ tsdown v0.19.0 powered by rolldown v1.0.0-beta.59
 ℹ config file: /home/runner/work/better-auth/better-auth/packages/core/tsdown.config.ts 
-ℹ entry: src/index.ts, src/api/index.ts, src/async_hooks/index.ts, src/async_hooks/pure.index.ts, src/context/index.ts, src/db/index.ts, src/env/index.ts, src/error/index.ts, src/oauth2/index.ts, src/social-providers/index.ts, src/utils/deprecate.ts, src/utils/error-codes.ts, src/utils/id.ts, src/utils/json.ts, src/utils/string.ts, src/utils/url.ts, src/db/adapter/index.ts
+ℹ entry: src/index.ts, src/api/index.ts, src/async_hooks/index.ts, src/async_hooks/pure.index.ts, src/context/index.ts, src/db/index.ts, src/env/index.ts, src/error/index.ts, src/oauth2/index.ts, src/social-providers/index.ts, src/utils/deprecate.ts, src/utils/error-codes.ts, src/utils/id.ts, src/utils/ip.ts, src/utils/json.ts, src/utils/string.ts, src/utils/url.ts, src/db/adapter/index.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
+ℹ dist/utils/ip.mjs                                3.81 kB │ gzip: 1.29 kB
 ℹ dist/social-providers/index.mjs                  2.32 kB │ gzip: 0.72 kB
 ℹ dist/api/index.mjs                               1.27 kB │ gzip: 0.48 kB
 ℹ dist/utils/url.mjs                               1.14 kB │ gzip: 0.51 kB
 ℹ dist/async_hooks/index.mjs                       1.03 kB │ gzip: 0.54 kB
 ℹ dist/async_hooks/pure.index.mjs                  0.99 kB │ gzip: 0.49 kB
 ℹ dist/oauth2/index.mjs                            0.87 kB │ gzip: 0.27 kB
-ℹ dist/context/index.mjs                           0.79 kB │ gzip: 0.23 kB
+ℹ dist/context/index.mjs                           0.85 kB │ gzip: 0.25 kB
 ℹ dist/db/adapter/index.mjs                        0.71 kB │ gzip: 0.22 kB
 ℹ dist/error/index.mjs                             0.69 kB │ gzip: 0.33 kB
 ℹ dist/utils/json.mjs                              0.59 kB │ gzip: 0.35 kB
@@ -35,8 +36,8 @@
 ℹ dist/social-providers/line.mjs                   3.57 kB │ gzip: 1.20 kB
 ℹ dist/social-providers/salesforce.mjs             3.50 kB │ gzip: 1.12 kB
 ℹ dist/social-providers/microsoft-entra-id.mjs     3.46 kB │ gzip: 1.22 kB
+ℹ dist/oauth2/validate-authorization-code.mjs      2.80 kB │ gzip: 1.03 kB
 ℹ dist/social-providers/figma.mjs                  2.78 kB │ gzip: 0.99 kB
-ℹ dist/oauth2/validate-authorization-code.mjs      2.76 kB │ gzip: 1.03 kB
 ℹ dist/social-providers/atlassian.mjs              2.75 kB │ gzip: 0.99 kB
 ℹ dist/social-providers/twitter.mjs                2.74 kB │ gzip: 0.92 kB
 ℹ dist/env/color-depth.mjs                         2.72 kB │ gzip: 0.99 kB
@@ -46,12 +47,13 @@
 ℹ dist/social-providers/reddit.mjs                 2.63 kB │ gzip: 1.01 kB
 ℹ dist/social-providers/discord.mjs                2.62 kB │ gzip: 1.04 kB
 ℹ dist/social-providers/github.mjs                 2.61 kB │ gzip: 0.91 kB
+ℹ dist/context/transaction.mjs                     2.59 kB │ gzip: 0.83 kB
 ℹ dist/social-providers/vk.mjs                     2.59 kB │ gzip: 0.94 kB
 ℹ dist/env/env-impl.mjs                            2.58 kB │ gzip: 0.90 kB
 ℹ dist/error/codes.mjs                             2.56 kB │ gzip: 1.05 kB
 ℹ dist/env/logger.mjs                              2.42 kB │ gzip: 0.94 kB
 ℹ dist/social-providers/linear.mjs                 2.42 kB │ gzip: 0.90 kB
-ℹ dist/social-providers/dropbox.mjs                2.38 kB │ gzip: 0.87 kB
+ℹ dist/social-providers/dropbox.mjs                2.35 kB │ gzip: 0.86 kB
 ℹ dist/social-providers/kakao.mjs                  2.31 kB │ gzip: 0.84 kB
 ℹ dist/social-providers/notion.mjs                 2.28 kB │ gzip: 0.86 kB
 ℹ dist/social-providers/zoom.mjs                   2.27 kB │ gzip: 0.89 kB
@@ -70,7 +72,6 @@
 ℹ dist/oauth2/create-authorization-url.mjs         1.86 kB │ gzip: 0.73 kB
 ℹ dist/oauth2/client-credentials-token.mjs         1.83 kB │ gzip: 0.77 kB
 ℹ dist/context/request-state.mjs                   1.63 kB │ gzip: 0.59 kB
-ℹ dist/context/transaction.mjs                     1.60 kB │ gzip: 0.55 kB
 ℹ dist/db/adapter/get-default-field-name.mjs       1.41 kB │ gzip: 0.66 kB
 ℹ dist/db/adapter/get-default-model-name.mjs       1.40 kB │ gzip: 0.65 kB
 ℹ dist/context/endpoint-context.mjs                1.31 kB │ gzip: 0.53 kB
@@ -89,10 +90,11 @@
 ℹ dist/social-providers/index.d.mts               45.59 kB │ gzip: 3.09 kB
 ℹ dist/db/adapter/index.d.mts                     15.17 kB │ gzip: 3.60 kB
 ℹ dist/api/index.d.mts                             7.54 kB │ gzip: 1.45 kB
+ℹ dist/utils/ip.d.mts                              1.58 kB │ gzip: 0.68 kB
 ℹ dist/index.d.mts                                 1.36 kB │ gzip: 0.38 kB
 ℹ dist/oauth2/index.d.mts                          1.05 kB │ gzip: 0.32 kB
 ℹ dist/db/index.d.mts                              1.04 kB │ gzip: 0.34 kB
-ℹ dist/context/index.d.mts                         0.92 kB │ gzip: 0.27 kB
+ℹ dist/context/index.d.mts                         0.97 kB │ gzip: 0.28 kB
 ℹ dist/utils/error-codes.d.mts                     0.89 kB │ gzip: 0.45 kB
 ℹ dist/utils/url.d.mts                             0.84 kB │ gzip: 0.40 kB
 ℹ dist/error/index.d.mts                           0.75 kB │ gzip: 0.34 kB
@@ -103,8 +105,8 @@
 ℹ dist/utils/string.d.mts                          0.14 kB │ gzip: 0.12 kB
 ℹ dist/utils/json.d.mts                            0.13 kB │ gzip: 0.13 kB
 ℹ dist/utils/id.d.mts                              0.12 kB │ gzip: 0.12 kB
-ℹ dist/types/init-options.d.mts                   38.29 kB │ gzip: 8.53 kB
-ℹ dist/types/context.d.mts                        10.12 kB │ gzip: 2.96 kB
+ℹ dist/types/init-options.d.mts                   38.97 kB │ gzip: 8.80 kB
+ℹ dist/types/context.d.mts                        10.15 kB │ gzip: 2.97 kB
 ℹ dist/social-providers/zoom.d.mts                 6.71 kB │ gzip: 2.29 kB
 ℹ dist/oauth2/oauth-provider.d.mts                 5.92 kB │ gzip: 1.67 kB
 ℹ dist/social-providers/microsoft-entra-id.d.mts   5.59 kB │ gzip: 1.96 kB
@@ -150,13 +152,13 @@
 ℹ dist/context/request-state.d.mts                 1.35 kB │ gzip: 0.59 kB
 ℹ dist/db/adapter/factory.d.mts                    1.30 kB │ gzip: 0.45 kB
 ℹ dist/env/env-impl.d.mts                          1.26 kB │ gzip: 0.47 kB
+ℹ dist/context/transaction.d.mts                   1.21 kB │ gzip: 0.51 kB
 ℹ dist/oauth2/create-authorization-url.d.mts       1.05 kB │ gzip: 0.41 kB
 ℹ dist/db/schema/account.d.mts                     1.05 kB │ gzip: 0.43 kB
 ℹ dist/db/adapter/get-id-field.d.mts               1.04 kB │ gzip: 0.47 kB
 ℹ dist/oauth2/refresh-access-token.d.mts           1.01 kB │ gzip: 0.41 kB
 ℹ dist/context/endpoint-context.d.mts              0.99 kB │ gzip: 0.43 kB
 ℹ dist/oauth2/client-credentials-token.d.mts       0.91 kB │ gzip: 0.36 kB
-ℹ dist/context/transaction.d.mts                   0.86 kB │ gzip: 0.38 kB
 ℹ dist/types/index.d.mts                           0.86 kB │ gzip: 0.34 kB
 ℹ dist/db/schema/session.d.mts                     0.75 kB │ gzip: 0.40 kB
 ℹ dist/db/adapter/get-field-attributes.d.mts       0.72 kB │ gzip: 0.34 kB
@@ -176,5 +178,5 @@
 ℹ dist/db/schema/shared.d.mts                      0.25 kB │ gzip: 0.18 kB
 ℹ dist/context/global.d.mts                        0.20 kB │ gzip: 0.16 kB
 ℹ dist/env/color-depth.d.mts                       0.12 kB │ gzip: 0.11 kB
-ℹ 169 files, total: 447.03 kB
-✔ Build complete in 6053ms
+ℹ 171 files, total: 454.58 kB
+✔ Build complete in 6303ms

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.5.0-beta.8";
+const __betterAuthVersion = "1.5.0-beta.9";
 /**
 * We store context instance in the globalThis.
 *

package/dist/context/index.d.mts

@@ -1,5 +1,5 @@
 import { AuthEndpointContext, getCurrentAuthContext, getCurrentAuthContextAsyncLocalStorage, runWithEndpointContext } from "./endpoint-context.mjs";
 import { getBetterAuthVersion } from "./global.mjs";
 import { RequestState, RequestStateWeakMap, defineRequestState, getCurrentRequestState, getRequestStateAsyncLocalStorage, hasRequestState, runWithRequestState } from "./request-state.mjs";
-import { getCurrentAdapter, getCurrentDBAdapterAsyncLocalStorage, runWithAdapter, runWithTransaction } from "./transaction.mjs";
-export { type AuthEndpointContext, type RequestState, type RequestStateWeakMap, defineRequestState, getBetterAuthVersion, getCurrentAdapter, getCurrentAuthContext, getCurrentAuthContextAsyncLocalStorage, getCurrentDBAdapterAsyncLocalStorage, getCurrentRequestState, getRequestStateAsyncLocalStorage, hasRequestState, runWithAdapter, runWithEndpointContext, runWithRequestState, runWithTransaction };
+import { getCurrentAdapter, getCurrentDBAdapterAsyncLocalStorage, queueAfterTransactionHook, runWithAdapter, runWithTransaction } from "./transaction.mjs";
+export { type AuthEndpointContext, type RequestState, type RequestStateWeakMap, defineRequestState, getBetterAuthVersion, getCurrentAdapter, getCurrentAuthContext, getCurrentAuthContextAsyncLocalStorage, getCurrentDBAdapterAsyncLocalStorage, getCurrentRequestState, getRequestStateAsyncLocalStorage, hasRequestState, queueAfterTransactionHook, runWithAdapter, runWithEndpointContext, runWithRequestState, runWithTransaction };

package/dist/context/index.mjs

@@ -1,6 +1,6 @@
 import { getBetterAuthVersion } from "./global.mjs";
 import { getCurrentAuthContext, getCurrentAuthContextAsyncLocalStorage, runWithEndpointContext } from "./endpoint-context.mjs";
 import { defineRequestState, getCurrentRequestState, getRequestStateAsyncLocalStorage, hasRequestState, runWithRequestState } from "./request-state.mjs";
-import { getCurrentAdapter, getCurrentDBAdapterAsyncLocalStorage, runWithAdapter, runWithTransaction } from "./transaction.mjs";
+import { getCurrentAdapter, getCurrentDBAdapterAsyncLocalStorage, queueAfterTransactionHook, runWithAdapter, runWithTransaction } from "./transaction.mjs";
 
-export { defineRequestState, getBetterAuthVersion, getCurrentAdapter, getCurrentAuthContext, getCurrentAuthContextAsyncLocalStorage, getCurrentDBAdapterAsyncLocalStorage, getCurrentRequestState, getRequestStateAsyncLocalStorage, hasRequestState, runWithAdapter, runWithEndpointContext, runWithRequestState, runWithTransaction };
+export { defineRequestState, getBetterAuthVersion, getCurrentAdapter, getCurrentAuthContext, getCurrentAuthContextAsyncLocalStorage, getCurrentDBAdapterAsyncLocalStorage, getCurrentRequestState, getRequestStateAsyncLocalStorage, hasRequestState, queueAfterTransactionHook, runWithAdapter, runWithEndpointContext, runWithRequestState, runWithTransaction };

package/dist/context/transaction.d.mts

@@ -2,15 +2,23 @@ import { DBAdapter, DBTransactionAdapter } from "../db/adapter/index.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";
 
 //#region src/context/transaction.d.ts
-
+type HookContext = {
+  adapter: DBTransactionAdapter;
+  pendingHooks: Array<() => Promise<void>>;
+};
 /**
  * This is for internal use only. Most users should use `getCurrentAdapter` instead.
  *
  * It is exposed for advanced use cases where you need direct access to the AsyncLocalStorage instance.
  */
-declare const getCurrentDBAdapterAsyncLocalStorage: () => Promise<AsyncLocalStorage<DBTransactionAdapter>>;
+declare const getCurrentDBAdapterAsyncLocalStorage: () => Promise<AsyncLocalStorage<HookContext>>;
 declare const getCurrentAdapter: (fallback: DBTransactionAdapter) => Promise<DBTransactionAdapter>;
 declare const runWithAdapter: <R>(adapter: DBAdapter, fn: () => R) => Promise<R>;
 declare const runWithTransaction: <R>(adapter: DBAdapter, fn: () => R) => Promise<R>;
+/**
+ * Queue a hook to be executed after the current transaction commits.
+ * If not in a transaction, the hook will execute immediately.
+ */
+declare const queueAfterTransactionHook: (hook: () => Promise<void>) => Promise<void>;
 //#endregion
-export { getCurrentAdapter, getCurrentDBAdapterAsyncLocalStorage, runWithAdapter, runWithTransaction };
+export { getCurrentAdapter, getCurrentDBAdapterAsyncLocalStorage, queueAfterTransactionHook, runWithAdapter, runWithTransaction };

package/dist/context/transaction.mjs

@@ -20,16 +20,31 @@ const getCurrentDBAdapterAsyncLocalStorage = async () => {
 };
 const getCurrentAdapter = async (fallback) => {
 	return ensureAsyncStorage().then((als) => {
-		return als.getStore() || fallback;
+		return als.getStore()?.adapter || fallback;
 	}).catch(() => {
 		return fallback;
 	});
 };
 const runWithAdapter = async (adapter, fn) => {
-	let called = true;
-	return ensureAsyncStorage().then((als) => {
+	let called = false;
+	return ensureAsyncStorage().then(async (als) => {
 		called = true;
-		return als.run(adapter, fn);
+		const pendingHooks = [];
+		let result;
+		let error;
+		let hasError = false;
+		try {
+			result = await als.run({
+				adapter,
+				pendingHooks
+			}, fn);
+		} catch (err) {
+			error = err;
+			hasError = true;
+		}
+		for (const hook of pendingHooks) await hook();
+		if (hasError) throw error;
+		return result;
 	}).catch((err) => {
 		if (!called) return fn();
 		throw err;
@@ -37,16 +52,44 @@ const runWithAdapter = async (adapter, fn) => {
 };
 const runWithTransaction = async (adapter, fn) => {
 	let called = true;
-	return ensureAsyncStorage().then((als) => {
+	return ensureAsyncStorage().then(async (als) => {
 		called = true;
-		return adapter.transaction(async (trx) => {
-			return als.run(trx, fn);
-		});
+		const pendingHooks = [];
+		let result;
+		let error;
+		let hasError = false;
+		try {
+			result = await adapter.transaction(async (trx) => {
+				return als.run({
+					adapter: trx,
+					pendingHooks
+				}, fn);
+			});
+		} catch (e) {
+			hasError = true;
+			error = e;
+		}
+		for (const hook of pendingHooks) await hook();
+		if (hasError) throw error;
+		return result;
 	}).catch((err) => {
 		if (!called) return fn();
 		throw err;
 	});
 };
+/**
+* Queue a hook to be executed after the current transaction commits.
+* If not in a transaction, the hook will execute immediately.
+*/
+const queueAfterTransactionHook = async (hook) => {
+	return ensureAsyncStorage().then((als) => {
+		const store = als.getStore();
+		if (store) store.pendingHooks.push(hook);
+		else return hook();
+	}).catch(() => {
+		return hook();
+	});
+};
 
 //#endregion
-export { getCurrentAdapter, getCurrentDBAdapterAsyncLocalStorage, runWithAdapter, runWithTransaction };
+export { getCurrentAdapter, getCurrentDBAdapterAsyncLocalStorage, queueAfterTransactionHook, runWithAdapter, runWithTransaction };

package/dist/oauth2/validate-authorization-code.mjs

@@ -2,7 +2,7 @@ import { getOAuth2Tokens } from "./utils.mjs";
 import "./index.mjs";
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { jwtVerify } from "jose";
+import { decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 
 //#region src/oauth2/validate-authorization-code.ts
 function createAuthorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, deviceId, headers, additionalParams = {}, resource }) {
@@ -61,10 +61,10 @@ async function validateToken(token, jwksEndpoint) {
 	});
 	if (error) throw error;
 	const keys = data["keys"];
-	const header = JSON.parse(atob(token.split(".")[0]));
-	const key = keys.find((key$1) => key$1.kid === header.kid);
+	const header = decodeProtectedHeader(token);
+	const key = keys.find((k) => k.kid === header.kid);
 	if (!key) throw new Error("Key not found");
-	return await jwtVerify(token, key);
+	return await jwtVerify(token, await importJWK(key, header.alg));
 }
 
 //#endregion

package/dist/social-providers/dropbox.mjs

@@ -44,7 +44,7 @@ const dropbox = (options) => {
 					clientKey: options.clientKey,
 					clientSecret: options.clientSecret
 				},
-				tokenEndpoint: "https://api.dropbox.com/oauth2/token"
+				tokenEndpoint
 			});
 		},
 		async getUserInfo(token) {

package/dist/types/context.d.mts

@@ -65,6 +65,7 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
   deleteSessions(userIdOrSessionTokens: string | string[]): Promise<void>;
   findOAuthUser(email: string, accountId: string, providerId: string): Promise<{
     user: User;
+    linkedAccount: Account | null;
     accounts: Account[];
   } | null>;
   findUserByEmail(email: string, options?: {

package/dist/types/init-options.d.mts

@@ -110,6 +110,25 @@ type BetterAuthAdvancedOptions = {
      * ⚠︎ This is a security risk and it may expose your application to abuse
      */
     disableIpTracking?: boolean;
+    /**
+     * IPv6 subnet prefix length for rate limiting.
+     *
+     * IPv6 addresses can be grouped by subnet to prevent attackers from
+     * bypassing rate limits by rotating through multiple addresses in
+     * their allocation.
+     *
+     * Common values:
+     * - 128 (default): Individual IPv6 address
+     * - 64: /64 subnet (typical home/business allocation)
+     * - 48: /48 subnet (larger network allocation)
+     * - 32: /32 subnet (ISP allocation)
+     *
+     * Note: This only affects IPv6 addresses. IPv4 addresses are always
+     * rate limited individually.
+     *
+     * @default 64 (/64 subnet)
+     */
+    ipv6Subnet?: 128 | 64 | 48 | 32 | undefined;
   } | undefined;
   /**
    * Use secure cookies

package/dist/utils/ip.d.mts

@@ -0,0 +1,54 @@
+//#region src/utils/ip.d.ts
+/**
+ * Normalizes an IP address for consistent rate limiting.
+ *
+ * Features:
+ * - Normalizes IPv6 to canonical lowercase form
+ * - Converts IPv4-mapped IPv6 to IPv4
+ * - Supports IPv6 subnet extraction
+ * - Handles all edge cases (::1, ::, etc.)
+ */
+interface NormalizeIPOptions {
+  /**
+   * For IPv6 addresses, extract the subnet prefix instead of full address.
+   * Common values: 32, 48, 64, 128 (default: 128 = full address)
+   *
+   * @default 128
+   */
+  ipv6Subnet?: 128 | 64 | 48 | 32;
+}
+/**
+ * Checks if an IP is valid IPv4 or IPv6
+ */
+declare function isValidIP(ip: string): boolean;
+/**
+ * Normalizes an IP address (IPv4 or IPv6) for consistent rate limiting.
+ *
+ * @param ip - The IP address to normalize
+ * @param options - Normalization options
+ * @returns Normalized IP address
+ *
+ * @example
+ * normalizeIP("2001:DB8::1")
+ * // -> "2001:0db8:0000:0000:0000:0000:0000:0000"
+ *
+ * @example
+ * normalizeIP("::ffff:192.0.2.1")
+ * // -> "192.0.2.1" (converted to IPv4)
+ *
+ * @example
+ * normalizeIP("2001:db8::1", { ipv6Subnet: 64 })
+ * // -> "2001:0db8:0000:0000:0000:0000:0000:0000" (subnet /64)
+ */
+declare function normalizeIP(ip: string, options?: NormalizeIPOptions): string;
+/**
+ * Creates a rate limit key from IP and path
+ * Uses a separator to prevent collision attacks
+ *
+ * @param ip - The IP address (should be normalized)
+ * @param path - The request path
+ * @returns Rate limit key
+ */
+declare function createRateLimitKey(ip: string, path: string): string;
+//#endregion
+export { createRateLimitKey, isValidIP, normalizeIP };

package/dist/utils/ip.mjs

@@ -0,0 +1,118 @@
+import * as z from "zod";
+
+//#region src/utils/ip.ts
+/**
+* Checks if an IP is valid IPv4 or IPv6
+*/
+function isValidIP(ip) {
+	return z.ipv4().safeParse(ip).success || z.ipv6().safeParse(ip).success;
+}
+/**
+* Checks if an IP is IPv6
+*/
+function isIPv6(ip) {
+	return z.ipv6().safeParse(ip).success;
+}
+/**
+* Converts IPv4-mapped IPv6 address to IPv4
+* e.g., "::ffff:192.0.2.1" -> "192.0.2.1"
+*/
+function extractIPv4FromMapped(ipv6) {
+	const lower = ipv6.toLowerCase();
+	if (lower.startsWith("::ffff:")) {
+		const ipv4Part = lower.substring(7);
+		if (z.ipv4().safeParse(ipv4Part).success) return ipv4Part;
+	}
+	const parts = ipv6.split(":");
+	if (parts.length === 7 && parts[5]?.toLowerCase() === "ffff") {
+		const ipv4Part = parts[6];
+		if (ipv4Part && z.ipv4().safeParse(ipv4Part).success) return ipv4Part;
+	}
+	if (lower.includes("::ffff:") || lower.includes(":ffff:")) {
+		const groups = expandIPv6(ipv6);
+		if (groups.length === 8 && groups[0] === "0000" && groups[1] === "0000" && groups[2] === "0000" && groups[3] === "0000" && groups[4] === "0000" && groups[5] === "ffff" && groups[6] && groups[7]) return `${Number.parseInt(groups[6].substring(0, 2), 16)}.${Number.parseInt(groups[6].substring(2, 4), 16)}.${Number.parseInt(groups[7].substring(0, 2), 16)}.${Number.parseInt(groups[7].substring(2, 4), 16)}`;
+	}
+	return null;
+}
+/**
+* Expands a compressed IPv6 address to full form
+* e.g., "2001:db8::1" -> ["2001", "0db8", "0000", "0000", "0000", "0000", "0000", "0001"]
+*/
+function expandIPv6(ipv6) {
+	if (ipv6.includes("::")) {
+		const sides = ipv6.split("::");
+		const left = sides[0] ? sides[0].split(":") : [];
+		const right = sides[1] ? sides[1].split(":") : [];
+		const missingGroups = 8 - left.length - right.length;
+		const zeros = Array(missingGroups).fill("0000");
+		const paddedLeft = left.map((g) => g.padStart(4, "0"));
+		const paddedRight = right.map((g) => g.padStart(4, "0"));
+		return [
+			...paddedLeft,
+			...zeros,
+			...paddedRight
+		];
+	}
+	return ipv6.split(":").map((g) => g.padStart(4, "0"));
+}
+/**
+* Normalizes an IPv6 address to canonical form
+* e.g., "2001:DB8::1" -> "2001:0db8:0000:0000:0000:0000:0000:0001"
+*/
+function normalizeIPv6(ipv6, subnetPrefix) {
+	const groups = expandIPv6(ipv6);
+	if (subnetPrefix && subnetPrefix < 128) {
+		let bitsRemaining = subnetPrefix;
+		return groups.map((group) => {
+			if (bitsRemaining <= 0) return "0000";
+			if (bitsRemaining >= 16) {
+				bitsRemaining -= 16;
+				return group;
+			}
+			const masked = Number.parseInt(group, 16) & (65535 << 16 - bitsRemaining & 65535);
+			bitsRemaining = 0;
+			return masked.toString(16).padStart(4, "0");
+		}).join(":").toLowerCase();
+	}
+	return groups.join(":").toLowerCase();
+}
+/**
+* Normalizes an IP address (IPv4 or IPv6) for consistent rate limiting.
+*
+* @param ip - The IP address to normalize
+* @param options - Normalization options
+* @returns Normalized IP address
+*
+* @example
+* normalizeIP("2001:DB8::1")
+* // -> "2001:0db8:0000:0000:0000:0000:0000:0000"
+*
+* @example
+* normalizeIP("::ffff:192.0.2.1")
+* // -> "192.0.2.1" (converted to IPv4)
+*
+* @example
+* normalizeIP("2001:db8::1", { ipv6Subnet: 64 })
+* // -> "2001:0db8:0000:0000:0000:0000:0000:0000" (subnet /64)
+*/
+function normalizeIP(ip, options = {}) {
+	if (z.ipv4().safeParse(ip).success) return ip.toLowerCase();
+	if (!isIPv6(ip)) return ip.toLowerCase();
+	const ipv4 = extractIPv4FromMapped(ip);
+	if (ipv4) return ipv4.toLowerCase();
+	return normalizeIPv6(ip, options.ipv6Subnet || 64);
+}
+/**
+* Creates a rate limit key from IP and path
+* Uses a separator to prevent collision attacks
+*
+* @param ip - The IP address (should be normalized)
+* @param path - The request path
+* @returns Rate limit key
+*/
+function createRateLimitKey(ip, path) {
+	return `${ip}|${path}`;
+}
+
+//#endregion
+export { createRateLimitKey, isValidIP, normalizeIP };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.5.0-beta.8",
+  "version": "1.5.0-beta.9",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "repository": {
@@ -117,20 +117,20 @@
   "devDependencies": {
     "@better-auth/utils": "0.3.0",
     "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.1.8",
+    "better-call": "1.2.0",
     "jose": "^6.1.0",
-    "kysely": "^0.28.5",
-    "nanostores": "^1.0.1",
+    "kysely": "^0.28.10",
+    "nanostores": "^1.1.0",
     "tsdown": "^0.19.0"
   },
   "dependencies": {
     "@standard-schema/spec": "^1.0.0",
-    "zod": "^4.1.12"
+    "zod": "^4.3.5"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.3.0",
     "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.1.8",
+    "better-call": "1.2.0",
     "jose": "^6.1.0",
     "kysely": "^0.28.5",
     "nanostores": "^1.0.1"

package/src/context/index.ts

@@ -17,6 +17,7 @@ export {
 export {
 	getCurrentAdapter,
 	getCurrentDBAdapterAsyncLocalStorage,
+	queueAfterTransactionHook,
 	runWithAdapter,
 	runWithTransaction,
 } from "./transaction";

package/src/context/transaction.ts

@@ -3,6 +3,11 @@ import { getAsyncLocalStorage } from "@better-auth/core/async_hooks";
 import type { DBAdapter, DBTransactionAdapter } from "../db/adapter";
 import { __getBetterAuthGlobal } from "./global";
 
+type HookContext = {
+	adapter: DBTransactionAdapter;
+	pendingHooks: Array<() => Promise<void>>;
+};
+
 const ensureAsyncStorage = async () => {
 	const betterAuthGlobal = __getBetterAuthGlobal();
 	if (!betterAuthGlobal.context.adapterAsyncStorage) {
@@ -10,7 +15,7 @@ const ensureAsyncStorage = async () => {
 		betterAuthGlobal.context.adapterAsyncStorage = new AsyncLocalStorage();
 	}
 	return betterAuthGlobal.context
-		.adapterAsyncStorage as AsyncLocalStorage<DBTransactionAdapter>;
+		.adapterAsyncStorage as AsyncLocalStorage<HookContext>;
 };
 
 /**
@@ -27,7 +32,8 @@ export const getCurrentAdapter = async (
 ): Promise<DBTransactionAdapter> => {
 	return ensureAsyncStorage()
 		.then((als) => {
-			return als.getStore() || fallback;
+			const store = als.getStore();
+			return store?.adapter || fallback;
 		})
 		.catch(() => {
 			return fallback;
@@ -38,11 +44,28 @@ export const runWithAdapter = async <R>(
 	adapter: DBAdapter,
 	fn: () => R,
 ): Promise<R> => {
-	let called = true;
+	let called = false;
 	return ensureAsyncStorage()
-		.then((als) => {
+		.then(async (als) => {
 			called = true;
-			return als.run(adapter, fn);
+			const pendingHooks: Array<() => Promise<void>> = [];
+			let result: Awaited<R>;
+			let error: unknown;
+			let hasError = false;
+			try {
+				result = await als.run({ adapter, pendingHooks }, fn);
+			} catch (err) {
+				error = err;
+				hasError = true;
+			}
+			// Execute pending hooks after the function completes (even if it threw)
+			for (const hook of pendingHooks) {
+				await hook();
+			}
+			if (hasError) {
+				throw error;
+			}
+			return result!;
 		})
 		.catch((err) => {
 			if (!called) {
@@ -58,11 +81,27 @@ export const runWithTransaction = async <R>(
 ): Promise<R> => {
 	let called = true;
 	return ensureAsyncStorage()
-		.then((als) => {
+		.then(async (als) => {
 			called = true;
-			return adapter.transaction(async (trx) => {
-				return als.run(trx, fn);
-			});
+			const pendingHooks: Array<() => Promise<void>> = [];
+			let result: Awaited<R>;
+			let error: unknown;
+			let hasError = false;
+			try {
+				result = await adapter.transaction(async (trx) => {
+					return als.run({ adapter: trx, pendingHooks }, fn);
+				});
+			} catch (e) {
+				hasError = true;
+				error = e;
+			}
+			for (const hook of pendingHooks) {
+				await hook();
+			}
+			if (hasError) {
+				throw error;
+			}
+			return result!;
 		})
 		.catch((err) => {
 			if (!called) {
@@ -71,3 +110,27 @@ export const runWithTransaction = async <R>(
 			throw err;
 		});
 };
+
+/**
+ * Queue a hook to be executed after the current transaction commits.
+ * If not in a transaction, the hook will execute immediately.
+ */
+export const queueAfterTransactionHook = async (
+	hook: () => Promise<void>,
+): Promise<void> => {
+	return ensureAsyncStorage()
+		.then((als) => {
+			const store = als.getStore();
+			if (store) {
+				// We're in a transaction context, queue the hook
+				store.pendingHooks.push(hook);
+			} else {
+				// Not in a transaction, execute immediately
+				return hook();
+			}
+		})
+		.catch(() => {
+			// No async storage available, execute immediately
+			return hook();
+		});
+};