@better-auth/core 1.6.12 → 1.6.14

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.6.12";
+const __betterAuthVersion = "1.6.14";
 /**
 * We store context instance in the globalThis.
 *

package/dist/db/adapter/factory.mjs

@@ -711,7 +711,7 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 						limit: 1
 					}))[0];
 					if (!target) return null;
-					return await trx.deleteMany({
+					const deleted = await trx.deleteMany({
 						model: unsafeModel,
 						where: [...unsafeWhere, {
 							field: "id",
@@ -720,7 +720,9 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 							connector: "AND",
 							mode: "sensitive"
 						}]
-					}) > 0 ? target : null;
+					});
+					if (typeof deleted !== "number") throw new BetterAuthError(`Adapter "${config.adapterId}" returned a non-numeric value from deleteMany during the consumeOne fallback. Return the number of deleted rows, or implement a native consumeOne for atomic single-use consumption.`);
+					return deleted > 0 ? target : null;
 				}));
 				resultNeedsOutputTransform = false;
 			}

package/dist/instrumentation/tracer.mjs

@@ -2,7 +2,7 @@ import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
 import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
 const INSTRUMENTATION_SCOPE = "better-auth";
-const INSTRUMENTATION_VERSION = "1.6.12";
+const INSTRUMENTATION_VERSION = "1.6.14";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be

package/dist/types/context.d.mts

@@ -89,7 +89,14 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
    * @param id - The account row's primary key (the `id` column, not the `accountId` column).
    */
   deleteAccount(id: string): Promise<void>;
-  deleteSessions(userIdOrSessionTokens: string | string[]): Promise<void>;
+  /**
+   * Delete every session belonging to a user.
+   */
+  deleteUserSessions(userId: string): Promise<void>;
+  /**
+   * Delete sessions by their session tokens.
+   */
+  deleteSessions(sessionTokens: string[]): Promise<void>;
   findOAuthUser(email: string, accountId: string, providerId: string): Promise<{
     user: User;
     linkedAccount: Account | null;
@@ -107,7 +114,6 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
   updateUserByEmail<T extends Record<string, any>>(email: string, data: Partial<User & Record<string, any>>): Promise<User & T>;
   updatePassword(userId: string, password: string): Promise<void>;
   findAccounts(userId: string): Promise<Account[]>;
-  findAccount(accountId: string): Promise<Account | null>;
   findAccountByProviderId(accountId: string, providerId: string): Promise<Account | null>;
   findAccountByUserId(userId: string): Promise<Account[]>;
   updateAccount(id: string, data: Partial<Account>): Promise<Account>;
@@ -185,7 +191,7 @@ type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> = Plugin
      * - "cookie": Store state in an encrypted cookie (stateless)
      * - "database": Store state in the database
      *
-     * @default "cookie"
+     * @default "database" when `database` or `secondaryStorage` is configured, "cookie" otherwise
      */
     storeStateStrategy: "database" | "cookie";
   };

package/dist/types/init-options.d.mts

@@ -963,7 +963,11 @@ type BetterAuthOptions = {
        */
       allowUnlinkingAll?: boolean;
       /**
-       * If enabled (true), this will update the user information based on the newly linked account
+       * When enabled, linking an account copies the provider's profile onto
+       * the local user, matching the fields persisted on sign-up (`name`,
+       * `image`, and any `mapProfileToUser` fields). The local `email` and
+       * `emailVerified` are never changed, so a link cannot rebind the
+       * account's identity.
        *
        * @default false
        */
@@ -996,7 +1000,7 @@ type BetterAuthOptions = {
      * - "cookie": Store state in an encrypted cookie (stateless)
      * - "database": Store state in the database
      *
-     * @default "cookie"
+     * @default "database" when `database` or `secondaryStorage` is configured, "cookie" otherwise
      */
     storeStateStrategy?: "database" | "cookie";
     /**

package/dist/utils/redirect-uri.d.mts

@@ -0,0 +1,20 @@
+import * as z from "zod";
+
+//#region src/utils/redirect-uri.d.ts
+/**
+ * Zod schema for OAuth redirect URIs and other developer-supplied URLs that the
+ * server stores and later hands back to a browser.
+ *
+ * - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
+ * - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
+ * - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,
+ *   `*.localhost` per RFC 6761), where HTTP is allowed for local development.
+ * - Allows custom schemes for mobile apps (e.g. `myapp://callback`).
+ *
+ * This is the single source of truth for redirect-URI validation across the
+ * OAuth provider plugins. Consume it from `@better-auth/core/utils/redirect-uri`
+ * rather than re-implementing the scheme policy per plugin.
+ */
+declare const SafeUrlSchema: z.ZodURL;
+//#endregion
+export { SafeUrlSchema };

package/dist/utils/redirect-uri.mjs

@@ -0,0 +1,48 @@
+import { isLoopbackHost } from "./host.mjs";
+import { DANGEROUS_URL_SCHEMES } from "./url.mjs";
+import * as z from "zod";
+//#region src/utils/redirect-uri.ts
+/**
+* Zod schema for OAuth redirect URIs and other developer-supplied URLs that the
+* server stores and later hands back to a browser.
+*
+* - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
+* - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
+* - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,
+*   `*.localhost` per RFC 6761), where HTTP is allowed for local development.
+* - Allows custom schemes for mobile apps (e.g. `myapp://callback`).
+*
+* This is the single source of truth for redirect-URI validation across the
+* OAuth provider plugins. Consume it from `@better-auth/core/utils/redirect-uri`
+* rather than re-implementing the scheme policy per plugin.
+*/
+const SafeUrlSchema = z.url().superRefine((val, ctx) => {
+	let u;
+	try {
+		u = new URL(val);
+	} catch {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z.NEVER;
+	}
+	if (DANGEROUS_URL_SCHEMES.includes(u.protocol)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL cannot use javascript:, data:, or vbscript: scheme"
+		});
+		return;
+	}
+	if (val.includes("#")) ctx.addIssue({
+		code: "custom",
+		message: "Redirect URI must not contain a fragment component"
+	});
+	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
+		code: "custom",
+		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
+	});
+});
+//#endregion
+export { SafeUrlSchema };

package/dist/utils/url.d.mts

@@ -16,5 +16,22 @@
  * // Returns: "/sso/saml2/callback/provider1"
  */
 declare function normalizePathname(requestUrl: string, basePath: string): string;
+/**
+ * Schemes that execute or embed code when navigated to or accepted as a
+ * redirect target. These are never safe as an OAuth `redirect_uri` or as a
+ * client-side navigation target (`window.location.href`, `location.assign`, ...).
+ */
+declare const DANGEROUS_URL_SCHEMES: string[];
+/**
+ * Returns `false` only when `value` is an absolute URL using a dangerous scheme
+ * (`javascript:`, `data:`, `vbscript:`). Relative URLs (e.g. `/dashboard`) and
+ * safe absolute schemes (`http`, `https`, custom app schemes such as
+ * `myapp://`) return `true`.
+ *
+ * Use this to guard browser navigation sinks and any redirect target that may
+ * originate from untrusted input. It is intentionally narrow: it blocks code
+ * execution schemes without rejecting relative paths or mobile deep links.
+ */
+declare function isSafeUrlScheme(value: string): boolean;
 //#endregion
-export { normalizePathname };
+export { DANGEROUS_URL_SCHEMES, isSafeUrlScheme, normalizePathname };

package/dist/utils/url.mjs

@@ -27,5 +27,34 @@ function normalizePathname(requestUrl, basePath) {
 	if (pathname.startsWith(basePath + "/")) return pathname.slice(basePath.length).replace(/\/+$/, "") || "/";
 	return pathname;
 }
+/**
+* Schemes that execute or embed code when navigated to or accepted as a
+* redirect target. These are never safe as an OAuth `redirect_uri` or as a
+* client-side navigation target (`window.location.href`, `location.assign`, ...).
+*/
+const DANGEROUS_URL_SCHEMES = [
+	"javascript:",
+	"data:",
+	"vbscript:"
+];
+/**
+* Returns `false` only when `value` is an absolute URL using a dangerous scheme
+* (`javascript:`, `data:`, `vbscript:`). Relative URLs (e.g. `/dashboard`) and
+* safe absolute schemes (`http`, `https`, custom app schemes such as
+* `myapp://`) return `true`.
+*
+* Use this to guard browser navigation sinks and any redirect target that may
+* originate from untrusted input. It is intentionally narrow: it blocks code
+* execution schemes without rejecting relative paths or mobile deep links.
+*/
+function isSafeUrlScheme(value) {
+	let parsed;
+	try {
+		parsed = new URL(value);
+	} catch {
+		return true;
+	}
+	return !DANGEROUS_URL_SCHEMES.includes(parsed.protocol);
+}
 //#endregion
-export { normalizePathname };
+export { DANGEROUS_URL_SCHEMES, isSafeUrlScheme, normalizePathname };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.6.12",
+  "version": "1.6.14",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",

package/src/db/adapter/factory.ts

@@ -1391,6 +1391,12 @@ export const createAdapterFactory =
 										},
 									],
 								});
+								// A non-numeric count coerces to a false miss, so fail loud.
+								if (typeof deleted !== "number") {
+									throw new BetterAuthError(
+										`Adapter "${config.adapterId}" returned a non-numeric value from deleteMany during the consumeOne fallback. Return the number of deleted rows, or implement a native consumeOne for atomic single-use consumption.`,
+									);
+								}
 								return deleted > 0 ? (target as T) : null;
 							}),
 					);

package/src/types/context.ts

@@ -158,7 +158,15 @@ export interface InternalAdapter<
 	 */
 	deleteAccount(id: string): Promise<void>;
 
-	deleteSessions(userIdOrSessionTokens: string | string[]): Promise<void>;
+	/**
+	 * Delete every session belonging to a user.
+	 */
+	deleteUserSessions(userId: string): Promise<void>;
+
+	/**
+	 * Delete sessions by their session tokens.
+	 */
+	deleteSessions(sessionTokens: string[]): Promise<void>;
 
 	findOAuthUser(
 		email: string,
@@ -196,8 +204,6 @@ export interface InternalAdapter<
 
 	findAccounts(userId: string): Promise<Account[]>;
 
-	findAccount(accountId: string): Promise<Account | null>;
-
 	findAccountByProviderId(
 		accountId: string,
 		providerId: string,
@@ -321,7 +327,7 @@ export type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> =
 				 * - "cookie": Store state in an encrypted cookie (stateless)
 				 * - "database": Store state in the database
 				 *
-				 * @default "cookie"
+				 * @default "database" when `database` or `secondaryStorage` is configured, "cookie" otherwise
 				 */
 				storeStateStrategy: "database" | "cookie";
 			};

package/src/types/init-options.ts

@@ -1093,7 +1093,11 @@ export type BetterAuthOptions = {
 					 */
 					allowUnlinkingAll?: boolean;
 					/**
-					 * If enabled (true), this will update the user information based on the newly linked account
+					 * When enabled, linking an account copies the provider's profile onto
+					 * the local user, matching the fields persisted on sign-up (`name`,
+					 * `image`, and any `mapProfileToUser` fields). The local `email` and
+					 * `emailVerified` are never changed, so a link cannot rebind the
+					 * account's identity.
 					 *
 					 * @default false
 					 */
@@ -1126,7 +1130,7 @@ export type BetterAuthOptions = {
 				 * - "cookie": Store state in an encrypted cookie (stateless)
 				 * - "database": Store state in the database
 				 *
-				 * @default "cookie"
+				 * @default "database" when `database` or `secondaryStorage` is configured, "cookie" otherwise
 				 */
 				storeStateStrategy?: "database" | "cookie";
 				/**

package/src/utils/redirect-uri.ts

@@ -0,0 +1,54 @@
+import * as z from "zod";
+import { isLoopbackHost } from "./host";
+import { DANGEROUS_URL_SCHEMES } from "./url";
+
+/**
+ * Zod schema for OAuth redirect URIs and other developer-supplied URLs that the
+ * server stores and later hands back to a browser.
+ *
+ * - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
+ * - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
+ * - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,
+ *   `*.localhost` per RFC 6761), where HTTP is allowed for local development.
+ * - Allows custom schemes for mobile apps (e.g. `myapp://callback`).
+ *
+ * This is the single source of truth for redirect-URI validation across the
+ * OAuth provider plugins. Consume it from `@better-auth/core/utils/redirect-uri`
+ * rather than re-implementing the scheme policy per plugin.
+ */
+export const SafeUrlSchema = z.url().superRefine((val, ctx) => {
+	let u: URL;
+	try {
+		u = new URL(val);
+	} catch {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL must be parseable",
+			fatal: true,
+		});
+		return z.NEVER;
+	}
+
+	if (DANGEROUS_URL_SCHEMES.includes(u.protocol)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL cannot use javascript:, data:, or vbscript: scheme",
+		});
+		return;
+	}
+
+	if (val.includes("#")) {
+		ctx.addIssue({
+			code: "custom",
+			message: "Redirect URI must not contain a fragment component",
+		});
+	}
+
+	if (u.protocol === "http:" && !isLoopbackHost(u.host)) {
+		ctx.addIssue({
+			code: "custom",
+			message:
+				"Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)",
+		});
+	}
+});

package/src/utils/url.ts

@@ -41,3 +41,31 @@ export function normalizePathname(
 
 	return pathname;
 }
+
+/**
+ * Schemes that execute or embed code when navigated to or accepted as a
+ * redirect target. These are never safe as an OAuth `redirect_uri` or as a
+ * client-side navigation target (`window.location.href`, `location.assign`, ...).
+ */
+export const DANGEROUS_URL_SCHEMES = ["javascript:", "data:", "vbscript:"];
+
+/**
+ * Returns `false` only when `value` is an absolute URL using a dangerous scheme
+ * (`javascript:`, `data:`, `vbscript:`). Relative URLs (e.g. `/dashboard`) and
+ * safe absolute schemes (`http`, `https`, custom app schemes such as
+ * `myapp://`) return `true`.
+ *
+ * Use this to guard browser navigation sinks and any redirect target that may
+ * originate from untrusted input. It is intentionally narrow: it blocks code
+ * execution schemes without rejecting relative paths or mobile deep links.
+ */
+export function isSafeUrlScheme(value: string): boolean {
+	let parsed: URL;
+	try {
+		parsed = new URL(value);
+	} catch {
+		// Relative URLs carry no scheme to abuse.
+		return true;
+	}
+	return !DANGEROUS_URL_SCHEMES.includes(parsed.protocol);
+}