@better-auth/core 1.6.15 → 1.6.17

package/dist/social-providers/microsoft-entra-id.mjs

@@ -8,9 +8,17 @@ import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 //#region src/social-providers/microsoft-entra-id.ts
+/**
+* Microsoft's fixed tenant id for personal (consumer) Microsoft accounts. Every
+* personal-account token carries it as the `tid` claim, so it distinguishes the
+* consumer account class from work/school tenants.
+* @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+*/
+const MICROSOFT_CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
 const microsoft = (options) => {
 	const tenant = options.tenantId || "common";
-	const authority = options.authority || "https://login.microsoftonline.com";
+	let authority = options.authority || "https://login.microsoftonline.com";
+	while (authority.endsWith("/")) authority = authority.slice(0, -1);
 	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
 	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
 	return {
@@ -70,6 +78,10 @@ const microsoft = (options) => {
 				if (tenant !== "common" && tenant !== "organizations" && tenant !== "consumers") verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
 				const { payload: jwtClaims } = await jwtVerify(token, publicKey, verifyOptions);
 				if (nonce && jwtClaims.nonce !== nonce) return false;
+				const tid = jwtClaims.tid;
+				if (typeof tid !== "string" || jwtClaims.iss !== `${authority}/${tid}/v2.0`) return false;
+				if (tenant === "organizations" && tid === MICROSOFT_CONSUMER_TENANT_ID) return false;
+				if (tenant === "consumers" && tid !== MICROSOFT_CONSUMER_TENANT_ID) return false;
 				return true;
 			} catch (error) {
 				logger.error("Failed to verify ID token:", error);

package/dist/social-providers/paypal.d.mts

@@ -125,5 +125,6 @@ declare const paypal: (options: PayPalOptions) => {
   } | null>;
   options: PayPalOptions;
 };
+declare const getPayPalPublicKey: (kid: string, jwksUri: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
 //#endregion
-export { PayPalOptions, PayPalProfile, PayPalTokenResponse, paypal };
+export { PayPalOptions, PayPalProfile, PayPalTokenResponse, getPayPalPublicKey, paypal };

package/dist/social-providers/paypal.mjs

@@ -1,15 +1,30 @@
-import { BetterAuthError } from "../error/index.mjs";
+import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt } from "jose";
+import { decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 //#region src/social-providers/paypal.ts
+/**
+* ID token signing algorithms advertised by PayPal's OpenID configuration.
+* Anything outside this allowlist is rejected so each token is only ever
+* verified with the algorithm it was issued for.
+*
+* @see https://www.paypal.com/.well-known/openid-configuration
+*/
+const PAYPAL_ID_TOKEN_ALGORITHMS = ["RS256", "HS256"];
 const paypal = (options) => {
 	const isSandbox = (options.environment || "sandbox") === "sandbox";
 	const authorizationEndpoint = isSandbox ? "https://www.sandbox.paypal.com/signin/authorize" : "https://www.paypal.com/signin/authorize";
 	const tokenEndpoint = isSandbox ? "https://api-m.sandbox.paypal.com/v1/oauth2/token" : "https://api-m.paypal.com/v1/oauth2/token";
 	const userInfoEndpoint = isSandbox ? "https://api-m.sandbox.paypal.com/v1/identity/oauth2/userinfo" : "https://api-m.paypal.com/v1/identity/oauth2/userinfo";
+	/**
+	* Issuer and JWKS endpoints used to cryptographically verify ID tokens.
+	*
+	* @see https://www.paypal.com/.well-known/openid-configuration
+	*/
+	const issuer = isSandbox ? "https://www.sandbox.paypal.com" : "https://www.paypal.com";
+	const jwksEndpoint = isSandbox ? "https://api.sandbox.paypal.com/v1/oauth2/certs" : "https://api.paypal.com/v1/oauth2/certs";
 	return {
 		id: "paypal",
 		name: "PayPal",
@@ -94,7 +109,19 @@ const paypal = (options) => {
 			if (options.disableIdTokenSignIn) return false;
 			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
 			try {
-				return !!decodeJwt(token).sub;
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!jwtAlg) return false;
+				if (!PAYPAL_ID_TOKEN_ALGORITHMS.includes(jwtAlg)) return false;
+				const key = jwtAlg === "HS256" ? new TextEncoder().encode(options.clientSecret) : kid ? await getPayPalPublicKey(kid, jwksEndpoint) : void 0;
+				if (!key) return false;
+				const { payload: jwtClaims } = await jwtVerify(token, key, {
+					algorithms: [jwtAlg],
+					issuer,
+					audience: options.clientId,
+					maxTokenAge: "1h"
+				});
+				if (nonce && jwtClaims.nonce !== nonce) return false;
+				return true;
 			} catch (error) {
 				logger.error("Failed to verify PayPal ID token:", error);
 				return false;
@@ -136,5 +163,12 @@ const paypal = (options) => {
 		options
 	};
 };
+const getPayPalPublicKey = async (kid, jwksUri) => {
+	const { data } = await betterFetch(jwksUri);
+	if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+	return await importJWK(jwk, jwk.alg);
+};
 //#endregion
-export { paypal };
+export { getPayPalPublicKey, paypal };

package/dist/social-providers/reddit.mjs

@@ -61,14 +61,15 @@ const reddit = (options) => {
 			} });
 			if (error) return null;
 			const userMap = await options.mapProfileToUser?.(profile);
+			const email = userMap?.email || `${profile.id}@reddit.invalid`;
 			return {
 				user: {
 					id: profile.id,
 					name: profile.name,
-					email: profile.oauth_client_id,
-					emailVerified: profile.has_verified_email,
 					image: profile.icon_img?.split("?")[0],
-					...userMap
+					...userMap,
+					email,
+					emailVerified: userMap?.emailVerified ?? false
 				},
 				data: profile
 			};

package/dist/social-providers/wechat.mjs

@@ -66,7 +66,7 @@ const wechat = (options) => {
 				user: {
 					id: profile.unionid || profile.openid || openid,
 					name: profile.nickname,
-					email: profile.email || null,
+					email: profile.email || `${profile.unionid || profile.openid || openid}@wechat.invalid`,
 					image: profile.headimgurl,
 					emailVerified: false,
 					...userMap

package/dist/types/context.d.mts

@@ -134,6 +134,22 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
    * pair at single-use credential consumption sites.
    */
   consumeVerificationValue(identifier: string): Promise<Verification | null>;
+  /**
+   * First-writer-wins create keyed by a deterministic primary key derived from
+   * `identifier`. Returns `true` when this caller created the row and `false`
+   * when a row for the same identifier already existed.
+   *
+   * The dual of `consumeVerificationValue`: reserve races to create a marker
+   * exactly once, where consume races to delete one exactly once. Use it for
+   * replay tombstones (a SAML assertion id, a JWT `jti`) where the first caller
+   * wins. The database path is atomic via the primary key; the
+   * secondary-storage-only path is best-effort under concurrency.
+   */
+  reserveVerificationValue(data: {
+    identifier: string;
+    value: string;
+    expiresAt: Date;
+  }): Promise<boolean>;
   updateVerificationByIdentifier(identifier: string, data: Partial<Verification>): Promise<Verification>;
   refreshUserSessions(user: User): Promise<void>;
 }

package/dist/types/init-options.d.mts

@@ -73,6 +73,35 @@ type BaseURLConfig = string | DynamicBaseURLConfig;
 interface BetterAuthRateLimitStorage {
   get: (key: string) => Promise<RateLimit | null | undefined>;
   set: (key: string, value: RateLimit, update?: boolean | undefined) => Promise<void>;
+  /**
+   * Atomically records one request against `key` within the `window`
+   * (in seconds) and reports whether it is allowed.
+   *
+   * When `allowed` is true the request was counted within the active window;
+   * when `allowed` is false the limit was already reached and `retryAfter` is
+   * the number of seconds until the window frees up. Whether the window slides
+   * or is fixed depends on the backing storage: the database backend resets
+   * once the window elapses, while secondary storage uses a fixed time-to-live
+   * set when the window first opens.
+   *
+   * Performing the check and the increment in a single step closes the
+   * concurrent-bypass gap of the separate `get`/`set` path: N simultaneous
+   * requests can no longer all pass a stale read before any increment lands.
+   *
+   * Optional for backwards compatibility. A storage without it falls back to
+   * the legacy non-atomic `get`/`set` path, which is best-effort under
+   * concurrency.
+   *
+   * TODO(rate-limit-consume-required): make this the sole required member on
+   * `next`, dropping `get`/`set` and the non-atomic fallback.
+   */
+  consume?: (key: string, rule: {
+    window: number;
+    max: number;
+  }) => Promise<{
+    allowed: boolean;
+    retryAfter: number | null;
+  }>;
 }
 type BetterAuthRateLimitRule = {
   /**

package/dist/utils/host.mjs

@@ -126,6 +126,7 @@ function classifyIPv6(expanded) {
 	if (firstByte === 254 && (secondByte & 192) === 128) return "linkLocal";
 	if ((firstByte & 254) === 252) return "private";
 	if (expanded.startsWith("2001:0db8:")) return "documentation";
+	if (expanded.startsWith("2001:0002:0000:")) return "benchmarking";
 	if (expanded.startsWith("2002:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 1);
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
@@ -136,12 +137,15 @@ function classifyIPv6(expanded) {
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
 		return "reserved";
 	}
+	if (expanded.startsWith("0064:ff9b:0001:")) return "reserved";
 	if (expanded.startsWith("2001:0000:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 6, { xor: true });
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
 		return "reserved";
 	}
 	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
+	if (expanded.startsWith("3fff:0")) return "documentation";
+	if (expanded.startsWith("5f00:")) return "reserved";
 	return "public";
 }
 /**

package/dist/utils/url.mjs

@@ -22,9 +22,10 @@ function normalizePathname(requestUrl, basePath) {
 	} catch {
 		return "/";
 	}
-	if (basePath === "/" || basePath === "") return pathname;
-	if (pathname === basePath) return "/";
-	if (pathname.startsWith(basePath + "/")) return pathname.slice(basePath.length).replace(/\/+$/, "") || "/";
+	const normalizedBasePath = basePath.replace(/\/+$/, "");
+	if (normalizedBasePath === "") return pathname;
+	if (pathname === normalizedBasePath) return "/";
+	if (pathname.startsWith(normalizedBasePath + "/")) return pathname.slice(normalizedBasePath.length).replace(/\/+$/, "") || "/";
 	return pathname;
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.6.15",
+  "version": "1.6.17",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -153,11 +153,11 @@
   },
   "devDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-fetch/fetch": "1.3.0",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/sdk-trace-base": "^1.30.0",
     "@opentelemetry/sdk-trace-node": "^1.30.0",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "@cloudflare/workers-types": "^4.20250121.0",
     "jose": "^6.1.3",
     "kysely": "^0.28.17 || ^0.29.0",
@@ -166,9 +166,9 @@
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-fetch/fetch": "1.3.0",
     "@opentelemetry/api": "^1.9.0",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "@cloudflare/workers-types": ">=4",
     "jose": "^6.1.0",
     "kysely": "^0.28.5 || ^0.29.0",

package/src/api/index.ts

@@ -132,6 +132,51 @@ export function createAuthEndpoint<
 	);
 }
 
+/**
+ * Set `metadata.SERVER_ONLY` while preserving any existing metadata
+ * (`$Infer`, `openapi`, ...).
+ */
+function withServerOnly<Options extends EndpointOptions>(
+	options: Options,
+): Options {
+	return {
+		...options,
+		metadata: { ...options.metadata, SERVER_ONLY: true },
+	} as Options;
+}
+
+/**
+ * Declare a **server-only** endpoint.
+ *
+ * The endpoint is callable through `auth.api.*` from trusted server code but is
+ * never registered on the HTTP router and never emitted into the OpenAPI
+ * schema. It takes no path because it has no URL to be reached at.
+ *
+ * Prefer this over the path-less `createAuthEndpoint({ ... }, handler)` form.
+ * Setting `metadata.SERVER_ONLY` makes the intent explicit at the call site and
+ * keeps the endpoint off the HTTP surface even if a path is later added by
+ * mistake: better-call's router skips an endpoint when its path is missing *or*
+ * when `SERVER_ONLY` is set, so the two together are defense in depth. Relying
+ * on path omission alone is invisible and one keystroke away from exposure.
+ *
+ * @example
+ * ```ts
+ * viewBackupCodes: createAuthEndpoint.serverOnly(
+ * 	{ method: "POST", body: schema },
+ * 	async (ctx) => { ... },
+ * )
+ * ```
+ */
+createAuthEndpoint.serverOnly = <
+	Path extends string,
+	Options extends EndpointOptions,
+	R,
+>(
+	options: Options,
+	handler: EndpointHandler<Path, Options, R>,
+): StrictEndpoint<Path, Options, R> =>
+	createAuthEndpoint(withServerOnly(options), handler);
+
 export type AuthEndpoint<
 	Path extends string,
 	Opts extends EndpointOptions,

package/src/db/adapter/factory.ts

@@ -138,6 +138,11 @@ export const createAdapterFactory =
 							!config.debugLogs.consumeOne
 						) {
 							return;
+						} else if (
+							method === "incrementOne" &&
+							!config.debugLogs.incrementOne
+						) {
+							return;
 						} else if (method === "count" && !config.debugLogs.count) {
 							return;
 						}
@@ -491,6 +496,7 @@ export const createAdapterFactory =
 				| "delete"
 				| "deleteMany"
 				| "consumeOne"
+				| "incrementOne"
 				| "count";
 		}): W extends undefined ? undefined : CleanedWhere[] => {
 			if (!where) return undefined as any;
@@ -1430,6 +1436,152 @@ export const createAdapterFactory =
 				);
 				return transformed as T | null;
 			},
+			incrementOne: async <T>({
+				model: unsafeModel,
+				where: unsafeWhere,
+				increment: unsafeIncrement,
+				set: unsafeSet,
+			}: {
+				model: string;
+				where: Where[];
+				increment: Record<string, number>;
+				set?: Record<string, unknown> | undefined;
+			}): Promise<T | null> => {
+				transactionId++;
+				const thisTransactionId = transactionId;
+				const model = getModelName(unsafeModel);
+				const where = transformWhereClause({
+					model: unsafeModel,
+					where: unsafeWhere,
+					action: "incrementOne",
+				});
+				unsafeModel = getDefaultModelName(unsafeModel);
+				debugLog(
+					{ method: "incrementOne" },
+					`${formatTransactionId(thisTransactionId)} ${formatStep(1, 3)}`,
+					`${formatMethod("incrementOne")} ${formatAction("IncrementOne")}:`,
+					{ model, where, increment: unsafeIncrement, set: unsafeSet },
+				);
+
+				let res: T | null;
+				let resultNeedsOutputTransform = true;
+				if (adapterInstance.incrementOne) {
+					// Map each increment key to its DB column name, honoring a custom
+					// `mapKeysTransformInput` override the same way `transformInput`
+					// does, and keep the numeric delta unchanged: deltas are arithmetic
+					// operands, not stored values, so they must never be value-transformed.
+					const mappedKeys = config.mapKeysTransformInput ?? {};
+					const increment: Record<string, number> = {};
+					for (const [field, delta] of Object.entries(unsafeIncrement)) {
+						increment[
+							mappedKeys[field] || getFieldName({ model: unsafeModel, field })
+						] = delta;
+					}
+					let set: Record<string, unknown> | undefined;
+					if (unsafeSet && !config.disableTransformInput) {
+						set = await transformInput(unsafeSet, unsafeModel, "update");
+					} else {
+						set = unsafeSet;
+					}
+					res = await withSpan(
+						`db incrementOne ${model}`,
+						{
+							[ATTR_DB_OPERATION_NAME]: "incrementOne",
+							[ATTR_DB_COLLECTION_NAME]: model,
+						},
+						() =>
+							adapterInstance.incrementOne!<T>({
+								model,
+								where,
+								increment,
+								set,
+							}),
+					);
+				} else {
+					// FIXME(increment-one-required): remove this fallback when
+					// incrementOne becomes required on `next`. Adapters without a native
+					// incrementOne fall back to `transaction(findMany + updateMany)`.
+					res = await withSpan(
+						`db incrementOne ${model}`,
+						{
+							[ATTR_DB_OPERATION_NAME]: "incrementOne",
+							[ATTR_DB_COLLECTION_NAME]: model,
+						},
+						() =>
+							adapter.transaction(async (trx) => {
+								const rows = await trx.findMany<Record<string, any>>({
+									model: unsafeModel,
+									where: unsafeWhere,
+									limit: 1,
+								});
+								const target = rows[0];
+								if (!target) return null;
+								const nextValues: Record<string, unknown> = {
+									...(unsafeSet ?? {}),
+								};
+								for (const [field, delta] of Object.entries(unsafeIncrement)) {
+									const current =
+										typeof target[field] === "number" ? target[field] : 0;
+									nextValues[field] = current + delta;
+								}
+								// Re-applying `unsafeWhere` in the update's where is the
+								// compare-and-swap guard: under an adapter whose transaction
+								// lacks real isolation, it still rejects a racer that
+								// invalidated the guard between the read and the write (e.g.
+								// remaining dropped to 0).
+								const updated = await trx.updateMany({
+									model: unsafeModel,
+									where: [
+										...unsafeWhere,
+										{
+											field: "id",
+											value: target.id,
+											operator: "eq",
+											connector: "AND",
+											mode: "sensitive",
+										},
+									],
+									update: nextValues,
+								});
+								// A non-numeric count coerces to a false miss, so fail loud.
+								if (typeof updated !== "number") {
+									throw new BetterAuthError(
+										`Adapter "${config.adapterId}" returned a non-numeric value from updateMany during the incrementOne fallback. Return the number of updated rows, or implement a native incrementOne for atomic guarded counter updates.`,
+									);
+								}
+								return updated > 0 ? ({ ...target, ...nextValues } as T) : null;
+							}),
+					);
+					resultNeedsOutputTransform = false;
+				}
+
+				debugLog(
+					{ method: "incrementOne" },
+					`${formatTransactionId(thisTransactionId)} ${formatStep(2, 3)}`,
+					`${formatMethod("incrementOne")} ${formatAction("DB Result")}:`,
+					{ model, data: res },
+				);
+				let transformed: any = res;
+				if (
+					!config.disableTransformOutput &&
+					resultNeedsOutputTransform &&
+					res
+				) {
+					transformed = await transformOutput(
+						res as Record<string, any>,
+						unsafeModel,
+						undefined,
+						undefined,
+					);
+				}
+				debugLog(
+					{ method: "incrementOne" },
+					`${formatTransactionId(thisTransactionId)} ${formatStep(3, 3)}`,
+					`${formatMethod("incrementOne")} ${formatAction("Parsed Result")}:`,
+					{ model, data: transformed },
+				);
+				return transformed as T | null;
+			},
 			count: async ({
 				model: unsafeModel,
 				where: unsafeWhere,

package/src/db/adapter/index.ts

@@ -16,6 +16,7 @@ export type DBAdapterDebugLogOption =
 			delete?: boolean | undefined;
 			deleteMany?: boolean | undefined;
 			consumeOne?: boolean | undefined;
+			incrementOne?: boolean | undefined;
 			count?: boolean | undefined;
 	  }
 	| {
@@ -213,6 +214,7 @@ export interface DBAdapterFactoryConfig<
 					| "delete"
 					| "deleteMany"
 					| "consumeOne"
+					| "incrementOne"
 					| "count";
 				/**
 				 * The model name.
@@ -464,6 +466,36 @@ export type DBAdapter<Options extends BetterAuthOptions = BetterAuthOptions> = {
 	 * and returns the row only when the delete reports an affected row.
 	 */
 	consumeOne: <T>(data: { model: string; where: Where[] }) => Promise<T | null>;
+	/**
+	 * Atomically apply signed numeric deltas to a single row matching the where
+	 * clause. For each entry in `increment`, the operation applies
+	 * `field = field + delta` in one atomic step; a negative delta decrements.
+	 *
+	 * The `where` clause is both the selector AND the guard: comparison
+	 * operators are honored, so passing `{ field: "remaining", operator: "gt",
+	 * value: 0 }` only mutates the row while `remaining` is still above zero.
+	 * When the guard matches no row, the operation makes no change and returns
+	 * `null`.
+	 *
+	 * The optional `set` map assigns absolute values to fields in the same
+	 * atomic operation, alongside the increments.
+	 *
+	 * Returns the updated row, or `null` when the guard matched no row. Under
+	 * concurrent invocation against the same row, this is the race-safe
+	 * primitive for guarded counter updates (e.g. decrementing a remaining-uses
+	 * counter only while it is still positive).
+	 *
+	 * Always defined on the factory-wrapped adapter. When the underlying
+	 * `CustomAdapter` does not implement `incrementOne`, the factory provides a
+	 * fallback that wraps `findMany + updateMany` in `transaction(...)` and
+	 * re-applies the where clause as a compare-and-swap guard on the update.
+	 */
+	incrementOne: <T>(data: {
+		model: string;
+		where: Where[];
+		increment: Record<string, number>;
+		set?: Record<string, unknown> | undefined;
+	}) => Promise<T | null>;
 	/**
 	 * Execute multiple operations in a transaction.
 	 * If the adapter doesn't support transactions, operations will be executed sequentially.
@@ -563,6 +595,25 @@ export interface CustomAdapter {
 		model: string;
 		where: CleanedWhere[];
 	}) => Promise<T | null>;
+	/**
+	 * Optional native atomic guarded counter mutation. Applies
+	 * `field = field + delta` for each entry in `increment` (negative deltas
+	 * decrement), with `where` acting as both selector and guard and `set`
+	 * assigning absolute values in the same operation. Returns the updated row,
+	 * or `null` when the guard matched no row.
+	 *
+	 * Implementing this natively (e.g. `UPDATE ... SET n = n + $delta WHERE ...
+	 * RETURNING *`) gives one round trip and the strongest race-safety
+	 * guarantee. When omitted, the adapter factory provides a transaction-based
+	 * fallback over `findMany + updateMany`. TODO(increment-one-required):
+	 * tighten to required in the next minor on `next`.
+	 */
+	incrementOne?: <T>(data: {
+		model: string;
+		where: CleanedWhere[];
+		increment: Record<string, number>;
+		set?: Record<string, unknown> | undefined;
+	}) => Promise<T | null>;
 	count: ({
 		model,
 		where,

package/src/db/adapter/types.ts

@@ -123,6 +123,7 @@ export type AdapterFactoryCustomizeAdapterCreator = (config: {
 			| "delete"
 			| "deleteMany"
 			| "consumeOne"
+			| "incrementOne"
 			| "count";
 	}) => W extends undefined ? undefined : CleanedWhere[];
 }) => CustomAdapter;

package/src/db/type.ts

@@ -323,6 +323,21 @@ export interface SecondaryStorage {
 	 * security-sensitive consume paths.
 	 */
 	getAndDelete?: (key: string) => Awaitable<unknown>;
+	/**
+	 * Atomically increment the counter at `key` by one, returning the
+	 * post-increment value.
+	 *
+	 * When the key is absent, it is created with a value of `1` and the given
+	 * `ttl` (in SECONDS). The TTL is applied only on creation; later increments
+	 * never extend it, so the counter expires a fixed window after it was first
+	 * created.
+	 *
+	 * This is optional for backwards compatibility with existing secondary
+	 * storage implementations. TODO(secondary-storage-increment-required): make
+	 * this required for secondary-storage-backed rate limiting in the next minor
+	 * on `next`.
+	 */
+	increment?: (key: string, ttl: number) => Awaitable<number>;
 	set: (
 		/**
 		 * Key to store

package/src/env/env-impl.ts

@@ -46,8 +46,7 @@ function toBoolean(val: boolean | string | undefined) {
 	return val ? val !== "false" : false;
 }
 
-export const nodeENV =
-	(typeof process !== "undefined" && process.env && process.env.NODE_ENV) || "";
+export const nodeENV = env.NODE_ENV ?? "";
 
 /** Detect if `NODE_ENV` environment variable is `production` */
 export const isProduction = nodeENV === "production";