@better-auth/core 1.6.16 → 1.6.18

package/dist/api/index.d.mts

@@ -272,6 +272,9 @@ declare const createAuthMiddleware: {
 type EndpointHandler<Path extends string, Options extends EndpointOptions, R> = (context: EndpointContext<Path, Options, AuthContext>) => Promise<R>;
 declare function createAuthEndpoint<Path extends string, Options extends EndpointOptions, R>(path: Path, options: Options, handler: EndpointHandler<Path, Options, R>): StrictEndpoint<Path, Options, R>;
 declare function createAuthEndpoint<Path extends string, Options extends EndpointOptions, R>(options: Options, handler: EndpointHandler<Path, Options, R>): StrictEndpoint<Path, Options, R>;
+declare namespace createAuthEndpoint {
+  var serverOnly: <Path extends string, Options extends EndpointOptions, R>(options: Options, handler: EndpointHandler<Path, Options, R>) => StrictEndpoint<Path, Options, R>;
+}
 type AuthEndpoint<Path extends string, Opts extends EndpointOptions, R> = ReturnType<typeof createAuthEndpoint<Path, Opts, R>>;
 type AuthMiddleware = ReturnType<typeof createAuthMiddleware>;
 //#endregion

package/dist/api/index.mjs

@@ -52,5 +52,41 @@ function createAuthEndpoint(pathOrOptions, handlerOrOptions, handlerOrNever) {
 		use: [...options?.use || [], ...use]
 	}, wrapped);
 }
+/**
+* Set `metadata.SERVER_ONLY` while preserving any existing metadata
+* (`$Infer`, `openapi`, ...).
+*/
+function withServerOnly(options) {
+	return {
+		...options,
+		metadata: {
+			...options.metadata,
+			SERVER_ONLY: true
+		}
+	};
+}
+/**
+* Declare a **server-only** endpoint.
+*
+* The endpoint is callable through `auth.api.*` from trusted server code but is
+* never registered on the HTTP router and never emitted into the OpenAPI
+* schema. It takes no path because it has no URL to be reached at.
+*
+* Prefer this over the path-less `createAuthEndpoint({ ... }, handler)` form.
+* Setting `metadata.SERVER_ONLY` makes the intent explicit at the call site and
+* keeps the endpoint off the HTTP surface even if a path is later added by
+* mistake: better-call's router skips an endpoint when its path is missing *or*
+* when `SERVER_ONLY` is set, so the two together are defense in depth. Relying
+* on path omission alone is invisible and one keystroke away from exposure.
+*
+* @example
+* ```ts
+* viewBackupCodes: createAuthEndpoint.serverOnly(
+* 	{ method: "POST", body: schema },
+* 	async (ctx) => { ... },
+* )
+* ```
+*/
+createAuthEndpoint.serverOnly = (options, handler) => createAuthEndpoint(withServerOnly(options), handler);
 //#endregion
 export { createAuthEndpoint, createAuthMiddleware, optionsMiddleware };

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.6.16";
+const __betterAuthVersion = "1.6.18";
 /**
 * We store context instance in the globalThis.
 *

package/dist/db/adapter/factory.mjs

@@ -58,6 +58,7 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 					else if (method === "delete" && !config.debugLogs.delete) return;
 					else if (method === "deleteMany" && !config.debugLogs.deleteMany) return;
 					else if (method === "consumeOne" && !config.debugLogs.consumeOne) return;
+					else if (method === "incrementOne" && !config.debugLogs.incrementOne) return;
 					else if (method === "count" && !config.debugLogs.count) return;
 				}
 				logger.info(`[${config.adapterName}]`, ...args);
@@ -738,6 +739,87 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			});
 			return transformed;
 		},
+		incrementOne: async ({ model: unsafeModel, where: unsafeWhere, increment: unsafeIncrement, set: unsafeSet }) => {
+			transactionId++;
+			const thisTransactionId = transactionId;
+			const model = getModelName(unsafeModel);
+			const where = transformWhereClause({
+				model: unsafeModel,
+				where: unsafeWhere,
+				action: "incrementOne"
+			});
+			unsafeModel = getDefaultModelName(unsafeModel);
+			debugLog({ method: "incrementOne" }, `${formatTransactionId(thisTransactionId)} ${formatStep(1, 3)}`, `${formatMethod("incrementOne")} ${formatAction("IncrementOne")}:`, {
+				model,
+				where,
+				increment: unsafeIncrement,
+				set: unsafeSet
+			});
+			let res;
+			let resultNeedsOutputTransform = true;
+			if (adapterInstance.incrementOne) {
+				const mappedKeys = config.mapKeysTransformInput ?? {};
+				const increment = {};
+				for (const [field, delta] of Object.entries(unsafeIncrement)) increment[mappedKeys[field] || getFieldName({
+					model: unsafeModel,
+					field
+				})] = delta;
+				let set;
+				if (unsafeSet && !config.disableTransformInput) set = await transformInput(unsafeSet, unsafeModel, "update");
+				else set = unsafeSet;
+				res = await withSpan(`db incrementOne ${model}`, {
+					[ATTR_DB_OPERATION_NAME]: "incrementOne",
+					[ATTR_DB_COLLECTION_NAME]: model
+				}, () => adapterInstance.incrementOne({
+					model,
+					where,
+					increment,
+					set
+				}));
+			} else {
+				res = await withSpan(`db incrementOne ${model}`, {
+					[ATTR_DB_OPERATION_NAME]: "incrementOne",
+					[ATTR_DB_COLLECTION_NAME]: model
+				}, () => adapter.transaction(async (trx) => {
+					const target = (await trx.findMany({
+						model: unsafeModel,
+						where: unsafeWhere,
+						limit: 1
+					}))[0];
+					if (!target) return null;
+					const nextValues = { ...unsafeSet ?? {} };
+					for (const [field, delta] of Object.entries(unsafeIncrement)) nextValues[field] = (typeof target[field] === "number" ? target[field] : 0) + delta;
+					const updated = await trx.updateMany({
+						model: unsafeModel,
+						where: [...unsafeWhere, {
+							field: "id",
+							value: target.id,
+							operator: "eq",
+							connector: "AND",
+							mode: "sensitive"
+						}],
+						update: nextValues
+					});
+					if (typeof updated !== "number") throw new BetterAuthError(`Adapter "${config.adapterId}" returned a non-numeric value from updateMany during the incrementOne fallback. Return the number of updated rows, or implement a native incrementOne for atomic guarded counter updates.`);
+					return updated > 0 ? {
+						...target,
+						...nextValues
+					} : null;
+				}));
+				resultNeedsOutputTransform = false;
+			}
+			debugLog({ method: "incrementOne" }, `${formatTransactionId(thisTransactionId)} ${formatStep(2, 3)}`, `${formatMethod("incrementOne")} ${formatAction("DB Result")}:`, {
+				model,
+				data: res
+			});
+			let transformed = res;
+			if (!config.disableTransformOutput && resultNeedsOutputTransform && res) transformed = await transformOutput(res, unsafeModel, void 0, void 0);
+			debugLog({ method: "incrementOne" }, `${formatTransactionId(thisTransactionId)} ${formatStep(3, 3)}`, `${formatMethod("incrementOne")} ${formatAction("Parsed Result")}:`, {
+				model,
+				data: transformed
+			});
+			return transformed;
+		},
 		count: async ({ model: unsafeModel, where: unsafeWhere }) => {
 			transactionId++;
 			const thisTransactionId = transactionId;

package/dist/db/adapter/index.d.mts

@@ -23,6 +23,7 @@ type DBAdapterDebugLogOption = boolean | {
   delete?: boolean | undefined;
   deleteMany?: boolean | undefined;
   consumeOne?: boolean | undefined;
+  incrementOne?: boolean | undefined;
   count?: boolean | undefined;
 } | {
   /**
@@ -198,7 +199,7 @@ interface DBAdapterFactoryConfig<Options extends BetterAuthOptions = BetterAuthO
     /**
      * The action which was called from the adapter.
      */
-    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "consumeOne" | "count";
+    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "consumeOne" | "incrementOne" | "count";
     /**
      * The model name.
      */
@@ -436,6 +437,36 @@ type DBAdapter<Options extends BetterAuthOptions = BetterAuthOptions> = {
     model: string;
     where: Where[];
   }) => Promise<T | null>;
+  /**
+   * Atomically apply signed numeric deltas to a single row matching the where
+   * clause. For each entry in `increment`, the operation applies
+   * `field = field + delta` in one atomic step; a negative delta decrements.
+   *
+   * The `where` clause is both the selector AND the guard: comparison
+   * operators are honored, so passing `{ field: "remaining", operator: "gt",
+   * value: 0 }` only mutates the row while `remaining` is still above zero.
+   * When the guard matches no row, the operation makes no change and returns
+   * `null`.
+   *
+   * The optional `set` map assigns absolute values to fields in the same
+   * atomic operation, alongside the increments.
+   *
+   * Returns the updated row, or `null` when the guard matched no row. Under
+   * concurrent invocation against the same row, this is the race-safe
+   * primitive for guarded counter updates (e.g. decrementing a remaining-uses
+   * counter only while it is still positive).
+   *
+   * Always defined on the factory-wrapped adapter. When the underlying
+   * `CustomAdapter` does not implement `incrementOne`, the factory provides a
+   * fallback that wraps `findMany + updateMany` in `transaction(...)` and
+   * re-applies the where clause as a compare-and-swap guard on the update.
+   */
+  incrementOne: <T>(data: {
+    model: string;
+    where: Where[];
+    increment: Record<string, number>;
+    set?: Record<string, unknown> | undefined;
+  }) => Promise<T | null>;
   /**
    * Execute multiple operations in a transaction.
    * If the adapter doesn't support transactions, operations will be executed sequentially.
@@ -530,6 +561,25 @@ interface CustomAdapter {
     model: string;
     where: CleanedWhere[];
   }) => Promise<T | null>;
+  /**
+   * Optional native atomic guarded counter mutation. Applies
+   * `field = field + delta` for each entry in `increment` (negative deltas
+   * decrement), with `where` acting as both selector and guard and `set`
+   * assigning absolute values in the same operation. Returns the updated row,
+   * or `null` when the guard matched no row.
+   *
+   * Implementing this natively (e.g. `UPDATE ... SET n = n + $delta WHERE ...
+   * RETURNING *`) gives one round trip and the strongest race-safety
+   * guarantee. When omitted, the adapter factory provides a transaction-based
+   * fallback over `findMany + updateMany`. TODO(increment-one-required):
+   * tighten to required in the next minor on `next`.
+   */
+  incrementOne?: <T>(data: {
+    model: string;
+    where: CleanedWhere[];
+    increment: Record<string, number>;
+    set?: Record<string, unknown> | undefined;
+  }) => Promise<T | null>;
   count: ({
     model,
     where

package/dist/db/adapter/types.d.mts

@@ -94,7 +94,7 @@ type AdapterFactoryCustomizeAdapterCreator = (config: {
   }: {
     where: W;
     model: string;
-    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "consumeOne" | "count";
+    action: "create" | "update" | "findOne" | "findMany" | "updateMany" | "delete" | "deleteMany" | "consumeOne" | "incrementOne" | "count";
   }) => W extends undefined ? undefined : CleanedWhere[];
 }) => CustomAdapter;
 type AdapterTestDebugLogs = {

package/dist/db/type.d.mts

@@ -153,6 +153,21 @@ interface SecondaryStorage {
    * security-sensitive consume paths.
    */
   getAndDelete?: (key: string) => Awaitable<unknown>;
+  /**
+   * Atomically increment the counter at `key` by one, returning the
+   * post-increment value.
+   *
+   * When the key is absent, it is created with a value of `1` and the given
+   * `ttl` (in SECONDS). The TTL is applied only on creation; later increments
+   * never extend it, so the counter expires a fixed window after it was first
+   * created.
+   *
+   * This is optional for backwards compatibility with existing secondary
+   * storage implementations. TODO(secondary-storage-increment-required): make
+   * this required for secondary-storage-backed rate limiting in the next minor
+   * on `next`.
+   */
+  increment?: (key: string, ttl: number) => Awaitable<number>;
   set: (
   /**
    * Key to store

package/dist/instrumentation/tracer.mjs

@@ -2,7 +2,7 @@ import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
 import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
 const INSTRUMENTATION_SCOPE = "better-auth";
-const INSTRUMENTATION_VERSION = "1.6.16";
+const INSTRUMENTATION_VERSION = "1.6.18";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be

package/dist/oauth2/verify.d.mts

@@ -1,6 +1,18 @@
 import { JSONWebKeySet, JWTPayload, JWTVerifyOptions } from "jose";
 
 //#region src/oauth2/verify.d.ts
+type JwksFetchOptions = {
+  /** Jwks url or promise of a Jwks */jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
+  /**
+   * Stable object to cache the result of a function `jwksFetch` under,
+   * with the same TTL and kid-miss refetch rules as string sources.
+   * Without it, a function source is fetched on every verification.
+   */
+  jwksCacheKey?: object;
+};
+/**
+ * @internal
+ */
 interface VerifyAccessTokenRemote {
   /** Full url of the introspect endpoint. Should end with `/oauth2/introspect` */
   introspectUrl: string;
@@ -34,13 +46,10 @@ interface VerifyAccessTokenRemote {
  *
  * Can also be configured for remote verification.
  */
-declare function verifyJwsAccessToken(token: string, opts: {
-  /** Jwks url or promise of a Jwks */jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>); /** Verify options */
-  verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
+declare function verifyJwsAccessToken(token: string, opts: JwksFetchOptions & {
+  /** Verify options */verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
 }): Promise<JWTPayload>;
-declare function getJwks(token: string, opts: {
-  /** Jwks url or promise of a Jwks */jwksFetch: string | (() => Promise<JSONWebKeySet | undefined>);
-}): Promise<JSONWebKeySet>;
+declare function getJwks(token: string, opts: JwksFetchOptions): Promise<JSONWebKeySet>;
 /**
  * Performs local verification of an access token for your API.
  *

package/dist/oauth2/verify.mjs

@@ -11,13 +11,46 @@ const joseInfrastructureErrorCodes = new Set([
 function isJoseInfrastructureError(error) {
 	return joseInfrastructureErrorCodes.has(error.code);
 }
+/**
+* @internal
+*/
 const jwksCache = /* @__PURE__ */ new Map();
 /**
+* Cache for function jwks sources, keyed by a caller-provided stable object.
+* Entries are released with their key, so per-request keys cannot accumulate.
+*/
+const functionJwksCache = /* @__PURE__ */ new WeakMap();
+/**
 * How long a cached JWKS is trusted before it is refetched
 *
 * @internal
 */
 const JWKS_CACHE_TTL_MS = 300 * 1e3;
+const JWKS_NO_KID_REFETCH_COOLDOWN_MS = 30 * 1e3;
+/**
+* Returns the cached key set when it is within the TTL. When the token carries
+* `kid`, the cached set must contain that key id; without `kid`, key selection
+* is deferred to JOSE because RFC 7515 makes the header parameter optional.
+*/
+function getFreshJwksWithKid(cached, kid) {
+	if (!cached) return void 0;
+	if (Date.now() - cached.fetchedAt >= JWKS_CACHE_TTL_MS) return void 0;
+	if (kid && !cached.jwks.keys.some((jwk) => jwk.kid === kid)) return;
+	return cached.jwks;
+}
+function shouldRefetchCachedJwksWithoutKid(error, resolved) {
+	if (!(resolved.fromCache && !resolved.kid && (error instanceof errors.JWKSNoMatchingKey || error instanceof errors.JWSSignatureVerificationFailed))) return false;
+	if (!resolved.noKidRefetchedAt) return true;
+	return Date.now() - resolved.noKidRefetchedAt >= JWKS_NO_KID_REFETCH_COOLDOWN_MS;
+}
+async function fetchJwks(jwksFetch) {
+	const jwks = typeof jwksFetch === "string" ? await betterFetch(jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
+		if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
+		return res.data;
+	}) : await jwksFetch();
+	if (!jwks) throw new Error("No jwks found");
+	return jwks;
+}
 /**
 * Performs local verification of an access token for your APIs.
 *
@@ -25,7 +58,17 @@ const JWKS_CACHE_TTL_MS = 300 * 1e3;
 */
 async function verifyJwsAccessToken(token, opts) {
 	try {
-		const jwt = await jwtVerify(token, createLocalJWKSet(await getJwks(token, opts)), opts.verifyOptions);
+		const resolved = await getJwksForVerification(token, opts);
+		let jwt;
+		try {
+			jwt = await jwtVerify(token, createLocalJWKSet(resolved.jwks), opts.verifyOptions);
+		} catch (error) {
+			if (shouldRefetchCachedJwksWithoutKid(error, resolved)) jwt = await jwtVerify(token, createLocalJWKSet((await getJwksForVerification(token, {
+				...opts,
+				forceRefresh: true
+			})).jwks), opts.verifyOptions);
+			else throw error;
+		}
 		if (jwt.payload.azp) jwt.payload.client_id = jwt.payload.azp;
 		return jwt.payload;
 	} catch (error) {
@@ -34,6 +77,9 @@ async function verifyJwsAccessToken(token, opts) {
 	}
 }
 async function getJwks(token, opts) {
+	return (await getJwksForVerification(token, opts)).jwks;
+}
+async function getJwksForVerification(token, opts) {
 	let jwtHeaders;
 	try {
 		jwtHeaders = decodeProtectedHeader(token);
@@ -41,25 +87,63 @@ async function getJwks(token, opts) {
 		if (error instanceof Error) throw error;
 		throw new Error(error);
 	}
-	if (!jwtHeaders.kid) throw new APIError("UNAUTHORIZED", { message: "invalid access token" });
 	const kid = jwtHeaders.kid;
+	if (typeof opts.jwksFetch !== "string") {
+		const cacheKey = opts.jwksCacheKey;
+		if (!cacheKey) {
+			const jwks = await opts.jwksFetch();
+			if (!jwks) throw new Error("No jwks found");
+			return {
+				jwks,
+				fromCache: false,
+				kid
+			};
+		}
+		const cached = functionJwksCache.get(cacheKey);
+		const cachedJwks = opts.forceRefresh ? void 0 : getFreshJwksWithKid(cached, kid);
+		if (cachedJwks) return {
+			jwks: cachedJwks,
+			fromCache: true,
+			kid,
+			noKidRefetchedAt: cached?.noKidRefetchedAt
+		};
+		const jwks = await opts.jwksFetch();
+		if (!jwks) throw new Error("No jwks found");
+		const fetchedAt = Date.now();
+		functionJwksCache.set(cacheKey, {
+			jwks,
+			fetchedAt,
+			...opts.forceRefresh && !kid ? { noKidRefetchedAt: fetchedAt } : {}
+		});
+		return {
+			jwks,
+			fromCache: false,
+			kid
+		};
+	}
 	const cacheKey = opts.jwksFetch;
 	const cached = jwksCache.get(cacheKey);
-	const isFresh = cached ? Date.now() - cached.fetchedAt < JWKS_CACHE_TTL_MS : false;
-	const hasKid = cached?.jwks.keys.some((jwk) => jwk.kid === kid) ?? false;
-	if (!cached || !isFresh || !hasKid) {
-		const jwks = typeof opts.jwksFetch === "string" ? await betterFetch(opts.jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
-			if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
-			return res.data;
-		}) : await opts.jwksFetch();
-		if (!jwks) throw new Error("No jwks found");
+	const cachedJwks = opts.forceRefresh ? void 0 : getFreshJwksWithKid(cached, kid);
+	if (!cachedJwks) {
+		const jwks = await fetchJwks(opts.jwksFetch);
+		const fetchedAt = Date.now();
 		jwksCache.set(cacheKey, {
 			jwks,
-			fetchedAt: Date.now()
+			fetchedAt,
+			...opts.forceRefresh && !kid ? { noKidRefetchedAt: fetchedAt } : {}
 		});
-		return jwks;
+		return {
+			jwks,
+			fromCache: false,
+			kid
+		};
 	}
-	return cached.jwks;
+	return {
+		jwks: cachedJwks,
+		fromCache: true,
+		kid,
+		noKidRefetchedAt: cached?.noKidRefetchedAt
+	};
 }
 /**
 * Performs local verification of an access token for your API.

package/dist/social-providers/microsoft-entra-id.d.mts

@@ -151,7 +151,7 @@ declare const microsoft: (options: MicrosoftOptions) => {
     user?: {
       name?: {
         firstName?: string;
-        lastName? /** The primary username that represents the user */: string;
+        lastName?: string;
       };
       email?: string;
     } | undefined;

package/dist/social-providers/microsoft-entra-id.mjs

@@ -8,9 +8,17 @@ import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 //#region src/social-providers/microsoft-entra-id.ts
+/**
+* Microsoft's fixed tenant id for personal (consumer) Microsoft accounts. Every
+* personal-account token carries it as the `tid` claim, so it distinguishes the
+* consumer account class from work/school tenants.
+* @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+*/
+const MICROSOFT_CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
 const microsoft = (options) => {
 	const tenant = options.tenantId || "common";
-	const authority = options.authority || "https://login.microsoftonline.com";
+	let authority = options.authority || "https://login.microsoftonline.com";
+	while (authority.endsWith("/")) authority = authority.slice(0, -1);
 	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
 	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
 	return {
@@ -70,6 +78,10 @@ const microsoft = (options) => {
 				if (tenant !== "common" && tenant !== "organizations" && tenant !== "consumers") verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
 				const { payload: jwtClaims } = await jwtVerify(token, publicKey, verifyOptions);
 				if (nonce && jwtClaims.nonce !== nonce) return false;
+				const tid = jwtClaims.tid;
+				if (typeof tid !== "string" || jwtClaims.iss !== `${authority}/${tid}/v2.0`) return false;
+				if (tenant === "organizations" && tid === MICROSOFT_CONSUMER_TENANT_ID) return false;
+				if (tenant === "consumers" && tid !== MICROSOFT_CONSUMER_TENANT_ID) return false;
 				return true;
 			} catch (error) {
 				logger.error("Failed to verify ID token:", error);

package/dist/social-providers/reddit.mjs

@@ -61,7 +61,7 @@ const reddit = (options) => {
 			} });
 			if (error) return null;
 			const userMap = await options.mapProfileToUser?.(profile);
-			const email = userMap?.email || `${profile.id}@reddit.com`;
+			const email = userMap?.email || `${profile.id}@reddit.invalid`;
 			return {
 				user: {
 					id: profile.id,

package/dist/social-providers/wechat.mjs

@@ -66,7 +66,7 @@ const wechat = (options) => {
 				user: {
 					id: profile.unionid || profile.openid || openid,
 					name: profile.nickname,
-					email: profile.email || null,
+					email: profile.email || `${profile.unionid || profile.openid || openid}@wechat.invalid`,
 					image: profile.headimgurl,
 					emailVerified: false,
 					...userMap

package/dist/types/context.d.mts

@@ -134,6 +134,22 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
    * pair at single-use credential consumption sites.
    */
   consumeVerificationValue(identifier: string): Promise<Verification | null>;
+  /**
+   * First-writer-wins create keyed by a deterministic primary key derived from
+   * `identifier`. Returns `true` when this caller created the row and `false`
+   * when a row for the same identifier already existed.
+   *
+   * The dual of `consumeVerificationValue`: reserve races to create a marker
+   * exactly once, where consume races to delete one exactly once. Use it for
+   * replay tombstones (a SAML assertion id, a JWT `jti`) where the first caller
+   * wins. The database path is atomic via the primary key; the
+   * secondary-storage-only path is best-effort under concurrency.
+   */
+  reserveVerificationValue(data: {
+    identifier: string;
+    value: string;
+    expiresAt: Date;
+  }): Promise<boolean>;
   updateVerificationByIdentifier(identifier: string, data: Partial<Verification>): Promise<Verification>;
   refreshUserSessions(user: User): Promise<void>;
 }

package/dist/types/init-options.d.mts

@@ -73,6 +73,35 @@ type BaseURLConfig = string | DynamicBaseURLConfig;
 interface BetterAuthRateLimitStorage {
   get: (key: string) => Promise<RateLimit | null | undefined>;
   set: (key: string, value: RateLimit, update?: boolean | undefined) => Promise<void>;
+  /**
+   * Atomically records one request against `key` within the `window`
+   * (in seconds) and reports whether it is allowed.
+   *
+   * When `allowed` is true the request was counted within the active window;
+   * when `allowed` is false the limit was already reached and `retryAfter` is
+   * the number of seconds until the window frees up. Whether the window slides
+   * or is fixed depends on the backing storage: the database backend resets
+   * once the window elapses, while secondary storage uses a fixed time-to-live
+   * set when the window first opens.
+   *
+   * Performing the check and the increment in a single step closes the
+   * concurrent-bypass gap of the separate `get`/`set` path: N simultaneous
+   * requests can no longer all pass a stale read before any increment lands.
+   *
+   * Optional for backwards compatibility. A storage without it falls back to
+   * the legacy non-atomic `get`/`set` path, which is best-effort under
+   * concurrency.
+   *
+   * TODO(rate-limit-consume-required): make this the sole required member on
+   * `next`, dropping `get`/`set` and the non-atomic fallback.
+   */
+  consume?: (key: string, rule: {
+    window: number;
+    max: number;
+  }) => Promise<{
+    allowed: boolean;
+    retryAfter: number | null;
+  }>;
 }
 type BetterAuthRateLimitRule = {
   /**

package/dist/types/plugin-client.d.mts

@@ -1,10 +1,20 @@
 import { LiteralString } from "./helper.mjs";
-import { BetterAuthPlugin } from "./plugin.mjs";
 import { BetterAuthOptions } from "./init-options.mjs";
 import { BetterFetch, BetterFetchOption, BetterFetchPlugin } from "@better-fetch/fetch";
 import { Atom, WritableAtom } from "nanostores";
 
 //#region src/types/plugin-client.d.ts
+type InferableServerPlugin = {
+  id?: LiteralString | undefined;
+  endpoints?: Record<string, unknown> | undefined;
+  schema?: Record<string, {
+    fields: Record<string, unknown>;
+  }> | undefined;
+  $ERROR_CODES?: Record<string, {
+    readonly code: string;
+    message: string;
+  }> | undefined;
+};
 interface ClientStore {
   notify: (signal: string) => void;
   listen: (signal: string, listener: () => void) => void;
@@ -71,7 +81,7 @@ interface BetterAuthClientPlugin {
    * only used for type inference. don't pass the
    * actual plugin
    */
-  $InferServerPlugin?: BetterAuthPlugin | undefined;
+  $InferServerPlugin?: InferableServerPlugin | undefined;
   /**
    * Custom actions
    */

package/dist/utils/host.mjs

@@ -126,6 +126,7 @@ function classifyIPv6(expanded) {
 	if (firstByte === 254 && (secondByte & 192) === 128) return "linkLocal";
 	if ((firstByte & 254) === 252) return "private";
 	if (expanded.startsWith("2001:0db8:")) return "documentation";
+	if (expanded.startsWith("2001:0002:0000:")) return "benchmarking";
 	if (expanded.startsWith("2002:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 1);
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
@@ -136,12 +137,15 @@ function classifyIPv6(expanded) {
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
 		return "reserved";
 	}
+	if (expanded.startsWith("0064:ff9b:0001:")) return "reserved";
 	if (expanded.startsWith("2001:0000:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 6, { xor: true });
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
 		return "reserved";
 	}
 	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
+	if (expanded.startsWith("3fff:0")) return "documentation";
+	if (expanded.startsWith("5f00:")) return "reserved";
 	return "public";
 }
 /**

package/dist/utils/url.mjs

@@ -22,9 +22,10 @@ function normalizePathname(requestUrl, basePath) {
 	} catch {
 		return "/";
 	}
-	if (basePath === "/" || basePath === "") return pathname;
-	if (pathname === basePath) return "/";
-	if (pathname.startsWith(basePath + "/")) return pathname.slice(basePath.length).replace(/\/+$/, "") || "/";
+	const normalizedBasePath = basePath.replace(/\/+$/, "");
+	if (normalizedBasePath === "") return pathname;
+	if (pathname === normalizedBasePath) return "/";
+	if (pathname.startsWith(normalizedBasePath + "/")) return pathname.slice(normalizedBasePath.length).replace(/\/+$/, "") || "/";
 	return pathname;
 }
 /**