@better-auth/core 1.6.18 → 1.6.20

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.6.18";
+const __betterAuthVersion = "1.6.20";
 /**
 * We store context instance in the globalThis.
 *

package/dist/context/transaction.d.mts

@@ -1,10 +1,13 @@
 import { DBAdapter, DBTransactionAdapter } from "../db/adapter/index.mjs";
+import { BetterAuthOptions } from "../types/init-options.mjs";
 import { AsyncLocalStorage } from "node:async_hooks";
 
 //#region src/context/transaction.d.ts
+type StoredAdapter = DBTransactionAdapter<BetterAuthOptions>;
 type HookContext = {
-  adapter: DBTransactionAdapter;
+  adapter: StoredAdapter;
   pendingHooks: Array<() => Promise<void>>;
+  isTransactionActive: boolean;
 };
 /**
  * This is for internal use only. Most users should use `getCurrentAdapter` instead.
@@ -12,9 +15,9 @@ type HookContext = {
  * It is exposed for advanced use cases where you need direct access to the AsyncLocalStorage instance.
  */
 declare const getCurrentDBAdapterAsyncLocalStorage: () => Promise<AsyncLocalStorage<HookContext>>;
-declare const getCurrentAdapter: (fallback: DBTransactionAdapter) => Promise<DBTransactionAdapter>;
-declare const runWithAdapter: <R>(adapter: DBAdapter, fn: () => R) => Promise<R>;
-declare const runWithTransaction: <R>(adapter: DBAdapter, fn: () => R) => Promise<R>;
+declare const getCurrentAdapter: <Options extends BetterAuthOptions = BetterAuthOptions>(fallback: DBTransactionAdapter<Options>) => Promise<DBTransactionAdapter<Options>>;
+declare const runWithAdapter: <R, Options extends BetterAuthOptions = BetterAuthOptions>(adapter: DBAdapter<Options>, fn: () => R) => Promise<R>;
+declare const runWithTransaction: <R, Options extends BetterAuthOptions = BetterAuthOptions>(adapter: DBAdapter<Options>, fn: () => R) => Promise<R>;
 /**
  * Queue a hook to be executed after the current transaction commits.
  * If not in a transaction, the hook will execute immediately.

package/dist/context/transaction.mjs

@@ -35,7 +35,8 @@ const runWithAdapter = async (adapter, fn) => {
 		try {
 			result = await als.run({
 				adapter,
-				pendingHooks
+				pendingHooks,
+				isTransactionActive: false
 			}, fn);
 		} catch (err) {
 			error = err;
@@ -50,9 +51,10 @@ const runWithAdapter = async (adapter, fn) => {
 	});
 };
 const runWithTransaction = async (adapter, fn) => {
-	let called = true;
+	let called = false;
 	return ensureAsyncStorage().then(async (als) => {
 		called = true;
+		if (als.getStore()?.isTransactionActive) return fn();
 		const pendingHooks = [];
 		let result;
 		let error;
@@ -61,7 +63,8 @@ const runWithTransaction = async (adapter, fn) => {
 			result = await adapter.transaction(async (trx) => {
 				return als.run({
 					adapter: trx,
-					pendingHooks
+					pendingHooks,
+					isTransactionActive: true
 				}, fn);
 			});
 		} catch (e) {

package/dist/db/adapter/factory.mjs

@@ -1,3 +1,4 @@
+import { getCurrentAdapter, runWithTransaction } from "../../context/transaction.mjs";
 import { BetterAuthError } from "../../error/index.mjs";
 import { getAuthTables } from "../get-tables.mjs";
 import { getColorDepth } from "../../env/color-depth.mjs";
@@ -705,7 +706,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 				res = await withSpan(`db consumeOne ${model}`, {
 					[ATTR_DB_OPERATION_NAME]: "consumeOne",
 					[ATTR_DB_COLLECTION_NAME]: model
-				}, () => adapter.transaction(async (trx) => {
+				}, () => runWithTransaction(adapter, async () => {
+					const trx = await getCurrentAdapter(adapter);
 					const target = (await trx.findMany({
 						model: unsafeModel,
 						where: unsafeWhere,
@@ -740,6 +742,9 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 			return transformed;
 		},
 		incrementOne: async ({ model: unsafeModel, where: unsafeWhere, increment: unsafeIncrement, set: unsafeSet }) => {
+			const hasIncrement = Object.keys(unsafeIncrement).length > 0;
+			const hasSet = !!unsafeSet && Object.keys(unsafeSet).length > 0;
+			if (!hasIncrement && !hasSet) throw new BetterAuthError("incrementOne requires a non-empty `increment` or `set`; both were empty.");
 			transactionId++;
 			const thisTransactionId = transactionId;
 			const model = getModelName(unsafeModel);
@@ -767,6 +772,7 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 				let set;
 				if (unsafeSet && !config.disableTransformInput) set = await transformInput(unsafeSet, unsafeModel, "update");
 				else set = unsafeSet;
+				if (Object.keys(increment).length === 0 && (!set || Object.keys(set).length === 0)) throw new BetterAuthError("incrementOne resolved to an empty update: every increment/set field was unknown to the schema or transformed away.");
 				res = await withSpan(`db incrementOne ${model}`, {
 					[ATTR_DB_OPERATION_NAME]: "incrementOne",
 					[ATTR_DB_COLLECTION_NAME]: model
@@ -780,7 +786,8 @@ const createAdapterFactory = ({ adapter: customAdapter, config: cfg }) => (optio
 				res = await withSpan(`db incrementOne ${model}`, {
 					[ATTR_DB_OPERATION_NAME]: "incrementOne",
 					[ATTR_DB_COLLECTION_NAME]: model
-				}, () => adapter.transaction(async (trx) => {
+				}, () => runWithTransaction(adapter, async () => {
+					const trx = await getCurrentAdapter(adapter);
 					const target = (await trx.findMany({
 						model: unsafeModel,
 						where: unsafeWhere,

package/dist/error/index.d.mts

@@ -7,7 +7,14 @@ declare class BetterAuthError extends Error {
     cause?: unknown | undefined;
   });
 }
+type BaseAPIErrorInstance = InstanceType<typeof APIError$1>;
 declare class APIError extends APIError$1 {
+  status: BaseAPIErrorInstance["status"];
+  body: BaseAPIErrorInstance["body"];
+  headers: BaseAPIErrorInstance["headers"];
+  statusCode: BaseAPIErrorInstance["statusCode"];
+  message: string;
+  errorStack: BaseAPIErrorInstance["errorStack"];
   constructor(...args: ConstructorParameters<typeof APIError$1>);
   static fromStatus(status: ConstructorParameters<typeof APIError$1>[0], body?: ConstructorParameters<typeof APIError$1>[1]): APIError;
   static from(status: ConstructorParameters<typeof APIError$1>[0], error: {

package/dist/instrumentation/tracer.mjs

@@ -2,7 +2,7 @@ import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
 import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
 const INSTRUMENTATION_SCOPE = "better-auth";
-const INSTRUMENTATION_VERSION = "1.6.18";
+const INSTRUMENTATION_VERSION = "1.6.20";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be

package/dist/types/init-options.d.mts

@@ -1033,9 +1033,13 @@ type BetterAuthOptions = {
      */
     storeStateStrategy?: "database" | "cookie";
     /**
-     * Store account data after oauth flow on a cookie
+     * Store provider account data after an OAuth flow in an encrypted
+     * cookie. This includes OAuth token material such as access tokens,
+     * refresh tokens, ID tokens, scopes, and token expiry.
      *
-     * This is useful for database-less flow
+     * This is useful for database-less flows, but large provider tokens can
+     * still hit browser or proxy cookie/header limits even though Better Auth
+     * chunks oversized account cookies.
      *
      * @default false
      *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.6.18",
+  "version": "1.6.20",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -152,8 +152,8 @@
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.3.0",
+    "@better-auth/utils": "0.4.2",
+    "@better-fetch/fetch": "1.3.1",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/sdk-trace-base": "^1.30.0",
     "@opentelemetry/sdk-trace-node": "^1.30.0",
@@ -165,8 +165,8 @@
     "tsdown": "0.21.1"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.3.0",
+    "@better-auth/utils": "0.4.2",
+    "@better-fetch/fetch": "1.3.1",
     "@opentelemetry/api": "^1.9.0",
     "better-call": "1.3.6",
     "@cloudflare/workers-types": ">=4",

package/src/context/transaction.ts

@@ -1,11 +1,15 @@
 import type { AsyncLocalStorage } from "node:async_hooks";
 import { getAsyncLocalStorage } from "@better-auth/core/async_hooks";
 import type { DBAdapter, DBTransactionAdapter } from "../db/adapter";
+import type { BetterAuthOptions } from "../types";
 import { __getBetterAuthGlobal } from "./global";
 
+type StoredAdapter = DBTransactionAdapter<BetterAuthOptions>;
+
 type HookContext = {
-	adapter: DBTransactionAdapter;
+	adapter: StoredAdapter;
 	pendingHooks: Array<() => Promise<void>>;
+	isTransactionActive: boolean;
 };
 
 const ensureAsyncStorage = async () => {
@@ -27,21 +31,29 @@ export const getCurrentDBAdapterAsyncLocalStorage = async () => {
 	return ensureAsyncStorage();
 };
 
-export const getCurrentAdapter = async (
-	fallback: DBTransactionAdapter,
-): Promise<DBTransactionAdapter> => {
+export const getCurrentAdapter = async <
+	Options extends BetterAuthOptions = BetterAuthOptions,
+>(
+	fallback: DBTransactionAdapter<Options>,
+): Promise<DBTransactionAdapter<Options>> => {
 	return ensureAsyncStorage()
 		.then((als) => {
 			const store = als.getStore();
-			return store?.adapter || fallback;
+			return (
+				(store?.adapter as DBTransactionAdapter<Options> | undefined) ||
+				fallback
+			);
 		})
 		.catch(() => {
 			return fallback;
 		});
 };
 
-export const runWithAdapter = async <R>(
-	adapter: DBAdapter,
+export const runWithAdapter = async <
+	R,
+	Options extends BetterAuthOptions = BetterAuthOptions,
+>(
+	adapter: DBAdapter<Options>,
 	fn: () => R,
 ): Promise<R> => {
 	let called = false;
@@ -53,7 +65,14 @@ export const runWithAdapter = async <R>(
 			let error: unknown;
 			let hasError = false;
 			try {
-				result = await als.run({ adapter, pendingHooks }, fn);
+				result = await als.run(
+					{
+						adapter: adapter as unknown as StoredAdapter,
+						pendingHooks,
+						isTransactionActive: false,
+					},
+					fn,
+				);
 			} catch (err) {
 				error = err;
 				hasError = true;
@@ -75,21 +94,35 @@ export const runWithAdapter = async <R>(
 		});
 };
 
-export const runWithTransaction = async <R>(
-	adapter: DBAdapter,
+export const runWithTransaction = async <
+	R,
+	Options extends BetterAuthOptions = BetterAuthOptions,
+>(
+	adapter: DBAdapter<Options>,
 	fn: () => R,
 ): Promise<R> => {
-	let called = true;
+	let called = false;
 	return ensureAsyncStorage()
 		.then(async (als) => {
 			called = true;
+			const store = als.getStore();
+			if (store?.isTransactionActive) {
+				return fn();
+			}
 			const pendingHooks: Array<() => Promise<void>> = [];
 			let result: Awaited<R>;
 			let error: unknown;
 			let hasError = false;
 			try {
 				result = await adapter.transaction(async (trx) => {
-					return als.run({ adapter: trx, pendingHooks }, fn);
+					return als.run(
+						{
+							adapter: trx as unknown as StoredAdapter,
+							pendingHooks,
+							isTransactionActive: true,
+						},
+						fn,
+					);
 				});
 			} catch (e) {
 				hasError = true;

package/src/db/adapter/factory.ts

@@ -3,6 +3,10 @@ import {
 	ATTR_DB_OPERATION_NAME,
 	withSpan,
 } from "@better-auth/core/instrumentation";
+import {
+	getCurrentAdapter,
+	runWithTransaction,
+} from "../../context/transaction";
 import { createLogger, getColorDepth, TTY_COLORS } from "../../env";
 import { BetterAuthError } from "../../error";
 import type { BetterAuthOptions } from "../../types";
@@ -1364,11 +1368,9 @@ export const createAdapterFactory =
 					// engines with real transaction isolation; race window narrows
 					// (does not close) on adapters that fall through to sequential
 					// execution. Remove this branch when consumeOne becomes required.
-					// FIXME(consume-one-nested-transaction): custom adapters without a
-					// native consumeOne have no portable signal for "already inside a
-					// transaction". First-party adapters mark transaction-scoped
-					// adapters as as-is; make that capability explicit in the next
-					// breaking adapter contract.
+					// Use Better Auth's transaction context here, not a direct adapter
+					// transaction, so callers already inside a transaction keep using
+					// the active transaction adapter.
 					res = await withSpan(
 						`db consumeOne ${model}`,
 						{
@@ -1376,7 +1378,8 @@ export const createAdapterFactory =
 							[ATTR_DB_COLLECTION_NAME]: model,
 						},
 						() =>
-							adapter.transaction(async (trx) => {
+							runWithTransaction(adapter, async () => {
+								const trx = await getCurrentAdapter(adapter);
 								const rows = await trx.findMany<Record<string, any>>({
 									model: unsafeModel,
 									where: unsafeWhere,
@@ -1447,6 +1450,16 @@ export const createAdapterFactory =
 				increment: Record<string, number>;
 				set?: Record<string, unknown> | undefined;
 			}): Promise<T | null> => {
+				const hasIncrement = Object.keys(unsafeIncrement).length > 0;
+				const hasSet = !!unsafeSet && Object.keys(unsafeSet).length > 0;
+				if (!hasIncrement && !hasSet) {
+					// An empty `increment` and empty `set` compiles to `UPDATE ... SET `
+					// with no assignments, which is a syntax error on kysely, drizzle, and
+					// Prisma. Fail fast with an actionable message instead.
+					throw new BetterAuthError(
+						"incrementOne requires a non-empty `increment` or `set`; both were empty.",
+					);
+				}
 				transactionId++;
 				const thisTransactionId = transactionId;
 				const model = getModelName(unsafeModel);
@@ -1483,6 +1496,17 @@ export const createAdapterFactory =
 					} else {
 						set = unsafeSet;
 					}
+					// `transformInput` drops unknown-to-schema and `undefined` fields, so
+					// a `set` that was non-empty on input can resolve to nothing. Re-check
+					// after mapping so this never reaches the adapter as an empty UPDATE.
+					if (
+						Object.keys(increment).length === 0 &&
+						(!set || Object.keys(set).length === 0)
+					) {
+						throw new BetterAuthError(
+							"incrementOne resolved to an empty update: every increment/set field was unknown to the schema or transformed away.",
+						);
+					}
 					res = await withSpan(
 						`db incrementOne ${model}`,
 						{
@@ -1508,7 +1532,8 @@ export const createAdapterFactory =
 							[ATTR_DB_COLLECTION_NAME]: model,
 						},
 						() =>
-							adapter.transaction(async (trx) => {
+							runWithTransaction(adapter, async () => {
+								const trx = await getCurrentAdapter(adapter);
 								const rows = await trx.findMany<Record<string, any>>({
 									model: unsafeModel,
 									where: unsafeWhere,

package/src/error/index.ts

@@ -11,7 +11,16 @@ export class BetterAuthError extends Error {
 
 export { type APIErrorCode, BASE_ERROR_CODES } from "./codes";
 
+type BaseAPIErrorInstance = InstanceType<typeof BaseAPIError>;
+
 export class APIError extends BaseAPIError {
+	declare status: BaseAPIErrorInstance["status"];
+	declare body: BaseAPIErrorInstance["body"];
+	declare headers: BaseAPIErrorInstance["headers"];
+	declare statusCode: BaseAPIErrorInstance["statusCode"];
+	declare message: string;
+	declare errorStack: BaseAPIErrorInstance["errorStack"];
+
 	constructor(...args: ConstructorParameters<typeof BaseAPIError>) {
 		super(...args);
 	}

package/src/types/init-options.ts

@@ -1160,9 +1160,13 @@ export type BetterAuthOptions = {
 				 */
 				storeStateStrategy?: "database" | "cookie";
 				/**
-				 * Store account data after oauth flow on a cookie
+				 * Store provider account data after an OAuth flow in an encrypted
+				 * cookie. This includes OAuth token material such as access tokens,
+				 * refresh tokens, ID tokens, scopes, and token expiry.
 				 *
-				 * This is useful for database-less flow
+				 * This is useful for database-less flows, but large provider tokens can
+				 * still hit browser or proxy cookie/header limits even though Better Auth
+				 * chunks oversized account cookies.
 				 *
 				 * @default false
 				 *