@better-auth/core 1.6.5 → 1.6.7

package/dist/api/index.mjs

@@ -1,6 +1,23 @@
 import { runWithEndpointContext } from "../context/endpoint-context.mjs";
-import { createEndpoint, createMiddleware } from "better-call";
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { createEndpoint, createMiddleware, kAPIErrorHeaderSymbol } from "better-call";
 //#region src/api/index.ts
+/**
+* Better-call's createEndpoint re-throws APIError without exposing the headers
+* accumulated on ctx.responseHeaders (e.g. Set-Cookie from deleteSessionCookie
+* before throw). Attach them to the error via kAPIErrorHeaderSymbol — matching
+* better-call's createMiddleware contract so the outer pipeline can merge them
+* into the response.
+*/
+function attachResponseHeadersToAPIError(responseHeaders, e) {
+	if (!isAPIError(e) || !responseHeaders) return;
+	Object.defineProperty(e, kAPIErrorHeaderSymbol, {
+		enumerable: false,
+		configurable: true,
+		value: responseHeaders,
+		writable: false
+	});
+}
 const optionsMiddleware = createMiddleware(async () => {
 	/**
 	* This will be passed on the instance of
@@ -17,14 +34,23 @@ function createAuthEndpoint(pathOrOptions, handlerOrOptions, handlerOrNever) {
 	const path = typeof pathOrOptions === "string" ? pathOrOptions : void 0;
 	const options = typeof handlerOrOptions === "object" ? handlerOrOptions : pathOrOptions;
 	const handler = typeof handlerOrOptions === "function" ? handlerOrOptions : handlerOrNever;
+	const wrapped = async (ctx) => {
+		const runtimeCtx = ctx;
+		try {
+			return await runWithEndpointContext(ctx, () => handler(ctx));
+		} catch (e) {
+			attachResponseHeadersToAPIError(runtimeCtx.responseHeaders, e);
+			throw e;
+		}
+	};
 	if (path) return createEndpoint(path, {
 		...options,
 		use: [...options?.use || [], ...use]
-	}, async (ctx) => runWithEndpointContext(ctx, () => handler(ctx)));
+	}, wrapped);
 	return createEndpoint({
 		...options,
 		use: [...options?.use || [], ...use]
-	}, async (ctx) => runWithEndpointContext(ctx, () => handler(ctx)));
+	}, wrapped);
 }
 //#endregion
 export { createAuthEndpoint, createAuthMiddleware, optionsMiddleware };

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.6.5";
+const __betterAuthVersion = "1.6.7";
 /**
 * We store context instance in the globalThis.
 *

package/dist/db/adapter/factory.mjs

@@ -1,7 +1,7 @@
+import { BetterAuthError } from "../../error/index.mjs";
 import { getAuthTables } from "../get-tables.mjs";
 import { getColorDepth } from "../../env/color-depth.mjs";
 import { TTY_COLORS, createLogger } from "../../env/logger.mjs";
-import { BetterAuthError } from "../../error/index.mjs";
 import { ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME } from "../../instrumentation/attributes.mjs";
 import { withSpan } from "../../instrumentation/tracer.mjs";
 import { safeJSONParse } from "../../utils/json.mjs";

package/dist/instrumentation/api.mjs

@@ -0,0 +1,12 @@
+import { noopOpenTelemetryAPI } from "./noop.mjs";
+//#region src/instrumentation/api.ts
+let openTelemetryAPIPromise;
+let openTelemetryAPI;
+function getOpenTelemetryAPI() {
+	if (!openTelemetryAPIPromise) openTelemetryAPIPromise = import("@opentelemetry/api").then((mod) => {
+		openTelemetryAPI = mod;
+	}).catch(() => void 0);
+	return openTelemetryAPI ?? noopOpenTelemetryAPI;
+}
+//#endregion
+export { getOpenTelemetryAPI };

package/dist/instrumentation/noop.mjs

@@ -0,0 +1,42 @@
+//#region src/instrumentation/noop.ts
+function createNoopSpan() {
+	const span = {
+		end() {},
+		setAttribute(_key, _value) {},
+		setStatus(_status) {},
+		recordException(_exception) {},
+		updateName(_name) {
+			return span;
+		}
+	};
+	return span;
+}
+function createNoopTracer(noopSpan) {
+	function startActiveSpan(_name, ...rest) {
+		const fn = rest[rest.length - 1];
+		return fn(noopSpan);
+	}
+	return { startActiveSpan };
+}
+function createNoopTraceAPI() {
+	const noopTracer = createNoopTracer(createNoopSpan());
+	return {
+		getTracer(_name, _version) {
+			return noopTracer;
+		},
+		getActiveSpan() {}
+	};
+}
+function createNoopOpenTelemetryAPI() {
+	return {
+		SpanStatusCode: {
+			UNSET: 0,
+			OK: 1,
+			ERROR: 2
+		},
+		trace: createNoopTraceAPI()
+	};
+}
+const noopOpenTelemetryAPI = createNoopOpenTelemetryAPI();
+//#endregion
+export { noopOpenTelemetryAPI };

package/dist/instrumentation/pure.index.d.mts

@@ -0,0 +1,7 @@
+import { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID } from "./attributes.mjs";
+
+//#region src/instrumentation/pure.index.d.ts
+declare function withSpan<T>(name: string, attributes: Record<string, string | number | boolean>, fn: () => T): T;
+declare function withSpan<T>(name: string, attributes: Record<string, string | number | boolean>, fn: () => Promise<T>): Promise<T>;
+//#endregion
+export { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan };

package/dist/instrumentation/pure.index.mjs

@@ -0,0 +1,7 @@
+import { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID } from "./attributes.mjs";
+//#region src/instrumentation/pure.index.ts
+function withSpan(_name, _attributes, fn) {
+	return fn();
+}
+//#endregion
+export { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan };

package/dist/instrumentation/tracer.mjs

@@ -1,7 +1,8 @@
 import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
-import { SpanStatusCode, trace } from "@opentelemetry/api";
+import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
-const tracer = trace.getTracer("better-auth", "1.6.5");
+const INSTRUMENTATION_SCOPE = "better-auth";
+const INSTRUMENTATION_VERSION = "1.6.7";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be
@@ -15,6 +16,7 @@ function isRedirectError(err) {
 	return false;
 }
 function endSpanWithError(span, err) {
+	const { SpanStatusCode } = getOpenTelemetryAPI();
 	if (isRedirectError(err)) {
 		span.setAttribute(ATTR_HTTP_RESPONSE_STATUS_CODE, err.statusCode);
 		span.setStatus({ code: SpanStatusCode.OK });
@@ -28,7 +30,8 @@ function endSpanWithError(span, err) {
 	span.end();
 }
 function withSpan(name, attributes, fn) {
-	return tracer.startActiveSpan(name, { attributes }, (span) => {
+	const { trace } = getOpenTelemetryAPI();
+	return trace.getTracer(INSTRUMENTATION_SCOPE, INSTRUMENTATION_VERSION).startActiveSpan(name, { attributes }, (span) => {
 		try {
 			const result = fn();
 			if (result instanceof Promise) return result.then((value) => {

package/dist/oauth2/index.d.mts

@@ -2,7 +2,7 @@ import { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions } from "./
 import { clientCredentialsToken, clientCredentialsTokenRequest, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
 import { createAuthorizationURL } from "./create-authorization-url.mjs";
 import { createRefreshAccessTokenRequest, refreshAccessToken, refreshAccessTokenRequest } from "./refresh-access-token.mjs";
-import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId } from "./utils.mjs";
 import { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
 import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
-export { type OAuth2Tokens, type OAuth2UserInfo, type OAuthProvider, type ProviderOptions, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, refreshAccessTokenRequest, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };
+export { type OAuth2Tokens, type OAuth2UserInfo, type OAuthProvider, type ProviderOptions, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, getPrimaryClientId, refreshAccessToken, refreshAccessTokenRequest, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/index.mjs

@@ -1,7 +1,7 @@
 import { clientCredentialsToken, clientCredentialsTokenRequest, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
-import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId } from "./utils.mjs";
 import { createAuthorizationURL } from "./create-authorization-url.mjs";
 import { createRefreshAccessTokenRequest, refreshAccessToken, refreshAccessTokenRequest } from "./refresh-access-token.mjs";
 import { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
 import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
-export { authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, refreshAccessTokenRequest, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };
+export { authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, getPrimaryClientId, refreshAccessToken, refreshAccessTokenRequest, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/utils.d.mts

@@ -2,6 +2,15 @@ import { OAuth2Tokens } from "./oauth-provider.mjs";
 
 //#region src/oauth2/utils.d.ts
 declare function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens;
+/**
+ * Return the provider's primary Client ID: the single string, or the entry at
+ * array index 0 for the cross-platform form used by ID token audience
+ * verification. Index 0 is the designated primary and pairs with
+ * `clientSecret` for the authorization code flow; later array entries are
+ * only used as additional accepted audiences. Returns `undefined` when the
+ * primary value is missing or an empty string.
+ */
+declare function getPrimaryClientId(clientId: unknown): string | undefined;
 declare function generateCodeChallenge(codeVerifier: string): Promise<string>;
 //#endregion
-export { generateCodeChallenge, getOAuth2Tokens };
+export { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };

package/dist/oauth2/utils.mjs

@@ -16,10 +16,22 @@ function getOAuth2Tokens(data) {
 		raw: data
 	};
 }
+/**
+* Return the provider's primary Client ID: the single string, or the entry at
+* array index 0 for the cross-platform form used by ID token audience
+* verification. Index 0 is the designated primary and pairs with
+* `clientSecret` for the authorization code flow; later array entries are
+* only used as additional accepted audiences. Returns `undefined` when the
+* primary value is missing or an empty string.
+*/
+function getPrimaryClientId(clientId) {
+	const value = Array.isArray(clientId) ? clientId[0] : clientId;
+	return typeof value === "string" && value.length > 0 ? value : void 0;
+}
 async function generateCodeChallenge(codeVerifier) {
 	const data = new TextEncoder().encode(codeVerifier);
 	const hash = await crypto.subtle.digest("SHA-256", data);
 	return base64Url.encode(new Uint8Array(hash), { padding: false });
 }
 //#endregion
-export { generateCodeChallenge, getOAuth2Tokens };
+export { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };

package/dist/social-providers/apple.d.mts

@@ -60,7 +60,7 @@ interface AppleNonConformUser {
   email: string;
 }
 interface AppleOptions extends ProviderOptions<AppleProfile> {
-  clientId: string;
+  clientId: string | string[];
   appBundleIdentifier?: string | undefined;
   audience?: (string | string[]) | undefined;
 }
@@ -93,7 +93,16 @@ declare const apple: (options: AppleOptions) => {
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
     user?: {
-      name?: {
+      name?
+      /**
+      * An Integer value that indicates whether the user appears to be a real
+      * person. Use the value of this claim to mitigate fraud. The possible
+      * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+      * more information, see ASUserDetectionStatus. This claim is present only
+      * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+      * and later. The claim isn’t present or supported for web-based apps.
+      */
+      : {
         firstName?: string;
         lastName?: string;
       };

package/dist/social-providers/apple.mjs

@@ -1,4 +1,6 @@
-import { APIError } from "../error/index.mjs";
+import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -11,6 +13,10 @@ const apple = (options) => {
 		id: "apple",
 		name: "Apple",
 		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error("Client ID and client secret are required for Apple. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
 			if (options.scope) _scope.push(...options.scope);
 			if (scopes) _scope.push(...scopes);

package/dist/social-providers/atlassian.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/social-providers/cognito.d.mts

@@ -19,7 +19,7 @@ interface CognitoProfile {
   [key: string]: any;
 }
 interface CognitoOptions extends ProviderOptions<CognitoProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * The Cognito domain (e.g., "your-app.auth.us-east-1.amazoncognito.com")
    */

package/dist/social-providers/cognito.mjs

@@ -1,5 +1,6 @@
-import { logger } from "../env/logger.mjs";
 import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -19,7 +20,7 @@ const cognito = (options) => {
 		id: "cognito",
 		name: "Cognito",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
-			if (!options.clientId) {
+			if (!getPrimaryClientId(options.clientId)) {
 				logger.error("ClientId is required for Amazon Cognito. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}

package/dist/social-providers/facebook.d.mts

@@ -15,7 +15,7 @@ interface FacebookProfile {
   };
 }
 interface FacebookOptions extends ProviderOptions<FacebookProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * Extend list of fields to retrieve from the Facebook user profile.
    *

package/dist/social-providers/facebook.mjs

@@ -1,3 +1,6 @@
+import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -9,6 +12,10 @@ const facebook = (options) => {
 		id: "facebook",
 		name: "Facebook",
 		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error("Client ID and client secret are required for Facebook. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scopes = options.disableDefaultScope ? [] : ["email", "public_profile"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);

package/dist/social-providers/figma.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/social-providers/google.d.mts

@@ -27,7 +27,7 @@ interface GoogleProfile {
   sub: string;
 }
 interface GoogleOptions extends ProviderOptions<GoogleProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * The access type to use for the authorization code request
    */

package/dist/social-providers/google.mjs

@@ -1,5 +1,6 @@
-import { logger } from "../env/logger.mjs";
 import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -11,7 +12,7 @@ const google = (options) => {
 		id: "google",
 		name: "Google",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, display }) {
-			if (!options.clientId || !options.clientSecret) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}

package/dist/social-providers/microsoft-entra-id.d.mts

@@ -104,7 +104,7 @@ interface MicrosoftEntraIDProfile extends Record<string, any> {
   given_name: string;
 }
 interface MicrosoftOptions extends ProviderOptions<MicrosoftEntraIDProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * The tenant ID of the Microsoft account
    * @default "common"
@@ -151,7 +151,7 @@ declare const microsoft: (options: MicrosoftOptions) => {
     user?: {
       name?: {
         firstName?: string;
-        lastName?: string;
+        lastName? /** The primary username that represents the user */: string;
       };
       email?: string;
     } | undefined;

package/dist/social-providers/microsoft-entra-id.mjs

@@ -1,5 +1,6 @@
+import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { APIError } from "../error/index.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -16,6 +17,10 @@ const microsoft = (options) => {
 		id: "microsoft",
 		name: "Microsoft EntraID",
 		createAuthorizationURL(data) {
+			if (!getPrimaryClientId(options.clientId)) {
+				logger.error("Client Id is required for Microsoft Entra ID. Make sure to provide it in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const scopes = options.disableDefaultScope ? [] : [
 				"openid",
 				"profile",

package/dist/social-providers/paybin.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/social-providers/paypal.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";

package/dist/social-providers/salesforce.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/utils/async.d.mts

@@ -0,0 +1,22 @@
+import { Awaitable } from "../types/helper.mjs";
+
+//#region src/utils/async.d.ts
+interface MapConcurrentOptions {
+  /**
+   * Max in-flight mappers. Non-integer values are floored, then clamped
+   * to the range `[1, items.length]`. `NaN` falls back to 1.
+   */
+  concurrency: number;
+  /**
+   * Rejects with `signal.reason` when aborted. In-flight mappers keep
+   * running but their results are not returned.
+   */
+  signal?: AbortSignal;
+}
+/**
+ * Run an async mapper over items with bounded concurrency.
+ * Preserves input order in the result. Fails fast on the first rejection.
+ */
+declare function mapConcurrent<T, R>(items: readonly T[], fn: (item: T, index: number) => Awaitable<R>, options: MapConcurrentOptions): Promise<R[]>;
+//#endregion
+export { MapConcurrentOptions, mapConcurrent };

package/dist/utils/async.mjs

@@ -0,0 +1,32 @@
+//#region src/utils/async.ts
+/**
+* Run an async mapper over items with bounded concurrency.
+* Preserves input order in the result. Fails fast on the first rejection.
+*/
+async function mapConcurrent(items, fn, options) {
+	const n = items.length;
+	if (n === 0) return [];
+	const { signal } = options;
+	if (signal?.aborted) throw signal.reason;
+	const raw = Math.floor(options.concurrency);
+	const width = Math.min(n, raw >= 1 ? raw : 1);
+	const results = new Array(n);
+	let idx = 0;
+	let failed = false;
+	const worker = async () => {
+		while (!failed && idx < n) {
+			if (signal?.aborted) throw signal.reason;
+			const i = idx++;
+			try {
+				results[i] = await fn(items[i], i);
+			} catch (error) {
+				failed = true;
+				throw error;
+			}
+		}
+	};
+	await Promise.all(Array.from({ length: width }, worker));
+	return results;
+}
+//#endregion
+export { mapConcurrent };