@better-auth/core 1.6.5 → 1.6.7

package/dist/utils/host.d.mts

@@ -0,0 +1,147 @@
+//#region src/utils/host.d.ts
+/**
+ * Host classification per RFC 6890 (Special-Purpose IP Address Registries),
+ * RFC 6761 (Special-Use Domain Names), and RFC 8252 §7.3 (loopback redirect URIs).
+ *
+ * This module is the single source of truth for "is this host public? private?
+ * loopback? link-local?" in the codebase. Consumers MUST prefer these predicates
+ * over bespoke regexes or substring matches; divergent checks are how bypass
+ * vulnerabilities get introduced (e.g. Oligo's "0.0.0.0 Day" 2024).
+ *
+ * Four user-facing primitives:
+ *
+ *   - `classifyHost(host)` — the workhorse. Returns a {@link HostClassification}
+ *     with `kind`, `literal`, and `canonical` fields.
+ *   - `isLoopbackIP(host)` — strict: IPv4 `127.0.0.0/8` or IPv6 `::1` only.
+ *     Use this for RFC 8252 §7.3 loopback redirect URI matching where IP
+ *     literals are REQUIRED.
+ *   - `isLoopbackHost(host)` — permissive: also accepts `localhost` and RFC 6761
+ *     `.localhost` subdomains. Use this for developer ergonomics (CORS, cookie
+ *     secure bypass, dev-mode HTTP allow-list).
+ *   - `isPublicRoutableHost(host)` — SSRF gate. Returns false for every
+ *     non-`public` kind. Use this before server-side fetches to user-controlled
+ *     URLs.
+ */
+/**
+ * The semantic kind of a host, derived from RFC 6890 special-purpose registries
+ * plus a few domain-name categories (localhost, cloud metadata FQDNs).
+ */
+type HostKind = /** IPv4 `127.0.0.0/8` or IPv6 `::1`. */"loopback" /** DNS name `localhost` or RFC 6761 `.localhost` TLD. */ | "localhost" /** IPv4 `0.0.0.0` or IPv6 `::` — "this host on this network", not loopback. */ | "unspecified" /** RFC 1918 `10/8`, `172.16/12`, `192.168/16`, or IPv6 ULA `fc00::/7`. */ | "private" /** IPv4 `169.254/16` or IPv6 `fe80::/10`. Includes AWS IMDS `169.254.169.254`. */ | "linkLocal" /** RFC 6598 carrier-grade NAT `100.64.0.0/10`. */ | "sharedAddressSpace" /** RFC 5737 `192.0.2/24`, `198.51.100/24`, `203.0.113/24`, or RFC 3849 `2001:db8::/32`. */ | "documentation" /** RFC 2544 `198.18.0.0/15`. */ | "benchmarking" /** IPv4 `224.0.0.0/4` or IPv6 `ff00::/8`. */ | "multicast" /** IPv4 limited broadcast `255.255.255.255`. */ | "broadcast" /** Other RFC 6890 special-purpose ranges (0/8, 192.0.0/24, 240/4, 2001::/32, etc.). */ | "reserved" /** Cloud metadata service FQDN (e.g. `metadata.google.internal`). */ | "cloudMetadata" /** Any host not matching a special-purpose range above. */ | "public";
+/**
+ * The syntactic form of the input host: an IPv4 literal, an IPv6 literal, or
+ * a domain name. IPv4-mapped IPv6 (`::ffff:192.0.2.1`) is reported as `ipv4`
+ * because it's unmapped during canonicalization.
+ */
+type HostLiteral = "ipv4" | "ipv6" | "fqdn";
+/**
+ * Result of {@link classifyHost}. All fields are readonly.
+ *
+ * @property kind - Semantic classification per RFC 6890 + RFC 6761.
+ * @property literal - Syntactic form of the input (IPv4, IPv6, or FQDN).
+ * @property canonical - Lowercase, port-stripped, bracket-stripped, zone-id-stripped
+ *   form suitable for equality comparison. IPv6 is expanded to full form.
+ *   IPv4-mapped IPv6 is collapsed to the underlying IPv4.
+ */
+interface HostClassification {
+  readonly kind: HostKind;
+  readonly literal: HostLiteral;
+  readonly canonical: string;
+}
+/**
+ * Classify a host string according to RFC 6890 / RFC 6761.
+ *
+ * Accepts inputs in any of these shapes and normalizes before classifying:
+ *
+ *   - Bare IPv4: `127.0.0.1`
+ *   - Bare IPv6: `::1`, `fe80::1%eth0`
+ *   - Bracketed IPv6: `[::1]`
+ *   - Host with port: `localhost:3000`, `127.0.0.1:443`, `[::1]:8080`
+ *   - FQDN: `example.com`, `tenant.localhost`
+ *   - IPv4-mapped IPv6: `::ffff:192.0.2.1` (reported as `literal: "ipv4"`)
+ *
+ * Invalid or non-resolvable FQDNs are returned as `{ kind: "public", literal: "fqdn" }`
+ * — this function never throws. Callers that need structural validation must
+ * combine this with a URL/hostname validator upstream.
+ *
+ * @example
+ * classifyHost("127.0.0.1")
+ * // { kind: "loopback", literal: "ipv4", canonical: "127.0.0.1" }
+ *
+ * @example
+ * classifyHost("[::1]:8080")
+ * // { kind: "loopback", literal: "ipv6", canonical: "0000:0000:...:0001" }
+ *
+ * @example
+ * classifyHost("::ffff:192.0.2.1")
+ * // { kind: "documentation", literal: "ipv4", canonical: "192.0.2.1" }
+ *
+ * @example
+ * classifyHost("tenant-a.localhost")
+ * // { kind: "localhost", literal: "fqdn", canonical: "tenant-a.localhost" }
+ */
+declare function classifyHost(host: string): HostClassification;
+/**
+ * Strict loopback-IP-literal check per RFC 8252 §7.3.
+ *
+ * Returns true ONLY for IPv4 `127.0.0.0/8` or IPv6 `::1`. The DNS name
+ * `localhost` returns false — RFC 8252 §8.3 explicitly recommends against
+ * relying on name resolution for loopback redirect URIs.
+ *
+ * Use this for OAuth redirect URI matching.
+ *
+ * @example
+ * isLoopbackIP("127.0.0.1")     // true
+ * isLoopbackIP("::1")           // true
+ * isLoopbackIP("[::1]:8080")    // true
+ * isLoopbackIP("localhost")     // false  (use isLoopbackHost for DNS names)
+ * isLoopbackIP("0.0.0.0")       // false  (unspecified, not loopback)
+ */
+declare function isLoopbackIP(host: string): boolean;
+/**
+ * Permissive loopback check for developer-ergonomics code paths.
+ *
+ * Returns true for IPv4 `127.0.0.0/8`, IPv6 `::1`, the literal name `localhost`,
+ * and any RFC 6761 `.localhost` subdomain (`tenant.localhost`, `app.localhost`).
+ *
+ * Use this for things like: allowing HTTP for dev servers, skipping Secure
+ * cookie requirements, browser-trust heuristics. Do NOT use this for OAuth
+ * redirect URI matching — use {@link isLoopbackIP} there.
+ *
+ * @example
+ * isLoopbackHost("localhost")         // true
+ * isLoopbackHost("tenant.localhost")  // true  (RFC 6761)
+ * isLoopbackHost("127.0.0.1")         // true
+ * isLoopbackHost("0.0.0.0")           // false (unspecified, NOT loopback)
+ */
+declare function isLoopbackHost(host: string): boolean;
+/**
+ * First-line SSRF gate: returns true ONLY for hosts that classify as `public`.
+ *
+ * Every RFC 6890 special-purpose range (loopback, private, link-local,
+ * unspecified, documentation, multicast, broadcast, reserved, shared address
+ * space, benchmarking) and cloud-metadata FQDN returns false.
+ *
+ * Use this BEFORE issuing a server-side fetch to a user-supplied URL, e.g.
+ * OAuth introspection endpoints, webhook targets, or metadata-document
+ * fetches (CIMD).
+ *
+ * Limitations (this is a syntactic check, not a complete SSRF mitigation):
+ * - No DNS resolution: a public-looking FQDN that resolves to a private IP
+ *   passes this check. Re-verify the resolved address before connecting, or
+ *   pin the socket to the resolved IP.
+ * - No DNS-rebinding defense: attackers can return a public IP on the first
+ *   lookup and a private IP on the second. Resolve once and reuse the IP.
+ * - No redirect following: HTTP 3xx responses can redirect to private hosts.
+ *   Re-run this check on every redirect target, or disable auto-follow.
+ *
+ * @example
+ * isPublicRoutableHost("example.com")            // true
+ * isPublicRoutableHost("127.0.0.1")              // false (loopback)
+ * isPublicRoutableHost("169.254.169.254")        // false (linkLocal / AWS IMDS)
+ * isPublicRoutableHost("metadata.google.internal") // false (cloudMetadata)
+ * isPublicRoutableHost("10.0.0.1")               // false (private)
+ * isPublicRoutableHost("::ffff:127.0.0.1")       // false (mapped loopback)
+ */
+declare function isPublicRoutableHost(host: string): boolean;
+//#endregion
+export { HostClassification, HostKind, HostLiteral, classifyHost, isLoopbackHost, isLoopbackIP, isPublicRoutableHost };

package/dist/utils/host.mjs

@@ -0,0 +1,291 @@
+import { isValidIP, normalizeIP } from "./ip.mjs";
+//#region src/utils/host.ts
+/**
+* Cloud provider instance metadata service FQDNs. These resolve to link-local
+* IPs (usually `169.254.169.254`) inside their respective clouds and are
+* prime SSRF targets.
+*
+* The IPs themselves are already caught by the `linkLocal` kind; this set
+* only exists for the FQDN form that a naive server-side fetch might resolve
+* via its own resolver.
+*/
+const CLOUD_METADATA_HOSTS = new Set([
+	"metadata.google.internal",
+	"metadata.goog",
+	"metadata",
+	"instance-data",
+	"instance-data.ec2.internal"
+]);
+/** Strip `[...]` if the entire input is bracketed (IPv6 literal form). */
+function stripBrackets(host) {
+	if (host.length >= 2 && host.startsWith("[") && host.endsWith("]")) return host.slice(1, -1);
+	return host;
+}
+/**
+* Strip trailing `:port` from host-with-port strings.
+*
+* - Bracketed IPv6 with port: `[::1]:8080` → `[::1]`
+* - IPv4/FQDN with port: `127.0.0.1:3000` / `example.com:443` → base form
+* - Bare IPv6: `::1` / `fe80::1` → unchanged (multiple colons means no port)
+*/
+function stripPort(host) {
+	if (host.startsWith("[")) {
+		const end = host.indexOf("]");
+		if (end === -1) return host;
+		return host.slice(0, end + 1);
+	}
+	const firstColon = host.indexOf(":");
+	if (firstColon === -1) return host;
+	if (host.indexOf(":", firstColon + 1) !== -1) return host;
+	return host.slice(0, firstColon);
+}
+/** Strip IPv6 zone identifier: `fe80::1%eth0` → `fe80::1`. */
+function stripZoneId(host) {
+	const zone = host.indexOf("%");
+	if (zone === -1) return host;
+	return host.slice(0, zone);
+}
+/**
+* Strip trailing dots (RFC 1034 absolute DNS form): `localhost.` → `localhost`.
+* Without this, `metadata.google.internal.` would fall through to `public` and
+* bypass the cloud-metadata / `.localhost` checks, since WHATWG URL parsing
+* preserves the trailing dot in `url.hostname`.
+*/
+function stripTrailingDot(host) {
+	return host.replace(/\.+$/, "");
+}
+/** Fast dotted-decimal shape check. Does NOT validate octet bounds. */
+function looksLikeIPv4(host) {
+	return /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+}
+/** Pack a validated dotted-decimal IPv4 into a 32-bit unsigned integer. */
+function ipv4ToUint32(ip) {
+	const parts = ip.split(".");
+	return (Number(parts[0]) << 24 | Number(parts[1]) << 16 | Number(parts[2]) << 8 | Number(parts[3])) >>> 0;
+}
+/** Check whether a 32-bit value matches `prefix/length` (both unsigned). */
+function inIPv4Range(value, prefix, length) {
+	if (length === 0) return true;
+	const mask = length === 32 ? 4294967295 : -1 << 32 - length >>> 0;
+	return (value & mask) === (prefix & mask);
+}
+function classifyIPv4(ip) {
+	if (ip === "0.0.0.0") return "unspecified";
+	if (ip === "255.255.255.255") return "broadcast";
+	const n = ipv4ToUint32(ip);
+	if (inIPv4Range(n, ipv4ToUint32("127.0.0.0"), 8)) return "loopback";
+	if (inIPv4Range(n, ipv4ToUint32("10.0.0.0"), 8)) return "private";
+	if (inIPv4Range(n, ipv4ToUint32("172.16.0.0"), 12)) return "private";
+	if (inIPv4Range(n, ipv4ToUint32("192.168.0.0"), 16)) return "private";
+	if (inIPv4Range(n, ipv4ToUint32("169.254.0.0"), 16)) return "linkLocal";
+	if (inIPv4Range(n, ipv4ToUint32("100.64.0.0"), 10)) return "sharedAddressSpace";
+	if (inIPv4Range(n, ipv4ToUint32("192.0.2.0"), 24)) return "documentation";
+	if (inIPv4Range(n, ipv4ToUint32("198.51.100.0"), 24)) return "documentation";
+	if (inIPv4Range(n, ipv4ToUint32("203.0.113.0"), 24)) return "documentation";
+	if (inIPv4Range(n, ipv4ToUint32("198.18.0.0"), 15)) return "benchmarking";
+	if (inIPv4Range(n, ipv4ToUint32("224.0.0.0"), 4)) return "multicast";
+	if (inIPv4Range(n, ipv4ToUint32("0.0.0.0"), 8)) return "reserved";
+	if (inIPv4Range(n, ipv4ToUint32("192.0.0.0"), 24)) return "reserved";
+	if (inIPv4Range(n, ipv4ToUint32("240.0.0.0"), 4)) return "reserved";
+	return "public";
+}
+/**
+* Extract an IPv4 address embedded in an expanded IPv6 literal.
+*
+* Used to recurse into tunnel/translation forms (6to4, NAT64, Teredo) so a
+* private destination cannot be smuggled behind a syntactically-public IPv6
+* literal. `startGroup` is the index of the first of two 16-bit groups in the
+* expanded form (`0000:0000:...`). With `xor: true`, the 32-bit value is XORed
+* with `0xffffffff` before decoding (Teredo obfuscates the client IPv4 this
+* way).
+*/
+function extractEmbeddedIPv4(expanded, startGroup, options = {}) {
+	const offset = startGroup * 5;
+	const g1 = Number.parseInt(expanded.slice(offset, offset + 4), 16);
+	const g2 = Number.parseInt(expanded.slice(offset + 5, offset + 9), 16);
+	if (!Number.isFinite(g1) || !Number.isFinite(g2)) return null;
+	let combined = (g1 << 16 | g2) >>> 0;
+	if (options.xor) combined = (combined ^ 4294967295) >>> 0;
+	return `${combined >>> 24 & 255}.${combined >>> 16 & 255}.${combined >>> 8 & 255}.${combined & 255}`;
+}
+/**
+* Classify an expanded, full-form, lowercase IPv6 address (no IPv4-mapped
+* input — those are unmapped to IPv4 before reaching here).
+*
+* 6to4 (`2002::/16`), NAT64 (`64:ff9b::/96`) and Teredo (`2001:0000::/32`)
+* embed an IPv4 that can route to private/loopback space. If the embedded
+* IPv4 classifies as non-`public`, return `reserved` — blocks SSRF without
+* advertising the address as a loopback literal for RFC 8252 §7.3 matching.
+*/
+function classifyIPv6(expanded) {
+	if (expanded === "0000:0000:0000:0000:0000:0000:0000:0000") return "unspecified";
+	if (expanded === "0000:0000:0000:0000:0000:0000:0000:0001") return "loopback";
+	const firstByte = Number.parseInt(expanded.slice(0, 2), 16);
+	const secondByte = Number.parseInt(expanded.slice(2, 4), 16);
+	if (firstByte === 255) return "multicast";
+	if (firstByte === 254 && (secondByte & 192) === 128) return "linkLocal";
+	if ((firstByte & 254) === 252) return "private";
+	if (expanded.startsWith("2001:0db8:")) return "documentation";
+	if (expanded.startsWith("2002:")) {
+		const embedded = extractEmbeddedIPv4(expanded, 1);
+		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
+		return "public";
+	}
+	if (expanded.startsWith("0064:ff9b:0000:0000:0000:0000:")) {
+		const embedded = extractEmbeddedIPv4(expanded, 6);
+		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
+		return "reserved";
+	}
+	if (expanded.startsWith("2001:0000:")) {
+		const embedded = extractEmbeddedIPv4(expanded, 6, { xor: true });
+		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
+		return "reserved";
+	}
+	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
+	return "public";
+}
+/**
+* Classify a host string according to RFC 6890 / RFC 6761.
+*
+* Accepts inputs in any of these shapes and normalizes before classifying:
+*
+*   - Bare IPv4: `127.0.0.1`
+*   - Bare IPv6: `::1`, `fe80::1%eth0`
+*   - Bracketed IPv6: `[::1]`
+*   - Host with port: `localhost:3000`, `127.0.0.1:443`, `[::1]:8080`
+*   - FQDN: `example.com`, `tenant.localhost`
+*   - IPv4-mapped IPv6: `::ffff:192.0.2.1` (reported as `literal: "ipv4"`)
+*
+* Invalid or non-resolvable FQDNs are returned as `{ kind: "public", literal: "fqdn" }`
+* — this function never throws. Callers that need structural validation must
+* combine this with a URL/hostname validator upstream.
+*
+* @example
+* classifyHost("127.0.0.1")
+* // { kind: "loopback", literal: "ipv4", canonical: "127.0.0.1" }
+*
+* @example
+* classifyHost("[::1]:8080")
+* // { kind: "loopback", literal: "ipv6", canonical: "0000:0000:...:0001" }
+*
+* @example
+* classifyHost("::ffff:192.0.2.1")
+* // { kind: "documentation", literal: "ipv4", canonical: "192.0.2.1" }
+*
+* @example
+* classifyHost("tenant-a.localhost")
+* // { kind: "localhost", literal: "fqdn", canonical: "tenant-a.localhost" }
+*/
+function classifyHost(host) {
+	const lowered = stripTrailingDot(stripZoneId(stripBrackets(stripPort(host.trim())))).toLowerCase();
+	if (lowered === "") return {
+		kind: "reserved",
+		literal: "fqdn",
+		canonical: ""
+	};
+	if (!isValidIP(lowered)) {
+		if (lowered === "localhost" || lowered.endsWith(".localhost")) return {
+			kind: "localhost",
+			literal: "fqdn",
+			canonical: lowered
+		};
+		if (CLOUD_METADATA_HOSTS.has(lowered)) return {
+			kind: "cloudMetadata",
+			literal: "fqdn",
+			canonical: lowered
+		};
+		return {
+			kind: "public",
+			literal: "fqdn",
+			canonical: lowered
+		};
+	}
+	if (looksLikeIPv4(lowered)) return {
+		kind: classifyIPv4(lowered),
+		literal: "ipv4",
+		canonical: lowered
+	};
+	const canonical = normalizeIP(lowered, { ipv6Subnet: 128 });
+	if (looksLikeIPv4(canonical)) return {
+		kind: classifyIPv4(canonical),
+		literal: "ipv4",
+		canonical
+	};
+	return {
+		kind: classifyIPv6(canonical),
+		literal: "ipv6",
+		canonical
+	};
+}
+/**
+* Strict loopback-IP-literal check per RFC 8252 §7.3.
+*
+* Returns true ONLY for IPv4 `127.0.0.0/8` or IPv6 `::1`. The DNS name
+* `localhost` returns false — RFC 8252 §8.3 explicitly recommends against
+* relying on name resolution for loopback redirect URIs.
+*
+* Use this for OAuth redirect URI matching.
+*
+* @example
+* isLoopbackIP("127.0.0.1")     // true
+* isLoopbackIP("::1")           // true
+* isLoopbackIP("[::1]:8080")    // true
+* isLoopbackIP("localhost")     // false  (use isLoopbackHost for DNS names)
+* isLoopbackIP("0.0.0.0")       // false  (unspecified, not loopback)
+*/
+function isLoopbackIP(host) {
+	return classifyHost(host).kind === "loopback";
+}
+/**
+* Permissive loopback check for developer-ergonomics code paths.
+*
+* Returns true for IPv4 `127.0.0.0/8`, IPv6 `::1`, the literal name `localhost`,
+* and any RFC 6761 `.localhost` subdomain (`tenant.localhost`, `app.localhost`).
+*
+* Use this for things like: allowing HTTP for dev servers, skipping Secure
+* cookie requirements, browser-trust heuristics. Do NOT use this for OAuth
+* redirect URI matching — use {@link isLoopbackIP} there.
+*
+* @example
+* isLoopbackHost("localhost")         // true
+* isLoopbackHost("tenant.localhost")  // true  (RFC 6761)
+* isLoopbackHost("127.0.0.1")         // true
+* isLoopbackHost("0.0.0.0")           // false (unspecified, NOT loopback)
+*/
+function isLoopbackHost(host) {
+	const kind = classifyHost(host).kind;
+	return kind === "loopback" || kind === "localhost";
+}
+/**
+* First-line SSRF gate: returns true ONLY for hosts that classify as `public`.
+*
+* Every RFC 6890 special-purpose range (loopback, private, link-local,
+* unspecified, documentation, multicast, broadcast, reserved, shared address
+* space, benchmarking) and cloud-metadata FQDN returns false.
+*
+* Use this BEFORE issuing a server-side fetch to a user-supplied URL, e.g.
+* OAuth introspection endpoints, webhook targets, or metadata-document
+* fetches (CIMD).
+*
+* Limitations (this is a syntactic check, not a complete SSRF mitigation):
+* - No DNS resolution: a public-looking FQDN that resolves to a private IP
+*   passes this check. Re-verify the resolved address before connecting, or
+*   pin the socket to the resolved IP.
+* - No DNS-rebinding defense: attackers can return a public IP on the first
+*   lookup and a private IP on the second. Resolve once and reuse the IP.
+* - No redirect following: HTTP 3xx responses can redirect to private hosts.
+*   Re-run this check on every redirect target, or disable auto-follow.
+*
+* @example
+* isPublicRoutableHost("example.com")            // true
+* isPublicRoutableHost("127.0.0.1")              // false (loopback)
+* isPublicRoutableHost("169.254.169.254")        // false (linkLocal / AWS IMDS)
+* isPublicRoutableHost("metadata.google.internal") // false (cloudMetadata)
+* isPublicRoutableHost("10.0.0.1")               // false (private)
+* isPublicRoutableHost("::ffff:127.0.0.1")       // false (mapped loopback)
+*/
+function isPublicRoutableHost(host) {
+	return classifyHost(host).kind === "public";
+}
+//#endregion
+export { classifyHost, isLoopbackHost, isLoopbackIP, isPublicRoutableHost };

package/dist/utils/is-api-error.d.mts

@@ -0,0 +1,6 @@
+import { APIError } from "../error/index.mjs";
+
+//#region src/utils/is-api-error.d.ts
+declare function isAPIError(error: unknown): error is APIError;
+//#endregion
+export { isAPIError };

package/dist/utils/is-api-error.mjs

@@ -0,0 +1,8 @@
+import { APIError as APIError$1 } from "../error/index.mjs";
+import { APIError } from "better-call";
+//#region src/utils/is-api-error.ts
+function isAPIError(error) {
+	return error instanceof APIError || error instanceof APIError$1 || error?.name === "APIError";
+}
+//#endregion
+export { isAPIError };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.6.5",
+  "version": "1.6.7",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -93,6 +93,12 @@
     "./instrumentation": {
       "dev-source": "./src/instrumentation/index.ts",
       "types": "./dist/instrumentation/index.d.mts",
+      "node": "./dist/instrumentation/index.mjs",
+      "deno": "./dist/instrumentation/index.mjs",
+      "bun": "./dist/instrumentation/index.mjs",
+      "edge": "./dist/instrumentation/pure.index.mjs",
+      "workerd": "./dist/instrumentation/index.mjs",
+      "browser": "./dist/instrumentation/pure.index.mjs",
       "default": "./dist/instrumentation/index.mjs"
     }
   },
@@ -170,6 +176,9 @@
   "peerDependenciesMeta": {
     "@cloudflare/workers-types": {
       "optional": true
+    },
+    "@opentelemetry/api": {
+      "optional": true
     }
   },
   "scripts": {

package/src/api/index.ts

@@ -3,9 +3,34 @@ import type {
 	EndpointOptions,
 	StrictEndpoint,
 } from "better-call";
-import { createEndpoint, createMiddleware } from "better-call";
+import {
+	createEndpoint,
+	createMiddleware,
+	kAPIErrorHeaderSymbol,
+} from "better-call";
 import { runWithEndpointContext } from "../context";
 import type { AuthContext } from "../types";
+import { isAPIError } from "../utils/is-api-error";
+
+/**
+ * Better-call's createEndpoint re-throws APIError without exposing the headers
+ * accumulated on ctx.responseHeaders (e.g. Set-Cookie from deleteSessionCookie
+ * before throw). Attach them to the error via kAPIErrorHeaderSymbol — matching
+ * better-call's createMiddleware contract so the outer pipeline can merge them
+ * into the response.
+ */
+function attachResponseHeadersToAPIError(
+	responseHeaders: Headers | undefined,
+	e: unknown,
+): void {
+	if (!isAPIError(e) || !responseHeaders) return;
+	Object.defineProperty(e, kAPIErrorHeaderSymbol, {
+		enumerable: false,
+		configurable: true,
+		value: responseHeaders,
+		writable: false,
+	});
+}
 
 export const optionsMiddleware = createMiddleware(async () => {
 	/**
@@ -76,6 +101,17 @@ export function createAuthEndpoint<
 	const handler: EndpointHandler<Path, Opts, R> =
 		typeof handlerOrOptions === "function" ? handlerOrOptions : handlerOrNever;
 
+	// todo: prettify the code, we want to call `runWithEndpointContext` to top level
+	const wrapped: EndpointHandler<Path, Opts, R> = async (ctx) => {
+		const runtimeCtx = ctx as unknown as { responseHeaders?: Headers };
+		try {
+			return await runWithEndpointContext(ctx as any, () => handler(ctx));
+		} catch (e) {
+			attachResponseHeadersToAPIError(runtimeCtx.responseHeaders, e);
+			throw e;
+		}
+	};
+
 	if (path) {
 		return createEndpoint(
 			path,
@@ -83,8 +119,7 @@ export function createAuthEndpoint<
 				...options,
 				use: [...(options?.use || []), ...use],
 			},
-			// todo: prettify the code, we want to call `runWithEndpointContext` to top level
-			async (ctx) => runWithEndpointContext(ctx as any, () => handler(ctx)),
+			wrapped,
 		);
 	}
 
@@ -93,8 +128,7 @@ export function createAuthEndpoint<
 			...options,
 			use: [...(options?.use || []), ...use],
 		},
-		// todo: prettify the code, we want to call `runWithEndpointContext` to top level
-		async (ctx) => runWithEndpointContext(ctx as any, () => handler(ctx)),
+		wrapped,
 	);
 }
 

package/src/instrumentation/api.ts

@@ -0,0 +1,17 @@
+import type { OpenTelemetryAPI } from "./noop";
+import { noopOpenTelemetryAPI } from "./noop";
+
+let openTelemetryAPIPromise: Promise<void> | undefined;
+let openTelemetryAPI: OpenTelemetryAPI | undefined;
+
+export function getOpenTelemetryAPI(): OpenTelemetryAPI {
+	if (!openTelemetryAPIPromise) {
+		openTelemetryAPIPromise = import("@opentelemetry/api")
+			.then((mod) => {
+				openTelemetryAPI = mod;
+			})
+			.catch(() => /* ignore failures */ undefined);
+	}
+
+	return openTelemetryAPI ?? noopOpenTelemetryAPI;
+}

package/src/instrumentation/noop.ts

@@ -0,0 +1,74 @@
+import type { Span, Tracer } from "@opentelemetry/api";
+
+export type OpenTelemetryAPI = Pick<
+	typeof import("@opentelemetry/api"),
+	"trace" | "SpanStatusCode"
+>;
+
+function createNoopSpan(): Span {
+	const span = {
+		end(): void {},
+		setAttribute(_key: string, _value: unknown): void {},
+		setStatus(_status: unknown): void {},
+		recordException(_exception: unknown): void {},
+		updateName(_name: string) {
+			return span;
+		},
+	} as unknown as Span;
+	return span;
+}
+
+function createNoopTracer(noopSpan: Span): Tracer {
+	// OpenTelemetry `Tracer.startActiveSpan` has three overloads:
+	//   (name, fn)
+	//   (name, options, fn)
+	//   (name, options, context, fn)
+	// The callback is always the last argument; fish it out by arity so a
+	// 2-arg call (options omitted) doesn't try to invoke `undefined`.
+	function startActiveSpan<F extends (span: Span) => unknown>(
+		_name: string,
+		fn: F,
+	): ReturnType<F>;
+	function startActiveSpan<F extends (span: Span) => unknown>(
+		_name: string,
+		_options: { attributes?: Record<string, string | number | boolean> },
+		fn: F,
+	): ReturnType<F>;
+	function startActiveSpan<F extends (span: Span) => unknown>(
+		_name: string,
+		_options: { attributes?: Record<string, string | number | boolean> },
+		_context: unknown,
+		fn: F,
+	): ReturnType<F>;
+	function startActiveSpan(_name: string, ...rest: Array<unknown>): unknown {
+		const fn = rest[rest.length - 1] as (span: Span) => unknown;
+		return fn(noopSpan);
+	}
+	return { startActiveSpan } as Tracer;
+}
+
+function createNoopTraceAPI() {
+	const noopTracer = createNoopTracer(createNoopSpan());
+	return {
+		getTracer(_name?: string, _version?: string) {
+			return noopTracer;
+		},
+		getActiveSpan(): Span | undefined {
+			return undefined;
+		},
+	};
+}
+
+function createNoopOpenTelemetryAPI(): OpenTelemetryAPI {
+	return {
+		SpanStatusCode: {
+			UNSET: 0,
+			OK: 1,
+			ERROR: 2,
+		},
+		trace: createNoopTraceAPI(),
+	} as OpenTelemetryAPI;
+}
+
+export const noopOpenTelemetryAPI: OpenTelemetryAPI =
+	createNoopOpenTelemetryAPI();

package/src/instrumentation/pure.index.ts

@@ -0,0 +1,31 @@
+/**
+ * Noop variant of `./instrumentation` for runtimes where the dynamic
+ * `import("@opentelemetry/api")` in `./api` throws synchronously instead of
+ * rejecting its returned promise. Convex's V8 isolate is the reproducer: bare
+ * specifiers are rejected at resolve time in `get-convex/convex-backend`
+ * `crates/isolate/src/request_scope.rs`, so the `.catch()` in
+ * `getOpenTelemetryAPI` never runs and every `withSpan` call surfaces an
+ * uncaught error.
+ *
+ * Public surface must stay identical to `./index` (enforced by `pure.test.ts`).
+ */
+
+export * from "./attributes";
+
+export function withSpan<T>(
+	name: string,
+	attributes: Record<string, string | number | boolean>,
+	fn: () => T,
+): T;
+export function withSpan<T>(
+	name: string,
+	attributes: Record<string, string | number | boolean>,
+	fn: () => Promise<T>,
+): Promise<T>;
+export function withSpan<T>(
+	_name: string,
+	_attributes: Record<string, string | number | boolean>,
+	fn: () => T | Promise<T>,
+): T | Promise<T> {
+	return fn();
+}