@better-auth/core 1.6.6 → 1.6.7

package/dist/api/index.mjs

@@ -1,6 +1,23 @@
 import { runWithEndpointContext } from "../context/endpoint-context.mjs";
-import { createEndpoint, createMiddleware } from "better-call";
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { createEndpoint, createMiddleware, kAPIErrorHeaderSymbol } from "better-call";
 //#region src/api/index.ts
+/**
+* Better-call's createEndpoint re-throws APIError without exposing the headers
+* accumulated on ctx.responseHeaders (e.g. Set-Cookie from deleteSessionCookie
+* before throw). Attach them to the error via kAPIErrorHeaderSymbol — matching
+* better-call's createMiddleware contract so the outer pipeline can merge them
+* into the response.
+*/
+function attachResponseHeadersToAPIError(responseHeaders, e) {
+	if (!isAPIError(e) || !responseHeaders) return;
+	Object.defineProperty(e, kAPIErrorHeaderSymbol, {
+		enumerable: false,
+		configurable: true,
+		value: responseHeaders,
+		writable: false
+	});
+}
 const optionsMiddleware = createMiddleware(async () => {
 	/**
 	* This will be passed on the instance of
@@ -17,14 +34,23 @@ function createAuthEndpoint(pathOrOptions, handlerOrOptions, handlerOrNever) {
 	const path = typeof pathOrOptions === "string" ? pathOrOptions : void 0;
 	const options = typeof handlerOrOptions === "object" ? handlerOrOptions : pathOrOptions;
 	const handler = typeof handlerOrOptions === "function" ? handlerOrOptions : handlerOrNever;
+	const wrapped = async (ctx) => {
+		const runtimeCtx = ctx;
+		try {
+			return await runWithEndpointContext(ctx, () => handler(ctx));
+		} catch (e) {
+			attachResponseHeadersToAPIError(runtimeCtx.responseHeaders, e);
+			throw e;
+		}
+	};
 	if (path) return createEndpoint(path, {
 		...options,
 		use: [...options?.use || [], ...use]
-	}, async (ctx) => runWithEndpointContext(ctx, () => handler(ctx)));
+	}, wrapped);
 	return createEndpoint({
 		...options,
 		use: [...options?.use || [], ...use]
-	}, async (ctx) => runWithEndpointContext(ctx, () => handler(ctx)));
+	}, wrapped);
 }
 //#endregion
 export { createAuthEndpoint, createAuthMiddleware, optionsMiddleware };

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.6.6";
+const __betterAuthVersion = "1.6.7";
 /**
 * We store context instance in the globalThis.
 *

package/dist/db/adapter/factory.mjs

@@ -1,7 +1,7 @@
+import { BetterAuthError } from "../../error/index.mjs";
 import { getAuthTables } from "../get-tables.mjs";
 import { getColorDepth } from "../../env/color-depth.mjs";
 import { TTY_COLORS, createLogger } from "../../env/logger.mjs";
-import { BetterAuthError } from "../../error/index.mjs";
 import { ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME } from "../../instrumentation/attributes.mjs";
 import { withSpan } from "../../instrumentation/tracer.mjs";
 import { safeJSONParse } from "../../utils/json.mjs";

package/dist/instrumentation/api.mjs

@@ -1,35 +1,5 @@
+import { noopOpenTelemetryAPI } from "./noop.mjs";
 //#region src/instrumentation/api.ts
-function createNoopSpan() {
-	return {
-		end() {},
-		setAttribute(_key, _value) {},
-		setStatus(_status) {},
-		recordException(_exception) {}
-	};
-}
-function createNoopTracer(noopSpanInstance) {
-	function startActiveSpan(_name, _options, fn) {
-		return fn(noopSpanInstance);
-	}
-	return { startActiveSpan };
-}
-function createNoopTraceAPI() {
-	const noopTracer = createNoopTracer(createNoopSpan());
-	return { getTracer(_name, _version) {
-		return noopTracer;
-	} };
-}
-function createNoopOpenTelemetryAPI() {
-	return {
-		SpanStatusCode: {
-			UNSET: 0,
-			OK: 1,
-			ERROR: 2
-		},
-		trace: createNoopTraceAPI()
-	};
-}
-const noopOpenTelemetryAPI = createNoopOpenTelemetryAPI();
 let openTelemetryAPIPromise;
 let openTelemetryAPI;
 function getOpenTelemetryAPI() {

package/dist/instrumentation/noop.mjs

@@ -0,0 +1,42 @@
+//#region src/instrumentation/noop.ts
+function createNoopSpan() {
+	const span = {
+		end() {},
+		setAttribute(_key, _value) {},
+		setStatus(_status) {},
+		recordException(_exception) {},
+		updateName(_name) {
+			return span;
+		}
+	};
+	return span;
+}
+function createNoopTracer(noopSpan) {
+	function startActiveSpan(_name, ...rest) {
+		const fn = rest[rest.length - 1];
+		return fn(noopSpan);
+	}
+	return { startActiveSpan };
+}
+function createNoopTraceAPI() {
+	const noopTracer = createNoopTracer(createNoopSpan());
+	return {
+		getTracer(_name, _version) {
+			return noopTracer;
+		},
+		getActiveSpan() {}
+	};
+}
+function createNoopOpenTelemetryAPI() {
+	return {
+		SpanStatusCode: {
+			UNSET: 0,
+			OK: 1,
+			ERROR: 2
+		},
+		trace: createNoopTraceAPI()
+	};
+}
+const noopOpenTelemetryAPI = createNoopOpenTelemetryAPI();
+//#endregion
+export { noopOpenTelemetryAPI };

package/dist/instrumentation/pure.index.d.mts

@@ -0,0 +1,7 @@
+import { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID } from "./attributes.mjs";
+
+//#region src/instrumentation/pure.index.d.ts
+declare function withSpan<T>(name: string, attributes: Record<string, string | number | boolean>, fn: () => T): T;
+declare function withSpan<T>(name: string, attributes: Record<string, string | number | boolean>, fn: () => Promise<T>): Promise<T>;
+//#endregion
+export { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan };

package/dist/instrumentation/pure.index.mjs

@@ -0,0 +1,7 @@
+import { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID } from "./attributes.mjs";
+//#region src/instrumentation/pure.index.ts
+function withSpan(_name, _attributes, fn) {
+	return fn();
+}
+//#endregion
+export { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan };

package/dist/instrumentation/tracer.mjs

@@ -2,7 +2,7 @@ import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
 import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
 const INSTRUMENTATION_SCOPE = "better-auth";
-const INSTRUMENTATION_VERSION = "1.6.6";
+const INSTRUMENTATION_VERSION = "1.6.7";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be

package/dist/oauth2/index.d.mts

@@ -2,7 +2,7 @@ import { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions } from "./
 import { clientCredentialsToken, clientCredentialsTokenRequest, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
 import { createAuthorizationURL } from "./create-authorization-url.mjs";
 import { createRefreshAccessTokenRequest, refreshAccessToken, refreshAccessTokenRequest } from "./refresh-access-token.mjs";
-import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId } from "./utils.mjs";
 import { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
 import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
-export { type OAuth2Tokens, type OAuth2UserInfo, type OAuthProvider, type ProviderOptions, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, refreshAccessTokenRequest, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };
+export { type OAuth2Tokens, type OAuth2UserInfo, type OAuthProvider, type ProviderOptions, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, getPrimaryClientId, refreshAccessToken, refreshAccessTokenRequest, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/index.mjs

@@ -1,7 +1,7 @@
 import { clientCredentialsToken, clientCredentialsTokenRequest, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
-import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId } from "./utils.mjs";
 import { createAuthorizationURL } from "./create-authorization-url.mjs";
 import { createRefreshAccessTokenRequest, refreshAccessToken, refreshAccessTokenRequest } from "./refresh-access-token.mjs";
 import { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
 import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
-export { authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, refreshAccessTokenRequest, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };
+export { authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, getPrimaryClientId, refreshAccessToken, refreshAccessTokenRequest, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/utils.d.mts

@@ -2,6 +2,15 @@ import { OAuth2Tokens } from "./oauth-provider.mjs";
 
 //#region src/oauth2/utils.d.ts
 declare function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens;
+/**
+ * Return the provider's primary Client ID: the single string, or the entry at
+ * array index 0 for the cross-platform form used by ID token audience
+ * verification. Index 0 is the designated primary and pairs with
+ * `clientSecret` for the authorization code flow; later array entries are
+ * only used as additional accepted audiences. Returns `undefined` when the
+ * primary value is missing or an empty string.
+ */
+declare function getPrimaryClientId(clientId: unknown): string | undefined;
 declare function generateCodeChallenge(codeVerifier: string): Promise<string>;
 //#endregion
-export { generateCodeChallenge, getOAuth2Tokens };
+export { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };

package/dist/oauth2/utils.mjs

@@ -16,10 +16,22 @@ function getOAuth2Tokens(data) {
 		raw: data
 	};
 }
+/**
+* Return the provider's primary Client ID: the single string, or the entry at
+* array index 0 for the cross-platform form used by ID token audience
+* verification. Index 0 is the designated primary and pairs with
+* `clientSecret` for the authorization code flow; later array entries are
+* only used as additional accepted audiences. Returns `undefined` when the
+* primary value is missing or an empty string.
+*/
+function getPrimaryClientId(clientId) {
+	const value = Array.isArray(clientId) ? clientId[0] : clientId;
+	return typeof value === "string" && value.length > 0 ? value : void 0;
+}
 async function generateCodeChallenge(codeVerifier) {
 	const data = new TextEncoder().encode(codeVerifier);
 	const hash = await crypto.subtle.digest("SHA-256", data);
 	return base64Url.encode(new Uint8Array(hash), { padding: false });
 }
 //#endregion
-export { generateCodeChallenge, getOAuth2Tokens };
+export { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };

package/dist/social-providers/apple.d.mts

@@ -60,7 +60,7 @@ interface AppleNonConformUser {
   email: string;
 }
 interface AppleOptions extends ProviderOptions<AppleProfile> {
-  clientId: string;
+  clientId: string | string[];
   appBundleIdentifier?: string | undefined;
   audience?: (string | string[]) | undefined;
 }
@@ -93,7 +93,16 @@ declare const apple: (options: AppleOptions) => {
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
     user?: {
-      name?: {
+      name?
+      /**
+      * An Integer value that indicates whether the user appears to be a real
+      * person. Use the value of this claim to mitigate fraud. The possible
+      * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+      * more information, see ASUserDetectionStatus. This claim is present only
+      * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+      * and later. The claim isn’t present or supported for web-based apps.
+      */
+      : {
         firstName?: string;
         lastName?: string;
       };

package/dist/social-providers/apple.mjs

@@ -1,4 +1,6 @@
-import { APIError } from "../error/index.mjs";
+import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -11,6 +13,10 @@ const apple = (options) => {
 		id: "apple",
 		name: "Apple",
 		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error("Client ID and client secret are required for Apple. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
 			if (options.scope) _scope.push(...options.scope);
 			if (scopes) _scope.push(...scopes);

package/dist/social-providers/atlassian.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/social-providers/cognito.d.mts

@@ -19,7 +19,7 @@ interface CognitoProfile {
   [key: string]: any;
 }
 interface CognitoOptions extends ProviderOptions<CognitoProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * The Cognito domain (e.g., "your-app.auth.us-east-1.amazoncognito.com")
    */

package/dist/social-providers/cognito.mjs

@@ -1,5 +1,6 @@
-import { logger } from "../env/logger.mjs";
 import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -19,7 +20,7 @@ const cognito = (options) => {
 		id: "cognito",
 		name: "Cognito",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
-			if (!options.clientId) {
+			if (!getPrimaryClientId(options.clientId)) {
 				logger.error("ClientId is required for Amazon Cognito. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}

package/dist/social-providers/facebook.d.mts

@@ -15,7 +15,7 @@ interface FacebookProfile {
   };
 }
 interface FacebookOptions extends ProviderOptions<FacebookProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * Extend list of fields to retrieve from the Facebook user profile.
    *

package/dist/social-providers/facebook.mjs

@@ -1,3 +1,6 @@
+import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -9,6 +12,10 @@ const facebook = (options) => {
 		id: "facebook",
 		name: "Facebook",
 		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error("Client ID and client secret are required for Facebook. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scopes = options.disableDefaultScope ? [] : ["email", "public_profile"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);

package/dist/social-providers/figma.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/social-providers/google.d.mts

@@ -27,7 +27,7 @@ interface GoogleProfile {
   sub: string;
 }
 interface GoogleOptions extends ProviderOptions<GoogleProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * The access type to use for the authorization code request
    */

package/dist/social-providers/google.mjs

@@ -1,5 +1,6 @@
-import { logger } from "../env/logger.mjs";
 import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -11,7 +12,7 @@ const google = (options) => {
 		id: "google",
 		name: "Google",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, display }) {
-			if (!options.clientId || !options.clientSecret) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}

package/dist/social-providers/microsoft-entra-id.d.mts

@@ -104,7 +104,7 @@ interface MicrosoftEntraIDProfile extends Record<string, any> {
   given_name: string;
 }
 interface MicrosoftOptions extends ProviderOptions<MicrosoftEntraIDProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * The tenant ID of the Microsoft account
    * @default "common"
@@ -151,7 +151,7 @@ declare const microsoft: (options: MicrosoftOptions) => {
     user?: {
       name?: {
         firstName?: string;
-        lastName?: string;
+        lastName? /** The primary username that represents the user */: string;
       };
       email?: string;
     } | undefined;

package/dist/social-providers/microsoft-entra-id.mjs

@@ -1,5 +1,6 @@
+import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { APIError } from "../error/index.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -16,6 +17,10 @@ const microsoft = (options) => {
 		id: "microsoft",
 		name: "Microsoft EntraID",
 		createAuthorizationURL(data) {
+			if (!getPrimaryClientId(options.clientId)) {
+				logger.error("Client Id is required for Microsoft Entra ID. Make sure to provide it in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const scopes = options.disableDefaultScope ? [] : [
 				"openid",
 				"profile",

package/dist/social-providers/paybin.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/social-providers/paypal.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";

package/dist/social-providers/salesforce.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/utils/is-api-error.d.mts

@@ -0,0 +1,6 @@
+import { APIError } from "../error/index.mjs";
+
+//#region src/utils/is-api-error.d.ts
+declare function isAPIError(error: unknown): error is APIError;
+//#endregion
+export { isAPIError };

package/dist/utils/is-api-error.mjs

@@ -0,0 +1,8 @@
+import { APIError as APIError$1 } from "../error/index.mjs";
+import { APIError } from "better-call";
+//#region src/utils/is-api-error.ts
+function isAPIError(error) {
+	return error instanceof APIError || error instanceof APIError$1 || error?.name === "APIError";
+}
+//#endregion
+export { isAPIError };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.6.6",
+  "version": "1.6.7",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -93,6 +93,12 @@
     "./instrumentation": {
       "dev-source": "./src/instrumentation/index.ts",
       "types": "./dist/instrumentation/index.d.mts",
+      "node": "./dist/instrumentation/index.mjs",
+      "deno": "./dist/instrumentation/index.mjs",
+      "bun": "./dist/instrumentation/index.mjs",
+      "edge": "./dist/instrumentation/pure.index.mjs",
+      "workerd": "./dist/instrumentation/index.mjs",
+      "browser": "./dist/instrumentation/pure.index.mjs",
       "default": "./dist/instrumentation/index.mjs"
     }
   },

package/src/api/index.ts

@@ -3,9 +3,34 @@ import type {
 	EndpointOptions,
 	StrictEndpoint,
 } from "better-call";
-import { createEndpoint, createMiddleware } from "better-call";
+import {
+	createEndpoint,
+	createMiddleware,
+	kAPIErrorHeaderSymbol,
+} from "better-call";
 import { runWithEndpointContext } from "../context";
 import type { AuthContext } from "../types";
+import { isAPIError } from "../utils/is-api-error";
+
+/**
+ * Better-call's createEndpoint re-throws APIError without exposing the headers
+ * accumulated on ctx.responseHeaders (e.g. Set-Cookie from deleteSessionCookie
+ * before throw). Attach them to the error via kAPIErrorHeaderSymbol — matching
+ * better-call's createMiddleware contract so the outer pipeline can merge them
+ * into the response.
+ */
+function attachResponseHeadersToAPIError(
+	responseHeaders: Headers | undefined,
+	e: unknown,
+): void {
+	if (!isAPIError(e) || !responseHeaders) return;
+	Object.defineProperty(e, kAPIErrorHeaderSymbol, {
+		enumerable: false,
+		configurable: true,
+		value: responseHeaders,
+		writable: false,
+	});
+}
 
 export const optionsMiddleware = createMiddleware(async () => {
 	/**
@@ -76,6 +101,17 @@ export function createAuthEndpoint<
 	const handler: EndpointHandler<Path, Opts, R> =
 		typeof handlerOrOptions === "function" ? handlerOrOptions : handlerOrNever;
 
+	// todo: prettify the code, we want to call `runWithEndpointContext` to top level
+	const wrapped: EndpointHandler<Path, Opts, R> = async (ctx) => {
+		const runtimeCtx = ctx as unknown as { responseHeaders?: Headers };
+		try {
+			return await runWithEndpointContext(ctx as any, () => handler(ctx));
+		} catch (e) {
+			attachResponseHeadersToAPIError(runtimeCtx.responseHeaders, e);
+			throw e;
+		}
+	};
+
 	if (path) {
 		return createEndpoint(
 			path,
@@ -83,8 +119,7 @@ export function createAuthEndpoint<
 				...options,
 				use: [...(options?.use || []), ...use],
 			},
-			// todo: prettify the code, we want to call `runWithEndpointContext` to top level
-			async (ctx) => runWithEndpointContext(ctx as any, () => handler(ctx)),
+			wrapped,
 		);
 	}
 
@@ -93,8 +128,7 @@ export function createAuthEndpoint<
 			...options,
 			use: [...(options?.use || []), ...use],
 		},
-		// todo: prettify the code, we want to call `runWithEndpointContext` to top level
-		async (ctx) => runWithEndpointContext(ctx as any, () => handler(ctx)),
+		wrapped,
 	);
 }
 

package/src/instrumentation/api.ts

@@ -1,52 +1,5 @@
-import type { Span, Tracer } from "@opentelemetry/api";
-
-type OpenTelemetryAPI = Pick<
-	typeof import("@opentelemetry/api"),
-	"trace" | "SpanStatusCode"
->;
-
-function createNoopSpan(): Span {
-	return {
-		end(): void {},
-		setAttribute(_key: string, _value: unknown): void {},
-		setStatus(_status: unknown): void {},
-		recordException(_exception: unknown): void {},
-	} as Span;
-}
-
-function createNoopTracer(noopSpanInstance: Span): Tracer {
-	function startActiveSpan<F extends (span: Span) => unknown>(
-		_name: string,
-		_options: { attributes?: Record<string, string | number | boolean> },
-		fn: F,
-	): ReturnType<F> {
-		return fn(noopSpanInstance) as ReturnType<F>;
-	}
-
-	return { startActiveSpan } as Tracer;
-}
-
-function createNoopTraceAPI() {
-	const noopTracer = createNoopTracer(createNoopSpan());
-	return {
-		getTracer(_name?: string, _version?: string) {
-			return noopTracer;
-		},
-	};
-}
-
-function createNoopOpenTelemetryAPI(): OpenTelemetryAPI {
-	return {
-		SpanStatusCode: {
-			UNSET: 0,
-			OK: 1,
-			ERROR: 2,
-		},
-		trace: createNoopTraceAPI(),
-	} as OpenTelemetryAPI;
-}
-
-const noopOpenTelemetryAPI = createNoopOpenTelemetryAPI();
+import type { OpenTelemetryAPI } from "./noop";
+import { noopOpenTelemetryAPI } from "./noop";
 
 let openTelemetryAPIPromise: Promise<void> | undefined;
 let openTelemetryAPI: OpenTelemetryAPI | undefined;

package/src/instrumentation/noop.ts

@@ -0,0 +1,74 @@
+import type { Span, Tracer } from "@opentelemetry/api";
+
+export type OpenTelemetryAPI = Pick<
+	typeof import("@opentelemetry/api"),
+	"trace" | "SpanStatusCode"
+>;
+
+function createNoopSpan(): Span {
+	const span = {
+		end(): void {},
+		setAttribute(_key: string, _value: unknown): void {},
+		setStatus(_status: unknown): void {},
+		recordException(_exception: unknown): void {},
+		updateName(_name: string) {
+			return span;
+		},
+	} as unknown as Span;
+	return span;
+}
+
+function createNoopTracer(noopSpan: Span): Tracer {
+	// OpenTelemetry `Tracer.startActiveSpan` has three overloads:
+	//   (name, fn)
+	//   (name, options, fn)
+	//   (name, options, context, fn)
+	// The callback is always the last argument; fish it out by arity so a
+	// 2-arg call (options omitted) doesn't try to invoke `undefined`.
+	function startActiveSpan<F extends (span: Span) => unknown>(
+		_name: string,
+		fn: F,
+	): ReturnType<F>;
+	function startActiveSpan<F extends (span: Span) => unknown>(
+		_name: string,
+		_options: { attributes?: Record<string, string | number | boolean> },
+		fn: F,
+	): ReturnType<F>;
+	function startActiveSpan<F extends (span: Span) => unknown>(
+		_name: string,
+		_options: { attributes?: Record<string, string | number | boolean> },
+		_context: unknown,
+		fn: F,
+	): ReturnType<F>;
+	function startActiveSpan(_name: string, ...rest: Array<unknown>): unknown {
+		const fn = rest[rest.length - 1] as (span: Span) => unknown;
+		return fn(noopSpan);
+	}
+	return { startActiveSpan } as Tracer;
+}
+
+function createNoopTraceAPI() {
+	const noopTracer = createNoopTracer(createNoopSpan());
+	return {
+		getTracer(_name?: string, _version?: string) {
+			return noopTracer;
+		},
+		getActiveSpan(): Span | undefined {
+			return undefined;
+		},
+	};
+}
+
+function createNoopOpenTelemetryAPI(): OpenTelemetryAPI {
+	return {
+		SpanStatusCode: {
+			UNSET: 0,
+			OK: 1,
+			ERROR: 2,
+		},
+		trace: createNoopTraceAPI(),
+	} as OpenTelemetryAPI;
+}
+
+export const noopOpenTelemetryAPI: OpenTelemetryAPI =
+	createNoopOpenTelemetryAPI();

package/src/instrumentation/pure.index.ts

@@ -0,0 +1,31 @@
+/**
+ * Noop variant of `./instrumentation` for runtimes where the dynamic
+ * `import("@opentelemetry/api")` in `./api` throws synchronously instead of
+ * rejecting its returned promise. Convex's V8 isolate is the reproducer: bare
+ * specifiers are rejected at resolve time in `get-convex/convex-backend`
+ * `crates/isolate/src/request_scope.rs`, so the `.catch()` in
+ * `getOpenTelemetryAPI` never runs and every `withSpan` call surfaces an
+ * uncaught error.
+ *
+ * Public surface must stay identical to `./index` (enforced by `pure.test.ts`).
+ */
+
+export * from "./attributes";
+
+export function withSpan<T>(
+	name: string,
+	attributes: Record<string, string | number | boolean>,
+	fn: () => T,
+): T;
+export function withSpan<T>(
+	name: string,
+	attributes: Record<string, string | number | boolean>,
+	fn: () => Promise<T>,
+): Promise<T>;
+export function withSpan<T>(
+	_name: string,
+	_attributes: Record<string, string | number | boolean>,
+	fn: () => T | Promise<T>,
+): T | Promise<T> {
+	return fn();
+}

package/src/oauth2/index.ts

@@ -15,7 +15,11 @@ export {
 	refreshAccessToken,
 	refreshAccessTokenRequest,
 } from "./refresh-access-token";
-export { generateCodeChallenge, getOAuth2Tokens } from "./utils";
+export {
+	generateCodeChallenge,
+	getOAuth2Tokens,
+	getPrimaryClientId,
+} from "./utils";
 export {
 	authorizationCodeRequest,
 	createAuthorizationCodeRequest,

package/src/oauth2/utils.ts

@@ -28,6 +28,19 @@ export function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens {
 	};
 }
 
+/**
+ * Return the provider's primary Client ID: the single string, or the entry at
+ * array index 0 for the cross-platform form used by ID token audience
+ * verification. Index 0 is the designated primary and pairs with
+ * `clientSecret` for the authorization code flow; later array entries are
+ * only used as additional accepted audiences. Returns `undefined` when the
+ * primary value is missing or an empty string.
+ */
+export function getPrimaryClientId(clientId: unknown): string | undefined {
+	const value = Array.isArray(clientId) ? clientId[0] : clientId;
+	return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+
 export async function generateCodeChallenge(codeVerifier: string) {
 	const encoder = new TextEncoder();
 	const data = encoder.encode(codeVerifier);

package/src/social-providers/apple.ts

@@ -1,10 +1,12 @@
 import { betterFetch } from "@better-fetch/fetch";
 
 import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
-import { APIError } from "../error";
+import { logger } from "../env";
+import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
@@ -70,7 +72,7 @@ export interface AppleNonConformUser {
 }
 
 export interface AppleOptions extends ProviderOptions<AppleProfile> {
-	clientId: string;
+	clientId: string | string[];
 	appBundleIdentifier?: string | undefined;
 	audience?: (string | string[]) | undefined;
 }
@@ -81,6 +83,12 @@ export const apple = (options: AppleOptions) => {
 		id: "apple",
 		name: "Apple",
 		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error(
+					"Client ID and client secret are required for Apple. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
 			if (options.scope) _scope.push(...options.scope);
 			if (scopes) _scope.push(...scopes);

package/src/social-providers/cognito.ts

@@ -5,6 +5,7 @@ import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
@@ -30,7 +31,7 @@ export interface CognitoProfile {
 }
 
 export interface CognitoOptions extends ProviderOptions<CognitoProfile> {
-	clientId: string;
+	clientId: string | string[];
 	/**
 	 * The Cognito domain (e.g., "your-app.auth.us-east-1.amazoncognito.com")
 	 */
@@ -60,7 +61,7 @@ export const cognito = (options: CognitoOptions) => {
 		id: "cognito",
 		name: "Cognito",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
-			if (!options.clientId) {
+			if (!getPrimaryClientId(options.clientId)) {
 				logger.error(
 					"ClientId is required for Amazon Cognito. Make sure to provide them in the options.",
 				);

package/src/social-providers/facebook.ts

@@ -1,8 +1,11 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { createRemoteJWKSet, decodeJwt, jwtVerify } from "jose";
+import { logger } from "../env";
+import { BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
@@ -22,7 +25,7 @@ export interface FacebookProfile {
 }
 
 export interface FacebookOptions extends ProviderOptions<FacebookProfile> {
-	clientId: string;
+	clientId: string | string[];
 	/**
 	 * Extend list of fields to retrieve from the Facebook user profile.
 	 *
@@ -41,6 +44,12 @@ export const facebook = (options: FacebookOptions) => {
 		id: "facebook",
 		name: "Facebook",
 		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error(
+					"Client ID and client secret are required for Facebook. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["email", "public_profile"];

package/src/social-providers/google.ts

@@ -5,6 +5,7 @@ import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
@@ -37,7 +38,7 @@ export interface GoogleProfile {
 }
 
 export interface GoogleOptions extends ProviderOptions<GoogleProfile> {
-	clientId: string;
+	clientId: string | string[];
 	/**
 	 * The access type to use for the authorization code request
 	 */
@@ -64,7 +65,7 @@ export const google = (options: GoogleOptions) => {
 			loginHint,
 			display,
 		}) {
-			if (!options.clientId || !options.clientSecret) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error(
 					"Client Id and Client Secret is required for Google. Make sure to provide them in the options.",
 				);

package/src/social-providers/microsoft-entra-id.ts

@@ -2,10 +2,11 @@ import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 import { logger } from "../env";
-import { APIError } from "../error";
+import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
@@ -116,7 +117,7 @@ export interface MicrosoftEntraIDProfile extends Record<string, any> {
 
 export interface MicrosoftOptions
 	extends ProviderOptions<MicrosoftEntraIDProfile> {
-	clientId: string;
+	clientId: string | string[];
 	/**
 	 * The tenant ID of the Microsoft account
 	 * @default "common"
@@ -149,6 +150,15 @@ export const microsoft = (options: MicrosoftOptions) => {
 		id: "microsoft",
 		name: "Microsoft EntraID",
 		createAuthorizationURL(data) {
+			// Microsoft Entra supports public clients (SPA / native apps with
+			// PKCE only), so clientSecret is intentionally not required here.
+			// See https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
+			if (!getPrimaryClientId(options.clientId)) {
+				logger.error(
+					"Client Id is required for Microsoft Entra ID. Make sure to provide it in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const scopes = options.disableDefaultScope
 				? []
 				: ["openid", "profile", "email", "User.Read", "offline_access"];
@@ -190,7 +200,7 @@ export const microsoft = (options: MicrosoftOptions) => {
 				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
 				const verifyOptions: {
 					algorithms: [string];
-					audience: string;
+					audience: string | string[];
 					maxTokenAge: string;
 					issuer?: string;
 				} = {

package/src/utils/is-api-error.ts

@@ -0,0 +1,10 @@
+import { APIError as BaseAPIError } from "better-call";
+import { APIError } from "../error";
+
+export function isAPIError(error: unknown): error is APIError {
+	return (
+		error instanceof BaseAPIError ||
+		error instanceof APIError ||
+		(error as { name?: string })?.name === "APIError"
+	);
+}