@better-auth/core 1.7.0-beta.1 → 1.7.0-beta.3

package/dist/api/index.mjs

@@ -1,6 +1,23 @@
 import { runWithEndpointContext } from "../context/endpoint-context.mjs";
-import { createEndpoint, createMiddleware } from "better-call";
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { createEndpoint, createMiddleware, kAPIErrorHeaderSymbol } from "better-call";
 //#region src/api/index.ts
+/**
+* Better-call's createEndpoint re-throws APIError without exposing the headers
+* accumulated on ctx.responseHeaders (e.g. Set-Cookie from deleteSessionCookie
+* before throw). Attach them to the error via kAPIErrorHeaderSymbol — matching
+* better-call's createMiddleware contract so the outer pipeline can merge them
+* into the response.
+*/
+function attachResponseHeadersToAPIError(responseHeaders, e) {
+	if (!isAPIError(e) || !responseHeaders) return;
+	Object.defineProperty(e, kAPIErrorHeaderSymbol, {
+		enumerable: false,
+		configurable: true,
+		value: responseHeaders,
+		writable: false
+	});
+}
 const optionsMiddleware = createMiddleware(async () => {
 	/**
 	* This will be passed on the instance of
@@ -17,14 +34,23 @@ function createAuthEndpoint(pathOrOptions, handlerOrOptions, handlerOrNever) {
 	const path = typeof pathOrOptions === "string" ? pathOrOptions : void 0;
 	const options = typeof handlerOrOptions === "object" ? handlerOrOptions : pathOrOptions;
 	const handler = typeof handlerOrOptions === "function" ? handlerOrOptions : handlerOrNever;
+	const wrapped = async (ctx) => {
+		const runtimeCtx = ctx;
+		try {
+			return await runWithEndpointContext(ctx, () => handler(ctx));
+		} catch (e) {
+			attachResponseHeadersToAPIError(runtimeCtx.responseHeaders, e);
+			throw e;
+		}
+	};
 	if (path) return createEndpoint(path, {
 		...options,
 		use: [...options?.use || [], ...use]
-	}, async (ctx) => runWithEndpointContext(ctx, () => handler(ctx)));
+	}, wrapped);
 	return createEndpoint({
 		...options,
 		use: [...options?.use || [], ...use]
-	}, async (ctx) => runWithEndpointContext(ctx, () => handler(ctx)));
+	}, wrapped);
 }
 //#endregion
 export { createAuthEndpoint, createAuthMiddleware, optionsMiddleware };

package/dist/context/global.mjs

@@ -2,7 +2,7 @@
 const symbol = Symbol.for("better-auth:global");
 let bind = null;
 const __context = {};
-const __betterAuthVersion = "1.7.0-beta.1";
+const __betterAuthVersion = "1.7.0-beta.3";
 /**
 * We store context instance in the globalThis.
 *

package/dist/db/adapter/factory.mjs

@@ -1,9 +1,7 @@
+import { BetterAuthError } from "../../error/index.mjs";
 import { getAuthTables } from "../get-tables.mjs";
 import { getColorDepth } from "../../env/color-depth.mjs";
 import { TTY_COLORS, createLogger } from "../../env/logger.mjs";
-import { BetterAuthError } from "../../error/index.mjs";
-import { ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME } from "../../instrumentation/attributes.mjs";
-import { withSpan } from "../../instrumentation/tracer.mjs";
 import { safeJSONParse } from "../../utils/json.mjs";
 import { initGetDefaultModelName } from "./get-default-model-name.mjs";
 import { initGetDefaultFieldName } from "./get-default-field-name.mjs";
@@ -12,6 +10,7 @@ import { initGetFieldAttributes } from "./get-field-attributes.mjs";
 import { initGetFieldName } from "./get-field-name.mjs";
 import { initGetModelName } from "./get-model-name.mjs";
 import { withApplyDefault } from "./utils.mjs";
+import { ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, withSpan } from "@better-auth/core/instrumentation";
 //#region src/db/adapter/factory.ts
 let debugLogs = [];
 let transactionId = -1;

package/dist/db/adapter/get-id-field.mjs

@@ -40,12 +40,12 @@ const initGetIdField = ({ usePlural, schema, disableIdGeneration, options, custo
 					if (useUUIDs) {
 						if (shouldGenerateId && !forceAllowId) return value;
 						if (disableIdGeneration) return void 0;
-						if (supportsUUIDs) return void 0;
 						if (forceAllowId && typeof value === "string") if (/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(value)) return value;
 						else {
 							const stack = (/* @__PURE__ */ new Error()).stack?.split("\n").filter((_, i) => i !== 1).join("\n").replace("Error:", "");
 							logger.warn("[Adapter Factory] - Invalid UUID value for field `id` provided when `forceAllowId` is true. Generating a new UUID.", stack);
 						}
+						if (supportsUUIDs) return void 0;
 						if (typeof value !== "string" && !supportsUUIDs) return crypto.randomUUID();
 						return;
 					}

package/dist/instrumentation/api.mjs

@@ -0,0 +1,12 @@
+import { noopOpenTelemetryAPI } from "./noop.mjs";
+//#region src/instrumentation/api.ts
+let openTelemetryAPIPromise;
+let openTelemetryAPI;
+function getOpenTelemetryAPI() {
+	if (!openTelemetryAPIPromise) openTelemetryAPIPromise = import("@opentelemetry/api").then((mod) => {
+		openTelemetryAPI = mod;
+	}).catch(() => void 0);
+	return openTelemetryAPI ?? noopOpenTelemetryAPI;
+}
+//#endregion
+export { getOpenTelemetryAPI };

package/dist/instrumentation/noop.mjs

@@ -0,0 +1,42 @@
+//#region src/instrumentation/noop.ts
+function createNoopSpan() {
+	const span = {
+		end() {},
+		setAttribute(_key, _value) {},
+		setStatus(_status) {},
+		recordException(_exception) {},
+		updateName(_name) {
+			return span;
+		}
+	};
+	return span;
+}
+function createNoopTracer(noopSpan) {
+	function startActiveSpan(_name, ...rest) {
+		const fn = rest[rest.length - 1];
+		return fn(noopSpan);
+	}
+	return { startActiveSpan };
+}
+function createNoopTraceAPI() {
+	const noopTracer = createNoopTracer(createNoopSpan());
+	return {
+		getTracer(_name, _version) {
+			return noopTracer;
+		},
+		getActiveSpan() {}
+	};
+}
+function createNoopOpenTelemetryAPI() {
+	return {
+		SpanStatusCode: {
+			UNSET: 0,
+			OK: 1,
+			ERROR: 2
+		},
+		trace: createNoopTraceAPI()
+	};
+}
+const noopOpenTelemetryAPI = createNoopOpenTelemetryAPI();
+//#endregion
+export { noopOpenTelemetryAPI };

package/dist/instrumentation/pure.index.d.mts

@@ -0,0 +1,7 @@
+import { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID } from "./attributes.mjs";
+
+//#region src/instrumentation/pure.index.d.ts
+declare function withSpan<T>(name: string, attributes: Record<string, string | number | boolean>, fn: () => T): T;
+declare function withSpan<T>(name: string, attributes: Record<string, string | number | boolean>, fn: () => Promise<T>): Promise<T>;
+//#endregion
+export { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan };

package/dist/instrumentation/pure.index.mjs

@@ -0,0 +1,7 @@
+import { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID } from "./attributes.mjs";
+//#region src/instrumentation/pure.index.ts
+function withSpan(_name, _attributes, fn) {
+	return fn();
+}
+//#endregion
+export { ATTR_CONTEXT, ATTR_DB_COLLECTION_NAME, ATTR_DB_OPERATION_NAME, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_OPERATION_ID, withSpan };

package/dist/instrumentation/tracer.mjs

@@ -1,7 +1,8 @@
 import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes.mjs";
-import { SpanStatusCode, trace } from "@opentelemetry/api";
+import { getOpenTelemetryAPI } from "./api.mjs";
 //#region src/instrumentation/tracer.ts
-const tracer = trace.getTracer("better-auth", "1.7.0-beta.1");
+const INSTRUMENTATION_SCOPE = "better-auth";
+const INSTRUMENTATION_VERSION = "1.7.0-beta.3";
 /**
 * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
 * callbacks). These are APIErrors with 3xx status codes and should not be
@@ -15,6 +16,7 @@ function isRedirectError(err) {
 	return false;
 }
 function endSpanWithError(span, err) {
+	const { SpanStatusCode } = getOpenTelemetryAPI();
 	if (isRedirectError(err)) {
 		span.setAttribute(ATTR_HTTP_RESPONSE_STATUS_CODE, err.statusCode);
 		span.setStatus({ code: SpanStatusCode.OK });
@@ -28,7 +30,8 @@ function endSpanWithError(span, err) {
 	span.end();
 }
 function withSpan(name, attributes, fn) {
-	return tracer.startActiveSpan(name, { attributes }, (span) => {
+	const { trace } = getOpenTelemetryAPI();
+	return trace.getTracer(INSTRUMENTATION_SCOPE, INSTRUMENTATION_VERSION).startActiveSpan(name, { attributes }, (span) => {
 		try {
 			const result = fn();
 			if (result instanceof Promise) return result.then((value) => {

package/dist/oauth2/index.d.mts

@@ -3,7 +3,7 @@ import { OAuth2Tokens, OAuth2UserInfo, OAuthProvider, ProviderOptions } from "./
 import { clientCredentialsToken, clientCredentialsTokenRequest, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
 import { createAuthorizationURL } from "./create-authorization-url.mjs";
 import { createRefreshAccessTokenRequest, refreshAccessToken, refreshAccessTokenRequest } from "./refresh-access-token.mjs";
-import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId } from "./utils.mjs";
 import { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
 import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
-export { ASSERTION_SIGNING_ALGORITHMS, type AssertionSigningAlgorithm, CLIENT_ASSERTION_TYPE, type ClientAssertionConfig, type OAuth2Tokens, type OAuth2UserInfo, type OAuthProvider, type ProviderOptions, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, refreshAccessTokenRequest, resolveAssertionParams, signClientAssertion, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };
+export { ASSERTION_SIGNING_ALGORITHMS, type AssertionSigningAlgorithm, CLIENT_ASSERTION_TYPE, type ClientAssertionConfig, type OAuth2Tokens, type OAuth2UserInfo, type OAuthProvider, type ProviderOptions, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, getPrimaryClientId, refreshAccessToken, refreshAccessTokenRequest, resolveAssertionParams, signClientAssertion, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/index.mjs

@@ -1,8 +1,8 @@
 import { ASSERTION_SIGNING_ALGORITHMS, CLIENT_ASSERTION_TYPE, resolveAssertionParams, signClientAssertion } from "./client-assertion.mjs";
 import { clientCredentialsToken, clientCredentialsTokenRequest, createClientCredentialsTokenRequest } from "./client-credentials-token.mjs";
-import { generateCodeChallenge, getOAuth2Tokens } from "./utils.mjs";
+import { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId } from "./utils.mjs";
 import { createAuthorizationURL } from "./create-authorization-url.mjs";
 import { createRefreshAccessTokenRequest, refreshAccessToken, refreshAccessTokenRequest } from "./refresh-access-token.mjs";
 import { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken } from "./validate-authorization-code.mjs";
 import { getJwks, verifyAccessToken, verifyJwsAccessToken } from "./verify.mjs";
-export { ASSERTION_SIGNING_ALGORITHMS, CLIENT_ASSERTION_TYPE, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, refreshAccessToken, refreshAccessTokenRequest, resolveAssertionParams, signClientAssertion, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };
+export { ASSERTION_SIGNING_ALGORITHMS, CLIENT_ASSERTION_TYPE, authorizationCodeRequest, clientCredentialsToken, clientCredentialsTokenRequest, createAuthorizationCodeRequest, createAuthorizationURL, createClientCredentialsTokenRequest, createRefreshAccessTokenRequest, generateCodeChallenge, getJwks, getOAuth2Tokens, getPrimaryClientId, refreshAccessToken, refreshAccessTokenRequest, resolveAssertionParams, signClientAssertion, validateAuthorizationCode, validateToken, verifyAccessToken, verifyJwsAccessToken };

package/dist/oauth2/utils.d.mts

@@ -2,6 +2,15 @@ import { OAuth2Tokens } from "./oauth-provider.mjs";
 
 //#region src/oauth2/utils.d.ts
 declare function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens;
+/**
+ * Return the provider's primary Client ID: the single string, or the entry at
+ * array index 0 for the cross-platform form used by ID token audience
+ * verification. Index 0 is the designated primary and pairs with
+ * `clientSecret` for the authorization code flow; later array entries are
+ * only used as additional accepted audiences. Returns `undefined` when the
+ * primary value is missing or an empty string.
+ */
+declare function getPrimaryClientId(clientId: unknown): string | undefined;
 declare function generateCodeChallenge(codeVerifier: string): Promise<string>;
 //#endregion
-export { generateCodeChallenge, getOAuth2Tokens };
+export { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };

package/dist/oauth2/utils.mjs

@@ -16,10 +16,22 @@ function getOAuth2Tokens(data) {
 		raw: data
 	};
 }
+/**
+* Return the provider's primary Client ID: the single string, or the entry at
+* array index 0 for the cross-platform form used by ID token audience
+* verification. Index 0 is the designated primary and pairs with
+* `clientSecret` for the authorization code flow; later array entries are
+* only used as additional accepted audiences. Returns `undefined` when the
+* primary value is missing or an empty string.
+*/
+function getPrimaryClientId(clientId) {
+	const value = Array.isArray(clientId) ? clientId[0] : clientId;
+	return typeof value === "string" && value.length > 0 ? value : void 0;
+}
 async function generateCodeChallenge(codeVerifier) {
 	const data = new TextEncoder().encode(codeVerifier);
 	const hash = await crypto.subtle.digest("SHA-256", data);
 	return base64Url.encode(new Uint8Array(hash), { padding: false });
 }
 //#endregion
-export { generateCodeChallenge, getOAuth2Tokens };
+export { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };

package/dist/social-providers/apple.d.mts

@@ -12,7 +12,7 @@ interface AppleProfile {
    * The email address is either the user's real email address or the proxy
    * address, depending on their status private email relay service.
    */
-  email: string;
+  email?: string;
   /**
    * A string or Boolean value that indicates whether the service verifies
    * the email. The value can either be a string ("true" or "false") or a
@@ -60,7 +60,7 @@ interface AppleNonConformUser {
   email: string;
 }
 interface AppleOptions extends ProviderOptions<AppleProfile> {
-  clientId: string;
+  clientId: string | string[];
   appBundleIdentifier?: string | undefined;
   audience?: (string | string[]) | undefined;
 }
@@ -93,7 +93,23 @@ declare const apple: (options: AppleOptions) => {
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
     user?: {
-      name?: {
+      name /**
+            * An Integer value that indicates whether the user appears to be a real
+            * person. Use the value of this claim to mitigate fraud. The possible
+            * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+            * more information, see ASUserDetectionStatus. This claim is present only
+            * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+            * and later. The claim isn’t present or supported for web-based apps.
+            */?
+      /**
+      * An Integer value that indicates whether the user appears to be a real
+      * person. Use the value of this claim to mitigate fraud. The possible
+      * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
+      * more information, see ASUserDetectionStatus. This claim is present only
+      * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
+      * and later. The claim isn’t present or supported for web-based apps.
+      */
+      : {
         firstName?: string;
         lastName?: string;
       };

package/dist/social-providers/apple.mjs

@@ -1,4 +1,6 @@
-import { APIError } from "../error/index.mjs";
+import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -11,6 +13,10 @@ const apple = (options) => {
 		id: "apple",
 		name: "Apple",
 		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error("Client ID and client secret are required for Apple. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
 			if (options.scope) _scope.push(...options.scope);
 			if (scopes) _scope.push(...scopes);

package/dist/social-providers/atlassian.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/social-providers/cognito.d.mts

@@ -19,7 +19,7 @@ interface CognitoProfile {
   [key: string]: any;
 }
 interface CognitoOptions extends ProviderOptions<CognitoProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * The Cognito domain (e.g., "your-app.auth.us-east-1.amazoncognito.com")
    */

package/dist/social-providers/cognito.mjs

@@ -1,5 +1,6 @@
-import { logger } from "../env/logger.mjs";
 import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -19,7 +20,7 @@ const cognito = (options) => {
 		id: "cognito",
 		name: "Cognito",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
-			if (!options.clientId) {
+			if (!getPrimaryClientId(options.clientId)) {
 				logger.error("ClientId is required for Amazon Cognito. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}

package/dist/social-providers/discord.d.mts

@@ -38,7 +38,7 @@ interface DiscordProfile extends Record<string, any> {
   /** whether the email on this account has been verified */
   verified: boolean;
   /** the user's email */
-  email: string;
+  email?: string | null;
   /**
    * the flags on a user's account:
    * https://discord.com/developers/docs/resources/user#user-object-user-flags

package/dist/social-providers/facebook.d.mts

@@ -3,8 +3,8 @@ import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
 interface FacebookProfile {
   id: string;
   name: string;
-  email: string;
-  email_verified: boolean;
+  email?: string;
+  email_verified?: boolean;
   picture: {
     data: {
       height: number;
@@ -15,7 +15,7 @@ interface FacebookProfile {
   };
 }
 interface FacebookOptions extends ProviderOptions<FacebookProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * Extend list of fields to retrieve from the Facebook user profile.
    *

package/dist/social-providers/facebook.mjs

@@ -1,3 +1,6 @@
+import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -9,6 +12,10 @@ const facebook = (options) => {
 		id: "facebook",
 		name: "Facebook",
 		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error("Client ID and client secret are required for Facebook. Make sure to provide them in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scopes = options.disableDefaultScope ? [] : ["email", "public_profile"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -104,7 +111,7 @@ const facebook = (options) => {
 					name: profile.name,
 					email: profile.email,
 					image: profile.picture.data.url,
-					emailVerified: profile.email_verified,
+					emailVerified: profile.email_verified ?? false,
 					...userMap
 				},
 				data: profile

package/dist/social-providers/figma.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/social-providers/github.d.mts

@@ -23,7 +23,7 @@ interface GithubProfile {
   company: string;
   blog: string;
   location: string;
-  email: string;
+  email: string | null;
   hireable: boolean;
   bio: string;
   twitter_username: string;

package/dist/social-providers/google.d.mts

@@ -27,7 +27,7 @@ interface GoogleProfile {
   sub: string;
 }
 interface GoogleOptions extends ProviderOptions<GoogleProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * The access type to use for the authorization code request
    */

package/dist/social-providers/google.mjs

@@ -1,5 +1,6 @@
-import { logger } from "../env/logger.mjs";
 import { APIError, BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -11,7 +12,7 @@ const google = (options) => {
 		id: "google",
 		name: "Google",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, display }) {
-			if (!options.clientId || !options.clientSecret) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}

package/dist/social-providers/linkedin.d.mts

@@ -10,8 +10,8 @@ interface LinkedInProfile {
     country: string;
     language: string;
   };
-  email: string;
-  email_verified: boolean;
+  email?: string;
+  email_verified?: boolean;
 }
 interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
   clientId: string;

package/dist/social-providers/linkedin.mjs

@@ -59,7 +59,7 @@ const linkedin = (options) => {
 					id: profile.sub,
 					name: profile.name,
 					email: profile.email,
-					emailVerified: profile.email_verified || false,
+					emailVerified: profile.email_verified ?? false,
 					image: profile.picture,
 					...userMap
 				},

package/dist/social-providers/microsoft-entra-id.d.mts

@@ -25,7 +25,7 @@ interface MicrosoftEntraIDProfile extends Record<string, any> {
   /** The primary username that represents the user */
   preferred_username: string;
   /** User's email address */
-  email: string;
+  email?: string;
   /** Human-readable value that identifies the subject of the token */
   name: string;
   /** Matches the parameter included in the original authorize request */
@@ -104,7 +104,7 @@ interface MicrosoftEntraIDProfile extends Record<string, any> {
   given_name: string;
 }
 interface MicrosoftOptions extends ProviderOptions<MicrosoftEntraIDProfile> {
-  clientId: string;
+  clientId: string | string[];
   /**
    * The tenant ID of the Microsoft account
    * @default "common"
@@ -151,7 +151,7 @@ declare const microsoft: (options: MicrosoftOptions) => {
     user?: {
       name?: {
         firstName?: string;
-        lastName?: string;
+        lastName? /** The primary username that represents the user */: string;
       };
       email?: string;
     } | undefined;

package/dist/social-providers/microsoft-entra-id.mjs

@@ -1,5 +1,6 @@
+import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { APIError } from "../error/index.mjs";
+import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
@@ -16,6 +17,10 @@ const microsoft = (options) => {
 		id: "microsoft",
 		name: "Microsoft EntraID",
 		createAuthorizationURL(data) {
+			if (!getPrimaryClientId(options.clientId)) {
+				logger.error("Client Id is required for Microsoft Entra ID. Make sure to provide it in the options.");
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const scopes = options.disableDefaultScope ? [] : [
 				"openid",
 				"profile",

package/dist/social-providers/paybin.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/social-providers/paypal.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { decodeJwt } from "jose";
 import { base64 } from "@better-auth/utils/base64";

package/dist/social-providers/salesforce.mjs

@@ -1,5 +1,5 @@
-import { logger } from "../env/logger.mjs";
 import { BetterAuthError } from "../error/index.mjs";
+import { logger } from "../env/logger.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";

package/dist/types/context.d.mts

@@ -83,7 +83,12 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
   updateSession(sessionToken: string, session: Partial<Session> & Record<string, any>): Promise<Session | null>;
   deleteSession(token: string): Promise<void>;
   deleteAccounts(userId: string): Promise<void>;
-  deleteAccount(accountId: string): Promise<void>;
+  /**
+   * Delete an account by its primary key.
+   *
+   * @param id - The account row's primary key (the `id` column, not the `accountId` column).
+   */
+  deleteAccount(id: string): Promise<void>;
   deleteSessions(userIdOrSessionTokens: string | string[]): Promise<void>;
   findOAuthUser(email: string, accountId: string, providerId: string): Promise<{
     user: User;
@@ -110,6 +115,7 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
   findVerificationValue(identifier: string): Promise<Verification | null>;
   deleteVerificationByIdentifier(identifier: string): Promise<void>;
   updateVerificationByIdentifier(identifier: string, data: Partial<Verification>): Promise<Verification>;
+  refreshUserSessions(user: User): Promise<void>;
 }
 type CreateCookieGetterFn = (cookieName: string, overrideAttributes?: Partial<CookieOptions> | undefined) => BetterAuthCookie;
 type CheckPasswordFn<Options extends BetterAuthOptions = BetterAuthOptions> = (userId: string, ctx: GenericEndpointContext<Options>) => Promise<boolean>;

package/dist/utils/async.d.mts

@@ -0,0 +1,22 @@
+import { Awaitable } from "../types/helper.mjs";
+
+//#region src/utils/async.d.ts
+interface MapConcurrentOptions {
+  /**
+   * Max in-flight mappers. Non-integer values are floored, then clamped
+   * to the range `[1, items.length]`. `NaN` falls back to 1.
+   */
+  concurrency: number;
+  /**
+   * Rejects with `signal.reason` when aborted. In-flight mappers keep
+   * running but their results are not returned.
+   */
+  signal?: AbortSignal;
+}
+/**
+ * Run an async mapper over items with bounded concurrency.
+ * Preserves input order in the result. Fails fast on the first rejection.
+ */
+declare function mapConcurrent<T, R>(items: readonly T[], fn: (item: T, index: number) => Awaitable<R>, options: MapConcurrentOptions): Promise<R[]>;
+//#endregion
+export { MapConcurrentOptions, mapConcurrent };