@better-auth/core 1.7.0-beta.1 → 1.7.0-beta.3

package/src/instrumentation/noop.ts

@@ -0,0 +1,74 @@
+import type { Span, Tracer } from "@opentelemetry/api";
+
+export type OpenTelemetryAPI = Pick<
+	typeof import("@opentelemetry/api"),
+	"trace" | "SpanStatusCode"
+>;
+
+function createNoopSpan(): Span {
+	const span = {
+		end(): void {},
+		setAttribute(_key: string, _value: unknown): void {},
+		setStatus(_status: unknown): void {},
+		recordException(_exception: unknown): void {},
+		updateName(_name: string) {
+			return span;
+		},
+	} as unknown as Span;
+	return span;
+}
+
+function createNoopTracer(noopSpan: Span): Tracer {
+	// OpenTelemetry `Tracer.startActiveSpan` has three overloads:
+	//   (name, fn)
+	//   (name, options, fn)
+	//   (name, options, context, fn)
+	// The callback is always the last argument; fish it out by arity so a
+	// 2-arg call (options omitted) doesn't try to invoke `undefined`.
+	function startActiveSpan<F extends (span: Span) => unknown>(
+		_name: string,
+		fn: F,
+	): ReturnType<F>;
+	function startActiveSpan<F extends (span: Span) => unknown>(
+		_name: string,
+		_options: { attributes?: Record<string, string | number | boolean> },
+		fn: F,
+	): ReturnType<F>;
+	function startActiveSpan<F extends (span: Span) => unknown>(
+		_name: string,
+		_options: { attributes?: Record<string, string | number | boolean> },
+		_context: unknown,
+		fn: F,
+	): ReturnType<F>;
+	function startActiveSpan(_name: string, ...rest: Array<unknown>): unknown {
+		const fn = rest[rest.length - 1] as (span: Span) => unknown;
+		return fn(noopSpan);
+	}
+	return { startActiveSpan } as Tracer;
+}
+
+function createNoopTraceAPI() {
+	const noopTracer = createNoopTracer(createNoopSpan());
+	return {
+		getTracer(_name?: string, _version?: string) {
+			return noopTracer;
+		},
+		getActiveSpan(): Span | undefined {
+			return undefined;
+		},
+	};
+}
+
+function createNoopOpenTelemetryAPI(): OpenTelemetryAPI {
+	return {
+		SpanStatusCode: {
+			UNSET: 0,
+			OK: 1,
+			ERROR: 2,
+		},
+		trace: createNoopTraceAPI(),
+	} as OpenTelemetryAPI;
+}
+
+export const noopOpenTelemetryAPI: OpenTelemetryAPI =
+	createNoopOpenTelemetryAPI();

package/src/instrumentation/pure.index.ts

@@ -0,0 +1,31 @@
+/**
+ * Noop variant of `./instrumentation` for runtimes where the dynamic
+ * `import("@opentelemetry/api")` in `./api` throws synchronously instead of
+ * rejecting its returned promise. Convex's V8 isolate is the reproducer: bare
+ * specifiers are rejected at resolve time in `get-convex/convex-backend`
+ * `crates/isolate/src/request_scope.rs`, so the `.catch()` in
+ * `getOpenTelemetryAPI` never runs and every `withSpan` call surfaces an
+ * uncaught error.
+ *
+ * Public surface must stay identical to `./index` (enforced by `pure.test.ts`).
+ */
+
+export * from "./attributes";
+
+export function withSpan<T>(
+	name: string,
+	attributes: Record<string, string | number | boolean>,
+	fn: () => T,
+): T;
+export function withSpan<T>(
+	name: string,
+	attributes: Record<string, string | number | boolean>,
+	fn: () => Promise<T>,
+): Promise<T>;
+export function withSpan<T>(
+	_name: string,
+	_attributes: Record<string, string | number | boolean>,
+	fn: () => T | Promise<T>,
+): T | Promise<T> {
+	return fn();
+}

package/src/instrumentation/tracer.ts

@@ -1,12 +1,10 @@
 import type { Span } from "@opentelemetry/api";
-import { SpanStatusCode, trace } from "@opentelemetry/api";
+import { getOpenTelemetryAPI } from "./api";
 import { ATTR_HTTP_RESPONSE_STATUS_CODE } from "./attributes";
 
 const INSTRUMENTATION_SCOPE = "better-auth";
 const INSTRUMENTATION_VERSION = import.meta.env?.BETTER_AUTH_VERSION ?? "1.0.0";
 
-const tracer = trace.getTracer(INSTRUMENTATION_SCOPE, INSTRUMENTATION_VERSION);
-
 /**
  * Better-auth uses `throw ctx.redirect(url)` for flow control (e.g. OAuth
  * callbacks). These are APIErrors with 3xx status codes and should not be
@@ -27,6 +25,7 @@ function isRedirectError(err: unknown): boolean {
 }
 
 function endSpanWithError(span: Span, err: unknown) {
+	const { SpanStatusCode } = getOpenTelemetryAPI();
 	if (isRedirectError(err)) {
 		span.setAttribute(
 			ATTR_HTTP_RESPONSE_STATUS_CODE,
@@ -66,6 +65,12 @@ export function withSpan<T>(
 	attributes: Record<string, string | number | boolean>,
 	fn: () => T | Promise<T>,
 ): T | Promise<T> {
+	const { trace } = getOpenTelemetryAPI();
+	const tracer = trace.getTracer(
+		INSTRUMENTATION_SCOPE,
+		INSTRUMENTATION_VERSION,
+	);
+
 	return tracer.startActiveSpan(name, { attributes }, (span) => {
 		try {
 			const result = fn();

package/src/oauth2/index.ts

@@ -25,7 +25,11 @@ export {
 	refreshAccessToken,
 	refreshAccessTokenRequest,
 } from "./refresh-access-token";
-export { generateCodeChallenge, getOAuth2Tokens } from "./utils";
+export {
+	generateCodeChallenge,
+	getOAuth2Tokens,
+	getPrimaryClientId,
+} from "./utils";
 export {
 	authorizationCodeRequest,
 	createAuthorizationCodeRequest,

package/src/oauth2/utils.ts

@@ -28,6 +28,19 @@ export function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens {
 	};
 }
 
+/**
+ * Return the provider's primary Client ID: the single string, or the entry at
+ * array index 0 for the cross-platform form used by ID token audience
+ * verification. Index 0 is the designated primary and pairs with
+ * `clientSecret` for the authorization code flow; later array entries are
+ * only used as additional accepted audiences. Returns `undefined` when the
+ * primary value is missing or an empty string.
+ */
+export function getPrimaryClientId(clientId: unknown): string | undefined {
+	const value = Array.isArray(clientId) ? clientId[0] : clientId;
+	return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+
 export async function generateCodeChallenge(codeVerifier: string) {
 	const encoder = new TextEncoder();
 	const data = encoder.encode(codeVerifier);

package/src/social-providers/apple.ts

@@ -1,10 +1,12 @@
 import { betterFetch } from "@better-fetch/fetch";
 
 import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
-import { APIError } from "../error";
+import { logger } from "../env";
+import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
@@ -20,7 +22,7 @@ export interface AppleProfile {
 	 * The email address is either the user's real email address or the proxy
 	 * address, depending on their status private email relay service.
 	 */
-	email: string;
+	email?: string;
 	/**
 	 * A string or Boolean value that indicates whether the service verifies
 	 * the email. The value can either be a string ("true" or "false") or a
@@ -70,7 +72,7 @@ export interface AppleNonConformUser {
 }
 
 export interface AppleOptions extends ProviderOptions<AppleProfile> {
-	clientId: string;
+	clientId: string | string[];
 	appBundleIdentifier?: string | undefined;
 	audience?: (string | string[]) | undefined;
 }
@@ -81,6 +83,12 @@ export const apple = (options: AppleOptions) => {
 		id: "apple",
 		name: "Apple",
 		async createAuthorizationURL({ state, scopes, redirectURI }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error(
+					"Client ID and client secret are required for Apple. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
 			if (options.scope) _scope.push(...options.scope);
 			if (scopes) _scope.push(...scopes);

package/src/social-providers/cognito.ts

@@ -5,6 +5,7 @@ import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
@@ -30,7 +31,7 @@ export interface CognitoProfile {
 }
 
 export interface CognitoOptions extends ProviderOptions<CognitoProfile> {
-	clientId: string;
+	clientId: string | string[];
 	/**
 	 * The Cognito domain (e.g., "your-app.auth.us-east-1.amazoncognito.com")
 	 */
@@ -60,7 +61,7 @@ export const cognito = (options: CognitoOptions) => {
 		id: "cognito",
 		name: "Cognito",
 		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
-			if (!options.clientId) {
+			if (!getPrimaryClientId(options.clientId)) {
 				logger.error(
 					"ClientId is required for Amazon Cognito. Make sure to provide them in the options.",
 				);

package/src/social-providers/discord.ts

@@ -41,7 +41,7 @@ export interface DiscordProfile extends Record<string, any> {
 	/** whether the email on this account has been verified */
 	verified: boolean;
 	/** the user's email */
-	email: string;
+	email?: string | null;
 	/**
 	 * the flags on a user's account:
 	 * https://discord.com/developers/docs/resources/user#user-object-user-flags

package/src/social-providers/facebook.ts

@@ -1,16 +1,19 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { createRemoteJWKSet, decodeJwt, jwtVerify } from "jose";
+import { logger } from "../env";
+import { BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
 export interface FacebookProfile {
 	id: string;
 	name: string;
-	email: string;
-	email_verified: boolean;
+	email?: string;
+	email_verified?: boolean;
 	picture: {
 		data: {
 			height: number;
@@ -22,7 +25,7 @@ export interface FacebookProfile {
 }
 
 export interface FacebookOptions extends ProviderOptions<FacebookProfile> {
-	clientId: string;
+	clientId: string | string[];
 	/**
 	 * Extend list of fields to retrieve from the Facebook user profile.
 	 *
@@ -41,6 +44,12 @@ export const facebook = (options: FacebookOptions) => {
 		id: "facebook",
 		name: "Facebook",
 		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
+				logger.error(
+					"Client ID and client secret are required for Facebook. Make sure to provide them in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const _scopes = options.disableDefaultScope
 				? []
 				: ["email", "public_profile"];
@@ -195,7 +204,7 @@ export const facebook = (options: FacebookOptions) => {
 					name: profile.name,
 					email: profile.email,
 					image: profile.picture.data.url,
-					emailVerified: profile.email_verified,
+					emailVerified: profile.email_verified ?? false,
 					...userMap,
 				},
 				data: profile,

package/src/social-providers/github.ts

@@ -31,7 +31,7 @@ export interface GithubProfile {
 	company: string;
 	blog: string;
 	location: string;
-	email: string;
+	email: string | null;
 	hireable: boolean;
 	bio: string;
 	twitter_username: string;

package/src/social-providers/google.ts

@@ -5,6 +5,7 @@ import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
@@ -37,7 +38,7 @@ export interface GoogleProfile {
 }
 
 export interface GoogleOptions extends ProviderOptions<GoogleProfile> {
-	clientId: string;
+	clientId: string | string[];
 	/**
 	 * The access type to use for the authorization code request
 	 */
@@ -64,7 +65,7 @@ export const google = (options: GoogleOptions) => {
 			loginHint,
 			display,
 		}) {
-			if (!options.clientId || !options.clientSecret) {
+			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error(
 					"Client Id and Client Secret is required for Google. Make sure to provide them in the options.",
 				);

package/src/social-providers/linkedin.ts

@@ -16,8 +16,8 @@ export interface LinkedInProfile {
 		country: string;
 		language: string;
 	};
-	email: string;
-	email_verified: boolean;
+	email?: string;
+	email_verified?: boolean;
 }
 
 export interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
@@ -98,7 +98,7 @@ export const linkedin = (options: LinkedInOptions) => {
 					id: profile.sub,
 					name: profile.name,
 					email: profile.email,
-					emailVerified: profile.email_verified || false,
+					emailVerified: profile.email_verified ?? false,
 					image: profile.picture,
 					...userMap,
 				},

package/src/social-providers/microsoft-entra-id.ts

@@ -2,10 +2,11 @@ import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 import { logger } from "../env";
-import { APIError } from "../error";
+import { APIError, BetterAuthError } from "../error";
 import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
+	getPrimaryClientId,
 	refreshAccessToken,
 	validateAuthorizationCode,
 } from "../oauth2";
@@ -35,7 +36,7 @@ export interface MicrosoftEntraIDProfile extends Record<string, any> {
 	/** The primary username that represents the user */
 	preferred_username: string;
 	/** User's email address */
-	email: string;
+	email?: string;
 	/** Human-readable value that identifies the subject of the token */
 	name: string;
 	/** Matches the parameter included in the original authorize request */
@@ -116,7 +117,7 @@ export interface MicrosoftEntraIDProfile extends Record<string, any> {
 
 export interface MicrosoftOptions
 	extends ProviderOptions<MicrosoftEntraIDProfile> {
-	clientId: string;
+	clientId: string | string[];
 	/**
 	 * The tenant ID of the Microsoft account
 	 * @default "common"
@@ -149,6 +150,15 @@ export const microsoft = (options: MicrosoftOptions) => {
 		id: "microsoft",
 		name: "Microsoft EntraID",
 		createAuthorizationURL(data) {
+			// Microsoft Entra supports public clients (SPA / native apps with
+			// PKCE only), so clientSecret is intentionally not required here.
+			// See https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow
+			if (!getPrimaryClientId(options.clientId)) {
+				logger.error(
+					"Client Id is required for Microsoft Entra ID. Make sure to provide it in the options.",
+				);
+				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+			}
 			const scopes = options.disableDefaultScope
 				? []
 				: ["openid", "profile", "email", "User.Read", "offline_access"];
@@ -190,7 +200,7 @@ export const microsoft = (options: MicrosoftOptions) => {
 				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
 				const verifyOptions: {
 					algorithms: [string];
-					audience: string;
+					audience: string | string[];
 					maxTokenAge: string;
 					issuer?: string;
 				} = {

package/src/types/context.ts

@@ -151,7 +151,12 @@ export interface InternalAdapter<
 
 	deleteAccounts(userId: string): Promise<void>;
 
-	deleteAccount(accountId: string): Promise<void>;
+	/**
+	 * Delete an account by its primary key.
+	 *
+	 * @param id - The account row's primary key (the `id` column, not the `accountId` column).
+	 */
+	deleteAccount(id: string): Promise<void>;
 
 	deleteSessions(userIdOrSessionTokens: string | string[]): Promise<void>;
 
@@ -215,6 +220,8 @@ export interface InternalAdapter<
 		identifier: string,
 		data: Partial<Verification>,
 	): Promise<Verification>;
+
+	refreshUserSessions(user: User): Promise<void>;
 }
 
 type CreateCookieGetterFn = (

package/src/utils/async.ts

@@ -0,0 +1,53 @@
+import type { Awaitable } from "../types/helper";
+
+export interface MapConcurrentOptions {
+	/**
+	 * Max in-flight mappers. Non-integer values are floored, then clamped
+	 * to the range `[1, items.length]`. `NaN` falls back to 1.
+	 */
+	concurrency: number;
+	/**
+	 * Rejects with `signal.reason` when aborted. In-flight mappers keep
+	 * running but their results are not returned.
+	 */
+	signal?: AbortSignal;
+}
+
+/**
+ * Run an async mapper over items with bounded concurrency.
+ * Preserves input order in the result. Fails fast on the first rejection.
+ */
+export async function mapConcurrent<T, R>(
+	items: readonly T[],
+	fn: (item: T, index: number) => Awaitable<R>,
+	options: MapConcurrentOptions,
+): Promise<R[]> {
+	const n = items.length;
+	if (n === 0) return [];
+
+	const { signal } = options;
+	if (signal?.aborted) throw signal.reason;
+
+	const raw = Math.floor(options.concurrency);
+	const width = Math.min(n, raw >= 1 ? raw : 1);
+
+	const results = new Array<R>(n);
+	let idx = 0;
+	let failed = false;
+
+	const worker = async (): Promise<void> => {
+		while (!failed && idx < n) {
+			if (signal?.aborted) throw signal.reason;
+			const i = idx++;
+			try {
+				results[i] = await fn(items[i] as T, i);
+			} catch (error) {
+				failed = true;
+				throw error;
+			}
+		}
+	};
+
+	await Promise.all(Array.from({ length: width }, worker));
+	return results;
+}