@better-auth/core 1.7.0-beta.2 → 1.7.0-beta.4

package/dist/social-providers/twitch.d.mts

@@ -35,7 +35,8 @@ declare const twitch: (options: TwitchOptions) => {
   createAuthorizationURL({
     state,
     scopes,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -43,6 +44,7 @@ declare const twitch: (options: TwitchOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,

package/dist/social-providers/twitch.mjs

@@ -9,7 +9,7 @@ const twitch = (options) => {
 	return {
 		id: "twitch",
 		name: "Twitch",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope ? [] : ["user:read:email", "openid"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -25,7 +25,8 @@ const twitch = (options) => {
 					"email_verified",
 					"preferred_username",
 					"picture"
-				]
+				],
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {

package/dist/social-providers/twitter.d.mts

@@ -89,6 +89,7 @@ declare const twitter: (options: TwitterOption) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
@@ -103,9 +104,11 @@ declare const twitter: (options: TwitterOption) => {
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
     user?: {
-      name? /** The start position (zero-based) of the recognized user's profile website. All start indices are inclusive. */: {
+      name?: {
         firstName?: string;
-        lastName?: string;
+        lastName
+
+        /** The fully resolved URL. */? /** The fully resolved URL. */: string;
       };
       email?: string;
     } | undefined;

package/dist/social-providers/twitter.mjs

@@ -24,7 +24,8 @@ const twitter = (options) => {
 				scopes: _scopes,
 				state: data.state,
 				codeVerifier: data.codeVerifier,
-				redirectURI: data.redirectURI
+				redirectURI: data.redirectURI,
+				additionalParams: data.additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/dist/social-providers/vercel.d.mts

@@ -18,7 +18,8 @@ declare const vercel: (options: VercelOptions) => {
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -26,6 +27,7 @@ declare const vercel: (options: VercelOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,

package/dist/social-providers/vercel.mjs

@@ -7,7 +7,7 @@ const vercel = (options) => {
 	return {
 		id: "vercel",
 		name: "Vercel",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Vercel");
 			let _scopes = void 0;
 			if (options.scope !== void 0 || scopes !== void 0) {
@@ -22,7 +22,8 @@ const vercel = (options) => {
 				scopes: _scopes,
 				state,
 				codeVerifier,
-				redirectURI
+				redirectURI,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/dist/social-providers/vk.d.mts

@@ -24,7 +24,8 @@ declare const vk: (options: VkOption) => {
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -32,6 +33,7 @@ declare const vk: (options: VkOption) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,

package/dist/social-providers/vk.mjs

@@ -8,7 +8,7 @@ const vk = (options) => {
 	return {
 		id: "vk",
 		name: "VK",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope ? [] : ["email", "phone"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -19,7 +19,8 @@ const vk = (options) => {
 				scopes: _scopes,
 				state,
 				redirectURI,
-				codeVerifier
+				codeVerifier,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI, deviceId }) => {

package/dist/social-providers/wechat.d.mts

@@ -56,7 +56,8 @@ declare const wechat: (options: WeChatOptions) => {
   createAuthorizationURL({
     state,
     scopes,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -64,6 +65,7 @@ declare const wechat: (options: WeChatOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): URL;
   validateAuthorizationCode: ({
     code

package/dist/social-providers/wechat.mjs

@@ -1,10 +1,11 @@
+import { RESERVED_AUTHORIZATION_PARAMS_SET } from "../oauth2/create-authorization-url.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/wechat.ts
 const wechat = (options) => {
 	return {
 		id: "wechat",
 		name: "WeChat",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
 			options.scope && _scopes.push(...options.scope);
 			scopes && _scopes.push(...scopes);
@@ -15,6 +16,11 @@ const wechat = (options) => {
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
 			url.searchParams.set("state", state);
 			url.searchParams.set("lang", options.lang || "cn");
+			if (additionalParams) for (const [key, value] of Object.entries(additionalParams)) {
+				if (RESERVED_AUTHORIZATION_PARAMS_SET.has(key)) continue;
+				if (key === "appid") continue;
+				url.searchParams.set(key, value);
+			}
 			url.hash = "wechat_redirect";
 			return url;
 		},

package/dist/social-providers/zoom.d.mts

@@ -119,7 +119,8 @@ declare const zoom: (userOptions: ZoomOptions) => {
   createAuthorizationURL: ({
     state,
     redirectURI,
-    codeVerifier
+    codeVerifier,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -127,6 +128,7 @@ declare const zoom: (userOptions: ZoomOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }) => Promise<URL>;
   validateAuthorizationCode: ({
     code,
@@ -151,7 +153,7 @@ declare const zoom: (userOptions: ZoomOptions) => {
     user: {
       id: string;
       name?: string;
-      email /** The employee's unique ID. This field only returns when SAML single sign-on (SSO) is enabled. The `login_type` value is `101` (SSO) (Example: "HqDyI037Qjili1kNsSIrIg") */?: string | null;
+      email?: string | null;
       image?: string;
       emailVerified: boolean;
       [key: string]: any;

package/dist/social-providers/zoom.mjs

@@ -1,4 +1,4 @@
-import { generateCodeChallenge } from "../oauth2/utils.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
@@ -11,22 +11,15 @@ const zoom = (userOptions) => {
 	return {
 		id: "zoom",
 		name: "Zoom",
-		createAuthorizationURL: async ({ state, redirectURI, codeVerifier }) => {
-			const params = new URLSearchParams({
-				response_type: "code",
-				redirect_uri: options.redirectURI ? options.redirectURI : redirectURI,
-				client_id: options.clientId,
-				state
-			});
-			if (options.pkce) {
-				const codeChallenge = await generateCodeChallenge(codeVerifier);
-				params.set("code_challenge_method", "S256");
-				params.set("code_challenge", codeChallenge);
-			}
-			const url = new URL("https://zoom.us/oauth/authorize");
-			url.search = params.toString();
-			return url;
-		},
+		createAuthorizationURL: async ({ state, redirectURI, codeVerifier, additionalParams }) => createAuthorizationURL({
+			id: "zoom",
+			options,
+			authorizationEndpoint: "https://zoom.us/oauth/authorize",
+			state,
+			redirectURI,
+			codeVerifier: options.pkce ? codeVerifier : void 0,
+			additionalParams
+		}),
 		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
 			return validateAuthorizationCode({
 				code,

package/dist/types/context.d.mts

@@ -83,8 +83,20 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
   updateSession(sessionToken: string, session: Partial<Session> & Record<string, any>): Promise<Session | null>;
   deleteSession(token: string): Promise<void>;
   deleteAccounts(userId: string): Promise<void>;
-  deleteAccount(accountId: string): Promise<void>;
-  deleteSessions(userIdOrSessionTokens: string | string[]): Promise<void>;
+  /**
+   * Delete an account by its primary key.
+   *
+   * @param id - The account row's primary key (the `id` column, not the `accountId` column).
+   */
+  deleteAccount(id: string): Promise<void>;
+  /**
+   * Delete every session belonging to a user.
+   */
+  deleteUserSessions(userId: string): Promise<void>;
+  /**
+   * Delete sessions by their session tokens.
+   */
+  deleteSessions(sessionTokens: string[]): Promise<void>;
   findOAuthUser(email: string, accountId: string, providerId: string): Promise<{
     user: User;
     linkedAccount: Account | null;
@@ -102,14 +114,28 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
   updateUserByEmail<T extends Record<string, any>>(email: string, data: Partial<User & Record<string, any>>): Promise<User & T>;
   updatePassword(userId: string, password: string): Promise<void>;
   findAccounts(userId: string): Promise<Account[]>;
-  findAccount(accountId: string): Promise<Account | null>;
   findAccountByProviderId(accountId: string, providerId: string): Promise<Account | null>;
   findAccountByUserId(userId: string): Promise<Account[]>;
   updateAccount(id: string, data: Partial<Account>): Promise<Account>;
   createVerificationValue(data: Omit<Verification, "createdAt" | "id" | "updatedAt"> & Partial<Verification>): Promise<Verification>;
   findVerificationValue(identifier: string): Promise<Verification | null>;
   deleteVerificationByIdentifier(identifier: string): Promise<void>;
+  /**
+   * Atomically consume a single-use verification row by `identifier` and
+   * return it. Only the first concurrent caller receives the latest row;
+   * subsequent callers receive `null`. Consuming one row invalidates the
+   * whole identifier so stale rows cannot be replayed. Rows past their
+   * `expiresAt` are treated as already invalid: the row is deleted but
+   * `null` is returned, so callers do not need to gate on `expiresAt`
+   * themselves. Callers MUST gate any state change (issue session, mint
+   * token, change password) on a non-null result.
+   *
+   * Replaces the racy `findVerificationValue` + `deleteVerificationByIdentifier`
+   * pair at single-use credential consumption sites.
+   */
+  consumeVerificationValue(identifier: string): Promise<Verification | null>;
   updateVerificationByIdentifier(identifier: string, data: Partial<Verification>): Promise<Verification>;
+  refreshUserSessions(user: User): Promise<void>;
 }
 type CreateCookieGetterFn = (cookieName: string, overrideAttributes?: Partial<CookieOptions> | undefined) => BetterAuthCookie;
 type CheckPasswordFn<Options extends BetterAuthOptions = BetterAuthOptions> = (userId: string, ctx: GenericEndpointContext<Options>) => Promise<boolean>;
@@ -165,7 +191,7 @@ type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> = Plugin
      * - "cookie": Store state in an encrypted cookie (stateless)
      * - "database": Store state in the database
      *
-     * @default "cookie"
+     * @default "database" when `database` or `secondaryStorage` is configured, "cookie" otherwise
      */
     storeStateStrategy: "database" | "cookie";
   };

package/dist/types/init-options.d.mts

@@ -157,12 +157,13 @@ type BetterAuthAdvancedOptions = {
      */
     disableIpTracking?: boolean;
     /**
-     * IPv6 subnet prefix length for rate limiting.
-     * IPv6 addresses will be normalized to this subnet.
+     * IPv6 prefix length used to collapse addresses before rate-limit keying.
+     * Any integer from 0 to 128 is accepted; common values are 32, 48, 56, 64, 128.
+     * Out-of-range values fall back to safe behavior (negative -> mask all, > 128 -> no mask).
      *
      * @default 64
      */
-    ipv6Subnet?: 128 | 64 | 48 | 32;
+    ipv6Subnet?: number;
   } | undefined;
   /**
    * Force cookies to always use the `Secure` attribute. By default,
@@ -906,6 +907,25 @@ type BetterAuthOptions = {
        * @default false
        */
       disableImplicitLinking?: boolean;
+      /**
+       * Require the existing local user row to have
+       * `emailVerified: true` before implicit account linking
+       * uses the IdP's `email_verified` claim as ownership
+       * proof. Defaults to `true` so an attacker who
+       * pre-registers an unverified account at a victim's
+       * email cannot have the victim's OAuth identity linked
+       * into the attacker-owned row on first sign-in. Set to
+       * `false` for backward compatibility on apps whose
+       * users sign up via OAuth without verifying their email
+       * locally; understand the takeover risk before doing
+       * so.
+       *
+       * @default true
+       *
+       * @deprecated The option will be removed on the next
+       * minor; the gate will become unconditional.
+       */
+      requireLocalEmailVerified?: boolean;
       /**
        * List of trusted providers. Can be a static array or a function
        * that returns providers dynamically. The function is called
@@ -943,7 +963,11 @@ type BetterAuthOptions = {
        */
       allowUnlinkingAll?: boolean;
       /**
-       * If enabled (true), this will update the user information based on the newly linked account
+       * When enabled, linking an account copies the provider's profile onto
+       * the local user, matching the fields persisted on sign-up (`name`,
+       * `image`, and any `mapProfileToUser` fields). The local `email` and
+       * `emailVerified` are never changed, so a link cannot rebind the
+       * account's identity.
        *
        * @default false
        */
@@ -976,7 +1000,7 @@ type BetterAuthOptions = {
      * - "cookie": Store state in an encrypted cookie (stateless)
      * - "database": Store state in the database
      *
-     * @default "cookie"
+     * @default "database" when `database` or `secondaryStorage` is configured, "cookie" otherwise
      */
     storeStateStrategy?: "database" | "cookie";
     /**

package/dist/utils/ip.d.mts

@@ -10,12 +10,13 @@
  */
 interface NormalizeIPOptions {
   /**
-   * For IPv6 addresses, extract the subnet prefix instead of full address.
-   * Common values: 32, 48, 64, 128 (default: 128 = full address)
+   * Prefix length used to collapse IPv6 addresses before keying.
+   * Any integer from 0 to 128 is accepted. Common values: 32, 48, 56, 64, 128.
+   * Values outside 0-128 are clamped.
    *
-   * @default 128
+   * @default 64
    */
-  ipv6Subnet?: 128 | 64 | 48 | 32;
+  ipv6Subnet?: number;
 }
 /**
  * Checks if an IP is valid IPv4 or IPv6

package/dist/utils/ip.mjs

@@ -60,8 +60,8 @@ function expandIPv6(ipv6) {
 */
 function normalizeIPv6(ipv6, subnetPrefix) {
 	const groups = expandIPv6(ipv6);
-	if (subnetPrefix && subnetPrefix < 128) {
-		let bitsRemaining = subnetPrefix;
+	if (subnetPrefix !== void 0 && subnetPrefix < 128) {
+		let bitsRemaining = Math.max(0, Math.floor(subnetPrefix));
 		return groups.map((group) => {
 			if (bitsRemaining <= 0) return "0000";
 			if (bitsRemaining >= 16) {
@@ -99,7 +99,7 @@ function normalizeIP(ip, options = {}) {
 	if (!isIPv6(ip)) return ip.toLowerCase();
 	const ipv4 = extractIPv4FromMapped(ip);
 	if (ipv4) return ipv4.toLowerCase();
-	return normalizeIPv6(ip, options.ipv6Subnet || 64);
+	return normalizeIPv6(ip, options.ipv6Subnet ?? 64);
 }
 /**
 * Creates a rate limit key from IP and path

package/dist/utils/redirect-uri.d.mts

@@ -0,0 +1,20 @@
+import * as z from "zod";
+
+//#region src/utils/redirect-uri.d.ts
+/**
+ * Zod schema for OAuth redirect URIs and other developer-supplied URLs that the
+ * server stores and later hands back to a browser.
+ *
+ * - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
+ * - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
+ * - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,
+ *   `*.localhost` per RFC 6761), where HTTP is allowed for local development.
+ * - Allows custom schemes for mobile apps (e.g. `myapp://callback`).
+ *
+ * This is the single source of truth for redirect-URI validation across the
+ * OAuth provider plugins. Consume it from `@better-auth/core/utils/redirect-uri`
+ * rather than re-implementing the scheme policy per plugin.
+ */
+declare const SafeUrlSchema: z.ZodURL;
+//#endregion
+export { SafeUrlSchema };

package/dist/utils/redirect-uri.mjs

@@ -0,0 +1,48 @@
+import { isLoopbackHost } from "./host.mjs";
+import { DANGEROUS_URL_SCHEMES } from "./url.mjs";
+import * as z from "zod";
+//#region src/utils/redirect-uri.ts
+/**
+* Zod schema for OAuth redirect URIs and other developer-supplied URLs that the
+* server stores and later hands back to a browser.
+*
+* - Rejects dangerous schemes (`javascript:`, `data:`, `vbscript:`).
+* - Rejects URIs with a fragment component (`#...`) per RFC 6749 §3.1.2.
+* - Requires HTTPS, except for loopback hosts (`127.0.0.0/8`, `[::1]`,
+*   `*.localhost` per RFC 6761), where HTTP is allowed for local development.
+* - Allows custom schemes for mobile apps (e.g. `myapp://callback`).
+*
+* This is the single source of truth for redirect-URI validation across the
+* OAuth provider plugins. Consume it from `@better-auth/core/utils/redirect-uri`
+* rather than re-implementing the scheme policy per plugin.
+*/
+const SafeUrlSchema = z.url().superRefine((val, ctx) => {
+	let u;
+	try {
+		u = new URL(val);
+	} catch {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z.NEVER;
+	}
+	if (DANGEROUS_URL_SCHEMES.includes(u.protocol)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL cannot use javascript:, data:, or vbscript: scheme"
+		});
+		return;
+	}
+	if (val.includes("#")) ctx.addIssue({
+		code: "custom",
+		message: "Redirect URI must not contain a fragment component"
+	});
+	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
+		code: "custom",
+		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
+	});
+});
+//#endregion
+export { SafeUrlSchema };

package/dist/utils/string.d.mts

@@ -1,4 +1,8 @@
 //#region src/utils/string.d.ts
 declare function capitalizeFirstLetter(str: string): string;
+declare function toSnakeCase(input: string): string;
+declare function toKebabCase(input: string): string;
+declare function toCamelCase(input: string): string;
+declare function toPascalCase(input: string): string;
 //#endregion
-export { capitalizeFirstLetter };
+export { capitalizeFirstLetter, toCamelCase, toKebabCase, toPascalCase, toSnakeCase };

package/dist/utils/string.mjs

@@ -2,5 +2,24 @@
 function capitalizeFirstLetter(str) {
 	return str.charAt(0).toUpperCase() + str.slice(1);
 }
+const WORD_PATTERN = /[\p{Ll}\d]+|\p{Lu}+(?!\p{Ll})|\p{Lu}[\p{Ll}\d]+|\p{Lo}+/gu;
+const APOSTROPHE_PATTERN = /['\u2019]/g;
+function splitWords(input) {
+	return input.replace(APOSTROPHE_PATTERN, "").match(WORD_PATTERN) ?? [];
+}
+function toSnakeCase(input) {
+	return splitWords(input).map((word) => word.toLowerCase()).join("_");
+}
+function toKebabCase(input) {
+	return splitWords(input).map((word) => word.toLowerCase()).join("-");
+}
+function toCamelCase(input) {
+	return splitWords(input).reduce((acc, word, i) => {
+		return acc + (i === 0 ? word.toLowerCase() : `${word[0].toUpperCase()}${word.slice(1)}`);
+	}, "");
+}
+function toPascalCase(input) {
+	return splitWords(input).map((word) => `${word[0].toUpperCase()}${word.slice(1).toLowerCase()}`).join("");
+}
 //#endregion
-export { capitalizeFirstLetter };
+export { capitalizeFirstLetter, toCamelCase, toKebabCase, toPascalCase, toSnakeCase };

package/dist/utils/url.d.mts

@@ -16,5 +16,22 @@
  * // Returns: "/sso/saml2/callback/provider1"
  */
 declare function normalizePathname(requestUrl: string, basePath: string): string;
+/**
+ * Schemes that execute or embed code when navigated to or accepted as a
+ * redirect target. These are never safe as an OAuth `redirect_uri` or as a
+ * client-side navigation target (`window.location.href`, `location.assign`, ...).
+ */
+declare const DANGEROUS_URL_SCHEMES: string[];
+/**
+ * Returns `false` only when `value` is an absolute URL using a dangerous scheme
+ * (`javascript:`, `data:`, `vbscript:`). Relative URLs (e.g. `/dashboard`) and
+ * safe absolute schemes (`http`, `https`, custom app schemes such as
+ * `myapp://`) return `true`.
+ *
+ * Use this to guard browser navigation sinks and any redirect target that may
+ * originate from untrusted input. It is intentionally narrow: it blocks code
+ * execution schemes without rejecting relative paths or mobile deep links.
+ */
+declare function isSafeUrlScheme(value: string): boolean;
 //#endregion
-export { normalizePathname };
+export { DANGEROUS_URL_SCHEMES, isSafeUrlScheme, normalizePathname };

package/dist/utils/url.mjs

@@ -27,5 +27,34 @@ function normalizePathname(requestUrl, basePath) {
 	if (pathname.startsWith(basePath + "/")) return pathname.slice(basePath.length).replace(/\/+$/, "") || "/";
 	return pathname;
 }
+/**
+* Schemes that execute or embed code when navigated to or accepted as a
+* redirect target. These are never safe as an OAuth `redirect_uri` or as a
+* client-side navigation target (`window.location.href`, `location.assign`, ...).
+*/
+const DANGEROUS_URL_SCHEMES = [
+	"javascript:",
+	"data:",
+	"vbscript:"
+];
+/**
+* Returns `false` only when `value` is an absolute URL using a dangerous scheme
+* (`javascript:`, `data:`, `vbscript:`). Relative URLs (e.g. `/dashboard`) and
+* safe absolute schemes (`http`, `https`, custom app schemes such as
+* `myapp://`) return `true`.
+*
+* Use this to guard browser navigation sinks and any redirect target that may
+* originate from untrusted input. It is intentionally narrow: it blocks code
+* execution schemes without rejecting relative paths or mobile deep links.
+*/
+function isSafeUrlScheme(value) {
+	let parsed;
+	try {
+		parsed = new URL(value);
+	} catch {
+		return true;
+	}
+	return !DANGEROUS_URL_SCHEMES.includes(parsed.protocol);
+}
 //#endregion
-export { normalizePathname };
+export { DANGEROUS_URL_SCHEMES, isSafeUrlScheme, normalizePathname };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.7.0-beta.2",
+  "version": "1.7.0-beta.4",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -93,12 +93,13 @@
     "./instrumentation": {
       "dev-source": "./src/instrumentation/index.ts",
       "types": "./dist/instrumentation/index.d.mts",
+      "workerd": "./dist/instrumentation/pure.index.mjs",
+      "edge": "./dist/instrumentation/pure.index.mjs",
+      "browser": "./dist/instrumentation/pure.index.mjs",
       "node": "./dist/instrumentation/index.mjs",
       "deno": "./dist/instrumentation/index.mjs",
       "bun": "./dist/instrumentation/index.mjs",
-      "edge": "./dist/instrumentation/pure.index.mjs",
-      "workerd": "./dist/instrumentation/index.mjs",
-      "browser": "./dist/instrumentation/pure.index.mjs",
+      "import": "./dist/instrumentation/index.mjs",
       "default": "./dist/instrumentation/index.mjs"
     }
   },
@@ -151,7 +152,7 @@
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@better-auth/utils": "0.4.0",
+    "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/sdk-trace-base": "^1.30.0",
@@ -159,18 +160,18 @@
     "better-call": "1.3.5",
     "@cloudflare/workers-types": "^4.20250121.0",
     "jose": "^6.1.3",
-    "kysely": "^0.28.14",
+    "kysely": "^0.28.17 || ^0.29.0",
     "nanostores": "^1.1.1",
     "tsdown": "0.21.1"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.0",
+    "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "@opentelemetry/api": "^1.9.0",
     "better-call": "1.3.5",
     "@cloudflare/workers-types": ">=4",
     "jose": "^6.1.0",
-    "kysely": "^0.28.5",
+    "kysely": "^0.28.5 || ^0.29.0",
     "nanostores": "^1.0.1"
   },
   "peerDependenciesMeta": {