@better-auth/core 1.7.0-beta.3 → 1.7.0-beta.5

package/dist/social-providers/spotify.d.mts

@@ -14,11 +14,13 @@ interface SpotifyOptions extends ProviderOptions<SpotifyProfile> {
 declare const spotify: (options: SpotifyOptions) => {
   id: "spotify";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -26,7 +28,11 @@ declare const spotify: (options: SpotifyOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/spotify.mjs

@@ -1,25 +1,26 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/spotify.ts
+const SPOTIFY_DEFAULT_SCOPES = ["user-read-email"];
 const spotify = (options) => {
 	const tokenEndpoint = "https://accounts.spotify.com/api/token";
 	return {
 		id: "spotify",
 		name: "Spotify",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user-read-email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/spotify",
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "spotify",
 				options,
 				authorizationEndpoint: "https://accounts.spotify.com/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, SPOTIFY_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
-				redirectURI
+				redirectURI,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/dist/social-providers/tiktok.d.mts

@@ -121,10 +121,12 @@ interface TiktokOptions extends ProviderOptions {
 declare const tiktok: (options: TiktokOptions) => {
   id: "tiktok";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -132,7 +134,11 @@ declare const tiktok: (options: TiktokOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): URL;
+    additionalParams?: Record<string, string> | undefined;
+  }): {
+    url: URL;
+    requestedScopes: string[];
+  };
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/tiktok.mjs

@@ -1,17 +1,33 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
+import { RESERVED_AUTHORIZATION_PARAMS_SET } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/tiktok.ts
+const TIKTOK_DEFAULT_SCOPES = ["user.info.profile"];
 const tiktok = (options) => {
 	const tokenEndpoint = "https://open.tiktokapis.com/v2/oauth/token/";
 	return {
 		id: "tiktok",
 		name: "TikTok",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user.info.profile"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return new URL(`https://www.tiktok.com/v2/auth/authorize?scope=${_scopes.join(",")}&response_type=code&client_key=${options.clientKey}&redirect_uri=${encodeURIComponent(options.redirectURI || redirectURI)}&state=${state}`);
+		callbackPath: "/callback/tiktok",
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const requestedScopes = resolveRequestedScopes(options, TIKTOK_DEFAULT_SCOPES, scopes);
+			const url = new URL("https://www.tiktok.com/v2/auth/authorize");
+			url.searchParams.set("scope", requestedScopes.join(","));
+			url.searchParams.set("response_type", "code");
+			url.searchParams.set("client_key", options.clientKey);
+			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
+			url.searchParams.set("state", state);
+			if (additionalParams) for (const [key, value] of Object.entries(additionalParams)) {
+				if (RESERVED_AUTHORIZATION_PARAMS_SET.has(key)) continue;
+				if (key === "client_key") continue;
+				url.searchParams.set(key, value);
+			}
+			return {
+				url,
+				requestedScopes
+			};
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
 			return validateAuthorizationCode({

package/dist/social-providers/twitch.d.mts

@@ -32,10 +32,12 @@ interface TwitchOptions extends ProviderOptions<TwitchProfile> {
 declare const twitch: (options: TwitchOptions) => {
   id: "twitch";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -43,7 +45,11 @@ declare const twitch: (options: TwitchOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/twitch.mjs

@@ -1,31 +1,32 @@
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { decodeJwt } from "jose";
 //#region src/social-providers/twitch.ts
+const TWITCH_DEFAULT_SCOPES = ["user:read:email", "openid"];
 const twitch = (options) => {
 	const tokenEndpoint = "https://id.twitch.tv/oauth2/token";
 	return {
 		id: "twitch",
 		name: "Twitch",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user:read:email", "openid"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/twitch",
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "twitch",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.twitch.tv/oauth2/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, TWITCH_DEFAULT_SCOPES, scopes),
 				state,
 				claims: options.claims || [
 					"email",
 					"email_verified",
 					"preferred_username",
 					"picture"
-				]
+				],
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {

package/dist/social-providers/twitter.d.mts

@@ -82,6 +82,7 @@ interface TwitterOption extends ProviderOptions<TwitterProfile> {
 declare const twitter: (options: TwitterOption) => {
   id: "twitter";
   name: string;
+  callbackPath: string;
   createAuthorizationURL(data: {
     state: string;
     codeVerifier: string;
@@ -89,7 +90,11 @@ declare const twitter: (options: TwitterOption) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -103,7 +108,7 @@ declare const twitter: (options: TwitterOption) => {
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
     user?: {
-      name? /** The start position (zero-based) of the recognized user's profile website. All start indices are inclusive. */: {
+      name?: {
         firstName?: string;
         lastName?: string;
       };

package/dist/social-providers/twitter.mjs

@@ -1,30 +1,31 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/twitter.ts
+const TWITTER_DEFAULT_SCOPES = [
+	"users.read",
+	"tweet.read",
+	"offline.access",
+	"users.email"
+];
 const twitter = (options) => {
 	const tokenEndpoint = "https://api.x.com/2/oauth2/token";
 	return {
 		id: "twitter",
 		name: "Twitter",
+		callbackPath: "/callback/twitter",
 		createAuthorizationURL(data) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"users.read",
-				"tweet.read",
-				"offline.access",
-				"users.email"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (data.scopes) _scopes.push(...data.scopes);
 			return createAuthorizationURL({
 				id: "twitter",
 				options,
 				authorizationEndpoint: "https://x.com/i/oauth2/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, TWITTER_DEFAULT_SCOPES, data.scopes),
 				state: data.state,
 				codeVerifier: data.codeVerifier,
-				redirectURI: data.redirectURI
+				redirectURI: data.redirectURI,
+				additionalParams: data.additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/dist/social-providers/vercel.d.mts

@@ -14,11 +14,13 @@ interface VercelOptions extends ProviderOptions<VercelProfile> {
 declare const vercel: (options: VercelOptions) => {
   id: "vercel";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -26,7 +28,11 @@ declare const vercel: (options: VercelOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/vercel.mjs

@@ -1,28 +1,26 @@
 import { BetterAuthError } from "../error/index.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/vercel.ts
+const VERCEL_DEFAULT_SCOPES = [];
 const vercel = (options) => {
 	return {
 		id: "vercel",
 		name: "Vercel",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		callbackPath: "/callback/vercel",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Vercel");
-			let _scopes = void 0;
-			if (options.scope !== void 0 || scopes !== void 0) {
-				_scopes = [];
-				if (options.scope) _scopes.push(...options.scope);
-				if (scopes) _scopes.push(...scopes);
-			}
 			return createAuthorizationURL({
 				id: "vercel",
 				options,
 				authorizationEndpoint: "https://vercel.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, VERCEL_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
-				redirectURI
+				redirectURI,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/dist/social-providers/vk.d.mts

@@ -20,11 +20,13 @@ interface VkOption extends ProviderOptions {
 declare const vk: (options: VkOption) => {
   id: "vk";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -32,7 +34,11 @@ declare const vk: (options: VkOption) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/vk.mjs

@@ -1,25 +1,26 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/vk.ts
+const VK_DEFAULT_SCOPES = ["email", "phone"];
 const vk = (options) => {
 	const tokenEndpoint = "https://id.vk.com/oauth2/auth";
 	return {
 		id: "vk",
 		name: "VK",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["email", "phone"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/vk",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "vk",
 				options,
 				authorizationEndpoint: "https://id.vk.com/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, VK_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
-				codeVerifier
+				codeVerifier,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI, deviceId }) => {

package/dist/social-providers/wechat.d.mts

@@ -53,10 +53,12 @@ interface WeChatOptions extends ProviderOptions<WeChatProfile> {
 declare const wechat: (options: WeChatOptions) => {
   id: "wechat";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -64,7 +66,11 @@ declare const wechat: (options: WeChatOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): URL;
+    additionalParams?: Record<string, string> | undefined;
+  }): {
+    url: URL;
+    requestedScopes: string[];
+  };
   validateAuthorizationCode: ({
     code
   }: {

package/dist/social-providers/wechat.mjs

@@ -1,22 +1,32 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
+import { RESERVED_AUTHORIZATION_PARAMS_SET } from "../oauth2/create-authorization-url.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/wechat.ts
+const WECHAT_DEFAULT_SCOPES = ["snsapi_login"];
 const wechat = (options) => {
 	return {
 		id: "wechat",
 		name: "WeChat",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+		callbackPath: "/callback/wechat",
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const requestedScopes = resolveRequestedScopes(options, WECHAT_DEFAULT_SCOPES, scopes);
 			const url = new URL("https://open.weixin.qq.com/connect/qrconnect");
-			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("scope", requestedScopes.join(","));
 			url.searchParams.set("response_type", "code");
 			url.searchParams.set("appid", options.clientId);
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
 			url.searchParams.set("state", state);
 			url.searchParams.set("lang", options.lang || "cn");
+			if (additionalParams) for (const [key, value] of Object.entries(additionalParams)) {
+				if (RESERVED_AUTHORIZATION_PARAMS_SET.has(key)) continue;
+				if (key === "appid") continue;
+				url.searchParams.set(key, value);
+			}
 			url.hash = "wechat_redirect";
-			return url;
+			return {
+				url,
+				requestedScopes
+			};
 		},
 		validateAuthorizationCode: async ({ code }) => {
 			const { data: tokenData, error } = await betterFetch("https://api.weixin.qq.com/sns/oauth2/access_token?" + new URLSearchParams({

package/dist/social-providers/zoom.d.mts

@@ -116,10 +116,13 @@ interface ZoomOptions extends ProviderOptions<ZoomProfile> {
 declare const zoom: (userOptions: ZoomOptions) => {
   id: "zoom";
   name: string;
+  callbackPath: string;
   createAuthorizationURL: ({
     state,
+    scopes,
     redirectURI,
-    codeVerifier
+    codeVerifier,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -127,7 +130,11 @@ declare const zoom: (userOptions: ZoomOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }) => Promise<URL>;
+    additionalParams?: Record<string, string> | undefined;
+  }) => Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI,
@@ -151,7 +158,7 @@ declare const zoom: (userOptions: ZoomOptions) => {
     user: {
       id: string;
       name?: string;
-      email /** The employee's unique ID. This field only returns when SAML single sign-on (SSO) is enabled. The `login_type` value is `101` (SSO) (Example: "HqDyI037Qjili1kNsSIrIg") */?: string | null;
+      email?: string | null;
       image?: string;
       emailVerified: boolean;
       [key: string]: any;

package/dist/social-providers/zoom.mjs

@@ -1,8 +1,10 @@
-import { generateCodeChallenge } from "../oauth2/utils.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/zoom.ts
+const ZOOM_DEFAULT_SCOPES = [];
 const zoom = (userOptions) => {
 	const options = {
 		pkce: true,
@@ -11,21 +13,18 @@ const zoom = (userOptions) => {
 	return {
 		id: "zoom",
 		name: "Zoom",
-		createAuthorizationURL: async ({ state, redirectURI, codeVerifier }) => {
-			const params = new URLSearchParams({
-				response_type: "code",
-				redirect_uri: options.redirectURI ? options.redirectURI : redirectURI,
-				client_id: options.clientId,
-				state
+		callbackPath: "/callback/zoom",
+		createAuthorizationURL: ({ state, scopes, redirectURI, codeVerifier, additionalParams }) => {
+			return createAuthorizationURL({
+				id: "zoom",
+				options,
+				authorizationEndpoint: "https://zoom.us/oauth/authorize",
+				scopes: resolveRequestedScopes(options, ZOOM_DEFAULT_SCOPES, scopes),
+				state,
+				redirectURI,
+				codeVerifier: options.pkce ? codeVerifier : void 0,
+				additionalParams
 			});
-			if (options.pkce) {
-				const codeChallenge = await generateCodeChallenge(codeVerifier);
-				params.set("code_challenge_method", "S256");
-				params.set("code_challenge", codeChallenge);
-			}
-			const url = new URL("https://zoom.us/oauth/authorize");
-			url.search = params.toString();
-			return url;
 		},
 		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
 			return validateAuthorizationCode({

package/dist/types/context.d.mts

@@ -6,11 +6,11 @@ import { Verification } from "../db/schema/verification.mjs";
 import { createLogger } from "../env/logger.mjs";
 import { Awaitable, LiteralString } from "./helper.mjs";
 import { BetterAuthPlugin } from "./plugin.mjs";
-import { BetterAuthOptions, BetterAuthRateLimitOptions } from "./init-options.mjs";
+import { BetterAuthOptions, BetterAuthRateLimitOptions, UserProvisioningSource } from "./init-options.mjs";
 import { Account } from "../db/schema/account.mjs";
 import { BetterAuthCookie, BetterAuthCookies } from "./cookie.mjs";
 import { SecretConfig } from "./secret.mjs";
-import { OAuthProvider } from "../oauth2/oauth-provider.mjs";
+import { UpstreamProvider } from "../oauth2/oauth-provider.mjs";
 import { CookieOptions, EndpointContext } from "better-call";
 
 //#region src/types/context.d.ts
@@ -54,11 +54,13 @@ type GenericEndpointContext<Options extends BetterAuthOptions = BetterAuthOption
   context: AuthContext<Options>;
 };
 interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions> {
-  createOAuthUser(user: Omit<User, "id" | "createdAt" | "updatedAt">, account: Omit<Account, "userId" | "id" | "createdAt" | "updatedAt"> & Partial<Account>): Promise<{
-    user: User;
-    account: Account;
-  }>;
-  createUser<T extends Record<string, any>>(user: Omit<User, "id" | "createdAt" | "updatedAt" | "emailVerified"> & Partial<User> & Record<string, any>): Promise<T & User>;
+  createUser<T extends Record<string, any>>(user: Omit<User, "id" | "createdAt" | "updatedAt" | "emailVerified"> & Partial<User> & Record<string, any>,
+  /**
+   * Provisioning source. The creation seam adds `action: "create-user"` and
+   * runs the `user.validateUserInfo` gate.
+   */
+
+  source: UserProvisioningSource): Promise<T & User>;
   createAccount<T extends Record<string, any>>(account: Omit<Account, "id" | "createdAt" | "updatedAt"> & Partial<Account> & T): Promise<T & Account>;
   listSessions(userId: string, options?: {
     onlyActiveSessions?: boolean | undefined;
@@ -89,7 +91,14 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
    * @param id - The account row's primary key (the `id` column, not the `accountId` column).
    */
   deleteAccount(id: string): Promise<void>;
-  deleteSessions(userIdOrSessionTokens: string | string[]): Promise<void>;
+  /**
+   * Delete every session belonging to a user.
+   */
+  deleteUserSessions(userId: string): Promise<void>;
+  /**
+   * Delete sessions by their session tokens.
+   */
+  deleteSessions(sessionTokens: string[]): Promise<void>;
   findOAuthUser(email: string, accountId: string, providerId: string): Promise<{
     user: User;
     linkedAccount: Account | null;
@@ -107,13 +116,26 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
   updateUserByEmail<T extends Record<string, any>>(email: string, data: Partial<User & Record<string, any>>): Promise<User & T>;
   updatePassword(userId: string, password: string): Promise<void>;
   findAccounts(userId: string): Promise<Account[]>;
-  findAccount(accountId: string): Promise<Account | null>;
   findAccountByProviderId(accountId: string, providerId: string): Promise<Account | null>;
   findAccountByUserId(userId: string): Promise<Account[]>;
   updateAccount(id: string, data: Partial<Account>): Promise<Account>;
   createVerificationValue(data: Omit<Verification, "createdAt" | "id" | "updatedAt"> & Partial<Verification>): Promise<Verification>;
   findVerificationValue(identifier: string): Promise<Verification | null>;
   deleteVerificationByIdentifier(identifier: string): Promise<void>;
+  /**
+   * Atomically consume a single-use verification row by `identifier` and
+   * return it. Only the first concurrent caller receives the latest row;
+   * subsequent callers receive `null`. Consuming one row invalidates the
+   * whole identifier so stale rows cannot be replayed. Rows past their
+   * `expiresAt` are treated as already invalid: the row is deleted but
+   * `null` is returned, so callers do not need to gate on `expiresAt`
+   * themselves. Callers MUST gate any state change (issue session, mint
+   * token, change password) on a non-null result.
+   *
+   * Replaces the racy `findVerificationValue` + `deleteVerificationByIdentifier`
+   * pair at single-use credential consumption sites.
+   */
+  consumeVerificationValue(identifier: string): Promise<Verification | null>;
   updateVerificationByIdentifier(identifier: string, data: Partial<Verification>): Promise<Verification>;
   refreshUserSessions(user: User): Promise<void>;
 }
@@ -171,7 +193,7 @@ type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> = Plugin
      * - "cookie": Store state in an encrypted cookie (stateless)
      * - "database": Store state in the database
      *
-     * @default "cookie"
+     * @default "database" when `database` or `secondaryStorage` is configured, "cookie" otherwise
      */
     storeStateStrategy: "database" | "cookie";
   };
@@ -193,7 +215,7 @@ type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> = Plugin
     session: Session & Record<string, any>;
     user: User & Record<string, any>;
   } | null) => void;
-  socialProviders: OAuthProvider[];
+  socialProviders: UpstreamProvider[];
   authCookies: BetterAuthCookies;
   logger: ReturnType<typeof createLogger>;
   rateLimit: {

package/dist/types/index.d.mts

@@ -1,6 +1,6 @@
 import { Awaitable, AwaitableFunction, LiteralString, LiteralUnion, Prettify, Primitive, UnionToIntersection } from "./helper.mjs";
 import { BetterAuthPlugin, BetterAuthPluginErrorCodePart, HookEndpointContext } from "./plugin.mjs";
-import { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption } from "./init-options.mjs";
+import { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption, UserProvisioningSource, ValidateUserInfoAction, ValidateUserInfoMethod, ValidateUserInfoOAuthInfo, ValidateUserInfoResult, ValidateUserInfoSSOInfo, ValidateUserInfoSource } from "./init-options.mjs";
 import { BetterAuthCookie, BetterAuthCookies } from "./cookie.mjs";
 import { SecretConfig } from "./secret.mjs";
 import { AuthContext, BetterAuthPluginRegistry, BetterAuthPluginRegistryIdentifier, GenericEndpointContext, InfoContext, InternalAdapter, PluginContext } from "./context.mjs";