@better-auth/core 1.7.0-beta.4 → 1.7.0-beta.6

package/dist/social-providers/twitter.mjs

@@ -1,27 +1,27 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/twitter.ts
+const TWITTER_DEFAULT_SCOPES = [
+	"users.read",
+	"tweet.read",
+	"offline.access",
+	"users.email"
+];
 const twitter = (options) => {
 	const tokenEndpoint = "https://api.x.com/2/oauth2/token";
 	return {
 		id: "twitter",
 		name: "Twitter",
+		callbackPath: "/callback/twitter",
 		createAuthorizationURL(data) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"users.read",
-				"tweet.read",
-				"offline.access",
-				"users.email"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (data.scopes) _scopes.push(...data.scopes);
 			return createAuthorizationURL({
 				id: "twitter",
 				options,
 				authorizationEndpoint: "https://x.com/i/oauth2/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, TWITTER_DEFAULT_SCOPES, data.scopes),
 				state: data.state,
 				codeVerifier: data.codeVerifier,
 				redirectURI: data.redirectURI,

package/dist/social-providers/vercel.d.mts

@@ -14,6 +14,7 @@ interface VercelOptions extends ProviderOptions<VercelProfile> {
 declare const vercel: (options: VercelOptions) => {
   id: "vercel";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -28,7 +29,10 @@ declare const vercel: (options: VercelOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/vercel.mjs

@@ -1,25 +1,22 @@
 import { BetterAuthError } from "../error/index.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/vercel.ts
+const VERCEL_DEFAULT_SCOPES = [];
 const vercel = (options) => {
 	return {
 		id: "vercel",
 		name: "Vercel",
+		callbackPath: "/callback/vercel",
 		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Vercel");
-			let _scopes = void 0;
-			if (options.scope !== void 0 || scopes !== void 0) {
-				_scopes = [];
-				if (options.scope) _scopes.push(...options.scope);
-				if (scopes) _scopes.push(...scopes);
-			}
 			return createAuthorizationURL({
 				id: "vercel",
 				options,
 				authorizationEndpoint: "https://vercel.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, VERCEL_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/vk.d.mts

@@ -20,6 +20,7 @@ interface VkOption extends ProviderOptions {
 declare const vk: (options: VkOption) => {
   id: "vk";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -34,7 +35,10 @@ declare const vk: (options: VkOption) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/vk.mjs

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/vk.ts
+const VK_DEFAULT_SCOPES = ["email", "phone"];
 const vk = (options) => {
 	const tokenEndpoint = "https://id.vk.com/oauth2/auth";
 	return {
 		id: "vk",
 		name: "VK",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["email", "phone"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/vk",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			return createAuthorizationURL({
 				id: "vk",
 				options,
 				authorizationEndpoint: "https://id.vk.com/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, VK_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				codeVerifier,

package/dist/social-providers/wechat.d.mts

@@ -53,6 +53,7 @@ interface WeChatOptions extends ProviderOptions<WeChatProfile> {
 declare const wechat: (options: WeChatOptions) => {
   id: "wechat";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -66,7 +67,10 @@ declare const wechat: (options: WeChatOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): URL;
+  }): {
+    url: URL;
+    requestedScopes: string[];
+  };
   validateAuthorizationCode: ({
     code
   }: {

package/dist/social-providers/wechat.mjs

@@ -1,16 +1,17 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { RESERVED_AUTHORIZATION_PARAMS_SET } from "../oauth2/create-authorization-url.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/wechat.ts
+const WECHAT_DEFAULT_SCOPES = ["snsapi_login"];
 const wechat = (options) => {
 	return {
 		id: "wechat",
 		name: "WeChat",
+		callbackPath: "/callback/wechat",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["snsapi_login"];
-			options.scope && _scopes.push(...options.scope);
-			scopes && _scopes.push(...scopes);
+			const requestedScopes = resolveRequestedScopes(options, WECHAT_DEFAULT_SCOPES, scopes);
 			const url = new URL("https://open.weixin.qq.com/connect/qrconnect");
-			url.searchParams.set("scope", _scopes.join(","));
+			url.searchParams.set("scope", requestedScopes.join(","));
 			url.searchParams.set("response_type", "code");
 			url.searchParams.set("appid", options.clientId);
 			url.searchParams.set("redirect_uri", options.redirectURI || redirectURI);
@@ -22,7 +23,10 @@ const wechat = (options) => {
 				url.searchParams.set(key, value);
 			}
 			url.hash = "wechat_redirect";
-			return url;
+			return {
+				url,
+				requestedScopes
+			};
 		},
 		validateAuthorizationCode: async ({ code }) => {
 			const { data: tokenData, error } = await betterFetch("https://api.weixin.qq.com/sns/oauth2/access_token?" + new URLSearchParams({
@@ -72,7 +76,7 @@ const wechat = (options) => {
 				user: {
 					id: profile.unionid || profile.openid || openid,
 					name: profile.nickname,
-					email: profile.email || null,
+					email: profile.email || `${profile.unionid || profile.openid || openid}@wechat.invalid`,
 					image: profile.headimgurl,
 					emailVerified: false,
 					...userMap

package/dist/social-providers/zoom.d.mts

@@ -116,8 +116,10 @@ interface ZoomOptions extends ProviderOptions<ZoomProfile> {
 declare const zoom: (userOptions: ZoomOptions) => {
   id: "zoom";
   name: string;
+  callbackPath: string;
   createAuthorizationURL: ({
     state,
+    scopes,
     redirectURI,
     codeVerifier,
     additionalParams
@@ -129,7 +131,10 @@ declare const zoom: (userOptions: ZoomOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }) => Promise<URL>;
+  }) => Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI,

package/dist/social-providers/zoom.mjs

@@ -1,8 +1,10 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/zoom.ts
+const ZOOM_DEFAULT_SCOPES = [];
 const zoom = (userOptions) => {
 	const options = {
 		pkce: true,
@@ -11,15 +13,19 @@ const zoom = (userOptions) => {
 	return {
 		id: "zoom",
 		name: "Zoom",
-		createAuthorizationURL: async ({ state, redirectURI, codeVerifier, additionalParams }) => createAuthorizationURL({
-			id: "zoom",
-			options,
-			authorizationEndpoint: "https://zoom.us/oauth/authorize",
-			state,
-			redirectURI,
-			codeVerifier: options.pkce ? codeVerifier : void 0,
-			additionalParams
-		}),
+		callbackPath: "/callback/zoom",
+		createAuthorizationURL: ({ state, scopes, redirectURI, codeVerifier, additionalParams }) => {
+			return createAuthorizationURL({
+				id: "zoom",
+				options,
+				authorizationEndpoint: "https://zoom.us/oauth/authorize",
+				scopes: resolveRequestedScopes(options, ZOOM_DEFAULT_SCOPES, scopes),
+				state,
+				redirectURI,
+				codeVerifier: options.pkce ? codeVerifier : void 0,
+				additionalParams
+			});
+		},
 		validateAuthorizationCode: async ({ code, redirectURI, codeVerifier }) => {
 			return validateAuthorizationCode({
 				code,

package/dist/types/context.d.mts

@@ -6,11 +6,11 @@ import { Verification } from "../db/schema/verification.mjs";
 import { createLogger } from "../env/logger.mjs";
 import { Awaitable, LiteralString } from "./helper.mjs";
 import { BetterAuthPlugin } from "./plugin.mjs";
-import { BetterAuthOptions, BetterAuthRateLimitOptions } from "./init-options.mjs";
+import { BetterAuthOptions, BetterAuthRateLimitOptions, UserProvisioningSource } from "./init-options.mjs";
 import { Account } from "../db/schema/account.mjs";
 import { BetterAuthCookie, BetterAuthCookies } from "./cookie.mjs";
 import { SecretConfig } from "./secret.mjs";
-import { OAuthProvider } from "../oauth2/oauth-provider.mjs";
+import { UpstreamProvider } from "../oauth2/oauth-provider.mjs";
 import { CookieOptions, EndpointContext } from "better-call";
 
 //#region src/types/context.d.ts
@@ -54,11 +54,13 @@ type GenericEndpointContext<Options extends BetterAuthOptions = BetterAuthOption
   context: AuthContext<Options>;
 };
 interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions> {
-  createOAuthUser(user: Omit<User, "id" | "createdAt" | "updatedAt">, account: Omit<Account, "userId" | "id" | "createdAt" | "updatedAt"> & Partial<Account>): Promise<{
-    user: User;
-    account: Account;
-  }>;
-  createUser<T extends Record<string, any>>(user: Omit<User, "id" | "createdAt" | "updatedAt" | "emailVerified"> & Partial<User> & Record<string, any>): Promise<T & User>;
+  createUser<T extends Record<string, any>>(user: Omit<User, "id" | "createdAt" | "updatedAt" | "emailVerified"> & Partial<User> & Record<string, any>,
+  /**
+   * Provisioning source. The creation seam adds `action: "create-user"` and
+   * runs the `user.validateUserInfo` gate.
+   */
+
+  source: UserProvisioningSource): Promise<T & User>;
   createAccount<T extends Record<string, any>>(account: Omit<Account, "id" | "createdAt" | "updatedAt"> & Partial<Account> & T): Promise<T & Account>;
   listSessions(userId: string, options?: {
     onlyActiveSessions?: boolean | undefined;
@@ -134,6 +136,23 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
    * pair at single-use credential consumption sites.
    */
   consumeVerificationValue(identifier: string): Promise<Verification | null>;
+  /**
+   * First-writer-wins create keyed by a deterministic primary key derived from
+   * `identifier`. Returns `true` when this caller created the row and `false`
+   * when a row for the same identifier already existed.
+   *
+   * The dual of `consumeVerificationValue`: reserve races to create a marker
+   * exactly once, where consume races to delete one exactly once. Use it for
+   * replay tombstones (a SAML assertion id, a JWT `jti`) where the first caller
+   * wins. The database path is atomic via the primary key. Secondary-storage-only
+   * verification is not supported for reservation and runtime implementations
+   * should fail closed unless verification is backed by the database.
+   */
+  reserveVerificationValue(data: {
+    identifier: string;
+    value: string;
+    expiresAt: Date;
+  }): Promise<boolean>;
   updateVerificationByIdentifier(identifier: string, data: Partial<Verification>): Promise<Verification>;
   refreshUserSessions(user: User): Promise<void>;
 }
@@ -213,7 +232,7 @@ type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> = Plugin
     session: Session & Record<string, any>;
     user: User & Record<string, any>;
   } | null) => void;
-  socialProviders: OAuthProvider[];
+  socialProviders: UpstreamProvider[];
   authCookies: BetterAuthCookies;
   logger: ReturnType<typeof createLogger>;
   rateLimit: {

package/dist/types/index.d.mts

@@ -1,6 +1,6 @@
 import { Awaitable, AwaitableFunction, LiteralString, LiteralUnion, Prettify, Primitive, UnionToIntersection } from "./helper.mjs";
 import { BetterAuthPlugin, BetterAuthPluginErrorCodePart, HookEndpointContext } from "./plugin.mjs";
-import { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption } from "./init-options.mjs";
+import { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption, UserProvisioningSource, ValidateUserInfoAction, ValidateUserInfoMethod, ValidateUserInfoOAuthInfo, ValidateUserInfoResult, ValidateUserInfoSSOInfo, ValidateUserInfoSource } from "./init-options.mjs";
 import { BetterAuthCookie, BetterAuthCookies } from "./cookie.mjs";
 import { SecretConfig } from "./secret.mjs";
 import { AuthContext, BetterAuthPluginRegistry, BetterAuthPluginRegistryIdentifier, GenericEndpointContext, InfoContext, InternalAdapter, PluginContext } from "./context.mjs";

package/dist/types/init-options.d.mts

@@ -1,6 +1,6 @@
 import { DBFieldAttribute, ModelNames, SecondaryStorage } from "../db/type.mjs";
 import { DBAdapterDebugLogOption, DBAdapterInstance } from "../db/adapter/index.mjs";
-import { BaseRateLimit, RateLimit } from "../db/schema/rate-limit.mjs";
+import { BaseRateLimit } from "../db/schema/rate-limit.mjs";
 import { BaseSession, Session } from "../db/schema/session.mjs";
 import { BaseUser, User } from "../db/schema/user.mjs";
 import { BaseVerification, Verification } from "../db/schema/verification.mjs";
@@ -27,6 +27,73 @@ type GenerateIdFn = (options: {
   model: ModelNames;
   size?: number | undefined;
 }) => string | false;
+/**
+ * What Better Auth is about to do with an incoming identity when
+ * {@link BetterAuthOptions.user}'s `validateUserInfo` runs.
+ *
+ * - `create-user`: a brand-new user record is about to be created.
+ * - `link-account`: a new provider account is about to be linked to an
+ *   already-existing user.
+ * - `sign-in`: an existing OAuth or SSO user is signing in again. This is the
+ *   one case where the provider can assert *changed* data, so the hook receives
+ *   the fresh provider email and profile (not the stored row), letting a domain
+ *   or org policy reject a user whose provider identity moved out of bounds.
+ *
+ * Non-provider returning sign-ins are not re-validated: they carry only the
+ * stored row, which has not changed since `create-user` gated it. Use the admin
+ * plugin's ban controls or a `databaseHooks.session.create.before` hook to
+ * block those.
+ */
+type ValidateUserInfoAction = "create-user" | "link-account" | "sign-in";
+/**
+ * The authentication method that produced the incoming user info. The named
+ * methods cover Better Auth's built-ins; the open `string` keeps it extensible
+ * for plugins (for example `"scim"`).
+ */
+type ValidateUserInfoMethod = "oauth" | "sso-oidc" | "sso-saml" | "email-password" | "magic-link" | "email-otp" | "anonymous" | "siwe" | "phone-number" | "admin" | (string & {});
+/** OAuth-specific provisioning context; present only when `method` is `"oauth"`. */
+type ValidateUserInfoOAuthInfo = {
+  /** The social or generic OAuth provider id (e.g. `"google"`). */providerId: string; /** The raw provider profile (userinfo or id-token claims), unmapped. */
+  profile?: Record<string, unknown> | undefined;
+};
+/** SSO-specific provisioning context; present for OIDC and SAML SSO methods. */
+type ValidateUserInfoSSOInfo = {
+  /** The configured SSO provider id. */providerId: string; /** The raw OIDC claims or SAML assertion attributes, unmapped. */
+  profile?: Record<string, unknown> | undefined;
+};
+/** Provisioning origin passed to `createUser`; the creation seam adds `action: "create-user"` to build {@link ValidateUserInfoSource}. */
+type UserProvisioningSource = {
+  method: ValidateUserInfoMethod; /** Provider id and raw profile; present iff `method` is `"oauth"`. */
+  oauth?: ValidateUserInfoOAuthInfo | undefined; /** Provider id and raw profile; present iff `method` is `"sso-oidc"` or `"sso-saml"`. */
+  sso?: ValidateUserInfoSSOInfo | undefined;
+};
+/**
+ * The context passed to `validateUserInfo`: the lifecycle
+ * {@link ValidateUserInfoAction}, the {@link ValidateUserInfoMethod}, and (for
+ * OAuth/SSO provider methods) protocol-specific provider metadata.
+ *
+ * ```ts
+ * // Scope to one OAuth provider:
+ * if (source.oauth?.providerId !== "google") return;
+ * // Branch on the method:
+ * if (source.method === "anonymous") return { error: "no_anonymous" };
+ * // Inspect SSO claims:
+ * if (source.method === "sso-saml" && source.sso?.profile?.department !== "eng") {
+ *   return { error: "invalid_department" };
+ * }
+ * ```
+ */
+type ValidateUserInfoSource = UserProvisioningSource & {
+  action: ValidateUserInfoAction;
+};
+type ValidateUserInfoResult = {
+  /** A short, machine-readable rejection code, surfaced to the client. */error: string;
+  /**
+   * A human-readable reason, surfaced to the client. Do not put sensitive
+   * details here.
+   */
+  errorDescription?: string | undefined;
+};
 /**
  * Configuration for dynamic base URL resolution.
  * Allows Better Auth to work with multiple domains (e.g., Vercel preview deployments).
@@ -71,8 +138,30 @@ type DynamicBaseURLConfig = {
  */
 type BaseURLConfig = string | DynamicBaseURLConfig;
 interface BetterAuthRateLimitStorage {
-  get: (key: string) => Promise<RateLimit | null | undefined>;
-  set: (key: string, value: RateLimit, update?: boolean | undefined) => Promise<void>;
+  /**
+   * Atomically records one request against `key` within the rolling `window`
+   * (in seconds) and reports whether it is allowed.
+   *
+   * When `allowed` is true the count was incremented within the active window,
+   * or the window had elapsed and was reset to start at 1. When `allowed` is
+   * false the limit was already reached and `retryAfter` is the number of
+   * seconds until the window frees up.
+   *
+   * Performing the check and the increment in a single step closes the
+   * concurrent-bypass gap of the separate `get`/`set` path: N simultaneous
+   * requests can no longer all pass a stale read before any increment lands.
+   *
+   * Custom storages must implement this operation directly. Better Auth no
+   * longer accepts separate `get`/`set` rate-limit storage because that shape
+   * cannot enforce a distributed limit under concurrent requests.
+   */
+  consume: (key: string, rule: {
+    window: number;
+    max: number;
+  }) => Promise<{
+    allowed: boolean;
+    retryAfter: number | null;
+  }>;
 }
 type BetterAuthRateLimitRule = {
   /**
@@ -684,6 +773,30 @@ type BetterAuthOptions = {
    * User configuration
    */
   user?: (BetterAuthDBOptions<"user", keyof BaseUser> & {
+    /**
+     * Gate which identities Better Auth admits. Called just before
+     * `create-user`, `link-account`, and (for OAuth) `sign-in`, across
+     * every authentication method, including stateless setups with no
+     * persistent database. On `sign-in` the hook receives the *fresh*
+     * provider email and profile, so a domain policy can reject a user
+     * whose provider identity moved out of bounds.
+     *
+     * Non-provider returning sign-ins are not re-validated; use the admin
+     * plugin's ban controls or a `databaseHooks.session.create.before`
+     * hook for those.
+     *
+     * Return nothing to allow; return `{ error }` to reject. Browser flows
+     * redirect to the configured error URL; programmatic flows surface a
+     * `403`.
+     *
+     * TODO: rename to `validateUser` (and the `ValidateUserInfo*` types).
+     * "UserInfo" is the OIDC term and misleads for the email/password,
+     * SIWE, phone, and admin methods.
+     */
+    validateUserInfo?: (data: {
+      user: Partial<User> & Record<string, unknown>;
+      source: ValidateUserInfoSource;
+    }, context: GenericEndpointContext) => Awaitable<void | ValidateUserInfoResult>;
     /**
      * Changing email configuration
      */
@@ -825,6 +938,20 @@ type BetterAuthOptions = {
        * @default "compact"
        */
       strategy?: "compact" | "jwt" | "jwe";
+      /**
+       * JWT-specific configuration for `strategy: "jwt"`.
+       */
+      jwt?: {
+        /**
+         * Which signing key is used for cookie-cache JWTs.
+         *
+         * - `"secret"`: uses the Better Auth secret with HS256.
+         * - `"jwt-plugin"`: uses the installed `jwt()` plugin's asymmetric signing keys.
+         *
+         * @default "secret"
+         */
+        signingKey?: "secret" | "jwt-plugin";
+      };
       /**
        * Controls stateless cookie cache refresh behavior.
        *
@@ -1004,9 +1131,13 @@ type BetterAuthOptions = {
      */
     storeStateStrategy?: "database" | "cookie";
     /**
-     * Store account data after oauth flow on a cookie
+     * Store provider account data after an OAuth flow in an encrypted
+     * cookie. This includes OAuth token material such as access tokens,
+     * refresh tokens, ID tokens, scopes, and token expiry.
      *
-     * This is useful for database-less flow
+     * This is useful for database-less flows, but large provider tokens can
+     * still hit browser or proxy cookie/header limits even though Better Auth
+     * chunks oversized account cookies.
      *
      * @default false
      *
@@ -1379,4 +1510,4 @@ type BetterAuthOptions = {
   };
 };
 //#endregion
-export { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption };
+export { BaseURLConfig, BetterAuthAdvancedOptions, BetterAuthDBOptions, BetterAuthOptions, BetterAuthRateLimitOptions, BetterAuthRateLimitRule, BetterAuthRateLimitStorage, DynamicBaseURLConfig, GenerateIdFn, StoreIdentifierOption, UserProvisioningSource, ValidateUserInfoAction, ValidateUserInfoMethod, ValidateUserInfoOAuthInfo, ValidateUserInfoResult, ValidateUserInfoSSOInfo, ValidateUserInfoSource };

package/dist/types/plugin-client.d.mts

@@ -1,10 +1,20 @@
 import { LiteralString } from "./helper.mjs";
-import { BetterAuthPlugin } from "./plugin.mjs";
 import { BetterAuthOptions } from "./init-options.mjs";
 import { BetterFetch, BetterFetchOption, BetterFetchPlugin } from "@better-fetch/fetch";
 import { Atom, WritableAtom } from "nanostores";
 
 //#region src/types/plugin-client.d.ts
+type InferableServerPlugin = {
+  id?: LiteralString | undefined;
+  endpoints?: Record<string, unknown> | undefined;
+  schema?: Record<string, {
+    fields: Record<string, unknown>;
+  }> | undefined;
+  $ERROR_CODES?: Record<string, {
+    readonly code: string;
+    message: string;
+  }> | undefined;
+};
 interface ClientStore {
   notify: (signal: string) => void;
   listen: (signal: string, listener: () => void) => void;
@@ -71,7 +81,7 @@ interface BetterAuthClientPlugin {
    * only used for type inference. don't pass the
    * actual plugin
    */
-  $InferServerPlugin?: BetterAuthPlugin | undefined;
+  $InferServerPlugin?: InferableServerPlugin | undefined;
   /**
    * Custom actions
    */

package/dist/utils/host.mjs

@@ -126,6 +126,7 @@ function classifyIPv6(expanded) {
 	if (firstByte === 254 && (secondByte & 192) === 128) return "linkLocal";
 	if ((firstByte & 254) === 252) return "private";
 	if (expanded.startsWith("2001:0db8:")) return "documentation";
+	if (expanded.startsWith("2001:0002:0000:")) return "benchmarking";
 	if (expanded.startsWith("2002:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 1);
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
@@ -136,12 +137,15 @@ function classifyIPv6(expanded) {
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
 		return "reserved";
 	}
+	if (expanded.startsWith("0064:ff9b:0001:")) return "reserved";
 	if (expanded.startsWith("2001:0000:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 6, { xor: true });
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
 		return "reserved";
 	}
 	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
+	if (expanded.startsWith("3fff:0")) return "documentation";
+	if (expanded.startsWith("5f00:")) return "reserved";
 	return "public";
 }
 /**

package/dist/utils/url.mjs

@@ -22,9 +22,10 @@ function normalizePathname(requestUrl, basePath) {
 	} catch {
 		return "/";
 	}
-	if (basePath === "/" || basePath === "") return pathname;
-	if (pathname === basePath) return "/";
-	if (pathname.startsWith(basePath + "/")) return pathname.slice(basePath.length).replace(/\/+$/, "") || "/";
+	const normalizedBasePath = basePath.replace(/\/+$/, "");
+	if (normalizedBasePath === "") return pathname;
+	if (pathname === normalizedBasePath) return "/";
+	if (pathname.startsWith(normalizedBasePath + "/")) return pathname.slice(normalizedBasePath.length).replace(/\/+$/, "") || "/";
 	return pathname;
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.7.0-beta.4",
+  "version": "1.7.0-beta.6",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -152,12 +152,12 @@
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-auth/utils": "0.4.2",
+    "@better-fetch/fetch": "1.3.1",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/sdk-trace-base": "^1.30.0",
     "@opentelemetry/sdk-trace-node": "^1.30.0",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "@cloudflare/workers-types": "^4.20250121.0",
     "jose": "^6.1.3",
     "kysely": "^0.28.17 || ^0.29.0",
@@ -165,10 +165,10 @@
     "tsdown": "0.21.1"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
+    "@better-auth/utils": "0.4.2",
+    "@better-fetch/fetch": "1.3.1",
     "@opentelemetry/api": "^1.9.0",
-    "better-call": "1.3.5",
+    "better-call": "1.3.6",
     "@cloudflare/workers-types": ">=4",
     "jose": "^6.1.0",
     "kysely": "^0.28.5 || ^0.29.0",