@better-auth/core 1.7.0-beta.5 → 1.7.0-beta.6

package/dist/social-providers/microsoft-entra-id.mjs

@@ -9,6 +9,13 @@ import { base64 } from "@better-auth/utils/base64";
 import { decodeJwt, importJWK } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/microsoft-entra-id.ts
+/**
+* Microsoft's fixed tenant id for personal (consumer) Microsoft accounts. Every
+* personal-account token carries it as the `tid` claim, so it distinguishes the
+* consumer account class from work/school tenants.
+* @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
+*/
+const MICROSOFT_CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
 const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
 	"openid",
 	"profile",
@@ -18,7 +25,8 @@ const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
 ];
 const microsoft = (options) => {
 	const tenant = options.tenantId || "common";
-	const authority = options.authority || "https://login.microsoftonline.com";
+	let authority = options.authority || "https://login.microsoftonline.com";
+	while (authority.endsWith("/")) authority = authority.slice(0, -1);
 	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
 	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
 	if (options.clientSecret && options.clientAssertion) throw new BetterAuthError("Microsoft Entra ID clientAssertion cannot be combined with clientSecret");
@@ -63,7 +71,14 @@ const microsoft = (options) => {
 			jwks: (header) => getMicrosoftPublicKey(header.kid, tenant, authority),
 			audience: options.clientId,
 			maxTokenAge: "1h",
-			issuer: tenant !== "common" && tenant !== "organizations" && tenant !== "consumers" ? `${authority}/${tenant}/v2.0` : void 0
+			issuer: tenant !== "common" && tenant !== "organizations" && tenant !== "consumers" ? `${authority}/${tenant}/v2.0` : void 0,
+			verifyClaims: (claims) => {
+				const tid = claims.tid;
+				if (typeof tid !== "string" || claims.iss !== `${authority}/${tid}/v2.0`) return false;
+				if (tenant === "organizations" && tid === MICROSOFT_CONSUMER_TENANT_ID) return false;
+				if (tenant === "consumers" && tid !== MICROSOFT_CONSUMER_TENANT_ID) return false;
+				return true;
+			}
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) return options.getUserInfo(token);

package/dist/social-providers/reddit.mjs

@@ -62,7 +62,7 @@ const reddit = (options) => {
 			} });
 			if (error) return null;
 			const userMap = await options.mapProfileToUser?.(profile);
-			const email = userMap?.email || `${profile.id}@reddit.com`;
+			const email = userMap?.email || `${profile.id}@reddit.invalid`;
 			return {
 				user: {
 					id: profile.id,

package/dist/social-providers/wechat.mjs

@@ -76,7 +76,7 @@ const wechat = (options) => {
 				user: {
 					id: profile.unionid || profile.openid || openid,
 					name: profile.nickname,
-					email: profile.email || null,
+					email: profile.email || `${profile.unionid || profile.openid || openid}@wechat.invalid`,
 					image: profile.headimgurl,
 					emailVerified: false,
 					...userMap

package/dist/types/context.d.mts

@@ -136,6 +136,23 @@ interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions
    * pair at single-use credential consumption sites.
    */
   consumeVerificationValue(identifier: string): Promise<Verification | null>;
+  /**
+   * First-writer-wins create keyed by a deterministic primary key derived from
+   * `identifier`. Returns `true` when this caller created the row and `false`
+   * when a row for the same identifier already existed.
+   *
+   * The dual of `consumeVerificationValue`: reserve races to create a marker
+   * exactly once, where consume races to delete one exactly once. Use it for
+   * replay tombstones (a SAML assertion id, a JWT `jti`) where the first caller
+   * wins. The database path is atomic via the primary key. Secondary-storage-only
+   * verification is not supported for reservation and runtime implementations
+   * should fail closed unless verification is backed by the database.
+   */
+  reserveVerificationValue(data: {
+    identifier: string;
+    value: string;
+    expiresAt: Date;
+  }): Promise<boolean>;
   updateVerificationByIdentifier(identifier: string, data: Partial<Verification>): Promise<Verification>;
   refreshUserSessions(user: User): Promise<void>;
 }

package/dist/types/init-options.d.mts

@@ -1,6 +1,6 @@
 import { DBFieldAttribute, ModelNames, SecondaryStorage } from "../db/type.mjs";
 import { DBAdapterDebugLogOption, DBAdapterInstance } from "../db/adapter/index.mjs";
-import { BaseRateLimit, RateLimit } from "../db/schema/rate-limit.mjs";
+import { BaseRateLimit } from "../db/schema/rate-limit.mjs";
 import { BaseSession, Session } from "../db/schema/session.mjs";
 import { BaseUser, User } from "../db/schema/user.mjs";
 import { BaseVerification, Verification } from "../db/schema/verification.mjs";
@@ -138,8 +138,30 @@ type DynamicBaseURLConfig = {
  */
 type BaseURLConfig = string | DynamicBaseURLConfig;
 interface BetterAuthRateLimitStorage {
-  get: (key: string) => Promise<RateLimit | null | undefined>;
-  set: (key: string, value: RateLimit, update?: boolean | undefined) => Promise<void>;
+  /**
+   * Atomically records one request against `key` within the rolling `window`
+   * (in seconds) and reports whether it is allowed.
+   *
+   * When `allowed` is true the count was incremented within the active window,
+   * or the window had elapsed and was reset to start at 1. When `allowed` is
+   * false the limit was already reached and `retryAfter` is the number of
+   * seconds until the window frees up.
+   *
+   * Performing the check and the increment in a single step closes the
+   * concurrent-bypass gap of the separate `get`/`set` path: N simultaneous
+   * requests can no longer all pass a stale read before any increment lands.
+   *
+   * Custom storages must implement this operation directly. Better Auth no
+   * longer accepts separate `get`/`set` rate-limit storage because that shape
+   * cannot enforce a distributed limit under concurrent requests.
+   */
+  consume: (key: string, rule: {
+    window: number;
+    max: number;
+  }) => Promise<{
+    allowed: boolean;
+    retryAfter: number | null;
+  }>;
 }
 type BetterAuthRateLimitRule = {
   /**
@@ -916,6 +938,20 @@ type BetterAuthOptions = {
        * @default "compact"
        */
       strategy?: "compact" | "jwt" | "jwe";
+      /**
+       * JWT-specific configuration for `strategy: "jwt"`.
+       */
+      jwt?: {
+        /**
+         * Which signing key is used for cookie-cache JWTs.
+         *
+         * - `"secret"`: uses the Better Auth secret with HS256.
+         * - `"jwt-plugin"`: uses the installed `jwt()` plugin's asymmetric signing keys.
+         *
+         * @default "secret"
+         */
+        signingKey?: "secret" | "jwt-plugin";
+      };
       /**
        * Controls stateless cookie cache refresh behavior.
        *
@@ -1095,9 +1131,13 @@ type BetterAuthOptions = {
      */
     storeStateStrategy?: "database" | "cookie";
     /**
-     * Store account data after oauth flow on a cookie
+     * Store provider account data after an OAuth flow in an encrypted
+     * cookie. This includes OAuth token material such as access tokens,
+     * refresh tokens, ID tokens, scopes, and token expiry.
      *
-     * This is useful for database-less flow
+     * This is useful for database-less flows, but large provider tokens can
+     * still hit browser or proxy cookie/header limits even though Better Auth
+     * chunks oversized account cookies.
      *
      * @default false
      *

package/dist/types/plugin-client.d.mts

@@ -1,10 +1,20 @@
 import { LiteralString } from "./helper.mjs";
-import { BetterAuthPlugin } from "./plugin.mjs";
 import { BetterAuthOptions } from "./init-options.mjs";
 import { BetterFetch, BetterFetchOption, BetterFetchPlugin } from "@better-fetch/fetch";
 import { Atom, WritableAtom } from "nanostores";
 
 //#region src/types/plugin-client.d.ts
+type InferableServerPlugin = {
+  id?: LiteralString | undefined;
+  endpoints?: Record<string, unknown> | undefined;
+  schema?: Record<string, {
+    fields: Record<string, unknown>;
+  }> | undefined;
+  $ERROR_CODES?: Record<string, {
+    readonly code: string;
+    message: string;
+  }> | undefined;
+};
 interface ClientStore {
   notify: (signal: string) => void;
   listen: (signal: string, listener: () => void) => void;
@@ -71,7 +81,7 @@ interface BetterAuthClientPlugin {
    * only used for type inference. don't pass the
    * actual plugin
    */
-  $InferServerPlugin?: BetterAuthPlugin | undefined;
+  $InferServerPlugin?: InferableServerPlugin | undefined;
   /**
    * Custom actions
    */

package/dist/utils/host.mjs

@@ -126,6 +126,7 @@ function classifyIPv6(expanded) {
 	if (firstByte === 254 && (secondByte & 192) === 128) return "linkLocal";
 	if ((firstByte & 254) === 252) return "private";
 	if (expanded.startsWith("2001:0db8:")) return "documentation";
+	if (expanded.startsWith("2001:0002:0000:")) return "benchmarking";
 	if (expanded.startsWith("2002:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 1);
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
@@ -136,12 +137,15 @@ function classifyIPv6(expanded) {
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
 		return "reserved";
 	}
+	if (expanded.startsWith("0064:ff9b:0001:")) return "reserved";
 	if (expanded.startsWith("2001:0000:")) {
 		const embedded = extractEmbeddedIPv4(expanded, 6, { xor: true });
 		if (embedded && classifyIPv4(embedded) !== "public") return "reserved";
 		return "reserved";
 	}
 	if (expanded.startsWith("0100:0000:0000:0000:")) return "reserved";
+	if (expanded.startsWith("3fff:0")) return "documentation";
+	if (expanded.startsWith("5f00:")) return "reserved";
 	return "public";
 }
 /**

package/dist/utils/url.mjs

@@ -22,9 +22,10 @@ function normalizePathname(requestUrl, basePath) {
 	} catch {
 		return "/";
 	}
-	if (basePath === "/" || basePath === "") return pathname;
-	if (pathname === basePath) return "/";
-	if (pathname.startsWith(basePath + "/")) return pathname.slice(basePath.length).replace(/\/+$/, "") || "/";
+	const normalizedBasePath = basePath.replace(/\/+$/, "");
+	if (normalizedBasePath === "") return pathname;
+	if (pathname === normalizedBasePath) return "/";
+	if (pathname.startsWith(normalizedBasePath + "/")) return pathname.slice(normalizedBasePath.length).replace(/\/+$/, "") || "/";
 	return pathname;
 }
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.7.0-beta.5",
+  "version": "1.7.0-beta.6",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -152,8 +152,8 @@
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.2.2",
+    "@better-auth/utils": "0.4.2",
+    "@better-fetch/fetch": "1.3.1",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/sdk-trace-base": "^1.30.0",
     "@opentelemetry/sdk-trace-node": "^1.30.0",
@@ -165,8 +165,8 @@
     "tsdown": "0.21.1"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.2.2",
+    "@better-auth/utils": "0.4.2",
+    "@better-fetch/fetch": "1.3.1",
     "@opentelemetry/api": "^1.9.0",
     "better-call": "1.3.6",
     "@cloudflare/workers-types": ">=4",

package/src/api/index.ts

@@ -12,6 +12,25 @@ import { runWithEndpointContext } from "../context";
 import type { AuthContext } from "../types";
 import { isAPIError } from "../utils/is-api-error";
 
+/**
+ * Response headers that forbid any intermediary (proxy, CDN, browser) from
+ * caching a response body. Credential-bearing responses (access/refresh tokens,
+ * ID tokens, client secrets, device codes) must carry them.
+ *
+ * Set `metadata: { noStore: true }` on an endpoint and {@link createAuthEndpoint}
+ * applies these to the responses its handler produces: the success body and any
+ * error the handler throws. A request rejected by schema or media-type
+ * validation before the handler runs is not covered, and carries no credentials
+ * to protect. Spread them into a hand-built `Response` or `APIError`'s headers
+ * for the rare endpoint that constructs its own response.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ */
+export const NO_STORE_HEADERS = {
+	"Cache-Control": "no-store",
+	Pragma: "no-cache",
+} as const;
+
 /**
  * Better-call's createEndpoint re-throws APIError without exposing the headers
  * accumulated on ctx.responseHeaders (e.g. Set-Cookie from deleteSessionCookie
@@ -101,8 +120,23 @@ export function createAuthEndpoint<
 	const handler: EndpointHandler<Path, Opts, R> =
 		typeof handlerOrOptions === "function" ? handlerOrOptions : handlerOrNever;
 
+	// Endpoints that return credentials declare `metadata: { noStore: true }`.
+	// Emit the no-store headers at the boundary, before the handler runs, so they
+	// land on every response the handler produces: a success harvests
+	// `responseHeaders`, and a thrown error carries the same headers through
+	// `attachResponseHeadersToAPIError`. Validation that rejects the request
+	// before the handler runs is not covered (and returns no credentials).
+	const noStore =
+		(options as { metadata?: { noStore?: boolean } }).metadata?.noStore ===
+		true;
+
 	// todo: prettify the code, we want to call `runWithEndpointContext` to top level
 	const wrapped: EndpointHandler<Path, Opts, R> = async (ctx) => {
+		if (noStore) {
+			for (const [name, value] of Object.entries(NO_STORE_HEADERS)) {
+				ctx.setHeader(name, value);
+			}
+		}
 		const runtimeCtx = ctx as unknown as { responseHeaders?: Headers };
 		try {
 			return await runWithEndpointContext(ctx as any, () => handler(ctx));
@@ -132,6 +166,54 @@ export function createAuthEndpoint<
 	);
 }
 
+/**
+ * Set `metadata.SERVER_ONLY` while preserving any existing metadata
+ * (`$Infer`, `openapi`, ...).
+ */
+function withServerOnly<Options extends EndpointOptions>(
+	options: Options,
+): Options {
+	return {
+		...options,
+		metadata: { ...options.metadata, SERVER_ONLY: true },
+	} as Options;
+}
+
+export namespace createAuthEndpoint {
+	/**
+	 * Declare a **server-only** endpoint.
+	 *
+	 * The endpoint is callable through `auth.api.*` from trusted server code but is
+	 * never registered on the HTTP router and never emitted into the OpenAPI
+	 * schema. It takes no path because it has no URL to be reached at.
+	 *
+	 * Prefer this over the path-less `createAuthEndpoint({ ... }, handler)` form.
+	 * Setting `metadata.SERVER_ONLY` makes the intent explicit at the call site and
+	 * keeps the endpoint off the HTTP surface even if a path is later added by
+	 * mistake: better-call's router skips an endpoint when its path is missing *or*
+	 * when `SERVER_ONLY` is set, so the two together are defense in depth. Relying
+	 * on path omission alone is invisible and one keystroke away from exposure.
+	 *
+	 * @example
+	 * ```ts
+	 * viewBackupCodes: createAuthEndpoint.serverOnly(
+	 * 	{ method: "POST", body: schema },
+	 * 	async (ctx) => { ... },
+	 * )
+	 * ```
+	 */
+	export function serverOnly<
+		Path extends string,
+		Options extends EndpointOptions,
+		R,
+	>(
+		options: Options,
+		handler: EndpointHandler<Path, Options, R>,
+	): StrictEndpoint<Path, Options, R> {
+		return createAuthEndpoint(withServerOnly(options), handler);
+	}
+}
+
 export type AuthEndpoint<
 	Path extends string,
 	Opts extends EndpointOptions,

package/src/context/transaction.ts

@@ -1,11 +1,15 @@
 import type { AsyncLocalStorage } from "node:async_hooks";
 import { getAsyncLocalStorage } from "@better-auth/core/async_hooks";
 import type { DBAdapter, DBTransactionAdapter } from "../db/adapter";
+import type { BetterAuthOptions } from "../types";
 import { __getBetterAuthGlobal } from "./global";
 
+type StoredAdapter = DBTransactionAdapter<BetterAuthOptions>;
+
 type HookContext = {
-	adapter: DBTransactionAdapter;
+	adapter: StoredAdapter;
 	pendingHooks: Array<() => Promise<void>>;
+	isTransactionActive: boolean;
 };
 
 const ensureAsyncStorage = async () => {
@@ -27,21 +31,29 @@ export const getCurrentDBAdapterAsyncLocalStorage = async () => {
 	return ensureAsyncStorage();
 };
 
-export const getCurrentAdapter = async (
-	fallback: DBTransactionAdapter,
-): Promise<DBTransactionAdapter> => {
+export const getCurrentAdapter = async <
+	Options extends BetterAuthOptions = BetterAuthOptions,
+>(
+	fallback: DBTransactionAdapter<Options>,
+): Promise<DBTransactionAdapter<Options>> => {
 	return ensureAsyncStorage()
 		.then((als) => {
 			const store = als.getStore();
-			return store?.adapter || fallback;
+			return (
+				(store?.adapter as DBTransactionAdapter<Options> | undefined) ||
+				fallback
+			);
 		})
 		.catch(() => {
 			return fallback;
 		});
 };
 
-export const runWithAdapter = async <R>(
-	adapter: DBAdapter,
+export const runWithAdapter = async <
+	R,
+	Options extends BetterAuthOptions = BetterAuthOptions,
+>(
+	adapter: DBAdapter<Options>,
 	fn: () => R,
 ): Promise<R> => {
 	let called = false;
@@ -53,7 +65,14 @@ export const runWithAdapter = async <R>(
 			let error: unknown;
 			let hasError = false;
 			try {
-				result = await als.run({ adapter, pendingHooks }, fn);
+				result = await als.run(
+					{
+						adapter: adapter as unknown as StoredAdapter,
+						pendingHooks,
+						isTransactionActive: false,
+					},
+					fn,
+				);
 			} catch (err) {
 				error = err;
 				hasError = true;
@@ -75,21 +94,35 @@ export const runWithAdapter = async <R>(
 		});
 };
 
-export const runWithTransaction = async <R>(
-	adapter: DBAdapter,
+export const runWithTransaction = async <
+	R,
+	Options extends BetterAuthOptions = BetterAuthOptions,
+>(
+	adapter: DBAdapter<Options>,
 	fn: () => R,
 ): Promise<R> => {
-	let called = true;
+	let called = false;
 	return ensureAsyncStorage()
 		.then(async (als) => {
 			called = true;
+			const store = als.getStore();
+			if (store?.isTransactionActive) {
+				return fn();
+			}
 			const pendingHooks: Array<() => Promise<void>> = [];
 			let result: Awaited<R>;
 			let error: unknown;
 			let hasError = false;
 			try {
 				result = await adapter.transaction(async (trx) => {
-					return als.run({ adapter: trx, pendingHooks }, fn);
+					return als.run(
+						{
+							adapter: trx as unknown as StoredAdapter,
+							pendingHooks,
+							isTransactionActive: true,
+						},
+						fn,
+					);
 				});
 			} catch (e) {
 				hasError = true;