@better-auth/infra 0.1.8 → 0.1.9

package/dist/index.mjs

@@ -1,7 +1,9 @@
-import { a as INFRA_API_URL, i as sendEmail, n as createEmailSender, o as INFRA_KV_URL, r as sendBulkEmails, t as EMAIL_TEMPLATES } from "./email-D2dL1i3c.mjs";
+import { n as INFRA_KV_URL, r as KV_TIMEOUT_MS, t as INFRA_API_URL } from "./constants-B-e0_Nsv.mjs";
+import { EMAIL_TEMPLATES, createEmailSender, sendBulkEmails, sendEmail } from "./email.mjs";
 import { APIError, generateId, getAuthTables, logger, parseState } from "better-auth";
 import { env } from "@better-auth/core/env";
 import { APIError as APIError$1, createAuthEndpoint, createAuthMiddleware, requestPasswordReset, sendVerificationEmailFn, sessionMiddleware } from "better-auth/api";
+import { getCurrentAuthContext } from "@better-auth/core/context";
 import { betterFetch, createFetch } from "@better-fetch/fetch";
 import { isValidPhoneNumber, parsePhoneNumberFromString } from "libphonenumber-js";
 import { createLocalJWKSet, jwtVerify } from "jose";
@@ -132,21 +134,6 @@ const ORGANIZATION_EVENT_TYPES = {
 	ORGANIZATION_TEAM_MEMBER_REMOVED: "organization_team_member_removed"
 };
 
-//#endregion
-//#region src/events/utils.ts
-function backgroundTask(task) {
-	let result;
-	try {
-		result = task();
-	} catch (error) {
-		logger.debug("[Dash] Background operation failed: ", error);
-		return;
-	}
-	Promise.resolve(result).catch((error) => {
-		logger.debug("[Dash] Background operation failed: ", error);
-	});
-}
-
 //#endregion
 //#region src/events/core/adapter.ts
 const getUserByEmail = async (email, ctx) => {
@@ -244,7 +231,7 @@ const initAccountEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackAccountUnlink = (account, trigger, ctx, location) => {
 		const track = async () => {
@@ -268,7 +255,7 @@ const initAccountEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackAccountPasswordChange = (account, trigger, ctx, location) => {
 		const track = async () => {
@@ -292,7 +279,7 @@ const initAccountEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	return {
 		trackAccountLinking,
@@ -306,7 +293,7 @@ const initAccountEvents = (tracker) => {
 const stripQuery = (value) => value.split("?")[0] || value;
 const escapeRegex = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 const routeToRegex = (route) => {
-	const pattern = escapeRegex(stripQuery(route)).replace(/\\\/:([^/]+)/g, "/[^/]+");
+	const pattern = escapeRegex(stripQuery(route)).replace(/\/:([^/]+)/g, "/[^/]+");
 	return /* @__PURE__ */ new RegExp(`${pattern}(?:$|[/?])`);
 };
 const matchesAnyRoute = (path, routes$1) => {
@@ -357,7 +344,7 @@ const initSessionEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackUserSignedOut = (session, trigger, ctx, location) => {
 		const track = async () => {
@@ -383,7 +370,7 @@ const initSessionEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackSessionRevoked = (session, trigger, ctx, location) => {
 		const track = async () => {
@@ -409,7 +396,7 @@ const initSessionEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackSessionRevokedAll = (session, trigger, ctx, _location) => {
 		const track = async () => {
@@ -427,7 +414,7 @@ const initSessionEvents = (tracker) => {
 				}
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackUserImpersonated = (session, trigger, ctx, location) => {
 		const track = async () => {
@@ -456,7 +443,7 @@ const initSessionEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackUserImpersonationStop = (session, trigger, ctx, location) => {
 		const track = async () => {
@@ -485,7 +472,7 @@ const initSessionEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackSessionCreated = (session, trigger, ctx, location) => {
 		const track = async () => {
@@ -511,7 +498,7 @@ const initSessionEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackEmailVerificationSent = (session, user, trigger, _ctx) => {
 		trackEvent({
@@ -545,7 +532,7 @@ const initSessionEvents = (tracker) => {
 				}
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackSocialSignInAttempt = (ctx, trigger) => {
 		const track = async () => {
@@ -564,11 +551,11 @@ const initSessionEvents = (tracker) => {
 				}
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackSocialSignInRedirectionAttempt = (ctx, trigger) => {
 		const track = async () => {
-			const user = await getUserByAuthorizationCode(ctx.body.provider, ctx);
+			const user = await getUserByAuthorizationCode(ctx.params?.id, ctx);
 			trackEvent({
 				eventKey: user?.id.toString() ?? UNKNOWN_USER,
 				eventType: EVENT_TYPES.USER_SIGN_IN_FAILED,
@@ -583,7 +570,7 @@ const initSessionEvents = (tracker) => {
 				}
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	return {
 		trackUserSignedIn,
@@ -772,7 +759,7 @@ const initVerificationEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	const trackPasswordResetRequestCompletion = (verification, trigger, ctx, location) => {
 		const track = async () => {
@@ -794,7 +781,7 @@ const initVerificationEvents = (tracker) => {
 				countryCode: location?.countryCode
 			});
 		};
-		backgroundTask(track);
+		ctx.context.runInBackground(track());
 	};
 	return {
 		trackPasswordResetRequest,
@@ -805,7 +792,7 @@ const initVerificationEvents = (tracker) => {
 //#endregion
 //#region src/events/triggers.ts
 const getTriggerInfo = (ctx, userId, session) => {
-	const sessionUserId = session?.userId ?? ctx.context.session?.session.userId ?? UNKNOWN_USER;
+	const sessionUserId = session?.userId ?? ctx.context.session?.session.userId ?? userId;
 	return {
 		triggeredBy: sessionUserId,
 		triggerContext: sessionUserId === userId ? "user" : matchesAnyRoute(ctx.path, [routes.ADMIN_ROUTE]) ? "admin" : matchesAnyRoute(ctx.path, [routes.DASH_ROUTE]) ? "dashboard" : sessionUserId === UNKNOWN_USER ? "user" : "unknown"
@@ -850,7 +837,13 @@ const initTrackEvents = (options) => {
 				logger.debug("[Dash] Failed to track event:", e);
 			}
 		};
-		track();
+		const onSuccess = (ctx) => {
+			ctx.context.runInBackground(track());
+		};
+		const onError = () => {
+			track();
+		};
+		getCurrentAuthContext().then(onSuccess, onError);
 	};
 	return { tracker: { trackEvent } };
 };
@@ -863,6 +856,7 @@ const initTrackEvents = (options) => {
 * Fetches identification data from the durable-kv service
 * when a request includes an X-Request-Id header.
 */
+const IDENTIFICATION_COOKIE_NAME = "__infra-rid";
 const identificationCache = /* @__PURE__ */ new Map();
 const CACHE_TTL_MS = 6e4;
 const CACHE_MAX_SIZE = 1e3;
@@ -892,7 +886,8 @@ async function getIdentification(requestId, apiKey, kvUrl) {
 	for (let attempt = 0; attempt <= maxRetries; attempt++) try {
 		const response = await fetch(`${baseUrl}/identify/${requestId}`, {
 			method: "GET",
-			headers: { "x-api-key": apiKey }
+			headers: { "x-api-key": apiKey },
+			signal: AbortSignal.timeout(KV_TIMEOUT_MS)
 		});
 		if (response.ok) {
 			const data = await response.json();
@@ -938,7 +933,8 @@ function extractIdentificationHeaders(request) {
 */
 function createIdentificationMiddleware(options) {
 	return createAuthMiddleware(async (ctx) => {
-		const { visitorId, requestId } = extractIdentificationHeaders(ctx.request);
+		const { visitorId, requestId: headerRequestId } = extractIdentificationHeaders(ctx.request);
+		const requestId = headerRequestId ?? ctx.getCookie(IDENTIFICATION_COOKIE_NAME) ?? null;
 		ctx.context.visitorId = visitorId;
 		ctx.context.requestId = requestId;
 		if (requestId) ctx.context.identification = ctx.context.identification ?? await getIdentification(requestId, options.apiKey, options.kvUrl) ?? null;
@@ -1249,9 +1245,9 @@ function createSecurityClient(apiUrl, apiKey, options, onSecurityEvent) {
 		},
 		async checkCompromisedPassword(password) {
 			try {
-				const hash = await sha1Hash(password);
-				const prefix = hash.substring(0, 5);
-				const suffix = hash.substring(5);
+				const hash$1 = await sha1Hash(password);
+				const prefix = hash$1.substring(0, 5);
+				const suffix = hash$1.substring(5);
 				const data = await $api("/security/breached-passwords", {
 					method: "POST",
 					body: {
@@ -1633,7 +1629,8 @@ function createEmailValidator(options = {}) {
 	});
 	const $kv = createFetch({
 		baseURL: kvUrl,
-		headers: { "x-api-key": apiKey }
+		headers: { "x-api-key": apiKey },
+		timeout: KV_TIMEOUT_MS
 	});
 	/**
 	* Fetch and resolve email validity policy from API with caching
@@ -2037,7 +2034,7 @@ const sentinel = (options) => {
 	const { trackEvent } = tracker;
 	if (!opts.apiKey) logger.warn("[Sentinel] Missing BETTER_AUTH_API_KEY. Security checks may fall back to allow mode when the Infra API rejects requests.");
 	const securityService = createSecurityClient(opts.apiUrl, opts.apiKey, opts.security || {}, (event) => {
-		tracker.trackEvent({
+		trackEvent({
 			eventKey: event.visitorId || event.userId || "unknown",
 			eventType: `security_${event.type}`,
 			eventDisplayName: `Security: ${event.type.replace(/_/g, " ")}`,
@@ -2068,7 +2065,7 @@ const sentinel = (options) => {
 			const displayName = isNoMxRecord ? `Security: invalid email domain ${actionVerb}` : `Security: disposable email ${actionVerb}`;
 			const description = isNoMxRecord ? `${actionVerb.charAt(0).toUpperCase() + actionVerb.slice(1)} signup attempt with invalid email domain (no MX records): ${data.email}` : `${actionVerb.charAt(0).toUpperCase() + actionVerb.slice(1)} signup attempt with disposable email: ${data.email} (${data.reason}, ${data.confidence} confidence)`;
 			logger.info(`[Sentinel] Tracking ${reason} event for email: ${data.email} (action: ${actionLabel})`);
-			tracker.trackEvent({
+			trackEvent({
 				eventKey: data.email,
 				eventType,
 				eventDisplayName: displayName,
@@ -2086,28 +2083,28 @@ const sentinel = (options) => {
 	});
 	return {
 		id: "sentinel",
-		init(ctx) {
+		init() {
 			return { options: { databaseHooks: {
 				user: { create: {
-					async before(_user, hookCtx) {
-						if (!hookCtx) return;
-						const visitorId = hookCtx.context.visitorId;
+					async before(_user, ctx) {
+						if (!ctx) return;
+						const visitorId = ctx.context.visitorId;
 						if (visitorId && opts.security?.freeTrialAbuse?.enabled) {
 							const abuseCheck = await securityService.checkFreeTrialAbuse(visitorId);
 							if (abuseCheck.isAbuse && abuseCheck.action === "block") throw new APIError("FORBIDDEN", { message: "Account creation is not allowed from this device." });
 						}
 					},
-					async after(user, hookCtx) {
-						if (!hookCtx) return;
-						const visitorId = hookCtx.context.visitorId;
-						if (visitorId && opts.security?.freeTrialAbuse?.enabled) backgroundTask(() => securityService.trackFreeTrialSignup(visitorId, user.id));
+					async after(user, ctx) {
+						if (!ctx) return;
+						const visitorId = ctx.context.visitorId;
+						if (visitorId && opts.security?.freeTrialAbuse?.enabled) await ctx.context.runInBackgroundOrAwait(securityService.trackFreeTrialSignup(visitorId, user.id));
 					}
 				} },
 				session: { create: {
-					async before(session, hookCtx) {
-						if (!hookCtx) return;
-						const visitorId = hookCtx.context.visitorId;
-						const identification = hookCtx.context.identification;
+					async before(session, ctx) {
+						if (!ctx) return;
+						const visitorId = ctx.context.visitorId;
+						const identification = ctx.context.identification;
 						if (session.userId && identification?.location && visitorId) {
 							const travelCheck = await securityService.checkImpossibleTravel(session.userId, identification.location, visitorId);
 							if (travelCheck?.isImpossible) {
@@ -2116,13 +2113,13 @@ const sentinel = (options) => {
 							}
 						}
 					},
-					async after(session, hookCtx) {
-						if (!hookCtx || !session.userId) return;
-						const visitorId = hookCtx.context.visitorId;
-						const identification = hookCtx.context.identification;
+					async after(session, ctx) {
+						if (!ctx || !session.userId) return;
+						const visitorId = ctx.context.visitorId;
+						const identification = ctx.context.identification;
 						let user = null;
 						try {
-							user = await hookCtx.context.adapter.findOne({
+							user = await ctx.context.adapter.findOne({
 								model: "user",
 								select: [
 									"email",
@@ -2138,7 +2135,7 @@ const sentinel = (options) => {
 							logger.warn("[Sentinel] Failed to fetch user for security checks:", error);
 						}
 						if (visitorId) {
-							if (await securityService.checkUnknownDevice(session.userId, visitorId) && user?.email) backgroundTask(() => securityService.notifyUnknownDevice(session.userId, user.email, identification));
+							if (await securityService.checkUnknownDevice(session.userId, visitorId) && user?.email) await ctx.context.runInBackgroundOrAwait(securityService.notifyUnknownDevice(session.userId, user.email, identification));
 						}
 						if (opts.security?.staleUsers?.enabled && user) {
 							const staleCheck = await securityService.checkStaleUser(session.userId, user.lastActiveAt || null);
@@ -2177,7 +2174,7 @@ const sentinel = (options) => {
 								});
 							}
 						}
-						if (identification?.location) backgroundTask(() => securityService.storeLastLocation(session.userId, identification.location));
+						if (identification?.location) await ctx.context.runInBackgroundOrAwait(securityService.storeLastLocation(session.userId, identification.location));
 					}
 				} }
 			} } };
@@ -2190,11 +2187,11 @@ const sentinel = (options) => {
 				},
 				{
 					matcher: (ctx) => ctx.request?.method !== "GET",
-					handler: createAuthMiddleware(async (hookCtx) => {
-						const visitorId = hookCtx.context.visitorId;
-						const powSolution = hookCtx.headers?.get?.("X-PoW-Solution");
+					handler: createAuthMiddleware(async (ctx) => {
+						const visitorId = ctx.context.visitorId;
+						const powSolution = ctx.headers?.get?.("X-PoW-Solution");
 						if (visitorId && powSolution) {
-							if ((await securityService.verifyPoWSolution(visitorId, powSolution)).valid) hookCtx.context.powVerified = true;
+							if ((await securityService.verifyPoWSolution(visitorId, powSolution)).valid) ctx.context.powVerified = true;
 						}
 					})
 				},
@@ -2202,10 +2199,10 @@ const sentinel = (options) => {
 				...phoneValidationHooks.before,
 				{
 					matcher: (ctx) => ctx.request?.method !== "GET",
-					handler: createAuthMiddleware(async (hookCtx) => {
-						const visitorId = hookCtx.context.visitorId;
-						const identification = hookCtx.context.identification;
-						const isSignIn = matchesAnyRoute(hookCtx.path, [
+					handler: createAuthMiddleware(async (ctx) => {
+						const visitorId = ctx.context.visitorId;
+						const identification = ctx.context.identification;
+						const isSignIn = matchesAnyRoute(ctx.path, [
 							routes.SIGN_IN_EMAIL,
 							routes.SIGN_IN_USERNAME,
 							routes.SIGN_IN_EMAIL_OTP,
@@ -2215,17 +2212,17 @@ const sentinel = (options) => {
 							routes.SIGN_IN_SSO,
 							routes.SIGN_IN_ANONYMOUS
 						]);
-						const isSignUp = matchesAnyRoute(hookCtx.path, [routes.SIGN_UP_EMAIL]);
-						const isPasswordReset = matchesAnyRoute(hookCtx.path, [routes.FORGET_PASSWORD, routes.REQUEST_PASSWORD_RESET]);
-						const isTwoFactor = matchesAnyRoute(hookCtx.path, [
+						const isSignUp = matchesAnyRoute(ctx.path, [routes.SIGN_UP_EMAIL]);
+						const isPasswordReset = matchesAnyRoute(ctx.path, [routes.FORGET_PASSWORD, routes.REQUEST_PASSWORD_RESET]);
+						const isTwoFactor = matchesAnyRoute(ctx.path, [
 							routes.TWO_FACTOR_VERIFY_TOTP,
 							routes.TWO_FACTOR_VERIFY_BACKUP,
 							routes.TWO_FACTOR_VERIFY_OTP
 						]);
-						const isOtpSend = matchesAnyRoute(hookCtx.path, [routes.EMAIL_OTP_SEND, routes.PHONE_SEND_OTP]);
-						const isMagicLinkVerify = matchesAnyRoute(hookCtx.path, [routes.MAGIC_LINK_VERIFY]);
-						const isOrgCreate = matchesAnyRoute(hookCtx.path, [routes.ORG_CREATE]);
-						const isSensitiveAction = matchesAnyRoute(hookCtx.path, [
+						const isOtpSend = matchesAnyRoute(ctx.path, [routes.EMAIL_OTP_SEND, routes.PHONE_SEND_OTP]);
+						const isMagicLinkVerify = matchesAnyRoute(ctx.path, [routes.MAGIC_LINK_VERIFY]);
+						const isOrgCreate = matchesAnyRoute(ctx.path, [routes.ORG_CREATE]);
+						const isSensitiveAction = matchesAnyRoute(ctx.path, [
 							routes.CHANGE_EMAIL,
 							routes.CHANGE_PASSWORD,
 							routes.SET_PASSWORD,
@@ -2233,9 +2230,9 @@ const sentinel = (options) => {
 							routes.PASSKEY_ADD
 						]);
 						if (!(isSignIn || isSignUp || isPasswordReset || isTwoFactor || isOtpSend || isMagicLinkVerify || isOrgCreate || isSensitiveAction)) return;
-						const requestBody = hookCtx.body;
+						const requestBody = ctx.body;
 						const identifier = requestBody?.email || requestBody?.phone || requestBody?.username || void 0;
-						const powVerified = hookCtx.context.powVerified === true;
+						const powVerified = ctx.context.powVerified === true;
 						if (visitorId && powVerified) trackEvent({
 							eventKey: visitorId,
 							eventType: "security_allowed",
@@ -2244,8 +2241,8 @@ const sentinel = (options) => {
 								action: "allowed",
 								reason: "pow_verified",
 								visitorId,
-								path: hookCtx.path,
-								userAgent: hookCtx.headers?.get?.("user-agent") || "",
+								path: ctx.path,
+								userAgent: ctx.headers?.get?.("user-agent") || "",
 								identifier,
 								detectionLabel: "Challenge Completed",
 								description: identifier ? `Successfully completed security challenge for "${identifier}"` : "Successfully completed security challenge"
@@ -2265,8 +2262,8 @@ const sentinel = (options) => {
 										action: "blocked",
 										reason: "credential_stuffing",
 										visitorId,
-										path: hookCtx.path,
-										userAgent: hookCtx.headers?.get?.("user-agent") || "",
+										path: ctx.path,
+										userAgent: ctx.headers?.get?.("user-agent") || "",
 										identifier,
 										detectionType: "cooldown_active",
 										detectionLabel: "Credential Stuffing",
@@ -2282,19 +2279,19 @@ const sentinel = (options) => {
 							}
 						}
 						await runSecurityChecks({
-							path: hookCtx.path,
+							path: ctx.path,
 							identifier,
 							visitorId,
 							identification,
-							userAgent: hookCtx.headers?.get?.("user-agent") || ""
+							userAgent: ctx.headers?.get?.("user-agent") || ""
 						}, securityService, trackEvent, powVerified);
-						if (matchesAnyRoute(hookCtx.path, [
+						if (matchesAnyRoute(ctx.path, [
 							routes.SIGN_UP_EMAIL,
 							routes.CHANGE_PASSWORD,
 							routes.SET_PASSWORD,
 							routes.RESET_PASSWORD
 						])) {
-							const body = hookCtx.body;
+							const body = ctx.body;
 							const passwordToCheck = body?.newPassword || body?.password;
 							if (passwordToCheck) {
 								const compromisedResult = await securityService.checkCompromisedPassword(passwordToCheck);
@@ -2311,18 +2308,18 @@ const sentinel = (options) => {
 			],
 			after: [{
 				matcher: (ctx) => ctx.request?.method !== "GET",
-				handler: createAuthMiddleware(async (hookCtx) => {
-					const visitorId = hookCtx.context.visitorId;
-					const identification = hookCtx.context.identification;
-					const body = hookCtx.body;
-					if (matchesAnyRoute(hookCtx.path, [routes.SIGN_IN_EMAIL, routes.SIGN_IN_EMAIL_OTP]) && hookCtx.context.returned instanceof Error && body?.email && body?.password && visitorId) {
+				handler: createAuthMiddleware(async (ctx) => {
+					const visitorId = ctx.context.visitorId;
+					const identification = ctx.context.identification;
+					const body = ctx.body;
+					if (matchesAnyRoute(ctx.path, [routes.SIGN_IN_EMAIL, routes.SIGN_IN_EMAIL_OTP]) && ctx.context.returned instanceof Error && body?.email && body?.password && visitorId) {
 						const { email, password } = body;
 						const ip = identification?.ip || null;
-						backgroundTask(() => securityService.trackFailedAttempt(email, visitorId, password, ip));
+						await ctx.context.runInBackgroundOrAwait(securityService.trackFailedAttempt(email, visitorId, password, ip));
 					}
-					if (matchesAnyRoute(hookCtx.path, [routes.SIGN_IN_EMAIL, routes.SIGN_IN_EMAIL_OTP]) && !(hookCtx.context.returned instanceof Error) && body?.email) {
+					if (matchesAnyRoute(ctx.path, [routes.SIGN_IN_EMAIL, routes.SIGN_IN_EMAIL_OTP]) && !(ctx.context.returned instanceof Error) && body?.email) {
 						const email = body.email;
-						backgroundTask(() => securityService.clearFailedAttempts(email));
+						await ctx.context.runInBackgroundOrAwait(securityService.clearFailedAttempts(email));
 					}
 				})
 			}]
@@ -2635,6 +2632,17 @@ const initTeamEvents = (tracker) => {
 //#endregion
 //#region src/jwt.ts
 /**
+* Hash the given value
+* Note: Must match @infra/crypto hash()
+* @param value - The value to hash
+*/
+async function hash(value) {
+	const data = new TextEncoder().encode(value);
+	const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+	const hashArray = new Uint8Array(hashBuffer);
+	return Array.from(hashArray).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+/**
 * Skip JTI check for JWTs issued within this many seconds.
 * This is safe because replay attacks require time for interception.
 * A freshly issued token is almost certainly legitimate.
@@ -2695,6 +2703,9 @@ const jwtMiddleware = (options, schema, getJWT) => createAuthMiddleware(async (c
 			}
 		})).data?.valid) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
 	}
+	const apiKeyHash = payload.apiKeyHash;
+	if (typeof apiKeyHash !== "string" || !options.apiKey) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
+	if (apiKeyHash !== await hash(options.apiKey)) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
 	if (schema) {
 		const parsed = schema.safeParse(payload);
 		if (!parsed.success) throw ctx.error("UNAUTHORIZED", { message: "Invalid API key" });
@@ -2705,6 +2716,33 @@ const jwtMiddleware = (options, schema, getJWT) => createAuthMiddleware(async (c
 
 //#endregion
 //#region src/routes/config.ts
+const PLUGIN_OPTIONS_EXCLUDE_KEYS = { stripe: new Set(["stripeClient"]) };
+function isPlainSerializable(value) {
+	if (value === null || typeof value !== "object") return true;
+	if (Array.isArray(value)) return true;
+	if (value instanceof Date) return true;
+	const constructor = Object.getPrototypeOf(value)?.constructor;
+	if (constructor && constructor.name !== "Object" && constructor.name !== "Array") return false;
+	return true;
+}
+function sanitizePluginOptions(pluginId, options, seen = /* @__PURE__ */ new WeakSet()) {
+	if (options === null || options === void 0) return options;
+	if (typeof options === "function") return void 0;
+	if (typeof options !== "object") return options;
+	if (seen.has(options)) return void 0;
+	seen.add(options);
+	const excludeKeys = PLUGIN_OPTIONS_EXCLUDE_KEYS[pluginId];
+	if (Array.isArray(options)) return options.map((item) => sanitizePluginOptions(pluginId, item, seen)).filter((item) => item !== void 0);
+	const result = {};
+	for (const [key, value] of Object.entries(options)) {
+		if (excludeKeys?.has(key)) continue;
+		if (typeof value === "function") continue;
+		if (value !== null && typeof value === "object" && !isPlainSerializable(value)) continue;
+		const sanitized = sanitizePluginOptions(pluginId, value, seen);
+		if (sanitized !== void 0) result[key] = sanitized;
+	}
+	return result;
+}
 function estimateEntropy(str) {
 	const unique = new Set(str).size;
 	if (unique === 0) return 0;
@@ -2725,7 +2763,7 @@ const getConfig = (options) => {
 				return {
 					id: plugin.id,
 					schema: plugin.schema,
-					options: plugin.options
+					options: sanitizePluginOptions(plugin.id, plugin.options)
 				};
 			}),
 			organization: {
@@ -4041,12 +4079,19 @@ const listOrganizations = (options) => {
 				"members"
 			]).optional(),
 			sortOrder: z$1.enum(["asc", "desc"]).optional(),
+			filterMembers: z$1.enum([
+				"abandoned",
+				"eq1",
+				"gt1",
+				"gt5",
+				"gt10"
+			]).optional(),
 			search: z$1.string().optional(),
 			startDate: z$1.date().or(z$1.string().transform((val) => new Date(val))).optional(),
 			endDate: z$1.date().or(z$1.string().transform((val) => new Date(val))).optional()
 		}).optional()
 	}, async (ctx) => {
-		const { limit = 10, offset = 0, sortBy = "createdAt", sortOrder = "desc", search } = ctx.query || {};
+		const { limit = 10, offset = 0, sortBy = "createdAt", sortOrder = "desc", search, filterMembers } = ctx.query || {};
 		const where = [];
 		if (search && search.trim().length > 0) {
 			const searchTerm = search.trim();
@@ -4072,26 +4117,64 @@ const listOrganizations = (options) => {
 			value: ctx.query.endDate,
 			operator: "lte"
 		});
+		const needsInMemoryProcessing = sortBy === "members" || !!filterMembers;
+		const dbSortBy = sortBy === "members" ? "createdAt" : sortBy;
+		const fetchLimit = needsInMemoryProcessing ? 1e3 : limit;
+		const fetchOffset = needsInMemoryProcessing ? 0 : offset;
 		const [organizations, initialTotal] = await Promise.all([ctx.context.adapter.findMany({
 			model: "organization",
 			where,
-			limit,
-			offset,
+			limit: fetchLimit,
+			offset: fetchOffset,
 			sortBy: {
-				field: sortBy,
+				field: dbSortBy,
 				direction: sortOrder
-			},
-			join: { member: true }
-		}), ctx.context.adapter.count({
+			}
+		}), needsInMemoryProcessing ? Promise.resolve(0) : ctx.context.adapter.count({
 			model: "organization",
 			where
 		})]);
-		const withCounts = organizations.map((organization) => ({
-			...organization,
-			memberCount: organization.member.length
-		}));
+		const orgIds = organizations.map((o) => o.id);
+		const allMembers = orgIds.length > 0 ? await ctx.context.adapter.findMany({
+			model: "member",
+			where: [{
+				field: "organizationId",
+				value: orgIds,
+				operator: "in"
+			}]
+		}) : [];
+		const membersByOrg = /* @__PURE__ */ new Map();
+		for (const m of allMembers) {
+			const list = membersByOrg.get(m.organizationId) || [];
+			list.push(m);
+			membersByOrg.set(m.organizationId, list);
+		}
+		let withCounts = organizations.map((organization) => {
+			const orgMembers = membersByOrg.get(organization.id) || [];
+			return {
+				...organization,
+				_members: orgMembers,
+				memberCount: orgMembers.length
+			};
+		});
+		if (filterMembers) {
+			const predicate = {
+				abandoned: (c) => c === 0,
+				eq1: (c) => c === 1,
+				gt1: (c) => c > 1,
+				gt5: (c) => c > 5,
+				gt10: (c) => c > 10
+			}[filterMembers];
+			if (predicate) withCounts = withCounts.filter((o) => predicate(o.memberCount));
+		}
+		if (sortBy === "members") {
+			const dir = sortOrder === "asc" ? 1 : -1;
+			withCounts.sort((a, b) => (a.memberCount - b.memberCount) * dir);
+		}
+		const total = needsInMemoryProcessing ? withCounts.length : initialTotal;
+		if (needsInMemoryProcessing) withCounts = withCounts.slice(offset, offset + limit);
 		const allUserIds = /* @__PURE__ */ new Set();
-		for (const organization of withCounts) for (const member of organization.member.slice(0, 5)) allUserIds.add(member.userId);
+		for (const organization of withCounts) for (const member of organization._members.slice(0, 5)) allUserIds.add(member.userId);
 		const users = allUserIds.size > 0 ? await ctx.context.adapter.findMany({
 			model: "user",
 			where: [{
@@ -4103,32 +4186,36 @@ const listOrganizations = (options) => {
 		const userMap = new Map(users.map((u) => [u.id, u]));
 		return {
 			organizations: withCounts.map((organization) => {
-				const members = organization.member.slice(0, 5).map((m) => userMap.get(m.userId)).filter((u) => u !== void 0).map((u) => ({
+				const members = organization._members.slice(0, 5).map((m) => userMap.get(m.userId)).filter((u) => u !== void 0).map((u) => ({
 					id: u.id,
 					name: u.name,
 					email: u.email,
 					image: u.image
 				}));
+				const { _members, ...org } = organization;
 				return {
-					...organization,
+					...org,
 					members
 				};
 			}),
-			total: initialTotal,
+			total,
 			offset,
 			limit
 		};
 	});
 };
+function parseWhereClause$1(val) {
+	if (!val) return [];
+	const parsed = JSON.parse(val);
+	if (!Array.isArray(parsed)) return [];
+	return parsed;
+}
 const exportOrganizationsQuerySchema = z$1.object({
 	limit: z$1.number().or(z$1.string().transform(Number)).optional(),
 	offset: z$1.number().or(z$1.string().transform(Number)).optional(),
 	sortBy: z$1.string().optional(),
 	sortOrder: z$1.enum(["asc", "desc"]).optional(),
-	where: z$1.string().transform((val) => {
-		if (!val) return [];
-		return JSON.parse(val);
-	}).optional()
+	where: z$1.string().transform(parseWhereClause$1).optional()
 }).optional();
 const exportOrganizations = (options) => {
 	return createAuthEndpoint("/dash/export-organizations", {
@@ -5149,7 +5236,7 @@ const updateOrganization = (options) => {
 				value: organizationId
 			}],
 			update: {
-				updateData,
+				...updateData,
 				metadata: typeof updateData.metadata === "object" ? JSON.stringify(updateData.metadata) : updateData.metadata
 			}
 		});
@@ -6121,19 +6208,19 @@ const revokeManySessions = (options) => createAuthEndpoint("/dash/sessions/revok
 
 //#endregion
 //#region src/routes/users.ts
+function parseWhereClause(val) {
+	if (!val) return [];
+	const parsed = JSON.parse(val);
+	if (!Array.isArray(parsed)) return [];
+	return parsed;
+}
 const getUsersQuerySchema = z$1.object({
 	limit: z$1.number().or(z$1.string().transform(Number)).optional(),
 	offset: z$1.number().or(z$1.string().transform(Number)).optional(),
 	sortBy: z$1.string().optional(),
 	sortOrder: z$1.enum(["asc", "desc"]).optional(),
-	where: z$1.string().transform((val) => {
-		if (!val) return [];
-		return JSON.parse(val);
-	}).optional(),
-	countWhere: z$1.string().transform((val) => {
-		if (!val) return [];
-		return JSON.parse(val);
-	}).optional()
+	where: z$1.string().transform(parseWhereClause).optional(),
+	countWhere: z$1.string().transform(parseWhereClause).optional()
 }).optional();
 const getUsers = (options) => {
 	return createAuthEndpoint("/dash/list-users", {
@@ -6148,6 +6235,8 @@ const getUsers = (options) => {
 			if (fields.lastActiveAt.type !== "date") return false;
 			return true;
 		})();
+		const where = ctx.query?.where?.length ? ctx.query.where : void 0;
+		const countWhere = ctx.query?.countWhere?.length ? ctx.query.countWhere : void 0;
 		const userQuery = ctx.context.adapter.findMany({
 			model: "user",
 			limit: ctx.query?.limit || 10,
@@ -6156,11 +6245,11 @@ const getUsers = (options) => {
 				field: ctx.query?.sortBy || "createdAt",
 				direction: ctx.query?.sortOrder || "desc"
 			},
-			where: ctx.query?.where
+			where
 		});
 		const totalQuery = ctx.context.adapter.count({
 			model: "user",
-			where: ctx.query?.countWhere
+			where: countWhere
 		});
 		const onlineUsersQuery = activityTrackingEnabled ? ctx.context.adapter.count({
 			model: "user",
@@ -6169,6 +6258,9 @@ const getUsers = (options) => {
 				value: /* @__PURE__ */ new Date(Date.now() - 1e3 * 60 * 2),
 				operator: "gte"
 			}]
+		}).catch((e) => {
+			ctx.context.logger.error("[Dash] Failed to count online users:", e);
+			return 0;
 		}) : Promise.resolve(0);
 		const [users, total, onlineUsers] = await Promise.all([
 			userQuery,
@@ -7387,12 +7479,12 @@ async function sha256(message) {
 /**
 * Check if a hash has the required number of leading zero bits
 */
-function hasLeadingZeroBits(hash, bits) {
+function hasLeadingZeroBits(hash$1, bits) {
 	const fullHexChars = Math.floor(bits / 4);
 	const remainingBits = bits % 4;
-	for (let i = 0; i < fullHexChars; i++) if (hash[i] !== "0") return false;
-	if (remainingBits > 0 && fullHexChars < hash.length) {
-		if (parseInt(hash[fullHexChars], 16) > (1 << 4 - remainingBits) - 1) return false;
+	for (let i = 0; i < fullHexChars; i++) if (hash$1[i] !== "0") return false;
+	if (remainingBits > 0 && fullHexChars < hash$1.length) {
+		if (parseInt(hash$1[fullHexChars], 16) > (1 << 4 - remainingBits) - 1) return false;
 	}
 	return true;
 }
@@ -7692,8 +7784,10 @@ const dash = (options) => {
 								const ctx$1 = _ctx;
 								if (!ctx$1 || !session.userId) return;
 								const location = ctx$1.context.location;
+								const loginMethod = getLoginMethod(ctx$1) ?? void 0;
 								const enrichedSession = {
 									...session,
+									loginMethod,
 									ipAddress: location?.ipAddress,
 									city: location?.city,
 									country: location?.country,
@@ -7812,11 +7906,19 @@ const dash = (options) => {
 		},
 		hooks: {
 			before: [{
-				matcher: (ctx) => ctx.request?.method !== "GET",
+				matcher: (ctx) => {
+					if (ctx.request?.method !== "GET") return true;
+					const path = new URL(ctx.request.url).pathname;
+					return matchesAnyRoute(path, [routes.SIGN_IN_SOCIAL_CALLBACK, routes.SIGN_IN_OAUTH_CALLBACK]);
+				},
 				handler: createIdentificationMiddleware(opts)
 			}],
 			after: [{
-				matcher: (ctx) => ctx.request?.method !== "GET",
+				matcher: (ctx) => {
+					if (ctx.request?.method !== "GET") return true;
+					const path = new URL(ctx.request.url).pathname;
+					return matchesAnyRoute(path, [routes.SIGN_IN_SOCIAL_CALLBACK, routes.SIGN_IN_OAUTH_CALLBACK]);
+				},
 				handler: createAuthMiddleware(async (_ctx) => {
 					const ctx = _ctx;
 					const trigger = getTriggerInfo(ctx, ctx.context.session?.user.id ?? UNKNOWN_USER);
@@ -7825,6 +7927,17 @@ const dash = (options) => {
 					if (matchesAnyRoute(ctx.path, [routes.SIGN_IN_EMAIL, routes.SIGN_IN_EMAIL_OTP]) && ctx.context.returned instanceof Error && body?.email) trackEmailSignInAttempt(ctx, trigger);
 					if (matchesAnyRoute(ctx.path, [routes.SIGN_IN_SOCIAL]) && ctx.context.returned instanceof Error && ctx.body.provider && ctx.body.idToken) trackSocialSignInAttempt(ctx, trigger);
 					if (matchesAnyRoute(ctx.path, [routes.SIGN_IN_SOCIAL_CALLBACK]) && ctx.context.returned instanceof Error) trackSocialSignInRedirectionAttempt(ctx, trigger);
+					const headerRequestId = ctx.request?.headers.get("X-Request-Id");
+					if (headerRequestId) ctx.setCookie(IDENTIFICATION_COOKIE_NAME, headerRequestId, {
+						maxAge: 600,
+						sameSite: "lax",
+						httpOnly: true,
+						path: "/"
+					});
+					else if (ctx.context.requestId) ctx.setCookie(IDENTIFICATION_COOKIE_NAME, "", {
+						maxAge: 0,
+						path: "/"
+					});
 				})
 			}, {
 				handler: createAuthMiddleware(async (ctx) => {
@@ -7933,7 +8046,7 @@ const dash = (options) => {
 			getDashDirectoryDetails: getDirectoryDetails(opts),
 			dashExecuteAdapter: executeAdapter(opts)
 		},
-		schema: { ...opts.activityTracking?.enabled ? { user: { fields: { lastActiveAt: { type: "date" } } } } : {} }
+		schema: opts.activityTracking?.enabled ? { user: { fields: { lastActiveAt: { type: "date" } } } } : {}
 	};
 };