@better-auth/oauth-provider 1.6.8 → 1.6.10

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-DMjvJjmR.mjs";
+import { s as ResourceServerMetadata } from "./oauth-CqgT-XaR.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
-import { a as getJwtPlugin, o as getOAuthProviderPlugin, y as handleMcpErrors } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-DJz94mwS.mjs";
+import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-LAthGy-x.mjs";
+import { t as PACKAGE_VERSION } from "./version-Cg-c01N0.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-By0LyEmY.mjs";
+import { n as oauthProvider } from "./oauth-DBCeGXT3.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-DJz94mwS.mjs";
+import { t as PACKAGE_VERSION } from "./version-Cg-c01N0.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-DMjvJjmR.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-By0LyEmY.mjs";
+import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-CqgT-XaR.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-DBCeGXT3.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -61,4 +61,4 @@ declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
   headers?: HeadersInit;
 }) => (request: Request) => Promise<Response>;
 //#endregion
-export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+export { AuthMethod, AuthServerMetadata, AuthorizePrompt, BearerMethodsSupported, GrantType, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, TokenEndpointAuthMethod, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { _ as validateClientCredentials, a as getJwtPlugin, b as mcpHandler, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as storeToken, h as storeClientSecret, i as getClient, l as normalizeTimestampValue, m as searchParamsToQuery, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as verifyOAuthQueryParams } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-DJz94mwS.mjs";
+import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-LAthGy-x.mjs";
+import { t as PACKAGE_VERSION } from "./version-Cg-c01N0.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -16,7 +16,8 @@ import { signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
+	const oauthRequest = await oAuthState.get();
+	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -40,6 +41,17 @@ async function consentEndpoint(ctx, opts) {
 		url: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0, getIssuer(ctx, opts))
 	};
 	const session = await getSessionFromCtx(ctx);
+	const hasLoginPrompt = parsePrompt(query.get("prompt") ?? "").has("login");
+	const hasSatisfiedLoginPrompt = hasLoginPrompt && sessionSatisfiesLoginPrompt(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
+	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
+		ctx?.headers?.set("accept", "application/json");
+		ctx.query = searchParamsToQuery(query);
+		const { url } = await authorizeEndpoint(ctx, opts);
+		return {
+			redirect: true,
+			url
+		};
+	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
 		session: session?.session,
@@ -90,14 +102,21 @@ async function consentEndpoint(ctx, opts) {
 	});
 	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
 	ctx?.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "consent");
-	ctx.context.postLogin = true;
-	const { url } = await authorizeEndpoint(ctx, opts);
+	let authorizationQuery = removePromptFromQuery(query, "consent");
+	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+	ctx.query = searchParamsToQuery(authorizationQuery);
+	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 	return {
 		redirect: true,
 		url
 	};
 }
+function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
+	if (!signedQueryIssuedAt) return false;
+	const normalized = normalizeTimestampValue(sessionCreatedAt);
+	if (!normalized) return false;
+	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+}
 //#endregion
 //#region src/continue.ts
 async function continueEndpoint(ctx, opts) {
@@ -116,7 +135,7 @@ async function selected(ctx, opts) {
 		error: "invalid_request"
 	});
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "select_account");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -131,7 +150,7 @@ async function created(ctx, opts) {
 	});
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "create");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -936,7 +955,7 @@ async function validateRefreshToken(ctx, opts, token, clientId) {
 			model: "session",
 			where: [{
 				field: "id",
-				value: refreshToken.sessionId
+				value: sessionId
 			}]
 		});
 		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
@@ -2458,7 +2477,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			createdAt: {
 				type: "date",
@@ -2557,7 +2577,8 @@ const schema = {
 			references: {
 				model: "oauthClient",
 				field: "clientId"
-			}
+			},
+			index: true
 		},
 		sessionId: {
 			type: "string",
@@ -2566,7 +2587,8 @@ const schema = {
 				model: "session",
 				field: "id",
 				onDelete: "set null"
-			}
+			},
+			index: true
 		},
 		userId: {
 			type: "string",
@@ -2574,7 +2596,8 @@ const schema = {
 			references: {
 				model: "user",
 				field: "id"
-			}
+			},
+			index: true
 		},
 		referenceId: {
 			type: "string",
@@ -2608,7 +2631,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			sessionId: {
 				type: "string",
@@ -2617,7 +2641,8 @@ const schema = {
 					model: "session",
 					field: "id",
 					onDelete: "set null"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2625,7 +2650,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
@@ -2637,7 +2663,8 @@ const schema = {
 				references: {
 					model: "oauthRefreshToken",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			expiresAt: { type: "date" },
 			createdAt: { type: "date" },
@@ -2656,7 +2683,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2664,7 +2692,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
@@ -2776,10 +2805,18 @@ const oauthProvider = (options) => {
 				handler: createAuthMiddleware(async (ctx) => {
 					const query = ctx.body.oauth_query;
 					if (!await verifyOAuthQueryParams(query, ctx.context.secret)) throw new APIError("BAD_REQUEST", { error: "invalid_signature" });
+					const signedQueryIssuedAt = getSignedQueryIssuedAt(query);
 					const queryParams = new URLSearchParams(query);
+					const postLoginClearedForSession = queryParams.get("ba_pl") ?? void 0;
 					queryParams.delete("sig");
 					queryParams.delete("exp");
-					await oAuthState.set({ query: queryParams.toString() });
+					queryParams.delete(signedQueryIssuedAtParam);
+					queryParams.delete(postLoginClearedParam);
+					await oAuthState.set({
+						query: queryParams.toString(),
+						signedQueryIssuedAt: signedQueryIssuedAt ?? void 0,
+						postLoginClearedForSession
+					});
 					if (ctx.path === "/sign-in/social" || ctx.path === "/sign-in/oauth2") {
 						if (ctx.body.additionalData?.query) return;
 						if (!ctx.body.additionalData) ctx.body.additionalData = {};
@@ -2803,7 +2840,7 @@ const oauthProvider = (options) => {
 					const secFetchMode = ctx.request?.headers?.get("sec-fetch-mode")?.toLowerCase();
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
-					ctx.query = deleteFromPrompt(query, "login");
+					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
 					return await authorizeEndpoint(ctx, opts);
 				})
 			}]
@@ -3811,7 +3848,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		});
 		if (signupRedirect) {
 			if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "interaction_required", "End-User interaction is required");
-			return redirectWithPromptCode(ctx, opts, "create", typeof signupRedirect === "string" ? signupRedirect : void 0);
+			return redirectWithPromptCode(ctx, opts, "create", { page: typeof signupRedirect === "string" ? signupRedirect : void 0 });
 		}
 	}
 	if (!settings?.postLogin && opts.postLogin) {
@@ -3825,7 +3862,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 			return redirectWithPromptCode(ctx, opts, "post_login");
 		}
 	}
-	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent");
+	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session.user,
 		session: session.session,
@@ -3858,7 +3895,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	});
 	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val))) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
-		return redirectWithPromptCode(ctx, opts, "consent");
+		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	}
 	return redirectWithAuthorizationCode(ctx, opts, {
 		query,
@@ -3905,8 +3942,8 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 	redirectUriWithCode.searchParams.set("iss", getIssuer(ctx, opts));
 	return handleRedirect(ctx, redirectUriWithCode.toString());
 }
-async function redirectWithPromptCode(ctx, opts, type, page) {
-	const queryParams = await signParams(ctx, opts);
+async function redirectWithPromptCode(ctx, opts, type, options) {
+	const queryParams = await signParams(ctx, opts, { postLoginClearedForSession: type === "consent" && opts.postLogin ? options?.sessionId : void 0 });
 	let path = opts.loginPage;
 	if (type === "select_account") path = opts.selectAccount?.page ?? opts.loginPage;
 	else if (type === "post_login") {
@@ -3914,12 +3951,16 @@ async function redirectWithPromptCode(ctx, opts, type, page) {
 		path = opts.postLogin?.page;
 	} else if (type === "consent") path = opts.consentPage;
 	else if (type === "create") path = opts.signup?.page ?? opts.loginPage;
-	return handleRedirect(ctx, `${page ?? path}?${queryParams}`);
+	return handleRedirect(ctx, `${options?.page ?? path}?${queryParams}`);
 }
-async function signParams(ctx, opts) {
-	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
+async function signParams(ctx, opts, flags) {
+	const issuedAt = Date.now();
+	const exp = Math.floor(issuedAt / 1e3) + (opts.codeExpiresIn ?? 600);
 	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
+	params.set(signedQueryIssuedAtParam, String(issuedAt));
+	params.delete(postLoginClearedParam);
+	if (flags?.postLoginClearedForSession) params.set(postLoginClearedParam, flags.postLoginClearedForSession);
 	const signature = await makeSignature(params.toString(), ctx.context.secret);
 	params.append("sig", signature);
 	return params.toString();

package/dist/{oauth-DMjvJjmR.d.mts → oauth-CqgT-XaR.d.mts}

@@ -45,6 +45,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       createdAt: {
         type: "date";
@@ -150,6 +151,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       sessionId: {
         type: "string";
@@ -159,6 +161,7 @@ declare const schema: {
           field: string;
           onDelete: "set null";
         };
+        index: true;
       };
       userId: {
         type: "string";
@@ -167,6 +170,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       referenceId: {
         type: "string";
@@ -218,6 +222,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       sessionId: {
         type: "string";
@@ -227,6 +232,7 @@ declare const schema: {
           field: string;
           onDelete: "set null";
         };
+        index: true;
       };
       userId: {
         type: "string";
@@ -235,6 +241,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       referenceId: {
         type: "string";
@@ -247,6 +254,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       expiresAt: {
         type: "date";
@@ -270,6 +278,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       userId: {
         type: "string";
@@ -278,6 +287,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       referenceId: {
         type: "string";
@@ -1287,7 +1297,7 @@ interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySup
  */
 interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
   token: string;
-  sessionId: string;
+  sessionId?: string;
   userId: string;
   referenceId?: string;
   clientId?: string;
@@ -1649,4 +1659,4 @@ interface ResourceServerMetadata {
   dpop_bound_access_tokens_required?: boolean;
 }
 //#endregion
-export { Awaitable as _, ResourceServerMetadata as a, OAuthConsent as c, OAuthRefreshToken as d, Prompt as f, VerificationValue as g, StoreTokenType as h, OIDCMetadata as i, OAuthOpaqueAccessToken as l, Scope as m, GrantType as n, AuthorizePrompt as o, SchemaClient as p, OAuthClient as r, OAuthAuthorizationQuery as s, AuthServerMetadata as t, OAuthOptions as u };
+export { Scope as _, OAuthClient as a, Awaitable as b, TokenEndpointAuthMethod as c, OAuthConsent as d, OAuthOpaqueAccessToken as f, SchemaClient as g, Prompt as h, GrantType as i, AuthorizePrompt as l, OAuthRefreshToken as m, AuthServerMetadata as n, OIDCMetadata as o, OAuthOptions as p, BearerMethodsSupported as r, ResourceServerMetadata as s, AuthMethod as t, OAuthAuthorizationQuery as u, StoreTokenType as v, VerificationValue as y };

package/dist/{oauth-By0LyEmY.d.mts → oauth-DBCeGXT3.d.mts}

@@ -1,4 +1,4 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-DMjvJjmR.mjs";
+import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-CqgT-XaR.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -15,6 +15,8 @@ declare module "@better-auth/core" {
 }
 declare const getOAuthProviderState: () => Promise<{
   query?: string;
+  signedQueryIssuedAt?: Date;
+  postLoginClearedForSession?: string;
 } | null>;
 /**
  * oAuth 2.1 provider plugin for Better Auth.
@@ -1819,6 +1821,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         createdAt: {
           type: "date";
@@ -1919,6 +1922,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         sessionId: {
           type: "string";
@@ -1928,6 +1932,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             field: string;
             onDelete: "set null";
           };
+          index: true;
         };
         userId: {
           type: "string";
@@ -1936,6 +1941,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         referenceId: {
           type: "string";
@@ -1975,6 +1981,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         sessionId: {
           type: "string";
@@ -1984,6 +1991,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             field: string;
             onDelete: "set null";
           };
+          index: true;
         };
         userId: {
           type: "string";
@@ -1992,6 +2000,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         referenceId: {
           type: "string";
@@ -2004,6 +2013,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         expiresAt: {
           type: "date";
@@ -2027,6 +2037,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         userId: {
           type: "string";
@@ -2035,6 +2046,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         referenceId: {
           type: "string";

package/dist/{utils-B9Pj9EPf.mjs → utils-LAthGy-x.mjs}

@@ -369,20 +369,24 @@ function searchParamsToQuery(params) {
 	}
 	return result;
 }
-/**
-* Deletes a prompt value
-*
-* @param ctx
-* @param prompt - the prompt value to delete
-*/
-function deleteFromPrompt(query, prompt) {
-	const prompts = query.get("prompt")?.split(" ");
+const signedQueryIssuedAtParam = "ba_iat";
+const postLoginClearedParam = "ba_pl";
+function getSignedQueryIssuedAt(oauthQuery) {
+	const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
+	if (!raw) return null;
+	const issuedAt = Number(raw);
+	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
+	return new Date(issuedAt);
+}
+function removePromptFromQuery(query, prompt) {
+	const nextQuery = new URLSearchParams(query);
+	const prompts = nextQuery.get("prompt")?.split(" ");
 	const foundPrompt = prompts?.findIndex((v) => v === prompt) ?? -1;
 	if (foundPrompt >= 0) {
 		prompts?.splice(foundPrompt, 1);
-		prompts?.length ? query.set("prompt", prompts.join(" ")) : query.delete("prompt");
+		prompts?.length ? nextQuery.set("prompt", prompts.join(" ")) : nextQuery.delete("prompt");
 	}
-	return searchParamsToQuery(query);
+	return nextQuery;
 }
 var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
 	PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
@@ -411,4 +415,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { validateClientCredentials as _, getJwtPlugin as a, mcpHandler as b, isPKCERequired as c, parsePrompt as d, resolveSessionAuthTime as f, storeToken as g, storeClientSecret as h, getClient as i, normalizeTimestampValue as l, searchParamsToQuery as m, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, resolveSubjectIdentifier as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, verifyOAuthQueryParams as v, handleMcpErrors as y };
+export { mcpHandler as C, handleMcpErrors as S, signedQueryIssuedAtParam as _, getOAuthProviderPlugin as a, validateClientCredentials as b, isPKCERequired as c, parsePrompt as d, postLoginClearedParam as f, searchParamsToQuery as g, resolveSubjectIdentifier as h, getJwtPlugin as i, normalizeTimestampValue as l, resolveSessionAuthTime as m, decryptStoredClientSecret as n, getSignedQueryIssuedAt as o, removePromptFromQuery as p, getClient as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, storeClientSecret as v, verifyOAuthQueryParams as x, storeToken as y };

package/dist/{version-DJz94mwS.mjs → version-Cg-c01N0.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.8";
+const PACKAGE_VERSION = "1.6.10";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.8",
+  "version": "1.6.10",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.8",
-    "better-auth": "1.6.8"
+    "@better-auth/core": "1.6.10",
+    "better-auth": "1.6.10"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.8",
-    "better-auth": "^1.6.8"
+    "@better-auth/core": "^1.6.10",
+    "better-auth": "^1.6.10"
   },
   "scripts": {
     "build": "tsdown",