@better-auth/oauth-provider 1.6.9 → 1.6.11

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-DMjvJjmR.mjs";
+import { s as ResourceServerMetadata } from "./oauth-BqWgUea8.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
-import { a as getJwtPlugin, o as getOAuthProviderPlugin, y as handleMcpErrors } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-ittBKKvy.mjs";
+import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-LAthGy-x.mjs";
+import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-By0LyEmY.mjs";
+import { n as oauthProvider } from "./oauth-C4GaGx2I.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-ittBKKvy.mjs";
+import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-DMjvJjmR.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-By0LyEmY.mjs";
+import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-BqWgUea8.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-C4GaGx2I.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -61,4 +61,4 @@ declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
   headers?: HeadersInit;
 }) => (request: Request) => Promise<Response>;
 //#endregion
-export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+export { AuthMethod, AuthServerMetadata, AuthorizePrompt, BearerMethodsSupported, GrantType, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, TokenEndpointAuthMethod, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };

package/dist/index.mjs

@@ -1,5 +1,5 @@
-import { _ as validateClientCredentials, a as getJwtPlugin, b as mcpHandler, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as storeToken, h as storeClientSecret, i as getClient, l as normalizeTimestampValue, m as searchParamsToQuery, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as verifyOAuthQueryParams } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-ittBKKvy.mjs";
+import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-LAthGy-x.mjs";
+import { t as PACKAGE_VERSION } from "./version-CRjaDWWg.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -16,7 +16,8 @@ import { signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
+	const oauthRequest = await oAuthState.get();
+	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -40,6 +41,17 @@ async function consentEndpoint(ctx, opts) {
 		url: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0, getIssuer(ctx, opts))
 	};
 	const session = await getSessionFromCtx(ctx);
+	const hasLoginPrompt = parsePrompt(query.get("prompt") ?? "").has("login");
+	const hasSatisfiedLoginPrompt = hasLoginPrompt && sessionSatisfiesLoginPrompt(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
+	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
+		ctx?.headers?.set("accept", "application/json");
+		ctx.query = searchParamsToQuery(query);
+		const { url } = await authorizeEndpoint(ctx, opts);
+		return {
+			redirect: true,
+			url
+		};
+	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
 		session: session?.session,
@@ -90,14 +102,21 @@ async function consentEndpoint(ctx, opts) {
 	});
 	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
 	ctx?.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "consent");
-	ctx.context.postLogin = true;
-	const { url } = await authorizeEndpoint(ctx, opts);
+	let authorizationQuery = removePromptFromQuery(query, "consent");
+	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+	ctx.query = searchParamsToQuery(authorizationQuery);
+	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 	return {
 		redirect: true,
 		url
 	};
 }
+function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
+	if (!signedQueryIssuedAt) return false;
+	const normalized = normalizeTimestampValue(sessionCreatedAt);
+	if (!normalized) return false;
+	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+}
 //#endregion
 //#region src/continue.ts
 async function continueEndpoint(ctx, opts) {
@@ -116,7 +135,7 @@ async function selected(ctx, opts) {
 		error: "invalid_request"
 	});
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "select_account");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -131,7 +150,7 @@ async function created(ctx, opts) {
 	});
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "create");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -418,33 +437,95 @@ async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload,
 	});
 	return (opts.prefix?.opaqueAccessToken ?? "") + token;
 }
+/**
+* Tear down the entire refresh-token family for a (client, user) pair, plus
+* any access tokens that reference those refresh rows, per RFC 9700 §4.14.
+* Access tokens are deleted first so the parent rows' foreign-key children
+* do not block the refresh-row delete.
+*
+* TODO(invalidate-family-race): the two `deleteMany` calls are not atomic
+* with respect to each other. Between them, a concurrent rotation in a
+* different worker can `create` a fresh refresh row (and, immediately after,
+* an access-token row referencing it) for the same (client, user) pair,
+* leaving the family partially rebuilt and the new refresh row orphaned of
+* any deletion. Closing this window requires the same transactional adapter
+* contract tracked under FIXME(strict-family-invalidation) in
+* `createRefreshToken`.
+*
+* @internal
+*/
+async function invalidateRefreshFamily(ctx, clientId, userId) {
+	const refreshTokens = await ctx.context.adapter.findMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+	if (refreshTokens.length) await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			operator: "in",
+			value: refreshTokens.map((r) => r.id)
+		}]
+	});
+	await ctx.context.adapter.deleteMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+}
 async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime) {
 	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592e3);
 	const token = opts.generateRefreshToken ? await opts.generateRefreshToken() : generateRandomString(32, "A-Z", "a-z");
 	const sessionId = payload?.sid;
-	if (originalRefresh?.id) await ctx.context.adapter.update({
+	const newRow = {
+		token: await storeToken(opts.storeTokens, token, "refresh_token"),
+		clientId: client.clientId,
+		sessionId,
+		userId: user.id,
+		referenceId,
+		authTime,
+		scopes,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+		expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
+	};
+	if (!originalRefresh?.id) return {
+		id: (await ctx.context.adapter.create({
+			model: "oauthRefreshToken",
+			data: newRow
+		})).id,
+		token: await encodeRefreshToken(opts, token, sessionId)
+	};
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: originalRefresh.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+	})) throw new APIError("BAD_REQUEST", {
+		error_description: "invalid refresh token",
+		error: "invalid_grant"
 	});
 	return {
 		id: (await ctx.context.adapter.create({
 			model: "oauthRefreshToken",
-			data: {
-				token: await storeToken(opts.storeTokens, token, "refresh_token"),
-				clientId: client.clientId,
-				sessionId,
-				userId: user.id,
-				referenceId,
-				authTime,
-				scopes,
-				createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-				expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-			}
+			data: newRow
 		})).id,
 		token: await encodeRefreshToken(opts, token, sessionId)
 	};
@@ -522,15 +603,14 @@ async function createUserTokens(ctx, opts, params) {
 }
 /** Checks verification value */
 async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
-	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
+	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification) throw new APIError("UNAUTHORIZED", {
 		error_description: "Invalid code",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification.expiresAt || verification.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
 		error_description: "code expired",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
 	let rawValue;
 	try {
@@ -538,13 +618,13 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 	} catch {
 		throw new APIError("UNAUTHORIZED", {
 			error_description: "malformed verification value",
-			error: "invalid_verification"
+			error: "invalid_grant"
 		});
 	}
 	const parsed = verificationValueSchema.safeParse(rawValue);
 	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
 		error_description: "malformed verification value",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
 	const verificationValue = parsed.data;
 	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
@@ -745,16 +825,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error: "invalid_grant"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: client_id
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, client_id, refreshToken.userId);
 		throw new APIError("BAD_REQUEST", {
 			error_description: "invalid refresh token",
 			error: "invalid_grant"
@@ -936,7 +1007,7 @@ async function validateRefreshToken(ctx, opts, token, clientId) {
 			model: "session",
 			where: [{
 				field: "id",
-				value: refreshToken.sessionId
+				value: sessionId
 			}]
 		});
 		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
@@ -2310,16 +2381,7 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 		error: "invalid_request"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: clientId
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
 		throw new APIError$1("BAD_REQUEST", {
 			error_description: "refresh token revoked",
 			error: "invalid_request"
@@ -2327,20 +2389,31 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 	}
 	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
 	const iat = Math.floor(Date.now() / 1e3);
-	await Promise.allSettled([ctx.context.adapter.deleteMany({
-		model: "oauthAccessToken",
-		where: [{
-			field: "refreshId",
-			value: refreshToken.id
-		}]
-	}), ctx.context.adapter.update({
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: refreshToken.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
-	})]);
+	})) {
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
+		throw new APIError$1("BAD_REQUEST", {
+			error_description: "refresh token revoked",
+			error: "invalid_request"
+		});
+	}
+	await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			value: refreshToken.id
+		}]
+	});
 }
 /**
 * We don't know the access token format so we try to validate it
@@ -2458,7 +2531,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			createdAt: {
 				type: "date",
@@ -2549,7 +2623,8 @@ const schema = {
 	oauthRefreshToken: { fields: {
 		token: {
 			type: "string",
-			required: true
+			required: true,
+			unique: true
 		},
 		clientId: {
 			type: "string",
@@ -2557,7 +2632,8 @@ const schema = {
 			references: {
 				model: "oauthClient",
 				field: "clientId"
-			}
+			},
+			index: true
 		},
 		sessionId: {
 			type: "string",
@@ -2566,7 +2642,8 @@ const schema = {
 				model: "session",
 				field: "id",
 				onDelete: "set null"
-			}
+			},
+			index: true
 		},
 		userId: {
 			type: "string",
@@ -2574,7 +2651,8 @@ const schema = {
 			references: {
 				model: "user",
 				field: "id"
-			}
+			},
+			index: true
 		},
 		referenceId: {
 			type: "string",
@@ -2608,7 +2686,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			sessionId: {
 				type: "string",
@@ -2617,7 +2696,8 @@ const schema = {
 					model: "session",
 					field: "id",
 					onDelete: "set null"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2625,7 +2705,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
@@ -2637,7 +2718,8 @@ const schema = {
 				references: {
 					model: "oauthRefreshToken",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			expiresAt: { type: "date" },
 			createdAt: { type: "date" },
@@ -2656,7 +2738,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2664,7 +2747,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
@@ -2776,10 +2860,18 @@ const oauthProvider = (options) => {
 				handler: createAuthMiddleware(async (ctx) => {
 					const query = ctx.body.oauth_query;
 					if (!await verifyOAuthQueryParams(query, ctx.context.secret)) throw new APIError("BAD_REQUEST", { error: "invalid_signature" });
+					const signedQueryIssuedAt = getSignedQueryIssuedAt(query);
 					const queryParams = new URLSearchParams(query);
+					const postLoginClearedForSession = queryParams.get("ba_pl") ?? void 0;
 					queryParams.delete("sig");
 					queryParams.delete("exp");
-					await oAuthState.set({ query: queryParams.toString() });
+					queryParams.delete(signedQueryIssuedAtParam);
+					queryParams.delete(postLoginClearedParam);
+					await oAuthState.set({
+						query: queryParams.toString(),
+						signedQueryIssuedAt: signedQueryIssuedAt ?? void 0,
+						postLoginClearedForSession
+					});
 					if (ctx.path === "/sign-in/social" || ctx.path === "/sign-in/oauth2") {
 						if (ctx.body.additionalData?.query) return;
 						if (!ctx.body.additionalData) ctx.body.additionalData = {};
@@ -2803,7 +2895,7 @@ const oauthProvider = (options) => {
 					const secFetchMode = ctx.request?.headers?.get("sec-fetch-mode")?.toLowerCase();
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
-					ctx.query = deleteFromPrompt(query, "login");
+					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
 					return await authorizeEndpoint(ctx, opts);
 				})
 			}]
@@ -3811,7 +3903,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		});
 		if (signupRedirect) {
 			if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "interaction_required", "End-User interaction is required");
-			return redirectWithPromptCode(ctx, opts, "create", typeof signupRedirect === "string" ? signupRedirect : void 0);
+			return redirectWithPromptCode(ctx, opts, "create", { page: typeof signupRedirect === "string" ? signupRedirect : void 0 });
 		}
 	}
 	if (!settings?.postLogin && opts.postLogin) {
@@ -3825,7 +3917,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 			return redirectWithPromptCode(ctx, opts, "post_login");
 		}
 	}
-	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent");
+	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session.user,
 		session: session.session,
@@ -3858,7 +3950,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	});
 	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val))) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
-		return redirectWithPromptCode(ctx, opts, "consent");
+		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	}
 	return redirectWithAuthorizationCode(ctx, opts, {
 		query,
@@ -3905,8 +3997,8 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 	redirectUriWithCode.searchParams.set("iss", getIssuer(ctx, opts));
 	return handleRedirect(ctx, redirectUriWithCode.toString());
 }
-async function redirectWithPromptCode(ctx, opts, type, page) {
-	const queryParams = await signParams(ctx, opts);
+async function redirectWithPromptCode(ctx, opts, type, options) {
+	const queryParams = await signParams(ctx, opts, { postLoginClearedForSession: type === "consent" && opts.postLogin ? options?.sessionId : void 0 });
 	let path = opts.loginPage;
 	if (type === "select_account") path = opts.selectAccount?.page ?? opts.loginPage;
 	else if (type === "post_login") {
@@ -3914,12 +4006,16 @@ async function redirectWithPromptCode(ctx, opts, type, page) {
 		path = opts.postLogin?.page;
 	} else if (type === "consent") path = opts.consentPage;
 	else if (type === "create") path = opts.signup?.page ?? opts.loginPage;
-	return handleRedirect(ctx, `${page ?? path}?${queryParams}`);
+	return handleRedirect(ctx, `${options?.page ?? path}?${queryParams}`);
 }
-async function signParams(ctx, opts) {
-	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
+async function signParams(ctx, opts, flags) {
+	const issuedAt = Date.now();
+	const exp = Math.floor(issuedAt / 1e3) + (opts.codeExpiresIn ?? 600);
 	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
+	params.set(signedQueryIssuedAtParam, String(issuedAt));
+	params.delete(postLoginClearedParam);
+	if (flags?.postLoginClearedForSession) params.set(postLoginClearedParam, flags.postLoginClearedForSession);
 	const signature = await makeSignature(params.toString(), ctx.context.secret);
 	params.append("sig", signature);
 	return params.toString();

package/dist/{oauth-DMjvJjmR.d.mts → oauth-BqWgUea8.d.mts}

@@ -45,6 +45,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       createdAt: {
         type: "date";
@@ -142,6 +143,7 @@ declare const schema: {
       token: {
         type: "string";
         required: true;
+        unique: true;
       };
       clientId: {
         type: "string";
@@ -150,6 +152,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       sessionId: {
         type: "string";
@@ -159,6 +162,7 @@ declare const schema: {
           field: string;
           onDelete: "set null";
         };
+        index: true;
       };
       userId: {
         type: "string";
@@ -167,6 +171,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       referenceId: {
         type: "string";
@@ -218,6 +223,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       sessionId: {
         type: "string";
@@ -227,6 +233,7 @@ declare const schema: {
           field: string;
           onDelete: "set null";
         };
+        index: true;
       };
       userId: {
         type: "string";
@@ -235,6 +242,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       referenceId: {
         type: "string";
@@ -247,6 +255,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       expiresAt: {
         type: "date";
@@ -270,6 +279,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       userId: {
         type: "string";
@@ -278,6 +288,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       referenceId: {
         type: "string";
@@ -1287,7 +1298,7 @@ interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySup
  */
 interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
   token: string;
-  sessionId: string;
+  sessionId?: string;
   userId: string;
   referenceId?: string;
   clientId?: string;
@@ -1649,4 +1660,4 @@ interface ResourceServerMetadata {
   dpop_bound_access_tokens_required?: boolean;
 }
 //#endregion
-export { Awaitable as _, ResourceServerMetadata as a, OAuthConsent as c, OAuthRefreshToken as d, Prompt as f, VerificationValue as g, StoreTokenType as h, OIDCMetadata as i, OAuthOpaqueAccessToken as l, Scope as m, GrantType as n, AuthorizePrompt as o, SchemaClient as p, OAuthClient as r, OAuthAuthorizationQuery as s, AuthServerMetadata as t, OAuthOptions as u };
+export { Scope as _, OAuthClient as a, Awaitable as b, TokenEndpointAuthMethod as c, OAuthConsent as d, OAuthOpaqueAccessToken as f, SchemaClient as g, Prompt as h, GrantType as i, AuthorizePrompt as l, OAuthRefreshToken as m, AuthServerMetadata as n, OIDCMetadata as o, OAuthOptions as p, BearerMethodsSupported as r, ResourceServerMetadata as s, AuthMethod as t, OAuthAuthorizationQuery as u, StoreTokenType as v, VerificationValue as y };

package/dist/{oauth-By0LyEmY.d.mts → oauth-C4GaGx2I.d.mts}

@@ -1,4 +1,4 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-DMjvJjmR.mjs";
+import { _ as Scope, a as OAuthClient, d as OAuthConsent, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions } from "./oauth-BqWgUea8.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -15,6 +15,8 @@ declare module "@better-auth/core" {
 }
 declare const getOAuthProviderState: () => Promise<{
   query?: string;
+  signedQueryIssuedAt?: Date;
+  postLoginClearedForSession?: string;
 } | null>;
 /**
  * oAuth 2.1 provider plugin for Better Auth.
@@ -1819,6 +1821,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         createdAt: {
           type: "date";
@@ -1911,6 +1914,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         token: {
           type: "string";
           required: true;
+          unique: true;
         };
         clientId: {
           type: "string";
@@ -1919,6 +1923,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         sessionId: {
           type: "string";
@@ -1928,6 +1933,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             field: string;
             onDelete: "set null";
           };
+          index: true;
         };
         userId: {
           type: "string";
@@ -1936,6 +1942,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         referenceId: {
           type: "string";
@@ -1975,6 +1982,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         sessionId: {
           type: "string";
@@ -1984,6 +1992,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             field: string;
             onDelete: "set null";
           };
+          index: true;
         };
         userId: {
           type: "string";
@@ -1992,6 +2001,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         referenceId: {
           type: "string";
@@ -2004,6 +2014,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         expiresAt: {
           type: "date";
@@ -2027,6 +2038,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         userId: {
           type: "string";
@@ -2035,6 +2047,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         referenceId: {
           type: "string";

package/dist/{utils-B9Pj9EPf.mjs → utils-LAthGy-x.mjs}

@@ -369,20 +369,24 @@ function searchParamsToQuery(params) {
 	}
 	return result;
 }
-/**
-* Deletes a prompt value
-*
-* @param ctx
-* @param prompt - the prompt value to delete
-*/
-function deleteFromPrompt(query, prompt) {
-	const prompts = query.get("prompt")?.split(" ");
+const signedQueryIssuedAtParam = "ba_iat";
+const postLoginClearedParam = "ba_pl";
+function getSignedQueryIssuedAt(oauthQuery) {
+	const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
+	if (!raw) return null;
+	const issuedAt = Number(raw);
+	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
+	return new Date(issuedAt);
+}
+function removePromptFromQuery(query, prompt) {
+	const nextQuery = new URLSearchParams(query);
+	const prompts = nextQuery.get("prompt")?.split(" ");
 	const foundPrompt = prompts?.findIndex((v) => v === prompt) ?? -1;
 	if (foundPrompt >= 0) {
 		prompts?.splice(foundPrompt, 1);
-		prompts?.length ? query.set("prompt", prompts.join(" ")) : query.delete("prompt");
+		prompts?.length ? nextQuery.set("prompt", prompts.join(" ")) : nextQuery.delete("prompt");
 	}
-	return searchParamsToQuery(query);
+	return nextQuery;
 }
 var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
 	PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
@@ -411,4 +415,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { validateClientCredentials as _, getJwtPlugin as a, mcpHandler as b, isPKCERequired as c, parsePrompt as d, resolveSessionAuthTime as f, storeToken as g, storeClientSecret as h, getClient as i, normalizeTimestampValue as l, searchParamsToQuery as m, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, resolveSubjectIdentifier as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, verifyOAuthQueryParams as v, handleMcpErrors as y };
+export { mcpHandler as C, handleMcpErrors as S, signedQueryIssuedAtParam as _, getOAuthProviderPlugin as a, validateClientCredentials as b, isPKCERequired as c, parsePrompt as d, postLoginClearedParam as f, searchParamsToQuery as g, resolveSubjectIdentifier as h, getJwtPlugin as i, normalizeTimestampValue as l, resolveSessionAuthTime as m, decryptStoredClientSecret as n, getSignedQueryIssuedAt as o, removePromptFromQuery as p, getClient as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, storeClientSecret as v, verifyOAuthQueryParams as x, storeToken as y };

package/dist/{version-ittBKKvy.mjs → version-CRjaDWWg.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.9";
+const PACKAGE_VERSION = "1.6.11";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.9",
+  "version": "1.6.11",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.9",
-    "better-auth": "1.6.9"
+    "@better-auth/core": "1.6.11",
+    "better-auth": "1.6.11"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.9",
-    "better-auth": "^1.6.9"
+    "@better-auth/core": "^1.6.11",
+    "better-auth": "^1.6.11"
   },
   "scripts": {
     "build": "tsdown",