@better-auth/oauth-provider 1.7.0-beta.2 → 1.7.0-beta.3

package/dist/{client-assertion-CderPEmR.mjs → client-assertion-BYtMWGCE.mjs}

@@ -1,4 +1,4 @@
-import { a as getClient } from "./utils-Cx_XnD9i.mjs";
+import { i as getClient } from "./utils-_Jr_enAe.mjs";
 import { APIError } from "better-call";
 import { ASSERTION_SIGNING_ALGORITHMS, CLIENT_ASSERTION_TYPE } from "@better-auth/core/oauth2";
 import { createLocalJWKSet, decodeJwt, decodeProtectedHeader, jwtVerify } from "jose";

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { o as ResourceServerMetadata } from "./oauth-CU79t-eG.mjs";
+import { s as ResourceServerMetadata } from "./oauth-Ds-ejTJY.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,6 +1,6 @@
 import { t as handleMcpErrors } from "./mcp-CYnz-MXn.mjs";
-import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-Cx_XnD9i.mjs";
-import { t as PACKAGE_VERSION } from "./version-CZxZ64qJ.mjs";
+import { a as getJwtPlugin, o as getOAuthProviderPlugin } from "./utils-_Jr_enAe.mjs";
+import { t as PACKAGE_VERSION } from "./version-CG1YnCiF.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-DJcZ8MMZ.mjs";
+import { n as oauthProvider } from "./oauth-BxP4Iupj.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CZxZ64qJ.mjs";
+import { t as PACKAGE_VERSION } from "./version-CG1YnCiF.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Scope, a as OIDCMetadata, b as Awaitable, c as AuthorizePrompt, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as OAuthClient, l as ClientDiscovery, m as OAuthRefreshToken, n as AuthServerMetadata, o as ResourceServerMetadata, p as OAuthOptions, r as GrantType, s as TokenEndpointAuthMethod, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-CU79t-eG.mjs";
-import { a as OAuthErrorCode, c as OAuthRedirectOnError, i as OAuthEndpointRedirectContext, n as oauthProvider, o as OAuthFieldErrorCode, r as OAuthEndpointErrorResult, s as OAuthFieldErrorCodeMap, t as getOAuthProviderState } from "./oauth-DJcZ8MMZ.mjs";
+import { _ as SchemaClient, a as OAuthClient, b as VerificationValue, c as TokenEndpointAuthMethod, d as OAuthAuthorizationQuery, f as OAuthConsent, g as Prompt, h as OAuthRefreshToken, i as GrantType, l as AuthorizePrompt, m as OAuthOptions, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOpaqueAccessToken, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as ClientDiscovery, v as Scope, x as Awaitable, y as StoreTokenType } from "./oauth-Ds-ejTJY.mjs";
+import { a as OAuthErrorCode, c as OAuthRedirectOnError, i as OAuthEndpointRedirectContext, n as oauthProvider, o as OAuthFieldErrorCode, r as OAuthEndpointErrorResult, s as OAuthFieldErrorCodeMap, t as getOAuthProviderState } from "./oauth-BxP4Iupj.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
@@ -105,4 +105,4 @@ declare function checkOAuthClient(client: OAuthClient, opts: OAuthOptions<Scope[
  */
 declare function oauthToSchema(input: OAuthClient): SchemaClient<Scope[]>;
 //#endregion
-export { AuthServerMetadata, AuthorizePrompt, ClientDiscovery, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, type OAuthEndpointErrorResult, type OAuthEndpointRedirectContext, type OAuthErrorCode, type OAuthFieldErrorCode, type OAuthFieldErrorCodeMap, OAuthOpaqueAccessToken, OAuthOptions, type OAuthRedirectOnError, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };
+export { AuthMethod, AuthServerMetadata, AuthorizePrompt, BearerMethodsSupported, ClientDiscovery, GrantType, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, type OAuthEndpointErrorResult, type OAuthEndpointRedirectContext, type OAuthErrorCode, type OAuthFieldErrorCode, type OAuthFieldErrorCodeMap, OAuthOpaqueAccessToken, OAuthOptions, type OAuthRedirectOnError, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, TokenEndpointAuthMethod, VerificationValue, authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };

package/dist/index.mjs

@@ -1,7 +1,7 @@
-import { n as isPrivateHostname } from "./client-assertion-CderPEmR.mjs";
+import { n as isPrivateHostname } from "./client-assertion-BYtMWGCE.mjs";
 import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { _ as storeClientSecret, a as getClient, b as validateClientCredentials, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as extractClientCredentials, l as isPKCERequired, m as resolveSessionAuthTime, n as deleteFromPrompt, o as getJwtPlugin, p as parsePrompt, r as destructureCredentials, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as storeToken, x as verifyOAuthQueryParams, y as toClientDiscoveryArray } from "./utils-Cx_XnD9i.mjs";
-import { t as PACKAGE_VERSION } from "./version-CZxZ64qJ.mjs";
+import { C as validateClientCredentials, S as toClientDiscoveryArray, _ as resolveSubjectIdentifier, a as getJwtPlugin, b as storeClientSecret, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as resolveSessionAuthTime, h as removePromptFromQuery, i as getClient, l as isPKCERequired, m as postLoginClearedParam, n as destructureCredentials, p as parsePrompt, r as extractClientCredentials, s as getSignedQueryIssuedAt, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as searchParamsToQuery, w as verifyOAuthQueryParams, x as storeToken, y as signedQueryIssuedAtParam } from "./utils-_Jr_enAe.mjs";
+import { t as PACKAGE_VERSION } from "./version-CG1YnCiF.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -19,7 +19,8 @@ import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
+	const oauthRequest = await oAuthState.get();
+	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -43,6 +44,17 @@ async function consentEndpoint(ctx, opts) {
 		url: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0, getIssuer(ctx, opts))
 	};
 	const session = await getSessionFromCtx(ctx);
+	const hasLoginPrompt = parsePrompt(query.get("prompt") ?? "").has("login");
+	const hasSatisfiedLoginPrompt = hasLoginPrompt && sessionSatisfiesLoginPrompt(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
+	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
+		ctx?.headers?.set("accept", "application/json");
+		ctx.query = searchParamsToQuery(query);
+		const { url } = await authorizeEndpoint(ctx, opts);
+		return {
+			redirect: true,
+			url
+		};
+	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
 		session: session?.session,
@@ -93,14 +105,21 @@ async function consentEndpoint(ctx, opts) {
 	});
 	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
 	ctx?.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "consent");
-	ctx.context.postLogin = true;
-	const { url } = await authorizeEndpoint(ctx, opts);
+	let authorizationQuery = removePromptFromQuery(query, "consent");
+	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+	ctx.query = searchParamsToQuery(authorizationQuery);
+	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 	return {
 		redirect: true,
 		url
 	};
 }
+function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
+	if (!signedQueryIssuedAt) return false;
+	const normalized = normalizeTimestampValue(sessionCreatedAt);
+	if (!normalized) return false;
+	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+}
 //#endregion
 //#region src/continue.ts
 async function continueEndpoint(ctx, opts) {
@@ -119,7 +138,7 @@ async function selected(ctx, opts) {
 		error: "invalid_request"
 	});
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "select_account");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -134,7 +153,7 @@ async function created(ctx, opts) {
 	});
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "create");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -939,7 +958,7 @@ async function validateRefreshToken(ctx, opts, token, clientId) {
 			model: "session",
 			where: [{
 				field: "id",
-				value: refreshToken.sessionId
+				value: sessionId
 			}]
 		});
 		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
@@ -2617,7 +2636,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			createdAt: {
 				type: "date",
@@ -2724,7 +2744,8 @@ const schema = {
 			references: {
 				model: "oauthClient",
 				field: "clientId"
-			}
+			},
+			index: true
 		},
 		sessionId: {
 			type: "string",
@@ -2733,7 +2754,8 @@ const schema = {
 				model: "session",
 				field: "id",
 				onDelete: "set null"
-			}
+			},
+			index: true
 		},
 		userId: {
 			type: "string",
@@ -2741,7 +2763,8 @@ const schema = {
 			references: {
 				model: "user",
 				field: "id"
-			}
+			},
+			index: true
 		},
 		referenceId: {
 			type: "string",
@@ -2775,7 +2798,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			sessionId: {
 				type: "string",
@@ -2784,7 +2808,8 @@ const schema = {
 					model: "session",
 					field: "id",
 					onDelete: "set null"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2792,7 +2817,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
@@ -2804,7 +2830,8 @@ const schema = {
 				references: {
 					model: "oauthRefreshToken",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			expiresAt: { type: "date" },
 			createdAt: { type: "date" },
@@ -2823,7 +2850,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2831,7 +2859,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
@@ -2943,10 +2972,18 @@ const oauthProvider = (options) => {
 				handler: createAuthMiddleware(async (ctx) => {
 					const query = ctx.body.oauth_query;
 					if (!await verifyOAuthQueryParams(query, ctx.context.secret)) throw new APIError("BAD_REQUEST", { error: "invalid_signature" });
+					const signedQueryIssuedAt = getSignedQueryIssuedAt(query);
 					const queryParams = new URLSearchParams(query);
+					const postLoginClearedForSession = queryParams.get("ba_pl") ?? void 0;
 					queryParams.delete("sig");
 					queryParams.delete("exp");
-					await oAuthState.set({ query: queryParams.toString() });
+					queryParams.delete(signedQueryIssuedAtParam);
+					queryParams.delete(postLoginClearedParam);
+					await oAuthState.set({
+						query: queryParams.toString(),
+						signedQueryIssuedAt: signedQueryIssuedAt ?? void 0,
+						postLoginClearedForSession
+					});
 					if (ctx.path === "/sign-in/social") {
 						if (ctx.body.additionalData?.query) return;
 						if (!ctx.body.additionalData) ctx.body.additionalData = {};
@@ -2970,7 +3007,7 @@ const oauthProvider = (options) => {
 					const secFetchMode = ctx.request?.headers?.get("sec-fetch-mode")?.toLowerCase();
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
-					ctx.query = deleteFromPrompt(query, "login");
+					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
 					return await authorizeEndpoint(ctx, opts);
 				})
 			}]
@@ -4071,7 +4108,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		});
 		if (signupRedirect) {
 			if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "interaction_required", "End-User interaction is required");
-			return redirectWithPromptCode(ctx, opts, "create", typeof signupRedirect === "string" ? signupRedirect : void 0);
+			return redirectWithPromptCode(ctx, opts, "create", { page: typeof signupRedirect === "string" ? signupRedirect : void 0 });
 		}
 	}
 	if (!settings?.postLogin && opts.postLogin) {
@@ -4085,7 +4122,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 			return redirectWithPromptCode(ctx, opts, "post_login");
 		}
 	}
-	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent");
+	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session.user,
 		session: session.session,
@@ -4118,7 +4155,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	});
 	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val))) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
-		return redirectWithPromptCode(ctx, opts, "consent");
+		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	}
 	return redirectWithAuthorizationCode(ctx, opts, {
 		query,
@@ -4165,8 +4202,8 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 	redirectUriWithCode.searchParams.set("iss", getIssuer(ctx, opts));
 	return handleRedirect(ctx, redirectUriWithCode.toString());
 }
-async function redirectWithPromptCode(ctx, opts, type, page) {
-	const queryParams = await signParams(ctx, opts);
+async function redirectWithPromptCode(ctx, opts, type, options) {
+	const queryParams = await signParams(ctx, opts, { postLoginClearedForSession: type === "consent" && opts.postLogin ? options?.sessionId : void 0 });
 	let path = opts.loginPage;
 	if (type === "select_account") path = opts.selectAccount?.page ?? opts.loginPage;
 	else if (type === "post_login") {
@@ -4174,12 +4211,16 @@ async function redirectWithPromptCode(ctx, opts, type, page) {
 		path = opts.postLogin?.page;
 	} else if (type === "consent") path = opts.consentPage;
 	else if (type === "create") path = opts.signup?.page ?? opts.loginPage;
-	return handleRedirect(ctx, `${page ?? path}?${queryParams}`);
+	return handleRedirect(ctx, `${options?.page ?? path}?${queryParams}`);
 }
-async function signParams(ctx, opts) {
-	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
+async function signParams(ctx, opts, flags) {
+	const issuedAt = Date.now();
+	const exp = Math.floor(issuedAt / 1e3) + (opts.codeExpiresIn ?? 600);
 	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
+	params.set(signedQueryIssuedAtParam, String(issuedAt));
+	params.delete(postLoginClearedParam);
+	if (flags?.postLoginClearedForSession) params.set(postLoginClearedParam, flags.postLoginClearedForSession);
 	const signature = await makeSignature(params.toString(), ctx.context.secret);
 	params.append("sig", signature);
 	return params.toString();

package/dist/{oauth-DJcZ8MMZ.d.mts → oauth-BxP4Iupj.d.mts}

@@ -1,4 +1,4 @@
-import { _ as Scope, d as OAuthConsent, h as Prompt, i as OAuthClient, p as OAuthOptions, r as GrantType, s as TokenEndpointAuthMethod, t as AuthMethod } from "./oauth-CU79t-eG.mjs";
+import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-Ds-ejTJY.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -45,6 +45,8 @@ declare module "@better-auth/core" {
 }
 declare const getOAuthProviderState: () => Promise<{
   query?: string;
+  signedQueryIssuedAt?: Date;
+  postLoginClearedForSession?: string;
 } | null>;
 /**
  * oAuth 2.1 provider plugin for Better Auth.
@@ -1967,6 +1969,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         createdAt: {
           type: "date";
@@ -2075,6 +2078,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         sessionId: {
           type: "string";
@@ -2084,6 +2088,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             field: string;
             onDelete: "set null";
           };
+          index: true;
         };
         userId: {
           type: "string";
@@ -2092,6 +2097,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         referenceId: {
           type: "string";
@@ -2131,6 +2137,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         sessionId: {
           type: "string";
@@ -2140,6 +2147,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             field: string;
             onDelete: "set null";
           };
+          index: true;
         };
         userId: {
           type: "string";
@@ -2148,6 +2156,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         referenceId: {
           type: "string";
@@ -2160,6 +2169,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         expiresAt: {
           type: "date";
@@ -2183,6 +2193,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         userId: {
           type: "string";
@@ -2191,6 +2202,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             model: string;
             field: string;
           };
+          index: true;
         };
         referenceId: {
           type: "string";

package/dist/{oauth-CU79t-eG.d.mts → oauth-Ds-ejTJY.d.mts}

@@ -46,6 +46,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       createdAt: {
         type: "date";
@@ -159,6 +160,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       sessionId: {
         type: "string";
@@ -168,6 +170,7 @@ declare const schema: {
           field: string;
           onDelete: "set null";
         };
+        index: true;
       };
       userId: {
         type: "string";
@@ -176,6 +179,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       referenceId: {
         type: "string";
@@ -227,6 +231,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       sessionId: {
         type: "string";
@@ -236,6 +241,7 @@ declare const schema: {
           field: string;
           onDelete: "set null";
         };
+        index: true;
       };
       userId: {
         type: "string";
@@ -244,6 +250,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       referenceId: {
         type: "string";
@@ -256,6 +263,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       expiresAt: {
         type: "date";
@@ -279,6 +287,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       userId: {
         type: "string";
@@ -287,6 +296,7 @@ declare const schema: {
           model: string;
           field: string;
         };
+        index: true;
       };
       referenceId: {
         type: "string";
@@ -1096,10 +1106,12 @@ interface OAuthAuthorizationQuery {
    * Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the
    * value of this parameter with a browser cookie.
    *
+   * Recommended for clients, but optional for the authorization server.
+   *
    * Note: Better Auth stores the state in a database instead of a cookie. - This is to minimize
    * the complication with native apps and other clients that may not have access to cookies.
    */
-  state: string;
+  state?: string;
   /**
    * The client ID. Must be the ID of a registered client.
    */
@@ -1363,7 +1375,7 @@ interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySup
  */
 interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
   token: string;
-  sessionId: string;
+  sessionId?: string;
   userId: string;
   referenceId?: string;
   clientId?: string;
@@ -1739,4 +1751,4 @@ interface ResourceServerMetadata {
   dpop_bound_access_tokens_required?: boolean;
 }
 //#endregion
-export { Scope as _, OIDCMetadata as a, Awaitable as b, AuthorizePrompt as c, OAuthConsent as d, OAuthOpaqueAccessToken as f, SchemaClient as g, Prompt as h, OAuthClient as i, ClientDiscovery as l, OAuthRefreshToken as m, AuthServerMetadata as n, ResourceServerMetadata as o, OAuthOptions as p, GrantType as r, TokenEndpointAuthMethod as s, AuthMethod as t, OAuthAuthorizationQuery as u, StoreTokenType as v, VerificationValue as y };
+export { SchemaClient as _, OAuthClient as a, VerificationValue as b, TokenEndpointAuthMethod as c, OAuthAuthorizationQuery as d, OAuthConsent as f, Prompt as g, OAuthRefreshToken as h, GrantType as i, AuthorizePrompt as l, OAuthOptions as m, AuthServerMetadata as n, OIDCMetadata as o, OAuthOpaqueAccessToken as p, BearerMethodsSupported as r, ResourceServerMetadata as s, AuthMethod as t, ClientDiscovery as u, Scope as v, Awaitable as x, StoreTokenType as y };

package/dist/{utils-Cx_XnD9i.mjs → utils-_Jr_enAe.mjs}

@@ -324,7 +324,7 @@ async function extractClientCredentials(ctx, opts, expectedAudience) {
 			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
 			error: "invalid_client"
 		});
-		const { verifyClientAssertion: verify } = await import("./client-assertion-CderPEmR.mjs").then((n) => n.t);
+		const { verifyClientAssertion: verify } = await import("./client-assertion-BYtMWGCE.mjs").then((n) => n.t);
 		const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
 		return {
 			method: "private_key_jwt",
@@ -404,20 +404,24 @@ function searchParamsToQuery(params) {
 	}
 	return result;
 }
-/**
-* Deletes a prompt value
-*
-* @param ctx
-* @param prompt - the prompt value to delete
-*/
-function deleteFromPrompt(query, prompt) {
-	const prompts = query.get("prompt")?.split(" ");
+const signedQueryIssuedAtParam = "ba_iat";
+const postLoginClearedParam = "ba_pl";
+function getSignedQueryIssuedAt(oauthQuery) {
+	const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
+	if (!raw) return null;
+	const issuedAt = Number(raw);
+	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
+	return new Date(issuedAt);
+}
+function removePromptFromQuery(query, prompt) {
+	const nextQuery = new URLSearchParams(query);
+	const prompts = nextQuery.get("prompt")?.split(" ");
 	const foundPrompt = prompts?.findIndex((v) => v === prompt) ?? -1;
 	if (foundPrompt >= 0) {
 		prompts?.splice(foundPrompt, 1);
-		prompts?.length ? query.set("prompt", prompts.join(" ")) : query.delete("prompt");
+		prompts?.length ? nextQuery.set("prompt", prompts.join(" ")) : nextQuery.delete("prompt");
 	}
-	return searchParamsToQuery(query);
+	return nextQuery;
 }
 var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
 	PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
@@ -446,4 +450,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { storeClientSecret as _, getClient as a, validateClientCredentials as b, getStoredToken as c, normalizeTimestampValue as d, parseClientMetadata as f, searchParamsToQuery as g, resolveSubjectIdentifier as h, extractClientCredentials as i, isPKCERequired as l, resolveSessionAuthTime as m, deleteFromPrompt as n, getJwtPlugin as o, parsePrompt as p, destructureCredentials as r, getOAuthProviderPlugin as s, decryptStoredClientSecret as t, mergeDiscoveryMetadata as u, storeToken as v, verifyOAuthQueryParams as x, toClientDiscoveryArray as y };
+export { validateClientCredentials as C, toClientDiscoveryArray as S, resolveSubjectIdentifier as _, getJwtPlugin as a, storeClientSecret as b, getStoredToken as c, normalizeTimestampValue as d, parseClientMetadata as f, resolveSessionAuthTime as g, removePromptFromQuery as h, getClient as i, isPKCERequired as l, postLoginClearedParam as m, destructureCredentials as n, getOAuthProviderPlugin as o, parsePrompt as p, extractClientCredentials as r, getSignedQueryIssuedAt as s, decryptStoredClientSecret as t, mergeDiscoveryMetadata as u, searchParamsToQuery as v, verifyOAuthQueryParams as w, storeToken as x, signedQueryIssuedAtParam as y };

package/dist/{version-CZxZ64qJ.mjs → version-CG1YnCiF.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.2";
+const PACKAGE_VERSION = "1.7.0-beta.3";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.7.0-beta.2",
+  "version": "1.7.0-beta.3",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.2",
-    "better-auth": "1.7.0-beta.2"
+    "@better-auth/core": "1.7.0-beta.3",
+    "better-auth": "1.7.0-beta.3"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.7.0-beta.2",
-    "better-auth": "^1.7.0-beta.2"
+    "@better-auth/core": "^1.7.0-beta.3",
+    "better-auth": "^1.7.0-beta.3"
   },
   "scripts": {
     "build": "tsdown",