@better-auth/oauth-provider 1.7.0-beta.3 → 1.7.0-beta.4

package/dist/{oauth-BxP4Iupj.d.mts → oauth-Vt3lTNHX.d.mts}

@@ -1,8 +1,9 @@
-import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-Ds-ejTJY.mjs";
+import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-q7dn10NU.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
 import * as jose from "jose";
+import { GenericEndpointContext } from "@better-auth/core";
 import * as better_auth0 from "better-auth";
 
 //#region src/oauth-endpoint.d.ts
@@ -59,6 +60,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
   id: "oauth-provider";
   version: string;
   options: NoInfer<O>;
+  onRequest: (request: Request, ctx: better_auth0.AuthContext) => Promise<{
+    response: Response;
+  } | {
+    request: Request;
+  } | void>;
   init: (ctx: better_auth0.AuthContext) => void;
   hooks: {
     before: {
@@ -97,23 +103,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       issuer: string;
       authorization_endpoint: string;
       token_endpoint: string;
-      registration_endpoint: string;
+      registration_endpoint?: string | undefined;
       scopes_supported?: string[] | undefined;
       response_types_supported: "code"[];
       response_modes_supported: "query"[];
       grant_types_supported: GrantType[];
       token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
-      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
       service_documentation?: string | undefined;
       ui_locales_supported?: string[] | undefined;
       op_policy_uri?: string | undefined;
       op_tos_uri?: string | undefined;
       revocation_endpoint?: string | undefined;
       revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
       introspection_endpoint?: string | undefined;
       introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
       code_challenge_methods_supported: "S256"[];
       authorization_response_iss_parameter_supported?: boolean | undefined;
       client_id_metadata_document_supported?: boolean | undefined;
@@ -123,23 +129,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       authorization_endpoint: string;
       token_endpoint: string;
       jwks_uri?: string;
-      registration_endpoint: string;
+      registration_endpoint?: string;
       scopes_supported?: string[];
       response_types_supported: "code"[];
       response_modes_supported: "query"[];
       grant_types_supported: GrantType[];
       token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
-      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
       service_documentation?: string;
       ui_locales_supported?: string[];
       op_policy_uri?: string;
       op_tos_uri?: string;
       revocation_endpoint?: string;
       revocation_endpoint_auth_methods_supported?: AuthMethod[];
-      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
       introspection_endpoint?: string;
       introspection_endpoint_auth_methods_supported?: AuthMethod[];
-      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
       code_challenge_methods_supported: "S256"[];
       authorization_response_iss_parameter_supported?: boolean;
       client_id_metadata_document_supported?: boolean;
@@ -167,23 +173,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       issuer: string;
       authorization_endpoint: string;
       token_endpoint: string;
-      registration_endpoint: string;
+      registration_endpoint?: string | undefined;
       scopes_supported?: string[] | undefined;
       response_types_supported: "code"[];
       response_modes_supported: "query"[];
       grant_types_supported: GrantType[];
       token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
-      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
       service_documentation?: string | undefined;
       ui_locales_supported?: string[] | undefined;
       op_policy_uri?: string | undefined;
       op_tos_uri?: string | undefined;
       revocation_endpoint?: string | undefined;
       revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
       introspection_endpoint?: string | undefined;
       introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
-      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
       code_challenge_methods_supported: "S256"[];
       authorization_response_iss_parameter_supported?: boolean | undefined;
       client_id_metadata_document_supported?: boolean | undefined;
@@ -205,6 +211,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           S256: "S256";
         }>>>;
         nonce: z.ZodOptional<z.ZodString>;
+        resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
         prompt: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
           none: "none";
           consent: "consent";
@@ -215,11 +222,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           "select_account consent": "select_account consent";
         }>>>;
       }, z.core.$strip>;
-      redirectOnError: OAuthRedirectOnError<better_auth0.GenericEndpointContext>;
+      redirectOnError: OAuthRedirectOnError<GenericEndpointContext>;
       errorCodesByField: {
         response_type: {
           invalid: "unsupported_response_type";
         };
+        resource: {
+          invalid: "invalid_target";
+        };
       };
       metadata: {
         openapi: {
@@ -231,6 +241,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             schema: {
               type: "string";
               format?: undefined;
+              items?: undefined;
             };
             description: string;
           } | {
@@ -240,6 +251,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             schema: {
               type: "string";
               format?: undefined;
+              items?: undefined;
             };
             description: string;
           } | {
@@ -249,6 +261,19 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
             schema: {
               type: "string";
               format: string;
+              items?: undefined;
+            };
+            description: string;
+          } | {
+            name: string;
+            in: "query";
+            required: false;
+            schema: {
+              type: "array";
+              items: {
+                type: "string";
+              };
+              format?: undefined;
             };
             description: string;
           })[];
@@ -429,7 +454,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         code_verifier: z.ZodOptional<z.ZodString>;
         redirect_uri: z.ZodOptional<z.ZodURL>;
         refresh_token: z.ZodOptional<z.ZodString>;
-        resource: z.ZodOptional<z.ZodString>;
+        resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
         scope: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       errorCodesByField: {
@@ -437,6 +462,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           missing: "invalid_request";
           invalid: "unsupported_grant_type";
         };
+        resource: {
+          invalid: "invalid_target";
+        };
       };
       metadata: {
         allowedMediaTypes: string[];
@@ -480,7 +508,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
                       description: string;
                     };
                     resource: {
-                      type: string;
+                      oneOf: ({
+                        type: string;
+                        description: string;
+                        items?: undefined;
+                      } | {
+                        type: string;
+                        items: {
+                          type: string;
+                        };
+                        description: string;
+                      })[];
                       description: string;
                     };
                     scope: {
@@ -603,10 +641,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
                       type: string;
                       description: string;
                     };
-                    resource: {
-                      type: string;
-                      description: string;
-                    };
                   };
                   required: string[];
                 };
@@ -2070,6 +2104,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         token: {
           type: "string";
           required: true;
+          unique: true;
         };
         clientId: {
           type: "string";
@@ -2103,6 +2138,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string";
           required: false;
         };
+        resources: {
+          type: "string[]";
+          required: false;
+        };
         expiresAt: {
           type: "date";
         };
@@ -2162,6 +2201,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string";
           required: false;
         };
+        resources: {
+          type: "string[]";
+          required: false;
+        };
         refreshId: {
           type: "string";
           required: false;
@@ -2208,6 +2251,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string";
           required: false;
         };
+        resources: {
+          type: "string[]";
+          required: false;
+        };
         scopes: {
           type: "string[]";
           required: true;

package/dist/{oauth-Ds-ejTJY.d.mts → oauth-q7dn10NU.d.mts}

@@ -1,4 +1,4 @@
-import { AssertionSigningAlgorithm } from "@better-auth/core/oauth2";
+import { PrivateKeyJwtSigningAlgorithm } from "@better-auth/core/oauth2";
 import { JWSAlgorithms } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { InferOptionSchema, Session, User } from "better-auth/types";
@@ -152,6 +152,7 @@ declare const schema: {
       token: {
         type: "string";
         required: true;
+        unique: true;
       };
       clientId: {
         type: "string";
@@ -185,6 +186,10 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      resources: {
+        type: "string[]";
+        required: false;
+      };
       expiresAt: {
         type: "date";
       };
@@ -256,6 +261,10 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      resources: {
+        type: "string[]";
+        required: false;
+      };
       refreshId: {
         type: "string";
         required: false;
@@ -302,6 +311,10 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      resources: {
+        type: "string[]";
+        required: false;
+      };
       scopes: {
         type: "string[]";
         required: true;
@@ -832,8 +845,8 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
   customAccessTokenClaims?: (info: {
     /** The user object if token is associated to a user. Null if user doesn't exist. Undefined if user not applicable. */user?: (User & Record<string, unknown>) | null; /** reference of the consent/authorization */
     referenceId?: string; /** Scopes granted for this token */
-    scopes: Scopes; /** The resource requesting. Provided by the token endpoint. */
-    resource?: string; /** oAuthClient metadata */
+    scopes: Scopes; /** The resources requested. */
+    resources?: string[]; /** oAuthClient metadata */
     metadata?: Record<string, any>;
   }) => Awaitable<Record<string, any>>;
   /**
@@ -1191,6 +1204,10 @@ interface OAuthAuthorizationQuery {
    * with the Claim Value being the nonce value sent in the Authentication Request.
    */
   nonce?: string;
+  /**
+   * Resource parameter as specified by [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html)
+   */
+  resource?: string | string[];
 }
 /**
  * Stored within the verification.value field
@@ -1204,6 +1221,7 @@ interface VerificationValue {
   query: OAuthAuthorizationQuery;
   sessionId: string;
   userId: string;
+  resource?: string[];
   referenceId?: string;
   authTime?: number;
 }
@@ -1369,6 +1387,10 @@ interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySup
    * Shall match the refreshId.scopes if refreshId is provided.
    */
   scopes: Scopes;
+  /**
+   * Resources allowed for this access token.
+   */
+  resources?: string[];
 }
 /**
  * Refresh Token Database Schema
@@ -1396,6 +1418,10 @@ interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupporte
    * Considered Immutable once granted.
    */
   scopes: Scopes;
+  /**
+   * Resources allowed for this refresh token
+   */
+  resources?: string[];
 }
 /**
  * Consent Database Schema
@@ -1404,6 +1430,7 @@ type OAuthConsent<Scopes extends readonly Scope[] = InternallySupportedScopes[]>
   id: string;
   clientId: string;
   userId: string;
+  resources?: string[];
   referenceId?: string;
   scopes: Scopes;
   createdAt: Date;
@@ -1457,9 +1484,11 @@ interface AuthServerMetadata {
   /**
    * The URL of the dynamic client registration endpoint.
    *
+   * This field is only present when `allowDynamicClientRegistration` is enabled.
+   *
    * @default `/oauth2/register`
    */
-  registration_endpoint: string;
+  registration_endpoint?: string;
   /**
    * Supported scopes.
    */
@@ -1492,7 +1521,7 @@ interface AuthServerMetadata {
    * token endpoint for the "private_key_jwt" and "client_secret_jwt"
    * authentication methods (see field token_endpoint_auth_methods_supported).
    */
-  token_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
+  token_endpoint_auth_signing_alg_values_supported?: PrivateKeyJwtSigningAlgorithm[];
   /**
    * URL of a page containing human-readable information
    * that developers might want or need to know when using the
@@ -1538,7 +1567,7 @@ interface AuthServerMetadata {
    * token endpoint for the "private_key_jwt" and "client_secret_jwt"
    * authentication methods (see field revocation_endpoint_auth_methods_supported).
    */
-  revocation_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
+  revocation_endpoint_auth_signing_alg_values_supported?: PrivateKeyJwtSigningAlgorithm[];
   /**
    * URL of the authorization server's OAuth 2.0
    * introspection endpoint [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662)
@@ -1559,7 +1588,7 @@ interface AuthServerMetadata {
    * the "private_key_jwt" and "client_secret_jwt" authentication methods
    * (see field introspection_endpoint_auth_methods_supported).
    */
-  introspection_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
+  introspection_endpoint_auth_signing_alg_values_supported?: PrivateKeyJwtSigningAlgorithm[];
   /**
    * Supported code challenge methods.
    *

package/dist/{utils-_Jr_enAe.mjs → utils-DKBWQ8fe.mjs}

@@ -1,7 +1,8 @@
 import { APIError } from "better-call";
+import { decodeBasicCredentials } from "@better-auth/core/oauth2";
 import { constantTimeEqual, makeSignature, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
 import { BetterAuthError } from "@better-auth/core/error";
-import { base64, base64Url } from "@better-auth/utils/base64";
+import { base64Url } from "@better-auth/utils/base64";
 import { createHash } from "@better-auth/utils/hash";
 //#region src/utils/index.ts
 var TTLCache = class {
@@ -74,6 +75,47 @@ function resolveSessionAuthTime(value) {
 	if (!nested || typeof nested !== "object") return;
 	return normalizeTimestampValue(nested.createdAt) ?? normalizeTimestampValue(nested.created_at);
 }
+/**
+* Normalizes OAuth resource values into a non-empty string array.
+*/
+function toResourceList(value) {
+	if (typeof value === "string") return [value];
+	if (!value?.length) return void 0;
+	return value;
+}
+/**
+* Normalizes audience values for JWT claims.
+*/
+function toAudienceClaim(audience) {
+	if (typeof audience === "string") return audience;
+	if (!audience?.length) return void 0;
+	return audience.length === 1 ? audience.at(0) : audience;
+}
+/**
+* Checks the resource parameter, if provided,
+* and returns either a valid audience or a tagged validation error.
+*/
+async function checkResource(ctx, opts, resource, scopes) {
+	const normalizedResource = toResourceList(resource);
+	const audience = normalizedResource ? [...normalizedResource] : void 0;
+	if (audience) {
+		const hasOpenId = scopes.includes("openid");
+		const baseUrl = ctx.context.baseURL;
+		const userInfoEndpoint = `${baseUrl}/oauth2/userinfo`;
+		if (hasOpenId && !audience.includes(userInfoEndpoint)) audience.push(userInfoEndpoint);
+		const filteredValidAudiences = opts.validAudiences?.filter((aud) => aud.length);
+		const validAudiences = new Set(filteredValidAudiences?.length ? filteredValidAudiences : [baseUrl]);
+		if (hasOpenId) validAudiences.add(userInfoEndpoint);
+		for (const aud of audience) if (!validAudiences.has(aud)) return {
+			success: false,
+			error: "invalid_resource"
+		};
+	}
+	return {
+		success: true,
+		audience: toAudienceClaim(audience)
+	};
+}
 const cachedTrustedClients = new TTLCache();
 async function verifyOAuthQueryParams(oauth_query, secret) {
 	const queryParams = new URLSearchParams(oauth_query);
@@ -228,23 +270,20 @@ async function getStoredToken(storageMethod = "hashed", token, type) {
 *
 * @internal
 */
+const BASIC_SCHEME_PREFIX = /^Basic +/i;
 function basicToClientCredentials(authorization) {
-	if (authorization.startsWith("Basic ")) {
-		const encoded = authorization.replace("Basic ", "");
-		const decoded = new TextDecoder().decode(base64.decode(encoded));
-		if (!decoded.includes(":")) throw new APIError("BAD_REQUEST", {
-			error_description: "invalid authorization header format",
-			error: "invalid_client"
-		});
-		const [id, secret] = decoded.split(":", 2);
-		if (!id || !secret) throw new APIError("BAD_REQUEST", {
+	if (!BASIC_SCHEME_PREFIX.test(authorization)) return;
+	try {
+		const { clientId, clientSecret } = decodeBasicCredentials(authorization);
+		return {
+			client_id: clientId,
+			client_secret: clientSecret
+		};
+	} catch {
+		throw new APIError("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
-		return {
-			client_id: id,
-			client_secret: secret
-		};
 	}
 }
 /**
@@ -324,7 +363,7 @@ async function extractClientCredentials(ctx, opts, expectedAudience) {
 			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
 			error: "invalid_client"
 		});
-		const { verifyClientAssertion: verify } = await import("./client-assertion-BYtMWGCE.mjs").then((n) => n.t);
+		const { verifyClientAssertion: verify } = await import("./client-assertion-DLMKVgoj.mjs").then((n) => n.t);
 		const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
 		return {
 			method: "private_key_jwt",
@@ -450,4 +489,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { validateClientCredentials as C, toClientDiscoveryArray as S, resolveSubjectIdentifier as _, getJwtPlugin as a, storeClientSecret as b, getStoredToken as c, normalizeTimestampValue as d, parseClientMetadata as f, resolveSessionAuthTime as g, removePromptFromQuery as h, getClient as i, isPKCERequired as l, postLoginClearedParam as m, destructureCredentials as n, getOAuthProviderPlugin as o, parsePrompt as p, extractClientCredentials as r, getSignedQueryIssuedAt as s, decryptStoredClientSecret as t, mergeDiscoveryMetadata as u, searchParamsToQuery as v, verifyOAuthQueryParams as w, storeToken as x, signedQueryIssuedAtParam as y };
+export { toAudienceClaim as C, verifyOAuthQueryParams as D, validateClientCredentials as E, storeToken as S, toResourceList as T, resolveSessionAuthTime as _, getClient as a, signedQueryIssuedAtParam as b, getSignedQueryIssuedAt as c, mergeDiscoveryMetadata as d, normalizeTimestampValue as f, removePromptFromQuery as g, postLoginClearedParam as h, extractClientCredentials as i, getStoredToken as l, parsePrompt as m, decryptStoredClientSecret as n, getJwtPlugin as o, parseClientMetadata as p, destructureCredentials as r, getOAuthProviderPlugin as s, checkResource as t, isPKCERequired as u, resolveSubjectIdentifier as v, toClientDiscoveryArray as w, storeClientSecret as x, searchParamsToQuery as y };

package/dist/{version-CG1YnCiF.mjs → version-nFnRm-a3.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.3";
+const PACKAGE_VERSION = "1.7.0-beta.4";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.7.0-beta.3",
+  "version": "1.7.0-beta.4",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.3",
-    "better-auth": "1.7.0-beta.3"
+    "@better-auth/core": "1.7.0-beta.4",
+    "better-auth": "1.7.0-beta.4"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.0",
+    "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.7.0-beta.3",
-    "better-auth": "^1.7.0-beta.3"
+    "@better-auth/core": "^1.7.0-beta.4",
+    "better-auth": "^1.7.0-beta.4"
   },
   "scripts": {
     "build": "tsdown",