@convex-dev/better-auth 0.6.1 → 0.7.0-alpha.0

package/dist/esm/react-start/index.js

@@ -1,9 +1,10 @@
 import { createCookieGetter } from "better-auth/cookies";
 import { betterFetch } from "@better-fetch/fetch";
+import { JWT_COOKIE_NAME } from "../plugins/convex/index.js";
 export const getCookieName = async (createAuth) => {
     const auth = createAuth({});
     const createCookie = createCookieGetter(auth.options);
-    const cookie = createCookie("convex_jwt");
+    const cookie = createCookie(JWT_COOKIE_NAME);
     return cookie.name;
 };
 export const fetchSession = async (createAuth, request) => {
@@ -15,7 +16,6 @@ export const fetchSession = async (createAuth, request) => {
         baseURL,
         headers: {
             cookie: request.headers.get("cookie") ?? "",
-            origin: baseURL,
         },
     });
     return {

package/dist/esm/react-start/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/react-start/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAGlD,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,EAChC,UAAyE,EACzE,EAAE;IACF,MAAM,IAAI,GAAG,UAAU,CAAC,EAAS,CAAC,CAAC;IACnC,MAAM,YAAY,GAAG,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtD,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,CAAC,CAAC;IAC1C,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,YAAY,GAAG,KAAK,EAG/B,UAAa,EACb,OAAiB,EACjB,EAAE;IAGF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACtC,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,WAAW,CACzC,uBAAuB,EACvB;QACE,OAAO;QACP,OAAO,EAAE;YACP,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE;YAC3C,MAAM,EAAE,OAAO;SAChB;KACF,CACF,CAAC;IACF,OAAO;QACL,OAAO;KACR,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAC/B,OAAgB,EAChB,IAAiC,EACjC,EAAE;IACF,MAAM,aAAa,GAAG,IAAI,EAAE,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAC9E,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,GAAG,aAAa,GAAG,UAAU,CAAC,QAAQ,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC;IAC7E,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,kBAAkB,CAAC,CAAC;IAC3D,OAAO,KAAK,CAAC,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;AACtE,CAAC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/react-start/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAElD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD,MAAM,CAAC,MAAM,aAAa,GAAG,KAAK,EAChC,UAAyE,EACzE,EAAE;IACF,MAAM,IAAI,GAAG,UAAU,CAAC,EAAS,CAAC,CAAC;IACnC,MAAM,YAAY,GAAG,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtD,MAAM,MAAM,GAAG,YAAY,CAAC,eAAe,CAAC,CAAC;IAC7C,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,YAAY,GAAG,KAAK,EAG/B,UAAa,EACb,OAAiB,EACjB,EAAE;IAGF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACtC,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5C,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,WAAW,CACzC,uBAAuB,EACvB;QACE,OAAO;QACP,OAAO,EAAE;YACP,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE;SAC5C;KACF,CACF,CAAC;IACF,OAAO;QACL,OAAO;KACR,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAC/B,OAAgB,EAChB,IAAiC,EACjC,EAAE;IACF,MAAM,aAAa,GAAG,IAAI,EAAE,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAC9E,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,GAAG,aAAa,GAAG,UAAU,CAAC,QAAQ,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC;IAC7E,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,kBAAkB,CAAC,CAAC;IAC3D,OAAO,KAAK,CAAC,OAAO,EAAE,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;AACtE,CAAC,CAAC"}

package/dist/esm/util.d.ts

@@ -0,0 +1,2 @@
+export declare const requireEnv: (name: string) => string;
+//# sourceMappingURL=util.d.ts.map

package/dist/esm/util.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../../src/util.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,WAMtC,CAAC"}

package/dist/esm/util.js

@@ -0,0 +1,8 @@
+export const requireEnv = (name) => {
+    const value = process.env[name];
+    if (value === undefined) {
+        throw new Error(`Missing environment variable \`${name}\``);
+    }
+    return value;
+};
+//# sourceMappingURL=util.js.map

package/dist/esm/util.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"util.js","sourceRoot":"","sources":["../../src/util.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,IAAY,EAAE,EAAE;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kCAAkC,IAAI,IAAI,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC"}

package/package.json

@@ -6,7 +6,7 @@
   "bugs": {
     "url": "https://github.com/get-convex/better-auth/issues"
   },
-  "version": "0.6.1",
+  "version": "0.7.0-alpha.0",
   "license": "Apache-2.0",
   "keywords": [
     "convex",

package/src/client/adapter.ts

@@ -80,7 +80,7 @@ export const convexAdapter = <
           limit,
         }): Promise<any[]> => {
           if (offset) {
-            throw new Error("where clause not supported");
+            throw new Error("offset not supported");
           }
           if (
             model === "jwks" &&
@@ -90,18 +90,12 @@ export const convexAdapter = <
           ) {
             return ctx.runQuery(component.component.lib.getJwks, { limit });
           }
-          if (where?.length !== 1 || where[0].operator !== "eq") {
+          if (
+            where?.length !== 1 ||
+            (where[0].operator && where[0].operator !== "eq")
+          ) {
             throw new Error("where clause not supported");
           }
-          if (offset) {
-            throw new Error("offset not supported");
-          }
-          if (model === "account" && where[0].field === "userId") {
-            return ctx.runQuery(component.component.lib.getAccountsByUserId, {
-              userId: where[0].value as any,
-              limit,
-            });
-          }
           if (model === "verification" && where[0].field === "identifier") {
             return ctx.runQuery(
               component.component.lib.listVerificationsByIdentifier,
@@ -112,6 +106,18 @@ export const convexAdapter = <
               }
             );
           }
+          if (model === "account" && where[0].field === "userId" && !sortBy) {
+            return ctx.runQuery(component.component.lib.getAccountsByUserId, {
+              userId: where[0].value as any,
+              limit,
+            });
+          }
+          if (model === "session" && where[0].field === "userId" && !sortBy) {
+            return ctx.runQuery(component.component.lib.getSessionsByUserId, {
+              userId: where[0].value as any,
+              limit,
+            });
+          }
           throw new Error("where clause not supported");
         },
         count: async ({ where }) => {
@@ -184,6 +190,24 @@ export const convexAdapter = <
               userId: where[0].value as any,
             });
           }
+          if (
+            model === "session" &&
+            where?.length === 2 &&
+            where[0].operator === "eq" &&
+            where[0].connector === "AND" &&
+            where[0].field === "userId" &&
+            where[1].operator === "lte" &&
+            where[1].field === "expiresAt" &&
+            typeof where[1].value === "number"
+          ) {
+            return ctx.runMutation(
+              component.component.lib.deleteExpiredSessions,
+              {
+                userId: where[0].value as string,
+                expiresAt: where[1].value as number,
+              }
+            );
+          }
           throw new Error("where clause not supported");
           // return count;
         },
@@ -208,6 +232,7 @@ export const convexAdapter = <
             where[0].operator === "eq" &&
             where[0].connector === "AND" &&
             where[0].field === "userId" &&
+            where[1].operator === "eq" &&
             where[1].field === "providerId"
           ) {
             return ctx.runMutation(

package/src/client/cors.ts

@@ -13,14 +13,16 @@
  * maintaining proper CORS configuration.
  */
 import {
-  GenericActionCtx,
+  type GenericActionCtx,
   httpActionGeneric,
   httpRouter,
   HttpRouter,
-  PublicHttpAction,
-  RouteSpec,
-  RouteSpecWithPath,
-  RouteSpecWithPathPrefix,
+  ROUTABLE_HTTP_METHODS,
+  type RoutableMethod,
+  type PublicHttpAction,
+  type RouteSpec,
+  type RouteSpecWithPath,
+  type RouteSpecWithPathPrefix,
 } from "convex/server";
 
 export const DEFAULT_EXPOSED_HEADERS = [
@@ -46,7 +48,7 @@ export type CorsConfig = {
    * - https://example.com
    * @default ["*"]
    */
-  allowedOrigins?: string[];
+  allowedOrigins?: string[] | ((req: Request) => Promise<string[]>);
   /**
    * An array of allowed headers: what headers are allowed to be sent in
    * the request.
@@ -68,10 +70,15 @@ export type CorsConfig = {
    */
   browserCacheMaxAge?: number;
   /**
-   * Whether to log verbose information about CORS requests.
+   * Whether to block requests from origins that are not in the allowedOrigins list.
+   * @default true
+   */
+  enforceAllowOrigins?: boolean;
+  /**
+   * Whether to log debugging information about CORS requests.
    * @default false
    */
-  verbose?: boolean;
+  debug?: boolean;
 };
 
 type RouteSpecWithCors = RouteSpec & CorsConfig;
@@ -219,8 +226,6 @@ export default corsRouter;
  * to web applications hosted on different domains.
  */
 
-import { ROUTABLE_HTTP_METHODS, RoutableMethod } from "convex/server";
-
 const SECONDS_IN_A_DAY = 60 * 60 * 24;
 
 /**
@@ -240,7 +245,8 @@ const handleCors = ({
   exposedHeaders = DEFAULT_EXPOSED_HEADERS,
   allowCredentials = false,
   browserCacheMaxAge = SECONDS_IN_A_DAY,
-  verbose = false,
+  enforceAllowOrigins = true,
+  debug = false,
 }: {
   originalHandler?: PublicHttpAction;
   allowedMethods?: string[];
@@ -279,9 +285,17 @@ const handleCors = ({
     commonHeaders["Access-Control-Expose-Headers"] = exposedHeaders.join(", ");
   }
 
+  async function parseAllowedOrigins(request: Request): Promise<string[]> {
+    return Array.isArray(allowedOrigins)
+      ? allowedOrigins
+      : await allowedOrigins(request);
+  }
+
   // Helper function to check if origin is allowed (including wildcard subdomain matching)
-  function isAllowedOrigin(requestOrigin: string): boolean {
-    return allowedOrigins.some((allowed) => {
+  async function isAllowedOrigin(request: Request): Promise<boolean> {
+    const requestOrigin = request.headers.get("origin");
+    if (!requestOrigin) return false;
+    return (await parseAllowedOrigins(request)).some((allowed) => {
       if (allowed === "*") return true;
       if (allowed === requestOrigin) return true;
       if (allowed.startsWith("*.")) {
@@ -307,38 +321,38 @@ const handleCors = ({
    */
   return httpActionGeneric(
     async (ctx: GenericActionCtx<any>, request: Request) => {
-      if (verbose) {
-        console.log("path", request.url);
-        console.log("origin", request.headers.get("origin"));
-        console.log("headers", request.headers);
+      if (debug) {
+        console.log("CORS request", {
+          path: request.url,
+          origin: request.headers.get("origin"),
+          headers: request.headers,
+          method: request.method,
+          body: request.body,
+        });
       }
-      const requestOriginRaw =
-        request.headers.get("Origin") ??
-        request.headers.get("Referer") ??
-        request.headers.get("Expo-Origin");
+      const requestOrigin = request.headers.get("origin");
+      const parsedAllowedOrigins = await parseAllowedOrigins(request);
 
-      const requestOrigin =
-        typeof requestOriginRaw === "string" &&
-        requestOriginRaw.startsWith("http")
-          ? new URL(requestOriginRaw).origin
-          : requestOriginRaw;
+      if (debug) {
+        console.log("allowed origins", parsedAllowedOrigins);
+      }
 
       // Handle origin matching
       let allowOrigins: string | null = null;
-      if (allowedOrigins.includes("*") && !allowCredentials) {
+      if (parsedAllowedOrigins.includes("*") && !allowCredentials) {
         allowOrigins = "*";
       } else if (requestOrigin) {
         // Check if the request origin matches any of the allowed origins
         // (including wildcard subdomain matching if configured)
-        if (isAllowedOrigin(requestOrigin)) {
+        if (await isAllowedOrigin(request)) {
           allowOrigins = requestOrigin;
         }
       }
 
-      if (!allowOrigins) {
+      if (enforceAllowOrigins && !allowOrigins) {
         // Origin not allowed
         console.error(
-          `Request from origin ${requestOrigin} blocked, missing from allowed origins (${allowedOrigins.join()})`
+          `Request from origin ${requestOrigin} blocked, missing from allowed origins: ${parsedAllowedOrigins.join()}`
         );
         return new Response(null, { status: 403 });
       }
@@ -346,15 +360,19 @@ const handleCors = ({
        * OPTIONS has no handler and just returns headers
        */
       if (request.method === "OPTIONS") {
+        const responseHeaders = new Headers({
+          ...commonHeaders,
+          "Access-Control-Allow-Origin": allowOrigins ?? "",
+          "Access-Control-Allow-Methods": allowMethods,
+          "Access-Control-Allow-Headers": allowedHeaders.join(", "),
+          "Access-Control-Max-Age": browserCacheMaxAge.toString(),
+        });
+        if (debug) {
+          console.log("CORS OPTIONS response headers", responseHeaders);
+        }
         return new Response(null, {
           status: 204,
-          headers: new Headers({
-            ...commonHeaders,
-            "Access-Control-Allow-Origin": allowOrigins,
-            "Access-Control-Allow-Methods": allowMethods,
-            "Access-Control-Allow-Headers": allowedHeaders.join(", "),
-            "Access-Control-Max-Age": browserCacheMaxAge.toString(),
-          }),
+          headers: responseHeaders,
         });
       }
 
@@ -380,7 +398,7 @@ const handleCors = ({
        * Second, get a copy of the original response's headers
        */
       const newHeaders = new Headers(originalResponse.headers);
-      newHeaders.set("Access-Control-Allow-Origin", allowOrigins);
+      newHeaders.set("Access-Control-Allow-Origin", allowOrigins ?? "");
 
       /**
        * Third, add or update our CORS headers
@@ -389,6 +407,10 @@ const handleCors = ({
         newHeaders.set(key, value);
       });
 
+      if (debug) {
+        console.log("CORS response headers", newHeaders);
+      }
+
       /**
        * Fourth, return the modified Response.
        * A Response object is immutable, so we create a new one to return here.

package/src/client/index.ts

@@ -22,6 +22,8 @@ import { betterAuth } from "better-auth";
 import { omit } from "convex-helpers";
 import { createCookieGetter } from "better-auth/cookies";
 import { fetchQuery } from "convex/nextjs";
+import { JWT_COOKIE_NAME } from "../plugins/convex";
+import { requireEnv } from "../util";
 export { convexAdapter };
 
 const createUserFields = omit(schema.tables.user.validator.fields, ["userId"]);
@@ -147,7 +149,7 @@ export class BetterAuth<UserId extends string = string> {
   ) {
     const auth = createAuth({} as any);
     const createCookie = createCookieGetter(auth.options);
-    const cookie = createCookie("convex_jwt");
+    const cookie = createCookie(JWT_COOKIE_NAME);
     return cookie.name;
   }
 
@@ -234,41 +236,10 @@ export class BetterAuth<UserId extends string = string> {
   registerRoutes(
     http: HttpRouter,
     createAuth: (ctx: GenericActionCtx<any>) => ReturnType<typeof betterAuth>,
-    opts?: {
-      path?: string;
-      allowedOrigins?: string[];
-    }
+    opts = { cors: false }
   ) {
-    const path = opts?.path ?? "/api/auth";
-    const options = createAuth({} as any).options;
-    const trustedOriginsOption: string[] = Array.isArray(options.trustedOrigins)
-      ? options.trustedOrigins
-      : [];
-
-    const trustedOrigins = createAuth({} as any).options.plugins?.reduce(
-      (acc, plugin) => {
-        if (plugin.options?.trustedOrigins) {
-          acc.push(...plugin.options.trustedOrigins);
-        }
-        return acc;
-      },
-      [...trustedOriginsOption, options.baseURL].filter(Boolean) as string[]
-    );
-    // Reuse trustedOrigins as default for allowedOrigins
-    const allowedOrigins =
-      opts?.allowedOrigins ??
-      trustedOrigins?.map((origin) =>
-        // Strip trailing wildcards, unsupported for allowedOrigins
-        origin.endsWith("*") && origin.length > 1 ? origin.slice(0, -1) : origin
-      );
-    const requireEnv = (name: string) => {
-      const value = process.env[name];
-      if (value === undefined) {
-        throw new Error(`Missing environment variable \`${name}\``);
-      }
-      return value;
-    };
-
+    const betterAuthOptions = createAuth({} as any).options;
+    const path = betterAuthOptions.basePath ?? "/api/auth";
     const authRequestHandler = httpActionGeneric(async (ctx, request) => {
       const auth = createAuth(ctx);
       const response = await auth.handler(request);
@@ -278,14 +249,7 @@ export class BetterAuth<UserId extends string = string> {
       return response;
     });
 
-    const cors = corsRouter(http, {
-      allowedOrigins,
-      allowCredentials: true,
-      allowedHeaders: ["Authorization", "Content-Type", "Better-Auth-Cookie"],
-      verbose: this.config?.verbose,
-      exposedHeaders: ["Set-Better-Auth-Cookie"],
-    });
-
+    // Redirect root well-known to api well-known
     http.route({
       path: "/.well-known/openid-configuration",
       method: "GET",
@@ -295,40 +259,68 @@ export class BetterAuth<UserId extends string = string> {
       }),
     });
 
-    http.route({
-      path: `${path}/convex/.well-known/openid-configuration`,
-      method: "GET",
-      handler: authRequestHandler,
-    });
-
-    http.route({
-      path: `${path}/convex/jwks`,
-      method: "GET",
-      handler: authRequestHandler,
-    });
+    if (!opts.cors) {
+      http.route({
+        pathPrefix: `${path}/`,
+        method: "GET",
+        handler: authRequestHandler,
+      });
 
-    http.route({
-      pathPrefix: `${path}/callback/`,
-      method: "GET",
-      handler: authRequestHandler,
-    });
+      http.route({
+        pathPrefix: `${path}/`,
+        method: "POST",
+        handler: authRequestHandler,
+      });
+    }
 
-    http.route({
-      path: `${path}/magic-link/verify`,
-      method: "GET",
-      handler: authRequestHandler,
-    });
+    const trustedOrigins = [
+      ...(Array.isArray(betterAuthOptions.trustedOrigins)
+        ? betterAuthOptions.trustedOrigins
+        : [betterAuthOptions.trustedOrigins]),
+      betterAuthOptions.baseURL!,
+    ];
+    // The crossDomain plugin adds siteUrl to trustedOrigins
+    const trustedOriginsFromPlugins =
+      betterAuthOptions.plugins?.reduce((acc, plugin) => {
+        if (plugin.options?.trustedOrigins) {
+          acc.push(...plugin.options.trustedOrigins);
+        }
+        return acc;
+      }, [] as string[]) ?? [];
 
-    http.route({
-      path: `${path}/verify-email`,
-      method: "GET",
-      handler: authRequestHandler,
-    });
+    // Reuse trustedOrigins as default for allowedOrigins
+    const allowedOrigins = async (request: Request) => {
+      return (
+        await Promise.all(
+          [...trustedOrigins, ...trustedOriginsFromPlugins].map(
+            async (origin) => {
+              if (!origin) {
+                return [];
+              }
+              if (typeof origin === "function") {
+                return origin(request);
+              }
+              return [origin];
+            }
+          )
+        )
+      )
+        .flat()
+        .map((origin) =>
+          // Strip trailing wildcards, unsupported for allowedOrigins
+          origin.endsWith("*") && origin.length > 1
+            ? origin.slice(0, -1)
+            : origin
+        );
+    };
 
-    http.route({
-      pathPrefix: `${path}/reset-password/`,
-      method: "GET",
-      handler: authRequestHandler,
+    const cors = corsRouter(http, {
+      allowedOrigins,
+      allowCredentials: true,
+      allowedHeaders: ["Content-Type", "Better-Auth-Cookie"],
+      exposedHeaders: ["Set-Better-Auth-Cookie"],
+      debug: this.config?.verbose,
+      enforceAllowOrigins: false,
     });
 
     cors.route({

package/src/component/_generated/api.d.ts

@@ -130,6 +130,12 @@ export type Mounts = {
       },
       any
     >;
+    deleteExpiredSessions: FunctionReference<
+      "mutation",
+      "public",
+      { expiresAt: number; userId: string },
+      any
+    >;
     deleteOldVerifications: FunctionReference<
       "action",
       "public",
@@ -188,6 +194,12 @@ export type Mounts = {
     >;
     getCurrentSession: FunctionReference<"query", "public", {}, any>;
     getJwks: FunctionReference<"query", "public", { limit?: number }, any>;
+    getSessionsByUserId: FunctionReference<
+      "query",
+      "public",
+      { limit?: number; userId: string },
+      any
+    >;
     listVerificationsByIdentifier: FunctionReference<
       "query",
       "public",

package/src/component/lib.ts

@@ -181,6 +181,19 @@ export const getAccountsByUserId = query({
   },
 });
 
+export const getSessionsByUserId = query({
+  args: { userId: v.string(), limit: v.optional(v.number()) },
+  handler: async (ctx, args) => {
+    const query = ctx.db
+      .query("session")
+      .withIndex("userId", (q) => q.eq("userId", args.userId));
+    const docs = args.limit
+      ? await query.take(args.limit)
+      : await query.collect();
+    return docs.map((doc) => transformOutput(doc, "session"));
+  },
+});
+
 export const getJwks = query({
   args: {
     limit: v.optional(v.number()),
@@ -276,6 +289,25 @@ export const deleteOldVerifications = action({
   },
 });
 
+export const deleteExpiredSessions = mutation({
+  args: {
+    userId: v.string(),
+    expiresAt: v.number(),
+  },
+  handler: async (ctx, args) => {
+    const docs = await ctx.db
+      .query("session")
+      .withIndex("userId_expiresAt", (q) =>
+        q.eq("userId", args.userId).lt("expiresAt", args.expiresAt)
+      )
+      .collect();
+    await asyncMap(docs, async (doc) => {
+      await ctx.db.delete(doc._id);
+    });
+    return docs.length;
+  },
+});
+
 export const deleteAllForUserPage = mutation({
   args: {
     table: v.string(),

package/src/component/schema.ts

@@ -25,7 +25,9 @@ const schema = defineSchema({
     userId: v.string(),
   })
     .index("token", ["token"])
-    .index("userId", ["userId"]),
+    .index("userId", ["userId"])
+    .index("expiresAt", ["expiresAt"])
+    .index("userId_expiresAt", ["userId", "expiresAt"]),
 
   account: defineTable({
     accountId: v.string(),

package/src/nextjs/index.ts

@@ -1,6 +1,7 @@
 import { betterAuth } from "better-auth";
 import { createCookieGetter } from "better-auth/cookies";
 import { GenericActionCtx } from "convex/server";
+import { JWT_COOKIE_NAME } from "../plugins/convex";
 
 export const getToken = async (
   createAuth: (ctx: GenericActionCtx<any>) => ReturnType<typeof betterAuth>
@@ -9,9 +10,9 @@ export const getToken = async (
   const cookieStore = await cookies();
   const auth = createAuth({} as any);
   const createCookie = createCookieGetter(auth.options);
-  const cookie = createCookie("convex_jwt");
+  const cookie = createCookie(JWT_COOKIE_NAME);
   const token = cookieStore.get(cookie.name);
-  return typeof token === "string" ? token : token?.value;
+  return token?.value;
 };
 
 const handler = (request: Request, opts?: { convexSiteUrl?: string }) => {