@hammadj/better-auth 1.5.0-beta.10

package/README.md

@@ -0,0 +1,33 @@
+<p align="center">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://github.com/better-auth/better-auth/blob/main/banner-dark.png?raw=true" />
+    <source media="(prefers-color-scheme: light)" srcset="https://github.com/better-auth/better-auth/blob/main/banner.png?raw=true" />
+    <img alt="Better Auth Logo" src="https://github.com/better-auth/better-auth/blob/main/banner.png?raw=true" />
+  </picture>
+
+  <h1 align="center">
+    Better Auth
+  </h1>
+
+  <p align="center">
+    The most comprehensive authentication framework for TypeScript
+    <br />
+    <a href="https://better-auth.com"><strong>Learn more »</strong></a>
+    <br />
+    <br />
+    <a href="https://discord.gg/better-auth">Discord</a>
+    ·
+    <a href="https://better-auth.com">Website</a>
+    ·
+    <a href="https://github.com/better-auth/better-auth/issues">Issues</a>
+  </p>
+</p>
+
+## Getting Started
+
+```bash
+pnpm install better-auth
+```
+
+Read the [Installation Guide](https://better-auth.com/docs/installation) to
+learn more.

package/dist/_virtual/rolldown_runtime.mjs

@@ -0,0 +1,36 @@
+//#region rolldown:runtime
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __exportAll = (all, symbols) => {
+	let target = {};
+	for (var name in all) {
+		__defProp(target, name, {
+			get: all[name],
+			enumerable: true
+		});
+	}
+	if (symbols) {
+		__defProp(target, Symbol.toStringTag, { value: "Module" });
+	}
+	return target;
+};
+var __copyProps = (to, from, except, desc) => {
+	if (from && typeof from === "object" || typeof from === "function") {
+		for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
+			key = keys[i];
+			if (!__hasOwnProp.call(to, key) && key !== except) {
+				__defProp(to, key, {
+					get: ((k) => from[k]).bind(null, key),
+					enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+				});
+			}
+		}
+	}
+	return to;
+};
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+
+//#endregion
+export { __exportAll, __reExport };

package/dist/adapters/drizzle-adapter/index.d.mts

@@ -0,0 +1 @@
+export * from "@better-auth/drizzle-adapter";

package/dist/adapters/drizzle-adapter/index.mjs

@@ -0,0 +1,3 @@
+export * from "@better-auth/drizzle-adapter"
+
+export {  };

package/dist/adapters/index.d.mts

@@ -0,0 +1,23 @@
+import { AdapterFactory, AdapterFactoryConfig, AdapterFactoryCustomizeAdapterCreator, AdapterFactoryOptions, AdapterTestDebugLogs, CustomAdapter, createAdapterFactory, initGetDefaultFieldName, initGetDefaultModelName, initGetFieldAttributes, initGetFieldName, initGetIdField, initGetModelName } from "@better-auth/core/db/adapter";
+export * from "@better-auth/core/db/adapter";
+
+//#region src/adapters/index.d.ts
+/**
+ * @deprecated Use `createAdapterFactory` instead. This export will be removed in the next major version.
+ */
+declare const createAdapter: any;
+/**
+ * @deprecated Use `AdapterFactoryOptions` instead. This export will be removed in the next major version.
+ */
+type CreateAdapterOptions = AdapterFactoryOptions;
+/**
+ * @deprecated Use `AdapterFactoryConfig` instead. This export will be removed in the next major version.
+ */
+type AdapterConfig = AdapterFactoryConfig;
+/**
+ * @deprecated Use `AdapterFactoryCustomizeAdapterCreator` instead. This export will be removed in the next major version.
+ */
+type CreateCustomAdapter = AdapterFactoryCustomizeAdapterCreator;
+//#endregion
+export { AdapterConfig, type AdapterFactory, type AdapterFactoryConfig, type AdapterFactoryCustomizeAdapterCreator, type AdapterFactoryOptions, type AdapterTestDebugLogs, CreateAdapterOptions, CreateCustomAdapter, type CustomAdapter, createAdapter, createAdapterFactory, initGetDefaultFieldName, initGetDefaultModelName, initGetFieldAttributes, initGetFieldName, initGetIdField, initGetModelName };
+//# sourceMappingURL=index.d.mts.map

package/dist/adapters/index.mjs

@@ -0,0 +1,13 @@
+import { createAdapterFactory, initGetDefaultFieldName, initGetDefaultModelName, initGetFieldAttributes, initGetFieldName, initGetIdField, initGetModelName } from "@better-auth/core/db/adapter";
+
+export * from "@better-auth/core/db/adapter"
+
+//#region src/adapters/index.ts
+/**
+* @deprecated Use `createAdapterFactory` instead. This export will be removed in the next major version.
+*/
+const createAdapter = createAdapterFactory;
+
+//#endregion
+export { createAdapter, createAdapterFactory, initGetDefaultFieldName, initGetDefaultModelName, initGetFieldAttributes, initGetFieldName, initGetIdField, initGetModelName };
+//# sourceMappingURL=index.mjs.map

package/dist/adapters/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/adapters/index.ts"],"sourcesContent":["import type {\n\tAdapterFactory,\n\tAdapterFactoryConfig,\n\tAdapterFactoryCustomizeAdapterCreator,\n\tAdapterFactoryOptions,\n\tAdapterTestDebugLogs,\n\tCustomAdapter,\n} from \"@better-auth/core/db/adapter\";\nimport {\n\tcreateAdapterFactory,\n\tinitGetDefaultFieldName,\n\tinitGetDefaultModelName,\n\tinitGetFieldAttributes,\n\tinitGetFieldName,\n\tinitGetIdField,\n\tinitGetModelName,\n} from \"@better-auth/core/db/adapter\";\n\nexport * from \"@better-auth/core/db/adapter\";\n\nexport type {\n\tAdapterFactoryOptions,\n\tAdapterFactory,\n\tAdapterTestDebugLogs,\n\tAdapterFactoryConfig,\n\tCustomAdapter,\n\tAdapterFactoryCustomizeAdapterCreator,\n};\nexport {\n\tcreateAdapterFactory,\n\tinitGetDefaultFieldName,\n\tinitGetDefaultModelName,\n\tinitGetFieldName,\n\tinitGetModelName,\n\tinitGetFieldAttributes,\n\tinitGetIdField,\n};\n\n/**\n * @deprecated Use `createAdapterFactory` instead. This export will be removed in the next major version.\n */\nexport const createAdapter = createAdapterFactory;\n\n/**\n * @deprecated Use `AdapterFactoryOptions` instead. This export will be removed in the next major version.\n */\nexport type CreateAdapterOptions = AdapterFactoryOptions;\n\n/**\n * @deprecated Use `AdapterFactoryConfig` instead. This export will be removed in the next major version.\n */\nexport type AdapterConfig = AdapterFactoryConfig;\n\n/**\n * @deprecated Use `AdapterFactoryCustomizeAdapterCreator` instead. This export will be removed in the next major version.\n */\nexport type CreateCustomAdapter = AdapterFactoryCustomizeAdapterCreator;\n"],"mappings":";;;;;;;;AAyCA,MAAa,gBAAgB"}

package/dist/adapters/kysely-adapter/index.d.mts

@@ -0,0 +1 @@
+export * from "@better-auth/kysely-adapter";

package/dist/adapters/kysely-adapter/index.mjs

@@ -0,0 +1,3 @@
+export * from "@better-auth/kysely-adapter"
+
+export {  };

package/dist/adapters/memory-adapter/index.d.mts

@@ -0,0 +1 @@
+export * from "@better-auth/memory-adapter";

package/dist/adapters/memory-adapter/index.mjs

@@ -0,0 +1,3 @@
+export * from "@better-auth/memory-adapter"
+
+export {  };

package/dist/adapters/mongodb-adapter/index.d.mts

@@ -0,0 +1 @@
+export * from "@better-auth/mongo-adapter";

package/dist/adapters/mongodb-adapter/index.mjs

@@ -0,0 +1,3 @@
+export * from "@better-auth/mongo-adapter"
+
+export {  };

package/dist/adapters/prisma-adapter/index.d.mts

@@ -0,0 +1 @@
+export * from "@better-auth/prisma-adapter";

package/dist/adapters/prisma-adapter/index.mjs

@@ -0,0 +1,3 @@
+export * from "@better-auth/prisma-adapter"
+
+export {  };

package/dist/api/index.d.mts

@@ -0,0 +1,40 @@
+import { UnionToIntersection } from "../types/helper.mjs";
+import "../types/index.mjs";
+import { getIp } from "../utils/get-request-ip.mjs";
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
+import "./middlewares/index.mjs";
+import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
+import { callbackOAuth } from "./routes/callback.mjs";
+import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEmailFn, verifyEmail } from "./routes/email-verification.mjs";
+import { error } from "./routes/error.mjs";
+import { ok } from "./routes/ok.mjs";
+import { requestPasswordReset, requestPasswordResetCallback, resetPassword, verifyPassword } from "./routes/password.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { signInEmail, signInSocial } from "./routes/sign-in.mjs";
+import { signOut } from "./routes/sign-out.mjs";
+import { signUpEmail } from "./routes/sign-up.mjs";
+import { changeEmail, changePassword, deleteUser, deleteUserCallback, setPassword, updateUser } from "./routes/update-user.mjs";
+import "./routes/index.mjs";
+import { getOAuthState } from "./state/oauth.mjs";
+import { getShouldSkipSessionRefresh, setShouldSkipSessionRefresh } from "./state/should-session-refresh.mjs";
+import { AuthContext, Awaitable, BetterAuthOptions } from "@better-auth/core";
+import { InternalLogger } from "@better-auth/core/env";
+import { APIError } from "@better-auth/core/error";
+import { AuthEndpoint, AuthMiddleware, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+
+//#region src/api/index.d.ts
+declare function checkEndpointConflicts(options: BetterAuthOptions, logger: InternalLogger): void;
+declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<AuthContext>, options: Option): {
+  api: any & UnionToIntersection<Option["plugins"] extends (infer T)[] ? T extends BetterAuthPlugin ? T extends {
+    endpoints: infer E;
+  } ? E : {} : {} : {}>;
+  middlewares: any;
+};
+declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, options: Option) => {
+  handler: (request: Request) => Promise<Response>;
+  endpoints: any;
+};
+//#endregion
+export { APIError, type AuthEndpoint, type AuthMiddleware, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateUser, verifyEmail, verifyPassword };
+//# sourceMappingURL=index.d.mts.map

package/dist/api/index.mjs

@@ -0,0 +1,205 @@
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
+import "./middlewares/index.mjs";
+import { getIp } from "../utils/get-request-ip.mjs";
+import { onRequestRateLimit } from "./rate-limiter/index.mjs";
+import { getOAuthState } from "./state/oauth.mjs";
+import { getShouldSkipSessionRefresh, setShouldSkipSessionRefresh } from "./state/should-session-refresh.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
+import { callbackOAuth } from "./routes/callback.mjs";
+import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEmailFn, verifyEmail } from "./routes/email-verification.mjs";
+import { error } from "./routes/error.mjs";
+import { ok } from "./routes/ok.mjs";
+import { requestPasswordReset, requestPasswordResetCallback, resetPassword, verifyPassword } from "./routes/password.mjs";
+import { signInEmail, signInSocial } from "./routes/sign-in.mjs";
+import { signOut } from "./routes/sign-out.mjs";
+import { signUpEmail } from "./routes/sign-up.mjs";
+import { changeEmail, changePassword, deleteUser, deleteUserCallback, setPassword, updateUser } from "./routes/update-user.mjs";
+import "./routes/index.mjs";
+import { toAuthEndpoints } from "./to-auth-endpoints.mjs";
+import { logger as logger$1 } from "@better-auth/core/env";
+import { APIError } from "@better-auth/core/error";
+import { normalizePathname } from "@better-auth/core/utils/url";
+import { createRouter } from "better-call";
+import { createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+
+//#region src/api/index.ts
+function checkEndpointConflicts(options, logger) {
+	const endpointRegistry = /* @__PURE__ */ new Map();
+	options.plugins?.forEach((plugin) => {
+		if (plugin.endpoints) {
+			for (const [key, endpoint] of Object.entries(plugin.endpoints)) if (endpoint && "path" in endpoint && typeof endpoint.path === "string") {
+				const path = endpoint.path;
+				let methods = [];
+				if (endpoint.options && "method" in endpoint.options) {
+					if (Array.isArray(endpoint.options.method)) methods = endpoint.options.method;
+					else if (typeof endpoint.options.method === "string") methods = [endpoint.options.method];
+				}
+				if (methods.length === 0) methods = ["*"];
+				if (!endpointRegistry.has(path)) endpointRegistry.set(path, []);
+				endpointRegistry.get(path).push({
+					pluginId: plugin.id,
+					endpointKey: key,
+					methods
+				});
+			}
+		}
+	});
+	const conflicts = [];
+	for (const [path, entries] of endpointRegistry.entries()) if (entries.length > 1) {
+		const methodMap = /* @__PURE__ */ new Map();
+		let hasConflict = false;
+		for (const entry of entries) for (const method of entry.methods) {
+			if (!methodMap.has(method)) methodMap.set(method, []);
+			methodMap.get(method).push(entry.pluginId);
+			if (methodMap.get(method).length > 1) hasConflict = true;
+			if (method === "*" && entries.length > 1) hasConflict = true;
+			else if (method !== "*" && methodMap.has("*")) hasConflict = true;
+		}
+		if (hasConflict) {
+			const uniquePlugins = [...new Set(entries.map((e) => e.pluginId))];
+			const conflictingMethods = [];
+			for (const [method, plugins] of methodMap.entries()) if (plugins.length > 1 || method === "*" && entries.length > 1 || method !== "*" && methodMap.has("*")) conflictingMethods.push(method);
+			conflicts.push({
+				path,
+				plugins: uniquePlugins,
+				conflictingMethods
+			});
+		}
+	}
+	if (conflicts.length > 0) {
+		const conflictMessages = conflicts.map((conflict) => `  - "${conflict.path}" [${conflict.conflictingMethods.join(", ")}] used by plugins: ${conflict.plugins.join(", ")}`).join("\n");
+		logger.error(`Endpoint path conflicts detected! Multiple plugins are trying to use the same endpoint paths with conflicting HTTP methods:
+${conflictMessages}
+
+To resolve this, you can:
+	1. Use only one of the conflicting plugins
+	2. Configure the plugins to use different paths (if supported)
+	3. Ensure plugins use different HTTP methods for the same path
+`);
+	}
+}
+function getEndpoints(ctx, options) {
+	const pluginEndpoints = options.plugins?.reduce((acc, plugin) => {
+		return {
+			...acc,
+			...plugin.endpoints
+		};
+	}, {}) ?? {};
+	const middlewares = options.plugins?.map((plugin) => plugin.middlewares?.map((m) => {
+		const middleware = (async (context) => {
+			const authContext = await ctx;
+			return m.middleware({
+				...context,
+				context: {
+					...authContext,
+					...context.context
+				}
+			});
+		});
+		middleware.options = m.middleware.options;
+		return {
+			path: m.path,
+			middleware
+		};
+	})).filter((plugin) => plugin !== void 0).flat() || [];
+	return {
+		api: toAuthEndpoints({
+			signInSocial: signInSocial(),
+			callbackOAuth,
+			getSession: getSession(),
+			signOut,
+			signUpEmail: signUpEmail(),
+			signInEmail: signInEmail(),
+			resetPassword,
+			verifyPassword,
+			verifyEmail,
+			sendVerificationEmail,
+			changeEmail,
+			changePassword,
+			setPassword,
+			updateUser: updateUser(),
+			deleteUser,
+			requestPasswordReset,
+			requestPasswordResetCallback,
+			listSessions: listSessions(),
+			revokeSession,
+			revokeSessions,
+			revokeOtherSessions,
+			linkSocialAccount,
+			listUserAccounts,
+			deleteUserCallback,
+			unlinkAccount,
+			refreshToken,
+			getAccessToken,
+			accountInfo,
+			...pluginEndpoints,
+			ok,
+			error
+		}, ctx),
+		middlewares
+	};
+}
+const router = (ctx, options) => {
+	const { api, middlewares } = getEndpoints(ctx, options);
+	const basePath = new URL(ctx.baseURL).pathname;
+	return createRouter(api, {
+		routerContext: ctx,
+		openapi: { disabled: true },
+		basePath,
+		routerMiddleware: [{
+			path: "/**",
+			middleware: originCheckMiddleware
+		}, ...middlewares],
+		allowedMediaTypes: ["application/json"],
+		skipTrailingSlashes: options.advanced?.skipTrailingSlashes ?? false,
+		async onRequest(req) {
+			const disabledPaths = ctx.options.disabledPaths || [];
+			const normalizedPath = normalizePathname(req.url, basePath);
+			if (disabledPaths.includes(normalizedPath)) return new Response("Not Found", { status: 404 });
+			let currentRequest = req;
+			for (const plugin of ctx.options.plugins || []) if (plugin.onRequest) {
+				const response = await plugin.onRequest(currentRequest, ctx);
+				if (response && "response" in response) return response.response;
+				if (response && "request" in response) currentRequest = response.request;
+			}
+			const rateLimitResponse = await onRequestRateLimit(currentRequest, ctx);
+			if (rateLimitResponse) return rateLimitResponse;
+			return currentRequest;
+		},
+		async onResponse(res) {
+			for (const plugin of ctx.options.plugins || []) if (plugin.onResponse) {
+				const response = await plugin.onResponse(res, ctx);
+				if (response) return response.response;
+			}
+			return res;
+		},
+		onError(e) {
+			if (isAPIError(e) && e.status === "FOUND") return;
+			if (options.onAPIError?.throw) throw e;
+			if (options.onAPIError?.onError) {
+				options.onAPIError.onError(e, ctx);
+				return;
+			}
+			const optLogLevel = options.logger?.level;
+			const log = optLogLevel === "error" || optLogLevel === "warn" || optLogLevel === "debug" ? logger$1 : void 0;
+			if (options.logger?.disabled !== true) {
+				if (e && typeof e === "object" && "message" in e && typeof e.message === "string") {
+					if (e.message.includes("no column") || e.message.includes("column") || e.message.includes("relation") || e.message.includes("table") || e.message.includes("does not exist")) {
+						ctx.logger?.error(e.message);
+						return;
+					}
+				}
+				if (isAPIError(e)) {
+					if (e.status === "INTERNAL_SERVER_ERROR") ctx.logger.error(e.status, e);
+					log?.error(e.message);
+				} else ctx.logger?.error(e && typeof e === "object" && "name" in e ? e.name : "", e);
+			}
+		}
+	});
+};
+
+//#endregion
+export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateUser, verifyEmail, verifyPassword };
+//# sourceMappingURL=index.mjs.map

package/dist/api/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":["logger"],"sources":["../../src/api/index.ts"],"sourcesContent":["import type {\n\tAuthContext,\n\tAwaitable,\n\tBetterAuthOptions,\n\tBetterAuthPlugin,\n} from \"@better-auth/core\";\nimport type { InternalLogger } from \"@better-auth/core/env\";\nimport { logger } from \"@better-auth/core/env\";\nimport { normalizePathname } from \"@better-auth/core/utils/url\";\nimport type { Endpoint, Middleware } from \"better-call\";\nimport { createRouter } from \"better-call\";\nimport type { UnionToIntersection } from \"../types\";\nimport { isAPIError } from \"../utils/is-api-error\";\nimport { originCheckMiddleware } from \"./middlewares\";\nimport { onRequestRateLimit } from \"./rate-limiter\";\nimport {\n\taccountInfo,\n\tcallbackOAuth,\n\tchangeEmail,\n\tchangePassword,\n\tdeleteUser,\n\tdeleteUserCallback,\n\terror,\n\tgetAccessToken,\n\tgetSession,\n\tlinkSocialAccount,\n\tlistSessions,\n\tlistUserAccounts,\n\tok,\n\trefreshToken,\n\trequestPasswordReset,\n\trequestPasswordResetCallback,\n\tresetPassword,\n\trevokeOtherSessions,\n\trevokeSession,\n\trevokeSessions,\n\tsendVerificationEmail,\n\tsetPassword,\n\tsignInEmail,\n\tsignInSocial,\n\tsignOut,\n\tsignUpEmail,\n\tunlinkAccount,\n\tupdateUser,\n\tverifyEmail,\n\tverifyPassword,\n} from \"./routes\";\nimport { toAuthEndpoints } from \"./to-auth-endpoints\";\n\nexport function checkEndpointConflicts(\n\toptions: BetterAuthOptions,\n\tlogger: InternalLogger,\n) {\n\tconst endpointRegistry = new Map<\n\t\tstring,\n\t\t{ pluginId: string; endpointKey: string; methods: string[] }[]\n\t>();\n\n\toptions.plugins?.forEach((plugin) => {\n\t\tif (plugin.endpoints) {\n\t\t\tfor (const [key, endpoint] of Object.entries(plugin.endpoints)) {\n\t\t\t\tif (\n\t\t\t\t\tendpoint &&\n\t\t\t\t\t\"path\" in endpoint &&\n\t\t\t\t\ttypeof endpoint.path === \"string\"\n\t\t\t\t) {\n\t\t\t\t\tconst path = endpoint.path;\n\t\t\t\t\tlet methods: string[] = [];\n\t\t\t\t\tif (endpoint.options && \"method\" in endpoint.options) {\n\t\t\t\t\t\tif (Array.isArray(endpoint.options.method)) {\n\t\t\t\t\t\t\tmethods = endpoint.options.method;\n\t\t\t\t\t\t} else if (typeof endpoint.options.method === \"string\") {\n\t\t\t\t\t\t\tmethods = [endpoint.options.method];\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tif (methods.length === 0) {\n\t\t\t\t\t\tmethods = [\"*\"];\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!endpointRegistry.has(path)) {\n\t\t\t\t\t\tendpointRegistry.set(path, []);\n\t\t\t\t\t}\n\t\t\t\t\tendpointRegistry.get(path)!.push({\n\t\t\t\t\t\tpluginId: plugin.id,\n\t\t\t\t\t\tendpointKey: key,\n\t\t\t\t\t\tmethods,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t});\n\n\tconst conflicts: {\n\t\tpath: string;\n\t\tplugins: string[];\n\t\tconflictingMethods: string[];\n\t}[] = [];\n\tfor (const [path, entries] of endpointRegistry.entries()) {\n\t\tif (entries.length > 1) {\n\t\t\tconst methodMap = new Map<string, string[]>();\n\t\t\tlet hasConflict = false;\n\n\t\t\tfor (const entry of entries) {\n\t\t\t\tfor (const method of entry.methods) {\n\t\t\t\t\tif (!methodMap.has(method)) {\n\t\t\t\t\t\tmethodMap.set(method, []);\n\t\t\t\t\t}\n\t\t\t\t\tmethodMap.get(method)!.push(entry.pluginId);\n\n\t\t\t\t\tif (methodMap.get(method)!.length > 1) {\n\t\t\t\t\t\thasConflict = true;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (method === \"*\" && entries.length > 1) {\n\t\t\t\t\t\thasConflict = true;\n\t\t\t\t\t} else if (method !== \"*\" && methodMap.has(\"*\")) {\n\t\t\t\t\t\thasConflict = true;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (hasConflict) {\n\t\t\t\tconst uniquePlugins = [...new Set(entries.map((e) => e.pluginId))];\n\t\t\t\tconst conflictingMethods: string[] = [];\n\n\t\t\t\tfor (const [method, plugins] of methodMap.entries()) {\n\t\t\t\t\tif (\n\t\t\t\t\t\tplugins.length > 1 ||\n\t\t\t\t\t\t(method === \"*\" && entries.length > 1) ||\n\t\t\t\t\t\t(method !== \"*\" && methodMap.has(\"*\"))\n\t\t\t\t\t) {\n\t\t\t\t\t\tconflictingMethods.push(method);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tconflicts.push({\n\t\t\t\t\tpath,\n\t\t\t\t\tplugins: uniquePlugins,\n\t\t\t\t\tconflictingMethods,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t}\n\n\tif (conflicts.length > 0) {\n\t\tconst conflictMessages = conflicts\n\t\t\t.map(\n\t\t\t\t(conflict) =>\n\t\t\t\t\t`  - \"${conflict.path}\" [${conflict.conflictingMethods.join(\", \")}] used by plugins: ${conflict.plugins.join(\", \")}`,\n\t\t\t)\n\t\t\t.join(\"\\n\");\n\t\tlogger.error(\n\t\t\t`Endpoint path conflicts detected! Multiple plugins are trying to use the same endpoint paths with conflicting HTTP methods:\n${conflictMessages}\n\nTo resolve this, you can:\n\t1. Use only one of the conflicting plugins\n\t2. Configure the plugins to use different paths (if supported)\n\t3. Ensure plugins use different HTTP methods for the same path\n`,\n\t\t);\n\t}\n}\n\nexport function getEndpoints<Option extends BetterAuthOptions>(\n\tctx: Awaitable<AuthContext>,\n\toptions: Option,\n) {\n\tconst pluginEndpoints =\n\t\toptions.plugins?.reduce<Record<string, Endpoint>>((acc, plugin) => {\n\t\t\treturn {\n\t\t\t\t...acc,\n\t\t\t\t...plugin.endpoints,\n\t\t\t};\n\t\t}, {}) ?? {};\n\n\ttype PluginEndpoint = UnionToIntersection<\n\t\tOption[\"plugins\"] extends Array<infer T>\n\t\t\t? T extends BetterAuthPlugin\n\t\t\t\t? T extends {\n\t\t\t\t\t\tendpoints: infer E;\n\t\t\t\t\t}\n\t\t\t\t\t? E\n\t\t\t\t\t: {}\n\t\t\t\t: {}\n\t\t\t: {}\n\t>;\n\n\tconst middlewares =\n\t\toptions.plugins\n\t\t\t?.map((plugin) =>\n\t\t\t\tplugin.middlewares?.map((m) => {\n\t\t\t\t\tconst middleware = (async (context: any) => {\n\t\t\t\t\t\tconst authContext = await ctx;\n\t\t\t\t\t\treturn m.middleware({\n\t\t\t\t\t\t\t...context,\n\t\t\t\t\t\t\tcontext: {\n\t\t\t\t\t\t\t\t...authContext,\n\t\t\t\t\t\t\t\t...context.context,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t});\n\t\t\t\t\t}) as Middleware;\n\t\t\t\t\tmiddleware.options = m.middleware.options;\n\t\t\t\t\treturn {\n\t\t\t\t\t\tpath: m.path,\n\t\t\t\t\t\tmiddleware,\n\t\t\t\t\t};\n\t\t\t\t}),\n\t\t\t)\n\t\t\t.filter((plugin) => plugin !== undefined)\n\t\t\t.flat() || [];\n\n\tconst baseEndpoints = {\n\t\tsignInSocial: signInSocial<Option>(),\n\t\tcallbackOAuth,\n\t\tgetSession: getSession<Option>(),\n\t\tsignOut,\n\t\tsignUpEmail: signUpEmail<Option>(),\n\t\tsignInEmail: signInEmail<Option>(),\n\t\tresetPassword,\n\t\tverifyPassword,\n\t\tverifyEmail,\n\t\tsendVerificationEmail,\n\t\tchangeEmail,\n\t\tchangePassword,\n\t\tsetPassword,\n\t\tupdateUser: updateUser<Option>(),\n\t\tdeleteUser,\n\t\trequestPasswordReset,\n\t\trequestPasswordResetCallback,\n\t\tlistSessions: listSessions<Option>(),\n\t\trevokeSession,\n\t\trevokeSessions,\n\t\trevokeOtherSessions,\n\t\tlinkSocialAccount,\n\t\tlistUserAccounts,\n\t\tdeleteUserCallback,\n\t\tunlinkAccount,\n\t\trefreshToken,\n\t\tgetAccessToken,\n\t\taccountInfo,\n\t};\n\tconst endpoints = {\n\t\t...baseEndpoints,\n\t\t...pluginEndpoints,\n\t\tok,\n\t\terror,\n\t} as const;\n\tconst api = toAuthEndpoints(endpoints, ctx);\n\treturn {\n\t\tapi: api as typeof endpoints & PluginEndpoint,\n\t\tmiddlewares,\n\t};\n}\nexport const router = <Option extends BetterAuthOptions>(\n\tctx: AuthContext,\n\toptions: Option,\n) => {\n\tconst { api, middlewares } = getEndpoints(ctx, options);\n\tconst basePath = new URL(ctx.baseURL).pathname;\n\n\treturn createRouter(api, {\n\t\trouterContext: ctx,\n\t\topenapi: {\n\t\t\tdisabled: true,\n\t\t},\n\t\tbasePath,\n\t\trouterMiddleware: [\n\t\t\t{\n\t\t\t\tpath: \"/**\",\n\t\t\t\tmiddleware: originCheckMiddleware,\n\t\t\t},\n\t\t\t...middlewares,\n\t\t],\n\t\tallowedMediaTypes: [\"application/json\"],\n\t\tskipTrailingSlashes: options.advanced?.skipTrailingSlashes ?? false,\n\t\tasync onRequest(req) {\n\t\t\t//handle disabled paths\n\t\t\tconst disabledPaths = ctx.options.disabledPaths || [];\n\t\t\tconst normalizedPath = normalizePathname(req.url, basePath);\n\t\t\tif (disabledPaths.includes(normalizedPath)) {\n\t\t\t\treturn new Response(\"Not Found\", { status: 404 });\n\t\t\t}\n\n\t\t\tlet currentRequest = req;\n\t\t\tfor (const plugin of ctx.options.plugins || []) {\n\t\t\t\tif (plugin.onRequest) {\n\t\t\t\t\tconst response = await plugin.onRequest(currentRequest, ctx);\n\t\t\t\t\tif (response && \"response\" in response) {\n\t\t\t\t\t\treturn response.response;\n\t\t\t\t\t}\n\t\t\t\t\tif (response && \"request\" in response) {\n\t\t\t\t\t\tcurrentRequest = response.request;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst rateLimitResponse = await onRequestRateLimit(currentRequest, ctx);\n\t\t\tif (rateLimitResponse) {\n\t\t\t\treturn rateLimitResponse;\n\t\t\t}\n\n\t\t\treturn currentRequest;\n\t\t},\n\t\tasync onResponse(res) {\n\t\t\tfor (const plugin of ctx.options.plugins || []) {\n\t\t\t\tif (plugin.onResponse) {\n\t\t\t\t\tconst response = await plugin.onResponse(res, ctx);\n\t\t\t\t\tif (response) {\n\t\t\t\t\t\treturn response.response;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn res;\n\t\t},\n\t\tonError(e) {\n\t\t\tif (isAPIError(e) && e.status === \"FOUND\") {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tif (options.onAPIError?.throw) {\n\t\t\t\tthrow e;\n\t\t\t}\n\t\t\tif (options.onAPIError?.onError) {\n\t\t\t\toptions.onAPIError.onError(e, ctx);\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tconst optLogLevel = options.logger?.level;\n\t\t\tconst log =\n\t\t\t\toptLogLevel === \"error\" ||\n\t\t\t\toptLogLevel === \"warn\" ||\n\t\t\t\toptLogLevel === \"debug\"\n\t\t\t\t\t? logger\n\t\t\t\t\t: undefined;\n\t\t\tif (options.logger?.disabled !== true) {\n\t\t\t\tif (\n\t\t\t\t\te &&\n\t\t\t\t\ttypeof e === \"object\" &&\n\t\t\t\t\t\"message\" in e &&\n\t\t\t\t\ttypeof e.message === \"string\"\n\t\t\t\t) {\n\t\t\t\t\tif (\n\t\t\t\t\t\te.message.includes(\"no column\") ||\n\t\t\t\t\t\te.message.includes(\"column\") ||\n\t\t\t\t\t\te.message.includes(\"relation\") ||\n\t\t\t\t\t\te.message.includes(\"table\") ||\n\t\t\t\t\t\te.message.includes(\"does not exist\")\n\t\t\t\t\t) {\n\t\t\t\t\t\tctx.logger?.error(e.message);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (isAPIError(e)) {\n\t\t\t\t\tif (e.status === \"INTERNAL_SERVER_ERROR\") {\n\t\t\t\t\t\tctx.logger.error(e.status, e);\n\t\t\t\t\t}\n\t\t\t\t\tlog?.error(e.message);\n\t\t\t\t} else {\n\t\t\t\t\tctx.logger?.error(\n\t\t\t\t\t\te && typeof e === \"object\" && \"name\" in e ? (e.name as string) : \"\",\n\t\t\t\t\t\te,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\t\t},\n\t});\n};\n\nexport {\n\ttype AuthEndpoint,\n\ttype AuthMiddleware,\n\tcreateAuthEndpoint,\n\tcreateAuthMiddleware,\n\toptionsMiddleware,\n} from \"@better-auth/core/api\";\nexport { APIError } from \"@better-auth/core/error\";\nexport { getIp } from \"../utils/get-request-ip\";\nexport { isAPIError } from \"../utils/is-api-error\";\nexport * from \"./middlewares\";\nexport * from \"./routes\";\nexport { getOAuthState } from \"./state/oauth\";\nexport {\n\tgetShouldSkipSessionRefresh,\n\tsetShouldSkipSessionRefresh,\n} from \"./state/should-session-refresh\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAiDA,SAAgB,uBACf,SACA,QACC;CACD,MAAM,mCAAmB,IAAI,KAG1B;AAEH,SAAQ,SAAS,SAAS,WAAW;AACpC,MAAI,OAAO,WACV;QAAK,MAAM,CAAC,KAAK,aAAa,OAAO,QAAQ,OAAO,UAAU,CAC7D,KACC,YACA,UAAU,YACV,OAAO,SAAS,SAAS,UACxB;IACD,MAAM,OAAO,SAAS;IACtB,IAAI,UAAoB,EAAE;AAC1B,QAAI,SAAS,WAAW,YAAY,SAAS,SAC5C;SAAI,MAAM,QAAQ,SAAS,QAAQ,OAAO,CACzC,WAAU,SAAS,QAAQ;cACjB,OAAO,SAAS,QAAQ,WAAW,SAC7C,WAAU,CAAC,SAAS,QAAQ,OAAO;;AAGrC,QAAI,QAAQ,WAAW,EACtB,WAAU,CAAC,IAAI;AAGhB,QAAI,CAAC,iBAAiB,IAAI,KAAK,CAC9B,kBAAiB,IAAI,MAAM,EAAE,CAAC;AAE/B,qBAAiB,IAAI,KAAK,CAAE,KAAK;KAChC,UAAU,OAAO;KACjB,aAAa;KACb;KACA,CAAC;;;GAIJ;CAEF,MAAM,YAIA,EAAE;AACR,MAAK,MAAM,CAAC,MAAM,YAAY,iBAAiB,SAAS,CACvD,KAAI,QAAQ,SAAS,GAAG;EACvB,MAAM,4BAAY,IAAI,KAAuB;EAC7C,IAAI,cAAc;AAElB,OAAK,MAAM,SAAS,QACnB,MAAK,MAAM,UAAU,MAAM,SAAS;AACnC,OAAI,CAAC,UAAU,IAAI,OAAO,CACzB,WAAU,IAAI,QAAQ,EAAE,CAAC;AAE1B,aAAU,IAAI,OAAO,CAAE,KAAK,MAAM,SAAS;AAE3C,OAAI,UAAU,IAAI,OAAO,CAAE,SAAS,EACnC,eAAc;AAGf,OAAI,WAAW,OAAO,QAAQ,SAAS,EACtC,eAAc;YACJ,WAAW,OAAO,UAAU,IAAI,IAAI,CAC9C,eAAc;;AAKjB,MAAI,aAAa;GAChB,MAAM,gBAAgB,CAAC,GAAG,IAAI,IAAI,QAAQ,KAAK,MAAM,EAAE,SAAS,CAAC,CAAC;GAClE,MAAM,qBAA+B,EAAE;AAEvC,QAAK,MAAM,CAAC,QAAQ,YAAY,UAAU,SAAS,CAClD,KACC,QAAQ,SAAS,KAChB,WAAW,OAAO,QAAQ,SAAS,KACnC,WAAW,OAAO,UAAU,IAAI,IAAI,CAErC,oBAAmB,KAAK,OAAO;AAIjC,aAAU,KAAK;IACd;IACA,SAAS;IACT;IACA,CAAC;;;AAKL,KAAI,UAAU,SAAS,GAAG;EACzB,MAAM,mBAAmB,UACvB,KACC,aACA,QAAQ,SAAS,KAAK,KAAK,SAAS,mBAAmB,KAAK,KAAK,CAAC,qBAAqB,SAAS,QAAQ,KAAK,KAAK,GACnH,CACA,KAAK,KAAK;AACZ,SAAO,MACN;EACD,iBAAiB;;;;;;EAOhB;;;AAIH,SAAgB,aACf,KACA,SACC;CACD,MAAM,kBACL,QAAQ,SAAS,QAAkC,KAAK,WAAW;AAClE,SAAO;GACN,GAAG;GACH,GAAG,OAAO;GACV;IACC,EAAE,CAAC,IAAI,EAAE;CAcb,MAAM,cACL,QAAQ,SACL,KAAK,WACN,OAAO,aAAa,KAAK,MAAM;EAC9B,MAAM,cAAc,OAAO,YAAiB;GAC3C,MAAM,cAAc,MAAM;AAC1B,UAAO,EAAE,WAAW;IACnB,GAAG;IACH,SAAS;KACR,GAAG;KACH,GAAG,QAAQ;KACX;IACD,CAAC;;AAEH,aAAW,UAAU,EAAE,WAAW;AAClC,SAAO;GACN,MAAM,EAAE;GACR;GACA;GACA,CACF,CACA,QAAQ,WAAW,WAAW,OAAU,CACxC,MAAM,IAAI,EAAE;AAuCf,QAAO;EACN,KAFW,gBANM;GA7BjB,cAAc,cAAsB;GACpC;GACA,YAAY,YAAoB;GAChC;GACA,aAAa,aAAqB;GAClC,aAAa,aAAqB;GAClC;GACA;GACA;GACA;GACA;GACA;GACA;GACA,YAAY,YAAoB;GAChC;GACA;GACA;GACA,cAAc,cAAsB;GACpC;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GAIA,GAAG;GACH;GACA;GACA,EACsC,IAAI;EAG1C;EACA;;AAEF,MAAa,UACZ,KACA,YACI;CACJ,MAAM,EAAE,KAAK,gBAAgB,aAAa,KAAK,QAAQ;CACvD,MAAM,WAAW,IAAI,IAAI,IAAI,QAAQ,CAAC;AAEtC,QAAO,aAAa,KAAK;EACxB,eAAe;EACf,SAAS,EACR,UAAU,MACV;EACD;EACA,kBAAkB,CACjB;GACC,MAAM;GACN,YAAY;GACZ,EACD,GAAG,YACH;EACD,mBAAmB,CAAC,mBAAmB;EACvC,qBAAqB,QAAQ,UAAU,uBAAuB;EAC9D,MAAM,UAAU,KAAK;GAEpB,MAAM,gBAAgB,IAAI,QAAQ,iBAAiB,EAAE;GACrD,MAAM,iBAAiB,kBAAkB,IAAI,KAAK,SAAS;AAC3D,OAAI,cAAc,SAAS,eAAe,CACzC,QAAO,IAAI,SAAS,aAAa,EAAE,QAAQ,KAAK,CAAC;GAGlD,IAAI,iBAAiB;AACrB,QAAK,MAAM,UAAU,IAAI,QAAQ,WAAW,EAAE,CAC7C,KAAI,OAAO,WAAW;IACrB,MAAM,WAAW,MAAM,OAAO,UAAU,gBAAgB,IAAI;AAC5D,QAAI,YAAY,cAAc,SAC7B,QAAO,SAAS;AAEjB,QAAI,YAAY,aAAa,SAC5B,kBAAiB,SAAS;;GAK7B,MAAM,oBAAoB,MAAM,mBAAmB,gBAAgB,IAAI;AACvE,OAAI,kBACH,QAAO;AAGR,UAAO;;EAER,MAAM,WAAW,KAAK;AACrB,QAAK,MAAM,UAAU,IAAI,QAAQ,WAAW,EAAE,CAC7C,KAAI,OAAO,YAAY;IACtB,MAAM,WAAW,MAAM,OAAO,WAAW,KAAK,IAAI;AAClD,QAAI,SACH,QAAO,SAAS;;AAInB,UAAO;;EAER,QAAQ,GAAG;AACV,OAAI,WAAW,EAAE,IAAI,EAAE,WAAW,QACjC;AAED,OAAI,QAAQ,YAAY,MACvB,OAAM;AAEP,OAAI,QAAQ,YAAY,SAAS;AAChC,YAAQ,WAAW,QAAQ,GAAG,IAAI;AAClC;;GAGD,MAAM,cAAc,QAAQ,QAAQ;GACpC,MAAM,MACL,gBAAgB,WAChB,gBAAgB,UAChB,gBAAgB,UACbA,WACA;AACJ,OAAI,QAAQ,QAAQ,aAAa,MAAM;AACtC,QACC,KACA,OAAO,MAAM,YACb,aAAa,KACb,OAAO,EAAE,YAAY,UAErB;SACC,EAAE,QAAQ,SAAS,YAAY,IAC/B,EAAE,QAAQ,SAAS,SAAS,IAC5B,EAAE,QAAQ,SAAS,WAAW,IAC9B,EAAE,QAAQ,SAAS,QAAQ,IAC3B,EAAE,QAAQ,SAAS,iBAAiB,EACnC;AACD,UAAI,QAAQ,MAAM,EAAE,QAAQ;AAC5B;;;AAIF,QAAI,WAAW,EAAE,EAAE;AAClB,SAAI,EAAE,WAAW,wBAChB,KAAI,OAAO,MAAM,EAAE,QAAQ,EAAE;AAE9B,UAAK,MAAM,EAAE,QAAQ;UAErB,KAAI,QAAQ,MACX,KAAK,OAAO,MAAM,YAAY,UAAU,IAAK,EAAE,OAAkB,IACjE,EACA;;;EAIJ,CAAC"}

package/dist/api/middlewares/index.d.mts

@@ -0,0 +1 @@
+import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./origin-check.mjs";

package/dist/api/middlewares/index.mjs

@@ -0,0 +1,3 @@
+import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./origin-check.mjs";
+
+export {  };

package/dist/api/middlewares/origin-check.d.mts

@@ -0,0 +1,17 @@
+import { GenericEndpointContext } from "@better-auth/core";
+
+//#region src/api/middlewares/origin-check.d.ts
+/**
+ * A middleware to validate callbackURL and origin against trustedOrigins.
+ * Also handles CSRF protection using Fetch Metadata for first-login scenarios.
+ */
+declare const originCheckMiddleware: any;
+declare const originCheck: (getValue: (ctx: GenericEndpointContext) => string | string[]) => any;
+/**
+ * Middleware for CSRF protection using Fetch Metadata headers.
+ * This prevents cross-site navigation login attacks while supporting progressive enhancement.
+ */
+declare const formCsrfMiddleware: any;
+//#endregion
+export { formCsrfMiddleware, originCheck, originCheckMiddleware };
+//# sourceMappingURL=origin-check.d.mts.map

package/dist/api/middlewares/origin-check.mjs

@@ -0,0 +1,140 @@
+import { matchesOriginPattern } from "../../auth/trusted-origins.mjs";
+import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+import { deprecate } from "@better-auth/core/utils/deprecate";
+import { normalizePathname } from "@better-auth/core/utils/url";
+import { createAuthMiddleware } from "@better-auth/core/api";
+
+//#region src/api/middlewares/origin-check.ts
+/**
+* Checks if CSRF should be skipped for backward compatibility.
+* Previously, disableOriginCheck also disabled CSRF checks.
+* This maintains that behavior when disableCSRFCheck isn't explicitly set.
+* Only triggers for skipOriginCheck === true, not for path arrays.
+*/
+function shouldSkipCSRFForBackwardCompat(ctx) {
+	return ctx.context.skipOriginCheck === true && ctx.context.options.advanced?.disableCSRFCheck === void 0;
+}
+/**
+* Logs deprecation warning for users relying on coupled behavior.
+* Only logs if user explicitly set disableOriginCheck (not test environment default).
+*/
+const logBackwardCompatWarning = deprecate(function logBackwardCompatWarning() {}, "disableOriginCheck: true currently also disables CSRF checks. In a future version, disableOriginCheck will ONLY disable URL validation. To keep CSRF disabled, add disableCSRFCheck: true to your config.");
+/**
+* A middleware to validate callbackURL and origin against trustedOrigins.
+* Also handles CSRF protection using Fetch Metadata for first-login scenarios.
+*/
+const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
+	if (ctx.request?.method === "GET" || ctx.request?.method === "OPTIONS" || ctx.request?.method === "HEAD" || !ctx.request) return;
+	await validateOrigin(ctx);
+	if (ctx.context.skipOriginCheck) return;
+	const { body, query } = ctx;
+	const callbackURL = body?.callbackURL || query?.callbackURL;
+	const redirectURL = body?.redirectTo;
+	const errorCallbackURL = body?.errorCallbackURL;
+	const newUserCallbackURL = body?.newUserCallbackURL;
+	const validateURL = (url, label) => {
+		if (!url) return;
+		if (!ctx.context.isTrustedOrigin(url, { allowRelativePaths: label !== "origin" })) {
+			ctx.context.logger.error(`Invalid ${label}: ${url}`);
+			ctx.context.logger.info(`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${ctx.context.trustedOrigins}`);
+			if (label === "origin") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ORIGIN);
+			if (label === "callbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_CALLBACK_URL);
+			if (label === "redirectURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_REDIRECT_URL);
+			if (label === "errorCallbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ERROR_CALLBACK_URL);
+			if (label === "newUserCallbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_NEW_USER_CALLBACK_URL);
+			throw APIError.fromStatus("FORBIDDEN", { message: `Invalid ${label}` });
+		}
+	};
+	callbackURL && validateURL(callbackURL, "callbackURL");
+	redirectURL && validateURL(redirectURL, "redirectURL");
+	errorCallbackURL && validateURL(errorCallbackURL, "errorCallbackURL");
+	newUserCallbackURL && validateURL(newUserCallbackURL, "newUserCallbackURL");
+});
+const originCheck = (getValue) => createAuthMiddleware(async (ctx) => {
+	if (!ctx.request) return;
+	if (ctx.context.skipOriginCheck) return;
+	const callbackURL = getValue(ctx);
+	const validateURL = (url, label) => {
+		if (!url) return;
+		if (!ctx.context.isTrustedOrigin(url, { allowRelativePaths: label !== "origin" })) {
+			ctx.context.logger.error(`Invalid ${label}: ${url}`);
+			ctx.context.logger.info(`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${ctx.context.trustedOrigins}`);
+			if (label === "origin") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ORIGIN);
+			if (label === "callbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_CALLBACK_URL);
+			if (label === "redirectURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_REDIRECT_URL);
+			if (label === "errorCallbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ERROR_CALLBACK_URL);
+			if (label === "newUserCallbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_NEW_USER_CALLBACK_URL);
+			throw APIError.fromStatus("FORBIDDEN", { message: `Invalid ${label}` });
+		}
+	};
+	const callbacks = Array.isArray(callbackURL) ? callbackURL : [callbackURL];
+	for (const url of callbacks) validateURL(url, "callbackURL");
+});
+/**
+* Validates origin header against trusted origins.
+* @param ctx - The endpoint context
+* @param forceValidate - If true, always validate origin regardless of cookies/skip flags
+*/
+async function validateOrigin(ctx, forceValidate = false) {
+	const headers = ctx.request?.headers;
+	if (!headers || !ctx.request) return;
+	const originHeader = headers.get("origin") || headers.get("referer") || "";
+	const useCookies = headers.has("cookie");
+	if (ctx.context.skipCSRFCheck) return;
+	if (shouldSkipCSRFForBackwardCompat(ctx)) {
+		ctx.context.options.advanced?.disableOriginCheck === true && logBackwardCompatWarning();
+		return;
+	}
+	const skipOriginCheck = ctx.context.skipOriginCheck;
+	if (Array.isArray(skipOriginCheck)) try {
+		const basePath = new URL(ctx.context.baseURL).pathname;
+		const currentPath = normalizePathname(ctx.request.url, basePath);
+		if (skipOriginCheck.some((skipPath) => currentPath.startsWith(skipPath))) return;
+	} catch {}
+	if (!(forceValidate || useCookies)) return;
+	if (!originHeader || originHeader === "null") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.MISSING_OR_NULL_ORIGIN);
+	const trustedOrigins = Array.isArray(ctx.context.options.trustedOrigins) ? ctx.context.trustedOrigins : [...ctx.context.trustedOrigins, ...(await ctx.context.options.trustedOrigins?.(ctx.request))?.filter((v) => Boolean(v)) || []];
+	if (!trustedOrigins.some((origin) => matchesOriginPattern(originHeader, origin))) {
+		ctx.context.logger.error(`Invalid origin: ${originHeader}`);
+		ctx.context.logger.info(`If it's a valid URL, please add ${originHeader} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${trustedOrigins}`);
+		throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ORIGIN);
+	}
+}
+/**
+* Middleware for CSRF protection using Fetch Metadata headers.
+* This prevents cross-site navigation login attacks while supporting progressive enhancement.
+*/
+const formCsrfMiddleware = createAuthMiddleware(async (ctx) => {
+	if (!ctx.request) return;
+	await validateFormCsrf(ctx);
+});
+/**
+* Validates CSRF protection for first-login scenarios using Fetch Metadata headers.
+* This prevents cross-site form submission attacks while supporting progressive enhancement.
+*/
+async function validateFormCsrf(ctx) {
+	const req = ctx.request;
+	if (!req) return;
+	if (ctx.context.skipCSRFCheck) return;
+	if (shouldSkipCSRFForBackwardCompat(ctx)) return;
+	const headers = req.headers;
+	if (headers.has("cookie")) return await validateOrigin(ctx);
+	const site = headers.get("Sec-Fetch-Site");
+	const mode = headers.get("Sec-Fetch-Mode");
+	const dest = headers.get("Sec-Fetch-Dest");
+	if (Boolean(site && site.trim() || mode && mode.trim() || dest && dest.trim())) {
+		if (site === "cross-site" && mode === "navigate") {
+			ctx.context.logger.error("Blocked cross-site navigation login attempt (CSRF protection)", {
+				secFetchSite: site,
+				secFetchMode: mode,
+				secFetchDest: dest
+			});
+			throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.CROSS_SITE_NAVIGATION_LOGIN_BLOCKED);
+		}
+		return await validateOrigin(ctx, true);
+	}
+}
+
+//#endregion
+export { formCsrfMiddleware, originCheck, originCheckMiddleware };
+//# sourceMappingURL=origin-check.mjs.map