@hammadj/better-auth 1.5.0-beta.10

package/dist/api/middlewares/origin-check.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"origin-check.mjs","names":[],"sources":["../../../src/api/middlewares/origin-check.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { createAuthMiddleware } from \"@better-auth/core/api\";\nimport { APIError, BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { deprecate } from \"@better-auth/core/utils/deprecate\";\nimport { normalizePathname } from \"@better-auth/core/utils/url\";\nimport { matchesOriginPattern } from \"../../auth/trusted-origins\";\n\n/**\n * Checks if CSRF should be skipped for backward compatibility.\n * Previously, disableOriginCheck also disabled CSRF checks.\n * This maintains that behavior when disableCSRFCheck isn't explicitly set.\n * Only triggers for skipOriginCheck === true, not for path arrays.\n */\nfunction shouldSkipCSRFForBackwardCompat(ctx: GenericEndpointContext): boolean {\n\treturn (\n\t\tctx.context.skipOriginCheck === true &&\n\t\tctx.context.options.advanced?.disableCSRFCheck === undefined\n\t);\n}\n\n/**\n * Logs deprecation warning for users relying on coupled behavior.\n * Only logs if user explicitly set disableOriginCheck (not test environment default).\n */\nconst logBackwardCompatWarning = deprecate(\n\tfunction logBackwardCompatWarning() {},\n\t\"disableOriginCheck: true currently also disables CSRF checks. \" +\n\t\t\"In a future version, disableOriginCheck will ONLY disable URL validation. \" +\n\t\t\"To keep CSRF disabled, add disableCSRFCheck: true to your config.\",\n);\n\n/**\n * A middleware to validate callbackURL and origin against trustedOrigins.\n * Also handles CSRF protection using Fetch Metadata for first-login scenarios.\n */\nexport const originCheckMiddleware = createAuthMiddleware(async (ctx) => {\n\t// Skip origin check for GET, OPTIONS, HEAD requests - we don't mutate state here.\n\tif (\n\t\tctx.request?.method === \"GET\" ||\n\t\tctx.request?.method === \"OPTIONS\" ||\n\t\tctx.request?.method === \"HEAD\" ||\n\t\t!ctx.request\n\t) {\n\t\treturn;\n\t}\n\tawait validateOrigin(ctx);\n\n\tif (ctx.context.skipOriginCheck) {\n\t\treturn;\n\t}\n\n\tconst { body, query } = ctx;\n\tconst callbackURL = body?.callbackURL || query?.callbackURL;\n\tconst redirectURL = body?.redirectTo;\n\tconst errorCallbackURL = body?.errorCallbackURL;\n\tconst newUserCallbackURL = body?.newUserCallbackURL;\n\n\tconst validateURL = (\n\t\turl: string | undefined,\n\t\tlabel:\n\t\t\t| \"origin\"\n\t\t\t| \"callbackURL\"\n\t\t\t| \"redirectURL\"\n\t\t\t| \"errorCallbackURL\"\n\t\t\t| \"newUserCallbackURL\",\n\t) => {\n\t\tif (!url) {\n\t\t\treturn;\n\t\t}\n\t\tconst isTrustedOrigin = ctx.context.isTrustedOrigin(url, {\n\t\t\tallowRelativePaths: label !== \"origin\",\n\t\t});\n\n\t\tif (!isTrustedOrigin) {\n\t\t\tctx.context.logger.error(`Invalid ${label}: ${url}`);\n\t\t\tctx.context.logger.info(\n\t\t\t\t`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\\n`,\n\t\t\t\t`Current list of trustedOrigins: ${ctx.context.trustedOrigins}`,\n\t\t\t);\n\t\t\tif (label === \"origin\") {\n\t\t\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_ORIGIN);\n\t\t\t}\n\t\t\tif (label === \"callbackURL\") {\n\t\t\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_CALLBACK_URL);\n\t\t\t}\n\t\t\tif (label === \"redirectURL\") {\n\t\t\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_REDIRECT_URL);\n\t\t\t}\n\t\t\tif (label === \"errorCallbackURL\") {\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\tBASE_ERROR_CODES.INVALID_ERROR_CALLBACK_URL,\n\t\t\t\t);\n\t\t\t}\n\t\t\tif (label === \"newUserCallbackURL\") {\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\tBASE_ERROR_CODES.INVALID_NEW_USER_CALLBACK_URL,\n\t\t\t\t);\n\t\t\t}\n\t\t\tthrow APIError.fromStatus(\"FORBIDDEN\", {\n\t\t\t\tmessage: `Invalid ${label}`,\n\t\t\t});\n\t\t}\n\t};\n\n\tcallbackURL && validateURL(callbackURL, \"callbackURL\");\n\tredirectURL && validateURL(redirectURL, \"redirectURL\");\n\terrorCallbackURL && validateURL(errorCallbackURL, \"errorCallbackURL\");\n\tnewUserCallbackURL && validateURL(newUserCallbackURL, \"newUserCallbackURL\");\n});\n\nexport const originCheck = (\n\tgetValue: (ctx: GenericEndpointContext) => string | string[],\n) =>\n\tcreateAuthMiddleware(async (ctx) => {\n\t\tif (!ctx.request) {\n\t\t\treturn;\n\t\t}\n\t\tif (ctx.context.skipOriginCheck) {\n\t\t\treturn;\n\t\t}\n\t\tconst callbackURL = getValue(ctx);\n\t\tconst validateURL = (url: string | undefined, label: string) => {\n\t\t\tif (!url) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tconst isTrustedOrigin = ctx.context.isTrustedOrigin(url, {\n\t\t\t\tallowRelativePaths: label !== \"origin\",\n\t\t\t});\n\n\t\t\tif (!isTrustedOrigin) {\n\t\t\t\tctx.context.logger.error(`Invalid ${label}: ${url}`);\n\t\t\t\tctx.context.logger.info(\n\t\t\t\t\t`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\\n`,\n\t\t\t\t\t`Current list of trustedOrigins: ${ctx.context.trustedOrigins}`,\n\t\t\t\t);\n\t\t\t\tif (label === \"origin\") {\n\t\t\t\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_ORIGIN);\n\t\t\t\t}\n\t\t\t\tif (label === \"callbackURL\") {\n\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_CALLBACK_URL,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tif (label === \"redirectURL\") {\n\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_REDIRECT_URL,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tif (label === \"errorCallbackURL\") {\n\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_ERROR_CALLBACK_URL,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tif (label === \"newUserCallbackURL\") {\n\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_NEW_USER_CALLBACK_URL,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tthrow APIError.fromStatus(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: `Invalid ${label}`,\n\t\t\t\t});\n\t\t\t}\n\t\t};\n\t\tconst callbacks = Array.isArray(callbackURL) ? callbackURL : [callbackURL];\n\t\tfor (const url of callbacks) {\n\t\t\tvalidateURL(url, \"callbackURL\");\n\t\t}\n\t});\n\n/**\n * Validates origin header against trusted origins.\n * @param ctx - The endpoint context\n * @param forceValidate - If true, always validate origin regardless of cookies/skip flags\n */\nasync function validateOrigin(\n\tctx: GenericEndpointContext,\n\tforceValidate = false,\n): Promise<void> {\n\tconst headers = ctx.request?.headers;\n\tif (!headers || !ctx.request) {\n\t\treturn;\n\t}\n\tconst originHeader = headers.get(\"origin\") || headers.get(\"referer\") || \"\";\n\tconst useCookies = headers.has(\"cookie\");\n\n\tif (ctx.context.skipCSRFCheck) {\n\t\treturn;\n\t}\n\n\tif (shouldSkipCSRFForBackwardCompat(ctx)) {\n\t\tctx.context.options.advanced?.disableOriginCheck === true &&\n\t\t\tlogBackwardCompatWarning();\n\t\treturn;\n\t}\n\n\tconst skipOriginCheck = ctx.context.skipOriginCheck;\n\tif (Array.isArray(skipOriginCheck)) {\n\t\ttry {\n\t\t\tconst basePath = new URL(ctx.context.baseURL).pathname;\n\t\t\tconst currentPath = normalizePathname(ctx.request.url, basePath);\n\t\t\tconst shouldSkipPath = skipOriginCheck.some((skipPath) =>\n\t\t\t\tcurrentPath.startsWith(skipPath),\n\t\t\t);\n\t\t\tif (shouldSkipPath) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t} catch {\n\t\t\t// If parsing fails, don't skip - continue with validation\n\t\t}\n\t}\n\n\tconst shouldValidate = forceValidate || useCookies;\n\n\tif (!shouldValidate) {\n\t\treturn;\n\t}\n\n\tif (!originHeader || originHeader === \"null\") {\n\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.MISSING_OR_NULL_ORIGIN);\n\t}\n\n\tconst trustedOrigins: string[] = Array.isArray(\n\t\tctx.context.options.trustedOrigins,\n\t)\n\t\t? ctx.context.trustedOrigins\n\t\t: [\n\t\t\t\t...ctx.context.trustedOrigins,\n\t\t\t\t...((await ctx.context.options.trustedOrigins?.(ctx.request))?.filter(\n\t\t\t\t\t(v): v is string => Boolean(v),\n\t\t\t\t) || []),\n\t\t\t];\n\n\tconst isTrustedOrigin = trustedOrigins.some((origin) =>\n\t\tmatchesOriginPattern(originHeader, origin),\n\t);\n\tif (!isTrustedOrigin) {\n\t\tctx.context.logger.error(`Invalid origin: ${originHeader}`);\n\t\tctx.context.logger.info(\n\t\t\t`If it's a valid URL, please add ${originHeader} to trustedOrigins in your auth config\\n`,\n\t\t\t`Current list of trustedOrigins: ${trustedOrigins}`,\n\t\t);\n\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_ORIGIN);\n\t}\n}\n\n/**\n * Middleware for CSRF protection using Fetch Metadata headers.\n * This prevents cross-site navigation login attacks while supporting progressive enhancement.\n */\nexport const formCsrfMiddleware = createAuthMiddleware(async (ctx) => {\n\tconst request = ctx.request;\n\tif (!request) {\n\t\treturn;\n\t}\n\n\tawait validateFormCsrf(ctx);\n});\n\n/**\n * Validates CSRF protection for first-login scenarios using Fetch Metadata headers.\n * This prevents cross-site form submission attacks while supporting progressive enhancement.\n */\nasync function validateFormCsrf(ctx: GenericEndpointContext): Promise<void> {\n\tconst req = ctx.request;\n\tif (!req) {\n\t\treturn;\n\t}\n\n\tif (ctx.context.skipCSRFCheck) {\n\t\treturn;\n\t}\n\n\tif (shouldSkipCSRFForBackwardCompat(ctx)) {\n\t\treturn;\n\t}\n\n\tconst headers = req.headers;\n\tconst hasAnyCookies = headers.has(\"cookie\");\n\n\tif (hasAnyCookies) {\n\t\treturn await validateOrigin(ctx);\n\t}\n\n\tconst site = headers.get(\"Sec-Fetch-Site\");\n\tconst mode = headers.get(\"Sec-Fetch-Mode\");\n\tconst dest = headers.get(\"Sec-Fetch-Dest\");\n\n\tconst hasMetadata = Boolean(\n\t\t(site && site.trim()) || (mode && mode.trim()) || (dest && dest.trim()),\n\t);\n\n\tif (hasMetadata) {\n\t\t// Block cross-site navigation requests (classic CSRF attack pattern)\n\t\tif (site === \"cross-site\" && mode === \"navigate\") {\n\t\t\tctx.context.logger.error(\n\t\t\t\t\"Blocked cross-site navigation login attempt (CSRF protection)\",\n\t\t\t\t{\n\t\t\t\t\tsecFetchSite: site,\n\t\t\t\t\tsecFetchMode: mode,\n\t\t\t\t\tsecFetchDest: dest,\n\t\t\t\t},\n\t\t\t);\n\t\t\tthrow APIError.from(\n\t\t\t\t\"FORBIDDEN\",\n\t\t\t\tBASE_ERROR_CODES.CROSS_SITE_NAVIGATION_LOGIN_BLOCKED,\n\t\t\t);\n\t\t}\n\n\t\treturn await validateOrigin(ctx, true);\n\t}\n\n\t// No cookies, no Fetch Metadata → fallback to old behavior (no validation)\n\treturn;\n}\n"],"mappings":";;;;;;;;;;;;;AAaA,SAAS,gCAAgC,KAAsC;AAC9E,QACC,IAAI,QAAQ,oBAAoB,QAChC,IAAI,QAAQ,QAAQ,UAAU,qBAAqB;;;;;;AAQrD,MAAM,2BAA2B,UAChC,SAAS,2BAA2B,IACpC,4MAGA;;;;;AAMD,MAAa,wBAAwB,qBAAqB,OAAO,QAAQ;AAExE,KACC,IAAI,SAAS,WAAW,SACxB,IAAI,SAAS,WAAW,aACxB,IAAI,SAAS,WAAW,UACxB,CAAC,IAAI,QAEL;AAED,OAAM,eAAe,IAAI;AAEzB,KAAI,IAAI,QAAQ,gBACf;CAGD,MAAM,EAAE,MAAM,UAAU;CACxB,MAAM,cAAc,MAAM,eAAe,OAAO;CAChD,MAAM,cAAc,MAAM;CAC1B,MAAM,mBAAmB,MAAM;CAC/B,MAAM,qBAAqB,MAAM;CAEjC,MAAM,eACL,KACA,UAMI;AACJ,MAAI,CAAC,IACJ;AAMD,MAAI,CAJoB,IAAI,QAAQ,gBAAgB,KAAK,EACxD,oBAAoB,UAAU,UAC9B,CAAC,EAEoB;AACrB,OAAI,QAAQ,OAAO,MAAM,WAAW,MAAM,IAAI,MAAM;AACpD,OAAI,QAAQ,OAAO,KAClB,mCAAmC,IAAI,2CACvC,mCAAmC,IAAI,QAAQ,iBAC/C;AACD,OAAI,UAAU,SACb,OAAM,SAAS,KAAK,aAAa,iBAAiB,eAAe;AAElE,OAAI,UAAU,cACb,OAAM,SAAS,KAAK,aAAa,iBAAiB,qBAAqB;AAExE,OAAI,UAAU,cACb,OAAM,SAAS,KAAK,aAAa,iBAAiB,qBAAqB;AAExE,OAAI,UAAU,mBACb,OAAM,SAAS,KACd,aACA,iBAAiB,2BACjB;AAEF,OAAI,UAAU,qBACb,OAAM,SAAS,KACd,aACA,iBAAiB,8BACjB;AAEF,SAAM,SAAS,WAAW,aAAa,EACtC,SAAS,WAAW,SACpB,CAAC;;;AAIJ,gBAAe,YAAY,aAAa,cAAc;AACtD,gBAAe,YAAY,aAAa,cAAc;AACtD,qBAAoB,YAAY,kBAAkB,mBAAmB;AACrE,uBAAsB,YAAY,oBAAoB,qBAAqB;EAC1E;AAEF,MAAa,eACZ,aAEA,qBAAqB,OAAO,QAAQ;AACnC,KAAI,CAAC,IAAI,QACR;AAED,KAAI,IAAI,QAAQ,gBACf;CAED,MAAM,cAAc,SAAS,IAAI;CACjC,MAAM,eAAe,KAAyB,UAAkB;AAC/D,MAAI,CAAC,IACJ;AAMD,MAAI,CAJoB,IAAI,QAAQ,gBAAgB,KAAK,EACxD,oBAAoB,UAAU,UAC9B,CAAC,EAEoB;AACrB,OAAI,QAAQ,OAAO,MAAM,WAAW,MAAM,IAAI,MAAM;AACpD,OAAI,QAAQ,OAAO,KAClB,mCAAmC,IAAI,2CACvC,mCAAmC,IAAI,QAAQ,iBAC/C;AACD,OAAI,UAAU,SACb,OAAM,SAAS,KAAK,aAAa,iBAAiB,eAAe;AAElE,OAAI,UAAU,cACb,OAAM,SAAS,KACd,aACA,iBAAiB,qBACjB;AAEF,OAAI,UAAU,cACb,OAAM,SAAS,KACd,aACA,iBAAiB,qBACjB;AAEF,OAAI,UAAU,mBACb,OAAM,SAAS,KACd,aACA,iBAAiB,2BACjB;AAEF,OAAI,UAAU,qBACb,OAAM,SAAS,KACd,aACA,iBAAiB,8BACjB;AAEF,SAAM,SAAS,WAAW,aAAa,EACtC,SAAS,WAAW,SACpB,CAAC;;;CAGJ,MAAM,YAAY,MAAM,QAAQ,YAAY,GAAG,cAAc,CAAC,YAAY;AAC1E,MAAK,MAAM,OAAO,UACjB,aAAY,KAAK,cAAc;EAE/B;;;;;;AAOH,eAAe,eACd,KACA,gBAAgB,OACA;CAChB,MAAM,UAAU,IAAI,SAAS;AAC7B,KAAI,CAAC,WAAW,CAAC,IAAI,QACpB;CAED,MAAM,eAAe,QAAQ,IAAI,SAAS,IAAI,QAAQ,IAAI,UAAU,IAAI;CACxE,MAAM,aAAa,QAAQ,IAAI,SAAS;AAExC,KAAI,IAAI,QAAQ,cACf;AAGD,KAAI,gCAAgC,IAAI,EAAE;AACzC,MAAI,QAAQ,QAAQ,UAAU,uBAAuB,QACpD,0BAA0B;AAC3B;;CAGD,MAAM,kBAAkB,IAAI,QAAQ;AACpC,KAAI,MAAM,QAAQ,gBAAgB,CACjC,KAAI;EACH,MAAM,WAAW,IAAI,IAAI,IAAI,QAAQ,QAAQ,CAAC;EAC9C,MAAM,cAAc,kBAAkB,IAAI,QAAQ,KAAK,SAAS;AAIhE,MAHuB,gBAAgB,MAAM,aAC5C,YAAY,WAAW,SAAS,CAChC,CAEA;SAEM;AAOT,KAAI,EAFmB,iBAAiB,YAGvC;AAGD,KAAI,CAAC,gBAAgB,iBAAiB,OACrC,OAAM,SAAS,KAAK,aAAa,iBAAiB,uBAAuB;CAG1E,MAAM,iBAA2B,MAAM,QACtC,IAAI,QAAQ,QAAQ,eACpB,GACE,IAAI,QAAQ,iBACZ,CACA,GAAG,IAAI,QAAQ,gBACf,IAAK,MAAM,IAAI,QAAQ,QAAQ,iBAAiB,IAAI,QAAQ,GAAG,QAC7D,MAAmB,QAAQ,EAAE,CAC9B,IAAI,EAAE,CACP;AAKH,KAAI,CAHoB,eAAe,MAAM,WAC5C,qBAAqB,cAAc,OAAO,CAC1C,EACqB;AACrB,MAAI,QAAQ,OAAO,MAAM,mBAAmB,eAAe;AAC3D,MAAI,QAAQ,OAAO,KAClB,mCAAmC,aAAa,2CAChD,mCAAmC,iBACnC;AACD,QAAM,SAAS,KAAK,aAAa,iBAAiB,eAAe;;;;;;;AAQnE,MAAa,qBAAqB,qBAAqB,OAAO,QAAQ;AAErE,KAAI,CADY,IAAI,QAEnB;AAGD,OAAM,iBAAiB,IAAI;EAC1B;;;;;AAMF,eAAe,iBAAiB,KAA4C;CAC3E,MAAM,MAAM,IAAI;AAChB,KAAI,CAAC,IACJ;AAGD,KAAI,IAAI,QAAQ,cACf;AAGD,KAAI,gCAAgC,IAAI,CACvC;CAGD,MAAM,UAAU,IAAI;AAGpB,KAFsB,QAAQ,IAAI,SAAS,CAG1C,QAAO,MAAM,eAAe,IAAI;CAGjC,MAAM,OAAO,QAAQ,IAAI,iBAAiB;CAC1C,MAAM,OAAO,QAAQ,IAAI,iBAAiB;CAC1C,MAAM,OAAO,QAAQ,IAAI,iBAAiB;AAM1C,KAJoB,QAClB,QAAQ,KAAK,MAAM,IAAM,QAAQ,KAAK,MAAM,IAAM,QAAQ,KAAK,MAAM,CACtE,EAEgB;AAEhB,MAAI,SAAS,gBAAgB,SAAS,YAAY;AACjD,OAAI,QAAQ,OAAO,MAClB,iEACA;IACC,cAAc;IACd,cAAc;IACd,cAAc;IACd,CACD;AACD,SAAM,SAAS,KACd,aACA,iBAAiB,oCACjB;;AAGF,SAAO,MAAM,eAAe,KAAK,KAAK"}

package/dist/api/rate-limiter/index.mjs

@@ -0,0 +1,177 @@
+import { wildcardMatch } from "../../utils/wildcard.mjs";
+import { getIp } from "../../utils/get-request-ip.mjs";
+import { safeJSONParse } from "@better-auth/core/utils/json";
+import { normalizePathname } from "@better-auth/core/utils/url";
+import { createRateLimitKey } from "@better-auth/core/utils/ip";
+
+//#region src/api/rate-limiter/index.ts
+const memory = /* @__PURE__ */ new Map();
+function shouldRateLimit(max, window, rateLimitData) {
+	const now = Date.now();
+	const windowInMs = window * 1e3;
+	return now - rateLimitData.lastRequest < windowInMs && rateLimitData.count >= max;
+}
+function rateLimitResponse(retryAfter) {
+	return new Response(JSON.stringify({ message: "Too many requests. Please try again later." }), {
+		status: 429,
+		statusText: "Too Many Requests",
+		headers: { "X-Retry-After": retryAfter.toString() }
+	});
+}
+function getRetryAfter(lastRequest, window) {
+	const now = Date.now();
+	const windowInMs = window * 1e3;
+	return Math.ceil((lastRequest + windowInMs - now) / 1e3);
+}
+function createDatabaseStorageWrapper(ctx) {
+	const model = "rateLimit";
+	const db = ctx.adapter;
+	return {
+		get: async (key) => {
+			const data = (await db.findMany({
+				model,
+				where: [{
+					field: "key",
+					value: key
+				}]
+			}))[0];
+			if (typeof data?.lastRequest === "bigint") data.lastRequest = Number(data.lastRequest);
+			return data;
+		},
+		set: async (key, value, _update) => {
+			try {
+				if (_update) await db.updateMany({
+					model,
+					where: [{
+						field: "key",
+						value: key
+					}],
+					update: {
+						count: value.count,
+						lastRequest: value.lastRequest
+					}
+				});
+				else await db.create({
+					model,
+					data: {
+						key,
+						count: value.count,
+						lastRequest: value.lastRequest
+					}
+				});
+			} catch (e) {
+				ctx.logger.error("Error setting rate limit", e);
+			}
+		}
+	};
+}
+function getRateLimitStorage(ctx, rateLimitSettings) {
+	if (ctx.options.rateLimit?.customStorage) return ctx.options.rateLimit.customStorage;
+	const storage = ctx.rateLimit.storage;
+	if (storage === "secondary-storage") return {
+		get: async (key) => {
+			const data = await ctx.options.secondaryStorage?.get(key);
+			return data ? safeJSONParse(data) : null;
+		},
+		set: async (key, value, _update) => {
+			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
+			await ctx.options.secondaryStorage?.set?.(key, JSON.stringify(value), ttl);
+		}
+	};
+	else if (storage === "memory") return {
+		async get(key) {
+			const entry = memory.get(key);
+			if (!entry) return null;
+			if (Date.now() >= entry.expiresAt) {
+				memory.delete(key);
+				return null;
+			}
+			return entry.data;
+		},
+		async set(key, value, _update) {
+			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
+			const expiresAt = Date.now() + ttl * 1e3;
+			memory.set(key, {
+				data: value,
+				expiresAt
+			});
+		}
+	};
+	return createDatabaseStorageWrapper(ctx);
+}
+async function onRequestRateLimit(req, ctx) {
+	if (!ctx.rateLimit.enabled) return;
+	const basePath = new URL(ctx.baseURL).pathname;
+	const path = normalizePathname(req.url, basePath);
+	let currentWindow = ctx.rateLimit.window;
+	let currentMax = ctx.rateLimit.max;
+	const ip = getIp(req, ctx.options);
+	if (!ip) return;
+	const key = createRateLimitKey(ip, path);
+	const specialRule = getDefaultSpecialRules().find((rule) => rule.pathMatcher(path));
+	if (specialRule) {
+		currentWindow = specialRule.window;
+		currentMax = specialRule.max;
+	}
+	for (const plugin of ctx.options.plugins || []) if (plugin.rateLimit) {
+		const matchedRule = plugin.rateLimit.find((rule) => rule.pathMatcher(path));
+		if (matchedRule) {
+			currentWindow = matchedRule.window;
+			currentMax = matchedRule.max;
+			break;
+		}
+	}
+	if (ctx.rateLimit.customRules) {
+		const _path = Object.keys(ctx.rateLimit.customRules).find((p) => {
+			if (p.includes("*")) return wildcardMatch(p)(path);
+			return p === path;
+		});
+		if (_path) {
+			const customRule = ctx.rateLimit.customRules[_path];
+			const resolved = typeof customRule === "function" ? await customRule(req, {
+				window: currentWindow,
+				max: currentMax
+			}) : customRule;
+			if (resolved) {
+				currentWindow = resolved.window;
+				currentMax = resolved.max;
+			}
+			if (resolved === false) return;
+		}
+	}
+	const storage = getRateLimitStorage(ctx, { window: currentWindow });
+	const data = await storage.get(key);
+	const now = Date.now();
+	if (!data) await storage.set(key, {
+		key,
+		count: 1,
+		lastRequest: now
+	});
+	else {
+		const timeSinceLastRequest = now - data.lastRequest;
+		if (shouldRateLimit(currentMax, currentWindow, data)) return rateLimitResponse(getRetryAfter(data.lastRequest, currentWindow));
+		else if (timeSinceLastRequest > currentWindow * 1e3) await storage.set(key, {
+			...data,
+			count: 1,
+			lastRequest: now
+		}, true);
+		else await storage.set(key, {
+			...data,
+			count: data.count + 1,
+			lastRequest: now
+		}, true);
+	}
+}
+function getDefaultSpecialRules() {
+	return [{
+		pathMatcher(path) {
+			return path.startsWith("/sign-in") || path.startsWith("/sign-up") || path.startsWith("/change-password") || path.startsWith("/change-email");
+		},
+		window: 10,
+		max: 3
+	}];
+}
+
+//#endregion
+export { onRequestRateLimit };
+//# sourceMappingURL=index.mjs.map

package/dist/api/rate-limiter/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/api/rate-limiter/index.ts"],"sourcesContent":["import type {\n\tAuthContext,\n\tBetterAuthRateLimitStorage,\n} from \"@better-auth/core\";\nimport { createRateLimitKey } from \"@better-auth/core/utils/ip\";\nimport { safeJSONParse } from \"@better-auth/core/utils/json\";\nimport { normalizePathname } from \"@better-auth/core/utils/url\";\nimport type { RateLimit } from \"../../types\";\nimport { getIp } from \"../../utils/get-request-ip\";\nimport { wildcardMatch } from \"../../utils/wildcard\";\n\ninterface MemoryRateLimitEntry {\n\tdata: RateLimit;\n\texpiresAt: number;\n}\n\nconst memory = new Map<string, MemoryRateLimitEntry>();\n\nfunction shouldRateLimit(\n\tmax: number,\n\twindow: number,\n\trateLimitData: RateLimit,\n) {\n\tconst now = Date.now();\n\tconst windowInMs = window * 1000;\n\tconst timeSinceLastRequest = now - rateLimitData.lastRequest;\n\treturn timeSinceLastRequest < windowInMs && rateLimitData.count >= max;\n}\n\nfunction rateLimitResponse(retryAfter: number) {\n\treturn new Response(\n\t\tJSON.stringify({\n\t\t\tmessage: \"Too many requests. Please try again later.\",\n\t\t}),\n\t\t{\n\t\t\tstatus: 429,\n\t\t\tstatusText: \"Too Many Requests\",\n\t\t\theaders: {\n\t\t\t\t\"X-Retry-After\": retryAfter.toString(),\n\t\t\t},\n\t\t},\n\t);\n}\n\nfunction getRetryAfter(lastRequest: number, window: number) {\n\tconst now = Date.now();\n\tconst windowInMs = window * 1000;\n\treturn Math.ceil((lastRequest + windowInMs - now) / 1000);\n}\n\nfunction createDatabaseStorageWrapper(\n\tctx: AuthContext,\n): BetterAuthRateLimitStorage {\n\tconst model = \"rateLimit\";\n\tconst db = ctx.adapter;\n\treturn {\n\t\tget: async (key: string) => {\n\t\t\tconst res = await db.findMany<RateLimit>({\n\t\t\t\tmodel,\n\t\t\t\twhere: [{ field: \"key\", value: key }],\n\t\t\t});\n\t\t\tconst data = res[0];\n\n\t\t\tif (typeof data?.lastRequest === \"bigint\") {\n\t\t\t\tdata.lastRequest = Number(data.lastRequest);\n\t\t\t}\n\n\t\t\treturn data;\n\t\t},\n\t\tset: async (\n\t\t\tkey: string,\n\t\t\tvalue: RateLimit,\n\t\t\t_update?: boolean | undefined,\n\t\t) => {\n\t\t\ttry {\n\t\t\t\tif (_update) {\n\t\t\t\t\tawait db.updateMany({\n\t\t\t\t\t\tmodel,\n\t\t\t\t\t\twhere: [{ field: \"key\", value: key }],\n\t\t\t\t\t\tupdate: {\n\t\t\t\t\t\t\tcount: value.count,\n\t\t\t\t\t\t\tlastRequest: value.lastRequest,\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t} else {\n\t\t\t\t\tawait db.create({\n\t\t\t\t\t\tmodel,\n\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\tkey,\n\t\t\t\t\t\t\tcount: value.count,\n\t\t\t\t\t\t\tlastRequest: value.lastRequest,\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t} catch (e) {\n\t\t\t\tctx.logger.error(\"Error setting rate limit\", e);\n\t\t\t}\n\t\t},\n\t};\n}\n\nfunction getRateLimitStorage(\n\tctx: AuthContext,\n\trateLimitSettings: {\n\t\twindow: number;\n\t},\n): BetterAuthRateLimitStorage {\n\tif (ctx.options.rateLimit?.customStorage) {\n\t\treturn ctx.options.rateLimit.customStorage;\n\t}\n\tconst storage = ctx.rateLimit.storage;\n\tif (storage === \"secondary-storage\") {\n\t\treturn {\n\t\t\tget: async (key: string) => {\n\t\t\t\tconst data = await ctx.options.secondaryStorage?.get(key);\n\t\t\t\treturn data ? safeJSONParse<RateLimit>(data) : null;\n\t\t\t},\n\t\t\tset: async (\n\t\t\t\tkey: string,\n\t\t\t\tvalue: RateLimit,\n\t\t\t\t_update?: boolean | undefined,\n\t\t\t) => {\n\t\t\t\tconst ttl =\n\t\t\t\t\trateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;\n\t\t\t\tawait ctx.options.secondaryStorage?.set?.(\n\t\t\t\t\tkey,\n\t\t\t\t\tJSON.stringify(value),\n\t\t\t\t\tttl,\n\t\t\t\t);\n\t\t\t},\n\t\t};\n\t} else if (storage === \"memory\") {\n\t\treturn {\n\t\t\tasync get(key: string) {\n\t\t\t\tconst entry = memory.get(key);\n\t\t\t\tif (!entry) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\t\t\t\t// Check if entry has expired\n\t\t\t\tif (Date.now() >= entry.expiresAt) {\n\t\t\t\t\tmemory.delete(key);\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\t\t\t\treturn entry.data;\n\t\t\t},\n\t\t\tasync set(key: string, value: RateLimit, _update?: boolean | undefined) {\n\t\t\t\tconst ttl =\n\t\t\t\t\trateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;\n\t\t\t\tconst expiresAt = Date.now() + ttl * 1000;\n\t\t\t\tmemory.set(key, {\n\t\t\t\t\tdata: value,\n\t\t\t\t\texpiresAt,\n\t\t\t\t});\n\t\t\t},\n\t\t};\n\t}\n\treturn createDatabaseStorageWrapper(ctx);\n}\n\nexport async function onRequestRateLimit(req: Request, ctx: AuthContext) {\n\tif (!ctx.rateLimit.enabled) {\n\t\treturn;\n\t}\n\tconst basePath = new URL(ctx.baseURL).pathname;\n\tconst path = normalizePathname(req.url, basePath);\n\tlet currentWindow = ctx.rateLimit.window;\n\tlet currentMax = ctx.rateLimit.max;\n\tconst ip = getIp(req, ctx.options);\n\tif (!ip) {\n\t\treturn;\n\t}\n\tconst key = createRateLimitKey(ip, path);\n\tconst specialRules = getDefaultSpecialRules();\n\tconst specialRule = specialRules.find((rule) => rule.pathMatcher(path));\n\n\tif (specialRule) {\n\t\tcurrentWindow = specialRule.window;\n\t\tcurrentMax = specialRule.max;\n\t}\n\n\tfor (const plugin of ctx.options.plugins || []) {\n\t\tif (plugin.rateLimit) {\n\t\t\tconst matchedRule = plugin.rateLimit.find((rule) =>\n\t\t\t\trule.pathMatcher(path),\n\t\t\t);\n\t\t\tif (matchedRule) {\n\t\t\t\tcurrentWindow = matchedRule.window;\n\t\t\t\tcurrentMax = matchedRule.max;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\t}\n\n\tif (ctx.rateLimit.customRules) {\n\t\tconst _path = Object.keys(ctx.rateLimit.customRules).find((p) => {\n\t\t\tif (p.includes(\"*\")) {\n\t\t\t\tconst isMatch = wildcardMatch(p)(path);\n\t\t\t\treturn isMatch;\n\t\t\t}\n\t\t\treturn p === path;\n\t\t});\n\t\tif (_path) {\n\t\t\tconst customRule = ctx.rateLimit.customRules[_path];\n\t\t\tconst resolved =\n\t\t\t\ttypeof customRule === \"function\"\n\t\t\t\t\t? await customRule(req, {\n\t\t\t\t\t\t\twindow: currentWindow,\n\t\t\t\t\t\t\tmax: currentMax,\n\t\t\t\t\t\t})\n\t\t\t\t\t: customRule;\n\t\t\tif (resolved) {\n\t\t\t\tcurrentWindow = resolved.window;\n\t\t\t\tcurrentMax = resolved.max;\n\t\t\t}\n\n\t\t\tif (resolved === false) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t}\n\t}\n\n\tconst storage = getRateLimitStorage(ctx, {\n\t\twindow: currentWindow,\n\t});\n\tconst data = await storage.get(key);\n\tconst now = Date.now();\n\n\tif (!data) {\n\t\tawait storage.set(key, {\n\t\t\tkey,\n\t\t\tcount: 1,\n\t\t\tlastRequest: now,\n\t\t});\n\t} else {\n\t\tconst timeSinceLastRequest = now - data.lastRequest;\n\n\t\tif (shouldRateLimit(currentMax, currentWindow, data)) {\n\t\t\tconst retryAfter = getRetryAfter(data.lastRequest, currentWindow);\n\t\t\treturn rateLimitResponse(retryAfter);\n\t\t} else if (timeSinceLastRequest > currentWindow * 1000) {\n\t\t\t// Reset the count if the window has passed since the last request\n\t\t\tawait storage.set(\n\t\t\t\tkey,\n\t\t\t\t{\n\t\t\t\t\t...data,\n\t\t\t\t\tcount: 1,\n\t\t\t\t\tlastRequest: now,\n\t\t\t\t},\n\t\t\t\ttrue,\n\t\t\t);\n\t\t} else {\n\t\t\tawait storage.set(\n\t\t\t\tkey,\n\t\t\t\t{\n\t\t\t\t\t...data,\n\t\t\t\t\tcount: data.count + 1,\n\t\t\t\t\tlastRequest: now,\n\t\t\t\t},\n\t\t\t\ttrue,\n\t\t\t);\n\t\t}\n\t}\n}\n\nfunction getDefaultSpecialRules() {\n\tconst specialRules = [\n\t\t{\n\t\t\tpathMatcher(path: string) {\n\t\t\t\treturn (\n\t\t\t\t\tpath.startsWith(\"/sign-in\") ||\n\t\t\t\t\tpath.startsWith(\"/sign-up\") ||\n\t\t\t\t\tpath.startsWith(\"/change-password\") ||\n\t\t\t\t\tpath.startsWith(\"/change-email\")\n\t\t\t\t);\n\t\t\t},\n\t\t\twindow: 10,\n\t\t\tmax: 3,\n\t\t},\n\t];\n\treturn specialRules;\n}\n"],"mappings":";;;;;;;AAgBA,MAAM,yBAAS,IAAI,KAAmC;AAEtD,SAAS,gBACR,KACA,QACA,eACC;CACD,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,aAAa,SAAS;AAE5B,QAD6B,MAAM,cAAc,cACnB,cAAc,cAAc,SAAS;;AAGpE,SAAS,kBAAkB,YAAoB;AAC9C,QAAO,IAAI,SACV,KAAK,UAAU,EACd,SAAS,8CACT,CAAC,EACF;EACC,QAAQ;EACR,YAAY;EACZ,SAAS,EACR,iBAAiB,WAAW,UAAU,EACtC;EACD,CACD;;AAGF,SAAS,cAAc,aAAqB,QAAgB;CAC3D,MAAM,MAAM,KAAK,KAAK;CACtB,MAAM,aAAa,SAAS;AAC5B,QAAO,KAAK,MAAM,cAAc,aAAa,OAAO,IAAK;;AAG1D,SAAS,6BACR,KAC6B;CAC7B,MAAM,QAAQ;CACd,MAAM,KAAK,IAAI;AACf,QAAO;EACN,KAAK,OAAO,QAAgB;GAK3B,MAAM,QAJM,MAAM,GAAG,SAAoB;IACxC;IACA,OAAO,CAAC;KAAE,OAAO;KAAO,OAAO;KAAK,CAAC;IACrC,CAAC,EACe;AAEjB,OAAI,OAAO,MAAM,gBAAgB,SAChC,MAAK,cAAc,OAAO,KAAK,YAAY;AAG5C,UAAO;;EAER,KAAK,OACJ,KACA,OACA,YACI;AACJ,OAAI;AACH,QAAI,QACH,OAAM,GAAG,WAAW;KACnB;KACA,OAAO,CAAC;MAAE,OAAO;MAAO,OAAO;MAAK,CAAC;KACrC,QAAQ;MACP,OAAO,MAAM;MACb,aAAa,MAAM;MACnB;KACD,CAAC;QAEF,OAAM,GAAG,OAAO;KACf;KACA,MAAM;MACL;MACA,OAAO,MAAM;MACb,aAAa,MAAM;MACnB;KACD,CAAC;YAEK,GAAG;AACX,QAAI,OAAO,MAAM,4BAA4B,EAAE;;;EAGjD;;AAGF,SAAS,oBACR,KACA,mBAG6B;AAC7B,KAAI,IAAI,QAAQ,WAAW,cAC1B,QAAO,IAAI,QAAQ,UAAU;CAE9B,MAAM,UAAU,IAAI,UAAU;AAC9B,KAAI,YAAY,oBACf,QAAO;EACN,KAAK,OAAO,QAAgB;GAC3B,MAAM,OAAO,MAAM,IAAI,QAAQ,kBAAkB,IAAI,IAAI;AACzD,UAAO,OAAO,cAAyB,KAAK,GAAG;;EAEhD,KAAK,OACJ,KACA,OACA,YACI;GACJ,MAAM,MACL,mBAAmB,UAAU,IAAI,QAAQ,WAAW,UAAU;AAC/D,SAAM,IAAI,QAAQ,kBAAkB,MACnC,KACA,KAAK,UAAU,MAAM,EACrB,IACA;;EAEF;UACS,YAAY,SACtB,QAAO;EACN,MAAM,IAAI,KAAa;GACtB,MAAM,QAAQ,OAAO,IAAI,IAAI;AAC7B,OAAI,CAAC,MACJ,QAAO;AAGR,OAAI,KAAK,KAAK,IAAI,MAAM,WAAW;AAClC,WAAO,OAAO,IAAI;AAClB,WAAO;;AAER,UAAO,MAAM;;EAEd,MAAM,IAAI,KAAa,OAAkB,SAA+B;GACvE,MAAM,MACL,mBAAmB,UAAU,IAAI,QAAQ,WAAW,UAAU;GAC/D,MAAM,YAAY,KAAK,KAAK,GAAG,MAAM;AACrC,UAAO,IAAI,KAAK;IACf,MAAM;IACN;IACA,CAAC;;EAEH;AAEF,QAAO,6BAA6B,IAAI;;AAGzC,eAAsB,mBAAmB,KAAc,KAAkB;AACxE,KAAI,CAAC,IAAI,UAAU,QAClB;CAED,MAAM,WAAW,IAAI,IAAI,IAAI,QAAQ,CAAC;CACtC,MAAM,OAAO,kBAAkB,IAAI,KAAK,SAAS;CACjD,IAAI,gBAAgB,IAAI,UAAU;CAClC,IAAI,aAAa,IAAI,UAAU;CAC/B,MAAM,KAAK,MAAM,KAAK,IAAI,QAAQ;AAClC,KAAI,CAAC,GACJ;CAED,MAAM,MAAM,mBAAmB,IAAI,KAAK;CAExC,MAAM,cADe,wBAAwB,CACZ,MAAM,SAAS,KAAK,YAAY,KAAK,CAAC;AAEvE,KAAI,aAAa;AAChB,kBAAgB,YAAY;AAC5B,eAAa,YAAY;;AAG1B,MAAK,MAAM,UAAU,IAAI,QAAQ,WAAW,EAAE,CAC7C,KAAI,OAAO,WAAW;EACrB,MAAM,cAAc,OAAO,UAAU,MAAM,SAC1C,KAAK,YAAY,KAAK,CACtB;AACD,MAAI,aAAa;AAChB,mBAAgB,YAAY;AAC5B,gBAAa,YAAY;AACzB;;;AAKH,KAAI,IAAI,UAAU,aAAa;EAC9B,MAAM,QAAQ,OAAO,KAAK,IAAI,UAAU,YAAY,CAAC,MAAM,MAAM;AAChE,OAAI,EAAE,SAAS,IAAI,CAElB,QADgB,cAAc,EAAE,CAAC,KAAK;AAGvC,UAAO,MAAM;IACZ;AACF,MAAI,OAAO;GACV,MAAM,aAAa,IAAI,UAAU,YAAY;GAC7C,MAAM,WACL,OAAO,eAAe,aACnB,MAAM,WAAW,KAAK;IACtB,QAAQ;IACR,KAAK;IACL,CAAC,GACD;AACJ,OAAI,UAAU;AACb,oBAAgB,SAAS;AACzB,iBAAa,SAAS;;AAGvB,OAAI,aAAa,MAChB;;;CAKH,MAAM,UAAU,oBAAoB,KAAK,EACxC,QAAQ,eACR,CAAC;CACF,MAAM,OAAO,MAAM,QAAQ,IAAI,IAAI;CACnC,MAAM,MAAM,KAAK,KAAK;AAEtB,KAAI,CAAC,KACJ,OAAM,QAAQ,IAAI,KAAK;EACtB;EACA,OAAO;EACP,aAAa;EACb,CAAC;MACI;EACN,MAAM,uBAAuB,MAAM,KAAK;AAExC,MAAI,gBAAgB,YAAY,eAAe,KAAK,CAEnD,QAAO,kBADY,cAAc,KAAK,aAAa,cAAc,CAC7B;WAC1B,uBAAuB,gBAAgB,IAEjD,OAAM,QAAQ,IACb,KACA;GACC,GAAG;GACH,OAAO;GACP,aAAa;GACb,EACD,KACA;MAED,OAAM,QAAQ,IACb,KACA;GACC,GAAG;GACH,OAAO,KAAK,QAAQ;GACpB,aAAa;GACb,EACD,KACA;;;AAKJ,SAAS,yBAAyB;AAejC,QAdqB,CACpB;EACC,YAAY,MAAc;AACzB,UACC,KAAK,WAAW,WAAW,IAC3B,KAAK,WAAW,WAAW,IAC3B,KAAK,WAAW,mBAAmB,IACnC,KAAK,WAAW,gBAAgB;;EAGlC,QAAQ;EACR,KAAK;EACL,CACD"}

package/dist/api/routes/account.d.mts

@@ -0,0 +1,10 @@
+//#region src/api/routes/account.d.ts
+declare const listUserAccounts: any;
+declare const linkSocialAccount: any;
+declare const unlinkAccount: any;
+declare const getAccessToken: any;
+declare const refreshToken: any;
+declare const accountInfo: any;
+//#endregion
+export { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount };
+//# sourceMappingURL=account.d.mts.map