@hammadj/better-auth 1.5.0-beta.10

package/dist/oauth2/link-account.mjs

@@ -0,0 +1,144 @@
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { setAccountCookie } from "../cookies/session-store.mjs";
+import { setTokenUtil } from "./utils.mjs";
+import { createEmailVerificationToken } from "../api/routes/email-verification.mjs";
+import "../api/index.mjs";
+import { isDevelopment, logger } from "@better-auth/core/env";
+
+//#region src/oauth2/link-account.ts
+async function handleOAuthUserInfo(c, opts) {
+	const { userInfo, account, callbackURL, disableSignUp, overrideUserInfo } = opts;
+	const dbUser = await c.context.internalAdapter.findOAuthUser(userInfo.email.toLowerCase(), account.accountId, account.providerId).catch((e) => {
+		logger.error("Better auth was unable to query your database.\nError: ", e);
+		const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+		throw c.redirect(`${errorURL}?error=internal_server_error`);
+	});
+	let user = dbUser?.user;
+	const isRegister = !user;
+	if (dbUser) {
+		const linkedAccount = dbUser.linkedAccount ?? dbUser.accounts.find((acc) => acc.providerId === account.providerId && acc.accountId === account.accountId);
+		if (!linkedAccount) {
+			const accountLinking = c.context.options.account?.accountLinking;
+			const trustedProviders = c.context.options.account?.accountLinking?.trustedProviders;
+			if (!(opts.isTrustedProvider || trustedProviders?.includes(account.providerId)) && !userInfo.emailVerified || accountLinking?.enabled === false || accountLinking?.disableImplicitLinking === true) {
+				if (isDevelopment()) logger.warn(`User already exist but account isn't linked to ${account.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`);
+				return {
+					error: "account not linked",
+					data: null
+				};
+			}
+			try {
+				await c.context.internalAdapter.linkAccount({
+					providerId: account.providerId,
+					accountId: userInfo.id.toString(),
+					userId: dbUser.user.id,
+					accessToken: await setTokenUtil(account.accessToken, c.context),
+					refreshToken: await setTokenUtil(account.refreshToken, c.context),
+					idToken: account.idToken,
+					accessTokenExpiresAt: account.accessTokenExpiresAt,
+					refreshTokenExpiresAt: account.refreshTokenExpiresAt,
+					scope: account.scope
+				});
+			} catch (e) {
+				logger.error("Unable to link account", e);
+				return {
+					error: "unable to link account",
+					data: null
+				};
+			}
+			if (userInfo.emailVerified && !dbUser.user.emailVerified && userInfo.email.toLowerCase() === dbUser.user.email) await c.context.internalAdapter.updateUser(dbUser.user.id, { emailVerified: true });
+		} else {
+			const freshTokens = c.context.options.account?.updateAccountOnSignIn !== false ? Object.fromEntries(Object.entries({
+				idToken: account.idToken,
+				accessToken: await setTokenUtil(account.accessToken, c.context),
+				refreshToken: await setTokenUtil(account.refreshToken, c.context),
+				accessTokenExpiresAt: account.accessTokenExpiresAt,
+				refreshTokenExpiresAt: account.refreshTokenExpiresAt,
+				scope: account.scope
+			}).filter(([_, value]) => value !== void 0)) : {};
+			if (c.context.options.account?.storeAccountCookie) await setAccountCookie(c, {
+				...linkedAccount,
+				...freshTokens
+			});
+			if (Object.keys(freshTokens).length > 0) await c.context.internalAdapter.updateAccount(linkedAccount.id, freshTokens);
+			if (userInfo.emailVerified && !dbUser.user.emailVerified && userInfo.email.toLowerCase() === dbUser.user.email) await c.context.internalAdapter.updateUser(dbUser.user.id, { emailVerified: true });
+		}
+		if (overrideUserInfo) {
+			const { id: _, ...restUserInfo } = userInfo;
+			user = await c.context.internalAdapter.updateUser(dbUser.user.id, {
+				...restUserInfo,
+				email: userInfo.email.toLowerCase(),
+				emailVerified: userInfo.email.toLowerCase() === dbUser.user.email ? dbUser.user.emailVerified || userInfo.emailVerified : userInfo.emailVerified
+			});
+		}
+	} else {
+		if (disableSignUp) return {
+			error: "signup disabled",
+			data: null,
+			isRegister: false
+		};
+		try {
+			const { id: _, ...restUserInfo } = userInfo;
+			const accountData = {
+				accessToken: await setTokenUtil(account.accessToken, c.context),
+				refreshToken: await setTokenUtil(account.refreshToken, c.context),
+				idToken: account.idToken,
+				accessTokenExpiresAt: account.accessTokenExpiresAt,
+				refreshTokenExpiresAt: account.refreshTokenExpiresAt,
+				scope: account.scope,
+				providerId: account.providerId,
+				accountId: userInfo.id.toString()
+			};
+			const { user: createdUser, account: createdAccount } = await c.context.internalAdapter.createOAuthUser({
+				...restUserInfo,
+				email: userInfo.email.toLowerCase()
+			}, accountData);
+			user = createdUser;
+			if (c.context.options.account?.storeAccountCookie) await setAccountCookie(c, createdAccount);
+			if (!userInfo.emailVerified && user && c.context.options.emailVerification?.sendOnSignUp && c.context.options.emailVerification?.sendVerificationEmail) {
+				const token = await createEmailVerificationToken(c.context.secret, user.email, void 0, c.context.options.emailVerification?.expiresIn);
+				const url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${callbackURL}`;
+				await c.context.runInBackgroundOrAwait(c.context.options.emailVerification.sendVerificationEmail({
+					user,
+					url,
+					token
+				}, c.request));
+			}
+		} catch (e) {
+			logger.error(e);
+			if (isAPIError(e)) return {
+				error: e.message,
+				data: null,
+				isRegister: false
+			};
+			return {
+				error: "unable to create user",
+				data: null,
+				isRegister: false
+			};
+		}
+	}
+	if (!user) return {
+		error: "unable to create user",
+		data: null,
+		isRegister: false
+	};
+	const session = await c.context.internalAdapter.createSession(user.id);
+	if (!session) return {
+		error: "unable to create session",
+		data: null,
+		isRegister: false
+	};
+	return {
+		data: {
+			session,
+			user
+		},
+		error: null,
+		isRegister
+	};
+}
+
+//#endregion
+export { handleOAuthUserInfo };
+//# sourceMappingURL=link-account.mjs.map

package/dist/oauth2/link-account.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"link-account.mjs","names":[],"sources":["../../src/oauth2/link-account.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { isDevelopment, logger } from \"@better-auth/core/env\";\nimport { createEmailVerificationToken } from \"../api\";\nimport { setAccountCookie } from \"../cookies/session-store\";\nimport type { Account, User } from \"../types\";\nimport { isAPIError } from \"../utils/is-api-error\";\nimport { setTokenUtil } from \"./utils\";\n\nexport async function handleOAuthUserInfo(\n\tc: GenericEndpointContext,\n\topts: {\n\t\tuserInfo: Omit<User, \"createdAt\" | \"updatedAt\">;\n\t\taccount: Omit<Account, \"id\" | \"userId\" | \"createdAt\" | \"updatedAt\">;\n\t\tcallbackURL?: string | undefined;\n\t\tdisableSignUp?: boolean | undefined;\n\t\toverrideUserInfo?: boolean | undefined;\n\t\tisTrustedProvider?: boolean | undefined;\n\t},\n) {\n\tconst { userInfo, account, callbackURL, disableSignUp, overrideUserInfo } =\n\t\topts;\n\tconst dbUser = await c.context.internalAdapter\n\t\t.findOAuthUser(\n\t\t\tuserInfo.email.toLowerCase(),\n\t\t\taccount.accountId,\n\t\t\taccount.providerId,\n\t\t)\n\t\t.catch((e) => {\n\t\t\tlogger.error(\n\t\t\t\t\"Better auth was unable to query your database.\\nError: \",\n\t\t\t\te,\n\t\t\t);\n\t\t\tconst errorURL =\n\t\t\t\tc.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;\n\t\t\tthrow c.redirect(`${errorURL}?error=internal_server_error`);\n\t\t});\n\tlet user = dbUser?.user;\n\tconst isRegister = !user;\n\n\tif (dbUser) {\n\t\tconst linkedAccount =\n\t\t\tdbUser.linkedAccount ??\n\t\t\tdbUser.accounts.find(\n\t\t\t\t(acc) =>\n\t\t\t\t\tacc.providerId === account.providerId &&\n\t\t\t\t\tacc.accountId === account.accountId,\n\t\t\t);\n\t\tif (!linkedAccount) {\n\t\t\tconst accountLinking = c.context.options.account?.accountLinking;\n\t\t\tconst trustedProviders =\n\t\t\t\tc.context.options.account?.accountLinking?.trustedProviders;\n\t\t\tconst isTrustedProvider =\n\t\t\t\topts.isTrustedProvider ||\n\t\t\t\ttrustedProviders?.includes(account.providerId);\n\t\t\tif (\n\t\t\t\t(!isTrustedProvider && !userInfo.emailVerified) ||\n\t\t\t\taccountLinking?.enabled === false ||\n\t\t\t\taccountLinking?.disableImplicitLinking === true\n\t\t\t) {\n\t\t\t\tif (isDevelopment()) {\n\t\t\t\t\tlogger.warn(\n\t\t\t\t\t\t`User already exist but account isn't linked to ${account.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\treturn {\n\t\t\t\t\terror: \"account not linked\",\n\t\t\t\t\tdata: null,\n\t\t\t\t};\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tawait c.context.internalAdapter.linkAccount({\n\t\t\t\t\tproviderId: account.providerId,\n\t\t\t\t\taccountId: userInfo.id.toString(),\n\t\t\t\t\tuserId: dbUser.user.id,\n\t\t\t\t\taccessToken: await setTokenUtil(account.accessToken, c.context),\n\t\t\t\t\trefreshToken: await setTokenUtil(account.refreshToken, c.context),\n\t\t\t\t\tidToken: account.idToken,\n\t\t\t\t\taccessTokenExpiresAt: account.accessTokenExpiresAt,\n\t\t\t\t\trefreshTokenExpiresAt: account.refreshTokenExpiresAt,\n\t\t\t\t\tscope: account.scope,\n\t\t\t\t});\n\t\t\t} catch (e) {\n\t\t\t\tlogger.error(\"Unable to link account\", e);\n\t\t\t\treturn {\n\t\t\t\t\terror: \"unable to link account\",\n\t\t\t\t\tdata: null,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tuserInfo.emailVerified &&\n\t\t\t\t!dbUser.user.emailVerified &&\n\t\t\t\tuserInfo.email.toLowerCase() === dbUser.user.email\n\t\t\t) {\n\t\t\t\tawait c.context.internalAdapter.updateUser(dbUser.user.id, {\n\t\t\t\t\temailVerified: true,\n\t\t\t\t});\n\t\t\t}\n\t\t} else {\n\t\t\tconst freshTokens =\n\t\t\t\tc.context.options.account?.updateAccountOnSignIn !== false\n\t\t\t\t\t? Object.fromEntries(\n\t\t\t\t\t\t\tObject.entries({\n\t\t\t\t\t\t\t\tidToken: account.idToken,\n\t\t\t\t\t\t\t\taccessToken: await setTokenUtil(account.accessToken, c.context),\n\t\t\t\t\t\t\t\trefreshToken: await setTokenUtil(\n\t\t\t\t\t\t\t\t\taccount.refreshToken,\n\t\t\t\t\t\t\t\t\tc.context,\n\t\t\t\t\t\t\t\t),\n\t\t\t\t\t\t\t\taccessTokenExpiresAt: account.accessTokenExpiresAt,\n\t\t\t\t\t\t\t\trefreshTokenExpiresAt: account.refreshTokenExpiresAt,\n\t\t\t\t\t\t\t\tscope: account.scope,\n\t\t\t\t\t\t\t}).filter(([_, value]) => value !== undefined),\n\t\t\t\t\t\t)\n\t\t\t\t\t: {};\n\n\t\t\tif (c.context.options.account?.storeAccountCookie) {\n\t\t\t\tawait setAccountCookie(c, {\n\t\t\t\t\t...linkedAccount,\n\t\t\t\t\t...freshTokens,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (Object.keys(freshTokens).length > 0) {\n\t\t\t\tawait c.context.internalAdapter.updateAccount(\n\t\t\t\t\tlinkedAccount.id,\n\t\t\t\t\tfreshTokens,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tuserInfo.emailVerified &&\n\t\t\t\t!dbUser.user.emailVerified &&\n\t\t\t\tuserInfo.email.toLowerCase() === dbUser.user.email\n\t\t\t) {\n\t\t\t\tawait c.context.internalAdapter.updateUser(dbUser.user.id, {\n\t\t\t\t\temailVerified: true,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t\tif (overrideUserInfo) {\n\t\t\tconst { id: _, ...restUserInfo } = userInfo;\n\t\t\t// update user info from the provider if overrideUserInfo is true\n\t\t\tuser = await c.context.internalAdapter.updateUser(dbUser.user.id, {\n\t\t\t\t...restUserInfo,\n\t\t\t\temail: userInfo.email.toLowerCase(),\n\t\t\t\temailVerified:\n\t\t\t\t\tuserInfo.email.toLowerCase() === dbUser.user.email\n\t\t\t\t\t\t? dbUser.user.emailVerified || userInfo.emailVerified\n\t\t\t\t\t\t: userInfo.emailVerified,\n\t\t\t});\n\t\t}\n\t} else {\n\t\tif (disableSignUp) {\n\t\t\treturn {\n\t\t\t\terror: \"signup disabled\",\n\t\t\t\tdata: null,\n\t\t\t\tisRegister: false,\n\t\t\t};\n\t\t}\n\t\ttry {\n\t\t\tconst { id: _, ...restUserInfo } = userInfo;\n\t\t\tconst accountData = {\n\t\t\t\taccessToken: await setTokenUtil(account.accessToken, c.context),\n\t\t\t\trefreshToken: await setTokenUtil(account.refreshToken, c.context),\n\t\t\t\tidToken: account.idToken,\n\t\t\t\taccessTokenExpiresAt: account.accessTokenExpiresAt,\n\t\t\t\trefreshTokenExpiresAt: account.refreshTokenExpiresAt,\n\t\t\t\tscope: account.scope,\n\t\t\t\tproviderId: account.providerId,\n\t\t\t\taccountId: userInfo.id.toString(),\n\t\t\t};\n\t\t\tconst { user: createdUser, account: createdAccount } =\n\t\t\t\tawait c.context.internalAdapter.createOAuthUser(\n\t\t\t\t\t{\n\t\t\t\t\t\t...restUserInfo,\n\t\t\t\t\t\temail: userInfo.email.toLowerCase(),\n\t\t\t\t\t},\n\t\t\t\t\taccountData,\n\t\t\t\t);\n\t\t\tuser = createdUser;\n\t\t\tif (c.context.options.account?.storeAccountCookie) {\n\t\t\t\tawait setAccountCookie(c, createdAccount);\n\t\t\t}\n\t\t\tif (\n\t\t\t\t!userInfo.emailVerified &&\n\t\t\t\tuser &&\n\t\t\t\tc.context.options.emailVerification?.sendOnSignUp &&\n\t\t\t\tc.context.options.emailVerification?.sendVerificationEmail\n\t\t\t) {\n\t\t\t\tconst token = await createEmailVerificationToken(\n\t\t\t\t\tc.context.secret,\n\t\t\t\t\tuser.email,\n\t\t\t\t\tundefined,\n\t\t\t\t\tc.context.options.emailVerification?.expiresIn,\n\t\t\t\t);\n\t\t\t\tconst url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${callbackURL}`;\n\t\t\t\tawait c.context.runInBackgroundOrAwait(\n\t\t\t\t\tc.context.options.emailVerification.sendVerificationEmail(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tuser,\n\t\t\t\t\t\t\turl,\n\t\t\t\t\t\t\ttoken,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tc.request,\n\t\t\t\t\t),\n\t\t\t\t);\n\t\t\t}\n\t\t} catch (e: any) {\n\t\t\tlogger.error(e);\n\t\t\tif (isAPIError(e)) {\n\t\t\t\treturn {\n\t\t\t\t\terror: e.message,\n\t\t\t\t\tdata: null,\n\t\t\t\t\tisRegister: false,\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\terror: \"unable to create user\",\n\t\t\t\tdata: null,\n\t\t\t\tisRegister: false,\n\t\t\t};\n\t\t}\n\t}\n\tif (!user) {\n\t\treturn {\n\t\t\terror: \"unable to create user\",\n\t\t\tdata: null,\n\t\t\tisRegister: false,\n\t\t};\n\t}\n\n\tconst session = await c.context.internalAdapter.createSession(user.id);\n\tif (!session) {\n\t\treturn {\n\t\t\terror: \"unable to create session\",\n\t\t\tdata: null,\n\t\t\tisRegister: false,\n\t\t};\n\t}\n\n\treturn {\n\t\tdata: {\n\t\t\tsession,\n\t\t\tuser,\n\t\t},\n\t\terror: null,\n\t\tisRegister,\n\t};\n}\n"],"mappings":";;;;;;;;AAQA,eAAsB,oBACrB,GACA,MAQC;CACD,MAAM,EAAE,UAAU,SAAS,aAAa,eAAe,qBACtD;CACD,MAAM,SAAS,MAAM,EAAE,QAAQ,gBAC7B,cACA,SAAS,MAAM,aAAa,EAC5B,QAAQ,WACR,QAAQ,WACR,CACA,OAAO,MAAM;AACb,SAAO,MACN,2DACA,EACA;EACD,MAAM,WACL,EAAE,QAAQ,QAAQ,YAAY,YAAY,GAAG,EAAE,QAAQ,QAAQ;AAChE,QAAM,EAAE,SAAS,GAAG,SAAS,8BAA8B;GAC1D;CACH,IAAI,OAAO,QAAQ;CACnB,MAAM,aAAa,CAAC;AAEpB,KAAI,QAAQ;EACX,MAAM,gBACL,OAAO,iBACP,OAAO,SAAS,MACd,QACA,IAAI,eAAe,QAAQ,cAC3B,IAAI,cAAc,QAAQ,UAC3B;AACF,MAAI,CAAC,eAAe;GACnB,MAAM,iBAAiB,EAAE,QAAQ,QAAQ,SAAS;GAClD,MAAM,mBACL,EAAE,QAAQ,QAAQ,SAAS,gBAAgB;AAI5C,OACE,EAHD,KAAK,qBACL,kBAAkB,SAAS,QAAQ,WAAW,KAEvB,CAAC,SAAS,iBACjC,gBAAgB,YAAY,SAC5B,gBAAgB,2BAA2B,MAC1C;AACD,QAAI,eAAe,CAClB,QAAO,KACN,kDAAkD,QAAQ,WAAW,6IACrE;AAEF,WAAO;KACN,OAAO;KACP,MAAM;KACN;;AAEF,OAAI;AACH,UAAM,EAAE,QAAQ,gBAAgB,YAAY;KAC3C,YAAY,QAAQ;KACpB,WAAW,SAAS,GAAG,UAAU;KACjC,QAAQ,OAAO,KAAK;KACpB,aAAa,MAAM,aAAa,QAAQ,aAAa,EAAE,QAAQ;KAC/D,cAAc,MAAM,aAAa,QAAQ,cAAc,EAAE,QAAQ;KACjE,SAAS,QAAQ;KACjB,sBAAsB,QAAQ;KAC9B,uBAAuB,QAAQ;KAC/B,OAAO,QAAQ;KACf,CAAC;YACM,GAAG;AACX,WAAO,MAAM,0BAA0B,EAAE;AACzC,WAAO;KACN,OAAO;KACP,MAAM;KACN;;AAGF,OACC,SAAS,iBACT,CAAC,OAAO,KAAK,iBACb,SAAS,MAAM,aAAa,KAAK,OAAO,KAAK,MAE7C,OAAM,EAAE,QAAQ,gBAAgB,WAAW,OAAO,KAAK,IAAI,EAC1D,eAAe,MACf,CAAC;SAEG;GACN,MAAM,cACL,EAAE,QAAQ,QAAQ,SAAS,0BAA0B,QAClD,OAAO,YACP,OAAO,QAAQ;IACd,SAAS,QAAQ;IACjB,aAAa,MAAM,aAAa,QAAQ,aAAa,EAAE,QAAQ;IAC/D,cAAc,MAAM,aACnB,QAAQ,cACR,EAAE,QACF;IACD,sBAAsB,QAAQ;IAC9B,uBAAuB,QAAQ;IAC/B,OAAO,QAAQ;IACf,CAAC,CAAC,QAAQ,CAAC,GAAG,WAAW,UAAU,OAAU,CAC9C,GACA,EAAE;AAEN,OAAI,EAAE,QAAQ,QAAQ,SAAS,mBAC9B,OAAM,iBAAiB,GAAG;IACzB,GAAG;IACH,GAAG;IACH,CAAC;AAGH,OAAI,OAAO,KAAK,YAAY,CAAC,SAAS,EACrC,OAAM,EAAE,QAAQ,gBAAgB,cAC/B,cAAc,IACd,YACA;AAGF,OACC,SAAS,iBACT,CAAC,OAAO,KAAK,iBACb,SAAS,MAAM,aAAa,KAAK,OAAO,KAAK,MAE7C,OAAM,EAAE,QAAQ,gBAAgB,WAAW,OAAO,KAAK,IAAI,EAC1D,eAAe,MACf,CAAC;;AAGJ,MAAI,kBAAkB;GACrB,MAAM,EAAE,IAAI,GAAG,GAAG,iBAAiB;AAEnC,UAAO,MAAM,EAAE,QAAQ,gBAAgB,WAAW,OAAO,KAAK,IAAI;IACjE,GAAG;IACH,OAAO,SAAS,MAAM,aAAa;IACnC,eACC,SAAS,MAAM,aAAa,KAAK,OAAO,KAAK,QAC1C,OAAO,KAAK,iBAAiB,SAAS,gBACtC,SAAS;IACb,CAAC;;QAEG;AACN,MAAI,cACH,QAAO;GACN,OAAO;GACP,MAAM;GACN,YAAY;GACZ;AAEF,MAAI;GACH,MAAM,EAAE,IAAI,GAAG,GAAG,iBAAiB;GACnC,MAAM,cAAc;IACnB,aAAa,MAAM,aAAa,QAAQ,aAAa,EAAE,QAAQ;IAC/D,cAAc,MAAM,aAAa,QAAQ,cAAc,EAAE,QAAQ;IACjE,SAAS,QAAQ;IACjB,sBAAsB,QAAQ;IAC9B,uBAAuB,QAAQ;IAC/B,OAAO,QAAQ;IACf,YAAY,QAAQ;IACpB,WAAW,SAAS,GAAG,UAAU;IACjC;GACD,MAAM,EAAE,MAAM,aAAa,SAAS,mBACnC,MAAM,EAAE,QAAQ,gBAAgB,gBAC/B;IACC,GAAG;IACH,OAAO,SAAS,MAAM,aAAa;IACnC,EACD,YACA;AACF,UAAO;AACP,OAAI,EAAE,QAAQ,QAAQ,SAAS,mBAC9B,OAAM,iBAAiB,GAAG,eAAe;AAE1C,OACC,CAAC,SAAS,iBACV,QACA,EAAE,QAAQ,QAAQ,mBAAmB,gBACrC,EAAE,QAAQ,QAAQ,mBAAmB,uBACpC;IACD,MAAM,QAAQ,MAAM,6BACnB,EAAE,QAAQ,QACV,KAAK,OACL,QACA,EAAE,QAAQ,QAAQ,mBAAmB,UACrC;IACD,MAAM,MAAM,GAAG,EAAE,QAAQ,QAAQ,sBAAsB,MAAM,eAAe;AAC5E,UAAM,EAAE,QAAQ,uBACf,EAAE,QAAQ,QAAQ,kBAAkB,sBACnC;KACC;KACA;KACA;KACA,EACD,EAAE,QACF,CACD;;WAEM,GAAQ;AAChB,UAAO,MAAM,EAAE;AACf,OAAI,WAAW,EAAE,CAChB,QAAO;IACN,OAAO,EAAE;IACT,MAAM;IACN,YAAY;IACZ;AAEF,UAAO;IACN,OAAO;IACP,MAAM;IACN,YAAY;IACZ;;;AAGH,KAAI,CAAC,KACJ,QAAO;EACN,OAAO;EACP,MAAM;EACN,YAAY;EACZ;CAGF,MAAM,UAAU,MAAM,EAAE,QAAQ,gBAAgB,cAAc,KAAK,GAAG;AACtE,KAAI,CAAC,QACJ,QAAO;EACN,OAAO;EACP,MAAM;EACN,YAAY;EACZ;AAGF,QAAO;EACN,MAAM;GACL;GACA;GACA;EACD,OAAO;EACP;EACA"}

package/dist/oauth2/state.d.mts

@@ -0,0 +1,26 @@
+import { GenericEndpointContext } from "@better-auth/core";
+
+//#region src/oauth2/state.d.ts
+declare function generateState(c: GenericEndpointContext, link: {
+  email: string;
+  userId: string;
+} | undefined, additionalData: Record<string, any> | false | undefined): Promise<{
+  state: any;
+  codeVerifier: string;
+}>;
+declare function parseState(c: GenericEndpointContext): Promise<{
+  [x: string]: unknown;
+  callbackURL: string;
+  codeVerifier: string;
+  expiresAt: number;
+  errorURL?: string | undefined;
+  newUserURL?: string | undefined;
+  link?: {
+    email: string;
+    userId: string;
+  } | undefined;
+  requestSignUp?: boolean | undefined;
+}>;
+//#endregion
+export { generateState, parseState };
+//# sourceMappingURL=state.d.mts.map

package/dist/oauth2/state.mjs

@@ -0,0 +1,51 @@
+import { generateRandomString } from "../crypto/random.mjs";
+import "../crypto/index.mjs";
+import { setOAuthState } from "../api/state/oauth.mjs";
+import { StateError, generateGenericState, parseGenericState } from "../state.mjs";
+import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+
+//#region src/oauth2/state.ts
+async function generateState(c, link, additionalData) {
+	const callbackURL = c.body?.callbackURL || c.context.options.baseURL;
+	if (!callbackURL) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.CALLBACK_URL_REQUIRED);
+	const codeVerifier = generateRandomString(128);
+	const stateData = {
+		...additionalData ? additionalData : {},
+		callbackURL,
+		codeVerifier,
+		errorURL: c.body?.errorCallbackURL,
+		newUserURL: c.body?.newUserCallbackURL,
+		link,
+		expiresAt: Date.now() + 600 * 1e3,
+		requestSignUp: c.body?.requestSignUp
+	};
+	await setOAuthState(stateData);
+	try {
+		return generateGenericState(c, stateData);
+	} catch (error) {
+		c.context.logger.error("Failed to create verification", error);
+		throw new APIError("INTERNAL_SERVER_ERROR", {
+			message: "Unable to create verification",
+			cause: error
+		});
+	}
+}
+async function parseState(c) {
+	const state = c.query.state || c.body.state;
+	const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+	let parsedData;
+	try {
+		parsedData = await parseGenericState(c, state);
+	} catch (error) {
+		c.context.logger.error("Failed to parse state", error);
+		if (error instanceof StateError && error.code === "state_security_mismatch") throw c.redirect(`${errorURL}?error=state_mismatch`);
+		throw c.redirect(`${errorURL}?error=please_restart_the_process`);
+	}
+	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
+	if (parsedData) await setOAuthState(parsedData);
+	return parsedData;
+}
+
+//#endregion
+export { generateState, parseState };
+//# sourceMappingURL=state.mjs.map

package/dist/oauth2/state.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.mjs","names":[],"sources":["../../src/oauth2/state.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError, BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { setOAuthState } from \"../api/state/oauth\";\nimport { generateRandomString } from \"../crypto\";\nimport type { StateData } from \"../state\";\nimport { generateGenericState, parseGenericState, StateError } from \"../state\";\n\nexport async function generateState(\n\tc: GenericEndpointContext,\n\tlink:\n\t\t| {\n\t\t\t\temail: string;\n\t\t\t\tuserId: string;\n\t\t  }\n\t\t| undefined,\n\tadditionalData: Record<string, any> | false | undefined,\n) {\n\tconst callbackURL = c.body?.callbackURL || c.context.options.baseURL;\n\tif (!callbackURL) {\n\t\tthrow APIError.from(\"BAD_REQUEST\", BASE_ERROR_CODES.CALLBACK_URL_REQUIRED);\n\t}\n\n\tconst codeVerifier = generateRandomString(128);\n\n\tconst stateData: StateData = {\n\t\t...(additionalData ? additionalData : {}),\n\t\tcallbackURL,\n\t\tcodeVerifier,\n\t\terrorURL: c.body?.errorCallbackURL,\n\t\tnewUserURL: c.body?.newUserCallbackURL,\n\t\tlink,\n\t\texpiresAt: Date.now() + 10 * 60 * 1000,\n\t\trequestSignUp: c.body?.requestSignUp,\n\t};\n\n\tawait setOAuthState(stateData);\n\n\ttry {\n\t\treturn generateGenericState(c, stateData);\n\t} catch (error) {\n\t\tc.context.logger.error(\"Failed to create verification\", error);\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\tmessage: \"Unable to create verification\",\n\t\t\tcause: error,\n\t\t});\n\t}\n}\n\nexport async function parseState(c: GenericEndpointContext) {\n\tconst state = c.query.state || c.body.state;\n\tconst errorURL =\n\t\tc.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;\n\n\tlet parsedData: StateData;\n\n\ttry {\n\t\tparsedData = await parseGenericState(c, state);\n\t} catch (error) {\n\t\tc.context.logger.error(\"Failed to parse state\", error);\n\n\t\tif (\n\t\t\terror instanceof StateError &&\n\t\t\terror.code === \"state_security_mismatch\"\n\t\t) {\n\t\t\tthrow c.redirect(`${errorURL}?error=state_mismatch`);\n\t\t}\n\n\t\tthrow c.redirect(`${errorURL}?error=please_restart_the_process`);\n\t}\n\n\tif (!parsedData.errorURL) {\n\t\tparsedData.errorURL = errorURL;\n\t}\n\n\tif (parsedData) {\n\t\tawait setOAuthState(parsedData);\n\t}\n\n\treturn parsedData;\n}\n"],"mappings":";;;;;;;AAOA,eAAsB,cACrB,GACA,MAMA,gBACC;CACD,MAAM,cAAc,EAAE,MAAM,eAAe,EAAE,QAAQ,QAAQ;AAC7D,KAAI,CAAC,YACJ,OAAM,SAAS,KAAK,eAAe,iBAAiB,sBAAsB;CAG3E,MAAM,eAAe,qBAAqB,IAAI;CAE9C,MAAM,YAAuB;EAC5B,GAAI,iBAAiB,iBAAiB,EAAE;EACxC;EACA;EACA,UAAU,EAAE,MAAM;EAClB,YAAY,EAAE,MAAM;EACpB;EACA,WAAW,KAAK,KAAK,GAAG,MAAU;EAClC,eAAe,EAAE,MAAM;EACvB;AAED,OAAM,cAAc,UAAU;AAE9B,KAAI;AACH,SAAO,qBAAqB,GAAG,UAAU;UACjC,OAAO;AACf,IAAE,QAAQ,OAAO,MAAM,iCAAiC,MAAM;AAC9D,QAAM,IAAI,SAAS,yBAAyB;GAC3C,SAAS;GACT,OAAO;GACP,CAAC;;;AAIJ,eAAsB,WAAW,GAA2B;CAC3D,MAAM,QAAQ,EAAE,MAAM,SAAS,EAAE,KAAK;CACtC,MAAM,WACL,EAAE,QAAQ,QAAQ,YAAY,YAAY,GAAG,EAAE,QAAQ,QAAQ;CAEhE,IAAI;AAEJ,KAAI;AACH,eAAa,MAAM,kBAAkB,GAAG,MAAM;UACtC,OAAO;AACf,IAAE,QAAQ,OAAO,MAAM,yBAAyB,MAAM;AAEtD,MACC,iBAAiB,cACjB,MAAM,SAAS,0BAEf,OAAM,EAAE,SAAS,GAAG,SAAS,uBAAuB;AAGrD,QAAM,EAAE,SAAS,GAAG,SAAS,mCAAmC;;AAGjE,KAAI,CAAC,WAAW,SACf,YAAW,WAAW;AAGvB,KAAI,WACH,OAAM,cAAc,WAAW;AAGhC,QAAO"}

package/dist/oauth2/utils.d.mts

@@ -0,0 +1,8 @@
+import { AuthContext } from "@better-auth/core";
+
+//#region src/oauth2/utils.d.ts
+declare function decryptOAuthToken(token: string, ctx: AuthContext): string | Promise<string>;
+declare function setTokenUtil(token: string | null | undefined, ctx: AuthContext): string | Promise<string> | null | undefined;
+//#endregion
+export { decryptOAuthToken, setTokenUtil };
+//# sourceMappingURL=utils.d.mts.map

package/dist/oauth2/utils.mjs

@@ -0,0 +1,31 @@
+import { symmetricDecrypt, symmetricEncrypt } from "../crypto/index.mjs";
+
+//#region src/oauth2/utils.ts
+/**
+* Check if a string looks like encrypted data
+*/
+function isLikelyEncrypted(token) {
+	return token.length % 2 === 0 && /^[0-9a-f]+$/i.test(token);
+}
+function decryptOAuthToken(token, ctx) {
+	if (!token) return token;
+	if (ctx.options.account?.encryptOAuthTokens) {
+		if (!isLikelyEncrypted(token)) return token;
+		return symmetricDecrypt({
+			key: ctx.secret,
+			data: token
+		});
+	}
+	return token;
+}
+function setTokenUtil(token, ctx) {
+	if (ctx.options.account?.encryptOAuthTokens && token) return symmetricEncrypt({
+		key: ctx.secret,
+		data: token
+	});
+	return token;
+}
+
+//#endregion
+export { decryptOAuthToken, setTokenUtil };
+//# sourceMappingURL=utils.mjs.map

package/dist/oauth2/utils.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.mjs","names":[],"sources":["../../src/oauth2/utils.ts"],"sourcesContent":["import type { AuthContext } from \"@better-auth/core\";\nimport { symmetricDecrypt, symmetricEncrypt } from \"../crypto\";\n\n/**\n * Check if a string looks like encrypted data\n */\nfunction isLikelyEncrypted(token: string): boolean {\n\treturn token.length % 2 === 0 && /^[0-9a-f]+$/i.test(token);\n}\n\nexport function decryptOAuthToken(token: string, ctx: AuthContext) {\n\tif (!token) return token;\n\tif (ctx.options.account?.encryptOAuthTokens) {\n\t\tif (!isLikelyEncrypted(token)) {\n\t\t\treturn token;\n\t\t}\n\t\treturn symmetricDecrypt({\n\t\t\tkey: ctx.secret,\n\t\t\tdata: token,\n\t\t});\n\t}\n\treturn token;\n}\n\nexport function setTokenUtil(\n\ttoken: string | null | undefined,\n\tctx: AuthContext,\n) {\n\tif (ctx.options.account?.encryptOAuthTokens && token) {\n\t\treturn symmetricEncrypt({\n\t\t\tkey: ctx.secret,\n\t\t\tdata: token,\n\t\t});\n\t}\n\treturn token;\n}\n"],"mappings":";;;;;;AAMA,SAAS,kBAAkB,OAAwB;AAClD,QAAO,MAAM,SAAS,MAAM,KAAK,eAAe,KAAK,MAAM;;AAG5D,SAAgB,kBAAkB,OAAe,KAAkB;AAClE,KAAI,CAAC,MAAO,QAAO;AACnB,KAAI,IAAI,QAAQ,SAAS,oBAAoB;AAC5C,MAAI,CAAC,kBAAkB,MAAM,CAC5B,QAAO;AAER,SAAO,iBAAiB;GACvB,KAAK,IAAI;GACT,MAAM;GACN,CAAC;;AAEH,QAAO;;AAGR,SAAgB,aACf,OACA,KACC;AACD,KAAI,IAAI,QAAQ,SAAS,sBAAsB,MAC9C,QAAO,iBAAiB;EACvB,KAAK,IAAI;EACT,MAAM;EACN,CAAC;AAEH,QAAO"}

package/dist/plugins/access/access.d.mts

@@ -0,0 +1,30 @@
+import { Statements, Subset } from "./types.mjs";
+
+//#region src/plugins/access/access.d.ts
+type AuthorizeResponse = {
+  success: false;
+  error: string;
+} | {
+  success: true;
+  error?: never | undefined;
+};
+declare function role<TStatements extends Statements>(statements: TStatements): {
+  authorize<K extends keyof TStatements>(request: { [key in K]?: TStatements[key] | {
+    actions: TStatements[key];
+    connector: "OR" | "AND";
+  } }, connector?: "OR" | "AND"): AuthorizeResponse;
+  statements: TStatements;
+};
+declare function createAccessControl<const TStatements extends Statements>(s: TStatements): {
+  newRole<K extends keyof TStatements>(statements: Subset<K, TStatements>): {
+    authorize<K_1 extends K>(request: K_1 extends infer T extends keyof Subset<K, TStatements> ? { [key in T]?: Subset<K, TStatements>[key] | {
+      actions: Subset<K, TStatements>[key];
+      connector: "OR" | "AND";
+    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
+    statements: Subset<K, TStatements>;
+  };
+  statements: TStatements;
+};
+//#endregion
+export { AuthorizeResponse, createAccessControl, role };
+//# sourceMappingURL=access.d.mts.map

package/dist/plugins/access/access.mjs

@@ -0,0 +1,46 @@
+import { BetterAuthError } from "@better-auth/core/error";
+
+//#region src/plugins/access/access.ts
+function role(statements) {
+	return {
+		authorize(request, connector = "AND") {
+			let success = false;
+			for (const [requestedResource, requestedActions] of Object.entries(request)) {
+				const allowedActions = statements[requestedResource];
+				if (!allowedActions) return {
+					success: false,
+					error: `You are not allowed to access resource: ${requestedResource}`
+				};
+				if (Array.isArray(requestedActions)) success = requestedActions.every((requestedAction) => allowedActions.includes(requestedAction));
+				else if (typeof requestedActions === "object") {
+					const actions = requestedActions;
+					if (actions.connector === "OR") success = actions.actions.some((requestedAction) => allowedActions.includes(requestedAction));
+					else success = actions.actions.every((requestedAction) => allowedActions.includes(requestedAction));
+				} else throw new BetterAuthError("Invalid access control request");
+				if (success && connector === "OR") return { success };
+				if (!success && connector === "AND") return {
+					success: false,
+					error: `unauthorized to access resource "${requestedResource}"`
+				};
+			}
+			if (success) return { success };
+			return {
+				success: false,
+				error: "Not authorized"
+			};
+		},
+		statements
+	};
+}
+function createAccessControl(s) {
+	return {
+		newRole(statements) {
+			return role(statements);
+		},
+		statements: s
+	};
+}
+
+//#endregion
+export { createAccessControl, role };
+//# sourceMappingURL=access.mjs.map

package/dist/plugins/access/access.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.mjs","names":[],"sources":["../../../src/plugins/access/access.ts"],"sourcesContent":["import { BetterAuthError } from \"@better-auth/core/error\";\nimport type { Statements, Subset } from \"./types\";\n\nexport type AuthorizeResponse =\n\t| { success: false; error: string }\n\t| { success: true; error?: never | undefined };\n\nexport function role<TStatements extends Statements>(statements: TStatements) {\n\treturn {\n\t\tauthorize<K extends keyof TStatements>(\n\t\t\trequest: {\n\t\t\t\t[key in K]?:\n\t\t\t\t\t| TStatements[key]\n\t\t\t\t\t| {\n\t\t\t\t\t\t\tactions: TStatements[key];\n\t\t\t\t\t\t\tconnector: \"OR\" | \"AND\";\n\t\t\t\t\t  };\n\t\t\t},\n\t\t\tconnector: \"OR\" | \"AND\" = \"AND\",\n\t\t): AuthorizeResponse {\n\t\t\tlet success = false;\n\t\t\tfor (const [requestedResource, requestedActions] of Object.entries(\n\t\t\t\trequest,\n\t\t\t)) {\n\t\t\t\tconst allowedActions = statements[requestedResource];\n\t\t\t\tif (!allowedActions) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: `You are not allowed to access resource: ${requestedResource}`,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t\tif (Array.isArray(requestedActions)) {\n\t\t\t\t\tsuccess = (requestedActions as string[]).every((requestedAction) =>\n\t\t\t\t\t\tallowedActions.includes(requestedAction),\n\t\t\t\t\t);\n\t\t\t\t} else {\n\t\t\t\t\tif (typeof requestedActions === \"object\") {\n\t\t\t\t\t\tconst actions = requestedActions as {\n\t\t\t\t\t\t\tactions: string[];\n\t\t\t\t\t\t\tconnector: \"OR\" | \"AND\";\n\t\t\t\t\t\t};\n\t\t\t\t\t\tif (actions.connector === \"OR\") {\n\t\t\t\t\t\t\tsuccess = actions.actions.some((requestedAction) =>\n\t\t\t\t\t\t\t\tallowedActions.includes(requestedAction),\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tsuccess = actions.actions.every((requestedAction) =>\n\t\t\t\t\t\t\t\tallowedActions.includes(requestedAction),\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t}\n\t\t\t\t\t} else {\n\t\t\t\t\t\tthrow new BetterAuthError(\"Invalid access control request\");\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif (success && connector === \"OR\") {\n\t\t\t\t\treturn { success };\n\t\t\t\t}\n\t\t\t\tif (!success && connector === \"AND\") {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: `unauthorized to access resource \"${requestedResource}\"`,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\t\t\tif (success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess,\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: \"Not authorized\",\n\t\t\t};\n\t\t},\n\t\tstatements,\n\t};\n}\n\nexport function createAccessControl<const TStatements extends Statements>(\n\ts: TStatements,\n) {\n\treturn {\n\t\tnewRole<K extends keyof TStatements>(statements: Subset<K, TStatements>) {\n\t\t\treturn role<Subset<K, TStatements>>(statements);\n\t\t},\n\t\tstatements: s,\n\t};\n}\n"],"mappings":";;;AAOA,SAAgB,KAAqC,YAAyB;AAC7E,QAAO;EACN,UACC,SAQA,YAA0B,OACN;GACpB,IAAI,UAAU;AACd,QAAK,MAAM,CAAC,mBAAmB,qBAAqB,OAAO,QAC1D,QACA,EAAE;IACF,MAAM,iBAAiB,WAAW;AAClC,QAAI,CAAC,eACJ,QAAO;KACN,SAAS;KACT,OAAO,2CAA2C;KAClD;AAEF,QAAI,MAAM,QAAQ,iBAAiB,CAClC,WAAW,iBAA8B,OAAO,oBAC/C,eAAe,SAAS,gBAAgB,CACxC;aAEG,OAAO,qBAAqB,UAAU;KACzC,MAAM,UAAU;AAIhB,SAAI,QAAQ,cAAc,KACzB,WAAU,QAAQ,QAAQ,MAAM,oBAC/B,eAAe,SAAS,gBAAgB,CACxC;SAED,WAAU,QAAQ,QAAQ,OAAO,oBAChC,eAAe,SAAS,gBAAgB,CACxC;UAGF,OAAM,IAAI,gBAAgB,iCAAiC;AAG7D,QAAI,WAAW,cAAc,KAC5B,QAAO,EAAE,SAAS;AAEnB,QAAI,CAAC,WAAW,cAAc,MAC7B,QAAO;KACN,SAAS;KACT,OAAO,oCAAoC,kBAAkB;KAC7D;;AAGH,OAAI,QACH,QAAO,EACN,SACA;AAEF,UAAO;IACN,SAAS;IACT,OAAO;IACP;;EAEF;EACA;;AAGF,SAAgB,oBACf,GACC;AACD,QAAO;EACN,QAAqC,YAAoC;AACxE,UAAO,KAA6B,WAAW;;EAEhD,YAAY;EACZ"}

package/dist/plugins/access/index.d.mts

@@ -0,0 +1,3 @@
+import { AccessControl, Role, Statements, SubArray, Subset } from "./types.mjs";
+import { AuthorizeResponse, createAccessControl, role } from "./access.mjs";
+export { AccessControl, AuthorizeResponse, Role, Statements, SubArray, Subset, createAccessControl, role };

package/dist/plugins/access/index.mjs

@@ -0,0 +1,3 @@
+import { createAccessControl, role } from "./access.mjs";
+
+export { createAccessControl, role };

package/dist/plugins/access/types.d.mts

@@ -0,0 +1,17 @@
+import { AuthorizeResponse, createAccessControl } from "./access.mjs";
+import { LiteralString } from "@better-auth/core";
+
+//#region src/plugins/access/types.d.ts
+type SubArray<T extends unknown[] | readonly unknown[] | any[]> = T[number][];
+type Subset<K extends keyof R, R extends Record<string | LiteralString, readonly string[] | readonly LiteralString[]>> = { [P in K]: SubArray<R[P]> };
+type Statements = {
+  readonly [resource: string]: readonly LiteralString[];
+};
+type AccessControl<TStatements extends Statements = Statements> = ReturnType<typeof createAccessControl<TStatements>>;
+type Role<TStatements extends Statements = Record<string, any>> = {
+  authorize: (request: any, connector?: ("OR" | "AND") | undefined) => AuthorizeResponse;
+  statements: TStatements;
+};
+//#endregion
+export { AccessControl, Role, Statements, SubArray, Subset };
+//# sourceMappingURL=types.d.mts.map

package/dist/plugins/additional-fields/client.d.mts

@@ -0,0 +1,14 @@
+import { DBFieldAttribute } from "@better-auth/core/db";
+
+//#region src/plugins/additional-fields/client.d.ts
+declare const inferAdditionalFields: <T, S extends {
+  user?: {
+    [key: string]: DBFieldAttribute;
+  } | undefined;
+  session?: {
+    [key: string]: DBFieldAttribute;
+  } | undefined;
+} = {}>(schema?: S | undefined) => BetterAuthClientPlugin;
+//#endregion
+export { inferAdditionalFields };
+//# sourceMappingURL=client.d.mts.map

package/dist/plugins/additional-fields/client.mjs

@@ -0,0 +1,11 @@
+//#region src/plugins/additional-fields/client.ts
+const inferAdditionalFields = (schema) => {
+	return {
+		id: "additional-fields-client",
+		$InferServerPlugin: {}
+	};
+};
+
+//#endregion
+export { inferAdditionalFields };
+//# sourceMappingURL=client.mjs.map

package/dist/plugins/additional-fields/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../../../src/plugins/additional-fields/client.ts"],"sourcesContent":["import type {\n\tBetterAuthClientPlugin,\n\tBetterAuthOptions,\n\tBetterAuthPlugin,\n} from \"@better-auth/core\";\nimport type { DBFieldAttribute } from \"@better-auth/core/db\";\n\nexport const inferAdditionalFields = <\n\tT,\n\tS extends {\n\t\tuser?:\n\t\t\t| {\n\t\t\t\t\t[key: string]: DBFieldAttribute;\n\t\t\t  }\n\t\t\t| undefined;\n\t\tsession?:\n\t\t\t| {\n\t\t\t\t\t[key: string]: DBFieldAttribute;\n\t\t\t  }\n\t\t\t| undefined;\n\t} = {},\n>(\n\tschema?: S | undefined,\n) => {\n\ttype Opts = T extends BetterAuthOptions\n\t\t? T\n\t\t: T extends {\n\t\t\t\t\toptions: BetterAuthOptions;\n\t\t\t\t}\n\t\t\t? T[\"options\"]\n\t\t\t: never;\n\n\ttype Plugin = Opts extends never\n\t\t? S extends {\n\t\t\t\tuser?:\n\t\t\t\t\t| {\n\t\t\t\t\t\t\t[key: string]: DBFieldAttribute;\n\t\t\t\t\t  }\n\t\t\t\t\t| undefined;\n\t\t\t\tsession?:\n\t\t\t\t\t| {\n\t\t\t\t\t\t\t[key: string]: DBFieldAttribute;\n\t\t\t\t\t  }\n\t\t\t\t\t| undefined;\n\t\t\t}\n\t\t\t? {\n\t\t\t\t\tid: \"additional-fields-client\";\n\t\t\t\t\tschema: {\n\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\tfields: S[\"user\"] extends object ? S[\"user\"] : {};\n\t\t\t\t\t\t};\n\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\tfields: S[\"session\"] extends object ? S[\"session\"] : {};\n\t\t\t\t\t\t};\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t: never\n\t\t: Opts extends BetterAuthOptions\n\t\t\t? {\n\t\t\t\t\tid: \"additional-fields\";\n\t\t\t\t\tschema: {\n\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\tfields: Opts[\"user\"] extends {\n\t\t\t\t\t\t\t\tadditionalFields: infer U;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t? U\n\t\t\t\t\t\t\t\t: {};\n\t\t\t\t\t\t};\n\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\tfields: Opts[\"session\"] extends {\n\t\t\t\t\t\t\t\tadditionalFields: infer U;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t? U\n\t\t\t\t\t\t\t\t: {};\n\t\t\t\t\t\t};\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t: never;\n\n\treturn {\n\t\tid: \"additional-fields-client\",\n\t\t$InferServerPlugin: {} as Plugin extends BetterAuthPlugin\n\t\t\t? Plugin\n\t\t\t: undefined,\n\t} satisfies BetterAuthClientPlugin;\n};\n"],"mappings":";AAOA,MAAa,yBAeZ,WACI;AAwDJ,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EAGtB"}

package/dist/plugins/admin/access/index.d.mts

@@ -0,0 +1,2 @@
+import { adminAc, defaultAc, defaultRoles, defaultStatements, userAc } from "./statement.mjs";
+export { adminAc, defaultAc, defaultRoles, defaultStatements, userAc };

package/dist/plugins/admin/access/index.mjs

@@ -0,0 +1,3 @@
+import { adminAc, defaultAc, defaultRoles, defaultStatements, userAc } from "./statement.mjs";
+
+export { adminAc, defaultAc, defaultRoles, defaultStatements, userAc };

package/dist/plugins/admin/access/statement.d.mts

@@ -0,0 +1,118 @@
+import { Subset } from "../../access/types.mjs";
+import { AuthorizeResponse } from "../../access/access.mjs";
+import "../../index.mjs";
+
+//#region src/plugins/admin/access/statement.d.ts
+declare const defaultStatements: {
+  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+  readonly session: readonly ["list", "revoke", "delete"];
+};
+declare const defaultAc: {
+  newRole<K extends "session" | "user">(statements: Subset<K, {
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly session: readonly ["list", "revoke", "delete"];
+  }>): {
+    authorize<K_1 extends K>(request: K_1 extends infer T extends keyof Subset<K, {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }> ? { [key in T]?: Subset<K, {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }>[key] | {
+      actions: Subset<K, {
+        readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+        readonly session: readonly ["list", "revoke", "delete"];
+      }>[key];
+      connector: "OR" | "AND";
+    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
+    statements: Subset<K, {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }>;
+  };
+  statements: {
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly session: readonly ["list", "revoke", "delete"];
+  };
+};
+declare const adminAc: {
+  authorize<K extends "session" | "user">(request: K extends infer T extends keyof Subset<"session" | "user", {
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly session: readonly ["list", "revoke", "delete"];
+  }> ? { [key in T]?: Subset<"session" | "user", {
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly session: readonly ["list", "revoke", "delete"];
+  }>[key] | {
+    actions: Subset<"session" | "user", {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }>[key];
+    connector: "OR" | "AND";
+  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
+  statements: Subset<"session" | "user", {
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly session: readonly ["list", "revoke", "delete"];
+  }>;
+};
+declare const userAc: {
+  authorize<K extends "session" | "user">(request: K extends infer T extends keyof Subset<"session" | "user", {
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly session: readonly ["list", "revoke", "delete"];
+  }> ? { [key in T]?: Subset<"session" | "user", {
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly session: readonly ["list", "revoke", "delete"];
+  }>[key] | {
+    actions: Subset<"session" | "user", {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }>[key];
+    connector: "OR" | "AND";
+  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
+  statements: Subset<"session" | "user", {
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly session: readonly ["list", "revoke", "delete"];
+  }>;
+};
+declare const defaultRoles: {
+  admin: {
+    authorize<K extends "session" | "user">(request: K extends infer T extends keyof Subset<"session" | "user", {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }> ? { [key in T]?: Subset<"session" | "user", {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }>[key] | {
+      actions: Subset<"session" | "user", {
+        readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+        readonly session: readonly ["list", "revoke", "delete"];
+      }>[key];
+      connector: "OR" | "AND";
+    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
+    statements: Subset<"session" | "user", {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }>;
+  };
+  user: {
+    authorize<K extends "session" | "user">(request: K extends infer T extends keyof Subset<"session" | "user", {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }> ? { [key in T]?: Subset<"session" | "user", {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }>[key] | {
+      actions: Subset<"session" | "user", {
+        readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+        readonly session: readonly ["list", "revoke", "delete"];
+      }>[key];
+      connector: "OR" | "AND";
+    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
+    statements: Subset<"session" | "user", {
+      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+      readonly session: readonly ["list", "revoke", "delete"];
+    }>;
+  };
+};
+//#endregion
+export { adminAc, defaultAc, defaultRoles, defaultStatements, userAc };
+//# sourceMappingURL=statement.d.mts.map

package/dist/plugins/admin/access/statement.mjs

@@ -0,0 +1,53 @@
+import { createAccessControl } from "../../access/access.mjs";
+import "../../access/index.mjs";
+
+//#region src/plugins/admin/access/statement.ts
+const defaultStatements = {
+	user: [
+		"create",
+		"list",
+		"set-role",
+		"ban",
+		"impersonate",
+		"delete",
+		"set-password",
+		"get",
+		"update"
+	],
+	session: [
+		"list",
+		"revoke",
+		"delete"
+	]
+};
+const defaultAc = createAccessControl(defaultStatements);
+const adminAc = defaultAc.newRole({
+	user: [
+		"create",
+		"list",
+		"set-role",
+		"ban",
+		"impersonate",
+		"delete",
+		"set-password",
+		"get",
+		"update"
+	],
+	session: [
+		"list",
+		"revoke",
+		"delete"
+	]
+});
+const userAc = defaultAc.newRole({
+	user: [],
+	session: []
+});
+const defaultRoles = {
+	admin: adminAc,
+	user: userAc
+};
+
+//#endregion
+export { adminAc, defaultAc, defaultRoles, defaultStatements, userAc };
+//# sourceMappingURL=statement.mjs.map