@hammadj/better-auth 1.5.0-beta.10

package/dist/plugins/jwt/utils.mjs

@@ -0,0 +1,64 @@
+import { symmetricEncrypt } from "../../crypto/index.mjs";
+import { sec } from "../../utils/time.mjs";
+import { getJwksAdapter } from "./adapter.mjs";
+import { exportJWK, generateKeyPair } from "jose";
+
+//#region src/plugins/jwt/utils.ts
+/**
+* Converts an expirationTime to ISO seconds expiration time (the format of JWT exp)
+*
+* See https://github.com/panva/jose/blob/main/src/lib/jwt_claims_set.ts#L245
+*
+* @param expirationTime - see options.jwt.expirationTime
+* @param iat - the iat time to consolidate on
+* @returns
+*/
+function toExpJWT(expirationTime, iat) {
+	if (typeof expirationTime === "number") return expirationTime;
+	else if (expirationTime instanceof Date) return Math.floor(expirationTime.getTime() / 1e3);
+	else return iat + sec(expirationTime);
+}
+async function generateExportedKeyPair(options) {
+	const { alg, ...cfg } = options?.jwks?.keyPairConfig ?? {
+		alg: "EdDSA",
+		crv: "Ed25519"
+	};
+	const { publicKey, privateKey } = await generateKeyPair(alg, {
+		...cfg,
+		extractable: true
+	});
+	return {
+		publicWebKey: await exportJWK(publicKey),
+		privateWebKey: await exportJWK(privateKey),
+		alg,
+		cfg
+	};
+}
+/**
+* Creates a Jwk on the database
+*
+* @param ctx
+* @param options
+* @returns
+*/
+async function createJwk(ctx, options) {
+	const { publicWebKey, privateWebKey, alg, cfg } = await generateExportedKeyPair(options);
+	const stringifiedPrivateWebKey = JSON.stringify(privateWebKey);
+	const privateKeyEncryptionEnabled = !options?.jwks?.disablePrivateKeyEncryption;
+	const jwk = {
+		alg,
+		...cfg && "crv" in cfg ? { crv: cfg.crv } : {},
+		publicKey: JSON.stringify(publicWebKey),
+		privateKey: privateKeyEncryptionEnabled ? JSON.stringify(await symmetricEncrypt({
+			key: ctx.context.secret,
+			data: stringifiedPrivateWebKey
+		})) : stringifiedPrivateWebKey,
+		createdAt: /* @__PURE__ */ new Date(),
+		...options?.jwks?.rotationInterval ? { expiresAt: new Date(Date.now() + options.jwks.rotationInterval * 1e3) } : {}
+	};
+	return await getJwksAdapter(ctx.context.adapter, options).createJwk(ctx, jwk);
+}
+
+//#endregion
+export { createJwk, generateExportedKeyPair, toExpJWT };
+//# sourceMappingURL=utils.mjs.map

package/dist/plugins/jwt/utils.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.mjs","names":[],"sources":["../../../src/plugins/jwt/utils.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { exportJWK, generateKeyPair } from \"jose\";\nimport { symmetricEncrypt } from \"../../crypto\";\nimport type { TimeString } from \"../../utils/time\";\nimport { sec } from \"../../utils/time\";\nimport { getJwksAdapter } from \"./adapter\";\nimport type { Jwk, JwtOptions } from \"./types\";\n\n/**\n * Converts an expirationTime to ISO seconds expiration time (the format of JWT exp)\n *\n * See https://github.com/panva/jose/blob/main/src/lib/jwt_claims_set.ts#L245\n *\n * @param expirationTime - see options.jwt.expirationTime\n * @param iat - the iat time to consolidate on\n * @returns\n */\nexport function toExpJWT(\n\texpirationTime: number | Date | string,\n\tiat: number,\n): number {\n\tif (typeof expirationTime === \"number\") {\n\t\treturn expirationTime;\n\t} else if (expirationTime instanceof Date) {\n\t\treturn Math.floor(expirationTime.getTime() / 1000);\n\t} else {\n\t\treturn iat + sec(expirationTime as TimeString);\n\t}\n}\n\nexport async function generateExportedKeyPair(\n\toptions?: JwtOptions | undefined,\n) {\n\tconst { alg, ...cfg } = options?.jwks?.keyPairConfig ?? {\n\t\talg: \"EdDSA\",\n\t\tcrv: \"Ed25519\",\n\t};\n\tconst { publicKey, privateKey } = await generateKeyPair(alg, {\n\t\t...cfg,\n\t\textractable: true,\n\t});\n\n\tconst publicWebKey = await exportJWK(publicKey);\n\tconst privateWebKey = await exportJWK(privateKey);\n\n\treturn { publicWebKey, privateWebKey, alg, cfg };\n}\n\n/**\n * Creates a Jwk on the database\n *\n * @param ctx\n * @param options\n * @returns\n */\nexport async function createJwk(\n\tctx: GenericEndpointContext,\n\toptions?: JwtOptions | undefined,\n) {\n\tconst { publicWebKey, privateWebKey, alg, cfg } =\n\t\tawait generateExportedKeyPair(options);\n\n\tconst stringifiedPrivateWebKey = JSON.stringify(privateWebKey);\n\tconst privateKeyEncryptionEnabled =\n\t\t!options?.jwks?.disablePrivateKeyEncryption;\n\tconst jwk: Omit<Jwk, \"id\"> = {\n\t\talg,\n\t\t...(cfg && \"crv\" in cfg\n\t\t\t? {\n\t\t\t\t\tcrv: (cfg as { crv: (typeof jwk)[\"crv\"] }).crv,\n\t\t\t\t}\n\t\t\t: {}),\n\t\tpublicKey: JSON.stringify(publicWebKey),\n\t\tprivateKey: privateKeyEncryptionEnabled\n\t\t\t? JSON.stringify(\n\t\t\t\t\tawait symmetricEncrypt({\n\t\t\t\t\t\tkey: ctx.context.secret,\n\t\t\t\t\t\tdata: stringifiedPrivateWebKey,\n\t\t\t\t\t}),\n\t\t\t\t)\n\t\t\t: stringifiedPrivateWebKey,\n\t\tcreatedAt: new Date(),\n\t\t...(options?.jwks?.rotationInterval\n\t\t\t? {\n\t\t\t\t\texpiresAt: new Date(\n\t\t\t\t\t\tDate.now() + options.jwks.rotationInterval * 1000,\n\t\t\t\t\t),\n\t\t\t\t}\n\t\t\t: {}),\n\t};\n\n\tconst adapter = getJwksAdapter(ctx.context.adapter, options);\n\tconst key = await adapter.createJwk(ctx, jwk as Jwk);\n\n\treturn key;\n}\n"],"mappings":";;;;;;;;;;;;;;;AAiBA,SAAgB,SACf,gBACA,KACS;AACT,KAAI,OAAO,mBAAmB,SAC7B,QAAO;UACG,0BAA0B,KACpC,QAAO,KAAK,MAAM,eAAe,SAAS,GAAG,IAAK;KAElD,QAAO,MAAM,IAAI,eAA6B;;AAIhD,eAAsB,wBACrB,SACC;CACD,MAAM,EAAE,KAAK,GAAG,QAAQ,SAAS,MAAM,iBAAiB;EACvD,KAAK;EACL,KAAK;EACL;CACD,MAAM,EAAE,WAAW,eAAe,MAAM,gBAAgB,KAAK;EAC5D,GAAG;EACH,aAAa;EACb,CAAC;AAKF,QAAO;EAAE,cAHY,MAAM,UAAU,UAAU;EAGxB,eAFD,MAAM,UAAU,WAAW;EAEX;EAAK;EAAK;;;;;;;;;AAUjD,eAAsB,UACrB,KACA,SACC;CACD,MAAM,EAAE,cAAc,eAAe,KAAK,QACzC,MAAM,wBAAwB,QAAQ;CAEvC,MAAM,2BAA2B,KAAK,UAAU,cAAc;CAC9D,MAAM,8BACL,CAAC,SAAS,MAAM;CACjB,MAAM,MAAuB;EAC5B;EACA,GAAI,OAAO,SAAS,MACjB,EACA,KAAM,IAAqC,KAC3C,GACA,EAAE;EACL,WAAW,KAAK,UAAU,aAAa;EACvC,YAAY,8BACT,KAAK,UACL,MAAM,iBAAiB;GACtB,KAAK,IAAI,QAAQ;GACjB,MAAM;GACN,CAAC,CACF,GACA;EACH,2BAAW,IAAI,MAAM;EACrB,GAAI,SAAS,MAAM,mBAChB,EACA,WAAW,IAAI,KACd,KAAK,KAAK,GAAG,QAAQ,KAAK,mBAAmB,IAC7C,EACD,GACA,EAAE;EACL;AAKD,QAFY,MADI,eAAe,IAAI,QAAQ,SAAS,QAAQ,CAClC,UAAU,KAAK,IAAW"}

package/dist/plugins/jwt/verify.d.mts

@@ -0,0 +1,12 @@
+import { JwtOptions } from "./types.mjs";
+import { JWTPayload } from "jose";
+
+//#region src/plugins/jwt/verify.d.ts
+/**
+ * Verify a JWT token using the JWKS public keys
+ * Returns the payload if valid, null otherwise
+ */
+declare function verifyJWT<T extends JWTPayload = JWTPayload>(token: string, options?: JwtOptions): Promise<(T & Required<Pick<JWTPayload, "sub" | "aud">>) | null>;
+//#endregion
+export { verifyJWT };
+//# sourceMappingURL=verify.d.mts.map

package/dist/plugins/jwt/verify.mjs

@@ -0,0 +1,46 @@
+import { getJwksAdapter } from "./adapter.mjs";
+import { getCurrentAuthContext } from "@better-auth/core/context";
+import { importJWK, jwtVerify } from "jose";
+import { base64 } from "@better-auth/utils/base64";
+
+//#region src/plugins/jwt/verify.ts
+/**
+* Verify a JWT token using the JWKS public keys
+* Returns the payload if valid, null otherwise
+*/
+async function verifyJWT(token, options) {
+	const ctx = await getCurrentAuthContext();
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) return null;
+		const headerStr = new TextDecoder().decode(base64.decode(parts[0]));
+		const kid = JSON.parse(headerStr).kid;
+		if (!kid) {
+			ctx.context.logger.debug("JWT missing kid in header");
+			return null;
+		}
+		const keys = await getJwksAdapter(ctx.context.adapter, options).getAllKeys(ctx);
+		if (!keys || keys.length === 0) {
+			ctx.context.logger.debug("No JWKS keys available");
+			return null;
+		}
+		const key = keys.find((k) => k.id === kid);
+		if (!key) {
+			ctx.context.logger.debug(`No JWKS key found for kid: ${kid}`);
+			return null;
+		}
+		const { payload } = await jwtVerify(token, await importJWK(JSON.parse(key.publicKey), key.alg ?? options?.jwks?.keyPairConfig?.alg ?? "EdDSA"), {
+			issuer: options?.jwt?.issuer ?? ctx.context.options.baseURL,
+			audience: options?.jwt?.audience ?? ctx.context.options.baseURL
+		});
+		if (!payload.sub || !payload.aud) return null;
+		return payload;
+	} catch (error) {
+		ctx.context.logger.debug("JWT verification failed", error);
+		return null;
+	}
+}
+
+//#endregion
+export { verifyJWT };
+//# sourceMappingURL=verify.mjs.map

package/dist/plugins/jwt/verify.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.mjs","names":[],"sources":["../../../src/plugins/jwt/verify.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { getCurrentAuthContext } from \"@better-auth/core/context\";\nimport { base64 } from \"@better-auth/utils/base64\";\nimport type { JWTPayload } from \"jose\";\nimport { importJWK, jwtVerify } from \"jose\";\nimport { getJwksAdapter } from \"./adapter\";\nimport type { JwtOptions } from \"./types\";\n\n/**\n * Verify a JWT token using the JWKS public keys\n * Returns the payload if valid, null otherwise\n */\nexport async function verifyJWT<T extends JWTPayload = JWTPayload>(\n\ttoken: string,\n\toptions?: JwtOptions,\n): Promise<(T & Required<Pick<JWTPayload, \"sub\" | \"aud\">>) | null> {\n\tconst ctx = await getCurrentAuthContext();\n\ttry {\n\t\tconst parts = token.split(\".\");\n\t\tif (parts.length !== 3) {\n\t\t\treturn null;\n\t\t}\n\n\t\tconst headerStr = new TextDecoder().decode(base64.decode(parts[0]!));\n\t\tconst header = JSON.parse(headerStr);\n\t\tconst kid = header.kid;\n\n\t\tif (!kid) {\n\t\t\tctx.context.logger.debug(\"JWT missing kid in header\");\n\t\t\treturn null;\n\t\t}\n\n\t\t// Get all JWKS keys\n\t\tconst adapter = getJwksAdapter(ctx.context.adapter, options);\n\t\tconst keys = await adapter.getAllKeys(ctx as GenericEndpointContext);\n\n\t\tif (!keys || keys.length === 0) {\n\t\t\tctx.context.logger.debug(\"No JWKS keys available\");\n\t\t\treturn null;\n\t\t}\n\n\t\tconst key = keys.find((k) => k.id === kid);\n\t\tif (!key) {\n\t\t\tctx.context.logger.debug(`No JWKS key found for kid: ${kid}`);\n\t\t\treturn null;\n\t\t}\n\n\t\tconst publicKey = JSON.parse(key.publicKey);\n\t\tconst alg = key.alg ?? options?.jwks?.keyPairConfig?.alg ?? \"EdDSA\";\n\t\tconst cryptoKey = await importJWK(publicKey, alg);\n\n\t\tconst { payload } = await jwtVerify(token, cryptoKey, {\n\t\t\tissuer: options?.jwt?.issuer ?? ctx.context.options.baseURL,\n\t\t\taudience: options?.jwt?.audience ?? ctx.context.options.baseURL,\n\t\t});\n\n\t\tif (!payload.sub || !payload.aud) {\n\t\t\treturn null;\n\t\t}\n\n\t\treturn payload as T & Required<Pick<JWTPayload, \"sub\" | \"aud\">>;\n\t} catch (error) {\n\t\tctx.context.logger.debug(\"JWT verification failed\", error);\n\t\treturn null;\n\t}\n}\n"],"mappings":";;;;;;;;;;AAYA,eAAsB,UACrB,OACA,SACkE;CAClE,MAAM,MAAM,MAAM,uBAAuB;AACzC,KAAI;EACH,MAAM,QAAQ,MAAM,MAAM,IAAI;AAC9B,MAAI,MAAM,WAAW,EACpB,QAAO;EAGR,MAAM,YAAY,IAAI,aAAa,CAAC,OAAO,OAAO,OAAO,MAAM,GAAI,CAAC;EAEpE,MAAM,MADS,KAAK,MAAM,UAAU,CACjB;AAEnB,MAAI,CAAC,KAAK;AACT,OAAI,QAAQ,OAAO,MAAM,4BAA4B;AACrD,UAAO;;EAKR,MAAM,OAAO,MADG,eAAe,IAAI,QAAQ,SAAS,QAAQ,CACjC,WAAW,IAA8B;AAEpE,MAAI,CAAC,QAAQ,KAAK,WAAW,GAAG;AAC/B,OAAI,QAAQ,OAAO,MAAM,yBAAyB;AAClD,UAAO;;EAGR,MAAM,MAAM,KAAK,MAAM,MAAM,EAAE,OAAO,IAAI;AAC1C,MAAI,CAAC,KAAK;AACT,OAAI,QAAQ,OAAO,MAAM,8BAA8B,MAAM;AAC7D,UAAO;;EAOR,MAAM,EAAE,YAAY,MAAM,UAAU,OAFlB,MAAM,UAFN,KAAK,MAAM,IAAI,UAAU,EAC/B,IAAI,OAAO,SAAS,MAAM,eAAe,OAAO,QACX,EAEK;GACrD,QAAQ,SAAS,KAAK,UAAU,IAAI,QAAQ,QAAQ;GACpD,UAAU,SAAS,KAAK,YAAY,IAAI,QAAQ,QAAQ;GACxD,CAAC;AAEF,MAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,IAC5B,QAAO;AAGR,SAAO;UACC,OAAO;AACf,MAAI,QAAQ,OAAO,MAAM,2BAA2B,MAAM;AAC1D,SAAO"}

package/dist/plugins/last-login-method/client.d.mts

@@ -0,0 +1,18 @@
+//#region src/plugins/last-login-method/client.d.ts
+/**
+ * Configuration for the client-side last login method plugin
+ */
+interface LastLoginMethodClientConfig {
+  /**
+   * Name of the cookie to read the last login method from
+   * @default "better-auth.last_used_login_method"
+   */
+  cookieName?: string | undefined;
+}
+/**
+ * Client-side plugin to retrieve the last used login method
+ */
+declare const lastLoginMethodClient: (config?: LastLoginMethodClientConfig) => BetterAuthClientPlugin;
+//#endregion
+export { LastLoginMethodClientConfig, lastLoginMethodClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/plugins/last-login-method/client.mjs

@@ -0,0 +1,32 @@
+//#region src/plugins/last-login-method/client.ts
+function getCookieValue(name) {
+	if (typeof document === "undefined") return null;
+	const cookie = document.cookie.split("; ").find((row) => row.startsWith(`${name}=`));
+	return cookie ? cookie.split("=")[1] : null;
+}
+/**
+* Client-side plugin to retrieve the last used login method
+*/
+const lastLoginMethodClient = (config = {}) => {
+	const cookieName = config.cookieName || "better-auth.last_used_login_method";
+	return {
+		id: "last-login-method-client",
+		getActions() {
+			return {
+				getLastUsedLoginMethod: () => {
+					return getCookieValue(cookieName);
+				},
+				clearLastUsedLoginMethod: () => {
+					if (typeof document !== "undefined") document.cookie = `${cookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;`;
+				},
+				isLastUsedLoginMethod: (method) => {
+					return getCookieValue(cookieName) === method;
+				}
+			};
+		}
+	};
+};
+
+//#endregion
+export { lastLoginMethodClient };
+//# sourceMappingURL=client.mjs.map

package/dist/plugins/last-login-method/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../../../src/plugins/last-login-method/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"@better-auth/core\";\n\n/**\n * Configuration for the client-side last login method plugin\n */\nexport interface LastLoginMethodClientConfig {\n\t/**\n\t * Name of the cookie to read the last login method from\n\t * @default \"better-auth.last_used_login_method\"\n\t */\n\tcookieName?: string | undefined;\n}\n\nfunction getCookieValue(name: string): string | null {\n\tif (typeof document === \"undefined\") {\n\t\treturn null;\n\t}\n\n\tconst cookie = document.cookie\n\t\t.split(\"; \")\n\t\t.find((row) => row.startsWith(`${name}=`));\n\n\treturn cookie ? cookie.split(\"=\")[1]! : null;\n}\n\n/**\n * Client-side plugin to retrieve the last used login method\n */\nexport const lastLoginMethodClient = (\n\tconfig: LastLoginMethodClientConfig = {},\n) => {\n\tconst cookieName = config.cookieName || \"better-auth.last_used_login_method\";\n\n\treturn {\n\t\tid: \"last-login-method-client\",\n\t\tgetActions() {\n\t\t\treturn {\n\t\t\t\t/**\n\t\t\t\t * Get the last used login method from cookies\n\t\t\t\t * @returns The last used login method or null if not found\n\t\t\t\t */\n\t\t\t\tgetLastUsedLoginMethod: (): string | null => {\n\t\t\t\t\treturn getCookieValue(cookieName);\n\t\t\t\t},\n\t\t\t\t/**\n\t\t\t\t * Clear the last used login method cookie\n\t\t\t\t * This sets the cookie with an expiration date in the past\n\t\t\t\t */\n\t\t\t\tclearLastUsedLoginMethod: (): void => {\n\t\t\t\t\tif (typeof document !== \"undefined\") {\n\t\t\t\t\t\tdocument.cookie = `${cookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;`;\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t\t/**\n\t\t\t\t * Check if a specific login method was the last used\n\t\t\t\t * @param method The method to check\n\t\t\t\t * @returns True if the method was the last used, false otherwise\n\t\t\t\t */\n\t\t\t\tisLastUsedLoginMethod: (method: string): boolean => {\n\t\t\t\t\tconst lastMethod = getCookieValue(cookieName);\n\t\t\t\t\treturn lastMethod === method;\n\t\t\t\t},\n\t\t\t};\n\t\t},\n\t} satisfies BetterAuthClientPlugin;\n};\n"],"mappings":";AAaA,SAAS,eAAe,MAA6B;AACpD,KAAI,OAAO,aAAa,YACvB,QAAO;CAGR,MAAM,SAAS,SAAS,OACtB,MAAM,KAAK,CACX,MAAM,QAAQ,IAAI,WAAW,GAAG,KAAK,GAAG,CAAC;AAE3C,QAAO,SAAS,OAAO,MAAM,IAAI,CAAC,KAAM;;;;;AAMzC,MAAa,yBACZ,SAAsC,EAAE,KACpC;CACJ,MAAM,aAAa,OAAO,cAAc;AAExC,QAAO;EACN,IAAI;EACJ,aAAa;AACZ,UAAO;IAKN,8BAA6C;AAC5C,YAAO,eAAe,WAAW;;IAMlC,gCAAsC;AACrC,SAAI,OAAO,aAAa,YACvB,UAAS,SAAS,GAAG,WAAW;;IAQlC,wBAAwB,WAA4B;AAEnD,YADmB,eAAe,WAAW,KACvB;;IAEvB;;EAEF"}

package/dist/plugins/last-login-method/index.d.mts

@@ -0,0 +1,52 @@
+import { GenericEndpointContext } from "@better-auth/core";
+
+//#region src/plugins/last-login-method/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    "last-login-method": {
+      creator: typeof lastLoginMethod;
+    };
+  }
+}
+/**
+ * Configuration for tracking different authentication methods
+ */
+interface LastLoginMethodOptions {
+  /**
+   * Name of the cookie to store the last login method
+   * @default "better-auth.last_used_login_method"
+   */
+  cookieName?: string | undefined;
+  /**
+   * Cookie expiration time in seconds
+   * @default 2592000 (30 days)
+   */
+  maxAge?: number | undefined;
+  /**
+   * Custom method to resolve the last login method
+   * @param ctx - The context from the hook
+   * @returns The last login method
+   */
+  customResolveMethod?: ((ctx: GenericEndpointContext) => string | null) | undefined;
+  /**
+   * Store the last login method in the database. This will create a new field in the user table.
+   * @default false
+   */
+  storeInDatabase?: boolean | undefined;
+  /**
+   * Custom schema for the plugin
+   * @default undefined
+   */
+  schema?: {
+    user?: {
+      lastLoginMethod?: string;
+    };
+  } | undefined;
+}
+/**
+ * Plugin to track the last used login method
+ */
+declare const lastLoginMethod: <O extends LastLoginMethodOptions>(userConfig?: O | undefined) => BetterAuthPlugin;
+//#endregion
+export { LastLoginMethodOptions, lastLoginMethod };
+//# sourceMappingURL=index.d.mts.map

package/dist/plugins/last-login-method/index.mjs

@@ -0,0 +1,77 @@
+import { createAuthMiddleware } from "@better-auth/core/api";
+
+//#region src/plugins/last-login-method/index.ts
+/**
+* Plugin to track the last used login method
+*/
+const lastLoginMethod = (userConfig) => {
+	const defaultResolveMethod = (ctx) => {
+		if (ctx.path.startsWith("/callback/") || ctx.path.startsWith("/oauth2/callback/")) return ctx.params?.id || ctx.params?.providerId || ctx.path.split("/").pop();
+		if (ctx.path === "/sign-in/email" || ctx.path === "/sign-up/email") return "email";
+		if (ctx.path.includes("siwe")) return "siwe";
+		if (ctx.path.includes("/passkey/verify-authentication")) return "passkey";
+		return null;
+	};
+	const config = {
+		cookieName: "better-auth.last_used_login_method",
+		maxAge: 3600 * 24 * 30,
+		...userConfig
+	};
+	return {
+		id: "last-login-method",
+		init(ctx) {
+			return { options: { databaseHooks: {
+				user: { create: { async before(user, context) {
+					if (!config.storeInDatabase) return;
+					if (!context) return;
+					const lastUsedLoginMethod = config.customResolveMethod?.(context) ?? defaultResolveMethod(context);
+					if (lastUsedLoginMethod) return { data: {
+						...user,
+						lastLoginMethod: lastUsedLoginMethod
+					} };
+				} } },
+				session: { create: { async after(session, context) {
+					if (!config.storeInDatabase) return;
+					if (!context) return;
+					const lastUsedLoginMethod = config.customResolveMethod?.(context) ?? defaultResolveMethod(context);
+					if (lastUsedLoginMethod && session?.userId) try {
+						await ctx.internalAdapter.updateUser(session.userId, { lastLoginMethod: lastUsedLoginMethod });
+					} catch (error) {
+						ctx.logger.error("Failed to update lastLoginMethod", error);
+					}
+				} } }
+			} } };
+		},
+		hooks: { after: [{
+			matcher() {
+				return true;
+			},
+			handler: createAuthMiddleware(async (ctx) => {
+				const lastUsedLoginMethod = config.customResolveMethod?.(ctx) ?? defaultResolveMethod(ctx);
+				if (lastUsedLoginMethod) {
+					const setCookie = ctx.context.responseHeaders?.get("set-cookie");
+					const sessionTokenName = ctx.context.authCookies.sessionToken.name;
+					if (setCookie && setCookie.includes(sessionTokenName)) {
+						const cookieAttributes = {
+							...ctx.context.authCookies.sessionToken.attributes,
+							maxAge: config.maxAge,
+							httpOnly: false
+						};
+						ctx.setCookie(config.cookieName, lastUsedLoginMethod, cookieAttributes);
+					}
+				}
+			})
+		}] },
+		schema: config.storeInDatabase ? { user: { fields: { lastLoginMethod: {
+			type: "string",
+			input: false,
+			required: false,
+			fieldName: config.schema?.user?.lastLoginMethod || "lastLoginMethod"
+		} } } } : void 0,
+		options: userConfig
+	};
+};
+
+//#endregion
+export { lastLoginMethod };
+//# sourceMappingURL=index.mjs.map

package/dist/plugins/last-login-method/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/last-login-method/index.ts"],"sourcesContent":["import type {\n\tBetterAuthPlugin,\n\tGenericEndpointContext,\n} from \"@better-auth/core\";\nimport { createAuthMiddleware } from \"@better-auth/core/api\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"last-login-method\": {\n\t\t\tcreator: typeof lastLoginMethod;\n\t\t};\n\t}\n}\n/**\n * Configuration for tracking different authentication methods\n */\nexport interface LastLoginMethodOptions {\n\t/**\n\t * Name of the cookie to store the last login method\n\t * @default \"better-auth.last_used_login_method\"\n\t */\n\tcookieName?: string | undefined;\n\t/**\n\t * Cookie expiration time in seconds\n\t * @default 2592000 (30 days)\n\t */\n\tmaxAge?: number | undefined;\n\t/**\n\t * Custom method to resolve the last login method\n\t * @param ctx - The context from the hook\n\t * @returns The last login method\n\t */\n\tcustomResolveMethod?:\n\t\t| ((ctx: GenericEndpointContext) => string | null)\n\t\t| undefined;\n\t/**\n\t * Store the last login method in the database. This will create a new field in the user table.\n\t * @default false\n\t */\n\tstoreInDatabase?: boolean | undefined;\n\t/**\n\t * Custom schema for the plugin\n\t * @default undefined\n\t */\n\tschema?:\n\t\t| {\n\t\t\t\tuser?: {\n\t\t\t\t\tlastLoginMethod?: string;\n\t\t\t\t};\n\t\t  }\n\t\t| undefined;\n}\n\n/**\n * Plugin to track the last used login method\n */\nexport const lastLoginMethod = <O extends LastLoginMethodOptions>(\n\tuserConfig?: O | undefined,\n) => {\n\tconst defaultResolveMethod = (ctx: GenericEndpointContext) => {\n\t\t// Check for OAuth callbacks (/callback/:id or /oauth2/callback/:providerId)\n\t\tif (\n\t\t\tctx.path.startsWith(\"/callback/\") ||\n\t\t\tctx.path.startsWith(\"/oauth2/callback/\")\n\t\t) {\n\t\t\treturn (\n\t\t\t\tctx.params?.id || ctx.params?.providerId || ctx.path.split(\"/\").pop()\n\t\t\t);\n\t\t}\n\t\t// Check for email sign-in/sign-up\n\t\tif (ctx.path === \"/sign-in/email\" || ctx.path === \"/sign-up/email\") {\n\t\t\treturn \"email\";\n\t\t}\n\t\tif (ctx.path.includes(\"siwe\")) return \"siwe\";\n\t\tif (ctx.path.includes(\"/passkey/verify-authentication\")) return \"passkey\";\n\t\treturn null;\n\t};\n\n\tconst config = {\n\t\tcookieName: \"better-auth.last_used_login_method\",\n\t\tmaxAge: 60 * 60 * 24 * 30,\n\t\t...userConfig,\n\t} satisfies LastLoginMethodOptions;\n\n\treturn {\n\t\tid: \"last-login-method\",\n\t\tinit(ctx) {\n\t\t\treturn {\n\t\t\t\toptions: {\n\t\t\t\t\tdatabaseHooks: {\n\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\tcreate: {\n\t\t\t\t\t\t\t\tasync before(user, context) {\n\t\t\t\t\t\t\t\t\tif (!config.storeInDatabase) return;\n\t\t\t\t\t\t\t\t\tif (!context) return;\n\t\t\t\t\t\t\t\t\tconst lastUsedLoginMethod =\n\t\t\t\t\t\t\t\t\t\tconfig.customResolveMethod?.(context) ??\n\t\t\t\t\t\t\t\t\t\tdefaultResolveMethod(context);\n\t\t\t\t\t\t\t\t\tif (lastUsedLoginMethod) {\n\t\t\t\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\t\t\t\t\t\t...user,\n\t\t\t\t\t\t\t\t\t\t\t\tlastLoginMethod: lastUsedLoginMethod,\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\tcreate: {\n\t\t\t\t\t\t\t\tasync after(session, context) {\n\t\t\t\t\t\t\t\t\tif (!config.storeInDatabase) return;\n\t\t\t\t\t\t\t\t\tif (!context) return;\n\t\t\t\t\t\t\t\t\tconst lastUsedLoginMethod =\n\t\t\t\t\t\t\t\t\t\tconfig.customResolveMethod?.(context) ??\n\t\t\t\t\t\t\t\t\t\tdefaultResolveMethod(context);\n\t\t\t\t\t\t\t\t\tif (lastUsedLoginMethod && session?.userId) {\n\t\t\t\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t\t\t\tawait ctx.internalAdapter.updateUser(session.userId, {\n\t\t\t\t\t\t\t\t\t\t\t\tlastLoginMethod: lastUsedLoginMethod,\n\t\t\t\t\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\t\t\t\t} catch (error) {\n\t\t\t\t\t\t\t\t\t\t\tctx.logger.error(\n\t\t\t\t\t\t\t\t\t\t\t\t\"Failed to update lastLoginMethod\",\n\t\t\t\t\t\t\t\t\t\t\t\terror,\n\t\t\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t};\n\t\t},\n\t\thooks: {\n\t\t\tafter: [\n\t\t\t\t{\n\t\t\t\t\tmatcher() {\n\t\t\t\t\t\treturn true;\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\tconst lastUsedLoginMethod =\n\t\t\t\t\t\t\tconfig.customResolveMethod?.(ctx) ?? defaultResolveMethod(ctx);\n\t\t\t\t\t\tif (lastUsedLoginMethod) {\n\t\t\t\t\t\t\tconst setCookie = ctx.context.responseHeaders?.get(\"set-cookie\");\n\t\t\t\t\t\t\tconst sessionTokenName =\n\t\t\t\t\t\t\t\tctx.context.authCookies.sessionToken.name;\n\t\t\t\t\t\t\tconst hasSessionToken =\n\t\t\t\t\t\t\t\tsetCookie && setCookie.includes(sessionTokenName);\n\t\t\t\t\t\t\tif (hasSessionToken) {\n\t\t\t\t\t\t\t\t// Inherit cookie attributes from Better Auth's centralized cookie system\n\t\t\t\t\t\t\t\t// This ensures consistency with cross-origin, cross-subdomain, and security settings\n\t\t\t\t\t\t\t\tconst cookieAttributes = {\n\t\t\t\t\t\t\t\t\t...ctx.context.authCookies.sessionToken.attributes,\n\t\t\t\t\t\t\t\t\tmaxAge: config.maxAge,\n\t\t\t\t\t\t\t\t\thttpOnly: false, // Override: plugin cookies are not httpOnly\n\t\t\t\t\t\t\t\t};\n\n\t\t\t\t\t\t\t\tctx.setCookie(\n\t\t\t\t\t\t\t\t\tconfig.cookieName,\n\t\t\t\t\t\t\t\t\tlastUsedLoginMethod,\n\t\t\t\t\t\t\t\t\tcookieAttributes,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t\tschema: (config.storeInDatabase\n\t\t\t? {\n\t\t\t\t\tuser: {\n\t\t\t\t\t\tfields: {\n\t\t\t\t\t\t\tlastLoginMethod: {\n\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\tinput: false,\n\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\tfieldName:\n\t\t\t\t\t\t\t\t\tconfig.schema?.user?.lastLoginMethod || \"lastLoginMethod\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t}\n\t\t\t: undefined) as O[\"storeInDatabase\"] extends true\n\t\t\t? {\n\t\t\t\t\tuser: {\n\t\t\t\t\t\tfields: {\n\t\t\t\t\t\t\tlastLoginMethod: {\n\t\t\t\t\t\t\t\ttype: \"string\";\n\t\t\t\t\t\t\t\trequired: false;\n\t\t\t\t\t\t\t\tinput: false;\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t};\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t: undefined,\n\t\toptions: userConfig as NoInfer<O>,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;AAwDA,MAAa,mBACZ,eACI;CACJ,MAAM,wBAAwB,QAAgC;AAE7D,MACC,IAAI,KAAK,WAAW,aAAa,IACjC,IAAI,KAAK,WAAW,oBAAoB,CAExC,QACC,IAAI,QAAQ,MAAM,IAAI,QAAQ,cAAc,IAAI,KAAK,MAAM,IAAI,CAAC,KAAK;AAIvE,MAAI,IAAI,SAAS,oBAAoB,IAAI,SAAS,iBACjD,QAAO;AAER,MAAI,IAAI,KAAK,SAAS,OAAO,CAAE,QAAO;AACtC,MAAI,IAAI,KAAK,SAAS,iCAAiC,CAAE,QAAO;AAChE,SAAO;;CAGR,MAAM,SAAS;EACd,YAAY;EACZ,QAAQ,OAAU,KAAK;EACvB,GAAG;EACH;AAED,QAAO;EACN,IAAI;EACJ,KAAK,KAAK;AACT,UAAO,EACN,SAAS,EACR,eAAe;IACd,MAAM,EACL,QAAQ,EACP,MAAM,OAAO,MAAM,SAAS;AAC3B,SAAI,CAAC,OAAO,gBAAiB;AAC7B,SAAI,CAAC,QAAS;KACd,MAAM,sBACL,OAAO,sBAAsB,QAAQ,IACrC,qBAAqB,QAAQ;AAC9B,SAAI,oBACH,QAAO,EACN,MAAM;MACL,GAAG;MACH,iBAAiB;MACjB,EACD;OAGH,EACD;IACD,SAAS,EACR,QAAQ,EACP,MAAM,MAAM,SAAS,SAAS;AAC7B,SAAI,CAAC,OAAO,gBAAiB;AAC7B,SAAI,CAAC,QAAS;KACd,MAAM,sBACL,OAAO,sBAAsB,QAAQ,IACrC,qBAAqB,QAAQ;AAC9B,SAAI,uBAAuB,SAAS,OACnC,KAAI;AACH,YAAM,IAAI,gBAAgB,WAAW,QAAQ,QAAQ,EACpD,iBAAiB,qBACjB,CAAC;cACM,OAAO;AACf,UAAI,OAAO,MACV,oCACA,MACA;;OAIJ,EACD;IACD,EACD,EACD;;EAEF,OAAO,EACN,OAAO,CACN;GACC,UAAU;AACT,WAAO;;GAER,SAAS,qBAAqB,OAAO,QAAQ;IAC5C,MAAM,sBACL,OAAO,sBAAsB,IAAI,IAAI,qBAAqB,IAAI;AAC/D,QAAI,qBAAqB;KACxB,MAAM,YAAY,IAAI,QAAQ,iBAAiB,IAAI,aAAa;KAChE,MAAM,mBACL,IAAI,QAAQ,YAAY,aAAa;AAGtC,SADC,aAAa,UAAU,SAAS,iBAAiB,EAC7B;MAGpB,MAAM,mBAAmB;OACxB,GAAG,IAAI,QAAQ,YAAY,aAAa;OACxC,QAAQ,OAAO;OACf,UAAU;OACV;AAED,UAAI,UACH,OAAO,YACP,qBACA,iBACA;;;KAGF;GACF,CACD,EACD;EACD,QAAS,OAAO,kBACb,EACA,MAAM,EACL,QAAQ,EACP,iBAAiB;GAChB,MAAM;GACN,OAAO;GACP,UAAU;GACV,WACC,OAAO,QAAQ,MAAM,mBAAmB;GACzC,EACD,EACD,EACD,GACA;EAaH,SAAS;EACT"}

package/dist/plugins/magic-link/client.d.mts

@@ -0,0 +1,5 @@
+//#region src/plugins/magic-link/client.d.ts
+declare const magicLinkClient: () => BetterAuthClientPlugin;
+//#endregion
+export { magicLinkClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/plugins/magic-link/client.mjs

@@ -0,0 +1,11 @@
+//#region src/plugins/magic-link/client.ts
+const magicLinkClient = () => {
+	return {
+		id: "magic-link",
+		$InferServerPlugin: {}
+	};
+};
+
+//#endregion
+export { magicLinkClient };
+//# sourceMappingURL=client.mjs.map

package/dist/plugins/magic-link/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../../../src/plugins/magic-link/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"@better-auth/core\";\nimport type { magicLink } from \".\";\n\nexport const magicLinkClient = () => {\n\treturn {\n\t\tid: \"magic-link\",\n\t\t$InferServerPlugin: {} as ReturnType<typeof magicLink>,\n\t} satisfies BetterAuthClientPlugin;\n};\n"],"mappings":";AAGA,MAAa,wBAAwB;AACpC,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EACtB"}

package/dist/plugins/magic-link/index.d.mts

@@ -0,0 +1,61 @@
+import { Awaitable, GenericEndpointContext } from "@better-auth/core";
+
+//#region src/plugins/magic-link/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    "magic-link": {
+      creator: typeof magicLink;
+    };
+  }
+}
+interface MagicLinkOptions {
+  /**
+   * Time in seconds until the magic link expires.
+   * @default (60 * 5) // 5 minutes
+   */
+  expiresIn?: number | undefined;
+  /**
+   * Send magic link implementation.
+   */
+  sendMagicLink: (data: {
+    email: string;
+    url: string;
+    token: string;
+  }, ctx?: GenericEndpointContext | undefined) => Awaitable<void>;
+  /**
+   * Disable sign up if user is not found.
+   *
+   * @default false
+   */
+  disableSignUp?: boolean | undefined;
+  /**
+   * Rate limit configuration.
+   *
+   * @default {
+   *  window: 60,
+   *  max: 5,
+   * }
+   */
+  rateLimit?: {
+    window: number;
+    max: number;
+  } | undefined;
+  /**
+   * Custom function to generate a token
+   */
+  generateToken?: ((email: string) => Awaitable<string>) | undefined;
+  /**
+   * This option allows you to configure how the token is stored in your database.
+   * Note: This will not affect the token that's sent, it will only affect the token stored in your database.
+   *
+   * @default "plain"
+   */
+  storeToken?: ("plain" | "hashed" | {
+    type: "custom-hasher";
+    hash: (token: string) => Promise<string>;
+  }) | undefined;
+}
+declare const magicLink: (options: MagicLinkOptions) => BetterAuthPlugin;
+//#endregion
+export { MagicLinkOptions, magicLink };
+//# sourceMappingURL=index.d.mts.map

package/dist/plugins/magic-link/index.mjs

@@ -0,0 +1,167 @@
+import { originCheck } from "../../api/middlewares/origin-check.mjs";
+import { generateRandomString } from "../../crypto/random.mjs";
+import "../../crypto/index.mjs";
+import { parseUserOutput } from "../../db/schema.mjs";
+import { setSessionCookie } from "../../cookies/index.mjs";
+import "../../api/index.mjs";
+import { defaultKeyHasher } from "./utils.mjs";
+import { createAuthEndpoint } from "@better-auth/core/api";
+import * as z from "zod";
+
+//#region src/plugins/magic-link/index.ts
+const signInMagicLinkBodySchema = z.object({
+	email: z.email().meta({ description: "Email address to send the magic link" }),
+	name: z.string().meta({ description: "User display name. Only used if the user is registering for the first time. Eg: \"my-name\"" }).optional(),
+	callbackURL: z.string().meta({ description: "URL to redirect after magic link verification" }).optional(),
+	newUserCallbackURL: z.string().meta({ description: "URL to redirect after new user signup. Only used if the user is registering for the first time." }).optional(),
+	errorCallbackURL: z.string().meta({ description: "URL to redirect after error." }).optional()
+});
+const magicLinkVerifyQuerySchema = z.object({
+	token: z.string().meta({ description: "Verification token" }),
+	callbackURL: z.string().meta({ description: "URL to redirect after magic link verification, if not provided the user will be redirected to the root URL. Eg: \"/dashboard\"" }).optional(),
+	errorCallbackURL: z.string().meta({ description: "URL to redirect after error." }).optional(),
+	newUserCallbackURL: z.string().meta({ description: "URL to redirect after new user signup. Only used if the user is registering for the first time." }).optional()
+});
+const magicLink = (options) => {
+	const opts = {
+		storeToken: "plain",
+		...options
+	};
+	async function storeToken(ctx, token) {
+		if (opts.storeToken === "hashed") return await defaultKeyHasher(token);
+		if (typeof opts.storeToken === "object" && "type" in opts.storeToken && opts.storeToken.type === "custom-hasher") return await opts.storeToken.hash(token);
+		return token;
+	}
+	return {
+		id: "magic-link",
+		endpoints: {
+			signInMagicLink: createAuthEndpoint("/sign-in/magic-link", {
+				method: "POST",
+				requireHeaders: true,
+				body: signInMagicLinkBodySchema,
+				metadata: { openapi: {
+					operationId: "signInWithMagicLink",
+					description: "Sign in with magic link",
+					responses: { 200: {
+						description: "Success",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: { status: { type: "boolean" } }
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				const { email } = ctx.body;
+				const verificationToken = opts?.generateToken ? await opts.generateToken(email) : generateRandomString(32, "a-z", "A-Z");
+				const storedToken = await storeToken(ctx, verificationToken);
+				await ctx.context.internalAdapter.createVerificationValue({
+					identifier: storedToken,
+					value: JSON.stringify({
+						email,
+						name: ctx.body.name
+					}),
+					expiresAt: new Date(Date.now() + (opts.expiresIn || 300) * 1e3)
+				});
+				const realBaseURL = new URL(ctx.context.baseURL);
+				const pathname = realBaseURL.pathname === "/" ? "" : realBaseURL.pathname;
+				const basePath = pathname ? "" : ctx.context.options.basePath || "";
+				const url = new URL(`${pathname}${basePath}/magic-link/verify`, realBaseURL.origin);
+				url.searchParams.set("token", verificationToken);
+				url.searchParams.set("callbackURL", ctx.body.callbackURL || "/");
+				if (ctx.body.newUserCallbackURL) url.searchParams.set("newUserCallbackURL", ctx.body.newUserCallbackURL);
+				if (ctx.body.errorCallbackURL) url.searchParams.set("errorCallbackURL", ctx.body.errorCallbackURL);
+				await options.sendMagicLink({
+					email,
+					url: url.toString(),
+					token: verificationToken
+				}, ctx);
+				return ctx.json({ status: true });
+			}),
+			magicLinkVerify: createAuthEndpoint("/magic-link/verify", {
+				method: "GET",
+				query: magicLinkVerifyQuerySchema,
+				use: [
+					originCheck((ctx) => {
+						return ctx.query.callbackURL ? decodeURIComponent(ctx.query.callbackURL) : "/";
+					}),
+					originCheck((ctx) => {
+						return ctx.query.newUserCallbackURL ? decodeURIComponent(ctx.query.newUserCallbackURL) : "/";
+					}),
+					originCheck((ctx) => {
+						return ctx.query.errorCallbackURL ? decodeURIComponent(ctx.query.errorCallbackURL) : "/";
+					})
+				],
+				requireHeaders: true,
+				metadata: { openapi: {
+					operationId: "verifyMagicLink",
+					description: "Verify magic link",
+					responses: { 200: {
+						description: "Success",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: {
+								session: { $ref: "#/components/schemas/Session" },
+								user: { $ref: "#/components/schemas/User" }
+							}
+						} } }
+					} }
+				} }
+			}, async (ctx) => {
+				const token = ctx.query.token;
+				const callbackURL = new URL(ctx.query.callbackURL ? decodeURIComponent(ctx.query.callbackURL) : "/", ctx.context.baseURL).toString();
+				const errorCallbackURL = new URL(ctx.query.errorCallbackURL ? decodeURIComponent(ctx.query.errorCallbackURL) : callbackURL, ctx.context.baseURL);
+				function redirectWithError(error) {
+					errorCallbackURL.searchParams.set("error", error);
+					throw ctx.redirect(errorCallbackURL.toString());
+				}
+				const newUserCallbackURL = new URL(ctx.query.newUserCallbackURL ? decodeURIComponent(ctx.query.newUserCallbackURL) : callbackURL, ctx.context.baseURL).toString();
+				const storedToken = await storeToken(ctx, token);
+				const tokenValue = await ctx.context.internalAdapter.findVerificationValue(storedToken);
+				if (!tokenValue) redirectWithError("INVALID_TOKEN");
+				if (tokenValue.expiresAt < /* @__PURE__ */ new Date()) {
+					await ctx.context.internalAdapter.deleteVerificationValue(tokenValue.id);
+					redirectWithError("EXPIRED_TOKEN");
+				}
+				await ctx.context.internalAdapter.deleteVerificationValue(tokenValue.id);
+				const { email, name } = JSON.parse(tokenValue.value);
+				let isNewUser = false;
+				let user = await ctx.context.internalAdapter.findUserByEmail(email).then((res) => res?.user);
+				if (!user) if (!opts.disableSignUp) {
+					const newUser = await ctx.context.internalAdapter.createUser({
+						email,
+						emailVerified: true,
+						name: name || ""
+					});
+					isNewUser = true;
+					user = newUser;
+					if (!user) redirectWithError("failed_to_create_user");
+				} else redirectWithError("new_user_signup_disabled");
+				if (!user.emailVerified) user = await ctx.context.internalAdapter.updateUser(user.id, { emailVerified: true });
+				const session = await ctx.context.internalAdapter.createSession(user.id);
+				if (!session) redirectWithError("failed_to_create_session");
+				await setSessionCookie(ctx, {
+					session,
+					user
+				});
+				if (!ctx.query.callbackURL) return ctx.json({
+					token: session.token,
+					user: parseUserOutput(ctx.context.options, user)
+				});
+				if (isNewUser) throw ctx.redirect(newUserCallbackURL);
+				throw ctx.redirect(callbackURL);
+			})
+		},
+		rateLimit: [{
+			pathMatcher(path) {
+				return path.startsWith("/sign-in/magic-link") || path.startsWith("/magic-link/verify");
+			},
+			window: opts.rateLimit?.window || 60,
+			max: opts.rateLimit?.max || 5
+		}],
+		options
+	};
+};
+
+//#endregion
+export { magicLink };
+//# sourceMappingURL=index.mjs.map

package/dist/plugins/magic-link/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/magic-link/index.ts"],"sourcesContent":["import type {\n\tAwaitable,\n\tBetterAuthPlugin,\n\tGenericEndpointContext,\n} from \"@better-auth/core\";\nimport { createAuthEndpoint } from \"@better-auth/core/api\";\nimport * as z from \"zod\";\nimport { originCheck } from \"../../api\";\nimport { setSessionCookie } from \"../../cookies\";\nimport { generateRandomString } from \"../../crypto\";\nimport { parseUserOutput } from \"../../db/schema\";\nimport { defaultKeyHasher } from \"./utils\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"magic-link\": {\n\t\t\tcreator: typeof magicLink;\n\t\t};\n\t}\n}\n\nexport interface MagicLinkOptions {\n\t/**\n\t * Time in seconds until the magic link expires.\n\t * @default (60 * 5) // 5 minutes\n\t */\n\texpiresIn?: number | undefined;\n\t/**\n\t * Send magic link implementation.\n\t */\n\tsendMagicLink: (\n\t\tdata: {\n\t\t\temail: string;\n\t\t\turl: string;\n\t\t\ttoken: string;\n\t\t},\n\t\tctx?: GenericEndpointContext | undefined,\n\t) => Awaitable<void>;\n\t/**\n\t * Disable sign up if user is not found.\n\t *\n\t * @default false\n\t */\n\tdisableSignUp?: boolean | undefined;\n\t/**\n\t * Rate limit configuration.\n\t *\n\t * @default {\n\t *  window: 60,\n\t *  max: 5,\n\t * }\n\t */\n\trateLimit?:\n\t\t| {\n\t\t\t\twindow: number;\n\t\t\t\tmax: number;\n\t\t  }\n\t\t| undefined;\n\t/**\n\t * Custom function to generate a token\n\t */\n\tgenerateToken?: ((email: string) => Awaitable<string>) | undefined;\n\n\t/**\n\t * This option allows you to configure how the token is stored in your database.\n\t * Note: This will not affect the token that's sent, it will only affect the token stored in your database.\n\t *\n\t * @default \"plain\"\n\t */\n\tstoreToken?:\n\t\t| (\n\t\t\t\t| \"plain\"\n\t\t\t\t| \"hashed\"\n\t\t\t\t| { type: \"custom-hasher\"; hash: (token: string) => Promise<string> }\n\t\t  )\n\t\t| undefined;\n}\n\nconst signInMagicLinkBodySchema = z.object({\n\temail: z.email().meta({\n\t\tdescription: \"Email address to send the magic link\",\n\t}),\n\tname: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'User display name. Only used if the user is registering for the first time. Eg: \"my-name\"',\n\t\t})\n\t\t.optional(),\n\tcallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after magic link verification\",\n\t\t})\n\t\t.optional(),\n\tnewUserCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"URL to redirect after new user signup. Only used if the user is registering for the first time.\",\n\t\t})\n\t\t.optional(),\n\terrorCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after error.\",\n\t\t})\n\t\t.optional(),\n});\nconst magicLinkVerifyQuerySchema = z.object({\n\ttoken: z.string().meta({\n\t\tdescription: \"Verification token\",\n\t}),\n\tcallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'URL to redirect after magic link verification, if not provided the user will be redirected to the root URL. Eg: \"/dashboard\"',\n\t\t})\n\t\t.optional(),\n\terrorCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after error.\",\n\t\t})\n\t\t.optional(),\n\tnewUserCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"URL to redirect after new user signup. Only used if the user is registering for the first time.\",\n\t\t})\n\t\t.optional(),\n});\nexport const magicLink = (options: MagicLinkOptions) => {\n\tconst opts = {\n\t\tstoreToken: \"plain\",\n\t\t...options,\n\t} satisfies MagicLinkOptions;\n\n\tasync function storeToken(ctx: GenericEndpointContext, token: string) {\n\t\tif (opts.storeToken === \"hashed\") {\n\t\t\treturn await defaultKeyHasher(token);\n\t\t}\n\t\tif (\n\t\t\ttypeof opts.storeToken === \"object\" &&\n\t\t\t\"type\" in opts.storeToken &&\n\t\t\topts.storeToken.type === \"custom-hasher\"\n\t\t) {\n\t\t\treturn await opts.storeToken.hash(token);\n\t\t}\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tid: \"magic-link\",\n\t\tendpoints: {\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/sign-in/magic-link`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.signInMagicLink`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.signIn.magicLink`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/sign-in#api-method-sign-in-magic-link)\n\t\t\t */\n\t\t\tsignInMagicLink: createAuthEndpoint(\n\t\t\t\t\"/sign-in/magic-link\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\trequireHeaders: true,\n\t\t\t\t\tbody: signInMagicLinkBodySchema,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\toperationId: \"signInWithMagicLink\",\n\t\t\t\t\t\t\tdescription: \"Sign in with magic link\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst { email } = ctx.body;\n\n\t\t\t\t\tconst verificationToken = opts?.generateToken\n\t\t\t\t\t\t? await opts.generateToken(email)\n\t\t\t\t\t\t: generateRandomString(32, \"a-z\", \"A-Z\");\n\t\t\t\t\tconst storedToken = await storeToken(ctx, verificationToken);\n\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\tidentifier: storedToken,\n\t\t\t\t\t\tvalue: JSON.stringify({ email, name: ctx.body.name }),\n\t\t\t\t\t\texpiresAt: new Date(Date.now() + (opts.expiresIn || 60 * 5) * 1000),\n\t\t\t\t\t});\n\t\t\t\t\tconst realBaseURL = new URL(ctx.context.baseURL);\n\t\t\t\t\tconst pathname =\n\t\t\t\t\t\trealBaseURL.pathname === \"/\" ? \"\" : realBaseURL.pathname;\n\t\t\t\t\tconst basePath = pathname ? \"\" : ctx.context.options.basePath || \"\";\n\t\t\t\t\tconst url = new URL(\n\t\t\t\t\t\t`${pathname}${basePath}/magic-link/verify`,\n\t\t\t\t\t\trealBaseURL.origin,\n\t\t\t\t\t);\n\t\t\t\t\turl.searchParams.set(\"token\", verificationToken);\n\t\t\t\t\turl.searchParams.set(\"callbackURL\", ctx.body.callbackURL || \"/\");\n\t\t\t\t\tif (ctx.body.newUserCallbackURL) {\n\t\t\t\t\t\turl.searchParams.set(\n\t\t\t\t\t\t\t\"newUserCallbackURL\",\n\t\t\t\t\t\t\tctx.body.newUserCallbackURL,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tif (ctx.body.errorCallbackURL) {\n\t\t\t\t\t\turl.searchParams.set(\"errorCallbackURL\", ctx.body.errorCallbackURL);\n\t\t\t\t\t}\n\t\t\t\t\tawait options.sendMagicLink(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\turl: url.toString(),\n\t\t\t\t\t\t\ttoken: verificationToken,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tctx,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\tstatus: true,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * GET `/magic-link/verify`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.magicLinkVerify`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.magicLink.verify`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/magic-link#api-method-magic-link-verify)\n\t\t\t */\n\t\t\tmagicLinkVerify: createAuthEndpoint(\n\t\t\t\t\"/magic-link/verify\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tquery: magicLinkVerifyQuerySchema,\n\t\t\t\t\tuse: [\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.callbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.callbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.newUserCallbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.newUserCallbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.errorCallbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.errorCallbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t],\n\t\t\t\t\trequireHeaders: true,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\toperationId: \"verifyMagicLink\",\n\t\t\t\t\t\t\tdescription: \"Verify magic link\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/Session\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst token = ctx.query.token;\n\t\t\t\t\t// If the first argument provides the origin, it will ignore the second argument of `new URL`.\n\t\t\t\t\t// new URL(\"http://localhost:3001/hello\", \"http://localhost:3000\").toString()\n\t\t\t\t\t// Returns http://localhost:3001/hello\n\t\t\t\t\tconst callbackURL = new URL(\n\t\t\t\t\t\tctx.query.callbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.callbackURL)\n\t\t\t\t\t\t\t: \"/\",\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t).toString();\n\t\t\t\t\tconst errorCallbackURL = new URL(\n\t\t\t\t\t\tctx.query.errorCallbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.errorCallbackURL)\n\t\t\t\t\t\t\t: callbackURL,\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t);\n\n\t\t\t\t\tfunction redirectWithError(error: string): never {\n\t\t\t\t\t\terrorCallbackURL.searchParams.set(\"error\", error);\n\t\t\t\t\t\tthrow ctx.redirect(errorCallbackURL.toString());\n\t\t\t\t\t}\n\n\t\t\t\t\tconst newUserCallbackURL = new URL(\n\t\t\t\t\t\tctx.query.newUserCallbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.newUserCallbackURL)\n\t\t\t\t\t\t\t: callbackURL,\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t).toString();\n\t\t\t\t\tconst storedToken = await storeToken(ctx, token);\n\t\t\t\t\tconst tokenValue =\n\t\t\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t);\n\t\t\t\t\tif (!tokenValue) {\n\t\t\t\t\t\tredirectWithError(\"INVALID_TOKEN\");\n\t\t\t\t\t}\n\t\t\t\t\tif (tokenValue.expiresAt < new Date()) {\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\t\ttokenValue.id,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tredirectWithError(\"EXPIRED_TOKEN\");\n\t\t\t\t\t}\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\ttokenValue.id,\n\t\t\t\t\t);\n\t\t\t\t\tconst { email, name } = JSON.parse(tokenValue.value) as {\n\t\t\t\t\t\temail: string;\n\t\t\t\t\t\tname?: string | undefined;\n\t\t\t\t\t};\n\t\t\t\t\tlet isNewUser = false;\n\t\t\t\t\tlet user = await ctx.context.internalAdapter\n\t\t\t\t\t\t.findUserByEmail(email)\n\t\t\t\t\t\t.then((res) => res?.user);\n\n\t\t\t\t\tif (!user) {\n\t\t\t\t\t\tif (!opts.disableSignUp) {\n\t\t\t\t\t\t\tconst newUser = await ctx.context.internalAdapter.createUser({\n\t\t\t\t\t\t\t\temail: email,\n\t\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t\t\tname: name || \"\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tisNewUser = true;\n\t\t\t\t\t\t\tuser = newUser;\n\t\t\t\t\t\t\tif (!user) {\n\t\t\t\t\t\t\t\tredirectWithError(\"failed_to_create_user\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tredirectWithError(\"new_user_signup_disabled\");\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!user.emailVerified) {\n\t\t\t\t\t\tuser = await ctx.context.internalAdapter.updateUser(user.id, {\n\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tuser.id,\n\t\t\t\t\t);\n\n\t\t\t\t\tif (!session) {\n\t\t\t\t\t\tredirectWithError(\"failed_to_create_session\");\n\t\t\t\t\t}\n\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession,\n\t\t\t\t\t\tuser,\n\t\t\t\t\t});\n\t\t\t\t\tif (!ctx.query.callbackURL) {\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\ttoken: session.token,\n\t\t\t\t\t\t\tuser: parseUserOutput(ctx.context.options, user),\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (isNewUser) {\n\t\t\t\t\t\tthrow ctx.redirect(newUserCallbackURL);\n\t\t\t\t\t}\n\t\t\t\t\tthrow ctx.redirect(callbackURL);\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\trateLimit: [\n\t\t\t{\n\t\t\t\tpathMatcher(path) {\n\t\t\t\t\treturn (\n\t\t\t\t\t\tpath.startsWith(\"/sign-in/magic-link\") ||\n\t\t\t\t\t\tpath.startsWith(\"/magic-link/verify\")\n\t\t\t\t\t);\n\t\t\t\t},\n\t\t\t\twindow: opts.rateLimit?.window || 60,\n\t\t\t\tmax: opts.rateLimit?.max || 5,\n\t\t\t},\n\t\t],\n\t\toptions,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;;;;AA8EA,MAAM,4BAA4B,EAAE,OAAO;CAC1C,OAAO,EAAE,OAAO,CAAC,KAAK,EACrB,aAAa,wCACb,CAAC;CACF,MAAM,EACJ,QAAQ,CACR,KAAK,EACL,aACC,+FACD,CAAC,CACD,UAAU;CACZ,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aAAa,iDACb,CAAC,CACD,UAAU;CACZ,oBAAoB,EAClB,QAAQ,CACR,KAAK,EACL,aACC,mGACD,CAAC,CACD,UAAU;CACZ,kBAAkB,EAChB,QAAQ,CACR,KAAK,EACL,aAAa,gCACb,CAAC,CACD,UAAU;CACZ,CAAC;AACF,MAAM,6BAA6B,EAAE,OAAO;CAC3C,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,sBACb,CAAC;CACF,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aACC,kIACD,CAAC,CACD,UAAU;CACZ,kBAAkB,EAChB,QAAQ,CACR,KAAK,EACL,aAAa,gCACb,CAAC,CACD,UAAU;CACZ,oBAAoB,EAClB,QAAQ,CACR,KAAK,EACL,aACC,mGACD,CAAC,CACD,UAAU;CACZ,CAAC;AACF,MAAa,aAAa,YAA8B;CACvD,MAAM,OAAO;EACZ,YAAY;EACZ,GAAG;EACH;CAED,eAAe,WAAW,KAA6B,OAAe;AACrE,MAAI,KAAK,eAAe,SACvB,QAAO,MAAM,iBAAiB,MAAM;AAErC,MACC,OAAO,KAAK,eAAe,YAC3B,UAAU,KAAK,cACf,KAAK,WAAW,SAAS,gBAEzB,QAAO,MAAM,KAAK,WAAW,KAAK,MAAM;AAEzC,SAAO;;AAGR,QAAO;EACN,IAAI;EACJ,WAAW;GAgBV,iBAAiB,mBAChB,uBACA;IACC,QAAQ;IACR,gBAAgB;IAChB,MAAM;IACN,UAAU,EACT,SAAS;KACR,aAAa;KACb,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,EAAE,UAAU,IAAI;IAEtB,MAAM,oBAAoB,MAAM,gBAC7B,MAAM,KAAK,cAAc,MAAM,GAC/B,qBAAqB,IAAI,OAAO,MAAM;IACzC,MAAM,cAAc,MAAM,WAAW,KAAK,kBAAkB;AAC5D,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,YAAY;KACZ,OAAO,KAAK,UAAU;MAAE;MAAO,MAAM,IAAI,KAAK;MAAM,CAAC;KACrD,WAAW,IAAI,KAAK,KAAK,KAAK,IAAI,KAAK,aAAa,OAAU,IAAK;KACnE,CAAC;IACF,MAAM,cAAc,IAAI,IAAI,IAAI,QAAQ,QAAQ;IAChD,MAAM,WACL,YAAY,aAAa,MAAM,KAAK,YAAY;IACjD,MAAM,WAAW,WAAW,KAAK,IAAI,QAAQ,QAAQ,YAAY;IACjE,MAAM,MAAM,IAAI,IACf,GAAG,WAAW,SAAS,qBACvB,YAAY,OACZ;AACD,QAAI,aAAa,IAAI,SAAS,kBAAkB;AAChD,QAAI,aAAa,IAAI,eAAe,IAAI,KAAK,eAAe,IAAI;AAChE,QAAI,IAAI,KAAK,mBACZ,KAAI,aAAa,IAChB,sBACA,IAAI,KAAK,mBACT;AAEF,QAAI,IAAI,KAAK,iBACZ,KAAI,aAAa,IAAI,oBAAoB,IAAI,KAAK,iBAAiB;AAEpE,UAAM,QAAQ,cACb;KACC;KACA,KAAK,IAAI,UAAU;KACnB,OAAO;KACP,EACD,IACA;AACD,WAAO,IAAI,KAAK,EACf,QAAQ,MACR,CAAC;KAEH;GAgBD,iBAAiB,mBAChB,sBACA;IACC,QAAQ;IACR,OAAO;IACP,KAAK;KACJ,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,cACd,mBAAmB,IAAI,MAAM,YAAY,GACzC;OACF;KACF,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,qBACd,mBAAmB,IAAI,MAAM,mBAAmB,GAChD;OACF;KACF,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,mBACd,mBAAmB,IAAI,MAAM,iBAAiB,GAC9C;OACF;KACF;IACD,gBAAgB;IAChB,UAAU,EACT,SAAS;KACR,aAAa;KACb,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,SAAS,EACR,MAAM,gCACN;QACD,MAAM,EACL,MAAM,6BACN;QACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,QAAQ,IAAI,MAAM;IAIxB,MAAM,cAAc,IAAI,IACvB,IAAI,MAAM,cACP,mBAAmB,IAAI,MAAM,YAAY,GACzC,KACH,IAAI,QAAQ,QACZ,CAAC,UAAU;IACZ,MAAM,mBAAmB,IAAI,IAC5B,IAAI,MAAM,mBACP,mBAAmB,IAAI,MAAM,iBAAiB,GAC9C,aACH,IAAI,QAAQ,QACZ;IAED,SAAS,kBAAkB,OAAsB;AAChD,sBAAiB,aAAa,IAAI,SAAS,MAAM;AACjD,WAAM,IAAI,SAAS,iBAAiB,UAAU,CAAC;;IAGhD,MAAM,qBAAqB,IAAI,IAC9B,IAAI,MAAM,qBACP,mBAAmB,IAAI,MAAM,mBAAmB,GAChD,aACH,IAAI,QAAQ,QACZ,CAAC,UAAU;IACZ,MAAM,cAAc,MAAM,WAAW,KAAK,MAAM;IAChD,MAAM,aACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,YACA;AACF,QAAI,CAAC,WACJ,mBAAkB,gBAAgB;AAEnC,QAAI,WAAW,4BAAY,IAAI,MAAM,EAAE;AACtC,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;AACD,uBAAkB,gBAAgB;;AAEnC,UAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;IACD,MAAM,EAAE,OAAO,SAAS,KAAK,MAAM,WAAW,MAAM;IAIpD,IAAI,YAAY;IAChB,IAAI,OAAO,MAAM,IAAI,QAAQ,gBAC3B,gBAAgB,MAAM,CACtB,MAAM,QAAQ,KAAK,KAAK;AAE1B,QAAI,CAAC,KACJ,KAAI,CAAC,KAAK,eAAe;KACxB,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,WAAW;MACrD;MACP,eAAe;MACf,MAAM,QAAQ;MACd,CAAC;AACF,iBAAY;AACZ,YAAO;AACP,SAAI,CAAC,KACJ,mBAAkB,wBAAwB;UAG3C,mBAAkB,2BAA2B;AAI/C,QAAI,CAAC,KAAK,cACT,QAAO,MAAM,IAAI,QAAQ,gBAAgB,WAAW,KAAK,IAAI,EAC5D,eAAe,MACf,CAAC;IAGH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,KAAK,GACL;AAED,QAAI,CAAC,QACJ,mBAAkB,2BAA2B;AAG9C,UAAM,iBAAiB,KAAK;KAC3B;KACA;KACA,CAAC;AACF,QAAI,CAAC,IAAI,MAAM,YACd,QAAO,IAAI,KAAK;KACf,OAAO,QAAQ;KACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,KAAK;KAChD,CAAC;AAEH,QAAI,UACH,OAAM,IAAI,SAAS,mBAAmB;AAEvC,UAAM,IAAI,SAAS,YAAY;KAEhC;GACD;EACD,WAAW,CACV;GACC,YAAY,MAAM;AACjB,WACC,KAAK,WAAW,sBAAsB,IACtC,KAAK,WAAW,qBAAqB;;GAGvC,QAAQ,KAAK,WAAW,UAAU;GAClC,KAAK,KAAK,WAAW,OAAO;GAC5B,CACD;EACD;EACA"}