@hammadj/better-auth 1.5.0-beta.9

package/dist/cookies/index.mjs

@@ -0,0 +1,264 @@
+import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "../crypto/jwt.mjs";
+import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
+import { parseUserOutput } from "../db/schema.mjs";
+import { getDate } from "../utils/date.mjs";
+import { isPromise } from "../utils/is-promise.mjs";
+import { sec } from "../utils/time.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, splitSetCookieHeader, stripSecureCookiePrefix } from "./cookie-utils.mjs";
+import { env, isProduction } from "@better-auth/core/env";
+import { BetterAuthError } from "@better-auth/core/error";
+import { safeJSONParse } from "@better-auth/core/utils/json";
+import { filterOutputFields } from "@better-auth/core/utils/db";
+import { base64Url } from "@better-auth/utils/base64";
+import { binary } from "@better-auth/utils/binary";
+import { createHMAC } from "@better-auth/utils/hmac";
+
+//#region src/cookies/index.ts
+function createCookieGetter(options) {
+	const secureCookiePrefix = (options.advanced?.useSecureCookies !== void 0 ? options.advanced?.useSecureCookies : options.baseURL ? options.baseURL.startsWith("https://") ? true : false : isProduction) ? SECURE_COOKIE_PREFIX : "";
+	const crossSubdomainEnabled = !!options.advanced?.crossSubDomainCookies?.enabled;
+	const domain = crossSubdomainEnabled ? options.advanced?.crossSubDomainCookies?.domain || (options.baseURL ? new URL(options.baseURL).hostname : void 0) : void 0;
+	if (crossSubdomainEnabled && !domain) throw new BetterAuthError("baseURL is required when crossSubdomainCookies are enabled");
+	function createCookie(cookieName, overrideAttributes = {}) {
+		const prefix = options.advanced?.cookiePrefix || "better-auth";
+		const name = options.advanced?.cookies?.[cookieName]?.name || `${prefix}.${cookieName}`;
+		const attributes = options.advanced?.cookies?.[cookieName]?.attributes ?? {};
+		return {
+			name: `${secureCookiePrefix}${name}`,
+			attributes: {
+				secure: !!secureCookiePrefix,
+				sameSite: "lax",
+				path: "/",
+				httpOnly: true,
+				...crossSubdomainEnabled ? { domain } : {},
+				...options.advanced?.defaultCookieAttributes,
+				...overrideAttributes,
+				...attributes
+			}
+		};
+	}
+	return createCookie;
+}
+function getCookies(options) {
+	const createCookie = createCookieGetter(options);
+	const sessionToken = createCookie("session_token", { maxAge: options.session?.expiresIn || sec("7d") });
+	const sessionData = createCookie("session_data", { maxAge: options.session?.cookieCache?.maxAge || 300 });
+	const accountData = createCookie("account_data", { maxAge: options.session?.cookieCache?.maxAge || 300 });
+	const dontRememberToken = createCookie("dont_remember");
+	return {
+		sessionToken: {
+			name: sessionToken.name,
+			attributes: sessionToken.attributes
+		},
+		sessionData: {
+			name: sessionData.name,
+			attributes: sessionData.attributes
+		},
+		dontRememberToken: {
+			name: dontRememberToken.name,
+			attributes: dontRememberToken.attributes
+		},
+		accountData: {
+			name: accountData.name,
+			attributes: accountData.attributes
+		}
+	};
+}
+async function setCookieCache(ctx, session, dontRememberMe) {
+	if (!ctx.context.options.session?.cookieCache?.enabled) return;
+	const filteredSession = filterOutputFields(session.session, ctx.context.options.session?.additionalFields);
+	const filteredUser = parseUserOutput(ctx.context.options, session.user);
+	const versionConfig = ctx.context.options.session?.cookieCache?.version;
+	let version = "1";
+	if (versionConfig) {
+		if (typeof versionConfig === "string") version = versionConfig;
+		else if (typeof versionConfig === "function") {
+			const result = versionConfig(session.session, session.user);
+			version = isPromise(result) ? await result : result;
+		}
+	}
+	const sessionData = {
+		session: filteredSession,
+		user: filteredUser,
+		updatedAt: Date.now(),
+		version
+	};
+	const options = {
+		...ctx.context.authCookies.sessionData.attributes,
+		maxAge: dontRememberMe ? void 0 : ctx.context.authCookies.sessionData.attributes.maxAge
+	};
+	const expiresAtDate = getDate(options.maxAge || 60, "sec").getTime();
+	const strategy = ctx.context.options.session?.cookieCache?.strategy || "compact";
+	let data;
+	if (strategy === "jwe") data = await symmetricEncodeJWT(sessionData, ctx.context.secret, "better-auth-session", options.maxAge || 300);
+	else if (strategy === "jwt") data = await signJWT(sessionData, ctx.context.secret, options.maxAge || 300);
+	else data = base64Url.encode(JSON.stringify({
+		session: sessionData,
+		expiresAt: expiresAtDate,
+		signature: await createHMAC("SHA-256", "base64urlnopad").sign(ctx.context.secret, JSON.stringify({
+			...sessionData,
+			expiresAt: expiresAtDate
+		}))
+	}), { padding: false });
+	if (data.length > 4093) {
+		const sessionStore = createSessionStore(ctx.context.authCookies.sessionData.name, options, ctx);
+		const cookies = sessionStore.chunk(data, options);
+		sessionStore.setCookies(cookies);
+	} else {
+		const sessionStore = createSessionStore(ctx.context.authCookies.sessionData.name, options, ctx);
+		if (sessionStore.hasChunks()) {
+			const cleanCookies = sessionStore.clean();
+			sessionStore.setCookies(cleanCookies);
+		}
+		ctx.setCookie(ctx.context.authCookies.sessionData.name, data, options);
+	}
+	if (ctx.context.options.account?.storeAccountCookie) {
+		const accountData = await getAccountCookie(ctx);
+		if (accountData) await setAccountCookie(ctx, accountData);
+	}
+}
+async function setSessionCookie(ctx, session, dontRememberMe, overrides) {
+	const dontRememberMeCookie = await ctx.getSignedCookie(ctx.context.authCookies.dontRememberToken.name, ctx.context.secret);
+	dontRememberMe = dontRememberMe !== void 0 ? dontRememberMe : !!dontRememberMeCookie;
+	const options = ctx.context.authCookies.sessionToken.attributes;
+	const maxAge = dontRememberMe ? void 0 : ctx.context.sessionConfig.expiresIn;
+	await ctx.setSignedCookie(ctx.context.authCookies.sessionToken.name, session.session.token, ctx.context.secret, {
+		...options,
+		maxAge,
+		...overrides
+	});
+	if (dontRememberMe) await ctx.setSignedCookie(ctx.context.authCookies.dontRememberToken.name, "true", ctx.context.secret, ctx.context.authCookies.dontRememberToken.attributes);
+	await setCookieCache(ctx, session, dontRememberMe);
+	ctx.context.setNewSession(session);
+}
+/**
+* Expires a cookie by setting `maxAge: 0` while preserving its attributes
+*/
+function expireCookie(ctx, cookie) {
+	ctx.setCookie(cookie.name, "", {
+		...cookie.attributes,
+		maxAge: 0
+	});
+}
+function deleteSessionCookie(ctx, skipDontRememberMe) {
+	expireCookie(ctx, ctx.context.authCookies.sessionToken);
+	expireCookie(ctx, ctx.context.authCookies.sessionData);
+	if (ctx.context.options.account?.storeAccountCookie) {
+		expireCookie(ctx, ctx.context.authCookies.accountData);
+		const accountStore = createAccountStore(ctx.context.authCookies.accountData.name, ctx.context.authCookies.accountData.attributes, ctx);
+		const cleanCookies = accountStore.clean();
+		accountStore.setCookies(cleanCookies);
+	}
+	if (ctx.context.oauthConfig.storeStateStrategy === "cookie") expireCookie(ctx, ctx.context.createAuthCookie("oauth_state"));
+	const sessionStore = createSessionStore(ctx.context.authCookies.sessionData.name, ctx.context.authCookies.sessionData.attributes, ctx);
+	const cleanCookies = sessionStore.clean();
+	sessionStore.setCookies(cleanCookies);
+	if (!skipDontRememberMe) expireCookie(ctx, ctx.context.authCookies.dontRememberToken);
+}
+function parseCookies(cookieHeader) {
+	const cookies = cookieHeader.split("; ");
+	const cookieMap = /* @__PURE__ */ new Map();
+	cookies.forEach((cookie) => {
+		const [name, value] = cookie.split(/=(.*)/s);
+		cookieMap.set(name, value);
+	});
+	return cookieMap;
+}
+const getSessionCookie = (request, config) => {
+	if (config?.cookiePrefix) if (config.cookieName) config.cookiePrefix = `${config.cookiePrefix}-`;
+	else config.cookiePrefix = `${config.cookiePrefix}.`;
+	const cookies = ("headers" in request ? request.headers : request).get("cookie");
+	if (!cookies) return null;
+	const { cookieName = "session_token", cookiePrefix = "better-auth." } = config || {};
+	const name = `${cookiePrefix}${cookieName}`;
+	const secureCookieName = `${SECURE_COOKIE_PREFIX}${name}`;
+	const parsedCookie = parseCookies(cookies);
+	const sessionToken = parsedCookie.get(name) || parsedCookie.get(secureCookieName);
+	if (sessionToken) return sessionToken;
+	return null;
+};
+const getCookieCache = async (request, config) => {
+	const cookies = (request instanceof Headers ? request : request.headers).get("cookie");
+	if (!cookies) return null;
+	const { cookieName = "session_data", cookiePrefix = "better-auth" } = config || {};
+	const name = config?.isSecure !== void 0 ? config.isSecure ? `${SECURE_COOKIE_PREFIX}${cookiePrefix}.${cookieName}` : `${cookiePrefix}.${cookieName}` : isProduction ? `${SECURE_COOKIE_PREFIX}${cookiePrefix}.${cookieName}` : `${cookiePrefix}.${cookieName}`;
+	const parsedCookie = parseCookies(cookies);
+	let sessionData = parsedCookie.get(name);
+	if (!sessionData) {
+		const chunks = [];
+		for (const [cookieName, value] of parsedCookie.entries()) if (cookieName.startsWith(name + ".")) {
+			const parts = cookieName.split(".");
+			const indexStr = parts[parts.length - 1];
+			const index = parseInt(indexStr || "0", 10);
+			if (!isNaN(index)) chunks.push({
+				index,
+				value
+			});
+		}
+		if (chunks.length > 0) {
+			chunks.sort((a, b) => a.index - b.index);
+			sessionData = chunks.map((c) => c.value).join("");
+		}
+	}
+	if (sessionData) {
+		const secret = config?.secret || env.BETTER_AUTH_SECRET;
+		if (!secret) throw new BetterAuthError("getCookieCache requires a secret to be provided. Either pass it as an option or set the BETTER_AUTH_SECRET environment variable");
+		const strategy = config?.strategy || "compact";
+		if (strategy === "jwe") {
+			const payload = await symmetricDecodeJWT(sessionData, secret, "better-auth-session");
+			if (payload && payload.session && payload.user) {
+				if (config?.version) {
+					const cookieVersion = payload.version || "1";
+					let expectedVersion = "1";
+					if (typeof config.version === "string") expectedVersion = config.version;
+					else if (typeof config.version === "function") {
+						const result = config.version(payload.session, payload.user);
+						expectedVersion = isPromise(result) ? await result : result;
+					}
+					if (cookieVersion !== expectedVersion) return null;
+				}
+				return payload;
+			}
+			return null;
+		} else if (strategy === "jwt") {
+			const payload = await verifyJWT(sessionData, secret);
+			if (payload && payload.session && payload.user) {
+				if (config?.version) {
+					const cookieVersion = payload.version || "1";
+					let expectedVersion = "1";
+					if (typeof config.version === "string") expectedVersion = config.version;
+					else if (typeof config.version === "function") {
+						const result = config.version(payload.session, payload.user);
+						expectedVersion = isPromise(result) ? await result : result;
+					}
+					if (cookieVersion !== expectedVersion) return null;
+				}
+				return payload;
+			}
+			return null;
+		} else {
+			const sessionDataPayload = safeJSONParse(binary.decode(base64Url.decode(sessionData)));
+			if (!sessionDataPayload) return null;
+			if (!await createHMAC("SHA-256", "base64urlnopad").verify(secret, JSON.stringify({
+				...sessionDataPayload.session,
+				expiresAt: sessionDataPayload.expiresAt
+			}), sessionDataPayload.signature)) return null;
+			if (config?.version && sessionDataPayload.session) {
+				const cookieVersion = sessionDataPayload.session.version || "1";
+				let expectedVersion = "1";
+				if (typeof config.version === "string") expectedVersion = config.version;
+				else if (typeof config.version === "function") {
+					const result = config.version(sessionDataPayload.session.session, sessionDataPayload.session.user);
+					expectedVersion = isPromise(result) ? await result : result;
+				}
+				if (cookieVersion !== expectedVersion) return null;
+			}
+			return sessionDataPayload.session;
+		}
+	}
+	return null;
+};
+
+//#endregion
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix };
+//# sourceMappingURL=index.mjs.map

package/dist/cookies/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/cookies/index.ts"],"sourcesContent":["import type {\n\tBetterAuthCookie,\n\tBetterAuthCookies,\n\tBetterAuthOptions,\n\tGenericEndpointContext,\n} from \"@better-auth/core\";\nimport { env, isProduction } from \"@better-auth/core/env\";\nimport { BetterAuthError } from \"@better-auth/core/error\";\nimport { filterOutputFields } from \"@better-auth/core/utils/db\";\nimport { safeJSONParse } from \"@better-auth/core/utils/json\";\nimport { base64Url } from \"@better-auth/utils/base64\";\nimport { binary } from \"@better-auth/utils/binary\";\nimport { createHMAC } from \"@better-auth/utils/hmac\";\nimport type { CookieOptions } from \"better-call\";\nimport {\n\tsignJWT,\n\tsymmetricDecodeJWT,\n\tsymmetricEncodeJWT,\n\tverifyJWT,\n} from \"../crypto/jwt\";\nimport { parseUserOutput } from \"../db/schema\";\nimport type { Session, User } from \"../types\";\nimport { getDate } from \"../utils/date\";\nimport { isPromise } from \"../utils/is-promise\";\nimport { sec } from \"../utils/time\";\nimport { SECURE_COOKIE_PREFIX } from \"./cookie-utils\";\nimport {\n\tcreateAccountStore,\n\tcreateSessionStore,\n\tgetAccountCookie,\n\tsetAccountCookie,\n} from \"./session-store\";\n\nexport function createCookieGetter(options: BetterAuthOptions) {\n\tconst secure =\n\t\toptions.advanced?.useSecureCookies !== undefined\n\t\t\t? options.advanced?.useSecureCookies\n\t\t\t: options.baseURL\n\t\t\t\t? options.baseURL.startsWith(\"https://\")\n\t\t\t\t\t? true\n\t\t\t\t\t: false\n\t\t\t\t: isProduction;\n\tconst secureCookiePrefix = secure ? SECURE_COOKIE_PREFIX : \"\";\n\tconst crossSubdomainEnabled =\n\t\t!!options.advanced?.crossSubDomainCookies?.enabled;\n\tconst domain = crossSubdomainEnabled\n\t\t? options.advanced?.crossSubDomainCookies?.domain ||\n\t\t\t(options.baseURL ? new URL(options.baseURL).hostname : undefined)\n\t\t: undefined;\n\tif (crossSubdomainEnabled && !domain) {\n\t\tthrow new BetterAuthError(\n\t\t\t\"baseURL is required when crossSubdomainCookies are enabled\",\n\t\t);\n\t}\n\tfunction createCookie(\n\t\tcookieName: string,\n\t\toverrideAttributes: Partial<CookieOptions> = {},\n\t) {\n\t\tconst prefix = options.advanced?.cookiePrefix || \"better-auth\";\n\t\tconst name =\n\t\t\toptions.advanced?.cookies?.[cookieName]?.name ||\n\t\t\t`${prefix}.${cookieName}`;\n\t\tconst attributes =\n\t\t\toptions.advanced?.cookies?.[cookieName]?.attributes ?? {};\n\n\t\treturn {\n\t\t\tname: `${secureCookiePrefix}${name}`,\n\t\t\tattributes: {\n\t\t\t\tsecure: !!secureCookiePrefix,\n\t\t\t\tsameSite: \"lax\",\n\t\t\t\tpath: \"/\",\n\t\t\t\thttpOnly: true,\n\t\t\t\t...(crossSubdomainEnabled ? { domain } : {}),\n\t\t\t\t...options.advanced?.defaultCookieAttributes,\n\t\t\t\t...overrideAttributes,\n\t\t\t\t...attributes,\n\t\t\t},\n\t\t} satisfies BetterAuthCookie;\n\t}\n\treturn createCookie;\n}\n\nexport function getCookies(options: BetterAuthOptions) {\n\tconst createCookie = createCookieGetter(options);\n\tconst sessionMaxAge = options.session?.expiresIn || sec(\"7d\");\n\tconst sessionToken = createCookie(\"session_token\", {\n\t\tmaxAge: sessionMaxAge,\n\t});\n\tconst sessionData = createCookie(\"session_data\", {\n\t\tmaxAge: options.session?.cookieCache?.maxAge || 60 * 5,\n\t});\n\tconst accountData = createCookie(\"account_data\", {\n\t\tmaxAge: options.session?.cookieCache?.maxAge || 60 * 5,\n\t});\n\tconst dontRememberToken = createCookie(\"dont_remember\");\n\treturn {\n\t\tsessionToken: {\n\t\t\tname: sessionToken.name,\n\t\t\tattributes: sessionToken.attributes,\n\t\t},\n\t\t/**\n\t\t * This cookie is used to store the session data in the cookie\n\t\t * This is useful for when you want to cache the session in the cookie\n\t\t */\n\t\tsessionData: {\n\t\t\tname: sessionData.name,\n\t\t\tattributes: sessionData.attributes,\n\t\t},\n\t\tdontRememberToken: {\n\t\t\tname: dontRememberToken.name,\n\t\t\tattributes: dontRememberToken.attributes,\n\t\t},\n\t\taccountData: {\n\t\t\tname: accountData.name,\n\t\t\tattributes: accountData.attributes,\n\t\t},\n\t};\n}\n\nexport async function setCookieCache(\n\tctx: GenericEndpointContext,\n\tsession: {\n\t\tsession: Session & Record<string, any>;\n\t\tuser: User;\n\t},\n\tdontRememberMe: boolean,\n) {\n\tif (!ctx.context.options.session?.cookieCache?.enabled) {\n\t\treturn;\n\t}\n\n\tconst filteredSession = filterOutputFields(\n\t\tsession.session,\n\t\tctx.context.options.session?.additionalFields,\n\t);\n\n\tconst filteredUser = parseUserOutput(ctx.context.options, session.user);\n\n\tconst versionConfig = ctx.context.options.session?.cookieCache?.version;\n\tlet version = \"1\";\n\tif (versionConfig) {\n\t\tif (typeof versionConfig === \"string\") {\n\t\t\tversion = versionConfig;\n\t\t} else if (typeof versionConfig === \"function\") {\n\t\t\tconst result = versionConfig(session.session, session.user);\n\t\t\tversion = isPromise(result) ? await result : result;\n\t\t}\n\t}\n\n\tconst sessionData = {\n\t\tsession: filteredSession,\n\t\tuser: filteredUser,\n\t\tupdatedAt: Date.now(),\n\t\tversion,\n\t};\n\n\tconst options = {\n\t\t...ctx.context.authCookies.sessionData.attributes,\n\t\tmaxAge: dontRememberMe\n\t\t\t? undefined\n\t\t\t: ctx.context.authCookies.sessionData.attributes.maxAge,\n\t};\n\n\tconst expiresAtDate = getDate(options.maxAge || 60, \"sec\").getTime();\n\tconst strategy =\n\t\tctx.context.options.session?.cookieCache?.strategy || \"compact\";\n\n\tlet data: string;\n\n\tif (strategy === \"jwe\") {\n\t\t// Use JWE strategy (JSON Web Encryption) with A256CBC-HS512 + HKDF\n\t\tdata = await symmetricEncodeJWT(\n\t\t\tsessionData,\n\t\t\tctx.context.secret,\n\t\t\t\"better-auth-session\",\n\t\t\toptions.maxAge || 60 * 5,\n\t\t);\n\t} else if (strategy === \"jwt\") {\n\t\t// Use JWT strategy with HMAC-SHA256 signature (HS256), no encryption\n\t\tdata = await signJWT(\n\t\t\tsessionData,\n\t\t\tctx.context.secret,\n\t\t\toptions.maxAge || 60 * 5,\n\t\t);\n\t} else {\n\t\t// Use compact strategy (base64url + HMAC, no JWT spec overhead)\n\t\t// Also handles legacy \"base64-hmac\" for backward compatibility\n\t\tdata = base64Url.encode(\n\t\t\tJSON.stringify({\n\t\t\t\tsession: sessionData,\n\t\t\t\texpiresAt: expiresAtDate,\n\t\t\t\tsignature: await createHMAC(\"SHA-256\", \"base64urlnopad\").sign(\n\t\t\t\t\tctx.context.secret,\n\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t...sessionData,\n\t\t\t\t\t\texpiresAt: expiresAtDate,\n\t\t\t\t\t}),\n\t\t\t\t),\n\t\t\t}),\n\t\t\t{\n\t\t\t\tpadding: false,\n\t\t\t},\n\t\t);\n\t}\n\n\t// Check if we need to chunk the cookie (only if it exceeds 4093 bytes)\n\tif (data.length > 4093) {\n\t\tconst sessionStore = createSessionStore(\n\t\t\tctx.context.authCookies.sessionData.name,\n\t\t\toptions,\n\t\t\tctx,\n\t\t);\n\t\tconst cookies = sessionStore.chunk(data, options);\n\t\tsessionStore.setCookies(cookies);\n\t} else {\n\t\tconst sessionStore = createSessionStore(\n\t\t\tctx.context.authCookies.sessionData.name,\n\t\t\toptions,\n\t\t\tctx,\n\t\t);\n\t\tif (sessionStore.hasChunks()) {\n\t\t\tconst cleanCookies = sessionStore.clean();\n\t\t\tsessionStore.setCookies(cleanCookies);\n\t\t}\n\t\tctx.setCookie(ctx.context.authCookies.sessionData.name, data, options);\n\t}\n\n\t// Refresh account cookie to keep it in sync\n\tif (ctx.context.options.account?.storeAccountCookie) {\n\t\tconst accountData = await getAccountCookie(ctx);\n\t\tif (accountData) {\n\t\t\tawait setAccountCookie(ctx, accountData);\n\t\t}\n\t}\n}\n\nexport async function setSessionCookie(\n\tctx: GenericEndpointContext,\n\tsession: {\n\t\tsession: Session & Record<string, any>;\n\t\tuser: User;\n\t},\n\tdontRememberMe?: boolean | undefined,\n\toverrides?: Partial<CookieOptions> | undefined,\n) {\n\tconst dontRememberMeCookie = await ctx.getSignedCookie(\n\t\tctx.context.authCookies.dontRememberToken.name,\n\t\tctx.context.secret,\n\t);\n\t// if dontRememberMe is not set, use the cookie value\n\tdontRememberMe =\n\t\tdontRememberMe !== undefined ? dontRememberMe : !!dontRememberMeCookie;\n\n\tconst options = ctx.context.authCookies.sessionToken.attributes;\n\tconst maxAge = dontRememberMe\n\t\t? undefined\n\t\t: ctx.context.sessionConfig.expiresIn;\n\tawait ctx.setSignedCookie(\n\t\tctx.context.authCookies.sessionToken.name,\n\t\tsession.session.token,\n\t\tctx.context.secret,\n\t\t{\n\t\t\t...options,\n\t\t\tmaxAge,\n\t\t\t...overrides,\n\t\t},\n\t);\n\n\tif (dontRememberMe) {\n\t\tawait ctx.setSignedCookie(\n\t\t\tctx.context.authCookies.dontRememberToken.name,\n\t\t\t\"true\",\n\t\t\tctx.context.secret,\n\t\t\tctx.context.authCookies.dontRememberToken.attributes,\n\t\t);\n\t}\n\tawait setCookieCache(ctx, session, dontRememberMe);\n\tctx.context.setNewSession(session);\n}\n\n/**\n * Expires a cookie by setting `maxAge: 0` while preserving its attributes\n */\nexport function expireCookie(\n\tctx: GenericEndpointContext,\n\tcookie: BetterAuthCookie,\n) {\n\tctx.setCookie(cookie.name, \"\", {\n\t\t...cookie.attributes,\n\t\tmaxAge: 0,\n\t});\n}\n\nexport function deleteSessionCookie(\n\tctx: GenericEndpointContext,\n\tskipDontRememberMe?: boolean | undefined,\n) {\n\texpireCookie(ctx, ctx.context.authCookies.sessionToken);\n\texpireCookie(ctx, ctx.context.authCookies.sessionData);\n\n\tif (ctx.context.options.account?.storeAccountCookie) {\n\t\texpireCookie(ctx, ctx.context.authCookies.accountData);\n\n\t\t//clean up the account data chunks\n\t\tconst accountStore = createAccountStore(\n\t\t\tctx.context.authCookies.accountData.name,\n\t\t\tctx.context.authCookies.accountData.attributes,\n\t\t\tctx,\n\t\t);\n\t\tconst cleanCookies = accountStore.clean();\n\t\taccountStore.setCookies(cleanCookies);\n\t}\n\n\tif (ctx.context.oauthConfig.storeStateStrategy === \"cookie\") {\n\t\texpireCookie(ctx, ctx.context.createAuthCookie(\"oauth_state\"));\n\t}\n\n\t// Use createSessionStore to clean up all session data chunks\n\tconst sessionStore = createSessionStore(\n\t\tctx.context.authCookies.sessionData.name,\n\t\tctx.context.authCookies.sessionData.attributes,\n\t\tctx,\n\t);\n\tconst cleanCookies = sessionStore.clean();\n\tsessionStore.setCookies(cleanCookies);\n\n\tif (!skipDontRememberMe) {\n\t\texpireCookie(ctx, ctx.context.authCookies.dontRememberToken);\n\t}\n}\n\nexport function parseCookies(cookieHeader: string) {\n\tconst cookies = cookieHeader.split(\"; \");\n\tconst cookieMap = new Map<string, string>();\n\n\tcookies.forEach((cookie) => {\n\t\tconst [name, value] = cookie.split(/=(.*)/s);\n\t\tcookieMap.set(name!, value!);\n\t});\n\treturn cookieMap;\n}\n\nexport type EligibleCookies = (string & {}) | (keyof BetterAuthCookies & {});\n\nexport const getSessionCookie = (\n\trequest: Request | Headers,\n\tconfig?:\n\t\t| {\n\t\t\t\tcookiePrefix?: string;\n\t\t\t\tcookieName?: string;\n\t\t\t\tpath?: string;\n\t\t  }\n\t\t| undefined,\n) => {\n\tif (config?.cookiePrefix) {\n\t\tif (config.cookieName) {\n\t\t\tconfig.cookiePrefix = `${config.cookiePrefix}-`;\n\t\t} else {\n\t\t\tconfig.cookiePrefix = `${config.cookiePrefix}.`;\n\t\t}\n\t}\n\tconst headers = \"headers\" in request ? request.headers : request;\n\tconst cookies = headers.get(\"cookie\");\n\tif (!cookies) {\n\t\treturn null;\n\t}\n\tconst { cookieName = \"session_token\", cookiePrefix = \"better-auth.\" } =\n\t\tconfig || {};\n\tconst name = `${cookiePrefix}${cookieName}`;\n\tconst secureCookieName = `${SECURE_COOKIE_PREFIX}${name}`;\n\tconst parsedCookie = parseCookies(cookies);\n\tconst sessionToken =\n\t\tparsedCookie.get(name) || parsedCookie.get(secureCookieName);\n\tif (sessionToken) {\n\t\treturn sessionToken;\n\t}\n\n\treturn null;\n};\n\nexport const getCookieCache = async <\n\tS extends {\n\t\tsession: Session & Record<string, any>;\n\t\tuser: User & Record<string, any>;\n\t\tupdatedAt: number;\n\t\tversion?: string;\n\t},\n>(\n\trequest: Request | Headers,\n\tconfig?:\n\t\t| {\n\t\t\t\tcookiePrefix?: string;\n\t\t\t\tcookieName?: string;\n\t\t\t\tisSecure?: boolean;\n\t\t\t\tsecret?: string;\n\t\t\t\tstrategy?: \"compact\" | \"jwt\" | \"jwe\"; // base64-hmac for backward compatibility\n\t\t\t\tversion?:\n\t\t\t\t\t| string\n\t\t\t\t\t| ((\n\t\t\t\t\t\t\tsession: Session & Record<string, any>,\n\t\t\t\t\t\t\tuser: User & Record<string, any>,\n\t\t\t\t\t  ) => string)\n\t\t\t\t\t| ((\n\t\t\t\t\t\t\tsession: Session & Record<string, any>,\n\t\t\t\t\t\t\tuser: User & Record<string, any>,\n\t\t\t\t\t  ) => Promise<string>);\n\t\t  }\n\t\t| undefined,\n) => {\n\tconst headers = request instanceof Headers ? request : request.headers;\n\tconst cookies = headers.get(\"cookie\");\n\tif (!cookies) {\n\t\treturn null;\n\t}\n\tconst { cookieName = \"session_data\", cookiePrefix = \"better-auth\" } =\n\t\tconfig || {};\n\tconst name =\n\t\tconfig?.isSecure !== undefined\n\t\t\t? config.isSecure\n\t\t\t\t? `${SECURE_COOKIE_PREFIX}${cookiePrefix}.${cookieName}`\n\t\t\t\t: `${cookiePrefix}.${cookieName}`\n\t\t\t: isProduction\n\t\t\t\t? `${SECURE_COOKIE_PREFIX}${cookiePrefix}.${cookieName}`\n\t\t\t\t: `${cookiePrefix}.${cookieName}`;\n\tconst parsedCookie = parseCookies(cookies);\n\n\t// Check for chunked cookies\n\tlet sessionData = parsedCookie.get(name);\n\tif (!sessionData) {\n\t\t// Try to reconstruct from chunks\n\t\tconst chunks: Array<{ index: number; value: string }> = [];\n\t\tfor (const [cookieName, value] of parsedCookie.entries()) {\n\t\t\tif (cookieName.startsWith(name + \".\")) {\n\t\t\t\tconst parts = cookieName.split(\".\");\n\t\t\t\tconst indexStr = parts[parts.length - 1];\n\t\t\t\tconst index = parseInt(indexStr || \"0\", 10);\n\t\t\t\tif (!isNaN(index)) {\n\t\t\t\t\tchunks.push({ index, value });\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (chunks.length > 0) {\n\t\t\t// Sort by index and join\n\t\t\tchunks.sort((a, b) => a.index - b.index);\n\t\t\tsessionData = chunks.map((c) => c.value).join(\"\");\n\t\t}\n\t}\n\n\tif (sessionData) {\n\t\tconst secret = config?.secret || env.BETTER_AUTH_SECRET;\n\t\tif (!secret) {\n\t\t\tthrow new BetterAuthError(\n\t\t\t\t\"getCookieCache requires a secret to be provided. Either pass it as an option or set the BETTER_AUTH_SECRET environment variable\",\n\t\t\t);\n\t\t}\n\n\t\tconst strategy = config?.strategy || \"compact\";\n\n\t\tif (strategy === \"jwe\") {\n\t\t\t// Use JWE strategy (encrypted)\n\t\t\tconst payload = await symmetricDecodeJWT<S>(\n\t\t\t\tsessionData,\n\t\t\t\tsecret,\n\t\t\t\t\"better-auth-session\",\n\t\t\t);\n\n\t\t\tif (payload && payload.session && payload.user) {\n\t\t\t\t// Validate version if provided\n\t\t\t\tif (config?.version) {\n\t\t\t\t\tconst cookieVersion = payload.version || \"1\";\n\t\t\t\t\tlet expectedVersion = \"1\";\n\t\t\t\t\tif (typeof config.version === \"string\") {\n\t\t\t\t\t\texpectedVersion = config.version;\n\t\t\t\t\t} else if (typeof config.version === \"function\") {\n\t\t\t\t\t\tconst result = config.version(payload.session, payload.user);\n\t\t\t\t\t\texpectedVersion = isPromise(result) ? await result : result;\n\t\t\t\t\t}\n\t\t\t\t\tif (cookieVersion !== expectedVersion) {\n\t\t\t\t\t\treturn null;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn payload;\n\t\t\t}\n\t\t\treturn null;\n\t\t} else if (strategy === \"jwt\") {\n\t\t\t// Use JWT strategy with HMAC signature (HS256), no encryption\n\t\t\tconst payload = await verifyJWT<S>(sessionData, secret);\n\n\t\t\tif (payload && payload.session && payload.user) {\n\t\t\t\t// Validate version if provided\n\t\t\t\tif (config?.version) {\n\t\t\t\t\tconst cookieVersion = payload.version || \"1\";\n\t\t\t\t\tlet expectedVersion = \"1\";\n\t\t\t\t\tif (typeof config.version === \"string\") {\n\t\t\t\t\t\texpectedVersion = config.version;\n\t\t\t\t\t} else if (typeof config.version === \"function\") {\n\t\t\t\t\t\tconst result = config.version(payload.session, payload.user);\n\t\t\t\t\t\texpectedVersion = isPromise(result) ? await result : result;\n\t\t\t\t\t}\n\t\t\t\t\tif (cookieVersion !== expectedVersion) {\n\t\t\t\t\t\treturn null;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn payload;\n\t\t\t}\n\t\t\treturn null;\n\t\t} else {\n\t\t\t// Use compact strategy (or legacy base64-hmac)\n\t\t\tconst sessionDataPayload = safeJSONParse<{\n\t\t\t\tsession: S;\n\t\t\t\texpiresAt: number;\n\t\t\t\tsignature: string;\n\t\t\t}>(binary.decode(base64Url.decode(sessionData)));\n\t\t\tif (!sessionDataPayload) {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\tconst isValid = await createHMAC(\"SHA-256\", \"base64urlnopad\").verify(\n\t\t\t\tsecret,\n\t\t\t\tJSON.stringify({\n\t\t\t\t\t...sessionDataPayload.session,\n\t\t\t\t\texpiresAt: sessionDataPayload.expiresAt,\n\t\t\t\t}),\n\t\t\t\tsessionDataPayload.signature,\n\t\t\t);\n\t\t\tif (!isValid) {\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\t// Validate version if provided\n\t\t\tif (config?.version && sessionDataPayload.session) {\n\t\t\t\tconst cookieVersion = sessionDataPayload.session.version || \"1\";\n\t\t\t\tlet expectedVersion = \"1\";\n\t\t\t\tif (typeof config.version === \"string\") {\n\t\t\t\t\texpectedVersion = config.version;\n\t\t\t\t} else if (typeof config.version === \"function\") {\n\t\t\t\t\tconst result = config.version(\n\t\t\t\t\t\tsessionDataPayload.session.session,\n\t\t\t\t\t\tsessionDataPayload.session.user,\n\t\t\t\t\t);\n\t\t\t\t\texpectedVersion = isPromise(result) ? await result : result;\n\t\t\t\t}\n\t\t\t\tif (cookieVersion !== expectedVersion) {\n\t\t\t\t\treturn null;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn sessionDataPayload.session;\n\t\t}\n\t}\n\treturn null;\n};\n\nexport * from \"./cookie-utils\";\nexport { createSessionStore, getChunkedCookie } from \"./session-store\";\n"],"mappings":";;;;;;;;;;;;;;;;AAiCA,SAAgB,mBAAmB,SAA4B;CAS9D,MAAM,sBAPL,QAAQ,UAAU,qBAAqB,SACpC,QAAQ,UAAU,mBAClB,QAAQ,UACP,QAAQ,QAAQ,WAAW,WAAW,GACrC,OACA,QACD,gBAC+B,uBAAuB;CAC3D,MAAM,wBACL,CAAC,CAAC,QAAQ,UAAU,uBAAuB;CAC5C,MAAM,SAAS,wBACZ,QAAQ,UAAU,uBAAuB,WACzC,QAAQ,UAAU,IAAI,IAAI,QAAQ,QAAQ,CAAC,WAAW,UACtD;AACH,KAAI,yBAAyB,CAAC,OAC7B,OAAM,IAAI,gBACT,6DACA;CAEF,SAAS,aACR,YACA,qBAA6C,EAAE,EAC9C;EACD,MAAM,SAAS,QAAQ,UAAU,gBAAgB;EACjD,MAAM,OACL,QAAQ,UAAU,UAAU,aAAa,QACzC,GAAG,OAAO,GAAG;EACd,MAAM,aACL,QAAQ,UAAU,UAAU,aAAa,cAAc,EAAE;AAE1D,SAAO;GACN,MAAM,GAAG,qBAAqB;GAC9B,YAAY;IACX,QAAQ,CAAC,CAAC;IACV,UAAU;IACV,MAAM;IACN,UAAU;IACV,GAAI,wBAAwB,EAAE,QAAQ,GAAG,EAAE;IAC3C,GAAG,QAAQ,UAAU;IACrB,GAAG;IACH,GAAG;IACH;GACD;;AAEF,QAAO;;AAGR,SAAgB,WAAW,SAA4B;CACtD,MAAM,eAAe,mBAAmB,QAAQ;CAEhD,MAAM,eAAe,aAAa,iBAAiB,EAClD,QAFqB,QAAQ,SAAS,aAAa,IAAI,KAAK,EAG5D,CAAC;CACF,MAAM,cAAc,aAAa,gBAAgB,EAChD,QAAQ,QAAQ,SAAS,aAAa,UAAU,KAChD,CAAC;CACF,MAAM,cAAc,aAAa,gBAAgB,EAChD,QAAQ,QAAQ,SAAS,aAAa,UAAU,KAChD,CAAC;CACF,MAAM,oBAAoB,aAAa,gBAAgB;AACvD,QAAO;EACN,cAAc;GACb,MAAM,aAAa;GACnB,YAAY,aAAa;GACzB;EAKD,aAAa;GACZ,MAAM,YAAY;GAClB,YAAY,YAAY;GACxB;EACD,mBAAmB;GAClB,MAAM,kBAAkB;GACxB,YAAY,kBAAkB;GAC9B;EACD,aAAa;GACZ,MAAM,YAAY;GAClB,YAAY,YAAY;GACxB;EACD;;AAGF,eAAsB,eACrB,KACA,SAIA,gBACC;AACD,KAAI,CAAC,IAAI,QAAQ,QAAQ,SAAS,aAAa,QAC9C;CAGD,MAAM,kBAAkB,mBACvB,QAAQ,SACR,IAAI,QAAQ,QAAQ,SAAS,iBAC7B;CAED,MAAM,eAAe,gBAAgB,IAAI,QAAQ,SAAS,QAAQ,KAAK;CAEvE,MAAM,gBAAgB,IAAI,QAAQ,QAAQ,SAAS,aAAa;CAChE,IAAI,UAAU;AACd,KAAI,eACH;MAAI,OAAO,kBAAkB,SAC5B,WAAU;WACA,OAAO,kBAAkB,YAAY;GAC/C,MAAM,SAAS,cAAc,QAAQ,SAAS,QAAQ,KAAK;AAC3D,aAAU,UAAU,OAAO,GAAG,MAAM,SAAS;;;CAI/C,MAAM,cAAc;EACnB,SAAS;EACT,MAAM;EACN,WAAW,KAAK,KAAK;EACrB;EACA;CAED,MAAM,UAAU;EACf,GAAG,IAAI,QAAQ,YAAY,YAAY;EACvC,QAAQ,iBACL,SACA,IAAI,QAAQ,YAAY,YAAY,WAAW;EAClD;CAED,MAAM,gBAAgB,QAAQ,QAAQ,UAAU,IAAI,MAAM,CAAC,SAAS;CACpE,MAAM,WACL,IAAI,QAAQ,QAAQ,SAAS,aAAa,YAAY;CAEvD,IAAI;AAEJ,KAAI,aAAa,MAEhB,QAAO,MAAM,mBACZ,aACA,IAAI,QAAQ,QACZ,uBACA,QAAQ,UAAU,IAClB;UACS,aAAa,MAEvB,QAAO,MAAM,QACZ,aACA,IAAI,QAAQ,QACZ,QAAQ,UAAU,IAClB;KAID,QAAO,UAAU,OAChB,KAAK,UAAU;EACd,SAAS;EACT,WAAW;EACX,WAAW,MAAM,WAAW,WAAW,iBAAiB,CAAC,KACxD,IAAI,QAAQ,QACZ,KAAK,UAAU;GACd,GAAG;GACH,WAAW;GACX,CAAC,CACF;EACD,CAAC,EACF,EACC,SAAS,OACT,CACD;AAIF,KAAI,KAAK,SAAS,MAAM;EACvB,MAAM,eAAe,mBACpB,IAAI,QAAQ,YAAY,YAAY,MACpC,SACA,IACA;EACD,MAAM,UAAU,aAAa,MAAM,MAAM,QAAQ;AACjD,eAAa,WAAW,QAAQ;QAC1B;EACN,MAAM,eAAe,mBACpB,IAAI,QAAQ,YAAY,YAAY,MACpC,SACA,IACA;AACD,MAAI,aAAa,WAAW,EAAE;GAC7B,MAAM,eAAe,aAAa,OAAO;AACzC,gBAAa,WAAW,aAAa;;AAEtC,MAAI,UAAU,IAAI,QAAQ,YAAY,YAAY,MAAM,MAAM,QAAQ;;AAIvE,KAAI,IAAI,QAAQ,QAAQ,SAAS,oBAAoB;EACpD,MAAM,cAAc,MAAM,iBAAiB,IAAI;AAC/C,MAAI,YACH,OAAM,iBAAiB,KAAK,YAAY;;;AAK3C,eAAsB,iBACrB,KACA,SAIA,gBACA,WACC;CACD,MAAM,uBAAuB,MAAM,IAAI,gBACtC,IAAI,QAAQ,YAAY,kBAAkB,MAC1C,IAAI,QAAQ,OACZ;AAED,kBACC,mBAAmB,SAAY,iBAAiB,CAAC,CAAC;CAEnD,MAAM,UAAU,IAAI,QAAQ,YAAY,aAAa;CACrD,MAAM,SAAS,iBACZ,SACA,IAAI,QAAQ,cAAc;AAC7B,OAAM,IAAI,gBACT,IAAI,QAAQ,YAAY,aAAa,MACrC,QAAQ,QAAQ,OAChB,IAAI,QAAQ,QACZ;EACC,GAAG;EACH;EACA,GAAG;EACH,CACD;AAED,KAAI,eACH,OAAM,IAAI,gBACT,IAAI,QAAQ,YAAY,kBAAkB,MAC1C,QACA,IAAI,QAAQ,QACZ,IAAI,QAAQ,YAAY,kBAAkB,WAC1C;AAEF,OAAM,eAAe,KAAK,SAAS,eAAe;AAClD,KAAI,QAAQ,cAAc,QAAQ;;;;;AAMnC,SAAgB,aACf,KACA,QACC;AACD,KAAI,UAAU,OAAO,MAAM,IAAI;EAC9B,GAAG,OAAO;EACV,QAAQ;EACR,CAAC;;AAGH,SAAgB,oBACf,KACA,oBACC;AACD,cAAa,KAAK,IAAI,QAAQ,YAAY,aAAa;AACvD,cAAa,KAAK,IAAI,QAAQ,YAAY,YAAY;AAEtD,KAAI,IAAI,QAAQ,QAAQ,SAAS,oBAAoB;AACpD,eAAa,KAAK,IAAI,QAAQ,YAAY,YAAY;EAGtD,MAAM,eAAe,mBACpB,IAAI,QAAQ,YAAY,YAAY,MACpC,IAAI,QAAQ,YAAY,YAAY,YACpC,IACA;EACD,MAAM,eAAe,aAAa,OAAO;AACzC,eAAa,WAAW,aAAa;;AAGtC,KAAI,IAAI,QAAQ,YAAY,uBAAuB,SAClD,cAAa,KAAK,IAAI,QAAQ,iBAAiB,cAAc,CAAC;CAI/D,MAAM,eAAe,mBACpB,IAAI,QAAQ,YAAY,YAAY,MACpC,IAAI,QAAQ,YAAY,YAAY,YACpC,IACA;CACD,MAAM,eAAe,aAAa,OAAO;AACzC,cAAa,WAAW,aAAa;AAErC,KAAI,CAAC,mBACJ,cAAa,KAAK,IAAI,QAAQ,YAAY,kBAAkB;;AAI9D,SAAgB,aAAa,cAAsB;CAClD,MAAM,UAAU,aAAa,MAAM,KAAK;CACxC,MAAM,4BAAY,IAAI,KAAqB;AAE3C,SAAQ,SAAS,WAAW;EAC3B,MAAM,CAAC,MAAM,SAAS,OAAO,MAAM,SAAS;AAC5C,YAAU,IAAI,MAAO,MAAO;GAC3B;AACF,QAAO;;AAKR,MAAa,oBACZ,SACA,WAOI;AACJ,KAAI,QAAQ,aACX,KAAI,OAAO,WACV,QAAO,eAAe,GAAG,OAAO,aAAa;KAE7C,QAAO,eAAe,GAAG,OAAO,aAAa;CAI/C,MAAM,WADU,aAAa,UAAU,QAAQ,UAAU,SACjC,IAAI,SAAS;AACrC,KAAI,CAAC,QACJ,QAAO;CAER,MAAM,EAAE,aAAa,iBAAiB,eAAe,mBACpD,UAAU,EAAE;CACb,MAAM,OAAO,GAAG,eAAe;CAC/B,MAAM,mBAAmB,GAAG,uBAAuB;CACnD,MAAM,eAAe,aAAa,QAAQ;CAC1C,MAAM,eACL,aAAa,IAAI,KAAK,IAAI,aAAa,IAAI,iBAAiB;AAC7D,KAAI,aACH,QAAO;AAGR,QAAO;;AAGR,MAAa,iBAAiB,OAQ7B,SACA,WAmBI;CAEJ,MAAM,WADU,mBAAmB,UAAU,UAAU,QAAQ,SACvC,IAAI,SAAS;AACrC,KAAI,CAAC,QACJ,QAAO;CAER,MAAM,EAAE,aAAa,gBAAgB,eAAe,kBACnD,UAAU,EAAE;CACb,MAAM,OACL,QAAQ,aAAa,SAClB,OAAO,WACN,GAAG,uBAAuB,aAAa,GAAG,eAC1C,GAAG,aAAa,GAAG,eACpB,eACC,GAAG,uBAAuB,aAAa,GAAG,eAC1C,GAAG,aAAa,GAAG;CACxB,MAAM,eAAe,aAAa,QAAQ;CAG1C,IAAI,cAAc,aAAa,IAAI,KAAK;AACxC,KAAI,CAAC,aAAa;EAEjB,MAAM,SAAkD,EAAE;AAC1D,OAAK,MAAM,CAAC,YAAY,UAAU,aAAa,SAAS,CACvD,KAAI,WAAW,WAAW,OAAO,IAAI,EAAE;GACtC,MAAM,QAAQ,WAAW,MAAM,IAAI;GACnC,MAAM,WAAW,MAAM,MAAM,SAAS;GACtC,MAAM,QAAQ,SAAS,YAAY,KAAK,GAAG;AAC3C,OAAI,CAAC,MAAM,MAAM,CAChB,QAAO,KAAK;IAAE;IAAO;IAAO,CAAC;;AAKhC,MAAI,OAAO,SAAS,GAAG;AAEtB,UAAO,MAAM,GAAG,MAAM,EAAE,QAAQ,EAAE,MAAM;AACxC,iBAAc,OAAO,KAAK,MAAM,EAAE,MAAM,CAAC,KAAK,GAAG;;;AAInD,KAAI,aAAa;EAChB,MAAM,SAAS,QAAQ,UAAU,IAAI;AACrC,MAAI,CAAC,OACJ,OAAM,IAAI,gBACT,kIACA;EAGF,MAAM,WAAW,QAAQ,YAAY;AAErC,MAAI,aAAa,OAAO;GAEvB,MAAM,UAAU,MAAM,mBACrB,aACA,QACA,sBACA;AAED,OAAI,WAAW,QAAQ,WAAW,QAAQ,MAAM;AAE/C,QAAI,QAAQ,SAAS;KACpB,MAAM,gBAAgB,QAAQ,WAAW;KACzC,IAAI,kBAAkB;AACtB,SAAI,OAAO,OAAO,YAAY,SAC7B,mBAAkB,OAAO;cACf,OAAO,OAAO,YAAY,YAAY;MAChD,MAAM,SAAS,OAAO,QAAQ,QAAQ,SAAS,QAAQ,KAAK;AAC5D,wBAAkB,UAAU,OAAO,GAAG,MAAM,SAAS;;AAEtD,SAAI,kBAAkB,gBACrB,QAAO;;AAGT,WAAO;;AAER,UAAO;aACG,aAAa,OAAO;GAE9B,MAAM,UAAU,MAAM,UAAa,aAAa,OAAO;AAEvD,OAAI,WAAW,QAAQ,WAAW,QAAQ,MAAM;AAE/C,QAAI,QAAQ,SAAS;KACpB,MAAM,gBAAgB,QAAQ,WAAW;KACzC,IAAI,kBAAkB;AACtB,SAAI,OAAO,OAAO,YAAY,SAC7B,mBAAkB,OAAO;cACf,OAAO,OAAO,YAAY,YAAY;MAChD,MAAM,SAAS,OAAO,QAAQ,QAAQ,SAAS,QAAQ,KAAK;AAC5D,wBAAkB,UAAU,OAAO,GAAG,MAAM,SAAS;;AAEtD,SAAI,kBAAkB,gBACrB,QAAO;;AAGT,WAAO;;AAER,UAAO;SACD;GAEN,MAAM,qBAAqB,cAIxB,OAAO,OAAO,UAAU,OAAO,YAAY,CAAC,CAAC;AAChD,OAAI,CAAC,mBACJ,QAAO;AAUR,OAAI,CARY,MAAM,WAAW,WAAW,iBAAiB,CAAC,OAC7D,QACA,KAAK,UAAU;IACd,GAAG,mBAAmB;IACtB,WAAW,mBAAmB;IAC9B,CAAC,EACF,mBAAmB,UACnB,CAEA,QAAO;AAIR,OAAI,QAAQ,WAAW,mBAAmB,SAAS;IAClD,MAAM,gBAAgB,mBAAmB,QAAQ,WAAW;IAC5D,IAAI,kBAAkB;AACtB,QAAI,OAAO,OAAO,YAAY,SAC7B,mBAAkB,OAAO;aACf,OAAO,OAAO,YAAY,YAAY;KAChD,MAAM,SAAS,OAAO,QACrB,mBAAmB,QAAQ,SAC3B,mBAAmB,QAAQ,KAC3B;AACD,uBAAkB,UAAU,OAAO,GAAG,MAAM,SAAS;;AAEtD,QAAI,kBAAkB,gBACrB,QAAO;;AAIT,UAAO,mBAAmB;;;AAG5B,QAAO"}

package/dist/cookies/session-store.d.mts

@@ -0,0 +1,36 @@
+import { GenericEndpointContext } from "@better-auth/core";
+import { CookieOptions } from "better-call";
+import "zod";
+
+//#region src/cookies/session-store.d.ts
+interface Cookie {
+  name: string;
+  value: string;
+  attributes: CookieOptions;
+}
+declare const createSessionStore: (cookieName: string, cookieOptions: CookieOptions, ctx: GenericEndpointContext) => {
+  /**
+   * Get the full session data by joining all chunks
+   */
+  getValue(): string;
+  /**
+   * Check if there are existing chunks
+   */
+  hasChunks(): boolean;
+  /**
+   * Chunk a cookie value and return all cookies to set (including cleanup cookies)
+   */
+  chunk(value: string, options?: Partial<CookieOptions>): Cookie[];
+  /**
+   * Get cookies to clean up all chunks
+   */
+  clean(): Cookie[];
+  /**
+   * Set all cookies in the context
+   */
+  setCookies(cookies: Cookie[]): void;
+};
+declare function getChunkedCookie(ctx: GenericEndpointContext, cookieName: string): string | null;
+//#endregion
+export { createSessionStore, getChunkedCookie };
+//# sourceMappingURL=session-store.d.mts.map

package/dist/cookies/session-store.mjs

@@ -0,0 +1,200 @@
+import { symmetricDecodeJWT, symmetricEncodeJWT } from "../crypto/jwt.mjs";
+import "../crypto/index.mjs";
+import { safeJSONParse } from "@better-auth/core/utils/json";
+import * as z from "zod";
+
+//#region src/cookies/session-store.ts
+const ALLOWED_COOKIE_SIZE = 4096;
+const ESTIMATED_EMPTY_COOKIE_SIZE = 200;
+const CHUNK_SIZE = ALLOWED_COOKIE_SIZE - ESTIMATED_EMPTY_COOKIE_SIZE;
+/**
+* Parse cookies from the request headers
+*/
+function parseCookiesFromContext(ctx) {
+	const cookieHeader = ctx.headers?.get("cookie");
+	if (!cookieHeader) return {};
+	const cookies = {};
+	const pairs = cookieHeader.split("; ");
+	for (const pair of pairs) {
+		const [name, ...valueParts] = pair.split("=");
+		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
+	}
+	return cookies;
+}
+/**
+* Extract the chunk index from a cookie name
+*/
+function getChunkIndex(cookieName) {
+	const parts = cookieName.split(".");
+	const lastPart = parts[parts.length - 1];
+	const index = parseInt(lastPart || "0", 10);
+	return isNaN(index) ? 0 : index;
+}
+/**
+* Read all existing chunks from cookies
+*/
+function readExistingChunks(cookieName, ctx) {
+	const chunks = {};
+	const cookies = parseCookiesFromContext(ctx);
+	for (const [name, value] of Object.entries(cookies)) if (name.startsWith(cookieName)) chunks[name] = value;
+	return chunks;
+}
+/**
+* Get the full session data by joining all chunks
+*/
+function joinChunks(chunks) {
+	return Object.keys(chunks).sort((a, b) => {
+		return getChunkIndex(a) - getChunkIndex(b);
+	}).map((key) => chunks[key]).join("");
+}
+/**
+* Split a cookie value into chunks if needed
+*/
+function chunkCookie(storeName, cookie, chunks, logger) {
+	const chunkCount = Math.ceil(cookie.value.length / CHUNK_SIZE);
+	if (chunkCount === 1) {
+		chunks[cookie.name] = cookie.value;
+		return [cookie];
+	}
+	const cookies = [];
+	for (let i = 0; i < chunkCount; i++) {
+		const name = `${cookie.name}.${i}`;
+		const start = i * CHUNK_SIZE;
+		const value = cookie.value.substring(start, start + CHUNK_SIZE);
+		cookies.push({
+			...cookie,
+			name,
+			value
+		});
+		chunks[name] = value;
+	}
+	logger.debug(`CHUNKING_${storeName.toUpperCase()}_COOKIE`, {
+		message: `${storeName} cookie exceeds allowed ${ALLOWED_COOKIE_SIZE} bytes.`,
+		emptyCookieSize: ESTIMATED_EMPTY_COOKIE_SIZE,
+		valueSize: cookie.value.length,
+		chunkCount,
+		chunks: cookies.map((c) => c.value.length + ESTIMATED_EMPTY_COOKIE_SIZE)
+	});
+	return cookies;
+}
+/**
+* Get all cookies that should be cleaned (removed)
+*/
+function getCleanCookies(chunks, cookieOptions) {
+	const cleanedChunks = {};
+	for (const name in chunks) cleanedChunks[name] = {
+		name,
+		value: "",
+		attributes: {
+			...cookieOptions,
+			maxAge: 0
+		}
+	};
+	return cleanedChunks;
+}
+/**
+* Create a session store for handling cookie chunking.
+* When session data exceeds 4KB, it automatically splits it into multiple cookies.
+*
+* Based on next-auth's SessionStore implementation.
+* @see https://github.com/nextauthjs/next-auth/blob/27b2519b84b8eb9cf053775dea29d577d2aa0098/packages/next-auth/src/core/lib/cookie.ts
+*/
+const storeFactory = (storeName) => (cookieName, cookieOptions, ctx) => {
+	const chunks = readExistingChunks(cookieName, ctx);
+	const logger = ctx.context.logger;
+	return {
+		getValue() {
+			return joinChunks(chunks);
+		},
+		hasChunks() {
+			return Object.keys(chunks).length > 0;
+		},
+		chunk(value, options) {
+			const cleanedChunks = getCleanCookies(chunks, cookieOptions);
+			for (const name in chunks) delete chunks[name];
+			const cookies = cleanedChunks;
+			const chunked = chunkCookie(storeName, {
+				name: cookieName,
+				value,
+				attributes: {
+					...cookieOptions,
+					...options
+				}
+			}, chunks, logger);
+			for (const chunk of chunked) cookies[chunk.name] = chunk;
+			return Object.values(cookies);
+		},
+		clean() {
+			const cleanedChunks = getCleanCookies(chunks, cookieOptions);
+			for (const name in chunks) delete chunks[name];
+			return Object.values(cleanedChunks);
+		},
+		setCookies(cookies) {
+			for (const cookie of cookies) ctx.setCookie(cookie.name, cookie.value, cookie.attributes);
+		}
+	};
+};
+const createSessionStore = storeFactory("Session");
+const createAccountStore = storeFactory("Account");
+function getChunkedCookie(ctx, cookieName) {
+	const value = ctx.getCookie(cookieName);
+	if (value) return value;
+	const chunks = [];
+	const cookieHeader = ctx.headers?.get("cookie");
+	if (!cookieHeader) return null;
+	const cookies = {};
+	const pairs = cookieHeader.split("; ");
+	for (const pair of pairs) {
+		const [name, ...valueParts] = pair.split("=");
+		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
+	}
+	for (const [name, val] of Object.entries(cookies)) if (name.startsWith(cookieName + ".")) {
+		const indexStr = name.split(".").at(-1);
+		const index = parseInt(indexStr || "0", 10);
+		if (!isNaN(index)) chunks.push({
+			index,
+			value: val
+		});
+	}
+	if (chunks.length > 0) {
+		chunks.sort((a, b) => a.index - b.index);
+		return chunks.map((c) => c.value).join("");
+	}
+	return null;
+}
+async function setAccountCookie(c, accountData) {
+	const accountDataCookie = c.context.authCookies.accountData;
+	const options = {
+		maxAge: 300,
+		...accountDataCookie.attributes
+	};
+	const data = await symmetricEncodeJWT(accountData, c.context.secret, "better-auth-account", options.maxAge);
+	if (data.length > ALLOWED_COOKIE_SIZE) {
+		const accountStore = createAccountStore(accountDataCookie.name, options, c);
+		const cookies = accountStore.chunk(data, options);
+		accountStore.setCookies(cookies);
+	} else {
+		const accountStore = createAccountStore(accountDataCookie.name, options, c);
+		if (accountStore.hasChunks()) {
+			const cleanCookies = accountStore.clean();
+			accountStore.setCookies(cleanCookies);
+		}
+		c.setCookie(accountDataCookie.name, data, options);
+	}
+}
+async function getAccountCookie(c) {
+	const accountCookie = getChunkedCookie(c, c.context.authCookies.accountData.name);
+	if (accountCookie) {
+		const accountData = safeJSONParse(await symmetricDecodeJWT(accountCookie, c.context.secret, "better-auth-account"));
+		if (accountData) return accountData;
+	}
+	return null;
+}
+const getSessionQuerySchema = z.optional(z.object({
+	disableCookieCache: z.coerce.boolean().meta({ description: "Disable cookie cache and fetch session from database" }).optional(),
+	disableRefresh: z.coerce.boolean().meta({ description: "Disable session refresh. Useful for checking session status, without updating the session" }).optional()
+}));
+
+//#endregion
+export { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, getSessionQuerySchema, setAccountCookie };
+//# sourceMappingURL=session-store.mjs.map

package/dist/cookies/session-store.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.mjs","names":[],"sources":["../../src/cookies/session-store.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport type { Account } from \"@better-auth/core/db\";\nimport type { InternalLogger } from \"@better-auth/core/env\";\nimport { safeJSONParse } from \"@better-auth/core/utils/json\";\nimport type { CookieOptions } from \"better-call\";\nimport * as z from \"zod\";\nimport { symmetricDecodeJWT, symmetricEncodeJWT } from \"../crypto\";\n\n// Cookie size constants based on browser limits\nconst ALLOWED_COOKIE_SIZE = 4096;\n// Estimated size of an empty cookie with all attributes\n// (name, path, domain, secure, httpOnly, sameSite, expires/maxAge)\nconst ESTIMATED_EMPTY_COOKIE_SIZE = 200;\nconst CHUNK_SIZE = ALLOWED_COOKIE_SIZE - ESTIMATED_EMPTY_COOKIE_SIZE;\n\ninterface Cookie {\n\tname: string;\n\tvalue: string;\n\tattributes: CookieOptions;\n}\n\ntype Chunks = Record<string, string>;\n\n/**\n * Parse cookies from the request headers\n */\nfunction parseCookiesFromContext(\n\tctx: GenericEndpointContext,\n): Record<string, string> {\n\tconst cookieHeader = ctx.headers?.get(\"cookie\");\n\tif (!cookieHeader) {\n\t\treturn {};\n\t}\n\n\tconst cookies: Record<string, string> = {};\n\tconst pairs = cookieHeader.split(\"; \");\n\n\tfor (const pair of pairs) {\n\t\tconst [name, ...valueParts] = pair.split(\"=\");\n\t\tif (name && valueParts.length > 0) {\n\t\t\tcookies[name] = valueParts.join(\"=\");\n\t\t}\n\t}\n\n\treturn cookies;\n}\n\n/**\n * Extract the chunk index from a cookie name\n */\nfunction getChunkIndex(cookieName: string): number {\n\tconst parts = cookieName.split(\".\");\n\tconst lastPart = parts[parts.length - 1];\n\tconst index = parseInt(lastPart || \"0\", 10);\n\treturn isNaN(index) ? 0 : index;\n}\n\n/**\n * Read all existing chunks from cookies\n */\nfunction readExistingChunks(\n\tcookieName: string,\n\tctx: GenericEndpointContext,\n): Chunks {\n\tconst chunks: Chunks = {};\n\tconst cookies = parseCookiesFromContext(ctx);\n\n\tfor (const [name, value] of Object.entries(cookies)) {\n\t\tif (name.startsWith(cookieName)) {\n\t\t\tchunks[name] = value;\n\t\t}\n\t}\n\n\treturn chunks;\n}\n\n/**\n * Get the full session data by joining all chunks\n */\nfunction joinChunks(chunks: Chunks): string {\n\tconst sortedKeys = Object.keys(chunks).sort((a, b) => {\n\t\tconst aIndex = getChunkIndex(a);\n\t\tconst bIndex = getChunkIndex(b);\n\t\treturn aIndex - bIndex;\n\t});\n\n\treturn sortedKeys.map((key) => chunks[key]).join(\"\");\n}\n\n/**\n * Split a cookie value into chunks if needed\n */\nfunction chunkCookie(\n\tstoreName: string,\n\tcookie: Cookie,\n\tchunks: Chunks,\n\tlogger: InternalLogger,\n): Cookie[] {\n\tconst chunkCount = Math.ceil(cookie.value.length / CHUNK_SIZE);\n\n\tif (chunkCount === 1) {\n\t\tchunks[cookie.name] = cookie.value;\n\t\treturn [cookie];\n\t}\n\n\tconst cookies: Cookie[] = [];\n\tfor (let i = 0; i < chunkCount; i++) {\n\t\tconst name = `${cookie.name}.${i}`;\n\t\tconst start = i * CHUNK_SIZE;\n\t\tconst value = cookie.value.substring(start, start + CHUNK_SIZE);\n\t\tcookies.push({ ...cookie, name, value });\n\t\tchunks[name] = value;\n\t}\n\n\tlogger.debug(`CHUNKING_${storeName.toUpperCase()}_COOKIE`, {\n\t\tmessage: `${storeName} cookie exceeds allowed ${ALLOWED_COOKIE_SIZE} bytes.`,\n\t\temptyCookieSize: ESTIMATED_EMPTY_COOKIE_SIZE,\n\t\tvalueSize: cookie.value.length,\n\t\tchunkCount,\n\t\tchunks: cookies.map((c) => c.value.length + ESTIMATED_EMPTY_COOKIE_SIZE),\n\t});\n\n\treturn cookies;\n}\n\n/**\n * Get all cookies that should be cleaned (removed)\n */\nfunction getCleanCookies(\n\tchunks: Chunks,\n\tcookieOptions: CookieOptions,\n): Record<string, Cookie> {\n\tconst cleanedChunks: Record<string, Cookie> = {};\n\tfor (const name in chunks) {\n\t\tcleanedChunks[name] = {\n\t\t\tname,\n\t\t\tvalue: \"\",\n\t\t\tattributes: { ...cookieOptions, maxAge: 0 },\n\t\t};\n\t}\n\treturn cleanedChunks;\n}\n\n/**\n * Create a session store for handling cookie chunking.\n * When session data exceeds 4KB, it automatically splits it into multiple cookies.\n *\n * Based on next-auth's SessionStore implementation.\n * @see https://github.com/nextauthjs/next-auth/blob/27b2519b84b8eb9cf053775dea29d577d2aa0098/packages/next-auth/src/core/lib/cookie.ts\n */\nconst storeFactory =\n\t(storeName: string) =>\n\t(\n\t\tcookieName: string,\n\t\tcookieOptions: CookieOptions,\n\t\tctx: GenericEndpointContext,\n\t) => {\n\t\tconst chunks = readExistingChunks(cookieName, ctx);\n\t\tconst logger = ctx.context.logger;\n\n\t\treturn {\n\t\t\t/**\n\t\t\t * Get the full session data by joining all chunks\n\t\t\t */\n\t\t\tgetValue(): string {\n\t\t\t\treturn joinChunks(chunks);\n\t\t\t},\n\n\t\t\t/**\n\t\t\t * Check if there are existing chunks\n\t\t\t */\n\t\t\thasChunks(): boolean {\n\t\t\t\treturn Object.keys(chunks).length > 0;\n\t\t\t},\n\n\t\t\t/**\n\t\t\t * Chunk a cookie value and return all cookies to set (including cleanup cookies)\n\t\t\t */\n\t\t\tchunk(value: string, options?: Partial<CookieOptions>): Cookie[] {\n\t\t\t\t// Start by cleaning all existing chunks\n\t\t\t\tconst cleanedChunks = getCleanCookies(chunks, cookieOptions);\n\t\t\t\t// Clear the chunks object\n\t\t\t\tfor (const name in chunks) {\n\t\t\t\t\tdelete chunks[name];\n\t\t\t\t}\n\t\t\t\tconst cookies: Record<string, Cookie> = cleanedChunks;\n\n\t\t\t\t// Create new chunks\n\t\t\t\tconst chunked = chunkCookie(\n\t\t\t\t\tstoreName,\n\t\t\t\t\t{\n\t\t\t\t\t\tname: cookieName,\n\t\t\t\t\t\tvalue,\n\t\t\t\t\t\tattributes: { ...cookieOptions, ...options },\n\t\t\t\t\t},\n\t\t\t\t\tchunks,\n\t\t\t\t\tlogger,\n\t\t\t\t);\n\n\t\t\t\t// Update with new chunks\n\t\t\t\tfor (const chunk of chunked) {\n\t\t\t\t\tcookies[chunk.name] = chunk;\n\t\t\t\t}\n\n\t\t\t\treturn Object.values(cookies);\n\t\t\t},\n\n\t\t\t/**\n\t\t\t * Get cookies to clean up all chunks\n\t\t\t */\n\t\t\tclean(): Cookie[] {\n\t\t\t\tconst cleanedChunks = getCleanCookies(chunks, cookieOptions);\n\t\t\t\t// Clear the chunks object\n\t\t\t\tfor (const name in chunks) {\n\t\t\t\t\tdelete chunks[name];\n\t\t\t\t}\n\t\t\t\treturn Object.values(cleanedChunks);\n\t\t\t},\n\n\t\t\t/**\n\t\t\t * Set all cookies in the context\n\t\t\t */\n\t\t\tsetCookies(cookies: Cookie[]): void {\n\t\t\t\tfor (const cookie of cookies) {\n\t\t\t\t\tctx.setCookie(cookie.name, cookie.value, cookie.attributes);\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\t};\n\nexport const createSessionStore = storeFactory(\"Session\");\nexport const createAccountStore = storeFactory(\"Account\");\n\nexport function getChunkedCookie(\n\tctx: GenericEndpointContext,\n\tcookieName: string,\n): string | null {\n\tconst value = ctx.getCookie(cookieName);\n\tif (value) {\n\t\treturn value;\n\t}\n\n\tconst chunks: Array<{ index: number; value: string }> = [];\n\n\tconst cookieHeader = ctx.headers?.get(\"cookie\");\n\tif (!cookieHeader) {\n\t\treturn null;\n\t}\n\n\tconst cookies: Record<string, string> = {};\n\tconst pairs = cookieHeader.split(\"; \");\n\tfor (const pair of pairs) {\n\t\tconst [name, ...valueParts] = pair.split(\"=\");\n\t\tif (name && valueParts.length > 0) {\n\t\t\tcookies[name] = valueParts.join(\"=\");\n\t\t}\n\t}\n\n\tfor (const [name, val] of Object.entries(cookies)) {\n\t\tif (name.startsWith(cookieName + \".\")) {\n\t\t\tconst parts = name.split(\".\");\n\t\t\tconst indexStr = parts.at(-1);\n\t\t\tconst index = parseInt(indexStr || \"0\", 10);\n\t\t\tif (!isNaN(index)) {\n\t\t\t\tchunks.push({ index, value: val });\n\t\t\t}\n\t\t}\n\t}\n\n\tif (chunks.length > 0) {\n\t\tchunks.sort((a, b) => a.index - b.index);\n\t\treturn chunks.map((c) => c.value).join(\"\");\n\t}\n\n\treturn null;\n}\n\nexport async function setAccountCookie(\n\tc: GenericEndpointContext,\n\taccountData: Record<string, any>,\n) {\n\tconst accountDataCookie = c.context.authCookies.accountData;\n\tconst options = {\n\t\tmaxAge: 60 * 5,\n\t\t...accountDataCookie.attributes,\n\t};\n\tconst data = await symmetricEncodeJWT(\n\t\taccountData,\n\t\tc.context.secret,\n\t\t\"better-auth-account\",\n\t\toptions.maxAge,\n\t);\n\n\tif (data.length > ALLOWED_COOKIE_SIZE) {\n\t\tconst accountStore = createAccountStore(accountDataCookie.name, options, c);\n\n\t\tconst cookies = accountStore.chunk(data, options);\n\t\taccountStore.setCookies(cookies);\n\t} else {\n\t\tconst accountStore = createAccountStore(accountDataCookie.name, options, c);\n\t\tif (accountStore.hasChunks()) {\n\t\t\tconst cleanCookies = accountStore.clean();\n\t\t\taccountStore.setCookies(cleanCookies);\n\t\t}\n\t\tc.setCookie(accountDataCookie.name, data, options);\n\t}\n}\n\nexport async function getAccountCookie(c: GenericEndpointContext) {\n\tconst accountCookie = getChunkedCookie(\n\t\tc,\n\t\tc.context.authCookies.accountData.name,\n\t);\n\tif (accountCookie) {\n\t\tconst accountData = safeJSONParse<Account>(\n\t\t\tawait symmetricDecodeJWT(\n\t\t\t\taccountCookie,\n\t\t\t\tc.context.secret,\n\t\t\t\t\"better-auth-account\",\n\t\t\t),\n\t\t);\n\t\tif (accountData) {\n\t\t\treturn accountData;\n\t\t}\n\t}\n\n\treturn null;\n}\n\nexport const getSessionQuerySchema = z.optional(\n\tz.object({\n\t\t/**\n\t\t * If cookie cache is enabled, it will disable the cache\n\t\t * and fetch the session from the database\n\t\t */\n\t\tdisableCookieCache: z.coerce\n\t\t\t.boolean()\n\t\t\t.meta({\n\t\t\t\tdescription: \"Disable cookie cache and fetch session from database\",\n\t\t\t})\n\t\t\t.optional(),\n\t\tdisableRefresh: z.coerce\n\t\t\t.boolean()\n\t\t\t.meta({\n\t\t\t\tdescription:\n\t\t\t\t\t\"Disable session refresh. Useful for checking session status, without updating the session\",\n\t\t\t})\n\t\t\t.optional(),\n\t}),\n);\n"],"mappings":";;;;;;AASA,MAAM,sBAAsB;AAG5B,MAAM,8BAA8B;AACpC,MAAM,aAAa,sBAAsB;;;;AAazC,SAAS,wBACR,KACyB;CACzB,MAAM,eAAe,IAAI,SAAS,IAAI,SAAS;AAC/C,KAAI,CAAC,aACJ,QAAO,EAAE;CAGV,MAAM,UAAkC,EAAE;CAC1C,MAAM,QAAQ,aAAa,MAAM,KAAK;AAEtC,MAAK,MAAM,QAAQ,OAAO;EACzB,MAAM,CAAC,MAAM,GAAG,cAAc,KAAK,MAAM,IAAI;AAC7C,MAAI,QAAQ,WAAW,SAAS,EAC/B,SAAQ,QAAQ,WAAW,KAAK,IAAI;;AAItC,QAAO;;;;;AAMR,SAAS,cAAc,YAA4B;CAClD,MAAM,QAAQ,WAAW,MAAM,IAAI;CACnC,MAAM,WAAW,MAAM,MAAM,SAAS;CACtC,MAAM,QAAQ,SAAS,YAAY,KAAK,GAAG;AAC3C,QAAO,MAAM,MAAM,GAAG,IAAI;;;;;AAM3B,SAAS,mBACR,YACA,KACS;CACT,MAAM,SAAiB,EAAE;CACzB,MAAM,UAAU,wBAAwB,IAAI;AAE5C,MAAK,MAAM,CAAC,MAAM,UAAU,OAAO,QAAQ,QAAQ,CAClD,KAAI,KAAK,WAAW,WAAW,CAC9B,QAAO,QAAQ;AAIjB,QAAO;;;;;AAMR,SAAS,WAAW,QAAwB;AAO3C,QANmB,OAAO,KAAK,OAAO,CAAC,MAAM,GAAG,MAAM;AAGrD,SAFe,cAAc,EAAE,GAChB,cAAc,EAAE;GAE9B,CAEgB,KAAK,QAAQ,OAAO,KAAK,CAAC,KAAK,GAAG;;;;;AAMrD,SAAS,YACR,WACA,QACA,QACA,QACW;CACX,MAAM,aAAa,KAAK,KAAK,OAAO,MAAM,SAAS,WAAW;AAE9D,KAAI,eAAe,GAAG;AACrB,SAAO,OAAO,QAAQ,OAAO;AAC7B,SAAO,CAAC,OAAO;;CAGhB,MAAM,UAAoB,EAAE;AAC5B,MAAK,IAAI,IAAI,GAAG,IAAI,YAAY,KAAK;EACpC,MAAM,OAAO,GAAG,OAAO,KAAK,GAAG;EAC/B,MAAM,QAAQ,IAAI;EAClB,MAAM,QAAQ,OAAO,MAAM,UAAU,OAAO,QAAQ,WAAW;AAC/D,UAAQ,KAAK;GAAE,GAAG;GAAQ;GAAM;GAAO,CAAC;AACxC,SAAO,QAAQ;;AAGhB,QAAO,MAAM,YAAY,UAAU,aAAa,CAAC,UAAU;EAC1D,SAAS,GAAG,UAAU,0BAA0B,oBAAoB;EACpE,iBAAiB;EACjB,WAAW,OAAO,MAAM;EACxB;EACA,QAAQ,QAAQ,KAAK,MAAM,EAAE,MAAM,SAAS,4BAA4B;EACxE,CAAC;AAEF,QAAO;;;;;AAMR,SAAS,gBACR,QACA,eACyB;CACzB,MAAM,gBAAwC,EAAE;AAChD,MAAK,MAAM,QAAQ,OAClB,eAAc,QAAQ;EACrB;EACA,OAAO;EACP,YAAY;GAAE,GAAG;GAAe,QAAQ;GAAG;EAC3C;AAEF,QAAO;;;;;;;;;AAUR,MAAM,gBACJ,eAEA,YACA,eACA,QACI;CACJ,MAAM,SAAS,mBAAmB,YAAY,IAAI;CAClD,MAAM,SAAS,IAAI,QAAQ;AAE3B,QAAO;EAIN,WAAmB;AAClB,UAAO,WAAW,OAAO;;EAM1B,YAAqB;AACpB,UAAO,OAAO,KAAK,OAAO,CAAC,SAAS;;EAMrC,MAAM,OAAe,SAA4C;GAEhE,MAAM,gBAAgB,gBAAgB,QAAQ,cAAc;AAE5D,QAAK,MAAM,QAAQ,OAClB,QAAO,OAAO;GAEf,MAAM,UAAkC;GAGxC,MAAM,UAAU,YACf,WACA;IACC,MAAM;IACN;IACA,YAAY;KAAE,GAAG;KAAe,GAAG;KAAS;IAC5C,EACD,QACA,OACA;AAGD,QAAK,MAAM,SAAS,QACnB,SAAQ,MAAM,QAAQ;AAGvB,UAAO,OAAO,OAAO,QAAQ;;EAM9B,QAAkB;GACjB,MAAM,gBAAgB,gBAAgB,QAAQ,cAAc;AAE5D,QAAK,MAAM,QAAQ,OAClB,QAAO,OAAO;AAEf,UAAO,OAAO,OAAO,cAAc;;EAMpC,WAAW,SAAyB;AACnC,QAAK,MAAM,UAAU,QACpB,KAAI,UAAU,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW;;EAG7D;;AAGH,MAAa,qBAAqB,aAAa,UAAU;AACzD,MAAa,qBAAqB,aAAa,UAAU;AAEzD,SAAgB,iBACf,KACA,YACgB;CAChB,MAAM,QAAQ,IAAI,UAAU,WAAW;AACvC,KAAI,MACH,QAAO;CAGR,MAAM,SAAkD,EAAE;CAE1D,MAAM,eAAe,IAAI,SAAS,IAAI,SAAS;AAC/C,KAAI,CAAC,aACJ,QAAO;CAGR,MAAM,UAAkC,EAAE;CAC1C,MAAM,QAAQ,aAAa,MAAM,KAAK;AACtC,MAAK,MAAM,QAAQ,OAAO;EACzB,MAAM,CAAC,MAAM,GAAG,cAAc,KAAK,MAAM,IAAI;AAC7C,MAAI,QAAQ,WAAW,SAAS,EAC/B,SAAQ,QAAQ,WAAW,KAAK,IAAI;;AAItC,MAAK,MAAM,CAAC,MAAM,QAAQ,OAAO,QAAQ,QAAQ,CAChD,KAAI,KAAK,WAAW,aAAa,IAAI,EAAE;EAEtC,MAAM,WADQ,KAAK,MAAM,IAAI,CACN,GAAG,GAAG;EAC7B,MAAM,QAAQ,SAAS,YAAY,KAAK,GAAG;AAC3C,MAAI,CAAC,MAAM,MAAM,CAChB,QAAO,KAAK;GAAE;GAAO,OAAO;GAAK,CAAC;;AAKrC,KAAI,OAAO,SAAS,GAAG;AACtB,SAAO,MAAM,GAAG,MAAM,EAAE,QAAQ,EAAE,MAAM;AACxC,SAAO,OAAO,KAAK,MAAM,EAAE,MAAM,CAAC,KAAK,GAAG;;AAG3C,QAAO;;AAGR,eAAsB,iBACrB,GACA,aACC;CACD,MAAM,oBAAoB,EAAE,QAAQ,YAAY;CAChD,MAAM,UAAU;EACf,QAAQ;EACR,GAAG,kBAAkB;EACrB;CACD,MAAM,OAAO,MAAM,mBAClB,aACA,EAAE,QAAQ,QACV,uBACA,QAAQ,OACR;AAED,KAAI,KAAK,SAAS,qBAAqB;EACtC,MAAM,eAAe,mBAAmB,kBAAkB,MAAM,SAAS,EAAE;EAE3E,MAAM,UAAU,aAAa,MAAM,MAAM,QAAQ;AACjD,eAAa,WAAW,QAAQ;QAC1B;EACN,MAAM,eAAe,mBAAmB,kBAAkB,MAAM,SAAS,EAAE;AAC3E,MAAI,aAAa,WAAW,EAAE;GAC7B,MAAM,eAAe,aAAa,OAAO;AACzC,gBAAa,WAAW,aAAa;;AAEtC,IAAE,UAAU,kBAAkB,MAAM,MAAM,QAAQ;;;AAIpD,eAAsB,iBAAiB,GAA2B;CACjE,MAAM,gBAAgB,iBACrB,GACA,EAAE,QAAQ,YAAY,YAAY,KAClC;AACD,KAAI,eAAe;EAClB,MAAM,cAAc,cACnB,MAAM,mBACL,eACA,EAAE,QAAQ,QACV,sBACA,CACD;AACD,MAAI,YACH,QAAO;;AAIT,QAAO;;AAGR,MAAa,wBAAwB,EAAE,SACtC,EAAE,OAAO;CAKR,oBAAoB,EAAE,OACpB,SAAS,CACT,KAAK,EACL,aAAa,wDACb,CAAC,CACD,UAAU;CACZ,gBAAgB,EAAE,OAChB,SAAS,CACT,KAAK,EACL,aACC,6FACD,CAAC,CACD,UAAU;CACZ,CAAC,CACF"}

package/dist/crypto/buffer.d.mts

@@ -0,0 +1,8 @@
+//#region src/crypto/buffer.d.ts
+/**
+ * Compare two buffers in constant time.
+ */
+declare function constantTimeEqual(a: ArrayBuffer | Uint8Array | string, b: ArrayBuffer | Uint8Array | string): boolean;
+//#endregion
+export { constantTimeEqual };
+//# sourceMappingURL=buffer.d.mts.map

package/dist/crypto/buffer.mjs

@@ -0,0 +1,18 @@
+//#region src/crypto/buffer.ts
+/**
+* Compare two buffers in constant time.
+*/
+function constantTimeEqual(a, b) {
+	if (typeof a === "string") a = new TextEncoder().encode(a);
+	if (typeof b === "string") b = new TextEncoder().encode(b);
+	const aBuffer = new Uint8Array(a);
+	const bBuffer = new Uint8Array(b);
+	let c = aBuffer.length ^ bBuffer.length;
+	const length = Math.max(aBuffer.length, bBuffer.length);
+	for (let i = 0; i < length; i++) c |= (i < aBuffer.length ? aBuffer[i] : 0) ^ (i < bBuffer.length ? bBuffer[i] : 0);
+	return c === 0;
+}
+
+//#endregion
+export { constantTimeEqual };
+//# sourceMappingURL=buffer.mjs.map

package/dist/crypto/buffer.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"buffer.mjs","names":[],"sources":["../../src/crypto/buffer.ts"],"sourcesContent":["/**\n * Compare two buffers in constant time.\n */\nexport function constantTimeEqual(\n\ta: ArrayBuffer | Uint8Array | string,\n\tb: ArrayBuffer | Uint8Array | string,\n): boolean {\n\tif (typeof a === \"string\") {\n\t\ta = new TextEncoder().encode(a);\n\t}\n\tif (typeof b === \"string\") {\n\t\tb = new TextEncoder().encode(b);\n\t}\n\tconst aBuffer = new Uint8Array(a);\n\tconst bBuffer = new Uint8Array(b);\n\tlet c = aBuffer.length ^ bBuffer.length;\n\tconst length = Math.max(aBuffer.length, bBuffer.length);\n\tfor (let i = 0; i < length; i++) {\n\t\tc |=\n\t\t\t(i < aBuffer.length ? aBuffer[i]! : 0) ^\n\t\t\t(i < bBuffer.length ? bBuffer[i]! : 0);\n\t}\n\treturn c === 0;\n}\n"],"mappings":";;;;AAGA,SAAgB,kBACf,GACA,GACU;AACV,KAAI,OAAO,MAAM,SAChB,KAAI,IAAI,aAAa,CAAC,OAAO,EAAE;AAEhC,KAAI,OAAO,MAAM,SAChB,KAAI,IAAI,aAAa,CAAC,OAAO,EAAE;CAEhC,MAAM,UAAU,IAAI,WAAW,EAAE;CACjC,MAAM,UAAU,IAAI,WAAW,EAAE;CACjC,IAAI,IAAI,QAAQ,SAAS,QAAQ;CACjC,MAAM,SAAS,KAAK,IAAI,QAAQ,QAAQ,QAAQ,OAAO;AACvD,MAAK,IAAI,IAAI,GAAG,IAAI,QAAQ,IAC3B,OACE,IAAI,QAAQ,SAAS,QAAQ,KAAM,MACnC,IAAI,QAAQ,SAAS,QAAQ,KAAM;AAEtC,QAAO,MAAM"}

package/dist/crypto/index.d.mts

@@ -0,0 +1,27 @@
+import { constantTimeEqual } from "./buffer.mjs";
+import { signJWT, symmetricDecodeJWT, symmetricEncodeJWT, verifyJWT } from "./jwt.mjs";
+import { hashPassword, verifyPassword } from "./password.mjs";
+import { generateRandomString } from "./random.mjs";
+
+//#region src/crypto/index.d.ts
+type SymmetricEncryptOptions = {
+  key: string;
+  data: string;
+};
+declare const symmetricEncrypt: ({
+  key,
+  data
+}: SymmetricEncryptOptions) => Promise<string>;
+type SymmetricDecryptOptions = {
+  key: string;
+  data: string;
+};
+declare const symmetricDecrypt: ({
+  key,
+  data
+}: SymmetricDecryptOptions) => Promise<string>;
+declare const getCryptoKey: (secret: string | BufferSource) => Promise<CryptoKey>;
+declare const makeSignature: (value: string, secret: string | BufferSource) => Promise<string>;
+//#endregion
+export { SymmetricDecryptOptions, SymmetricEncryptOptions, constantTimeEqual, generateRandomString, getCryptoKey, hashPassword, makeSignature, signJWT, symmetricDecodeJWT, symmetricDecrypt, symmetricEncodeJWT, symmetricEncrypt, verifyJWT, verifyPassword };
+//# sourceMappingURL=index.d.mts.map