@hammadj/better-auth 1.5.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (688) hide show
  1. package/LICENSE.md +20 -0
  2. package/README.md +33 -0
  3. package/dist/_virtual/rolldown_runtime.mjs +36 -0
  4. package/dist/adapters/drizzle-adapter/index.d.mts +1 -0
  5. package/dist/adapters/drizzle-adapter/index.mjs +3 -0
  6. package/dist/adapters/index.d.mts +23 -0
  7. package/dist/adapters/index.mjs +13 -0
  8. package/dist/adapters/index.mjs.map +1 -0
  9. package/dist/adapters/kysely-adapter/index.d.mts +1 -0
  10. package/dist/adapters/kysely-adapter/index.mjs +3 -0
  11. package/dist/adapters/memory-adapter/index.d.mts +1 -0
  12. package/dist/adapters/memory-adapter/index.mjs +3 -0
  13. package/dist/adapters/mongodb-adapter/index.d.mts +1 -0
  14. package/dist/adapters/mongodb-adapter/index.mjs +3 -0
  15. package/dist/adapters/prisma-adapter/index.d.mts +1 -0
  16. package/dist/adapters/prisma-adapter/index.mjs +3 -0
  17. package/dist/api/index.d.mts +40 -0
  18. package/dist/api/index.mjs +205 -0
  19. package/dist/api/index.mjs.map +1 -0
  20. package/dist/api/middlewares/index.d.mts +1 -0
  21. package/dist/api/middlewares/index.mjs +3 -0
  22. package/dist/api/middlewares/origin-check.d.mts +17 -0
  23. package/dist/api/middlewares/origin-check.mjs +140 -0
  24. package/dist/api/middlewares/origin-check.mjs.map +1 -0
  25. package/dist/api/rate-limiter/index.mjs +177 -0
  26. package/dist/api/rate-limiter/index.mjs.map +1 -0
  27. package/dist/api/routes/account.d.mts +10 -0
  28. package/dist/api/routes/account.mjs +493 -0
  29. package/dist/api/routes/account.mjs.map +1 -0
  30. package/dist/api/routes/callback.d.mts +5 -0
  31. package/dist/api/routes/callback.mjs +178 -0
  32. package/dist/api/routes/callback.mjs.map +1 -0
  33. package/dist/api/routes/email-verification.d.mts +29 -0
  34. package/dist/api/routes/email-verification.mjs +301 -0
  35. package/dist/api/routes/email-verification.mjs.map +1 -0
  36. package/dist/api/routes/error.d.mts +5 -0
  37. package/dist/api/routes/error.mjs +386 -0
  38. package/dist/api/routes/error.mjs.map +1 -0
  39. package/dist/api/routes/index.d.mts +11 -0
  40. package/dist/api/routes/index.mjs +13 -0
  41. package/dist/api/routes/ok.d.mts +5 -0
  42. package/dist/api/routes/ok.mjs +30 -0
  43. package/dist/api/routes/ok.mjs.map +1 -0
  44. package/dist/api/routes/password.d.mts +8 -0
  45. package/dist/api/routes/password.mjs +198 -0
  46. package/dist/api/routes/password.mjs.map +1 -0
  47. package/dist/api/routes/session.d.mts +52 -0
  48. package/dist/api/routes/session.mjs +478 -0
  49. package/dist/api/routes/session.mjs.map +1 -0
  50. package/dist/api/routes/sign-in.d.mts +8 -0
  51. package/dist/api/routes/sign-in.mjs +262 -0
  52. package/dist/api/routes/sign-in.mjs.map +1 -0
  53. package/dist/api/routes/sign-out.d.mts +5 -0
  54. package/dist/api/routes/sign-out.mjs +33 -0
  55. package/dist/api/routes/sign-out.mjs.map +1 -0
  56. package/dist/api/routes/sign-up.d.mts +7 -0
  57. package/dist/api/routes/sign-up.mjs +227 -0
  58. package/dist/api/routes/sign-up.mjs.map +1 -0
  59. package/dist/api/routes/update-user.d.mts +12 -0
  60. package/dist/api/routes/update-user.mjs +493 -0
  61. package/dist/api/routes/update-user.mjs.map +1 -0
  62. package/dist/api/state/oauth.d.mts +5 -0
  63. package/dist/api/state/oauth.mjs +8 -0
  64. package/dist/api/state/oauth.mjs.map +1 -0
  65. package/dist/api/state/should-session-refresh.d.mts +13 -0
  66. package/dist/api/state/should-session-refresh.mjs +16 -0
  67. package/dist/api/state/should-session-refresh.mjs.map +1 -0
  68. package/dist/api/to-auth-endpoints.mjs +197 -0
  69. package/dist/api/to-auth-endpoints.mjs.map +1 -0
  70. package/dist/auth/base.mjs +44 -0
  71. package/dist/auth/base.mjs.map +1 -0
  72. package/dist/auth/full.d.mts +30 -0
  73. package/dist/auth/full.mjs +32 -0
  74. package/dist/auth/full.mjs.map +1 -0
  75. package/dist/auth/minimal.d.mts +12 -0
  76. package/dist/auth/minimal.mjs +14 -0
  77. package/dist/auth/minimal.mjs.map +1 -0
  78. package/dist/auth/trusted-origins.mjs +31 -0
  79. package/dist/auth/trusted-origins.mjs.map +1 -0
  80. package/dist/client/broadcast-channel.d.mts +20 -0
  81. package/dist/client/broadcast-channel.mjs +46 -0
  82. package/dist/client/broadcast-channel.mjs.map +1 -0
  83. package/dist/client/config.mjs +90 -0
  84. package/dist/client/config.mjs.map +1 -0
  85. package/dist/client/fetch-plugins.mjs +18 -0
  86. package/dist/client/fetch-plugins.mjs.map +1 -0
  87. package/dist/client/focus-manager.d.mts +11 -0
  88. package/dist/client/focus-manager.mjs +32 -0
  89. package/dist/client/focus-manager.mjs.map +1 -0
  90. package/dist/client/index.d.mts +30 -0
  91. package/dist/client/index.mjs +21 -0
  92. package/dist/client/index.mjs.map +1 -0
  93. package/dist/client/lynx/index.d.mts +62 -0
  94. package/dist/client/lynx/index.mjs +24 -0
  95. package/dist/client/lynx/index.mjs.map +1 -0
  96. package/dist/client/lynx/lynx-store.d.mts +47 -0
  97. package/dist/client/lynx/lynx-store.mjs +47 -0
  98. package/dist/client/lynx/lynx-store.mjs.map +1 -0
  99. package/dist/client/online-manager.d.mts +12 -0
  100. package/dist/client/online-manager.mjs +35 -0
  101. package/dist/client/online-manager.mjs.map +1 -0
  102. package/dist/client/parser.mjs +73 -0
  103. package/dist/client/parser.mjs.map +1 -0
  104. package/dist/client/path-to-object.d.mts +57 -0
  105. package/dist/client/plugins/index.d.mts +58 -0
  106. package/dist/client/plugins/index.mjs +33 -0
  107. package/dist/client/plugins/infer-plugin.d.mts +9 -0
  108. package/dist/client/plugins/infer-plugin.mjs +11 -0
  109. package/dist/client/plugins/infer-plugin.mjs.map +1 -0
  110. package/dist/client/proxy.mjs +79 -0
  111. package/dist/client/proxy.mjs.map +1 -0
  112. package/dist/client/query.d.mts +23 -0
  113. package/dist/client/query.mjs +98 -0
  114. package/dist/client/query.mjs.map +1 -0
  115. package/dist/client/react/index.d.mts +63 -0
  116. package/dist/client/react/index.mjs +24 -0
  117. package/dist/client/react/index.mjs.map +1 -0
  118. package/dist/client/react/react-store.d.mts +47 -0
  119. package/dist/client/react/react-store.mjs +47 -0
  120. package/dist/client/react/react-store.mjs.map +1 -0
  121. package/dist/client/session-atom.mjs +29 -0
  122. package/dist/client/session-atom.mjs.map +1 -0
  123. package/dist/client/session-refresh.d.mts +28 -0
  124. package/dist/client/session-refresh.mjs +140 -0
  125. package/dist/client/session-refresh.mjs.map +1 -0
  126. package/dist/client/solid/index.d.mts +57 -0
  127. package/dist/client/solid/index.mjs +22 -0
  128. package/dist/client/solid/index.mjs.map +1 -0
  129. package/dist/client/solid/solid-store.mjs +24 -0
  130. package/dist/client/solid/solid-store.mjs.map +1 -0
  131. package/dist/client/svelte/index.d.mts +63 -0
  132. package/dist/client/svelte/index.mjs +20 -0
  133. package/dist/client/svelte/index.mjs.map +1 -0
  134. package/dist/client/types.d.mts +58 -0
  135. package/dist/client/vanilla.d.mts +62 -0
  136. package/dist/client/vanilla.mjs +20 -0
  137. package/dist/client/vanilla.mjs.map +1 -0
  138. package/dist/client/vue/index.d.mts +86 -0
  139. package/dist/client/vue/index.mjs +38 -0
  140. package/dist/client/vue/index.mjs.map +1 -0
  141. package/dist/client/vue/vue-store.mjs +26 -0
  142. package/dist/client/vue/vue-store.mjs.map +1 -0
  143. package/dist/context/create-context.mjs +211 -0
  144. package/dist/context/create-context.mjs.map +1 -0
  145. package/dist/context/helpers.mjs +62 -0
  146. package/dist/context/helpers.mjs.map +1 -0
  147. package/dist/context/init-minimal.mjs +20 -0
  148. package/dist/context/init-minimal.mjs.map +1 -0
  149. package/dist/context/init.mjs +22 -0
  150. package/dist/context/init.mjs.map +1 -0
  151. package/dist/cookies/cookie-utils.d.mts +29 -0
  152. package/dist/cookies/cookie-utils.mjs +105 -0
  153. package/dist/cookies/cookie-utils.mjs.map +1 -0
  154. package/dist/cookies/index.d.mts +67 -0
  155. package/dist/cookies/index.mjs +264 -0
  156. package/dist/cookies/index.mjs.map +1 -0
  157. package/dist/cookies/session-store.d.mts +36 -0
  158. package/dist/cookies/session-store.mjs +200 -0
  159. package/dist/cookies/session-store.mjs.map +1 -0
  160. package/dist/crypto/buffer.d.mts +8 -0
  161. package/dist/crypto/buffer.mjs +18 -0
  162. package/dist/crypto/buffer.mjs.map +1 -0
  163. package/dist/crypto/index.d.mts +27 -0
  164. package/dist/crypto/index.mjs +38 -0
  165. package/dist/crypto/index.mjs.map +1 -0
  166. package/dist/crypto/jwt.d.mts +8 -0
  167. package/dist/crypto/jwt.mjs +95 -0
  168. package/dist/crypto/jwt.mjs.map +1 -0
  169. package/dist/crypto/password.d.mts +12 -0
  170. package/dist/crypto/password.mjs +36 -0
  171. package/dist/crypto/password.mjs.map +1 -0
  172. package/dist/crypto/random.d.mts +5 -0
  173. package/dist/crypto/random.mjs +8 -0
  174. package/dist/crypto/random.mjs.map +1 -0
  175. package/dist/db/adapter-base.d.mts +8 -0
  176. package/dist/db/adapter-base.mjs +28 -0
  177. package/dist/db/adapter-base.mjs.map +1 -0
  178. package/dist/db/adapter-kysely.d.mts +8 -0
  179. package/dist/db/adapter-kysely.mjs +21 -0
  180. package/dist/db/adapter-kysely.mjs.map +1 -0
  181. package/dist/db/field-converter.d.mts +8 -0
  182. package/dist/db/field-converter.mjs +21 -0
  183. package/dist/db/field-converter.mjs.map +1 -0
  184. package/dist/db/field.d.mts +55 -0
  185. package/dist/db/field.mjs +11 -0
  186. package/dist/db/field.mjs.map +1 -0
  187. package/dist/db/get-migration.d.mts +23 -0
  188. package/dist/db/get-migration.mjs +339 -0
  189. package/dist/db/get-migration.mjs.map +1 -0
  190. package/dist/db/get-schema.d.mts +11 -0
  191. package/dist/db/get-schema.mjs +39 -0
  192. package/dist/db/get-schema.mjs.map +1 -0
  193. package/dist/db/index.d.mts +9 -0
  194. package/dist/db/index.mjs +36 -0
  195. package/dist/db/index.mjs.map +1 -0
  196. package/dist/db/internal-adapter.d.mts +14 -0
  197. package/dist/db/internal-adapter.mjs +616 -0
  198. package/dist/db/internal-adapter.mjs.map +1 -0
  199. package/dist/db/schema.d.mts +26 -0
  200. package/dist/db/schema.mjs +118 -0
  201. package/dist/db/schema.mjs.map +1 -0
  202. package/dist/db/to-zod.d.mts +36 -0
  203. package/dist/db/to-zod.mjs +26 -0
  204. package/dist/db/to-zod.mjs.map +1 -0
  205. package/dist/db/verification-token-storage.mjs +28 -0
  206. package/dist/db/verification-token-storage.mjs.map +1 -0
  207. package/dist/db/with-hooks.d.mts +33 -0
  208. package/dist/db/with-hooks.mjs +159 -0
  209. package/dist/db/with-hooks.mjs.map +1 -0
  210. package/dist/index.d.mts +52 -0
  211. package/dist/index.mjs +26 -0
  212. package/dist/integrations/next-js.d.mts +14 -0
  213. package/dist/integrations/next-js.mjs +78 -0
  214. package/dist/integrations/next-js.mjs.map +1 -0
  215. package/dist/integrations/node.d.mts +13 -0
  216. package/dist/integrations/node.mjs +16 -0
  217. package/dist/integrations/node.mjs.map +1 -0
  218. package/dist/integrations/solid-start.d.mts +23 -0
  219. package/dist/integrations/solid-start.mjs +17 -0
  220. package/dist/integrations/solid-start.mjs.map +1 -0
  221. package/dist/integrations/svelte-kit.d.mts +29 -0
  222. package/dist/integrations/svelte-kit.mjs +57 -0
  223. package/dist/integrations/svelte-kit.mjs.map +1 -0
  224. package/dist/integrations/tanstack-start-solid.d.mts +22 -0
  225. package/dist/integrations/tanstack-start-solid.mjs +61 -0
  226. package/dist/integrations/tanstack-start-solid.mjs.map +1 -0
  227. package/dist/integrations/tanstack-start.d.mts +22 -0
  228. package/dist/integrations/tanstack-start.mjs +61 -0
  229. package/dist/integrations/tanstack-start.mjs.map +1 -0
  230. package/dist/oauth2/index.d.mts +5 -0
  231. package/dist/oauth2/index.mjs +7 -0
  232. package/dist/oauth2/link-account.d.mts +31 -0
  233. package/dist/oauth2/link-account.mjs +144 -0
  234. package/dist/oauth2/link-account.mjs.map +1 -0
  235. package/dist/oauth2/state.d.mts +26 -0
  236. package/dist/oauth2/state.mjs +51 -0
  237. package/dist/oauth2/state.mjs.map +1 -0
  238. package/dist/oauth2/utils.d.mts +8 -0
  239. package/dist/oauth2/utils.mjs +31 -0
  240. package/dist/oauth2/utils.mjs.map +1 -0
  241. package/dist/plugins/access/access.d.mts +30 -0
  242. package/dist/plugins/access/access.mjs +46 -0
  243. package/dist/plugins/access/access.mjs.map +1 -0
  244. package/dist/plugins/access/index.d.mts +3 -0
  245. package/dist/plugins/access/index.mjs +3 -0
  246. package/dist/plugins/access/types.d.mts +17 -0
  247. package/dist/plugins/additional-fields/client.d.mts +14 -0
  248. package/dist/plugins/additional-fields/client.mjs +11 -0
  249. package/dist/plugins/additional-fields/client.mjs.map +1 -0
  250. package/dist/plugins/admin/access/index.d.mts +2 -0
  251. package/dist/plugins/admin/access/index.mjs +3 -0
  252. package/dist/plugins/admin/access/statement.d.mts +118 -0
  253. package/dist/plugins/admin/access/statement.mjs +53 -0
  254. package/dist/plugins/admin/access/statement.mjs.map +1 -0
  255. package/dist/plugins/admin/admin.d.mts +14 -0
  256. package/dist/plugins/admin/admin.mjs +95 -0
  257. package/dist/plugins/admin/admin.mjs.map +1 -0
  258. package/dist/plugins/admin/client.d.mts +14 -0
  259. package/dist/plugins/admin/client.mjs +36 -0
  260. package/dist/plugins/admin/client.mjs.map +1 -0
  261. package/dist/plugins/admin/error-codes.d.mts +5 -0
  262. package/dist/plugins/admin/error-codes.mjs +30 -0
  263. package/dist/plugins/admin/error-codes.mjs.map +1 -0
  264. package/dist/plugins/admin/has-permission.mjs +16 -0
  265. package/dist/plugins/admin/has-permission.mjs.map +1 -0
  266. package/dist/plugins/admin/index.d.mts +3 -0
  267. package/dist/plugins/admin/index.mjs +3 -0
  268. package/dist/plugins/admin/routes.mjs +855 -0
  269. package/dist/plugins/admin/routes.mjs.map +1 -0
  270. package/dist/plugins/admin/schema.d.mts +6 -0
  271. package/dist/plugins/admin/schema.mjs +34 -0
  272. package/dist/plugins/admin/schema.mjs.map +1 -0
  273. package/dist/plugins/admin/types.d.mts +89 -0
  274. package/dist/plugins/anonymous/client.d.mts +9 -0
  275. package/dist/plugins/anonymous/client.mjs +22 -0
  276. package/dist/plugins/anonymous/client.mjs.map +1 -0
  277. package/dist/plugins/anonymous/error-codes.d.mts +5 -0
  278. package/dist/plugins/anonymous/error-codes.mjs +16 -0
  279. package/dist/plugins/anonymous/error-codes.mjs.map +1 -0
  280. package/dist/plugins/anonymous/index.d.mts +14 -0
  281. package/dist/plugins/anonymous/index.mjs +163 -0
  282. package/dist/plugins/anonymous/index.mjs.map +1 -0
  283. package/dist/plugins/anonymous/schema.d.mts +5 -0
  284. package/dist/plugins/anonymous/schema.mjs +11 -0
  285. package/dist/plugins/anonymous/schema.mjs.map +1 -0
  286. package/dist/plugins/anonymous/types.d.mts +68 -0
  287. package/dist/plugins/api-key/adapter.mjs +468 -0
  288. package/dist/plugins/api-key/adapter.mjs.map +1 -0
  289. package/dist/plugins/api-key/client.d.mts +9 -0
  290. package/dist/plugins/api-key/client.mjs +19 -0
  291. package/dist/plugins/api-key/client.mjs.map +1 -0
  292. package/dist/plugins/api-key/error-codes.d.mts +5 -0
  293. package/dist/plugins/api-key/error-codes.mjs +34 -0
  294. package/dist/plugins/api-key/error-codes.mjs.map +1 -0
  295. package/dist/plugins/api-key/index.d.mts +17 -0
  296. package/dist/plugins/api-key/index.mjs +134 -0
  297. package/dist/plugins/api-key/index.mjs.map +1 -0
  298. package/dist/plugins/api-key/rate-limit.mjs +74 -0
  299. package/dist/plugins/api-key/rate-limit.mjs.map +1 -0
  300. package/dist/plugins/api-key/routes/create-api-key.mjs +252 -0
  301. package/dist/plugins/api-key/routes/create-api-key.mjs.map +1 -0
  302. package/dist/plugins/api-key/routes/delete-all-expired-api-keys.mjs +24 -0
  303. package/dist/plugins/api-key/routes/delete-all-expired-api-keys.mjs.map +1 -0
  304. package/dist/plugins/api-key/routes/delete-api-key.mjs +74 -0
  305. package/dist/plugins/api-key/routes/delete-api-key.mjs.map +1 -0
  306. package/dist/plugins/api-key/routes/get-api-key.mjs +158 -0
  307. package/dist/plugins/api-key/routes/get-api-key.mjs.map +1 -0
  308. package/dist/plugins/api-key/routes/index.mjs +71 -0
  309. package/dist/plugins/api-key/routes/index.mjs.map +1 -0
  310. package/dist/plugins/api-key/routes/list-api-keys.mjs +194 -0
  311. package/dist/plugins/api-key/routes/list-api-keys.mjs.map +1 -0
  312. package/dist/plugins/api-key/routes/update-api-key.mjs +248 -0
  313. package/dist/plugins/api-key/routes/update-api-key.mjs.map +1 -0
  314. package/dist/plugins/api-key/routes/verify-api-key.mjs +223 -0
  315. package/dist/plugins/api-key/routes/verify-api-key.mjs.map +1 -0
  316. package/dist/plugins/api-key/schema.d.mts +11 -0
  317. package/dist/plugins/api-key/schema.mjs +130 -0
  318. package/dist/plugins/api-key/schema.mjs.map +1 -0
  319. package/dist/plugins/api-key/types.d.mts +346 -0
  320. package/dist/plugins/bearer/index.d.mts +25 -0
  321. package/dist/plugins/bearer/index.mjs +66 -0
  322. package/dist/plugins/bearer/index.mjs.map +1 -0
  323. package/dist/plugins/captcha/constants.d.mts +10 -0
  324. package/dist/plugins/captcha/constants.mjs +22 -0
  325. package/dist/plugins/captcha/constants.mjs.map +1 -0
  326. package/dist/plugins/captcha/error-codes.mjs +16 -0
  327. package/dist/plugins/captcha/error-codes.mjs.map +1 -0
  328. package/dist/plugins/captcha/index.d.mts +14 -0
  329. package/dist/plugins/captcha/index.mjs +60 -0
  330. package/dist/plugins/captcha/index.mjs.map +1 -0
  331. package/dist/plugins/captcha/types.d.mts +28 -0
  332. package/dist/plugins/captcha/utils.mjs +11 -0
  333. package/dist/plugins/captcha/utils.mjs.map +1 -0
  334. package/dist/plugins/captcha/verify-handlers/captchafox.mjs +27 -0
  335. package/dist/plugins/captcha/verify-handlers/captchafox.mjs.map +1 -0
  336. package/dist/plugins/captcha/verify-handlers/cloudflare-turnstile.mjs +25 -0
  337. package/dist/plugins/captcha/verify-handlers/cloudflare-turnstile.mjs.map +1 -0
  338. package/dist/plugins/captcha/verify-handlers/google-recaptcha.mjs +29 -0
  339. package/dist/plugins/captcha/verify-handlers/google-recaptcha.mjs.map +1 -0
  340. package/dist/plugins/captcha/verify-handlers/h-captcha.mjs +27 -0
  341. package/dist/plugins/captcha/verify-handlers/h-captcha.mjs.map +1 -0
  342. package/dist/plugins/captcha/verify-handlers/index.mjs +6 -0
  343. package/dist/plugins/custom-session/client.d.mts +10 -0
  344. package/dist/plugins/custom-session/client.mjs +11 -0
  345. package/dist/plugins/custom-session/client.mjs.map +1 -0
  346. package/dist/plugins/custom-session/index.d.mts +26 -0
  347. package/dist/plugins/custom-session/index.mjs +70 -0
  348. package/dist/plugins/custom-session/index.mjs.map +1 -0
  349. package/dist/plugins/device-authorization/client.d.mts +5 -0
  350. package/dist/plugins/device-authorization/client.mjs +18 -0
  351. package/dist/plugins/device-authorization/client.mjs.map +1 -0
  352. package/dist/plugins/device-authorization/error-codes.mjs +21 -0
  353. package/dist/plugins/device-authorization/error-codes.mjs.map +1 -0
  354. package/dist/plugins/device-authorization/index.d.mts +28 -0
  355. package/dist/plugins/device-authorization/index.mjs +50 -0
  356. package/dist/plugins/device-authorization/index.mjs.map +1 -0
  357. package/dist/plugins/device-authorization/routes.mjs +510 -0
  358. package/dist/plugins/device-authorization/routes.mjs.map +1 -0
  359. package/dist/plugins/device-authorization/schema.mjs +57 -0
  360. package/dist/plugins/device-authorization/schema.mjs.map +1 -0
  361. package/dist/plugins/email-otp/client.d.mts +7 -0
  362. package/dist/plugins/email-otp/client.mjs +18 -0
  363. package/dist/plugins/email-otp/client.mjs.map +1 -0
  364. package/dist/plugins/email-otp/error-codes.d.mts +5 -0
  365. package/dist/plugins/email-otp/error-codes.mjs +12 -0
  366. package/dist/plugins/email-otp/error-codes.mjs.map +1 -0
  367. package/dist/plugins/email-otp/index.d.mts +14 -0
  368. package/dist/plugins/email-otp/index.mjs +108 -0
  369. package/dist/plugins/email-otp/index.mjs.map +1 -0
  370. package/dist/plugins/email-otp/otp-token.mjs +29 -0
  371. package/dist/plugins/email-otp/otp-token.mjs.map +1 -0
  372. package/dist/plugins/email-otp/routes.mjs +564 -0
  373. package/dist/plugins/email-otp/routes.mjs.map +1 -0
  374. package/dist/plugins/email-otp/types.d.mts +74 -0
  375. package/dist/plugins/email-otp/utils.mjs +17 -0
  376. package/dist/plugins/email-otp/utils.mjs.map +1 -0
  377. package/dist/plugins/generic-oauth/client.d.mts +19 -0
  378. package/dist/plugins/generic-oauth/client.mjs +14 -0
  379. package/dist/plugins/generic-oauth/client.mjs.map +1 -0
  380. package/dist/plugins/generic-oauth/error-codes.d.mts +5 -0
  381. package/dist/plugins/generic-oauth/error-codes.mjs +15 -0
  382. package/dist/plugins/generic-oauth/error-codes.mjs.map +1 -0
  383. package/dist/plugins/generic-oauth/index.d.mts +34 -0
  384. package/dist/plugins/generic-oauth/index.mjs +137 -0
  385. package/dist/plugins/generic-oauth/index.mjs.map +1 -0
  386. package/dist/plugins/generic-oauth/providers/auth0.d.mts +37 -0
  387. package/dist/plugins/generic-oauth/providers/auth0.mjs +62 -0
  388. package/dist/plugins/generic-oauth/providers/auth0.mjs.map +1 -0
  389. package/dist/plugins/generic-oauth/providers/gumroad.d.mts +32 -0
  390. package/dist/plugins/generic-oauth/providers/gumroad.mjs +60 -0
  391. package/dist/plugins/generic-oauth/providers/gumroad.mjs.map +1 -0
  392. package/dist/plugins/generic-oauth/providers/hubspot.d.mts +37 -0
  393. package/dist/plugins/generic-oauth/providers/hubspot.mjs +60 -0
  394. package/dist/plugins/generic-oauth/providers/hubspot.mjs.map +1 -0
  395. package/dist/plugins/generic-oauth/providers/index.d.mts +9 -0
  396. package/dist/plugins/generic-oauth/providers/index.mjs +11 -0
  397. package/dist/plugins/generic-oauth/providers/keycloak.d.mts +37 -0
  398. package/dist/plugins/generic-oauth/providers/keycloak.mjs +62 -0
  399. package/dist/plugins/generic-oauth/providers/keycloak.mjs.map +1 -0
  400. package/dist/plugins/generic-oauth/providers/line.d.mts +55 -0
  401. package/dist/plugins/generic-oauth/providers/line.mjs +91 -0
  402. package/dist/plugins/generic-oauth/providers/line.mjs.map +1 -0
  403. package/dist/plugins/generic-oauth/providers/microsoft-entra-id.d.mts +37 -0
  404. package/dist/plugins/generic-oauth/providers/microsoft-entra-id.mjs +66 -0
  405. package/dist/plugins/generic-oauth/providers/microsoft-entra-id.mjs.map +1 -0
  406. package/dist/plugins/generic-oauth/providers/okta.d.mts +37 -0
  407. package/dist/plugins/generic-oauth/providers/okta.mjs +62 -0
  408. package/dist/plugins/generic-oauth/providers/okta.mjs.map +1 -0
  409. package/dist/plugins/generic-oauth/providers/patreon.d.mts +30 -0
  410. package/dist/plugins/generic-oauth/providers/patreon.mjs +59 -0
  411. package/dist/plugins/generic-oauth/providers/patreon.mjs.map +1 -0
  412. package/dist/plugins/generic-oauth/providers/slack.d.mts +30 -0
  413. package/dist/plugins/generic-oauth/providers/slack.mjs +61 -0
  414. package/dist/plugins/generic-oauth/providers/slack.mjs.map +1 -0
  415. package/dist/plugins/generic-oauth/routes.mjs +394 -0
  416. package/dist/plugins/generic-oauth/routes.mjs.map +1 -0
  417. package/dist/plugins/generic-oauth/types.d.mts +145 -0
  418. package/dist/plugins/haveibeenpwned/index.d.mts +21 -0
  419. package/dist/plugins/haveibeenpwned/index.mjs +56 -0
  420. package/dist/plugins/haveibeenpwned/index.mjs.map +1 -0
  421. package/dist/plugins/index.d.mts +68 -0
  422. package/dist/plugins/index.mjs +51 -0
  423. package/dist/plugins/jwt/adapter.mjs +27 -0
  424. package/dist/plugins/jwt/adapter.mjs.map +1 -0
  425. package/dist/plugins/jwt/client.d.mts +18 -0
  426. package/dist/plugins/jwt/client.mjs +19 -0
  427. package/dist/plugins/jwt/client.mjs.map +1 -0
  428. package/dist/plugins/jwt/index.d.mts +17 -0
  429. package/dist/plugins/jwt/index.mjs +202 -0
  430. package/dist/plugins/jwt/index.mjs.map +1 -0
  431. package/dist/plugins/jwt/schema.d.mts +5 -0
  432. package/dist/plugins/jwt/schema.mjs +23 -0
  433. package/dist/plugins/jwt/schema.mjs.map +1 -0
  434. package/dist/plugins/jwt/sign.d.mts +57 -0
  435. package/dist/plugins/jwt/sign.mjs +66 -0
  436. package/dist/plugins/jwt/sign.mjs.map +1 -0
  437. package/dist/plugins/jwt/types.d.mts +194 -0
  438. package/dist/plugins/jwt/utils.d.mts +42 -0
  439. package/dist/plugins/jwt/utils.mjs +64 -0
  440. package/dist/plugins/jwt/utils.mjs.map +1 -0
  441. package/dist/plugins/jwt/verify.d.mts +12 -0
  442. package/dist/plugins/jwt/verify.mjs +46 -0
  443. package/dist/plugins/jwt/verify.mjs.map +1 -0
  444. package/dist/plugins/last-login-method/client.d.mts +18 -0
  445. package/dist/plugins/last-login-method/client.mjs +32 -0
  446. package/dist/plugins/last-login-method/client.mjs.map +1 -0
  447. package/dist/plugins/last-login-method/index.d.mts +52 -0
  448. package/dist/plugins/last-login-method/index.mjs +77 -0
  449. package/dist/plugins/last-login-method/index.mjs.map +1 -0
  450. package/dist/plugins/magic-link/client.d.mts +5 -0
  451. package/dist/plugins/magic-link/client.mjs +11 -0
  452. package/dist/plugins/magic-link/client.mjs.map +1 -0
  453. package/dist/plugins/magic-link/index.d.mts +61 -0
  454. package/dist/plugins/magic-link/index.mjs +167 -0
  455. package/dist/plugins/magic-link/index.mjs.map +1 -0
  456. package/dist/plugins/magic-link/utils.mjs +12 -0
  457. package/dist/plugins/magic-link/utils.mjs.map +1 -0
  458. package/dist/plugins/mcp/authorize.mjs +133 -0
  459. package/dist/plugins/mcp/authorize.mjs.map +1 -0
  460. package/dist/plugins/mcp/index.d.mts +46 -0
  461. package/dist/plugins/mcp/index.mjs +717 -0
  462. package/dist/plugins/mcp/index.mjs.map +1 -0
  463. package/dist/plugins/multi-session/client.d.mts +8 -0
  464. package/dist/plugins/multi-session/client.mjs +20 -0
  465. package/dist/plugins/multi-session/client.mjs.map +1 -0
  466. package/dist/plugins/multi-session/error-codes.d.mts +5 -0
  467. package/dist/plugins/multi-session/error-codes.mjs +8 -0
  468. package/dist/plugins/multi-session/error-codes.mjs.map +1 -0
  469. package/dist/plugins/multi-session/index.d.mts +22 -0
  470. package/dist/plugins/multi-session/index.mjs +172 -0
  471. package/dist/plugins/multi-session/index.mjs.map +1 -0
  472. package/dist/plugins/oauth-proxy/index.d.mts +39 -0
  473. package/dist/plugins/oauth-proxy/index.mjs +305 -0
  474. package/dist/plugins/oauth-proxy/index.mjs.map +1 -0
  475. package/dist/plugins/oauth-proxy/utils.mjs +44 -0
  476. package/dist/plugins/oauth-proxy/utils.mjs.map +1 -0
  477. package/dist/plugins/oidc-provider/authorize.mjs +194 -0
  478. package/dist/plugins/oidc-provider/authorize.mjs.map +1 -0
  479. package/dist/plugins/oidc-provider/client.d.mts +8 -0
  480. package/dist/plugins/oidc-provider/client.mjs +11 -0
  481. package/dist/plugins/oidc-provider/client.mjs.map +1 -0
  482. package/dist/plugins/oidc-provider/error.mjs +17 -0
  483. package/dist/plugins/oidc-provider/error.mjs.map +1 -0
  484. package/dist/plugins/oidc-provider/index.d.mts +32 -0
  485. package/dist/plugins/oidc-provider/index.mjs +1093 -0
  486. package/dist/plugins/oidc-provider/index.mjs.map +1 -0
  487. package/dist/plugins/oidc-provider/schema.d.mts +26 -0
  488. package/dist/plugins/oidc-provider/schema.mjs +132 -0
  489. package/dist/plugins/oidc-provider/schema.mjs.map +1 -0
  490. package/dist/plugins/oidc-provider/types.d.mts +517 -0
  491. package/dist/plugins/oidc-provider/utils/prompt.mjs +19 -0
  492. package/dist/plugins/oidc-provider/utils/prompt.mjs.map +1 -0
  493. package/dist/plugins/oidc-provider/utils.mjs +15 -0
  494. package/dist/plugins/oidc-provider/utils.mjs.map +1 -0
  495. package/dist/plugins/one-tap/client.d.mts +159 -0
  496. package/dist/plugins/one-tap/client.mjs +214 -0
  497. package/dist/plugins/one-tap/client.mjs.map +1 -0
  498. package/dist/plugins/one-tap/index.d.mts +27 -0
  499. package/dist/plugins/one-tap/index.mjs +96 -0
  500. package/dist/plugins/one-tap/index.mjs.map +1 -0
  501. package/dist/plugins/one-time-token/client.d.mts +7 -0
  502. package/dist/plugins/one-time-token/client.mjs +11 -0
  503. package/dist/plugins/one-time-token/client.mjs.map +1 -0
  504. package/dist/plugins/one-time-token/index.d.mts +53 -0
  505. package/dist/plugins/one-time-token/index.mjs +82 -0
  506. package/dist/plugins/one-time-token/index.mjs.map +1 -0
  507. package/dist/plugins/one-time-token/utils.mjs +12 -0
  508. package/dist/plugins/one-time-token/utils.mjs.map +1 -0
  509. package/dist/plugins/open-api/generator.d.mts +115 -0
  510. package/dist/plugins/open-api/generator.mjs +315 -0
  511. package/dist/plugins/open-api/generator.mjs.map +1 -0
  512. package/dist/plugins/open-api/index.d.mts +45 -0
  513. package/dist/plugins/open-api/index.mjs +67 -0
  514. package/dist/plugins/open-api/index.mjs.map +1 -0
  515. package/dist/plugins/open-api/logo.mjs +15 -0
  516. package/dist/plugins/open-api/logo.mjs.map +1 -0
  517. package/dist/plugins/organization/access/index.d.mts +2 -0
  518. package/dist/plugins/organization/access/index.mjs +3 -0
  519. package/dist/plugins/organization/access/statement.d.mts +249 -0
  520. package/dist/plugins/organization/access/statement.mjs +81 -0
  521. package/dist/plugins/organization/access/statement.mjs.map +1 -0
  522. package/dist/plugins/organization/adapter.d.mts +205 -0
  523. package/dist/plugins/organization/adapter.mjs +624 -0
  524. package/dist/plugins/organization/adapter.mjs.map +1 -0
  525. package/dist/plugins/organization/call.mjs +19 -0
  526. package/dist/plugins/organization/call.mjs.map +1 -0
  527. package/dist/plugins/organization/client.d.mts +151 -0
  528. package/dist/plugins/organization/client.mjs +107 -0
  529. package/dist/plugins/organization/client.mjs.map +1 -0
  530. package/dist/plugins/organization/error-codes.d.mts +5 -0
  531. package/dist/plugins/organization/error-codes.mjs +65 -0
  532. package/dist/plugins/organization/error-codes.mjs.map +1 -0
  533. package/dist/plugins/organization/has-permission.mjs +35 -0
  534. package/dist/plugins/organization/has-permission.mjs.map +1 -0
  535. package/dist/plugins/organization/index.d.mts +5 -0
  536. package/dist/plugins/organization/index.mjs +4 -0
  537. package/dist/plugins/organization/organization.d.mts +252 -0
  538. package/dist/plugins/organization/organization.mjs +428 -0
  539. package/dist/plugins/organization/organization.mjs.map +1 -0
  540. package/dist/plugins/organization/permission.d.mts +26 -0
  541. package/dist/plugins/organization/permission.mjs +16 -0
  542. package/dist/plugins/organization/permission.mjs.map +1 -0
  543. package/dist/plugins/organization/routes/crud-access-control.d.mts +11 -0
  544. package/dist/plugins/organization/routes/crud-access-control.mjs +656 -0
  545. package/dist/plugins/organization/routes/crud-access-control.mjs.map +1 -0
  546. package/dist/plugins/organization/routes/crud-invites.d.mts +16 -0
  547. package/dist/plugins/organization/routes/crud-invites.mjs +555 -0
  548. package/dist/plugins/organization/routes/crud-invites.mjs.map +1 -0
  549. package/dist/plugins/organization/routes/crud-members.d.mts +13 -0
  550. package/dist/plugins/organization/routes/crud-members.mjs +473 -0
  551. package/dist/plugins/organization/routes/crud-members.mjs.map +1 -0
  552. package/dist/plugins/organization/routes/crud-org.d.mts +13 -0
  553. package/dist/plugins/organization/routes/crud-org.mjs +447 -0
  554. package/dist/plugins/organization/routes/crud-org.mjs.map +1 -0
  555. package/dist/plugins/organization/routes/crud-team.d.mts +15 -0
  556. package/dist/plugins/organization/routes/crud-team.mjs +676 -0
  557. package/dist/plugins/organization/routes/crud-team.mjs.map +1 -0
  558. package/dist/plugins/organization/schema.d.mts +376 -0
  559. package/dist/plugins/organization/schema.mjs +68 -0
  560. package/dist/plugins/organization/schema.mjs.map +1 -0
  561. package/dist/plugins/organization/types.d.mts +733 -0
  562. package/dist/plugins/phone-number/client.d.mts +8 -0
  563. package/dist/plugins/phone-number/client.mjs +20 -0
  564. package/dist/plugins/phone-number/client.mjs.map +1 -0
  565. package/dist/plugins/phone-number/error-codes.d.mts +5 -0
  566. package/dist/plugins/phone-number/error-codes.mjs +21 -0
  567. package/dist/plugins/phone-number/error-codes.mjs.map +1 -0
  568. package/dist/plugins/phone-number/index.d.mts +14 -0
  569. package/dist/plugins/phone-number/index.mjs +49 -0
  570. package/dist/plugins/phone-number/index.mjs.map +1 -0
  571. package/dist/plugins/phone-number/routes.mjs +459 -0
  572. package/dist/plugins/phone-number/routes.mjs.map +1 -0
  573. package/dist/plugins/phone-number/schema.d.mts +5 -0
  574. package/dist/plugins/phone-number/schema.mjs +20 -0
  575. package/dist/plugins/phone-number/schema.mjs.map +1 -0
  576. package/dist/plugins/phone-number/types.d.mts +118 -0
  577. package/dist/plugins/siwe/client.d.mts +5 -0
  578. package/dist/plugins/siwe/client.mjs +11 -0
  579. package/dist/plugins/siwe/client.mjs.map +1 -0
  580. package/dist/plugins/siwe/error-codes.mjs +13 -0
  581. package/dist/plugins/siwe/error-codes.mjs.map +1 -0
  582. package/dist/plugins/siwe/index.d.mts +26 -0
  583. package/dist/plugins/siwe/index.mjs +261 -0
  584. package/dist/plugins/siwe/index.mjs.map +1 -0
  585. package/dist/plugins/siwe/schema.d.mts +5 -0
  586. package/dist/plugins/siwe/schema.mjs +32 -0
  587. package/dist/plugins/siwe/schema.mjs.map +1 -0
  588. package/dist/plugins/siwe/types.d.mts +44 -0
  589. package/dist/plugins/two-factor/backup-codes/index.d.mts +91 -0
  590. package/dist/plugins/two-factor/backup-codes/index.mjs +277 -0
  591. package/dist/plugins/two-factor/backup-codes/index.mjs.map +1 -0
  592. package/dist/plugins/two-factor/client.d.mts +17 -0
  593. package/dist/plugins/two-factor/client.mjs +37 -0
  594. package/dist/plugins/two-factor/client.mjs.map +1 -0
  595. package/dist/plugins/two-factor/constant.mjs +8 -0
  596. package/dist/plugins/two-factor/constant.mjs.map +1 -0
  597. package/dist/plugins/two-factor/error-code.d.mts +5 -0
  598. package/dist/plugins/two-factor/error-code.mjs +18 -0
  599. package/dist/plugins/two-factor/error-code.mjs.map +1 -0
  600. package/dist/plugins/two-factor/index.d.mts +19 -0
  601. package/dist/plugins/two-factor/index.mjs +207 -0
  602. package/dist/plugins/two-factor/index.mjs.map +1 -0
  603. package/dist/plugins/two-factor/otp/index.d.mts +96 -0
  604. package/dist/plugins/two-factor/otp/index.mjs +199 -0
  605. package/dist/plugins/two-factor/otp/index.mjs.map +1 -0
  606. package/dist/plugins/two-factor/schema.d.mts +5 -0
  607. package/dist/plugins/two-factor/schema.mjs +36 -0
  608. package/dist/plugins/two-factor/schema.mjs.map +1 -0
  609. package/dist/plugins/two-factor/totp/index.d.mts +81 -0
  610. package/dist/plugins/two-factor/totp/index.mjs +157 -0
  611. package/dist/plugins/two-factor/totp/index.mjs.map +1 -0
  612. package/dist/plugins/two-factor/types.d.mts +65 -0
  613. package/dist/plugins/two-factor/utils.mjs +12 -0
  614. package/dist/plugins/two-factor/utils.mjs.map +1 -0
  615. package/dist/plugins/two-factor/verify-two-factor.mjs +76 -0
  616. package/dist/plugins/two-factor/verify-two-factor.mjs.map +1 -0
  617. package/dist/plugins/username/client.d.mts +7 -0
  618. package/dist/plugins/username/client.mjs +18 -0
  619. package/dist/plugins/username/client.mjs.map +1 -0
  620. package/dist/plugins/username/error-codes.d.mts +5 -0
  621. package/dist/plugins/username/error-codes.mjs +17 -0
  622. package/dist/plugins/username/error-codes.mjs.map +1 -0
  623. package/dist/plugins/username/index.d.mts +74 -0
  624. package/dist/plugins/username/index.mjs +237 -0
  625. package/dist/plugins/username/index.mjs.map +1 -0
  626. package/dist/plugins/username/schema.d.mts +9 -0
  627. package/dist/plugins/username/schema.mjs +26 -0
  628. package/dist/plugins/username/schema.mjs.map +1 -0
  629. package/dist/social-providers/index.d.mts +1 -0
  630. package/dist/social-providers/index.mjs +3 -0
  631. package/dist/state.d.mts +42 -0
  632. package/dist/state.mjs +107 -0
  633. package/dist/state.mjs.map +1 -0
  634. package/dist/test-utils/headers.d.mts +9 -0
  635. package/dist/test-utils/headers.mjs +24 -0
  636. package/dist/test-utils/headers.mjs.map +1 -0
  637. package/dist/test-utils/index.d.mts +3 -0
  638. package/dist/test-utils/index.mjs +4 -0
  639. package/dist/test-utils/test-instance.d.mts +181 -0
  640. package/dist/test-utils/test-instance.mjs +210 -0
  641. package/dist/test-utils/test-instance.mjs.map +1 -0
  642. package/dist/types/adapter.d.mts +24 -0
  643. package/dist/types/api.d.mts +29 -0
  644. package/dist/types/auth.d.mts +30 -0
  645. package/dist/types/helper.d.mts +21 -0
  646. package/dist/types/index.d.mts +11 -0
  647. package/dist/types/index.mjs +1 -0
  648. package/dist/types/models.d.mts +17 -0
  649. package/dist/types/plugins.d.mts +16 -0
  650. package/dist/utils/boolean.mjs +8 -0
  651. package/dist/utils/boolean.mjs.map +1 -0
  652. package/dist/utils/constants.mjs +6 -0
  653. package/dist/utils/constants.mjs.map +1 -0
  654. package/dist/utils/date.mjs +8 -0
  655. package/dist/utils/date.mjs.map +1 -0
  656. package/dist/utils/get-request-ip.d.mts +7 -0
  657. package/dist/utils/get-request-ip.mjs +23 -0
  658. package/dist/utils/get-request-ip.mjs.map +1 -0
  659. package/dist/utils/hashing.mjs +21 -0
  660. package/dist/utils/hashing.mjs.map +1 -0
  661. package/dist/utils/hide-metadata.d.mts +7 -0
  662. package/dist/utils/hide-metadata.mjs +6 -0
  663. package/dist/utils/hide-metadata.mjs.map +1 -0
  664. package/dist/utils/index.d.mts +3 -0
  665. package/dist/utils/index.mjs +5 -0
  666. package/dist/utils/is-api-error.d.mts +7 -0
  667. package/dist/utils/is-api-error.mjs +11 -0
  668. package/dist/utils/is-api-error.mjs.map +1 -0
  669. package/dist/utils/is-atom.mjs +8 -0
  670. package/dist/utils/is-atom.mjs.map +1 -0
  671. package/dist/utils/is-promise.mjs +8 -0
  672. package/dist/utils/is-promise.mjs.map +1 -0
  673. package/dist/utils/middleware-response.mjs +6 -0
  674. package/dist/utils/middleware-response.mjs.map +1 -0
  675. package/dist/utils/password.mjs +26 -0
  676. package/dist/utils/password.mjs.map +1 -0
  677. package/dist/utils/plugin-helper.mjs +17 -0
  678. package/dist/utils/plugin-helper.mjs.map +1 -0
  679. package/dist/utils/shim.mjs +24 -0
  680. package/dist/utils/shim.mjs.map +1 -0
  681. package/dist/utils/time.d.mts +49 -0
  682. package/dist/utils/time.mjs +100 -0
  683. package/dist/utils/time.mjs.map +1 -0
  684. package/dist/utils/url.mjs +92 -0
  685. package/dist/utils/url.mjs.map +1 -0
  686. package/dist/utils/wildcard.mjs +108 -0
  687. package/dist/utils/wildcard.mjs.map +1 -0
  688. package/package.json +601 -0
package/dist/plugins/two-factor/index.mjs ADDED
@@ -0,0 +1,207 @@
1
+ import { generateRandomString } from "../../crypto/random.mjs";
2
+ import { symmetricEncrypt } from "../../crypto/index.mjs";
3
+ import { mergeSchema } from "../../db/schema.mjs";
4
+ import { deleteSessionCookie, setSessionCookie } from "../../cookies/index.mjs";
5
+ import { sessionMiddleware } from "../../api/routes/session.mjs";
6
+ import { validatePassword } from "../../utils/password.mjs";
7
+ import "../../api/index.mjs";
8
+ import { TWO_FACTOR_ERROR_CODES } from "./error-code.mjs";
9
+ import { twoFactorClient } from "./client.mjs";
10
+ import { TRUST_DEVICE_COOKIE_MAX_AGE, TRUST_DEVICE_COOKIE_NAME, TWO_FACTOR_COOKIE_NAME } from "./constant.mjs";
11
+ import { backupCode2fa, generateBackupCodes } from "./backup-codes/index.mjs";
12
+ import { otp2fa } from "./otp/index.mjs";
13
+ import { schema } from "./schema.mjs";
14
+ import { totp2fa } from "./totp/index.mjs";
15
+ import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
16
+ import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
17
+ import * as z from "zod";
18
+ import { createHMAC } from "@better-auth/utils/hmac";
19
+ import { createOTP } from "@better-auth/utils/otp";
20
+
21
+ //#region src/plugins/two-factor/index.ts
22
+ const enableTwoFactorBodySchema = z.object({
23
+ password: z.string().meta({ description: "User password" }),
24
+ issuer: z.string().meta({ description: "Custom issuer for the TOTP URI" }).optional()
25
+ });
26
+ const disableTwoFactorBodySchema = z.object({ password: z.string().meta({ description: "User password" }) });
27
+ const twoFactor = (options) => {
28
+ const opts = { twoFactorTable: "twoFactor" };
29
+ const backupCodeOptions = {
30
+ storeBackupCodes: "encrypted",
31
+ ...options?.backupCodeOptions
32
+ };
33
+ const totp = totp2fa(options?.totpOptions);
34
+ const backupCode = backupCode2fa(backupCodeOptions);
35
+ const otp = otp2fa(options?.otpOptions);
36
+ return {
37
+ id: "two-factor",
38
+ endpoints: {
39
+ ...totp.endpoints,
40
+ ...otp.endpoints,
41
+ ...backupCode.endpoints,
42
+ enableTwoFactor: createAuthEndpoint("/two-factor/enable", {
43
+ method: "POST",
44
+ body: enableTwoFactorBodySchema,
45
+ use: [sessionMiddleware],
46
+ metadata: { openapi: {
47
+ summary: "Enable two factor authentication",
48
+ description: "Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.",
49
+ responses: { 200: {
50
+ description: "Successful response",
51
+ content: { "application/json": { schema: {
52
+ type: "object",
53
+ properties: {
54
+ totpURI: {
55
+ type: "string",
56
+ description: "TOTP URI"
57
+ },
58
+ backupCodes: {
59
+ type: "array",
60
+ items: { type: "string" },
61
+ description: "Backup codes"
62
+ }
63
+ }
64
+ } } }
65
+ } }
66
+ } }
67
+ }, async (ctx) => {
68
+ const user = ctx.context.session.user;
69
+ const { password, issuer } = ctx.body;
70
+ if (!await validatePassword(ctx, {
71
+ password,
72
+ userId: user.id
73
+ })) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_PASSWORD);
74
+ const secret = generateRandomString(32);
75
+ const encryptedSecret = await symmetricEncrypt({
76
+ key: ctx.context.secret,
77
+ data: secret
78
+ });
79
+ const backupCodes = await generateBackupCodes(ctx.context.secret, backupCodeOptions);
80
+ if (options?.skipVerificationOnEnable) {
81
+ const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: true });
82
+ /**
83
+ * Update the session cookie with the new user data
84
+ */
85
+ await setSessionCookie(ctx, {
86
+ session: await ctx.context.internalAdapter.createSession(updatedUser.id, false, ctx.context.session.session),
87
+ user: updatedUser
88
+ });
89
+ await ctx.context.internalAdapter.deleteSession(ctx.context.session.session.token);
90
+ }
91
+ await ctx.context.adapter.deleteMany({
92
+ model: opts.twoFactorTable,
93
+ where: [{
94
+ field: "userId",
95
+ value: user.id
96
+ }]
97
+ });
98
+ await ctx.context.adapter.create({
99
+ model: opts.twoFactorTable,
100
+ data: {
101
+ secret: encryptedSecret,
102
+ backupCodes: backupCodes.encryptedBackupCodes,
103
+ userId: user.id
104
+ }
105
+ });
106
+ const totpURI = createOTP(secret, {
107
+ digits: options?.totpOptions?.digits || 6,
108
+ period: options?.totpOptions?.period
109
+ }).url(issuer || options?.issuer || ctx.context.appName, user.email);
110
+ return ctx.json({
111
+ totpURI,
112
+ backupCodes: backupCodes.backupCodes
113
+ });
114
+ }),
115
+ disableTwoFactor: createAuthEndpoint("/two-factor/disable", {
116
+ method: "POST",
117
+ body: disableTwoFactorBodySchema,
118
+ use: [sessionMiddleware],
119
+ metadata: { openapi: {
120
+ summary: "Disable two factor authentication",
121
+ description: "Use this endpoint to disable two factor authentication.",
122
+ responses: { 200: {
123
+ description: "Successful response",
124
+ content: { "application/json": { schema: {
125
+ type: "object",
126
+ properties: { status: { type: "boolean" } }
127
+ } } }
128
+ } }
129
+ } }
130
+ }, async (ctx) => {
131
+ const user = ctx.context.session.user;
132
+ const { password } = ctx.body;
133
+ if (!await validatePassword(ctx, {
134
+ password,
135
+ userId: user.id
136
+ })) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_PASSWORD);
137
+ const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: false });
138
+ await ctx.context.adapter.delete({
139
+ model: opts.twoFactorTable,
140
+ where: [{
141
+ field: "userId",
142
+ value: updatedUser.id
143
+ }]
144
+ });
145
+ /**
146
+ * Update the session cookie with the new user data
147
+ */
148
+ await setSessionCookie(ctx, {
149
+ session: await ctx.context.internalAdapter.createSession(updatedUser.id, false, ctx.context.session.session),
150
+ user: updatedUser
151
+ });
152
+ await ctx.context.internalAdapter.deleteSession(ctx.context.session.session.token);
153
+ return ctx.json({ status: true });
154
+ })
155
+ },
156
+ options,
157
+ hooks: { after: [{
158
+ matcher(context) {
159
+ return context.path === "/sign-in/email" || context.path === "/sign-in/username" || context.path === "/sign-in/phone-number";
160
+ },
161
+ handler: createAuthMiddleware(async (ctx) => {
162
+ const data = ctx.context.newSession;
163
+ if (!data) return;
164
+ if (!data?.user.twoFactorEnabled) return;
165
+ const trustDeviceCookieAttrs = ctx.context.createAuthCookie(TRUST_DEVICE_COOKIE_NAME, { maxAge: TRUST_DEVICE_COOKIE_MAX_AGE });
166
+ const trustDeviceCookie = await ctx.getSignedCookie(trustDeviceCookieAttrs.name, ctx.context.secret);
167
+ if (trustDeviceCookie) {
168
+ const [token, sessionToken] = trustDeviceCookie.split("!");
169
+ if (token === await createHMAC("SHA-256", "base64urlnopad").sign(ctx.context.secret, `${data.user.id}!${sessionToken}`)) {
170
+ const newTrustDeviceCookie = ctx.context.createAuthCookie(TRUST_DEVICE_COOKIE_NAME, { maxAge: TRUST_DEVICE_COOKIE_MAX_AGE });
171
+ const newToken = await createHMAC("SHA-256", "base64urlnopad").sign(ctx.context.secret, `${data.user.id}!${data.session.token}`);
172
+ await ctx.setSignedCookie(newTrustDeviceCookie.name, `${newToken}!${data.session.token}`, ctx.context.secret, trustDeviceCookieAttrs.attributes);
173
+ return;
174
+ }
175
+ }
176
+ /**
177
+ * remove the session cookie. It's set by the sign in credential
178
+ */
179
+ deleteSessionCookie(ctx, true);
180
+ await ctx.context.internalAdapter.deleteSession(data.session.token);
181
+ const maxAge = options?.twoFactorCookieMaxAge ?? 600;
182
+ const twoFactorCookie = ctx.context.createAuthCookie(TWO_FACTOR_COOKIE_NAME, { maxAge });
183
+ const identifier = `2fa-${generateRandomString(20)}`;
184
+ await ctx.context.internalAdapter.createVerificationValue({
185
+ value: data.user.id,
186
+ identifier,
187
+ expiresAt: new Date(Date.now() + maxAge * 1e3)
188
+ });
189
+ await ctx.setSignedCookie(twoFactorCookie.name, identifier, ctx.context.secret, twoFactorCookie.attributes);
190
+ return ctx.json({ twoFactorRedirect: true });
191
+ })
192
+ }] },
193
+ schema: mergeSchema(schema, options?.schema),
194
+ rateLimit: [{
195
+ pathMatcher(path) {
196
+ return path.startsWith("/two-factor/");
197
+ },
198
+ window: 10,
199
+ max: 3
200
+ }],
201
+ $ERROR_CODES: TWO_FACTOR_ERROR_CODES
202
+ };
203
+ };
204
+
205
+ //#endregion
206
+ export { TWO_FACTOR_ERROR_CODES, twoFactor, twoFactorClient };
207
+ //# sourceMappingURL=index.mjs.map
package/dist/plugins/two-factor/index.mjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/two-factor/index.ts"],"sourcesContent":["import type { BetterAuthPlugin } from \"@better-auth/core\";\nimport {\n\tcreateAuthEndpoint,\n\tcreateAuthMiddleware,\n} from \"@better-auth/core/api\";\nimport { APIError, BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { createHMAC } from \"@better-auth/utils/hmac\";\nimport { createOTP } from \"@better-auth/utils/otp\";\nimport * as z from \"zod\";\nimport { sessionMiddleware } from \"../../api\";\nimport { deleteSessionCookie, setSessionCookie } from \"../../cookies\";\nimport { symmetricEncrypt } from \"../../crypto\";\nimport { generateRandomString } from \"../../crypto/random\";\nimport { mergeSchema } from \"../../db/schema\";\nimport { validatePassword } from \"../../utils/password\";\nimport type { BackupCodeOptions } from \"./backup-codes\";\nimport { backupCode2fa, generateBackupCodes } from \"./backup-codes\";\nimport {\n\tTRUST_DEVICE_COOKIE_MAX_AGE,\n\tTRUST_DEVICE_COOKIE_NAME,\n\tTWO_FACTOR_COOKIE_NAME,\n} from \"./constant\";\nimport { TWO_FACTOR_ERROR_CODES } from \"./error-code\";\nimport { otp2fa } from \"./otp\";\nimport { schema } from \"./schema\";\nimport { totp2fa } from \"./totp\";\nimport type { TwoFactorOptions, UserWithTwoFactor } from \"./types\";\n\nexport * from \"./error-code\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"two-factor\": {\n\t\t\tcreator: typeof twoFactor;\n\t\t};\n\t}\n}\n\nconst enableTwoFactorBodySchema = z.object({\n\tpassword: z.string().meta({\n\t\tdescription: \"User password\",\n\t}),\n\tissuer: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"Custom issuer for the TOTP URI\",\n\t\t})\n\t\t.optional(),\n});\n\nconst disableTwoFactorBodySchema = z.object({\n\tpassword: z.string().meta({\n\t\tdescription: \"User password\",\n\t}),\n});\n\nexport const twoFactor = <O extends TwoFactorOptions>(options?: O) => {\n\tconst opts = {\n\t\ttwoFactorTable: \"twoFactor\",\n\t};\n\tconst backupCodeOptions = {\n\t\tstoreBackupCodes: \"encrypted\",\n\t\t...options?.backupCodeOptions,\n\t} satisfies BackupCodeOptions;\n\tconst totp = totp2fa(options?.totpOptions);\n\tconst backupCode = backupCode2fa(backupCodeOptions);\n\tconst otp = otp2fa(options?.otpOptions);\n\n\treturn {\n\t\tid: \"two-factor\",\n\t\tendpoints: {\n\t\t\t...totp.endpoints,\n\t\t\t...otp.endpoints,\n\t\t\t...backupCode.endpoints,\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/enable`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.enableTwoFactor`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.enable`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-enable)\n\t\t\t */\n\t\t\tenableTwoFactor: createAuthEndpoint(\n\t\t\t\t\"/two-factor/enable\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: enableTwoFactorBodySchema,\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tsummary: \"Enable two factor authentication\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttotpURI: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"TOTP URI\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tbackupCodes: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Backup codes\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst user = ctx.context.session.user as UserWithTwoFactor;\n\t\t\t\t\tconst { password, issuer } = ctx.body;\n\t\t\t\t\tconst isPasswordValid = await validatePassword(ctx, {\n\t\t\t\t\t\tpassword,\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t});\n\t\t\t\t\tif (!isPasswordValid) {\n\t\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_PASSWORD,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tconst secret = generateRandomString(32);\n\t\t\t\t\tconst encryptedSecret = await symmetricEncrypt({\n\t\t\t\t\t\tkey: ctx.context.secret,\n\t\t\t\t\t\tdata: secret,\n\t\t\t\t\t});\n\t\t\t\t\tconst backupCodes = await generateBackupCodes(\n\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\tbackupCodeOptions,\n\t\t\t\t\t);\n\t\t\t\t\tif (options?.skipVerificationOnEnable) {\n\t\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\t\tuser.id,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttwoFactorEnabled: true,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\t\tupdatedUser.id,\n\t\t\t\t\t\t\tfalse,\n\t\t\t\t\t\t\tctx.context.session.session,\n\t\t\t\t\t\t);\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * Update the session cookie with the new user data\n\t\t\t\t\t\t */\n\t\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\t//remove current session\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\t\tctx.context.session.session.token,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\t//delete existing two factor\n\t\t\t\t\tawait ctx.context.adapter.deleteMany({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t});\n\n\t\t\t\t\tawait ctx.context.adapter.create({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\tsecret: encryptedSecret,\n\t\t\t\t\t\t\tbackupCodes: backupCodes.encryptedBackupCodes,\n\t\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t\tconst totpURI = createOTP(secret, {\n\t\t\t\t\t\tdigits: options?.totpOptions?.digits || 6,\n\t\t\t\t\t\tperiod: options?.totpOptions?.period,\n\t\t\t\t\t}).url(issuer || options?.issuer || ctx.context.appName, user.email);\n\t\t\t\t\treturn ctx.json({ totpURI, backupCodes: backupCodes.backupCodes });\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/disable`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.disableTwoFactor`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.disable`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-disable)\n\t\t\t */\n\t\t\tdisableTwoFactor: createAuthEndpoint(\n\t\t\t\t\"/two-factor/disable\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: disableTwoFactorBodySchema,\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tsummary: \"Disable two factor authentication\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Use this endpoint to disable two factor authentication.\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst user = ctx.context.session.user as UserWithTwoFactor;\n\t\t\t\t\tconst { password } = ctx.body;\n\t\t\t\t\tconst isPasswordValid = await validatePassword(ctx, {\n\t\t\t\t\t\tpassword,\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t});\n\t\t\t\t\tif (!isPasswordValid) {\n\t\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_PASSWORD,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\tuser.id,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttwoFactorEnabled: false,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\tawait ctx.context.adapter.delete({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\t\t\tvalue: updatedUser.id,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t});\n\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tupdatedUser.id,\n\t\t\t\t\t\tfalse,\n\t\t\t\t\t\tctx.context.session.session,\n\t\t\t\t\t);\n\t\t\t\t\t/**\n\t\t\t\t\t * Update the session cookie with the new user data\n\t\t\t\t\t */\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t});\n\t\t\t\t\t//remove current session\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\tctx.context.session.session.token,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({ status: true });\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\toptions: options as NoInfer<O>,\n\t\thooks: {\n\t\t\tafter: [\n\t\t\t\t{\n\t\t\t\t\tmatcher(context) {\n\t\t\t\t\t\treturn (\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/email\" ||\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/username\" ||\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/phone-number\"\n\t\t\t\t\t\t);\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\tconst data = ctx.context.newSession;\n\t\t\t\t\t\tif (!data) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (!data?.user.twoFactorEnabled) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst trustDeviceCookieAttrs = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\tTRUST_DEVICE_COOKIE_NAME,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tmaxAge: TRUST_DEVICE_COOKIE_MAX_AGE,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\t// Check for trust device cookie\n\t\t\t\t\t\tconst trustDeviceCookie = await ctx.getSignedCookie(\n\t\t\t\t\t\t\ttrustDeviceCookieAttrs.name,\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (trustDeviceCookie) {\n\t\t\t\t\t\t\tconst [token, sessionToken] = trustDeviceCookie.split(\"!\");\n\t\t\t\t\t\t\tconst expectedToken = await createHMAC(\n\t\t\t\t\t\t\t\t\"SHA-256\",\n\t\t\t\t\t\t\t\t\"base64urlnopad\",\n\t\t\t\t\t\t\t).sign(ctx.context.secret, `${data.user.id}!${sessionToken}`);\n\n\t\t\t\t\t\t\t// Checks if the token is signed correctly, not that its the current session token\n\t\t\t\t\t\t\tif (token === expectedToken) {\n\t\t\t\t\t\t\t\t// Trust device cookie is valid, refresh it and skip 2FA\n\t\t\t\t\t\t\t\tconst newTrustDeviceCookie = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\t\t\tTRUST_DEVICE_COOKIE_NAME,\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tmaxAge: TRUST_DEVICE_COOKIE_MAX_AGE,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tconst newToken = await createHMAC(\n\t\t\t\t\t\t\t\t\t\"SHA-256\",\n\t\t\t\t\t\t\t\t\t\"base64urlnopad\",\n\t\t\t\t\t\t\t\t).sign(\n\t\t\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\t\t\t`${data.user.id}!${data.session.token}`,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tawait ctx.setSignedCookie(\n\t\t\t\t\t\t\t\t\tnewTrustDeviceCookie.name,\n\t\t\t\t\t\t\t\t\t`${newToken}!${data.session.token}`,\n\t\t\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\t\t\ttrustDeviceCookieAttrs.attributes,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * remove the session cookie. It's set by the sign in credential\n\t\t\t\t\t\t */\n\t\t\t\t\t\tdeleteSessionCookie(ctx, true);\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(data.session.token);\n\t\t\t\t\t\tconst maxAge = options?.twoFactorCookieMaxAge ?? 10 * 60; // 10 minutes\n\t\t\t\t\t\tconst twoFactorCookie = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\tTWO_FACTOR_COOKIE_NAME,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tmaxAge,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst identifier = `2fa-${generateRandomString(20)}`;\n\t\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\t\tvalue: data.user.id,\n\t\t\t\t\t\t\tidentifier,\n\t\t\t\t\t\t\texpiresAt: new Date(Date.now() + maxAge * 1000),\n\t\t\t\t\t\t});\n\t\t\t\t\t\tawait ctx.setSignedCookie(\n\t\t\t\t\t\t\ttwoFactorCookie.name,\n\t\t\t\t\t\t\tidentifier,\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\ttwoFactorCookie.attributes,\n\t\t\t\t\t\t);\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\ttwoFactorRedirect: true,\n\t\t\t\t\t\t});\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t\tschema: mergeSchema(schema, options?.schema),\n\t\trateLimit: [\n\t\t\t{\n\t\t\t\tpathMatcher(path) {\n\t\t\t\t\treturn path.startsWith(\"/two-factor/\");\n\t\t\t\t},\n\t\t\t\twindow: 10,\n\t\t\t\tmax: 3,\n\t\t\t},\n\t\t],\n\t\t$ERROR_CODES: TWO_FACTOR_ERROR_CODES,\n\t} satisfies BetterAuthPlugin;\n};\n\nexport * from \"./client\";\nexport * from \"./types\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAsCA,MAAM,4BAA4B,EAAE,OAAO;CAC1C,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,iBACb,CAAC;CACF,QAAQ,EACN,QAAQ,CACR,KAAK,EACL,aAAa,kCACb,CAAC,CACD,UAAU;CACZ,CAAC;AAEF,MAAM,6BAA6B,EAAE,OAAO,EAC3C,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,iBACb,CAAC,EACF,CAAC;AAEF,MAAa,aAAyC,YAAgB;CACrE,MAAM,OAAO,EACZ,gBAAgB,aAChB;CACD,MAAM,oBAAoB;EACzB,kBAAkB;EAClB,GAAG,SAAS;EACZ;CACD,MAAM,OAAO,QAAQ,SAAS,YAAY;CAC1C,MAAM,aAAa,cAAc,kBAAkB;CACnD,MAAM,MAAM,OAAO,SAAS,WAAW;AAEvC,QAAO;EACN,IAAI;EACJ,WAAW;GACV,GAAG,KAAK;GACR,GAAG,IAAI;GACP,GAAG,WAAW;GAgBd,iBAAiB,mBAChB,sBACA;IACC,QAAQ;IACR,MAAM;IACN,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,SAAS;KACT,aACC;KACD,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,SAAS;SACR,MAAM;SACN,aAAa;SACb;QACD,aAAa;SACZ,MAAM;SACN,OAAO,EACN,MAAM,UACN;SACD,aAAa;SACb;QACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,OAAO,IAAI,QAAQ,QAAQ;IACjC,MAAM,EAAE,UAAU,WAAW,IAAI;AAKjC,QAAI,CAJoB,MAAM,iBAAiB,KAAK;KACnD;KACA,QAAQ,KAAK;KACb,CAAC,CAED,OAAM,SAAS,KACd,eACA,iBAAiB,iBACjB;IAEF,MAAM,SAAS,qBAAqB,GAAG;IACvC,MAAM,kBAAkB,MAAM,iBAAiB;KAC9C,KAAK,IAAI,QAAQ;KACjB,MAAM;KACN,CAAC;IACF,MAAM,cAAc,MAAM,oBACzB,IAAI,QAAQ,QACZ,kBACA;AACD,QAAI,SAAS,0BAA0B;KACtC,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,IACL,EACC,kBAAkB,MAClB,CACD;;;;AASD,WAAM,iBAAiB,KAAK;MAC3B,SATkB,MAAM,IAAI,QAAQ,gBAAgB,cACpD,YAAY,IACZ,OACA,IAAI,QAAQ,QAAQ,QACpB;MAMA,MAAM;MACN,CAAC;AAGF,WAAM,IAAI,QAAQ,gBAAgB,cACjC,IAAI,QAAQ,QAAQ,QAAQ,MAC5B;;AAGF,UAAM,IAAI,QAAQ,QAAQ,WAAW;KACpC,OAAO,KAAK;KACZ,OAAO,CACN;MACC,OAAO;MACP,OAAO,KAAK;MACZ,CACD;KACD,CAAC;AAEF,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,KAAK;KACZ,MAAM;MACL,QAAQ;MACR,aAAa,YAAY;MACzB,QAAQ,KAAK;MACb;KACD,CAAC;IACF,MAAM,UAAU,UAAU,QAAQ;KACjC,QAAQ,SAAS,aAAa,UAAU;KACxC,QAAQ,SAAS,aAAa;KAC9B,CAAC,CAAC,IAAI,UAAU,SAAS,UAAU,IAAI,QAAQ,SAAS,KAAK,MAAM;AACpE,WAAO,IAAI,KAAK;KAAE;KAAS,aAAa,YAAY;KAAa,CAAC;KAEnE;GAgBD,kBAAkB,mBACjB,uBACA;IACC,QAAQ;IACR,MAAM;IACN,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,SAAS;KACT,aACC;KACD,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,OAAO,IAAI,QAAQ,QAAQ;IACjC,MAAM,EAAE,aAAa,IAAI;AAKzB,QAAI,CAJoB,MAAM,iBAAiB,KAAK;KACnD;KACA,QAAQ,KAAK;KACb,CAAC,CAED,OAAM,SAAS,KACd,eACA,iBAAiB,iBACjB;IAEF,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,IACL,EACC,kBAAkB,OAClB,CACD;AACD,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,KAAK;KACZ,OAAO,CACN;MACC,OAAO;MACP,OAAO,YAAY;MACnB,CACD;KACD,CAAC;;;;AASF,UAAM,iBAAiB,KAAK;KAC3B,SATkB,MAAM,IAAI,QAAQ,gBAAgB,cACpD,YAAY,IACZ,OACA,IAAI,QAAQ,QAAQ,QACpB;KAMA,MAAM;KACN,CAAC;AAEF,UAAM,IAAI,QAAQ,gBAAgB,cACjC,IAAI,QAAQ,QAAQ,QAAQ,MAC5B;AACD,WAAO,IAAI,KAAK,EAAE,QAAQ,MAAM,CAAC;KAElC;GACD;EACQ;EACT,OAAO,EACN,OAAO,CACN;GACC,QAAQ,SAAS;AAChB,WACC,QAAQ,SAAS,oBACjB,QAAQ,SAAS,uBACjB,QAAQ,SAAS;;GAGnB,SAAS,qBAAqB,OAAO,QAAQ;IAC5C,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,KACJ;AAGD,QAAI,CAAC,MAAM,KAAK,iBACf;IAGD,MAAM,yBAAyB,IAAI,QAAQ,iBAC1C,0BACA,EACC,QAAQ,6BACR,CACD;IAED,MAAM,oBAAoB,MAAM,IAAI,gBACnC,uBAAuB,MACvB,IAAI,QAAQ,OACZ;AAED,QAAI,mBAAmB;KACtB,MAAM,CAAC,OAAO,gBAAgB,kBAAkB,MAAM,IAAI;AAO1D,SAAI,UANkB,MAAM,WAC3B,WACA,iBACA,CAAC,KAAK,IAAI,QAAQ,QAAQ,GAAG,KAAK,KAAK,GAAG,GAAG,eAAe,EAGhC;MAE5B,MAAM,uBAAuB,IAAI,QAAQ,iBACxC,0BACA,EACC,QAAQ,6BACR,CACD;MACD,MAAM,WAAW,MAAM,WACtB,WACA,iBACA,CAAC,KACD,IAAI,QAAQ,QACZ,GAAG,KAAK,KAAK,GAAG,GAAG,KAAK,QAAQ,QAChC;AACD,YAAM,IAAI,gBACT,qBAAqB,MACrB,GAAG,SAAS,GAAG,KAAK,QAAQ,SAC5B,IAAI,QAAQ,QACZ,uBAAuB,WACvB;AACD;;;;;;AAOF,wBAAoB,KAAK,KAAK;AAC9B,UAAM,IAAI,QAAQ,gBAAgB,cAAc,KAAK,QAAQ,MAAM;IACnE,MAAM,SAAS,SAAS,yBAAyB;IACjD,MAAM,kBAAkB,IAAI,QAAQ,iBACnC,wBACA,EACC,QACA,CACD;IACD,MAAM,aAAa,OAAO,qBAAqB,GAAG;AAClD,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,OAAO,KAAK,KAAK;KACjB;KACA,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,SAAS,IAAK;KAC/C,CAAC;AACF,UAAM,IAAI,gBACT,gBAAgB,MAChB,YACA,IAAI,QAAQ,QACZ,gBAAgB,WAChB;AACD,WAAO,IAAI,KAAK,EACf,mBAAmB,MACnB,CAAC;KACD;GACF,CACD,EACD;EACD,QAAQ,YAAY,QAAQ,SAAS,OAAO;EAC5C,WAAW,CACV;GACC,YAAY,MAAM;AACjB,WAAO,KAAK,WAAW,eAAe;;GAEvC,QAAQ;GACR,KAAK;GACL,CACD;EACD,cAAc;EACd"}
package/dist/plugins/two-factor/otp/index.d.mts ADDED
@@ -0,0 +1,96 @@
1
+ import { UserWithTwoFactor } from "../types.mjs";
2
+ import { Awaitable, GenericEndpointContext } from "@better-auth/core";
3
+
4
+ //#region src/plugins/two-factor/otp/index.d.ts
5
+ interface OTPOptions {
6
+ /**
7
+ * How long the opt will be valid for in
8
+ * minutes
9
+ *
10
+ * @default "3 mins"
11
+ */
12
+ period?: number | undefined;
13
+ /**
14
+ * Number of digits for the OTP code
15
+ *
16
+ * @default 6
17
+ */
18
+ digits?: number | undefined;
19
+ /**
20
+ * Send the otp to the user
21
+ *
22
+ * @param user - The user to send the otp to
23
+ * @param otp - The otp to send
24
+ * @param request - The request object
25
+ * @returns void | Promise<void>
26
+ */
27
+ sendOTP?: ((
28
+ /**
29
+ * The user to send the otp to
30
+ * @type UserWithTwoFactor
31
+ * @default UserWithTwoFactors
32
+ */
33
+ data: {
34
+ user: UserWithTwoFactor;
35
+ otp: string;
36
+ },
37
+ /**
38
+ * The request object
39
+ */
40
+ ctx?: GenericEndpointContext) => Awaitable<void>) | undefined;
41
+ /**
42
+ * The number of allowed attempts for the OTP
43
+ *
44
+ * @default 5
45
+ */
46
+ allowedAttempts?: number | undefined;
47
+ storeOTP?: ("plain" | "encrypted" | "hashed" | {
48
+ hash: (token: string) => Promise<string>;
49
+ } | {
50
+ encrypt: (token: string) => Promise<string>;
51
+ decrypt: (token: string) => Promise<string>;
52
+ }) | undefined;
53
+ }
54
+ /**
55
+ * The otp adapter is created from the totp adapter.
56
+ */
57
+ declare const otp2fa: (options?: OTPOptions | undefined) => {
58
+ id: string;
59
+ endpoints: {
60
+ /**
61
+ * ### Endpoint
62
+ *
63
+ * POST `/two-factor/send-otp`
64
+ *
65
+ * ### API Methods
66
+ *
67
+ * **server:**
68
+ * `auth.api.send2FaOTP`
69
+ *
70
+ * **client:**
71
+ * `authClient.twoFactor.sendOtp`
72
+ *
73
+ * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-send-otp)
74
+ */
75
+ sendTwoFactorOTP: any;
76
+ /**
77
+ * ### Endpoint
78
+ *
79
+ * POST `/two-factor/verify-otp`
80
+ *
81
+ * ### API Methods
82
+ *
83
+ * **server:**
84
+ * `auth.api.verifyOTP`
85
+ *
86
+ * **client:**
87
+ * `authClient.twoFactor.verifyOtp`
88
+ *
89
+ * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-verify-otp)
90
+ */
91
+ verifyTwoFactorOTP: any;
92
+ };
93
+ };
94
+ //#endregion
95
+ export { OTPOptions, otp2fa };
96
+ //# sourceMappingURL=index.d.mts.map
package/dist/plugins/two-factor/otp/index.mjs ADDED
@@ -0,0 +1,199 @@
1
+ import { constantTimeEqual } from "../../../crypto/buffer.mjs";
2
+ import { generateRandomString } from "../../../crypto/random.mjs";
3
+ import { symmetricDecrypt, symmetricEncrypt } from "../../../crypto/index.mjs";
4
+ import { parseUserOutput } from "../../../db/schema.mjs";
5
+ import { setSessionCookie } from "../../../cookies/index.mjs";
6
+ import { TWO_FACTOR_ERROR_CODES } from "../error-code.mjs";
7
+ import { verifyTwoFactor } from "../verify-two-factor.mjs";
8
+ import { defaultKeyHasher } from "../utils.mjs";
9
+ import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
10
+ import { createAuthEndpoint } from "@better-auth/core/api";
11
+ import * as z from "zod";
12
+
13
+ //#region src/plugins/two-factor/otp/index.ts
14
+ const verifyOTPBodySchema = z.object({
15
+ code: z.string().meta({ description: "The otp code to verify. Eg: \"012345\"" }),
16
+ trustDevice: z.boolean().optional().meta({ description: "If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true" })
17
+ });
18
+ const send2FaOTPBodySchema = z.object({ trustDevice: z.boolean().optional().meta({ description: "If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true" }) }).optional();
19
+ /**
20
+ * The otp adapter is created from the totp adapter.
21
+ */
22
+ const otp2fa = (options) => {
23
+ const opts = {
24
+ storeOTP: "plain",
25
+ digits: 6,
26
+ ...options,
27
+ period: (options?.period || 3) * 60 * 1e3
28
+ };
29
+ async function storeOTP(ctx, otp) {
30
+ if (opts.storeOTP === "hashed") return await defaultKeyHasher(otp);
31
+ if (typeof opts.storeOTP === "object" && "hash" in opts.storeOTP) return await opts.storeOTP.hash(otp);
32
+ if (typeof opts.storeOTP === "object" && "encrypt" in opts.storeOTP) return await opts.storeOTP.encrypt(otp);
33
+ if (opts.storeOTP === "encrypted") return await symmetricEncrypt({
34
+ key: ctx.context.secret,
35
+ data: otp
36
+ });
37
+ return otp;
38
+ }
39
+ async function decryptOrHashForComparison(ctx, storedOtp, userInput) {
40
+ if (opts.storeOTP === "hashed") return [storedOtp, await defaultKeyHasher(userInput)];
41
+ if (opts.storeOTP === "encrypted") return [await symmetricDecrypt({
42
+ key: ctx.context.secret,
43
+ data: storedOtp
44
+ }), userInput];
45
+ if (typeof opts.storeOTP === "object" && "encrypt" in opts.storeOTP) return [await opts.storeOTP.decrypt(storedOtp), userInput];
46
+ if (typeof opts.storeOTP === "object" && "hash" in opts.storeOTP) return [storedOtp, await opts.storeOTP.hash(userInput)];
47
+ return [storedOtp, userInput];
48
+ }
49
+ return {
50
+ id: "otp",
51
+ endpoints: {
52
+ sendTwoFactorOTP: createAuthEndpoint("/two-factor/send-otp", {
53
+ method: "POST",
54
+ body: send2FaOTPBodySchema,
55
+ metadata: { openapi: {
56
+ summary: "Send two factor OTP",
57
+ description: "Send two factor OTP to the user",
58
+ responses: { 200: {
59
+ description: "Successful response",
60
+ content: { "application/json": { schema: {
61
+ type: "object",
62
+ properties: { status: { type: "boolean" } }
63
+ } } }
64
+ } }
65
+ } }
66
+ }, async (ctx) => {
67
+ if (!options || !options.sendOTP) {
68
+ ctx.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options.");
69
+ throw APIError.from("BAD_REQUEST", {
70
+ message: "otp isn't configured",
71
+ code: "OTP_NOT_CONFIGURED"
72
+ });
73
+ }
74
+ const { session, key } = await verifyTwoFactor(ctx);
75
+ const code = generateRandomString(opts.digits, "0-9");
76
+ const hashedCode = await storeOTP(ctx, code);
77
+ await ctx.context.internalAdapter.createVerificationValue({
78
+ value: `${hashedCode}:0`,
79
+ identifier: `2fa-otp-${key}`,
80
+ expiresAt: new Date(Date.now() + opts.period)
81
+ });
82
+ const sendOTPResult = options.sendOTP({
83
+ user: session.user,
84
+ otp: code
85
+ }, ctx);
86
+ if (sendOTPResult instanceof Promise) await ctx.context.runInBackgroundOrAwait(sendOTPResult.catch((e) => {
87
+ ctx.context.logger.error("Failed to send two-factor OTP", e);
88
+ }));
89
+ return ctx.json({ status: true });
90
+ }),
91
+ verifyTwoFactorOTP: createAuthEndpoint("/two-factor/verify-otp", {
92
+ method: "POST",
93
+ body: verifyOTPBodySchema,
94
+ metadata: { openapi: {
95
+ summary: "Verify two factor OTP",
96
+ description: "Verify two factor OTP",
97
+ responses: { "200": {
98
+ description: "Two-factor OTP verified successfully",
99
+ content: { "application/json": { schema: {
100
+ type: "object",
101
+ properties: {
102
+ token: {
103
+ type: "string",
104
+ description: "Session token for the authenticated session"
105
+ },
106
+ user: {
107
+ type: "object",
108
+ properties: {
109
+ id: {
110
+ type: "string",
111
+ description: "Unique identifier of the user"
112
+ },
113
+ email: {
114
+ type: "string",
115
+ format: "email",
116
+ nullable: true,
117
+ description: "User's email address"
118
+ },
119
+ emailVerified: {
120
+ type: "boolean",
121
+ nullable: true,
122
+ description: "Whether the email is verified"
123
+ },
124
+ name: {
125
+ type: "string",
126
+ nullable: true,
127
+ description: "User's name"
128
+ },
129
+ image: {
130
+ type: "string",
131
+ format: "uri",
132
+ nullable: true,
133
+ description: "User's profile image URL"
134
+ },
135
+ createdAt: {
136
+ type: "string",
137
+ format: "date-time",
138
+ description: "Timestamp when the user was created"
139
+ },
140
+ updatedAt: {
141
+ type: "string",
142
+ format: "date-time",
143
+ description: "Timestamp when the user was last updated"
144
+ }
145
+ },
146
+ required: [
147
+ "id",
148
+ "createdAt",
149
+ "updatedAt"
150
+ ],
151
+ description: "The authenticated user object"
152
+ }
153
+ },
154
+ required: ["token", "user"]
155
+ } } }
156
+ } }
157
+ } }
158
+ }, async (ctx) => {
159
+ const { session, key, valid, invalid } = await verifyTwoFactor(ctx);
160
+ const toCheckOtp = await ctx.context.internalAdapter.findVerificationValue(`2fa-otp-${key}`);
161
+ const [otp, counter] = toCheckOtp?.value?.split(":") ?? [];
162
+ if (!toCheckOtp || toCheckOtp.expiresAt < /* @__PURE__ */ new Date()) {
163
+ if (toCheckOtp) await ctx.context.internalAdapter.deleteVerificationValue(toCheckOtp.id);
164
+ throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED);
165
+ }
166
+ const allowedAttempts = options?.allowedAttempts || 5;
167
+ if (parseInt(counter) >= allowedAttempts) {
168
+ await ctx.context.internalAdapter.deleteVerificationValue(toCheckOtp.id);
169
+ throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE);
170
+ }
171
+ const [storedValue, inputValue] = await decryptOrHashForComparison(ctx, otp, ctx.body.code);
172
+ if (constantTimeEqual(new TextEncoder().encode(storedValue), new TextEncoder().encode(inputValue))) {
173
+ if (!session.user.twoFactorEnabled) {
174
+ if (!session.session) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
175
+ const updatedUser = await ctx.context.internalAdapter.updateUser(session.user.id, { twoFactorEnabled: true });
176
+ const newSession = await ctx.context.internalAdapter.createSession(session.user.id, false, session.session);
177
+ await ctx.context.internalAdapter.deleteSession(session.session.token);
178
+ await setSessionCookie(ctx, {
179
+ session: newSession,
180
+ user: updatedUser
181
+ });
182
+ return ctx.json({
183
+ token: newSession.token,
184
+ user: parseUserOutput(ctx.context.options, updatedUser)
185
+ });
186
+ }
187
+ return valid(ctx);
188
+ } else {
189
+ await ctx.context.internalAdapter.updateVerificationValue(toCheckOtp.id, { value: `${otp}:${(parseInt(counter, 10) || 0) + 1}` });
190
+ return invalid("INVALID_CODE");
191
+ }
192
+ })
193
+ }
194
+ };
195
+ };
196
+
197
+ //#endregion
198
+ export { otp2fa };
199
+ //# sourceMappingURL=index.mjs.map
package/dist/plugins/two-factor/otp/index.mjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.mjs","names":[],"sources":["../../../../src/plugins/two-factor/otp/index.ts"],"sourcesContent":["import type { Awaitable, GenericEndpointContext } from \"@better-auth/core\";\nimport { createAuthEndpoint } from \"@better-auth/core/api\";\nimport { APIError, BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport * as z from \"zod\";\nimport { setSessionCookie } from \"../../../cookies\";\nimport {\n\tconstantTimeEqual,\n\tgenerateRandomString,\n\tsymmetricDecrypt,\n\tsymmetricEncrypt,\n} from \"../../../crypto\";\nimport { parseUserOutput } from \"../../../db/schema\";\nimport { TWO_FACTOR_ERROR_CODES } from \"../error-code\";\nimport type { TwoFactorProvider, UserWithTwoFactor } from \"../types\";\nimport { defaultKeyHasher } from \"../utils\";\nimport { verifyTwoFactor } from \"../verify-two-factor\";\n\nexport interface OTPOptions {\n\t/**\n\t * How long the opt will be valid for in\n\t * minutes\n\t *\n\t * @default \"3 mins\"\n\t */\n\tperiod?: number | undefined;\n\t/**\n\t * Number of digits for the OTP code\n\t *\n\t * @default 6\n\t */\n\tdigits?: number | undefined;\n\t/**\n\t * Send the otp to the user\n\t *\n\t * @param user - The user to send the otp to\n\t * @param otp - The otp to send\n\t * @param request - The request object\n\t * @returns void | Promise<void>\n\t */\n\tsendOTP?:\n\t\t| ((\n\t\t\t\t/**\n\t\t\t\t * The user to send the otp to\n\t\t\t\t * @type UserWithTwoFactor\n\t\t\t\t * @default UserWithTwoFactors\n\t\t\t\t */\n\t\t\t\tdata: {\n\t\t\t\t\tuser: UserWithTwoFactor;\n\t\t\t\t\totp: string;\n\t\t\t\t},\n\t\t\t\t/**\n\t\t\t\t * The request object\n\t\t\t\t */\n\t\t\t\tctx?: GenericEndpointContext,\n\t\t ) => Awaitable<void>)\n\t\t| undefined;\n\t/**\n\t * The number of allowed attempts for the OTP\n\t *\n\t * @default 5\n\t */\n\tallowedAttempts?: number | undefined;\n\tstoreOTP?:\n\t\t| (\n\t\t\t\t| \"plain\"\n\t\t\t\t| \"encrypted\"\n\t\t\t\t| \"hashed\"\n\t\t\t\t| { hash: (token: string) => Promise<string> }\n\t\t\t\t| {\n\t\t\t\t\t\tencrypt: (token: string) => Promise<string>;\n\t\t\t\t\t\tdecrypt: (token: string) => Promise<string>;\n\t\t\t\t }\n\t\t )\n\t\t| undefined;\n}\n\nconst verifyOTPBodySchema = z.object({\n\tcode: z.string().meta({\n\t\tdescription: 'The otp code to verify. Eg: \"012345\"',\n\t}),\n\t/**\n\t * if true, the device will be trusted\n\t * for 30 days. It'll be refreshed on\n\t * every sign in request within this time.\n\t */\n\ttrustDevice: z.boolean().optional().meta({\n\t\tdescription:\n\t\t\t\"If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true\",\n\t}),\n});\n\nconst send2FaOTPBodySchema = z\n\t.object({\n\t\t/**\n\t\t * if true, the device will be trusted\n\t\t * for 30 days. It'll be refreshed on\n\t\t * every sign in request within this time.\n\t\t */\n\t\ttrustDevice: z.boolean().optional().meta({\n\t\t\tdescription:\n\t\t\t\t\"If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true\",\n\t\t}),\n\t})\n\t.optional();\n\n/**\n * The otp adapter is created from the totp adapter.\n */\nexport const otp2fa = (options?: OTPOptions | undefined) => {\n\tconst opts = {\n\t\tstoreOTP: \"plain\",\n\t\tdigits: 6,\n\t\t...options,\n\t\tperiod: (options?.period || 3) * 60 * 1000,\n\t};\n\n\tasync function storeOTP(ctx: GenericEndpointContext, otp: string) {\n\t\tif (opts.storeOTP === \"hashed\") {\n\t\t\treturn await defaultKeyHasher(otp);\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"hash\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.hash(otp);\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"encrypt\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.encrypt(otp);\n\t\t}\n\t\tif (opts.storeOTP === \"encrypted\") {\n\t\t\treturn await symmetricEncrypt({\n\t\t\t\tkey: ctx.context.secret,\n\t\t\t\tdata: otp,\n\t\t\t});\n\t\t}\n\t\treturn otp;\n\t}\n\n\tasync function decryptOrHashForComparison(\n\t\tctx: GenericEndpointContext,\n\t\tstoredOtp: string,\n\t\tuserInput: string,\n\t): Promise<[string, string]> {\n\t\tif (opts.storeOTP === \"hashed\") {\n\t\t\t// For hashed storage: hash the user input and compare with stored hash\n\t\t\treturn [storedOtp, await defaultKeyHasher(userInput)];\n\t\t}\n\t\tif (opts.storeOTP === \"encrypted\") {\n\t\t\t// For encrypted storage: decrypt stored value and compare with plain input\n\t\t\tconst decrypted = await symmetricDecrypt({\n\t\t\t\tkey: ctx.context.secret,\n\t\t\t\tdata: storedOtp,\n\t\t\t});\n\t\t\treturn [decrypted, userInput];\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"encrypt\" in opts.storeOTP) {\n\t\t\tconst decrypted = await opts.storeOTP.decrypt(storedOtp);\n\t\t\treturn [decrypted, userInput];\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"hash\" in opts.storeOTP) {\n\t\t\t// For custom hash: hash the user input and compare with stored hash\n\t\t\treturn [storedOtp, await opts.storeOTP.hash(userInput)];\n\t\t}\n\t\t// Plain storage: compare directly\n\t\treturn [storedOtp, userInput];\n\t}\n\n\t/**\n\t * Generate OTP and send it to the user.\n\t */\n\tconst send2FaOTP = createAuthEndpoint(\n\t\t\"/two-factor/send-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: send2FaOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tsummary: \"Send two factor OTP\",\n\t\t\t\t\tdescription: \"Send two factor OTP to the user\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tif (!options || !options.sendOTP) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t\"send otp isn't configured. Please configure the send otp function on otp options.\",\n\t\t\t\t);\n\t\t\t\tthrow APIError.from(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"otp isn't configured\",\n\t\t\t\t\tcode: \"OTP_NOT_CONFIGURED\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst { session, key } = await verifyTwoFactor(ctx);\n\t\t\tconst code = generateRandomString(opts.digits, \"0-9\");\n\t\t\tconst hashedCode = await storeOTP(ctx, code);\n\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\tvalue: `${hashedCode}:0`,\n\t\t\t\tidentifier: `2fa-otp-${key}`,\n\t\t\t\texpiresAt: new Date(Date.now() + opts.period),\n\t\t\t});\n\t\t\tconst sendOTPResult = options.sendOTP(\n\t\t\t\t{ user: session.user as UserWithTwoFactor, otp: code },\n\t\t\t\tctx,\n\t\t\t);\n\t\t\tif (sendOTPResult instanceof Promise) {\n\t\t\t\tawait ctx.context.runInBackgroundOrAwait(\n\t\t\t\t\tsendOTPResult.catch((e: unknown) => {\n\t\t\t\t\t\tctx.context.logger.error(\"Failed to send two-factor OTP\", e);\n\t\t\t\t\t}),\n\t\t\t\t);\n\t\t\t}\n\t\t\treturn ctx.json({ status: true });\n\t\t},\n\t);\n\n\tconst verifyOTP = createAuthEndpoint(\n\t\t\"/two-factor/verify-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: verifyOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tsummary: \"Verify two factor OTP\",\n\t\t\t\t\tdescription: \"Verify two factor OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Two-factor OTP verified successfully\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Session token for the authenticated session\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tid: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Unique identifier of the user\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temail: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"email\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"User's email address\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temailVerified: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Whether the email is verified\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tname: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"User's name\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\timage: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"User's profile image URL\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tcreatedAt: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"date-time\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Timestamp when the user was created\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tupdatedAt: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"date-time\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Timestamp when the user was last updated\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"id\", \"createdAt\", \"updatedAt\"],\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"The authenticated user object\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"token\", \"user\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst { session, key, valid, invalid } = await verifyTwoFactor(ctx);\n\t\t\tconst toCheckOtp =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`2fa-otp-${key}`,\n\t\t\t\t);\n\t\t\tconst [otp, counter] = toCheckOtp?.value?.split(\":\") ?? [];\n\t\t\tif (!toCheckOtp || toCheckOtp.expiresAt < new Date()) {\n\t\t\t\tif (toCheckOtp) {\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\ttoCheckOtp.id,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\tTWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst allowedAttempts = options?.allowedAttempts || 5;\n\t\t\tif (parseInt(counter!) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\ttoCheckOtp.id,\n\t\t\t\t);\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\tTWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst [storedValue, inputValue] = await decryptOrHashForComparison(\n\t\t\t\tctx,\n\t\t\t\totp!,\n\t\t\t\tctx.body.code,\n\t\t\t);\n\t\t\tconst isCodeValid = constantTimeEqual(\n\t\t\t\tnew TextEncoder().encode(storedValue),\n\t\t\t\tnew TextEncoder().encode(inputValue),\n\t\t\t);\n\t\t\tif (isCodeValid) {\n\t\t\t\tif (!session.user.twoFactorEnabled) {\n\t\t\t\t\tif (!session.session) {\n\t\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\t\t\tBASE_ERROR_CODES.FAILED_TO_CREATE_SESSION,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\tsession.user.id,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttwoFactorEnabled: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tsession.user.id,\n\t\t\t\t\t\tfalse,\n\t\t\t\t\t\tsession.session,\n\t\t\t\t\t);\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\tsession.session.token,\n\t\t\t\t\t);\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t});\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\ttoken: newSession.token,\n\t\t\t\t\t\tuser: parseUserOutput(ctx.context.options, updatedUser),\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t\treturn valid(ctx);\n\t\t\t} else {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\ttoCheckOtp.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otp}:${(parseInt(counter!, 10) || 0) + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\treturn invalid(\"INVALID_CODE\");\n\t\t\t}\n\t\t},\n\t);\n\n\treturn {\n\t\tid: \"otp\",\n\t\tendpoints: {\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/send-otp`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.send2FaOTP`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.sendOtp`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-send-otp)\n\t\t\t */\n\t\t\tsendTwoFactorOTP: send2FaOTP,\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/verify-otp`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.verifyOTP`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.verifyOtp`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-verify-otp)\n\t\t\t */\n\t\t\tverifyTwoFactorOTP: verifyOTP,\n\t\t},\n\t} satisfies TwoFactorProvider;\n};\n"],"mappings":";;;;;;;;;;;;;AA4EA,MAAM,sBAAsB,EAAE,OAAO;CACpC,MAAM,EAAE,QAAQ,CAAC,KAAK,EACrB,aAAa,0CACb,CAAC;CAMF,aAAa,EAAE,SAAS,CAAC,UAAU,CAAC,KAAK,EACxC,aACC,2HACD,CAAC;CACF,CAAC;AAEF,MAAM,uBAAuB,EAC3B,OAAO,EAMP,aAAa,EAAE,SAAS,CAAC,UAAU,CAAC,KAAK,EACxC,aACC,2HACD,CAAC,EACF,CAAC,CACD,UAAU;;;;AAKZ,MAAa,UAAU,YAAqC;CAC3D,MAAM,OAAO;EACZ,UAAU;EACV,QAAQ;EACR,GAAG;EACH,SAAS,SAAS,UAAU,KAAK,KAAK;EACtC;CAED,eAAe,SAAS,KAA6B,KAAa;AACjE,MAAI,KAAK,aAAa,SACrB,QAAO,MAAM,iBAAiB,IAAI;AAEnC,MAAI,OAAO,KAAK,aAAa,YAAY,UAAU,KAAK,SACvD,QAAO,MAAM,KAAK,SAAS,KAAK,IAAI;AAErC,MAAI,OAAO,KAAK,aAAa,YAAY,aAAa,KAAK,SAC1D,QAAO,MAAM,KAAK,SAAS,QAAQ,IAAI;AAExC,MAAI,KAAK,aAAa,YACrB,QAAO,MAAM,iBAAiB;GAC7B,KAAK,IAAI,QAAQ;GACjB,MAAM;GACN,CAAC;AAEH,SAAO;;CAGR,eAAe,2BACd,KACA,WACA,WAC4B;AAC5B,MAAI,KAAK,aAAa,SAErB,QAAO,CAAC,WAAW,MAAM,iBAAiB,UAAU,CAAC;AAEtD,MAAI,KAAK,aAAa,YAMrB,QAAO,CAJW,MAAM,iBAAiB;GACxC,KAAK,IAAI,QAAQ;GACjB,MAAM;GACN,CAAC,EACiB,UAAU;AAE9B,MAAI,OAAO,KAAK,aAAa,YAAY,aAAa,KAAK,SAE1D,QAAO,CADW,MAAM,KAAK,SAAS,QAAQ,UAAU,EACrC,UAAU;AAE9B,MAAI,OAAO,KAAK,aAAa,YAAY,UAAU,KAAK,SAEvD,QAAO,CAAC,WAAW,MAAM,KAAK,SAAS,KAAK,UAAU,CAAC;AAGxD,SAAO,CAAC,WAAW,UAAU;;AAiO9B,QAAO;EACN,IAAI;EACJ,WAAW;GAgBV,kBA7OiB,mBAClB,wBACA;IACC,QAAQ;IACR,MAAM;IACN,UAAU,EACT,SAAS;KACR,SAAS;KACT,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,QAAI,CAAC,WAAW,CAAC,QAAQ,SAAS;AACjC,SAAI,QAAQ,OAAO,MAClB,oFACA;AACD,WAAM,SAAS,KAAK,eAAe;MAClC,SAAS;MACT,MAAM;MACN,CAAC;;IAEH,MAAM,EAAE,SAAS,QAAQ,MAAM,gBAAgB,IAAI;IACnD,MAAM,OAAO,qBAAqB,KAAK,QAAQ,MAAM;IACrD,MAAM,aAAa,MAAM,SAAS,KAAK,KAAK;AAC5C,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,OAAO,GAAG,WAAW;KACrB,YAAY,WAAW;KACvB,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,KAAK,OAAO;KAC7C,CAAC;IACF,MAAM,gBAAgB,QAAQ,QAC7B;KAAE,MAAM,QAAQ;KAA2B,KAAK;KAAM,EACtD,IACA;AACD,QAAI,yBAAyB,QAC5B,OAAM,IAAI,QAAQ,uBACjB,cAAc,OAAO,MAAe;AACnC,SAAI,QAAQ,OAAO,MAAM,iCAAiC,EAAE;MAC3D,CACF;AAEF,WAAO,IAAI,KAAK,EAAE,QAAQ,MAAM,CAAC;KAElC;GAiMC,oBA/LgB,mBACjB,0BACA;IACC,QAAQ;IACR,MAAM;IACN,UAAU,EACT,SAAS;KACR,SAAS;KACT,aAAa;KACb,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,OAAO;SACN,MAAM;SACN,aACC;SACD;QACD,MAAM;SACL,MAAM;SACN,YAAY;UACX,IAAI;WACH,MAAM;WACN,aAAa;WACb;UACD,OAAO;WACN,MAAM;WACN,QAAQ;WACR,UAAU;WACV,aAAa;WACb;UACD,eAAe;WACd,MAAM;WACN,UAAU;WACV,aAAa;WACb;UACD,MAAM;WACL,MAAM;WACN,UAAU;WACV,aAAa;WACb;UACD,OAAO;WACN,MAAM;WACN,QAAQ;WACR,UAAU;WACV,aAAa;WACb;UACD,WAAW;WACV,MAAM;WACN,QAAQ;WACR,aAAa;WACb;UACD,WAAW;WACV,MAAM;WACN,QAAQ;WACR,aACC;WACD;UACD;SACD,UAAU;UAAC;UAAM;UAAa;UAAY;SAC1C,aAAa;SACb;QACD;OACD,UAAU,CAAC,SAAS,OAAO;OAC3B,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,EAAE,SAAS,KAAK,OAAO,YAAY,MAAM,gBAAgB,IAAI;IACnE,MAAM,aACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,WAAW,MACX;IACF,MAAM,CAAC,KAAK,WAAW,YAAY,OAAO,MAAM,IAAI,IAAI,EAAE;AAC1D,QAAI,CAAC,cAAc,WAAW,4BAAY,IAAI,MAAM,EAAE;AACrD,SAAI,WACH,OAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;AAEF,WAAM,SAAS,KACd,eACA,uBAAuB,gBACvB;;IAEF,MAAM,kBAAkB,SAAS,mBAAmB;AACpD,QAAI,SAAS,QAAS,IAAI,iBAAiB;AAC1C,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;AACD,WAAM,SAAS,KACd,eACA,uBAAuB,mCACvB;;IAEF,MAAM,CAAC,aAAa,cAAc,MAAM,2BACvC,KACA,KACA,IAAI,KAAK,KACT;AAKD,QAJoB,kBACnB,IAAI,aAAa,CAAC,OAAO,YAAY,EACrC,IAAI,aAAa,CAAC,OAAO,WAAW,CACpC,EACgB;AAChB,SAAI,CAAC,QAAQ,KAAK,kBAAkB;AACnC,UAAI,CAAC,QAAQ,QACZ,OAAM,SAAS,KACd,eACA,iBAAiB,yBACjB;MAEF,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,QAAQ,KAAK,IACb,EACC,kBAAkB,MAClB,CACD;MACD,MAAM,aAAa,MAAM,IAAI,QAAQ,gBAAgB,cACpD,QAAQ,KAAK,IACb,OACA,QAAQ,QACR;AACD,YAAM,IAAI,QAAQ,gBAAgB,cACjC,QAAQ,QAAQ,MAChB;AACD,YAAM,iBAAiB,KAAK;OAC3B,SAAS;OACT,MAAM;OACN,CAAC;AACF,aAAO,IAAI,KAAK;OACf,OAAO,WAAW;OAClB,MAAM,gBAAgB,IAAI,QAAQ,SAAS,YAAY;OACvD,CAAC;;AAEH,YAAO,MAAM,IAAI;WACX;AACN,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,IACX,EACC,OAAO,GAAG,IAAI,IAAI,SAAS,SAAU,GAAG,IAAI,KAAK,KACjD,CACD;AACD,YAAO,QAAQ,eAAe;;KAGhC;GAqCC;EACD"}
package/dist/plugins/two-factor/schema.d.mts ADDED
@@ -0,0 +1,5 @@
1
+ //#region src/plugins/two-factor/schema.d.ts
2
+ declare const schema: BetterAuthPluginDBSchema;
3
+ //#endregion
4
+ export { schema };
5
+ //# sourceMappingURL=schema.d.mts.map
package/dist/plugins/two-factor/schema.mjs ADDED
@@ -0,0 +1,36 @@
1
+ //#region src/plugins/two-factor/schema.ts
2
+ const schema = {
3
+ user: { fields: { twoFactorEnabled: {
4
+ type: "boolean",
5
+ required: false,
6
+ defaultValue: false,
7
+ input: false
8
+ } } },
9
+ twoFactor: { fields: {
10
+ secret: {
11
+ type: "string",
12
+ required: true,
13
+ returned: false,
14
+ index: true
15
+ },
16
+ backupCodes: {
17
+ type: "string",
18
+ required: true,
19
+ returned: false
20
+ },
21
+ userId: {
22
+ type: "string",
23
+ required: true,
24
+ returned: false,
25
+ references: {
26
+ model: "user",
27
+ field: "id"
28
+ },
29
+ index: true
30
+ }
31
+ } }
32
+ };
33
+
34
+ //#endregion
35
+ export { schema };
36
+ //# sourceMappingURL=schema.mjs.map
package/dist/plugins/two-factor/schema.mjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"schema.mjs","names":[],"sources":["../../../src/plugins/two-factor/schema.ts"],"sourcesContent":["import type { BetterAuthPluginDBSchema } from \"@better-auth/core/db\";\n\nexport const schema = {\n\tuser: {\n\t\tfields: {\n\t\t\ttwoFactorEnabled: {\n\t\t\t\ttype: \"boolean\",\n\t\t\t\trequired: false,\n\t\t\t\tdefaultValue: false,\n\t\t\t\tinput: false,\n\t\t\t},\n\t\t},\n\t},\n\ttwoFactor: {\n\t\tfields: {\n\t\t\tsecret: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: true,\n\t\t\t\treturned: false,\n\t\t\t\tindex: true,\n\t\t\t},\n\t\t\tbackupCodes: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: true,\n\t\t\t\treturned: false,\n\t\t\t},\n\t\t\tuserId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: true,\n\t\t\t\treturned: false,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"user\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t},\n\t\t\t\tindex: true,\n\t\t\t},\n\t\t},\n\t},\n} satisfies BetterAuthPluginDBSchema;\n"],"mappings":";AAEA,MAAa,SAAS;CACrB,MAAM,EACL,QAAQ,EACP,kBAAkB;EACjB,MAAM;EACN,UAAU;EACV,cAAc;EACd,OAAO;EACP,EACD,EACD;CACD,WAAW,EACV,QAAQ;EACP,QAAQ;GACP,MAAM;GACN,UAAU;GACV,UAAU;GACV,OAAO;GACP;EACD,aAAa;GACZ,MAAM;GACN,UAAU;GACV,UAAU;GACV;EACD,QAAQ;GACP,MAAM;GACN,UAAU;GACV,UAAU;GACV,YAAY;IACX,OAAO;IACP,OAAO;IACP;GACD,OAAO;GACP;EACD,EACD;CACD"}