@neondatabase/auth 0.1.0-beta.1

package/dist/supabase-adapter-ggmqWgPe.mjs

@@ -0,0 +1,1623 @@
+import { a as DEFAULT_SESSION_EXPIRY_MS, i as CURRENT_TAB_CLIENT_ID, n as BETTER_AUTH_METHODS_CACHE, r as BETTER_AUTH_METHODS_HOOKS, t as NeonAuthAdapterCore } from "./adapter-core-BDOw-gBC.mjs";
+import { createAuthClient, getGlobalBroadcastChannel } from "better-auth/client";
+import { AuthApiError, AuthError, isAuthError } from "@supabase/auth-js";
+import { base64url, decodeJwt, decodeProtectedHeader } from "jose";
+
+//#region src/adapters/better-auth-vanilla/better-auth-vanilla-adapter.ts
+/**
+* Internal implementation class - use BetterAuthVanillaAdapter factory function instead
+*/
+var BetterAuthVanillaAdapterImpl = class extends NeonAuthAdapterCore {
+	_betterAuth;
+	constructor(betterAuthClientOptions) {
+		super(betterAuthClientOptions);
+		this._betterAuth = createAuthClient(this.betterAuthOptions);
+	}
+	getBetterAuthInstance() {
+		return this._betterAuth;
+	}
+	async getJWTToken() {
+		const session = await this._betterAuth.getSession();
+		if (session.error) throw session.error;
+		return session.data?.session?.token ?? null;
+	}
+};
+/**
+* Factory function that returns an adapter builder.
+* The builder is called by createClient/createAuthClient with the URL.
+*
+* @param options - Optional adapter configuration (baseURL is injected separately)
+* @returns A builder function that creates the adapter instance
+*
+* @example
+* ```typescript
+* const client = createClient({
+*   auth: {
+*     url: 'https://auth.example.com',
+*     adapter: BetterAuthVanillaAdapter(),
+*   },
+*   dataApi: { url: 'https://data-api.example.com' },
+* });
+* ```
+*/
+function BetterAuthVanillaAdapter(options) {
+	return (url) => new BetterAuthVanillaAdapterImpl({
+		baseURL: url,
+		...options
+	});
+}
+
+//#endregion
+//#region src/utils/date.ts
+function toISOString(date) {
+	if (!date) return (/* @__PURE__ */ new Date()).toISOString();
+	if (typeof date === "string") return date;
+	if (typeof date === "number") return new Date(date).toISOString();
+	return date.toISOString();
+}
+
+//#endregion
+//#region src/adapters/supabase/errors/definitions.ts
+/**
+* Error codes for type-safe error handling
+*/
+const AuthErrorCode = {
+	BadJwt: "bad_jwt",
+	InvalidCredentials: "invalid_credentials",
+	SessionExpired: "session_expired",
+	SessionNotFound: "session_not_found",
+	InvalidGrant: "invalid_grant",
+	UserNotFound: "user_not_found",
+	UserAlreadyExists: "user_already_exists",
+	EmailExists: "email_exists",
+	PhoneExists: "phone_exists",
+	EmailNotConfirmed: "email_not_confirmed",
+	PhoneNotConfirmed: "phone_not_confirmed",
+	ValidationFailed: "validation_failed",
+	BadJson: "bad_json",
+	WeakPassword: "weak_password",
+	EmailAddressInvalid: "email_address_invalid",
+	FeatureNotSupported: "feature_not_supported",
+	NotImplemented: "not_implemented",
+	OAuthProviderNotSupported: "oauth_provider_not_supported",
+	PhoneProviderDisabled: "phone_provider_disabled",
+	SsoProviderDisabled: "sso_provider_disabled",
+	AnonymousProviderDisabled: "anonymous_provider_disabled",
+	Web3ProviderDisabled: "web3_provider_disabled",
+	BadOAuthCallback: "bad_oauth_callback",
+	OAuthCallbackFailed: "oauth_callback_failed",
+	OverRequestRateLimit: "over_request_rate_limit",
+	OverEmailSendRateLimit: "over_email_send_rate_limit",
+	OverSmsSendRateLimit: "over_sms_send_rate_limit",
+	UnexpectedFailure: "unexpected_failure",
+	InternalError: "internal_error",
+	IdentityNotFound: "identity_not_found",
+	UnknownError: "unknown_error"
+};
+/**
+* Complete error definitions map
+* Maps error codes to HTTP status codes and default messages
+*/
+const ERROR_DEFINITIONS = {
+	[AuthErrorCode.BadJwt]: {
+		code: AuthErrorCode.BadJwt,
+		status: 401,
+		message: "Invalid or expired session token",
+		description: "The JWT token is malformed, expired, or has an invalid signature"
+	},
+	[AuthErrorCode.InvalidCredentials]: {
+		code: AuthErrorCode.InvalidCredentials,
+		status: 401,
+		message: "Invalid email or password",
+		description: "The provided credentials do not match any user account"
+	},
+	[AuthErrorCode.SessionExpired]: {
+		code: AuthErrorCode.SessionExpired,
+		status: 401,
+		message: "Session has expired",
+		description: "The user session has exceeded its timeout period"
+	},
+	[AuthErrorCode.SessionNotFound]: {
+		code: AuthErrorCode.SessionNotFound,
+		status: 401,
+		message: "No active session found",
+		description: "The user does not have an active session or the session was invalidated"
+	},
+	[AuthErrorCode.InvalidGrant]: {
+		code: AuthErrorCode.InvalidGrant,
+		status: 401,
+		message: "Invalid authorization grant",
+		description: "OAuth/OIDC grant validation failed"
+	},
+	[AuthErrorCode.UserNotFound]: {
+		code: AuthErrorCode.UserNotFound,
+		status: 404,
+		message: "User not found",
+		description: "No user exists with the provided identifier"
+	},
+	[AuthErrorCode.UserAlreadyExists]: {
+		code: AuthErrorCode.UserAlreadyExists,
+		status: 409,
+		message: "User already exists",
+		description: "A user with this email or phone number is already registered"
+	},
+	[AuthErrorCode.EmailExists]: {
+		code: AuthErrorCode.EmailExists,
+		status: 409,
+		message: "Email address already registered",
+		description: "This email address is already associated with an account"
+	},
+	[AuthErrorCode.PhoneExists]: {
+		code: AuthErrorCode.PhoneExists,
+		status: 409,
+		message: "Phone number already registered",
+		description: "This phone number is already associated with an account"
+	},
+	[AuthErrorCode.EmailNotConfirmed]: {
+		code: AuthErrorCode.EmailNotConfirmed,
+		status: 422,
+		message: "Email verification required",
+		description: "The user must verify their email before signing in"
+	},
+	[AuthErrorCode.PhoneNotConfirmed]: {
+		code: AuthErrorCode.PhoneNotConfirmed,
+		status: 422,
+		message: "Phone verification required",
+		description: "The user must verify their phone number before signing in"
+	},
+	[AuthErrorCode.ValidationFailed]: {
+		code: AuthErrorCode.ValidationFailed,
+		status: 400,
+		message: "Invalid request parameters",
+		description: "One or more request parameters are invalid or missing"
+	},
+	[AuthErrorCode.BadJson]: {
+		code: AuthErrorCode.BadJson,
+		status: 400,
+		message: "Invalid JSON in request body",
+		description: "The request body contains malformed JSON"
+	},
+	[AuthErrorCode.WeakPassword]: {
+		code: AuthErrorCode.WeakPassword,
+		status: 400,
+		message: "Password does not meet security requirements",
+		description: "The password is too weak or does not meet complexity requirements"
+	},
+	[AuthErrorCode.EmailAddressInvalid]: {
+		code: AuthErrorCode.EmailAddressInvalid,
+		status: 400,
+		message: "Invalid email address format",
+		description: "The provided email address is not in a valid format"
+	},
+	[AuthErrorCode.FeatureNotSupported]: {
+		code: AuthErrorCode.FeatureNotSupported,
+		status: 403,
+		message: "Feature not available",
+		description: "This feature is not supported in the current configuration"
+	},
+	[AuthErrorCode.NotImplemented]: {
+		code: AuthErrorCode.NotImplemented,
+		status: 501,
+		message: "Feature not implemented",
+		description: "This feature has not been implemented yet"
+	},
+	[AuthErrorCode.OAuthProviderNotSupported]: {
+		code: AuthErrorCode.OAuthProviderNotSupported,
+		status: 403,
+		message: "OAuth provider not supported",
+		description: "The requested OAuth provider is not enabled"
+	},
+	[AuthErrorCode.PhoneProviderDisabled]: {
+		code: AuthErrorCode.PhoneProviderDisabled,
+		status: 403,
+		message: "Phone authentication not available",
+		description: "Phone number authentication is not enabled"
+	},
+	[AuthErrorCode.SsoProviderDisabled]: {
+		code: AuthErrorCode.SsoProviderDisabled,
+		status: 403,
+		message: "SSO not supported",
+		description: "Enterprise SSO authentication is not available"
+	},
+	[AuthErrorCode.AnonymousProviderDisabled]: {
+		code: AuthErrorCode.AnonymousProviderDisabled,
+		status: 403,
+		message: "Anonymous authentication not available",
+		description: "Anonymous sign-in is not enabled"
+	},
+	[AuthErrorCode.Web3ProviderDisabled]: {
+		code: AuthErrorCode.Web3ProviderDisabled,
+		status: 403,
+		message: "Web3 authentication not supported",
+		description: "Web3/blockchain authentication is not available"
+	},
+	[AuthErrorCode.BadOAuthCallback]: {
+		code: AuthErrorCode.BadOAuthCallback,
+		status: 400,
+		message: "Invalid OAuth callback",
+		description: "The OAuth callback request is missing required parameters"
+	},
+	[AuthErrorCode.OAuthCallbackFailed]: {
+		code: AuthErrorCode.OAuthCallbackFailed,
+		status: 500,
+		message: "OAuth authentication failed",
+		description: "The OAuth callback completed but no session was created"
+	},
+	[AuthErrorCode.OverRequestRateLimit]: {
+		code: AuthErrorCode.OverRequestRateLimit,
+		status: 429,
+		message: "Too many requests",
+		description: "Rate limit exceeded. Please try again later"
+	},
+	[AuthErrorCode.OverEmailSendRateLimit]: {
+		code: AuthErrorCode.OverEmailSendRateLimit,
+		status: 429,
+		message: "Too many email requests",
+		description: "Too many emails sent. Please wait before trying again"
+	},
+	[AuthErrorCode.OverSmsSendRateLimit]: {
+		code: AuthErrorCode.OverSmsSendRateLimit,
+		status: 429,
+		message: "Too many SMS requests",
+		description: "Too many SMS messages sent. Please wait before trying again"
+	},
+	[AuthErrorCode.UnexpectedFailure]: {
+		code: AuthErrorCode.UnexpectedFailure,
+		status: 500,
+		message: "An unexpected error occurred",
+		description: "The server encountered an unexpected condition"
+	},
+	[AuthErrorCode.InternalError]: {
+		code: AuthErrorCode.InternalError,
+		status: 500,
+		message: "Internal server error",
+		description: "An internal error occurred while processing the request"
+	},
+	[AuthErrorCode.IdentityNotFound]: {
+		code: AuthErrorCode.IdentityNotFound,
+		status: 404,
+		message: "Identity not found",
+		description: "The requested user identity does not exist"
+	},
+	[AuthErrorCode.UnknownError]: {
+		code: AuthErrorCode.UnknownError,
+		status: 500,
+		message: "An unknown error occurred",
+		description: "The error could not be categorized"
+	}
+};
+/**
+* Helper to get error definition by code
+*/
+function getErrorDefinition(code) {
+	return ERROR_DEFINITIONS[code];
+}
+/**
+* Create an AuthError or AuthApiError with proper status and message
+*
+* @param code - The error code from AuthErrorCode
+* @param customMessage - Optional custom message (defaults to error definition message)
+* @returns AuthError for 5xx errors, AuthApiError for 4xx errors
+*/
+function createAuthError(code, customMessage) {
+	const def = getErrorDefinition(code);
+	const message = customMessage || def.message;
+	const status = def.status;
+	if (status !== 500 && status !== 501 && status !== 503) return new AuthApiError(message, status, def.code);
+	return new AuthError(message, status, def.code);
+}
+
+//#endregion
+//#region src/adapters/supabase/errors/mappings.ts
+/**
+* Maps Better Auth error codes to AuthErrorCode
+* Based on Better Auth SDK error codes
+*
+* @see https://www.better-auth.com/docs/concepts/error-handling
+*/
+const BETTER_AUTH_ERROR_MAP = {
+	"INVALID_EMAIL_OR_PASSWORD": AuthErrorCode.InvalidCredentials,
+	"INVALID_PASSWORD": AuthErrorCode.InvalidCredentials,
+	"INVALID_EMAIL": AuthErrorCode.EmailAddressInvalid,
+	"USER_NOT_FOUND": AuthErrorCode.UserNotFound,
+	"INVALID_TOKEN": AuthErrorCode.BadJwt,
+	"SESSION_EXPIRED": AuthErrorCode.SessionExpired,
+	"FAILED_TO_GET_SESSION": AuthErrorCode.SessionNotFound,
+	"USER_ALREADY_EXISTS": AuthErrorCode.UserAlreadyExists,
+	"EMAIL_NOT_VERIFIED": AuthErrorCode.EmailNotConfirmed,
+	"USER_EMAIL_NOT_FOUND": AuthErrorCode.UserNotFound,
+	"PASSWORD_TOO_SHORT": AuthErrorCode.WeakPassword,
+	"PASSWORD_TOO_LONG": AuthErrorCode.WeakPassword,
+	"USER_ALREADY_HAS_PASSWORD": AuthErrorCode.ValidationFailed,
+	"CREDENTIAL_ACCOUNT_NOT_FOUND": AuthErrorCode.IdentityNotFound,
+	"FAILED_TO_UNLINK_LAST_ACCOUNT": AuthErrorCode.ValidationFailed,
+	"ACCOUNT_NOT_FOUND": AuthErrorCode.IdentityNotFound,
+	"SOCIAL_ACCOUNT_ALREADY_LINKED": AuthErrorCode.ValidationFailed,
+	"PROVIDER_NOT_FOUND": AuthErrorCode.OAuthProviderNotSupported,
+	"ID_TOKEN_NOT_SUPPORTED": AuthErrorCode.FeatureNotSupported,
+	"FAILED_TO_CREATE_USER": AuthErrorCode.InternalError,
+	"FAILED_TO_CREATE_SESSION": AuthErrorCode.InternalError,
+	"FAILED_TO_UPDATE_USER": AuthErrorCode.InternalError,
+	"EMAIL_CAN_NOT_BE_UPDATED": AuthErrorCode.FeatureNotSupported
+};
+/**
+* Maps HTTP status codes from Better Auth to AuthErrorCode
+*/
+const STATUS_CODE_ERROR_MAP = {
+	400: AuthErrorCode.ValidationFailed,
+	401: AuthErrorCode.BadJwt,
+	403: AuthErrorCode.FeatureNotSupported,
+	404: AuthErrorCode.UserNotFound,
+	409: AuthErrorCode.UserAlreadyExists,
+	422: AuthErrorCode.ValidationFailed,
+	429: AuthErrorCode.OverRequestRateLimit,
+	500: AuthErrorCode.UnexpectedFailure,
+	501: AuthErrorCode.NotImplemented,
+	503: AuthErrorCode.FeatureNotSupported
+};
+
+//#endregion
+//#region src/core/better-auth-helpers.ts
+/**
+* Normalize Better Auth errors to standard AuthError format
+*
+* Handles three error formats:
+* 1. BetterFetchError: { status, statusText, message?, code? }
+* 2. BetterAuthErrorResponse: { status, statusText, message?, code? }
+* 3. Standard Error: { message, name, stack }
+*
+* Maps Better Auth errors to appropriate AuthError/AuthApiError with:
+* - Correct HTTP status codes
+* - Standard error codes (snake_case)
+* - User-friendly, security-conscious messages
+*/
+function normalizeBetterAuthError(error) {
+	if (error !== null && error !== void 0 && typeof error === "object" && "status" in error && "statusText" in error) {
+		const betterError = error;
+		const status = betterError.status;
+		if ("code" in betterError && betterError.code && typeof betterError.code === "string") {
+			const mappedCode = BETTER_AUTH_ERROR_MAP[betterError.code];
+			if (mappedCode) {
+				const def$2 = getErrorDefinition(mappedCode);
+				return createNormalizedError(def$2.message, def$2.status, def$2.code, status);
+			}
+		}
+		const def$1 = getErrorDefinition(mapStatusCodeToErrorCode(status, betterError.message || betterError.statusText));
+		return createNormalizedError(betterError.message || def$1.message, status, def$1.code, status);
+	}
+	if (error instanceof Error) {
+		const def$1 = getErrorDefinition(mapMessageToErrorCode(error.message));
+		return createNormalizedError(error.message || def$1.message, def$1.status, def$1.code, def$1.status);
+	}
+	const def = getErrorDefinition(AuthErrorCode.UnknownError);
+	return new AuthError(def.message, def.status, def.code);
+}
+/**
+* Map HTTP status code to AuthErrorCode
+* Uses message content for disambiguation when status code is ambiguous
+*/
+function mapStatusCodeToErrorCode(status, message) {
+	const lowerMessage = message?.toLowerCase() || "";
+	switch (status) {
+		case 401:
+			if (lowerMessage.includes("token") || lowerMessage.includes("jwt")) return AuthErrorCode.BadJwt;
+			if (lowerMessage.includes("session")) return AuthErrorCode.SessionNotFound;
+			if (lowerMessage.includes("expired")) return AuthErrorCode.SessionExpired;
+			return AuthErrorCode.InvalidCredentials;
+		case 404:
+			if (lowerMessage.includes("identity") || lowerMessage.includes("account")) return AuthErrorCode.IdentityNotFound;
+			if (lowerMessage.includes("session")) return AuthErrorCode.SessionNotFound;
+			return AuthErrorCode.UserNotFound;
+		case 409:
+			if (lowerMessage.includes("email")) return AuthErrorCode.EmailExists;
+			if (lowerMessage.includes("phone")) return AuthErrorCode.PhoneExists;
+			return AuthErrorCode.UserAlreadyExists;
+		case 422:
+			if (lowerMessage.includes("email") && lowerMessage.includes("confirm")) return AuthErrorCode.EmailNotConfirmed;
+			if (lowerMessage.includes("phone") && lowerMessage.includes("confirm")) return AuthErrorCode.PhoneNotConfirmed;
+			return AuthErrorCode.ValidationFailed;
+		case 429:
+			if (lowerMessage.includes("email")) return AuthErrorCode.OverEmailSendRateLimit;
+			if (lowerMessage.includes("sms") || lowerMessage.includes("phone")) return AuthErrorCode.OverSmsSendRateLimit;
+			return AuthErrorCode.OverRequestRateLimit;
+		case 400:
+			if (lowerMessage.includes("password") && lowerMessage.includes("weak")) return AuthErrorCode.WeakPassword;
+			if (lowerMessage.includes("email") && lowerMessage.includes("invalid")) return AuthErrorCode.EmailAddressInvalid;
+			if (lowerMessage.includes("json")) return AuthErrorCode.BadJson;
+			if (lowerMessage.includes("oauth") || lowerMessage.includes("callback")) return AuthErrorCode.BadOAuthCallback;
+			return AuthErrorCode.ValidationFailed;
+		case 403:
+			if (lowerMessage.includes("provider") || lowerMessage.includes("oauth")) return AuthErrorCode.OAuthProviderNotSupported;
+			if (lowerMessage.includes("phone")) return AuthErrorCode.PhoneProviderDisabled;
+			if (lowerMessage.includes("sso")) return AuthErrorCode.SsoProviderDisabled;
+			return AuthErrorCode.FeatureNotSupported;
+		case 501: return AuthErrorCode.NotImplemented;
+		case 503: return AuthErrorCode.FeatureNotSupported;
+		default:
+			if (lowerMessage.includes("oauth")) return AuthErrorCode.OAuthCallbackFailed;
+			return AuthErrorCode.UnexpectedFailure;
+	}
+}
+/**
+* Map error message content to AuthErrorCode
+* Used as fallback when status code is not available
+*/
+function mapMessageToErrorCode(message) {
+	const lower = message.toLowerCase();
+	if (lower.includes("invalid login") || lower.includes("incorrect") || lower.includes("wrong password")) return AuthErrorCode.InvalidCredentials;
+	if (lower.includes("token") && (lower.includes("invalid") || lower.includes("expired"))) return AuthErrorCode.BadJwt;
+	if (lower.includes("session") && lower.includes("expired")) return AuthErrorCode.SessionExpired;
+	if (lower.includes("session") && lower.includes("not found")) return AuthErrorCode.SessionNotFound;
+	if (lower.includes("already exists") || lower.includes("already registered")) return AuthErrorCode.UserAlreadyExists;
+	if (lower.includes("not found") && lower.includes("user")) return AuthErrorCode.UserNotFound;
+	if (lower.includes("not found") && lower.includes("identity")) return AuthErrorCode.IdentityNotFound;
+	if (lower.includes("email") && lower.includes("not confirmed")) return AuthErrorCode.EmailNotConfirmed;
+	if (lower.includes("phone") && lower.includes("not confirmed")) return AuthErrorCode.PhoneNotConfirmed;
+	if (lower.includes("weak password") || lower.includes("password") && lower.includes("requirements")) return AuthErrorCode.WeakPassword;
+	if (lower.includes("email") && lower.includes("invalid")) return AuthErrorCode.EmailAddressInvalid;
+	if (lower.includes("rate limit") || lower.includes("too many requests")) return AuthErrorCode.OverRequestRateLimit;
+	if (lower.includes("oauth") && lower.includes("failed")) return AuthErrorCode.OAuthCallbackFailed;
+	if (lower.includes("provider") && lower.includes("not supported")) return AuthErrorCode.OAuthProviderNotSupported;
+	return AuthErrorCode.UnexpectedFailure;
+}
+/**
+* Create normalized error with correct type (AuthError vs AuthApiError)
+* Uses AuthApiError for non-500 status codes (API/client errors)
+* Uses AuthError for 500 status codes (server errors)
+*/
+function createNormalizedError(message, targetStatus, code, _originalStatus) {
+	const status = targetStatus;
+	if (status !== 500 && status !== 501 && status !== 503) return new AuthApiError(message, status, code);
+	return new AuthError(message, status, code);
+}
+/**
+* Map Better Auth session to Session format
+*/
+function mapBetterAuthSession(betterAuthSession, betterAuthUser) {
+	if (!betterAuthSession || !betterAuthUser) return null;
+	let expiresAt;
+	if (typeof betterAuthSession.expiresAt === "string") expiresAt = Math.floor(new Date(betterAuthSession.expiresAt).getTime() / 1e3);
+	else if (typeof betterAuthSession.expiresAt === "object" && betterAuthSession.expiresAt instanceof Date) expiresAt = Math.floor(betterAuthSession.expiresAt.getTime() / 1e3);
+	else expiresAt = Math.floor(Date.now() / 1e3) + Math.floor(DEFAULT_SESSION_EXPIRY_MS / 1e3);
+	const now = Math.floor(Date.now() / 1e3);
+	const expiresIn = Math.max(0, expiresAt - now);
+	return {
+		access_token: betterAuthSession.token,
+		refresh_token: "",
+		expires_at: expiresAt,
+		expires_in: expiresIn,
+		token_type: "bearer",
+		user: mapBetterAuthUser(betterAuthUser)
+	};
+}
+/**
+* Map Better Auth user to User format
+*/
+function mapBetterAuthUser(betterAuthUser) {
+	const createdAt = toISOString(betterAuthUser.createdAt);
+	const updatedAt = toISOString(betterAuthUser.updatedAt);
+	const userMetadata = {};
+	if (betterAuthUser.name) userMetadata.displayName = betterAuthUser.name;
+	if (betterAuthUser.image) userMetadata.profileImageUrl = betterAuthUser.image;
+	const userRecord = betterAuthUser;
+	for (const key of Object.keys(userRecord)) if (![
+		"id",
+		"email",
+		"emailVerified",
+		"name",
+		"image",
+		"createdAt",
+		"updatedAt"
+	].includes(key)) userMetadata[key] = userRecord[key];
+	return {
+		id: betterAuthUser.id,
+		email: betterAuthUser.email || "",
+		email_confirmed_at: betterAuthUser.emailVerified ? createdAt : void 0,
+		phone: void 0,
+		confirmed_at: betterAuthUser.emailVerified ? createdAt : void 0,
+		last_sign_in_at: updatedAt,
+		app_metadata: {},
+		user_metadata: userMetadata,
+		identities: [],
+		created_at: createdAt,
+		updated_at: updatedAt,
+		aud: "authenticated",
+		role: "authenticated"
+	};
+}
+function mapBetterAuthIdentity(betterAuthUserIdentityAccount, accountInfoData) {
+	return {
+		id: betterAuthUserIdentityAccount.id,
+		user_id: betterAuthUserIdentityAccount.id,
+		identity_id: betterAuthUserIdentityAccount.accountId,
+		provider: betterAuthUserIdentityAccount.providerId,
+		created_at: toISOString(betterAuthUserIdentityAccount.createdAt),
+		updated_at: toISOString(betterAuthUserIdentityAccount.updatedAt),
+		last_sign_in_at: toISOString(betterAuthUserIdentityAccount.updatedAt),
+		identity_data: accountInfoData ? {
+			provider: betterAuthUserIdentityAccount.providerId,
+			provider_id: betterAuthUserIdentityAccount.accountId,
+			scopes: betterAuthUserIdentityAccount.scopes,
+			email: accountInfoData.data.email,
+			name: accountInfoData.data.user.name,
+			picture: accountInfoData.data.user.picture,
+			email_verified: accountInfoData.data.user.email_verified,
+			...accountInfoData.data
+		} : {
+			provider: betterAuthUserIdentityAccount.providerId,
+			provider_id: betterAuthUserIdentityAccount.accountId,
+			scopes: betterAuthUserIdentityAccount.scopes
+		}
+	};
+}
+
+//#endregion
+//#region src/adapters/supabase/supabase-adapter.ts
+/**
+* Duck-type check for Better Auth API errors.
+* Replaces `instanceof APIError` to avoid importing server-side code.
+*/
+function isBetterAuthAPIError(error) {
+	return error !== null && typeof error === "object" && "status" in error && typeof error.status === "number";
+}
+/**
+* Internal implementation class - use SupabaseAuthAdapter factory function instead
+*/
+var SupabaseAuthAdapterImpl = class extends NeonAuthAdapterCore {
+	admin = void 0;
+	mfa = void 0;
+	oauth = void 0;
+	_betterAuth;
+	_stateChangeEmitters = /* @__PURE__ */ new Map();
+	constructor(betterAuthClientOptions) {
+		super(betterAuthClientOptions);
+		this._betterAuth = createAuthClient(this.betterAuthOptions);
+		/**
+		* useSession() - Automatic Session Management
+		*
+		* Enabled by Default:
+		* - ✅ Refetch on Window Focus: Automatically refetches session when user returns to the tab
+		* - ✅ Cross-Tab Sync: Syncs session state across all browser tabs (sign out in one = sign out in all)
+		* - ✅ Online/Offline Detection: Refetches session when network connection is restored
+		* - ❌ Interval Polling: Disabled (refetchInterval: 0)
+		*
+		* Returns:
+		* - data: Session object (user + session)
+		* - isPending: Loading state
+		* - isRefetching: Refetch in progress
+		* - error: Error object if any
+		* - refetch(): Manual refetch function
+		*
+		* Customize with:
+		* createAuthClient({
+		*   sessionOptions: {
+		*     refetchOnWindowFocus: true,  // default
+		*     refetchInterval: 0,           // default (seconds, 0 = off)
+		*     refetchWhenOffline: false     // default
+		*   }
+		* })
+		*/
+		this._betterAuth.useSession.subscribe((value) => {
+			if (!value.data?.session || !value.data?.user) {
+				BETTER_AUTH_METHODS_CACHE.clearSessionCache();
+				return;
+			}
+		});
+		getGlobalBroadcastChannel().subscribe((message) => {
+			if (message.clientId === CURRENT_TAB_CLIENT_ID) return;
+			if (message.data && "sessionData" in message.data) {
+				const sessionData = message.data.sessionData;
+				const trigger = message.data.trigger;
+				if (sessionData) BETTER_AUTH_METHODS_CACHE.setCachedSession(sessionData);
+				else BETTER_AUTH_METHODS_CACHE.clearSessionCache();
+				const supabaseSession = sessionData ? mapBetterAuthSession(sessionData.session, sessionData.user) : null;
+				const promises = [...this._stateChangeEmitters.values()].map((subscription) => {
+					try {
+						return Promise.resolve(subscription.callback(trigger, supabaseSession));
+					} catch {
+						return Promise.resolve();
+					}
+				});
+				Promise.allSettled(promises);
+			}
+		});
+	}
+	getBetterAuthInstance() {
+		return this._betterAuth;
+	}
+	async getJWTToken() {
+		const session = await this.getSession();
+		if (session.error) return null;
+		return session.data.session?.access_token ?? null;
+	}
+	initialize = async () => {
+		try {
+			const session = await this.getSession();
+			if (session.error) throw session.error;
+			return {
+				data: session.data,
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: { session: null },
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: { session: null },
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	async getSession(options) {
+		try {
+			const currentSession = await this._betterAuth.getSession(options?.forceFetch ? { fetchOptions: { headers: { "X-Force-Fetch": "true" } } } : void 0);
+			if (!currentSession.data?.session) return {
+				data: { session: null },
+				error: null
+			};
+			return {
+				data: { session: mapBetterAuthSession(currentSession.data.session, currentSession.data.user) },
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: { session: null },
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: { session: null },
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	}
+	refreshSession = async () => {
+		try {
+			const sessionResult = await this.getSession();
+			if (sessionResult.error) throw sessionResult.error;
+			return {
+				data: {
+					user: sessionResult.data.session?.user ?? null,
+					session: sessionResult.data.session
+				},
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	setSession = async () => {
+		return {
+			data: {
+				user: null,
+				session: null
+			},
+			error: createAuthError(AuthErrorCode.NotImplemented, "setSession() is not supported by Better Auth. Use signInWithPassword() instead.")
+		};
+	};
+	signUp = async (credentials) => {
+		try {
+			if ("email" in credentials && credentials.email && credentials.password) {
+				const displayName = credentials.options?.data && "displayName" in credentials.options.data && typeof credentials.options.data.displayName === "string" ? credentials.options.data.displayName : "";
+				const result = await this._betterAuth.signUp.email({
+					email: credentials.email,
+					password: credentials.password,
+					name: displayName,
+					callbackURL: credentials.options?.emailRedirectTo,
+					...credentials.options?.data
+				});
+				if (result.error) throw normalizeBetterAuthError(result.error);
+				const sessionResult = await this.getSession();
+				if (!sessionResult.data.session?.user) throw createAuthError(AuthErrorCode.SessionNotFound, "Failed to retrieve user session");
+				return {
+					data: {
+						user: sessionResult.data.session.user,
+						session: sessionResult.data.session
+					},
+					error: null
+				};
+			} else if ("phone" in credentials && credentials.phone) throw createAuthError(AuthErrorCode.PhoneProviderDisabled, "Phone sign-up not supported");
+			else throw createAuthError(AuthErrorCode.ValidationFailed, "Invalid credentials format");
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	signInAnonymously = async (credentials) => {
+		try {
+			const result = await this._betterAuth.signIn.anonymous({ query: credentials?.options?.data });
+			if (result.error) throw normalizeBetterAuthError(result.error);
+			const sessionResult = await this.getSession();
+			if (!sessionResult.data.session?.user) throw createAuthError(AuthErrorCode.SessionNotFound, "Failed to retrieve user session");
+			return {
+				data: {
+					user: sessionResult.data.session.user,
+					session: sessionResult.data.session
+				},
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	signInWithPassword = async (credentials) => {
+		try {
+			if ("email" in credentials && credentials.email) {
+				const result = await this._betterAuth.signIn.email({
+					email: credentials.email,
+					password: credentials.password
+				});
+				if (result.error) throw normalizeBetterAuthError(result.error);
+				const sessionResult = await this.getSession();
+				if (!sessionResult.data.session?.user) throw createAuthError(AuthErrorCode.SessionNotFound, "Failed to retrieve user session");
+				return {
+					data: {
+						user: sessionResult.data.session.user,
+						session: sessionResult.data.session
+					},
+					error: null
+				};
+			} else if ("phone" in credentials && credentials.phone) throw createAuthError(AuthErrorCode.PhoneProviderDisabled, "Phone sign-in not supported");
+			else throw createAuthError(AuthErrorCode.ValidationFailed, "Invalid credentials format");
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	signInWithOAuth = async (credentials) => {
+		try {
+			const { provider, options } = credentials;
+			await this._betterAuth.signIn.social({
+				provider,
+				scopes: options?.scopes?.split(" "),
+				disableRedirect: options?.skipBrowserRedirect,
+				callbackURL: options?.redirectTo || (globalThis.window === void 0 ? "" : globalThis.location.origin)
+			});
+			return {
+				data: {
+					provider,
+					url: options?.redirectTo || (globalThis.window === void 0 ? "" : globalThis.location.origin)
+				},
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					provider: credentials.provider,
+					url: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					provider: credentials.provider,
+					url: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	signInWithOtp = async (credentials) => {
+		try {
+			if ("email" in credentials) {
+				await this._betterAuth.emailOtp.sendVerificationOtp({
+					email: credentials.email,
+					type: "sign-in"
+				});
+				return {
+					data: {
+						user: null,
+						session: null,
+						messageId: void 0
+					},
+					error: null
+				};
+			}
+			throw createAuthError(AuthErrorCode.NotImplemented, `We haven't implemented this type of otp authentication.`);
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					user: null,
+					session: null,
+					messageId: void 0
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					user: null,
+					session: null,
+					messageId: void 0
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	signInWithIdToken = async (credentials) => {
+		try {
+			const result = await this._betterAuth.signIn.social({
+				provider: credentials.provider,
+				idToken: {
+					token: credentials.token,
+					accessToken: credentials.access_token,
+					nonce: credentials.nonce
+				}
+			});
+			if (result.error) throw normalizeBetterAuthError(result.error);
+			if (!("user" in result.data) || !result.data.user) throw createAuthError(AuthErrorCode.OAuthCallbackFailed, "Failed to sign in with ID token");
+			const session = await this.getSession();
+			if (session.error || !session.data.session) throw session.error || createAuthError(AuthErrorCode.SessionNotFound, "Failed to get session");
+			return {
+				data: {
+					user: session.data.session.user,
+					session: session.data.session
+				},
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	signInWithSSO = async (params) => {
+		const attemptedWith = "providerId" in params ? `provider ID: ${params.providerId}` : `domain: ${"domain" in params ? params.domain : "unknown"}`;
+		return {
+			data: null,
+			error: createAuthError(AuthErrorCode.SsoProviderDisabled, `Better Auth does not support enterprise SAML SSO. Attempted with ${attemptedWith}. Use signInWithOAuth() for OAuth providers instead.`)
+		};
+	};
+	signInWithWeb3 = async (credentials) => {
+		const attemptedChain = credentials.chain;
+		return {
+			data: {
+				user: null,
+				session: null
+			},
+			error: createAuthError(AuthErrorCode.Web3ProviderDisabled, `Better Auth does not support Web3 authentication. Attempted with chain: ${attemptedChain}. Supported: OAuth, email/password, magic link.`)
+		};
+	};
+	signOut = async () => {
+		try {
+			const result = await this._betterAuth.signOut();
+			if (result.error) throw normalizeBetterAuthError(result.error);
+			return { error: null };
+		} catch (error) {
+			if (isAuthError(error)) return { error };
+			if (isBetterAuthAPIError(error)) return { error: normalizeBetterAuthError(error) };
+			throw error;
+		}
+	};
+	getUser = async () => {
+		try {
+			const sessionResult = await this.getSession();
+			if (sessionResult.error || !sessionResult.data.session) throw sessionResult.error || createAuthError(AuthErrorCode.SessionNotFound, "No user session found");
+			return {
+				data: { user: sessionResult.data.session.user },
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: { user: null },
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: { user: null },
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	getClaims = async (jwtArg) => {
+		try {
+			let jwt = jwtArg;
+			if (!jwt) {
+				const sessionResult = await this.getSession();
+				if (sessionResult.error || !sessionResult.data?.session) throw sessionResult.error || createAuthError(AuthErrorCode.SessionNotFound, "No user session found");
+				jwt = sessionResult.data.session.access_token;
+			}
+			if (!jwt) throw createAuthError(AuthErrorCode.SessionNotFound, "No access token found");
+			if (jwt.split(".").length !== 3) throw createAuthError(AuthErrorCode.BadJwt, "Invalid token format");
+			return {
+				data: {
+					header: decodeProtectedHeader(jwt),
+					claims: decodeJwt(jwt),
+					signature: base64url.decode(jwt.split(".")[2])
+				},
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: null,
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: null,
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	updateUser = async (attributes) => {
+		try {
+			if (attributes.password) throw createAuthError(AuthErrorCode.FeatureNotSupported, "The password cannot be updated through the updateUser method, use the changePassword method instead.");
+			if (attributes.email) throw createAuthError(AuthErrorCode.FeatureNotSupported, "The email cannot be updated through the updateUser method, use the changeEmail method instead.");
+			const result = await this._betterAuth.updateUser({ ...attributes.data });
+			if (result.data?.status) throw createAuthError(AuthErrorCode.InternalError, "Failed to update user");
+			if (result?.error) throw normalizeBetterAuthError(result.error);
+			const updatedSessionResult = await this.getSession({ forceFetch: true });
+			if (!updatedSessionResult.data.session) throw createAuthError(AuthErrorCode.SessionNotFound, "Failed to retrieve updated user");
+			return {
+				data: { user: updatedSessionResult.data.session.user },
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: { user: null },
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: { user: null },
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	getUserIdentities = async () => {
+		try {
+			const sessionResult = await this.getSession();
+			if (sessionResult.error || !sessionResult.data.session) throw sessionResult.error || createAuthError(AuthErrorCode.SessionNotFound, "No user session found");
+			const result = await this._betterAuth.listAccounts();
+			if (!result) throw createAuthError(AuthErrorCode.InternalError, "Failed to list accounts");
+			if (result.error) throw normalizeBetterAuthError(result.error);
+			const identitiesPromises = result.data.map(async (account) => {
+				let accountInfo = null;
+				try {
+					accountInfo = (await this._betterAuth.accountInfo({ query: { accountId: account.accountId } })).data;
+				} catch (error) {
+					console.warn(`Failed to get account info for ${account.providerId}:`, error);
+				}
+				return mapBetterAuthIdentity(account, accountInfo ?? null);
+			});
+			return {
+				data: { identities: await Promise.all(identitiesPromises) },
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: null,
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: null,
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	linkIdentity = async (credentials) => {
+		const provider = credentials.provider;
+		try {
+			const sessionResult = await this.getSession();
+			if (sessionResult.error || !sessionResult.data.session) throw sessionResult.error || createAuthError(AuthErrorCode.SessionNotFound, "No user session found");
+			if ("token" in credentials) {
+				const result$1 = await this._betterAuth.linkSocial({
+					provider,
+					idToken: {
+						token: credentials.token,
+						accessToken: credentials.access_token,
+						nonce: credentials.nonce
+					}
+				});
+				if (result$1.error) throw normalizeBetterAuthError(result$1.error);
+				return {
+					data: {
+						user: sessionResult.data.session.user,
+						session: sessionResult.data.session,
+						provider,
+						url: result$1.data?.url
+					},
+					error: null
+				};
+			}
+			const callbackURL = credentials.options?.redirectTo || (globalThis.window === void 0 ? "" : globalThis.location.origin);
+			const scopes = credentials.options?.scopes?.split(" ").filter((s) => s.length > 0);
+			const result = await this._betterAuth.linkSocial({
+				provider,
+				callbackURL,
+				errorCallbackURL: callbackURL ? `${callbackURL}?error=linking-failed` : void 0,
+				scopes
+			});
+			if (result.error) throw normalizeBetterAuthError(result.error);
+			return {
+				data: {
+					provider,
+					url: result.data?.url,
+					user: sessionResult.data.session.user,
+					session: sessionResult.data.session
+				},
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					provider,
+					url: null,
+					user: null,
+					session: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					provider,
+					url: null,
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	unlinkIdentity = async (identity) => {
+		try {
+			const sessionResult = await this.getSession();
+			if (sessionResult.error || !sessionResult.data.session) throw sessionResult.error || createAuthError(AuthErrorCode.SessionNotFound, "No user session found");
+			const identities = await this.getUserIdentities();
+			if (identities.error || !identities.data) throw identities.error || createAuthError(AuthErrorCode.InternalError, "Failed to fetch identities");
+			const targetIdentity = identities.data.identities.find((i) => i.id === identity.identity_id);
+			if (!targetIdentity) throw createAuthError(AuthErrorCode.IdentityNotFound, "Identity not found");
+			const providerId = targetIdentity.provider;
+			const accountId = targetIdentity.identity_id;
+			const result = await this._betterAuth.unlinkAccount({
+				providerId,
+				accountId
+			});
+			if (result?.error) throw normalizeBetterAuthError(result.error);
+			const updatedSession = await this.getSession({ forceFetch: true });
+			if (updatedSession.data.session) BETTER_AUTH_METHODS_HOOKS["updateUser"].onSuccess(updatedSession.data.session);
+			return {
+				data: {},
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: null,
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: null,
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	verifyOtp = async (params) => {
+		try {
+			if ("email" in params && params.email) return await this.verifyEmailOtp(params);
+			if ("phone" in params && params.phone) return await this.verifyPhoneOtp(params);
+			if ("token_hash" in params && params.token_hash) throw createAuthError(AuthErrorCode.FeatureNotSupported, "Token hash verification not supported");
+			throw createAuthError(AuthErrorCode.ValidationFailed, "Invalid OTP verification parameters");
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	resetPasswordForEmail = async (email, options) => {
+		try {
+			const result = await this._betterAuth.requestPasswordReset({
+				email,
+				redirectTo: options?.redirectTo || (globalThis.window === void 0 ? "" : globalThis.location.origin)
+			});
+			if (result?.error) throw normalizeBetterAuthError(result.error);
+			return {
+				data: {},
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: null,
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: null,
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	reauthenticate = async () => {
+		try {
+			const newSession = await this.getSession();
+			if (newSession.error || !newSession.data.session) throw newSession.error || createAuthError(AuthErrorCode.SessionNotFound, "No session found");
+			return {
+				data: {
+					user: newSession.data.session?.user || null,
+					session: newSession.data.session
+				},
+				error: null
+			};
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	resend = async (credentials) => {
+		try {
+			if ("email" in credentials) {
+				const { email, type, options } = credentials;
+				if (type === "signup" || type === "email_change") {
+					const result = await this._betterAuth.sendVerificationEmail({
+						email,
+						callbackURL: options?.emailRedirectTo || (globalThis.window === void 0 ? "" : globalThis.location.origin)
+					});
+					if (result?.error) throw normalizeBetterAuthError(result.error);
+					return {
+						data: {
+							user: null,
+							session: null
+						},
+						error: null
+					};
+				}
+				throw createAuthError(AuthErrorCode.ValidationFailed, `Unsupported resend type: ${type}`);
+			}
+			if ("phone" in credentials) {
+				const { phone, type } = credentials;
+				if (type === "sms" || type === "phone_change") {
+					const result = await this._betterAuth.phoneNumber.sendOtp({ phoneNumber: phone });
+					if (result?.error) throw normalizeBetterAuthError(result.error);
+					return {
+						data: {
+							messageId: type === "sms" ? "sms-otp-sent" : "phone-change-otp-sent",
+							user: null,
+							session: null
+						},
+						error: null
+					};
+				}
+			}
+			throw createAuthError(AuthErrorCode.ValidationFailed, "Invalid credentials format");
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	exchangeCodeForSession = async (_authCode) => {
+		try {
+			const sessionResult = await this.getSession();
+			if (sessionResult.data.session) return {
+				data: {
+					session: sessionResult.data.session,
+					user: sessionResult.data.session.user
+				},
+				error: null
+			};
+			throw createAuthError(AuthErrorCode.OAuthCallbackFailed, "OAuth callback completed but no session was created. Make sure the OAuth callback has been processed.");
+		} catch (error) {
+			if (isAuthError(error)) return {
+				data: {
+					session: null,
+					user: null
+				},
+				error
+			};
+			if (isBetterAuthAPIError(error)) return {
+				data: {
+					session: null,
+					user: null
+				},
+				error: normalizeBetterAuthError(error)
+			};
+			throw error;
+		}
+	};
+	onAuthStateChange = (callback) => {
+		const id = crypto.randomUUID();
+		const subscription = {
+			id,
+			callback,
+			unsubscribe: () => {
+				this._stateChangeEmitters.delete(id);
+			}
+		};
+		this._stateChangeEmitters.set(id, subscription);
+		this.emitInitialSession(callback);
+		return { data: { subscription: {
+			id,
+			callback,
+			unsubscribe: subscription.unsubscribe
+		} } };
+	};
+	isThrowOnErrorEnabled = () => false;
+	startAutoRefresh = async () => {};
+	stopAutoRefresh = async () => {};
+	async verifyEmailOtp(params) {
+		const { type } = params;
+		if (type === "email") {
+			const result = await this._betterAuth.signIn.emailOtp({
+				email: params.email,
+				otp: params.token
+			});
+			if (result.error) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(result.error)
+			};
+			const sessionResult = await this.getSession({ forceFetch: true });
+			if (!sessionResult.data.session) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: createAuthError(AuthErrorCode.SessionNotFound, "Failed to retrieve session after OTP verification. Make sure the magic link callback has been processed.")
+			};
+			return {
+				data: {
+					user: sessionResult.data.session.user,
+					session: sessionResult.data.session
+				},
+				error: null
+			};
+		}
+		if (type === "magiclink") {
+			const result = await this._betterAuth.magicLink.verify({ query: {
+				token: params.token,
+				callbackURL: params.options?.redirectTo || (globalThis.window === void 0 ? "" : globalThis.location.origin)
+			} });
+			if (result?.error) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(result.error)
+			};
+			const sessionResult = await this.getSession({ forceFetch: true });
+			if (!sessionResult.data?.session) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: createAuthError(AuthErrorCode.SessionNotFound, "Failed to retrieve session after magic link verification")
+			};
+			return {
+				data: {
+					user: sessionResult.data.session?.user || null,
+					session: sessionResult.data.session
+				},
+				error: null
+			};
+		}
+		if (type === "signup" || type === "invite") {
+			const result = await this._betterAuth.emailOtp.verifyEmail({
+				email: params.email,
+				otp: params.token
+			});
+			if (result?.error) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(result.error)
+			};
+			const sessionResult = await this.getSession({ forceFetch: true });
+			return {
+				data: {
+					user: sessionResult.data.session?.user ?? null,
+					session: sessionResult.data.session
+				},
+				error: null
+			};
+		}
+		if (type === "recovery") {
+			const checkResult = await this._betterAuth.emailOtp.checkVerificationOtp({
+				email: params.email,
+				otp: params.token,
+				type: "forget-password"
+			});
+			if (checkResult.error || !checkResult.data?.success) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(checkResult.error)
+			};
+			return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: null
+			};
+		}
+		if (type === "email_change") {
+			const result = await this._betterAuth.verifyEmail({ query: {
+				token: params.token,
+				callbackURL: params.options?.redirectTo
+			} });
+			if (result?.error) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(result.error)
+			};
+			const sessionResult = await this.getSession({ forceFetch: true });
+			if (sessionResult.error || !sessionResult.data) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: sessionResult.error || createAuthError(AuthErrorCode.InternalError, "Failed to get session")
+			};
+			if (sessionResult.data.session) BETTER_AUTH_METHODS_HOOKS["updateUser"].onSuccess(sessionResult.data.session);
+			return {
+				data: {
+					user: sessionResult.data?.session?.user || null,
+					session: sessionResult.data?.session || null
+				},
+				error: null
+			};
+		}
+		if (type === "invite") {
+			const result = await this._betterAuth.organization.acceptInvitation({ invitationId: params.token });
+			if (result.error) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(result.error)
+			};
+			const sessionResult = await this.getSession({ forceFetch: true });
+			if (sessionResult.error || !sessionResult.data) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: sessionResult.error || createAuthError(AuthErrorCode.InternalError, "Failed to get session")
+			};
+			return {
+				data: {
+					user: sessionResult.data?.session?.user || null,
+					session: sessionResult.data?.session
+				},
+				error: null
+			};
+		}
+		return {
+			data: {
+				user: null,
+				session: null
+			},
+			error: createAuthError(AuthErrorCode.ValidationFailed, `Unsupported email OTP type: ${type}`)
+		};
+	}
+	async verifyPhoneOtp(params) {
+		if (params.type === "sms") {
+			const result = await this._betterAuth.phoneNumber.verify({
+				phoneNumber: params.phone,
+				code: params.token,
+				disableSession: false,
+				updatePhoneNumber: false
+			});
+			if (result.error) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(result.error)
+			};
+			const sessionResult = await this.getSession({ forceFetch: true });
+			if (sessionResult.error || !sessionResult.data) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: sessionResult.error || createAuthError(AuthErrorCode.InternalError, "Failed to get session")
+			};
+			return {
+				data: {
+					user: sessionResult.data?.session?.user || null,
+					session: sessionResult.data?.session || null
+				},
+				error: null
+			};
+		}
+		if (params.type === "phone_change") {
+			const currentSession = await this._betterAuth.getSession();
+			if (currentSession.error || !currentSession.data?.session) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: createAuthError(AuthErrorCode.SessionNotFound, "You must be signed in to change your phone number")
+			};
+			const result = await this._betterAuth.phoneNumber.verify({
+				phoneNumber: params.phone,
+				code: params.token,
+				disableSession: false,
+				updatePhoneNumber: true
+			});
+			if (result.error) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: normalizeBetterAuthError(result.error)
+			};
+			const sessionResult = await this.getSession({ forceFetch: true });
+			if (sessionResult.error || !sessionResult.data) return {
+				data: {
+					user: null,
+					session: null
+				},
+				error: sessionResult.error || createAuthError(AuthErrorCode.InternalError, "Failed to get updated session")
+			};
+			return {
+				data: {
+					user: sessionResult.data.session?.user || null,
+					session: sessionResult.data.session
+				},
+				error: null
+			};
+		}
+		return {
+			data: {
+				user: null,
+				session: null
+			},
+			error: createAuthError(AuthErrorCode.ValidationFailed, `Unsupported phone OTP type: ${params.type}`)
+		};
+	}
+	async emitInitialSession(callback) {
+		try {
+			const { data, error } = await this.getSession();
+			if (error) {
+				await callback("INITIAL_SESSION", null);
+				return;
+			}
+			await callback("INITIAL_SESSION", data.session);
+		} catch {
+			await callback("INITIAL_SESSION", null);
+		}
+	}
+};
+/**
+* Factory function that returns an adapter builder.
+* The builder is called by createClient/createAuthClient with the URL.
+*
+* @param options - Optional adapter configuration (baseURL is injected separately)
+* @returns A builder function that creates the adapter instance
+*
+* @example
+* ```typescript
+* const client = createClient({
+*   auth: {
+*     url: 'https://auth.example.com',
+*     adapter: SupabaseAuthAdapter(),
+*   },
+*   dataApi: { url: 'https://data-api.example.com' },
+* });
+* ```
+*/
+function SupabaseAuthAdapter(options) {
+	return (url) => new SupabaseAuthAdapterImpl({
+		baseURL: url,
+		...options
+	});
+}
+
+//#endregion
+export { BetterAuthVanillaAdapter as n, SupabaseAuthAdapter as t };