@neondatabase/auth 0.3.0-beta → 0.4.0-beta

package/dist/{adapter-core-D00qcqMo.mjs → adapter-core-Bt4M5I2g.mjs}

@@ -1,6 +1,6 @@
-import { a as NEON_AUTH_POPUP_PARAM_NAME, c as SESSION_CACHE_TTL_MS, i as NEON_AUTH_POPUP_CALLBACK_ROUTE, o as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME, r as NEON_AUTH_POPUP_CALLBACK_PARAM_NAME, s as OAUTH_POPUP_MESSAGE_TYPE, t as CLOCK_SKEW_BUFFER_MS } from "./constants-Cupc_bln.mjs";
+import { d as NEON_AUTH_POPUP_CALLBACK_PARAM_NAME, f as NEON_AUTH_POPUP_CALLBACK_ROUTE, g as SESSION_CACHE_TTL_MS, h as OAUTH_POPUP_MESSAGE_TYPE, m as NEON_AUTH_SESSION_VERIFIER_PARAM_NAME, p as NEON_AUTH_POPUP_PARAM_NAME, r as normalizeBetterAuthError, u as CLOCK_SKEW_BUFFER_MS } from "./better-auth-helpers-Bkezghej.mjs";
 import { getGlobalBroadcastChannel } from "better-auth/client";
-import { adminClient, emailOTPClient, jwtClient, organizationClient } from "better-auth/client/plugins";
+import { adminClient, emailOTPClient, jwtClient, magicLinkClient, organizationClient } from "better-auth/client/plugins";
 import z from "zod";
 
 //#region src/core/in-flight-request-manager.ts
@@ -490,6 +490,9 @@ const BETTER_AUTH_METHODS_HOOKS = {
 	},
 	getSession: {
 		beforeFetch: () => {
+			if (isBrowser()) {
+				if (new URLSearchParams(globalThis.window.location.search).has(NEON_AUTH_SESSION_VERIFIER_PARAM_NAME)) return null;
+			}
 			const cachedData = BETTER_AUTH_METHODS_CACHE.getCachedSession();
 			if (!cachedData) return null;
 			return Response.json(cachedData, { status: 200 });
@@ -629,7 +632,7 @@ function initBroadcastChannel() {
 //#endregion
 //#region package.json
 var name = "@neondatabase/auth";
-var version = "0.3.0-beta";
+var version = "0.4.0-beta";
 
 //#endregion
 //#region ../internal/dist/index.mjs
@@ -724,6 +727,7 @@ const supportedBetterAuthClientPlugins = [
 	adminClient(),
 	organizationClient(),
 	emailOTPClient(),
+	magicLinkClient(),
 	anonymousTokenClient()
 ];
 var NeonAuthAdapterCore = class {
@@ -757,10 +761,13 @@ var NeonAuthAdapterCore = class {
 						});
 						if (!response$1.ok) {
 							const body = await response$1.clone().json().catch(() => ({}));
-							const err = new Error(body.message || `HTTP ${response$1.status} ${response$1.statusText}`);
-							err.status = response$1.status;
-							err.statusText = response$1.statusText;
-							throw err;
+							throw normalizeBetterAuthError({
+								status: response$1.status,
+								statusText: response$1.statusText,
+								message: body.message || `HTTP ${response$1.status} ${response$1.statusText}`,
+								code: body.code,
+								body
+							});
 						}
 						return response$1;
 					}
@@ -776,10 +783,13 @@ var NeonAuthAdapterCore = class {
 					}));
 					if (!response.ok) {
 						const errorBody = await response.clone().json().catch(() => ({}));
-						const err = new Error(errorBody.message || `HTTP ${response.status} ${response.statusText}`);
-						err.status = response.status;
-						err.statusText = response.statusText;
-						throw err;
+						throw normalizeBetterAuthError({
+							status: response.status,
+							statusText: response.statusText,
+							message: errorBody.message || `HTTP ${response.status} ${response.statusText}`,
+							code: errorBody.code,
+							body: errorBody
+						});
 					}
 					return response.clone();
 				},

package/dist/auth-interface-Clz-oWq1.d.mts

@@ -0,0 +1,8 @@
+import { AuthApiError, AuthClient, AuthError, isAuthApiError, isAuthError } from "@supabase/auth-js";
+
+//#region src/adapters/supabase/auth-interface.d.ts
+type _UpstreamAuthClientInstance = InstanceType<typeof AuthClient>;
+type _AuthClientBase = { [K in keyof _UpstreamAuthClientInstance as _UpstreamAuthClientInstance[K] extends never ? never : K]: _UpstreamAuthClientInstance[K] };
+type SupabaseAuthClientInterface = _AuthClientBase;
+//#endregion
+export { isAuthError as a, isAuthApiError as i, AuthError as n, SupabaseAuthClientInterface as r, AuthApiError as t };

package/dist/better-auth-helpers-Bkezghej.mjs

@@ -0,0 +1,541 @@
+import { AuthApiError, AuthError, isAuthApiError, isAuthError } from "@supabase/auth-js";
+
+//#region src/core/constants.ts
+/**
+* Session caching configuration constants
+*
+* Uses industry-standard 60s cache TTL (common across auth providers).
+*
+* Note: Token refresh detection is now automatic via Better Auth's
+* fetchOptions.onSuccess callback. No polling is needed.
+*/
+/** Session cache TTL in milliseconds (60 seconds) */
+const SESSION_CACHE_TTL_MS = 6e4;
+/** Clock skew buffer for token expiration checks in milliseconds (10 seconds) */
+const CLOCK_SKEW_BUFFER_MS = 1e4;
+/** Default session expiry duration in milliseconds (1 hour) */
+const DEFAULT_SESSION_EXPIRY_MS = 36e5;
+/** Name of the session verifier parameter in the URL, used for the OAUTH flow */
+const NEON_AUTH_SESSION_VERIFIER_PARAM_NAME = "neon_auth_session_verifier";
+/** Name of the popup marker parameter in the URL, used for OAuth popup flow in iframes */
+const NEON_AUTH_POPUP_PARAM_NAME = "neon_popup";
+/** Name of the original callback URL parameter, used in OAuth popup flow */
+const NEON_AUTH_POPUP_CALLBACK_PARAM_NAME = "neon_popup_callback";
+/** The callback route used for OAuth popup completion (must be in middleware SKIP_ROUTES) */
+const NEON_AUTH_POPUP_CALLBACK_ROUTE = "/auth/callback";
+/** Message type for OAuth popup completion postMessage */
+const OAUTH_POPUP_MESSAGE_TYPE = "neon-auth:oauth-complete";
+
+//#endregion
+//#region src/utils/date.ts
+function toISOString(date) {
+	if (!date) return (/* @__PURE__ */ new Date()).toISOString();
+	if (typeof date === "string") return date;
+	if (typeof date === "number") return new Date(date).toISOString();
+	return date.toISOString();
+}
+
+//#endregion
+//#region src/adapters/supabase/errors/definitions.ts
+/**
+* Error codes for type-safe error handling
+*/
+const AuthErrorCode = {
+	BadJwt: "bad_jwt",
+	InvalidCredentials: "invalid_credentials",
+	SessionExpired: "session_expired",
+	SessionNotFound: "session_not_found",
+	InvalidGrant: "invalid_grant",
+	UserNotFound: "user_not_found",
+	UserAlreadyExists: "user_already_exists",
+	EmailExists: "email_exists",
+	PhoneExists: "phone_exists",
+	EmailNotConfirmed: "email_not_confirmed",
+	PhoneNotConfirmed: "phone_not_confirmed",
+	ValidationFailed: "validation_failed",
+	BadJson: "bad_json",
+	WeakPassword: "weak_password",
+	EmailAddressInvalid: "email_address_invalid",
+	FeatureNotSupported: "feature_not_supported",
+	NotImplemented: "not_implemented",
+	OAuthProviderNotSupported: "oauth_provider_not_supported",
+	PhoneProviderDisabled: "phone_provider_disabled",
+	MagicLinkNotSupported: "magic_link_not_supported",
+	SsoProviderDisabled: "sso_provider_disabled",
+	AnonymousProviderDisabled: "anonymous_provider_disabled",
+	Web3ProviderDisabled: "web3_provider_disabled",
+	BadOAuthCallback: "bad_oauth_callback",
+	OAuthCallbackFailed: "oauth_callback_failed",
+	OverRequestRateLimit: "over_request_rate_limit",
+	OverEmailSendRateLimit: "over_email_send_rate_limit",
+	OverSmsSendRateLimit: "over_sms_send_rate_limit",
+	UnexpectedFailure: "unexpected_failure",
+	InternalError: "internal_error",
+	IdentityNotFound: "identity_not_found",
+	UnknownError: "unknown_error"
+};
+/**
+* Complete error definitions map
+* Maps error codes to HTTP status codes and default messages
+*/
+const ERROR_DEFINITIONS = {
+	[AuthErrorCode.BadJwt]: {
+		code: AuthErrorCode.BadJwt,
+		status: 401,
+		message: "Invalid or expired session token",
+		description: "The JWT token is malformed, expired, or has an invalid signature"
+	},
+	[AuthErrorCode.InvalidCredentials]: {
+		code: AuthErrorCode.InvalidCredentials,
+		status: 401,
+		message: "Invalid email or password",
+		description: "The provided credentials do not match any user account"
+	},
+	[AuthErrorCode.SessionExpired]: {
+		code: AuthErrorCode.SessionExpired,
+		status: 401,
+		message: "Session has expired",
+		description: "The user session has exceeded its timeout period"
+	},
+	[AuthErrorCode.SessionNotFound]: {
+		code: AuthErrorCode.SessionNotFound,
+		status: 401,
+		message: "No active session found",
+		description: "The user does not have an active session or the session was invalidated"
+	},
+	[AuthErrorCode.InvalidGrant]: {
+		code: AuthErrorCode.InvalidGrant,
+		status: 401,
+		message: "Invalid authorization grant",
+		description: "OAuth/OIDC grant validation failed"
+	},
+	[AuthErrorCode.UserNotFound]: {
+		code: AuthErrorCode.UserNotFound,
+		status: 404,
+		message: "User not found",
+		description: "No user exists with the provided identifier"
+	},
+	[AuthErrorCode.UserAlreadyExists]: {
+		code: AuthErrorCode.UserAlreadyExists,
+		status: 409,
+		message: "User already exists",
+		description: "A user with this email or phone number is already registered"
+	},
+	[AuthErrorCode.EmailExists]: {
+		code: AuthErrorCode.EmailExists,
+		status: 409,
+		message: "Email address already registered",
+		description: "This email address is already associated with an account"
+	},
+	[AuthErrorCode.PhoneExists]: {
+		code: AuthErrorCode.PhoneExists,
+		status: 409,
+		message: "Phone number already registered",
+		description: "This phone number is already associated with an account"
+	},
+	[AuthErrorCode.EmailNotConfirmed]: {
+		code: AuthErrorCode.EmailNotConfirmed,
+		status: 422,
+		message: "Email verification required",
+		description: "The user must verify their email before signing in"
+	},
+	[AuthErrorCode.PhoneNotConfirmed]: {
+		code: AuthErrorCode.PhoneNotConfirmed,
+		status: 422,
+		message: "Phone verification required",
+		description: "The user must verify their phone number before signing in"
+	},
+	[AuthErrorCode.ValidationFailed]: {
+		code: AuthErrorCode.ValidationFailed,
+		status: 400,
+		message: "Invalid request parameters",
+		description: "One or more request parameters are invalid or missing"
+	},
+	[AuthErrorCode.BadJson]: {
+		code: AuthErrorCode.BadJson,
+		status: 400,
+		message: "Invalid JSON in request body",
+		description: "The request body contains malformed JSON"
+	},
+	[AuthErrorCode.WeakPassword]: {
+		code: AuthErrorCode.WeakPassword,
+		status: 400,
+		message: "Password does not meet security requirements",
+		description: "The password is too weak or does not meet complexity requirements"
+	},
+	[AuthErrorCode.EmailAddressInvalid]: {
+		code: AuthErrorCode.EmailAddressInvalid,
+		status: 400,
+		message: "Invalid email address format",
+		description: "The provided email address is not in a valid format"
+	},
+	[AuthErrorCode.FeatureNotSupported]: {
+		code: AuthErrorCode.FeatureNotSupported,
+		status: 403,
+		message: "Feature not available",
+		description: "This feature is not supported in the current configuration"
+	},
+	[AuthErrorCode.NotImplemented]: {
+		code: AuthErrorCode.NotImplemented,
+		status: 501,
+		message: "Feature not implemented",
+		description: "This feature has not been implemented yet"
+	},
+	[AuthErrorCode.OAuthProviderNotSupported]: {
+		code: AuthErrorCode.OAuthProviderNotSupported,
+		status: 403,
+		message: "OAuth provider not supported",
+		description: "The requested OAuth provider is not enabled"
+	},
+	[AuthErrorCode.PhoneProviderDisabled]: {
+		code: AuthErrorCode.PhoneProviderDisabled,
+		status: 403,
+		message: "Phone authentication not available",
+		description: "Phone number authentication is not enabled"
+	},
+	[AuthErrorCode.MagicLinkNotSupported]: {
+		code: AuthErrorCode.MagicLinkNotSupported,
+		status: 403,
+		message: "Magic link authentication not available",
+		description: "Magic link authentication is not supported"
+	},
+	[AuthErrorCode.SsoProviderDisabled]: {
+		code: AuthErrorCode.SsoProviderDisabled,
+		status: 403,
+		message: "SSO not supported",
+		description: "Enterprise SSO authentication is not available"
+	},
+	[AuthErrorCode.AnonymousProviderDisabled]: {
+		code: AuthErrorCode.AnonymousProviderDisabled,
+		status: 403,
+		message: "Anonymous authentication not available",
+		description: "Anonymous sign-in is not enabled"
+	},
+	[AuthErrorCode.Web3ProviderDisabled]: {
+		code: AuthErrorCode.Web3ProviderDisabled,
+		status: 403,
+		message: "Web3 authentication not supported",
+		description: "Web3/blockchain authentication is not available"
+	},
+	[AuthErrorCode.BadOAuthCallback]: {
+		code: AuthErrorCode.BadOAuthCallback,
+		status: 400,
+		message: "Invalid OAuth callback",
+		description: "The OAuth callback request is missing required parameters"
+	},
+	[AuthErrorCode.OAuthCallbackFailed]: {
+		code: AuthErrorCode.OAuthCallbackFailed,
+		status: 500,
+		message: "OAuth authentication failed",
+		description: "The OAuth callback completed but no session was created"
+	},
+	[AuthErrorCode.OverRequestRateLimit]: {
+		code: AuthErrorCode.OverRequestRateLimit,
+		status: 429,
+		message: "Too many requests",
+		description: "Rate limit exceeded. Please try again later"
+	},
+	[AuthErrorCode.OverEmailSendRateLimit]: {
+		code: AuthErrorCode.OverEmailSendRateLimit,
+		status: 429,
+		message: "Too many email requests",
+		description: "Too many emails sent. Please wait before trying again"
+	},
+	[AuthErrorCode.OverSmsSendRateLimit]: {
+		code: AuthErrorCode.OverSmsSendRateLimit,
+		status: 429,
+		message: "Too many SMS requests",
+		description: "Too many SMS messages sent. Please wait before trying again"
+	},
+	[AuthErrorCode.UnexpectedFailure]: {
+		code: AuthErrorCode.UnexpectedFailure,
+		status: 500,
+		message: "An unexpected error occurred",
+		description: "The server encountered an unexpected condition"
+	},
+	[AuthErrorCode.InternalError]: {
+		code: AuthErrorCode.InternalError,
+		status: 500,
+		message: "Internal server error",
+		description: "An internal error occurred while processing the request"
+	},
+	[AuthErrorCode.IdentityNotFound]: {
+		code: AuthErrorCode.IdentityNotFound,
+		status: 404,
+		message: "Identity not found",
+		description: "The requested user identity does not exist"
+	},
+	[AuthErrorCode.UnknownError]: {
+		code: AuthErrorCode.UnknownError,
+		status: 500,
+		message: "An unknown error occurred",
+		description: "The error could not be categorized"
+	}
+};
+/**
+* Helper to get error definition by code
+*/
+function getErrorDefinition(code) {
+	return ERROR_DEFINITIONS[code];
+}
+/**
+* Create an AuthError or AuthApiError with proper status and message
+*
+* @param code - The error code from AuthErrorCode
+* @param customMessage - Optional custom message (defaults to error definition message)
+* @returns AuthError for 5xx errors, AuthApiError for 4xx errors
+*/
+function createAuthError(code, customMessage) {
+	const def = getErrorDefinition(code);
+	const message = customMessage || def.message;
+	const status = def.status;
+	if (status !== 500 && status !== 501 && status !== 503) return new AuthApiError(message, status, def.code);
+	return new AuthError(message, status, def.code);
+}
+
+//#endregion
+//#region src/adapters/supabase/errors/mappings.ts
+/**
+* Maps Better Auth error codes to AuthErrorCode
+* Based on Better Auth SDK error codes
+*
+* @see https://www.better-auth.com/docs/concepts/error-handling
+*/
+const BETTER_AUTH_ERROR_MAP = {
+	"INVALID_EMAIL_OR_PASSWORD": AuthErrorCode.InvalidCredentials,
+	"INVALID_PASSWORD": AuthErrorCode.InvalidCredentials,
+	"INVALID_EMAIL": AuthErrorCode.EmailAddressInvalid,
+	"USER_NOT_FOUND": AuthErrorCode.UserNotFound,
+	"INVALID_TOKEN": AuthErrorCode.BadJwt,
+	"SESSION_EXPIRED": AuthErrorCode.SessionExpired,
+	"FAILED_TO_GET_SESSION": AuthErrorCode.SessionNotFound,
+	"USER_ALREADY_EXISTS": AuthErrorCode.UserAlreadyExists,
+	"EMAIL_NOT_VERIFIED": AuthErrorCode.EmailNotConfirmed,
+	"USER_EMAIL_NOT_FOUND": AuthErrorCode.UserNotFound,
+	"PASSWORD_TOO_SHORT": AuthErrorCode.WeakPassword,
+	"PASSWORD_TOO_LONG": AuthErrorCode.WeakPassword,
+	"USER_ALREADY_HAS_PASSWORD": AuthErrorCode.ValidationFailed,
+	"CREDENTIAL_ACCOUNT_NOT_FOUND": AuthErrorCode.IdentityNotFound,
+	"FAILED_TO_UNLINK_LAST_ACCOUNT": AuthErrorCode.ValidationFailed,
+	"ACCOUNT_NOT_FOUND": AuthErrorCode.IdentityNotFound,
+	"SOCIAL_ACCOUNT_ALREADY_LINKED": AuthErrorCode.ValidationFailed,
+	"PROVIDER_NOT_FOUND": AuthErrorCode.OAuthProviderNotSupported,
+	"ID_TOKEN_NOT_SUPPORTED": AuthErrorCode.FeatureNotSupported,
+	"FAILED_TO_CREATE_USER": AuthErrorCode.InternalError,
+	"FAILED_TO_CREATE_SESSION": AuthErrorCode.InternalError,
+	"FAILED_TO_UPDATE_USER": AuthErrorCode.InternalError,
+	"EMAIL_CAN_NOT_BE_UPDATED": AuthErrorCode.FeatureNotSupported
+};
+/**
+* Maps HTTP status codes from Better Auth to AuthErrorCode
+*/
+const STATUS_CODE_ERROR_MAP = {
+	400: AuthErrorCode.ValidationFailed,
+	401: AuthErrorCode.BadJwt,
+	403: AuthErrorCode.FeatureNotSupported,
+	404: AuthErrorCode.UserNotFound,
+	409: AuthErrorCode.UserAlreadyExists,
+	422: AuthErrorCode.ValidationFailed,
+	429: AuthErrorCode.OverRequestRateLimit,
+	500: AuthErrorCode.UnexpectedFailure,
+	501: AuthErrorCode.NotImplemented,
+	503: AuthErrorCode.FeatureNotSupported
+};
+
+//#endregion
+//#region src/core/better-auth-helpers.ts
+/**
+* Normalize Better Auth errors to standard AuthError format
+*
+* Handles three error formats:
+* 1. BetterFetchError: { status, statusText, message?, code? }
+* 2. BetterAuthErrorResponse: { status, statusText, message?, code? }
+* 3. Standard Error: { message, name, stack }
+*
+* Maps Better Auth errors to appropriate AuthError/AuthApiError with:
+* - Correct HTTP status codes
+* - Standard error codes (snake_case)
+* - User-friendly, security-conscious messages
+*/
+function normalizeBetterAuthError(error) {
+	if (error !== null && error !== void 0 && typeof error === "object" && "status" in error && "statusText" in error) {
+		const betterError = error;
+		const status = betterError.status;
+		if ("code" in betterError && betterError.code && typeof betterError.code === "string") {
+			const mappedCode = BETTER_AUTH_ERROR_MAP[betterError.code];
+			if (mappedCode) {
+				const def$2 = getErrorDefinition(mappedCode);
+				return createNormalizedError(def$2.message, def$2.status, def$2.code, status);
+			}
+		}
+		const def$1 = getErrorDefinition(mapStatusCodeToErrorCode(status, betterError.message || betterError.statusText));
+		return createNormalizedError(betterError.message || def$1.message, status, def$1.code, status);
+	}
+	if (error instanceof Error) {
+		const def$1 = getErrorDefinition(mapMessageToErrorCode(error.message));
+		return createNormalizedError(error.message || def$1.message, def$1.status, def$1.code, def$1.status);
+	}
+	const def = getErrorDefinition(AuthErrorCode.UnknownError);
+	return new AuthError(def.message, def.status, def.code);
+}
+/**
+* Map HTTP status code to AuthErrorCode
+* Uses message content for disambiguation when status code is ambiguous
+*/
+function mapStatusCodeToErrorCode(status, message) {
+	const lowerMessage = message?.toLowerCase() || "";
+	switch (status) {
+		case 401:
+			if (lowerMessage.includes("token") || lowerMessage.includes("jwt")) return AuthErrorCode.BadJwt;
+			if (lowerMessage.includes("session")) return AuthErrorCode.SessionNotFound;
+			if (lowerMessage.includes("expired")) return AuthErrorCode.SessionExpired;
+			return AuthErrorCode.InvalidCredentials;
+		case 404:
+			if (lowerMessage.includes("identity") || lowerMessage.includes("account")) return AuthErrorCode.IdentityNotFound;
+			if (lowerMessage.includes("session")) return AuthErrorCode.SessionNotFound;
+			return AuthErrorCode.UserNotFound;
+		case 409:
+			if (lowerMessage.includes("email")) return AuthErrorCode.EmailExists;
+			if (lowerMessage.includes("phone")) return AuthErrorCode.PhoneExists;
+			return AuthErrorCode.UserAlreadyExists;
+		case 422:
+			if (lowerMessage.includes("email") && lowerMessage.includes("confirm")) return AuthErrorCode.EmailNotConfirmed;
+			if (lowerMessage.includes("phone") && lowerMessage.includes("confirm")) return AuthErrorCode.PhoneNotConfirmed;
+			return AuthErrorCode.ValidationFailed;
+		case 429:
+			if (lowerMessage.includes("email")) return AuthErrorCode.OverEmailSendRateLimit;
+			if (lowerMessage.includes("sms") || lowerMessage.includes("phone")) return AuthErrorCode.OverSmsSendRateLimit;
+			return AuthErrorCode.OverRequestRateLimit;
+		case 400:
+			if (lowerMessage.includes("password") && lowerMessage.includes("weak")) return AuthErrorCode.WeakPassword;
+			if (lowerMessage.includes("email") && lowerMessage.includes("invalid")) return AuthErrorCode.EmailAddressInvalid;
+			if (lowerMessage.includes("json")) return AuthErrorCode.BadJson;
+			if (lowerMessage.includes("oauth") || lowerMessage.includes("callback")) return AuthErrorCode.BadOAuthCallback;
+			return AuthErrorCode.ValidationFailed;
+		case 403:
+			if (lowerMessage.includes("provider") || lowerMessage.includes("oauth")) return AuthErrorCode.OAuthProviderNotSupported;
+			if (lowerMessage.includes("phone")) return AuthErrorCode.PhoneProviderDisabled;
+			if (lowerMessage.includes("sso")) return AuthErrorCode.SsoProviderDisabled;
+			return AuthErrorCode.FeatureNotSupported;
+		case 501: return AuthErrorCode.NotImplemented;
+		case 503: return AuthErrorCode.FeatureNotSupported;
+		default:
+			if (lowerMessage.includes("oauth")) return AuthErrorCode.OAuthCallbackFailed;
+			return AuthErrorCode.UnexpectedFailure;
+	}
+}
+/**
+* Map error message content to AuthErrorCode
+* Used as fallback when status code is not available
+*/
+function mapMessageToErrorCode(message) {
+	const lower = message.toLowerCase();
+	if (lower.includes("invalid login") || lower.includes("incorrect") || lower.includes("wrong password")) return AuthErrorCode.InvalidCredentials;
+	if (lower.includes("token") && (lower.includes("invalid") || lower.includes("expired"))) return AuthErrorCode.BadJwt;
+	if (lower.includes("session") && lower.includes("expired")) return AuthErrorCode.SessionExpired;
+	if (lower.includes("session") && lower.includes("not found")) return AuthErrorCode.SessionNotFound;
+	if (lower.includes("already exists") || lower.includes("already registered")) return AuthErrorCode.UserAlreadyExists;
+	if (lower.includes("not found") && lower.includes("user")) return AuthErrorCode.UserNotFound;
+	if (lower.includes("not found") && lower.includes("identity")) return AuthErrorCode.IdentityNotFound;
+	if (lower.includes("email") && lower.includes("not confirmed")) return AuthErrorCode.EmailNotConfirmed;
+	if (lower.includes("phone") && lower.includes("not confirmed")) return AuthErrorCode.PhoneNotConfirmed;
+	if (lower.includes("weak password") || lower.includes("password") && lower.includes("requirements")) return AuthErrorCode.WeakPassword;
+	if (lower.includes("email") && lower.includes("invalid")) return AuthErrorCode.EmailAddressInvalid;
+	if (lower.includes("rate limit") || lower.includes("too many requests")) return AuthErrorCode.OverRequestRateLimit;
+	if (lower.includes("oauth") && lower.includes("failed")) return AuthErrorCode.OAuthCallbackFailed;
+	if (lower.includes("provider") && lower.includes("not supported")) return AuthErrorCode.OAuthProviderNotSupported;
+	return AuthErrorCode.UnexpectedFailure;
+}
+/**
+* Create normalized error with correct type (AuthError vs AuthApiError)
+* Uses AuthApiError for non-500 status codes (API/client errors)
+* Uses AuthError for 500 status codes (server errors)
+*/
+function createNormalizedError(message, targetStatus, code, _originalStatus) {
+	const status = targetStatus;
+	if (status !== 500 && status !== 501 && status !== 503) return new AuthApiError(message, status, code);
+	return new AuthError(message, status, code);
+}
+/**
+* Map Better Auth session to Session format
+*/
+function mapBetterAuthSession(betterAuthSession, betterAuthUser) {
+	if (!betterAuthSession || !betterAuthUser) return null;
+	let expiresAt;
+	if (typeof betterAuthSession.expiresAt === "string") expiresAt = Math.floor(new Date(betterAuthSession.expiresAt).getTime() / 1e3);
+	else if (typeof betterAuthSession.expiresAt === "object" && betterAuthSession.expiresAt instanceof Date) expiresAt = Math.floor(betterAuthSession.expiresAt.getTime() / 1e3);
+	else expiresAt = Math.floor(Date.now() / 1e3) + Math.floor(DEFAULT_SESSION_EXPIRY_MS / 1e3);
+	const now = Math.floor(Date.now() / 1e3);
+	const expiresIn = Math.max(0, expiresAt - now);
+	return {
+		access_token: betterAuthSession.token,
+		refresh_token: "",
+		expires_at: expiresAt,
+		expires_in: expiresIn,
+		token_type: "bearer",
+		user: mapBetterAuthUser(betterAuthUser)
+	};
+}
+/**
+* Map Better Auth user to User format
+*/
+function mapBetterAuthUser(betterAuthUser) {
+	const createdAt = toISOString(betterAuthUser.createdAt);
+	const updatedAt = toISOString(betterAuthUser.updatedAt);
+	const userMetadata = {};
+	if (betterAuthUser.name) userMetadata.displayName = betterAuthUser.name;
+	if (betterAuthUser.image) userMetadata.profileImageUrl = betterAuthUser.image;
+	const userRecord = betterAuthUser;
+	for (const key of Object.keys(userRecord)) if (![
+		"id",
+		"email",
+		"emailVerified",
+		"name",
+		"image",
+		"createdAt",
+		"updatedAt"
+	].includes(key)) userMetadata[key] = userRecord[key];
+	return {
+		id: betterAuthUser.id,
+		email: betterAuthUser.email || "",
+		email_confirmed_at: betterAuthUser.emailVerified ? createdAt : void 0,
+		phone: void 0,
+		confirmed_at: betterAuthUser.emailVerified ? createdAt : void 0,
+		last_sign_in_at: updatedAt,
+		app_metadata: {},
+		user_metadata: userMetadata,
+		identities: [],
+		created_at: createdAt,
+		updated_at: updatedAt,
+		aud: "authenticated",
+		role: "authenticated"
+	};
+}
+function mapBetterAuthIdentity(betterAuthUserIdentityAccount, accountInfoData) {
+	return {
+		id: betterAuthUserIdentityAccount.id,
+		user_id: betterAuthUserIdentityAccount.id,
+		identity_id: betterAuthUserIdentityAccount.accountId,
+		provider: betterAuthUserIdentityAccount.providerId,
+		created_at: toISOString(betterAuthUserIdentityAccount.createdAt),
+		updated_at: toISOString(betterAuthUserIdentityAccount.updatedAt),
+		last_sign_in_at: toISOString(betterAuthUserIdentityAccount.updatedAt),
+		identity_data: accountInfoData ? {
+			provider: betterAuthUserIdentityAccount.providerId,
+			provider_id: betterAuthUserIdentityAccount.accountId,
+			scopes: betterAuthUserIdentityAccount.scopes,
+			email: accountInfoData.data.email,
+			name: accountInfoData.data.user.name,
+			picture: accountInfoData.data.user.picture,
+			email_verified: accountInfoData.data.user.email_verified,
+			...accountInfoData.data
+		} : {
+			provider: betterAuthUserIdentityAccount.providerId,
+			provider_id: betterAuthUserIdentityAccount.accountId,
+			scopes: betterAuthUserIdentityAccount.scopes
+		}
+	};
+}
+
+//#endregion
+export { createAuthError as a, isAuthApiError as c, NEON_AUTH_POPUP_CALLBACK_PARAM_NAME as d, NEON_AUTH_POPUP_CALLBACK_ROUTE as f, SESSION_CACHE_TTL_MS as g, OAUTH_POPUP_MESSAGE_TYPE as h, AuthErrorCode as i, isAuthError as l, NEON_AUTH_SESSION_VERIFIER_PARAM_NAME as m, mapBetterAuthSession as n, AuthApiError as o, NEON_AUTH_POPUP_PARAM_NAME as p, normalizeBetterAuthError as r, AuthError as s, mapBetterAuthIdentity as t, CLOCK_SKEW_BUFFER_MS as u };