@onmax/nuxt-better-auth 0.0.2-alpha.30 → 0.0.2-alpha.31

package/dist/module.d.mts

@@ -5,15 +5,6 @@ export { BetterAuthModuleOptions, defineClientAuth, defineServerAuth } from '../
 import { BetterAuthOptions } from 'better-auth';
 export { AppSession, Auth, AuthActionError, AuthMeta, AuthMode, AuthRouteRules, AuthSession, AuthSocialProviderId, AuthUser, InferSession, InferUser, RequireSessionOptions, ServerAuthContext, UserMatch } from '../dist/runtime/types.js';
 
-interface RuntimeDefineServerAuthFn {
-    (...args: unknown[]): unknown;
-    _count: number;
-}
-declare global {
-    var __nuxtBetterAuthDefineServerAuth: RuntimeDefineServerAuthFn | undefined;
-    var defineServerAuth: RuntimeDefineServerAuthFn | undefined;
-}
-
 type DbDialect = 'sqlite' | 'postgresql' | 'mysql';
 
 interface BetterAuthDatabaseProviderBuildContext {

package/dist/module.json

@@ -1,6 +1,6 @@
 {
   "name": "@onmax/nuxt-better-auth",
-  "version": "0.0.2-alpha.30",
+  "version": "0.0.2-alpha.31",
   "configKey": "auth",
   "compatibility": {
     "nuxt": ">=4.0.0"

package/dist/module.mjs

@@ -1,8 +1,8 @@
 import { existsSync, writeFileSync, readFileSync } from 'node:fs';
 import { mkdir, writeFile } from 'node:fs/promises';
-import { updateTemplates, addServerImportsDir, addServerImports, addServerScanDir, addServerHandler, addImportsDir, addPlugin, addComponentsDir, hasNuxtModule, installModule, extendPages, addTemplate, addTypeTemplate, defineNuxtModule, createResolver } from '@nuxt/kit';
+import { getLayerDirectories, updateTemplates, addServerImportsDir, addServerImports, addServerScanDir, addServerHandler, addImportsDir, addPlugin, addComponentsDir, hasNuxtModule, installModule, extendPages, addTemplate, addTypeTemplate, defineNuxtModule, createResolver } from '@nuxt/kit';
 import { consola as consola$1 } from 'consola';
-import { join, dirname } from 'pathe';
+import { isAbsolute, join, relative, dirname } from 'pathe';
 import { defu } from 'defu';
 import { toRouteMatcher, createRouter } from 'radix3';
 import { generateDrizzleSchema as generateDrizzleSchema$1 } from '@better-auth/cli/api';
@@ -10,7 +10,7 @@ import { randomBytes } from 'node:crypto';
 import { isCI, isTest } from 'std-env';
 export { defineClientAuth, defineServerAuth } from '../dist/runtime/config.js';
 
-const version = "0.0.2-alpha.30";
+const version = "0.0.2-alpha.31";
 
 function resolveDatabaseProvider(input) {
   const enabledProviders = Object.entries(input.providers).filter(([_id, provider]) => provider.isEnabled?.(input.context) ?? true);
@@ -22,6 +22,91 @@ function resolveDatabaseProvider(input) {
   return { id, definition };
 }
 
+const CONFIG_EXTENSIONS = [".ts", ".js"];
+const CONFIG_EXTENSION_RE = /\.(?:ts|js)$/;
+const DEFAULT_CONFIG_FILES = {
+  server: "server/auth.config",
+  client: "app/auth.config"
+};
+const OPTION_KEY_BY_KIND = {
+  server: "serverConfig",
+  client: "clientConfig"
+};
+function stripConfigExtension(path) {
+  return path.replace(CONFIG_EXTENSION_RE, "");
+}
+function configExists(path) {
+  return CONFIG_EXTENSIONS.some((ext) => existsSync(`${path}${ext}`));
+}
+function getLayerDirectoriesWithConfigs(nuxt) {
+  const directories = getLayerDirectories(nuxt);
+  const layers = nuxt.options._layers;
+  return directories.map((directory, index) => ({ directory, layer: layers[index] }));
+}
+function getProjectDirectory(nuxt) {
+  return getLayerDirectories(nuxt)[0];
+}
+function getDefaultConfigPath(nuxt, kind) {
+  const project = getProjectDirectory(nuxt);
+  return kind === "server" ? join(project.server, "auth.config") : join(project.app, "auth.config");
+}
+function getLayerDefaultConfigPath(nuxt, kind) {
+  for (const { directory } of getLayerDirectoriesWithConfigs(nuxt)) {
+    const candidate = kind === "server" ? join(directory.server, "auth.config") : join(directory.app, "auth.config");
+    if (configExists(candidate))
+      return candidate;
+  }
+}
+function resolveDeclaringLayerRoot(nuxt, kind, file) {
+  const optionKey = OPTION_KEY_BY_KIND[kind];
+  for (const { directory, layer } of getLayerDirectoriesWithConfigs(nuxt)) {
+    const declared = layer?.config?.auth?.[optionKey];
+    if (typeof declared === "string" && stripConfigExtension(declared) === file)
+      return directory.root;
+  }
+  return getProjectDirectory(nuxt).root;
+}
+function getRelativeConfigFile(nuxt, path) {
+  return relative(getProjectDirectory(nuxt).root, path);
+}
+function getEffectiveModuleConfigFile(nuxt, kind) {
+  const optionKey = OPTION_KEY_BY_KIND[kind];
+  const authOptions = nuxt.options.auth;
+  return authOptions?.[optionKey] ?? DEFAULT_CONFIG_FILES[kind];
+}
+function shouldCreateDefaultModuleConfig(nuxt, kind, file = getEffectiveModuleConfigFile(nuxt, kind)) {
+  const normalizedFile = stripConfigExtension(file);
+  if (normalizedFile !== DEFAULT_CONFIG_FILES[kind])
+    return false;
+  const resolved = resolveModuleConfigPath(nuxt, kind, normalizedFile);
+  return !configExists(resolved.path);
+}
+function resolveModuleConfigPath(nuxt, kind, file) {
+  const normalizedFile = stripConfigExtension(file);
+  if (isAbsolute(normalizedFile)) {
+    return {
+      file: normalizedFile,
+      path: normalizedFile,
+      isDefault: false
+    };
+  }
+  if (normalizedFile === DEFAULT_CONFIG_FILES[kind]) {
+    const discoveredPath = getLayerDefaultConfigPath(nuxt, kind) ?? getDefaultConfigPath(nuxt, kind);
+    return {
+      file: getRelativeConfigFile(nuxt, discoveredPath),
+      path: discoveredPath,
+      isDefault: true
+    };
+  }
+  const baseRoot = resolveDeclaringLayerRoot(nuxt, kind, normalizedFile);
+  const path = join(baseRoot, normalizedFile);
+  return {
+    file: getRelativeConfigFile(nuxt, path),
+    path,
+    isDefault: false
+  };
+}
+
 function setupDevTools(nuxt) {
   const hookable = nuxt;
   hookable.hook("devtools:customTabs", (tabs) => {
@@ -167,13 +252,13 @@ function setupRuntimeConfig(input) {
     return { useHubKV, secondaryStorageEnabled };
   }
   const currentSecret = nuxt.options.runtimeConfig.betterAuthSecret;
-  nuxt.options.runtimeConfig.betterAuthSecret = currentSecret || process.env.BETTER_AUTH_SECRET || "";
+  nuxt.options.runtimeConfig.betterAuthSecret = currentSecret || process.env.NUXT_BETTER_AUTH_SECRET || process.env.BETTER_AUTH_SECRET || "";
   const betterAuthSecret = nuxt.options.runtimeConfig.betterAuthSecret;
   if (!nuxt.options.dev && !nuxt.options._prepare && !betterAuthSecret) {
-    throw new Error("[nuxt-better-auth] BETTER_AUTH_SECRET is required in production. Set BETTER_AUTH_SECRET or NUXT_BETTER_AUTH_SECRET environment variable.");
+    throw new Error("[nuxt-better-auth] NUXT_BETTER_AUTH_SECRET is required in production. Set NUXT_BETTER_AUTH_SECRET or BETTER_AUTH_SECRET environment variable.");
   }
   if (betterAuthSecret && betterAuthSecret.length < 32) {
-    throw new Error("[nuxt-better-auth] BETTER_AUTH_SECRET must be at least 32 characters for security");
+    throw new Error("[nuxt-better-auth] NUXT_BETTER_AUTH_SECRET must be at least 32 characters for security");
   }
   nuxt.options.runtimeConfig.auth = defu(nuxt.options.runtimeConfig.auth, {
     hubSecondaryStorage: options.hubSecondaryStorage ?? false
@@ -217,14 +302,15 @@ async function loadUserAuthConfig(configPath, throwOnError = false) {
   const { createJiti } = await import('jiti');
   const { defineServerAuth: runtimeDefineServerAuth } = await import('../dist/runtime/config.js');
   const jiti = createJiti(import.meta.url, { interopDefault: true, moduleCache: false });
-  if (!globalThis.__nuxtBetterAuthDefineServerAuth) {
+  const schemaGlobals = globalThis;
+  if (!schemaGlobals.__nuxtBetterAuthDefineServerAuth) {
     runtimeDefineServerAuth._count = 0;
-    globalThis.__nuxtBetterAuthDefineServerAuth = runtimeDefineServerAuth;
+    schemaGlobals.__nuxtBetterAuthDefineServerAuth = runtimeDefineServerAuth;
   }
-  if (!globalThis.defineServerAuth) {
-    globalThis.defineServerAuth = globalThis.__nuxtBetterAuthDefineServerAuth;
+  if (!schemaGlobals.defineServerAuth) {
+    schemaGlobals.defineServerAuth = schemaGlobals.__nuxtBetterAuthDefineServerAuth;
   }
-  globalThis.__nuxtBetterAuthDefineServerAuth._count++;
+  schemaGlobals.__nuxtBetterAuthDefineServerAuth._count++;
   try {
     const mod = await jiti.import(configPath);
     const configFn = mod.default;
@@ -243,19 +329,20 @@ async function loadUserAuthConfig(configPath, throwOnError = false) {
     consola$1.error("[@onmax/nuxt-better-auth] Failed to load auth config for schema generation. Schema may be incomplete:", error);
     return {};
   } finally {
-    const sharedDefineServerAuth = globalThis.__nuxtBetterAuthDefineServerAuth;
+    const sharedDefineServerAuth = schemaGlobals.__nuxtBetterAuthDefineServerAuth;
     if (sharedDefineServerAuth) {
       sharedDefineServerAuth._count--;
       if (!sharedDefineServerAuth._count) {
-        globalThis.__nuxtBetterAuthDefineServerAuth = void 0;
-        if (globalThis.defineServerAuth === sharedDefineServerAuth) {
-          globalThis.defineServerAuth = void 0;
+        schemaGlobals.__nuxtBetterAuthDefineServerAuth = void 0;
+        if (schemaGlobals.defineServerAuth === sharedDefineServerAuth) {
+          schemaGlobals.defineServerAuth = void 0;
         }
       }
     }
   }
 }
 
+const NODE_MODULES_SEGMENT_RE = /[\\/]/;
 function resolveSchemaSecondaryStorageInjection(hubSecondaryStorage, userHasSecondaryStorage, isProduction) {
   if (hubSecondaryStorage === true)
     return { inject: false };
@@ -269,7 +356,7 @@ function resolveSchemaSecondaryStorageInjection(hubSecondaryStorage, userHasSeco
   return { inject: false, warn: message };
 }
 function isInsideNodeModules(path) {
-  return path.split(/[\\/]/).includes("node_modules");
+  return path.split(NODE_MODULES_SEGMENT_RE).includes("node_modules");
 }
 function resolveHubSchemaPath(buildDir, rootDir, dialect, exists = existsSync) {
   const rootTsPath = join(rootDir, ".nuxt", "better-auth", `schema.${dialect}.ts`);
@@ -348,21 +435,26 @@ async function setupBetterAuthSchema(nuxt, serverConfigPath, options, consola, h
   }
 }
 
+const DEFAULT_SECRET_ENV = "NUXT_BETTER_AUTH_SECRET";
+const FALLBACK_SECRET_ENV = "BETTER_AUTH_SECRET";
 const generateSecret = () => randomBytes(32).toString("hex");
 function readEnvFile(rootDir) {
   const envPath = join(rootDir, ".env");
   return existsSync(envPath) ? readFileSync(envPath, "utf-8") : "";
 }
 function hasEnvSecret(rootDir) {
-  const match = readEnvFile(rootDir).match(/^BETTER_AUTH_SECRET=(.+)$/m);
-  return !!match && !!match[1] && match[1].trim().length > 0;
+  const envFile = readEnvFile(rootDir);
+  return [DEFAULT_SECRET_ENV, FALLBACK_SECRET_ENV].some((name) => {
+    const match = envFile.match(new RegExp(`^${name}=(.+)$`, "m"));
+    return !!match && !!match[1] && match[1].trim().length > 0;
+  });
 }
 function appendSecretToEnv(rootDir, secret) {
   const envPath = join(rootDir, ".env");
   let content = readEnvFile(rootDir);
   if (content.length > 0 && !content.endsWith("\n"))
     content += "\n";
-  content += `BETTER_AUTH_SECRET=${secret}
+  content += `${DEFAULT_SECRET_ENV}=${secret}
 `;
   writeFileSync(envPath, content, "utf-8");
 }
@@ -370,20 +462,20 @@ async function promptForSecret(rootDir, consola, options = {}) {
   const configuredSecret = options.configuredSecret?.trim();
   if (configuredSecret)
     return void 0;
-  if (process.env.BETTER_AUTH_SECRET || hasEnvSecret(rootDir))
+  if (process.env.NUXT_BETTER_AUTH_SECRET || process.env.BETTER_AUTH_SECRET || hasEnvSecret(rootDir))
     return void 0;
   const hasTty = Boolean(process.stdin.isTTY && process.stdout.isTTY);
   if (options.prepare || !hasTty) {
-    consola.warn("[nuxt-better-auth] Skipping BETTER_AUTH_SECRET prompt (non-interactive). Set BETTER_AUTH_SECRET or NUXT_BETTER_AUTH_SECRET.");
+    consola.warn("[nuxt-better-auth] Skipping NUXT_BETTER_AUTH_SECRET prompt (non-interactive). Set NUXT_BETTER_AUTH_SECRET or BETTER_AUTH_SECRET.");
     return void 0;
   }
   if (isCI || isTest) {
     const secret2 = generateSecret();
     appendSecretToEnv(rootDir, secret2);
-    consola.info("Generated BETTER_AUTH_SECRET and added to .env (CI/test mode)");
+    consola.info("Generated NUXT_BETTER_AUTH_SECRET and added to .env (CI/test mode)");
     return secret2;
   }
-  consola.box("BETTER_AUTH_SECRET is required for authentication.\nThis will be appended to your .env file.");
+  consola.box("NUXT_BETTER_AUTH_SECRET is required for authentication.\nThis will be appended to your .env file.\nBETTER_AUTH_SECRET is still supported as a fallback.");
   const choice = await consola.prompt("How do you want to set it?", {
     type: "select",
     options: [
@@ -394,7 +486,7 @@ async function promptForSecret(rootDir, consola, options = {}) {
     cancel: "null"
   });
   if (typeof choice === "symbol" || choice === "skip") {
-    consola.warn("Skipping BETTER_AUTH_SECRET. Auth will fail without it in production.");
+    consola.warn("Skipping NUXT_BETTER_AUTH_SECRET. Auth will fail without it in production.");
     return void 0;
   }
   let secret;
@@ -410,14 +502,14 @@ async function promptForSecret(rootDir, consola, options = {}) {
   }
   const preview = `${secret.slice(0, 8)}...${secret.slice(-4)}`;
   const confirm = await consola.prompt(`Add to .env:
-BETTER_AUTH_SECRET=${preview}
+${DEFAULT_SECRET_ENV}=${preview}
 Proceed?`, { type: "confirm", initial: true, cancel: "null" });
   if (typeof confirm === "symbol" || !confirm) {
     consola.info("Cancelled. Secret not written.");
     return void 0;
   }
   appendSecretToEnv(rootDir, secret);
-  consola.success("Added BETTER_AUTH_SECRET to .env");
+  consola.success("Added NUXT_BETTER_AUTH_SECRET to .env");
   return secret;
 }
 
@@ -778,15 +870,13 @@ declare module '#nuxt-better-auth' {
 }
 
 const consola = consola$1.withTag("nuxt-better-auth");
-function resolveDefaultClientConfig(options, rootDir, srcDir) {
-  if (options.clientConfig !== "app/auth.config")
-    return;
-  const srcDirRelative = srcDir.replace(`${rootDir}/`, "");
-  options.clientConfig = srcDirRelative === srcDir ? "auth.config" : `${srcDirRelative}/auth.config`;
-}
-async function createDefaultAuthConfigFiles(rootDir, srcDir) {
-  const serverPath = join(rootDir, "server/auth.config.ts");
-  const clientPath = join(srcDir, "auth.config.ts");
+async function createDefaultAuthConfigFiles(nuxt) {
+  const project = getLayerDirectories(nuxt)[0];
+  const rootDir = project.root;
+  const serverPath = join(project.server, "auth.config.ts");
+  const clientPath = join(project.app, "auth.config.ts");
+  const serverConfigFile = getEffectiveModuleConfigFile(nuxt, "server");
+  const clientConfigFile = getEffectiveModuleConfigFile(nuxt, "client");
   const serverTemplate = `import { defineServerAuth } from '@onmax/nuxt-better-auth/config'
 
 export default defineServerAuth({
@@ -797,16 +887,15 @@ export default defineServerAuth({
 
 export default defineClientAuth({})
 `;
-  if (!existsSync(serverPath)) {
+  if (shouldCreateDefaultModuleConfig(nuxt, "server", serverConfigFile)) {
     await mkdir(dirname(serverPath), { recursive: true });
     await writeFile(serverPath, serverTemplate);
-    consola.success("Created server/auth.config.ts");
+    consola.success(`Created ${relative(rootDir, serverPath)}`);
   }
-  if (!existsSync(clientPath)) {
+  if (shouldCreateDefaultModuleConfig(nuxt, "client", clientConfigFile)) {
     await mkdir(dirname(clientPath), { recursive: true });
     await writeFile(clientPath, clientTemplate);
-    const relativePath = clientPath.replace(`${rootDir}/`, "");
-    consola.success(`Created ${relativePath}`);
+    consola.success(`Created ${relative(rootDir, clientPath)}`);
   }
 }
 const module$1 = defineNuxtModule({
@@ -824,32 +913,25 @@ const module$1 = defineNuxtModule({
     const configuredSecret = nuxt.options.runtimeConfig?.betterAuthSecret;
     const generatedSecret = await promptForSecret(nuxt.options.rootDir, consola, { configuredSecret, prepare: Boolean(nuxt.options._prepare) });
     if (generatedSecret)
-      process.env.BETTER_AUTH_SECRET = generatedSecret;
-    await createDefaultAuthConfigFiles(nuxt.options.rootDir, nuxt.options.srcDir);
+      process.env.NUXT_BETTER_AUTH_SECRET = generatedSecret;
+    await createDefaultAuthConfigFiles(nuxt);
   },
   async setup(options, nuxt) {
     const resolver = createResolver(import.meta.url);
-    resolveDefaultClientConfig(options, nuxt.options.rootDir, nuxt.options.srcDir);
     const clientOnly = options.clientOnly;
     const serverConfigFile = options.serverConfig;
     const clientConfigFile = options.clientConfig;
-    const serverConfigPath = resolver.resolve(nuxt.options.rootDir, serverConfigFile);
-    const clientConfigPath = resolver.resolve(nuxt.options.rootDir, clientConfigFile);
+    const { file: resolvedServerConfigFile, path: serverConfigPath } = resolveModuleConfigPath(nuxt, "server", serverConfigFile);
+    const { file: resolvedClientConfigFile, path: clientConfigPath } = resolveModuleConfigPath(nuxt, "client", clientConfigFile);
     const serverConfigExists = existsSync(`${serverConfigPath}.ts`) || existsSync(`${serverConfigPath}.js`);
     const clientConfigExists = existsSync(`${clientConfigPath}.ts`) || existsSync(`${clientConfigPath}.js`);
     if (!clientOnly && !serverConfigExists)
-      throw new Error(`[nuxt-better-auth] Missing ${serverConfigFile}.ts - export default defineServerAuth(...)`);
+      throw new Error(`[nuxt-better-auth] Missing ${resolvedServerConfigFile}.ts - export default defineServerAuth(...)`);
     if (!clientConfigExists)
-      throw new Error(`[nuxt-better-auth] Missing ${clientConfigFile}.ts - export default defineClientAuth(...)`);
+      throw new Error(`[nuxt-better-auth] Missing ${resolvedClientConfigFile}.ts - export default defineClientAuth(...)`);
     const hasNuxtHub = hasNuxtModule("@nuxthub/core", nuxt);
     const hub = hasNuxtHub ? nuxt.options.hub : void 0;
     const hasHubDbAvailable = !clientOnly && hasNuxtHub && !!hub?.db;
-    const deprecatedProvider = options.database?.provider;
-    if (deprecatedProvider) {
-      throw new Error(
-        `[nuxt-better-auth] auth.database.provider has been removed. Remove auth.database.provider="${deprecatedProvider}". To configure a database, either set "database" directly in server/auth.config.ts (defineServerAuth) or install a provider module that registers better-auth:database:providers.`
-      );
-    }
     let databaseProvider = "none";
     let hasHubDb = false;
     nuxt.options.alias["#nuxt-better-auth"] = resolver.resolve("./runtime/types/augment");

package/dist/runtime/app/composables/useUserSession.js

@@ -1,11 +1,13 @@
 import createAppAuthClient from "#auth/client";
-import { computed, navigateTo, nextTick, useNuxtApp, useRequestFetch, useRequestHeaders, useRequestURL, useRuntimeConfig, useState, watch } from "#imports";
+import { computed, navigateTo, nextTick, useNuxtApp, useRequestURL, useRuntimeConfig, useState, watch } from "#imports";
 import { normalizeAuthActionError } from "../internal/auth-action-error.js";
+import { resolvePostAuthSuccessRedirect, withFallbackSocialCallbackURL } from "../internal/redirect-helpers.js";
+import { fetchSessionClient, fetchSessionServer, stripToken } from "../internal/session-fetch.js";
+import { isRecord } from "../internal/utils.js";
+import { wrapAuthMethod } from "../internal/wrap-auth-method.js";
 let _sessionSignalListenerBound = false;
+let _signOutPromise = null;
 let _client = null;
-function isRecord(value) {
-  return Boolean(value && typeof value === "object");
-}
 function getClient(baseURL) {
   if (!_client)
     _client = createAppAuthClient(baseURL);
@@ -88,6 +90,12 @@ export function useUserSession() {
     session.value = null;
     user.value = null;
   }
+  async function fetchSession(options = {}) {
+    if (runtimeFlags.server)
+      return fetchSessionServer(session, user, authReady, options);
+    if (client)
+      return fetchSessionClient(client, session, user, authReady, options);
+  }
   async function updateUser(updates) {
     if (!user.value)
       return;
@@ -122,8 +130,7 @@ export function useUserSession() {
         if (shouldWaitForPrerenderResolution)
           return;
         if (newSession?.data?.session && newSession?.data?.user) {
-          const { token: _, ...safeSession } = newSession.data.session;
-          session.value = safeSession;
+          session.value = stripToken(newSession.data.session);
           user.value = newSession.data.user;
         } else if (!newSession?.isPending && !newSession?.isRefetching) {
           const isHydrationEmptySnapshot = nuxtApp.isHydrating && nuxtApp.payload.serverRendered && Boolean(session.value && user.value) && !newSession?.data?.session && !newSession?.data?.user;
@@ -163,107 +170,12 @@ export function useUserSession() {
       }, 5e3);
     });
   }
-  function isSafeLocalRedirect(redirect) {
-    if (typeof redirect !== "string")
-      return;
-    if (!redirect.startsWith("/") || redirect.startsWith("//"))
-      return;
-    return redirect;
-  }
-  function resolvePostAuthRedirect() {
-    const authConfig = runtimeConfig.public.auth;
-    const redirectQueryKey = authConfig?.redirectQueryKey ?? "redirect";
-    const queryRedirect = requestURL.searchParams?.get(redirectQueryKey);
-    const safeQueryRedirect = isSafeLocalRedirect(queryRedirect);
-    if (safeQueryRedirect)
-      return safeQueryRedirect;
-    return isSafeLocalRedirect(authConfig?.redirects?.authenticated);
-  }
-  function resolvePostAuthSuccessRedirect() {
-    const target = resolvePostAuthRedirect();
-    if (!target)
-      return;
-    return async () => {
-      await navigateTo(target);
-    };
-  }
-  function withFallbackSocialCallbackURL(data) {
-    const callbackURL = resolvePostAuthRedirect();
-    if (!callbackURL)
-      return data;
-    if (!isRecord(data))
-      return { callbackURL };
-    if (typeof data.callbackURL === "string")
-      return data;
-    return {
-      ...data,
-      callbackURL
-    };
-  }
-  function wrapOnSuccess(cb) {
-    return async (ctx) => {
-      await fetchSession({ force: true });
-      if (!loggedIn.value)
-        await waitForSession();
-      await nextTick();
-      await cb(ctx);
-    };
-  }
-  function wrapAuthMethod(method, wrapOptions = {}) {
-    return (async (...args) => {
-      const originalData = args[0];
-      const options = args[1];
-      const data = wrapOptions.transformData?.(originalData, options) ?? originalData;
-      const dataRecord = isRecord(data) ? data : void 0;
-      const optionsRecord = isRecord(options) ? options : void 0;
-      if (wrapOptions.shouldSkipSessionSync?.(data, options))
-        return method(data, options);
-      const fetchOptions = isRecord(dataRecord?.fetchOptions) ? dataRecord.fetchOptions : void 0;
-      const nestedOnSuccess = fetchOptions?.onSuccess;
-      const topLevelOnSuccess = optionsRecord?.onSuccess;
-      const fallbackOnSuccess = resolvePostAuthSuccessRedirect();
-      const wrappedFallbackOnSuccess = fallbackOnSuccess && wrapOnSuccess(async () => {
-        if (!loggedIn.value)
-          return;
-        await fallbackOnSuccess();
-      });
-      if (typeof nestedOnSuccess === "function") {
-        const nextData = {
-          ...dataRecord,
-          fetchOptions: {
-            ...fetchOptions,
-            onSuccess: wrapOnSuccess(nestedOnSuccess)
-          }
-        };
-        return method(nextData, options);
-      }
-      if (typeof topLevelOnSuccess === "function") {
-        const nextOptions = {
-          ...optionsRecord,
-          onSuccess: wrapOnSuccess(topLevelOnSuccess)
-        };
-        return method(data, nextOptions);
-      }
-      if (wrappedFallbackOnSuccess) {
-        if (fetchOptions) {
-          const nextData = {
-            ...dataRecord,
-            fetchOptions: {
-              ...fetchOptions,
-              onSuccess: wrappedFallbackOnSuccess
-            }
-          };
-          return method(nextData, options);
-        }
-        const nextOptions = {
-          ...optionsRecord,
-          onSuccess: wrappedFallbackOnSuccess
-        };
-        return method(data, nextOptions);
-      }
-      return method(data, options);
-    });
-  }
+  const wrapDeps = {
+    fetchSession,
+    loggedIn,
+    waitForSession,
+    resolvePostAuthSuccessRedirect: () => resolvePostAuthSuccessRedirect(requestURL)
+  };
   const signIn = client?.signIn ? new Proxy(client.signIn, {
     get(target, prop) {
       const targetRecord = target;
@@ -274,9 +186,10 @@ export function useUserSession() {
         const socialData = isRecord(data) ? data : void 0;
         return socialData?.disableRedirect !== true;
       } : void 0;
-      const transformData = prop === "social" ? withFallbackSocialCallbackURL : void 0;
+      const transformData = prop === "social" ? (data) => withFallbackSocialCallbackURL(data, requestURL) : void 0;
       return wrapAuthMethod(
         (...args) => targetRecord[prop](...args),
+        wrapDeps,
         { shouldSkipSessionSync, transformData }
       );
     }
@@ -291,73 +204,40 @@ export function useUserSession() {
       const method = targetRecord[prop];
       if (typeof method !== "function")
         return method;
-      return wrapAuthMethod((...args) => targetRecord[prop](...args));
+      return wrapAuthMethod((...args) => targetRecord[prop](...args), wrapDeps);
     }
   }) : new Proxy({}, {
     get: (_, prop) => {
       throw new Error(`signUp.${String(prop)}() can only be called on client-side`);
     }
   });
-  async function fetchSession(options = {}) {
-    if (runtimeFlags.server) {
-      try {
-        const headers = options.headers || useRequestHeaders(["cookie"]);
-        const requestFetch = useRequestFetch();
-        const data = await requestFetch("/api/auth/get-session", { headers });
-        if (data?.session && data?.user) {
-          const { token: _, ...safeSession } = data.session;
-          session.value = safeSession;
-          user.value = data.user;
-        } else {
-          clearSession();
-        }
-      } catch {
-        clearSession();
-      } finally {
-        if (!authReady.value)
-          authReady.value = true;
-      }
-      return;
-    }
-    if (client) {
-      try {
-        const headers = options.headers || useRequestHeaders(["cookie"]);
-        const fetchOptions = headers ? { headers } : void 0;
-        const query = options.force ? { disableCookieCache: true } : void 0;
-        const result = await client.getSession({ query }, fetchOptions);
-        const data = result.data;
-        if (data?.session && data?.user) {
-          const { token: _, ...safeSession } = data.session;
-          session.value = safeSession;
-          user.value = data.user;
-        } else {
-          clearSession();
-        }
-      } catch (error) {
-        clearSession();
-        console.error("[nuxt-better-auth] Failed to fetch session:", error);
-      } finally {
-        if (!authReady.value)
-          authReady.value = true;
-      }
-    }
-  }
   if (runtimeFlags.client && client && shouldSkipInitialClientSessionFetch.value) {
     ensureSessionSignalListener(client, () => fetchSession({ force: true }));
   }
   async function signOut(options) {
     if (!client)
       throw new Error("signOut can only be called on client-side");
-    await client.signOut();
-    clearSession();
-    if (options?.onSuccess) {
-      await options.onSuccess();
+    if (_signOutPromise) {
+      await _signOutPromise;
       return;
     }
-    const authConfig = runtimeConfig.public.auth;
-    const logoutRedirect = authConfig?.redirects?.logout;
-    if (logoutRedirect)
-      await navigateTo(logoutRedirect);
+    _signOutPromise = (async () => {
+      await client.signOut();
+      clearSession();
+      if (options?.onSuccess) {
+        await options.onSuccess();
+        return;
+      }
+      const authConfig = runtimeConfig.public.auth;
+      const logoutRedirect = authConfig?.redirects?.logout;
+      if (logoutRedirect) {
+        await nextTick();
+        await navigateTo(logoutRedirect);
+      }
+    })().finally(() => {
+      _signOutPromise = null;
+    });
+    await _signOutPromise;
   }
   return {
     client,

package/dist/runtime/app/internal/auth-action-error.js

@@ -1,7 +1,5 @@
+import { isRecord } from "./utils.js";
 export const DEFAULT_AUTH_ACTION_ERROR_MESSAGE = "Request failed. Please try again.";
-function isRecord(value) {
-  return Boolean(value && typeof value === "object");
-}
 function getMessage(value) {
   if (value instanceof Error)
     return value.message;

package/dist/runtime/app/internal/auth-action-handles.js

@@ -1,8 +1,6 @@
 import { ref } from "#imports";
 import { normalizeAuthActionError } from "./auth-action-error.js";
-function isRecord(value) {
-  return Boolean(value && typeof value === "object");
-}
+import { isRecord } from "./utils.js";
 function isErrorResult(value) {
   if (!isRecord(value))
     return false;

package/dist/runtime/app/internal/redirect-helpers.d.ts

@@ -0,0 +1,4 @@
+export declare function isSafeLocalRedirect(redirect: unknown): string | undefined;
+export declare function resolvePostAuthRedirect(requestURL: URL): string | undefined;
+export declare function resolvePostAuthSuccessRedirect(requestURL: URL): (() => Promise<void>) | undefined;
+export declare function withFallbackSocialCallbackURL(data: unknown, requestURL: URL): unknown;

package/dist/runtime/app/internal/redirect-helpers.js

@@ -0,0 +1,37 @@
+import { navigateTo, useRuntimeConfig } from "#imports";
+import { isRecord } from "./utils.js";
+export function isSafeLocalRedirect(redirect) {
+  if (typeof redirect !== "string")
+    return;
+  if (!redirect.startsWith("/") || redirect.startsWith("//"))
+    return;
+  return redirect;
+}
+export function resolvePostAuthRedirect(requestURL) {
+  const runtimeConfig = useRuntimeConfig();
+  const authConfig = runtimeConfig.public.auth;
+  const redirectQueryKey = authConfig?.redirectQueryKey ?? "redirect";
+  const queryRedirect = requestURL.searchParams?.get(redirectQueryKey);
+  const safeQueryRedirect = isSafeLocalRedirect(queryRedirect);
+  if (safeQueryRedirect)
+    return safeQueryRedirect;
+  return isSafeLocalRedirect(authConfig?.redirects?.authenticated);
+}
+export function resolvePostAuthSuccessRedirect(requestURL) {
+  const target = resolvePostAuthRedirect(requestURL);
+  if (!target)
+    return;
+  return async () => {
+    await navigateTo(target);
+  };
+}
+export function withFallbackSocialCallbackURL(data, requestURL) {
+  const callbackURL = resolvePostAuthRedirect(requestURL);
+  if (!callbackURL)
+    return data;
+  if (!isRecord(data))
+    return { callbackURL };
+  if (typeof data.callbackURL === "string")
+    return data;
+  return { ...data, callbackURL };
+}

package/dist/runtime/app/internal/session-fetch.d.ts

@@ -0,0 +1,12 @@
+import type { AppAuthClient, AuthSession, AuthUser } from '#nuxt-better-auth';
+import type { Ref } from 'vue';
+export declare function stripToken(session: AuthSession & {
+    token?: string;
+}): AuthSession;
+export declare function fetchSessionServer(session: Ref<AuthSession | null>, user: Ref<AuthUser | null>, authReady: Ref<boolean>, options?: {
+    headers?: HeadersInit;
+}): Promise<void>;
+export declare function fetchSessionClient(client: AppAuthClient, session: Ref<AuthSession | null>, user: Ref<AuthUser | null>, authReady: Ref<boolean>, options?: {
+    headers?: HeadersInit;
+    force?: boolean;
+}): Promise<void>;

package/dist/runtime/app/internal/session-fetch.js

@@ -0,0 +1,56 @@
+import { useRequestFetch, useRequestHeaders } from "#imports";
+import { normalizeAuthActionError } from "./auth-action-error.js";
+export function stripToken(session) {
+  const { token: _, ...safe } = session;
+  return safe;
+}
+function isExpectedSignedOutSessionError(error) {
+  const normalizedError = normalizeAuthActionError(error);
+  if (normalizedError.status === 401)
+    return true;
+  return normalizedError.code === "UNAUTHORIZED";
+}
+export async function fetchSessionServer(session, user, authReady, options = {}) {
+  try {
+    const headers = options.headers || useRequestHeaders(["cookie"]);
+    const requestFetch = useRequestFetch();
+    const data = await requestFetch("/api/auth/get-session", { headers });
+    if (data?.session && data?.user) {
+      session.value = stripToken(data.session);
+      user.value = data.user;
+    } else {
+      session.value = null;
+      user.value = null;
+    }
+  } catch {
+    session.value = null;
+    user.value = null;
+  } finally {
+    if (!authReady.value)
+      authReady.value = true;
+  }
+}
+export async function fetchSessionClient(client, session, user, authReady, options = {}) {
+  try {
+    const headers = options.headers || useRequestHeaders(["cookie"]);
+    const fetchOptions = headers ? { headers } : void 0;
+    const query = options.force ? { disableCookieCache: true } : void 0;
+    const result = await client.getSession({ query }, fetchOptions);
+    const data = result.data;
+    if (data?.session && data?.user) {
+      session.value = stripToken(data.session);
+      user.value = data.user;
+    } else {
+      session.value = null;
+      user.value = null;
+    }
+  } catch (error) {
+    session.value = null;
+    user.value = null;
+    if (!isExpectedSignedOutSessionError(error))
+      console.error("[nuxt-better-auth] Failed to fetch session:", error);
+  } finally {
+    if (!authReady.value)
+      authReady.value = true;
+  }
+}

package/dist/runtime/app/internal/utils.d.ts

@@ -0,0 +1 @@
+export declare function isRecord(value: unknown): value is Record<string, unknown>;

package/dist/runtime/app/internal/utils.js

@@ -0,0 +1,3 @@
+export function isRecord(value) {
+  return Boolean(value && typeof value === "object");
+}

package/dist/runtime/app/internal/wrap-auth-method.d.ts

@@ -0,0 +1,15 @@
+import type { ComputedRef } from 'vue';
+export declare function wrapOnSuccess(fetchSession: (options?: {
+    force?: boolean;
+}) => Promise<void>, loggedIn: ComputedRef<boolean>, waitForSession: () => Promise<void>, cb: (ctx: unknown) => void | Promise<void>): (ctx: unknown) => Promise<void>;
+export declare function wrapAuthMethod<T extends (...args: unknown[]) => Promise<unknown>>(method: T, deps: {
+    fetchSession: (options?: {
+        force?: boolean;
+    }) => Promise<void>;
+    loggedIn: ComputedRef<boolean>;
+    waitForSession: () => Promise<void>;
+    resolvePostAuthSuccessRedirect: () => (() => Promise<void>) | undefined;
+}, wrapOptions?: {
+    shouldSkipSessionSync?: (data: unknown, options: unknown) => boolean;
+    transformData?: (data: unknown, options: unknown) => unknown;
+}): T;

package/dist/runtime/app/internal/wrap-auth-method.js

@@ -0,0 +1,66 @@
+import { nextTick } from "#imports";
+import { isRecord } from "./utils.js";
+export function wrapOnSuccess(fetchSession, loggedIn, waitForSession, cb) {
+  return async (ctx) => {
+    await fetchSession({ force: true });
+    if (!loggedIn.value)
+      await waitForSession();
+    await nextTick();
+    await cb(ctx);
+  };
+}
+export function wrapAuthMethod(method, deps, wrapOptions = {}) {
+  return (async (...args) => {
+    const originalData = args[0];
+    const options = args[1];
+    const data = wrapOptions.transformData?.(originalData, options) ?? originalData;
+    const dataRecord = isRecord(data) ? data : void 0;
+    const optionsRecord = isRecord(options) ? options : void 0;
+    if (wrapOptions.shouldSkipSessionSync?.(data, options))
+      return method(data, options);
+    const fetchOptions = isRecord(dataRecord?.fetchOptions) ? dataRecord.fetchOptions : void 0;
+    const nestedOnSuccess = fetchOptions?.onSuccess;
+    const topLevelOnSuccess = optionsRecord?.onSuccess;
+    const fallbackOnSuccess = deps.resolvePostAuthSuccessRedirect();
+    const wrappedFallbackOnSuccess = fallbackOnSuccess && wrapOnSuccess(deps.fetchSession, deps.loggedIn, deps.waitForSession, async () => {
+      if (!deps.loggedIn.value)
+        return;
+      await fallbackOnSuccess();
+    });
+    if (typeof nestedOnSuccess === "function") {
+      const nextData = {
+        ...dataRecord,
+        fetchOptions: {
+          ...fetchOptions,
+          onSuccess: wrapOnSuccess(deps.fetchSession, deps.loggedIn, deps.waitForSession, nestedOnSuccess)
+        }
+      };
+      return method(nextData, options);
+    }
+    if (typeof topLevelOnSuccess === "function") {
+      const nextOptions = {
+        ...optionsRecord,
+        onSuccess: wrapOnSuccess(deps.fetchSession, deps.loggedIn, deps.waitForSession, topLevelOnSuccess)
+      };
+      return method(data, nextOptions);
+    }
+    if (wrappedFallbackOnSuccess) {
+      if (fetchOptions) {
+        const nextData = {
+          ...dataRecord,
+          fetchOptions: {
+            ...fetchOptions,
+            onSuccess: wrappedFallbackOnSuccess
+          }
+        };
+        return method(nextData, options);
+      }
+      const nextOptions = {
+        ...optionsRecord,
+        onSuccess: wrappedFallbackOnSuccess
+      };
+      return method(data, nextOptions);
+    }
+    return method(data, options);
+  });
+}

package/dist/runtime/config.d.ts

@@ -1,6 +1,6 @@
 import type { BetterAuthOptions, BetterAuthPlugin } from 'better-auth';
 import type { BetterAuthClientOptions } from 'better-auth/client';
-import type { CasingOption } from '../schema-generator.js';
+import type { Casing } from 'drizzle-orm/utils';
 import type { ServerAuthContext } from './types/augment.js';
 import { createAuthClient } from 'better-auth/vue';
 export type { ServerAuthContext };
@@ -20,9 +20,9 @@ export type EffectiveDatabaseProviderId = 'user' | ModuleDatabaseProviderId;
 export interface BetterAuthModuleOptions {
     /** Client-only mode - skip server setup for external auth backends */
     clientOnly?: boolean;
-    /** Server config path relative to rootDir. Default: 'server/auth.config' */
+    /** Server config path. Relative paths resolve from the layer that declares them. Default: 'server/auth.config' */
     serverConfig?: string;
-    /** Client config path relative to rootDir. Default: 'app/auth.config' */
+    /** Client config path. Relative paths resolve from the layer that declares them. Default: 'app/auth.config' */
     clientConfig?: string;
     redirects?: {
         /** Where to redirect unauthenticated users. Default: '/login' */
@@ -69,7 +69,7 @@ export interface BetterAuthModuleOptions {
         /** Plural table names: user → users. Default: false */
         usePlural?: boolean;
         /** Column/table name casing. Explicit value takes precedence over hub.db.casing. */
-        casing?: CasingOption;
+        casing?: Casing;
     };
 }
 export interface AuthRuntimeConfig {

package/dist/runtime/config.js

@@ -6,6 +6,8 @@ export function defineClientAuth(config) {
   return (baseURL) => {
     const ctx = { siteUrl: baseURL };
     const resolved = typeof config === "function" ? config(ctx) : config;
-    return createAuthClient({ ...resolved, baseURL });
+    const { baseURL: configuredBaseURL, ...resolvedOptions } = resolved;
+    const clientOptions = { ...resolvedOptions, baseURL: configuredBaseURL ?? baseURL };
+    return createAuthClient(clientOptions);
   };
 }

package/dist/runtime/server/api/_better-auth/_schema.js

@@ -1,4 +1,5 @@
 import { z } from "zod";
+const SQL_LIKE_ESCAPE_RE = /[%_\\]/g;
 export const paginationQuerySchema = z.object({
   page: z.coerce.number().int().min(1).default(1),
   limit: z.coerce.number().int().min(1).max(100).default(20),
@@ -7,5 +8,5 @@ export const paginationQuerySchema = z.object({
 export function sanitizeSearchPattern(search) {
   if (!search)
     return "";
-  return `%${search.replace(/[%_\\]/g, "\\$&")}%`;
+  return `%${search.replace(SQL_LIKE_ESCAPE_RE, "\\$&")}%`;
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@onmax/nuxt-better-auth",
   "type": "module",
-  "version": "0.0.2-alpha.30",
+  "version": "0.0.2-alpha.31",
   "packageManager": "pnpm@10.15.1",
   "description": "Nuxt module for Better Auth integration with NuxtHub, route protection, session management, and role-based access",
   "author": "onmax",
@@ -11,14 +11,6 @@
     "type": "git",
     "url": "https://github.com/nuxt-modules/better-auth"
   },
-  "agents": {
-    "skills": [
-      {
-        "name": "nuxt-better-auth",
-        "path": "./skills/nuxt-better-auth"
-      }
-    ]
-  },
   "exports": {
     ".": {
       "types": "./dist/types.d.mts",
@@ -41,8 +33,7 @@
     }
   },
   "files": [
-    "dist",
-    "skills"
+    "dist"
   ],
   "scripts": {
     "prepack": "nuxt-module-build build",
@@ -77,13 +68,13 @@
     "jiti": "^2.6.1",
     "pathe": "^2.0.3",
     "radix3": "^1.1.2",
-    "std-env": "^3.10.0"
+    "std-env": "^4.0.0"
   },
   "devDependencies": {
     "@antfu/eslint-config": "^7.6.1",
     "@libsql/client": "^0.17.0",
     "@libsql/linux-x64-gnu": "0.5.22",
-    "@nuxt/devtools": "^3.2.2",
+    "@nuxt/devtools": "^3.2.3",
     "@nuxt/devtools-kit": "^3.2.2",
     "@nuxt/module-builder": "^1.0.2",
     "@nuxt/schema": "^4.3.1",
@@ -91,14 +82,14 @@
     "@nuxthub/core": "^0.10.6",
     "@types/better-sqlite3": "^7.6.13",
     "@types/node": "latest",
-    "better-auth": "1.5.0",
+    "better-auth": "1.5.5",
     "better-sqlite3": "^12.6.2",
-    "bumpp": "^10.4.1",
+    "bumpp": "^11.0.0",
     "changelogen": "^0.6.2",
     "consola": "^3.4.2",
     "drizzle-kit": "^0.31.9",
     "drizzle-orm": "^0.45.1",
-    "eslint": "^10.0.2",
+    "eslint": "^10.0.3",
     "npm-agentskills": "https://pkg.pr.new/onmax/npm-agentskills@394499e",
     "nuxt": "^4.3.1",
     "tinyexec": "^1.0.2",