@revealui/auth 0.0.1-pre.0

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/index.js

@@ -0,0 +1,156 @@
+import { baModelFieldKeys, baModelKey, baseSlugs, defaults, supportedBAPluginIds } from "@/better-auth/plugin/constants";
+import { set } from "../../utils/set";
+import { getSchemaCollectionSlug, getSchemaFieldName } from "../build-collections/utils/collection-schema";
+import { configureAdminPlugin } from "./admin-plugin";
+import { configureApiKeyPlugin } from "./api-key-plugin";
+import { configureDeviceAuthorizationPlugin } from "./device-authorization-plugin";
+import { configureOidcPlugin } from "./oidc-plugin";
+import { configureOrganizationPlugin } from "./organizations-plugin";
+import { configurePasskeyPlugin } from "./passkey-plugin";
+import { configureSsoPlugin } from "./sso-plugin";
+import { configureTwoFactorPlugin } from "./two-factor-plugin";
+import { ensurePasswordSetBeforeUserCreate } from "./utils/ensure-password-set-before-create";
+import { hashPassword, verifyPassword } from "./utils/password";
+import { requireAdminInviteForSignUpMiddleware } from "./utils/require-admin-invite-for-sign-up-middleware";
+import { saveToJwtMiddleware } from "./utils/save-to-jwt-middleware";
+import { useAdminInviteAfterEmailSignUpMiddleware } from "./utils/use-admin-invite-after-email-sign-up-middleware";
+/**
+ * Sanitizes the BetterAuth options
+ */ export function sanitizeBetterAuthOptions({ config, pluginOptions, resolvedSchemas }) {
+    const betterAuthOptions = {
+        ...pluginOptions.betterAuthOptions ?? {}
+    };
+    // Ensure required option groups are always defined to satisfy exactOptionalPropertyTypes
+    betterAuthOptions.user = betterAuthOptions.user || {};
+    betterAuthOptions.session = betterAuthOptions.session || {};
+    betterAuthOptions.account = betterAuthOptions.account || {};
+    betterAuthOptions.verification = betterAuthOptions.verification || {};
+    betterAuthOptions.advanced = betterAuthOptions.advanced || {};
+    const userCollectionSlug = getSchemaCollectionSlug(resolvedSchemas, baModelKey.user);
+    const adminInvitationCollectionSlug = pluginOptions.adminInvitations?.slug ?? baseSlugs.adminInvitations;
+    set(betterAuthOptions, `${baModelKey.user}.modelName`, userCollectionSlug);
+    set(betterAuthOptions, `${baModelKey.user}.additionalFields.role`, {
+        defaultValue: pluginOptions.users?.defaultRole || defaults.userRole,
+        input: false,
+        type: 'string'
+    });
+    const baseModels = [
+        baModelKey.account,
+        baModelKey.session,
+        baModelKey.verification
+    ];
+    baseModels.forEach((model)=>set(betterAuthOptions, `${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model)));
+    set(betterAuthOptions, `${baModelKey.account}.fields.userId`, getSchemaFieldName(resolvedSchemas, baModelKey.account, baModelFieldKeys.account.userId));
+    set(betterAuthOptions, `${baModelKey.session}.fields.userId`, getSchemaFieldName(resolvedSchemas, baModelKey.session, baModelFieldKeys.session.userId));
+    set(betterAuthOptions, 'emailAndPassword.enabled', betterAuthOptions.emailAndPassword?.enabled ?? true);
+    // Configure password handling
+    if (betterAuthOptions.emailAndPassword?.enabled && !pluginOptions.disableDefaultPayloadAuth) {
+        betterAuthOptions.emailAndPassword.password = {
+            ...betterAuthOptions.emailAndPassword.password || {},
+            hash: (password)=>hashPassword(password),
+            verify: ({ hash, password, salt })=>salt !== undefined ? verifyPassword({
+                    hash,
+                    password,
+                    salt
+                }) : verifyPassword({
+                    hash,
+                    password
+                })
+        };
+    }
+    // Handle admin invite for sign up
+    if (pluginOptions.requireAdminInviteForSignUp) {
+        betterAuthOptions.socialProviders = betterAuthOptions.socialProviders || {};
+        betterAuthOptions.socialProviders = Object.fromEntries(Object.entries(betterAuthOptions.socialProviders).map(([provider, config])=>[
+                provider,
+                // Using Record<string, unknown> because provider config structure varies by provider type and cannot be strictly typed
+                {
+                    ...config ?? {},
+                    disableImplicitSignUp: true
+                }
+            ]));
+        requireAdminInviteForSignUpMiddleware({
+            options: betterAuthOptions,
+            pluginOptions
+        });
+    }
+    // eslint-disable-next-line react-hooks/rules-of-hooks -- This is not a React hook, just misnamed (starts with "use")
+    useAdminInviteAfterEmailSignUpMiddleware({
+        adminInvitationCollectionSlug,
+        options: betterAuthOptions,
+        userCollectionSlug
+    });
+    // Handle verification email blocking
+    if (pluginOptions.users?.blockFirstBetterAuthVerificationEmail && !pluginOptions.disableDefaultPayloadAuth) {
+        const originalSendEmail = betterAuthOptions?.emailVerification?.sendVerificationEmail;
+        if (typeof originalSendEmail === 'function') {
+            betterAuthOptions.emailVerification = betterAuthOptions.emailVerification ?? {};
+            betterAuthOptions.emailVerification.sendVerificationEmail = async (...args)=>{
+                try {
+                    const [data] = args;
+                    const timeSinceCreation = new Date().getTime() - new Date(data.user.createdAt).getTime();
+                    // Skip if user was created less than a minute ago (rely on Payload's email)
+                    if (timeSinceCreation >= 60000) {
+                        await originalSendEmail(...args);
+                    }
+                } catch (error) {
+                    // Use payload logger if available in context
+                    const [, request] = args;
+                    // Using Record<string, unknown> because BetterAuth middleware request structure varies by context and cannot be strictly typed
+                    const payload = request?.payload;
+                    if (payload?.logger) {
+                        payload.logger.error('Error sending verification email', {
+                            error: error instanceof Error ? error.message : String(error),
+                            stack: error instanceof Error ? error.stack : undefined
+                        });
+                    } else {
+                        console.error('Error sending verification email:', error);
+                    }
+                }
+            };
+        }
+    }
+    // Ensure password is set before user creation
+    if (!pluginOptions.disableDefaultPayloadAuth) {
+        ensurePasswordSetBeforeUserCreate(betterAuthOptions);
+    }
+    // Process plugins
+    if (betterAuthOptions.plugins?.length) {
+        try {
+            // Filter to only supported plugins
+            const supportedPlugins = betterAuthOptions.plugins.filter((plugin)=>Object.values(supportedBAPluginIds).includes(plugin.id));
+            // Log warning for unsupported plugins
+            if (supportedPlugins.length !== betterAuthOptions.plugins.length) {
+                const unsupportedIds = betterAuthOptions.plugins.filter((p)=>!Object.values(supportedBAPluginIds).includes(p.id)).map((p)=>p.id).join(', ');
+                // Log warning for unsupported plugins - use console.warn as fallback since this runs during config initialization
+                console.warn(`Unsupported BetterAuth plugins: ${unsupportedIds}. Supported: ${Object.values(supportedBAPluginIds).join(', ')}`);
+            }
+            // Configure plugins by type
+            const pluginConfigurators = {
+                [supportedBAPluginIds.admin]: (p)=>configureAdminPlugin(p, pluginOptions),
+                [supportedBAPluginIds.apiKey]: (p)=>configureApiKeyPlugin(p, resolvedSchemas),
+                [supportedBAPluginIds.deviceAuthorization]: (p)=>configureDeviceAuthorizationPlugin(p, resolvedSchemas),
+                [supportedBAPluginIds.oidc]: (p)=>configureOidcPlugin(p, resolvedSchemas),
+                [supportedBAPluginIds.organization]: (p)=>configureOrganizationPlugin(p, resolvedSchemas),
+                [supportedBAPluginIds.passkey]: (p)=>configurePasskeyPlugin(p, resolvedSchemas),
+                [supportedBAPluginIds.sso]: (p)=>configureSsoPlugin(p, resolvedSchemas),
+                [supportedBAPluginIds.twoFactor]: (p)=>configureTwoFactorPlugin(p, resolvedSchemas)
+            };
+            supportedPlugins.forEach((plugin)=>{
+                const configurator = pluginConfigurators[plugin.id];
+                if (configurator) configurator(plugin);
+            });
+            betterAuthOptions.plugins = supportedPlugins;
+        } catch (error) {
+            throw new Error(`Error sanitizing BetterAuth plugins: ${error}`);
+        }
+    }
+    saveToJwtMiddleware({
+        config,
+        resolvedSchemas,
+        sanitizedOptions: betterAuthOptions
+    });
+    return betterAuthOptions;
+}
+
+//# sourceMappingURL=index.js.map

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../src/better-auth/plugin/lib/sanitize-better-auth-options/index.ts"],"sourcesContent":["import {\n  baModelFieldKeys,\n  baModelKey,\n  baseSlugs,\n  defaults,\n  supportedBAPluginIds,\n} from '@/better-auth/plugin/constants';\n\nimport { set } from '../../utils/set';\nimport {\n  getSchemaCollectionSlug,\n  getSchemaFieldName,\n} from '../build-collections/utils/collection-schema';\nimport { configureAdminPlugin } from './admin-plugin';\nimport { configureApiKeyPlugin } from './api-key-plugin';\nimport { configureDeviceAuthorizationPlugin } from './device-authorization-plugin';\nimport { configureOidcPlugin } from './oidc-plugin';\nimport { configureOrganizationPlugin } from './organizations-plugin';\nimport { configurePasskeyPlugin } from './passkey-plugin';\nimport { configureSsoPlugin } from './sso-plugin';\nimport { configureTwoFactorPlugin } from './two-factor-plugin';\nimport { ensurePasswordSetBeforeUserCreate } from './utils/ensure-password-set-before-create';\nimport { hashPassword, verifyPassword } from './utils/password';\nimport { requireAdminInviteForSignUpMiddleware } from './utils/require-admin-invite-for-sign-up-middleware';\nimport { saveToJwtMiddleware } from './utils/save-to-jwt-middleware';\nimport { useAdminInviteAfterEmailSignUpMiddleware } from './utils/use-admin-invite-after-email-sign-up-middleware';\n\nimport type {\n  BetterAuthPluginOptions,\n  BetterAuthSchemas,\n  SanitizedBetterAuthOptions,\n} from '@/better-auth/plugin/types';\n// BetterAuthPlugin type - using any for plugin type since better-auth doesn't export a specific type\ntype BetterAuthPluginType = any;\nimport type { Config, Payload } from 'payload';\n\n/**\n * Sanitizes the BetterAuth options\n */\nexport function sanitizeBetterAuthOptions({\n  config,\n  pluginOptions,\n  resolvedSchemas,\n}: {\n  config: Payload['config'] | Config | Promise<Payload['config'] | Config>;\n  pluginOptions: BetterAuthPluginOptions;\n  resolvedSchemas: BetterAuthSchemas;\n}): SanitizedBetterAuthOptions {\n  const betterAuthOptions: Partial<SanitizedBetterAuthOptions> = {\n    ...(pluginOptions.betterAuthOptions ?? {}),\n  };\n\n  // Ensure required option groups are always defined to satisfy exactOptionalPropertyTypes\n  betterAuthOptions.user =\n    betterAuthOptions.user || ({} as NonNullable<SanitizedBetterAuthOptions['user']>);\n  betterAuthOptions.session =\n    betterAuthOptions.session || ({} as NonNullable<SanitizedBetterAuthOptions['session']>);\n  betterAuthOptions.account =\n    betterAuthOptions.account || ({} as NonNullable<SanitizedBetterAuthOptions['account']>);\n  betterAuthOptions.verification =\n    betterAuthOptions.verification ||\n    ({} as NonNullable<SanitizedBetterAuthOptions['verification']>);\n  betterAuthOptions.advanced =\n    betterAuthOptions.advanced || ({} as NonNullable<SanitizedBetterAuthOptions['advanced']>);\n\n  const userCollectionSlug = getSchemaCollectionSlug(resolvedSchemas, baModelKey.user);\n  const adminInvitationCollectionSlug =\n    pluginOptions.adminInvitations?.slug ?? baseSlugs.adminInvitations;\n\n  set(betterAuthOptions, `${baModelKey.user}.modelName`, userCollectionSlug);\n  set(betterAuthOptions, `${baModelKey.user}.additionalFields.role`, {\n    defaultValue: pluginOptions.users?.defaultRole || defaults.userRole,\n    input: false,\n    type: 'string',\n  });\n\n  const baseModels = [baModelKey.account, baModelKey.session, baModelKey.verification] as const;\n  baseModels.forEach(model =>\n    set(betterAuthOptions, `${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model))\n  );\n\n  set(\n    betterAuthOptions,\n    `${baModelKey.account}.fields.userId`,\n    getSchemaFieldName(resolvedSchemas, baModelKey.account, baModelFieldKeys.account.userId)\n  );\n  set(\n    betterAuthOptions,\n    `${baModelKey.session}.fields.userId`,\n    getSchemaFieldName(resolvedSchemas, baModelKey.session, baModelFieldKeys.session.userId)\n  );\n\n  set(\n    betterAuthOptions,\n    'emailAndPassword.enabled',\n    betterAuthOptions.emailAndPassword?.enabled ?? true\n  );\n\n  // Configure password handling\n  if (betterAuthOptions.emailAndPassword?.enabled && !pluginOptions.disableDefaultPayloadAuth) {\n    betterAuthOptions.emailAndPassword.password = {\n      ...(betterAuthOptions.emailAndPassword.password || {}),\n      hash: (password: string) => hashPassword(password),\n      verify: ({ hash, password, salt }: { hash: string; password: string; salt?: string }) =>\n        salt !== undefined\n          ? verifyPassword({ hash, password, salt })\n          : verifyPassword({ hash, password }),\n    };\n  }\n\n  // Handle admin invite for sign up\n  if (pluginOptions.requireAdminInviteForSignUp) {\n    betterAuthOptions.socialProviders = betterAuthOptions.socialProviders || {};\n    betterAuthOptions.socialProviders = Object.fromEntries(\n      Object.entries(betterAuthOptions.socialProviders).map(([provider, config]) => [\n        provider,\n        // Using Record<string, unknown> because provider config structure varies by provider type and cannot be strictly typed\n        {\n          ...((config ??\n            {}) as unknown as /* Using Record<string, unknown> because provider config structure varies by provider type and cannot be strictly typed */ Record<\n            string,\n            unknown\n          >),\n          disableImplicitSignUp: true,\n        },\n      ])\n    );\n    requireAdminInviteForSignUpMiddleware({\n      options: betterAuthOptions,\n      pluginOptions,\n    });\n  }\n  // eslint-disable-next-line react-hooks/rules-of-hooks -- This is not a React hook, just misnamed (starts with \"use\")\n  useAdminInviteAfterEmailSignUpMiddleware({\n    adminInvitationCollectionSlug,\n    options: betterAuthOptions,\n    userCollectionSlug,\n  });\n\n  // Handle verification email blocking\n  if (\n    pluginOptions.users?.blockFirstBetterAuthVerificationEmail &&\n    !pluginOptions.disableDefaultPayloadAuth\n  ) {\n    const originalSendEmail = betterAuthOptions?.emailVerification?.sendVerificationEmail;\n    if (typeof originalSendEmail === 'function') {\n      betterAuthOptions.emailVerification = betterAuthOptions.emailVerification ?? {};\n      betterAuthOptions.emailVerification.sendVerificationEmail = async (\n        ...args: Parameters<typeof originalSendEmail>\n      ) => {\n        try {\n          const [data] = args;\n          const timeSinceCreation = new Date().getTime() - new Date(data.user.createdAt).getTime();\n          // Skip if user was created less than a minute ago (rely on Payload's email)\n          if (timeSinceCreation >= 60000) {\n            await originalSendEmail(...args);\n          }\n        } catch (error) {\n          // Use payload logger if available in context\n          const [, request] = args;\n          // Using Record<string, unknown> because BetterAuth middleware request structure varies by context and cannot be strictly typed\n          const payload = (\n            request as unknown as /* Using Record<string, unknown> because BetterAuth middleware request structure varies by context and cannot be strictly typed */ Record<\n              string,\n              unknown\n            >\n          )?.payload as Payload | undefined;\n          if (payload?.logger) {\n            payload.logger.error('Error sending verification email', {\n              error: error instanceof Error ? error.message : String(error),\n              stack: error instanceof Error ? error.stack : undefined,\n            });\n          } else {\n            console.error('Error sending verification email:', error);\n          }\n        }\n      };\n    }\n  }\n\n  // Ensure password is set before user creation\n  if (!pluginOptions.disableDefaultPayloadAuth) {\n    ensurePasswordSetBeforeUserCreate(betterAuthOptions);\n  }\n\n  // Process plugins\n  if (betterAuthOptions.plugins?.length) {\n    try {\n      // Filter to only supported plugins\n      const supportedPlugins = betterAuthOptions.plugins.filter((plugin: BetterAuthPluginType) =>\n        Object.values(supportedBAPluginIds).includes(\n          (plugin as { id: string })\n            .id as unknown as (typeof supportedBAPluginIds)[keyof typeof supportedBAPluginIds]\n        )\n      );\n\n      // Log warning for unsupported plugins\n      if (supportedPlugins.length !== betterAuthOptions.plugins.length) {\n        const unsupportedIds = betterAuthOptions.plugins\n          .filter(\n            (p: BetterAuthPluginType) =>\n              !Object.values(supportedBAPluginIds).includes(\n                (p as { id: string })\n                  .id as unknown as (typeof supportedBAPluginIds)[keyof typeof supportedBAPluginIds]\n              )\n          )\n          .map((p: BetterAuthPluginType) => (p as { id: string }).id)\n          .join(', ');\n\n        // Log warning for unsupported plugins - use console.warn as fallback since this runs during config initialization\n\n        console.warn(\n          `Unsupported BetterAuth plugins: ${unsupportedIds}. Supported: ${Object.values(supportedBAPluginIds).join(', ')}`\n        );\n      }\n\n      // Configure plugins by type\n      const pluginConfigurators = {\n        [supportedBAPluginIds.admin]: (p: BetterAuthPluginType) =>\n          configureAdminPlugin(p, pluginOptions),\n        [supportedBAPluginIds.apiKey]: (p: BetterAuthPluginType) =>\n          configureApiKeyPlugin(p, resolvedSchemas),\n        [supportedBAPluginIds.deviceAuthorization]: (p: BetterAuthPluginType) =>\n          configureDeviceAuthorizationPlugin(p, resolvedSchemas),\n        [supportedBAPluginIds.oidc]: (p: BetterAuthPluginType) =>\n          configureOidcPlugin(p, resolvedSchemas),\n        [supportedBAPluginIds.organization]: (p: BetterAuthPluginType) =>\n          configureOrganizationPlugin(p, resolvedSchemas),\n        [supportedBAPluginIds.passkey]: (p: BetterAuthPluginType) =>\n          configurePasskeyPlugin(p, resolvedSchemas),\n        [supportedBAPluginIds.sso]: (p: BetterAuthPluginType) =>\n          configureSsoPlugin(p, resolvedSchemas),\n        [supportedBAPluginIds.twoFactor]: (p: BetterAuthPluginType) =>\n          configureTwoFactorPlugin(p, resolvedSchemas),\n      };\n\n      supportedPlugins.forEach((plugin: BetterAuthPluginType) => {\n        const configurator =\n          pluginConfigurators[(plugin as { id: string }).id as keyof typeof pluginConfigurators];\n        if (configurator) configurator(plugin);\n      });\n\n      betterAuthOptions.plugins = supportedPlugins;\n    } catch (error) {\n      throw new Error(`Error sanitizing BetterAuth plugins: ${error}`);\n    }\n  }\n\n  saveToJwtMiddleware({\n    config,\n    resolvedSchemas,\n    sanitizedOptions: betterAuthOptions,\n  });\n\n  return betterAuthOptions as SanitizedBetterAuthOptions;\n}\n"],"names":["baModelFieldKeys","baModelKey","baseSlugs","defaults","supportedBAPluginIds","set","getSchemaCollectionSlug","getSchemaFieldName","configureAdminPlugin","configureApiKeyPlugin","configureDeviceAuthorizationPlugin","configureOidcPlugin","configureOrganizationPlugin","configurePasskeyPlugin","configureSsoPlugin","configureTwoFactorPlugin","ensurePasswordSetBeforeUserCreate","hashPassword","verifyPassword","requireAdminInviteForSignUpMiddleware","saveToJwtMiddleware","useAdminInviteAfterEmailSignUpMiddleware","sanitizeBetterAuthOptions","config","pluginOptions","resolvedSchemas","betterAuthOptions","user","session","account","verification","advanced","userCollectionSlug","adminInvitationCollectionSlug","adminInvitations","slug","defaultValue","users","defaultRole","userRole","input","type","baseModels","forEach","model","userId","emailAndPassword","enabled","disableDefaultPayloadAuth","password","hash","verify","salt","undefined","requireAdminInviteForSignUp","socialProviders","Object","fromEntries","entries","map","provider","disableImplicitSignUp","options","blockFirstBetterAuthVerificationEmail","originalSendEmail","emailVerification","sendVerificationEmail","args","data","timeSinceCreation","Date","getTime","createdAt","error","request","payload","logger","Error","message","String","stack","console","plugins","length","supportedPlugins","filter","plugin","values","includes","id","unsupportedIds","p","join","warn","pluginConfigurators","admin","apiKey","deviceAuthorization","oidc","organization","passkey","sso","twoFactor","configurator","sanitizedOptions"],"mappings":"AAAA,SACEA,gBAAgB,EAChBC,UAAU,EACVC,SAAS,EACTC,QAAQ,EACRC,oBAAoB,QACf,iCAAiC;AAExC,SAASC,GAAG,QAAQ,kBAAkB;AACtC,SACEC,uBAAuB,EACvBC,kBAAkB,QACb,+CAA+C;AACtD,SAASC,oBAAoB,QAAQ,iBAAiB;AACtD,SAASC,qBAAqB,QAAQ,mBAAmB;AACzD,SAASC,kCAAkC,QAAQ,gCAAgC;AACnF,SAASC,mBAAmB,QAAQ,gBAAgB;AACpD,SAASC,2BAA2B,QAAQ,yBAAyB;AACrE,SAASC,sBAAsB,QAAQ,mBAAmB;AAC1D,SAASC,kBAAkB,QAAQ,eAAe;AAClD,SAASC,wBAAwB,QAAQ,sBAAsB;AAC/D,SAASC,iCAAiC,QAAQ,4CAA4C;AAC9F,SAASC,YAAY,EAAEC,cAAc,QAAQ,mBAAmB;AAChE,SAASC,qCAAqC,QAAQ,sDAAsD;AAC5G,SAASC,mBAAmB,QAAQ,iCAAiC;AACrE,SAASC,wCAAwC,QAAQ,0DAA0D;AAWnH;;CAEC,GACD,OAAO,SAASC,0BAA0B,EACxCC,MAAM,EACNC,aAAa,EACbC,eAAe,EAKhB;IACC,MAAMC,oBAAyD;QAC7D,GAAIF,cAAcE,iBAAiB,IAAI,CAAC,CAAC;IAC3C;IAEA,yFAAyF;IACzFA,kBAAkBC,IAAI,GACpBD,kBAAkBC,IAAI,IAAK,CAAC;IAC9BD,kBAAkBE,OAAO,GACvBF,kBAAkBE,OAAO,IAAK,CAAC;IACjCF,kBAAkBG,OAAO,GACvBH,kBAAkBG,OAAO,IAAK,CAAC;IACjCH,kBAAkBI,YAAY,GAC5BJ,kBAAkBI,YAAY,IAC7B,CAAC;IACJJ,kBAAkBK,QAAQ,GACxBL,kBAAkBK,QAAQ,IAAK,CAAC;IAElC,MAAMC,qBAAqB1B,wBAAwBmB,iBAAiBxB,WAAW0B,IAAI;IACnF,MAAMM,gCACJT,cAAcU,gBAAgB,EAAEC,QAAQjC,UAAUgC,gBAAgB;IAEpE7B,IAAIqB,mBAAmB,GAAGzB,WAAW0B,IAAI,CAAC,UAAU,CAAC,EAAEK;IACvD3B,IAAIqB,mBAAmB,GAAGzB,WAAW0B,IAAI,CAAC,sBAAsB,CAAC,EAAE;QACjES,cAAcZ,cAAca,KAAK,EAAEC,eAAenC,SAASoC,QAAQ;QACnEC,OAAO;QACPC,MAAM;IACR;IAEA,MAAMC,aAAa;QAACzC,WAAW4B,OAAO;QAAE5B,WAAW2B,OAAO;QAAE3B,WAAW6B,YAAY;KAAC;IACpFY,WAAWC,OAAO,CAACC,CAAAA,QACjBvC,IAAIqB,mBAAmB,GAAGkB,MAAM,UAAU,CAAC,EAAEtC,wBAAwBmB,iBAAiBmB;IAGxFvC,IACEqB,mBACA,GAAGzB,WAAW4B,OAAO,CAAC,cAAc,CAAC,EACrCtB,mBAAmBkB,iBAAiBxB,WAAW4B,OAAO,EAAE7B,iBAAiB6B,OAAO,CAACgB,MAAM;IAEzFxC,IACEqB,mBACA,GAAGzB,WAAW2B,OAAO,CAAC,cAAc,CAAC,EACrCrB,mBAAmBkB,iBAAiBxB,WAAW2B,OAAO,EAAE5B,iBAAiB4B,OAAO,CAACiB,MAAM;IAGzFxC,IACEqB,mBACA,4BACAA,kBAAkBoB,gBAAgB,EAAEC,WAAW;IAGjD,8BAA8B;IAC9B,IAAIrB,kBAAkBoB,gBAAgB,EAAEC,WAAW,CAACvB,cAAcwB,yBAAyB,EAAE;QAC3FtB,kBAAkBoB,gBAAgB,CAACG,QAAQ,GAAG;YAC5C,GAAIvB,kBAAkBoB,gBAAgB,CAACG,QAAQ,IAAI,CAAC,CAAC;YACrDC,MAAM,CAACD,WAAqBhC,aAAagC;YACzCE,QAAQ,CAAC,EAAED,IAAI,EAAED,QAAQ,EAAEG,IAAI,EAAqD,GAClFA,SAASC,YACLnC,eAAe;oBAAEgC;oBAAMD;oBAAUG;gBAAK,KACtClC,eAAe;oBAAEgC;oBAAMD;gBAAS;QACxC;IACF;IAEA,kCAAkC;IAClC,IAAIzB,cAAc8B,2BAA2B,EAAE;QAC7C5B,kBAAkB6B,eAAe,GAAG7B,kBAAkB6B,eAAe,IAAI,CAAC;QAC1E7B,kBAAkB6B,eAAe,GAAGC,OAAOC,WAAW,CACpDD,OAAOE,OAAO,CAAChC,kBAAkB6B,eAAe,EAAEI,GAAG,CAAC,CAAC,CAACC,UAAUrC,OAAO,GAAK;gBAC5EqC;gBACA,uHAAuH;gBACvH;oBACE,GAAKrC,UACH,CAAC,CAAC;oBAIJsC,uBAAuB;gBACzB;aACD;QAEH1C,sCAAsC;YACpC2C,SAASpC;YACTF;QACF;IACF;IACA,qHAAqH;IACrHH,yCAAyC;QACvCY;QACA6B,SAASpC;QACTM;IACF;IAEA,qCAAqC;IACrC,IACER,cAAca,KAAK,EAAE0B,yCACrB,CAACvC,cAAcwB,yBAAyB,EACxC;QACA,MAAMgB,oBAAoBtC,mBAAmBuC,mBAAmBC;QAChE,IAAI,OAAOF,sBAAsB,YAAY;YAC3CtC,kBAAkBuC,iBAAiB,GAAGvC,kBAAkBuC,iBAAiB,IAAI,CAAC;YAC9EvC,kBAAkBuC,iBAAiB,CAACC,qBAAqB,GAAG,OAC1D,GAAGC;gBAEH,IAAI;oBACF,MAAM,CAACC,KAAK,GAAGD;oBACf,MAAME,oBAAoB,IAAIC,OAAOC,OAAO,KAAK,IAAID,KAAKF,KAAKzC,IAAI,CAAC6C,SAAS,EAAED,OAAO;oBACtF,4EAA4E;oBAC5E,IAAIF,qBAAqB,OAAO;wBAC9B,MAAML,qBAAqBG;oBAC7B;gBACF,EAAE,OAAOM,OAAO;oBACd,6CAA6C;oBAC7C,MAAM,GAAGC,QAAQ,GAAGP;oBACpB,+HAA+H;oBAC/H,MAAMQ,UACJD,SAICC;oBACH,IAAIA,SAASC,QAAQ;wBACnBD,QAAQC,MAAM,CAACH,KAAK,CAAC,oCAAoC;4BACvDA,OAAOA,iBAAiBI,QAAQJ,MAAMK,OAAO,GAAGC,OAAON;4BACvDO,OAAOP,iBAAiBI,QAAQJ,MAAMO,KAAK,GAAG3B;wBAChD;oBACF,OAAO;wBACL4B,QAAQR,KAAK,CAAC,qCAAqCA;oBACrD;gBACF;YACF;QACF;IACF;IAEA,8CAA8C;IAC9C,IAAI,CAACjD,cAAcwB,yBAAyB,EAAE;QAC5ChC,kCAAkCU;IACpC;IAEA,kBAAkB;IAClB,IAAIA,kBAAkBwD,OAAO,EAAEC,QAAQ;QACrC,IAAI;YACF,mCAAmC;YACnC,MAAMC,mBAAmB1D,kBAAkBwD,OAAO,CAACG,MAAM,CAAC,CAACC,SACzD9B,OAAO+B,MAAM,CAACnF,sBAAsBoF,QAAQ,CAC1C,AAACF,OACEG,EAAE;YAIT,sCAAsC;YACtC,IAAIL,iBAAiBD,MAAM,KAAKzD,kBAAkBwD,OAAO,CAACC,MAAM,EAAE;gBAChE,MAAMO,iBAAiBhE,kBAAkBwD,OAAO,CAC7CG,MAAM,CACL,CAACM,IACC,CAACnC,OAAO+B,MAAM,CAACnF,sBAAsBoF,QAAQ,CAC3C,AAACG,EACEF,EAAE,GAGV9B,GAAG,CAAC,CAACgC,IAA4B,AAACA,EAAqBF,EAAE,EACzDG,IAAI,CAAC;gBAER,kHAAkH;gBAElHX,QAAQY,IAAI,CACV,CAAC,gCAAgC,EAAEH,eAAe,aAAa,EAAElC,OAAO+B,MAAM,CAACnF,sBAAsBwF,IAAI,CAAC,OAAO;YAErH;YAEA,4BAA4B;YAC5B,MAAME,sBAAsB;gBAC1B,CAAC1F,qBAAqB2F,KAAK,CAAC,EAAE,CAACJ,IAC7BnF,qBAAqBmF,GAAGnE;gBAC1B,CAACpB,qBAAqB4F,MAAM,CAAC,EAAE,CAACL,IAC9BlF,sBAAsBkF,GAAGlE;gBAC3B,CAACrB,qBAAqB6F,mBAAmB,CAAC,EAAE,CAACN,IAC3CjF,mCAAmCiF,GAAGlE;gBACxC,CAACrB,qBAAqB8F,IAAI,CAAC,EAAE,CAACP,IAC5BhF,oBAAoBgF,GAAGlE;gBACzB,CAACrB,qBAAqB+F,YAAY,CAAC,EAAE,CAACR,IACpC/E,4BAA4B+E,GAAGlE;gBACjC,CAACrB,qBAAqBgG,OAAO,CAAC,EAAE,CAACT,IAC/B9E,uBAAuB8E,GAAGlE;gBAC5B,CAACrB,qBAAqBiG,GAAG,CAAC,EAAE,CAACV,IAC3B7E,mBAAmB6E,GAAGlE;gBACxB,CAACrB,qBAAqBkG,SAAS,CAAC,EAAE,CAACX,IACjC5E,yBAAyB4E,GAAGlE;YAChC;YAEA2D,iBAAiBzC,OAAO,CAAC,CAAC2C;gBACxB,MAAMiB,eACJT,mBAAmB,CAAC,AAACR,OAA0BG,EAAE,CAAqC;gBACxF,IAAIc,cAAcA,aAAajB;YACjC;YAEA5D,kBAAkBwD,OAAO,GAAGE;QAC9B,EAAE,OAAOX,OAAO;YACd,MAAM,IAAII,MAAM,CAAC,qCAAqC,EAAEJ,OAAO;QACjE;IACF;IAEArD,oBAAoB;QAClBG;QACAE;QACA+E,kBAAkB9E;IACpB;IAEA,OAAOA;AACT"}

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/oidc-plugin.d.ts

@@ -0,0 +1,2 @@
+import type { BetterAuthSchemas } from '@/better-auth/types';
+export declare function configureOidcPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void;

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/oidc-plugin.js

@@ -0,0 +1,18 @@
+import { baModelFieldKeys, baModelKey } from "@/better-auth/plugin/constants";
+import { set } from "../../utils/set";
+import { getSchemaCollectionSlug, getSchemaFieldName } from "../build-collections/utils/collection-schema";
+export function configureOidcPlugin(plugin, resolvedSchemas) {
+    const models = [
+        baModelKey.oauthApplication,
+        baModelKey.oauthAccessToken,
+        baModelKey.oauthConsent
+    ];
+    models.forEach((model)=>set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model)));
+    set(plugin, `schema.${baModelKey.oauthApplication}.fields.userId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.oauthApplication, baModelFieldKeys.oauthApplication.userId));
+    set(plugin, `schema.${baModelKey.oauthAccessToken}.fields.userId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.oauthAccessToken, baModelFieldKeys.oauthAccessToken.userId));
+    set(plugin, `schema.${baModelKey.oauthAccessToken}.fields.clientId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.oauthAccessToken, baModelFieldKeys.oauthAccessToken.clientId));
+    set(plugin, `schema.${baModelKey.oauthConsent}.fields.userId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.oauthConsent, baModelFieldKeys.oauthConsent.userId));
+    set(plugin, `schema.${baModelKey.oauthConsent}.fields.clientId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.oauthConsent, baModelFieldKeys.oauthConsent.clientId));
+}
+
+//# sourceMappingURL=oidc-plugin.js.map

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/oidc-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../src/better-auth/plugin/lib/sanitize-better-auth-options/oidc-plugin.ts"],"sourcesContent":["import { baModelFieldKeys, baModelKey } from '@/better-auth/plugin/constants';\nimport type { BetterAuthSchemas } from '@/better-auth/types';\nimport { set } from '../../utils/set';\nimport {\n  getSchemaCollectionSlug,\n  getSchemaFieldName,\n} from '../build-collections/utils/collection-schema';\n\nexport function configureOidcPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void {\n  const models = [\n    baModelKey.oauthApplication,\n    baModelKey.oauthAccessToken,\n    baModelKey.oauthConsent,\n  ] as const;\n\n  models.forEach(model =>\n    set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model))\n  );\n\n  set(\n    plugin,\n    `schema.${baModelKey.oauthApplication}.fields.userId.fieldName`,\n    getSchemaFieldName(\n      resolvedSchemas,\n      baModelKey.oauthApplication,\n      baModelFieldKeys.oauthApplication.userId\n    )\n  );\n\n  set(\n    plugin,\n    `schema.${baModelKey.oauthAccessToken}.fields.userId.fieldName`,\n    getSchemaFieldName(\n      resolvedSchemas,\n      baModelKey.oauthAccessToken,\n      baModelFieldKeys.oauthAccessToken.userId\n    )\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.oauthAccessToken}.fields.clientId.fieldName`,\n    getSchemaFieldName(\n      resolvedSchemas,\n      baModelKey.oauthAccessToken,\n      baModelFieldKeys.oauthAccessToken.clientId\n    )\n  );\n\n  set(\n    plugin,\n    `schema.${baModelKey.oauthConsent}.fields.userId.fieldName`,\n    getSchemaFieldName(\n      resolvedSchemas,\n      baModelKey.oauthConsent,\n      baModelFieldKeys.oauthConsent.userId\n    )\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.oauthConsent}.fields.clientId.fieldName`,\n    getSchemaFieldName(\n      resolvedSchemas,\n      baModelKey.oauthConsent,\n      baModelFieldKeys.oauthConsent.clientId\n    )\n  );\n}\n"],"names":["baModelFieldKeys","baModelKey","set","getSchemaCollectionSlug","getSchemaFieldName","configureOidcPlugin","plugin","resolvedSchemas","models","oauthApplication","oauthAccessToken","oauthConsent","forEach","model","userId","clientId"],"mappings":"AAAA,SAASA,gBAAgB,EAAEC,UAAU,QAAQ,iCAAiC;AAE9E,SAASC,GAAG,QAAQ,kBAAkB;AACtC,SACEC,uBAAuB,EACvBC,kBAAkB,QACb,+CAA+C;AAEtD,OAAO,SAASC,oBAAoBC,MAAW,EAAEC,eAAkC;IACjF,MAAMC,SAAS;QACbP,WAAWQ,gBAAgB;QAC3BR,WAAWS,gBAAgB;QAC3BT,WAAWU,YAAY;KACxB;IAEDH,OAAOI,OAAO,CAACC,CAAAA,QACbX,IAAII,QAAQ,CAAC,OAAO,EAAEO,MAAM,UAAU,CAAC,EAAEV,wBAAwBI,iBAAiBM;IAGpFX,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWQ,gBAAgB,CAAC,wBAAwB,CAAC,EAC/DL,mBACEG,iBACAN,WAAWQ,gBAAgB,EAC3BT,iBAAiBS,gBAAgB,CAACK,MAAM;IAI5CZ,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWS,gBAAgB,CAAC,wBAAwB,CAAC,EAC/DN,mBACEG,iBACAN,WAAWS,gBAAgB,EAC3BV,iBAAiBU,gBAAgB,CAACI,MAAM;IAG5CZ,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWS,gBAAgB,CAAC,0BAA0B,CAAC,EACjEN,mBACEG,iBACAN,WAAWS,gBAAgB,EAC3BV,iBAAiBU,gBAAgB,CAACK,QAAQ;IAI9Cb,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWU,YAAY,CAAC,wBAAwB,CAAC,EAC3DP,mBACEG,iBACAN,WAAWU,YAAY,EACvBX,iBAAiBW,YAAY,CAACG,MAAM;IAGxCZ,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWU,YAAY,CAAC,0BAA0B,CAAC,EAC7DP,mBACEG,iBACAN,WAAWU,YAAY,EACvBX,iBAAiBW,YAAY,CAACI,QAAQ;AAG5C"}

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/organizations-plugin.d.ts

@@ -0,0 +1,2 @@
+import type { BetterAuthSchemas } from '@/better-auth/types';
+export declare function configureOrganizationPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void;

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/organizations-plugin.js

@@ -0,0 +1,34 @@
+import { baModelFieldKeys, baModelKey } from "@/better-auth/plugin/constants";
+import { set } from "../../utils/set";
+import { getSchemaCollectionSlug, getSchemaFieldName } from "../build-collections/utils/collection-schema";
+export function configureOrganizationPlugin(plugin, resolvedSchemas) {
+    const models = [
+        baModelKey.organization,
+        baModelKey.member,
+        baModelKey.invitation,
+        baModelKey.team,
+        baModelKey.session,
+        baModelKey.teamMember
+    ];
+    models.forEach((model)=>set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model)));
+    set(plugin, `schema.${baModelKey.member}.fields.organizationId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.member, baModelFieldKeys.member.organizationId));
+    set(plugin, `schema.${baModelKey.member}.fields.organizationId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.organization));
+    set(plugin, `schema.${baModelKey.member}.fields.userId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.member, baModelFieldKeys.member.userId));
+    set(plugin, `schema.${baModelKey.member}.fields.userId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.user));
+    set(plugin, `schema.${baModelKey.invitation}.fields.organizationId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.invitation, baModelFieldKeys.invitation.organizationId));
+    set(plugin, `schema.${baModelKey.invitation}.fields.organizationId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.organization));
+    set(plugin, `schema.${baModelKey.invitation}.fields.inviterId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.invitation, baModelFieldKeys.invitation.inviterId));
+    set(plugin, `schema.${baModelKey.invitation}.fields.inviterId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.user));
+    set(plugin, `schema.${baModelKey.invitation}.fields.teamId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.invitation, baModelFieldKeys.invitation.teamId));
+    set(plugin, `schema.${baModelKey.invitation}.fields.teamId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.team));
+    set(plugin, `schema.${baModelKey.team}.fields.organizationId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.team, baModelFieldKeys.team.organizationId));
+    set(plugin, `schema.${baModelKey.team}.fields.organizationId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.user));
+    set(plugin, `schema.${baModelKey.teamMember}.fields.teamId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.teamMember, baModelFieldKeys.teamMember.teamId));
+    set(plugin, `schema.${baModelKey.teamMember}.fields.teamId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.team));
+    set(plugin, `schema.${baModelKey.teamMember}.fields.userId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.teamMember, baModelFieldKeys.teamMember.userId));
+    set(plugin, `schema.${baModelKey.teamMember}.fields.userId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.user));
+    set(plugin, `schema.${baModelKey.session}.fields.activeOrganizationId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.session, baModelFieldKeys.session.activeOrganizationId));
+    set(plugin, `schema.${baModelKey.session}.fields.activeTeamId.fieldName`, getSchemaFieldName(resolvedSchemas, baModelKey.session, baModelFieldKeys.session.activeTeamId));
+}
+
+//# sourceMappingURL=organizations-plugin.js.map

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/organizations-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../src/better-auth/plugin/lib/sanitize-better-auth-options/organizations-plugin.ts"],"sourcesContent":["import { baModelFieldKeys, baModelKey } from '@/better-auth/plugin/constants';\nimport type { BetterAuthSchemas } from '@/better-auth/types';\nimport { set } from '../../utils/set';\nimport {\n  getSchemaCollectionSlug,\n  getSchemaFieldName,\n} from '../build-collections/utils/collection-schema';\n\nexport function configureOrganizationPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void {\n  const models = [\n    baModelKey.organization,\n    baModelKey.member,\n    baModelKey.invitation,\n    baModelKey.team,\n    baModelKey.session,\n    baModelKey.teamMember,\n  ] as const;\n  models.forEach(model =>\n    set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model))\n  );\n\n  set(\n    plugin,\n    `schema.${baModelKey.member}.fields.organizationId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, baModelKey.member, baModelFieldKeys.member.organizationId)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.member}.fields.organizationId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.organization)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.member}.fields.userId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, baModelKey.member, baModelFieldKeys.member.userId)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.member}.fields.userId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.user)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.invitation}.fields.organizationId.fieldName`,\n    getSchemaFieldName(\n      resolvedSchemas,\n      baModelKey.invitation,\n      baModelFieldKeys.invitation.organizationId\n    )\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.invitation}.fields.organizationId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.organization)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.invitation}.fields.inviterId.fieldName`,\n    getSchemaFieldName(\n      resolvedSchemas,\n      baModelKey.invitation,\n      baModelFieldKeys.invitation.inviterId\n    )\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.invitation}.fields.inviterId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.user)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.invitation}.fields.teamId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, baModelKey.invitation, baModelFieldKeys.invitation.teamId)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.invitation}.fields.teamId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.team)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.team}.fields.organizationId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, baModelKey.team, baModelFieldKeys.team.organizationId)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.team}.fields.organizationId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.user)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.teamMember}.fields.teamId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, baModelKey.teamMember, baModelFieldKeys.teamMember.teamId)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.teamMember}.fields.teamId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.team)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.teamMember}.fields.userId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, baModelKey.teamMember, baModelFieldKeys.teamMember.userId)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.teamMember}.fields.userId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.user)\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.session}.fields.activeOrganizationId.fieldName`,\n    getSchemaFieldName(\n      resolvedSchemas,\n      baModelKey.session,\n      baModelFieldKeys.session.activeOrganizationId\n    )\n  );\n  set(\n    plugin,\n    `schema.${baModelKey.session}.fields.activeTeamId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, baModelKey.session, baModelFieldKeys.session.activeTeamId)\n  );\n}\n"],"names":["baModelFieldKeys","baModelKey","set","getSchemaCollectionSlug","getSchemaFieldName","configureOrganizationPlugin","plugin","resolvedSchemas","models","organization","member","invitation","team","session","teamMember","forEach","model","organizationId","userId","user","inviterId","teamId","activeOrganizationId","activeTeamId"],"mappings":"AAAA,SAASA,gBAAgB,EAAEC,UAAU,QAAQ,iCAAiC;AAE9E,SAASC,GAAG,QAAQ,kBAAkB;AACtC,SACEC,uBAAuB,EACvBC,kBAAkB,QACb,+CAA+C;AAEtD,OAAO,SAASC,4BAA4BC,MAAW,EAAEC,eAAkC;IACzF,MAAMC,SAAS;QACbP,WAAWQ,YAAY;QACvBR,WAAWS,MAAM;QACjBT,WAAWU,UAAU;QACrBV,WAAWW,IAAI;QACfX,WAAWY,OAAO;QAClBZ,WAAWa,UAAU;KACtB;IACDN,OAAOO,OAAO,CAACC,CAAAA,QACbd,IAAII,QAAQ,CAAC,OAAO,EAAEU,MAAM,UAAU,CAAC,EAAEb,wBAAwBI,iBAAiBS;IAGpFd,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWS,MAAM,CAAC,gCAAgC,CAAC,EAC7DN,mBAAmBG,iBAAiBN,WAAWS,MAAM,EAAEV,iBAAiBU,MAAM,CAACO,cAAc;IAE/Ff,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWS,MAAM,CAAC,uCAAuC,CAAC,EACpEP,wBAAwBI,iBAAiBN,WAAWQ,YAAY;IAElEP,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWS,MAAM,CAAC,wBAAwB,CAAC,EACrDN,mBAAmBG,iBAAiBN,WAAWS,MAAM,EAAEV,iBAAiBU,MAAM,CAACQ,MAAM;IAEvFhB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWS,MAAM,CAAC,+BAA+B,CAAC,EAC5DP,wBAAwBI,iBAAiBN,WAAWkB,IAAI;IAE1DjB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWU,UAAU,CAAC,gCAAgC,CAAC,EACjEP,mBACEG,iBACAN,WAAWU,UAAU,EACrBX,iBAAiBW,UAAU,CAACM,cAAc;IAG9Cf,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWU,UAAU,CAAC,uCAAuC,CAAC,EACxER,wBAAwBI,iBAAiBN,WAAWQ,YAAY;IAElEP,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWU,UAAU,CAAC,2BAA2B,CAAC,EAC5DP,mBACEG,iBACAN,WAAWU,UAAU,EACrBX,iBAAiBW,UAAU,CAACS,SAAS;IAGzClB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWU,UAAU,CAAC,kCAAkC,CAAC,EACnER,wBAAwBI,iBAAiBN,WAAWkB,IAAI;IAE1DjB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWU,UAAU,CAAC,wBAAwB,CAAC,EACzDP,mBAAmBG,iBAAiBN,WAAWU,UAAU,EAAEX,iBAAiBW,UAAU,CAACU,MAAM;IAE/FnB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWU,UAAU,CAAC,+BAA+B,CAAC,EAChER,wBAAwBI,iBAAiBN,WAAWW,IAAI;IAE1DV,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWW,IAAI,CAAC,gCAAgC,CAAC,EAC3DR,mBAAmBG,iBAAiBN,WAAWW,IAAI,EAAEZ,iBAAiBY,IAAI,CAACK,cAAc;IAE3Ff,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWW,IAAI,CAAC,uCAAuC,CAAC,EAClET,wBAAwBI,iBAAiBN,WAAWkB,IAAI;IAE1DjB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWa,UAAU,CAAC,wBAAwB,CAAC,EACzDV,mBAAmBG,iBAAiBN,WAAWa,UAAU,EAAEd,iBAAiBc,UAAU,CAACO,MAAM;IAE/FnB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWa,UAAU,CAAC,+BAA+B,CAAC,EAChEX,wBAAwBI,iBAAiBN,WAAWW,IAAI;IAE1DV,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWa,UAAU,CAAC,wBAAwB,CAAC,EACzDV,mBAAmBG,iBAAiBN,WAAWa,UAAU,EAAEd,iBAAiBc,UAAU,CAACI,MAAM;IAE/FhB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWa,UAAU,CAAC,+BAA+B,CAAC,EAChEX,wBAAwBI,iBAAiBN,WAAWkB,IAAI;IAE1DjB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWY,OAAO,CAAC,sCAAsC,CAAC,EACpET,mBACEG,iBACAN,WAAWY,OAAO,EAClBb,iBAAiBa,OAAO,CAACS,oBAAoB;IAGjDpB,IACEI,QACA,CAAC,OAAO,EAAEL,WAAWY,OAAO,CAAC,8BAA8B,CAAC,EAC5DT,mBAAmBG,iBAAiBN,WAAWY,OAAO,EAAEb,iBAAiBa,OAAO,CAACU,YAAY;AAEjG"}

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/passkey-plugin.d.ts

@@ -0,0 +1,2 @@
+import type { BetterAuthSchemas } from '@/better-auth/types';
+export declare function configurePasskeyPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void;

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/passkey-plugin.js

@@ -0,0 +1,11 @@
+import { baModelFieldKeys, baModelKey } from "@/better-auth/plugin/constants";
+import { set } from "../../utils/set";
+import { getSchemaCollectionSlug, getSchemaFieldName } from "../build-collections/utils/collection-schema";
+export function configurePasskeyPlugin(plugin, resolvedSchemas) {
+    const model = baModelKey.passkey;
+    set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model));
+    set(plugin, `schema.${model}.fields.userId.fieldName`, getSchemaFieldName(resolvedSchemas, model, baModelFieldKeys.passkey.userId));
+    set(plugin, `schema.${model}.fields.userId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.user));
+}
+
+//# sourceMappingURL=passkey-plugin.js.map

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/passkey-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../src/better-auth/plugin/lib/sanitize-better-auth-options/passkey-plugin.ts"],"sourcesContent":["import { baModelFieldKeys, baModelKey } from '@/better-auth/plugin/constants';\nimport type { BetterAuthSchemas } from '@/better-auth/types';\nimport { set } from '../../utils/set';\nimport {\n  getSchemaCollectionSlug,\n  getSchemaFieldName,\n} from '../build-collections/utils/collection-schema';\n\nexport function configurePasskeyPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void {\n  const model = baModelKey.passkey;\n  set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model));\n  set(\n    plugin,\n    `schema.${model}.fields.userId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, model, baModelFieldKeys.passkey.userId)\n  );\n  set(\n    plugin,\n    `schema.${model}.fields.userId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.user)\n  );\n}\n"],"names":["baModelFieldKeys","baModelKey","set","getSchemaCollectionSlug","getSchemaFieldName","configurePasskeyPlugin","plugin","resolvedSchemas","model","passkey","userId","user"],"mappings":"AAAA,SAASA,gBAAgB,EAAEC,UAAU,QAAQ,iCAAiC;AAE9E,SAASC,GAAG,QAAQ,kBAAkB;AACtC,SACEC,uBAAuB,EACvBC,kBAAkB,QACb,+CAA+C;AAEtD,OAAO,SAASC,uBAAuBC,MAAW,EAAEC,eAAkC;IACpF,MAAMC,QAAQP,WAAWQ,OAAO;IAChCP,IAAII,QAAQ,CAAC,OAAO,EAAEE,MAAM,UAAU,CAAC,EAAEL,wBAAwBI,iBAAiBC;IAClFN,IACEI,QACA,CAAC,OAAO,EAAEE,MAAM,wBAAwB,CAAC,EACzCJ,mBAAmBG,iBAAiBC,OAAOR,iBAAiBS,OAAO,CAACC,MAAM;IAE5ER,IACEI,QACA,CAAC,OAAO,EAAEE,MAAM,+BAA+B,CAAC,EAChDL,wBAAwBI,iBAAiBN,WAAWU,IAAI;AAE5D"}

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/sso-plugin.d.ts

@@ -0,0 +1,2 @@
+import type { BetterAuthSchemas } from '@/better-auth/types';
+export declare function configureSsoPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void;

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/sso-plugin.js

@@ -0,0 +1,10 @@
+import { baModelFieldKeys, baModelKey } from "@/better-auth/plugin/constants";
+import { set } from "@/better-auth/plugin/utils/set";
+import { getSchemaCollectionSlug, getSchemaFieldName } from "../build-collections/utils/collection-schema";
+export function configureSsoPlugin(plugin, resolvedSchemas) {
+    const model = baModelKey.ssoProvider;
+    set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model));
+    set(plugin, `schema.${model}.fields.userId.fieldName`, getSchemaFieldName(resolvedSchemas, model, baModelFieldKeys.ssoProvider.userId));
+}
+
+//# sourceMappingURL=sso-plugin.js.map

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/sso-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../src/better-auth/plugin/lib/sanitize-better-auth-options/sso-plugin.ts"],"sourcesContent":["import { baModelFieldKeys, baModelKey } from '@/better-auth/plugin/constants';\nimport { set } from '@/better-auth/plugin/utils/set';\nimport type { BetterAuthSchemas } from '@/better-auth/types';\nimport {\n  getSchemaCollectionSlug,\n  getSchemaFieldName,\n} from '../build-collections/utils/collection-schema';\n\nexport function configureSsoPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void {\n  const model = baModelKey.ssoProvider;\n  set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model));\n  set(\n    plugin,\n    `schema.${model}.fields.userId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, model, baModelFieldKeys.ssoProvider.userId)\n  );\n}\n"],"names":["baModelFieldKeys","baModelKey","set","getSchemaCollectionSlug","getSchemaFieldName","configureSsoPlugin","plugin","resolvedSchemas","model","ssoProvider","userId"],"mappings":"AAAA,SAASA,gBAAgB,EAAEC,UAAU,QAAQ,iCAAiC;AAC9E,SAASC,GAAG,QAAQ,iCAAiC;AAErD,SACEC,uBAAuB,EACvBC,kBAAkB,QACb,+CAA+C;AAEtD,OAAO,SAASC,mBAAmBC,MAAW,EAAEC,eAAkC;IAChF,MAAMC,QAAQP,WAAWQ,WAAW;IACpCP,IAAII,QAAQ,CAAC,OAAO,EAAEE,MAAM,UAAU,CAAC,EAAEL,wBAAwBI,iBAAiBC;IAClFN,IACEI,QACA,CAAC,OAAO,EAAEE,MAAM,wBAAwB,CAAC,EACzCJ,mBAAmBG,iBAAiBC,OAAOR,iBAAiBS,WAAW,CAACC,MAAM;AAElF"}

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/two-factor-plugin.d.ts

@@ -0,0 +1,2 @@
+import type { BetterAuthSchemas } from '@/better-auth/types';
+export declare function configureTwoFactorPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void;

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/two-factor-plugin.js

@@ -0,0 +1,11 @@
+import { baModelFieldKeys, baModelKey } from "@/better-auth/plugin/constants";
+import { set } from "@/better-auth/plugin/utils/set";
+import { getSchemaCollectionSlug, getSchemaFieldName } from "../build-collections/utils/collection-schema";
+export function configureTwoFactorPlugin(plugin, resolvedSchemas) {
+    const model = baModelKey.twoFactor;
+    set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model));
+    set(plugin, `schema.${model}.fields.userId.fieldName`, getSchemaFieldName(resolvedSchemas, model, baModelFieldKeys.twoFactor.userId));
+    set(plugin, `schema.${model}.fields.userId.references.model`, getSchemaCollectionSlug(resolvedSchemas, baModelKey.user));
+}
+
+//# sourceMappingURL=two-factor-plugin.js.map

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/two-factor-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../src/better-auth/plugin/lib/sanitize-better-auth-options/two-factor-plugin.ts"],"sourcesContent":["import { baModelFieldKeys, baModelKey } from '@/better-auth/plugin/constants';\nimport { set } from '@/better-auth/plugin/utils/set';\nimport type { BetterAuthSchemas } from '@/better-auth/types';\nimport {\n  getSchemaCollectionSlug,\n  getSchemaFieldName,\n} from '../build-collections/utils/collection-schema';\n\nexport function configureTwoFactorPlugin(plugin: any, resolvedSchemas: BetterAuthSchemas): void {\n  const model = baModelKey.twoFactor;\n  set(plugin, `schema.${model}.modelName`, getSchemaCollectionSlug(resolvedSchemas, model));\n  set(\n    plugin,\n    `schema.${model}.fields.userId.fieldName`,\n    getSchemaFieldName(resolvedSchemas, model, baModelFieldKeys.twoFactor.userId)\n  );\n  set(\n    plugin,\n    `schema.${model}.fields.userId.references.model`,\n    getSchemaCollectionSlug(resolvedSchemas, baModelKey.user)\n  );\n}\n"],"names":["baModelFieldKeys","baModelKey","set","getSchemaCollectionSlug","getSchemaFieldName","configureTwoFactorPlugin","plugin","resolvedSchemas","model","twoFactor","userId","user"],"mappings":"AAAA,SAASA,gBAAgB,EAAEC,UAAU,QAAQ,iCAAiC;AAC9E,SAASC,GAAG,QAAQ,iCAAiC;AAErD,SACEC,uBAAuB,EACvBC,kBAAkB,QACb,+CAA+C;AAEtD,OAAO,SAASC,yBAAyBC,MAAW,EAAEC,eAAkC;IACtF,MAAMC,QAAQP,WAAWQ,SAAS;IAClCP,IAAII,QAAQ,CAAC,OAAO,EAAEE,MAAM,UAAU,CAAC,EAAEL,wBAAwBI,iBAAiBC;IAClFN,IACEI,QACA,CAAC,OAAO,EAAEE,MAAM,wBAAwB,CAAC,EACzCJ,mBAAmBG,iBAAiBC,OAAOR,iBAAiBS,SAAS,CAACC,MAAM;IAE9ER,IACEI,QACA,CAAC,OAAO,EAAEE,MAAM,+BAA+B,CAAC,EAChDL,wBAAwBI,iBAAiBN,WAAWU,IAAI;AAE5D"}

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/ensure-password-set-before-create.d.ts

@@ -0,0 +1,7 @@
+import type { SanitizedBetterAuthOptions } from '@/better-auth/plugin/types';
+/**
+ * Adds a before hook to the user create operation to ensure the password is set.
+ * This is necessary because the password is not set in the user create operation
+ * and is instead set in the sync password accounts hook.
+ */
+export declare function ensurePasswordSetBeforeUserCreate(options: SanitizedBetterAuthOptions): void;

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/ensure-password-set-before-create.js

@@ -0,0 +1,23 @@
+/**
+ * Adds a before hook to the user create operation to ensure the password is set.
+ * This is necessary because the password is not set in the user create operation
+ * and is instead set in the sync password accounts hook.
+ */ export function ensurePasswordSetBeforeUserCreate(options) {
+    if (typeof options.databaseHooks !== 'object') options.databaseHooks = {};
+    if (typeof options.databaseHooks.user !== 'object') options.databaseHooks.user = {};
+    if (typeof options.databaseHooks.user.create !== 'object') options.databaseHooks.user.create = {};
+    const initialBeforeUserCreateHook = options.databaseHooks.user.create.before ?? null;
+    options.databaseHooks.user.create.before = async (user, ctx)=>{
+        if (!user.password) {
+            user.password = ctx?.body?.password ?? Array(3).fill(0).map(()=>Math.random().toString(36).slice(2)).join('');
+        }
+        if (typeof initialBeforeUserCreateHook === 'function') {
+            return initialBeforeUserCreateHook(user, ctx);
+        }
+        return {
+            data: user
+        };
+    };
+}
+
+//# sourceMappingURL=ensure-password-set-before-create.js.map

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/ensure-password-set-before-create.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../../src/better-auth/plugin/lib/sanitize-better-auth-options/utils/ensure-password-set-before-create.ts"],"sourcesContent":["import type { SanitizedBetterAuthOptions } from '@/better-auth/plugin/types';\n\n/**\n * Adds a before hook to the user create operation to ensure the password is set.\n * This is necessary because the password is not set in the user create operation\n * and is instead set in the sync password accounts hook.\n */\nexport function ensurePasswordSetBeforeUserCreate(options: SanitizedBetterAuthOptions) {\n  if (typeof options.databaseHooks !== 'object') options.databaseHooks = {};\n  if (typeof options.databaseHooks.user !== 'object') options.databaseHooks.user = {};\n  if (typeof options.databaseHooks.user.create !== 'object') options.databaseHooks.user.create = {};\n  const initialBeforeUserCreateHook = options.databaseHooks.user.create.before ?? null;\n\n  options.databaseHooks.user.create.before = async (user, ctx) => {\n    if (!(user as any).password) {\n      (user as any).password =\n        ctx?.body?.password ??\n        Array(3)\n          .fill(0)\n          .map(() => Math.random().toString(36).slice(2))\n          .join('');\n    }\n    if (typeof initialBeforeUserCreateHook === 'function') {\n      return initialBeforeUserCreateHook(user, ctx);\n    }\n    return { data: user };\n  };\n}\n"],"names":["ensurePasswordSetBeforeUserCreate","options","databaseHooks","user","create","initialBeforeUserCreateHook","before","ctx","password","body","Array","fill","map","Math","random","toString","slice","join","data"],"mappings":"AAEA;;;;CAIC,GACD,OAAO,SAASA,kCAAkCC,OAAmC;IACnF,IAAI,OAAOA,QAAQC,aAAa,KAAK,UAAUD,QAAQC,aAAa,GAAG,CAAC;IACxE,IAAI,OAAOD,QAAQC,aAAa,CAACC,IAAI,KAAK,UAAUF,QAAQC,aAAa,CAACC,IAAI,GAAG,CAAC;IAClF,IAAI,OAAOF,QAAQC,aAAa,CAACC,IAAI,CAACC,MAAM,KAAK,UAAUH,QAAQC,aAAa,CAACC,IAAI,CAACC,MAAM,GAAG,CAAC;IAChG,MAAMC,8BAA8BJ,QAAQC,aAAa,CAACC,IAAI,CAACC,MAAM,CAACE,MAAM,IAAI;IAEhFL,QAAQC,aAAa,CAACC,IAAI,CAACC,MAAM,CAACE,MAAM,GAAG,OAAOH,MAAMI;QACtD,IAAI,CAAC,AAACJ,KAAaK,QAAQ,EAAE;YAC1BL,KAAaK,QAAQ,GACpBD,KAAKE,MAAMD,YACXE,MAAM,GACHC,IAAI,CAAC,GACLC,GAAG,CAAC,IAAMC,KAAKC,MAAM,GAAGC,QAAQ,CAAC,IAAIC,KAAK,CAAC,IAC3CC,IAAI,CAAC;QACZ;QACA,IAAI,OAAOZ,gCAAgC,YAAY;YACrD,OAAOA,4BAA4BF,MAAMI;QAC3C;QACA,OAAO;YAAEW,MAAMf;QAAK;IACtB;AACF"}

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/password.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Custom implementation of password hashing that matches Payload's format
+ *
+ * Instead of using better-auth's scrypt, this uses pbkdf2 with the same
+ * parameters as Payload CMS
+ *
+ * @param password The password to hash
+ * @returns A string in the format {salt}:{hash}
+ */
+export declare const hashPassword: (password: string) => Promise<string>;
+/**
+ * Verifies a password against a stored hash
+ *
+ * This function is flexible and can handle:
+ * 1. A combined string in format {salt}:{hash} (for account passwords)
+ * 2. When salt and hash need to be combined from user records
+ *
+ * @param params Object containing the hash and password
+ * @returns Boolean indicating if the password matches
+ */
+export declare const verifyPassword: ({ hash, password, salt, }: {
+    hash: string;
+    password: string;
+    salt?: string;
+}) => Promise<boolean>;

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/password.js

@@ -0,0 +1,62 @@
+import crypto from "crypto";
+/**
+ * Mimics Payload's internal password hashing using pbkdf2
+ *
+ * This generates a hash compatible with Payload's internal auth system
+ * so that passwords set via better-auth can be used with Payload admin panel
+ */ function pbkdf2Promisified(password, salt) {
+    return new Promise((resolve, reject)=>crypto.pbkdf2(password, salt, 25000, 512, 'sha256', (err, hashRaw)=>err ? reject(err) : resolve(hashRaw)));
+}
+/**
+ * Generates random bytes for the salt
+ */ function randomBytes() {
+    return new Promise((resolve, reject)=>crypto.randomBytes(32, (err, saltBuffer)=>err ? reject(err) : resolve(saltBuffer)));
+}
+/**
+ * Custom implementation of password hashing that matches Payload's format
+ *
+ * Instead of using better-auth's scrypt, this uses pbkdf2 with the same
+ * parameters as Payload CMS
+ *
+ * @param password The password to hash
+ * @returns A string in the format {salt}:{hash}
+ */ export const hashPassword = async (password)=>{
+    const saltBuffer = await randomBytes();
+    const salt = saltBuffer.toString('hex');
+    const hashRaw = await pbkdf2Promisified(password, salt);
+    const hash = hashRaw.toString('hex');
+    return `${salt}:${hash}`;
+};
+/**
+ * Verifies a password against a stored hash
+ *
+ * This function is flexible and can handle:
+ * 1. A combined string in format {salt}:{hash} (for account passwords)
+ * 2. When salt and hash need to be combined from user records
+ *
+ * @param params Object containing the hash and password
+ * @returns Boolean indicating if the password matches
+ */ export const verifyPassword = async ({ hash, password, salt })=>{
+    let saltValue;
+    let storedHash;
+    // If salt is provided separately (from user record), use it with the hash
+    if (salt) {
+        saltValue = salt;
+        storedHash = hash;
+    } else {
+        // Otherwise, split the combined format (from account.password)
+        const parts = hash.split(':');
+        if (parts.length !== 2) {
+            return false;
+        }
+        [saltValue, storedHash] = parts;
+    }
+    if (!saltValue || !storedHash) {
+        return false;
+    }
+    const hashRaw = await pbkdf2Promisified(password, saltValue);
+    const computedHash = hashRaw.toString('hex');
+    return storedHash === computedHash;
+};
+
+//# sourceMappingURL=password.js.map

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/password.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../../src/better-auth/plugin/lib/sanitize-better-auth-options/utils/password.ts"],"sourcesContent":["import crypto from 'crypto';\n\n/**\n * Mimics Payload's internal password hashing using pbkdf2\n *\n * This generates a hash compatible with Payload's internal auth system\n * so that passwords set via better-auth can be used with Payload admin panel\n */\nfunction pbkdf2Promisified(password: string, salt: string): Promise<Buffer> {\n  return new Promise((resolve, reject) =>\n    crypto.pbkdf2(password, salt, 25000, 512, 'sha256', (err, hashRaw) =>\n      err ? reject(err) : resolve(hashRaw)\n    )\n  );\n}\n\n/**\n * Generates random bytes for the salt\n */\nfunction randomBytes(): Promise<Buffer> {\n  return new Promise((resolve, reject) =>\n    crypto.randomBytes(32, (err, saltBuffer) => (err ? reject(err) : resolve(saltBuffer)))\n  );\n}\n\n/**\n * Custom implementation of password hashing that matches Payload's format\n *\n * Instead of using better-auth's scrypt, this uses pbkdf2 with the same\n * parameters as Payload CMS\n *\n * @param password The password to hash\n * @returns A string in the format {salt}:{hash}\n */\nexport const hashPassword = async (password: string): Promise<string> => {\n  const saltBuffer = await randomBytes();\n  const salt = saltBuffer.toString('hex');\n\n  const hashRaw = await pbkdf2Promisified(password, salt);\n  const hash = hashRaw.toString('hex');\n\n  return `${salt}:${hash}`;\n};\n\n/**\n * Verifies a password against a stored hash\n *\n * This function is flexible and can handle:\n * 1. A combined string in format {salt}:{hash} (for account passwords)\n * 2. When salt and hash need to be combined from user records\n *\n * @param params Object containing the hash and password\n * @returns Boolean indicating if the password matches\n */\nexport const verifyPassword = async ({\n  hash,\n  password,\n  salt,\n}: {\n  hash: string;\n  password: string;\n  salt?: string;\n}): Promise<boolean> => {\n  let saltValue: string;\n  let storedHash: string;\n\n  // If salt is provided separately (from user record), use it with the hash\n  if (salt) {\n    saltValue = salt;\n    storedHash = hash;\n  } else {\n    // Otherwise, split the combined format (from account.password)\n    const parts = hash.split(':');\n    if (parts.length !== 2) {\n      return false;\n    }\n    [saltValue, storedHash] = parts as [string, string];\n  }\n\n  if (!saltValue || !storedHash) {\n    return false;\n  }\n\n  const hashRaw = await pbkdf2Promisified(password, saltValue);\n  const computedHash = hashRaw.toString('hex');\n\n  return storedHash === computedHash;\n};\n"],"names":["crypto","pbkdf2Promisified","password","salt","Promise","resolve","reject","pbkdf2","err","hashRaw","randomBytes","saltBuffer","hashPassword","toString","hash","verifyPassword","saltValue","storedHash","parts","split","length","computedHash"],"mappings":"AAAA,OAAOA,YAAY,SAAS;AAE5B;;;;;CAKC,GACD,SAASC,kBAAkBC,QAAgB,EAAEC,IAAY;IACvD,OAAO,IAAIC,QAAQ,CAACC,SAASC,SAC3BN,OAAOO,MAAM,CAACL,UAAUC,MAAM,OAAO,KAAK,UAAU,CAACK,KAAKC,UACxDD,MAAMF,OAAOE,OAAOH,QAAQI;AAGlC;AAEA;;CAEC,GACD,SAASC;IACP,OAAO,IAAIN,QAAQ,CAACC,SAASC,SAC3BN,OAAOU,WAAW,CAAC,IAAI,CAACF,KAAKG,aAAgBH,MAAMF,OAAOE,OAAOH,QAAQM;AAE7E;AAEA;;;;;;;;CAQC,GACD,OAAO,MAAMC,eAAe,OAAOV;IACjC,MAAMS,aAAa,MAAMD;IACzB,MAAMP,OAAOQ,WAAWE,QAAQ,CAAC;IAEjC,MAAMJ,UAAU,MAAMR,kBAAkBC,UAAUC;IAClD,MAAMW,OAAOL,QAAQI,QAAQ,CAAC;IAE9B,OAAO,GAAGV,KAAK,CAAC,EAAEW,MAAM;AAC1B,EAAE;AAEF;;;;;;;;;CASC,GACD,OAAO,MAAMC,iBAAiB,OAAO,EACnCD,IAAI,EACJZ,QAAQ,EACRC,IAAI,EAKL;IACC,IAAIa;IACJ,IAAIC;IAEJ,0EAA0E;IAC1E,IAAId,MAAM;QACRa,YAAYb;QACZc,aAAaH;IACf,OAAO;QACL,+DAA+D;QAC/D,MAAMI,QAAQJ,KAAKK,KAAK,CAAC;QACzB,IAAID,MAAME,MAAM,KAAK,GAAG;YACtB,OAAO;QACT;QACA,CAACJ,WAAWC,WAAW,GAAGC;IAC5B;IAEA,IAAI,CAACF,aAAa,CAACC,YAAY;QAC7B,OAAO;IACT;IAEA,MAAMR,UAAU,MAAMR,kBAAkBC,UAAUc;IAClD,MAAMK,eAAeZ,QAAQI,QAAQ,CAAC;IAEtC,OAAOI,eAAeI;AACxB,EAAE"}

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/require-admin-invite-for-sign-up-middleware.d.ts

@@ -0,0 +1,9 @@
+import type { SanitizedBetterAuthOptions } from '@/better-auth/plugin/types';
+import type { BetterAuthPluginOptions } from '@/better-auth/types';
+/**
+ * Mofies options object and adds a middleware to check for admin invite for sign up
+ */
+export declare const requireAdminInviteForSignUpMiddleware: ({ options, pluginOptions, }: {
+    options: SanitizedBetterAuthOptions;
+    pluginOptions: BetterAuthPluginOptions;
+}) => Promise<void>;

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/require-admin-invite-for-sign-up-middleware.js

@@ -0,0 +1,47 @@
+import { baseSlugs } from "@/better-auth/plugin/constants";
+import { APIError, createAuthMiddleware } from "better-auth/api";
+import { z } from "zod";
+const throwUnauthorizedError = ()=>{
+    throw new APIError('UNAUTHORIZED', {
+        message: 'signup disabled'
+    });
+};
+/**
+ * Mofies options object and adds a middleware to check for admin invite for sign up
+ */ export const requireAdminInviteForSignUpMiddleware = async ({ options, pluginOptions })=>{
+    options.hooks = options.hooks ?? {};
+    const originalBefore = options.hooks.before;
+    options.hooks.before = createAuthMiddleware(async (ctx)=>{
+        if (ctx.path !== '/sign-up/email' && // not an email sign-up request
+        !(ctx.path === '/sign-in/social' && ctx.body?.requestSignUp // not a social sign-in request with sign-up intent
+        )) return ctx;
+        // Using any because BetterAuth ctx.body structure varies by request type and cannot be strictly typed
+        const adminInviteToken = // biome-ignore lint/suspicious/noExplicitAny: BetterAuth ctx.body structure varies by request type
+        ctx?.query?.adminInviteToken ?? ctx.body.adminInviteToken;
+        if (!!pluginOptions.requireAdminInviteForSignUp && !z.string().uuid().safeParse(adminInviteToken).success) {
+            throwUnauthorizedError();
+            return ctx;
+        }
+        const query = {
+            field: 'token',
+            value: adminInviteToken,
+            operator: 'eq'
+        };
+        const isValidAdminInvitation = await ctx.context.adapter.count({
+            model: pluginOptions.adminInvitations?.slug ?? baseSlugs.adminInvitations,
+            where: [
+                query
+            ]
+        });
+        if (isValidAdminInvitation) {
+            // Using any because BetterAuth middleware functions have dynamic signatures that vary by context
+            // biome-ignore lint/suspicious/noExplicitAny: BetterAuth middleware functions have dynamic signatures
+            if (originalBefore) return originalBefore(ctx);
+            return ctx;
+        }
+        throwUnauthorizedError();
+        return ctx;
+    });
+};
+
+//# sourceMappingURL=require-admin-invite-for-sign-up-middleware.js.map

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/require-admin-invite-for-sign-up-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../../src/better-auth/plugin/lib/sanitize-better-auth-options/utils/require-admin-invite-for-sign-up-middleware.ts"],"sourcesContent":["import { baseSlugs } from '@/better-auth/plugin/constants';\nimport type { SanitizedBetterAuthOptions } from '@/better-auth/plugin/types';\nimport type { BetterAuthPluginOptions } from '@/better-auth/types';\nimport type { Where } from 'better-auth';\nimport { APIError, createAuthMiddleware } from 'better-auth/api';\nimport { z } from 'zod';\n\nconst throwUnauthorizedError = () => {\n  throw new APIError('UNAUTHORIZED', {\n    message: 'signup disabled', // mimic: https://github.com/better-auth/better-auth/blob/171fab5273cf38f46cf207b0d99c8ccdda64c2fb/packages/better-auth/src/oauth2/link-account.ts#L108\n  });\n};\n\n/**\n * Mofies options object and adds a middleware to check for admin invite for sign up\n */\nexport const requireAdminInviteForSignUpMiddleware = async ({\n  options,\n  pluginOptions,\n}: {\n  options: SanitizedBetterAuthOptions;\n  pluginOptions: BetterAuthPluginOptions;\n}) => {\n  options.hooks = options.hooks ?? {};\n  const originalBefore = options.hooks.before;\n  options.hooks.before = createAuthMiddleware(async ctx => {\n    if (\n      ctx.path !== '/sign-up/email' && // not an email sign-up request\n      !(ctx.path === '/sign-in/social' && ctx.body?.requestSignUp) // not a social sign-in request with sign-up intent\n    )\n      return ctx;\n    // Using any because BetterAuth ctx.body structure varies by request type and cannot be strictly typed\n    const adminInviteToken =\n      // biome-ignore lint/suspicious/noExplicitAny: BetterAuth ctx.body structure varies by request type\n      ctx?.query?.adminInviteToken ?? (ctx.body as any).adminInviteToken;\n    if (\n      !!pluginOptions.requireAdminInviteForSignUp &&\n      !z.string().uuid().safeParse(adminInviteToken).success\n    ) {\n      throwUnauthorizedError();\n      return ctx;\n    }\n    const query: Where = {\n      field: 'token',\n      value: adminInviteToken,\n      operator: 'eq',\n    };\n    const isValidAdminInvitation = await ctx.context.adapter.count({\n      model: pluginOptions.adminInvitations?.slug ?? baseSlugs.adminInvitations,\n      where: [query],\n    });\n    if (isValidAdminInvitation) {\n      // Using any because BetterAuth middleware functions have dynamic signatures that vary by context\n      // biome-ignore lint/suspicious/noExplicitAny: BetterAuth middleware functions have dynamic signatures\n      if (originalBefore) return (originalBefore as any)(ctx as any);\n      return ctx;\n    }\n    throwUnauthorizedError();\n    return ctx;\n  });\n};\n"],"names":["baseSlugs","APIError","createAuthMiddleware","z","throwUnauthorizedError","message","requireAdminInviteForSignUpMiddleware","options","pluginOptions","hooks","originalBefore","before","ctx","path","body","requestSignUp","adminInviteToken","query","requireAdminInviteForSignUp","string","uuid","safeParse","success","field","value","operator","isValidAdminInvitation","context","adapter","count","model","adminInvitations","slug","where"],"mappings":"AAAA,SAASA,SAAS,QAAQ,iCAAiC;AAI3D,SAASC,QAAQ,EAAEC,oBAAoB,QAAQ,kBAAkB;AACjE,SAASC,CAAC,QAAQ,MAAM;AAExB,MAAMC,yBAAyB;IAC7B,MAAM,IAAIH,SAAS,gBAAgB;QACjCI,SAAS;IACX;AACF;AAEA;;CAEC,GACD,OAAO,MAAMC,wCAAwC,OAAO,EAC1DC,OAAO,EACPC,aAAa,EAId;IACCD,QAAQE,KAAK,GAAGF,QAAQE,KAAK,IAAI,CAAC;IAClC,MAAMC,iBAAiBH,QAAQE,KAAK,CAACE,MAAM;IAC3CJ,QAAQE,KAAK,CAACE,MAAM,GAAGT,qBAAqB,OAAMU;QAChD,IACEA,IAAIC,IAAI,KAAK,oBAAoB,+BAA+B;QAChE,CAAED,CAAAA,IAAIC,IAAI,KAAK,qBAAqBD,IAAIE,IAAI,EAAEC,cAAe,mDAAmD;QAAtD,GAE1D,OAAOH;QACT,sGAAsG;QACtG,MAAMI,mBACJ,mGAAmG;QACnGJ,KAAKK,OAAOD,oBAAoB,AAACJ,IAAIE,IAAI,CAASE,gBAAgB;QACpE,IACE,CAAC,CAACR,cAAcU,2BAA2B,IAC3C,CAACf,EAAEgB,MAAM,GAAGC,IAAI,GAAGC,SAAS,CAACL,kBAAkBM,OAAO,EACtD;YACAlB;YACA,OAAOQ;QACT;QACA,MAAMK,QAAe;YACnBM,OAAO;YACPC,OAAOR;YACPS,UAAU;QACZ;QACA,MAAMC,yBAAyB,MAAMd,IAAIe,OAAO,CAACC,OAAO,CAACC,KAAK,CAAC;YAC7DC,OAAOtB,cAAcuB,gBAAgB,EAAEC,QAAQhC,UAAU+B,gBAAgB;YACzEE,OAAO;gBAAChB;aAAM;QAChB;QACA,IAAIS,wBAAwB;YAC1B,iGAAiG;YACjG,sGAAsG;YACtG,IAAIhB,gBAAgB,OAAO,AAACA,eAAuBE;YACnD,OAAOA;QACT;QACAR;QACA,OAAOQ;IACT;AACF,EAAE"}

package/dist/better-auth/plugin/lib/sanitize-better-auth-options/utils/save-to-jwt-middleware.d.ts

@@ -0,0 +1,15 @@
+import type { BetterAuthSchemas, SanitizedBetterAuthOptions } from '@/better-auth/plugin/types';
+import type { Config, Payload } from 'payload';
+/**
+ * Sets up a middleware that enforces the saveToJwt configuration when setting session data.
+ * This ensures that only fields specified in saveToJwt are included in the cookie cache
+ * for both user and session objects.
+ *
+ * The middleware runs after authentication and filters the session data based on
+ * the collection configurations before storing it in the cookie cache.
+ */
+export declare function saveToJwtMiddleware({ sanitizedOptions, config, resolvedSchemas, }: {
+    sanitizedOptions: SanitizedBetterAuthOptions;
+    config: Payload['config'] | Config | Promise<Payload['config'] | Config>;
+    resolvedSchemas: BetterAuthSchemas;
+}): void;