@sirketio/auth 0.0.1

package/dist/index.d.mts

@@ -0,0 +1,53 @@
+import { __exportAll, __reExport } from "./_virtual/_rolldown/runtime.mjs";
+import { HasRequiredKeys, Prettify, PrettifyDeep, RequiredKeysOf, StripEmptyObjects, UnionToIntersection } from "./types/helper.mjs";
+import { BetterAuthClientOptions, BetterAuthClientPlugin, ClientAtomListener, ClientStore, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferSessionFromClient, InferUserFromClient, IsSignal, SessionQueryParams } from "./client/types.mjs";
+import { DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, JoinConfig, JoinOption, Where } from "./types/adapter.mjs";
+import { FilteredAPI, InferAPI, InferSessionAPI } from "./types/api.mjs";
+import { Account, AdditionalUserFieldsInput, InferPluginTypes, RateLimit, Session, User, Verification } from "./types/models.mjs";
+import { InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginIDs } from "./types/plugins.mjs";
+import { Auth } from "./types/auth.mjs";
+import { BetterAuthAdvancedOptions, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, StoreIdentifierOption } from "./types/index.mjs";
+import { sirketioAuth } from "./auth/minimal.mjs";
+import { generateState, parseState } from "./oauth2/state.mjs";
+import { StateData, generateGenericState, parseGenericState } from "./state.mjs";
+import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
+import { getBaseURL, getHost, getOrigin, getProtocol } from "./utils/url.mjs";
+import "./utils/index.mjs";
+import { APIError } from "./api/index.mjs";
+import { StandardSchemaV1 } from "@better-auth/core";
+import { getCurrentAdapter } from "@better-auth/core/context";
+import { TelemetryEvent, createTelemetry, getTelemetryAuthConfig } from "@better-auth/telemetry";
+import { JSONWebKeySet, JWTPayload } from "jose";
+export * from "@better-auth/core";
+export * from "@better-auth/core/db";
+export * from "@better-auth/core/env";
+export * from "@better-auth/core/error";
+export * from "@better-auth/core/oauth2";
+export * from "@better-auth/core/utils/error-codes";
+export * from "@better-auth/core/utils/id";
+export * from "@better-auth/core/utils/json";
+export * from "@better-auth/core/social-providers";
+export * from "better-call";
+export * from "zod";
+export * from "zod/v4";
+export * from "zod/v4/core";
+
+//#region src/index.d.ts
+declare namespace index_d_exports {
+  export { APIError, Account, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsSignal, JSONWebKeySet, JWTPayload, JoinConfig, JoinOption, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, TelemetryEvent, UnionToIntersection, User, Verification, Where, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getOrigin, getProtocol, getTelemetryAuthConfig, parseGenericState, parseState, sirketioAuth };
+}
+import * as import__better_auth_core from "@better-auth/core";
+import * as import__better_auth_core_db from "@better-auth/core/db";
+import * as import__better_auth_core_env from "@better-auth/core/env";
+import * as import__better_auth_core_error from "@better-auth/core/error";
+import * as import__better_auth_core_oauth2 from "@better-auth/core/oauth2";
+import * as import__better_auth_core_utils_error_codes from "@better-auth/core/utils/error-codes";
+import * as import__better_auth_core_utils_id from "@better-auth/core/utils/id";
+import * as import__better_auth_core_utils_json from "@better-auth/core/utils/json";
+import * as import_better_call from "better-call";
+import * as import_zod from "zod";
+import * as import_zod_v4 from "zod/v4";
+import * as import_zod_v4_core from "zod/v4/core";
+//#endregion
+export { APIError, Account, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getOrigin, getProtocol, getTelemetryAuthConfig, index_d_exports, parseGenericState, parseState, sirketioAuth };
+//# sourceMappingURL=index.d.mts.map

package/dist/index.mjs

@@ -0,0 +1,27 @@
+import { getBaseURL, getHost, getOrigin, getProtocol } from "./utils/url.mjs";
+import { generateGenericState, parseGenericState } from "./state.mjs";
+import { generateState, parseState } from "./oauth2/state.mjs";
+import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
+import "./utils/index.mjs";
+import { APIError } from "./api/index.mjs";
+import { sirketioAuth } from "./auth/minimal.mjs";
+import { getCurrentAdapter } from "@better-auth/core/context";
+import { createTelemetry, getTelemetryAuthConfig } from "@better-auth/telemetry";
+
+export * from "@better-auth/core"
+
+export * from "@better-auth/core/db"
+
+export * from "@better-auth/core/env"
+
+export * from "@better-auth/core/error"
+
+export * from "@better-auth/core/oauth2"
+
+export * from "@better-auth/core/utils/error-codes"
+
+export * from "@better-auth/core/utils/id"
+
+export * from "@better-auth/core/utils/json"
+
+export { APIError, HIDE_METADATA, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getOrigin, getProtocol, getTelemetryAuthConfig, parseGenericState, parseState, sirketioAuth };

package/dist/integrations/next-js.d.mts

@@ -0,0 +1,29 @@
+import * as _better_auth_core0 from "@better-auth/core";
+import * as better_call0 from "better-call";
+
+//#region src/integrations/next-js.d.ts
+declare function toNextJsHandler(auth: {
+  handler: (request: Request) => Promise<Response>;
+} | ((request: Request) => Promise<Response>)): {
+  GET: (request: Request) => Promise<Response>;
+  POST: (request: Request) => Promise<Response>;
+  PATCH: (request: Request) => Promise<Response>;
+  PUT: (request: Request) => Promise<Response>;
+  DELETE: (request: Request) => Promise<Response>;
+};
+declare const nextCookies: () => {
+  id: "next-cookies";
+  hooks: {
+    before: {
+      matcher(ctx: _better_auth_core0.HookEndpointContext): boolean;
+      handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>;
+    }[];
+    after: {
+      matcher(ctx: _better_auth_core0.HookEndpointContext): true;
+      handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>;
+    }[];
+  };
+};
+//#endregion
+export { nextCookies, toNextJsHandler };
+//# sourceMappingURL=next-js.d.mts.map

package/dist/integrations/next-js.mjs

@@ -0,0 +1,85 @@
+import { parseSetCookieHeader } from "../cookies/cookie-utils.mjs";
+import "../cookies/index.mjs";
+import { setShouldSkipSessionRefresh } from "../api/state/should-session-refresh.mjs";
+import { createAuthMiddleware } from "@better-auth/core/api";
+
+//#region src/integrations/next-js.ts
+function toNextJsHandler(auth) {
+	const handler = async (request) => {
+		return "handler" in auth ? auth.handler(request) : auth(request);
+	};
+	return {
+		GET: handler,
+		POST: handler,
+		PATCH: handler,
+		PUT: handler,
+		DELETE: handler
+	};
+}
+const nextCookies = () => {
+	return {
+		id: "next-cookies",
+		hooks: {
+			before: [{
+				matcher(ctx) {
+					return ctx.path === "/get-session";
+				},
+				handler: createAuthMiddleware(async () => {
+					let cookieStore;
+					try {
+						const { cookies } = await import("next/headers");
+						cookieStore = await cookies();
+					} catch {
+						return;
+					}
+					try {
+						cookieStore.set("__better-auth-cookie-store", "1", { maxAge: 0 });
+					} catch {
+						await setShouldSkipSessionRefresh(true);
+					}
+				})
+			}],
+			after: [{
+				matcher(ctx) {
+					return true;
+				},
+				handler: createAuthMiddleware(async (ctx) => {
+					const returned = ctx.context.responseHeaders;
+					if ("_flag" in ctx && ctx._flag === "router") return;
+					if (returned instanceof Headers) {
+						const setCookies = returned?.get("set-cookie");
+						if (!setCookies) return;
+						const parsed = parseSetCookieHeader(setCookies);
+						const { cookies } = await import("next/headers");
+						let cookieHelper;
+						try {
+							cookieHelper = await cookies();
+						} catch (error) {
+							if (error instanceof Error && error.message.startsWith("`cookies` was called outside a request scope.")) return;
+							throw error;
+						}
+						parsed.forEach((value, key) => {
+							if (!key) return;
+							const opts = {
+								sameSite: value.samesite,
+								secure: value.secure,
+								maxAge: value["max-age"],
+								httpOnly: value.httponly,
+								domain: value.domain,
+								path: value.path
+							};
+							try {
+								cookieHelper.set(key, decodeURIComponent(value.value), opts);
+							} catch {}
+						});
+						return;
+					}
+				})
+			}]
+		}
+	};
+};
+
+//#endregion
+export { nextCookies, toNextJsHandler };
+//# sourceMappingURL=next-js.mjs.map

package/dist/integrations/next-js.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"next-js.mjs","names":[],"sources":["../../src/integrations/next-js.ts"],"sourcesContent":["import type { BetterAuthPlugin } from \"@better-auth/core\";\nimport { createAuthMiddleware } from \"@better-auth/core/api\";\nimport { setShouldSkipSessionRefresh } from \"../api/state/should-session-refresh\";\nimport { parseSetCookieHeader } from \"../cookies\";\n\nexport function toNextJsHandler(\n\tauth:\n\t\t| {\n\t\t\t\thandler: (request: Request) => Promise<Response>;\n\t\t  }\n\t\t| ((request: Request) => Promise<Response>),\n) {\n\tconst handler = async (request: Request) => {\n\t\treturn \"handler\" in auth ? auth.handler(request) : auth(request);\n\t};\n\treturn {\n\t\tGET: handler,\n\t\tPOST: handler,\n\t\tPATCH: handler,\n\t\tPUT: handler,\n\t\tDELETE: handler,\n\t};\n}\n\nexport const nextCookies = () => {\n\treturn {\n\t\tid: \"next-cookies\",\n\t\thooks: {\n\t\t\tbefore: [\n\t\t\t\t{\n\t\t\t\t\tmatcher(ctx) {\n\t\t\t\t\t\treturn ctx.path === \"/get-session\";\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async () => {\n\t\t\t\t\t\t// Detect Server Component by testing if cookies can be modified.\n\t\t\t\t\t\t// In Server Components, `cookies().set()` throws an error.\n\t\t\t\t\t\t// In Server Actions or Route Handlers, it succeeds.\n\t\t\t\t\t\tlet cookieStore: Awaited<\n\t\t\t\t\t\t\tReturnType<typeof import(\"next/headers\").cookies>\n\t\t\t\t\t\t>;\n\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\tconst { cookies } = await import(\"next/headers\");\n\t\t\t\t\t\t\tcookieStore = await cookies();\n\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t// import failed or not in request context\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\tcookieStore.set(\"__better-auth-cookie-store\", \"1\", { maxAge: 0 });\n\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\tawait setShouldSkipSessionRefresh(true);\n\t\t\t\t\t\t}\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t\tafter: [\n\t\t\t\t{\n\t\t\t\t\tmatcher(ctx) {\n\t\t\t\t\t\treturn true;\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\tconst returned = ctx.context.responseHeaders;\n\t\t\t\t\t\tif (\"_flag\" in ctx && ctx._flag === \"router\") {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (returned instanceof Headers) {\n\t\t\t\t\t\t\tconst setCookies = returned?.get(\"set-cookie\");\n\t\t\t\t\t\t\tif (!setCookies) return;\n\t\t\t\t\t\t\tconst parsed = parseSetCookieHeader(setCookies);\n\t\t\t\t\t\t\tconst { cookies } = await import(\"next/headers\");\n\t\t\t\t\t\t\tlet cookieHelper: Awaited<ReturnType<typeof cookies>>;\n\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\tcookieHelper = await cookies();\n\t\t\t\t\t\t\t} catch (error) {\n\t\t\t\t\t\t\t\tif (\n\t\t\t\t\t\t\t\t\terror instanceof Error &&\n\t\t\t\t\t\t\t\t\terror.message.startsWith(\n\t\t\t\t\t\t\t\t\t\t\"`cookies` was called outside a request scope.\",\n\t\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t\t) {\n\t\t\t\t\t\t\t\t\t// If error it means the `cookies` was called outside request scope.\n\t\t\t\t\t\t\t\t\t// NextJS docs on this: https://nextjs.org/docs/messages/next-dynamic-api-wrong-context\n\t\t\t\t\t\t\t\t\t// This often gets called in a monorepo workspace (outside of NextJS),\n\t\t\t\t\t\t\t\t\t// so we will try to catch this suppress it, and ignore using next-cookies.\n\t\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t\t// If it's an unexpected error, throw it.\n\t\t\t\t\t\t\t\tthrow error;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tparsed.forEach((value, key) => {\n\t\t\t\t\t\t\t\tif (!key) return;\n\t\t\t\t\t\t\t\tconst opts = {\n\t\t\t\t\t\t\t\t\tsameSite: value.samesite,\n\t\t\t\t\t\t\t\t\tsecure: value.secure,\n\t\t\t\t\t\t\t\t\tmaxAge: value[\"max-age\"],\n\t\t\t\t\t\t\t\t\thttpOnly: value.httponly,\n\t\t\t\t\t\t\t\t\tdomain: value.domain,\n\t\t\t\t\t\t\t\t\tpath: value.path,\n\t\t\t\t\t\t\t\t} as const;\n\t\t\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\t\t\tcookieHelper.set(key, decodeURIComponent(value.value), opts);\n\t\t\t\t\t\t\t\t} catch {\n\t\t\t\t\t\t\t\t\t// this will fail if the cookie is being set on server component\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;AAKA,SAAgB,gBACf,MAKC;CACD,MAAM,UAAU,OAAO,YAAqB;AAC3C,SAAO,aAAa,OAAO,KAAK,QAAQ,QAAQ,GAAG,KAAK,QAAQ;;AAEjE,QAAO;EACN,KAAK;EACL,MAAM;EACN,OAAO;EACP,KAAK;EACL,QAAQ;EACR;;AAGF,MAAa,oBAAoB;AAChC,QAAO;EACN,IAAI;EACJ,OAAO;GACN,QAAQ,CACP;IACC,QAAQ,KAAK;AACZ,YAAO,IAAI,SAAS;;IAErB,SAAS,qBAAqB,YAAY;KAIzC,IAAI;AAGJ,SAAI;MACH,MAAM,EAAE,YAAY,MAAM,OAAO;AACjC,oBAAc,MAAM,SAAS;aACtB;AAEP;;AAED,SAAI;AACH,kBAAY,IAAI,8BAA8B,KAAK,EAAE,QAAQ,GAAG,CAAC;aAC1D;AACP,YAAM,4BAA4B,KAAK;;MAEvC;IACF,CACD;GACD,OAAO,CACN;IACC,QAAQ,KAAK;AACZ,YAAO;;IAER,SAAS,qBAAqB,OAAO,QAAQ;KAC5C,MAAM,WAAW,IAAI,QAAQ;AAC7B,SAAI,WAAW,OAAO,IAAI,UAAU,SACnC;AAED,SAAI,oBAAoB,SAAS;MAChC,MAAM,aAAa,UAAU,IAAI,aAAa;AAC9C,UAAI,CAAC,WAAY;MACjB,MAAM,SAAS,qBAAqB,WAAW;MAC/C,MAAM,EAAE,YAAY,MAAM,OAAO;MACjC,IAAI;AACJ,UAAI;AACH,sBAAe,MAAM,SAAS;eACtB,OAAO;AACf,WACC,iBAAiB,SACjB,MAAM,QAAQ,WACb,gDACA,CAMD;AAGD,aAAM;;AAEP,aAAO,SAAS,OAAO,QAAQ;AAC9B,WAAI,CAAC,IAAK;OACV,MAAM,OAAO;QACZ,UAAU,MAAM;QAChB,QAAQ,MAAM;QACd,QAAQ,MAAM;QACd,UAAU,MAAM;QAChB,QAAQ,MAAM;QACd,MAAM,MAAM;QACZ;AACD,WAAI;AACH,qBAAa,IAAI,KAAK,mBAAmB,MAAM,MAAM,EAAE,KAAK;eACrD;QAGP;AACF;;MAEA;IACF,CACD;GACD;EACD"}

package/dist/oauth2/index.d.mts

@@ -0,0 +1,5 @@
+import { generateState, parseState } from "./state.mjs";
+import { handleOAuthUserInfo } from "./link-account.mjs";
+import { decryptOAuthToken, setTokenUtil } from "./utils.mjs";
+export * from "@better-auth/core/oauth2";
+export { decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };

package/dist/oauth2/index.mjs

@@ -0,0 +1,7 @@
+import { generateState, parseState } from "./state.mjs";
+import { decryptOAuthToken, setTokenUtil } from "./utils.mjs";
+import { handleOAuthUserInfo } from "./link-account.mjs";
+
+export * from "@better-auth/core/oauth2"
+
+export { decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };

package/dist/oauth2/link-account.d.mts

@@ -0,0 +1,48 @@
+import { Account, User } from "../types/models.mjs";
+import "../types/index.mjs";
+import { GenericEndpointContext } from "@better-auth/core";
+
+//#region src/oauth2/link-account.d.ts
+declare function handleOAuthUserInfo(c: GenericEndpointContext, opts: {
+  userInfo: Omit<User, "createdAt" | "updatedAt">;
+  account: Omit<Account, "id" | "userId" | "createdAt" | "updatedAt">;
+  callbackURL?: string | undefined;
+  disableSignUp?: boolean | undefined;
+  overrideUserInfo?: boolean | undefined;
+  isTrustedProvider?: boolean | undefined;
+}): Promise<{
+  error: string;
+  data: null;
+  isRegister?: undefined;
+} | {
+  error: string;
+  data: null;
+  isRegister: boolean;
+} | {
+  data: {
+    session: {
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      userId: string;
+      expiresAt: Date;
+      token: string;
+      ipAddress?: string | null | undefined;
+      userAgent?: string | null | undefined;
+    };
+    user: {
+      id: string;
+      createdAt: Date;
+      updatedAt: Date;
+      email: string;
+      emailVerified: boolean;
+      name: string;
+      image?: string | null | undefined;
+    };
+  };
+  error: null;
+  isRegister: boolean;
+}>;
+//#endregion
+export { handleOAuthUserInfo };
+//# sourceMappingURL=link-account.d.mts.map

package/dist/oauth2/link-account.mjs

@@ -0,0 +1,143 @@
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { setAccountCookie } from "../cookies/session-store.mjs";
+import { setTokenUtil } from "./utils.mjs";
+import { createEmailVerificationToken } from "../api/routes/email-verification.mjs";
+import "../api/index.mjs";
+import { isDevelopment, logger } from "@better-auth/core/env";
+
+//#region src/oauth2/link-account.ts
+async function handleOAuthUserInfo(c, opts) {
+	const { userInfo, account, callbackURL, disableSignUp, overrideUserInfo } = opts;
+	const dbUser = await c.context.internalAdapter.findOAuthUser(userInfo.email.toLowerCase(), account.accountId, account.providerId).catch((e) => {
+		logger.error("Better auth was unable to query your database.\nError: ", e);
+		const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+		throw c.redirect(`${errorURL}?error=internal_server_error`);
+	});
+	let user = dbUser?.user;
+	const isRegister = !user;
+	if (dbUser) {
+		const linkedAccount = dbUser.linkedAccount ?? dbUser.accounts.find((acc) => acc.providerId === account.providerId && acc.accountId === account.accountId);
+		if (!linkedAccount) {
+			const accountLinking = c.context.options.account?.accountLinking;
+			if (!(opts.isTrustedProvider || c.context.trustedProviders.includes(account.providerId)) && !userInfo.emailVerified || accountLinking?.enabled === false || accountLinking?.disableImplicitLinking === true) {
+				if (isDevelopment()) logger.warn(`User already exist but account isn't linked to ${account.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`);
+				return {
+					error: "account not linked",
+					data: null
+				};
+			}
+			try {
+				await c.context.internalAdapter.linkAccount({
+					providerId: account.providerId,
+					accountId: userInfo.id.toString(),
+					userId: dbUser.user.id,
+					accessToken: await setTokenUtil(account.accessToken, c.context),
+					refreshToken: await setTokenUtil(account.refreshToken, c.context),
+					idToken: account.idToken,
+					accessTokenExpiresAt: account.accessTokenExpiresAt,
+					refreshTokenExpiresAt: account.refreshTokenExpiresAt,
+					scope: account.scope
+				});
+			} catch (e) {
+				logger.error("Unable to link account", e);
+				return {
+					error: "unable to link account",
+					data: null
+				};
+			}
+			if (userInfo.emailVerified && !dbUser.user.emailVerified && userInfo.email.toLowerCase() === dbUser.user.email) await c.context.internalAdapter.updateUser(dbUser.user.id, { emailVerified: true });
+		} else {
+			const freshTokens = c.context.options.account?.updateAccountOnSignIn !== false ? Object.fromEntries(Object.entries({
+				idToken: account.idToken,
+				accessToken: await setTokenUtil(account.accessToken, c.context),
+				refreshToken: await setTokenUtil(account.refreshToken, c.context),
+				accessTokenExpiresAt: account.accessTokenExpiresAt,
+				refreshTokenExpiresAt: account.refreshTokenExpiresAt,
+				scope: account.scope
+			}).filter(([_, value]) => value !== void 0)) : {};
+			if (c.context.options.account?.storeAccountCookie) await setAccountCookie(c, {
+				...linkedAccount,
+				...freshTokens
+			});
+			if (Object.keys(freshTokens).length > 0) await c.context.internalAdapter.updateAccount(linkedAccount.id, freshTokens);
+			if (userInfo.emailVerified && !dbUser.user.emailVerified && userInfo.email.toLowerCase() === dbUser.user.email) await c.context.internalAdapter.updateUser(dbUser.user.id, { emailVerified: true });
+		}
+		if (overrideUserInfo) {
+			const { id: _, ...restUserInfo } = userInfo;
+			user = await c.context.internalAdapter.updateUser(dbUser.user.id, {
+				...restUserInfo,
+				email: userInfo.email.toLowerCase(),
+				emailVerified: userInfo.email.toLowerCase() === dbUser.user.email ? dbUser.user.emailVerified || userInfo.emailVerified : userInfo.emailVerified
+			});
+		}
+	} else {
+		if (disableSignUp) return {
+			error: "signup disabled",
+			data: null,
+			isRegister: false
+		};
+		try {
+			const { id: _, ...restUserInfo } = userInfo;
+			const accountData = {
+				accessToken: await setTokenUtil(account.accessToken, c.context),
+				refreshToken: await setTokenUtil(account.refreshToken, c.context),
+				idToken: account.idToken,
+				accessTokenExpiresAt: account.accessTokenExpiresAt,
+				refreshTokenExpiresAt: account.refreshTokenExpiresAt,
+				scope: account.scope,
+				providerId: account.providerId,
+				accountId: userInfo.id.toString()
+			};
+			const { user: createdUser, account: createdAccount } = await c.context.internalAdapter.createOAuthUser({
+				...restUserInfo,
+				email: userInfo.email.toLowerCase()
+			}, accountData);
+			user = createdUser;
+			if (c.context.options.account?.storeAccountCookie) await setAccountCookie(c, createdAccount);
+			if (!userInfo.emailVerified && user && c.context.options.emailVerification?.sendOnSignUp && c.context.options.emailVerification?.sendVerificationEmail) {
+				const token = await createEmailVerificationToken(c.context.secret, user.email, void 0, c.context.options.emailVerification?.expiresIn);
+				const url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${callbackURL}`;
+				await c.context.runInBackgroundOrAwait(c.context.options.emailVerification.sendVerificationEmail({
+					user,
+					url,
+					token
+				}, c.request));
+			}
+		} catch (e) {
+			logger.error(e);
+			if (isAPIError(e)) return {
+				error: e.message,
+				data: null,
+				isRegister: false
+			};
+			return {
+				error: "unable to create user",
+				data: null,
+				isRegister: false
+			};
+		}
+	}
+	if (!user) return {
+		error: "unable to create user",
+		data: null,
+		isRegister: false
+	};
+	const session = await c.context.internalAdapter.createSession(user.id);
+	if (!session) return {
+		error: "unable to create session",
+		data: null,
+		isRegister: false
+	};
+	return {
+		data: {
+			session,
+			user
+		},
+		error: null,
+		isRegister
+	};
+}
+
+//#endregion
+export { handleOAuthUserInfo };
+//# sourceMappingURL=link-account.mjs.map

package/dist/oauth2/link-account.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"link-account.mjs","names":[],"sources":["../../src/oauth2/link-account.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { isDevelopment, logger } from \"@better-auth/core/env\";\nimport { createEmailVerificationToken } from \"../api\";\nimport { setAccountCookie } from \"../cookies/session-store\";\nimport type { Account, User } from \"../types\";\nimport { isAPIError } from \"../utils/is-api-error\";\nimport { setTokenUtil } from \"./utils\";\n\nexport async function handleOAuthUserInfo(\n\tc: GenericEndpointContext,\n\topts: {\n\t\tuserInfo: Omit<User, \"createdAt\" | \"updatedAt\">;\n\t\taccount: Omit<Account, \"id\" | \"userId\" | \"createdAt\" | \"updatedAt\">;\n\t\tcallbackURL?: string | undefined;\n\t\tdisableSignUp?: boolean | undefined;\n\t\toverrideUserInfo?: boolean | undefined;\n\t\tisTrustedProvider?: boolean | undefined;\n\t},\n) {\n\tconst { userInfo, account, callbackURL, disableSignUp, overrideUserInfo } =\n\t\topts;\n\tconst dbUser = await c.context.internalAdapter\n\t\t.findOAuthUser(\n\t\t\tuserInfo.email.toLowerCase(),\n\t\t\taccount.accountId,\n\t\t\taccount.providerId,\n\t\t)\n\t\t.catch((e) => {\n\t\t\tlogger.error(\n\t\t\t\t\"Better auth was unable to query your database.\\nError: \",\n\t\t\t\te,\n\t\t\t);\n\t\t\tconst errorURL =\n\t\t\t\tc.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;\n\t\t\tthrow c.redirect(`${errorURL}?error=internal_server_error`);\n\t\t});\n\tlet user = dbUser?.user;\n\tconst isRegister = !user;\n\n\tif (dbUser) {\n\t\tconst linkedAccount =\n\t\t\tdbUser.linkedAccount ??\n\t\t\tdbUser.accounts.find(\n\t\t\t\t(acc) =>\n\t\t\t\t\tacc.providerId === account.providerId &&\n\t\t\t\t\tacc.accountId === account.accountId,\n\t\t\t);\n\t\tif (!linkedAccount) {\n\t\t\tconst accountLinking = c.context.options.account?.accountLinking;\n\t\t\tconst isTrustedProvider =\n\t\t\t\topts.isTrustedProvider ||\n\t\t\t\tc.context.trustedProviders.includes(account.providerId);\n\t\t\tif (\n\t\t\t\t(!isTrustedProvider && !userInfo.emailVerified) ||\n\t\t\t\taccountLinking?.enabled === false ||\n\t\t\t\taccountLinking?.disableImplicitLinking === true\n\t\t\t) {\n\t\t\t\tif (isDevelopment()) {\n\t\t\t\t\tlogger.warn(\n\t\t\t\t\t\t`User already exist but account isn't linked to ${account.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\treturn {\n\t\t\t\t\terror: \"account not linked\",\n\t\t\t\t\tdata: null,\n\t\t\t\t};\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tawait c.context.internalAdapter.linkAccount({\n\t\t\t\t\tproviderId: account.providerId,\n\t\t\t\t\taccountId: userInfo.id.toString(),\n\t\t\t\t\tuserId: dbUser.user.id,\n\t\t\t\t\taccessToken: await setTokenUtil(account.accessToken, c.context),\n\t\t\t\t\trefreshToken: await setTokenUtil(account.refreshToken, c.context),\n\t\t\t\t\tidToken: account.idToken,\n\t\t\t\t\taccessTokenExpiresAt: account.accessTokenExpiresAt,\n\t\t\t\t\trefreshTokenExpiresAt: account.refreshTokenExpiresAt,\n\t\t\t\t\tscope: account.scope,\n\t\t\t\t});\n\t\t\t} catch (e) {\n\t\t\t\tlogger.error(\"Unable to link account\", e);\n\t\t\t\treturn {\n\t\t\t\t\terror: \"unable to link account\",\n\t\t\t\t\tdata: null,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tuserInfo.emailVerified &&\n\t\t\t\t!dbUser.user.emailVerified &&\n\t\t\t\tuserInfo.email.toLowerCase() === dbUser.user.email\n\t\t\t) {\n\t\t\t\tawait c.context.internalAdapter.updateUser(dbUser.user.id, {\n\t\t\t\t\temailVerified: true,\n\t\t\t\t});\n\t\t\t}\n\t\t} else {\n\t\t\tconst freshTokens =\n\t\t\t\tc.context.options.account?.updateAccountOnSignIn !== false\n\t\t\t\t\t? Object.fromEntries(\n\t\t\t\t\t\t\tObject.entries({\n\t\t\t\t\t\t\t\tidToken: account.idToken,\n\t\t\t\t\t\t\t\taccessToken: await setTokenUtil(account.accessToken, c.context),\n\t\t\t\t\t\t\t\trefreshToken: await setTokenUtil(\n\t\t\t\t\t\t\t\t\taccount.refreshToken,\n\t\t\t\t\t\t\t\t\tc.context,\n\t\t\t\t\t\t\t\t),\n\t\t\t\t\t\t\t\taccessTokenExpiresAt: account.accessTokenExpiresAt,\n\t\t\t\t\t\t\t\trefreshTokenExpiresAt: account.refreshTokenExpiresAt,\n\t\t\t\t\t\t\t\tscope: account.scope,\n\t\t\t\t\t\t\t}).filter(([_, value]) => value !== undefined),\n\t\t\t\t\t\t)\n\t\t\t\t\t: {};\n\n\t\t\tif (c.context.options.account?.storeAccountCookie) {\n\t\t\t\tawait setAccountCookie(c, {\n\t\t\t\t\t...linkedAccount,\n\t\t\t\t\t...freshTokens,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (Object.keys(freshTokens).length > 0) {\n\t\t\t\tawait c.context.internalAdapter.updateAccount(\n\t\t\t\t\tlinkedAccount.id,\n\t\t\t\t\tfreshTokens,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tuserInfo.emailVerified &&\n\t\t\t\t!dbUser.user.emailVerified &&\n\t\t\t\tuserInfo.email.toLowerCase() === dbUser.user.email\n\t\t\t) {\n\t\t\t\tawait c.context.internalAdapter.updateUser(dbUser.user.id, {\n\t\t\t\t\temailVerified: true,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t\tif (overrideUserInfo) {\n\t\t\tconst { id: _, ...restUserInfo } = userInfo;\n\t\t\t// update user info from the provider if overrideUserInfo is true\n\t\t\tuser = await c.context.internalAdapter.updateUser(dbUser.user.id, {\n\t\t\t\t...restUserInfo,\n\t\t\t\temail: userInfo.email.toLowerCase(),\n\t\t\t\temailVerified:\n\t\t\t\t\tuserInfo.email.toLowerCase() === dbUser.user.email\n\t\t\t\t\t\t? dbUser.user.emailVerified || userInfo.emailVerified\n\t\t\t\t\t\t: userInfo.emailVerified,\n\t\t\t});\n\t\t}\n\t} else {\n\t\tif (disableSignUp) {\n\t\t\treturn {\n\t\t\t\terror: \"signup disabled\",\n\t\t\t\tdata: null,\n\t\t\t\tisRegister: false,\n\t\t\t};\n\t\t}\n\t\ttry {\n\t\t\tconst { id: _, ...restUserInfo } = userInfo;\n\t\t\tconst accountData = {\n\t\t\t\taccessToken: await setTokenUtil(account.accessToken, c.context),\n\t\t\t\trefreshToken: await setTokenUtil(account.refreshToken, c.context),\n\t\t\t\tidToken: account.idToken,\n\t\t\t\taccessTokenExpiresAt: account.accessTokenExpiresAt,\n\t\t\t\trefreshTokenExpiresAt: account.refreshTokenExpiresAt,\n\t\t\t\tscope: account.scope,\n\t\t\t\tproviderId: account.providerId,\n\t\t\t\taccountId: userInfo.id.toString(),\n\t\t\t};\n\t\t\tconst { user: createdUser, account: createdAccount } =\n\t\t\t\tawait c.context.internalAdapter.createOAuthUser(\n\t\t\t\t\t{\n\t\t\t\t\t\t...restUserInfo,\n\t\t\t\t\t\temail: userInfo.email.toLowerCase(),\n\t\t\t\t\t},\n\t\t\t\t\taccountData,\n\t\t\t\t);\n\t\t\tuser = createdUser;\n\t\t\tif (c.context.options.account?.storeAccountCookie) {\n\t\t\t\tawait setAccountCookie(c, createdAccount);\n\t\t\t}\n\t\t\tif (\n\t\t\t\t!userInfo.emailVerified &&\n\t\t\t\tuser &&\n\t\t\t\tc.context.options.emailVerification?.sendOnSignUp &&\n\t\t\t\tc.context.options.emailVerification?.sendVerificationEmail\n\t\t\t) {\n\t\t\t\tconst token = await createEmailVerificationToken(\n\t\t\t\t\tc.context.secret,\n\t\t\t\t\tuser.email,\n\t\t\t\t\tundefined,\n\t\t\t\t\tc.context.options.emailVerification?.expiresIn,\n\t\t\t\t);\n\t\t\t\tconst url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${callbackURL}`;\n\t\t\t\tawait c.context.runInBackgroundOrAwait(\n\t\t\t\t\tc.context.options.emailVerification.sendVerificationEmail(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tuser,\n\t\t\t\t\t\t\turl,\n\t\t\t\t\t\t\ttoken,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tc.request,\n\t\t\t\t\t),\n\t\t\t\t);\n\t\t\t}\n\t\t} catch (e: any) {\n\t\t\tlogger.error(e);\n\t\t\tif (isAPIError(e)) {\n\t\t\t\treturn {\n\t\t\t\t\terror: e.message,\n\t\t\t\t\tdata: null,\n\t\t\t\t\tisRegister: false,\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\terror: \"unable to create user\",\n\t\t\t\tdata: null,\n\t\t\t\tisRegister: false,\n\t\t\t};\n\t\t}\n\t}\n\tif (!user) {\n\t\treturn {\n\t\t\terror: \"unable to create user\",\n\t\t\tdata: null,\n\t\t\tisRegister: false,\n\t\t};\n\t}\n\n\tconst session = await c.context.internalAdapter.createSession(user.id);\n\tif (!session) {\n\t\treturn {\n\t\t\terror: \"unable to create session\",\n\t\t\tdata: null,\n\t\t\tisRegister: false,\n\t\t};\n\t}\n\n\treturn {\n\t\tdata: {\n\t\t\tsession,\n\t\t\tuser,\n\t\t},\n\t\terror: null,\n\t\tisRegister,\n\t};\n}\n"],"mappings":";;;;;;;;AAQA,eAAsB,oBACrB,GACA,MAQC;CACD,MAAM,EAAE,UAAU,SAAS,aAAa,eAAe,qBACtD;CACD,MAAM,SAAS,MAAM,EAAE,QAAQ,gBAC7B,cACA,SAAS,MAAM,aAAa,EAC5B,QAAQ,WACR,QAAQ,WACR,CACA,OAAO,MAAM;AACb,SAAO,MACN,2DACA,EACA;EACD,MAAM,WACL,EAAE,QAAQ,QAAQ,YAAY,YAAY,GAAG,EAAE,QAAQ,QAAQ;AAChE,QAAM,EAAE,SAAS,GAAG,SAAS,8BAA8B;GAC1D;CACH,IAAI,OAAO,QAAQ;CACnB,MAAM,aAAa,CAAC;AAEpB,KAAI,QAAQ;EACX,MAAM,gBACL,OAAO,iBACP,OAAO,SAAS,MACd,QACA,IAAI,eAAe,QAAQ,cAC3B,IAAI,cAAc,QAAQ,UAC3B;AACF,MAAI,CAAC,eAAe;GACnB,MAAM,iBAAiB,EAAE,QAAQ,QAAQ,SAAS;AAIlD,OACE,EAHD,KAAK,qBACL,EAAE,QAAQ,iBAAiB,SAAS,QAAQ,WAAW,KAEhC,CAAC,SAAS,iBACjC,gBAAgB,YAAY,SAC5B,gBAAgB,2BAA2B,MAC1C;AACD,QAAI,eAAe,CAClB,QAAO,KACN,kDAAkD,QAAQ,WAAW,6IACrE;AAEF,WAAO;KACN,OAAO;KACP,MAAM;KACN;;AAEF,OAAI;AACH,UAAM,EAAE,QAAQ,gBAAgB,YAAY;KAC3C,YAAY,QAAQ;KACpB,WAAW,SAAS,GAAG,UAAU;KACjC,QAAQ,OAAO,KAAK;KACpB,aAAa,MAAM,aAAa,QAAQ,aAAa,EAAE,QAAQ;KAC/D,cAAc,MAAM,aAAa,QAAQ,cAAc,EAAE,QAAQ;KACjE,SAAS,QAAQ;KACjB,sBAAsB,QAAQ;KAC9B,uBAAuB,QAAQ;KAC/B,OAAO,QAAQ;KACf,CAAC;YACM,GAAG;AACX,WAAO,MAAM,0BAA0B,EAAE;AACzC,WAAO;KACN,OAAO;KACP,MAAM;KACN;;AAGF,OACC,SAAS,iBACT,CAAC,OAAO,KAAK,iBACb,SAAS,MAAM,aAAa,KAAK,OAAO,KAAK,MAE7C,OAAM,EAAE,QAAQ,gBAAgB,WAAW,OAAO,KAAK,IAAI,EAC1D,eAAe,MACf,CAAC;SAEG;GACN,MAAM,cACL,EAAE,QAAQ,QAAQ,SAAS,0BAA0B,QAClD,OAAO,YACP,OAAO,QAAQ;IACd,SAAS,QAAQ;IACjB,aAAa,MAAM,aAAa,QAAQ,aAAa,EAAE,QAAQ;IAC/D,cAAc,MAAM,aACnB,QAAQ,cACR,EAAE,QACF;IACD,sBAAsB,QAAQ;IAC9B,uBAAuB,QAAQ;IAC/B,OAAO,QAAQ;IACf,CAAC,CAAC,QAAQ,CAAC,GAAG,WAAW,UAAU,OAAU,CAC9C,GACA,EAAE;AAEN,OAAI,EAAE,QAAQ,QAAQ,SAAS,mBAC9B,OAAM,iBAAiB,GAAG;IACzB,GAAG;IACH,GAAG;IACH,CAAC;AAGH,OAAI,OAAO,KAAK,YAAY,CAAC,SAAS,EACrC,OAAM,EAAE,QAAQ,gBAAgB,cAC/B,cAAc,IACd,YACA;AAGF,OACC,SAAS,iBACT,CAAC,OAAO,KAAK,iBACb,SAAS,MAAM,aAAa,KAAK,OAAO,KAAK,MAE7C,OAAM,EAAE,QAAQ,gBAAgB,WAAW,OAAO,KAAK,IAAI,EAC1D,eAAe,MACf,CAAC;;AAGJ,MAAI,kBAAkB;GACrB,MAAM,EAAE,IAAI,GAAG,GAAG,iBAAiB;AAEnC,UAAO,MAAM,EAAE,QAAQ,gBAAgB,WAAW,OAAO,KAAK,IAAI;IACjE,GAAG;IACH,OAAO,SAAS,MAAM,aAAa;IACnC,eACC,SAAS,MAAM,aAAa,KAAK,OAAO,KAAK,QAC1C,OAAO,KAAK,iBAAiB,SAAS,gBACtC,SAAS;IACb,CAAC;;QAEG;AACN,MAAI,cACH,QAAO;GACN,OAAO;GACP,MAAM;GACN,YAAY;GACZ;AAEF,MAAI;GACH,MAAM,EAAE,IAAI,GAAG,GAAG,iBAAiB;GACnC,MAAM,cAAc;IACnB,aAAa,MAAM,aAAa,QAAQ,aAAa,EAAE,QAAQ;IAC/D,cAAc,MAAM,aAAa,QAAQ,cAAc,EAAE,QAAQ;IACjE,SAAS,QAAQ;IACjB,sBAAsB,QAAQ;IAC9B,uBAAuB,QAAQ;IAC/B,OAAO,QAAQ;IACf,YAAY,QAAQ;IACpB,WAAW,SAAS,GAAG,UAAU;IACjC;GACD,MAAM,EAAE,MAAM,aAAa,SAAS,mBACnC,MAAM,EAAE,QAAQ,gBAAgB,gBAC/B;IACC,GAAG;IACH,OAAO,SAAS,MAAM,aAAa;IACnC,EACD,YACA;AACF,UAAO;AACP,OAAI,EAAE,QAAQ,QAAQ,SAAS,mBAC9B,OAAM,iBAAiB,GAAG,eAAe;AAE1C,OACC,CAAC,SAAS,iBACV,QACA,EAAE,QAAQ,QAAQ,mBAAmB,gBACrC,EAAE,QAAQ,QAAQ,mBAAmB,uBACpC;IACD,MAAM,QAAQ,MAAM,6BACnB,EAAE,QAAQ,QACV,KAAK,OACL,QACA,EAAE,QAAQ,QAAQ,mBAAmB,UACrC;IACD,MAAM,MAAM,GAAG,EAAE,QAAQ,QAAQ,sBAAsB,MAAM,eAAe;AAC5E,UAAM,EAAE,QAAQ,uBACf,EAAE,QAAQ,QAAQ,kBAAkB,sBACnC;KACC;KACA;KACA;KACA,EACD,EAAE,QACF,CACD;;WAEM,GAAQ;AAChB,UAAO,MAAM,EAAE;AACf,OAAI,WAAW,EAAE,CAChB,QAAO;IACN,OAAO,EAAE;IACT,MAAM;IACN,YAAY;IACZ;AAEF,UAAO;IACN,OAAO;IACP,MAAM;IACN,YAAY;IACZ;;;AAGH,KAAI,CAAC,KACJ,QAAO;EACN,OAAO;EACP,MAAM;EACN,YAAY;EACZ;CAGF,MAAM,UAAU,MAAM,EAAE,QAAQ,gBAAgB,cAAc,KAAK,GAAG;AACtE,KAAI,CAAC,QACJ,QAAO;EACN,OAAO;EACP,MAAM;EACN,YAAY;EACZ;AAGF,QAAO;EACN,MAAM;GACL;GACA;GACA;EACD,OAAO;EACP;EACA"}

package/dist/oauth2/state.d.mts

@@ -0,0 +1,26 @@
+import { GenericEndpointContext } from "@better-auth/core";
+
+//#region src/oauth2/state.d.ts
+declare function generateState(c: GenericEndpointContext, link: {
+  email: string;
+  userId: string;
+} | undefined, additionalData: Record<string, any> | false | undefined): Promise<{
+  state: string;
+  codeVerifier: string;
+}>;
+declare function parseState(c: GenericEndpointContext): Promise<{
+  [x: string]: unknown;
+  callbackURL: string;
+  codeVerifier: string;
+  expiresAt: number;
+  errorURL?: string | undefined;
+  newUserURL?: string | undefined;
+  link?: {
+    email: string;
+    userId: string;
+  } | undefined;
+  requestSignUp?: boolean | undefined;
+}>;
+//#endregion
+export { generateState, parseState };
+//# sourceMappingURL=state.d.mts.map

package/dist/oauth2/state.mjs

@@ -0,0 +1,51 @@
+import { generateRandomString } from "../crypto/random.mjs";
+import "../crypto/index.mjs";
+import { setOAuthState } from "../api/state/oauth.mjs";
+import { StateError, generateGenericState, parseGenericState } from "../state.mjs";
+import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+
+//#region src/oauth2/state.ts
+async function generateState(c, link, additionalData) {
+	const callbackURL = c.body?.callbackURL || c.context.options.baseURL;
+	if (!callbackURL) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.CALLBACK_URL_REQUIRED);
+	const codeVerifier = generateRandomString(128);
+	const stateData = {
+		...additionalData ? additionalData : {},
+		callbackURL,
+		codeVerifier,
+		errorURL: c.body?.errorCallbackURL,
+		newUserURL: c.body?.newUserCallbackURL,
+		link,
+		expiresAt: Date.now() + 600 * 1e3,
+		requestSignUp: c.body?.requestSignUp
+	};
+	await setOAuthState(stateData);
+	try {
+		return generateGenericState(c, stateData);
+	} catch (error) {
+		c.context.logger.error("Failed to create verification", error);
+		throw new APIError("INTERNAL_SERVER_ERROR", {
+			message: "Unable to create verification",
+			cause: error
+		});
+	}
+}
+async function parseState(c) {
+	const state = c.query.state || c.body.state;
+	const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
+	let parsedData;
+	try {
+		parsedData = await parseGenericState(c, state);
+	} catch (error) {
+		c.context.logger.error("Failed to parse state", error);
+		if (error instanceof StateError && error.code === "state_security_mismatch") throw c.redirect(`${errorURL}?error=state_mismatch`);
+		throw c.redirect(`${errorURL}?error=please_restart_the_process`);
+	}
+	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
+	if (parsedData) await setOAuthState(parsedData);
+	return parsedData;
+}
+
+//#endregion
+export { generateState, parseState };
+//# sourceMappingURL=state.mjs.map

package/dist/oauth2/state.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"state.mjs","names":[],"sources":["../../src/oauth2/state.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError, BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { setOAuthState } from \"../api/state/oauth\";\nimport { generateRandomString } from \"../crypto\";\nimport type { StateData } from \"../state\";\nimport { generateGenericState, parseGenericState, StateError } from \"../state\";\n\nexport async function generateState(\n\tc: GenericEndpointContext,\n\tlink:\n\t\t| {\n\t\t\t\temail: string;\n\t\t\t\tuserId: string;\n\t\t  }\n\t\t| undefined,\n\tadditionalData: Record<string, any> | false | undefined,\n) {\n\tconst callbackURL = c.body?.callbackURL || c.context.options.baseURL;\n\tif (!callbackURL) {\n\t\tthrow APIError.from(\"BAD_REQUEST\", BASE_ERROR_CODES.CALLBACK_URL_REQUIRED);\n\t}\n\n\tconst codeVerifier = generateRandomString(128);\n\n\tconst stateData: StateData = {\n\t\t...(additionalData ? additionalData : {}),\n\t\tcallbackURL,\n\t\tcodeVerifier,\n\t\terrorURL: c.body?.errorCallbackURL,\n\t\tnewUserURL: c.body?.newUserCallbackURL,\n\t\tlink,\n\t\texpiresAt: Date.now() + 10 * 60 * 1000,\n\t\trequestSignUp: c.body?.requestSignUp,\n\t};\n\n\tawait setOAuthState(stateData);\n\n\ttry {\n\t\treturn generateGenericState(c, stateData);\n\t} catch (error) {\n\t\tc.context.logger.error(\"Failed to create verification\", error);\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\tmessage: \"Unable to create verification\",\n\t\t\tcause: error,\n\t\t});\n\t}\n}\n\nexport async function parseState(c: GenericEndpointContext) {\n\tconst state = c.query.state || c.body.state;\n\tconst errorURL =\n\t\tc.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;\n\n\tlet parsedData: StateData;\n\n\ttry {\n\t\tparsedData = await parseGenericState(c, state);\n\t} catch (error) {\n\t\tc.context.logger.error(\"Failed to parse state\", error);\n\n\t\tif (\n\t\t\terror instanceof StateError &&\n\t\t\terror.code === \"state_security_mismatch\"\n\t\t) {\n\t\t\tthrow c.redirect(`${errorURL}?error=state_mismatch`);\n\t\t}\n\n\t\tthrow c.redirect(`${errorURL}?error=please_restart_the_process`);\n\t}\n\n\tif (!parsedData.errorURL) {\n\t\tparsedData.errorURL = errorURL;\n\t}\n\n\tif (parsedData) {\n\t\tawait setOAuthState(parsedData);\n\t}\n\n\treturn parsedData;\n}\n"],"mappings":";;;;;;;AAOA,eAAsB,cACrB,GACA,MAMA,gBACC;CACD,MAAM,cAAc,EAAE,MAAM,eAAe,EAAE,QAAQ,QAAQ;AAC7D,KAAI,CAAC,YACJ,OAAM,SAAS,KAAK,eAAe,iBAAiB,sBAAsB;CAG3E,MAAM,eAAe,qBAAqB,IAAI;CAE9C,MAAM,YAAuB;EAC5B,GAAI,iBAAiB,iBAAiB,EAAE;EACxC;EACA;EACA,UAAU,EAAE,MAAM;EAClB,YAAY,EAAE,MAAM;EACpB;EACA,WAAW,KAAK,KAAK,GAAG,MAAU;EAClC,eAAe,EAAE,MAAM;EACvB;AAED,OAAM,cAAc,UAAU;AAE9B,KAAI;AACH,SAAO,qBAAqB,GAAG,UAAU;UACjC,OAAO;AACf,IAAE,QAAQ,OAAO,MAAM,iCAAiC,MAAM;AAC9D,QAAM,IAAI,SAAS,yBAAyB;GAC3C,SAAS;GACT,OAAO;GACP,CAAC;;;AAIJ,eAAsB,WAAW,GAA2B;CAC3D,MAAM,QAAQ,EAAE,MAAM,SAAS,EAAE,KAAK;CACtC,MAAM,WACL,EAAE,QAAQ,QAAQ,YAAY,YAAY,GAAG,EAAE,QAAQ,QAAQ;CAEhE,IAAI;AAEJ,KAAI;AACH,eAAa,MAAM,kBAAkB,GAAG,MAAM;UACtC,OAAO;AACf,IAAE,QAAQ,OAAO,MAAM,yBAAyB,MAAM;AAEtD,MACC,iBAAiB,cACjB,MAAM,SAAS,0BAEf,OAAM,EAAE,SAAS,GAAG,SAAS,uBAAuB;AAGrD,QAAM,EAAE,SAAS,GAAG,SAAS,mCAAmC;;AAGjE,KAAI,CAAC,WAAW,SACf,YAAW,WAAW;AAGvB,KAAI,WACH,OAAM,cAAc,WAAW;AAGhC,QAAO"}

package/dist/oauth2/utils.d.mts

@@ -0,0 +1,8 @@
+import { AuthContext } from "@better-auth/core";
+
+//#region src/oauth2/utils.d.ts
+declare function decryptOAuthToken(token: string, ctx: AuthContext): string | Promise<string>;
+declare function setTokenUtil(token: string | null | undefined, ctx: AuthContext): string | Promise<string> | null | undefined;
+//#endregion
+export { decryptOAuthToken, setTokenUtil };
+//# sourceMappingURL=utils.d.mts.map

package/dist/oauth2/utils.mjs

@@ -0,0 +1,31 @@
+import { symmetricDecrypt, symmetricEncrypt } from "../crypto/index.mjs";
+
+//#region src/oauth2/utils.ts
+/**
+* Check if a string looks like encrypted data
+*/
+function isLikelyEncrypted(token) {
+	return token.length % 2 === 0 && /^[0-9a-f]+$/i.test(token);
+}
+function decryptOAuthToken(token, ctx) {
+	if (!token) return token;
+	if (ctx.options.account?.encryptOAuthTokens) {
+		if (!isLikelyEncrypted(token)) return token;
+		return symmetricDecrypt({
+			key: ctx.secret,
+			data: token
+		});
+	}
+	return token;
+}
+function setTokenUtil(token, ctx) {
+	if (ctx.options.account?.encryptOAuthTokens && token) return symmetricEncrypt({
+		key: ctx.secret,
+		data: token
+	});
+	return token;
+}
+
+//#endregion
+export { decryptOAuthToken, setTokenUtil };
+//# sourceMappingURL=utils.mjs.map

package/dist/oauth2/utils.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.mjs","names":[],"sources":["../../src/oauth2/utils.ts"],"sourcesContent":["import type { AuthContext } from \"@better-auth/core\";\nimport { symmetricDecrypt, symmetricEncrypt } from \"../crypto\";\n\n/**\n * Check if a string looks like encrypted data\n */\nfunction isLikelyEncrypted(token: string): boolean {\n\treturn token.length % 2 === 0 && /^[0-9a-f]+$/i.test(token);\n}\n\nexport function decryptOAuthToken(token: string, ctx: AuthContext) {\n\tif (!token) return token;\n\tif (ctx.options.account?.encryptOAuthTokens) {\n\t\tif (!isLikelyEncrypted(token)) {\n\t\t\treturn token;\n\t\t}\n\t\treturn symmetricDecrypt({\n\t\t\tkey: ctx.secret,\n\t\t\tdata: token,\n\t\t});\n\t}\n\treturn token;\n}\n\nexport function setTokenUtil(\n\ttoken: string | null | undefined,\n\tctx: AuthContext,\n) {\n\tif (ctx.options.account?.encryptOAuthTokens && token) {\n\t\treturn symmetricEncrypt({\n\t\t\tkey: ctx.secret,\n\t\t\tdata: token,\n\t\t});\n\t}\n\treturn token;\n}\n"],"mappings":";;;;;;AAMA,SAAS,kBAAkB,OAAwB;AAClD,QAAO,MAAM,SAAS,MAAM,KAAK,eAAe,KAAK,MAAM;;AAG5D,SAAgB,kBAAkB,OAAe,KAAkB;AAClE,KAAI,CAAC,MAAO,QAAO;AACnB,KAAI,IAAI,QAAQ,SAAS,oBAAoB;AAC5C,MAAI,CAAC,kBAAkB,MAAM,CAC5B,QAAO;AAER,SAAO,iBAAiB;GACvB,KAAK,IAAI;GACT,MAAM;GACN,CAAC;;AAEH,QAAO;;AAGR,SAAgB,aACf,OACA,KACC;AACD,KAAI,IAAI,QAAQ,SAAS,sBAAsB,MAC9C,QAAO,iBAAiB;EACvB,KAAK,IAAI;EACT,MAAM;EACN,CAAC;AAEH,QAAO"}

package/dist/plugins/access/access.d.mts

@@ -0,0 +1,30 @@
+import { Statements, Subset } from "./types.mjs";
+
+//#region src/plugins/access/access.d.ts
+type AuthorizeResponse = {
+  success: false;
+  error: string;
+} | {
+  success: true;
+  error?: never | undefined;
+};
+declare function role<TStatements extends Statements>(statements: TStatements): {
+  authorize<K extends keyof TStatements>(request: { [key in K]?: TStatements[key] | {
+    actions: TStatements[key];
+    connector: "OR" | "AND";
+  } }, connector?: "OR" | "AND"): AuthorizeResponse;
+  statements: TStatements;
+};
+declare function createAccessControl<const TStatements extends Statements>(s: TStatements): {
+  newRole<K extends keyof TStatements>(statements: Subset<K, TStatements>): {
+    authorize<K_1 extends K>(request: K_1 extends infer T extends keyof Subset<K, TStatements> ? { [key in T]?: Subset<K, TStatements>[key] | {
+      actions: Subset<K, TStatements>[key];
+      connector: "OR" | "AND";
+    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
+    statements: Subset<K, TStatements>;
+  };
+  statements: TStatements;
+};
+//#endregion
+export { AuthorizeResponse, createAccessControl, role };
+//# sourceMappingURL=access.d.mts.map