@sirketio/auth 0.0.1

package/dist/api/index.mjs

@@ -0,0 +1,206 @@
+import { isAPIError } from "../utils/is-api-error.mjs";
+import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
+import "./middlewares/index.mjs";
+import { getIp } from "../utils/get-request-ip.mjs";
+import { onRequestRateLimit, onResponseRateLimit } from "./rate-limiter/index.mjs";
+import { getOAuthState } from "./state/oauth.mjs";
+import { getShouldSkipSessionRefresh, setShouldSkipSessionRefresh } from "./state/should-session-refresh.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
+import { callbackOAuth } from "./routes/callback.mjs";
+import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEmailFn, verifyEmail } from "./routes/email-verification.mjs";
+import { error } from "./routes/error.mjs";
+import { ok } from "./routes/ok.mjs";
+import { requestPasswordReset, requestPasswordResetCallback, resetPassword, verifyPassword } from "./routes/password.mjs";
+import { signInEmail, signInSocial } from "./routes/sign-in.mjs";
+import { signOut } from "./routes/sign-out.mjs";
+import { signUpEmail } from "./routes/sign-up.mjs";
+import { changeEmail, changePassword, deleteUser, deleteUserCallback, setPassword, updateUser } from "./routes/update-user.mjs";
+import "./routes/index.mjs";
+import { toAuthEndpoints } from "./to-auth-endpoints.mjs";
+import { logger } from "@better-auth/core/env";
+import { APIError } from "@better-auth/core/error";
+import { normalizePathname } from "@better-auth/core/utils/url";
+import { createRouter } from "better-call";
+import { createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+
+//#region src/api/index.ts
+function checkEndpointConflicts(options, logger) {
+	const endpointRegistry = /* @__PURE__ */ new Map();
+	options.plugins?.forEach((plugin) => {
+		if (plugin.endpoints) {
+			for (const [key, endpoint] of Object.entries(plugin.endpoints)) if (endpoint && "path" in endpoint && typeof endpoint.path === "string") {
+				const path = endpoint.path;
+				let methods = [];
+				if (endpoint.options && "method" in endpoint.options) {
+					if (Array.isArray(endpoint.options.method)) methods = endpoint.options.method;
+					else if (typeof endpoint.options.method === "string") methods = [endpoint.options.method];
+				}
+				if (methods.length === 0) methods = ["*"];
+				if (!endpointRegistry.has(path)) endpointRegistry.set(path, []);
+				endpointRegistry.get(path).push({
+					pluginId: plugin.id,
+					endpointKey: key,
+					methods
+				});
+			}
+		}
+	});
+	const conflicts = [];
+	for (const [path, entries] of endpointRegistry.entries()) if (entries.length > 1) {
+		const methodMap = /* @__PURE__ */ new Map();
+		let hasConflict = false;
+		for (const entry of entries) for (const method of entry.methods) {
+			if (!methodMap.has(method)) methodMap.set(method, []);
+			methodMap.get(method).push(entry.pluginId);
+			if (methodMap.get(method).length > 1) hasConflict = true;
+			if (method === "*" && entries.length > 1) hasConflict = true;
+			else if (method !== "*" && methodMap.has("*")) hasConflict = true;
+		}
+		if (hasConflict) {
+			const uniquePlugins = [...new Set(entries.map((e) => e.pluginId))];
+			const conflictingMethods = [];
+			for (const [method, plugins] of methodMap.entries()) if (plugins.length > 1 || method === "*" && entries.length > 1 || method !== "*" && methodMap.has("*")) conflictingMethods.push(method);
+			conflicts.push({
+				path,
+				plugins: uniquePlugins,
+				conflictingMethods
+			});
+		}
+	}
+	if (conflicts.length > 0) {
+		const conflictMessages = conflicts.map((conflict) => `  - "${conflict.path}" [${conflict.conflictingMethods.join(", ")}] used by plugins: ${conflict.plugins.join(", ")}`).join("\n");
+		logger.error(`Endpoint path conflicts detected! Multiple plugins are trying to use the same endpoint paths with conflicting HTTP methods:
+${conflictMessages}
+
+To resolve this, you can:
+	1. Use only one of the conflicting plugins
+	2. Configure the plugins to use different paths (if supported)
+	3. Ensure plugins use different HTTP methods for the same path
+`);
+	}
+}
+function getEndpoints(ctx, options) {
+	const pluginEndpoints = options.plugins?.reduce((acc, plugin) => {
+		return {
+			...acc,
+			...plugin.endpoints
+		};
+	}, {}) ?? {};
+	const middlewares = options.plugins?.map((plugin) => plugin.middlewares?.map((m) => {
+		const middleware = (async (context) => {
+			const authContext = await ctx;
+			return m.middleware({
+				...context,
+				context: {
+					...authContext,
+					...context.context
+				}
+			});
+		});
+		middleware.options = m.middleware.options;
+		return {
+			path: m.path,
+			middleware
+		};
+	})).filter((plugin) => plugin !== void 0).flat() || [];
+	return {
+		api: toAuthEndpoints({
+			signInSocial: signInSocial(),
+			callbackOAuth,
+			getSession: getSession(),
+			signOut,
+			signUpEmail: signUpEmail(),
+			signInEmail: signInEmail(),
+			resetPassword,
+			verifyPassword,
+			verifyEmail,
+			sendVerificationEmail,
+			changeEmail,
+			changePassword,
+			setPassword,
+			updateUser: updateUser(),
+			deleteUser,
+			requestPasswordReset,
+			requestPasswordResetCallback,
+			listSessions: listSessions(),
+			revokeSession,
+			revokeSessions,
+			revokeOtherSessions,
+			linkSocialAccount,
+			listUserAccounts,
+			deleteUserCallback,
+			unlinkAccount,
+			refreshToken,
+			getAccessToken,
+			accountInfo,
+			...pluginEndpoints,
+			ok,
+			error
+		}, ctx),
+		middlewares
+	};
+}
+const router = (ctx, options) => {
+	const { api, middlewares } = getEndpoints(ctx, options);
+	const basePath = new URL(ctx.baseURL).pathname;
+	return createRouter(api, {
+		routerContext: ctx,
+		openapi: { disabled: true },
+		basePath,
+		routerMiddleware: [{
+			path: "/**",
+			middleware: originCheckMiddleware
+		}, ...middlewares],
+		allowedMediaTypes: ["application/json"],
+		skipTrailingSlashes: options.advanced?.skipTrailingSlashes ?? false,
+		async onRequest(req) {
+			const disabledPaths = ctx.options.disabledPaths || [];
+			const normalizedPath = normalizePathname(req.url, basePath);
+			if (disabledPaths.includes(normalizedPath)) return new Response("Not Found", { status: 404 });
+			let currentRequest = req;
+			for (const plugin of ctx.options.plugins || []) if (plugin.onRequest) {
+				const response = await plugin.onRequest(currentRequest, ctx);
+				if (response && "response" in response) return response.response;
+				if (response && "request" in response) currentRequest = response.request;
+			}
+			const rateLimitResponse = await onRequestRateLimit(currentRequest, ctx);
+			if (rateLimitResponse) return rateLimitResponse;
+			return currentRequest;
+		},
+		async onResponse(res, req) {
+			await onResponseRateLimit(req, ctx);
+			for (const plugin of ctx.options.plugins || []) if (plugin.onResponse) {
+				const response = await plugin.onResponse(res, ctx);
+				if (response) return response.response;
+			}
+			return res;
+		},
+		onError(e) {
+			if (isAPIError(e) && e.status === "FOUND") return;
+			if (options.onAPIError?.throw) throw e;
+			if (options.onAPIError?.onError) {
+				options.onAPIError.onError(e, ctx);
+				return;
+			}
+			const optLogLevel = options.logger?.level;
+			const log = optLogLevel === "error" || optLogLevel === "warn" || optLogLevel === "debug" ? logger : void 0;
+			if (options.logger?.disabled !== true) {
+				if (e && typeof e === "object" && "message" in e && typeof e.message === "string") {
+					if (e.message.includes("no column") || e.message.includes("column") || e.message.includes("relation") || e.message.includes("table") || e.message.includes("does not exist")) {
+						ctx.logger?.error(e.message);
+						return;
+					}
+				}
+				if (isAPIError(e)) {
+					if (e.status === "INTERNAL_SERVER_ERROR") ctx.logger.error(e.status, e);
+					log?.error(e.message);
+				} else ctx.logger?.error(e && typeof e === "object" && "name" in e ? e.name : "", e);
+			}
+		}
+	});
+};
+
+//#endregion
+export { APIError, accountInfo, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateUser, verifyEmail, verifyPassword };
+//# sourceMappingURL=index.mjs.map

package/dist/api/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../src/api/index.ts"],"sourcesContent":["import type {\n\tAuthContext,\n\tAwaitable,\n\tBetterAuthOptions,\n\tBetterAuthPlugin,\n} from \"@better-auth/core\";\nimport type { InternalLogger } from \"@better-auth/core/env\";\nimport { logger } from \"@better-auth/core/env\";\nimport { normalizePathname } from \"@better-auth/core/utils/url\";\nimport type { Endpoint, Middleware } from \"better-call\";\nimport { createRouter } from \"better-call\";\nimport type { UnionToIntersection } from \"../types\";\nimport { isAPIError } from \"../utils/is-api-error\";\nimport { originCheckMiddleware } from \"./middlewares\";\nimport { onRequestRateLimit, onResponseRateLimit } from \"./rate-limiter\";\nimport {\n\taccountInfo,\n\tcallbackOAuth,\n\tchangeEmail,\n\tchangePassword,\n\tdeleteUser,\n\tdeleteUserCallback,\n\terror,\n\tgetAccessToken,\n\tgetSession,\n\tlinkSocialAccount,\n\tlistSessions,\n\tlistUserAccounts,\n\tok,\n\trefreshToken,\n\trequestPasswordReset,\n\trequestPasswordResetCallback,\n\tresetPassword,\n\trevokeOtherSessions,\n\trevokeSession,\n\trevokeSessions,\n\tsendVerificationEmail,\n\tsetPassword,\n\tsignInEmail,\n\tsignInSocial,\n\tsignOut,\n\tsignUpEmail,\n\tunlinkAccount,\n\tupdateUser,\n\tverifyEmail,\n\tverifyPassword,\n} from \"./routes\";\nimport { toAuthEndpoints } from \"./to-auth-endpoints\";\n\nexport function checkEndpointConflicts(\n\toptions: BetterAuthOptions,\n\tlogger: InternalLogger,\n) {\n\tconst endpointRegistry = new Map<\n\t\tstring,\n\t\t{ pluginId: string; endpointKey: string; methods: string[] }[]\n\t>();\n\n\toptions.plugins?.forEach((plugin) => {\n\t\tif (plugin.endpoints) {\n\t\t\tfor (const [key, endpoint] of Object.entries(plugin.endpoints)) {\n\t\t\t\tif (\n\t\t\t\t\tendpoint &&\n\t\t\t\t\t\"path\" in endpoint &&\n\t\t\t\t\ttypeof endpoint.path === \"string\"\n\t\t\t\t) {\n\t\t\t\t\tconst path = endpoint.path;\n\t\t\t\t\tlet methods: string[] = [];\n\t\t\t\t\tif (endpoint.options && \"method\" in endpoint.options) {\n\t\t\t\t\t\tif (Array.isArray(endpoint.options.method)) {\n\t\t\t\t\t\t\tmethods = endpoint.options.method;\n\t\t\t\t\t\t} else if (typeof endpoint.options.method === \"string\") {\n\t\t\t\t\t\t\tmethods = [endpoint.options.method];\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tif (methods.length === 0) {\n\t\t\t\t\t\tmethods = [\"*\"];\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!endpointRegistry.has(path)) {\n\t\t\t\t\t\tendpointRegistry.set(path, []);\n\t\t\t\t\t}\n\t\t\t\t\tendpointRegistry.get(path)!.push({\n\t\t\t\t\t\tpluginId: plugin.id,\n\t\t\t\t\t\tendpointKey: key,\n\t\t\t\t\t\tmethods,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t});\n\n\tconst conflicts: {\n\t\tpath: string;\n\t\tplugins: string[];\n\t\tconflictingMethods: string[];\n\t}[] = [];\n\tfor (const [path, entries] of endpointRegistry.entries()) {\n\t\tif (entries.length > 1) {\n\t\t\tconst methodMap = new Map<string, string[]>();\n\t\t\tlet hasConflict = false;\n\n\t\t\tfor (const entry of entries) {\n\t\t\t\tfor (const method of entry.methods) {\n\t\t\t\t\tif (!methodMap.has(method)) {\n\t\t\t\t\t\tmethodMap.set(method, []);\n\t\t\t\t\t}\n\t\t\t\t\tmethodMap.get(method)!.push(entry.pluginId);\n\n\t\t\t\t\tif (methodMap.get(method)!.length > 1) {\n\t\t\t\t\t\thasConflict = true;\n\t\t\t\t\t}\n\n\t\t\t\t\tif (method === \"*\" && entries.length > 1) {\n\t\t\t\t\t\thasConflict = true;\n\t\t\t\t\t} else if (method !== \"*\" && methodMap.has(\"*\")) {\n\t\t\t\t\t\thasConflict = true;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (hasConflict) {\n\t\t\t\tconst uniquePlugins = [...new Set(entries.map((e) => e.pluginId))];\n\t\t\t\tconst conflictingMethods: string[] = [];\n\n\t\t\t\tfor (const [method, plugins] of methodMap.entries()) {\n\t\t\t\t\tif (\n\t\t\t\t\t\tplugins.length > 1 ||\n\t\t\t\t\t\t(method === \"*\" && entries.length > 1) ||\n\t\t\t\t\t\t(method !== \"*\" && methodMap.has(\"*\"))\n\t\t\t\t\t) {\n\t\t\t\t\t\tconflictingMethods.push(method);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tconflicts.push({\n\t\t\t\t\tpath,\n\t\t\t\t\tplugins: uniquePlugins,\n\t\t\t\t\tconflictingMethods,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t}\n\n\tif (conflicts.length > 0) {\n\t\tconst conflictMessages = conflicts\n\t\t\t.map(\n\t\t\t\t(conflict) =>\n\t\t\t\t\t`  - \"${conflict.path}\" [${conflict.conflictingMethods.join(\", \")}] used by plugins: ${conflict.plugins.join(\", \")}`,\n\t\t\t)\n\t\t\t.join(\"\\n\");\n\t\tlogger.error(\n\t\t\t`Endpoint path conflicts detected! Multiple plugins are trying to use the same endpoint paths with conflicting HTTP methods:\n${conflictMessages}\n\nTo resolve this, you can:\n\t1. Use only one of the conflicting plugins\n\t2. Configure the plugins to use different paths (if supported)\n\t3. Ensure plugins use different HTTP methods for the same path\n`,\n\t\t);\n\t}\n}\n\nexport function getEndpoints<Option extends BetterAuthOptions>(\n\tctx: Awaitable<AuthContext>,\n\toptions: Option,\n) {\n\tconst pluginEndpoints =\n\t\toptions.plugins?.reduce<Record<string, Endpoint>>((acc, plugin) => {\n\t\t\treturn {\n\t\t\t\t...acc,\n\t\t\t\t...plugin.endpoints,\n\t\t\t};\n\t\t}, {}) ?? {};\n\n\ttype PluginEndpoint = UnionToIntersection<\n\t\tOption[\"plugins\"] extends Array<infer T>\n\t\t\t? T extends BetterAuthPlugin\n\t\t\t\t? T extends {\n\t\t\t\t\t\tendpoints: infer E;\n\t\t\t\t\t}\n\t\t\t\t\t? E\n\t\t\t\t\t: {}\n\t\t\t\t: {}\n\t\t\t: {}\n\t>;\n\n\tconst middlewares =\n\t\toptions.plugins\n\t\t\t?.map((plugin) =>\n\t\t\t\tplugin.middlewares?.map((m) => {\n\t\t\t\t\tconst middleware = (async (context: any) => {\n\t\t\t\t\t\tconst authContext = await ctx;\n\t\t\t\t\t\treturn m.middleware({\n\t\t\t\t\t\t\t...context,\n\t\t\t\t\t\t\tcontext: {\n\t\t\t\t\t\t\t\t...authContext,\n\t\t\t\t\t\t\t\t...context.context,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t});\n\t\t\t\t\t}) as Middleware;\n\t\t\t\t\tmiddleware.options = m.middleware.options;\n\t\t\t\t\treturn {\n\t\t\t\t\t\tpath: m.path,\n\t\t\t\t\t\tmiddleware,\n\t\t\t\t\t};\n\t\t\t\t}),\n\t\t\t)\n\t\t\t.filter((plugin) => plugin !== undefined)\n\t\t\t.flat() || [];\n\n\tconst baseEndpoints = {\n\t\tsignInSocial: signInSocial<Option>(),\n\t\tcallbackOAuth,\n\t\tgetSession: getSession<Option>(),\n\t\tsignOut,\n\t\tsignUpEmail: signUpEmail<Option>(),\n\t\tsignInEmail: signInEmail<Option>(),\n\t\tresetPassword,\n\t\tverifyPassword,\n\t\tverifyEmail,\n\t\tsendVerificationEmail,\n\t\tchangeEmail,\n\t\tchangePassword,\n\t\tsetPassword,\n\t\tupdateUser: updateUser<Option>(),\n\t\tdeleteUser,\n\t\trequestPasswordReset,\n\t\trequestPasswordResetCallback,\n\t\tlistSessions: listSessions<Option>(),\n\t\trevokeSession,\n\t\trevokeSessions,\n\t\trevokeOtherSessions,\n\t\tlinkSocialAccount,\n\t\tlistUserAccounts,\n\t\tdeleteUserCallback,\n\t\tunlinkAccount,\n\t\trefreshToken,\n\t\tgetAccessToken,\n\t\taccountInfo,\n\t};\n\tconst endpoints = {\n\t\t...baseEndpoints,\n\t\t...pluginEndpoints,\n\t\tok,\n\t\terror,\n\t} as const;\n\tconst api = toAuthEndpoints(endpoints, ctx);\n\treturn {\n\t\tapi: api as typeof endpoints & PluginEndpoint,\n\t\tmiddlewares,\n\t};\n}\nexport const router = <Option extends BetterAuthOptions>(\n\tctx: AuthContext,\n\toptions: Option,\n) => {\n\tconst { api, middlewares } = getEndpoints(ctx, options);\n\tconst basePath = new URL(ctx.baseURL).pathname;\n\n\treturn createRouter(api, {\n\t\trouterContext: ctx,\n\t\topenapi: {\n\t\t\tdisabled: true,\n\t\t},\n\t\tbasePath,\n\t\trouterMiddleware: [\n\t\t\t{\n\t\t\t\tpath: \"/**\",\n\t\t\t\tmiddleware: originCheckMiddleware,\n\t\t\t},\n\t\t\t...middlewares,\n\t\t],\n\t\tallowedMediaTypes: [\"application/json\"],\n\t\tskipTrailingSlashes: options.advanced?.skipTrailingSlashes ?? false,\n\t\tasync onRequest(req) {\n\t\t\t//handle disabled paths\n\t\t\tconst disabledPaths = ctx.options.disabledPaths || [];\n\t\t\tconst normalizedPath = normalizePathname(req.url, basePath);\n\t\t\tif (disabledPaths.includes(normalizedPath)) {\n\t\t\t\treturn new Response(\"Not Found\", { status: 404 });\n\t\t\t}\n\n\t\t\tlet currentRequest = req;\n\t\t\tfor (const plugin of ctx.options.plugins || []) {\n\t\t\t\tif (plugin.onRequest) {\n\t\t\t\t\tconst response = await plugin.onRequest(currentRequest, ctx);\n\t\t\t\t\tif (response && \"response\" in response) {\n\t\t\t\t\t\treturn response.response;\n\t\t\t\t\t}\n\t\t\t\t\tif (response && \"request\" in response) {\n\t\t\t\t\t\tcurrentRequest = response.request;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst rateLimitResponse = await onRequestRateLimit(currentRequest, ctx);\n\t\t\tif (rateLimitResponse) {\n\t\t\t\treturn rateLimitResponse;\n\t\t\t}\n\n\t\t\treturn currentRequest;\n\t\t},\n\t\tasync onResponse(res, req) {\n\t\t\tawait onResponseRateLimit(req, ctx);\n\t\t\tfor (const plugin of ctx.options.plugins || []) {\n\t\t\t\tif (plugin.onResponse) {\n\t\t\t\t\tconst response = await plugin.onResponse(res, ctx);\n\t\t\t\t\tif (response) {\n\t\t\t\t\t\treturn response.response;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn res;\n\t\t},\n\t\tonError(e) {\n\t\t\tif (isAPIError(e) && e.status === \"FOUND\") {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tif (options.onAPIError?.throw) {\n\t\t\t\tthrow e;\n\t\t\t}\n\t\t\tif (options.onAPIError?.onError) {\n\t\t\t\toptions.onAPIError.onError(e, ctx);\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tconst optLogLevel = options.logger?.level;\n\t\t\tconst log =\n\t\t\t\toptLogLevel === \"error\" ||\n\t\t\t\toptLogLevel === \"warn\" ||\n\t\t\t\toptLogLevel === \"debug\"\n\t\t\t\t\t? logger\n\t\t\t\t\t: undefined;\n\t\t\tif (options.logger?.disabled !== true) {\n\t\t\t\tif (\n\t\t\t\t\te &&\n\t\t\t\t\ttypeof e === \"object\" &&\n\t\t\t\t\t\"message\" in e &&\n\t\t\t\t\ttypeof e.message === \"string\"\n\t\t\t\t) {\n\t\t\t\t\tif (\n\t\t\t\t\t\te.message.includes(\"no column\") ||\n\t\t\t\t\t\te.message.includes(\"column\") ||\n\t\t\t\t\t\te.message.includes(\"relation\") ||\n\t\t\t\t\t\te.message.includes(\"table\") ||\n\t\t\t\t\t\te.message.includes(\"does not exist\")\n\t\t\t\t\t) {\n\t\t\t\t\t\tctx.logger?.error(e.message);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (isAPIError(e)) {\n\t\t\t\t\tif (e.status === \"INTERNAL_SERVER_ERROR\") {\n\t\t\t\t\t\tctx.logger.error(e.status, e);\n\t\t\t\t\t}\n\t\t\t\t\tlog?.error(e.message);\n\t\t\t\t} else {\n\t\t\t\t\tctx.logger?.error(\n\t\t\t\t\t\te && typeof e === \"object\" && \"name\" in e ? (e.name as string) : \"\",\n\t\t\t\t\t\te,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\t\t},\n\t});\n};\n\nexport {\n\ttype AuthEndpoint,\n\ttype AuthMiddleware,\n\tcreateAuthEndpoint,\n\tcreateAuthMiddleware,\n\toptionsMiddleware,\n} from \"@better-auth/core/api\";\nexport { APIError } from \"@better-auth/core/error\";\nexport { getIp } from \"../utils/get-request-ip\";\nexport { isAPIError } from \"../utils/is-api-error\";\nexport * from \"./middlewares\";\nexport * from \"./routes\";\nexport { getOAuthState } from \"./state/oauth\";\nexport {\n\tgetShouldSkipSessionRefresh,\n\tsetShouldSkipSessionRefresh,\n} from \"./state/should-session-refresh\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAiDA,SAAgB,uBACf,SACA,QACC;CACD,MAAM,mCAAmB,IAAI,KAG1B;AAEH,SAAQ,SAAS,SAAS,WAAW;AACpC,MAAI,OAAO,WACV;QAAK,MAAM,CAAC,KAAK,aAAa,OAAO,QAAQ,OAAO,UAAU,CAC7D,KACC,YACA,UAAU,YACV,OAAO,SAAS,SAAS,UACxB;IACD,MAAM,OAAO,SAAS;IACtB,IAAI,UAAoB,EAAE;AAC1B,QAAI,SAAS,WAAW,YAAY,SAAS,SAC5C;SAAI,MAAM,QAAQ,SAAS,QAAQ,OAAO,CACzC,WAAU,SAAS,QAAQ;cACjB,OAAO,SAAS,QAAQ,WAAW,SAC7C,WAAU,CAAC,SAAS,QAAQ,OAAO;;AAGrC,QAAI,QAAQ,WAAW,EACtB,WAAU,CAAC,IAAI;AAGhB,QAAI,CAAC,iBAAiB,IAAI,KAAK,CAC9B,kBAAiB,IAAI,MAAM,EAAE,CAAC;AAE/B,qBAAiB,IAAI,KAAK,CAAE,KAAK;KAChC,UAAU,OAAO;KACjB,aAAa;KACb;KACA,CAAC;;;GAIJ;CAEF,MAAM,YAIA,EAAE;AACR,MAAK,MAAM,CAAC,MAAM,YAAY,iBAAiB,SAAS,CACvD,KAAI,QAAQ,SAAS,GAAG;EACvB,MAAM,4BAAY,IAAI,KAAuB;EAC7C,IAAI,cAAc;AAElB,OAAK,MAAM,SAAS,QACnB,MAAK,MAAM,UAAU,MAAM,SAAS;AACnC,OAAI,CAAC,UAAU,IAAI,OAAO,CACzB,WAAU,IAAI,QAAQ,EAAE,CAAC;AAE1B,aAAU,IAAI,OAAO,CAAE,KAAK,MAAM,SAAS;AAE3C,OAAI,UAAU,IAAI,OAAO,CAAE,SAAS,EACnC,eAAc;AAGf,OAAI,WAAW,OAAO,QAAQ,SAAS,EACtC,eAAc;YACJ,WAAW,OAAO,UAAU,IAAI,IAAI,CAC9C,eAAc;;AAKjB,MAAI,aAAa;GAChB,MAAM,gBAAgB,CAAC,GAAG,IAAI,IAAI,QAAQ,KAAK,MAAM,EAAE,SAAS,CAAC,CAAC;GAClE,MAAM,qBAA+B,EAAE;AAEvC,QAAK,MAAM,CAAC,QAAQ,YAAY,UAAU,SAAS,CAClD,KACC,QAAQ,SAAS,KAChB,WAAW,OAAO,QAAQ,SAAS,KACnC,WAAW,OAAO,UAAU,IAAI,IAAI,CAErC,oBAAmB,KAAK,OAAO;AAIjC,aAAU,KAAK;IACd;IACA,SAAS;IACT;IACA,CAAC;;;AAKL,KAAI,UAAU,SAAS,GAAG;EACzB,MAAM,mBAAmB,UACvB,KACC,aACA,QAAQ,SAAS,KAAK,KAAK,SAAS,mBAAmB,KAAK,KAAK,CAAC,qBAAqB,SAAS,QAAQ,KAAK,KAAK,GACnH,CACA,KAAK,KAAK;AACZ,SAAO,MACN;EACD,iBAAiB;;;;;;EAOhB;;;AAIH,SAAgB,aACf,KACA,SACC;CACD,MAAM,kBACL,QAAQ,SAAS,QAAkC,KAAK,WAAW;AAClE,SAAO;GACN,GAAG;GACH,GAAG,OAAO;GACV;IACC,EAAE,CAAC,IAAI,EAAE;CAcb,MAAM,cACL,QAAQ,SACL,KAAK,WACN,OAAO,aAAa,KAAK,MAAM;EAC9B,MAAM,cAAc,OAAO,YAAiB;GAC3C,MAAM,cAAc,MAAM;AAC1B,UAAO,EAAE,WAAW;IACnB,GAAG;IACH,SAAS;KACR,GAAG;KACH,GAAG,QAAQ;KACX;IACD,CAAC;;AAEH,aAAW,UAAU,EAAE,WAAW;AAClC,SAAO;GACN,MAAM,EAAE;GACR;GACA;GACA,CACF,CACA,QAAQ,WAAW,WAAW,OAAU,CACxC,MAAM,IAAI,EAAE;AAuCf,QAAO;EACN,KAFW,gBANM;GA7BjB,cAAc,cAAsB;GACpC;GACA,YAAY,YAAoB;GAChC;GACA,aAAa,aAAqB;GAClC,aAAa,aAAqB;GAClC;GACA;GACA;GACA;GACA;GACA;GACA;GACA,YAAY,YAAoB;GAChC;GACA;GACA;GACA,cAAc,cAAsB;GACpC;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GAIA,GAAG;GACH;GACA;GACA,EACsC,IAAI;EAG1C;EACA;;AAEF,MAAa,UACZ,KACA,YACI;CACJ,MAAM,EAAE,KAAK,gBAAgB,aAAa,KAAK,QAAQ;CACvD,MAAM,WAAW,IAAI,IAAI,IAAI,QAAQ,CAAC;AAEtC,QAAO,aAAa,KAAK;EACxB,eAAe;EACf,SAAS,EACR,UAAU,MACV;EACD;EACA,kBAAkB,CACjB;GACC,MAAM;GACN,YAAY;GACZ,EACD,GAAG,YACH;EACD,mBAAmB,CAAC,mBAAmB;EACvC,qBAAqB,QAAQ,UAAU,uBAAuB;EAC9D,MAAM,UAAU,KAAK;GAEpB,MAAM,gBAAgB,IAAI,QAAQ,iBAAiB,EAAE;GACrD,MAAM,iBAAiB,kBAAkB,IAAI,KAAK,SAAS;AAC3D,OAAI,cAAc,SAAS,eAAe,CACzC,QAAO,IAAI,SAAS,aAAa,EAAE,QAAQ,KAAK,CAAC;GAGlD,IAAI,iBAAiB;AACrB,QAAK,MAAM,UAAU,IAAI,QAAQ,WAAW,EAAE,CAC7C,KAAI,OAAO,WAAW;IACrB,MAAM,WAAW,MAAM,OAAO,UAAU,gBAAgB,IAAI;AAC5D,QAAI,YAAY,cAAc,SAC7B,QAAO,SAAS;AAEjB,QAAI,YAAY,aAAa,SAC5B,kBAAiB,SAAS;;GAK7B,MAAM,oBAAoB,MAAM,mBAAmB,gBAAgB,IAAI;AACvE,OAAI,kBACH,QAAO;AAGR,UAAO;;EAER,MAAM,WAAW,KAAK,KAAK;AAC1B,SAAM,oBAAoB,KAAK,IAAI;AACnC,QAAK,MAAM,UAAU,IAAI,QAAQ,WAAW,EAAE,CAC7C,KAAI,OAAO,YAAY;IACtB,MAAM,WAAW,MAAM,OAAO,WAAW,KAAK,IAAI;AAClD,QAAI,SACH,QAAO,SAAS;;AAInB,UAAO;;EAER,QAAQ,GAAG;AACV,OAAI,WAAW,EAAE,IAAI,EAAE,WAAW,QACjC;AAED,OAAI,QAAQ,YAAY,MACvB,OAAM;AAEP,OAAI,QAAQ,YAAY,SAAS;AAChC,YAAQ,WAAW,QAAQ,GAAG,IAAI;AAClC;;GAGD,MAAM,cAAc,QAAQ,QAAQ;GACpC,MAAM,MACL,gBAAgB,WAChB,gBAAgB,UAChB,gBAAgB,UACb,SACA;AACJ,OAAI,QAAQ,QAAQ,aAAa,MAAM;AACtC,QACC,KACA,OAAO,MAAM,YACb,aAAa,KACb,OAAO,EAAE,YAAY,UAErB;SACC,EAAE,QAAQ,SAAS,YAAY,IAC/B,EAAE,QAAQ,SAAS,SAAS,IAC5B,EAAE,QAAQ,SAAS,WAAW,IAC9B,EAAE,QAAQ,SAAS,QAAQ,IAC3B,EAAE,QAAQ,SAAS,iBAAiB,EACnC;AACD,UAAI,QAAQ,MAAM,EAAE,QAAQ;AAC5B;;;AAIF,QAAI,WAAW,EAAE,EAAE;AAClB,SAAI,EAAE,WAAW,wBAChB,KAAI,OAAO,MAAM,EAAE,QAAQ,EAAE;AAE9B,UAAK,MAAM,EAAE,QAAQ;UAErB,KAAI,QAAQ,MACX,KAAK,OAAO,MAAM,YAAY,UAAU,IAAK,EAAE,OAAkB,IACjE,EACA;;;EAIJ,CAAC"}

package/dist/api/middlewares/index.d.mts

@@ -0,0 +1 @@
+import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./origin-check.mjs";

package/dist/api/middlewares/index.mjs

@@ -0,0 +1,3 @@
+import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./origin-check.mjs";
+
+export {  };

package/dist/api/middlewares/origin-check.d.mts

@@ -0,0 +1,18 @@
+import { GenericEndpointContext } from "@better-auth/core";
+import * as better_call0 from "better-call";
+
+//#region src/api/middlewares/origin-check.d.ts
+/**
+ * A middleware to validate callbackURL and origin against trustedOrigins.
+ * Also handles CSRF protection using Fetch Metadata for first-login scenarios.
+ */
+declare const originCheckMiddleware: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>;
+declare const originCheck: (getValue: (ctx: GenericEndpointContext) => string | string[]) => (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>;
+/**
+ * Middleware for CSRF protection using Fetch Metadata headers.
+ * This prevents cross-site navigation login attacks while supporting progressive enhancement.
+ */
+declare const formCsrfMiddleware: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>;
+//#endregion
+export { formCsrfMiddleware, originCheck, originCheckMiddleware };
+//# sourceMappingURL=origin-check.d.mts.map

package/dist/api/middlewares/origin-check.mjs

@@ -0,0 +1,140 @@
+import { matchesOriginPattern } from "../../auth/trusted-origins.mjs";
+import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
+import { normalizePathname } from "@better-auth/core/utils/url";
+import { createAuthMiddleware } from "@better-auth/core/api";
+import { deprecate } from "@better-auth/core/utils/deprecate";
+
+//#region src/api/middlewares/origin-check.ts
+/**
+* Checks if CSRF should be skipped for backward compatibility.
+* Previously, disableOriginCheck also disabled CSRF checks.
+* This maintains that behavior when disableCSRFCheck isn't explicitly set.
+* Only triggers for skipOriginCheck === true, not for path arrays.
+*/
+function shouldSkipCSRFForBackwardCompat(ctx) {
+	return ctx.context.skipOriginCheck === true && ctx.context.options.advanced?.disableCSRFCheck === void 0;
+}
+/**
+* Logs deprecation warning for users relying on coupled behavior.
+* Only logs if user explicitly set disableOriginCheck (not test environment default).
+*/
+const logBackwardCompatWarning = deprecate(function logBackwardCompatWarning() {}, "disableOriginCheck: true currently also disables CSRF checks. In a future version, disableOriginCheck will ONLY disable URL validation. To keep CSRF disabled, add disableCSRFCheck: true to your config.");
+/**
+* A middleware to validate callbackURL and origin against trustedOrigins.
+* Also handles CSRF protection using Fetch Metadata for first-login scenarios.
+*/
+const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
+	if (ctx.request?.method === "GET" || ctx.request?.method === "OPTIONS" || ctx.request?.method === "HEAD" || !ctx.request) return;
+	await validateOrigin(ctx);
+	if (ctx.context.skipOriginCheck) return;
+	const { body, query } = ctx;
+	const callbackURL = body?.callbackURL || query?.callbackURL;
+	const redirectURL = body?.redirectTo;
+	const errorCallbackURL = body?.errorCallbackURL;
+	const newUserCallbackURL = body?.newUserCallbackURL;
+	const validateURL = (url, label) => {
+		if (!url) return;
+		if (!ctx.context.isTrustedOrigin(url, { allowRelativePaths: label !== "origin" })) {
+			ctx.context.logger.error(`Invalid ${label}: ${url}`);
+			ctx.context.logger.info(`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${ctx.context.trustedOrigins}`);
+			if (label === "origin") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ORIGIN);
+			if (label === "callbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_CALLBACK_URL);
+			if (label === "redirectURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_REDIRECT_URL);
+			if (label === "errorCallbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ERROR_CALLBACK_URL);
+			if (label === "newUserCallbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_NEW_USER_CALLBACK_URL);
+			throw APIError.fromStatus("FORBIDDEN", { message: `Invalid ${label}` });
+		}
+	};
+	callbackURL && validateURL(callbackURL, "callbackURL");
+	redirectURL && validateURL(redirectURL, "redirectURL");
+	errorCallbackURL && validateURL(errorCallbackURL, "errorCallbackURL");
+	newUserCallbackURL && validateURL(newUserCallbackURL, "newUserCallbackURL");
+});
+const originCheck = (getValue) => createAuthMiddleware(async (ctx) => {
+	if (!ctx.request) return;
+	if (ctx.context.skipOriginCheck) return;
+	const callbackURL = getValue(ctx);
+	const validateURL = (url, label) => {
+		if (!url) return;
+		if (!ctx.context.isTrustedOrigin(url, { allowRelativePaths: label !== "origin" })) {
+			ctx.context.logger.error(`Invalid ${label}: ${url}`);
+			ctx.context.logger.info(`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${ctx.context.trustedOrigins}`);
+			if (label === "origin") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ORIGIN);
+			if (label === "callbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_CALLBACK_URL);
+			if (label === "redirectURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_REDIRECT_URL);
+			if (label === "errorCallbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ERROR_CALLBACK_URL);
+			if (label === "newUserCallbackURL") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_NEW_USER_CALLBACK_URL);
+			throw APIError.fromStatus("FORBIDDEN", { message: `Invalid ${label}` });
+		}
+	};
+	const callbacks = Array.isArray(callbackURL) ? callbackURL : [callbackURL];
+	for (const url of callbacks) validateURL(url, "callbackURL");
+});
+/**
+* Validates origin header against trusted origins.
+* @param ctx - The endpoint context
+* @param forceValidate - If true, always validate origin regardless of cookies/skip flags
+*/
+async function validateOrigin(ctx, forceValidate = false) {
+	const headers = ctx.request?.headers;
+	if (!headers || !ctx.request) return;
+	const originHeader = headers.get("origin") || headers.get("referer") || "";
+	const useCookies = headers.has("cookie");
+	if (ctx.context.skipCSRFCheck) return;
+	if (shouldSkipCSRFForBackwardCompat(ctx)) {
+		ctx.context.options.advanced?.disableOriginCheck === true && logBackwardCompatWarning();
+		return;
+	}
+	const skipOriginCheck = ctx.context.skipOriginCheck;
+	if (Array.isArray(skipOriginCheck)) try {
+		const basePath = new URL(ctx.context.baseURL).pathname;
+		const currentPath = normalizePathname(ctx.request.url, basePath);
+		if (skipOriginCheck.some((skipPath) => currentPath.startsWith(skipPath))) return;
+	} catch {}
+	if (!(forceValidate || useCookies)) return;
+	if (!originHeader || originHeader === "null") throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.MISSING_OR_NULL_ORIGIN);
+	const trustedOrigins = Array.isArray(ctx.context.options.trustedOrigins) ? ctx.context.trustedOrigins : [...ctx.context.trustedOrigins, ...(await ctx.context.options.trustedOrigins?.(ctx.request))?.filter((v) => Boolean(v)) || []];
+	if (!trustedOrigins.some((origin) => matchesOriginPattern(originHeader, origin))) {
+		ctx.context.logger.error(`Invalid origin: ${originHeader}`);
+		ctx.context.logger.info(`If it's a valid URL, please add ${originHeader} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${trustedOrigins}`);
+		throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.INVALID_ORIGIN);
+	}
+}
+/**
+* Middleware for CSRF protection using Fetch Metadata headers.
+* This prevents cross-site navigation login attacks while supporting progressive enhancement.
+*/
+const formCsrfMiddleware = createAuthMiddleware(async (ctx) => {
+	if (!ctx.request) return;
+	await validateFormCsrf(ctx);
+});
+/**
+* Validates CSRF protection for first-login scenarios using Fetch Metadata headers.
+* This prevents cross-site form submission attacks while supporting progressive enhancement.
+*/
+async function validateFormCsrf(ctx) {
+	const req = ctx.request;
+	if (!req) return;
+	if (ctx.context.skipCSRFCheck) return;
+	if (shouldSkipCSRFForBackwardCompat(ctx)) return;
+	const headers = req.headers;
+	if (headers.has("cookie")) return await validateOrigin(ctx);
+	const site = headers.get("Sec-Fetch-Site");
+	const mode = headers.get("Sec-Fetch-Mode");
+	const dest = headers.get("Sec-Fetch-Dest");
+	if (Boolean(site && site.trim() || mode && mode.trim() || dest && dest.trim())) {
+		if (site === "cross-site" && mode === "navigate") {
+			ctx.context.logger.error("Blocked cross-site navigation login attempt (CSRF protection)", {
+				secFetchSite: site,
+				secFetchMode: mode,
+				secFetchDest: dest
+			});
+			throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.CROSS_SITE_NAVIGATION_LOGIN_BLOCKED);
+		}
+		return await validateOrigin(ctx, true);
+	}
+}
+
+//#endregion
+export { formCsrfMiddleware, originCheck, originCheckMiddleware };
+//# sourceMappingURL=origin-check.mjs.map

package/dist/api/middlewares/origin-check.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"origin-check.mjs","names":[],"sources":["../../../src/api/middlewares/origin-check.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { createAuthMiddleware } from \"@better-auth/core/api\";\nimport { APIError, BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { deprecate } from \"@better-auth/core/utils/deprecate\";\nimport { normalizePathname } from \"@better-auth/core/utils/url\";\nimport { matchesOriginPattern } from \"../../auth/trusted-origins\";\n\n/**\n * Checks if CSRF should be skipped for backward compatibility.\n * Previously, disableOriginCheck also disabled CSRF checks.\n * This maintains that behavior when disableCSRFCheck isn't explicitly set.\n * Only triggers for skipOriginCheck === true, not for path arrays.\n */\nfunction shouldSkipCSRFForBackwardCompat(ctx: GenericEndpointContext): boolean {\n\treturn (\n\t\tctx.context.skipOriginCheck === true &&\n\t\tctx.context.options.advanced?.disableCSRFCheck === undefined\n\t);\n}\n\n/**\n * Logs deprecation warning for users relying on coupled behavior.\n * Only logs if user explicitly set disableOriginCheck (not test environment default).\n */\nconst logBackwardCompatWarning = deprecate(\n\tfunction logBackwardCompatWarning() {},\n\t\"disableOriginCheck: true currently also disables CSRF checks. \" +\n\t\t\"In a future version, disableOriginCheck will ONLY disable URL validation. \" +\n\t\t\"To keep CSRF disabled, add disableCSRFCheck: true to your config.\",\n);\n\n/**\n * A middleware to validate callbackURL and origin against trustedOrigins.\n * Also handles CSRF protection using Fetch Metadata for first-login scenarios.\n */\nexport const originCheckMiddleware = createAuthMiddleware(async (ctx) => {\n\t// Skip origin check for GET, OPTIONS, HEAD requests - we don't mutate state here.\n\tif (\n\t\tctx.request?.method === \"GET\" ||\n\t\tctx.request?.method === \"OPTIONS\" ||\n\t\tctx.request?.method === \"HEAD\" ||\n\t\t!ctx.request\n\t) {\n\t\treturn;\n\t}\n\tawait validateOrigin(ctx);\n\n\tif (ctx.context.skipOriginCheck) {\n\t\treturn;\n\t}\n\n\tconst { body, query } = ctx;\n\tconst callbackURL = body?.callbackURL || query?.callbackURL;\n\tconst redirectURL = body?.redirectTo;\n\tconst errorCallbackURL = body?.errorCallbackURL;\n\tconst newUserCallbackURL = body?.newUserCallbackURL;\n\n\tconst validateURL = (\n\t\turl: string | undefined,\n\t\tlabel:\n\t\t\t| \"origin\"\n\t\t\t| \"callbackURL\"\n\t\t\t| \"redirectURL\"\n\t\t\t| \"errorCallbackURL\"\n\t\t\t| \"newUserCallbackURL\",\n\t) => {\n\t\tif (!url) {\n\t\t\treturn;\n\t\t}\n\t\tconst isTrustedOrigin = ctx.context.isTrustedOrigin(url, {\n\t\t\tallowRelativePaths: label !== \"origin\",\n\t\t});\n\n\t\tif (!isTrustedOrigin) {\n\t\t\tctx.context.logger.error(`Invalid ${label}: ${url}`);\n\t\t\tctx.context.logger.info(\n\t\t\t\t`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\\n`,\n\t\t\t\t`Current list of trustedOrigins: ${ctx.context.trustedOrigins}`,\n\t\t\t);\n\t\t\tif (label === \"origin\") {\n\t\t\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_ORIGIN);\n\t\t\t}\n\t\t\tif (label === \"callbackURL\") {\n\t\t\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_CALLBACK_URL);\n\t\t\t}\n\t\t\tif (label === \"redirectURL\") {\n\t\t\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_REDIRECT_URL);\n\t\t\t}\n\t\t\tif (label === \"errorCallbackURL\") {\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\tBASE_ERROR_CODES.INVALID_ERROR_CALLBACK_URL,\n\t\t\t\t);\n\t\t\t}\n\t\t\tif (label === \"newUserCallbackURL\") {\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\tBASE_ERROR_CODES.INVALID_NEW_USER_CALLBACK_URL,\n\t\t\t\t);\n\t\t\t}\n\t\t\tthrow APIError.fromStatus(\"FORBIDDEN\", {\n\t\t\t\tmessage: `Invalid ${label}`,\n\t\t\t});\n\t\t}\n\t};\n\n\tcallbackURL && validateURL(callbackURL, \"callbackURL\");\n\tredirectURL && validateURL(redirectURL, \"redirectURL\");\n\terrorCallbackURL && validateURL(errorCallbackURL, \"errorCallbackURL\");\n\tnewUserCallbackURL && validateURL(newUserCallbackURL, \"newUserCallbackURL\");\n});\n\nexport const originCheck = (\n\tgetValue: (ctx: GenericEndpointContext) => string | string[],\n) =>\n\tcreateAuthMiddleware(async (ctx) => {\n\t\tif (!ctx.request) {\n\t\t\treturn;\n\t\t}\n\t\tif (ctx.context.skipOriginCheck) {\n\t\t\treturn;\n\t\t}\n\t\tconst callbackURL = getValue(ctx);\n\t\tconst validateURL = (url: string | undefined, label: string) => {\n\t\t\tif (!url) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t\tconst isTrustedOrigin = ctx.context.isTrustedOrigin(url, {\n\t\t\t\tallowRelativePaths: label !== \"origin\",\n\t\t\t});\n\n\t\t\tif (!isTrustedOrigin) {\n\t\t\t\tctx.context.logger.error(`Invalid ${label}: ${url}`);\n\t\t\t\tctx.context.logger.info(\n\t\t\t\t\t`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\\n`,\n\t\t\t\t\t`Current list of trustedOrigins: ${ctx.context.trustedOrigins}`,\n\t\t\t\t);\n\t\t\t\tif (label === \"origin\") {\n\t\t\t\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_ORIGIN);\n\t\t\t\t}\n\t\t\t\tif (label === \"callbackURL\") {\n\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_CALLBACK_URL,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tif (label === \"redirectURL\") {\n\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_REDIRECT_URL,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tif (label === \"errorCallbackURL\") {\n\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_ERROR_CALLBACK_URL,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tif (label === \"newUserCallbackURL\") {\n\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\"FORBIDDEN\",\n\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_NEW_USER_CALLBACK_URL,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tthrow APIError.fromStatus(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: `Invalid ${label}`,\n\t\t\t\t});\n\t\t\t}\n\t\t};\n\t\tconst callbacks = Array.isArray(callbackURL) ? callbackURL : [callbackURL];\n\t\tfor (const url of callbacks) {\n\t\t\tvalidateURL(url, \"callbackURL\");\n\t\t}\n\t});\n\n/**\n * Validates origin header against trusted origins.\n * @param ctx - The endpoint context\n * @param forceValidate - If true, always validate origin regardless of cookies/skip flags\n */\nasync function validateOrigin(\n\tctx: GenericEndpointContext,\n\tforceValidate = false,\n): Promise<void> {\n\tconst headers = ctx.request?.headers;\n\tif (!headers || !ctx.request) {\n\t\treturn;\n\t}\n\tconst originHeader = headers.get(\"origin\") || headers.get(\"referer\") || \"\";\n\tconst useCookies = headers.has(\"cookie\");\n\n\tif (ctx.context.skipCSRFCheck) {\n\t\treturn;\n\t}\n\n\tif (shouldSkipCSRFForBackwardCompat(ctx)) {\n\t\tctx.context.options.advanced?.disableOriginCheck === true &&\n\t\t\tlogBackwardCompatWarning();\n\t\treturn;\n\t}\n\n\tconst skipOriginCheck = ctx.context.skipOriginCheck;\n\tif (Array.isArray(skipOriginCheck)) {\n\t\ttry {\n\t\t\tconst basePath = new URL(ctx.context.baseURL).pathname;\n\t\t\tconst currentPath = normalizePathname(ctx.request.url, basePath);\n\t\t\tconst shouldSkipPath = skipOriginCheck.some((skipPath) =>\n\t\t\t\tcurrentPath.startsWith(skipPath),\n\t\t\t);\n\t\t\tif (shouldSkipPath) {\n\t\t\t\treturn;\n\t\t\t}\n\t\t} catch {\n\t\t\t// If parsing fails, don't skip - continue with validation\n\t\t}\n\t}\n\n\tconst shouldValidate = forceValidate || useCookies;\n\n\tif (!shouldValidate) {\n\t\treturn;\n\t}\n\n\tif (!originHeader || originHeader === \"null\") {\n\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.MISSING_OR_NULL_ORIGIN);\n\t}\n\n\tconst trustedOrigins: string[] = Array.isArray(\n\t\tctx.context.options.trustedOrigins,\n\t)\n\t\t? ctx.context.trustedOrigins\n\t\t: [\n\t\t\t\t...ctx.context.trustedOrigins,\n\t\t\t\t...((await ctx.context.options.trustedOrigins?.(ctx.request))?.filter(\n\t\t\t\t\t(v): v is string => Boolean(v),\n\t\t\t\t) || []),\n\t\t\t];\n\n\tconst isTrustedOrigin = trustedOrigins.some((origin) =>\n\t\tmatchesOriginPattern(originHeader, origin),\n\t);\n\tif (!isTrustedOrigin) {\n\t\tctx.context.logger.error(`Invalid origin: ${originHeader}`);\n\t\tctx.context.logger.info(\n\t\t\t`If it's a valid URL, please add ${originHeader} to trustedOrigins in your auth config\\n`,\n\t\t\t`Current list of trustedOrigins: ${trustedOrigins}`,\n\t\t);\n\t\tthrow APIError.from(\"FORBIDDEN\", BASE_ERROR_CODES.INVALID_ORIGIN);\n\t}\n}\n\n/**\n * Middleware for CSRF protection using Fetch Metadata headers.\n * This prevents cross-site navigation login attacks while supporting progressive enhancement.\n */\nexport const formCsrfMiddleware = createAuthMiddleware(async (ctx) => {\n\tconst request = ctx.request;\n\tif (!request) {\n\t\treturn;\n\t}\n\n\tawait validateFormCsrf(ctx);\n});\n\n/**\n * Validates CSRF protection for first-login scenarios using Fetch Metadata headers.\n * This prevents cross-site form submission attacks while supporting progressive enhancement.\n */\nasync function validateFormCsrf(ctx: GenericEndpointContext): Promise<void> {\n\tconst req = ctx.request;\n\tif (!req) {\n\t\treturn;\n\t}\n\n\tif (ctx.context.skipCSRFCheck) {\n\t\treturn;\n\t}\n\n\tif (shouldSkipCSRFForBackwardCompat(ctx)) {\n\t\treturn;\n\t}\n\n\tconst headers = req.headers;\n\tconst hasAnyCookies = headers.has(\"cookie\");\n\n\tif (hasAnyCookies) {\n\t\treturn await validateOrigin(ctx);\n\t}\n\n\tconst site = headers.get(\"Sec-Fetch-Site\");\n\tconst mode = headers.get(\"Sec-Fetch-Mode\");\n\tconst dest = headers.get(\"Sec-Fetch-Dest\");\n\n\tconst hasMetadata = Boolean(\n\t\t(site && site.trim()) || (mode && mode.trim()) || (dest && dest.trim()),\n\t);\n\n\tif (hasMetadata) {\n\t\t// Block cross-site navigation requests (classic CSRF attack pattern)\n\t\tif (site === \"cross-site\" && mode === \"navigate\") {\n\t\t\tctx.context.logger.error(\n\t\t\t\t\"Blocked cross-site navigation login attempt (CSRF protection)\",\n\t\t\t\t{\n\t\t\t\t\tsecFetchSite: site,\n\t\t\t\t\tsecFetchMode: mode,\n\t\t\t\t\tsecFetchDest: dest,\n\t\t\t\t},\n\t\t\t);\n\t\t\tthrow APIError.from(\n\t\t\t\t\"FORBIDDEN\",\n\t\t\t\tBASE_ERROR_CODES.CROSS_SITE_NAVIGATION_LOGIN_BLOCKED,\n\t\t\t);\n\t\t}\n\n\t\treturn await validateOrigin(ctx, true);\n\t}\n\n\t// No cookies, no Fetch Metadata → fallback to old behavior (no validation)\n\treturn;\n}\n"],"mappings":";;;;;;;;;;;;;AAaA,SAAS,gCAAgC,KAAsC;AAC9E,QACC,IAAI,QAAQ,oBAAoB,QAChC,IAAI,QAAQ,QAAQ,UAAU,qBAAqB;;;;;;AAQrD,MAAM,2BAA2B,UAChC,SAAS,2BAA2B,IACpC,4MAGA;;;;;AAMD,MAAa,wBAAwB,qBAAqB,OAAO,QAAQ;AAExE,KACC,IAAI,SAAS,WAAW,SACxB,IAAI,SAAS,WAAW,aACxB,IAAI,SAAS,WAAW,UACxB,CAAC,IAAI,QAEL;AAED,OAAM,eAAe,IAAI;AAEzB,KAAI,IAAI,QAAQ,gBACf;CAGD,MAAM,EAAE,MAAM,UAAU;CACxB,MAAM,cAAc,MAAM,eAAe,OAAO;CAChD,MAAM,cAAc,MAAM;CAC1B,MAAM,mBAAmB,MAAM;CAC/B,MAAM,qBAAqB,MAAM;CAEjC,MAAM,eACL,KACA,UAMI;AACJ,MAAI,CAAC,IACJ;AAMD,MAAI,CAJoB,IAAI,QAAQ,gBAAgB,KAAK,EACxD,oBAAoB,UAAU,UAC9B,CAAC,EAEoB;AACrB,OAAI,QAAQ,OAAO,MAAM,WAAW,MAAM,IAAI,MAAM;AACpD,OAAI,QAAQ,OAAO,KAClB,mCAAmC,IAAI,2CACvC,mCAAmC,IAAI,QAAQ,iBAC/C;AACD,OAAI,UAAU,SACb,OAAM,SAAS,KAAK,aAAa,iBAAiB,eAAe;AAElE,OAAI,UAAU,cACb,OAAM,SAAS,KAAK,aAAa,iBAAiB,qBAAqB;AAExE,OAAI,UAAU,cACb,OAAM,SAAS,KAAK,aAAa,iBAAiB,qBAAqB;AAExE,OAAI,UAAU,mBACb,OAAM,SAAS,KACd,aACA,iBAAiB,2BACjB;AAEF,OAAI,UAAU,qBACb,OAAM,SAAS,KACd,aACA,iBAAiB,8BACjB;AAEF,SAAM,SAAS,WAAW,aAAa,EACtC,SAAS,WAAW,SACpB,CAAC;;;AAIJ,gBAAe,YAAY,aAAa,cAAc;AACtD,gBAAe,YAAY,aAAa,cAAc;AACtD,qBAAoB,YAAY,kBAAkB,mBAAmB;AACrE,uBAAsB,YAAY,oBAAoB,qBAAqB;EAC1E;AAEF,MAAa,eACZ,aAEA,qBAAqB,OAAO,QAAQ;AACnC,KAAI,CAAC,IAAI,QACR;AAED,KAAI,IAAI,QAAQ,gBACf;CAED,MAAM,cAAc,SAAS,IAAI;CACjC,MAAM,eAAe,KAAyB,UAAkB;AAC/D,MAAI,CAAC,IACJ;AAMD,MAAI,CAJoB,IAAI,QAAQ,gBAAgB,KAAK,EACxD,oBAAoB,UAAU,UAC9B,CAAC,EAEoB;AACrB,OAAI,QAAQ,OAAO,MAAM,WAAW,MAAM,IAAI,MAAM;AACpD,OAAI,QAAQ,OAAO,KAClB,mCAAmC,IAAI,2CACvC,mCAAmC,IAAI,QAAQ,iBAC/C;AACD,OAAI,UAAU,SACb,OAAM,SAAS,KAAK,aAAa,iBAAiB,eAAe;AAElE,OAAI,UAAU,cACb,OAAM,SAAS,KACd,aACA,iBAAiB,qBACjB;AAEF,OAAI,UAAU,cACb,OAAM,SAAS,KACd,aACA,iBAAiB,qBACjB;AAEF,OAAI,UAAU,mBACb,OAAM,SAAS,KACd,aACA,iBAAiB,2BACjB;AAEF,OAAI,UAAU,qBACb,OAAM,SAAS,KACd,aACA,iBAAiB,8BACjB;AAEF,SAAM,SAAS,WAAW,aAAa,EACtC,SAAS,WAAW,SACpB,CAAC;;;CAGJ,MAAM,YAAY,MAAM,QAAQ,YAAY,GAAG,cAAc,CAAC,YAAY;AAC1E,MAAK,MAAM,OAAO,UACjB,aAAY,KAAK,cAAc;EAE/B;;;;;;AAOH,eAAe,eACd,KACA,gBAAgB,OACA;CAChB,MAAM,UAAU,IAAI,SAAS;AAC7B,KAAI,CAAC,WAAW,CAAC,IAAI,QACpB;CAED,MAAM,eAAe,QAAQ,IAAI,SAAS,IAAI,QAAQ,IAAI,UAAU,IAAI;CACxE,MAAM,aAAa,QAAQ,IAAI,SAAS;AAExC,KAAI,IAAI,QAAQ,cACf;AAGD,KAAI,gCAAgC,IAAI,EAAE;AACzC,MAAI,QAAQ,QAAQ,UAAU,uBAAuB,QACpD,0BAA0B;AAC3B;;CAGD,MAAM,kBAAkB,IAAI,QAAQ;AACpC,KAAI,MAAM,QAAQ,gBAAgB,CACjC,KAAI;EACH,MAAM,WAAW,IAAI,IAAI,IAAI,QAAQ,QAAQ,CAAC;EAC9C,MAAM,cAAc,kBAAkB,IAAI,QAAQ,KAAK,SAAS;AAIhE,MAHuB,gBAAgB,MAAM,aAC5C,YAAY,WAAW,SAAS,CAChC,CAEA;SAEM;AAOT,KAAI,EAFmB,iBAAiB,YAGvC;AAGD,KAAI,CAAC,gBAAgB,iBAAiB,OACrC,OAAM,SAAS,KAAK,aAAa,iBAAiB,uBAAuB;CAG1E,MAAM,iBAA2B,MAAM,QACtC,IAAI,QAAQ,QAAQ,eACpB,GACE,IAAI,QAAQ,iBACZ,CACA,GAAG,IAAI,QAAQ,gBACf,IAAK,MAAM,IAAI,QAAQ,QAAQ,iBAAiB,IAAI,QAAQ,GAAG,QAC7D,MAAmB,QAAQ,EAAE,CAC9B,IAAI,EAAE,CACP;AAKH,KAAI,CAHoB,eAAe,MAAM,WAC5C,qBAAqB,cAAc,OAAO,CAC1C,EACqB;AACrB,MAAI,QAAQ,OAAO,MAAM,mBAAmB,eAAe;AAC3D,MAAI,QAAQ,OAAO,KAClB,mCAAmC,aAAa,2CAChD,mCAAmC,iBACnC;AACD,QAAM,SAAS,KAAK,aAAa,iBAAiB,eAAe;;;;;;;AAQnE,MAAa,qBAAqB,qBAAqB,OAAO,QAAQ;AAErE,KAAI,CADY,IAAI,QAEnB;AAGD,OAAM,iBAAiB,IAAI;EAC1B;;;;;AAMF,eAAe,iBAAiB,KAA4C;CAC3E,MAAM,MAAM,IAAI;AAChB,KAAI,CAAC,IACJ;AAGD,KAAI,IAAI,QAAQ,cACf;AAGD,KAAI,gCAAgC,IAAI,CACvC;CAGD,MAAM,UAAU,IAAI;AAGpB,KAFsB,QAAQ,IAAI,SAAS,CAG1C,QAAO,MAAM,eAAe,IAAI;CAGjC,MAAM,OAAO,QAAQ,IAAI,iBAAiB;CAC1C,MAAM,OAAO,QAAQ,IAAI,iBAAiB;CAC1C,MAAM,OAAO,QAAQ,IAAI,iBAAiB;AAM1C,KAJoB,QAClB,QAAQ,KAAK,MAAM,IAAM,QAAQ,KAAK,MAAM,IAAM,QAAQ,KAAK,MAAM,CACtE,EAEgB;AAEhB,MAAI,SAAS,gBAAgB,SAAS,YAAY;AACjD,OAAI,QAAQ,OAAO,MAClB,iEACA;IACC,cAAc;IACd,cAAc;IACd,cAAc;IACd,CACD;AACD,SAAM,SAAS,KACd,aACA,iBAAiB,oCACjB;;AAGF,SAAO,MAAM,eAAe,KAAK,KAAK"}

package/dist/api/rate-limiter/index.mjs

@@ -0,0 +1,204 @@
+import { wildcardMatch } from "../../utils/wildcard.mjs";
+import { getIp } from "../../utils/get-request-ip.mjs";
+import { safeJSONParse } from "@better-auth/core/utils/json";
+import { normalizePathname } from "@better-auth/core/utils/url";
+import { createRateLimitKey } from "@better-auth/core/utils/ip";
+
+//#region src/api/rate-limiter/index.ts
+const memory = /* @__PURE__ */ new Map();
+function shouldRateLimit(max, window, rateLimitData) {
+	const now = Date.now();
+	const windowInMs = window * 1e3;
+	return now - rateLimitData.lastRequest < windowInMs && rateLimitData.count >= max;
+}
+function rateLimitResponse(retryAfter) {
+	return new Response(JSON.stringify({ message: "Too many requests. Please try again later." }), {
+		status: 429,
+		statusText: "Too Many Requests",
+		headers: { "X-Retry-After": retryAfter.toString() }
+	});
+}
+function getRetryAfter(lastRequest, window) {
+	const now = Date.now();
+	const windowInMs = window * 1e3;
+	return Math.ceil((lastRequest + windowInMs - now) / 1e3);
+}
+function createDatabaseStorageWrapper(ctx) {
+	const model = "rateLimit";
+	const db = ctx.adapter;
+	return {
+		get: async (key) => {
+			const data = (await db.findMany({
+				model,
+				where: [{
+					field: "key",
+					value: key
+				}]
+			}))[0];
+			if (typeof data?.lastRequest === "bigint") data.lastRequest = Number(data.lastRequest);
+			return data;
+		},
+		set: async (key, value, _update) => {
+			try {
+				if (_update) await db.updateMany({
+					model,
+					where: [{
+						field: "key",
+						value: key
+					}],
+					update: {
+						count: value.count,
+						lastRequest: value.lastRequest
+					}
+				});
+				else await db.create({
+					model,
+					data: {
+						key,
+						count: value.count,
+						lastRequest: value.lastRequest
+					}
+				});
+			} catch (e) {
+				ctx.logger.error("Error setting rate limit", e);
+			}
+		}
+	};
+}
+function getRateLimitStorage(ctx, rateLimitSettings) {
+	if (ctx.options.rateLimit?.customStorage) return ctx.options.rateLimit.customStorage;
+	const storage = ctx.rateLimit.storage;
+	if (storage === "secondary-storage") return {
+		get: async (key) => {
+			const data = await ctx.options.secondaryStorage?.get(key);
+			return data ? safeJSONParse(data) : null;
+		},
+		set: async (key, value, _update) => {
+			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
+			await ctx.options.secondaryStorage?.set?.(key, JSON.stringify(value), ttl);
+		}
+	};
+	else if (storage === "memory") return {
+		async get(key) {
+			const entry = memory.get(key);
+			if (!entry) return null;
+			if (Date.now() >= entry.expiresAt) {
+				memory.delete(key);
+				return null;
+			}
+			return entry.data;
+		},
+		async set(key, value, _update) {
+			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
+			const expiresAt = Date.now() + ttl * 1e3;
+			memory.set(key, {
+				data: value,
+				expiresAt
+			});
+		}
+	};
+	return createDatabaseStorageWrapper(ctx);
+}
+let ipWarningLogged = false;
+async function resolveRateLimitConfig(req, ctx) {
+	const basePath = new URL(ctx.baseURL).pathname;
+	const path = normalizePathname(req.url, basePath);
+	let currentWindow = ctx.rateLimit.window;
+	let currentMax = ctx.rateLimit.max;
+	const ip = getIp(req, ctx.options);
+	if (!ip) {
+		if (!ipWarningLogged) {
+			ctx.logger.warn("Rate limiting skipped: could not determine client IP address. If you're behind a reverse proxy, make sure to configure `trustedProxies` in your auth config.");
+			ipWarningLogged = true;
+		}
+		return null;
+	}
+	const key = createRateLimitKey(ip, path);
+	const specialRule = getDefaultSpecialRules().find((rule) => rule.pathMatcher(path));
+	if (specialRule) {
+		currentWindow = specialRule.window;
+		currentMax = specialRule.max;
+	}
+	for (const plugin of ctx.options.plugins || []) if (plugin.rateLimit) {
+		const matchedRule = plugin.rateLimit.find((rule) => rule.pathMatcher(path));
+		if (matchedRule) {
+			currentWindow = matchedRule.window;
+			currentMax = matchedRule.max;
+			break;
+		}
+	}
+	if (ctx.rateLimit.customRules) {
+		const _path = Object.keys(ctx.rateLimit.customRules).find((p) => {
+			if (p.includes("*")) return wildcardMatch(p)(path);
+			return p === path;
+		});
+		if (_path) {
+			const customRule = ctx.rateLimit.customRules[_path];
+			const resolved = typeof customRule === "function" ? await customRule(req, {
+				window: currentWindow,
+				max: currentMax
+			}) : customRule;
+			if (resolved) {
+				currentWindow = resolved.window;
+				currentMax = resolved.max;
+			}
+			if (resolved === false) return null;
+		}
+	}
+	return {
+		key,
+		currentWindow,
+		currentMax
+	};
+}
+async function onRequestRateLimit(req, ctx) {
+	if (!ctx.rateLimit.enabled) return;
+	const config = await resolveRateLimitConfig(req, ctx);
+	if (!config) return;
+	const { key, currentWindow, currentMax } = config;
+	const data = await getRateLimitStorage(ctx, { window: currentWindow }).get(key);
+	if (data && shouldRateLimit(currentMax, currentWindow, data)) return rateLimitResponse(getRetryAfter(data.lastRequest, currentWindow));
+}
+async function onResponseRateLimit(req, ctx) {
+	if (!ctx.rateLimit.enabled) return;
+	const config = await resolveRateLimitConfig(req, ctx);
+	if (!config) return;
+	const { key, currentWindow } = config;
+	const storage = getRateLimitStorage(ctx, { window: currentWindow });
+	const data = await storage.get(key);
+	const now = Date.now();
+	if (!data) await storage.set(key, {
+		key,
+		count: 1,
+		lastRequest: now
+	});
+	else if (now - data.lastRequest > currentWindow * 1e3) await storage.set(key, {
+		...data,
+		count: 1,
+		lastRequest: now
+	}, true);
+	else await storage.set(key, {
+		...data,
+		count: data.count + 1,
+		lastRequest: now
+	}, true);
+}
+function getDefaultSpecialRules() {
+	return [{
+		pathMatcher(path) {
+			return path.startsWith("/sign-in") || path.startsWith("/sign-up") || path.startsWith("/change-password") || path.startsWith("/change-email");
+		},
+		window: 10,
+		max: 3
+	}, {
+		pathMatcher(path) {
+			return path === "/request-password-reset" || path === "/send-verification-email" || path.startsWith("/forget-password") || path === "/email-otp/send-verification-otp" || path === "/email-otp/request-password-reset";
+		},
+		window: 60,
+		max: 3
+	}];
+}
+
+//#endregion
+export { onRequestRateLimit, onResponseRateLimit };
+//# sourceMappingURL=index.mjs.map