@sirketio/auth 0.0.1

package/dist/plugins/haveibeenpwned/index.d.mts

@@ -0,0 +1,46 @@
+import * as _better_auth_core0 from "@better-auth/core";
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+
+//#region src/plugins/haveibeenpwned/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    "have-i-been-pwned": {
+      creator: typeof haveIBeenPwned;
+    };
+  }
+}
+interface HaveIBeenPwnedOptions {
+  customPasswordCompromisedMessage?: string | undefined;
+  /**
+   * Paths to check for password
+   *
+   * @default ["/sign-up/email", "/change-password", "/reset-password"]
+   */
+  paths?: string[];
+}
+declare const haveIBeenPwned: (options?: HaveIBeenPwnedOptions | undefined) => {
+  id: "have-i-been-pwned";
+  init(ctx: _better_auth_core0.AuthContext): {
+    context: {
+      password: {
+        hash(password: string): Promise<string>;
+        verify: (data: {
+          password: string;
+          hash: string;
+        }) => Promise<boolean>;
+        config: {
+          minPasswordLength: number;
+          maxPasswordLength: number;
+        };
+        checkPassword: (userId: string, ctx: _better_auth_core0.GenericEndpointContext<_better_auth_core0.BetterAuthOptions>) => Promise<boolean>;
+      };
+    };
+  };
+  options: HaveIBeenPwnedOptions | undefined;
+  $ERROR_CODES: {
+    PASSWORD_COMPROMISED: _better_auth_core_utils_error_codes0.RawError<"PASSWORD_COMPROMISED">;
+  };
+};
+//#endregion
+export { HaveIBeenPwnedOptions, haveIBeenPwned };
+//# sourceMappingURL=index.d.mts.map

package/dist/plugins/haveibeenpwned/index.mjs

@@ -0,0 +1,57 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
+import { APIError } from "../../api/index.mjs";
+import { getCurrentAuthContext } from "@better-auth/core/context";
+import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+import { createHash } from "@better-auth/utils/hash";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/plugins/haveibeenpwned/index.ts
+const ERROR_CODES = defineErrorCodes({ PASSWORD_COMPROMISED: "The password you entered has been compromised. Please choose a different password." });
+async function checkPasswordCompromise(password, customMessage) {
+	if (!password) return;
+	const sha1Hash = (await createHash("SHA-1", "hex").digest(password)).toUpperCase();
+	const prefix = sha1Hash.substring(0, 5);
+	const suffix = sha1Hash.substring(5);
+	try {
+		const { data, error } = await betterFetch(`https://api.pwnedpasswords.com/range/${prefix}`, { headers: {
+			"Add-Padding": "true",
+			"User-Agent": "BetterAuth Password Checker"
+		} });
+		if (error) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Failed to check password. Status: ${error.status}` });
+		if (data.split("\n").some((line) => line.split(":")[0].toUpperCase() === suffix.toUpperCase())) throw APIError.from("BAD_REQUEST", {
+			message: customMessage || ERROR_CODES.PASSWORD_COMPROMISED.message,
+			code: ERROR_CODES.PASSWORD_COMPROMISED.code
+		});
+	} catch (error) {
+		if (isAPIError(error)) throw error;
+		throw new APIError("INTERNAL_SERVER_ERROR", { message: "Failed to check password. Please try again later." });
+	}
+}
+const haveIBeenPwned = (options) => {
+	const paths = options?.paths || [
+		"/sign-up/email",
+		"/change-password",
+		"/reset-password"
+	];
+	return {
+		id: "have-i-been-pwned",
+		init(ctx) {
+			const originalHash = ctx.password.hash;
+			return { context: { password: {
+				...ctx.password,
+				async hash(password) {
+					const c = await getCurrentAuthContext();
+					if (!c.path || !paths.includes(c.path)) return originalHash(password);
+					await checkPasswordCompromise(password, options?.customPasswordCompromisedMessage);
+					return originalHash(password);
+				}
+			} } };
+		},
+		options,
+		$ERROR_CODES: ERROR_CODES
+	};
+};
+
+//#endregion
+export { haveIBeenPwned };
+//# sourceMappingURL=index.mjs.map

package/dist/plugins/haveibeenpwned/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/haveibeenpwned/index.ts"],"sourcesContent":["import type { BetterAuthPlugin } from \"@better-auth/core\";\nimport { getCurrentAuthContext } from \"@better-auth/core/context\";\nimport { defineErrorCodes } from \"@better-auth/core/utils/error-codes\";\nimport { createHash } from \"@better-auth/utils/hash\";\nimport { betterFetch } from \"@better-fetch/fetch\";\nimport { APIError } from \"../../api\";\nimport { isAPIError } from \"../../utils/is-api-error\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"have-i-been-pwned\": {\n\t\t\tcreator: typeof haveIBeenPwned;\n\t\t};\n\t}\n}\n\nconst ERROR_CODES = defineErrorCodes({\n\tPASSWORD_COMPROMISED:\n\t\t\"The password you entered has been compromised. Please choose a different password.\",\n});\n\nasync function checkPasswordCompromise(\n\tpassword: string,\n\tcustomMessage?: string | undefined,\n) {\n\tif (!password) return;\n\n\tconst sha1Hash = (\n\t\tawait createHash(\"SHA-1\", \"hex\").digest(password)\n\t).toUpperCase();\n\tconst prefix = sha1Hash.substring(0, 5);\n\tconst suffix = sha1Hash.substring(5);\n\ttry {\n\t\tconst { data, error } = await betterFetch<string>(\n\t\t\t`https://api.pwnedpasswords.com/range/${prefix}`,\n\t\t\t{\n\t\t\t\theaders: {\n\t\t\t\t\t\"Add-Padding\": \"true\",\n\t\t\t\t\t\"User-Agent\": \"BetterAuth Password Checker\",\n\t\t\t\t},\n\t\t\t},\n\t\t);\n\n\t\tif (error) {\n\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\tmessage: `Failed to check password. Status: ${error.status}`,\n\t\t\t});\n\t\t}\n\t\tconst lines = data.split(\"\\n\");\n\t\tconst found = lines.some(\n\t\t\t(line) => line.split(\":\")[0]!.toUpperCase() === suffix.toUpperCase(),\n\t\t);\n\n\t\tif (found) {\n\t\t\tthrow APIError.from(\"BAD_REQUEST\", {\n\t\t\t\tmessage: customMessage || ERROR_CODES.PASSWORD_COMPROMISED.message,\n\t\t\t\tcode: ERROR_CODES.PASSWORD_COMPROMISED.code,\n\t\t\t});\n\t\t}\n\t} catch (error) {\n\t\tif (isAPIError(error)) throw error;\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\tmessage: \"Failed to check password. Please try again later.\",\n\t\t});\n\t}\n}\n\nexport interface HaveIBeenPwnedOptions {\n\tcustomPasswordCompromisedMessage?: string | undefined;\n\t/**\n\t * Paths to check for password\n\t *\n\t * @default [\"/sign-up/email\", \"/change-password\", \"/reset-password\"]\n\t */\n\tpaths?: string[];\n}\n\nexport const haveIBeenPwned = (options?: HaveIBeenPwnedOptions | undefined) => {\n\tconst paths = options?.paths || [\n\t\t\"/sign-up/email\",\n\t\t\"/change-password\",\n\t\t\"/reset-password\",\n\t];\n\n\treturn {\n\t\tid: \"have-i-been-pwned\",\n\t\tinit(ctx) {\n\t\t\tconst originalHash = ctx.password.hash;\n\t\t\treturn {\n\t\t\t\tcontext: {\n\t\t\t\t\tpassword: {\n\t\t\t\t\t\t...ctx.password,\n\t\t\t\t\t\tasync hash(password) {\n\t\t\t\t\t\t\tconst c = await getCurrentAuthContext();\n\t\t\t\t\t\t\tif (!c.path || !paths.includes(c.path)) {\n\t\t\t\t\t\t\t\treturn originalHash(password);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tawait checkPasswordCompromise(\n\t\t\t\t\t\t\t\tpassword,\n\t\t\t\t\t\t\t\toptions?.customPasswordCompromisedMessage,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\treturn originalHash(password);\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t};\n\t\t},\n\t\toptions,\n\t\t$ERROR_CODES: ERROR_CODES,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;AAgBA,MAAM,cAAc,iBAAiB,EACpC,sBACC,sFACD,CAAC;AAEF,eAAe,wBACd,UACA,eACC;AACD,KAAI,CAAC,SAAU;CAEf,MAAM,YACL,MAAM,WAAW,SAAS,MAAM,CAAC,OAAO,SAAS,EAChD,aAAa;CACf,MAAM,SAAS,SAAS,UAAU,GAAG,EAAE;CACvC,MAAM,SAAS,SAAS,UAAU,EAAE;AACpC,KAAI;EACH,MAAM,EAAE,MAAM,UAAU,MAAM,YAC7B,wCAAwC,UACxC,EACC,SAAS;GACR,eAAe;GACf,cAAc;GACd,EACD,CACD;AAED,MAAI,MACH,OAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,qCAAqC,MAAM,UACpD,CAAC;AAOH,MALc,KAAK,MAAM,KAAK,CACV,MAClB,SAAS,KAAK,MAAM,IAAI,CAAC,GAAI,aAAa,KAAK,OAAO,aAAa,CACpE,CAGA,OAAM,SAAS,KAAK,eAAe;GAClC,SAAS,iBAAiB,YAAY,qBAAqB;GAC3D,MAAM,YAAY,qBAAqB;GACvC,CAAC;UAEK,OAAO;AACf,MAAI,WAAW,MAAM,CAAE,OAAM;AAC7B,QAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,qDACT,CAAC;;;AAcJ,MAAa,kBAAkB,YAAgD;CAC9E,MAAM,QAAQ,SAAS,SAAS;EAC/B;EACA;EACA;EACA;AAED,QAAO;EACN,IAAI;EACJ,KAAK,KAAK;GACT,MAAM,eAAe,IAAI,SAAS;AAClC,UAAO,EACN,SAAS,EACR,UAAU;IACT,GAAG,IAAI;IACP,MAAM,KAAK,UAAU;KACpB,MAAM,IAAI,MAAM,uBAAuB;AACvC,SAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,SAAS,EAAE,KAAK,CACrC,QAAO,aAAa,SAAS;AAE9B,WAAM,wBACL,UACA,SAAS,iCACT;AACD,YAAO,aAAa,SAAS;;IAE9B,EACD,EACD;;EAEF;EACA,cAAc;EACd"}

package/dist/plugins/index.d.mts

@@ -0,0 +1,65 @@
+import { InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginIDs } from "../types/plugins.mjs";
+import { HIDE_METADATA } from "../utils/hide-metadata.mjs";
+import { AccessControl, Role, Statements, SubArray, Subset } from "./access/types.mjs";
+import { AuthorizeResponse, createAccessControl, role } from "./access/access.mjs";
+import "./access/index.mjs";
+import { OrganizationOptions } from "./organization/types.mjs";
+import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "./organization/schema.mjs";
+import { getOrgAdapter } from "./organization/adapter.mjs";
+import { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole } from "./admin/types.mjs";
+import { admin } from "./admin/admin.mjs";
+import "./admin/index.mjs";
+import { ApiKey, ApiKeyOptions } from "./api-key/types.mjs";
+import { API_KEY_ERROR_CODES } from "./api-key/error-codes.mjs";
+import { API_KEY_TABLE_NAME, apiKey, defaultKeyHasher } from "./api-key/index.mjs";
+import { BearerOptions, bearer } from "./bearer/index.mjs";
+import { BaseCaptchaOptions, CaptchaFoxOptions, CaptchaOptions, CloudflareTurnstileOptions, GoogleRecaptchaOptions, HCaptchaOptions, Provider } from "./captcha/types.mjs";
+import { captcha } from "./captcha/index.mjs";
+import { CustomSessionPluginOptions, customSession } from "./custom-session/index.mjs";
+import { TimeString, ms, sec } from "../utils/time.mjs";
+import { DeviceAuthorizationOptions, deviceAuthorization, deviceAuthorizationOptionsSchema } from "./device-authorization/index.mjs";
+import { EmailOTPOptions } from "./email-otp/types.mjs";
+import { emailOTP } from "./email-otp/index.mjs";
+import { GenericOAuthConfig, GenericOAuthOptions } from "./generic-oauth/types.mjs";
+import { Auth0Options, auth0 } from "./generic-oauth/providers/auth0.mjs";
+import { GumroadOptions, gumroad } from "./generic-oauth/providers/gumroad.mjs";
+import { HubSpotOptions, hubspot } from "./generic-oauth/providers/hubspot.mjs";
+import { KeycloakOptions, keycloak } from "./generic-oauth/providers/keycloak.mjs";
+import { LineOptions, line } from "./generic-oauth/providers/line.mjs";
+import { MicrosoftEntraIdOptions, microsoftEntraId } from "./generic-oauth/providers/microsoft-entra-id.mjs";
+import { OktaOptions, okta } from "./generic-oauth/providers/okta.mjs";
+import { PatreonOptions, patreon } from "./generic-oauth/providers/patreon.mjs";
+import { SlackOptions, slack } from "./generic-oauth/providers/slack.mjs";
+import { BaseOAuthProviderOptions, genericOAuth } from "./generic-oauth/index.mjs";
+import { HaveIBeenPwnedOptions, haveIBeenPwned } from "./haveibeenpwned/index.mjs";
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "./jwt/types.mjs";
+import { getJwtToken, signJWT } from "./jwt/sign.mjs";
+import { createJwk, generateExportedKeyPair, toExpJWT } from "./jwt/utils.mjs";
+import { verifyJWT } from "./jwt/verify.mjs";
+import { jwt } from "./jwt/index.mjs";
+import { LastLoginMethodOptions, lastLoginMethod } from "./last-login-method/index.mjs";
+import { MagicLinkOptions, magicLink } from "./magic-link/index.mjs";
+import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "./oidc-provider/types.mjs";
+import { getClient, getMetadata, oidcProvider } from "./oidc-provider/index.mjs";
+import { getMCPProtectedResourceMetadata, getMCPProviderMetadata, mcp, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, withMcpAuth } from "./mcp/index.mjs";
+import { MULTI_SESSION_ERROR_CODES } from "./multi-session/error-codes.mjs";
+import { MultiSessionConfig, multiSession } from "./multi-session/index.mjs";
+import { OAuthProxyOptions, oAuthProxy } from "./oauth-proxy/index.mjs";
+import { OneTapOptions, oneTap } from "./one-tap/index.mjs";
+import { OneTimeTokenOptions, oneTimeToken } from "./one-time-token/index.mjs";
+import { FieldSchema, OpenAPIModelSchema, Path, generator } from "./open-api/generator.mjs";
+import { OpenAPIOptions, openAPI } from "./open-api/index.mjs";
+import { PhoneNumberOptions, UserWithPhoneNumber } from "./phone-number/types.mjs";
+import { phoneNumber } from "./phone-number/index.mjs";
+import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./two-factor/backup-codes/index.mjs";
+import { OTPOptions, otp2fa } from "./two-factor/otp/index.mjs";
+import { TOTPOptions, totp2fa } from "./two-factor/totp/index.mjs";
+import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "./two-factor/types.mjs";
+import { TWO_FACTOR_ERROR_CODES } from "./two-factor/error-code.mjs";
+import { twoFactorClient } from "./two-factor/client.mjs";
+import { twoFactor } from "./two-factor/index.mjs";
+import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
+import { UsernameOptions, username } from "./username/index.mjs";
+import { DefaultOrganizationPlugin, DynamicAccessControlEndpoints, OrganizationCreator, OrganizationEndpoints, OrganizationPlugin, TeamEndpoints, organization, parseRoles } from "./organization/organization.mjs";
+import "./organization/index.mjs";
+export { API_KEY_ERROR_CODES, API_KEY_TABLE_NAME, AccessControl, AdminOptions, ApiKey, ApiKeyOptions, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, apiKey, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultKeyHasher, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, slack, teamMemberSchema, teamSchema, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };

package/dist/plugins/index.mjs

@@ -0,0 +1,48 @@
+import { HIDE_METADATA } from "../utils/hide-metadata.mjs";
+import { createAccessControl, role } from "./access/access.mjs";
+import "./access/index.mjs";
+import { API_KEY_ERROR_CODES } from "./api-key/error-codes.mjs";
+import { MULTI_SESSION_ERROR_CODES } from "./multi-session/error-codes.mjs";
+import { TWO_FACTOR_ERROR_CODES } from "./two-factor/error-code.mjs";
+import { twoFactorClient } from "./two-factor/client.mjs";
+import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
+import { admin } from "./admin/admin.mjs";
+import "./admin/index.mjs";
+import { API_KEY_TABLE_NAME, apiKey, defaultKeyHasher } from "./api-key/index.mjs";
+import { bearer } from "./bearer/index.mjs";
+import { captcha } from "./captcha/index.mjs";
+import { customSession } from "./custom-session/index.mjs";
+import { deviceAuthorization, deviceAuthorizationOptionsSchema } from "./device-authorization/index.mjs";
+import { emailOTP } from "./email-otp/index.mjs";
+import { auth0 } from "./generic-oauth/providers/auth0.mjs";
+import { gumroad } from "./generic-oauth/providers/gumroad.mjs";
+import { hubspot } from "./generic-oauth/providers/hubspot.mjs";
+import { keycloak } from "./generic-oauth/providers/keycloak.mjs";
+import { line } from "./generic-oauth/providers/line.mjs";
+import { microsoftEntraId } from "./generic-oauth/providers/microsoft-entra-id.mjs";
+import { okta } from "./generic-oauth/providers/okta.mjs";
+import { patreon } from "./generic-oauth/providers/patreon.mjs";
+import { slack } from "./generic-oauth/providers/slack.mjs";
+import { genericOAuth } from "./generic-oauth/index.mjs";
+import { haveIBeenPwned } from "./haveibeenpwned/index.mjs";
+import { createJwk, generateExportedKeyPair, toExpJWT } from "./jwt/utils.mjs";
+import { getJwtToken, signJWT } from "./jwt/sign.mjs";
+import { verifyJWT } from "./jwt/verify.mjs";
+import { jwt } from "./jwt/index.mjs";
+import { lastLoginMethod } from "./last-login-method/index.mjs";
+import { magicLink } from "./magic-link/index.mjs";
+import { getClient, getMetadata, oidcProvider } from "./oidc-provider/index.mjs";
+import { getMCPProtectedResourceMetadata, getMCPProviderMetadata, mcp, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, withMcpAuth } from "./mcp/index.mjs";
+import { multiSession } from "./multi-session/index.mjs";
+import { oAuthProxy } from "./oauth-proxy/index.mjs";
+import { oneTap } from "./one-tap/index.mjs";
+import { oneTimeToken } from "./one-time-token/index.mjs";
+import { openAPI } from "./open-api/index.mjs";
+import { getOrgAdapter } from "./organization/adapter.mjs";
+import { organization, parseRoles } from "./organization/organization.mjs";
+import "./organization/index.mjs";
+import { phoneNumber } from "./phone-number/index.mjs";
+import { twoFactor } from "./two-factor/index.mjs";
+import { username } from "./username/index.mjs";
+
+export { API_KEY_ERROR_CODES, API_KEY_TABLE_NAME, MULTI_SESSION_ERROR_CODES as ERROR_CODES, HIDE_METADATA, TWO_FACTOR_ERROR_CODES, USERNAME_ERROR_CODES, admin, apiKey, auth0, bearer, captcha, createAccessControl, createJwk, customSession, defaultKeyHasher, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateExportedKeyPair, genericOAuth, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, haveIBeenPwned, hubspot, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, microsoftEntraId, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, parseRoles, patreon, phoneNumber, role, signJWT, slack, toExpJWT, twoFactor, twoFactorClient, username, verifyJWT, withMcpAuth };

package/dist/plugins/jwt/adapter.mjs

@@ -0,0 +1,27 @@
+//#region src/plugins/jwt/adapter.ts
+const getJwksAdapter = (adapter, options) => {
+	return {
+		getAllKeys: async (ctx) => {
+			if (options?.adapter?.getJwks) return await options.adapter.getJwks(ctx);
+			return await adapter.findMany({ model: "jwks" });
+		},
+		getLatestKey: async (ctx) => {
+			if (options?.adapter?.getJwks) return (await options.adapter.getJwks(ctx))?.sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime())[0];
+			return (await adapter.findMany({ model: "jwks" }))?.sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime())[0];
+		},
+		createJwk: async (ctx, webKey) => {
+			if (options?.adapter?.createJwk) return await options.adapter.createJwk(webKey, ctx);
+			return await adapter.create({
+				model: "jwks",
+				data: {
+					...webKey,
+					createdAt: /* @__PURE__ */ new Date()
+				}
+			});
+		}
+	};
+};
+
+//#endregion
+export { getJwksAdapter };
+//# sourceMappingURL=adapter.mjs.map

package/dist/plugins/jwt/adapter.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.mjs","names":[],"sources":["../../../src/plugins/jwt/adapter.ts"],"sourcesContent":["import type {\n\tBetterAuthOptions,\n\tGenericEndpointContext,\n} from \"@better-auth/core\";\nimport type { DBAdapter } from \"@better-auth/core/db/adapter\";\nimport type { Jwk, JwtOptions } from \"./types\";\n\nexport const getJwksAdapter = (\n\tadapter: DBAdapter<BetterAuthOptions>,\n\toptions?: JwtOptions,\n) => {\n\treturn {\n\t\tgetAllKeys: async (ctx: GenericEndpointContext) => {\n\t\t\tif (options?.adapter?.getJwks) {\n\t\t\t\treturn await options.adapter.getJwks(ctx);\n\t\t\t}\n\t\t\treturn await adapter.findMany<Jwk>({\n\t\t\t\tmodel: \"jwks\",\n\t\t\t});\n\t\t},\n\t\tgetLatestKey: async (ctx: GenericEndpointContext) => {\n\t\t\tif (options?.adapter?.getJwks) {\n\t\t\t\tconst keys = await options.adapter.getJwks(ctx);\n\t\t\t\treturn keys?.sort(\n\t\t\t\t\t(a, b) => b.createdAt.getTime() - a.createdAt.getTime(),\n\t\t\t\t)[0];\n\t\t\t}\n\t\t\tconst keys = await adapter.findMany<Jwk>({\n\t\t\t\tmodel: \"jwks\",\n\t\t\t});\n\t\t\treturn keys?.sort(\n\t\t\t\t(a, b) => b.createdAt.getTime() - a.createdAt.getTime(),\n\t\t\t)[0];\n\t\t},\n\t\tcreateJwk: async (ctx: GenericEndpointContext, webKey: Omit<Jwk, \"id\">) => {\n\t\t\tif (options?.adapter?.createJwk) {\n\t\t\t\treturn await options.adapter.createJwk(webKey, ctx);\n\t\t\t}\n\t\t\tconst jwk = await adapter.create<Omit<Jwk, \"id\">, Jwk>({\n\t\t\t\tmodel: \"jwks\",\n\t\t\t\tdata: {\n\t\t\t\t\t...webKey,\n\t\t\t\t\tcreatedAt: new Date(),\n\t\t\t\t},\n\t\t\t});\n\n\t\t\treturn jwk;\n\t\t},\n\t};\n};\n"],"mappings":";AAOA,MAAa,kBACZ,SACA,YACI;AACJ,QAAO;EACN,YAAY,OAAO,QAAgC;AAClD,OAAI,SAAS,SAAS,QACrB,QAAO,MAAM,QAAQ,QAAQ,QAAQ,IAAI;AAE1C,UAAO,MAAM,QAAQ,SAAc,EAClC,OAAO,QACP,CAAC;;EAEH,cAAc,OAAO,QAAgC;AACpD,OAAI,SAAS,SAAS,QAErB,SADa,MAAM,QAAQ,QAAQ,QAAQ,IAAI,GAClC,MACX,GAAG,MAAM,EAAE,UAAU,SAAS,GAAG,EAAE,UAAU,SAAS,CACvD,CAAC;AAKH,WAHa,MAAM,QAAQ,SAAc,EACxC,OAAO,QACP,CAAC,GACW,MACX,GAAG,MAAM,EAAE,UAAU,SAAS,GAAG,EAAE,UAAU,SAAS,CACvD,CAAC;;EAEH,WAAW,OAAO,KAA6B,WAA4B;AAC1E,OAAI,SAAS,SAAS,UACrB,QAAO,MAAM,QAAQ,QAAQ,UAAU,QAAQ,IAAI;AAUpD,UARY,MAAM,QAAQ,OAA6B;IACtD,OAAO;IACP,MAAM;KACL,GAAG;KACH,2BAAW,IAAI,MAAM;KACrB;IACD,CAAC;;EAIH"}

package/dist/plugins/jwt/client.d.mts

@@ -0,0 +1,40 @@
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "./types.mjs";
+import { jwt } from "./index.mjs";
+import { JSONWebKeySet } from "jose";
+import * as _better_fetch_fetch0 from "@better-fetch/fetch";
+
+//#region src/plugins/jwt/client.d.ts
+interface JwtClientOptions {
+  jwks?: {
+    /**
+     * The path of the endpoint exposing the JWKS.
+     * Must match the server configuration.
+     *
+     * @default /jwks
+     */
+    jwksPath?: string;
+  };
+}
+declare const jwtClient: (options?: JwtClientOptions) => {
+  id: "better-auth-client";
+  $InferServerPlugin: ReturnType<typeof jwt>;
+  pathMethods: {
+    [x: string]: "GET";
+  };
+  getActions: ($fetch: _better_fetch_fetch0.BetterFetch) => {
+    jwks: (fetchOptions?: any) => Promise<{
+      data: null;
+      error: {
+        message?: string | undefined;
+        status: number;
+        statusText: string;
+      };
+    } | {
+      data: JSONWebKeySet;
+      error: null;
+    }>;
+  };
+};
+//#endregion
+export { jwtClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/plugins/jwt/client.mjs

@@ -0,0 +1,19 @@
+//#region src/plugins/jwt/client.ts
+const jwtClient = (options) => {
+	const jwksPath = options?.jwks?.jwksPath ?? "/jwks";
+	return {
+		id: "better-auth-client",
+		$InferServerPlugin: {},
+		pathMethods: { [jwksPath]: "GET" },
+		getActions: ($fetch) => ({ jwks: async (fetchOptions) => {
+			return await $fetch(jwksPath, {
+				method: "GET",
+				...fetchOptions
+			});
+		} })
+	};
+};
+
+//#endregion
+export { jwtClient };
+//# sourceMappingURL=client.mjs.map

package/dist/plugins/jwt/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../../../src/plugins/jwt/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"@better-auth/core\";\nimport type { JSONWebKeySet } from \"jose\";\nimport type { jwt } from \"./index\";\n\ninterface JwtClientOptions {\n\tjwks?: {\n\t\t/**\n\t\t * The path of the endpoint exposing the JWKS.\n\t\t * Must match the server configuration.\n\t\t *\n\t\t * @default /jwks\n\t\t */\n\t\tjwksPath?: string;\n\t};\n}\n\nexport const jwtClient = (options?: JwtClientOptions) => {\n\tconst jwksPath = options?.jwks?.jwksPath ?? \"/jwks\";\n\n\treturn {\n\t\tid: \"better-auth-client\",\n\t\t$InferServerPlugin: {} as ReturnType<typeof jwt>,\n\t\tpathMethods: {\n\t\t\t[jwksPath]: \"GET\",\n\t\t},\n\t\tgetActions: ($fetch) => ({\n\t\t\tjwks: async (fetchOptions?: any) => {\n\t\t\t\treturn await $fetch<JSONWebKeySet>(jwksPath, {\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\t...fetchOptions,\n\t\t\t\t});\n\t\t\t},\n\t\t}),\n\t} satisfies BetterAuthClientPlugin;\n};\n\nexport type * from \"./types\";\n"],"mappings":";AAgBA,MAAa,aAAa,YAA+B;CACxD,MAAM,WAAW,SAAS,MAAM,YAAY;AAE5C,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EACtB,aAAa,GACX,WAAW,OACZ;EACD,aAAa,YAAY,EACxB,MAAM,OAAO,iBAAuB;AACnC,UAAO,MAAM,OAAsB,UAAU;IAC5C,QAAQ;IACR,GAAG;IACH,CAAC;KAEH;EACD"}

package/dist/plugins/jwt/index.d.mts

@@ -0,0 +1,224 @@
+import { JWKOptions, JWSAlgorithms, Jwk, JwtOptions } from "./types.mjs";
+import { getJwtToken, signJWT } from "./sign.mjs";
+import { createJwk, generateExportedKeyPair, toExpJWT } from "./utils.mjs";
+import { verifyJWT } from "./verify.mjs";
+import * as _better_auth_core0 from "@better-auth/core";
+import * as better_call0 from "better-call";
+import * as z from "zod";
+import { JSONWebKeySet, JWTPayload } from "jose";
+
+//#region src/plugins/jwt/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    jwt: {
+      creator: typeof jwt;
+    };
+  }
+}
+declare const jwt: <O extends JwtOptions>(options?: O) => {
+  id: "jwt";
+  options: NoInfer<O>;
+  endpoints: {
+    getJwks: better_call0.StrictEndpoint<string, {
+      method: "GET";
+      metadata: {
+        openapi: {
+          operationId: string;
+          description: string;
+          responses: {
+            "200": {
+              description: string;
+              content: {
+                "application/json": {
+                  schema: {
+                    type: "object";
+                    properties: {
+                      keys: {
+                        type: string;
+                        description: string;
+                        items: {
+                          type: string;
+                          properties: {
+                            kid: {
+                              type: string;
+                              description: string;
+                            };
+                            kty: {
+                              type: string;
+                              description: string;
+                            };
+                            alg: {
+                              type: string;
+                              description: string;
+                            };
+                            use: {
+                              type: string;
+                              description: string;
+                              enum: string[];
+                              nullable: boolean;
+                            };
+                            n: {
+                              type: string;
+                              description: string;
+                              nullable: boolean;
+                            };
+                            e: {
+                              type: string;
+                              description: string;
+                              nullable: boolean;
+                            };
+                            crv: {
+                              type: string;
+                              description: string;
+                              nullable: boolean;
+                            };
+                            x: {
+                              type: string;
+                              description: string;
+                              nullable: boolean;
+                            };
+                            y: {
+                              type: string;
+                              description: string;
+                              nullable: boolean;
+                            };
+                          };
+                          required: string[];
+                        };
+                      };
+                    };
+                    required: string[];
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    }, JSONWebKeySet>;
+    getToken: better_call0.StrictEndpoint<"/token", {
+      method: "GET";
+      requireHeaders: true;
+      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+        session: {
+          session: Record<string, any> & {
+            id: string;
+            createdAt: Date;
+            updatedAt: Date;
+            userId: string;
+            expiresAt: Date;
+            token: string;
+            ipAddress?: string | null | undefined;
+            userAgent?: string | null | undefined;
+          };
+          user: Record<string, any> & {
+            id: string;
+            createdAt: Date;
+            updatedAt: Date;
+            email: string;
+            emailVerified: boolean;
+            name: string;
+            image?: string | null | undefined;
+          };
+        };
+      }>)[];
+      metadata: {
+        openapi: {
+          operationId: string;
+          description: string;
+          responses: {
+            200: {
+              description: string;
+              content: {
+                "application/json": {
+                  schema: {
+                    type: "object";
+                    properties: {
+                      token: {
+                        type: string;
+                      };
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    }, {
+      token: string;
+    }>;
+    signJWT: better_call0.StrictEndpoint<string, {
+      method: "POST";
+      metadata: {
+        $Infer: {
+          body: {
+            payload: JWTPayload;
+            overrideOptions?: JwtOptions | undefined;
+          };
+        };
+      };
+      body: z.ZodObject<{
+        payload: z.ZodRecord<z.ZodString, z.ZodAny>;
+        overrideOptions: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+      }, z.core.$strip>;
+    }, {
+      token: string;
+    }>;
+    verifyJWT: better_call0.StrictEndpoint<string, {
+      method: "POST";
+      metadata: {
+        $Infer: {
+          body: {
+            token: string;
+            issuer?: string;
+          };
+          response: {
+            payload: {
+              sub: string;
+              aud: string;
+              [key: string]: any;
+            } | null;
+          };
+        };
+      };
+      body: z.ZodObject<{
+        token: z.ZodString;
+        issuer: z.ZodOptional<z.ZodString>;
+      }, z.core.$strip>;
+    }, {
+      payload: (JWTPayload & Required<Pick<JWTPayload, "sub" | "aud">>) | null;
+    }>;
+  };
+  hooks: {
+    after: {
+      matcher(context: _better_auth_core0.HookEndpointContext): boolean;
+      handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>;
+    }[];
+  };
+  schema: {
+    jwks: {
+      fields: {
+        publicKey: {
+          type: "string";
+          required: true;
+        };
+        privateKey: {
+          type: "string";
+          required: true;
+        };
+        createdAt: {
+          type: "date";
+          required: true;
+        };
+        expiresAt: {
+          type: "date";
+          required: false;
+        };
+      };
+    };
+  };
+};
+//#endregion
+export { JWKOptions, JWSAlgorithms, Jwk, JwtOptions, createJwk, generateExportedKeyPair, getJwtToken, jwt, signJWT, toExpJWT, verifyJWT };
+//# sourceMappingURL=index.d.mts.map