@sirketio/auth 0.0.1

package/dist/plugins/two-factor/totp/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../../src/plugins/two-factor/totp/index.ts"],"sourcesContent":["import { createAuthEndpoint } from \"@better-auth/core/api\";\nimport { APIError, BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { createOTP } from \"@better-auth/utils/otp\";\nimport * as z from \"zod\";\nimport { sessionMiddleware } from \"../../../api\";\nimport { setSessionCookie } from \"../../../cookies\";\nimport { symmetricDecrypt } from \"../../../crypto\";\nimport type { BackupCodeOptions } from \"../backup-codes\";\nimport { TWO_FACTOR_ERROR_CODES } from \"../error-code\";\nimport type {\n\tTwoFactorProvider,\n\tTwoFactorTable,\n\tUserWithTwoFactor,\n} from \"../types\";\nimport { verifyTwoFactor } from \"../verify-two-factor\";\n\nexport type TOTPOptions = {\n\t/**\n\t * Issuer\n\t */\n\tissuer?: string | undefined;\n\t/**\n\t * How many digits the otp to be\n\t *\n\t * @default 6\n\t */\n\tdigits?: (6 | 8) | undefined;\n\t/**\n\t * Period for otp in seconds.\n\t * @default 30\n\t */\n\tperiod?: number | undefined;\n\t/**\n\t * Backup codes configuration\n\t */\n\tbackupCodes?: BackupCodeOptions | undefined;\n\t/**\n\t * Disable totp\n\t */\n\tdisable?: boolean | undefined;\n};\n\nconst generateTOTPBodySchema = z.object({\n\tsecret: z.string().meta({\n\t\tdescription: \"The secret to generate the TOTP code\",\n\t}),\n});\n\nconst getTOTPURIBodySchema = z.object({\n\tpassword: z.string().meta({\n\t\tdescription: \"User password\",\n\t}),\n});\n\nconst verifyTOTPBodySchema = z.object({\n\tcode: z.string().meta({\n\t\tdescription: 'The otp code to verify. Eg: \"012345\"',\n\t}),\n\t/**\n\t * if true, the device will be trusted\n\t * for 30 days. It'll be refreshed on\n\t * every sign in request within this time.\n\t */\n\ttrustDevice: z\n\t\t.boolean()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true\",\n\t\t})\n\t\t.optional(),\n});\n\nexport const totp2fa = (options?: TOTPOptions | undefined) => {\n\tconst opts = {\n\t\t...options,\n\t\tdigits: options?.digits || 6,\n\t\tperiod: options?.period || 30,\n\t};\n\n\tconst twoFactorTable = \"twoFactor\";\n\n\tconst generateTOTP = createAuthEndpoint(\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: generateTOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tsummary: \"Generate TOTP code\",\n\t\t\t\t\tdescription: \"Use this endpoint to generate a TOTP code\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tcode: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tif (options?.disable) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t\"totp isn't configured. please pass totp option on two factor plugin to enable totp\",\n\t\t\t\t);\n\t\t\t\tthrow APIError.from(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"totp isn't configured\",\n\t\t\t\t\tcode: \"TOTP_NOT_CONFIGURED\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst code = await createOTP(ctx.body.secret, {\n\t\t\t\tperiod: opts.period,\n\t\t\t\tdigits: opts.digits,\n\t\t\t}).totp();\n\t\t\treturn { code };\n\t\t},\n\t);\n\n\tconst getTOTPURI = createAuthEndpoint(\n\t\t\"/two-factor/get-totp-uri\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tbody: getTOTPURIBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tsummary: \"Get TOTP URI\",\n\t\t\t\t\tdescription: \"Use this endpoint to get the TOTP URI\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\ttotpURI: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tif (options?.disable) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t\"totp isn't configured. please pass totp option on two factor plugin to enable totp\",\n\t\t\t\t);\n\t\t\t\tthrow APIError.from(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"totp isn't configured\",\n\t\t\t\t\tcode: \"TOTP_NOT_CONFIGURED\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst user = ctx.context.session.user as UserWithTwoFactor;\n\t\t\tconst twoFactor = await ctx.context.adapter.findOne<TwoFactorTable>({\n\t\t\t\tmodel: twoFactorTable,\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\t\t\tif (!twoFactor) {\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\tTWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst secret = await symmetricDecrypt({\n\t\t\t\tkey: ctx.context.secret,\n\t\t\t\tdata: twoFactor.secret,\n\t\t\t});\n\t\t\tawait ctx.context.password.checkPassword(user.id, ctx);\n\t\t\tconst totpURI = createOTP(secret, {\n\t\t\t\tdigits: opts.digits,\n\t\t\t\tperiod: opts.period,\n\t\t\t}).url(options?.issuer || ctx.context.appName, user.email);\n\t\t\treturn {\n\t\t\t\ttotpURI,\n\t\t\t};\n\t\t},\n\t);\n\n\tconst verifyTOTP = createAuthEndpoint(\n\t\t\"/two-factor/verify-totp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: verifyTOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tsummary: \"Verify two factor TOTP\",\n\t\t\t\t\tdescription: \"Verify two factor TOTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tif (options?.disable) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t\"totp isn't configured. please pass totp option on two factor plugin to enable totp\",\n\t\t\t\t);\n\t\t\t\tthrow APIError.from(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"totp isn't configured\",\n\t\t\t\t\tcode: \"TOTP_NOT_CONFIGURED\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst { session, valid, invalid } = await verifyTwoFactor(ctx);\n\t\t\tconst user = session.user as UserWithTwoFactor;\n\t\t\tconst twoFactor = await ctx.context.adapter.findOne<TwoFactorTable>({\n\t\t\t\tmodel: twoFactorTable,\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t});\n\n\t\t\tif (!twoFactor) {\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\tTWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst decrypted = await symmetricDecrypt({\n\t\t\t\tkey: ctx.context.secret,\n\t\t\t\tdata: twoFactor.secret,\n\t\t\t});\n\t\t\tconst status = await createOTP(decrypted, {\n\t\t\t\tperiod: opts.period,\n\t\t\t\tdigits: opts.digits,\n\t\t\t}).verify(ctx.body.code);\n\t\t\tif (!status) {\n\t\t\t\treturn invalid(\"INVALID_CODE\");\n\t\t\t}\n\n\t\t\tif (!user.twoFactorEnabled) {\n\t\t\t\tif (!session.session) {\n\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\t\tBASE_ERROR_CODES.FAILED_TO_CREATE_SESSION,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\tuser.id,\n\t\t\t\t\t{\n\t\t\t\t\t\ttwoFactorEnabled: true,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tconst newSession = await ctx.context.internalAdapter\n\t\t\t\t\t.createSession(user.id, false, session.session)\n\t\t\t\t\t.catch((e) => {\n\t\t\t\t\t\tthrow e;\n\t\t\t\t\t});\n\n\t\t\t\tawait ctx.context.internalAdapter.deleteSession(session.session.token);\n\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\tsession: newSession,\n\t\t\t\t\tuser: updatedUser,\n\t\t\t\t});\n\t\t\t}\n\t\t\treturn valid(ctx);\n\t\t},\n\t);\n\n\treturn {\n\t\tid: \"totp\",\n\t\tendpoints: {\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/totp/generate`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.generateTOTP`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#totp)\n\t\t\t */\n\t\t\tgenerateTOTP: generateTOTP,\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/get-totp-uri`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.getTOTPURI`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.getTotpUri`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#getting-totp-uri)\n\t\t\t */\n\t\t\tgetTOTPURI: getTOTPURI,\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/verify-totp`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.verifyTOTP`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.verifyTotp`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#verifying-totp)\n\t\t\t */\n\t\t\tverifyTOTP,\n\t\t},\n\t} satisfies TwoFactorProvider;\n};\n"],"mappings":";;;;;;;;;;;;AA0CA,MAAM,yBAAyB,EAAE,OAAO,EACvC,QAAQ,EAAE,QAAQ,CAAC,KAAK,EACvB,aAAa,wCACb,CAAC,EACF,CAAC;AAEF,MAAM,uBAAuB,EAAE,OAAO,EACrC,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,iBACb,CAAC,EACF,CAAC;AAEF,MAAM,uBAAuB,EAAE,OAAO;CACrC,MAAM,EAAE,QAAQ,CAAC,KAAK,EACrB,aAAa,0CACb,CAAC;CAMF,aAAa,EACX,SAAS,CACT,KAAK,EACL,aACC,2HACD,CAAC,CACD,UAAU;CACZ,CAAC;AAEF,MAAa,WAAW,YAAsC;CAC7D,MAAM,OAAO;EACZ,GAAG;EACH,QAAQ,SAAS,UAAU;EAC3B,QAAQ,SAAS,UAAU;EAC3B;CAED,MAAM,iBAAiB;AAyNvB,QAAO;EACN,IAAI;EACJ,WAAW;GAaV,cAtOmB,mBACpB;IACC,QAAQ;IACR,MAAM;IACN,UAAU,EACT,SAAS;KACR,SAAS;KACT,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,MAAM,EACL,MAAM,UACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,QAAI,SAAS,SAAS;AACrB,SAAI,QAAQ,OAAO,MAClB,qFACA;AACD,WAAM,SAAS,KAAK,eAAe;MAClC,SAAS;MACT,MAAM;MACN,CAAC;;AAMH,WAAO,EAAE,MAJI,MAAM,UAAU,IAAI,KAAK,QAAQ;KAC7C,QAAQ,KAAK;KACb,QAAQ,KAAK;KACb,CAAC,CAAC,MAAM,EACM;KAEhB;GA0MC,YAxMiB,mBAClB,4BACA;IACC,QAAQ;IACR,KAAK,CAAC,kBAAkB;IACxB,MAAM;IACN,UAAU,EACT,SAAS;KACR,SAAS;KACT,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,SAAS,EACR,MAAM,UACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,QAAI,SAAS,SAAS;AACrB,SAAI,QAAQ,OAAO,MAClB,qFACA;AACD,WAAM,SAAS,KAAK,eAAe;MAClC,SAAS;MACT,MAAM;MACN,CAAC;;IAEH,MAAM,OAAO,IAAI,QAAQ,QAAQ;IACjC,MAAM,YAAY,MAAM,IAAI,QAAQ,QAAQ,QAAwB;KACnE,OAAO;KACP,OAAO,CACN;MACC,OAAO;MACP,OAAO,KAAK;MACZ,CACD;KACD,CAAC;AACF,QAAI,CAAC,UACJ,OAAM,SAAS,KACd,eACA,uBAAuB,iBACvB;IAEF,MAAM,SAAS,MAAM,iBAAiB;KACrC,KAAK,IAAI,QAAQ;KACjB,MAAM,UAAU;KAChB,CAAC;AACF,UAAM,IAAI,QAAQ,SAAS,cAAc,KAAK,IAAI,IAAI;AAKtD,WAAO,EACN,SALe,UAAU,QAAQ;KACjC,QAAQ,KAAK;KACb,QAAQ,KAAK;KACb,CAAC,CAAC,IAAI,SAAS,UAAU,IAAI,QAAQ,SAAS,KAAK,MAAM,EAGzD;KAEF;GAmJC,YAjJiB,mBAClB,2BACA;IACC,QAAQ;IACR,MAAM;IACN,UAAU,EACT,SAAS;KACR,SAAS;KACT,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,QAAI,SAAS,SAAS;AACrB,SAAI,QAAQ,OAAO,MAClB,qFACA;AACD,WAAM,SAAS,KAAK,eAAe;MAClC,SAAS;MACT,MAAM;MACN,CAAC;;IAEH,MAAM,EAAE,SAAS,OAAO,YAAY,MAAM,gBAAgB,IAAI;IAC9D,MAAM,OAAO,QAAQ;IACrB,MAAM,YAAY,MAAM,IAAI,QAAQ,QAAQ,QAAwB;KACnE,OAAO;KACP,OAAO,CACN;MACC,OAAO;MACP,OAAO,KAAK;MACZ,CACD;KACD,CAAC;AAEF,QAAI,CAAC,UACJ,OAAM,SAAS,KACd,eACA,uBAAuB,iBACvB;AAUF,QAAI,CAJW,MAAM,UAJH,MAAM,iBAAiB;KACxC,KAAK,IAAI,QAAQ;KACjB,MAAM,UAAU;KAChB,CAAC,EACwC;KACzC,QAAQ,KAAK;KACb,QAAQ,KAAK;KACb,CAAC,CAAC,OAAO,IAAI,KAAK,KAAK,CAEvB,QAAO,QAAQ,eAAe;AAG/B,QAAI,CAAC,KAAK,kBAAkB;AAC3B,SAAI,CAAC,QAAQ,QACZ,OAAM,SAAS,KACd,eACA,iBAAiB,yBACjB;KAEF,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,IACL,EACC,kBAAkB,MAClB,CACD;KACD,MAAM,aAAa,MAAM,IAAI,QAAQ,gBACnC,cAAc,KAAK,IAAI,OAAO,QAAQ,QAAQ,CAC9C,OAAO,MAAM;AACb,YAAM;OACL;AAEH,WAAM,IAAI,QAAQ,gBAAgB,cAAc,QAAQ,QAAQ,MAAM;AACtE,WAAM,iBAAiB,KAAK;MAC3B,SAAS;MACT,MAAM;MACN,CAAC;;AAEH,WAAO,MAAM,IAAI;KAElB;GAkDC;EACD"}

package/dist/plugins/two-factor/types.d.mts

@@ -0,0 +1,73 @@
+import { User } from "../../types/models.mjs";
+import { InferOptionSchema } from "../../types/plugins.mjs";
+import "../../types/index.mjs";
+import { BackupCodeOptions } from "./backup-codes/index.mjs";
+import { OTPOptions } from "./otp/index.mjs";
+import { schema } from "./schema.mjs";
+import { TOTPOptions } from "./totp/index.mjs";
+import { BetterAuthPlugin, LiteralString } from "@better-auth/core";
+
+//#region src/plugins/two-factor/types.d.ts
+interface TwoFactorOptions {
+  /**
+   * Application Name
+   */
+  issuer?: string | undefined;
+  /**
+   * TOTP OPtions
+   */
+  totpOptions?: Omit<TOTPOptions, "issuer"> | undefined;
+  /**
+   * OTP Options
+   */
+  otpOptions?: OTPOptions | undefined;
+  /**
+   * Backup code options
+   */
+  backupCodeOptions?: BackupCodeOptions | undefined;
+  /**
+   * Skip verification on enabling two factor authentication.
+   * @default false
+   */
+  skipVerificationOnEnable?: boolean | undefined;
+  /**
+   * Custom schema for the two factor plugin
+   */
+  schema?: InferOptionSchema<typeof schema> | undefined;
+  /**
+   * Maximum age (in seconds) for the two-factor verification cookie.
+   * This controls how long users have to complete the 2FA flow
+   * after signing in.
+   *
+   * @default 600 (10 minutes)
+   */
+  twoFactorCookieMaxAge?: number | undefined;
+  /**
+   * Maximum age (in seconds) for the trusted device cookie.
+   * When a user opts to trust a device, this controls how long
+   * the device stays trusted before requiring 2FA again.
+   *
+   * @default 2592000 (30 days)
+   */
+  trustDeviceMaxAge?: number | undefined;
+}
+interface UserWithTwoFactor extends User {
+  /**
+   * If the user has enabled two factor authentication.
+   */
+  twoFactorEnabled: boolean;
+}
+interface TwoFactorProvider {
+  id: LiteralString;
+  endpoints?: BetterAuthPlugin["endpoints"] | undefined;
+}
+interface TwoFactorTable {
+  id: string;
+  userId: string;
+  secret: string;
+  backupCodes: string;
+  enabled: boolean;
+}
+//#endregion
+export { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor };
+//# sourceMappingURL=types.d.mts.map

package/dist/plugins/two-factor/utils.mjs

@@ -0,0 +1,12 @@
+import { base64Url } from "@better-auth/utils/base64";
+import { createHash } from "@better-auth/utils/hash";
+
+//#region src/plugins/two-factor/utils.ts
+const defaultKeyHasher = async (token) => {
+	const hash = await createHash("SHA-256").digest(new TextEncoder().encode(token));
+	return base64Url.encode(new Uint8Array(hash), { padding: false });
+};
+
+//#endregion
+export { defaultKeyHasher };
+//# sourceMappingURL=utils.mjs.map

package/dist/plugins/two-factor/utils.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.mjs","names":[],"sources":["../../../src/plugins/two-factor/utils.ts"],"sourcesContent":["import { base64Url } from \"@better-auth/utils/base64\";\nimport { createHash } from \"@better-auth/utils/hash\";\n\nexport const defaultKeyHasher = async (token: string) => {\n\tconst hash = await createHash(\"SHA-256\").digest(\n\t\tnew TextEncoder().encode(token),\n\t);\n\tconst hashed = base64Url.encode(new Uint8Array(hash), {\n\t\tpadding: false,\n\t});\n\treturn hashed;\n};\n"],"mappings":";;;;AAGA,MAAa,mBAAmB,OAAO,UAAkB;CACxD,MAAM,OAAO,MAAM,WAAW,UAAU,CAAC,OACxC,IAAI,aAAa,CAAC,OAAO,MAAM,CAC/B;AAID,QAHe,UAAU,OAAO,IAAI,WAAW,KAAK,EAAE,EACrD,SAAS,OACT,CAAC"}

package/dist/plugins/two-factor/verify-two-factor.mjs

@@ -0,0 +1,85 @@
+import { parseUserOutput } from "../../db/schema.mjs";
+import { generateRandomString } from "../../crypto/random.mjs";
+import { expireCookie, setSessionCookie } from "../../cookies/index.mjs";
+import { getSessionFromCtx } from "../../api/routes/session.mjs";
+import "../../api/index.mjs";
+import { TWO_FACTOR_ERROR_CODES } from "./error-code.mjs";
+import { TRUST_DEVICE_COOKIE_MAX_AGE, TRUST_DEVICE_COOKIE_NAME, TWO_FACTOR_COOKIE_NAME } from "./constant.mjs";
+import { APIError } from "@better-auth/core/error";
+import { createHMAC } from "@better-auth/utils/hmac";
+
+//#region src/plugins/two-factor/verify-two-factor.ts
+async function verifyTwoFactor(ctx) {
+	const invalid = (errorKey) => {
+		throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES[errorKey]);
+	};
+	const session = await getSessionFromCtx(ctx);
+	if (!session) {
+		const twoFactorCookie = ctx.context.createAuthCookie(TWO_FACTOR_COOKIE_NAME);
+		const signedTwoFactorCookie = await ctx.getSignedCookie(twoFactorCookie.name, ctx.context.secret);
+		if (!signedTwoFactorCookie) throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_TWO_FACTOR_COOKIE);
+		const verificationToken = await ctx.context.internalAdapter.findVerificationValue(signedTwoFactorCookie);
+		if (!verificationToken) throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_TWO_FACTOR_COOKIE);
+		const user = await ctx.context.internalAdapter.findUserById(verificationToken.value);
+		if (!user) throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_TWO_FACTOR_COOKIE);
+		const dontRememberMe = await ctx.getSignedCookie(ctx.context.authCookies.dontRememberToken.name, ctx.context.secret);
+		return {
+			valid: async (ctx) => {
+				const session = await ctx.context.internalAdapter.createSession(verificationToken.value, !!dontRememberMe);
+				if (!session) throw APIError.from("INTERNAL_SERVER_ERROR", {
+					message: "failed to create session",
+					code: "FAILED_TO_CREATE_SESSION"
+				});
+				await ctx.context.internalAdapter.deleteVerificationValue(verificationToken.id);
+				await setSessionCookie(ctx, {
+					session,
+					user
+				});
+				expireCookie(ctx, twoFactorCookie);
+				if (ctx.body.trustDevice) {
+					const maxAge = ctx.context.getPlugin("two-factor").options.trustDeviceMaxAge ?? TRUST_DEVICE_COOKIE_MAX_AGE;
+					const trustDeviceCookie = ctx.context.createAuthCookie(TRUST_DEVICE_COOKIE_NAME, { maxAge });
+					/**
+					* Create a random identifier for the trust device record.
+					* Store it in the verification table with an expiration
+					* so the server can validate and revoke it.
+					*/
+					const trustIdentifier = `trust-device-${generateRandomString(32)}`;
+					const token = await createHMAC("SHA-256", "base64urlnopad").sign(ctx.context.secret, `${user.id}!${trustIdentifier}`);
+					await ctx.context.internalAdapter.createVerificationValue({
+						value: user.id,
+						identifier: trustIdentifier,
+						expiresAt: new Date(Date.now() + maxAge * 1e3)
+					});
+					await ctx.setSignedCookie(trustDeviceCookie.name, `${token}!${trustIdentifier}`, ctx.context.secret, trustDeviceCookie.attributes);
+					expireCookie(ctx, ctx.context.authCookies.dontRememberToken);
+				}
+				return ctx.json({
+					token: session.token,
+					user: parseUserOutput(ctx.context.options, user)
+				});
+			},
+			invalid,
+			session: {
+				session: null,
+				user
+			},
+			key: signedTwoFactorCookie
+		};
+	}
+	return {
+		valid: async (ctx) => {
+			return ctx.json({
+				token: session.session.token,
+				user: parseUserOutput(ctx.context.options, session.user)
+			});
+		},
+		invalid,
+		session,
+		key: `${session.user.id}!${session.session.id}`
+	};
+}
+
+//#endregion
+export { verifyTwoFactor };
+//# sourceMappingURL=verify-two-factor.mjs.map

package/dist/plugins/two-factor/verify-two-factor.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-two-factor.mjs","names":[],"sources":["../../../src/plugins/two-factor/verify-two-factor.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"@better-auth/core/error\";\nimport { createHMAC } from \"@better-auth/utils/hmac\";\nimport { getSessionFromCtx } from \"../../api\";\nimport { expireCookie, setSessionCookie } from \"../../cookies\";\nimport { generateRandomString } from \"../../crypto/random\";\nimport { parseUserOutput } from \"../../db/schema\";\nimport {\n\tTRUST_DEVICE_COOKIE_MAX_AGE,\n\tTRUST_DEVICE_COOKIE_NAME,\n\tTWO_FACTOR_COOKIE_NAME,\n} from \"./constant\";\nimport { TWO_FACTOR_ERROR_CODES } from \"./error-code\";\nimport type { UserWithTwoFactor } from \"./types\";\n\nexport async function verifyTwoFactor(ctx: GenericEndpointContext) {\n\tconst invalid = (errorKey: keyof typeof TWO_FACTOR_ERROR_CODES) => {\n\t\tthrow APIError.from(\"UNAUTHORIZED\", TWO_FACTOR_ERROR_CODES[errorKey]);\n\t};\n\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) {\n\t\tconst twoFactorCookie = ctx.context.createAuthCookie(\n\t\t\tTWO_FACTOR_COOKIE_NAME,\n\t\t);\n\t\tconst signedTwoFactorCookie = await ctx.getSignedCookie(\n\t\t\ttwoFactorCookie.name,\n\t\t\tctx.context.secret,\n\t\t);\n\t\tif (!signedTwoFactorCookie) {\n\t\t\tthrow APIError.from(\n\t\t\t\t\"UNAUTHORIZED\",\n\t\t\t\tTWO_FACTOR_ERROR_CODES.INVALID_TWO_FACTOR_COOKIE,\n\t\t\t);\n\t\t}\n\t\tconst verificationToken =\n\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\tsignedTwoFactorCookie,\n\t\t\t);\n\t\tif (!verificationToken) {\n\t\t\tthrow APIError.from(\n\t\t\t\t\"UNAUTHORIZED\",\n\t\t\t\tTWO_FACTOR_ERROR_CODES.INVALID_TWO_FACTOR_COOKIE,\n\t\t\t);\n\t\t}\n\t\tconst user = (await ctx.context.internalAdapter.findUserById(\n\t\t\tverificationToken.value,\n\t\t)) as UserWithTwoFactor;\n\t\tif (!user) {\n\t\t\tthrow APIError.from(\n\t\t\t\t\"UNAUTHORIZED\",\n\t\t\t\tTWO_FACTOR_ERROR_CODES.INVALID_TWO_FACTOR_COOKIE,\n\t\t\t);\n\t\t}\n\t\tconst dontRememberMe = await ctx.getSignedCookie(\n\t\t\tctx.context.authCookies.dontRememberToken.name,\n\t\t\tctx.context.secret,\n\t\t);\n\t\treturn {\n\t\t\tvalid: async (ctx: GenericEndpointContext) => {\n\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\tverificationToken.value,\n\t\t\t\t\t!!dontRememberMe,\n\t\t\t\t);\n\t\t\t\tif (!session) {\n\t\t\t\t\tthrow APIError.from(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\t\t\tmessage: \"failed to create session\",\n\t\t\t\t\t\tcode: \"FAILED_TO_CREATE_SESSION\",\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t\t// Delete the verification token from the database after successful verification\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationToken.id,\n\t\t\t\t);\n\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\tsession,\n\t\t\t\t\tuser,\n\t\t\t\t});\n\t\t\t\t// Always clear the two factor cookie after successful verification\n\t\t\t\texpireCookie(ctx, twoFactorCookie);\n\t\t\t\tif (ctx.body.trustDevice) {\n\t\t\t\t\tconst plugin = ctx.context.getPlugin(\"two-factor\");\n\t\t\t\t\tconst trustDeviceMaxAge = plugin!.options.trustDeviceMaxAge;\n\t\t\t\t\tconst maxAge = trustDeviceMaxAge ?? TRUST_DEVICE_COOKIE_MAX_AGE;\n\t\t\t\t\tconst trustDeviceCookie = ctx.context.createAuthCookie(\n\t\t\t\t\t\tTRUST_DEVICE_COOKIE_NAME,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tmaxAge,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\t/**\n\t\t\t\t\t * Create a random identifier for the trust device record.\n\t\t\t\t\t * Store it in the verification table with an expiration\n\t\t\t\t\t * so the server can validate and revoke it.\n\t\t\t\t\t */\n\t\t\t\t\tconst trustIdentifier = `trust-device-${generateRandomString(32)}`;\n\t\t\t\t\tconst token = await createHMAC(\"SHA-256\", \"base64urlnopad\").sign(\n\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t`${user.id}!${trustIdentifier}`,\n\t\t\t\t\t);\n\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\tidentifier: trustIdentifier,\n\t\t\t\t\t\texpiresAt: new Date(Date.now() + maxAge * 1000),\n\t\t\t\t\t});\n\t\t\t\t\tawait ctx.setSignedCookie(\n\t\t\t\t\t\ttrustDeviceCookie.name,\n\t\t\t\t\t\t`${token}!${trustIdentifier}`,\n\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\ttrustDeviceCookie.attributes,\n\t\t\t\t\t);\n\t\t\t\t\t// delete the dont remember me cookie\n\t\t\t\t\texpireCookie(ctx, ctx.context.authCookies.dontRememberToken);\n\t\t\t\t}\n\t\t\t\treturn ctx.json({\n\t\t\t\t\ttoken: session.token,\n\t\t\t\t\tuser: parseUserOutput(ctx.context.options, user),\n\t\t\t\t});\n\t\t\t},\n\t\t\tinvalid,\n\t\t\tsession: {\n\t\t\t\tsession: null,\n\t\t\t\tuser,\n\t\t\t},\n\t\t\tkey: signedTwoFactorCookie,\n\t\t};\n\t}\n\treturn {\n\t\tvalid: async (ctx: GenericEndpointContext) => {\n\t\t\treturn ctx.json({\n\t\t\t\ttoken: session.session.token,\n\t\t\t\tuser: parseUserOutput(ctx.context.options, session.user),\n\t\t\t});\n\t\t},\n\t\tinvalid,\n\t\tsession,\n\t\tkey: `${session.user.id}!${session.session.id}`,\n\t};\n}\n"],"mappings":";;;;;;;;;;;AAeA,eAAsB,gBAAgB,KAA6B;CAClE,MAAM,WAAW,aAAkD;AAClE,QAAM,SAAS,KAAK,gBAAgB,uBAAuB,UAAU;;CAGtE,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,SAAS;EACb,MAAM,kBAAkB,IAAI,QAAQ,iBACnC,uBACA;EACD,MAAM,wBAAwB,MAAM,IAAI,gBACvC,gBAAgB,MAChB,IAAI,QAAQ,OACZ;AACD,MAAI,CAAC,sBACJ,OAAM,SAAS,KACd,gBACA,uBAAuB,0BACvB;EAEF,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,sBACA;AACF,MAAI,CAAC,kBACJ,OAAM,SAAS,KACd,gBACA,uBAAuB,0BACvB;EAEF,MAAM,OAAQ,MAAM,IAAI,QAAQ,gBAAgB,aAC/C,kBAAkB,MAClB;AACD,MAAI,CAAC,KACJ,OAAM,SAAS,KACd,gBACA,uBAAuB,0BACvB;EAEF,MAAM,iBAAiB,MAAM,IAAI,gBAChC,IAAI,QAAQ,YAAY,kBAAkB,MAC1C,IAAI,QAAQ,OACZ;AACD,SAAO;GACN,OAAO,OAAO,QAAgC;IAC7C,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,kBAAkB,OAClB,CAAC,CAAC,eACF;AACD,QAAI,CAAC,QACJ,OAAM,SAAS,KAAK,yBAAyB;KAC5C,SAAS;KACT,MAAM;KACN,CAAC;AAGH,UAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,UAAM,iBAAiB,KAAK;KAC3B;KACA;KACA,CAAC;AAEF,iBAAa,KAAK,gBAAgB;AAClC,QAAI,IAAI,KAAK,aAAa;KAGzB,MAAM,SAFS,IAAI,QAAQ,UAAU,aAAa,CAChB,QAAQ,qBACN;KACpC,MAAM,oBAAoB,IAAI,QAAQ,iBACrC,0BACA,EACC,QACA,CACD;;;;;;KAMD,MAAM,kBAAkB,gBAAgB,qBAAqB,GAAG;KAChE,MAAM,QAAQ,MAAM,WAAW,WAAW,iBAAiB,CAAC,KAC3D,IAAI,QAAQ,QACZ,GAAG,KAAK,GAAG,GAAG,kBACd;AACD,WAAM,IAAI,QAAQ,gBAAgB,wBAAwB;MACzD,OAAO,KAAK;MACZ,YAAY;MACZ,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,SAAS,IAAK;MAC/C,CAAC;AACF,WAAM,IAAI,gBACT,kBAAkB,MAClB,GAAG,MAAM,GAAG,mBACZ,IAAI,QAAQ,QACZ,kBAAkB,WAClB;AAED,kBAAa,KAAK,IAAI,QAAQ,YAAY,kBAAkB;;AAE7D,WAAO,IAAI,KAAK;KACf,OAAO,QAAQ;KACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,KAAK;KAChD,CAAC;;GAEH;GACA,SAAS;IACR,SAAS;IACT;IACA;GACD,KAAK;GACL;;AAEF,QAAO;EACN,OAAO,OAAO,QAAgC;AAC7C,UAAO,IAAI,KAAK;IACf,OAAO,QAAQ,QAAQ;IACvB,MAAM,gBAAgB,IAAI,QAAQ,SAAS,QAAQ,KAAK;IACxD,CAAC;;EAEH;EACA;EACA,KAAK,GAAG,QAAQ,KAAK,GAAG,GAAG,QAAQ,QAAQ;EAC3C"}

package/dist/plugins/username/client.d.mts

@@ -0,0 +1,26 @@
+import { USERNAME_ERROR_CODES } from "./error-codes.mjs";
+import { username } from "./index.mjs";
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+
+//#region src/plugins/username/client.d.ts
+declare const usernameClient: () => {
+  id: "username";
+  $InferServerPlugin: ReturnType<typeof username>;
+  atomListeners: {
+    matcher: (path: string) => path is "/sign-in/username";
+    signal: "$sessionSignal";
+  }[];
+  $ERROR_CODES: {
+    EMAIL_NOT_VERIFIED: _better_auth_core_utils_error_codes0.RawError<"EMAIL_NOT_VERIFIED">;
+    INVALID_USERNAME_OR_PASSWORD: _better_auth_core_utils_error_codes0.RawError<"INVALID_USERNAME_OR_PASSWORD">;
+    UNEXPECTED_ERROR: _better_auth_core_utils_error_codes0.RawError<"UNEXPECTED_ERROR">;
+    USERNAME_IS_ALREADY_TAKEN: _better_auth_core_utils_error_codes0.RawError<"USERNAME_IS_ALREADY_TAKEN">;
+    USERNAME_TOO_SHORT: _better_auth_core_utils_error_codes0.RawError<"USERNAME_TOO_SHORT">;
+    USERNAME_TOO_LONG: _better_auth_core_utils_error_codes0.RawError<"USERNAME_TOO_LONG">;
+    INVALID_USERNAME: _better_auth_core_utils_error_codes0.RawError<"INVALID_USERNAME">;
+    INVALID_DISPLAY_USERNAME: _better_auth_core_utils_error_codes0.RawError<"INVALID_DISPLAY_USERNAME">;
+  };
+};
+//#endregion
+export { usernameClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/plugins/username/client.mjs

@@ -0,0 +1,18 @@
+import { USERNAME_ERROR_CODES } from "./error-codes.mjs";
+
+//#region src/plugins/username/client.ts
+const usernameClient = () => {
+	return {
+		id: "username",
+		$InferServerPlugin: {},
+		atomListeners: [{
+			matcher: (path) => path === "/sign-in/username",
+			signal: "$sessionSignal"
+		}],
+		$ERROR_CODES: USERNAME_ERROR_CODES
+	};
+};
+
+//#endregion
+export { usernameClient };
+//# sourceMappingURL=client.mjs.map

package/dist/plugins/username/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../../../src/plugins/username/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"@better-auth/core\";\nimport type { username } from \".\";\n\nimport { USERNAME_ERROR_CODES } from \"./error-codes\";\n\nexport * from \"./error-codes\";\n\nexport const usernameClient = () => {\n\treturn {\n\t\tid: \"username\",\n\t\t$InferServerPlugin: {} as ReturnType<typeof username>,\n\t\tatomListeners: [\n\t\t\t{\n\t\t\t\tmatcher: (path) => path === \"/sign-in/username\",\n\t\t\t\tsignal: \"$sessionSignal\",\n\t\t\t},\n\t\t],\n\t\t$ERROR_CODES: USERNAME_ERROR_CODES,\n\t} satisfies BetterAuthClientPlugin;\n};\n"],"mappings":";;;AAOA,MAAa,uBAAuB;AACnC,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EACtB,eAAe,CACd;GACC,UAAU,SAAS,SAAS;GAC5B,QAAQ;GACR,CACD;EACD,cAAc;EACd"}

package/dist/plugins/username/error-codes.d.mts

@@ -0,0 +1,16 @@
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+
+//#region src/plugins/username/error-codes.d.ts
+declare const USERNAME_ERROR_CODES: {
+  EMAIL_NOT_VERIFIED: _better_auth_core_utils_error_codes0.RawError<"EMAIL_NOT_VERIFIED">;
+  INVALID_USERNAME_OR_PASSWORD: _better_auth_core_utils_error_codes0.RawError<"INVALID_USERNAME_OR_PASSWORD">;
+  UNEXPECTED_ERROR: _better_auth_core_utils_error_codes0.RawError<"UNEXPECTED_ERROR">;
+  USERNAME_IS_ALREADY_TAKEN: _better_auth_core_utils_error_codes0.RawError<"USERNAME_IS_ALREADY_TAKEN">;
+  USERNAME_TOO_SHORT: _better_auth_core_utils_error_codes0.RawError<"USERNAME_TOO_SHORT">;
+  USERNAME_TOO_LONG: _better_auth_core_utils_error_codes0.RawError<"USERNAME_TOO_LONG">;
+  INVALID_USERNAME: _better_auth_core_utils_error_codes0.RawError<"INVALID_USERNAME">;
+  INVALID_DISPLAY_USERNAME: _better_auth_core_utils_error_codes0.RawError<"INVALID_DISPLAY_USERNAME">;
+};
+//#endregion
+export { USERNAME_ERROR_CODES };
+//# sourceMappingURL=error-codes.d.mts.map

package/dist/plugins/username/error-codes.mjs

@@ -0,0 +1,17 @@
+import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+
+//#region src/plugins/username/error-codes.ts
+const USERNAME_ERROR_CODES = defineErrorCodes({
+	INVALID_USERNAME_OR_PASSWORD: "Invalid username or password",
+	EMAIL_NOT_VERIFIED: "Email not verified",
+	UNEXPECTED_ERROR: "Unexpected error",
+	USERNAME_IS_ALREADY_TAKEN: "Username is already taken. Please try another.",
+	USERNAME_TOO_SHORT: "Username is too short",
+	USERNAME_TOO_LONG: "Username is too long",
+	INVALID_USERNAME: "Username is invalid",
+	INVALID_DISPLAY_USERNAME: "Display username is invalid"
+});
+
+//#endregion
+export { USERNAME_ERROR_CODES };
+//# sourceMappingURL=error-codes.mjs.map

package/dist/plugins/username/error-codes.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-codes.mjs","names":[],"sources":["../../../src/plugins/username/error-codes.ts"],"sourcesContent":["import { defineErrorCodes } from \"@better-auth/core/utils/error-codes\";\n\nexport const USERNAME_ERROR_CODES = defineErrorCodes({\n\tINVALID_USERNAME_OR_PASSWORD: \"Invalid username or password\",\n\tEMAIL_NOT_VERIFIED: \"Email not verified\",\n\tUNEXPECTED_ERROR: \"Unexpected error\",\n\tUSERNAME_IS_ALREADY_TAKEN: \"Username is already taken. Please try another.\",\n\tUSERNAME_TOO_SHORT: \"Username is too short\",\n\tUSERNAME_TOO_LONG: \"Username is too long\",\n\tINVALID_USERNAME: \"Username is invalid\",\n\tINVALID_DISPLAY_USERNAME: \"Display username is invalid\",\n});\n"],"mappings":";;;AAEA,MAAa,uBAAuB,iBAAiB;CACpD,8BAA8B;CAC9B,oBAAoB;CACpB,kBAAkB;CAClB,2BAA2B;CAC3B,oBAAoB;CACpB,mBAAmB;CACnB,kBAAkB;CAClB,0BAA0B;CAC1B,CAAC"}

package/dist/plugins/username/index.d.mts

@@ -0,0 +1,251 @@
+import { InferOptionSchema } from "../../types/plugins.mjs";
+import { UsernameSchema } from "./schema.mjs";
+import { USERNAME_ERROR_CODES } from "./error-codes.mjs";
+import * as _better_auth_core0 from "@better-auth/core";
+import * as _better_auth_core_db0 from "@better-auth/core/db";
+import * as _better_auth_core_utils_error_codes0 from "@better-auth/core/utils/error-codes";
+import * as better_call0 from "better-call";
+import * as z from "zod";
+
+//#region src/plugins/username/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    username: {
+      creator: typeof username;
+    };
+  }
+}
+type UsernameOptions = {
+  schema?: InferOptionSchema<UsernameSchema> | undefined;
+  /**
+   * The minimum length of the username
+   *
+   * @default 3
+   */
+  minUsernameLength?: number | undefined;
+  /**
+   * The maximum length of the username
+   *
+   * @default 30
+   */
+  maxUsernameLength?: number | undefined;
+  /**
+   * A function to validate the username
+   *
+   * By default, the username should only contain alphanumeric characters and underscores
+   */
+  usernameValidator?: ((username: string) => boolean | Promise<boolean>) | undefined;
+  /**
+   * A function to validate the display username
+   *
+   * By default, no validation is applied to display username
+   */
+  displayUsernameValidator?: ((displayUsername: string) => boolean | Promise<boolean>) | undefined;
+  /**
+   * A function to normalize the username
+   *
+   * @default (username) => username.toLowerCase()
+   */
+  usernameNormalization?: (((username: string) => string) | false) | undefined;
+  /**
+   * A function to normalize the display username
+   *
+   * @default false
+   */
+  displayUsernameNormalization?: (((displayUsername: string) => string) | false) | undefined;
+  /**
+   * The order of validation
+   *
+   * @default { username: "pre-normalization", displayUsername: "pre-normalization" }
+   */
+  validationOrder?: {
+    /**
+     * The order of username validation
+     *
+     * @default "pre-normalization"
+     */
+    username?: "pre-normalization" | "post-normalization";
+    /**
+     * The order of display username validation
+     *
+     * @default "pre-normalization"
+     */
+    displayUsername?: "pre-normalization" | "post-normalization";
+  } | undefined;
+};
+declare const username: (options?: UsernameOptions | undefined) => {
+  id: "username";
+  init(ctx: _better_auth_core0.AuthContext): {
+    options: {
+      databaseHooks: {
+        user: {
+          create: {
+            before(user: {
+              id: string;
+              createdAt: Date;
+              updatedAt: Date;
+              email: string;
+              emailVerified: boolean;
+              name: string;
+              image?: string | null | undefined;
+            } & Record<string, unknown>, context: _better_auth_core0.GenericEndpointContext | null): Promise<{
+              data: {
+                displayUsername?: string | undefined;
+                username?: string | undefined;
+                id: string;
+                createdAt: Date;
+                updatedAt: Date;
+                email: string;
+                emailVerified: boolean;
+                name: string;
+                image?: string | null | undefined;
+              };
+            }>;
+          };
+          update: {
+            before(user: Partial<{
+              id: string;
+              createdAt: Date;
+              updatedAt: Date;
+              email: string;
+              emailVerified: boolean;
+              name: string;
+              image?: string | null | undefined;
+            }> & Record<string, unknown>, context: _better_auth_core0.GenericEndpointContext | null): Promise<{
+              data: {
+                displayUsername?: string | undefined;
+                username?: string | undefined;
+                id?: string | undefined;
+                createdAt?: Date | undefined;
+                updatedAt?: Date | undefined;
+                email?: string | undefined;
+                emailVerified?: boolean | undefined;
+                name?: string | undefined;
+                image?: string | null | undefined;
+              };
+            }>;
+          };
+        };
+      };
+    };
+  };
+  endpoints: {
+    signInUsername: better_call0.StrictEndpoint<"/sign-in/username", {
+      method: "POST";
+      body: z.ZodObject<{
+        username: z.ZodString;
+        password: z.ZodString;
+        rememberMe: z.ZodOptional<z.ZodBoolean>;
+        callbackURL: z.ZodOptional<z.ZodString>;
+      }, z.core.$strip>;
+      metadata: {
+        openapi: {
+          summary: string;
+          description: string;
+          responses: {
+            200: {
+              description: string;
+              content: {
+                "application/json": {
+                  schema: {
+                    type: "object";
+                    properties: {
+                      token: {
+                        type: string;
+                        description: string;
+                      };
+                      user: {
+                        $ref: string;
+                      };
+                    };
+                    required: string[];
+                  };
+                };
+              };
+            };
+            422: {
+              description: string;
+              content: {
+                "application/json": {
+                  schema: {
+                    type: "object";
+                    properties: {
+                      message: {
+                        type: string;
+                      };
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    }, {
+      token: string;
+      user: {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      } & {
+        username: string;
+        displayUsername: string;
+      };
+    }>;
+    isUsernameAvailable: better_call0.StrictEndpoint<"/is-username-available", {
+      method: "POST";
+      body: z.ZodObject<{
+        username: z.ZodString;
+      }, z.core.$strip>;
+    }, {
+      available: boolean;
+    }>;
+  };
+  schema: {
+    user: {
+      fields: {
+        username: {
+          type: "string";
+          required: false;
+          sortable: true;
+          unique: true;
+          returned: true;
+          transform: {
+            input(value: _better_auth_core_db0.DBPrimitive): string | number | boolean | unknown[] | Date | Record<string, unknown> | null | undefined;
+          };
+        };
+        displayUsername: {
+          type: "string";
+          required: false;
+          transform: {
+            input(value: _better_auth_core_db0.DBPrimitive): string | number | boolean | unknown[] | Date | Record<string, unknown> | null | undefined;
+          };
+        };
+      };
+    };
+  };
+  hooks: {
+    before: {
+      matcher(context: _better_auth_core0.HookEndpointContext): boolean;
+      handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>;
+    }[];
+  };
+  options: UsernameOptions | undefined;
+  $ERROR_CODES: {
+    EMAIL_NOT_VERIFIED: _better_auth_core_utils_error_codes0.RawError<"EMAIL_NOT_VERIFIED">;
+    INVALID_USERNAME_OR_PASSWORD: _better_auth_core_utils_error_codes0.RawError<"INVALID_USERNAME_OR_PASSWORD">;
+    UNEXPECTED_ERROR: _better_auth_core_utils_error_codes0.RawError<"UNEXPECTED_ERROR">;
+    USERNAME_IS_ALREADY_TAKEN: _better_auth_core_utils_error_codes0.RawError<"USERNAME_IS_ALREADY_TAKEN">;
+    USERNAME_TOO_SHORT: _better_auth_core_utils_error_codes0.RawError<"USERNAME_TOO_SHORT">;
+    USERNAME_TOO_LONG: _better_auth_core_utils_error_codes0.RawError<"USERNAME_TOO_LONG">;
+    INVALID_USERNAME: _better_auth_core_utils_error_codes0.RawError<"INVALID_USERNAME">;
+    INVALID_DISPLAY_USERNAME: _better_auth_core_utils_error_codes0.RawError<"INVALID_DISPLAY_USERNAME">;
+  };
+};
+//#endregion
+export { USERNAME_ERROR_CODES, UsernameOptions, username };
+//# sourceMappingURL=index.d.mts.map