@stratal/framework 0.0.18 → 0.0.20

package/dist/auth/index.mjs

@@ -1,12 +1,15 @@
-import { t as __decorate } from "../decorate-C12QolJF.mjs";
-import { t as AuthContext } from "../auth-context-BfekHvM9.mjs";
-import { t as __decorateMetadata } from "../decorateMetadata-rWbWGUuO.mjs";
-import { t as __decorateParam } from "../decorateParam-WGqsyT5s.mjs";
+import { n as createStratalAcPlugin, t as AccessService } from "../access.service-BjYVtUJw.mjs";
+import { n as AC_TOKENS, t as __decorateParam } from "../decorateParam-Dc5DGEpb.mjs";
+import { t as __decorateMetadata } from "../decorateMetadata-CqtSx3_1.mjs";
+import { t as __decorate } from "../decorate-CdfCRvAc.mjs";
+import { t as AuthContext } from "../auth-context-6Li1JkIq.mjs";
+import { CONTAINER_TOKEN, DI_TOKENS, Transient } from "stratal/di";
+import { I18nModule } from "stratal/i18n";
 import { Module } from "stratal/module";
-import { DI_TOKENS, Transient } from "stratal/di";
-import { ApplicationError, ERROR_CODES, InternalError } from "stratal/errors";
+import { RATE_LIMITER_TOKENS, RateLimiterRegistry } from "stratal/rate-limiter";
+import { ApplicationError, ERROR_CODES } from "stratal/errors";
 import { LOGGER_TOKENS } from "stratal/logger";
-import { inject } from "tsyringe";
+import { inject as inject$1 } from "tsyringe";
 import { betterAuth } from "better-auth";
 import { APIError } from "better-auth/api";
 //#region src/auth/auth.tokens.ts
@@ -15,13 +18,63 @@ const AUTH_SERVICE = Symbol.for("stratal:auth:service");
 /** Token for Better Auth options configuration */
 const AUTH_OPTIONS = Symbol.for("stratal:auth:options");
 //#endregion
+//#region src/auth/i18n/en.ts
+const authMessages = { en: { auth: {
+	errors: {
+		tokenRequired: "Verification token is required",
+		invalidToken: "Invalid or expired verification token",
+		verificationFailed: "Verification failed. Please try again.",
+		userNotFound: "User not found. Please check your credentials.",
+		invalidCredentials: "Invalid email or password",
+		invalidPassword: "Invalid password",
+		invalidEmail: "Invalid email address",
+		sessionExpired: "Your session has expired. Please sign in again.",
+		emailNotVerified: "Please verify your email address before signing in",
+		passwordTooShort: "Password must be at least {minLength} characters",
+		passwordTooLong: "Password must be at most {maxLength} characters",
+		accountAlreadyExists: "An account with this email already exists",
+		failedToCreateUser: "Failed to create user account. Please try again.",
+		failedToCreateSession: "Failed to create session. Please try again.",
+		failedToGetSession: "Failed to retrieve session. Please try again.",
+		failedToUpdateUser: "Failed to update user information. Please try again.",
+		failedToGetUserInfo: "Failed to retrieve user information. Please try again.",
+		socialAccountLinked: "This social account is already linked to another user",
+		providerNotFound: "Authentication provider not found",
+		userEmailNotFound: "User email address not found",
+		accountNotFound: "Account not found",
+		credentialAccountNotFound: "Credential account not found",
+		cannotUnlinkLastAccount: "Cannot unlink your last account",
+		userAlreadyHasPassword: "User already has a password set",
+		emailCannotBeUpdated: "Email address cannot be updated at this time",
+		tokenExpired: "The verification token has expired. Please request a new verification email.",
+		invalidCallbackUrl: "Invalid callback URL",
+		invalidOrigin: "Request origin is not allowed",
+		validationFailed: "Authentication validation failed",
+		emailAlreadyVerified: "Email address is already verified",
+		emailMismatch: "Email address does not match",
+		unknownError: "An authentication error occurred"
+	},
+	org: {
+		organizationNotFound: "Organization not found",
+		memberNotFound: "Member not found",
+		invitationNotFound: "Invitation not found",
+		permissionDenied: "You do not have permission to perform this action",
+		invitationRecipientMismatch: "You are not the recipient of this invitation",
+		conflict: "A resource with this identifier already exists",
+		limitReached: "The maximum limit has been reached",
+		membershipError: "This action cannot be performed due to membership constraints",
+		teamNotFound: "Team not found",
+		roleNotFound: "Role not found"
+	}
+} } };
+//#endregion
 //#region src/auth/middleware/auth-context.middleware.ts
 let AuthContextMiddleware = class AuthContextMiddleware {
 	async handle(ctx, next) {
 		const requestContainer = ctx.getContainer();
 		const authContext = new AuthContext();
 		requestContainer.registerValue(DI_TOKENS.AuthContext, authContext);
-		await next();
+		return next();
 	}
 };
 AuthContextMiddleware = __decorate([Transient()], AuthContextMiddleware);
@@ -34,162 +87,326 @@ let SessionVerificationMiddleware = class SessionVerificationMiddleware {
 	}
 	async handle(ctx, next) {
 		try {
-			const session = await this.authService.auth.api.getSession({ headers: ctx.c.req.raw.headers });
-			if (session) ctx.getContainer().resolve(DI_TOKENS.AuthContext).setAuthContext({ userId: session.user.id });
-			await next();
+			const result = await this.authService.auth.api.getSession({ headers: ctx.c.req.raw.headers });
+			if (result) ctx.getContainer().resolve(DI_TOKENS.AuthContext).setAuthContext({ user: result.user });
 		} catch (error) {
 			this.logger.debug("Session validation failed (e.g., invalidated in DB)", { error });
-			await next();
 		}
+		return next();
 	}
 };
 SessionVerificationMiddleware = __decorate([
 	Transient(),
-	__decorateParam(0, inject(AUTH_SERVICE)),
-	__decorateParam(1, inject(LOGGER_TOKENS.LoggerService)),
+	__decorateParam(0, inject$1(AUTH_SERVICE)),
+	__decorateParam(1, inject$1(LOGGER_TOKENS.LoggerService)),
 	__decorateMetadata("design:paramtypes", [Object, Object])
 ], SessionVerificationMiddleware);
 //#endregion
+//#region src/auth/rate-limit-bridge.ts
+/**
+* Rate-limit bridge between Stratal's `RateLimiterModule` and better-auth.
+*
+* Importing this file (transitively, via `auth.module.ts`) does two things:
+*
+*  1. Augments `RateLimiterRegistry` with `forPath()` + `pathEntries()` via
+*     Stratal's `Macroable`. Path-keyed rules registered on the same registry
+*     used for Stratal's own throttling are projected into better-auth's
+*     `customRules` by {@link projectCustomRules}.
+*  2. Exports {@link createBetterAuthRateLimitStorage} — adapts Stratal's
+*     {@link IRateLimiterStore} into better-auth's `customStorage`, so both
+*     systems share one backing store.
+*
+* `AuthModule.forRootAsync` wires both automatically when `RateLimiterModule`
+* is imported. Users with explicit `rateLimit.customStorage` /
+* `rateLimit.customRules` keys in their auth factory keep precedence.
+*
+* Frictions, documented for path-keyed entries:
+*
+*  - `Limit.by(...)` is meaningless. Better-auth scopes per-IP+path.
+*  - Multiple `Limit`s reduce to the most restrictive (smallest max-per-second).
+*  - `Limit.none()` projects to `false` (better-auth's "disable" sentinel).
+*  - `Limit.response(...)` is a no-op. Better-auth renders its own 429.
+*  - Snapshot caveat: `customRules` is built once at AuthService construction,
+*    so register all `forPath()` entries inside `OnInitialize` hooks.
+*/
+const pathResolvers = /* @__PURE__ */ new WeakMap();
+function getOrCreatePathMap(registry) {
+	let map = pathResolvers.get(registry);
+	if (!map) {
+		map = /* @__PURE__ */ new Map();
+		pathResolvers.set(registry, map);
+	}
+	return map;
+}
+RateLimiterRegistry.macro("forPath", function(path, resolver) {
+	getOrCreatePathMap(this).set(path, resolver);
+});
+RateLimiterRegistry.macro("pathEntries", function() {
+	return (pathResolvers.get(this) ?? /* @__PURE__ */ new Map()).entries();
+});
+const BETTER_AUTH_TTL_SECONDS = 86400;
+const BETTER_AUTH_KEY_PREFIX = "ba-rl:";
+/**
+* Adapt Stratal's `IRateLimiterStore` into better-auth's `customStorage` shape.
+* Better-auth supplies its own `RateLimit` records (`{ key, count, lastRequest }`);
+* the adapter just persists them under a separate key namespace.
+*/
+function createBetterAuthRateLimitStorage(store) {
+	return {
+		async get(key) {
+			return await store.get(`${BETTER_AUTH_KEY_PREFIX}${key}`);
+		},
+		async set(key, value, _update) {
+			await store.set(`${BETTER_AUTH_KEY_PREFIX}${key}`, value, BETTER_AUTH_TTL_SECONDS);
+		}
+	};
+}
+/**
+* Project every `forPath` entry on the registry into better-auth's
+* `customRules` shape. Each entry becomes an async function that resolves
+* the user's `Limit`(s) and reduces them to a single `{ window, max }` pair
+* (or `false` for `Limit.none()`).
+*
+* Multi-`Limit` reduction picks the most restrictive — smallest
+* `max / windowSeconds` ratio; ties favour the first.
+*/
+function projectCustomRules(registry) {
+	const rules = {};
+	for (const [path, resolver] of registry.pathEntries()) rules[path] = async (req) => {
+		const resolved = await resolver(req);
+		const candidates = (Array.isArray(resolved) ? resolved : [resolved]).filter((l) => !l.disabled);
+		if (candidates.length === 0) return false;
+		const chosen = candidates.reduce((a, b) => a.max / a.windowSeconds <= b.max / b.windowSeconds ? a : b);
+		return {
+			window: chosen.windowSeconds,
+			max: chosen.max
+		};
+	};
+	return rules;
+}
+//#endregion
 //#region src/auth/errors/auth-errors.ts
 var UserNotFoundError = class extends ApplicationError {
 	constructor(email) {
-		super("errors.auth.userNotFound", ERROR_CODES.RESOURCE.NOT_FOUND, email ? { email } : void 0);
+		super("auth.errors.userNotFound", ERROR_CODES.RESOURCE.NOT_FOUND, email ? { email } : void 0);
 	}
 };
 var InvalidCredentialsError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.invalidCredentials", ERROR_CODES.AUTH.INVALID_CREDENTIALS);
+		super("auth.errors.invalidCredentials", ERROR_CODES.AUTH.INVALID_CREDENTIALS);
 	}
 };
 var InvalidPasswordError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.invalidPassword", ERROR_CODES.AUTH.INVALID_CREDENTIALS);
+		super("auth.errors.invalidPassword", ERROR_CODES.AUTH.INVALID_CREDENTIALS);
 	}
 };
 var InvalidEmailError = class extends ApplicationError {
 	constructor(email) {
-		super("errors.auth.invalidEmail", ERROR_CODES.VALIDATION.INVALID_FORMAT, email ? { email } : void 0);
+		super("auth.errors.invalidEmail", ERROR_CODES.VALIDATION.INVALID_FORMAT, email ? { email } : void 0);
 	}
 };
 var SessionExpiredError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.sessionExpired", ERROR_CODES.AUTH.SESSION_EXPIRED);
+		super("auth.errors.sessionExpired", ERROR_CODES.AUTH.SESSION_EXPIRED);
 	}
 };
 var EmailNotVerifiedError = class extends ApplicationError {
 	constructor(email) {
-		super("errors.auth.emailNotVerified", ERROR_CODES.AUTH.EMAIL_NOT_VERIFIED, email ? { email } : void 0);
+		super("auth.errors.emailNotVerified", ERROR_CODES.AUTH.EMAIL_NOT_VERIFIED, email ? { email } : void 0);
 	}
 };
 var PasswordTooShortError = class extends ApplicationError {
 	constructor(minLength) {
-		super("errors.auth.passwordTooShort", ERROR_CODES.AUTH.PASSWORD_TOO_SHORT, { minLength });
+		super("auth.errors.passwordTooShort", ERROR_CODES.AUTH.PASSWORD_TOO_SHORT, { minLength });
 	}
 };
 var PasswordTooLongError = class extends ApplicationError {
 	constructor(maxLength) {
-		super("errors.auth.passwordTooLong", ERROR_CODES.AUTH.PASSWORD_TOO_LONG, { maxLength });
+		super("auth.errors.passwordTooLong", ERROR_CODES.AUTH.PASSWORD_TOO_LONG, { maxLength });
 	}
 };
 var AccountAlreadyExistsError = class extends ApplicationError {
 	constructor(email) {
-		super("errors.auth.accountAlreadyExists", ERROR_CODES.AUTH.ACCOUNT_ALREADY_EXISTS, email ? { email } : void 0);
+		super("auth.errors.accountAlreadyExists", ERROR_CODES.AUTH.ACCOUNT_ALREADY_EXISTS, email ? { email } : void 0);
 	}
 };
 var FailedToCreateUserError = class extends ApplicationError {
 	constructor(reason) {
-		super("errors.auth.failedToCreateUser", ERROR_CODES.AUTH.FAILED_TO_CREATE_USER, reason ? { reason } : void 0);
+		super("auth.errors.failedToCreateUser", ERROR_CODES.AUTH.FAILED_TO_CREATE_USER, reason ? { reason } : void 0);
 	}
 };
 var FailedToCreateSessionError = class extends ApplicationError {
 	constructor(reason) {
-		super("errors.auth.failedToCreateSession", ERROR_CODES.AUTH.FAILED_TO_CREATE_SESSION, reason ? { reason } : void 0);
+		super("auth.errors.failedToCreateSession", ERROR_CODES.AUTH.FAILED_TO_CREATE_SESSION, reason ? { reason } : void 0);
 	}
 };
 var FailedToUpdateUserError = class extends ApplicationError {
 	constructor(reason) {
-		super("errors.auth.failedToUpdateUser", ERROR_CODES.AUTH.FAILED_TO_UPDATE_USER, reason ? { reason } : void 0);
+		super("auth.errors.failedToUpdateUser", ERROR_CODES.AUTH.FAILED_TO_UPDATE_USER, reason ? { reason } : void 0);
 	}
 };
 var SocialAccountLinkedError = class extends ApplicationError {
 	constructor(provider) {
-		super("errors.auth.socialAccountLinked", ERROR_CODES.AUTH.SOCIAL_ACCOUNT_LINKED, provider ? { provider } : void 0);
+		super("auth.errors.socialAccountLinked", ERROR_CODES.AUTH.SOCIAL_ACCOUNT_LINKED, provider ? { provider } : void 0);
 	}
 };
 var CannotUnlinkLastAccountError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.cannotUnlinkLastAccount", ERROR_CODES.AUTH.CANNOT_UNLINK_LAST_ACCOUNT);
+		super("auth.errors.cannotUnlinkLastAccount", ERROR_CODES.AUTH.CANNOT_UNLINK_LAST_ACCOUNT);
 	}
 };
 var ProviderNotFoundError = class extends ApplicationError {
 	constructor(provider) {
-		super("errors.auth.providerNotFound", ERROR_CODES.RESOURCE.NOT_FOUND, provider ? { provider } : void 0);
+		super("auth.errors.providerNotFound", ERROR_CODES.RESOURCE.NOT_FOUND, provider ? { provider } : void 0);
 	}
 };
 var UserEmailNotFoundError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.userEmailNotFound", ERROR_CODES.RESOURCE.NOT_FOUND);
+		super("auth.errors.userEmailNotFound", ERROR_CODES.RESOURCE.NOT_FOUND);
 	}
 };
 var AccountNotFoundError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.accountNotFound", ERROR_CODES.RESOURCE.NOT_FOUND);
+		super("auth.errors.accountNotFound", ERROR_CODES.RESOURCE.NOT_FOUND);
 	}
 };
 var CredentialAccountNotFoundError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.credentialAccountNotFound", ERROR_CODES.RESOURCE.NOT_FOUND);
+		super("auth.errors.credentialAccountNotFound", ERROR_CODES.RESOURCE.NOT_FOUND);
 	}
 };
 var UserAlreadyHasPasswordError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.userAlreadyHasPassword", ERROR_CODES.RESOURCE.CONFLICT);
+		super("auth.errors.userAlreadyHasPassword", ERROR_CODES.RESOURCE.CONFLICT);
 	}
 };
 var EmailCannotBeUpdatedError = class extends ApplicationError {
 	constructor(reason) {
-		super("errors.auth.emailCannotBeUpdated", ERROR_CODES.VALIDATION.GENERIC, reason ? { reason } : void 0);
+		super("auth.errors.emailCannotBeUpdated", ERROR_CODES.VALIDATION.GENERIC, reason ? { reason } : void 0);
 	}
 };
 var FailedToGetSessionError = class extends ApplicationError {
 	constructor(reason) {
-		super("errors.auth.failedToGetSession", ERROR_CODES.SYSTEM.INTERNAL_ERROR, reason ? { reason } : void 0);
+		super("auth.errors.failedToGetSession", ERROR_CODES.SYSTEM.INTERNAL_ERROR, reason ? { reason } : void 0);
 	}
 };
 var FailedToGetUserInfoError = class extends ApplicationError {
 	constructor(reason) {
-		super("errors.auth.failedToGetUserInfo", ERROR_CODES.SYSTEM.INTERNAL_ERROR, reason ? { reason } : void 0);
+		super("auth.errors.failedToGetUserInfo", ERROR_CODES.SYSTEM.INTERNAL_ERROR, reason ? { reason } : void 0);
 	}
 };
 var IdTokenNotSupportedError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.invalidToken", ERROR_CODES.VALIDATION.GENERIC);
+		super("auth.errors.invalidToken", ERROR_CODES.VALIDATION.GENERIC);
 	}
 };
 var TokenExpiredError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.tokenExpired", ERROR_CODES.VALIDATION.GENERIC);
+		super("auth.errors.tokenExpired", ERROR_CODES.VALIDATION.GENERIC);
+	}
+};
+var InvalidCallbackUrlError = class extends ApplicationError {
+	constructor() {
+		super("auth.errors.invalidCallbackUrl", ERROR_CODES.VALIDATION.INVALID_FORMAT);
+	}
+};
+var InvalidOriginError = class extends ApplicationError {
+	constructor() {
+		super("auth.errors.invalidOrigin", ERROR_CODES.AUTHZ.FORBIDDEN);
+	}
+};
+var AuthValidationFailedError = class extends ApplicationError {
+	constructor() {
+		super("auth.errors.validationFailed", ERROR_CODES.VALIDATION.GENERIC);
+	}
+};
+var EmailAlreadyVerifiedError = class extends ApplicationError {
+	constructor() {
+		super("auth.errors.emailAlreadyVerified", ERROR_CODES.RESOURCE.CONFLICT);
+	}
+};
+var EmailMismatchError = class extends ApplicationError {
+	constructor() {
+		super("auth.errors.emailMismatch", ERROR_CODES.VALIDATION.INVALID_FORMAT);
+	}
+};
+var BetterAuthUnknownError = class extends ApplicationError {
+	constructor(errorCode) {
+		super("auth.errors.unknownError", ERROR_CODES.SYSTEM.INTERNAL_ERROR, errorCode ? { errorCode } : void 0);
 	}
 };
 //#endregion
 //#region src/auth/errors/invalid-token.error.ts
 var InvalidTokenError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.invalidToken", ERROR_CODES.AUTH.INVALID_TOKEN);
+		super("auth.errors.invalidToken", ERROR_CODES.AUTH.INVALID_TOKEN);
+	}
+};
+//#endregion
+//#region src/auth/errors/organization-errors.ts
+var OrganizationNotFoundError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.organizationNotFound", ERROR_CODES.AUTH.ORGANIZATION_NOT_FOUND);
+	}
+};
+var OrganizationMemberNotFoundError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.memberNotFound", ERROR_CODES.AUTH.MEMBER_NOT_FOUND);
+	}
+};
+var OrganizationInvitationNotFoundError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.invitationNotFound", ERROR_CODES.AUTH.INVITATION_NOT_FOUND);
+	}
+};
+var OrganizationPermissionDeniedError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.permissionDenied", ERROR_CODES.AUTHZ.FORBIDDEN);
+	}
+};
+var OrganizationInvitationRecipientMismatchError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.invitationRecipientMismatch", ERROR_CODES.AUTH.INVITATION_RECIPIENT_MISMATCH);
+	}
+};
+var OrganizationConflictError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.conflict", ERROR_CODES.RESOURCE.CONFLICT);
+	}
+};
+var OrganizationLimitReachedError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.limitReached", ERROR_CODES.AUTH.ORGANIZATION_LIMIT_REACHED);
+	}
+};
+var OrganizationMembershipError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.membershipError", ERROR_CODES.AUTH.ORGANIZATION_MEMBERSHIP_REQUIRED);
+	}
+};
+var OrganizationTeamNotFoundError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.teamNotFound", ERROR_CODES.RESOURCE.NOT_FOUND);
+	}
+};
+var OrganizationRoleNotFoundError = class extends ApplicationError {
+	constructor() {
+		super("auth.org.roleNotFound", ERROR_CODES.RESOURCE.NOT_FOUND);
 	}
 };
 //#endregion
 //#region src/auth/errors/token-required.error.ts
 var TokenRequiredError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.tokenRequired", ERROR_CODES.VALIDATION.REQUIRED_FIELD, { field: "token" });
+		super("auth.errors.tokenRequired", ERROR_CODES.VALIDATION.REQUIRED_FIELD, { field: "token" });
 	}
 };
 //#endregion
 //#region src/auth/errors/verification-failed.error.ts
 var VerificationFailedError = class extends ApplicationError {
 	constructor() {
-		super("errors.auth.verificationFailed", ERROR_CODES.AUTH.INVALID_CREDENTIALS);
+		super("auth.errors.verificationFailed", ERROR_CODES.AUTH.INVALID_CREDENTIALS);
 	}
 };
 //#endregion
@@ -208,20 +425,19 @@ function mapBetterAuthError(error) {
 		if (location.includes("failed_to_create_user")) return new FailedToCreateUserError();
 		if (location.includes("failed_to_create_session")) return new FailedToCreateSessionError();
 	}
-	if (!errorCode) return new InternalError({
-		originalError: `Better Auth error: ${error.message}`,
-		stack: error.stack
-	});
-	if (errorCode === "USER_NOT_FOUND") return new UserNotFoundError();
+	if (!errorCode) return new BetterAuthUnknownError();
+	if (errorCode === "USER_NOT_FOUND" || errorCode === "INVALID_USER") return new UserNotFoundError();
 	if (errorCode === "USER_EMAIL_NOT_FOUND") return new UserEmailNotFoundError();
 	if (errorCode === "INVALID_EMAIL_OR_PASSWORD") return new InvalidCredentialsError();
 	if (errorCode === "INVALID_PASSWORD") return new InvalidPasswordError();
 	if (errorCode === "INVALID_EMAIL") return new InvalidEmailError();
-	if (errorCode === "SESSION_EXPIRED") return new SessionExpiredError();
+	if (errorCode === "SESSION_EXPIRED" || errorCode === "SESSION_NOT_FRESH") return new SessionExpiredError();
 	if (errorCode === "FAILED_TO_CREATE_SESSION") return new FailedToCreateSessionError();
 	if (errorCode === "FAILED_TO_GET_SESSION") return new FailedToGetSessionError();
 	if (errorCode === "EMAIL_NOT_VERIFIED") return new EmailNotVerifiedError();
 	if (errorCode === "EMAIL_CAN_NOT_BE_UPDATED") return new EmailCannotBeUpdatedError();
+	if (errorCode === "EMAIL_ALREADY_VERIFIED") return new EmailAlreadyVerifiedError();
+	if (errorCode === "EMAIL_MISMATCH") return new EmailMismatchError();
 	if (errorCode === "PASSWORD_TOO_SHORT") return new PasswordTooShortError(8);
 	if (errorCode === "PASSWORD_TOO_LONG") return new PasswordTooLongError(128);
 	if (errorCode === "USER_ALREADY_EXISTS" || errorCode === "USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL") return new AccountAlreadyExistsError();
@@ -231,16 +447,27 @@ function mapBetterAuthError(error) {
 	if (errorCode === "FAILED_TO_CREATE_USER") return new FailedToCreateUserError();
 	if (errorCode === "FAILED_TO_UPDATE_USER") return new FailedToUpdateUserError();
 	if (errorCode === "FAILED_TO_GET_USER_INFO") return new FailedToGetUserInfoError();
-	if (errorCode === "SOCIAL_ACCOUNT_ALREADY_LINKED") return new SocialAccountLinkedError();
+	if (errorCode === "SOCIAL_ACCOUNT_ALREADY_LINKED" || errorCode === "LINKED_ACCOUNT_ALREADY_EXISTS") return new SocialAccountLinkedError();
 	if (errorCode === "PROVIDER_NOT_FOUND") return new ProviderNotFoundError();
 	if (errorCode === "ID_TOKEN_NOT_SUPPORTED") return new IdTokenNotSupportedError();
-	if (errorCode === "INVALID_TOKEN") return new IdTokenNotSupportedError();
+	if (errorCode === "INVALID_TOKEN") return new InvalidTokenError();
 	if (errorCode === "TOKEN_EXPIRED") return new TokenExpiredError();
-	if (errorCode === "USER_ALREADY_HAS_PASSWORD") return new UserAlreadyHasPasswordError();
-	return new InternalError({
-		originalError: `Better Auth error [${errorCode}]: ${error.message}`,
-		stack: error.stack
-	});
+	if (errorCode === "USER_ALREADY_HAS_PASSWORD" || errorCode === "PASSWORD_ALREADY_SET") return new UserAlreadyHasPasswordError();
+	if (errorCode === "INVALID_CALLBACK_URL" || errorCode === "INVALID_REDIRECT_URL" || errorCode === "INVALID_NEW_USER_CALLBACK_URL" || errorCode === "INVALID_ERROR_CALLBACK_URL" || errorCode === "CALLBACK_URL_REQUIRED") return new InvalidCallbackUrlError();
+	if (errorCode === "INVALID_ORIGIN" || errorCode === "MISSING_OR_NULL_ORIGIN" || errorCode === "CROSS_SITE_NAVIGATION_LOGIN_BLOCKED") return new InvalidOriginError();
+	if (errorCode === "VALIDATION_ERROR" || errorCode === "MISSING_FIELD" || errorCode === "FIELD_NOT_ALLOWED" || errorCode === "BODY_MUST_BE_AN_OBJECT" || errorCode === "ASYNC_VALIDATION_NOT_SUPPORTED" || errorCode === "METHOD_NOT_ALLOWED_DEFER_SESSION_REQUIRED") return new AuthValidationFailedError();
+	if (errorCode === "FAILED_TO_CREATE_VERIFICATION" || errorCode === "VERIFICATION_EMAIL_NOT_ENABLED") return new FailedToCreateSessionError();
+	if (errorCode === "ORGANIZATION_NOT_FOUND" || errorCode === "NO_ACTIVE_ORGANIZATION") return new OrganizationNotFoundError();
+	if (errorCode === "MEMBER_NOT_FOUND" || errorCode === "USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION" || errorCode === "USER_IS_NOT_A_MEMBER_OF_THE_TEAM") return new OrganizationMemberNotFoundError();
+	if (errorCode === "INVITATION_NOT_FOUND" || errorCode === "FAILED_TO_RETRIEVE_INVITATION") return new OrganizationInvitationNotFoundError();
+	if (errorCode === "YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION" || errorCode === "EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION") return new OrganizationInvitationRecipientMismatchError();
+	if (errorCode === "TEAM_NOT_FOUND" || errorCode === "YOU_DO_NOT_HAVE_AN_ACTIVE_TEAM") return new OrganizationTeamNotFoundError();
+	if (errorCode === "ROLE_NOT_FOUND" || errorCode === "INVALID_RESOURCE") return new OrganizationRoleNotFoundError();
+	if (errorCode === "ORGANIZATION_ALREADY_EXISTS" || errorCode === "ORGANIZATION_SLUG_ALREADY_TAKEN" || errorCode === "USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION" || errorCode === "USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION" || errorCode === "TEAM_ALREADY_EXISTS" || errorCode === "ROLE_NAME_IS_ALREADY_TAKEN") return new OrganizationConflictError();
+	if (errorCode === "YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS" || errorCode === "YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_TEAMS" || errorCode === "ORGANIZATION_MEMBERSHIP_LIMIT_REACHED" || errorCode === "INVITATION_LIMIT_REACHED" || errorCode === "TEAM_MEMBER_LIMIT_REACHED" || errorCode === "TOO_MANY_ROLES") return new OrganizationLimitReachedError();
+	if (errorCode === "YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER" || errorCode === "YOU_CANNOT_LEAVE_THE_ORGANIZATION_WITHOUT_AN_OWNER" || errorCode === "UNABLE_TO_REMOVE_LAST_TEAM" || errorCode === "CANNOT_DELETE_A_PRE_DEFINED_ROLE" || errorCode === "ROLE_IS_ASSIGNED_TO_MEMBERS" || errorCode === "YOU_CANNOT_IMPERSONATE_ADMINS" || errorCode === "YOU_CANNOT_BAN_YOURSELF" || errorCode === "YOU_CANNOT_REMOVE_YOURSELF" || errorCode === "INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION") return new OrganizationMembershipError();
+	if (errorCode.startsWith("YOU_ARE_NOT_ALLOWED_TO_") || errorCode === "YOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION" || errorCode === "YOU_CAN_NOT_ACCESS_THE_MEMBERS_OF_THIS_TEAM" || errorCode === "YOU_MUST_BE_IN_AN_ORGANIZATION_TO_CREATE_A_ROLE" || errorCode === "MISSING_AC_INSTANCE") return new OrganizationPermissionDeniedError();
+	return new BetterAuthUnknownError(errorCode);
 }
 /**
 * Type guard to check if an error is a Better Auth APIError.
@@ -297,7 +524,7 @@ let AuthService = class AuthService {
 };
 AuthService = __decorate([
 	Transient(AUTH_SERVICE),
-	__decorateParam(0, inject(AUTH_OPTIONS)),
+	__decorateParam(0, inject$1(AUTH_OPTIONS)),
 	__decorateMetadata("design:paramtypes", [Object])
 ], AuthService);
 //#endregion
@@ -309,30 +536,77 @@ let AuthModule = _AuthModule = class AuthModule {
 	*
 	* Registers middlewares in order:
 	* 1. AuthContextMiddleware - Creates and registers AuthContext in request container
-	* 2. SessionVerificationMiddleware - Verifies session and populates AuthContext with userId
+	* 2. SessionVerificationMiddleware - Verifies session and populates AuthContext with userId + role
 	*/
 	configureRoutes(router) {
 		router.use(AuthContextMiddleware, SessionVerificationMiddleware);
 	}
 	/**
-	* Configure AuthModule with async options factory
+	* Configure AuthModule with async options factory.
+	* Optionally provide `accessControl` to enable permission-based authorization.
+	*
+	* When `RateLimiterModule` is also imported, better-auth's `rateLimit`
+	* block is auto-wired: `customStorage` shares Stratal's backing store, and
+	* any `RateLimiterRegistry.forPath(...)` entries are projected into
+	* `customRules`. User-supplied `rateLimit.{customStorage, customRules}` keys
+	* take precedence on a per-key basis.
 	*/
 	static forRootAsync(options) {
+		const { accessControl } = options;
+		const userInject = options.inject ?? [];
+		const userFactory = options.useFactory;
+		const authOptionsProvider = {
+			provide: AUTH_OPTIONS,
+			useFactory: (container, ...userDeps) => {
+				let raw = userFactory(...userDeps);
+				if (accessControl) raw = {
+					...raw,
+					plugins: [createStratalAcPlugin(accessControl), ...raw.plugins ?? []]
+				};
+				if (container.getTsyringeContainer().isRegistered(RATE_LIMITER_TOKENS.ModuleMarker, true)) {
+					const store = container.resolve(RATE_LIMITER_TOKENS.Store);
+					const registry = container.resolve(RATE_LIMITER_TOKENS.Registry);
+					raw = {
+						...raw,
+						rateLimit: {
+							enabled: true,
+							...raw.rateLimit,
+							customStorage: raw.rateLimit?.customStorage ?? createBetterAuthRateLimitStorage(store),
+							customRules: {
+								...projectCustomRules(registry),
+								...raw.rateLimit?.customRules ?? {}
+							}
+						}
+					};
+				}
+				return raw;
+			},
+			inject: [CONTAINER_TOKEN, ...userInject]
+		};
 		return {
 			module: _AuthModule,
-			providers: [{
-				provide: AUTH_OPTIONS,
-				useFactory: options.useFactory,
-				inject: options.inject
-			}, {
-				provide: AUTH_SERVICE,
-				useClass: AuthService
-			}]
+			providers: [
+				authOptionsProvider,
+				{
+					provide: AUTH_SERVICE,
+					useClass: AuthService
+				},
+				...accessControl ? [{
+					provide: AC_TOKENS.Options,
+					useValue: accessControl
+				}, {
+					provide: AC_TOKENS.AccessService,
+					useClass: AccessService
+				}] : []
+			]
 		};
 	}
 };
-AuthModule = _AuthModule = __decorate([Module({ providers: [] })], AuthModule);
+AuthModule = _AuthModule = __decorate([Module({
+	imports: [I18nModule.registerMessages(authMessages)],
+	providers: []
+})], AuthModule);
 //#endregion
-export { AUTH_OPTIONS, AUTH_SERVICE, AccountAlreadyExistsError, AccountNotFoundError, AuthContextMiddleware, AuthModule, AuthService, CannotUnlinkLastAccountError, CredentialAccountNotFoundError, EmailCannotBeUpdatedError, EmailNotVerifiedError, FailedToCreateSessionError, FailedToCreateUserError, FailedToGetSessionError, FailedToGetUserInfoError, FailedToUpdateUserError, IdTokenNotSupportedError, InvalidCredentialsError, InvalidEmailError, InvalidPasswordError, InvalidTokenError, PasswordTooLongError, PasswordTooShortError, ProviderNotFoundError, SessionExpiredError, SessionVerificationMiddleware, SocialAccountLinkedError, TokenExpiredError, TokenRequiredError, UserAlreadyHasPasswordError, UserEmailNotFoundError, UserNotFoundError, VerificationFailedError, getErrorHandlerConfig, isAPIError, mapBetterAuthError, wrapBetterAuth };
+export { AUTH_OPTIONS, AUTH_SERVICE, AccountAlreadyExistsError, AccountNotFoundError, AuthContextMiddleware, AuthModule, AuthService, AuthValidationFailedError, BetterAuthUnknownError, CannotUnlinkLastAccountError, CredentialAccountNotFoundError, EmailAlreadyVerifiedError, EmailCannotBeUpdatedError, EmailMismatchError, EmailNotVerifiedError, FailedToCreateSessionError, FailedToCreateUserError, FailedToGetSessionError, FailedToGetUserInfoError, FailedToUpdateUserError, IdTokenNotSupportedError, InvalidCallbackUrlError, InvalidCredentialsError, InvalidEmailError, InvalidOriginError, InvalidPasswordError, InvalidTokenError, OrganizationConflictError, OrganizationInvitationNotFoundError, OrganizationInvitationRecipientMismatchError, OrganizationLimitReachedError, OrganizationMemberNotFoundError, OrganizationMembershipError, OrganizationNotFoundError, OrganizationPermissionDeniedError, OrganizationRoleNotFoundError, OrganizationTeamNotFoundError, PasswordTooLongError, PasswordTooShortError, ProviderNotFoundError, SessionExpiredError, SessionVerificationMiddleware, SocialAccountLinkedError, TokenExpiredError, TokenRequiredError, UserAlreadyHasPasswordError, UserEmailNotFoundError, UserNotFoundError, VerificationFailedError, authMessages, getErrorHandlerConfig, isAPIError, mapBetterAuthError, wrapBetterAuth };
 
 //# sourceMappingURL=index.mjs.map