better-auth 0.0.2-beta.7 → 0.0.2

package/dist/index.js

@@ -1,81 +1,90 @@
-// src/cookies/index.ts
-function serialize(name, value, attributes) {
-  const keyValueEntries = [];
-  keyValueEntries.push([encodeURIComponent(name), encodeURIComponent(value)]);
-  if (attributes?.domain !== void 0) {
-    keyValueEntries.push(["Domain", attributes.domain]);
-  }
-  if (attributes?.expires !== void 0) {
-    keyValueEntries.push(["Expires", attributes.expires.toUTCString()]);
-  }
-  if (attributes?.httpOnly) {
-    keyValueEntries.push(["HttpOnly"]);
-  }
-  if (attributes?.maxAge !== void 0) {
-    keyValueEntries.push(["Max-Age", attributes.maxAge.toString()]);
-  }
-  if (attributes?.path !== void 0) {
-    keyValueEntries.push(["Path", attributes.path]);
-  }
-  if (attributes?.sameSite === "lax") {
-    keyValueEntries.push(["SameSite", "Lax"]);
-  }
-  if (attributes?.sameSite === "none") {
-    keyValueEntries.push(["SameSite", "None"]);
-  }
-  if (attributes?.sameSite === "strict") {
-    keyValueEntries.push(["SameSite", "Strict"]);
-  }
-  if (attributes?.secure) {
-    keyValueEntries.push(["Secure"]);
-  }
-  return keyValueEntries.map((pair) => pair.join("=")).join("; ");
-}
-function parse(header) {
-  const cookies = /* @__PURE__ */ new Map();
-  const items = header.split("; ");
-  for (const item of items) {
-    const pair = item.split("=");
-    const rawKey = pair[0];
-    const rawValue = pair[1] ?? "";
-    if (!rawKey)
+// src/api/index.ts
+import { createRouter } from "better-call";
+
+// src/adapters/schema.ts
+import { z } from "zod";
+var accountSchema = z.object({
+  id: z.string(),
+  providerId: z.string(),
+  accountId: z.string(),
+  userId: z.string(),
+  accessToken: z.string().nullable().optional(),
+  refreshToken: z.string().nullable().optional(),
+  idToken: z.string().nullable().optional(),
+  accessTokenExpiresAt: z.date().nullable().optional(),
+  refreshTokenExpiresAt: z.date().nullable().optional(),
+  /**
+   * Password is only stored in the credential provider
+   */
+  password: z.string().optional().nullable()
+});
+var userSchema = z.object({
+  id: z.string(),
+  email: z.string().transform((val) => val.toLowerCase()),
+  emailVerified: z.boolean().default(false),
+  name: z.string(),
+  image: z.string().optional(),
+  createdAt: z.date().default(/* @__PURE__ */ new Date()),
+  updatedAt: z.date().default(/* @__PURE__ */ new Date())
+});
+var sessionSchema = z.object({
+  id: z.string(),
+  userId: z.string(),
+  expiresAt: z.date(),
+  ipAddress: z.string().optional(),
+  userAgent: z.string().optional()
+});
+function parseData(data, schema) {
+  const fields = schema.fields;
+  const parsedData = {};
+  for (const key in data) {
+    const field = fields[key];
+    if (!field) {
+      parsedData[key] = data[key];
+      continue;
+    }
+    if (field.returned === false) {
       continue;
-    cookies.set(decodeURIComponent(rawKey), decodeURIComponent(rawValue));
+    }
+    parsedData[key] = data[key];
   }
-  return cookies;
+  return parsedData;
 }
-var cookieManager = (header) => {
-  return {
-    set(name, value, options = {}) {
-      const cookieStr = serialize(name, value, options);
-      header.append("set-cookie", cookieStr);
-    },
-    get(name) {
-      const cookie = header.get("cookie");
-      if (!cookie)
-        return null;
-      const cookies = parse(cookie);
-      const value = cookies.get(name);
-      return value;
+function getAllFields(options, table) {
+  let schema = {};
+  for (const plugin of options.plugins || []) {
+    if (plugin.schema && plugin.schema[table]) {
+      schema = {
+        ...schema,
+        ...plugin.schema[table].fields
+      };
     }
-  };
-};
-function setSessionCookie(context, sessionId) {
-  context.request.cookies.set(
-    context.cookies.sessionToken.name,
-    sessionId,
-    context.cookies.sessionToken.options
-  );
+  }
+  return schema;
 }
-function deleteSessionCooke(context) {
-  context.request.cookies.set(context.cookies.sessionToken.name, "", {
-    ...context.cookies.sessionToken.options,
-    maxAge: 0
-  });
+function parseUser(options, user) {
+  const schema = getAllFields(options, "user");
+  return parseData(user, { fields: schema });
 }
+function parseAccount(options, account) {
+  const schema = getAllFields(options, "account");
+  return parseData(account, { fields: schema });
+}
+function parseSession(options, session) {
+  const schema = getAllFields(options, "session");
+  return parseData(session, { fields: schema });
+}
+
+// src/api/middlewares/csrf.ts
+import { APIError } from "better-call";
+import { z as z2 } from "zod";
 
-// src/crypto/hmac.ts
-async function hmac(secretKey, message) {
+// src/crypto/index.ts
+import { xchacha20poly1305 } from "@noble/ciphers/chacha";
+import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/ciphers/utils";
+import { managedNonce } from "@noble/ciphers/webcrypto";
+import { sha256 } from "@noble/hashes/sha256";
+async function hs256(secretKey, message) {
   const enc = new TextEncoder();
   const algorithm = { name: "HMAC", hash: "SHA-256" };
   const key = await crypto.subtle.importKey(
@@ -93,638 +102,2089 @@ async function hmac(secretKey, message) {
   return btoa(String.fromCharCode(...new Uint8Array(signature)));
 }
 
-// src/crypto/random.ts
-function generateRandomString(size) {
-  const i2hex = (i) => `0${i.toString(16)}`.slice(-2);
-  const r = (a, i) => a + i2hex(i);
-  const bytes = crypto.getRandomValues(new Uint8Array(size));
-  return Array.from(bytes).reduce(r, "");
-}
+// src/api/call.ts
+import {
+  createEndpointCreator,
+  createMiddleware,
+  createMiddlewareCreator
+} from "better-call";
+var optionsMiddleware = createMiddleware(async () => {
+  return {};
+});
+var createAuthMiddleware = createMiddlewareCreator({
+  use: [optionsMiddleware]
+});
+var createAuthEndpoint = createEndpointCreator({
+  use: [optionsMiddleware]
+});
+
+// src/api/middlewares/csrf.ts
+var csrfMiddleware = createAuthMiddleware(
+  {
+    body: z2.object({
+      csrfToken: z2.string().optional()
+    }).optional()
+  },
+  async (ctx) => {
+    if (ctx.request?.method !== "POST" || ctx.context.options.advanced?.disableCSRFCheck) {
+      return;
+    }
+    const url = new URL(ctx.request.url);
+    console.log(url.origin, ctx.context.options.baseURL);
+    if (url.origin === ctx.context.options.baseURL || ctx.context.options.trustedOrigins?.includes(url.origin)) {
+      return;
+    }
+    const csrfToken = ctx.body?.csrfToken;
+    const csrfCookie = await ctx.getSignedCookie(
+      ctx.context.authCookies.csrfToken.name,
+      ctx.context.secret
+    );
+    const [token, hash] = csrfCookie?.split("!") || [null, null];
+    if (!csrfToken || !csrfCookie || !token || !hash || csrfCookie !== csrfToken) {
+      ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
+        maxAge: 0
+      });
+      throw new APIError("UNAUTHORIZED", {
+        message: "Invalid CSRF Token"
+      });
+    }
+    const expectedHash = await hs256(ctx.context.secret, token);
+    if (hash !== expectedHash) {
+      ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
+        maxAge: 0
+      });
+      throw new APIError("UNAUTHORIZED", {
+        message: "Invalid CSRF Token"
+      });
+    }
+  }
+);
+
+// src/api/routes/sign-in.ts
+import { APIError as APIError2 } from "better-call";
+import { generateCodeVerifier } from "oslo/oauth2";
+import { Argon2id } from "oslo/password";
+import { z as z3 } from "zod";
+
+// src/social-providers/apple.ts
+import "arctic";
+import { parseJWT } from "oslo/jwt";
+import { betterFetch } from "@better-fetch/fetch";
+
+// src/error/better-auth-error.ts
+var BetterAuthError = class extends Error {
+  constructor(message) {
+    super(message);
+  }
+};
 
-// src/plugins/csrf-check.ts
-var csrfHandler = async (context) => {
-  const csrfToken = context.request.cookies.get(context.cookies.csrfToken.name);
-  if (csrfToken) {
+// src/utils/base-url.ts
+function checkHasPath(url) {
+  try {
+    const parsedUrl = new URL(url);
+    return parsedUrl.pathname !== "/";
+  } catch (error2) {
+    console.error("Invalid URL:", error2);
+    return false;
+  }
+}
+function withPath(url, path = "/api/auth") {
+  const hasPath = checkHasPath(url);
+  if (hasPath) {
     return {
-      status: 200,
-      body: {
-        csrfToken
-      }
+      baseURL: new URL(url).origin,
+      withPath: url
+    };
+  }
+  path = path.startsWith("/") ? path : `/${path}`;
+  return {
+    baseURL: url,
+    withPath: `${url}${path}`
+  };
+}
+function getBaseURL(url, path) {
+  if (url) {
+    return withPath(url, path);
+  }
+  const env = typeof process !== "undefined" ? process.env : typeof import.meta !== "undefined" ? (
+    //@ts-ignore
+    import.meta.env
+  ) : {};
+  const fromEnv = env.BETTER_AUTH_URL || env.AUTH_URL || env.NEXT_PUBLIC_AUTH_URL || env.NEXT_PUBLIC_BETTER_AUTH_URL || env.PUBLIC_AUTH_URL || env.PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_AUTH_URL;
+  if (fromEnv) {
+    return withPath(fromEnv, path);
+  }
+  const isDev = !fromEnv && (env.NODE_ENV === "development" || env.NODE_ENV === "test");
+  if (isDev) {
+    return {
+      baseURL: "http://localhost:3000",
+      withPath: "http://localhost:3000/api/auth"
     };
   }
-  const token = generateRandomString(32);
-  const hash = await hmac(context.secret, token);
-  const cookie = `${token}!${hash}`;
-  context.request.cookies.set(
-    context.cookies.csrfToken.name,
-    cookie,
-    context.cookies.csrfToken.options
+  throw new BetterAuthError(
+    "Could not infer baseURL from environment variables"
   );
+}
+
+// src/social-providers/utils.ts
+function getRedirectURI(providerId, redirectURI) {
+  return redirectURI || `${getBaseURL()}/api/auth/callback/${providerId}`;
+}
+
+// src/social-providers/apple.ts
+var apple = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const tokenEndpoint = "https://appleid.apple.com/auth/token";
+  redirectURI = getRedirectURI("apple", redirectURI);
   return {
-    status: 200,
-    body: {
-      csrfToken: cookie
+    id: "apple",
+    name: "Apple",
+    createAuthorizationURL({ state, scopes }) {
+      const _scope = scopes || ["email", "name", "openid"];
+      return new URL(
+        `https://appleid.apple.com/auth/authorize?client_id=${clientId}&response_type=code&redirect_uri=${redirectURI}&scope=${_scope.join(
+          " "
+        )}&state=${state}`
+      );
+    },
+    validateAuthorizationCode: async (code) => {
+      const data = await betterFetch(tokenEndpoint, {
+        method: "POST",
+        body: new URLSearchParams({
+          client_id: clientId,
+          client_secret: clientSecret,
+          grant_type: "authorization_code",
+          code
+        }),
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        }
+      });
+      if (data.error) {
+        throw new BetterAuthError(data.error?.message || "");
+      }
+      return data.data;
+    },
+    async getUserInfo(token) {
+      const data = parseJWT(token.idToken())?.payload;
+      if (!data) {
+        return null;
+      }
+      return {
+        user: {
+          id: data.sub,
+          name: data.name,
+          email: data.email,
+          emailVerified: data.email_verified === "true"
+        },
+        data
+      };
     }
   };
 };
-var CSRFCheckPlugin = () => {
+
+// src/social-providers/discord.ts
+import { betterFetch as betterFetch2 } from "@better-fetch/fetch";
+import { Discord } from "arctic";
+var discord = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const discordArctic = new Discord(
+    clientId,
+    clientSecret,
+    getRedirectURI("discord", redirectURI)
+  );
   return {
-    id: "csrf",
-    name: "CSRF Check",
-    version: "1.0.0",
-    hooks: {
-      matcher: (context) => !context.disableCSRF,
-      before: async (context) => {
-        const csrfToken = context.request.body.csrfToken;
-        const csrfCookie = context.request.cookies.get(
-          context.cookies.csrfToken.name
-        );
-        const [token, hash] = csrfCookie?.split("!") || [null, null];
-        if (!csrfToken || !csrfCookie || !token || !hash || csrfCookie !== csrfToken) {
-          context.request.cookies.set(context.cookies.csrfToken.name, "", {
-            ...context.cookies.csrfToken.options,
-            maxAge: 0
-          });
-          return {
-            response: {
-              status: 403,
-              statusText: "Invalid CSRF Token"
-            }
-          };
-        }
-        const expectedHash = await hmac(context.secret, token);
-        if (hash !== expectedHash) {
-          context.request.cookies.set(context.cookies.csrfToken.name, "", {
-            ...context.cookies.csrfToken.options,
-            maxAge: 0
-          });
-          return {
-            response: {
-              status: 403,
-              statusText: "Invalid CSRF Token"
-            }
-          };
+    id: "discord",
+    name: "Discord",
+    createAuthorizationURL({ state, scopes }) {
+      const _scope = scopes || ["email"];
+      return discordArctic.createAuthorizationURL(state, _scope);
+    },
+    validateAuthorizationCode: discordArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch2(
+        "https://discord.com/api/users/@me",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken
+          }
         }
+      );
+      if (error2) {
         return null;
       }
-    },
-    handler: csrfHandler
+      return {
+        user: {
+          id: profile.id,
+          name: profile.display_name || profile.username || "",
+          email: profile.email,
+          emailVerified: profile.verified
+        },
+        data: profile
+      };
+    }
   };
 };
 
-// src/plugins/utils.ts
-var getPlugins = (options) => {
-  const plugins = {
-    post: [],
-    pre: [],
-    unordered: []
-  };
-  for (const plugin of options.plugins || []) {
-    plugins[plugin.order || "unordered"].push(plugin);
-  }
-  const internalPlugins = [CSRFCheckPlugin()];
-  return [
-    ...plugins.pre,
-    ...plugins.unordered,
-    ...internalPlugins,
-    ...plugins.post
-  ];
-};
-var usePlugins = (context, ignorePlugins) => {
-  const plugins = context.plugins.filter(
-    (pl) => pl.hooks && !ignorePlugins?.includes(pl.id)
+// src/social-providers/facebook.ts
+import { betterFetch as betterFetch3 } from "@better-fetch/fetch";
+import { Facebook } from "arctic";
+var facebook = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const facebookArctic = new Facebook(
+    clientId,
+    clientSecret,
+    getRedirectURI("facebook", redirectURI)
   );
-  const hooks = plugins.map((plugin) => {
-    return plugin.hooks;
-  });
-  const before = [];
-  const after = [];
-  for (const hook of hooks) {
-    if (hook.matcher(context)) {
-      hook.before && before.push(hook.before);
-      hook.after && after.push(hook.after);
-    }
-  }
   return {
-    before: async (context2) => {
-      let ctx = context2;
-      let response;
-      for (const hook of before) {
-        const res = await hook(ctx);
-        if (res?.context) {
-          ctx = res.context;
-        }
-        if (res?.response) {
-          response = res.response;
-          break;
+    id: "facebook",
+    name: "Facebook",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["email", "public_profile"];
+      return facebookArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: facebookArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch3(
+        "https://graph.facebook.com/me",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken
+          }
         }
+      );
+      if (error2) {
+        return null;
       }
       return {
-        context: ctx,
-        response
+        user: {
+          id: profile.id,
+          name: profile.name,
+          email: profile.email,
+          emailVerified: profile.email_verified
+        },
+        data: profile
       };
+    }
+  };
+};
+
+// src/social-providers/github.ts
+import { betterFetch as betterFetch4 } from "@better-fetch/fetch";
+import { GitHub } from "arctic";
+var github = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const githubArctic = new GitHub(
+    clientId,
+    clientSecret,
+    getRedirectURI("github", redirectURI)
+  );
+  return {
+    id: "github",
+    name: "Github",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["user:email"];
+      return githubArctic.createAuthorizationURL(state, _scopes);
     },
-    after: async (context2, fnResponse) => {
-      let ctx = context2;
-      let response;
-      for (const hook of after) {
-        const res = await hook(ctx, fnResponse);
-        if (res?.context) {
-          ctx = res.context;
+    validateAuthorizationCode: githubArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch4(
+        "https://api.github.com/user",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken}`
+          }
         }
-        if (res?.response) {
-          response = res.response;
-          break;
+      );
+      if (error2) {
+        return null;
+      }
+      let emailVerified = false;
+      if (!profile.email) {
+        const { data, error: error3 } = await betterFetch4("https://api.github.com/user/emails", {
+          headers: {
+            Authorization: `Bearer ${token.accessToken}`,
+            "User-Agent": "better-auth"
+          }
+        });
+        if (!error3) {
+          profile.email = (data.find((e) => e.primary) ?? data[0])?.email;
+          emailVerified = data.find((e) => e.email === profile.email)?.verified ?? false;
         }
       }
       return {
-        context: ctx,
-        response
+        user: {
+          id: profile.id,
+          name: profile.name,
+          email: profile.email,
+          image: profile.avatar_url,
+          emailVerified,
+          createdAt: /* @__PURE__ */ new Date(),
+          updatedAt: /* @__PURE__ */ new Date()
+        },
+        data: profile
       };
     }
   };
 };
-var withPlugins = (fn, ignorePlugins) => {
-  return async (ctx) => {
-    const { before, after } = usePlugins(ctx, ignorePlugins);
-    const { context, response } = await before(ctx);
-    if (response) {
-      return response;
-    }
-    const res = await fn(context);
-    const { response: afterResponse } = await after(context, res);
-    if (afterResponse) {
-      return afterResponse;
+
+// src/social-providers/google.ts
+import { Google } from "arctic";
+import { parseJWT as parseJWT2 } from "oslo/jwt";
+var google = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const googleArctic = new Google(
+    clientId,
+    clientSecret,
+    getRedirectURI("google", redirectURI)
+  );
+  return {
+    id: "google",
+    name: "Google",
+    createAuthorizationURL({ state, scopes, codeVerifier }) {
+      if (!codeVerifier) {
+        throw new BetterAuthError("codeVerifier is required for Google");
+      }
+      const _scopes = scopes || ["email", "profile"];
+      return googleArctic.createAuthorizationURL(state, codeVerifier, _scopes);
+    },
+    validateAuthorizationCode: async (code, codeVerifier) => {
+      if (!codeVerifier) {
+        throw new BetterAuthError("codeVerifier is required for Google");
+      }
+      return googleArctic.validateAuthorizationCode(code, codeVerifier);
+    },
+    async getUserInfo(token) {
+      if (!token.idToken) {
+        return null;
+      }
+      const user = parseJWT2(token.idToken())?.payload;
+      return {
+        user: {
+          id: user.sub,
+          name: user.name,
+          email: user.email,
+          image: user.picture,
+          emailVerified: user.email_verified
+        },
+        data: user
+      };
     }
-    return res;
   };
 };
 
-// src/routes/session.ts
-var session = async (context) => {
-  const session2 = await getServerSession(context);
-  if (!session2) {
-    return {
-      status: 401,
-      statusText: "Unauthorize"
-    };
-  }
+// src/social-providers/spotify.ts
+import { betterFetch as betterFetch5 } from "@better-fetch/fetch";
+import { Spotify } from "arctic";
+var spotify = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const spotifyArctic = new Spotify(
+    clientId,
+    clientSecret,
+    getRedirectURI("spotify", redirectURI)
+  );
   return {
-    status: 200,
-    body: session2
+    id: "spotify",
+    name: "Spotify",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["user-read-email"];
+      return spotifyArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: spotifyArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch5(
+        "https://api.spotify.com/v1/me",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken}`
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.display_name,
+          email: profile.email,
+          image: profile.images[0]?.url,
+          emailVerified: false
+        },
+        data: profile
+      };
+    }
   };
 };
-var getServerSession = async (context) => {
-  const sessionFromCookie = context.request.cookies.get(
-    context.cookies.sessionToken.name
+
+// src/social-providers/twitch.ts
+import { betterFetch as betterFetch6 } from "@better-fetch/fetch";
+import { Twitch } from "arctic";
+var twitch = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const twitchArctic = new Twitch(
+    clientId,
+    clientSecret,
+    getRedirectURI("twitch", redirectURI)
   );
-  if (!sessionFromCookie) {
-    return null;
-  }
-  const session2 = await context.adapter.findSession(sessionFromCookie, context);
-  if (!session2 || session2.expiresAt < /* @__PURE__ */ new Date()) {
-    session2 && await context.adapter.deleteSession(session2.id, context);
-    deleteSessionCooke(context);
-    return null;
-  }
-  const user = await context.adapter.findUserById(session2.userId, context);
-  if (!user) {
-    return null;
-  }
-  const updatedSession = await context.adapter.updateSession(session2, context);
-  context.request.cookies.set(context.cookies.sessionToken.name, session2.id, {
-    ...context.cookies.sessionToken.options,
-    maxAge: updatedSession.expiresAt.valueOf() - Date.now()
-  });
-  sessionFromCookie;
   return {
-    user,
-    expiresAt: session2.expiresAt
+    id: "twitch",
+    name: "Twitch",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["activity:write", "read"];
+      return twitchArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: twitchArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch6(
+        "https://api.twitch.tv/helix/users",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken}`
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.sub,
+          name: profile.preferred_username,
+          email: profile.email,
+          image: profile.picture,
+          emailVerified: false
+        },
+        data: profile
+      };
+    }
   };
 };
-var sessionHandler = withPlugins(session);
 
-// ../shared/src/error.ts
-var BetterAuthError = class extends Error {
-  constructor(message) {
-    super(`${message}`);
-    this.name = this.constructor.name;
-    Object.setPrototypeOf(this, new.target.prototype);
-    Error.captureStackTrace(this, this.constructor);
-  }
-};
-var MissingSecret = class extends BetterAuthError {
-  constructor() {
-    super("Missing Secret: A secret is required in a production environment.");
-  }
-};
-var InvalidURL = class extends BetterAuthError {
-  constructor(message) {
-    super(
-      message || "Please make sure your config includes valid base URL and base PATH."
-    );
-  }
-};
-var InvalidRequest = class extends BetterAuthError {
-  constructor() {
-    super("Post requests must include a valid JSON parsable body.");
-  }
-};
-var ProviderMissing = class extends BetterAuthError {
-  constructor(id) {
-    super(`Provider ${id} is missing on your configuration.`);
-  }
-};
-var ProviderError = class extends BetterAuthError {
+// src/social-providers/twitter.ts
+import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
+import { Twitter } from "arctic";
+var twitter = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const twitterArctic = new Twitter(
+    clientId,
+    clientSecret,
+    getRedirectURI("twitter", redirectURI)
+  );
+  return {
+    id: "twitter",
+    name: "Twitter",
+    createAuthorizationURL(data) {
+      const _scopes = data.scopes || ["account_info.read"];
+      return twitterArctic.createAuthorizationURL(
+        data.state,
+        data.codeVerifier,
+        _scopes
+      );
+    },
+    validateAuthorizationCode: async (code, codeVerifier) => {
+      if (!codeVerifier) {
+        throw new BetterAuthError("codeVerifier is required for Twitter");
+      }
+      return twitterArctic.validateAuthorizationCode(code, codeVerifier);
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch7(
+        "https://api.x.com/2/users/me?user.fields=profile_image_url",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken}`
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      if (!profile.data.email) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.data.id,
+          name: profile.data.name,
+          email: profile.data.email,
+          image: profile.data.profile_image_url,
+          emailVerified: profile.data.verified || false
+        },
+        data: profile
+      };
+    }
+  };
 };
 
-// src/routes/signin.ts
-import { z } from "zod";
+// src/types/provider.ts
+import "arctic";
 
-// src/oauth2/signin.ts
-import { base64url } from "jose";
+// src/social-providers/index.ts
+var oAuthProviders = {
+  apple,
+  discord,
+  facebook,
+  github,
+  google,
+  spotify,
+  twitch,
+  twitter
+};
+var oAuthProviderList = Object.keys(oAuthProviders);
 
-// src/crypto/sha.ts
-async function sha256(data) {
-  return await crypto.subtle.digest("SHA-256", data);
+// src/utils/state.ts
+import { generateState as generateStateOAuth } from "oslo/oauth2";
+function generateState(callbackURL, currentURL) {
+  const code = generateStateOAuth();
+  const state = `${code}!${callbackURL}!${currentURL}`;
+  return { state, code };
+}
+function parseState(state) {
+  const [code, callbackURL, currentURL] = state.split("!");
+  return { code, callbackURL, currentURL };
 }
 
-// src/oauth2/utils.ts
-async function discoveryRequest(context, provider) {
-  const issuerIdentifier = new URL(provider.issuer);
-  if (!(issuerIdentifier instanceof URL)) {
-    throw new TypeError('"issuerIdentifier" must be an instance of URL');
-  }
-  if (issuerIdentifier.protocol !== "https:" && issuerIdentifier.protocol !== "http:") {
-    throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
-  }
-  const url = new URL(issuerIdentifier.href);
-  switch (provider.type) {
-    case void 0:
-    case "oidc":
-      url.pathname = `${url.pathname}/.well-known/openid-configuration`.replace(
-        "//",
-        "/"
-      );
-      break;
-    case "oauth":
-      if (url.pathname === "/") {
-        url.pathname = ".well-known/oauth-authorization-server";
-      } else {
-        url.pathname = `.well-known/oauth-authorization-server/${url.pathname}`.replace(
-          "//",
-          "/"
-        );
-      }
-      break;
-    default:
-      throw new TypeError(`"provider.type" must be "oidc" or "oauth"`);
-  }
-  const headers = new Headers(context.request.headers);
-  headers.set("accept", "application/json");
-  return fetch(url.href, {
-    headers: Object.fromEntries(headers.entries()),
+// src/api/routes/session.ts
+var getSession = createAuthEndpoint(
+  "/session",
+  {
     method: "GET",
-    redirect: "manual"
-  }).then((res) => {
-    if (!res.ok) {
-      throw new Error(`HTTP error! status: ${res.status}`);
+    requireHeaders: true
+  },
+  async (ctx) => {
+    const sessionCookieToken = await ctx.getSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      ctx.context.secret
+    );
+    if (!sessionCookieToken) {
+      return ctx.json(null, {
+        status: 401
+      });
     }
-    return res.json();
-  });
-}
-
-// src/oauth2/signin.ts
-async function signInOAuth(context, provider, {
-  onlySignUp,
-  autoCreateSession
-} = {
-  autoCreateSession: true,
-  onlySignUp: false
-}) {
-  if (!provider.params.clientId) {
-    throw new ProviderError("clientId is required");
-  }
-  const scopes = Array.from(new Set(provider?.scopes ?? []));
-  const { currentURL, callbackURL, data } = context.request.body;
-  const state = generateState(
-    currentURL,
-    callbackURL,
-    data,
-    autoCreateSession,
-    onlySignUp
-  );
-  let url = provider.params.authorizationEndpoint;
-  if (!url) {
-    const discovery = await discoveryRequest(context, provider);
-    if (!discovery.authorization_endpoint)
-      throw new ProviderError("Missing authorization endpoint");
-    url = discovery.authorization_endpoint;
-  }
-  const authorizationUrl = new URL(url);
-  authorizationUrl.searchParams.set("response_type", "code");
-  authorizationUrl.searchParams.set("client_id", provider.params.clientId);
-  authorizationUrl.searchParams.set("state", state);
-  authorizationUrl.searchParams.set("scope", scopes.join(" "));
-  authorizationUrl.searchParams.set(
-    "redirect_uri",
-    provider.params.redirectURL || `${context.request.url.toString()}/callback/${context.request.body.provider}`
-  );
-  if (provider.type === "oidc") {
-    if (provider.nonce) {
-      const nonce = generateRandomString(24);
-      authorizationUrl.searchParams.set("nonce", nonce);
-      context.request.cookies.set(
-        context.cookies.nonce.name,
-        nonce,
-        context.cookies.nonce.options
+    const session = await ctx.context.internalAdapter.findSession(sessionCookieToken);
+    if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
+      ctx.setSignedCookie(
+        ctx.context.authCookies.sessionToken.name,
+        "",
+        ctx.context.secret,
+        {
+          maxAge: 0
+        }
       );
+      return ctx.json(null, {
+        status: 401
+      });
     }
+    const updatedSession = await ctx.context.internalAdapter.updateSession(
+      session.session
+    );
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      updatedSession.id,
+      ctx.context.secret,
+      {
+        ...ctx.context.authCookies.sessionToken.options,
+        maxAge: updatedSession.expiresAt.valueOf() - Date.now()
+      }
+    );
+    return ctx.json({
+      session: updatedSession,
+      user: session.user
+    });
   }
-  provider.params.responseMode && authorizationUrl.searchParams.set(
-    "response_mode",
-    provider.params.responseMode
-  );
-  if (provider.params.extra) {
-    const extra = Object.entries(provider.params.extra);
-    for (const [key, value] of extra) {
-      authorizationUrl.searchParams.set(key, value);
-    }
-  }
-  const codeVerifier = provider.pkCodeVerifier ? generateCodeVerifier() : void 0;
-  if (provider.pkCodeVerifier && codeVerifier) {
-    const codeChallengeMethod = provider?.codeChallengeMethod ?? "S256";
-    if (codeChallengeMethod === "S256") {
-      const codeChallengeBuffer = await sha256(
-        new TextEncoder().encode(codeVerifier)
-      );
-      const codeChallenge = base64url.encode(
-        new Uint8Array(codeChallengeBuffer)
+);
+var getSessionFromCtx = async (ctx) => {
+  const session = await getSession({
+    ...ctx,
+    //@ts-expect-error: By default since this request context comes from a router it'll have a `router` flag which force it to be a request object
+    _flag: void 0
+  });
+  return session;
+};
+
+// src/api/routes/sign-in.ts
+var signInOAuth = createAuthEndpoint(
+  "/sign-in/social",
+  {
+    method: "POST",
+    requireHeaders: true,
+    query: z3.object({
+      /**
+       * Redirect to the current URL after the
+       * user has signed in.
+       */
+      currentURL: z3.string().optional()
+    }).optional(),
+    body: z3.object({
+      /**
+       * Callback URL to redirect to after the user has signed in.
+       */
+      callbackURL: z3.string().optional(),
+      /**
+       * OAuth2 provider to use`
+       */
+      provider: z3.enum(oAuthProviderList)
+    })
+  },
+  async (c) => {
+    const provider = c.context.options.socialProvider?.find(
+      (p) => p.id === c.body.provider
+    );
+    if (!provider) {
+      c.context.logger.error(
+        "Provider not found. Make sure to add the provider to your auth config",
+        {
+          provider: c.body.provider
+        }
       );
-      authorizationUrl.searchParams.set("code_challenge", codeChallenge);
-      authorizationUrl.searchParams.set("code_challenge_method", "S256");
-    } else {
-      authorizationUrl.searchParams.set("code_challenge", codeVerifier);
-      authorizationUrl.searchParams.set("code_challenge_method", "plain");
+      throw new APIError2("NOT_FOUND");
     }
-  }
-  context.request.cookies.set(
-    context.cookies.state.name,
-    state,
-    context.cookies.state.options
-  );
-  if (codeVerifier) {
-    context.request.cookies.set(
-      context.cookies.pkCodeVerifier.name,
-      codeVerifier,
-      context.cookies.pkCodeVerifier.options
+    const cookie = c.context.authCookies;
+    const currentURL = c.query?.currentURL ? new URL(c.query?.currentURL) : null;
+    const state = generateState(
+      c.body.callbackURL || currentURL?.origin || c.context.baseURL,
+      c.query?.currentURL
     );
+    try {
+      await c.setSignedCookie(
+        cookie.state.name,
+        state.code,
+        c.context.secret,
+        cookie.state.options
+      );
+      const codeVerifier = generateCodeVerifier();
+      await c.setSignedCookie(
+        cookie.pkCodeVerifier.name,
+        codeVerifier,
+        c.context.secret,
+        cookie.pkCodeVerifier.options
+      );
+      const url = provider.createAuthorizationURL({
+        state: state.state,
+        codeVerifier
+      });
+      return {
+        url: url.toString(),
+        state: state.state,
+        codeVerifier,
+        redirect: true
+      };
+    } catch (e) {
+      throw new APIError2("INTERNAL_SERVER_ERROR");
+    }
   }
-  return authorizationUrl.toString();
-}
-function generateCodeVerifier() {
-  const randomValues = new Uint8Array(32);
-  crypto.getRandomValues(randomValues);
-  return base64url.encode(randomValues);
-}
-function generateState(currentURL, callbackURL, signUp2, autoCreateSession, onlySignUp) {
-  let state = generateRandomString(24);
-  state += `!${currentURL}`;
-  state += `!${callbackURL || currentURL}`;
-  state += `!${JSON.stringify({
-    data: signUp2,
-    autoCreateSession,
-    onlySignUp
-  })}`;
-  return state;
-}
-function getState(state) {
-  const [hash, currentURL, callbackURL, signUpString] = state.split("!");
-  if (!hash || !currentURL || !callbackURL) {
-    throw new ProviderError("Invalid state");
-  }
-  const signUp2 = signUpString ? JSON.parse(signUpString) : void 0;
-  return {
-    hash,
-    currentURL,
-    callbackURL,
-    signUp: {
-      data: signUp2?.data,
-      autoCreateSession: signUp2?.autoCreateSession,
-      onlySignUp: signUp2?.onlySignUp
+);
+var signInEmail = createAuthEndpoint(
+  "/sign-in/email",
+  {
+    method: "POST",
+    body: z3.object({
+      email: z3.string().email(),
+      password: z3.string(),
+      callbackURL: z3.string().optional(),
+      /**
+       * If this is true the session will only be valid for the current browser session
+       * @default false
+       */
+      dontRememberMe: z3.boolean().default(false).optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options?.emailAndPassword?.enabled) {
+      ctx.context.logger.error("Email and password is not enabled");
+      throw new APIError2("BAD_REQUEST", {
+        message: "Email and password is not enabled"
+      });
     }
-  };
-}
+    const currentSession = await getSessionFromCtx(ctx);
+    if (currentSession) {
+      return ctx.json({
+        user: currentSession.user,
+        session: currentSession.session,
+        redirect: !!ctx.body.callbackURL,
+        url: ctx.body.callbackURL
+      });
+    }
+    const { email, password } = ctx.body;
+    const argon2id = new Argon2id();
+    const user = await ctx.context.internalAdapter.findUserByEmail(email);
+    if (!user) {
+      await argon2id.hash(password);
+      ctx.context.logger.error("User not found", { email });
+      throw new APIError2("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const credentialAccount = user.accounts.find(
+      (a) => a.providerId === "credential"
+    );
+    if (!credentialAccount) {
+      ctx.context.logger.error("Credential account not found", { email });
+      throw new APIError2("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const currentPassword = credentialAccount?.password;
+    if (!currentPassword) {
+      ctx.context.logger.error("Password not found", { email });
+      throw new APIError2("UNAUTHORIZED", {
+        message: "Unexpected error"
+      });
+    }
+    const validPassword = await argon2id.verify(currentPassword, password);
+    if (!validPassword) {
+      ctx.context.logger.error("Invalid password");
+      throw new APIError2("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const session = await ctx.context.internalAdapter.createSession(
+      user.user.id,
+      ctx.request
+    );
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      session.id,
+      ctx.context.secret,
+      ctx.body.dontRememberMe ? {
+        ...ctx.context.authCookies.sessionToken.options,
+        maxAge: void 0
+      } : ctx.context.authCookies.sessionToken.options
+    );
+    return ctx.json({
+      user: user.user,
+      session,
+      redirect: !!ctx.body.callbackURL,
+      url: ctx.body.callbackURL
+    });
+  }
+);
+
+// src/api/routes/callback.ts
+import { APIError as APIError3 } from "better-call";
+import { z as z4 } from "zod";
 
-// src/providers/utils.ts
-var getProvider = (context, providerId) => {
-  const providers = context.providers;
-  const provider = providers.find((provider2) => provider2.id === providerId);
-  return provider;
+// src/client/client-utils.ts
+var HIDE_ON_CLIENT_METADATA = {
+  onClient: "hide"
 };
 
-// src/routes/signin.ts
-var bodySchema = z.object({
-  provider: z.string(),
-  data: z.record(z.string(), z.any()).optional(),
-  callbackURL: z.string().optional(),
-  currentURL: z.string()
-});
-var signIn = async (context) => {
-  const data = bodySchema.parse(context.request.body);
-  const provider = getProvider(context, data.provider);
-  if (!provider) {
-    throw new ProviderMissing(data.provider);
+// src/utils/id.ts
+import { alphabet, generateRandomString } from "oslo/crypto";
+var generateId = () => {
+  return generateRandomString(36, alphabet("a-z", "0-9"));
+};
+
+// src/api/routes/callback.ts
+var callbackOAuth = createAuthEndpoint(
+  "/callback/:id",
+  {
+    method: "GET",
+    query: z4.object({
+      state: z4.string(),
+      code: z4.string(),
+      code_verifier: z4.string().optional()
+    }),
+    metadata: HIDE_ON_CLIENT_METADATA
+  },
+  async (c) => {
+    const provider = c.context.options.socialProvider?.find(
+      (p) => p.id === c.params.id
+    );
+    if (!provider) {
+      c.context.logger.error(
+        "Oauth provider with id",
+        c.params.id,
+        "not found"
+      );
+      throw new APIError3("NOT_FOUND");
+    }
+    const tokens = await provider.validateAuthorizationCode(
+      c.query.code,
+      c.query.code_verifier || ""
+    );
+    if (!tokens) {
+      c.context.logger.error("Code verification failed");
+      throw new APIError3("UNAUTHORIZED");
+    }
+    const user = await provider.getUserInfo(tokens).then((res) => res?.user);
+    const id = generateId();
+    const data = userSchema.safeParse({
+      ...user,
+      id
+    });
+    const { callbackURL, currentURL } = parseState(c.query.state);
+    if (!user || data.success === false) {
+      if (currentURL) {
+        throw c.redirect(`${currentURL}?error=oauth_validation_failed`);
+      } else {
+        throw new APIError3("BAD_REQUEST");
+      }
+    }
+    if (!callbackURL) {
+      c.context.logger.error("Callback URL not found");
+      throw new APIError3("FORBIDDEN");
+    }
+    const dbUser = await c.context.internalAdapter.findUserByEmail(user.email);
+    const userId = dbUser?.user.id;
+    if (dbUser) {
+      const hasBeenLinked = dbUser.accounts.find(
+        (a) => a.providerId === provider.id
+      );
+      if (!hasBeenLinked && !user.emailVerified) {
+        c.context.logger.error("User already exists");
+        const url = new URL(currentURL || callbackURL);
+        url.searchParams.set("error", "user_already_exists");
+        throw c.redirect(url.toString());
+      }
+      if (!hasBeenLinked && user.emailVerified) {
+        await c.context.internalAdapter.linkAccount({
+          providerId: provider.id,
+          accountId: user.id,
+          id: `${provider.id}:${user.id}`,
+          userId: dbUser.user.id,
+          ...tokens
+        });
+      }
+    } else {
+      try {
+        await c.context.internalAdapter.createOAuthUser(data.data, {
+          ...tokens,
+          id: `${provider.id}:${user.id}`,
+          providerId: provider.id,
+          accountId: user.id,
+          userId: id
+        });
+      } catch (e) {
+        const url = new URL(currentURL || callbackURL);
+        url.searchParams.set("error", "unable_to_create_user");
+        c.setHeader("Location", url.toString());
+        throw c.redirect(url.toString());
+      }
+    }
+    if (!userId && !id)
+      throw new APIError3("INTERNAL_SERVER_ERROR", {
+        message: "Unable to create user"
+      });
+    const session = await c.context.internalAdapter.createSession(
+      userId || id,
+      c.request
+    );
+    try {
+      await c.setSignedCookie(
+        c.context.authCookies.sessionToken.name,
+        session.id,
+        c.context.secret,
+        c.context.authCookies.sessionToken.options
+      );
+    } catch (e) {
+      c.context.logger.error("Unable to set session cookie", e);
+      const url = new URL(currentURL || callbackURL);
+      url.searchParams.set("error", "unable_to_create_session");
+      throw c.redirect(url.toString());
+    }
+    throw c.redirect(callbackURL);
   }
-  if (provider.type === "oauth" || provider.type === "oidc") {
-    const url = await signInOAuth(context, provider);
-    return {
-      status: 200,
+);
+
+// src/api/routes/sign-out.ts
+import { z as z5 } from "zod";
+var signOut = createAuthEndpoint(
+  "/sign-out",
+  {
+    method: "POST",
+    body: z5.object({
+      callbackURL: z5.string().optional()
+    }).optional()
+  },
+  async (ctx) => {
+    const sessionCookieToken = await ctx.getSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      ctx.context.secret
+    );
+    if (!sessionCookieToken) {
+      return ctx.json(null);
+    }
+    await ctx.context.internalAdapter.deleteSession(sessionCookieToken);
+    ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
+      maxAge: 0
+    });
+    return ctx.json(null, {
       body: {
-        url,
-        redirect: true
+        redirect: !!ctx.body?.callbackURL,
+        url: ctx.body?.callbackURL
       }
+    });
+  }
+);
+
+// src/api/routes/forget-password.ts
+import { TimeSpan } from "oslo";
+import { createJWT } from "oslo/jwt";
+import { validateJWT } from "oslo/jwt";
+import { Argon2id as Argon2id2 } from "oslo/password";
+import { z as z6 } from "zod";
+var forgetPassword = createAuthEndpoint(
+  "/forget-password",
+  {
+    method: "POST",
+    body: z6.object({
+      /**
+       * The email address of the user to send a password reset email to.
+       */
+      email: z6.string().email()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.sendResetPasswordToken) {
+      ctx.context.logger.error(
+        "Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function to your auth config!"
+      );
+      return ctx.json(null, {
+        status: 400,
+        statusText: "RESET_PASSWORD_EMAIL_NOT_SENT",
+        body: {
+          message: "Reset password isn't enabled"
+        }
+      });
+    }
+    const { email } = ctx.body;
+    const user = await ctx.context.internalAdapter.findUserByEmail(email);
+    if (!user) {
+      return ctx.json(
+        {
+          error: "User not found"
+        },
+        {
+          status: 400,
+          statusText: "USER_NOT_FOUND",
+          body: {
+            message: "User not found"
+          }
+        }
+      );
+    }
+    const token = await createJWT(
+      "HS256",
+      Buffer.from(ctx.context.secret),
+      {
+        email: user.user.email
+      },
+      {
+        expiresIn: new TimeSpan(1, "h"),
+        issuer: "better-auth",
+        subject: "forget-password",
+        audiences: [user.user.email],
+        includeIssuedTimestamp: true
+      }
+    );
+    await ctx.context.options.emailAndPassword.sendResetPasswordToken(
+      token,
+      user.user
+    );
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var resetPassword = createAuthEndpoint(
+  "/reset-password",
+  {
+    method: "POST",
+    body: z6.object({
+      token: z6.string(),
+      newPassword: z6.string(),
+      callbackURL: z6.string().optional()
+    })
+  },
+  async (ctx) => {
+    const { token, newPassword } = ctx.body;
+    try {
+      const jwt = await validateJWT(
+        "HS256",
+        Buffer.from(ctx.context.secret),
+        token
+      );
+      const email = z6.string().email().parse(jwt.payload.email);
+      const user = await ctx.context.internalAdapter.findUserByEmail(email);
+      if (!user) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "USER_NOT_FOUND",
+          body: {
+            message: "User not found"
+          }
+        });
+      }
+      if (newPassword.length < (ctx.context.options.emailAndPassword?.minPasswordLength || 8) || newPassword.length > (ctx.context.options.emailAndPassword?.maxPasswordLength || 32)) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "INVALID_PASSWORD_LENGTH",
+          body: {
+            message: "Password length must be between 8 and 32"
+          }
+        });
+      }
+      const argon2id = new Argon2id2();
+      const hashedPassword = await argon2id.hash(newPassword);
+      const updatedUser = await ctx.context.internalAdapter.updatePassword(
+        user.user.id,
+        hashedPassword
+      );
+      if (!updatedUser) {
+        return ctx.json(null, {
+          status: 500,
+          statusText: "INTERNAL_SERVER_ERROR",
+          body: {
+            message: "Internal server error"
+          }
+        });
+      }
+      return ctx.json({
+        status: true,
+        url: ctx.body.callbackURL,
+        redirect: !!ctx.body.callbackURL
+      });
+    } catch (e) {
+      console.log(e);
+      return ctx.json(null, {
+        status: 400,
+        statusText: "INVALID_TOKEN",
+        body: {
+          message: "Invalid token"
+        }
+      });
+    }
+  }
+);
+
+// src/api/routes/verify-email.ts
+import { TimeSpan as TimeSpan2 } from "oslo";
+import { createJWT as createJWT2, validateJWT as validateJWT2 } from "oslo/jwt";
+import { z as z7 } from "zod";
+var sendVerificationEmail = createAuthEndpoint(
+  "/send-verification-email",
+  {
+    method: "POST",
+    body: z7.object({
+      email: z7.string().email(),
+      callbackURL: z7.string().optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.sendVerificationEmail) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "VERIFICATION_EMAIL_NOT_SENT",
+        body: {
+          message: "Verification email isn't enabled"
+        }
+      });
+    }
+    const { email } = ctx.body;
+    const token = await createJWT2(
+      "HS256",
+      Buffer.from(ctx.context.secret),
+      {
+        email: email.toLowerCase()
+      },
+      {
+        expiresIn: new TimeSpan2(1, "h"),
+        issuer: "better-auth",
+        subject: "verify-email",
+        audiences: [email],
+        includeIssuedTimestamp: true
+      }
+    );
+    const url = `${ctx.context.baseURL}/verify-email?token=${token}?callbackURL=${ctx.body.callbackURL}`;
+    await ctx.context.options.emailAndPassword.sendVerificationEmail(
+      email,
+      url
+    );
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var verifyEmail = createAuthEndpoint(
+  "/verify-email",
+  {
+    method: "GET",
+    query: z7.object({
+      token: z7.string(),
+      callbackURL: z7.string()
+    })
+  },
+  async (ctx) => {
+    const { token } = ctx.query;
+    try {
+      const jwt = await validateJWT2(
+        "HS256",
+        Buffer.from(ctx.context.secret),
+        token
+      );
+      const schema = z7.object({
+        email: z7.string().email()
+      });
+      const parsed = schema.parse(jwt.payload);
+      const user = await ctx.context.internalAdapter.findUserByEmail(
+        parsed.email
+      );
+      if (!user) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "USER_NOT_FOUND",
+          body: {
+            message: "User not found"
+          }
+        });
+      }
+      const account = user.accounts.find((a) => a.providerId === "credential");
+      if (!account) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "ACCOUNT_NOT_FOUND",
+          body: {
+            message: "Account not found"
+          }
+        });
+      }
+      await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
+        emailVerified: true
+      });
+      if (ctx.query.callbackURL) {
+        throw ctx.redirect(ctx.query.callbackURL);
+      }
+      return ctx.json({
+        status: true
+      });
+    } catch (e) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "INVALID_TOKEN",
+        body: {
+          message: "Invalid token"
+        }
+      });
+    }
+  }
+);
+
+// src/api/routes/csrf.ts
+import { alphabet as alphabet2, generateRandomString as generateRandomString2 } from "oslo/crypto";
+var getCSRFToken = createAuthEndpoint(
+  "/csrf",
+  {
+    method: "GET",
+    metadata: HIDE_ON_CLIENT_METADATA
+  },
+  async (ctx) => {
+    const csrfToken = await ctx.getSignedCookie(
+      ctx.context.authCookies.csrfToken.name,
+      ctx.context.secret
+    );
+    if (csrfToken) {
+      return {
+        csrfToken
+      };
+    }
+    const token = generateRandomString2(32, alphabet2("a-z", "0-9", "A-Z"));
+    const hash = await hs256(ctx.context.secret, token);
+    const cookie = `${token}!${hash}`;
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.csrfToken.name,
+      cookie,
+      ctx.context.secret,
+      ctx.context.authCookies.csrfToken.options
+    );
+    return {
+      csrfToken: token
     };
   }
-  if (provider.type === "custom") {
-    if (!provider.signIn) {
-      throw new ProviderError("Sign in method not implemented");
+);
+
+// src/api/routes/ok.ts
+var ok = createAuthEndpoint(
+  "/ok",
+  {
+    method: "GET"
+  },
+  async (ctx) => {
+    return ctx.json({
+      ok: true
+    });
+  }
+);
+var welcome = createAuthEndpoint(
+  "/welcome/ok",
+  {
+    method: "GET"
+  },
+  async () => {
+    return new Response("Welcome to Better Auth");
+  }
+);
+
+// src/api/routes/sign-up.ts
+import { alphabet as alphabet3, generateRandomString as generateRandomString3 } from "oslo/crypto";
+import { Argon2id as Argon2id3 } from "oslo/password";
+import { z as z8 } from "zod";
+var signUpEmail = createAuthEndpoint(
+  "/sign-up/email",
+  {
+    method: "POST",
+    body: z8.object({
+      name: z8.string(),
+      email: z8.string().email(),
+      password: z8.string(),
+      image: z8.string().optional(),
+      callbackURL: z8.string().optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.enabled) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Email and password is not enabled"
+        }
+      });
+    }
+    const { name, email, password, image } = ctx.body;
+    const minPasswordLength = ctx.context.options?.emailAndPassword?.minPasswordLength || 8;
+    if (password.length < minPasswordLength) {
+      ctx.context.logger.error("Password is too short");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too short" }
+      });
     }
-    const response = await provider.signIn(context);
-    return response;
+    const argon2id = new Argon2id3();
+    const dbUser = await ctx.context.internalAdapter.findUserByEmail(email);
+    const hash = await argon2id.hash(password);
+    if (dbUser?.user) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User already exists"
+        }
+      });
+    }
+    const createdUser = await ctx.context.internalAdapter.createUser({
+      id: generateRandomString3(32, alphabet3("a-z", "0-9", "A-Z")),
+      email: email.toLowerCase(),
+      name,
+      image,
+      emailVerified: false,
+      createdAt: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date()
+    });
+    await ctx.context.internalAdapter.linkAccount({
+      id: generateRandomString3(32, alphabet3("a-z", "0-9", "A-Z")),
+      userId: createdUser.id,
+      providerId: "credential",
+      accountId: createdUser.id,
+      password: hash
+    });
+    const session = await ctx.context.internalAdapter.createSession(
+      createdUser.id,
+      ctx.request
+    );
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      session.id,
+      ctx.context.secret,
+      ctx.context.authCookies.sessionToken.options
+    );
+    return ctx.json(
+      {
+        user: createdUser,
+        session
+      },
+      {
+        body: ctx.body.callbackURL ? {
+          url: ctx.body.callbackURL,
+          redirect: true
+        } : {
+          user: createdUser,
+          session
+        }
+      }
+    );
   }
-  throw new ProviderError("Invalid provider type");
+);
+
+// src/api/routes/error.ts
+var html = (errorCode = "Unknown") => `<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Authentication Error</title>
+    <style>
+        :root {
+            --bg-color: #f8f9fa;
+            --text-color: #212529;
+            --accent-color: #000000;
+            --error-color: #dc3545;
+            --border-color: #e9ecef;
+        }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+            background-color: var(--bg-color);
+            color: var(--text-color);
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            height: 100vh;
+            margin: 0;
+            line-height: 1.5;
+        }
+        .error-container {
+            background-color: #ffffff;
+            border-radius: 12px;
+            box-shadow: 0 4px 6px rgba(0, 0, 0, 0.05);
+            padding: 2.5rem;
+            text-align: center;
+            max-width: 90%;
+            width: 400px;
+        }
+        h1 {
+            color: var(--error-color);
+            font-size: 1.75rem;
+            margin-bottom: 1rem;
+            font-weight: 600;
+        }
+        p {
+            margin-bottom: 1.5rem;
+            color: #495057;
+        }
+        .btn {
+            background-color: var(--accent-color);
+            color: #ffffff;
+            text-decoration: none;
+            padding: 0.75rem 1.5rem;
+            border-radius: 6px;
+            transition: all 0.3s ease;
+            display: inline-block;
+            font-weight: 500;
+            border: 2px solid var(--accent-color);
+        }
+        .btn:hover {
+            background-color: #131721;
+        }
+        .error-code {
+            font-size: 0.875rem;
+            color: #6c757d;
+            margin-top: 1.5rem;
+            padding-top: 1.5rem;
+            border-top: 1px solid var(--border-color);
+        }
+        .icon {
+            font-size: 3rem;
+            margin-bottom: 1rem;
+        }
+    </style>
+</head>
+<body>
+    <div class="error-container">
+        <div class="icon">\u26A0\uFE0F</div>
+        <h1>Better Auth Error</h1>
+        <p>We encountered an issue while processing your request. Please try again or contact the application owner if the problem persists.</p>
+        <a href="#" id="returnLink" class="btn">Return to Application</a>
+        <div class="error-code">Error Code: <span id="errorCode">${errorCode}</span></div>
+    </div>
+</body>
+</html>`;
+var error = createAuthEndpoint(
+  "/error",
+  {
+    method: "GET"
+  },
+  async (c) => {
+    const query = new URL(c.request?.url || "").searchParams.get("error") || "Unknown";
+    return new Response(html(query), {
+      headers: {
+        "Content-Type": "text/html"
+      }
+    });
+  }
+);
+
+// src/api/index.ts
+var router = (ctx) => {
+  const pluginEndpoints = ctx.options.plugins?.reduce(
+    (acc, plugin) => {
+      return {
+        ...acc,
+        ...plugin.endpoints
+      };
+    },
+    {}
+  );
+  const middlewares = ctx.options.plugins?.map(
+    (plugin) => plugin.middlewares?.map((m) => {
+      const middleware = async (context) => {
+        return m.middleware({
+          ...context,
+          context: {
+            ...ctx,
+            ...context.context
+          }
+        });
+      };
+      middleware.path = m.path;
+      middleware.options = m.middleware.options;
+      middleware.headers = m.middleware.headers;
+      return {
+        path: m.path,
+        middleware
+      };
+    })
+  ).filter((plugin) => plugin !== void 0).flat() || [];
+  async function typedSession(ctx2) {
+    const handler = await getSession(ctx2);
+    return handler;
+  }
+  typedSession.path = getSession.path;
+  typedSession.method = getSession.method;
+  typedSession.options = getSession.options;
+  typedSession.headers = getSession.headers;
+  const baseEndpoints = {
+    signInOAuth,
+    callbackOAuth,
+    getCSRFToken,
+    getSession: typedSession,
+    signOut,
+    signUpEmail,
+    signInEmail,
+    forgetPassword,
+    resetPassword,
+    verifyEmail,
+    sendVerificationEmail
+  };
+  const endpoints = {
+    ...baseEndpoints,
+    ...pluginEndpoints,
+    ok,
+    welcome,
+    error
+  };
+  let api = {};
+  for (const [key, value] of Object.entries(endpoints)) {
+    api[key] = async (context) => {
+      for (const plugin of ctx.options.plugins || []) {
+        if (plugin.hooks?.before) {
+          for (const hook of plugin.hooks.before) {
+            const match = hook.matcher({
+              ...context,
+              ...value
+            });
+            if (match) {
+              const hookRes = await hook.handler(context);
+              if (hookRes && "context" in hookRes) {
+                context = {
+                  ...context,
+                  ...hookRes.context,
+                  ...value
+                };
+              }
+            }
+          }
+        }
+      }
+      const endpointRes = value({
+        ...context,
+        context: {
+          ...ctx,
+          ...context.context
+        }
+      });
+      let response = endpointRes;
+      for (const plugin of ctx.options.plugins || []) {
+        if (plugin.hooks?.after) {
+          for (const hook of plugin.hooks.after) {
+            const match = hook.matcher(context);
+            if (match) {
+              const obj = Object.assign(context, {
+                returned: endpointRes
+              });
+              const hookRes = await hook.handler(obj);
+              if (hookRes && "response" in hookRes) {
+                response = hookRes.response;
+              }
+            }
+          }
+        }
+      }
+      return response;
+    };
+    api[key].path = value.path;
+    api[key].method = value.method;
+    api[key].options = value.options;
+    api[key].headers = value.headers;
+  }
+  return createRouter(api, {
+    extraContext: ctx,
+    basePath: ctx.options.basePath,
+    routerMiddleware: [
+      {
+        path: "/**",
+        middleware: csrfMiddleware
+      },
+      ...middlewares
+    ],
+    /**
+     * this is to remove any sensitive data from the response
+     */
+    async transformResponse(res) {
+      let body = {};
+      try {
+        body = await res.json();
+      } catch (e) {
+        return res;
+      }
+      if (body?.user) {
+        body.user = parseUser(ctx.options, body.user);
+      }
+      if (body?.session) {
+        body.session = parseSession(ctx.options, body.session);
+      }
+      if (body?.account) {
+        body.account = parseAccount(ctx.options, body.account);
+      }
+      return new Response(body ? JSON.stringify(body) : null, {
+        headers: res.headers,
+        status: res.status,
+        statusText: res.statusText
+      });
+    },
+    onError(e) {
+      console.log(e);
+    }
+  });
 };
-var signInHandler = withPlugins(signIn);
 
-// src/routes/signout.ts
-var signOut = async (context) => {
-  const session2 = context.request.cookies.get(
-    context.cookies.sessionToken.name
+// src/adapters/kysely.ts
+import Database from "better-sqlite3";
+import { Kysely } from "kysely";
+import {
+  MysqlDialect,
+  PostgresDialect,
+  SqliteDialect
+} from "kysely";
+import { createPool } from "mysql2";
+import pg from "pg";
+var { Pool } = pg;
+function convertWhere(w) {
+  if (!w)
+    return {
+      and: null,
+      or: null
+    };
+  const and = w?.filter((w2) => w2.connector === "AND" || !w2.connector).reduce(
+    (acc, w2) => ({
+      ...acc,
+      [w2.field]: w2.value
+    }),
+    {}
   );
-  deleteSessionCooke(context);
-  if (session2) {
-    try {
-      await context.adapter.deleteSession(session2, context);
-    } catch (e) {
+  const or = w?.filter((w2) => w2.connector === "OR").reduce(
+    (acc, w2) => ({
+      ...acc,
+      [w2.field]: w2.value
+    }),
+    {}
+  );
+  return {
+    and: Object.keys(and).length ? and : null,
+    or: Object.keys(or).length ? or : null
+  };
+}
+function transformTo(val, fields, transform) {
+  for (const key in val) {
+    if (val[key] === 0 && fields[key]?.type === "boolean" && transform?.boolean) {
+      val[key] = false;
+    }
+    if (val[key] === 1 && fields[key]?.type === "boolean" && transform?.boolean) {
+      val[key] = true;
+    }
+    if (fields[key]?.type === "date") {
+      if (!(val[key] instanceof Date)) {
+        val[key] = new Date(val[key]);
+      }
+    }
+  }
+  return val;
+}
+function transformFrom(val, transform) {
+  for (const key in val) {
+    if (typeof val[key] === "boolean" && transform?.boolean) {
+      val[key] = val[key] ? 1 : 0;
+    }
+    if (val[key] instanceof Date) {
+      val[key] = val[key].toISOString();
+    }
+  }
+  return val;
+}
+var kyselyAdapter = (db, config) => {
+  return {
+    async create(data) {
+      let { model, data: val, select } = data;
+      if (config?.transform) {
+        val = transformFrom(val, config.transform);
+      }
+      let res = await db.insertInto(model).values(val).returningAll().executeTakeFirst();
+      if (config?.transform) {
+        const schema = config.transform.schema[model];
+        res = schema ? transformTo(val, schema, config.transform) : res;
+      }
+      if (select?.length) {
+        const data2 = res ? select.reduce((acc, cur) => {
+          if (res?.[cur]) {
+            return {
+              ...acc,
+              [cur]: res[cur]
+            };
+          }
+          return acc;
+        }, {}) : null;
+        res = data2;
+      }
+      return res;
+    },
+    async findOne(data) {
+      const { model, where, select } = data;
+      const { and, or } = convertWhere(where);
+      let query = db.selectFrom(model).selectAll();
+      if (or) {
+        query = query.where((eb) => eb.or(or));
+      }
+      if (and) {
+        query = query.where((eb) => eb.and(and));
+      }
+      let res = await query.executeTakeFirst();
+      if (select?.length) {
+        const data2 = res ? select.reduce((acc, cur) => {
+          if (res?.[cur]) {
+            return {
+              ...acc,
+              [cur]: res[cur]
+            };
+          }
+          return acc;
+        }, {}) : null;
+        res = data2;
+      }
+      if (config?.transform) {
+        const schema = config.transform.schema[model];
+        res = res && schema ? transformTo(res, schema, config.transform) : res;
+        return res || null;
+      }
+      return res || null;
+    },
+    async findMany(data) {
+      const { model, where } = data;
+      let query = db.selectFrom(model);
+      const { and, or } = convertWhere(where);
+      if (and) {
+        query = query.where((eb) => eb.and(and));
+      }
+      if (or) {
+        query = query.where((eb) => eb.or(or));
+      }
+      const res = await query.selectAll().execute();
+      if (config?.transform) {
+        const schema = config.transform.schema[model];
+        return schema ? res.map((v) => transformTo(v, schema, config.transform)) : res;
+      }
+      return res;
+    },
+    async update(data) {
+      let { model, where, update: val } = data;
+      const { and, or } = convertWhere(where);
+      if (config?.transform) {
+        val = transformFrom(val, config.transform);
+      }
+      let query = db.updateTable(model).set(val);
+      if (and) {
+        query = query.where((eb) => eb.and(and));
+      }
+      if (or) {
+        query = query.where((eb) => eb.or(or));
+      }
+      const res = await query.returningAll().executeTakeFirst();
+      if (config?.transform) {
+        const schema = config.transform.schema[model];
+        return schema ? transformTo(res, schema, config.transform) : res;
+      }
+      return res;
+    },
+    async delete(data) {
+      const { model, where } = data;
+      const { and, or } = convertWhere(where);
+      let query = db.deleteFrom(model);
+      if (and) {
+        query = query.where((eb) => eb.and(and));
+      }
+      if (or) {
+        query = query.where((eb) => eb.or(or));
+      }
+      await query.execute();
+    }
+  };
+};
+var getDialect = (config) => {
+  if (!config.database) {
+    return null;
+  }
+  let dialect = null;
+  if ("provider" in config.database) {
+    const provider = config.database.provider;
+    const connectionString = config.database.url.trim();
+    if (provider === "postgres") {
+      const pool = new Pool({
+        connectionString
+      });
+      dialect = new PostgresDialect({
+        pool
+      });
+    }
+    if (provider === "mysql") {
+      const params = new URL(connectionString);
+      const pool = createPool({
+        host: params.hostname,
+        user: params.username,
+        password: params.password,
+        database: params.pathname.split("/")[1],
+        port: Number(params.port)
+      });
+      dialect = new MysqlDialect({ pool });
+    }
+    if (provider === "sqlite") {
+      const db = new Database(connectionString);
+      dialect = new SqliteDialect({
+        database: db
+      });
+    }
+  }
+  return dialect;
+};
+var createKyselyAdapter = (config) => {
+  const dialect = getDialect(config);
+  if (!dialect) {
+    return null;
+  }
+  const db = new Kysely({
+    dialect
+  });
+  return db;
+};
+var getDatabaseType = (config) => {
+  if ("provider" in config.database) {
+    return config.database.provider;
+  }
+  if ("dialect" in config.database) {
+    if (config.database.dialect instanceof PostgresDialect) {
+      return "postgres";
+    }
+    if (config.database.dialect instanceof MysqlDialect) {
+      return "mysql";
+    }
+    if (config.database.dialect instanceof SqliteDialect) {
+      return "sqlite";
+    }
+  }
+  return "sqlite";
+};
+
+// src/adapters/get-tables.ts
+var getAuthTables = (options) => {
+  const pluginSchema = options.plugins?.reduce((acc, plugin) => {
+    const schema = plugin.schema;
+    return {
+      ...acc,
+      ...schema
+    };
+  }, {});
+  return {
+    ...pluginSchema,
+    user: {
+      tableName: options.user?.modelName || "user",
+      fields: {
+        name: {
+          type: "string"
+        },
+        email: {
+          type: "string"
+        },
+        emailVerified: {
+          type: "boolean",
+          defaultValue: () => false
+        },
+        image: {
+          type: "string",
+          required: false
+        },
+        createdAt: {
+          type: "date",
+          defaultValue: () => /* @__PURE__ */ new Date()
+        },
+        updatedAt: {
+          type: "date",
+          defaultValue: () => /* @__PURE__ */ new Date()
+        }
+      }
+    },
+    session: {
+      tableName: options.session?.modelName || "session",
+      fields: {
+        expiresAt: {
+          type: "date"
+        },
+        ipAddress: {
+          type: "string",
+          required: false
+        },
+        userAgent: {
+          type: "string",
+          required: false
+        },
+        userId: {
+          type: "string",
+          references: {
+            model: "user",
+            field: "id",
+            onDelete: "cascade"
+          }
+        }
+      }
+    },
+    account: {
+      tableName: options.account?.modelName || "account",
+      fields: {
+        accountId: {
+          type: "string"
+        },
+        providerId: {
+          type: "string"
+        },
+        userId: {
+          type: "string",
+          references: {
+            model: "user",
+            field: "id",
+            onDelete: "cascade"
+          }
+        },
+        accessToken: {
+          type: "string",
+          required: false
+        },
+        refreshToken: {
+          type: "string",
+          required: false
+        },
+        idToken: {
+          type: "string",
+          required: false
+        },
+        accessTokenExpiresAt: {
+          type: "date",
+          required: false
+        },
+        refreshTokenExpiresAt: {
+          type: "date",
+          required: false
+        },
+        password: {
+          type: "string",
+          required: false
+        }
+      }
     }
-  }
-  return {
-    status: 200
   };
 };
-var signOutHandler = withPlugins(signOut);
 
-// src/actions/index.ts
-function getActions(options, handlerOptions) {
-  const actions = {
-    /**
-     * Sign in with a provider. This action will return response object. If
-     * it's oauth, it will redirect to the provider. If it's custom, it
-     * will return the response object and it'll set the cookies.
-     *
-     * ► In most cases you should just be using
-     * client sdk  for sign in instead unless you
-     * have a good reason to use this.
-     */
-    signIn: async (request, input) => {
-      const url = request instanceof Headers ? request.get("referer") : request.url;
-      const req = new Request(url, {
-        body: JSON.stringify(input),
-        method: "POST"
-      });
-      const context = await toContext(options, req);
-      context.disableCSRF = true;
-      context.request.body = {
-        currentURL: url,
-        provider: input.provider
-      };
-      const response = await signInHandler(context);
-      if (response.body.redirect) {
-        return toResponse(
-          {
-            status: 302,
-            headers: {
-              Location: response.body.url
-            }
-          },
-          context
-        );
-      }
-      return toResponse(response, context, handlerOptions);
-    },
-    /**
-     * Get the current logged in user session.
-     */
-    getSession: async (request) => {
-      const url = request instanceof Headers ? request.get("referer") || request.get("x-forwarded-host") || "http://localhost" : request.url;
-      const req = request instanceof Request ? request : new Request(url, {
-        method: "POST",
-        body: JSON.stringify({}),
-        headers: request
-      });
-      const context = await toContext(options, req);
-      context.disableCSRF = true;
-      const response = await getServerSession(context);
-      return response;
-    },
-    /**
-     * Signout the current user.
-     * Delete the session and clear the cookies.
-     */
-    signOut: async (request) => {
-      const url = request instanceof Headers ? request.get("referer") : request.url;
-      const req = request instanceof Request ? request : new Request(url, {
-        method: "POST",
-        body: JSON.stringify({}),
-        headers: request
-      });
-      const context = await toContext(options, req);
-      context.disableCSRF = true;
-      const response = await signOutHandler(context);
-      return toResponse(response, context, handlerOptions);
+// src/adapters/utils.ts
+function getAdapter(options) {
+  if (!options.database) {
+    throw new BetterAuthError("Database configuration is required");
+  }
+  if ("provider" in options.database) {
+    const db = createKyselyAdapter(options);
+    if (!db) {
+      throw new BetterAuthError("Failed to initialize database adapter");
     }
-  };
-  return actions;
+    const tables = getAuthTables(options);
+    return kyselyAdapter(db, {
+      transform: {
+        schema: {
+          [tables.user.tableName]: tables.user.fields,
+          [tables.session.tableName]: tables.session.fields,
+          [tables.account.tableName]: tables.account.fields
+        },
+        date: true,
+        boolean: getDatabaseType(options) === "sqlite"
+      }
+    });
+  }
+  return options.database;
 }
 
-// src/utils/time.ts
-var timeSpan = (span) => {
-  const [time, unit] = span;
-  const timeInMs = Number.parseInt(time) * 1e3;
-  switch (unit) {
-    case "s":
-      return timeInMs;
-    case "m":
-      return timeInMs * 60;
-    case "hr":
-      return timeInMs * 60 * 60;
-    case "d":
-      return timeInMs * 60 * 60 * 24;
-    case "w":
-      return timeInMs * 60 * 60 * 24 * 7;
-    default:
-      return 0;
-  }
-};
+// src/adapters/internal-adapter.ts
+import { alphabet as alphabet4, generateRandomString as generateRandomString4 } from "oslo/crypto";
+
+// src/utils/date.ts
 var getDate = (span) => {
-  const sec = typeof span === "number" ? span : timeSpan(span);
   const date = /* @__PURE__ */ new Date();
-  return new Date(date.getTime() + sec);
+  return new Date(date.getTime() + span);
 };
 
 // src/adapters/internal-adapter.ts
-var createInternalAdapter = (db) => {
+var createInternalAdapter = (adapter, options) => {
+  const sessionExpiration = options.session?.expiresIn || 60 * 60 * 24 * 7;
+  const tables = getAuthTables(options);
   return {
-    createSession: async (userId, context) => {
-      if (context.sessionAdapter) {
-        return context.sessionAdapter.create({
-          userId,
-          expiresAt: new Date(Date.now() + context.session.expiresIn)
+    createOAuthUser: async (user, account) => {
+      try {
+        const createdUser = await adapter.create({
+          model: tables.user.tableName,
+          data: user
+        });
+        const createdAccount = await adapter.create({
+          model: tables.account.tableName,
+          data: account
         });
+        return {
+          user: createdUser,
+          account: createdAccount
+        };
+      } catch (e) {
+        console.log(e);
+        return null;
       }
-      const session2 = await db.create({
-        model: context.session.modelName,
-        data: {
-          id: generateRandomString(32),
-          userId,
-          expiresAt: db.config?.dateFormat === "number" ? Date.now() + context.session.expiresIn : new Date(Date.now() + context.session.expiresIn)
-        },
-        select: context.session.selectFields
+    },
+    createUser: async (user) => {
+      const createdUser = await adapter.create({
+        model: tables.user.tableName,
+        data: user
+      });
+      return createdUser;
+    },
+    createSession: async (userId, request) => {
+      const data = {
+        id: generateRandomString4(32, alphabet4("a-z", "0-9", "A-Z")),
+        userId,
+        expiresAt: getDate(sessionExpiration),
+        ipAddress: request?.headers.get("x-forwarded-for") || "",
+        userAgent: request?.headers.get("user-agent") || ""
+      };
+      const session = adapter.create({
+        model: tables.session.tableName,
+        data
+      });
+      return session;
+    },
+    findSession: async (sessionId) => {
+      const session = await adapter.findOne({
+        model: tables.session.tableName,
+        where: [
+          {
+            value: sessionId,
+            field: "id"
+          }
+        ]
+      });
+      if (!session) {
+        return null;
+      }
+      const user = await adapter.findOne({
+        model: tables.user.tableName,
+        where: [
+          {
+            value: session.userId,
+            field: "id"
+          }
+        ]
       });
-      return session2;
+      if (!user) {
+        return null;
+      }
+      return {
+        session,
+        user
+      };
     },
-    updateSession: async (session2, context) => {
-      const updateDate = context.session.updateAge === 0 ? 0 : getDate(context.session.updateAge).valueOf();
-      const maxAge = getDate(context.session.expiresIn);
-      const shouldBeUpdated = session2.expiresAt.valueOf() - maxAge.valueOf() + updateDate <= Date.now();
+    updateSession: async (session) => {
+      const updateAge = options.session?.updateAge === void 0 ? 1e3 : options.session?.updateAge;
+      const updateDate = updateAge === 0 ? 0 : getDate(updateAge).valueOf();
+      const maxAge = getDate(sessionExpiration);
+      const shouldBeUpdated = session.expiresAt.valueOf() - maxAge.valueOf() + updateDate <= Date.now();
       if (shouldBeUpdated) {
-        if (context.sessionAdapter) {
-          return context.sessionAdapter.update({
-            id: session2.id,
-            userId: session2.userId,
-            expiresAt: new Date(Date.now() + context.session.expiresIn)
-          });
-        }
-        const updatedSession = await db.update({
-          model: context.session.modelName,
+        const updatedSession = await adapter.create({
+          model: tables.session.tableName,
+          data: {
+            ...session,
+            id: generateRandomString4(32, alphabet4("a-z", "0-9", "A-Z")),
+            expiresAt: new Date(Date.now() + sessionExpiration)
+          }
+        });
+        await adapter.update({
+          model: tables.session.tableName,
           where: [
             {
               field: "id",
-              value: session2.id
+              value: session.id
             }
           ],
           update: {
-            expiresAt: db.config?.dateFormat === "number" ? Date.now() + context.session.expiresIn : new Date(Date.now() + context.session.expiresIn)
+            /**
+             * update the session to expire in 2 minute. This is to prevent
+             * the session from expiring too quickly and logging the user out.
+             */
+            expiresAt: new Date(Date.now() + 1e3 * 60 * 2)
           }
         });
         return updatedSession;
       }
-      return session2;
+      return session;
     },
-    deleteSession: async (id, context) => {
-      const session2 = await db.delete({
-        model: context.session.modelName,
+    deleteSession: async (id) => {
+      const session = await adapter.delete({
+        model: tables.session.tableName,
         where: [
           {
             field: "id",
@@ -732,110 +2192,80 @@ var createInternalAdapter = (db) => {
           }
         ]
       });
-      return session2;
+      return session;
     },
-    createUser: async (data, context) => {
-      const user = await db.create({
-        model: context.user.modelName,
-        data: {
-          id: generateRandomString(32),
-          ...data.user
-        },
-        select: context.user.selectFields
-      });
-      const account = await db.create({
-        model: context.account.modelName,
-        data: {
-          ...data.account,
-          userId: user.id,
-          providerId: data.account.providerId.toString(),
-          accountId: data.account.accountId.toString()
-        }
-      });
-      return { user, account };
-    },
-    updateUserByEmail: async (email, data, context) => {
-      const user = await db.update({
-        model: context.user.modelName,
+    findUserByEmail: async (email) => {
+      const user = await adapter.findOne({
+        model: tables.user.tableName,
         where: [
           {
-            field: "email",
-            value: email
+            value: email.toLowerCase(),
+            field: "email"
           }
-        ],
-        update: data
+        ]
       });
-      return user;
-    },
-    findUserByEmail: async (email, context) => {
-      const user = await db.findOne({
-        model: context.user.modelName,
+      if (!user) return null;
+      const accounts = await adapter.findMany({
+        model: tables.account.tableName,
         where: [
           {
-            field: "email",
-            value: email
+            value: user.id,
+            field: "userId"
           }
-        ],
-        select: context.user.selectFields
+        ]
       });
-      return user;
+      return {
+        user,
+        accounts
+      };
     },
-    findSession: async (id, context) => {
-      if (context.sessionAdapter) {
-        return context.sessionAdapter.findOne({
-          userId: id
-        });
-      }
-      const session2 = await db.findOne({
-        model: context.session.modelName,
+    findUserById: async (userId) => {
+      const user = await adapter.findOne({
+        model: tables.user.tableName,
         where: [
           {
             field: "id",
-            value: id
+            value: userId
           }
-        ],
-        select: context.session.selectFields
+        ]
+      });
+      return user;
+    },
+    linkAccount: async (account) => {
+      const _account = await adapter.create({
+        model: tables.account.tableName,
+        data: account
       });
-      return session2;
+      return _account;
     },
-    findUserById: async (id, context) => {
-      const user = await db.findOne({
-        model: context.user.modelName,
+    updateUserByEmail: async (email, data) => {
+      const user = await adapter.update({
+        model: tables.user.tableName,
         where: [
           {
-            field: "id",
-            value: id
+            value: email,
+            field: "email"
           }
         ],
-        select: context.user.selectFields
+        update: data
       });
       return user;
     },
-    findAccount: async (input, context) => {
-      const account = await db.findOne({
-        model: context.account.modelName,
+    updatePassword: async (userId, password) => {
+      const account = await adapter.update({
+        model: tables.account.tableName,
         where: [
           {
-            field: "providerId",
-            value: input.providerId.toString()
+            value: userId,
+            field: "userId"
           },
           {
-            field: "accountId",
-            value: input.accountId.toString()
+            field: "providerId",
+            value: "credential"
           }
         ],
-        select: context.account.selectFields
-      });
-      return account;
-    },
-    linkAccount: async (input, context) => {
-      const { userId, providerId, accountId } = input;
-      const account = await db.create({
-        model: context.account.modelName,
-        data: {
-          userId,
-          providerId: providerId.toString(),
-          accountId: accountId.toString()
+        update: {
+          password
         }
       });
       return account;
@@ -843,51 +2273,21 @@ var createInternalAdapter = (db) => {
   };
 };
 
-// src/adapters/utils.ts
-import { z as z2 } from "zod";
-function toInternalFields(fields) {
-  const internalFields = {};
-  for (const field in fields) {
-    const { type, required, returned, hashValue, transform } = fields[field];
-    internalFields[field] = {
-      required: required ?? false,
-      returned: returned ?? true,
-      hashValue: hashValue ?? false,
-      validator: z2[type]().transform(transform || ((x) => x))
-    };
-  }
-  return internalFields;
-}
-function getSelectFields(fields, table) {
-  const select = Object.keys(fields).filter((column) => {
-    return fields[column]?.returned !== false;
-  });
-  const defaultSelect = {
-    session: ["id", "userId", "expiresAt"],
-    user: ["id", "email", "emailVerified"],
-    account: ["providerId", "accountId", "userId"]
+// src/db/field.ts
+var createFieldAttribute = (type, config) => {
+  return {
+    type,
+    ...config
   };
-  return [...defaultSelect[table], ...select];
-}
-var parseUser = (data, context) => {
-  const user = Object.keys(data).map((key) => {
-    const parsed = context.user.fields[key]?.validator.safeParse(data?.[key]);
-    return { key, value: parsed?.success ? parsed.data : data?.[key] };
-  }).reduce(
-    (acc, { key, value }) => {
-      acc[key] = value;
-      return acc;
-    },
-    {}
-  );
-  return user;
 };
 
-// src/cookies/cookies.ts
+// src/utils/cookies.ts
+import { TimeSpan as TimeSpan3 } from "oslo";
 function getCookies(options) {
-  const secure = !!options.advanced?.useSecureCookies;
+  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV === "production";
   const secureCookiePrefix = secure ? "__Secure-" : "";
   const cookiePrefix = "better-auth";
+  const sessionMaxAge = new TimeSpan3(7, "d").seconds();
   return {
     sessionToken: {
       name: `${secureCookiePrefix}${cookiePrefix}.session_token`,
@@ -896,17 +2296,17 @@ function getCookies(options) {
         sameSite: "lax",
         path: "/",
         secure,
-        maxAge: options.session?.expiresIn || timeSpan("7d"),
-        ...options.advanced?.sessionCookie
+        maxAge: sessionMaxAge
       }
     },
     csrfToken: {
-      name: `${secureCookiePrefix}${cookiePrefix}.csrf_token`,
+      name: `${secureCookiePrefix ? "__Host-" : ""}${cookiePrefix}.csrf_token`,
       options: {
         httpOnly: true,
         sameSite: "lax",
         path: "/",
-        secure
+        secure,
+        maxAge: 60 * 60 * 24 * 7
       }
     },
     state: {
@@ -944,496 +2344,100 @@ function getCookies(options) {
     }
   };
 }
-
-// src/routes/callback.ts
-import { z as z3 } from "zod";
-
-// src/oauth2/tokens.ts
-import { base64url as base64url2 } from "jose";
-async function getTokens(context, provider) {
-  const redirectURL = provider.params.redirectURL || `${context.baseURL}${context.basePath}/callback/${provider.id}`;
-  const headers = new Headers();
-  headers.set("Content-Type", "application/x-www-form-urlencoded");
-  headers.set("Accept", "application/json");
-  headers.set("User-Agent", "better-auth");
-  const encodedCredentials = base64url2.encode(
-    `${provider.params.clientId}:${provider.params.clientSecret}`
-  );
-  headers.set("Authorization", `Basic ${encodedCredentials}`);
-  const body = new URLSearchParams();
-  body.set("grant_type", "authorization_code");
-  body.set("code", context.request.query.code);
-  body.set("redirect_uri", redirectURL);
-  if (provider.pkCodeVerifier) {
-    const codeVerifier = context.request.cookies.get(
-      context.cookies.pkCodeVerifier.name
-    );
-    codeVerifier && body.set("code_verifier", codeVerifier);
-  }
-  body.set("client_id", provider.params.clientId);
-  body.set("client_secret", provider.params.clientSecret);
-  let url = provider.params.tokenEndpoint;
-  if (!url) {
-    const discovery = await discoveryRequest(context, provider);
-    if (!discovery.token_endpoint) {
-      throw new Error("Missing token endpoint");
-    }
-    url = discovery.token_endpoint;
-  }
-  const response = await fetch(url, {
-    method: "POST",
-    body,
-    headers
-  });
-  const data = await response.json();
-  return data;
-}
-
-// src/routes/callback.ts
-var callbackQuerySchema = z3.object({
-  code: z3.string(),
-  state: z3.string(),
-  provider: z3.string()
-});
-var callback = async (context) => {
-  const parsedQuery = callbackQuerySchema.safeParse(context.request.query);
-  if (!parsedQuery.success) {
-    const error = context.request.url.searchParams.get("error");
-    const errorDesc = context.request.url.searchParams.get("error_description");
-    const state = context.request.url.searchParams.get("state");
-    if (!state) {
-      throw new ProviderError(
-        `state is not returned from ${context.request.url.searchParams.get(
-          "provider"
-        )}`
-      );
-    }
-    const { currentURL } = getState(state);
+function createCookieGetter(options) {
+  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV === "production";
+  const secureCookiePrefix = secure ? "__Secure-" : "";
+  const cookiePrefix = "better-auth";
+  function getCookie(cookieName, options2) {
     return {
-      status: 302,
-      headers: {
-        Location: `${currentURL}?error=${error}&error_description=${errorDesc}`
-      }
-    };
-  }
-  const provider = getProvider(context, parsedQuery.data.provider);
-  if (provider?.type === "oauth" || provider?.type === "oidc") {
-    const storedState = context.request.cookies.get(context.cookies.state.name);
-    const state = parsedQuery.data.state;
-    const { currentURL } = getState(state);
-    if (storedState !== state) {
-      return {
-        status: 302,
-        headers: {
-          Location: `${currentURL}?error=invalid_state`
-        }
-      };
-    }
-    const tokens = await getTokens(context, provider);
-    if (tokens.error) {
-      return {
-        status: 302,
-        headers: {
-          Location: `${currentURL}?error=${tokens.error}`
-        }
-      };
-    }
-    if (provider.type === "oauth" || provider.type === "oidc") {
-      const profile = await provider.getUserInfo(tokens);
-      const {
-        callbackURL,
-        currentURL: currentURL2,
-        signUp: { data, autoCreateSession, onlySignUp }
-      } = getState(state);
-      let userAccount = await context.adapter.findAccount(
-        {
-          providerId: provider.id,
-          accountId: profile.id
-        },
-        context
-      );
-      if (provider.type === "oidc") {
-        if (profile.nonce) {
-          const nonce = context.request.cookies.get(context.cookies.nonce.name);
-          if (profile.nonce !== nonce) {
-            return {
-              status: 302,
-              headers: {
-                Location: `${currentURL2}?error=invalid_nonce`
-              }
-            };
-          }
-        }
-      }
-      if (onlySignUp && userAccount) {
-        return {
-          status: 302,
-          headers: {
-            Location: `${currentURL2}?error=user_already_exist`
-          }
-        };
-      }
-      let userData = null;
-      if (!userAccount) {
-        if (provider.params.linkAccounts) {
-          const shouldLink = provider.params.linkAccounts.enabler ? await provider.params.linkAccounts.enabler(profile) : true;
-          if (shouldLink) {
-            const { field, key } = provider.params.linkAccounts;
-            const user = await context._db.findOne({
-              model: context.user.modelName,
-              where: [
-                {
-                  field,
-                  value: profile[key]
-                }
-              ]
-            });
-            if (user) {
-              userAccount = await context.adapter.linkAccount(
-                {
-                  userId: user.id,
-                  providerId: provider.id,
-                  accountId: profile.id
-                },
-                context
-              );
-              userData = user;
-            }
-          }
-        }
-        if (!userData && !data) {
-          return {
-            status: 302,
-            headers: {
-              Location: `${callbackURL}?error=user_not_found`
-            }
-          };
-        }
-        if (!userData) {
-          let signUpData = {};
-          for (const key in data) {
-            if (typeof data[key] === "string") {
-              const constructedKey = data[key].split(".");
-              let value = profile;
-              for (const k of constructedKey) {
-                value = value[k];
-              }
-              signUpData[key] = value;
-            } else if ("value" in data[key]) {
-              signUpData[key] = data[key].value;
-            }
-          }
-          signUpData = parseUser(signUpData, context);
-          const accountData = {
-            providerId: provider.id,
-            accountId: profile.id
-          };
-          for (const key in context.account.additionalFields) {
-            accountData[key] = tokens[context.account.additionalFields[key]];
-          }
-          try {
-            const { user, account } = await context.adapter.createUser(
-              {
-                user: signUpData,
-                account: accountData
-              },
-              context
-            );
-            userAccount = account;
-            userData = user;
-          } catch (e) {
-            return {
-              status: 302,
-              headers: {
-                Location: `${currentURL2}?error=user_already_exist`
-              }
-            };
-          }
-        }
-      }
-      if (!userData) {
-        userData = await context.adapter.findUserById(
-          userAccount?.userId,
-          context
-        );
-      }
-      if (autoCreateSession) {
-        const session2 = await context.adapter.createSession(
-          userData?.id,
-          context
-        );
-        setSessionCookie(context, session2.id);
+      name: process.env.NODE_ENV === "production" ? `${secureCookiePrefix}${cookiePrefix}.${cookieName}` : `${cookiePrefix}.${cookieName}`,
+      options: {
+        secure,
+        sameSite: "lax",
+        path: "/",
+        maxAge: 60 * 15,
+        // 15 minutes in seconds
+        ...options2
       }
-      return {
-        status: 302,
-        headers: {
-          Location: callbackURL
-        }
-      };
-    }
-    return {
-      status: 200
     };
   }
-  throw new ProviderError("Invalid provider type");
-};
-var callbackHandler = withPlugins(callback, ["csrf"]);
+  return getCookie;
+}
 
-// src/routes/signup.ts
-import { z as z4 } from "zod";
-var signUpSchema = z4.object({
-  data: z4.record(z4.string(), z4.any()).optional(),
-  provider: z4.string(),
-  currentURL: z4.string(),
-  callbackURL: z4.string().optional(),
-  autoCreateSession: z4.boolean().optional()
-});
-var signUp = async (context) => {
-  const data = signUpSchema.parse(context.request.body);
-  const provider = getProvider(context, data.provider);
-  if (!provider) {
-    throw new ProviderMissing(data.provider);
-  }
-  if (provider?.type === "oauth" || provider?.type === "oidc") {
-    context.request.body.signUp = context.request.body.data;
-    const url = await signInOAuth(context, provider, {
-      autoCreateSession: data.autoCreateSession ?? true,
-      onlySignUp: true
-    });
-    return {
-      status: 200,
-      body: {
-        url,
-        redirect: true
-      }
-    };
-  }
-  if (!provider.signUp) {
-    throw new ProviderError("Sign up method not implemented");
+// src/utils/logger.ts
+import { createConsola } from "consola";
+var consola = createConsola({
+  formatOptions: {
+    date: false
   }
-  return await provider.signUp(context);
-};
-var signUpHandler = withPlugins(signUp);
-
-// src/routes/index.ts
-var router = async (context) => {
-  const action = context.request.action;
-  switch (action) {
-    case "signin":
-      return signInHandler(context);
-    case "callback":
-      return await callbackHandler(context);
-    case "signup":
-      return await signUpHandler(context);
-    case "signout":
-      return await signOutHandler(context);
-    case "session":
-      return await sessionHandler(context);
-    default: {
-      const plugin = context.plugins.find((plugin2) => {
-        return action.startsWith(plugin2.id);
-      });
-      const providerHandler = context.providers.find((provider) => {
-        return provider.type === "custom" && provider.handler?.matcher(context);
-      });
-      if (plugin?.handler) {
-        return await plugin.handler(context);
-      }
-      if (providerHandler?.handler) {
-        return await providerHandler.handler.handler(context);
-      }
-      return {
-        status: 404
-      };
+});
+var createLogger = (options) => {
+  return {
+    log: (...args) => {
+      !options?.disabled && consola.log("", ...args);
+    },
+    error: (...args) => {
+      !options?.disabled && consola.error("", ...args);
+    },
+    warn: (...args) => {
+      !options?.disabled && consola.warn("", ...args);
+    },
+    info: (...args) => {
+      !options?.disabled && consola.info("", ...args);
+    },
+    debug: (...args) => {
+      !options?.disabled && consola.debug("", ...args);
+    },
+    box: (...args) => {
+      !options?.disabled && consola.box("", ...args);
+    },
+    success: (...args) => {
+      !options?.disabled && consola.success("", ...args);
+    },
+    break: (...args) => {
+      !options?.disabled && console.log("\n");
     }
-  }
+  };
 };
+var logger = createLogger();
 
-// src/utils/request.ts
-import { IncomingMessage } from "http";
-import { z as z5 } from "zod";
-async function getBody(request) {
-  try {
-    if (request instanceof Request)
-      return await request.json();
-    return new Promise((resolve) => {
-      const bodyParts = [];
-      let body;
-      request.on("data", (chunk) => {
-        bodyParts.push(chunk);
-      }).on("end", () => {
-        body = Buffer.concat(bodyParts).toString();
-        resolve(JSON.parse(body));
-      });
-    });
-  } catch {
-    throw new InvalidRequest();
-  }
-}
-var toRequestHeader = (incomingHeaders) => {
-  if (incomingHeaders instanceof Headers)
-    return incomingHeaders;
-  const headers = new Headers();
-  for (const [key, value] of Object.entries(incomingHeaders)) {
-    if (Array.isArray(value)) {
-      for (const val of value) {
-        headers.append(key, val);
-      }
-    } else if (value) {
-      headers.append(key, value);
-    }
-  }
-  return headers;
-};
-function isValidHttpMethod(method) {
-  if (method?.toUpperCase() !== "POST" && method?.toUpperCase() !== "GET") {
-    return false;
-  }
-  return true;
-}
-function parseUrl(request, options) {
-  let requestStringURL = request instanceof IncomingMessage ? `${request.headers.host}${request.url}` : request.url;
-  if (!requestStringURL.startsWith("http")) {
-    if (requestStringURL.startsWith("localhost")) {
-      requestStringURL = `http://${requestStringURL}`;
-    } else {
-      requestStringURL = `https://${requestStringURL}`;
-    }
-  }
-  const requestURL = new URL(requestStringURL);
-  const baseURL = requestURL.origin;
-  const basePath = options.basePath || "/api/auth";
-  let urlString = `${baseURL}${basePath}`;
-  if (!urlString.startsWith("http")) {
-    urlString = `https://${urlString}`;
-  }
-  const isValidURL = z5.string().url().safeParse(urlString);
-  let action = requestURL.pathname.split(basePath)[1] || "";
-  action = action.replace("/", "");
-  if (isValidURL.error) {
-    throw new InvalidURL();
-  }
-  if (action.startsWith("callback")) {
-    const provider = action.split("/")[1];
-    if (!provider)
-      throw new InvalidURL("Provider is missing in the URL.");
-    action = "callback";
-    requestURL.searchParams.set("provider", provider);
-  }
-  const url = new URL(urlString);
-  requestURL.searchParams.forEach((value, key) => {
-    url.searchParams.set(key, value);
-  });
+// src/init.ts
+var init = (options) => {
+  const adapter = getAdapter(options);
+  const db = createKyselyAdapter(options);
+  const { baseURL, withPath: withPath2 } = getBaseURL(options.baseURL, options.basePath);
   return {
-    url,
-    action
+    options: {
+      ...options,
+      baseURL,
+      basePath: options.basePath || "/api/auth"
+    },
+    baseURL: withPath2,
+    secret: options.secret || process.env.BETTER_AUTH_SECRET || process.env.AUTH_SECRET || "better-auth-secret-123456789",
+    authCookies: getCookies(options),
+    logger: createLogger({
+      disabled: options.disableLog
+    }),
+    db,
+    adapter,
+    internalAdapter: createInternalAdapter(adapter, options),
+    createAuthCookie: createCookieGetter(options)
   };
-}
-
-// src/utils/secret.ts
-var DEFAULT_SECRET = "better-auth-secret-key-123456789";
-var getSecret = (secret) => {
-  secret = secret || process.env.BETTER_AUTH_SECRET || process.env.AUTH_SECRET;
-  if (process.env.NODE_ENV === "production" && !secret) {
-    throw new MissingSecret();
-  }
-  return secret || DEFAULT_SECRET;
 };
 
 // src/auth.ts
 var betterAuth = (options) => {
-  const defaultActions = getActions(options);
-  const auth = {
-    /**
-     * The handler for the better auth routes.
-     */
-    handler: async (request, opts) => {
-      const context = await toContext(options, request, opts);
-      if (!isValidHttpMethod(request.method)) {
-        return toResponse({ status: 200 }, context, opts);
-      }
-      const response = await router(context);
-      return toResponse(response, context, opts);
-    },
-    caller: {
-      ...defaultActions,
-      ...options.plugins?.map((plugin) => plugin.getActions?.(options))
-    },
-    options
-  };
-  return auth;
-};
-var toContext = async (options, request, handlerOptions) => {
-  const basePath = options.basePath || "/api/auth";
-  const headers = toRequestHeader(request.headers);
-  const { url, action } = parseUrl(request, options);
-  const body = request.method?.toUpperCase() === "POST" ? await getBody(request) : null;
+  const authContext = init(options);
+  const { handler, endpoints } = router(authContext);
   return {
-    baseURL: url.origin,
-    basePath,
-    request: {
-      method: request.method,
-      url,
-      query: Object.fromEntries(url.searchParams),
-      action,
-      body,
-      headers,
-      cookies: handlerOptions?.cookieManager || cookieManager(headers)
-    },
-    _db: options.adapter,
-    providers: options.providers,
-    secret: getSecret(options.secret),
-    adapter: createInternalAdapter(options.adapter),
-    plugins: getPlugins(options),
-    cookies: getCookies(options),
-    disableCSRF: options.advanced?.skipCSRFCheck || false,
-    session: {
-      modelName: options.session?.modelName || "session",
-      updateAge: options.session?.updateAge === void 0 ? timeSpan("1d") : options.session.updateAge,
-      expiresIn: options.session?.expiresIn || timeSpan("1w"),
-      additionalFields: options.session?.additionalFields ? toInternalFields(options.session.additionalFields) : {},
-      selectFields: getSelectFields(
-        options.session?.additionalFields || {},
-        "session"
-      )
-    },
-    user: {
-      modelName: options.user?.modelName || "user",
-      fields: options.user?.fields ? toInternalFields(options.user.fields) : {},
-      selectFields: getSelectFields(options.user?.fields || {}, "user")
-    },
-    account: {
-      modelName: options.account?.modelName || "account",
-      additionalFields: options.account?.additionalFields || {},
-      selectFields: [
-        ...Object.keys(options.account?.additionalFields || {}),
-        "userId",
-        "providerId",
-        "accountId"
-      ]
-    },
-    sessionAdapter: options.sessionAdapter
+    handler,
+    api: endpoints,
+    options
   };
 };
-var toResponse = (res, context, handlerOptions) => {
-  if (handlerOptions?.toResponse) {
-    return handlerOptions.toResponse(res, context);
-  }
-  context.request.headers.set("content-type", "application/json");
-  const response = new Response(res.body ? JSON.stringify(res.body) : null, {
-    headers: {
-      ...context.request.headers,
-      "Set-Cookie": context.request.headers.get("Set-Cookie") ?? "",
-      ...res.headers
-    },
-    status: res.status,
-    statusText: res.statusText
-  });
-  return response;
-};
 export {
   betterAuth,
-  toContext,
-  toResponse
+  createFieldAttribute,
+  createInternalAdapter
 };
 //# sourceMappingURL=index.js.map