better-auth 0.0.2-beta.7 → 0.0.2

package/dist/plugins.js

@@ -1,311 +1,4009 @@
-// src/plugins/email-verification.ts
-import { base64url } from "jose";
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/plugins/organization/organization.ts
+import { APIError as APIError5 } from "better-call";
+import {
+  z as z11
+} from "zod";
+
+// src/api/call.ts
+import {
+  createEndpointCreator,
+  createMiddleware,
+  createMiddlewareCreator
+} from "better-call";
+var optionsMiddleware = createMiddleware(async () => {
+  return {};
+});
+var createAuthMiddleware = createMiddlewareCreator({
+  use: [optionsMiddleware]
+});
+var createAuthEndpoint = createEndpointCreator({
+  use: [optionsMiddleware]
+});
+
+// src/api/routes/sign-in.ts
+import { APIError } from "better-call";
+import { generateCodeVerifier } from "oslo/oauth2";
+import { Argon2id } from "oslo/password";
 import { z } from "zod";
 
-// src/jwt/index.ts
-import { SignJWT, decodeJwt, jwtVerify } from "jose";
-function parseJWT(jwt) {
-  const decoded = decodeJwt(jwt);
-  return decoded;
+// src/social-providers/apple.ts
+import "arctic";
+import { parseJWT } from "oslo/jwt";
+import { betterFetch } from "@better-fetch/fetch";
+
+// src/error/better-auth-error.ts
+var BetterAuthError = class extends Error {
+  constructor(message) {
+    super(message);
+  }
+};
+
+// src/utils/base-url.ts
+function checkHasPath(url) {
+  try {
+    const parsedUrl = new URL(url);
+    return parsedUrl.pathname !== "/";
+  } catch (error) {
+    console.error("Invalid URL:", error);
+    return false;
+  }
+}
+function withPath(url, path = "/api/auth") {
+  const hasPath = checkHasPath(url);
+  if (hasPath) {
+    return {
+      baseURL: new URL(url).origin,
+      withPath: url
+    };
+  }
+  path = path.startsWith("/") ? path : `/${path}`;
+  return {
+    baseURL: url,
+    withPath: `${url}${path}`
+  };
 }
-function validateJWT(jwt, secret) {
-  return jwtVerify(jwt, new TextEncoder().encode(secret));
+function getBaseURL(url, path) {
+  if (url) {
+    return withPath(url, path);
+  }
+  const env = typeof process !== "undefined" ? process.env : typeof import.meta !== "undefined" ? (
+    //@ts-ignore
+    import.meta.env
+  ) : {};
+  const fromEnv = env.BETTER_AUTH_URL || env.AUTH_URL || env.NEXT_PUBLIC_AUTH_URL || env.NEXT_PUBLIC_BETTER_AUTH_URL || env.PUBLIC_AUTH_URL || env.PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_AUTH_URL;
+  if (fromEnv) {
+    return withPath(fromEnv, path);
+  }
+  const isDev = !fromEnv && (env.NODE_ENV === "development" || env.NODE_ENV === "test");
+  if (isDev) {
+    return {
+      baseURL: "http://localhost:3000",
+      withPath: "http://localhost:3000/api/auth"
+    };
+  }
+  throw new BetterAuthError(
+    "Could not infer baseURL from environment variables"
+  );
 }
-function createJWT({
-  payload,
-  secret,
-  expiresIn,
-  algorithm
-}) {
-  return new SignJWT(payload).setProtectedHeader({
-    alg: algorithm || "HS256"
-  }).setExpirationTime(Math.floor(Date.now() / 1e3) + expiresIn).sign(new TextEncoder().encode(secret));
+
+// src/social-providers/utils.ts
+function getRedirectURI(providerId, redirectURI) {
+  return redirectURI || `${getBaseURL()}/api/auth/callback/${providerId}`;
 }
 
-// src/plugins/email-verification.ts
-var emailVerification = (opts) => {
-  const options = {
-    expiresIn: 60 * 60 * 24,
-    providers: ["credential"],
-    ...opts
+// src/social-providers/apple.ts
+var apple = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const tokenEndpoint = "https://appleid.apple.com/auth/token";
+  redirectURI = getRedirectURI("apple", redirectURI);
+  return {
+    id: "apple",
+    name: "Apple",
+    createAuthorizationURL({ state, scopes }) {
+      const _scope = scopes || ["email", "name", "openid"];
+      return new URL(
+        `https://appleid.apple.com/auth/authorize?client_id=${clientId}&response_type=code&redirect_uri=${redirectURI}&scope=${_scope.join(
+          " "
+        )}&state=${state}`
+      );
+    },
+    validateAuthorizationCode: async (code) => {
+      const data = await betterFetch(tokenEndpoint, {
+        method: "POST",
+        body: new URLSearchParams({
+          client_id: clientId,
+          client_secret: clientSecret,
+          grant_type: "authorization_code",
+          code
+        }),
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded"
+        }
+      });
+      if (data.error) {
+        throw new BetterAuthError(data.error?.message || "");
+      }
+      return data.data;
+    },
+    async getUserInfo(token) {
+      const data = parseJWT(token.idToken())?.payload;
+      if (!data) {
+        return null;
+      }
+      return {
+        user: {
+          id: data.sub,
+          name: data.name,
+          email: data.email,
+          emailVerified: data.email_verified === "true"
+        },
+        data
+      };
+    }
   };
+};
+
+// src/social-providers/discord.ts
+import { betterFetch as betterFetch2 } from "@better-fetch/fetch";
+import { Discord } from "arctic";
+var discord = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const discordArctic = new Discord(
+    clientId,
+    clientSecret,
+    getRedirectURI("discord", redirectURI)
+  );
   return {
-    id: "verify-email",
-    name: "Email Verification",
-    version: "0.0.1",
-    hooks: {
-      matcher(context) {
-        const check = context.request.action === "signup" && options.providers.includes(context.request.body.provider);
-        return check;
-      },
-      async after(context, response) {
-        if (response.metadata?.isError) {
-          return null;
-        }
-        const {
-          data: { email }
-        } = z.object({
-          data: z.object({
-            email: z.string()
-          })
-        }).parse(context.request.body);
-        const token = await createJWT({
-          payload: {
-            email
-          },
-          secret: context.secret,
-          expiresIn: options.expiresIn || 60 * 60 * 24
-        });
-        const encoded = base64url.encode(token);
-        const url = `${context.request.url.toString()}/verify-email?token=${encoded}`;
-        await options.sendEmail(email, url);
+    id: "discord",
+    name: "Discord",
+    createAuthorizationURL({ state, scopes }) {
+      const _scope = scopes || ["email"];
+      return discordArctic.createAuthorizationURL(state, _scope);
+    },
+    validateAuthorizationCode: discordArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error } = await betterFetch2(
+        "https://discord.com/api/users/@me",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken
+          }
+        }
+      );
+      if (error) {
         return null;
       }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.display_name || profile.username || "",
+          email: profile.email,
+          emailVerified: profile.verified
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/facebook.ts
+import { betterFetch as betterFetch3 } from "@better-fetch/fetch";
+import { Facebook } from "arctic";
+var facebook = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const facebookArctic = new Facebook(
+    clientId,
+    clientSecret,
+    getRedirectURI("facebook", redirectURI)
+  );
+  return {
+    id: "facebook",
+    name: "Facebook",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["email", "public_profile"];
+      return facebookArctic.createAuthorizationURL(state, _scopes);
     },
-    handler: async (context) => {
-      const token = context.request.url.searchParams.get("token");
-      if (!token) {
-        return {
-          status: 302,
-          headers: {
-            Location: `${options.redirectURL.error}?error=Token not found`
-          },
-          metadata: {
-            isError: true
+    validateAuthorizationCode: facebookArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error } = await betterFetch3(
+        "https://graph.facebook.com/me",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken
           }
-        };
+        }
+      );
+      if (error) {
+        return null;
       }
-      const decoded = new TextDecoder().decode(base64url.decode(token));
-      const isValid = await validateJWT(decoded, context.secret);
-      if (!isValid) {
-        return {
-          status: 302,
+      return {
+        user: {
+          id: profile.id,
+          name: profile.name,
+          email: profile.email,
+          emailVerified: profile.email_verified
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/github.ts
+import { betterFetch as betterFetch4 } from "@better-fetch/fetch";
+import { GitHub } from "arctic";
+var github = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const githubArctic = new GitHub(
+    clientId,
+    clientSecret,
+    getRedirectURI("github", redirectURI)
+  );
+  return {
+    id: "github",
+    name: "Github",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["user:email"];
+      return githubArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: githubArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error } = await betterFetch4(
+        "https://api.github.com/user",
+        {
+          method: "GET",
           headers: {
-            Location: `${options.redirectURL.error}?error=Invalid token`
-          },
-          metadata: {
-            isError: true
+            Authorization: `Bearer ${token.accessToken}`
           }
-        };
+        }
+      );
+      if (error) {
+        return null;
       }
-      const payload = parseJWT(decoded);
-      if (payload.exp < Date.now() / 1e3) {
-        return {
-          status: 302,
+      let emailVerified = false;
+      if (!profile.email) {
+        const { data, error: error2 } = await betterFetch4("https://api.github.com/user/emails", {
           headers: {
-            Location: `${options.redirectURL.error}?error=Token expired`
-          },
-          metadata: {
-            isError: true
+            Authorization: `Bearer ${token.accessToken}`,
+            "User-Agent": "better-auth"
           }
-        };
+        });
+        if (!error2) {
+          profile.email = (data.find((e) => e.primary) ?? data[0])?.email;
+          emailVerified = data.find((e) => e.email === profile.email)?.verified ?? false;
+        }
       }
-      await context.adapter.updateUserByEmail(
-        payload.email,
-        {
-          emailVerified: true
-        },
-        context
-      );
       return {
-        status: 302,
-        headers: {
-          Location: options.redirectURL.success
-        }
+        user: {
+          id: profile.id,
+          name: profile.name,
+          email: profile.email,
+          image: profile.avatar_url,
+          emailVerified,
+          createdAt: /* @__PURE__ */ new Date(),
+          updatedAt: /* @__PURE__ */ new Date()
+        },
+        data: profile
       };
     }
   };
 };
 
-// src/crypto/hmac.ts
-async function hmac(secretKey, message) {
-  const enc = new TextEncoder();
-  const algorithm = { name: "HMAC", hash: "SHA-256" };
-  const key = await crypto.subtle.importKey(
-    "raw",
-    enc.encode(secretKey),
-    algorithm,
-    false,
-    ["sign", "verify"]
-  );
-  const signature = await crypto.subtle.sign(
-    algorithm.name,
-    key,
-    enc.encode(message)
-  );
-  return btoa(String.fromCharCode(...new Uint8Array(signature)));
-}
-
-// src/crypto/random.ts
-function generateRandomString(size) {
-  const i2hex = (i) => `0${i.toString(16)}`.slice(-2);
-  const r = (a, i) => a + i2hex(i);
-  const bytes = crypto.getRandomValues(new Uint8Array(size));
-  return Array.from(bytes).reduce(r, "");
-}
-
-// src/plugins/csrf-check.ts
-var csrfHandler = async (context) => {
-  const csrfToken = context.request.cookies.get(context.cookies.csrfToken.name);
-  if (csrfToken) {
-    return {
-      status: 200,
-      body: {
-        csrfToken
-      }
-    };
-  }
-  const token = generateRandomString(32);
-  const hash = await hmac(context.secret, token);
-  const cookie = `${token}!${hash}`;
-  context.request.cookies.set(
-    context.cookies.csrfToken.name,
-    cookie,
-    context.cookies.csrfToken.options
+// src/social-providers/google.ts
+import { Google } from "arctic";
+import { parseJWT as parseJWT2 } from "oslo/jwt";
+var google = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const googleArctic = new Google(
+    clientId,
+    clientSecret,
+    getRedirectURI("google", redirectURI)
   );
   return {
-    status: 200,
-    body: {
-      csrfToken: cookie
+    id: "google",
+    name: "Google",
+    createAuthorizationURL({ state, scopes, codeVerifier }) {
+      if (!codeVerifier) {
+        throw new BetterAuthError("codeVerifier is required for Google");
+      }
+      const _scopes = scopes || ["email", "profile"];
+      return googleArctic.createAuthorizationURL(state, codeVerifier, _scopes);
+    },
+    validateAuthorizationCode: async (code, codeVerifier) => {
+      if (!codeVerifier) {
+        throw new BetterAuthError("codeVerifier is required for Google");
+      }
+      return googleArctic.validateAuthorizationCode(code, codeVerifier);
+    },
+    async getUserInfo(token) {
+      if (!token.idToken) {
+        return null;
+      }
+      const user = parseJWT2(token.idToken())?.payload;
+      return {
+        user: {
+          id: user.sub,
+          name: user.name,
+          email: user.email,
+          image: user.picture,
+          emailVerified: user.email_verified
+        },
+        data: user
+      };
     }
   };
 };
-var CSRFCheckPlugin = () => {
+
+// src/social-providers/spotify.ts
+import { betterFetch as betterFetch5 } from "@better-fetch/fetch";
+import { Spotify } from "arctic";
+var spotify = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const spotifyArctic = new Spotify(
+    clientId,
+    clientSecret,
+    getRedirectURI("spotify", redirectURI)
+  );
   return {
-    id: "csrf",
-    name: "CSRF Check",
-    version: "1.0.0",
-    hooks: {
-      matcher: (context) => !context.disableCSRF,
-      before: async (context) => {
-        const csrfToken = context.request.body.csrfToken;
-        const csrfCookie = context.request.cookies.get(
-          context.cookies.csrfToken.name
-        );
-        const [token, hash] = csrfCookie?.split("!") || [null, null];
-        if (!csrfToken || !csrfCookie || !token || !hash || csrfCookie !== csrfToken) {
-          context.request.cookies.set(context.cookies.csrfToken.name, "", {
-            ...context.cookies.csrfToken.options,
-            maxAge: 0
-          });
-          return {
-            response: {
-              status: 403,
-              statusText: "Invalid CSRF Token"
-            }
-          };
-        }
-        const expectedHash = await hmac(context.secret, token);
-        if (hash !== expectedHash) {
-          context.request.cookies.set(context.cookies.csrfToken.name, "", {
-            ...context.cookies.csrfToken.options,
-            maxAge: 0
-          });
-          return {
-            response: {
-              status: 403,
-              statusText: "Invalid CSRF Token"
-            }
-          };
+    id: "spotify",
+    name: "Spotify",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["user-read-email"];
+      return spotifyArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: spotifyArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error } = await betterFetch5(
+        "https://api.spotify.com/v1/me",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken}`
+          }
         }
+      );
+      if (error) {
         return null;
       }
-    },
-    handler: csrfHandler
+      return {
+        user: {
+          id: profile.id,
+          name: profile.display_name,
+          email: profile.email,
+          image: profile.images[0]?.url,
+          emailVerified: false
+        },
+        data: profile
+      };
+    }
   };
 };
 
-// src/plugins/utils.ts
-var getPlugins = (options) => {
-  const plugins = {
-    post: [],
-    pre: [],
-    unordered: []
-  };
-  for (const plugin of options.plugins || []) {
-    plugins[plugin.order || "unordered"].push(plugin);
-  }
-  const internalPlugins = [CSRFCheckPlugin()];
-  return [
-    ...plugins.pre,
-    ...plugins.unordered,
-    ...internalPlugins,
-    ...plugins.post
-  ];
-};
-var usePlugins = (context, ignorePlugins) => {
-  const plugins = context.plugins.filter(
-    (pl) => pl.hooks && !ignorePlugins?.includes(pl.id)
+// src/social-providers/twitch.ts
+import { betterFetch as betterFetch6 } from "@better-fetch/fetch";
+import { Twitch } from "arctic";
+var twitch = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const twitchArctic = new Twitch(
+    clientId,
+    clientSecret,
+    getRedirectURI("twitch", redirectURI)
   );
-  const hooks = plugins.map((plugin) => {
-    return plugin.hooks;
-  });
-  const before = [];
-  const after = [];
-  for (const hook of hooks) {
-    if (hook.matcher(context)) {
-      hook.before && before.push(hook.before);
-      hook.after && after.push(hook.after);
-    }
-  }
   return {
-    before: async (context2) => {
-      let ctx = context2;
-      let response;
-      for (const hook of before) {
-        const res = await hook(ctx);
-        if (res?.context) {
-          ctx = res.context;
-        }
-        if (res?.response) {
-          response = res.response;
-          break;
+    id: "twitch",
+    name: "Twitch",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["activity:write", "read"];
+      return twitchArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: twitchArctic.validateAuthorizationCode,
+    async getUserInfo(token) {
+      const { data: profile, error } = await betterFetch6(
+        "https://api.twitch.tv/helix/users",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken}`
+          }
         }
+      );
+      if (error) {
+        return null;
       }
       return {
-        context: ctx,
-        response
+        user: {
+          id: profile.sub,
+          name: profile.preferred_username,
+          email: profile.email,
+          image: profile.picture,
+          emailVerified: false
+        },
+        data: profile
       };
+    }
+  };
+};
+
+// src/social-providers/twitter.ts
+import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
+import { Twitter } from "arctic";
+var twitter = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const twitterArctic = new Twitter(
+    clientId,
+    clientSecret,
+    getRedirectURI("twitter", redirectURI)
+  );
+  return {
+    id: "twitter",
+    name: "Twitter",
+    createAuthorizationURL(data) {
+      const _scopes = data.scopes || ["account_info.read"];
+      return twitterArctic.createAuthorizationURL(
+        data.state,
+        data.codeVerifier,
+        _scopes
+      );
     },
-    after: async (context2, fnResponse) => {
-      let ctx = context2;
-      let response;
-      for (const hook of after) {
-        const res = await hook(ctx, fnResponse);
-        if (res?.context) {
-          ctx = res.context;
-        }
-        if (res?.response) {
-          response = res.response;
-          break;
+    validateAuthorizationCode: async (code, codeVerifier) => {
+      if (!codeVerifier) {
+        throw new BetterAuthError("codeVerifier is required for Twitter");
+      }
+      return twitterArctic.validateAuthorizationCode(code, codeVerifier);
+    },
+    async getUserInfo(token) {
+      const { data: profile, error } = await betterFetch7(
+        "https://api.x.com/2/users/me?user.fields=profile_image_url",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken}`
+          }
         }
+      );
+      if (error) {
+        return null;
+      }
+      if (!profile.data.email) {
+        return null;
       }
       return {
-        context: ctx,
-        response
+        user: {
+          id: profile.data.id,
+          name: profile.data.name,
+          email: profile.data.email,
+          image: profile.data.profile_image_url,
+          emailVerified: profile.data.verified || false
+        },
+        data: profile
       };
     }
   };
 };
-var withPlugins = (fn, ignorePlugins) => {
-  return async (ctx) => {
-    const { before, after } = usePlugins(ctx, ignorePlugins);
-    const { context, response } = await before(ctx);
-    if (response) {
-      return response;
+
+// src/types/provider.ts
+import "arctic";
+
+// src/social-providers/index.ts
+var oAuthProviders = {
+  apple,
+  discord,
+  facebook,
+  github,
+  google,
+  spotify,
+  twitch,
+  twitter
+};
+var oAuthProviderList = Object.keys(oAuthProviders);
+
+// src/utils/state.ts
+import { generateState as generateStateOAuth } from "oslo/oauth2";
+function generateState(callbackURL, currentURL) {
+  const code = generateStateOAuth();
+  const state = `${code}!${callbackURL}!${currentURL}`;
+  return { state, code };
+}
+function parseState(state) {
+  const [code, callbackURL, currentURL] = state.split("!");
+  return { code, callbackURL, currentURL };
+}
+
+// src/api/routes/session.ts
+var getSession = createAuthEndpoint(
+  "/session",
+  {
+    method: "GET",
+    requireHeaders: true
+  },
+  async (ctx) => {
+    const sessionCookieToken = await ctx.getSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      ctx.context.secret
+    );
+    if (!sessionCookieToken) {
+      return ctx.json(null, {
+        status: 401
+      });
+    }
+    const session = await ctx.context.internalAdapter.findSession(sessionCookieToken);
+    if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
+      ctx.setSignedCookie(
+        ctx.context.authCookies.sessionToken.name,
+        "",
+        ctx.context.secret,
+        {
+          maxAge: 0
+        }
+      );
+      return ctx.json(null, {
+        status: 401
+      });
+    }
+    const updatedSession = await ctx.context.internalAdapter.updateSession(
+      session.session
+    );
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      updatedSession.id,
+      ctx.context.secret,
+      {
+        ...ctx.context.authCookies.sessionToken.options,
+        maxAge: updatedSession.expiresAt.valueOf() - Date.now()
+      }
+    );
+    return ctx.json({
+      session: updatedSession,
+      user: session.user
+    });
+  }
+);
+var getSessionFromCtx = async (ctx) => {
+  const session = await getSession({
+    ...ctx,
+    //@ts-expect-error: By default since this request context comes from a router it'll have a `router` flag which force it to be a request object
+    _flag: void 0
+  });
+  return session;
+};
+
+// src/api/routes/sign-in.ts
+var signInOAuth = createAuthEndpoint(
+  "/sign-in/social",
+  {
+    method: "POST",
+    requireHeaders: true,
+    query: z.object({
+      /**
+       * Redirect to the current URL after the
+       * user has signed in.
+       */
+      currentURL: z.string().optional()
+    }).optional(),
+    body: z.object({
+      /**
+       * Callback URL to redirect to after the user has signed in.
+       */
+      callbackURL: z.string().optional(),
+      /**
+       * OAuth2 provider to use`
+       */
+      provider: z.enum(oAuthProviderList)
+    })
+  },
+  async (c) => {
+    const provider = c.context.options.socialProvider?.find(
+      (p) => p.id === c.body.provider
+    );
+    if (!provider) {
+      c.context.logger.error(
+        "Provider not found. Make sure to add the provider to your auth config",
+        {
+          provider: c.body.provider
+        }
+      );
+      throw new APIError("NOT_FOUND");
+    }
+    const cookie = c.context.authCookies;
+    const currentURL = c.query?.currentURL ? new URL(c.query?.currentURL) : null;
+    const state = generateState(
+      c.body.callbackURL || currentURL?.origin || c.context.baseURL,
+      c.query?.currentURL
+    );
+    try {
+      await c.setSignedCookie(
+        cookie.state.name,
+        state.code,
+        c.context.secret,
+        cookie.state.options
+      );
+      const codeVerifier = generateCodeVerifier();
+      await c.setSignedCookie(
+        cookie.pkCodeVerifier.name,
+        codeVerifier,
+        c.context.secret,
+        cookie.pkCodeVerifier.options
+      );
+      const url = provider.createAuthorizationURL({
+        state: state.state,
+        codeVerifier
+      });
+      return {
+        url: url.toString(),
+        state: state.state,
+        codeVerifier,
+        redirect: true
+      };
+    } catch (e) {
+      throw new APIError("INTERNAL_SERVER_ERROR");
+    }
+  }
+);
+var signInEmail = createAuthEndpoint(
+  "/sign-in/email",
+  {
+    method: "POST",
+    body: z.object({
+      email: z.string().email(),
+      password: z.string(),
+      callbackURL: z.string().optional(),
+      /**
+       * If this is true the session will only be valid for the current browser session
+       * @default false
+       */
+      dontRememberMe: z.boolean().default(false).optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options?.emailAndPassword?.enabled) {
+      ctx.context.logger.error("Email and password is not enabled");
+      throw new APIError("BAD_REQUEST", {
+        message: "Email and password is not enabled"
+      });
+    }
+    const currentSession = await getSessionFromCtx(ctx);
+    if (currentSession) {
+      return ctx.json({
+        user: currentSession.user,
+        session: currentSession.session,
+        redirect: !!ctx.body.callbackURL,
+        url: ctx.body.callbackURL
+      });
+    }
+    const { email, password } = ctx.body;
+    const argon2id = new Argon2id();
+    const user = await ctx.context.internalAdapter.findUserByEmail(email);
+    if (!user) {
+      await argon2id.hash(password);
+      ctx.context.logger.error("User not found", { email });
+      throw new APIError("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const credentialAccount = user.accounts.find(
+      (a) => a.providerId === "credential"
+    );
+    if (!credentialAccount) {
+      ctx.context.logger.error("Credential account not found", { email });
+      throw new APIError("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const currentPassword = credentialAccount?.password;
+    if (!currentPassword) {
+      ctx.context.logger.error("Password not found", { email });
+      throw new APIError("UNAUTHORIZED", {
+        message: "Unexpected error"
+      });
+    }
+    const validPassword = await argon2id.verify(currentPassword, password);
+    if (!validPassword) {
+      ctx.context.logger.error("Invalid password");
+      throw new APIError("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const session = await ctx.context.internalAdapter.createSession(
+      user.user.id,
+      ctx.request
+    );
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      session.id,
+      ctx.context.secret,
+      ctx.body.dontRememberMe ? {
+        ...ctx.context.authCookies.sessionToken.options,
+        maxAge: void 0
+      } : ctx.context.authCookies.sessionToken.options
+    );
+    return ctx.json({
+      user: user.user,
+      session,
+      redirect: !!ctx.body.callbackURL,
+      url: ctx.body.callbackURL
+    });
+  }
+);
+
+// src/api/routes/callback.ts
+import { APIError as APIError2 } from "better-call";
+import { z as z3 } from "zod";
+
+// src/adapters/schema.ts
+import { z as z2 } from "zod";
+var accountSchema = z2.object({
+  id: z2.string(),
+  providerId: z2.string(),
+  accountId: z2.string(),
+  userId: z2.string(),
+  accessToken: z2.string().nullable().optional(),
+  refreshToken: z2.string().nullable().optional(),
+  idToken: z2.string().nullable().optional(),
+  accessTokenExpiresAt: z2.date().nullable().optional(),
+  refreshTokenExpiresAt: z2.date().nullable().optional(),
+  /**
+   * Password is only stored in the credential provider
+   */
+  password: z2.string().optional().nullable()
+});
+var userSchema = z2.object({
+  id: z2.string(),
+  email: z2.string().transform((val) => val.toLowerCase()),
+  emailVerified: z2.boolean().default(false),
+  name: z2.string(),
+  image: z2.string().optional(),
+  createdAt: z2.date().default(/* @__PURE__ */ new Date()),
+  updatedAt: z2.date().default(/* @__PURE__ */ new Date())
+});
+var sessionSchema = z2.object({
+  id: z2.string(),
+  userId: z2.string(),
+  expiresAt: z2.date(),
+  ipAddress: z2.string().optional(),
+  userAgent: z2.string().optional()
+});
+
+// src/client/client-utils.ts
+var HIDE_ON_CLIENT_METADATA = {
+  onClient: "hide"
+};
+
+// src/utils/id.ts
+import { alphabet, generateRandomString } from "oslo/crypto";
+var generateId = () => {
+  return generateRandomString(36, alphabet("a-z", "0-9"));
+};
+
+// src/api/routes/callback.ts
+var callbackOAuth = createAuthEndpoint(
+  "/callback/:id",
+  {
+    method: "GET",
+    query: z3.object({
+      state: z3.string(),
+      code: z3.string(),
+      code_verifier: z3.string().optional()
+    }),
+    metadata: HIDE_ON_CLIENT_METADATA
+  },
+  async (c) => {
+    const provider = c.context.options.socialProvider?.find(
+      (p) => p.id === c.params.id
+    );
+    if (!provider) {
+      c.context.logger.error(
+        "Oauth provider with id",
+        c.params.id,
+        "not found"
+      );
+      throw new APIError2("NOT_FOUND");
+    }
+    const tokens = await provider.validateAuthorizationCode(
+      c.query.code,
+      c.query.code_verifier || ""
+    );
+    if (!tokens) {
+      c.context.logger.error("Code verification failed");
+      throw new APIError2("UNAUTHORIZED");
+    }
+    const user = await provider.getUserInfo(tokens).then((res) => res?.user);
+    const id = generateId();
+    const data = userSchema.safeParse({
+      ...user,
+      id
+    });
+    const { callbackURL, currentURL } = parseState(c.query.state);
+    if (!user || data.success === false) {
+      if (currentURL) {
+        throw c.redirect(`${currentURL}?error=oauth_validation_failed`);
+      } else {
+        throw new APIError2("BAD_REQUEST");
+      }
+    }
+    if (!callbackURL) {
+      c.context.logger.error("Callback URL not found");
+      throw new APIError2("FORBIDDEN");
+    }
+    const dbUser = await c.context.internalAdapter.findUserByEmail(user.email);
+    const userId = dbUser?.user.id;
+    if (dbUser) {
+      const hasBeenLinked = dbUser.accounts.find(
+        (a) => a.providerId === provider.id
+      );
+      if (!hasBeenLinked && !user.emailVerified) {
+        c.context.logger.error("User already exists");
+        const url = new URL(currentURL || callbackURL);
+        url.searchParams.set("error", "user_already_exists");
+        throw c.redirect(url.toString());
+      }
+      if (!hasBeenLinked && user.emailVerified) {
+        await c.context.internalAdapter.linkAccount({
+          providerId: provider.id,
+          accountId: user.id,
+          id: `${provider.id}:${user.id}`,
+          userId: dbUser.user.id,
+          ...tokens
+        });
+      }
+    } else {
+      try {
+        await c.context.internalAdapter.createOAuthUser(data.data, {
+          ...tokens,
+          id: `${provider.id}:${user.id}`,
+          providerId: provider.id,
+          accountId: user.id,
+          userId: id
+        });
+      } catch (e) {
+        const url = new URL(currentURL || callbackURL);
+        url.searchParams.set("error", "unable_to_create_user");
+        c.setHeader("Location", url.toString());
+        throw c.redirect(url.toString());
+      }
+    }
+    if (!userId && !id)
+      throw new APIError2("INTERNAL_SERVER_ERROR", {
+        message: "Unable to create user"
+      });
+    const session = await c.context.internalAdapter.createSession(
+      userId || id,
+      c.request
+    );
+    try {
+      await c.setSignedCookie(
+        c.context.authCookies.sessionToken.name,
+        session.id,
+        c.context.secret,
+        c.context.authCookies.sessionToken.options
+      );
+    } catch (e) {
+      c.context.logger.error("Unable to set session cookie", e);
+      const url = new URL(currentURL || callbackURL);
+      url.searchParams.set("error", "unable_to_create_session");
+      throw c.redirect(url.toString());
+    }
+    throw c.redirect(callbackURL);
+  }
+);
+
+// src/api/routes/sign-out.ts
+import { z as z4 } from "zod";
+var signOut = createAuthEndpoint(
+  "/sign-out",
+  {
+    method: "POST",
+    body: z4.object({
+      callbackURL: z4.string().optional()
+    }).optional()
+  },
+  async (ctx) => {
+    const sessionCookieToken = await ctx.getSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      ctx.context.secret
+    );
+    if (!sessionCookieToken) {
+      return ctx.json(null);
+    }
+    await ctx.context.internalAdapter.deleteSession(sessionCookieToken);
+    ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
+      maxAge: 0
+    });
+    return ctx.json(null, {
+      body: {
+        redirect: !!ctx.body?.callbackURL,
+        url: ctx.body?.callbackURL
+      }
+    });
+  }
+);
+
+// src/api/routes/forget-password.ts
+import { TimeSpan } from "oslo";
+import { createJWT } from "oslo/jwt";
+import { validateJWT } from "oslo/jwt";
+import { Argon2id as Argon2id2 } from "oslo/password";
+import { z as z5 } from "zod";
+var forgetPassword = createAuthEndpoint(
+  "/forget-password",
+  {
+    method: "POST",
+    body: z5.object({
+      /**
+       * The email address of the user to send a password reset email to.
+       */
+      email: z5.string().email()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.sendResetPasswordToken) {
+      ctx.context.logger.error(
+        "Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function to your auth config!"
+      );
+      return ctx.json(null, {
+        status: 400,
+        statusText: "RESET_PASSWORD_EMAIL_NOT_SENT",
+        body: {
+          message: "Reset password isn't enabled"
+        }
+      });
     }
-    const res = await fn(context);
-    const { response: afterResponse } = await after(context, res);
-    if (afterResponse) {
-      return afterResponse;
+    const { email } = ctx.body;
+    const user = await ctx.context.internalAdapter.findUserByEmail(email);
+    if (!user) {
+      return ctx.json(
+        {
+          error: "User not found"
+        },
+        {
+          status: 400,
+          statusText: "USER_NOT_FOUND",
+          body: {
+            message: "User not found"
+          }
+        }
+      );
+    }
+    const token = await createJWT(
+      "HS256",
+      Buffer.from(ctx.context.secret),
+      {
+        email: user.user.email
+      },
+      {
+        expiresIn: new TimeSpan(1, "h"),
+        issuer: "better-auth",
+        subject: "forget-password",
+        audiences: [user.user.email],
+        includeIssuedTimestamp: true
+      }
+    );
+    await ctx.context.options.emailAndPassword.sendResetPasswordToken(
+      token,
+      user.user
+    );
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var resetPassword = createAuthEndpoint(
+  "/reset-password",
+  {
+    method: "POST",
+    body: z5.object({
+      token: z5.string(),
+      newPassword: z5.string(),
+      callbackURL: z5.string().optional()
+    })
+  },
+  async (ctx) => {
+    const { token, newPassword } = ctx.body;
+    try {
+      const jwt = await validateJWT(
+        "HS256",
+        Buffer.from(ctx.context.secret),
+        token
+      );
+      const email = z5.string().email().parse(jwt.payload.email);
+      const user = await ctx.context.internalAdapter.findUserByEmail(email);
+      if (!user) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "USER_NOT_FOUND",
+          body: {
+            message: "User not found"
+          }
+        });
+      }
+      if (newPassword.length < (ctx.context.options.emailAndPassword?.minPasswordLength || 8) || newPassword.length > (ctx.context.options.emailAndPassword?.maxPasswordLength || 32)) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "INVALID_PASSWORD_LENGTH",
+          body: {
+            message: "Password length must be between 8 and 32"
+          }
+        });
+      }
+      const argon2id = new Argon2id2();
+      const hashedPassword = await argon2id.hash(newPassword);
+      const updatedUser = await ctx.context.internalAdapter.updatePassword(
+        user.user.id,
+        hashedPassword
+      );
+      if (!updatedUser) {
+        return ctx.json(null, {
+          status: 500,
+          statusText: "INTERNAL_SERVER_ERROR",
+          body: {
+            message: "Internal server error"
+          }
+        });
+      }
+      return ctx.json({
+        status: true,
+        url: ctx.body.callbackURL,
+        redirect: !!ctx.body.callbackURL
+      });
+    } catch (e) {
+      console.log(e);
+      return ctx.json(null, {
+        status: 400,
+        statusText: "INVALID_TOKEN",
+        body: {
+          message: "Invalid token"
+        }
+      });
+    }
+  }
+);
+
+// src/api/routes/verify-email.ts
+import { TimeSpan as TimeSpan2 } from "oslo";
+import { createJWT as createJWT2, validateJWT as validateJWT2 } from "oslo/jwt";
+import { z as z6 } from "zod";
+var sendVerificationEmail = createAuthEndpoint(
+  "/send-verification-email",
+  {
+    method: "POST",
+    body: z6.object({
+      email: z6.string().email(),
+      callbackURL: z6.string().optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.sendVerificationEmail) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "VERIFICATION_EMAIL_NOT_SENT",
+        body: {
+          message: "Verification email isn't enabled"
+        }
+      });
+    }
+    const { email } = ctx.body;
+    const token = await createJWT2(
+      "HS256",
+      Buffer.from(ctx.context.secret),
+      {
+        email: email.toLowerCase()
+      },
+      {
+        expiresIn: new TimeSpan2(1, "h"),
+        issuer: "better-auth",
+        subject: "verify-email",
+        audiences: [email],
+        includeIssuedTimestamp: true
+      }
+    );
+    const url = `${ctx.context.baseURL}/verify-email?token=${token}?callbackURL=${ctx.body.callbackURL}`;
+    await ctx.context.options.emailAndPassword.sendVerificationEmail(
+      email,
+      url
+    );
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var verifyEmail = createAuthEndpoint(
+  "/verify-email",
+  {
+    method: "GET",
+    query: z6.object({
+      token: z6.string(),
+      callbackURL: z6.string()
+    })
+  },
+  async (ctx) => {
+    const { token } = ctx.query;
+    try {
+      const jwt = await validateJWT2(
+        "HS256",
+        Buffer.from(ctx.context.secret),
+        token
+      );
+      const schema = z6.object({
+        email: z6.string().email()
+      });
+      const parsed = schema.parse(jwt.payload);
+      const user = await ctx.context.internalAdapter.findUserByEmail(
+        parsed.email
+      );
+      if (!user) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "USER_NOT_FOUND",
+          body: {
+            message: "User not found"
+          }
+        });
+      }
+      const account = user.accounts.find((a) => a.providerId === "credential");
+      if (!account) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "ACCOUNT_NOT_FOUND",
+          body: {
+            message: "Account not found"
+          }
+        });
+      }
+      await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
+        emailVerified: true
+      });
+      if (ctx.query.callbackURL) {
+        throw ctx.redirect(ctx.query.callbackURL);
+      }
+      return ctx.json({
+        status: true
+      });
+    } catch (e) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "INVALID_TOKEN",
+        body: {
+          message: "Invalid token"
+        }
+      });
+    }
+  }
+);
+
+// src/utils/shim.ts
+var shimContext = (originalObject, newContext) => {
+  const shimmedObj = {};
+  for (const [key, value] of Object.entries(originalObject)) {
+    shimmedObj[key] = (ctx) => {
+      return value({
+        ...ctx,
+        context: {
+          ...newContext,
+          ...ctx.context
+        }
+      });
+    };
+    shimmedObj[key].path = value.path;
+    shimmedObj[key].method = value.method;
+    shimmedObj[key].options = value.options;
+    shimmedObj[key].headers = value.headers;
+  }
+  return shimmedObj;
+};
+
+// src/plugins/organization/access/index.ts
+var access_exports = {};
+__export(access_exports, {
+  AccessControl: () => AccessControl,
+  ParsingError: () => ParsingError,
+  Role: () => Role,
+  adminAc: () => adminAc,
+  createAccessControl: () => createAccessControl,
+  defaultAc: () => defaultAc,
+  defaultRoles: () => defaultRoles,
+  defaultStatements: () => defaultStatements,
+  memberAc: () => memberAc,
+  ownerAc: () => ownerAc,
+  permissionFromString: () => permissionFromString
+});
+
+// src/plugins/organization/access/src/access.ts
+var ParsingError = class extends Error {
+  path;
+  constructor(message, path) {
+    super(message);
+    this.path = path;
+  }
+};
+var AccessControl = class {
+  constructor(s) {
+    this.s = s;
+    this.statements = s;
+  }
+  statements;
+  newRole(statements) {
+    return new Role(statements);
+  }
+};
+var Role = class _Role {
+  statements;
+  constructor(statements) {
+    this.statements = statements;
+  }
+  authorize(request, connector) {
+    for (const [requestedResource, requestedActions] of Object.entries(
+      request
+    )) {
+      const allowedActions = this.statements[requestedResource];
+      if (!allowedActions) {
+        return {
+          success: false,
+          error: `You are not allowed to access resource: ${requestedResource}`
+        };
+      }
+      const success = connector === "OR" ? requestedActions.some(
+        (requestedAction) => allowedActions.includes(requestedAction)
+      ) : requestedActions.every(
+        (requestedAction) => allowedActions.includes(requestedAction)
+      );
+      if (success) {
+        return { success };
+      }
+      return {
+        success: false,
+        error: `unauthorized to access resource "${requestedResource}"`
+      };
+    }
+    return {
+      success: false,
+      error: "Not authorized"
+    };
+  }
+  static fromString(s) {
+    const statements = JSON.parse(s);
+    if (typeof statements !== "object") {
+      throw new ParsingError("statements is not an object", ".");
+    }
+    for (const [resource, actions] of Object.entries(statements)) {
+      if (typeof resource !== "string") {
+        throw new ParsingError("invalid resource identifier", resource);
+      }
+      if (!Array.isArray(actions)) {
+        throw new ParsingError("actions is not an array", resource);
+      }
+      for (let i = 0; i < actions.length; i++) {
+        if (typeof actions[i] !== "string") {
+          throw new ParsingError("action is not a string", `${resource}[${i}]`);
+        }
+      }
+    }
+    return new _Role(statements);
+  }
+  toString() {
+    return JSON.stringify(this.statements);
+  }
+};
+
+// src/plugins/organization/access/statement.ts
+var createAccessControl = (statements) => {
+  return new AccessControl(statements);
+};
+var defaultStatements = {
+  organization: ["update", "delete"],
+  member: ["create", "update", "delete"],
+  invitation: ["create", "cancel"]
+};
+var defaultAc = createAccessControl(defaultStatements);
+var adminAc = defaultAc.newRole({
+  organization: ["update"],
+  invitation: ["create", "cancel"],
+  member: ["create", "update", "delete"]
+});
+var ownerAc = defaultAc.newRole({
+  organization: ["update", "delete"],
+  member: ["create", "update", "delete"],
+  invitation: ["create", "cancel"]
+});
+var memberAc = defaultAc.newRole({
+  organization: [],
+  member: [],
+  invitation: []
+});
+var defaultRoles = {
+  admin: adminAc,
+  owner: ownerAc,
+  member: memberAc
+};
+
+// src/plugins/organization/access/utils.ts
+var permissionFromString = (permission) => {
+  return Role.fromString(permission ?? "");
+};
+
+// src/utils/date.ts
+var getDate = (span) => {
+  const date = /* @__PURE__ */ new Date();
+  return new Date(date.getTime() + span);
+};
+
+// src/plugins/organization/adapter.ts
+var getOrgAdapter = (adapter, options) => {
+  return {
+    findOrganizationBySlug: async (slug) => {
+      const organization2 = await adapter.findOne({
+        model: "organization",
+        where: [
+          {
+            field: "slug",
+            value: slug
+          }
+        ]
+      });
+      return organization2;
+    },
+    createOrganization: async (data) => {
+      const organization2 = await adapter.create({
+        model: "organization",
+        data: data.organization
+      });
+      const member = await adapter.create({
+        model: "member",
+        data: {
+          id: generateId(),
+          name: data.user.name,
+          organizationId: organization2.id,
+          userId: data.user.id,
+          email: data.user.email,
+          role: options?.creatorRole || "owner"
+        }
+      });
+      return {
+        ...organization2,
+        members: [member]
+      };
+    },
+    findMemberByEmail: async (data) => {
+      const member = await adapter.findOne({
+        model: "member",
+        where: [
+          {
+            field: "email",
+            value: data.email
+          },
+          {
+            field: "organizationId",
+            value: data.organizationId
+          }
+        ]
+      });
+      return member;
+    },
+    findMemberByOrgId: async (data) => {
+      const member = await adapter.findOne({
+        model: "member",
+        where: [
+          {
+            field: "userId",
+            value: data.userId
+          },
+          {
+            field: "organizationId",
+            value: data.organizationId
+          }
+        ]
+      });
+      return member;
+    },
+    findMemberById: async (memberId) => {
+      const member = await adapter.findOne({
+        model: "member",
+        where: [
+          {
+            field: "id",
+            value: memberId
+          }
+        ]
+      });
+      return member;
+    },
+    createMember: async (data) => {
+      const member = await adapter.create({
+        model: "member",
+        data
+      });
+      return member;
+    },
+    updateMember: async (memberId, role2) => {
+      const member = await adapter.update({
+        model: "member",
+        where: [
+          {
+            field: "id",
+            value: memberId
+          }
+        ],
+        update: {
+          role: role2
+        }
+      });
+      return member;
+    },
+    deleteMember: async (memberId) => {
+      const member = await adapter.delete({
+        model: "member",
+        where: [
+          {
+            field: "id",
+            value: memberId
+          }
+        ]
+      });
+      return member;
+    },
+    updateOrganization: async (orgId, data) => {
+      const organization2 = await adapter.update({
+        model: "organization",
+        where: [
+          {
+            field: "id",
+            value: orgId
+          }
+        ],
+        update: data
+      });
+      return organization2;
+    },
+    deleteOrganization: async (orgId) => {
+      const organization2 = await adapter.delete({
+        model: "organization",
+        where: [
+          {
+            field: "id",
+            value: orgId
+          }
+        ]
+      });
+      return organization2;
+    },
+    setActiveOrganization: async (sessionId, orgId) => {
+      const session = await adapter.update({
+        model: "session",
+        where: [
+          {
+            field: "id",
+            value: sessionId
+          }
+        ],
+        update: {
+          activeOrganizationId: orgId
+        }
+      });
+      return session;
+    },
+    findOrganizationById: async (orgId) => {
+      const organization2 = await adapter.findOne({
+        model: "organization",
+        where: [
+          {
+            field: "id",
+            value: orgId
+          }
+        ]
+      });
+      return organization2;
+    },
+    findFullOrganization: async (orgId) => {
+      const organization2 = await adapter.findOne({
+        model: "organization",
+        where: [
+          {
+            field: "id",
+            value: orgId
+          }
+        ]
+      });
+      if (!organization2) {
+        return null;
+      }
+      const members = await adapter.findMany({
+        model: "member",
+        where: [
+          {
+            field: "organizationId",
+            value: orgId
+          }
+        ]
+      });
+      const invitations = await adapter.findMany({
+        model: "invitation",
+        where: [
+          {
+            field: "organizationId",
+            value: orgId
+          }
+        ]
+      });
+      return {
+        ...organization2,
+        members,
+        invitations
+      };
+    },
+    listOrganizations: async (userId) => {
+      const members = await adapter.findMany({
+        model: "member",
+        where: [
+          {
+            field: "userId",
+            value: userId
+          }
+        ]
+      });
+      const organizationIds = members?.map((member) => member.organizationId);
+      console.log({ organizationIds });
+      if (!organizationIds) {
+        return [];
+      }
+      const organizations = [];
+      for (const id of organizationIds) {
+        const organization2 = await adapter.findOne({
+          model: "organization",
+          where: [
+            {
+              field: "id",
+              value: id
+            }
+          ]
+        });
+        if (organization2) {
+          organizations.push(organization2);
+        }
+      }
+      return organizations;
+    },
+    createInvitation: async ({
+      invitation,
+      user
+    }) => {
+      const defaultExpiration = 1e3 * 60 * 60 * 48;
+      const expiresAt = getDate(
+        options?.invitationExpiresIn || defaultExpiration
+      );
+      const invite = await adapter.create({
+        model: "invitation",
+        data: {
+          id: generateId(),
+          email: invitation.email,
+          role: invitation.role,
+          organizationId: invitation.organizationId,
+          status: "pending",
+          expiresAt,
+          inviterId: user.id
+        }
+      });
+      return invite;
+    },
+    findInvitationById: async (id) => {
+      const invitation = await adapter.findOne({
+        model: "invitation",
+        where: [
+          {
+            field: "id",
+            value: id
+          }
+        ]
+      });
+      return invitation;
+    },
+    findPendingInvitation: async (data) => {
+      const invitation = await adapter.findMany({
+        model: "invitation",
+        where: [
+          {
+            field: "email",
+            value: data.email
+          },
+          {
+            field: "organizationId",
+            value: data.organizationId
+          },
+          {
+            field: "status",
+            value: "pending"
+          }
+        ]
+      });
+      return invitation.filter(
+        (invite) => new Date(invite.expiresAt) > /* @__PURE__ */ new Date()
+      );
+    },
+    updateInvitation: async (data) => {
+      const invitation = await adapter.update({
+        model: "invitation",
+        where: [
+          {
+            field: "id",
+            value: data.invitationId
+          }
+        ],
+        update: {
+          status: data.status
+        }
+      });
+      return invitation;
+    }
+  };
+};
+
+// src/plugins/organization/call.ts
+import "better-call";
+
+// src/api/middlewares/session.ts
+import { APIError as APIError3 } from "better-call";
+var sessionMiddleware = createAuthMiddleware(async (ctx) => {
+  const session = await getSessionFromCtx(ctx);
+  if (!session?.session) {
+    throw new APIError3("UNAUTHORIZED");
+  }
+  return {
+    session
+  };
+});
+
+// src/plugins/organization/call.ts
+var orgMiddleware = createAuthMiddleware(async (ctx) => {
+  return {};
+});
+var orgSessionMiddleware = createAuthMiddleware(
+  {
+    use: [sessionMiddleware]
+  },
+  async (ctx) => {
+    const session = ctx.context.session;
+    return {
+      session
+    };
+  }
+);
+
+// src/plugins/organization/routes/crud-invites.ts
+import { z as z8 } from "zod";
+
+// src/plugins/organization/schema.ts
+import { z as z7 } from "zod";
+var role = z7.enum(["admin", "member", "owner"]);
+var invitationStatus = z7.enum(["pending", "accepted", "rejected", "canceled"]).default("pending");
+var organizationSchema = z7.object({
+  id: z7.string(),
+  name: z7.string(),
+  slug: z7.string()
+});
+var memberSchema = z7.object({
+  id: z7.string(),
+  name: z7.string(),
+  email: z7.string(),
+  organizationId: z7.string(),
+  userId: z7.string(),
+  role
+});
+var invitationSchema = z7.object({
+  id: z7.string(),
+  organizationId: z7.string(),
+  email: z7.string(),
+  role,
+  status: invitationStatus,
+  /**
+   * The id of the user who invited the user.
+   */
+  inviterId: z7.string(),
+  expiresAt: z7.date()
+});
+
+// src/plugins/organization/routes/crud-invites.ts
+var createInvitation = createAuthEndpoint(
+  "/organization/invite-member",
+  {
+    method: "POST",
+    use: [orgMiddleware, orgSessionMiddleware],
+    body: z8.object({
+      email: z8.string(),
+      role,
+      organizationId: z8.string().optional(),
+      resend: z8.boolean().optional()
+    })
+  },
+  async (ctx) => {
+    const session = ctx.context.session;
+    const orgId = ctx.body.organizationId || session.session.activeOrganizationId;
+    if (!orgId) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Organization id not found!"
+        }
+      });
+    }
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const member = await adapter.findMemberByOrgId({
+      userId: session.user.id,
+      organizationId: orgId
+    });
+    if (!member) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User is not a member of this organization!"
+        }
+      });
+    }
+    const role2 = ctx.context.roles[member.role];
+    if (!role2) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Role not found!"
+        }
+      });
+    }
+    const canInvite = role2.authorize({
+      invitation: ["create"]
+    });
+    if (canInvite.error) {
+      return ctx.json(null, {
+        body: {
+          message: "You are not allowed to invite users to this organization"
+        },
+        status: 403
+      });
+    }
+    const alreadyMember = await adapter.findMemberByEmail({
+      email: ctx.body.email,
+      organizationId: orgId
+    });
+    if (alreadyMember) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User is already a member of this organization"
+        }
+      });
+    }
+    const alreadyInvited = await adapter.findPendingInvitation({
+      email: ctx.body.email,
+      organizationId: orgId
+    });
+    if (alreadyInvited.length && !ctx.body.resend) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User is already invited to this organization"
+        }
+      });
+    }
+    const invitation = await adapter.createInvitation({
+      invitation: {
+        role: ctx.body.role,
+        email: ctx.body.email,
+        organizationId: orgId
+      },
+      user: session.user
+    });
+    await ctx.context.orgOptions.sendInvitationEmail?.(
+      invitation,
+      ctx.body.email
+    );
+    return ctx.json(invitation);
+  }
+);
+var acceptInvitation = createAuthEndpoint(
+  "/organization/accept-invitation",
+  {
+    method: "POST",
+    body: z8.object({
+      invitationId: z8.string()
+    }),
+    use: [orgMiddleware, orgSessionMiddleware]
+  },
+  async (ctx) => {
+    const session = ctx.context.session;
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const invitation = await adapter.findInvitationById(ctx.body.invitationId);
+    if (!invitation || invitation.expiresAt < /* @__PURE__ */ new Date() || invitation.status !== "pending") {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Invitation not found!"
+        }
+      });
+    }
+    if (invitation.email !== session.user.email) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "You are not the repentant of the invitation"
+        }
+      });
+    }
+    const acceptedI = await adapter.updateInvitation({
+      invitationId: ctx.body.invitationId,
+      status: "accepted"
+    });
+    const member = await adapter.createMember({
+      id: generateId(),
+      organizationId: invitation.organizationId,
+      userId: session.user.id,
+      email: invitation.email,
+      role: invitation.role,
+      name: session.user.name
+    });
+    return ctx.json({
+      invitation: acceptedI,
+      member
+    });
+  }
+);
+var rejectInvitation = createAuthEndpoint(
+  "/organization/reject-invitation",
+  {
+    method: "POST",
+    body: z8.object({
+      invitationId: z8.string()
+    }),
+    use: [orgMiddleware, orgSessionMiddleware]
+  },
+  async (ctx) => {
+    const session = ctx.context.session;
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const invitation = await adapter.findInvitationById(ctx.body.invitationId);
+    if (!invitation || invitation.expiresAt < /* @__PURE__ */ new Date() || invitation.status !== "pending") {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Invitation not found!"
+        }
+      });
+    }
+    if (invitation.email !== session.user.email) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "You are not the repentant of the invitation"
+        }
+      });
+    }
+    const rejectedI = await adapter.updateInvitation({
+      invitationId: ctx.body.invitationId,
+      status: "rejected"
+    });
+    return ctx.json({
+      invitation: rejectedI,
+      member: null
+    });
+  }
+);
+var cancelInvitation = createAuthEndpoint(
+  "/organization/cancel-invitation",
+  {
+    method: "POST",
+    body: z8.object({
+      invitationId: z8.string()
+    }),
+    use: [orgMiddleware, orgSessionMiddleware]
+  },
+  async (ctx) => {
+    const session = ctx.context.session;
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const invitation = await adapter.findInvitationById(ctx.body.invitationId);
+    if (!invitation) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Invitation not found!"
+        }
+      });
+    }
+    const member = await adapter.findMemberByOrgId({
+      userId: session.user.id,
+      organizationId: invitation.organizationId
+    });
+    if (!member) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User is not a member of this organization"
+        }
+      });
+    }
+    const canCancel = ctx.context.roles[member.role].authorize({
+      invitation: ["cancel"]
+    });
+    if (canCancel.error) {
+      return ctx.json(null, {
+        status: 403,
+        body: {
+          message: "You are not allowed to cancel this invitation"
+        }
+      });
+    }
+    const canceledI = await adapter.updateInvitation({
+      invitationId: ctx.body.invitationId,
+      status: "canceled"
+    });
+    return ctx.json(canceledI);
+  }
+);
+var getActiveInvitation = createAuthEndpoint(
+  "/organization/get-active-invitation",
+  {
+    method: "GET",
+    use: [orgMiddleware],
+    query: z8.object({
+      id: z8.string()
+    })
+  },
+  async (ctx) => {
+    const session = await getSessionFromCtx(ctx);
+    if (!session) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User not logged in"
+        }
+      });
+    }
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const invitation = await adapter.findInvitationById(ctx.query.id);
+    if (!invitation || invitation.status !== "pending" || invitation.expiresAt < /* @__PURE__ */ new Date()) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Invitation not found!"
+        }
+      });
+    }
+    if (invitation.email !== session.user.email) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "You are not the repentant of the invitation"
+        }
+      });
+    }
+    const organization2 = await adapter.findOrganizationById(
+      invitation.organizationId
+    );
+    if (!organization2) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Organization not found!"
+        }
+      });
+    }
+    const member = await adapter.findMemberByOrgId({
+      userId: invitation.inviterId,
+      organizationId: invitation.organizationId
+    });
+    if (!member) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Inviter is no longer a member of this organization"
+        }
+      });
+    }
+    return ctx.json({
+      ...invitation,
+      organizationName: organization2.name,
+      organizationSlug: organization2.slug,
+      inviterEmail: member.email,
+      inviterName: member.name
+    });
+  }
+);
+
+// src/plugins/organization/routes/crud-members.ts
+import { z as z9 } from "zod";
+var removeMember = createAuthEndpoint(
+  "/organization/remove-member",
+  {
+    method: "POST",
+    body: z9.object({
+      memberId: z9.string()
+    }),
+    use: [orgMiddleware, orgSessionMiddleware]
+  },
+  async (ctx) => {
+    const session = ctx.context.session;
+    const orgId = session.session.activeOrganizationId;
+    if (!orgId) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "No active organization found!"
+        }
+      });
+    }
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const member = await adapter.findMemberByOrgId({
+      userId: session.user.id,
+      organizationId: orgId
+    });
+    if (!member) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Member not found!"
+        }
+      });
+    }
+    const role2 = ctx.context.roles[member.role];
+    if (!role2) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Role not found!"
+        }
+      });
+    }
+    if (session.user.id === member.userId && member.role === (ctx.context.orgOptions?.creatorRole || "owner")) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "You cannot delete yourself"
+        }
+      });
+    }
+    const canDeleteMember = role2.authorize({
+      member: ["delete"]
+    });
+    if (canDeleteMember.error) {
+      return ctx.json(null, {
+        body: {
+          message: "You are not allowed to delete this member"
+        },
+        status: 403
+      });
+    }
+    const existing = await adapter.findMemberById(ctx.body.memberId);
+    if (existing?.organizationId !== orgId) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Member not found!"
+        }
+      });
+    }
+    const deletedMember = await adapter.deleteMember(ctx.body.memberId);
+    if (session.user.id === existing.userId && session.session.activeOrganizationId === existing.organizationId) {
+      await adapter.setActiveOrganization(session.session.id, null);
+    }
+    return ctx.json(deletedMember);
+  }
+);
+var updateMember = createAuthEndpoint(
+  "/organization/update-member",
+  {
+    method: "POST",
+    body: z9.object({
+      memberId: z9.string(),
+      role: z9.string()
+    }),
+    use: [orgMiddleware, orgSessionMiddleware]
+  },
+  async (ctx) => {
+    const session = ctx.context.session;
+    const orgId = session.session.activeOrganizationId;
+    if (!orgId) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "No active organization found!"
+        }
+      });
+    }
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const member = await adapter.findMemberByOrgId({
+      userId: session.user.id,
+      organizationId: orgId
+    });
+    if (!member) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Member not found!"
+        }
+      });
+    }
+    const role2 = ctx.context.roles[member.role];
+    if (!role2) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Role not found!"
+        }
+      });
+    }
+    const canUpdateMember = role2.authorize({
+      member: ["update"]
+    });
+    if (canUpdateMember.error) {
+      return ctx.json(null, {
+        body: {
+          message: "You are not allowed to update this member"
+        },
+        status: 403
+      });
+    }
+    const updatedMember = await adapter.updateMember(
+      ctx.body.memberId,
+      ctx.body.role
+    );
+    return ctx.json(updatedMember);
+  }
+);
+
+// src/plugins/organization/routes/crud-org.ts
+import { z as z10 } from "zod";
+var createOrganization = createAuthEndpoint(
+  "/organization/create",
+  {
+    method: "POST",
+    body: z10.object({
+      name: z10.string(),
+      slug: z10.string(),
+      userId: z10.string().optional()
+    }),
+    use: [orgMiddleware, orgSessionMiddleware]
+  },
+  async (ctx) => {
+    const user = ctx.context.session.user;
+    if (!user) {
+      return ctx.json(null, {
+        status: 401
+      });
+    }
+    const options = ctx.context.orgOptions;
+    const canCreateOrg = typeof options?.allowUserToCreateOrganization === "function" ? await options.allowUserToCreateOrganization(user) : options?.allowUserToCreateOrganization === void 0 ? true : options.allowUserToCreateOrganization;
+    if (!canCreateOrg) {
+      return ctx.json(null, {
+        status: 403,
+        body: {
+          message: "You are not allowed to create organizations"
+        }
+      });
+    }
+    const adapter = getOrgAdapter(ctx.context.adapter, options);
+    const existingOrganization = await adapter.findOrganizationBySlug(
+      ctx.body.slug
+    );
+    if (existingOrganization) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Organization with this slug already exists"
+        }
+      });
+    }
+    const organization2 = await adapter.createOrganization({
+      organization: {
+        id: generateId(),
+        slug: ctx.body.slug,
+        name: ctx.body.name
+      },
+      user
+    });
+    return ctx.json(organization2);
+  }
+);
+var updateOrganization = createAuthEndpoint(
+  "/organization/update",
+  {
+    method: "POST",
+    body: z10.object({
+      name: z10.string().optional(),
+      slug: z10.string().optional(),
+      orgId: z10.string().optional()
+    }),
+    requireHeaders: true,
+    use: [orgMiddleware]
+  },
+  async (ctx) => {
+    const session = await ctx.context.getSession(ctx);
+    if (!session) {
+      return ctx.json(null, {
+        status: 401
+      });
+    }
+    const orgId = ctx.body.orgId || session.session.activeOrganizationId;
+    if (!orgId) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Organization id not found!"
+        }
+      });
+    }
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const member = await adapter.findMemberByOrgId({
+      userId: session.user.id,
+      organizationId: orgId
+    });
+    if (!member) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User is not a member of this organization!"
+        }
+      });
+    }
+    const role2 = ctx.context.roles[member.role];
+    if (!role2) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Role not found!"
+        }
+      });
+    }
+    const canUpdateOrg = role2.authorize({
+      organization: ["update"]
+    });
+    if (canUpdateOrg.error) {
+      return ctx.json(null, {
+        body: {
+          message: "You are not allowed to update this organization"
+        },
+        status: 403
+      });
+    }
+    const updatedOrg = await adapter.updateOrganization(orgId, ctx.body);
+    return ctx.json(updatedOrg);
+  }
+);
+var deleteOrganization = createAuthEndpoint(
+  "/organization/delete",
+  {
+    method: "POST",
+    body: z10.object({
+      orgId: z10.string()
+    }),
+    requireHeaders: true,
+    use: [orgMiddleware]
+  },
+  async (ctx) => {
+    const session = await ctx.context.getSession(ctx);
+    if (!session) {
+      return ctx.json(null, {
+        status: 401
+      });
+    }
+    const orgId = ctx.body.orgId;
+    if (!orgId) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Organization id not found!"
+        }
+      });
+    }
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const member = await adapter.findMemberByOrgId({
+      userId: session.user.id,
+      organizationId: orgId
+    });
+    if (!member) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User is not a member of this organization!"
+        }
+      });
+    }
+    const role2 = ctx.context.roles[member.role];
+    if (!role2) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Role not found!"
+        }
+      });
+    }
+    const canDeleteOrg = role2.authorize({
+      organization: ["delete"]
+    });
+    if (canDeleteOrg.error) {
+      return ctx.json(null, {
+        body: {
+          message: "You are not allowed to delete this organization"
+        },
+        status: 403
+      });
+    }
+    if (orgId === session.session.activeOrganizationId) {
+      await adapter.setActiveOrganization(session.session.id, null);
+    }
+    const deletedOrg = await adapter.deleteOrganization(orgId);
+    return ctx.json(deletedOrg);
+  }
+);
+var getFullOrganization = createAuthEndpoint(
+  "/organization/full",
+  {
+    method: "GET",
+    query: z10.object({
+      orgId: z10.string().optional()
+    }),
+    requireHeaders: true,
+    use: [orgMiddleware, orgSessionMiddleware]
+  },
+  async (ctx) => {
+    const session = ctx.context.session;
+    const orgId = ctx.query.orgId || session.session.activeOrganizationId;
+    if (!orgId) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Organization id not found!"
+        }
+      });
+    }
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const organization2 = await adapter.findFullOrganization(orgId);
+    if (!organization2) {
+      return ctx.json(null, {
+        status: 404,
+        body: {
+          message: "Organization not found!"
+        }
+      });
+    }
+    return ctx.json(organization2);
+  }
+);
+var setActiveOrganization = createAuthEndpoint(
+  "/organization/set-active",
+  {
+    method: "POST",
+    body: z10.object({
+      orgId: z10.string()
+    }),
+    use: [sessionMiddleware, orgMiddleware]
+  },
+  async (ctx) => {
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const session = ctx.context.session;
+    const orgId = ctx.body.orgId;
+    await adapter.setActiveOrganization(session.session.id, orgId);
+    const organization2 = await adapter.findFullOrganization(orgId);
+    return ctx.json(organization2);
+  }
+);
+var listOrganization = createAuthEndpoint(
+  "/organization/list",
+  {
+    method: "GET",
+    use: [orgMiddleware, orgSessionMiddleware]
+  },
+  async (ctx) => {
+    const adapter = getOrgAdapter(ctx.context.adapter, ctx.context.orgOptions);
+    const organizations = await adapter.listOrganizations(
+      ctx.context.session.user.id
+    );
+    return ctx.json(organizations);
+  }
+);
+
+// src/plugins/organization/organization.ts
+var organization = (options) => {
+  const endpoints = {
+    createOrganization,
+    updateOrganization,
+    setActiveOrganization,
+    getFullOrganization,
+    listOrganization,
+    createInvitation,
+    cancelInvitation,
+    acceptInvitation,
+    getActiveInvitation,
+    rejectInvitation,
+    removeMember,
+    updateMember
+  };
+  const roles = {
+    ...defaultRoles,
+    ...options?.roles
+  };
+  const api = shimContext(endpoints, {
+    orgOptions: options || {},
+    roles,
+    getSession: async (context) => {
+      return await getSessionFromCtx(context);
+    }
+  });
+  return {
+    id: "organization",
+    endpoints: {
+      ...api,
+      hasPermission: createAuthEndpoint(
+        "/organization/has-permission",
+        {
+          method: "POST",
+          requireHeaders: true,
+          body: z11.object({
+            permission: z11.record(z11.string(), z11.array(z11.string()))
+          }),
+          use: [orgSessionMiddleware]
+        },
+        async (ctx) => {
+          if (!ctx.context.session.session.activeOrganizationId) {
+            throw new APIError5("BAD_REQUEST", {
+              message: "No active organization"
+            });
+          }
+          const adapter = getOrgAdapter(ctx.context.adapter);
+          const member = await adapter.findMemberByOrgId({
+            userId: ctx.context.session.user.id,
+            organizationId: ctx.context.session.session.activeOrganizationId || ""
+          });
+          if (!member) {
+            throw new APIError5("UNAUTHORIZED", {
+              message: "You are not a member of this organization"
+            });
+          }
+          const role2 = roles[member.role];
+          const result = role2.authorize(ctx.body.permission);
+          if (result.error) {
+            return ctx.json(
+              {
+                error: result.error,
+                success: false
+              },
+              {
+                status: 403
+              }
+            );
+          }
+          return ctx.json({
+            error: null,
+            success: true
+          });
+        }
+      )
+    },
+    schema: {
+      session: {
+        fields: {
+          activeOrganizationId: {
+            type: "string",
+            required: false
+          }
+        }
+      },
+      organization: {
+        fields: {
+          name: {
+            type: "string"
+          },
+          slug: {
+            type: "string",
+            unique: true
+          }
+        }
+      },
+      member: {
+        fields: {
+          organizationId: {
+            type: "string",
+            required: true
+          },
+          userId: {
+            type: "string",
+            required: true
+          },
+          email: {
+            type: "string",
+            required: true
+          },
+          name: {
+            type: "string"
+          },
+          role: {
+            type: "string",
+            required: true,
+            defaultValue: "member"
+          }
+        }
+      },
+      invitation: {
+        fields: {
+          organizationId: {
+            type: "string",
+            required: true
+          },
+          email: {
+            type: "string",
+            required: true
+          },
+          role: {
+            type: "string",
+            required: false
+          },
+          status: {
+            type: "string",
+            required: true,
+            defaultValue: "pending"
+          },
+          expiresAt: {
+            type: "date",
+            required: true
+          },
+          inviterId: {
+            type: "string",
+            references: {
+              model: "user",
+              field: "id"
+            }
+          }
+        }
+      }
+    }
+  };
+};
+
+// src/plugins/two-factor/index.ts
+import { alphabet as alphabet3, generateRandomString as generateRandomString3 } from "oslo/crypto";
+import "zod";
+
+// src/crypto/index.ts
+import { xchacha20poly1305 } from "@noble/ciphers/chacha";
+import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/ciphers/utils";
+import { managedNonce } from "@noble/ciphers/webcrypto";
+import { sha256 } from "@noble/hashes/sha256";
+async function hs256(secretKey, message) {
+  const enc = new TextEncoder();
+  const algorithm = { name: "HMAC", hash: "SHA-256" };
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secretKey),
+    algorithm,
+    false,
+    ["sign", "verify"]
+  );
+  const signature = await crypto.subtle.sign(
+    algorithm.name,
+    key,
+    enc.encode(message)
+  );
+  return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+var symmetricEncrypt = ({ key, data }) => {
+  const keyAsBytes = sha256(key);
+  const dataAsBytes = utf8ToBytes(data);
+  const chacha = managedNonce(xchacha20poly1305)(keyAsBytes);
+  return bytesToHex(chacha.encrypt(dataAsBytes));
+};
+var symmetricDecrypt = ({ key, data }) => {
+  const keyAsBytes = sha256(key);
+  const dataAsBytes = hexToBytes(data);
+  const chacha = managedNonce(xchacha20poly1305)(keyAsBytes);
+  return chacha.decrypt(dataAsBytes);
+};
+
+// src/plugins/two-factor/backup-codes/index.ts
+import { alphabet as alphabet2, generateRandomString as generateRandomString2 } from "oslo/crypto";
+import { z as z12 } from "zod";
+
+// src/plugins/two-factor/verify-middleware.ts
+import { APIError as APIError6 } from "better-call";
+
+// src/plugins/two-factor/constant.ts
+var TWO_FACTOR_COOKIE_NAME = "better-auth.two-factor";
+var OTP_RANDOM_NUMBER_COOKIE_NAME = "otp.counter";
+
+// src/plugins/two-factor/verify-middleware.ts
+var verifyTwoFactorMiddleware = createAuthMiddleware(async (ctx) => {
+  const cookie = await ctx.getSignedCookie(
+    TWO_FACTOR_COOKIE_NAME,
+    ctx.context.secret
+  );
+  if (!cookie) {
+    throw new APIError6("UNAUTHORIZED", {
+      message: "two factor isn't enabled"
+    });
+  }
+  const [userId, hash] = cookie.split("!");
+  if (!userId || !hash) {
+    throw new APIError6("UNAUTHORIZED", {
+      message: "invalid two factor cookie"
+    });
+  }
+  const sessions = await ctx.context.adapter.findMany({
+    model: "session",
+    where: [
+      {
+        field: "userId",
+        value: userId
+      }
+    ]
+  });
+  if (!sessions.length) {
+    throw new APIError6("UNAUTHORIZED", {
+      message: "invalid session"
+    });
+  }
+  const activeSessions = sessions.filter(
+    (session) => session.expiresAt > /* @__PURE__ */ new Date()
+  );
+  if (!activeSessions) {
+    throw new APIError6("UNAUTHORIZED", {
+      message: "invalid session"
+    });
+  }
+  for (const session of activeSessions) {
+    const hashToMatch = await hs256(ctx.context.secret, session.id);
+    const user = await ctx.context.adapter.findOne({
+      model: "user",
+      where: [
+        {
+          field: "id",
+          value: session.userId
+        }
+      ]
+    });
+    if (!user) {
+      throw new APIError6("UNAUTHORIZED", {
+        message: "invalid session"
+      });
+    }
+    if (hashToMatch === hash) {
+      return {
+        valid: async () => {
+          await ctx.setSignedCookie(
+            ctx.context.authCookies.sessionToken.name,
+            session.id,
+            ctx.context.secret,
+            ctx.context.authCookies.sessionToken.options
+          );
+          if (ctx.body.callbackURL) {
+            return ctx.json({
+              status: true,
+              callbackURL: ctx.body.callbackURL,
+              redirect: true
+            });
+          }
+          return ctx.json({ status: true });
+        },
+        invalid: async () => {
+          return ctx.json(
+            { status: false },
+            {
+              status: 401,
+              body: {
+                message: "Invalid code"
+              }
+            }
+          );
+        },
+        session: {
+          id: session.id,
+          userId: session.userId,
+          expiresAt: session.expiresAt,
+          user
+        }
+      };
+    }
+  }
+  throw new APIError6("UNAUTHORIZED", {
+    message: "invalid two factor authentication"
+  });
+});
+
+// src/plugins/two-factor/backup-codes/index.ts
+function generateBackupCodesFn(options) {
+  return Array.from({ length: options?.amount ?? 10 }).fill(null).map(
+    () => generateRandomString2(options?.length ?? 10, alphabet2("a-z", "0-9"))
+  ).map((code) => `${code.slice(0, 5)}-${code.slice(5)}`);
+}
+async function generateBackupCodes(secret, options) {
+  const key = secret;
+  const backupCodes = options?.customBackupCodesGenerate ? options.customBackupCodesGenerate() : generateBackupCodesFn();
+  const encCodes = symmetricEncrypt({
+    data: JSON.stringify(backupCodes),
+    key
+  });
+  return {
+    backupCodes,
+    encryptedBackupCodes: encCodes
+  };
+}
+async function verifyBackupCode(data, key) {
+  const codes = await getBackupCodes(data.user, key);
+  if (!codes) {
+    return false;
+  }
+  return codes.includes(data.code);
+}
+async function getBackupCodes(user, key) {
+  const secret = Buffer.from(
+    await symmetricDecrypt({ key, data: user.twoFactorBackupCodes })
+  ).toString("utf-8");
+  const data = JSON.parse(secret);
+  const result = z12.array(z12.string()).safeParse(data);
+  if (result.success) {
+    return result.data;
+  }
+  return null;
+}
+var backupCode2fa = (options) => {
+  return {
+    id: "backup_code",
+    endpoints: {
+      verifyBackupCode: createAuthEndpoint(
+        "/two-factor/verify-backup-code",
+        {
+          method: "POST",
+          body: z12.object({
+            code: z12.string()
+          }),
+          use: [verifyTwoFactorMiddleware]
+        },
+        async (ctx) => {
+          const validate = verifyBackupCode(
+            {
+              user: ctx.context.session.user,
+              code: ctx.body.code
+            },
+            ctx.context.secret
+          );
+          if (!validate) {
+            return ctx.json(
+              { status: false },
+              {
+                status: 401
+              }
+            );
+          }
+          return ctx.json({ status: true });
+        }
+      ),
+      generateBackupCodes: createAuthEndpoint(
+        "/two-factor/generate-backup-codes",
+        {
+          method: "POST",
+          use: [sessionMiddleware]
+        },
+        async (ctx) => {
+          const backupCodes = await generateBackupCodes(
+            ctx.context.secret,
+            options
+          );
+          await ctx.context.adapter.update({
+            model: "user",
+            update: {
+              twoFactorEnabled: true,
+              twoFactorBackupCodes: backupCodes.encryptedBackupCodes
+            },
+            where: [
+              {
+                field: "id",
+                value: ctx.context.session.user.id
+              }
+            ]
+          });
+          return ctx.json({
+            status: true,
+            backupCodes: backupCodes.backupCodes
+          });
+        }
+      ),
+      viewBackupCodes: createAuthEndpoint(
+        "/view/backup-codes",
+        {
+          method: "GET",
+          use: [sessionMiddleware]
+        },
+        async (ctx) => {
+          const user = ctx.context.session.user;
+          const backupCodes = getBackupCodes(user, ctx.context.secret);
+          return ctx.json({
+            status: true,
+            backupCodes
+          });
+        }
+      )
+    }
+  };
+};
+
+// src/plugins/two-factor/otp/index.ts
+import { APIError as APIError7 } from "better-call";
+import { generateRandomInteger } from "oslo/crypto";
+import { generateHOTP } from "oslo/otp";
+import { z as z13 } from "zod";
+var otp2fa = (options) => {
+  const send2FaOTP = createAuthEndpoint(
+    "/two-factor/send-otp",
+    {
+      method: "POST",
+      use: [verifyTwoFactorMiddleware]
+    },
+    async (ctx) => {
+      if (!options || !options.sendOTP) {
+        ctx.context.logger.error(
+          "otp isn't configured. please pass otp option on two factor plugin to enable otp"
+        );
+        throw new APIError7("BAD_REQUEST", {
+          message: "otp isn't configured"
+        });
+      }
+      const randomNumber = generateRandomInteger(1e5);
+      const otp = await generateHOTP(
+        Buffer.from(ctx.context.secret),
+        randomNumber
+      );
+      await options.sendOTP(ctx.context.session.user, otp);
+      const cookie = ctx.context.createAuthCookie(
+        OTP_RANDOM_NUMBER_COOKIE_NAME,
+        {
+          maxAge: options.period
+        }
+      );
+      await ctx.setSignedCookie(
+        cookie.name,
+        randomNumber.toString(),
+        ctx.context.secret,
+        cookie.options
+      );
+      return ctx.json({ status: true });
+    }
+  );
+  const verifyOTP = createAuthEndpoint(
+    "/two-factor/verify-otp",
+    {
+      method: "POST",
+      body: z13.object({
+        code: z13.string()
+      }),
+      use: [verifyTwoFactorMiddleware]
+    },
+    async (ctx) => {
+      const user = ctx.context.session.user;
+      if (!user.twoFactorEnabled) {
+        throw new APIError7("BAD_REQUEST", {
+          message: "two factor isn't enabled"
+        });
+      }
+      const cookie = ctx.context.createAuthCookie(
+        OTP_RANDOM_NUMBER_COOKIE_NAME
+      );
+      const randomNumber = await ctx.getSignedCookie(
+        cookie.name,
+        ctx.context.secret
+      );
+      if (!randomNumber) {
+        throw new APIError7("UNAUTHORIZED", {
+          message: "OTP is expired"
+        });
+      }
+      const toCheckOtp = await generateHOTP(
+        Buffer.from(ctx.context.secret),
+        parseInt(randomNumber)
+      );
+      if (toCheckOtp === ctx.body.code) {
+        ctx.setCookie(cookie.name, "", {
+          path: "/",
+          sameSite: "lax",
+          httpOnly: true,
+          secure: false,
+          maxAge: 0
+        });
+        return ctx.context.valid();
+      } else {
+        return ctx.context.invalid();
+      }
+    }
+  );
+  return {
+    id: "otp",
+    endpoints: {
+      send2FaOTP,
+      verifyOTP
+    }
+  };
+};
+
+// src/plugins/two-factor/totp/index.ts
+import { APIError as APIError8 } from "better-call";
+import { TimeSpan as TimeSpan3 } from "oslo";
+import { TOTPController, createTOTPKeyURI } from "oslo/otp";
+import { z as z14 } from "zod";
+var totp2fa = (options) => {
+  const opts = {
+    digits: 6,
+    period: new TimeSpan3(options?.period || 30, "s")
+  };
+  const generateTOTP = createAuthEndpoint(
+    "/totp/generate",
+    {
+      method: "POST",
+      use: [sessionMiddleware]
+    },
+    async (ctx) => {
+      if (!options) {
+        ctx.context.logger.error(
+          "totp isn't configured. please pass totp option on two factor plugin to enable totp"
+        );
+        throw new APIError8("BAD_REQUEST", {
+          message: "totp isn't configured"
+        });
+      }
+      const session = ctx.context.session.user;
+      const totp = new TOTPController(opts);
+      const code = await totp.generate(Buffer.from(session.twoFactorSecret));
+      return { code };
+    }
+  );
+  const getTOTPURI = createAuthEndpoint(
+    "/two-factor/get-totp-uri",
+    {
+      method: "GET",
+      use: [sessionMiddleware]
+    },
+    async (ctx) => {
+      if (!options) {
+        ctx.context.logger.error(
+          "totp isn't configured. please pass totp option on two factor plugin to enable totp"
+        );
+        throw new APIError8("BAD_REQUEST", {
+          message: "totp isn't configured"
+        });
+      }
+      const user = ctx.context.session.user;
+      return {
+        totpURI: createTOTPKeyURI(
+          options?.issuer || "BetterAuth",
+          user.email,
+          Buffer.from(user.twoFactorSecret),
+          opts
+        )
+      };
+    }
+  );
+  const verifyTOTP = createAuthEndpoint(
+    "/two-factor/verify-totp",
+    {
+      method: "POST",
+      body: z14.object({
+        code: z14.string(),
+        callbackURL: z14.string().optional()
+      }),
+      use: [verifyTwoFactorMiddleware]
+    },
+    async (ctx) => {
+      if (!options) {
+        ctx.context.logger.error(
+          "totp isn't configured. please pass totp option on two factor plugin to enable totp"
+        );
+        throw new APIError8("BAD_REQUEST", {
+          message: "totp isn't configured"
+        });
+      }
+      const totp = new TOTPController(opts);
+      const secret = Buffer.from(
+        await symmetricDecrypt({
+          key: ctx.context.secret,
+          data: ctx.context.session.user.twoFactorSecret
+        })
+      );
+      const status = await totp.verify(ctx.body.code, secret);
+      if (!status) {
+        return ctx.context.invalid();
+      }
+      return ctx.context.valid();
+    }
+  );
+  return {
+    id: "totp",
+    endpoints: {
+      generateTOTP,
+      viewTOTPURI: getTOTPURI,
+      verifyTOTP
+    }
+  };
+};
+
+// src/client/create-client-plugin.ts
+var createClientPlugin = () => {
+  return ($fn) => {
+    return ($fetch) => {
+      const data = $fn($fetch);
+      return {
+        ...data,
+        integrations: data.integrations,
+        plugin: {}
+      };
+    };
+  };
+};
+
+// src/plugins/two-factor/client.ts
+var twoFactorClient = (options = {
+  redirect: true,
+  twoFactorPage: "/"
+}) => {
+  return createClientPlugin()(($fetch) => {
+    return {
+      id: "two-factor",
+      authProxySignal: [
+        {
+          matcher: (path) => path === "/two-factor/enable" || path === "/two-factor/send-otp",
+          atom: "$sessionSignal"
+        }
+      ],
+      pathMethods: {
+        "enable/totp": "POST",
+        "/two-factor/disable": "POST",
+        "/two-factor/enable": "POST",
+        "/two-factor/send-otp": "POST"
+      },
+      fetchPlugins: [
+        {
+          id: "two-factor",
+          name: "two-factor",
+          hooks: {
+            async onSuccess(context) {
+              if (context.data?.twoFactorRedirect) {
+                if (options.redirect) {
+                  window.location.href = options.twoFactorPage;
+                }
+              }
+            }
+          }
+        }
+      ]
+    };
+  });
+};
+
+// src/plugins/two-factor/index.ts
+var twoFactor = (options) => {
+  const totp = totp2fa({
+    issuer: options.issuer,
+    ...options.totpOptions
+  });
+  const backupCode = backupCode2fa(options.backupCodeOptions);
+  const otp = otp2fa(options.otpOptions);
+  const providers = [totp, backupCode, otp];
+  return {
+    id: "two-factor",
+    endpoints: {
+      ...totp.endpoints,
+      ...otp.endpoints,
+      ...backupCode.endpoints,
+      enableTwoFactor: createAuthEndpoint(
+        "/two-factor/enable",
+        {
+          method: "POST",
+          use: [sessionMiddleware]
+        },
+        async (ctx) => {
+          const user = ctx.context.session.user;
+          const secret = generateRandomString3(16, alphabet3("a-z", "0-9", "-"));
+          const encryptedSecret = await symmetricEncrypt({
+            key: ctx.context.secret,
+            data: secret
+          });
+          const backupCodes = await generateBackupCodes(
+            ctx.context.secret,
+            options.backupCodeOptions
+          );
+          await ctx.context.adapter.update({
+            model: "user",
+            update: {
+              twoFactorSecret: encryptedSecret,
+              twoFactorEnabled: true,
+              twoFactorBackupCodes: backupCodes.encryptedBackupCodes
+            },
+            where: [
+              {
+                field: "id",
+                value: user.id
+              }
+            ]
+          });
+          return ctx.json({ status: true });
+        }
+      ),
+      disableTwoFactor: createAuthEndpoint(
+        "/two-factor/disable",
+        {
+          method: "POST",
+          use: [sessionMiddleware]
+        },
+        async (ctx) => {
+          const user = ctx.context.session.user;
+          await ctx.context.adapter.update({
+            model: "user",
+            update: {
+              twoFactorEnabled: false
+            },
+            where: [
+              {
+                field: "id",
+                value: user.id
+              }
+            ]
+          });
+          return ctx.json({ status: true });
+        }
+      )
+    },
+    options,
+    hooks: {
+      after: [
+        {
+          matcher(context) {
+            return context.path === "/sign-in/email" || context.path === "/sign-in/username";
+          },
+          handler: createAuthMiddleware(async (ctx) => {
+            const returned = await ctx.returned;
+            if (returned?.status !== 200) {
+              return;
+            }
+            const response = await returned.json();
+            if (!response.user.twoFactorEnabled) {
+              return;
+            }
+            ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
+              path: "/",
+              sameSite: "lax",
+              httpOnly: true,
+              secure: false,
+              maxAge: 0
+            });
+            const hash = await hs256(ctx.context.secret, response.session.id);
+            await ctx.setSignedCookie(
+              "better-auth.two-factor",
+              `${response.session.userId}!${hash}`,
+              ctx.context.secret,
+              ctx.context.authCookies.sessionToken.options
+            );
+            const res = new Response(
+              JSON.stringify({
+                twoFactorRedirect: true
+              }),
+              {
+                headers: ctx.responseHeader
+              }
+            );
+            return {
+              response: res
+            };
+          })
+        }
+      ]
+    },
+    schema: {
+      user: {
+        fields: {
+          twoFactorEnabled: {
+            type: "boolean",
+            required: false,
+            defaultValue: false
+          },
+          twoFactorSecret: {
+            type: "string",
+            required: false
+          },
+          twoFactorBackupCodes: {
+            type: "string",
+            required: false,
+            returned: false
+          }
+        }
+      }
+    }
+  };
+};
+
+// src/plugins/passkey/index.ts
+import {
+  generateAuthenticationOptions,
+  generateRegistrationOptions,
+  verifyAuthenticationResponse,
+  verifyRegistrationResponse
+} from "@simplewebauthn/server";
+import { APIError as APIError9 } from "better-call";
+import { alphabet as alphabet4, generateRandomString as generateRandomString4 } from "oslo/crypto";
+import { z as z16 } from "zod";
+
+// src/plugins/passkey/client.ts
+import {
+  WebAuthnError,
+  startAuthentication,
+  startRegistration
+} from "@simplewebauthn/browser";
+var getPasskeyActions = ($fetch) => {
+  const signInPasskey = async (opts) => {
+    const response = await $fetch(
+      "/passkey/generate-authenticate-options",
+      {
+        method: "POST",
+        body: {
+          email: opts?.email
+        }
+      }
+    );
+    if (!response.data) {
+      return response;
+    }
+    try {
+      const res = await startAuthentication(
+        response.data,
+        opts?.autoFill || false
+      );
+      const verified = await $fetch("/passkey/verify-authentication", {
+        body: {
+          response: res,
+          type: "authenticate"
+        }
+      });
+      if (!verified.data) {
+        return verified;
+      }
+    } catch (e) {
+      console.log(e);
+    }
+  };
+  const registerPasskey = async () => {
+    const options = await $fetch(
+      "/passkey/generate-register-options",
+      {
+        method: "GET"
+      }
+    );
+    if (!options.data) {
+      return options;
+    }
+    try {
+      const res = await startRegistration(options.data);
+      const verified = await $fetch("/passkey/verify-registration", {
+        body: {
+          response: res,
+          type: "register"
+        }
+      });
+      if (!verified.data) {
+        return verified;
+      }
+    } catch (e) {
+      if (e instanceof WebAuthnError) {
+        if (e.code === "ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED") {
+          return {
+            data: null,
+            error: {
+              message: "previously registered",
+              status: 400,
+              statusText: "BAD_REQUEST"
+            }
+          };
+        }
+      }
+    }
+  };
+  return {
+    signInPasskey,
+    registerPasskey
+  };
+};
+var passkeyClient = createClientPlugin()(
+  ($fetch) => {
+    return {
+      id: "passkey",
+      actions: getPasskeyActions($fetch)
+    };
+  }
+);
+
+// src/plugins/passkey/index.ts
+var passkey = (options) => {
+  const opts = {
+    origin: null,
+    ...options,
+    rpID: process.env.NODE_ENV === "development" ? "localhost" : options.rpID,
+    advanced: {
+      webAuthnChallengeCookie: "better-auth-passkey",
+      ...options.advanced
+    }
+  };
+  const webAuthnChallengeCookieExpiration = 60 * 60 * 24;
+  return {
+    id: "passkey",
+    endpoints: {
+      generatePasskeyRegistrationOptions: createAuthEndpoint(
+        "/passkey/generate-register-options",
+        {
+          method: "GET",
+          use: [sessionMiddleware],
+          metadata: {
+            client: false
+          }
+        },
+        async (ctx) => {
+          const session = ctx.context.session;
+          const userPasskeys = await ctx.context.adapter.findMany({
+            model: "passkey",
+            where: [
+              {
+                field: "userId",
+                value: session.user.id
+              }
+            ]
+          });
+          const userID = new Uint8Array(
+            Buffer.from(generateRandomString4(32, alphabet4("a-z", "0-9")))
+          );
+          let options2;
+          options2 = await generateRegistrationOptions({
+            rpName: opts.rpName,
+            rpID: opts.rpID,
+            userID,
+            userName: session.user.email || session.user.id,
+            attestationType: "none",
+            excludeCredentials: userPasskeys.map((passkey2) => ({
+              id: passkey2.id,
+              transports: passkey2.transports?.split(
+                ","
+              )
+            })),
+            authenticatorSelection: {
+              residentKey: "preferred",
+              userVerification: "preferred",
+              authenticatorAttachment: "platform"
+            }
+          });
+          const data = {
+            expectedChallenge: options2.challenge,
+            userData: {
+              ...session.user,
+              email: session.user.email || session.user.id
+            }
+          };
+          await ctx.setSignedCookie(
+            opts.advanced.webAuthnChallengeCookie,
+            JSON.stringify(data),
+            ctx.context.secret,
+            {
+              secure: true,
+              httpOnly: true,
+              sameSite: "lax",
+              maxAge: webAuthnChallengeCookieExpiration
+            }
+          );
+          return ctx.json(options2, {
+            status: 200
+          });
+        }
+      ),
+      generatePasskeyAuthenticationOptions: createAuthEndpoint(
+        "/passkey/generate-authenticate-options",
+        {
+          method: "POST",
+          body: z16.object({
+            email: z16.string().optional(),
+            callbackURL: z16.string().optional()
+          }).optional()
+        },
+        async (ctx) => {
+          const session = await getSessionFromCtx(ctx);
+          let userPasskeys = [];
+          if (session) {
+            userPasskeys = await ctx.context.adapter.findMany({
+              model: "passkey",
+              where: [
+                {
+                  field: "userId",
+                  value: session.user.id
+                }
+              ]
+            });
+          }
+          const options2 = await generateAuthenticationOptions({
+            rpID: opts.rpID,
+            userVerification: "preferred",
+            ...userPasskeys.length ? {
+              allowCredentials: userPasskeys.map((passkey2) => ({
+                id: passkey2.id,
+                transports: passkey2.transports?.split(
+                  ","
+                )
+              }))
+            } : {}
+          });
+          const data = {
+            expectedChallenge: options2.challenge,
+            userData: {
+              email: session?.user.email || session?.user.id || "",
+              id: session?.user.id || ""
+            },
+            callbackURL: ctx.body?.callbackURL
+          };
+          await ctx.setSignedCookie(
+            opts.advanced.webAuthnChallengeCookie,
+            JSON.stringify(data),
+            ctx.context.secret,
+            {
+              secure: true,
+              httpOnly: true,
+              sameSite: "lax",
+              maxAge: webAuthnChallengeCookieExpiration
+            }
+          );
+          return ctx.json(options2, {
+            status: 200
+          });
+        }
+      ),
+      verifyPasskeyRegistration: createAuthEndpoint(
+        "/passkey/verify-registration",
+        {
+          method: "POST",
+          body: z16.object({
+            response: z16.any()
+          }),
+          use: [sessionMiddleware]
+        },
+        async (ctx) => {
+          const origin = options.origin || ctx.headers?.get("origin") || "";
+          if (!origin) {
+            return ctx.json(null, {
+              status: 400
+            });
+          }
+          const resp = ctx.body.response;
+          const challengeString = await ctx.getSignedCookie(
+            opts.advanced.webAuthnChallengeCookie,
+            ctx.context.secret
+          );
+          if (!challengeString) {
+            return ctx.json(null, {
+              status: 400
+            });
+          }
+          const { userData, expectedChallenge } = JSON.parse(
+            challengeString
+          );
+          if (userData.id !== ctx.context.session.user.id) {
+            throw new APIError9("UNAUTHORIZED", {
+              message: "You are not authorized to register this passkey"
+            });
+          }
+          try {
+            const verification = await verifyRegistrationResponse({
+              response: resp,
+              expectedChallenge,
+              expectedOrigin: origin,
+              expectedRPID: options.rpID
+            });
+            const { verified, registrationInfo } = verification;
+            if (!verified || !registrationInfo) {
+              return ctx.json(null, {
+                status: 400
+              });
+            }
+            const {
+              credentialID,
+              credentialPublicKey,
+              counter,
+              credentialDeviceType,
+              credentialBackedUp
+            } = registrationInfo;
+            const pubKey = Buffer.from(credentialPublicKey).toString("base64");
+            const userID = generateRandomString4(32, alphabet4("a-z", "0-9"));
+            const newPasskey = {
+              userId: userData.id,
+              webauthnUserID: userID,
+              id: credentialID,
+              publicKey: pubKey,
+              counter,
+              deviceType: credentialDeviceType,
+              transports: resp.response.transports.join(","),
+              backedUp: credentialBackedUp,
+              createdAt: /* @__PURE__ */ new Date()
+            };
+            const newPasskeyRes = await ctx.context.adapter.create({
+              model: "passkey",
+              data: newPasskey
+            });
+            return ctx.json(newPasskeyRes, {
+              status: 200
+            });
+          } catch (e) {
+            console.log(e);
+            return ctx.json(null, {
+              status: 400,
+              body: {
+                message: "Registration failed"
+              }
+            });
+          }
+        }
+      ),
+      verifyPasskeyAuthentication: createAuthEndpoint(
+        "/passkey/verify-authentication",
+        {
+          method: "POST",
+          body: z16.object({
+            response: z16.any()
+          })
+        },
+        async (ctx) => {
+          const origin = options.origin || ctx.headers?.get("origin") || "";
+          if (!origin) {
+            return ctx.json(null, {
+              status: 400
+            });
+          }
+          const resp = ctx.body.response;
+          const challengeString = await ctx.getSignedCookie(
+            opts.advanced.webAuthnChallengeCookie,
+            ctx.context.secret
+          );
+          if (!challengeString) {
+            return ctx.json(null, {
+              status: 400
+            });
+          }
+          const { expectedChallenge, callbackURL } = JSON.parse(
+            challengeString
+          );
+          const passkey2 = await ctx.context.adapter.findOne({
+            model: "passkey",
+            where: [
+              {
+                field: "id",
+                value: resp.id
+              }
+            ]
+          });
+          if (!passkey2) {
+            return ctx.json(null, {
+              status: 401,
+              body: {
+                message: "Passkey not found"
+              }
+            });
+          }
+          try {
+            const verification = await verifyAuthenticationResponse({
+              response: resp,
+              expectedChallenge,
+              expectedOrigin: origin,
+              expectedRPID: opts.rpID,
+              authenticator: {
+                credentialID: passkey2.id,
+                credentialPublicKey: new Uint8Array(
+                  Buffer.from(passkey2.publicKey, "base64")
+                ),
+                counter: passkey2.counter,
+                transports: passkey2.transports?.split(
+                  ","
+                )
+              }
+            });
+            const { verified } = verification;
+            if (!verified)
+              return ctx.json(null, {
+                status: 401,
+                body: {
+                  message: "verification failed"
+                }
+              });
+            await ctx.context.adapter.update({
+              model: "passkey",
+              where: [
+                {
+                  field: "id",
+                  value: passkey2.id
+                }
+              ],
+              update: {
+                counter: verification.authenticationInfo.newCounter
+              }
+            });
+            const s = await ctx.context.internalAdapter.createSession(
+              passkey2.userId,
+              ctx.request
+            );
+            await ctx.setSignedCookie(
+              ctx.context.authCookies.sessionToken.name,
+              s.id,
+              ctx.context.secret,
+              ctx.context.authCookies.sessionToken.options
+            );
+            if (callbackURL) {
+              return ctx.json({
+                url: callbackURL,
+                redirect: true,
+                session: s
+              });
+            }
+            return ctx.json(
+              {
+                session: s
+              },
+              {
+                status: 200
+              }
+            );
+          } catch (e) {
+            ctx.context.logger.error(e);
+            return ctx.json(null, {
+              status: 400,
+              body: {
+                message: "Authentication failed"
+              }
+            });
+          }
+        }
+      )
+    },
+    schema: {
+      passkey: {
+        fields: {
+          publicKey: {
+            type: "string"
+          },
+          userId: {
+            type: "string",
+            references: {
+              model: "user",
+              field: "id"
+            }
+          },
+          webauthnUserID: {
+            type: "string"
+          },
+          counter: {
+            type: "number"
+          },
+          deviceType: {
+            type: "string"
+          },
+          backedUp: {
+            type: "boolean"
+          },
+          transports: {
+            type: "string",
+            required: false
+          },
+          createdAt: {
+            type: "date",
+            defaultValue: /* @__PURE__ */ new Date(),
+            required: false
+          }
+        }
+      }
+    }
+  };
+};
+
+// src/plugins/username/index.ts
+import { z as z18 } from "zod";
+import { Argon2id as Argon2id4 } from "oslo/password";
+import { APIError as APIError10 } from "better-call";
+
+// src/api/routes/sign-up.ts
+import { alphabet as alphabet5, generateRandomString as generateRandomString5 } from "oslo/crypto";
+import { Argon2id as Argon2id3 } from "oslo/password";
+import { z as z17 } from "zod";
+var signUpEmail = createAuthEndpoint(
+  "/sign-up/email",
+  {
+    method: "POST",
+    body: z17.object({
+      name: z17.string(),
+      email: z17.string().email(),
+      password: z17.string(),
+      image: z17.string().optional(),
+      callbackURL: z17.string().optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.enabled) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Email and password is not enabled"
+        }
+      });
+    }
+    const { name, email, password, image } = ctx.body;
+    const minPasswordLength = ctx.context.options?.emailAndPassword?.minPasswordLength || 8;
+    if (password.length < minPasswordLength) {
+      ctx.context.logger.error("Password is too short");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too short" }
+      });
+    }
+    const argon2id = new Argon2id3();
+    const dbUser = await ctx.context.internalAdapter.findUserByEmail(email);
+    const hash = await argon2id.hash(password);
+    if (dbUser?.user) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User already exists"
+        }
+      });
+    }
+    const createdUser = await ctx.context.internalAdapter.createUser({
+      id: generateRandomString5(32, alphabet5("a-z", "0-9", "A-Z")),
+      email: email.toLowerCase(),
+      name,
+      image,
+      emailVerified: false,
+      createdAt: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date()
+    });
+    await ctx.context.internalAdapter.linkAccount({
+      id: generateRandomString5(32, alphabet5("a-z", "0-9", "A-Z")),
+      userId: createdUser.id,
+      providerId: "credential",
+      accountId: createdUser.id,
+      password: hash
+    });
+    const session = await ctx.context.internalAdapter.createSession(
+      createdUser.id,
+      ctx.request
+    );
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      session.id,
+      ctx.context.secret,
+      ctx.context.authCookies.sessionToken.options
+    );
+    return ctx.json(
+      {
+        user: createdUser,
+        session
+      },
+      {
+        body: ctx.body.callbackURL ? {
+          url: ctx.body.callbackURL,
+          redirect: true
+        } : {
+          user: createdUser,
+          session
+        }
+      }
+    );
+  }
+);
+
+// src/plugins/username/index.ts
+var username = () => {
+  return {
+    id: "username",
+    endpoints: {
+      signInUsername: createAuthEndpoint(
+        "/sign-in/username",
+        {
+          method: "POST",
+          body: z18.object({
+            username: z18.string(),
+            password: z18.string(),
+            dontRememberMe: z18.boolean().optional(),
+            callbackURL: z18.string().optional()
+          })
+        },
+        async (ctx) => {
+          const user = await ctx.context.adapter.findOne({
+            model: "user",
+            where: [
+              {
+                field: "username",
+                value: ctx.body.username
+              }
+            ]
+          });
+          const argon2id = new Argon2id4();
+          if (!user) {
+            await argon2id.hash(ctx.body.password);
+            ctx.context.logger.error("User not found", { username });
+            throw new APIError10("UNAUTHORIZED", {
+              message: "Invalid email or password"
+            });
+          }
+          const account = await ctx.context.adapter.findOne({
+            model: "account",
+            where: [
+              {
+                field: "userId",
+                value: user.id
+              },
+              {
+                field: "providerId",
+                value: "credential"
+              }
+            ]
+          });
+          if (!account) {
+            throw new APIError10("UNAUTHORIZED", {
+              message: "Invalid email or password"
+            });
+          }
+          const currentPassword = account?.password;
+          if (!currentPassword) {
+            ctx.context.logger.error("Password not found", { username });
+            throw new APIError10("UNAUTHORIZED", {
+              message: "Unexpected error"
+            });
+          }
+          const validPassword = await argon2id.verify(
+            currentPassword,
+            ctx.body.password
+          );
+          if (!validPassword) {
+            ctx.context.logger.error("Invalid password");
+            throw new APIError10("UNAUTHORIZED", {
+              message: "Invalid email or password"
+            });
+          }
+          const session = await ctx.context.internalAdapter.createSession(
+            user.id,
+            ctx.request
+          );
+          await ctx.setSignedCookie(
+            ctx.context.authCookies.sessionToken.name,
+            session.id,
+            ctx.context.secret,
+            ctx.body.dontRememberMe ? {
+              ...ctx.context.authCookies.sessionToken.options,
+              maxAge: void 0
+            } : ctx.context.authCookies.sessionToken.options
+          );
+          return ctx.json({
+            user,
+            session,
+            redirect: !!ctx.body.callbackURL,
+            url: ctx.body.callbackURL
+          });
+        }
+      ),
+      signUpUsername: createAuthEndpoint(
+        "/sign-up/username",
+        {
+          method: "POST",
+          body: z18.object({
+            username: z18.string().min(3).max(20),
+            name: z18.string(),
+            email: z18.string().email(),
+            password: z18.string(),
+            image: z18.string().optional(),
+            callbackURL: z18.string().optional()
+          })
+        },
+        async (ctx) => {
+          const res = await signUpEmail({
+            ...ctx,
+            //@ts-expect-error
+            _flag: void 0
+          });
+          if (!res) {
+            return ctx.json(null, {
+              status: 400,
+              body: {
+                message: "Sign up failed",
+                status: 400
+              }
+            });
+          }
+          await ctx.context.internalAdapter.updateUserByEmail(res.user.email, {
+            username: ctx.body.username
+          });
+          if (ctx.body.callbackURL) {
+            return ctx.json(res, {
+              body: {
+                url: ctx.body.callbackURL,
+                redirect: true,
+                ...res
+              }
+            });
+          }
+          return ctx.json(res);
+        }
+      )
+    },
+    schema: {
+      user: {
+        fields: {
+          username: {
+            type: "string",
+            required: false,
+            unique: true,
+            returned: true
+          }
+        }
+      }
+    }
+  };
+};
+
+// src/plugins/bearer/index.ts
+import { serializeSigned } from "better-call";
+var bearer = () => {
+  return {
+    id: "bearer",
+    hooks: {
+      before: [
+        {
+          matcher(context) {
+            return context.request?.headers.get("authorization")?.startsWith("Bearer ") || false;
+          },
+          handler: async (ctx) => {
+            const token = ctx.request?.headers.get("authorization")?.replace("Bearer ", "");
+            if (!token) {
+              throw new BetterAuthError("No token found");
+            }
+            const headers = ctx.headers || new Headers();
+            const signedToken = await serializeSigned(
+              "",
+              token,
+              ctx.context.secret
+            );
+            headers.set(
+              "cookie",
+              `${ctx.context.authCookies.sessionToken.name}=${signedToken.replace("=", "")}`
+            );
+          }
+        }
+      ]
     }
-    return res;
   };
 };
 export {
-  emailVerification,
-  getPlugins,
-  usePlugins,
-  withPlugins
+  access_exports as ac,
+  bearer,
+  getPasskeyActions,
+  organization,
+  passkey,
+  passkeyClient,
+  twoFactor,
+  twoFactorClient,
+  username
 };
 //# sourceMappingURL=plugins.js.map