better-auth 0.0.8-beta.2 → 0.0.8-beta.21

package/dist/index.js

@@ -1,89 +1,24 @@
-// src/api/index.ts
-import { createRouter } from "better-call";
-
-// src/adapters/schema.ts
-import { z } from "zod";
-var accountSchema = z.object({
-  id: z.string(),
-  providerId: z.string(),
-  accountId: z.string(),
-  userId: z.string(),
-  accessToken: z.string().nullable().optional(),
-  refreshToken: z.string().nullable().optional(),
-  idToken: z.string().nullable().optional(),
-  accessTokenExpiresAt: z.date().nullable().optional(),
-  refreshTokenExpiresAt: z.date().nullable().optional(),
-  /**
-   * Password is only stored in the credential provider
-   */
-  password: z.string().optional().nullable()
-});
-var userSchema = z.object({
-  id: z.string(),
-  email: z.string().transform((val) => val.toLowerCase()),
-  emailVerified: z.boolean().default(false),
-  name: z.string(),
-  image: z.string().optional(),
-  createdAt: z.date().default(/* @__PURE__ */ new Date()),
-  updatedAt: z.date().default(/* @__PURE__ */ new Date())
-});
-var sessionSchema = z.object({
-  id: z.string(),
-  userId: z.string(),
-  expiresAt: z.date(),
-  ipAddress: z.string().optional(),
-  userAgent: z.string().optional()
-});
-function parseData(data, schema) {
-  const fields = schema.fields;
-  const parsedData = {};
-  for (const key in data) {
-    const field = fields[key];
-    if (!field) {
-      parsedData[key] = data[key];
-      continue;
-    }
-    if (field.returned === false) {
-      continue;
-    }
-    parsedData[key] = data[key];
-  }
-  return parsedData;
-}
-function getAllFields(options, table) {
-  let schema = {};
-  for (const plugin of options.plugins || []) {
-    if (plugin.schema && plugin.schema[table]) {
-      schema = {
-        ...schema,
-        ...plugin.schema[table].fields
-      };
-    }
-  }
-  return schema;
-}
-function parseUser(options, user) {
-  const schema = getAllFields(options, "user");
-  return parseData(user, { fields: schema });
-}
-function parseAccount(options, account) {
-  const schema = getAllFields(options, "account");
-  return parseData(account, { fields: schema });
-}
-function parseSession(options, session) {
-  const schema = getAllFields(options, "session");
-  return parseData(session, { fields: schema });
-}
-
-// src/api/middlewares/csrf.ts
-import { APIError } from "better-call";
-import { z as z2 } from "zod";
+import { createMiddleware, createMiddlewareCreator, createEndpointCreator, APIError, createRouter } from 'better-call';
+import { z } from 'zod';
+import '@noble/ciphers/chacha';
+import '@noble/ciphers/utils';
+import '@noble/ciphers/webcrypto';
+import '@noble/hashes/sha256';
+import { generateCodeVerifier, generateState as generateState$1 } from 'oslo/oauth2';
+import { Discord, Facebook, GitHub, Google, Spotify, Twitch, Twitter } from 'arctic';
+import { createJWT, validateJWT, parseJWT } from 'oslo/jwt';
+import { betterFetch } from '@better-fetch/fetch';
+import { createOAuth2Request, sendTokenRequest } from 'arctic/dist/request';
+import { createConsola } from 'consola';
+import { TimeSpan } from 'oslo';
+import { generateRandomString, alphabet } from 'oslo/crypto';
+import Database from 'better-sqlite3';
+import { Kysely, MysqlDialect, PostgresDialect, SqliteDialect } from 'kysely';
+import { createPool } from 'mysql2';
+import pg from 'pg';
+import * as argon2 from 'argon2';
 
-// src/crypto/index.ts
-import { xchacha20poly1305 } from "@noble/ciphers/chacha";
-import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/ciphers/utils";
-import { managedNonce } from "@noble/ciphers/webcrypto";
-import { sha256 } from "@noble/hashes/sha256";
+// src/api/index.ts
 async function hs256(secretKey, message) {
   const enc = new TextEncoder();
   const algorithm = { name: "HMAC", hash: "SHA-256" };
@@ -101,18 +36,20 @@ async function hs256(secretKey, message) {
   );
   return btoa(String.fromCharCode(...new Uint8Array(signature)));
 }
-
-// src/api/call.ts
-import {
-  createEndpointCreator,
-  createMiddleware,
-  createMiddlewareCreator
-} from "better-call";
 var optionsMiddleware = createMiddleware(async () => {
   return {};
 });
 var createAuthMiddleware = createMiddlewareCreator({
-  use: [optionsMiddleware]
+  use: [
+    optionsMiddleware,
+    /**
+     * This of for hooks. to tell ts there will a
+     * return response object
+     */
+    createMiddleware(async () => {
+      return {};
+    })
+  ]
 });
 var createAuthEndpoint = createEndpointCreator({
   use: [optionsMiddleware]
@@ -121,8 +58,8 @@ var createAuthEndpoint = createEndpointCreator({
 // src/api/middlewares/csrf.ts
 var csrfMiddleware = createAuthMiddleware(
   {
-    body: z2.object({
-      csrfToken: z2.string().optional()
+    body: z.object({
+      csrfToken: z.string().optional()
     }).optional()
   },
   async (ctx) => {
@@ -130,8 +67,7 @@ var csrfMiddleware = createAuthMiddleware(
       return;
     }
     const url = new URL(ctx.request.url);
-    console.log(url.origin, ctx.context.options.baseURL);
-    if (url.origin === ctx.context.options.baseURL || ctx.context.options.trustedOrigins?.includes(url.origin)) {
+    if (url.origin === new URL(ctx.context.baseURL).origin || ctx.context.options.trustedOrigins?.includes(url.origin)) {
       return;
     }
     const csrfToken = ctx.body?.csrfToken;
@@ -139,8 +75,8 @@ var csrfMiddleware = createAuthMiddleware(
       ctx.context.authCookies.csrfToken.name,
       ctx.context.secret
     );
-    const [token, hash] = csrfCookie?.split("!") || [null, null];
-    if (!csrfToken || !csrfCookie || !token || !hash || csrfCookie !== csrfToken) {
+    const [token, hash2] = csrfCookie?.split("!") || [null, null];
+    if (!csrfToken || !csrfCookie || !token || !hash2 || csrfCookie !== csrfToken) {
       ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
         maxAge: 0
       });
@@ -149,7 +85,7 @@ var csrfMiddleware = createAuthMiddleware(
       });
     }
     const expectedHash = await hs256(ctx.context.secret, token);
-    if (hash !== expectedHash) {
+    if (hash2 !== expectedHash) {
       ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
         maxAge: 0
       });
@@ -160,17 +96,6 @@ var csrfMiddleware = createAuthMiddleware(
   }
 );
 
-// src/api/routes/sign-in.ts
-import { APIError as APIError2 } from "better-call";
-import { generateCodeVerifier } from "oslo/oauth2";
-import { Argon2id } from "oslo/password";
-import { z as z3 } from "zod";
-
-// src/social-providers/apple.ts
-import "arctic";
-import { parseJWT } from "oslo/jwt";
-import { betterFetch } from "@better-fetch/fetch";
-
 // src/error/better-auth-error.ts
 var BetterAuthError = class extends Error {
   constructor(message) {
@@ -191,41 +116,47 @@ function checkHasPath(url) {
 function withPath(url, path = "/api/auth") {
   const hasPath = checkHasPath(url);
   if (hasPath) {
-    return {
-      baseURL: new URL(url).origin,
-      withPath: url
-    };
+    return url;
   }
   path = path.startsWith("/") ? path : `/${path}`;
-  return {
-    baseURL: url,
-    withPath: `${url}${path}`
-  };
+  return `${url}${path}`;
 }
 function getBaseURL(url, path) {
   if (url) {
     return withPath(url, path);
   }
   const env = typeof process !== "undefined" ? process.env : {};
-  const fromEnv = env.BETTER_AUTH_URL || env.AUTH_URL || env.NEXT_PUBLIC_AUTH_URL || env.NEXT_PUBLIC_BETTER_AUTH_URL || env.PUBLIC_AUTH_URL || env.PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_AUTH_URL;
+  const fromEnv = env.BETTER_AUTH_URL || env.NEXT_PUBLIC_BETTER_AUTH_URL || env.PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_AUTH_URL;
   if (fromEnv) {
     return withPath(fromEnv, path);
   }
-  const isDev = !fromEnv && (env.NODE_ENV === "development" || env.NODE_ENV === "test");
-  if (isDev) {
-    return {
-      baseURL: "http://localhost:3000",
-      withPath: "http://localhost:3000/api/auth"
-    };
+  if (typeof window !== "undefined") {
+    return withPath(window.location.origin, path);
   }
-  throw new BetterAuthError(
-    "Could not infer baseURL from environment variables"
-  );
+  return void 0;
 }
 
 // src/social-providers/utils.ts
 function getRedirectURI(providerId, redirectURI) {
-  return redirectURI || `${getBaseURL()}/api/auth/callback/${providerId}`;
+  return redirectURI || `${getBaseURL()}/callback/${providerId}`;
+}
+async function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint
+}) {
+  const body = new URLSearchParams();
+  body.set("grant_type", "authorization_code");
+  body.set("code", code);
+  body.set("code_verifier", codeVerifier || "");
+  body.set("redirect_uri", redirectURI);
+  body.set("client_id", options.clientId);
+  body.set("client_secret", options.clientSecret);
+  const request = createOAuth2Request(tokenEndpoint, body);
+  const tokens = await sendTokenRequest(request);
+  return tokens;
 }
 
 // src/social-providers/apple.ts
@@ -282,19 +213,11 @@ var apple = ({
     }
   };
 };
-
-// src/social-providers/discord.ts
-import { betterFetch as betterFetch2 } from "@better-fetch/fetch";
-import { Discord } from "arctic";
-var discord = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var discord = (options) => {
   const discordArctic = new Discord(
-    clientId,
-    clientSecret,
-    getRedirectURI("discord", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("discord", options.redirectURI)
   );
   return {
     id: "discord",
@@ -303,14 +226,22 @@ var discord = ({
       const _scope = scopes || ["email"];
       return discordArctic.createAuthorizationURL(state, _scope);
     },
-    validateAuthorizationCode: discordArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("discord", options.redirectURI),
+        options,
+        tokenEndpoint: "https://discord.com/api/oauth2/token"
+      });
+    },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch2(
+      const { data: profile, error: error2 } = await betterFetch(
         "https://discord.com/api/users/@me",
         {
           auth: {
             type: "Bearer",
-            token: token.accessToken
+            token: token.accessToken()
           }
         }
       );
@@ -329,19 +260,11 @@ var discord = ({
     }
   };
 };
-
-// src/social-providers/facebook.ts
-import { betterFetch as betterFetch3 } from "@better-fetch/fetch";
-import { Facebook } from "arctic";
-var facebook = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var facebook = (options) => {
   const facebookArctic = new Facebook(
-    clientId,
-    clientSecret,
-    getRedirectURI("facebook", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("facebook", options.redirectURI)
   );
   return {
     id: "facebook",
@@ -350,14 +273,22 @@ var facebook = ({
       const _scopes = scopes || ["email", "public_profile"];
       return facebookArctic.createAuthorizationURL(state, _scopes);
     },
-    validateAuthorizationCode: facebookArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("facebook", options.redirectURI),
+        options,
+        tokenEndpoint: "https://graph.facebook.com/v16.0/oauth/access_token"
+      });
+    },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch3(
+      const { data: profile, error: error2 } = await betterFetch(
         "https://graph.facebook.com/me",
         {
           auth: {
             type: "Bearer",
-            token: token.accessToken
+            token: token.accessToken()
           }
         }
       );
@@ -376,10 +307,6 @@ var facebook = ({
     }
   };
 };
-
-// src/social-providers/github.ts
-import { betterFetch as betterFetch4 } from "@better-fetch/fetch";
-import { GitHub } from "arctic";
 var github = ({
   clientId,
   clientSecret,
@@ -397,14 +324,17 @@ var github = ({
       const _scopes = scopes || ["user:email"];
       return githubArctic.createAuthorizationURL(state, _scopes);
     },
-    validateAuthorizationCode: githubArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (state) => {
+      return await githubArctic.validateAuthorizationCode(state);
+    },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch4(
+      console.log(`Bearer ${token.accessToken()}`);
+      const { data: profile, error: error2 } = await betterFetch(
         "https://api.github.com/user",
         {
-          method: "GET",
-          headers: {
-            Authorization: `Bearer ${token.accessToken}`
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
           }
         }
       );
@@ -413,10 +343,10 @@ var github = ({
       }
       let emailVerified = false;
       if (!profile.email) {
-        const { data, error: error3 } = await betterFetch4("https://api.github.com/user/emails", {
-          headers: {
-            Authorization: `Bearer ${token.accessToken}`,
-            "User-Agent": "better-auth"
+        const { data, error: error3 } = await betterFetch("https://api.github.com/user/emails", {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
           }
         });
         if (!error3) {
@@ -439,41 +369,81 @@ var github = ({
     }
   };
 };
-
-// src/social-providers/google.ts
-import { Google } from "arctic";
-import { parseJWT as parseJWT2 } from "oslo/jwt";
-var google = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var consola = createConsola({
+  formatOptions: {
+    date: false,
+    colors: true,
+    compact: true
+  },
+  defaults: {
+    tag: "Better Auth"
+  }
+});
+var createLogger = (options) => {
+  return {
+    log: (...args) => {
+      !options?.disabled && consola.log("", ...args);
+    },
+    error: (...args) => {
+      !options?.disabled && consola.error("", ...args);
+    },
+    warn: (...args) => {
+      !options?.disabled && consola.warn("", ...args);
+    },
+    info: (...args) => {
+      !options?.disabled && consola.info("", ...args);
+    },
+    debug: (...args) => {
+      !options?.disabled && consola.debug("", ...args);
+    },
+    box: (...args) => {
+      !options?.disabled && consola.box("", ...args);
+    },
+    success: (...args) => {
+      !options?.disabled && consola.success("", ...args);
+    },
+    break: (...args) => {
+      !options?.disabled && console.log("\n");
+    }
+  };
+};
+var logger = createLogger();
+var google = (options) => {
   const googleArctic = new Google(
-    clientId,
-    clientSecret,
-    getRedirectURI("google", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("google", options.redirectURI)
   );
   return {
     id: "google",
     name: "Google",
-    createAuthorizationURL({ state, scopes, codeVerifier }) {
+    createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+      if (!options.clientId || !options.clientSecret) {
+        logger.error(
+          "clientId and clientSecret is required for Google. Make sure to you have provided them in the options"
+        );
+        throw new BetterAuthError("clientId is required for Google");
+      }
       if (!codeVerifier) {
         throw new BetterAuthError("codeVerifier is required for Google");
       }
       const _scopes = scopes || ["email", "profile"];
       return googleArctic.createAuthorizationURL(state, codeVerifier, _scopes);
     },
-    validateAuthorizationCode: async (code, codeVerifier) => {
-      if (!codeVerifier) {
-        throw new BetterAuthError("codeVerifier is required for Google");
-      }
-      return googleArctic.validateAuthorizationCode(code, codeVerifier);
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("google", options.redirectURI),
+        options,
+        tokenEndpoint: "https://oauth2.googleapis.com/token"
+      });
     },
     async getUserInfo(token) {
       if (!token.idToken) {
         return null;
       }
-      const user = parseJWT2(token.idToken())?.payload;
+      const user = parseJWT(token.idToken())?.payload;
       return {
         user: {
           id: user.sub,
@@ -487,19 +457,11 @@ var google = ({
     }
   };
 };
-
-// src/social-providers/spotify.ts
-import { betterFetch as betterFetch5 } from "@better-fetch/fetch";
-import { Spotify } from "arctic";
-var spotify = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var spotify = (options) => {
   const spotifyArctic = new Spotify(
-    clientId,
-    clientSecret,
-    getRedirectURI("spotify", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("spotify", options.redirectURI)
   );
   return {
     id: "spotify",
@@ -508,14 +470,22 @@ var spotify = ({
       const _scopes = scopes || ["user-read-email"];
       return spotifyArctic.createAuthorizationURL(state, _scopes);
     },
-    validateAuthorizationCode: spotifyArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("spotify", options.redirectURI),
+        options,
+        tokenEndpoint: "https://accounts.spotify.com/api/token"
+      });
+    },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch5(
+      const { data: profile, error: error2 } = await betterFetch(
         "https://api.spotify.com/v1/me",
         {
           method: "GET",
           headers: {
-            Authorization: `Bearer ${token.accessToken}`
+            Authorization: `Bearer ${token.accessToken()}`
           }
         }
       );
@@ -535,19 +505,11 @@ var spotify = ({
     }
   };
 };
-
-// src/social-providers/twitch.ts
-import { betterFetch as betterFetch6 } from "@better-fetch/fetch";
-import { Twitch } from "arctic";
-var twitch = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var twitch = (options) => {
   const twitchArctic = new Twitch(
-    clientId,
-    clientSecret,
-    getRedirectURI("twitch", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("twitch", options.redirectURI)
   );
   return {
     id: "twitch",
@@ -556,14 +518,22 @@ var twitch = ({
       const _scopes = scopes || ["activity:write", "read"];
       return twitchArctic.createAuthorizationURL(state, _scopes);
     },
-    validateAuthorizationCode: twitchArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("twitch", options.redirectURI),
+        options,
+        tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+      });
+    },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch6(
+      const { data: profile, error: error2 } = await betterFetch(
         "https://api.twitch.tv/helix/users",
         {
           method: "GET",
           headers: {
-            Authorization: `Bearer ${token.accessToken}`
+            Authorization: `Bearer ${token.accessToken()}`
           }
         }
       );
@@ -583,19 +553,11 @@ var twitch = ({
     }
   };
 };
-
-// src/social-providers/twitter.ts
-import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
-import { Twitter } from "arctic";
-var twitter = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var twitter = (options) => {
   const twitterArctic = new Twitter(
-    clientId,
-    clientSecret,
-    getRedirectURI("twitter", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("twitter", options.redirectURI)
   );
   return {
     id: "twitter",
@@ -608,19 +570,22 @@ var twitter = ({
         _scopes
       );
     },
-    validateAuthorizationCode: async (code, codeVerifier) => {
-      if (!codeVerifier) {
-        throw new BetterAuthError("codeVerifier is required for Twitter");
-      }
-      return twitterArctic.validateAuthorizationCode(code, codeVerifier);
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("twitch", options.redirectURI),
+        options,
+        tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+      });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch7(
+      const { data: profile, error: error2 } = await betterFetch(
         "https://api.x.com/2/users/me?user.fields=profile_image_url",
         {
           method: "GET",
           headers: {
-            Authorization: `Bearer ${token.accessToken}`
+            Authorization: `Bearer ${token.accessToken()}`
           }
         }
       );
@@ -644,9 +609,6 @@ var twitter = ({
   };
 };
 
-// src/types/provider.ts
-import "arctic";
-
 // src/social-providers/index.ts
 var oAuthProviders = {
   apple,
@@ -659,17 +621,151 @@ var oAuthProviders = {
   twitter
 };
 var oAuthProviderList = Object.keys(oAuthProviders);
-
-// src/utils/state.ts
-import { generateState as generateStateOAuth } from "oslo/oauth2";
-function generateState(callbackURL, currentURL) {
-  const code = generateStateOAuth();
-  const state = `${code}!${callbackURL}!${currentURL}`;
+function generateState(callbackURL, currentURL, dontRememberMe) {
+  const code = generateState$1();
+  const state = JSON.stringify({
+    code,
+    callbackURL,
+    currentURL,
+    dontRememberMe
+  });
   return { state, code };
 }
 function parseState(state) {
-  const [code, callbackURL, currentURL] = state.split("!");
-  return { code, callbackURL, currentURL };
+  const data = z.object({
+    code: z.string(),
+    callbackURL: z.string().optional(),
+    currentURL: z.string().optional(),
+    dontRememberMe: z.boolean().optional()
+  }).safeParse(JSON.parse(state));
+  return data;
+}
+
+// src/utils/date.ts
+var getDate = (span, isSeconds = false) => {
+  const date = /* @__PURE__ */ new Date();
+  return new Date(date.getTime() + (isSeconds ? span * 1e3 : span));
+};
+function getCookies(options) {
+  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV === "production";
+  const secureCookiePrefix = secure ? "__Secure-" : "";
+  const cookiePrefix = "better-auth";
+  const sessionMaxAge = new TimeSpan(7, "d").seconds();
+  return {
+    sessionToken: {
+      name: `${secureCookiePrefix}${cookiePrefix}.session_token`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure,
+        maxAge: sessionMaxAge
+      }
+    },
+    csrfToken: {
+      name: `${secureCookiePrefix ? "__Host-" : ""}${cookiePrefix}.csrf_token`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure,
+        maxAge: 60 * 60 * 24 * 7
+      }
+    },
+    state: {
+      name: `${secureCookiePrefix}${cookiePrefix}.state`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure,
+        maxAge: 60 * 15
+        // 15 minutes in seconds
+      }
+    },
+    pkCodeVerifier: {
+      name: `${secureCookiePrefix}${cookiePrefix}.pk_code_verifier`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure,
+        maxAge: 60 * 15
+        // 15 minutes in seconds
+      }
+    },
+    dontRememberToken: {
+      name: `${secureCookiePrefix}${cookiePrefix}.dont_remember`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure
+        //no max age so it expires when the browser closes
+      }
+    },
+    nonce: {
+      name: `${secureCookiePrefix}${cookiePrefix}.nonce`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure,
+        maxAge: 60 * 15
+        // 15 minutes in seconds
+      }
+    }
+  };
+}
+function createCookieGetter(options) {
+  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV === "production";
+  const secureCookiePrefix = secure ? "__Secure-" : "";
+  const cookiePrefix = "better-auth";
+  function getCookie(cookieName, options2) {
+    return {
+      name: process.env.NODE_ENV === "production" ? `${secureCookiePrefix}${cookiePrefix}.${cookieName}` : `${cookiePrefix}.${cookieName}`,
+      options: {
+        secure,
+        sameSite: "lax",
+        path: "/",
+        maxAge: 60 * 15,
+        // 15 minutes in seconds
+        ...options2
+      }
+    };
+  }
+  return getCookie;
+}
+async function setSessionCookie(ctx, sessionToken, dontRememberMe, overrides) {
+  await ctx.setSignedCookie(
+    ctx.context.authCookies.sessionToken.name,
+    sessionToken,
+    ctx.context.secret,
+    dontRememberMe ? {
+      ...ctx.context.authCookies.sessionToken.options,
+      maxAge: void 0,
+      ...overrides
+    } : {
+      ...ctx.context.authCookies.sessionToken.options,
+      ...overrides
+    }
+  );
+  if (dontRememberMe) {
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.dontRememberToken.name,
+      "true",
+      ctx.context.secret,
+      ctx.context.authCookies.dontRememberToken.options
+    );
+  }
+}
+function deleteSessionCookie(ctx) {
+  ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
+    maxAge: 0
+  });
+  ctx.setCookie(ctx.context.authCookies.dontRememberToken.name, "", {
+    maxAge: 0
+  });
 }
 
 // src/api/routes/session.ts
@@ -680,45 +776,62 @@ var getSession = createAuthEndpoint(
     requireHeaders: true
   },
   async (ctx) => {
-    const sessionCookieToken = await ctx.getSignedCookie(
-      ctx.context.authCookies.sessionToken.name,
-      ctx.context.secret
-    );
-    if (!sessionCookieToken) {
-      return ctx.json(null, {
-        status: 401
-      });
-    }
-    const session = await ctx.context.internalAdapter.findSession(sessionCookieToken);
-    if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
-      ctx.setSignedCookie(
+    try {
+      const sessionCookieToken = await ctx.getSignedCookie(
         ctx.context.authCookies.sessionToken.name,
-        "",
-        ctx.context.secret,
-        {
-          maxAge: 0
+        ctx.context.secret
+      );
+      if (!sessionCookieToken) {
+        return ctx.json(null, {
+          status: 401
+        });
+      }
+      const session = await ctx.context.internalAdapter.findSession(sessionCookieToken);
+      if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
+        deleteSessionCookie(ctx);
+        if (session) {
+          await ctx.context.internalAdapter.deleteSession(session.session.id);
         }
+        return ctx.json(null, {
+          status: 401
+        });
+      }
+      const dontRememberMe = await ctx.getSignedCookie(
+        ctx.context.authCookies.dontRememberToken.name,
+        ctx.context.secret
       );
-      return ctx.json(null, {
-        status: 401
-      });
-    }
-    const updatedSession = await ctx.context.internalAdapter.updateSession(
-      session.session
-    );
-    await ctx.setSignedCookie(
-      ctx.context.authCookies.sessionToken.name,
-      updatedSession.id,
-      ctx.context.secret,
-      {
-        ...ctx.context.authCookies.sessionToken.options,
-        maxAge: updatedSession.expiresAt.valueOf() - Date.now()
+      if (dontRememberMe) {
+        return ctx.json(session);
       }
-    );
-    return ctx.json({
-      session: updatedSession,
-      user: session.user
-    });
+      const expiresIn = ctx.context.session.expiresIn;
+      const updateAge = ctx.context.session.updateAge;
+      const sessionIsDueToBeUpdatedDate = session.session.expiresAt.valueOf() - expiresIn * 1e3 + updateAge * 1e3;
+      const shouldBeUpdated = sessionIsDueToBeUpdatedDate <= Date.now();
+      if (shouldBeUpdated) {
+        const updatedSession = await ctx.context.internalAdapter.updateSession(
+          session.session.id,
+          {
+            expiresAt: getDate(ctx.context.session.expiresIn, true)
+          }
+        );
+        if (!updatedSession) {
+          deleteSessionCookie(ctx);
+          return ctx.json(null, { status: 401 });
+        }
+        const maxAge = (updatedSession.expiresAt.valueOf() - Date.now()) / 1e3;
+        await setSessionCookie(ctx, updatedSession.id, false, {
+          maxAge
+        });
+        return ctx.json({
+          session: updatedSession,
+          user: session.user
+        });
+      }
+      return ctx.json(session);
+    } catch (error2) {
+      ctx.context.logger.error(error2);
+      return ctx.json(null, { status: 500 });
+    }
   }
 );
 var getSessionFromCtx = async (ctx) => {
@@ -736,22 +849,26 @@ var signInOAuth = createAuthEndpoint(
   {
     method: "POST",
     requireHeaders: true,
-    query: z3.object({
+    query: z.object({
       /**
        * Redirect to the current URL after the
        * user has signed in.
        */
-      currentURL: z3.string().optional()
+      currentURL: z.string().optional()
     }).optional(),
-    body: z3.object({
+    body: z.object({
       /**
        * Callback URL to redirect to after the user has signed in.
        */
-      callbackURL: z3.string().optional(),
+      callbackURL: z.string().optional(),
       /**
        * OAuth2 provider to use`
        */
-      provider: z3.enum(oAuthProviderList)
+      provider: z.enum(oAuthProviderList),
+      /**
+       * If this is true the session will only be valid for the current browser session
+       */
+      dontRememberMe: z.boolean().default(false).optional()
     })
   },
   async (c) => {
@@ -765,7 +882,9 @@ var signInOAuth = createAuthEndpoint(
           provider: c.body.provider
         }
       );
-      throw new APIError2("NOT_FOUND");
+      throw new APIError("NOT_FOUND", {
+        message: "Provider not found"
+      });
     }
     const cookie = c.context.authCookies;
     const currentURL = c.query?.currentURL ? new URL(c.query?.currentURL) : null;
@@ -791,6 +910,10 @@ var signInOAuth = createAuthEndpoint(
         state: state.state,
         codeVerifier
       });
+      url.searchParams.set(
+        "redirect_uri",
+        `${c.context.baseURL}/callback/${c.body.provider}`
+      );
       return {
         url: url.toString(),
         state: state.state,
@@ -798,7 +921,7 @@ var signInOAuth = createAuthEndpoint(
         redirect: true
       };
     } catch (e) {
-      throw new APIError2("INTERNAL_SERVER_ERROR");
+      throw new APIError("INTERNAL_SERVER_ERROR");
     }
   }
 );
@@ -806,40 +929,42 @@ var signInEmail = createAuthEndpoint(
   "/sign-in/email",
   {
     method: "POST",
-    body: z3.object({
-      email: z3.string().email(),
-      password: z3.string(),
-      callbackURL: z3.string().optional(),
+    body: z.object({
+      email: z.string().email(),
+      password: z.string(),
+      callbackURL: z.string().optional(),
       /**
        * If this is true the session will only be valid for the current browser session
        * @default false
        */
-      dontRememberMe: z3.boolean().default(false).optional()
+      dontRememberMe: z.boolean().default(false).optional()
     })
   },
   async (ctx) => {
     if (!ctx.context.options?.emailAndPassword?.enabled) {
       ctx.context.logger.error("Email and password is not enabled");
-      throw new APIError2("BAD_REQUEST", {
+      throw new APIError("BAD_REQUEST", {
         message: "Email and password is not enabled"
       });
     }
     const currentSession = await getSessionFromCtx(ctx);
     if (currentSession) {
-      return ctx.json({
-        user: currentSession.user,
-        session: currentSession.session,
-        redirect: !!ctx.body.callbackURL,
-        url: ctx.body.callbackURL
-      });
+      await ctx.context.internalAdapter.deleteSession(
+        currentSession.session.id
+      );
     }
     const { email, password } = ctx.body;
-    const argon2id = new Argon2id();
+    const checkEmail = z.string().email().safeParse(email);
+    if (!checkEmail.success) {
+      throw new APIError("BAD_REQUEST", {
+        message: "Invalid email"
+      });
+    }
     const user = await ctx.context.internalAdapter.findUserByEmail(email);
     if (!user) {
-      await argon2id.hash(password);
+      await ctx.context.password.hash(password);
       ctx.context.logger.error("User not found", { email });
-      throw new APIError2("UNAUTHORIZED", {
+      throw new APIError("UNAUTHORIZED", {
         message: "Invalid email or password"
       });
     }
@@ -848,37 +973,33 @@ var signInEmail = createAuthEndpoint(
     );
     if (!credentialAccount) {
       ctx.context.logger.error("Credential account not found", { email });
-      throw new APIError2("UNAUTHORIZED", {
+      throw new APIError("UNAUTHORIZED", {
         message: "Invalid email or password"
       });
     }
     const currentPassword = credentialAccount?.password;
     if (!currentPassword) {
       ctx.context.logger.error("Password not found", { email });
-      throw new APIError2("UNAUTHORIZED", {
+      throw new APIError("UNAUTHORIZED", {
         message: "Unexpected error"
       });
     }
-    const validPassword = await argon2id.verify(currentPassword, password);
+    const validPassword = await ctx.context.password.verify(
+      currentPassword,
+      password
+    );
     if (!validPassword) {
       ctx.context.logger.error("Invalid password");
-      throw new APIError2("UNAUTHORIZED", {
+      throw new APIError("UNAUTHORIZED", {
         message: "Invalid email or password"
       });
     }
     const session = await ctx.context.internalAdapter.createSession(
       user.user.id,
-      ctx.request
-    );
-    await ctx.setSignedCookie(
-      ctx.context.authCookies.sessionToken.name,
-      session.id,
-      ctx.context.secret,
-      ctx.body.dontRememberMe ? {
-        ...ctx.context.authCookies.sessionToken.options,
-        maxAge: void 0
-      } : ctx.context.authCookies.sessionToken.options
+      ctx.request,
+      ctx.body.dontRememberMe
     );
+    await setSessionCookie(ctx, session.id, ctx.body.dontRememberMe);
     return ctx.json({
       user: user.user,
       session,
@@ -887,31 +1008,80 @@ var signInEmail = createAuthEndpoint(
     });
   }
 );
-
-// src/api/routes/callback.ts
-import { APIError as APIError3 } from "better-call";
-import { z as z4 } from "zod";
+z.object({
+  id: z.string(),
+  providerId: z.string(),
+  accountId: z.string(),
+  userId: z.string(),
+  accessToken: z.string().nullable().optional(),
+  refreshToken: z.string().nullable().optional(),
+  idToken: z.string().nullable().optional(),
+  accessTokenExpiresAt: z.date().nullable().optional(),
+  refreshTokenExpiresAt: z.date().nullable().optional(),
+  /**
+   * Password is only stored in the credential provider
+   */
+  password: z.string().optional().nullable()
+});
+var userSchema = z.object({
+  id: z.string(),
+  email: z.string().transform((val) => val.toLowerCase()),
+  emailVerified: z.boolean().default(false),
+  name: z.string(),
+  image: z.string().optional(),
+  createdAt: z.date().default(/* @__PURE__ */ new Date()),
+  updatedAt: z.date().default(/* @__PURE__ */ new Date())
+});
+z.object({
+  id: z.string(),
+  userId: z.string(),
+  expiresAt: z.date(),
+  ipAddress: z.string().optional(),
+  userAgent: z.string().optional()
+});
+var generateId = () => {
+  return generateRandomString(36, alphabet("a-z", "0-9"));
+};
 
 // src/client/client-utils.ts
 var HIDE_ON_CLIENT_METADATA = {
   onClient: "hide"
 };
 
-// src/utils/id.ts
-import { alphabet, generateRandomString } from "oslo/crypto";
-var generateId = () => {
-  return generateRandomString(36, alphabet("a-z", "0-9"));
-};
-
+// src/utils/getAccount.ts
+function getAccountTokens(tokens) {
+  const accessToken = tokens.accessToken();
+  let refreshToken = void 0;
+  try {
+    refreshToken = tokens.refreshToken();
+  } catch {
+  }
+  let accessTokenExpiresAt = void 0;
+  let refreshTokenExpiresAt = void 0;
+  try {
+    accessTokenExpiresAt = tokens.accessTokenExpiresAt();
+  } catch {
+  }
+  try {
+    refreshTokenExpiresAt = tokens.refreshTokenExpiresAt();
+  } catch {
+  }
+  return {
+    accessToken,
+    refreshToken,
+    accessTokenExpiresAt,
+    refreshTokenExpiresAt
+  };
+}
+
 // src/api/routes/callback.ts
 var callbackOAuth = createAuthEndpoint(
   "/callback/:id",
   {
     method: "GET",
-    query: z4.object({
-      state: z4.string(),
-      code: z4.string(),
-      code_verifier: z4.string().optional()
+    query: z.object({
+      state: z.string(),
+      code: z.string()
     }),
     metadata: HIDE_ON_CLIENT_METADATA
   },
@@ -925,15 +1095,20 @@ var callbackOAuth = createAuthEndpoint(
         c.params.id,
         "not found"
       );
-      throw new APIError3("NOT_FOUND");
+      throw new APIError("NOT_FOUND");
     }
+    const codeVerifier = await c.getSignedCookie(
+      c.context.authCookies.pkCodeVerifier.name,
+      c.context.secret
+    );
     const tokens = await provider.validateAuthorizationCode(
       c.query.code,
-      c.query.code_verifier || ""
+      codeVerifier,
+      `${c.context.baseURL}/callback/${provider.id}`
     );
     if (!tokens) {
       c.context.logger.error("Code verification failed");
-      throw new APIError3("UNAUTHORIZED");
+      throw new APIError("UNAUTHORIZED");
     }
     const user = await provider.getUserInfo(tokens).then((res) => res?.user);
     const id = generateId();
@@ -941,17 +1116,24 @@ var callbackOAuth = createAuthEndpoint(
       ...user,
       id
     });
-    const { callbackURL, currentURL } = parseState(c.query.state);
+    const parsedState = parseState(c.query.state);
+    if (!parsedState.success) {
+      c.context.logger.error("Unable to parse state");
+      throw new APIError("BAD_REQUEST", {
+        message: "invalid state"
+      });
+    }
+    const { callbackURL, currentURL, dontRememberMe } = parsedState.data;
     if (!user || data.success === false) {
       if (currentURL) {
         throw c.redirect(`${currentURL}?error=oauth_validation_failed`);
       } else {
-        throw new APIError3("BAD_REQUEST");
+        throw new APIError("BAD_REQUEST");
       }
     }
     if (!callbackURL) {
       c.context.logger.error("Callback URL not found");
-      throw new APIError3("FORBIDDEN");
+      throw new APIError("FORBIDDEN");
     }
     const dbUser = await c.context.internalAdapter.findUserByEmail(user.email);
     const userId = dbUser?.user.id;
@@ -971,13 +1153,13 @@ var callbackOAuth = createAuthEndpoint(
           accountId: user.id,
           id: `${provider.id}:${user.id}`,
           userId: dbUser.user.id,
-          ...tokens
+          ...getAccountTokens(tokens)
         });
       }
     } else {
       try {
         await c.context.internalAdapter.createOAuthUser(data.data, {
-          ...tokens,
+          ...getAccountTokens(tokens),
           id: `${provider.id}:${user.id}`,
           providerId: provider.id,
           accountId: user.id,
@@ -991,20 +1173,16 @@ var callbackOAuth = createAuthEndpoint(
       }
     }
     if (!userId && !id)
-      throw new APIError3("INTERNAL_SERVER_ERROR", {
+      throw new APIError("INTERNAL_SERVER_ERROR", {
         message: "Unable to create user"
       });
     const session = await c.context.internalAdapter.createSession(
       userId || id,
-      c.request
+      c.request,
+      dontRememberMe
     );
     try {
-      await c.setSignedCookie(
-        c.context.authCookies.sessionToken.name,
-        session.id,
-        c.context.secret,
-        c.context.authCookies.sessionToken.options
-      );
+      await setSessionCookie(c, session.id, dontRememberMe);
     } catch (e) {
       c.context.logger.error("Unable to set session cookie", e);
       const url = new URL(currentURL || callbackURL);
@@ -1014,15 +1192,12 @@ var callbackOAuth = createAuthEndpoint(
     throw c.redirect(callbackURL);
   }
 );
-
-// src/api/routes/sign-out.ts
-import { z as z5 } from "zod";
 var signOut = createAuthEndpoint(
   "/sign-out",
   {
     method: "POST",
-    body: z5.object({
-      callbackURL: z5.string().optional()
+    body: z.object({
+      callbackURL: z.string().optional()
     }).optional()
   },
   async (ctx) => {
@@ -1034,9 +1209,7 @@ var signOut = createAuthEndpoint(
       return ctx.json(null);
     }
     await ctx.context.internalAdapter.deleteSession(sessionCookieToken);
-    ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
-      maxAge: 0
-    });
+    deleteSessionCookie(ctx);
     return ctx.json(null, {
       body: {
         redirect: !!ctx.body?.callbackURL,
@@ -1045,22 +1218,15 @@ var signOut = createAuthEndpoint(
     });
   }
 );
-
-// src/api/routes/forget-password.ts
-import { TimeSpan } from "oslo";
-import { createJWT } from "oslo/jwt";
-import { validateJWT } from "oslo/jwt";
-import { Argon2id as Argon2id2 } from "oslo/password";
-import { z as z6 } from "zod";
 var forgetPassword = createAuthEndpoint(
   "/forget-password",
   {
     method: "POST",
-    body: z6.object({
+    body: z.object({
       /**
        * The email address of the user to send a password reset email to.
        */
-      email: z6.string().email()
+      email: z.string().email()
     })
   },
   async (ctx) => {
@@ -1119,10 +1285,10 @@ var resetPassword = createAuthEndpoint(
   "/reset-password",
   {
     method: "POST",
-    body: z6.object({
-      token: z6.string(),
-      newPassword: z6.string(),
-      callbackURL: z6.string().optional()
+    body: z.object({
+      token: z.string(),
+      newPassword: z.string(),
+      callbackURL: z.string().optional()
     })
   },
   async (ctx) => {
@@ -1133,7 +1299,7 @@ var resetPassword = createAuthEndpoint(
         Buffer.from(ctx.context.secret),
         token
       );
-      const email = z6.string().email().parse(jwt.payload.email);
+      const email = z.string().email().parse(jwt.payload.email);
       const user = await ctx.context.internalAdapter.findUserByEmail(email);
       if (!user) {
         return ctx.json(null, {
@@ -1153,8 +1319,7 @@ var resetPassword = createAuthEndpoint(
           }
         });
       }
-      const argon2id = new Argon2id2();
-      const hashedPassword = await argon2id.hash(newPassword);
+      const hashedPassword = await ctx.context.password.hash(newPassword);
       const updatedUser = await ctx.context.internalAdapter.updatePassword(
         user.user.id,
         hashedPassword
@@ -1185,18 +1350,30 @@ var resetPassword = createAuthEndpoint(
     }
   }
 );
-
-// src/api/routes/verify-email.ts
-import { TimeSpan as TimeSpan2 } from "oslo";
-import { createJWT as createJWT2, validateJWT as validateJWT2 } from "oslo/jwt";
-import { z as z7 } from "zod";
+async function createEmailVerificationToken(secret, email) {
+  const token = await createJWT(
+    "HS256",
+    Buffer.from(secret),
+    {
+      email: email.toLowerCase()
+    },
+    {
+      expiresIn: new TimeSpan(1, "h"),
+      issuer: "better-auth",
+      subject: "verify-email",
+      audiences: [email],
+      includeIssuedTimestamp: true
+    }
+  );
+  return token;
+}
 var sendVerificationEmail = createAuthEndpoint(
   "/send-verification-email",
   {
     method: "POST",
-    body: z7.object({
-      email: z7.string().email(),
-      callbackURL: z7.string().optional()
+    body: z.object({
+      email: z.string().email(),
+      callbackURL: z.string().optional()
     })
   },
   async (ctx) => {
@@ -1210,24 +1387,12 @@ var sendVerificationEmail = createAuthEndpoint(
       });
     }
     const { email } = ctx.body;
-    const token = await createJWT2(
-      "HS256",
-      Buffer.from(ctx.context.secret),
-      {
-        email: email.toLowerCase()
-      },
-      {
-        expiresIn: new TimeSpan2(1, "h"),
-        issuer: "better-auth",
-        subject: "verify-email",
-        audiences: [email],
-        includeIssuedTimestamp: true
-      }
-    );
+    const token = await createEmailVerificationToken(ctx.context.secret, email);
     const url = `${ctx.context.baseURL}/verify-email?token=${token}?callbackURL=${ctx.body.callbackURL}`;
     await ctx.context.options.emailAndPassword.sendVerificationEmail(
       email,
-      url
+      url,
+      token
     );
     return ctx.json({
       status: true
@@ -1238,55 +1403,18 @@ var verifyEmail = createAuthEndpoint(
   "/verify-email",
   {
     method: "GET",
-    query: z7.object({
-      token: z7.string(),
-      callbackURL: z7.string()
+    query: z.object({
+      token: z.string(),
+      callbackURL: z.string().optional()
     })
   },
   async (ctx) => {
     const { token } = ctx.query;
+    let jwt;
     try {
-      const jwt = await validateJWT2(
-        "HS256",
-        Buffer.from(ctx.context.secret),
-        token
-      );
-      const schema = z7.object({
-        email: z7.string().email()
-      });
-      const parsed = schema.parse(jwt.payload);
-      const user = await ctx.context.internalAdapter.findUserByEmail(
-        parsed.email
-      );
-      if (!user) {
-        return ctx.json(null, {
-          status: 400,
-          statusText: "USER_NOT_FOUND",
-          body: {
-            message: "User not found"
-          }
-        });
-      }
-      const account = user.accounts.find((a) => a.providerId === "credential");
-      if (!account) {
-        return ctx.json(null, {
-          status: 400,
-          statusText: "ACCOUNT_NOT_FOUND",
-          body: {
-            message: "Account not found"
-          }
-        });
-      }
-      await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
-        emailVerified: true
-      });
-      if (ctx.query.callbackURL) {
-        throw ctx.redirect(ctx.query.callbackURL);
-      }
-      return ctx.json({
-        status: true
-      });
+      jwt = await validateJWT("HS256", Buffer.from(ctx.context.secret), token);
     } catch (e) {
+      ctx.context.logger.error("Failed to verify email", e);
       return ctx.json(null, {
         status: 400,
         statusText: "INVALID_TOKEN",
@@ -1295,11 +1423,43 @@ var verifyEmail = createAuthEndpoint(
         }
       });
     }
+    const schema = z.object({
+      email: z.string().email()
+    });
+    const parsed = schema.parse(jwt.payload);
+    const user = await ctx.context.internalAdapter.findUserByEmail(
+      parsed.email
+    );
+    if (!user) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "USER_NOT_FOUND",
+        body: {
+          message: "User not found"
+        }
+      });
+    }
+    const account = user.accounts.find((a) => a.providerId === "credential");
+    if (!account) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "ACCOUNT_NOT_FOUND",
+        body: {
+          message: "Account not found"
+        }
+      });
+    }
+    await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
+      emailVerified: true
+    });
+    if (ctx.query.callbackURL) {
+      throw ctx.redirect(ctx.query.callbackURL);
+    }
+    return ctx.json({
+      status: true
+    });
   }
 );
-
-// src/api/routes/csrf.ts
-import { alphabet as alphabet2, generateRandomString as generateRandomString2 } from "oslo/crypto";
 var getCSRFToken = createAuthEndpoint(
   "/csrf",
   {
@@ -1316,9 +1476,9 @@ var getCSRFToken = createAuthEndpoint(
         csrfToken
       };
     }
-    const token = generateRandomString2(32, alphabet2("a-z", "0-9", "A-Z"));
-    const hash = await hs256(ctx.context.secret, token);
-    const cookie = `${token}!${hash}`;
+    const token = generateRandomString(32, alphabet("a-z", "0-9", "A-Z"));
+    const hash2 = await hs256(ctx.context.secret, token);
+    const cookie = `${token}!${hash2}`;
     await ctx.setSignedCookie(
       ctx.context.authCookies.csrfToken.name,
       cookie,
@@ -1335,7 +1495,8 @@ var getCSRFToken = createAuthEndpoint(
 var ok = createAuthEndpoint(
   "/ok",
   {
-    method: "GET"
+    method: "GET",
+    metadata: HIDE_ON_CLIENT_METADATA
   },
   async (ctx) => {
     return ctx.json({
@@ -1346,27 +1507,23 @@ var ok = createAuthEndpoint(
 var welcome = createAuthEndpoint(
   "/welcome/ok",
   {
-    method: "GET"
+    method: "GET",
+    metadata: HIDE_ON_CLIENT_METADATA
   },
   async () => {
     return new Response("Welcome to Better Auth");
   }
 );
-
-// src/api/routes/sign-up.ts
-import { alphabet as alphabet3, generateRandomString as generateRandomString3 } from "oslo/crypto";
-import { Argon2id as Argon2id3 } from "oslo/password";
-import { z as z8 } from "zod";
 var signUpEmail = createAuthEndpoint(
   "/sign-up/email",
   {
     method: "POST",
-    body: z8.object({
-      name: z8.string(),
-      email: z8.string().email(),
-      password: z8.string(),
-      image: z8.string().optional(),
-      callbackURL: z8.string().optional()
+    body: z.object({
+      name: z.string(),
+      email: z.string().email(),
+      password: z.string(),
+      image: z.string().optional(),
+      callbackURL: z.string().optional()
     })
   },
   async (ctx) => {
@@ -1387,9 +1544,8 @@ var signUpEmail = createAuthEndpoint(
         body: { message: "Password is too short" }
       });
     }
-    const argon2id = new Argon2id3();
     const dbUser = await ctx.context.internalAdapter.findUserByEmail(email);
-    const hash = await argon2id.hash(password);
+    const hash2 = await ctx.context.password.hash(password);
     if (dbUser?.user) {
       return ctx.json(null, {
         status: 400,
@@ -1399,7 +1555,7 @@ var signUpEmail = createAuthEndpoint(
       });
     }
     const createdUser = await ctx.context.internalAdapter.createUser({
-      id: generateRandomString3(32, alphabet3("a-z", "0-9", "A-Z")),
+      id: generateRandomString(32, alphabet("a-z", "0-9", "A-Z")),
       email: email.toLowerCase(),
       name,
       image,
@@ -1408,11 +1564,11 @@ var signUpEmail = createAuthEndpoint(
       updatedAt: /* @__PURE__ */ new Date()
     });
     await ctx.context.internalAdapter.linkAccount({
-      id: generateRandomString3(32, alphabet3("a-z", "0-9", "A-Z")),
+      id: generateRandomString(32, alphabet("a-z", "0-9", "A-Z")),
       userId: createdUser.id,
       providerId: "credential",
       accountId: createdUser.id,
-      password: hash
+      password: hash2
     });
     const session = await ctx.context.internalAdapter.createSession(
       createdUser.id,
@@ -1424,6 +1580,18 @@ var signUpEmail = createAuthEndpoint(
       ctx.context.secret,
       ctx.context.authCookies.sessionToken.options
     );
+    if (ctx.context.options.emailAndPassword.sendEmailVerificationOnSignUp) {
+      const token = await createEmailVerificationToken(
+        ctx.context.secret,
+        createdUser.email
+      );
+      const url = `${ctx.context.baseURL}/verify-email?token=${token}?callbackURL=${ctx.body.callbackURL}`;
+      await ctx.context.options.emailAndPassword.sendVerificationEmail?.(
+        createdUser.email,
+        url,
+        token
+      );
+    }
     return ctx.json(
       {
         user: createdUser,
@@ -1527,7 +1695,8 @@ var html = (errorCode = "Unknown") => `<!DOCTYPE html>
 var error = createAuthEndpoint(
   "/error",
   {
-    method: "GET"
+    method: "GET",
+    metadata: HIDE_ON_CLIENT_METADATA
   },
   async (c) => {
     const query = new URL(c.request?.url || "").searchParams.get("error") || "Unknown";
@@ -1540,7 +1709,7 @@ var error = createAuthEndpoint(
 );
 
 // src/api/index.ts
-var router = (ctx) => {
+function getEndpoints(ctx, options) {
   const pluginEndpoints = ctx.options.plugins?.reduce(
     (acc, plugin) => {
       return {
@@ -1621,7 +1790,7 @@ var router = (ctx) => {
           }
         }
       }
-      const endpointRes = value({
+      const endpointRes = await value({
         ...context,
         context: {
           ...ctx,
@@ -1635,7 +1804,10 @@ var router = (ctx) => {
             const match = hook.matcher(context);
             if (match) {
               const obj = Object.assign(context, {
-                returned: endpointRes
+                context: {
+                  ...ctx,
+                  returned: response
+                }
               });
               const hookRes = await hook.handler(obj);
               if (hookRes && "response" in hookRes) {
@@ -1652,9 +1824,17 @@ var router = (ctx) => {
     api[key].options = value.options;
     api[key].headers = value.headers;
   }
+  return {
+    api,
+    middlewares
+  };
+}
+var router = (ctx, _options) => {
+  const { api, middlewares } = getEndpoints(ctx);
+  const basePath = new URL(ctx.baseURL).pathname;
   return createRouter(api, {
     extraContext: ctx,
-    basePath: ctx.options.basePath,
+    basePath,
     routerMiddleware: [
       {
         path: "/**",
@@ -1662,47 +1842,15 @@ var router = (ctx) => {
       },
       ...middlewares
     ],
-    /**
-     * this is to remove any sensitive data from the response
-     */
-    async transformResponse(res) {
-      let body = {};
-      try {
-        body = await res.json();
-      } catch (e) {
-        return res;
-      }
-      if (body?.user) {
-        body.user = parseUser(ctx.options, body.user);
-      }
-      if (body?.session) {
-        body.session = parseSession(ctx.options, body.session);
-      }
-      if (body?.account) {
-        body.account = parseAccount(ctx.options, body.account);
-      }
-      return new Response(body ? JSON.stringify(body) : null, {
-        headers: res.headers,
-        status: res.status,
-        statusText: res.statusText
-      });
-    },
     onError(e) {
-      console.log(e);
+      if (e instanceof APIError) {
+        if (e.status === "INTERNAL_SERVER_ERROR") {
+          logger.error(e);
+        }
+      }
     }
   });
 };
-
-// src/adapters/kysely.ts
-import Database from "better-sqlite3";
-import { Kysely } from "kysely";
-import {
-  MysqlDialect,
-  PostgresDialect,
-  SqliteDialect
-} from "kysely";
-import { createPool } from "mysql2";
-import pg from "pg";
 var { Pool } = pg;
 function convertWhere(w) {
   if (!w)
@@ -1842,7 +1990,7 @@ var kyselyAdapter = (db, config) => {
       if (or) {
         query = query.where((eb) => eb.or(or));
       }
-      const res = await query.returningAll().executeTakeFirst();
+      const res = await query.returningAll().executeTakeFirst() || null;
       if (config?.transform) {
         const schema = config.transform.schema[model];
         return schema ? transformTo(res, schema, config.transform) : res;
@@ -1867,10 +2015,13 @@ var getDialect = (config) => {
   if (!config.database) {
     return null;
   }
+  if (config.database instanceof MysqlDialect || config.database instanceof PostgresDialect || config.database instanceof SqliteDialect) {
+    return config.database;
+  }
   let dialect = null;
   if ("provider" in config.database) {
     const provider = config.database.provider;
-    const connectionString = config.database.url.trim();
+    const connectionString = config.database?.url?.trim();
     if (provider === "postgres") {
       const pool = new Pool({
         connectionString
@@ -2040,37 +2191,25 @@ function getAdapter(options) {
   if (!options.database) {
     throw new BetterAuthError("Database configuration is required");
   }
-  if ("provider" in options.database) {
-    const db = createKyselyAdapter(options);
-    if (!db) {
-      throw new BetterAuthError("Failed to initialize database adapter");
-    }
-    const tables = getAuthTables(options);
-    return kyselyAdapter(db, {
-      transform: {
-        schema: {
-          [tables.user.tableName]: tables.user.fields,
-          [tables.session.tableName]: tables.session.fields,
-          [tables.account.tableName]: tables.account.fields
-        },
-        date: true,
-        boolean: getDatabaseType(options) === "sqlite"
-      }
-    });
+  const db = createKyselyAdapter(options);
+  if (!db) {
+    throw new BetterAuthError("Failed to initialize database adapter");
   }
-  return options.database;
+  const tables = getAuthTables(options);
+  return kyselyAdapter(db, {
+    transform: {
+      schema: {
+        [tables.user.tableName]: tables.user.fields,
+        [tables.session.tableName]: tables.session.fields,
+        [tables.account.tableName]: tables.account.fields
+      },
+      date: true,
+      boolean: getDatabaseType(options) === "sqlite"
+    }
+  });
 }
-
-// src/adapters/internal-adapter.ts
-import { alphabet as alphabet4, generateRandomString as generateRandomString4 } from "oslo/crypto";
-
-// src/utils/date.ts
-var getDate = (span) => {
-  const date = /* @__PURE__ */ new Date();
-  return new Date(date.getTime() + span);
-};
-
-// src/adapters/internal-adapter.ts
+var hashPassword = argon2.hash;
+var verifyPassword = argon2.verify;
 var createInternalAdapter = (adapter, options) => {
   const sessionExpiration = options.session?.expiresIn || 60 * 60 * 24 * 7;
   const tables = getAuthTables(options);
@@ -2101,11 +2240,16 @@ var createInternalAdapter = (adapter, options) => {
       });
       return createdUser;
     },
-    createSession: async (userId, request) => {
+    createSession: async (userId, request, dontRememberMe) => {
       const data = {
-        id: generateRandomString4(32, alphabet4("a-z", "0-9", "A-Z")),
+        id: generateRandomString(32, alphabet("a-z", "0-9", "A-Z")),
         userId,
-        expiresAt: getDate(sessionExpiration),
+        /**
+         * If the user doesn't want to be remembered
+         * set the session to expire in 1 day.
+         * The cookie will be set to expire at the end of the session
+         */
+        expiresAt: dontRememberMe ? getDate(1e3 * 60 * 60 * 24) : getDate(sessionExpiration, true),
         ipAddress: request?.headers.get("x-forwarded-for") || "",
         userAgent: request?.headers.get("user-agent") || ""
       };
@@ -2145,39 +2289,18 @@ var createInternalAdapter = (adapter, options) => {
         user
       };
     },
-    updateSession: async (session) => {
-      const updateAge = options.session?.updateAge === void 0 ? 1e3 : options.session?.updateAge;
-      const updateDate = updateAge === 0 ? 0 : getDate(updateAge).valueOf();
-      const maxAge = getDate(sessionExpiration);
-      const shouldBeUpdated = session.expiresAt.valueOf() - maxAge.valueOf() + updateDate <= Date.now();
-      if (shouldBeUpdated) {
-        const updatedSession = await adapter.create({
-          model: tables.session.tableName,
-          data: {
-            ...session,
-            id: generateRandomString4(32, alphabet4("a-z", "0-9", "A-Z")),
-            expiresAt: new Date(Date.now() + sessionExpiration)
-          }
-        });
-        await adapter.update({
-          model: tables.session.tableName,
-          where: [
-            {
-              field: "id",
-              value: session.id
-            }
-          ],
-          update: {
-            /**
-             * update the session to expire in 2 minute. This is to prevent
-             * the session from expiring too quickly and logging the user out.
-             */
-            expiresAt: new Date(Date.now() + 1e3 * 60 * 2)
+    updateSession: async (sessionId, session) => {
+      const updatedSession = await adapter.update({
+        model: tables.session.tableName,
+        where: [
+          {
+            field: "id",
+            value: sessionId
           }
-        });
-        return updatedSession;
-      }
-      return session;
+        ],
+        update: session
+      });
+      return updatedSession;
     },
     deleteSession: async (id) => {
       const session = await adapter.delete({
@@ -2278,144 +2401,37 @@ var createFieldAttribute = (type, config) => {
   };
 };
 
-// src/utils/cookies.ts
-import { TimeSpan as TimeSpan3 } from "oslo";
-function getCookies(options) {
-  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV === "production";
-  const secureCookiePrefix = secure ? "__Secure-" : "";
-  const cookiePrefix = "better-auth";
-  const sessionMaxAge = new TimeSpan3(7, "d").seconds();
-  return {
-    sessionToken: {
-      name: `${secureCookiePrefix}${cookiePrefix}.session_token`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure,
-        maxAge: sessionMaxAge
-      }
-    },
-    csrfToken: {
-      name: `${secureCookiePrefix ? "__Host-" : ""}${cookiePrefix}.csrf_token`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure,
-        maxAge: 60 * 60 * 24 * 7
-      }
-    },
-    state: {
-      name: `${secureCookiePrefix}${cookiePrefix}.state`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure,
-        maxAge: 60 * 15
-        // 15 minutes in seconds
-      }
-    },
-    pkCodeVerifier: {
-      name: `${secureCookiePrefix}${cookiePrefix}.pk_code_verifier`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure,
-        maxAge: 60 * 15
-        // 15 minutes in seconds
-      }
-    },
-    nonce: {
-      name: `${secureCookiePrefix}${cookiePrefix}.nonce`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure,
-        maxAge: 60 * 15
-        // 15 minutes in seconds
-      }
-    }
-  };
-}
-function createCookieGetter(options) {
-  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV === "production";
-  const secureCookiePrefix = secure ? "__Secure-" : "";
-  const cookiePrefix = "better-auth";
-  function getCookie(cookieName, options2) {
-    return {
-      name: process.env.NODE_ENV === "production" ? `${secureCookiePrefix}${cookiePrefix}.${cookieName}` : `${cookiePrefix}.${cookieName}`,
-      options: {
-        secure,
-        sameSite: "lax",
-        path: "/",
-        maxAge: 60 * 15,
-        // 15 minutes in seconds
-        ...options2
-      }
-    };
-  }
-  return getCookie;
-}
-
-// src/utils/logger.ts
-import { createConsola } from "consola";
-var consola = createConsola({
-  formatOptions: {
-    date: false
-  }
-});
-var createLogger = (options) => {
-  return {
-    log: (...args) => {
-      !options?.disabled && consola.log("", ...args);
-    },
-    error: (...args) => {
-      !options?.disabled && consola.error("", ...args);
-    },
-    warn: (...args) => {
-      !options?.disabled && consola.warn("", ...args);
-    },
-    info: (...args) => {
-      !options?.disabled && consola.info("", ...args);
-    },
-    debug: (...args) => {
-      !options?.disabled && consola.debug("", ...args);
-    },
-    box: (...args) => {
-      !options?.disabled && consola.box("", ...args);
-    },
-    success: (...args) => {
-      !options?.disabled && consola.success("", ...args);
-    },
-    break: (...args) => {
-      !options?.disabled && console.log("\n");
-    }
-  };
-};
-var logger = createLogger();
+// src/utils/constants.ts
+var DEFAULT_SECRET = "better-auth-secret-123456789";
 
 // src/init.ts
 var init = (options) => {
   const adapter = getAdapter(options);
   const db = createKyselyAdapter(options);
-  const { baseURL, withPath: withPath2 } = getBaseURL(options.baseURL, options.basePath);
+  const baseURL = getBaseURL(options.baseURL, options.basePath);
   return {
     options: {
       ...options,
-      baseURL,
+      baseURL: baseURL ? new URL(baseURL).origin : "",
       basePath: options.basePath || "/api/auth"
     },
-    baseURL: withPath2,
-    secret: options.secret || process.env.BETTER_AUTH_SECRET || process.env.AUTH_SECRET || "better-auth-secret-123456789",
+    baseURL: baseURL || "",
+    session: {
+      updateAge: options.session?.updateAge || 24 * 60 * 60,
+      // 24 hours
+      expiresIn: options.session?.expiresIn || 60 * 60 * 24 * 7
+      // 7 days
+    },
+    secret: options.secret || process.env.BETTER_AUTH_SECRET || process.env.AUTH_SECRET || DEFAULT_SECRET,
     authCookies: getCookies(options),
     logger: createLogger({
       disabled: options.disableLog
     }),
     db,
+    password: {
+      hash: options.emailAndPassword?.password?.hash || hashPassword,
+      verify: options.emailAndPassword?.password?.verify || verifyPassword
+    },
     adapter,
     internalAdapter: createInternalAdapter(adapter, options),
     createAuthCookie: createCookieGetter(options)
@@ -2425,16 +2441,30 @@ var init = (options) => {
 // src/auth.ts
 var betterAuth = (options) => {
   const authContext = init(options);
-  const { handler, endpoints } = router(authContext);
+  const { api } = getEndpoints(authContext);
   return {
-    handler,
-    api: endpoints,
-    options
+    handler: async (request) => {
+      const basePath = authContext.options.basePath;
+      const url = new URL(request.url);
+      if (!authContext.options.baseURL) {
+        const baseURL = `${url.origin}/api/auth`;
+        authContext.options.baseURL = baseURL;
+        authContext.baseURL = baseURL;
+      }
+      if (!authContext.options.baseURL) {
+        return new Response("Base URL not set", { status: 400 });
+      }
+      if (url.pathname === basePath || url.pathname === `${basePath}/`) {
+        return new Response("Welcome to BetterAuth", { status: 200 });
+      }
+      const { handler } = router(authContext);
+      return handler(request);
+    },
+    api,
+    options: authContext.options
   };
 };
-export {
-  betterAuth,
-  createFieldAttribute,
-  createInternalAdapter
-};
+
+export { betterAuth, createFieldAttribute, createInternalAdapter };
+//# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map