better-auth 0.0.8-beta.2 → 0.0.8-beta.21

package/dist/plugins.js

@@ -1,42 +1,45 @@
+import { createMiddleware, createMiddlewareCreator, createEndpointCreator, APIError, serializeSigned } from 'better-call';
+import { z } from 'zod';
+import { generateCodeVerifier, generateState as generateState$1 } from 'oslo/oauth2';
+import { Discord, Facebook, GitHub, Google, Spotify, Twitch, Twitter } from 'arctic';
+import { createJWT, validateJWT, parseJWT } from 'oslo/jwt';
+import { betterFetch } from '@better-fetch/fetch';
+import { createOAuth2Request, sendTokenRequest } from 'arctic/dist/request';
+import { createConsola } from 'consola';
+import { TimeSpan } from 'oslo';
+import { generateRandomString, alphabet, generateRandomInteger } from 'oslo/crypto';
+import { xchacha20poly1305 } from '@noble/ciphers/chacha';
+import { utf8ToBytes, bytesToHex, hexToBytes } from '@noble/ciphers/utils';
+import { managedNonce } from '@noble/ciphers/webcrypto';
+import { sha256 } from '@noble/hashes/sha256';
+import { generateHOTP, TOTPController, createTOTPKeyURI } from 'oslo/otp';
+import { generateRegistrationOptions, generateAuthenticationOptions, verifyRegistrationResponse, verifyAuthenticationResponse } from '@simplewebauthn/server';
+import { startAuthentication, startRegistration, WebAuthnError } from '@simplewebauthn/browser';
+
 var __defProp = Object.defineProperty;
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
-
-// src/plugins/organization/organization.ts
-import { APIError as APIError5 } from "better-call";
-import {
-  z as z11
-} from "zod";
-
-// src/api/call.ts
-import {
-  createEndpointCreator,
-  createMiddleware,
-  createMiddlewareCreator
-} from "better-call";
 var optionsMiddleware = createMiddleware(async () => {
   return {};
 });
 var createAuthMiddleware = createMiddlewareCreator({
-  use: [optionsMiddleware]
+  use: [
+    optionsMiddleware,
+    /**
+     * This of for hooks. to tell ts there will a
+     * return response object
+     */
+    createMiddleware(async () => {
+      return {};
+    })
+  ]
 });
 var createAuthEndpoint = createEndpointCreator({
   use: [optionsMiddleware]
 });
 
-// src/api/routes/sign-in.ts
-import { APIError } from "better-call";
-import { generateCodeVerifier } from "oslo/oauth2";
-import { Argon2id } from "oslo/password";
-import { z } from "zod";
-
-// src/social-providers/apple.ts
-import "arctic";
-import { parseJWT } from "oslo/jwt";
-import { betterFetch } from "@better-fetch/fetch";
-
 // src/error/better-auth-error.ts
 var BetterAuthError = class extends Error {
   constructor(message) {
@@ -57,41 +60,44 @@ function checkHasPath(url) {
 function withPath(url, path = "/api/auth") {
   const hasPath = checkHasPath(url);
   if (hasPath) {
-    return {
-      baseURL: new URL(url).origin,
-      withPath: url
-    };
+    return url;
   }
   path = path.startsWith("/") ? path : `/${path}`;
-  return {
-    baseURL: url,
-    withPath: `${url}${path}`
-  };
+  return `${url}${path}`;
 }
 function getBaseURL(url, path) {
-  if (url) {
-    return withPath(url, path);
-  }
   const env = typeof process !== "undefined" ? process.env : {};
-  const fromEnv = env.BETTER_AUTH_URL || env.AUTH_URL || env.NEXT_PUBLIC_AUTH_URL || env.NEXT_PUBLIC_BETTER_AUTH_URL || env.PUBLIC_AUTH_URL || env.PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_AUTH_URL;
+  const fromEnv = env.BETTER_AUTH_URL || env.NEXT_PUBLIC_BETTER_AUTH_URL || env.PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_AUTH_URL;
   if (fromEnv) {
     return withPath(fromEnv, path);
   }
-  const isDev = !fromEnv && (env.NODE_ENV === "development" || env.NODE_ENV === "test");
-  if (isDev) {
-    return {
-      baseURL: "http://localhost:3000",
-      withPath: "http://localhost:3000/api/auth"
-    };
+  if (typeof window !== "undefined") {
+    return withPath(window.location.origin, path);
   }
-  throw new BetterAuthError(
-    "Could not infer baseURL from environment variables"
-  );
+  return void 0;
 }
 
 // src/social-providers/utils.ts
 function getRedirectURI(providerId, redirectURI) {
-  return redirectURI || `${getBaseURL()}/api/auth/callback/${providerId}`;
+  return redirectURI || `${getBaseURL()}/callback/${providerId}`;
+}
+async function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint
+}) {
+  const body = new URLSearchParams();
+  body.set("grant_type", "authorization_code");
+  body.set("code", code);
+  body.set("code_verifier", codeVerifier || "");
+  body.set("redirect_uri", redirectURI);
+  body.set("client_id", options.clientId);
+  body.set("client_secret", options.clientSecret);
+  const request = createOAuth2Request(tokenEndpoint, body);
+  const tokens = await sendTokenRequest(request);
+  return tokens;
 }
 
 // src/social-providers/apple.ts
@@ -148,19 +154,11 @@ var apple = ({
     }
   };
 };
-
-// src/social-providers/discord.ts
-import { betterFetch as betterFetch2 } from "@better-fetch/fetch";
-import { Discord } from "arctic";
-var discord = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var discord = (options) => {
   const discordArctic = new Discord(
-    clientId,
-    clientSecret,
-    getRedirectURI("discord", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("discord", options.redirectURI)
   );
   return {
     id: "discord",
@@ -169,14 +167,22 @@ var discord = ({
       const _scope = scopes || ["email"];
       return discordArctic.createAuthorizationURL(state, _scope);
     },
-    validateAuthorizationCode: discordArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("discord", options.redirectURI),
+        options,
+        tokenEndpoint: "https://discord.com/api/oauth2/token"
+      });
+    },
     async getUserInfo(token) {
-      const { data: profile, error } = await betterFetch2(
+      const { data: profile, error } = await betterFetch(
         "https://discord.com/api/users/@me",
         {
           auth: {
             type: "Bearer",
-            token: token.accessToken
+            token: token.accessToken()
           }
         }
       );
@@ -195,19 +201,11 @@ var discord = ({
     }
   };
 };
-
-// src/social-providers/facebook.ts
-import { betterFetch as betterFetch3 } from "@better-fetch/fetch";
-import { Facebook } from "arctic";
-var facebook = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var facebook = (options) => {
   const facebookArctic = new Facebook(
-    clientId,
-    clientSecret,
-    getRedirectURI("facebook", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("facebook", options.redirectURI)
   );
   return {
     id: "facebook",
@@ -216,14 +214,22 @@ var facebook = ({
       const _scopes = scopes || ["email", "public_profile"];
       return facebookArctic.createAuthorizationURL(state, _scopes);
     },
-    validateAuthorizationCode: facebookArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("facebook", options.redirectURI),
+        options,
+        tokenEndpoint: "https://graph.facebook.com/v16.0/oauth/access_token"
+      });
+    },
     async getUserInfo(token) {
-      const { data: profile, error } = await betterFetch3(
+      const { data: profile, error } = await betterFetch(
         "https://graph.facebook.com/me",
         {
           auth: {
             type: "Bearer",
-            token: token.accessToken
+            token: token.accessToken()
           }
         }
       );
@@ -242,10 +248,6 @@ var facebook = ({
     }
   };
 };
-
-// src/social-providers/github.ts
-import { betterFetch as betterFetch4 } from "@better-fetch/fetch";
-import { GitHub } from "arctic";
 var github = ({
   clientId,
   clientSecret,
@@ -263,14 +265,17 @@ var github = ({
       const _scopes = scopes || ["user:email"];
       return githubArctic.createAuthorizationURL(state, _scopes);
     },
-    validateAuthorizationCode: githubArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (state) => {
+      return await githubArctic.validateAuthorizationCode(state);
+    },
     async getUserInfo(token) {
-      const { data: profile, error } = await betterFetch4(
+      console.log(`Bearer ${token.accessToken()}`);
+      const { data: profile, error } = await betterFetch(
         "https://api.github.com/user",
         {
-          method: "GET",
-          headers: {
-            Authorization: `Bearer ${token.accessToken}`
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
           }
         }
       );
@@ -279,10 +284,10 @@ var github = ({
       }
       let emailVerified = false;
       if (!profile.email) {
-        const { data, error: error2 } = await betterFetch4("https://api.github.com/user/emails", {
-          headers: {
-            Authorization: `Bearer ${token.accessToken}`,
-            "User-Agent": "better-auth"
+        const { data, error: error2 } = await betterFetch("https://api.github.com/user/emails", {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
           }
         });
         if (!error2) {
@@ -305,41 +310,81 @@ var github = ({
     }
   };
 };
-
-// src/social-providers/google.ts
-import { Google } from "arctic";
-import { parseJWT as parseJWT2 } from "oslo/jwt";
-var google = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var consola = createConsola({
+  formatOptions: {
+    date: false,
+    colors: true,
+    compact: true
+  },
+  defaults: {
+    tag: "Better Auth"
+  }
+});
+var createLogger = (options) => {
+  return {
+    log: (...args) => {
+      consola.log("", ...args);
+    },
+    error: (...args) => {
+      consola.error("", ...args);
+    },
+    warn: (...args) => {
+      consola.warn("", ...args);
+    },
+    info: (...args) => {
+      consola.info("", ...args);
+    },
+    debug: (...args) => {
+      consola.debug("", ...args);
+    },
+    box: (...args) => {
+      consola.box("", ...args);
+    },
+    success: (...args) => {
+      consola.success("", ...args);
+    },
+    break: (...args) => {
+      console.log("\n");
+    }
+  };
+};
+var logger = createLogger();
+var google = (options) => {
   const googleArctic = new Google(
-    clientId,
-    clientSecret,
-    getRedirectURI("google", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("google", options.redirectURI)
   );
   return {
     id: "google",
     name: "Google",
-    createAuthorizationURL({ state, scopes, codeVerifier }) {
+    createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+      if (!options.clientId || !options.clientSecret) {
+        logger.error(
+          "clientId and clientSecret is required for Google. Make sure to you have provided them in the options"
+        );
+        throw new BetterAuthError("clientId is required for Google");
+      }
       if (!codeVerifier) {
         throw new BetterAuthError("codeVerifier is required for Google");
       }
       const _scopes = scopes || ["email", "profile"];
       return googleArctic.createAuthorizationURL(state, codeVerifier, _scopes);
     },
-    validateAuthorizationCode: async (code, codeVerifier) => {
-      if (!codeVerifier) {
-        throw new BetterAuthError("codeVerifier is required for Google");
-      }
-      return googleArctic.validateAuthorizationCode(code, codeVerifier);
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("google", options.redirectURI),
+        options,
+        tokenEndpoint: "https://oauth2.googleapis.com/token"
+      });
     },
     async getUserInfo(token) {
       if (!token.idToken) {
         return null;
       }
-      const user = parseJWT2(token.idToken())?.payload;
+      const user = parseJWT(token.idToken())?.payload;
       return {
         user: {
           id: user.sub,
@@ -353,19 +398,11 @@ var google = ({
     }
   };
 };
-
-// src/social-providers/spotify.ts
-import { betterFetch as betterFetch5 } from "@better-fetch/fetch";
-import { Spotify } from "arctic";
-var spotify = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var spotify = (options) => {
   const spotifyArctic = new Spotify(
-    clientId,
-    clientSecret,
-    getRedirectURI("spotify", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("spotify", options.redirectURI)
   );
   return {
     id: "spotify",
@@ -374,14 +411,22 @@ var spotify = ({
       const _scopes = scopes || ["user-read-email"];
       return spotifyArctic.createAuthorizationURL(state, _scopes);
     },
-    validateAuthorizationCode: spotifyArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("spotify", options.redirectURI),
+        options,
+        tokenEndpoint: "https://accounts.spotify.com/api/token"
+      });
+    },
     async getUserInfo(token) {
-      const { data: profile, error } = await betterFetch5(
+      const { data: profile, error } = await betterFetch(
         "https://api.spotify.com/v1/me",
         {
           method: "GET",
           headers: {
-            Authorization: `Bearer ${token.accessToken}`
+            Authorization: `Bearer ${token.accessToken()}`
           }
         }
       );
@@ -401,19 +446,11 @@ var spotify = ({
     }
   };
 };
-
-// src/social-providers/twitch.ts
-import { betterFetch as betterFetch6 } from "@better-fetch/fetch";
-import { Twitch } from "arctic";
-var twitch = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var twitch = (options) => {
   const twitchArctic = new Twitch(
-    clientId,
-    clientSecret,
-    getRedirectURI("twitch", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("twitch", options.redirectURI)
   );
   return {
     id: "twitch",
@@ -422,14 +459,22 @@ var twitch = ({
       const _scopes = scopes || ["activity:write", "read"];
       return twitchArctic.createAuthorizationURL(state, _scopes);
     },
-    validateAuthorizationCode: twitchArctic.validateAuthorizationCode,
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("twitch", options.redirectURI),
+        options,
+        tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+      });
+    },
     async getUserInfo(token) {
-      const { data: profile, error } = await betterFetch6(
+      const { data: profile, error } = await betterFetch(
         "https://api.twitch.tv/helix/users",
         {
           method: "GET",
           headers: {
-            Authorization: `Bearer ${token.accessToken}`
+            Authorization: `Bearer ${token.accessToken()}`
           }
         }
       );
@@ -449,19 +494,11 @@ var twitch = ({
     }
   };
 };
-
-// src/social-providers/twitter.ts
-import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
-import { Twitter } from "arctic";
-var twitter = ({
-  clientId,
-  clientSecret,
-  redirectURI
-}) => {
+var twitter = (options) => {
   const twitterArctic = new Twitter(
-    clientId,
-    clientSecret,
-    getRedirectURI("twitter", redirectURI)
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("twitter", options.redirectURI)
   );
   return {
     id: "twitter",
@@ -474,19 +511,22 @@ var twitter = ({
         _scopes
       );
     },
-    validateAuthorizationCode: async (code, codeVerifier) => {
-      if (!codeVerifier) {
-        throw new BetterAuthError("codeVerifier is required for Twitter");
-      }
-      return twitterArctic.validateAuthorizationCode(code, codeVerifier);
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("twitch", options.redirectURI),
+        options,
+        tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+      });
     },
     async getUserInfo(token) {
-      const { data: profile, error } = await betterFetch7(
+      const { data: profile, error } = await betterFetch(
         "https://api.x.com/2/users/me?user.fields=profile_image_url",
         {
           method: "GET",
           headers: {
-            Authorization: `Bearer ${token.accessToken}`
+            Authorization: `Bearer ${token.accessToken()}`
           }
         }
       );
@@ -510,9 +550,6 @@ var twitter = ({
   };
 };
 
-// src/types/provider.ts
-import "arctic";
-
 // src/social-providers/index.ts
 var oAuthProviders = {
   apple,
@@ -525,17 +562,61 @@ var oAuthProviders = {
   twitter
 };
 var oAuthProviderList = Object.keys(oAuthProviders);
-
-// src/utils/state.ts
-import { generateState as generateStateOAuth } from "oslo/oauth2";
-function generateState(callbackURL, currentURL) {
-  const code = generateStateOAuth();
-  const state = `${code}!${callbackURL}!${currentURL}`;
+function generateState(callbackURL, currentURL, dontRememberMe) {
+  const code = generateState$1();
+  const state = JSON.stringify({
+    code,
+    callbackURL,
+    currentURL,
+    dontRememberMe
+  });
   return { state, code };
 }
 function parseState(state) {
-  const [code, callbackURL, currentURL] = state.split("!");
-  return { code, callbackURL, currentURL };
+  const data = z.object({
+    code: z.string(),
+    callbackURL: z.string().optional(),
+    currentURL: z.string().optional(),
+    dontRememberMe: z.boolean().optional()
+  }).safeParse(JSON.parse(state));
+  return data;
+}
+
+// src/utils/date.ts
+var getDate = (span, isSeconds = false) => {
+  const date = /* @__PURE__ */ new Date();
+  return new Date(date.getTime() + (isSeconds ? span * 1e3 : span));
+};
+async function setSessionCookie(ctx, sessionToken, dontRememberMe, overrides) {
+  await ctx.setSignedCookie(
+    ctx.context.authCookies.sessionToken.name,
+    sessionToken,
+    ctx.context.secret,
+    dontRememberMe ? {
+      ...ctx.context.authCookies.sessionToken.options,
+      maxAge: void 0,
+      ...overrides
+    } : {
+      ...ctx.context.authCookies.sessionToken.options,
+      ...overrides
+    }
+  );
+  if (dontRememberMe) {
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.dontRememberToken.name,
+      "true",
+      ctx.context.secret,
+      ctx.context.authCookies.dontRememberToken.options
+    );
+  }
+}
+function deleteSessionCookie(ctx) {
+  ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
+    maxAge: 0
+  });
+  ctx.setCookie(ctx.context.authCookies.dontRememberToken.name, "", {
+    maxAge: 0
+  });
 }
 
 // src/api/routes/session.ts
@@ -546,45 +627,62 @@ var getSession = createAuthEndpoint(
     requireHeaders: true
   },
   async (ctx) => {
-    const sessionCookieToken = await ctx.getSignedCookie(
-      ctx.context.authCookies.sessionToken.name,
-      ctx.context.secret
-    );
-    if (!sessionCookieToken) {
-      return ctx.json(null, {
-        status: 401
-      });
-    }
-    const session = await ctx.context.internalAdapter.findSession(sessionCookieToken);
-    if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
-      ctx.setSignedCookie(
+    try {
+      const sessionCookieToken = await ctx.getSignedCookie(
         ctx.context.authCookies.sessionToken.name,
-        "",
-        ctx.context.secret,
-        {
-          maxAge: 0
+        ctx.context.secret
+      );
+      if (!sessionCookieToken) {
+        return ctx.json(null, {
+          status: 401
+        });
+      }
+      const session = await ctx.context.internalAdapter.findSession(sessionCookieToken);
+      if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
+        deleteSessionCookie(ctx);
+        if (session) {
+          await ctx.context.internalAdapter.deleteSession(session.session.id);
         }
+        return ctx.json(null, {
+          status: 401
+        });
+      }
+      const dontRememberMe = await ctx.getSignedCookie(
+        ctx.context.authCookies.dontRememberToken.name,
+        ctx.context.secret
       );
-      return ctx.json(null, {
-        status: 401
-      });
-    }
-    const updatedSession = await ctx.context.internalAdapter.updateSession(
-      session.session
-    );
-    await ctx.setSignedCookie(
-      ctx.context.authCookies.sessionToken.name,
-      updatedSession.id,
-      ctx.context.secret,
-      {
-        ...ctx.context.authCookies.sessionToken.options,
-        maxAge: updatedSession.expiresAt.valueOf() - Date.now()
+      if (dontRememberMe) {
+        return ctx.json(session);
       }
-    );
-    return ctx.json({
-      session: updatedSession,
-      user: session.user
-    });
+      const expiresIn = ctx.context.session.expiresIn;
+      const updateAge = ctx.context.session.updateAge;
+      const sessionIsDueToBeUpdatedDate = session.session.expiresAt.valueOf() - expiresIn * 1e3 + updateAge * 1e3;
+      const shouldBeUpdated = sessionIsDueToBeUpdatedDate <= Date.now();
+      if (shouldBeUpdated) {
+        const updatedSession = await ctx.context.internalAdapter.updateSession(
+          session.session.id,
+          {
+            expiresAt: getDate(ctx.context.session.expiresIn, true)
+          }
+        );
+        if (!updatedSession) {
+          deleteSessionCookie(ctx);
+          return ctx.json(null, { status: 401 });
+        }
+        const maxAge = (updatedSession.expiresAt.valueOf() - Date.now()) / 1e3;
+        await setSessionCookie(ctx, updatedSession.id, false, {
+          maxAge
+        });
+        return ctx.json({
+          session: updatedSession,
+          user: session.user
+        });
+      }
+      return ctx.json(session);
+    } catch (error) {
+      ctx.context.logger.error(error);
+      return ctx.json(null, { status: 500 });
+    }
   }
 );
 var getSessionFromCtx = async (ctx) => {
@@ -597,7 +695,7 @@ var getSessionFromCtx = async (ctx) => {
 };
 
 // src/api/routes/sign-in.ts
-var signInOAuth = createAuthEndpoint(
+createAuthEndpoint(
   "/sign-in/social",
   {
     method: "POST",
@@ -617,7 +715,11 @@ var signInOAuth = createAuthEndpoint(
       /**
        * OAuth2 provider to use`
        */
-      provider: z.enum(oAuthProviderList)
+      provider: z.enum(oAuthProviderList),
+      /**
+       * If this is true the session will only be valid for the current browser session
+       */
+      dontRememberMe: z.boolean().default(false).optional()
     })
   },
   async (c) => {
@@ -631,7 +733,9 @@ var signInOAuth = createAuthEndpoint(
           provider: c.body.provider
         }
       );
-      throw new APIError("NOT_FOUND");
+      throw new APIError("NOT_FOUND", {
+        message: "Provider not found"
+      });
     }
     const cookie = c.context.authCookies;
     const currentURL = c.query?.currentURL ? new URL(c.query?.currentURL) : null;
@@ -657,6 +761,10 @@ var signInOAuth = createAuthEndpoint(
         state: state.state,
         codeVerifier
       });
+      url.searchParams.set(
+        "redirect_uri",
+        `${c.context.baseURL}/callback/${c.body.provider}`
+      );
       return {
         url: url.toString(),
         state: state.state,
@@ -668,7 +776,7 @@ var signInOAuth = createAuthEndpoint(
     }
   }
 );
-var signInEmail = createAuthEndpoint(
+createAuthEndpoint(
   "/sign-in/email",
   {
     method: "POST",
@@ -692,18 +800,20 @@ var signInEmail = createAuthEndpoint(
     }
     const currentSession = await getSessionFromCtx(ctx);
     if (currentSession) {
-      return ctx.json({
-        user: currentSession.user,
-        session: currentSession.session,
-        redirect: !!ctx.body.callbackURL,
-        url: ctx.body.callbackURL
-      });
+      await ctx.context.internalAdapter.deleteSession(
+        currentSession.session.id
+      );
     }
     const { email, password } = ctx.body;
-    const argon2id = new Argon2id();
+    const checkEmail = z.string().email().safeParse(email);
+    if (!checkEmail.success) {
+      throw new APIError("BAD_REQUEST", {
+        message: "Invalid email"
+      });
+    }
     const user = await ctx.context.internalAdapter.findUserByEmail(email);
     if (!user) {
-      await argon2id.hash(password);
+      await ctx.context.password.hash(password);
       ctx.context.logger.error("User not found", { email });
       throw new APIError("UNAUTHORIZED", {
         message: "Invalid email or password"
@@ -725,7 +835,10 @@ var signInEmail = createAuthEndpoint(
         message: "Unexpected error"
       });
     }
-    const validPassword = await argon2id.verify(currentPassword, password);
+    const validPassword = await ctx.context.password.verify(
+      currentPassword,
+      password
+    );
     if (!validPassword) {
       ctx.context.logger.error("Invalid password");
       throw new APIError("UNAUTHORIZED", {
@@ -734,17 +847,10 @@ var signInEmail = createAuthEndpoint(
     }
     const session = await ctx.context.internalAdapter.createSession(
       user.user.id,
-      ctx.request
-    );
-    await ctx.setSignedCookie(
-      ctx.context.authCookies.sessionToken.name,
-      session.id,
-      ctx.context.secret,
-      ctx.body.dontRememberMe ? {
-        ...ctx.context.authCookies.sessionToken.options,
-        maxAge: void 0
-      } : ctx.context.authCookies.sessionToken.options
+      ctx.request,
+      ctx.body.dontRememberMe
     );
+    await setSessionCookie(ctx, session.id, ctx.body.dontRememberMe);
     return ctx.json({
       user: user.user,
       session,
@@ -753,65 +859,80 @@ var signInEmail = createAuthEndpoint(
     });
   }
 );
-
-// src/api/routes/callback.ts
-import { APIError as APIError2 } from "better-call";
-import { z as z3 } from "zod";
-
-// src/adapters/schema.ts
-import { z as z2 } from "zod";
-var accountSchema = z2.object({
-  id: z2.string(),
-  providerId: z2.string(),
-  accountId: z2.string(),
-  userId: z2.string(),
-  accessToken: z2.string().nullable().optional(),
-  refreshToken: z2.string().nullable().optional(),
-  idToken: z2.string().nullable().optional(),
-  accessTokenExpiresAt: z2.date().nullable().optional(),
-  refreshTokenExpiresAt: z2.date().nullable().optional(),
+z.object({
+  id: z.string(),
+  providerId: z.string(),
+  accountId: z.string(),
+  userId: z.string(),
+  accessToken: z.string().nullable().optional(),
+  refreshToken: z.string().nullable().optional(),
+  idToken: z.string().nullable().optional(),
+  accessTokenExpiresAt: z.date().nullable().optional(),
+  refreshTokenExpiresAt: z.date().nullable().optional(),
   /**
    * Password is only stored in the credential provider
    */
-  password: z2.string().optional().nullable()
+  password: z.string().optional().nullable()
 });
-var userSchema = z2.object({
-  id: z2.string(),
-  email: z2.string().transform((val) => val.toLowerCase()),
-  emailVerified: z2.boolean().default(false),
-  name: z2.string(),
-  image: z2.string().optional(),
-  createdAt: z2.date().default(/* @__PURE__ */ new Date()),
-  updatedAt: z2.date().default(/* @__PURE__ */ new Date())
+var userSchema = z.object({
+  id: z.string(),
+  email: z.string().transform((val) => val.toLowerCase()),
+  emailVerified: z.boolean().default(false),
+  name: z.string(),
+  image: z.string().optional(),
+  createdAt: z.date().default(/* @__PURE__ */ new Date()),
+  updatedAt: z.date().default(/* @__PURE__ */ new Date())
 });
-var sessionSchema = z2.object({
-  id: z2.string(),
-  userId: z2.string(),
-  expiresAt: z2.date(),
-  ipAddress: z2.string().optional(),
-  userAgent: z2.string().optional()
+z.object({
+  id: z.string(),
+  userId: z.string(),
+  expiresAt: z.date(),
+  ipAddress: z.string().optional(),
+  userAgent: z.string().optional()
 });
+var generateId = () => {
+  return generateRandomString(36, alphabet("a-z", "0-9"));
+};
 
 // src/client/client-utils.ts
 var HIDE_ON_CLIENT_METADATA = {
   onClient: "hide"
 };
 
-// src/utils/id.ts
-import { alphabet, generateRandomString } from "oslo/crypto";
-var generateId = () => {
-  return generateRandomString(36, alphabet("a-z", "0-9"));
-};
+// src/utils/getAccount.ts
+function getAccountTokens(tokens) {
+  const accessToken = tokens.accessToken();
+  let refreshToken = void 0;
+  try {
+    refreshToken = tokens.refreshToken();
+  } catch {
+  }
+  let accessTokenExpiresAt = void 0;
+  let refreshTokenExpiresAt = void 0;
+  try {
+    accessTokenExpiresAt = tokens.accessTokenExpiresAt();
+  } catch {
+  }
+  try {
+    refreshTokenExpiresAt = tokens.refreshTokenExpiresAt();
+  } catch {
+  }
+  return {
+    accessToken,
+    refreshToken,
+    accessTokenExpiresAt,
+    refreshTokenExpiresAt
+  };
+}
 
 // src/api/routes/callback.ts
-var callbackOAuth = createAuthEndpoint(
+createAuthEndpoint(
   "/callback/:id",
   {
     method: "GET",
-    query: z3.object({
-      state: z3.string(),
-      code: z3.string(),
-      code_verifier: z3.string().optional()
+    query: z.object({
+      state: z.string(),
+      code: z.string()
     }),
     metadata: HIDE_ON_CLIENT_METADATA
   },
@@ -825,15 +946,20 @@ var callbackOAuth = createAuthEndpoint(
         c.params.id,
         "not found"
       );
-      throw new APIError2("NOT_FOUND");
+      throw new APIError("NOT_FOUND");
     }
+    const codeVerifier = await c.getSignedCookie(
+      c.context.authCookies.pkCodeVerifier.name,
+      c.context.secret
+    );
     const tokens = await provider.validateAuthorizationCode(
       c.query.code,
-      c.query.code_verifier || ""
+      codeVerifier,
+      `${c.context.baseURL}/callback/${provider.id}`
     );
     if (!tokens) {
       c.context.logger.error("Code verification failed");
-      throw new APIError2("UNAUTHORIZED");
+      throw new APIError("UNAUTHORIZED");
     }
     const user = await provider.getUserInfo(tokens).then((res) => res?.user);
     const id = generateId();
@@ -841,17 +967,24 @@ var callbackOAuth = createAuthEndpoint(
       ...user,
       id
     });
-    const { callbackURL, currentURL } = parseState(c.query.state);
+    const parsedState = parseState(c.query.state);
+    if (!parsedState.success) {
+      c.context.logger.error("Unable to parse state");
+      throw new APIError("BAD_REQUEST", {
+        message: "invalid state"
+      });
+    }
+    const { callbackURL, currentURL, dontRememberMe } = parsedState.data;
     if (!user || data.success === false) {
       if (currentURL) {
         throw c.redirect(`${currentURL}?error=oauth_validation_failed`);
       } else {
-        throw new APIError2("BAD_REQUEST");
+        throw new APIError("BAD_REQUEST");
       }
     }
     if (!callbackURL) {
       c.context.logger.error("Callback URL not found");
-      throw new APIError2("FORBIDDEN");
+      throw new APIError("FORBIDDEN");
     }
     const dbUser = await c.context.internalAdapter.findUserByEmail(user.email);
     const userId = dbUser?.user.id;
@@ -871,13 +1004,13 @@ var callbackOAuth = createAuthEndpoint(
           accountId: user.id,
           id: `${provider.id}:${user.id}`,
           userId: dbUser.user.id,
-          ...tokens
+          ...getAccountTokens(tokens)
         });
       }
     } else {
       try {
         await c.context.internalAdapter.createOAuthUser(data.data, {
-          ...tokens,
+          ...getAccountTokens(tokens),
           id: `${provider.id}:${user.id}`,
           providerId: provider.id,
           accountId: user.id,
@@ -891,20 +1024,16 @@ var callbackOAuth = createAuthEndpoint(
       }
     }
     if (!userId && !id)
-      throw new APIError2("INTERNAL_SERVER_ERROR", {
+      throw new APIError("INTERNAL_SERVER_ERROR", {
         message: "Unable to create user"
       });
     const session = await c.context.internalAdapter.createSession(
       userId || id,
-      c.request
+      c.request,
+      dontRememberMe
     );
     try {
-      await c.setSignedCookie(
-        c.context.authCookies.sessionToken.name,
-        session.id,
-        c.context.secret,
-        c.context.authCookies.sessionToken.options
-      );
+      await setSessionCookie(c, session.id, dontRememberMe);
     } catch (e) {
       c.context.logger.error("Unable to set session cookie", e);
       const url = new URL(currentURL || callbackURL);
@@ -914,15 +1043,12 @@ var callbackOAuth = createAuthEndpoint(
     throw c.redirect(callbackURL);
   }
 );
-
-// src/api/routes/sign-out.ts
-import { z as z4 } from "zod";
-var signOut = createAuthEndpoint(
+createAuthEndpoint(
   "/sign-out",
   {
     method: "POST",
-    body: z4.object({
-      callbackURL: z4.string().optional()
+    body: z.object({
+      callbackURL: z.string().optional()
     }).optional()
   },
   async (ctx) => {
@@ -934,9 +1060,7 @@ var signOut = createAuthEndpoint(
       return ctx.json(null);
     }
     await ctx.context.internalAdapter.deleteSession(sessionCookieToken);
-    ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
-      maxAge: 0
-    });
+    deleteSessionCookie(ctx);
     return ctx.json(null, {
       body: {
         redirect: !!ctx.body?.callbackURL,
@@ -945,22 +1069,15 @@ var signOut = createAuthEndpoint(
     });
   }
 );
-
-// src/api/routes/forget-password.ts
-import { TimeSpan } from "oslo";
-import { createJWT } from "oslo/jwt";
-import { validateJWT } from "oslo/jwt";
-import { Argon2id as Argon2id2 } from "oslo/password";
-import { z as z5 } from "zod";
-var forgetPassword = createAuthEndpoint(
+createAuthEndpoint(
   "/forget-password",
   {
     method: "POST",
-    body: z5.object({
+    body: z.object({
       /**
        * The email address of the user to send a password reset email to.
        */
-      email: z5.string().email()
+      email: z.string().email()
     })
   },
   async (ctx) => {
@@ -1015,14 +1132,14 @@ var forgetPassword = createAuthEndpoint(
     });
   }
 );
-var resetPassword = createAuthEndpoint(
+createAuthEndpoint(
   "/reset-password",
   {
     method: "POST",
-    body: z5.object({
-      token: z5.string(),
-      newPassword: z5.string(),
-      callbackURL: z5.string().optional()
+    body: z.object({
+      token: z.string(),
+      newPassword: z.string(),
+      callbackURL: z.string().optional()
     })
   },
   async (ctx) => {
@@ -1033,7 +1150,7 @@ var resetPassword = createAuthEndpoint(
         Buffer.from(ctx.context.secret),
         token
       );
-      const email = z5.string().email().parse(jwt.payload.email);
+      const email = z.string().email().parse(jwt.payload.email);
       const user = await ctx.context.internalAdapter.findUserByEmail(email);
       if (!user) {
         return ctx.json(null, {
@@ -1053,8 +1170,7 @@ var resetPassword = createAuthEndpoint(
           }
         });
       }
-      const argon2id = new Argon2id2();
-      const hashedPassword = await argon2id.hash(newPassword);
+      const hashedPassword = await ctx.context.password.hash(newPassword);
       const updatedUser = await ctx.context.internalAdapter.updatePassword(
         user.user.id,
         hashedPassword
@@ -1085,18 +1201,30 @@ var resetPassword = createAuthEndpoint(
     }
   }
 );
-
-// src/api/routes/verify-email.ts
-import { TimeSpan as TimeSpan2 } from "oslo";
-import { createJWT as createJWT2, validateJWT as validateJWT2 } from "oslo/jwt";
-import { z as z6 } from "zod";
-var sendVerificationEmail = createAuthEndpoint(
+async function createEmailVerificationToken(secret, email) {
+  const token = await createJWT(
+    "HS256",
+    Buffer.from(secret),
+    {
+      email: email.toLowerCase()
+    },
+    {
+      expiresIn: new TimeSpan(1, "h"),
+      issuer: "better-auth",
+      subject: "verify-email",
+      audiences: [email],
+      includeIssuedTimestamp: true
+    }
+  );
+  return token;
+}
+createAuthEndpoint(
   "/send-verification-email",
   {
     method: "POST",
-    body: z6.object({
-      email: z6.string().email(),
-      callbackURL: z6.string().optional()
+    body: z.object({
+      email: z.string().email(),
+      callbackURL: z.string().optional()
     })
   },
   async (ctx) => {
@@ -1110,83 +1238,34 @@ var sendVerificationEmail = createAuthEndpoint(
       });
     }
     const { email } = ctx.body;
-    const token = await createJWT2(
-      "HS256",
-      Buffer.from(ctx.context.secret),
-      {
-        email: email.toLowerCase()
-      },
-      {
-        expiresIn: new TimeSpan2(1, "h"),
-        issuer: "better-auth",
-        subject: "verify-email",
-        audiences: [email],
-        includeIssuedTimestamp: true
-      }
-    );
+    const token = await createEmailVerificationToken(ctx.context.secret, email);
     const url = `${ctx.context.baseURL}/verify-email?token=${token}?callbackURL=${ctx.body.callbackURL}`;
     await ctx.context.options.emailAndPassword.sendVerificationEmail(
       email,
-      url
+      url,
+      token
     );
     return ctx.json({
       status: true
     });
   }
 );
-var verifyEmail = createAuthEndpoint(
+createAuthEndpoint(
   "/verify-email",
   {
     method: "GET",
-    query: z6.object({
-      token: z6.string(),
-      callbackURL: z6.string()
+    query: z.object({
+      token: z.string(),
+      callbackURL: z.string().optional()
     })
   },
   async (ctx) => {
     const { token } = ctx.query;
+    let jwt;
     try {
-      const jwt = await validateJWT2(
-        "HS256",
-        Buffer.from(ctx.context.secret),
-        token
-      );
-      const schema = z6.object({
-        email: z6.string().email()
-      });
-      const parsed = schema.parse(jwt.payload);
-      const user = await ctx.context.internalAdapter.findUserByEmail(
-        parsed.email
-      );
-      if (!user) {
-        return ctx.json(null, {
-          status: 400,
-          statusText: "USER_NOT_FOUND",
-          body: {
-            message: "User not found"
-          }
-        });
-      }
-      const account = user.accounts.find((a) => a.providerId === "credential");
-      if (!account) {
-        return ctx.json(null, {
-          status: 400,
-          statusText: "ACCOUNT_NOT_FOUND",
-          body: {
-            message: "Account not found"
-          }
-        });
-      }
-      await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
-        emailVerified: true
-      });
-      if (ctx.query.callbackURL) {
-        throw ctx.redirect(ctx.query.callbackURL);
-      }
-      return ctx.json({
-        status: true
-      });
+      jwt = await validateJWT("HS256", Buffer.from(ctx.context.secret), token);
     } catch (e) {
+      ctx.context.logger.error("Failed to verify email", e);
       return ctx.json(null, {
         status: 400,
         statusText: "INVALID_TOKEN",
@@ -1195,6 +1274,41 @@ var verifyEmail = createAuthEndpoint(
         }
       });
     }
+    const schema = z.object({
+      email: z.string().email()
+    });
+    const parsed = schema.parse(jwt.payload);
+    const user = await ctx.context.internalAdapter.findUserByEmail(
+      parsed.email
+    );
+    if (!user) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "USER_NOT_FOUND",
+        body: {
+          message: "User not found"
+        }
+      });
+    }
+    const account = user.accounts.find((a) => a.providerId === "credential");
+    if (!account) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "ACCOUNT_NOT_FOUND",
+        body: {
+          message: "Account not found"
+        }
+      });
+    }
+    await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
+      emailVerified: true
+    });
+    if (ctx.query.callbackURL) {
+      throw ctx.redirect(ctx.query.callbackURL);
+    }
+    return ctx.json({
+      status: true
+    });
   }
 );
 
@@ -1348,12 +1462,6 @@ var permissionFromString = (permission) => {
   return Role.fromString(permission ?? "");
 };
 
-// src/utils/date.ts
-var getDate = (span) => {
-  const date = /* @__PURE__ */ new Date();
-  return new Date(date.getTime() + span);
-};
-
 // src/plugins/organization/adapter.ts
 var getOrgAdapter = (adapter, options) => {
   return {
@@ -1482,7 +1590,7 @@ var getOrgAdapter = (adapter, options) => {
       return organization2;
     },
     deleteOrganization: async (orgId) => {
-      const organization2 = await adapter.delete({
+      await adapter.delete({
         model: "organization",
         where: [
           {
@@ -1491,7 +1599,7 @@ var getOrgAdapter = (adapter, options) => {
           }
         ]
       });
-      return organization2;
+      return orgId;
     },
     setActiveOrganization: async (sessionId, orgId) => {
       const session = await adapter.update({
@@ -1568,7 +1676,6 @@ var getOrgAdapter = (adapter, options) => {
         ]
       });
       const organizationIds = members?.map((member) => member.organizationId);
-      console.log({ organizationIds });
       if (!organizationIds) {
         return [];
       }
@@ -1662,16 +1769,10 @@ var getOrgAdapter = (adapter, options) => {
     }
   };
 };
-
-// src/plugins/organization/call.ts
-import "better-call";
-
-// src/api/middlewares/session.ts
-import { APIError as APIError3 } from "better-call";
 var sessionMiddleware = createAuthMiddleware(async (ctx) => {
   const session = await getSessionFromCtx(ctx);
   if (!session?.session) {
-    throw new APIError3("UNAUTHORIZED");
+    throw new APIError("UNAUTHORIZED");
   }
   return {
     session
@@ -1693,38 +1794,32 @@ var orgSessionMiddleware = createAuthMiddleware(
     };
   }
 );
-
-// src/plugins/organization/routes/crud-invites.ts
-import { z as z8 } from "zod";
-
-// src/plugins/organization/schema.ts
-import { z as z7 } from "zod";
-var role = z7.enum(["admin", "member", "owner"]);
-var invitationStatus = z7.enum(["pending", "accepted", "rejected", "canceled"]).default("pending");
-var organizationSchema = z7.object({
-  id: z7.string(),
-  name: z7.string(),
-  slug: z7.string()
+var role = z.enum(["admin", "member", "owner"]);
+var invitationStatus = z.enum(["pending", "accepted", "rejected", "canceled"]).default("pending");
+z.object({
+  id: z.string(),
+  name: z.string(),
+  slug: z.string()
 });
-var memberSchema = z7.object({
-  id: z7.string(),
-  name: z7.string(),
-  email: z7.string(),
-  organizationId: z7.string(),
-  userId: z7.string(),
+z.object({
+  id: z.string(),
+  name: z.string(),
+  email: z.string(),
+  organizationId: z.string(),
+  userId: z.string(),
   role
 });
-var invitationSchema = z7.object({
-  id: z7.string(),
-  organizationId: z7.string(),
-  email: z7.string(),
+z.object({
+  id: z.string(),
+  organizationId: z.string(),
+  email: z.string(),
   role,
   status: invitationStatus,
   /**
    * The id of the user who invited the user.
    */
-  inviterId: z7.string(),
-  expiresAt: z7.date()
+  inviterId: z.string(),
+  expiresAt: z.date()
 });
 
 // src/plugins/organization/routes/crud-invites.ts
@@ -1733,11 +1828,11 @@ var createInvitation = createAuthEndpoint(
   {
     method: "POST",
     use: [orgMiddleware, orgSessionMiddleware],
-    body: z8.object({
-      email: z8.string(),
+    body: z.object({
+      email: z.string(),
       role,
-      organizationId: z8.string().optional(),
-      resend: z8.boolean().optional()
+      organizationId: z.string().optional(),
+      resend: z.boolean().optional()
     })
   },
   async (ctx) => {
@@ -1827,8 +1922,8 @@ var acceptInvitation = createAuthEndpoint(
   "/organization/accept-invitation",
   {
     method: "POST",
-    body: z8.object({
-      invitationId: z8.string()
+    body: z.object({
+      invitationId: z.string()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -1864,6 +1959,18 @@ var acceptInvitation = createAuthEndpoint(
       role: invitation.role,
       name: session.user.name
     });
+    await adapter.setActiveOrganization(
+      session.session.id,
+      invitation.organizationId
+    );
+    if (!acceptedI) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Invitation not found!"
+        }
+      });
+    }
     return ctx.json({
       invitation: acceptedI,
       member
@@ -1874,8 +1981,8 @@ var rejectInvitation = createAuthEndpoint(
   "/organization/reject-invitation",
   {
     method: "POST",
-    body: z8.object({
-      invitationId: z8.string()
+    body: z.object({
+      invitationId: z.string()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -1913,8 +2020,8 @@ var cancelInvitation = createAuthEndpoint(
   "/organization/cancel-invitation",
   {
     method: "POST",
-    body: z8.object({
-      invitationId: z8.string()
+    body: z.object({
+      invitationId: z.string()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -1965,8 +2072,8 @@ var getActiveInvitation = createAuthEndpoint(
   {
     method: "GET",
     use: [orgMiddleware],
-    query: z8.object({
-      id: z8.string()
+    query: z.object({
+      id: z.string()
     })
   },
   async (ctx) => {
@@ -2029,21 +2136,22 @@ var getActiveInvitation = createAuthEndpoint(
     });
   }
 );
-
-// src/plugins/organization/routes/crud-members.ts
-import { z as z9 } from "zod";
 var removeMember = createAuthEndpoint(
   "/organization/remove-member",
   {
     method: "POST",
-    body: z9.object({
-      memberId: z9.string()
+    body: z.object({
+      memberIdOrEmail: z.string(),
+      /**
+       * If not provided, the active organization will be used
+       */
+      organizationId: z.string().optional()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
   async (ctx) => {
     const session = ctx.context.session;
-    const orgId = session.session.activeOrganizationId;
+    const orgId = ctx.body.organizationId || session.session.activeOrganizationId;
     if (!orgId) {
       return ctx.json(null, {
         status: 400,
@@ -2074,7 +2182,7 @@ var removeMember = createAuthEndpoint(
         }
       });
     }
-    if (session.user.id === member.userId && member.role === (ctx.context.orgOptions?.creatorRole || "owner")) {
+    if ((session.user.email === ctx.body.memberIdOrEmail || session.user.id === ctx.body.memberIdOrEmail) && member.role === (ctx.context.orgOptions?.creatorRole || "owner")) {
       return ctx.json(null, {
         status: 400,
         body: {
@@ -2093,7 +2201,15 @@ var removeMember = createAuthEndpoint(
         status: 403
       });
     }
-    const existing = await adapter.findMemberById(ctx.body.memberId);
+    let existing = null;
+    if (ctx.body.memberIdOrEmail.includes("@")) {
+      existing = await adapter.findMemberByEmail({
+        email: ctx.body.memberIdOrEmail,
+        organizationId: orgId
+      });
+    } else {
+      existing = await adapter.findMemberById(ctx.body.memberIdOrEmail);
+    }
     if (existing?.organizationId !== orgId) {
       return ctx.json(null, {
         status: 400,
@@ -2102,26 +2218,32 @@ var removeMember = createAuthEndpoint(
         }
       });
     }
-    const deletedMember = await adapter.deleteMember(ctx.body.memberId);
+    await adapter.deleteMember(existing.id);
     if (session.user.id === existing.userId && session.session.activeOrganizationId === existing.organizationId) {
       await adapter.setActiveOrganization(session.session.id, null);
     }
-    return ctx.json(deletedMember);
+    return ctx.json({
+      member: existing
+    });
   }
 );
-var updateMember = createAuthEndpoint(
-  "/organization/update-member",
+var updateMemberRole = createAuthEndpoint(
+  "/organization/update-member-role",
   {
     method: "POST",
-    body: z9.object({
-      memberId: z9.string(),
-      role: z9.string()
+    body: z.object({
+      role: z.enum(["admin", "member", "owner"]),
+      memberId: z.string(),
+      /**
+       * If not provided, the active organization will be used
+       */
+      organizationId: z.string().optional()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
   async (ctx) => {
     const session = ctx.context.session;
-    const orgId = session.session.activeOrganizationId;
+    const orgId = ctx.body.organizationId || session.session.activeOrganizationId;
     if (!orgId) {
       return ctx.json(null, {
         status: 400,
@@ -2154,8 +2276,8 @@ var updateMember = createAuthEndpoint(
     }
     const canUpdateMember = role2.authorize({
       member: ["update"]
-    });
-    if (canUpdateMember.error) {
+    }).error || ctx.body.role === "owner" && member.role !== "owner";
+    if (canUpdateMember) {
       return ctx.json(null, {
         body: {
           message: "You are not allowed to update this member"
@@ -2167,20 +2289,25 @@ var updateMember = createAuthEndpoint(
       ctx.body.memberId,
       ctx.body.role
     );
+    if (!updatedMember) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Member not found!"
+        }
+      });
+    }
     return ctx.json(updatedMember);
   }
 );
-
-// src/plugins/organization/routes/crud-org.ts
-import { z as z10 } from "zod";
 var createOrganization = createAuthEndpoint(
   "/organization/create",
   {
     method: "POST",
-    body: z10.object({
-      name: z10.string(),
-      slug: z10.string(),
-      userId: z10.string().optional()
+    body: z.object({
+      name: z.string(),
+      slug: z.string(),
+      userId: z.string().optional()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -2228,10 +2355,12 @@ var updateOrganization = createAuthEndpoint(
   "/organization/update",
   {
     method: "POST",
-    body: z10.object({
-      name: z10.string().optional(),
-      slug: z10.string().optional(),
-      orgId: z10.string().optional()
+    body: z.object({
+      data: z.object({
+        name: z.string().optional(),
+        slug: z.string().optional()
+      }).partial(),
+      orgId: z.string().optional()
     }),
     requireHeaders: true,
     use: [orgMiddleware]
@@ -2285,7 +2414,7 @@ var updateOrganization = createAuthEndpoint(
         status: 403
       });
     }
-    const updatedOrg = await adapter.updateOrganization(orgId, ctx.body);
+    const updatedOrg = await adapter.updateOrganization(orgId, ctx.body.data);
     return ctx.json(updatedOrg);
   }
 );
@@ -2293,8 +2422,8 @@ var deleteOrganization = createAuthEndpoint(
   "/organization/delete",
   {
     method: "POST",
-    body: z10.object({
-      orgId: z10.string()
+    body: z.object({
+      orgId: z.string()
     }),
     requireHeaders: true,
     use: [orgMiddleware]
@@ -2351,16 +2480,16 @@ var deleteOrganization = createAuthEndpoint(
     if (orgId === session.session.activeOrganizationId) {
       await adapter.setActiveOrganization(session.session.id, null);
     }
-    const deletedOrg = await adapter.deleteOrganization(orgId);
-    return ctx.json(deletedOrg);
+    await adapter.deleteOrganization(orgId);
+    return ctx.json(orgId);
   }
 );
 var getFullOrganization = createAuthEndpoint(
-  "/organization/full",
+  "/organization/get-full",
   {
     method: "GET",
-    query: z10.object({
-      orgId: z10.string().optional()
+    query: z.object({
+      orgId: z.string().optional()
     }),
     requireHeaders: true,
     use: [orgMiddleware, orgSessionMiddleware]
@@ -2390,11 +2519,11 @@ var getFullOrganization = createAuthEndpoint(
   }
 );
 var setActiveOrganization = createAuthEndpoint(
-  "/organization/set-active",
+  "/organization/activate",
   {
     method: "POST",
-    body: z10.object({
-      orgId: z10.string()
+    body: z.object({
+      orgId: z.string()
     }),
     use: [sessionMiddleware, orgMiddleware]
   },
@@ -2427,6 +2556,7 @@ var organization = (options) => {
   const endpoints = {
     createOrganization,
     updateOrganization,
+    deleteOrganization,
     setActiveOrganization,
     getFullOrganization,
     listOrganization,
@@ -2436,7 +2566,7 @@ var organization = (options) => {
     getActiveInvitation,
     rejectInvitation,
     removeMember,
-    updateMember
+    updateMemberRole
   };
   const roles = {
     ...defaultRoles,
@@ -2458,14 +2588,14 @@ var organization = (options) => {
         {
           method: "POST",
           requireHeaders: true,
-          body: z11.object({
-            permission: z11.record(z11.string(), z11.array(z11.string()))
+          body: z.object({
+            permission: z.record(z.string(), z.array(z.string()))
           }),
           use: [orgSessionMiddleware]
         },
         async (ctx) => {
           if (!ctx.context.session.session.activeOrganizationId) {
-            throw new APIError5("BAD_REQUEST", {
+            throw new APIError("BAD_REQUEST", {
               message: "No active organization"
             });
           }
@@ -2475,7 +2605,7 @@ var organization = (options) => {
             organizationId: ctx.context.session.session.activeOrganizationId || ""
           });
           if (!member) {
-            throw new APIError5("UNAUTHORIZED", {
+            throw new APIError("UNAUTHORIZED", {
               message: "You are not a member of this organization"
             });
           }
@@ -2578,16 +2708,6 @@ var organization = (options) => {
     }
   };
 };
-
-// src/plugins/two-factor/index.ts
-import { alphabet as alphabet3, generateRandomString as generateRandomString3 } from "oslo/crypto";
-import "zod";
-
-// src/crypto/index.ts
-import { xchacha20poly1305 } from "@noble/ciphers/chacha";
-import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/ciphers/utils";
-import { managedNonce } from "@noble/ciphers/webcrypto";
-import { sha256 } from "@noble/hashes/sha256";
 async function hs256(secretKey, message) {
   const enc = new TextEncoder();
   const algorithm = { name: "HMAC", hash: "SHA-256" };
@@ -2618,13 +2738,6 @@ var symmetricDecrypt = ({ key, data }) => {
   return chacha.decrypt(dataAsBytes);
 };
 
-// src/plugins/two-factor/backup-codes/index.ts
-import { alphabet as alphabet2, generateRandomString as generateRandomString2 } from "oslo/crypto";
-import { z as z12 } from "zod";
-
-// src/plugins/two-factor/verify-middleware.ts
-import { APIError as APIError6 } from "better-call";
-
 // src/plugins/two-factor/constant.ts
 var TWO_FACTOR_COOKIE_NAME = "better-auth.two-factor";
 var OTP_RANDOM_NUMBER_COOKIE_NAME = "otp.counter";
@@ -2636,13 +2749,13 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(async (ctx) => {
     ctx.context.secret
   );
   if (!cookie) {
-    throw new APIError6("UNAUTHORIZED", {
+    throw new APIError("UNAUTHORIZED", {
       message: "two factor isn't enabled"
     });
   }
   const [userId, hash] = cookie.split("!");
   if (!userId || !hash) {
-    throw new APIError6("UNAUTHORIZED", {
+    throw new APIError("UNAUTHORIZED", {
       message: "invalid two factor cookie"
     });
   }
@@ -2656,7 +2769,7 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(async (ctx) => {
     ]
   });
   if (!sessions.length) {
-    throw new APIError6("UNAUTHORIZED", {
+    throw new APIError("UNAUTHORIZED", {
       message: "invalid session"
     });
   }
@@ -2664,7 +2777,7 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(async (ctx) => {
     (session) => session.expiresAt > /* @__PURE__ */ new Date()
   );
   if (!activeSessions) {
-    throw new APIError6("UNAUTHORIZED", {
+    throw new APIError("UNAUTHORIZED", {
       message: "invalid session"
     });
   }
@@ -2680,19 +2793,14 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(async (ctx) => {
       ]
     });
     if (!user) {
-      throw new APIError6("UNAUTHORIZED", {
+      throw new APIError("UNAUTHORIZED", {
         message: "invalid session"
       });
     }
     if (hashToMatch === hash) {
       return {
         valid: async () => {
-          await ctx.setSignedCookie(
-            ctx.context.authCookies.sessionToken.name,
-            session.id,
-            ctx.context.secret,
-            ctx.context.authCookies.sessionToken.options
-          );
+          await setSessionCookie(ctx, session.id, false);
           if (ctx.body.callbackURL) {
             return ctx.json({
               status: true,
@@ -2722,15 +2830,15 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(async (ctx) => {
       };
     }
   }
-  throw new APIError6("UNAUTHORIZED", {
+  throw new APIError("UNAUTHORIZED", {
     message: "invalid two factor authentication"
   });
 });
 
 // src/plugins/two-factor/backup-codes/index.ts
 function generateBackupCodesFn(options) {
-  return Array.from({ length: options?.amount ?? 10 }).fill(null).map(
-    () => generateRandomString2(options?.length ?? 10, alphabet2("a-z", "0-9"))
+  return Array.from({ length: 10 }).fill(null).map(
+    () => generateRandomString(10, alphabet("a-z", "0-9"))
   ).map((code) => `${code.slice(0, 5)}-${code.slice(5)}`);
 }
 async function generateBackupCodes(secret, options) {
@@ -2757,7 +2865,7 @@ async function getBackupCodes(user, key) {
     await symmetricDecrypt({ key, data: user.twoFactorBackupCodes })
   ).toString("utf-8");
   const data = JSON.parse(secret);
-  const result = z12.array(z12.string()).safeParse(data);
+  const result = z.array(z.string()).safeParse(data);
   if (result.success) {
     return result.data;
   }
@@ -2771,8 +2879,8 @@ var backupCode2fa = (options) => {
         "/two-factor/verify-backup-code",
         {
           method: "POST",
-          body: z12.object({
-            code: z12.string()
+          body: z.object({
+            code: z.string()
           }),
           use: [verifyTwoFactorMiddleware]
         },
@@ -2843,17 +2951,19 @@ var backupCode2fa = (options) => {
     }
   };
 };
-
-// src/plugins/two-factor/otp/index.ts
-import { APIError as APIError7 } from "better-call";
-import { generateRandomInteger } from "oslo/crypto";
-import { generateHOTP } from "oslo/otp";
-import { z as z13 } from "zod";
 var otp2fa = (options) => {
   const send2FaOTP = createAuthEndpoint(
     "/two-factor/send-otp",
     {
       method: "POST",
+      body: z.object({
+        /**
+         * should only be used for testing
+         * purposes. This will return the otp
+         * on the response body.
+         */
+        returnOTP: z.boolean().default(false)
+      }).optional(),
       use: [verifyTwoFactorMiddleware]
     },
     async (ctx) => {
@@ -2861,7 +2971,7 @@ var otp2fa = (options) => {
         ctx.context.logger.error(
           "otp isn't configured. please pass otp option on two factor plugin to enable otp"
         );
-        throw new APIError7("BAD_REQUEST", {
+        throw new APIError("BAD_REQUEST", {
           message: "otp isn't configured"
         });
       }
@@ -2883,22 +2993,25 @@ var otp2fa = (options) => {
         ctx.context.secret,
         cookie.options
       );
-      return ctx.json({ status: true });
+      if (ctx.body?.returnOTP) {
+        return ctx.json({ OTP: otp, status: true });
+      }
+      return ctx.json({ status: true, OTP: void 0 });
     }
   );
   const verifyOTP = createAuthEndpoint(
     "/two-factor/verify-otp",
     {
       method: "POST",
-      body: z13.object({
-        code: z13.string()
+      body: z.object({
+        code: z.string()
       }),
       use: [verifyTwoFactorMiddleware]
     },
     async (ctx) => {
       const user = ctx.context.session.user;
       if (!user.twoFactorEnabled) {
-        throw new APIError7("BAD_REQUEST", {
+        throw new APIError("BAD_REQUEST", {
           message: "two factor isn't enabled"
         });
       }
@@ -2910,7 +3023,7 @@ var otp2fa = (options) => {
         ctx.context.secret
       );
       if (!randomNumber) {
-        throw new APIError7("UNAUTHORIZED", {
+        throw new APIError("UNAUTHORIZED", {
           message: "OTP is expired"
         });
       }
@@ -2940,16 +3053,10 @@ var otp2fa = (options) => {
     }
   };
 };
-
-// src/plugins/two-factor/totp/index.ts
-import { APIError as APIError8 } from "better-call";
-import { TimeSpan as TimeSpan3 } from "oslo";
-import { TOTPController, createTOTPKeyURI } from "oslo/otp";
-import { z as z14 } from "zod";
 var totp2fa = (options) => {
   const opts = {
     digits: 6,
-    period: new TimeSpan3(options?.period || 30, "s")
+    period: new TimeSpan(options?.period || 30, "s")
   };
   const generateTOTP = createAuthEndpoint(
     "/totp/generate",
@@ -2962,7 +3069,7 @@ var totp2fa = (options) => {
         ctx.context.logger.error(
           "totp isn't configured. please pass totp option on two factor plugin to enable totp"
         );
-        throw new APIError8("BAD_REQUEST", {
+        throw new APIError("BAD_REQUEST", {
           message: "totp isn't configured"
         });
       }
@@ -2983,7 +3090,7 @@ var totp2fa = (options) => {
         ctx.context.logger.error(
           "totp isn't configured. please pass totp option on two factor plugin to enable totp"
         );
-        throw new APIError8("BAD_REQUEST", {
+        throw new APIError("BAD_REQUEST", {
           message: "totp isn't configured"
         });
       }
@@ -3002,9 +3109,9 @@ var totp2fa = (options) => {
     "/two-factor/verify-totp",
     {
       method: "POST",
-      body: z14.object({
-        code: z14.string(),
-        callbackURL: z14.string().optional()
+      body: z.object({
+        code: z.string(),
+        callbackURL: z.string().optional()
       }),
       use: [verifyTwoFactorMiddleware]
     },
@@ -3013,7 +3120,7 @@ var totp2fa = (options) => {
         ctx.context.logger.error(
           "totp isn't configured. please pass totp option on two factor plugin to enable totp"
         );
-        throw new APIError8("BAD_REQUEST", {
+        throw new APIError("BAD_REQUEST", {
           message: "totp isn't configured"
         });
       }
@@ -3041,57 +3148,42 @@ var totp2fa = (options) => {
   };
 };
 
-// src/client/create-client-plugin.ts
-var createClientPlugin = () => {
-  return ($fn) => {
-    return ($fetch) => {
-      const data = $fn($fetch);
-      return {
-        ...data,
-        integrations: data.integrations,
-        plugin: {}
-      };
-    };
-  };
-};
-
 // src/plugins/two-factor/client.ts
 var twoFactorClient = (options = {
   redirect: true,
   twoFactorPage: "/"
 }) => {
-  return createClientPlugin()(($fetch) => {
-    return {
-      id: "two-factor",
-      authProxySignal: [
-        {
-          matcher: (path) => path === "/two-factor/enable" || path === "/two-factor/send-otp",
-          atom: "$sessionSignal"
-        }
-      ],
-      pathMethods: {
-        "enable/totp": "POST",
-        "/two-factor/disable": "POST",
-        "/two-factor/enable": "POST",
-        "/two-factor/send-otp": "POST"
-      },
-      fetchPlugins: [
-        {
-          id: "two-factor",
-          name: "two-factor",
-          hooks: {
-            async onSuccess(context) {
-              if (context.data?.twoFactorRedirect) {
-                if (options.redirect) {
-                  window.location.href = options.twoFactorPage;
-                }
+  return {
+    id: "two-factor",
+    $InferServerPlugin: {},
+    atomListeners: [
+      {
+        matcher: (path) => path === "/two-factor/enable" || path === "/two-factor/send-otp" || path === "/two-factor/disable",
+        signal: "_sessionSignal"
+      }
+    ],
+    pathMethods: {
+      "enable/totp": "POST",
+      "/two-factor/disable": "POST",
+      "/two-factor/enable": "POST",
+      "/two-factor/send-otp": "POST"
+    },
+    fetchPlugins: [
+      {
+        id: "two-factor",
+        name: "two-factor",
+        hooks: {
+          async onSuccess(context) {
+            if (context.data?.twoFactorRedirect) {
+              if (options.redirect || options.twoFactorPage) {
+                window.location.href = options.twoFactorPage;
               }
             }
           }
         }
-      ]
-    };
-  });
+      }
+    ]
+  };
 };
 
 // src/plugins/two-factor/index.ts
@@ -3102,7 +3194,6 @@ var twoFactor = (options) => {
   });
   const backupCode = backupCode2fa(options.backupCodeOptions);
   const otp = otp2fa(options.otpOptions);
-  const providers = [totp, backupCode, otp];
   return {
     id: "two-factor",
     endpoints: {
@@ -3117,7 +3208,7 @@ var twoFactor = (options) => {
         },
         async (ctx) => {
           const user = ctx.context.session.user;
-          const secret = generateRandomString3(16, alphabet3("a-z", "0-9", "-"));
+          const secret = generateRandomString(16, alphabet("a-z", "0-9", "-"));
           const encryptedSecret = await symmetricEncrypt({
             key: ctx.context.secret,
             data: secret
@@ -3175,11 +3266,11 @@ var twoFactor = (options) => {
             return context.path === "/sign-in/email" || context.path === "/sign-in/username";
           },
           handler: createAuthMiddleware(async (ctx) => {
-            const returned = await ctx.returned;
+            const returned = ctx.context.returned;
             if (returned?.status !== 200) {
               return;
             }
-            const response = await returned.json();
+            const response = await returned.clone().json();
             if (!response.user.twoFactorEnabled) {
               return;
             }
@@ -3234,24 +3325,6 @@ var twoFactor = (options) => {
     }
   };
 };
-
-// src/plugins/passkey/index.ts
-import {
-  generateAuthenticationOptions,
-  generateRegistrationOptions,
-  verifyAuthenticationResponse,
-  verifyRegistrationResponse
-} from "@simplewebauthn/server";
-import { APIError as APIError9 } from "better-call";
-import { alphabet as alphabet4, generateRandomString as generateRandomString4 } from "oslo/crypto";
-import { z as z16 } from "zod";
-
-// src/plugins/passkey/client.ts
-import {
-  WebAuthnError,
-  startAuthentication,
-  startRegistration
-} from "@simplewebauthn/browser";
 var getPasskeyActions = ($fetch) => {
   const signInPasskey = async (opts) => {
     const response = await $fetch(
@@ -3321,18 +3394,25 @@ var getPasskeyActions = ($fetch) => {
     }
   };
   return {
-    signInPasskey,
-    registerPasskey
+    signIn: {
+      passkey: signInPasskey
+    },
+    passkey: {
+      register: registerPasskey
+    }
+  };
+};
+var passkeyClient = () => {
+  return {
+    id: "passkey",
+    $InferServerPlugin: {},
+    getActions: ($fetch) => getPasskeyActions($fetch),
+    pathMethods: {
+      "/passkey/register": "POST",
+      "/passkey/authenticate": "POST"
+    }
   };
 };
-var passkeyClient = createClientPlugin()(
-  ($fetch) => {
-    return {
-      id: "passkey",
-      actions: getPasskeyActions($fetch)
-    };
-  }
-);
 
 // src/plugins/passkey/index.ts
 var passkey = (options) => {
@@ -3370,7 +3450,7 @@ var passkey = (options) => {
             ]
           });
           const userID = new Uint8Array(
-            Buffer.from(generateRandomString4(32, alphabet4("a-z", "0-9")))
+            Buffer.from(generateRandomString(32, alphabet("a-z", "0-9")))
           );
           let options2;
           options2 = await generateRegistrationOptions({
@@ -3418,9 +3498,9 @@ var passkey = (options) => {
         "/passkey/generate-authenticate-options",
         {
           method: "POST",
-          body: z16.object({
-            email: z16.string().optional(),
-            callbackURL: z16.string().optional()
+          body: z.object({
+            email: z.string().optional(),
+            callbackURL: z.string().optional()
           }).optional()
         },
         async (ctx) => {
@@ -3477,8 +3557,8 @@ var passkey = (options) => {
         "/passkey/verify-registration",
         {
           method: "POST",
-          body: z16.object({
-            response: z16.any()
+          body: z.object({
+            response: z.any()
           }),
           use: [sessionMiddleware]
         },
@@ -3503,7 +3583,7 @@ var passkey = (options) => {
             challengeString
           );
           if (userData.id !== ctx.context.session.user.id) {
-            throw new APIError9("UNAUTHORIZED", {
+            throw new APIError("UNAUTHORIZED", {
               message: "You are not authorized to register this passkey"
             });
           }
@@ -3528,7 +3608,7 @@ var passkey = (options) => {
               credentialBackedUp
             } = registrationInfo;
             const pubKey = Buffer.from(credentialPublicKey).toString("base64");
-            const userID = generateRandomString4(32, alphabet4("a-z", "0-9"));
+            const userID = generateRandomString(32, alphabet("a-z", "0-9"));
             const newPasskey = {
               userId: userData.id,
               webauthnUserID: userID,
@@ -3562,8 +3642,8 @@ var passkey = (options) => {
         "/passkey/verify-authentication",
         {
           method: "POST",
-          body: z16.object({
-            response: z16.any()
+          body: z.object({
+            response: z.any()
           })
         },
         async (ctx) => {
@@ -3644,12 +3724,7 @@ var passkey = (options) => {
               passkey2.userId,
               ctx.request
             );
-            await ctx.setSignedCookie(
-              ctx.context.authCookies.sessionToken.name,
-              s.id,
-              ctx.context.secret,
-              ctx.context.authCookies.sessionToken.options
-            );
+            await setSessionCookie(ctx, s.id);
             if (callbackURL) {
               return ctx.json({
                 url: callbackURL,
@@ -3716,26 +3791,16 @@ var passkey = (options) => {
     }
   };
 };
-
-// src/plugins/username/index.ts
-import { z as z18 } from "zod";
-import { Argon2id as Argon2id4 } from "oslo/password";
-import { APIError as APIError10 } from "better-call";
-
-// src/api/routes/sign-up.ts
-import { alphabet as alphabet5, generateRandomString as generateRandomString5 } from "oslo/crypto";
-import { Argon2id as Argon2id3 } from "oslo/password";
-import { z as z17 } from "zod";
 var signUpEmail = createAuthEndpoint(
   "/sign-up/email",
   {
     method: "POST",
-    body: z17.object({
-      name: z17.string(),
-      email: z17.string().email(),
-      password: z17.string(),
-      image: z17.string().optional(),
-      callbackURL: z17.string().optional()
+    body: z.object({
+      name: z.string(),
+      email: z.string().email(),
+      password: z.string(),
+      image: z.string().optional(),
+      callbackURL: z.string().optional()
     })
   },
   async (ctx) => {
@@ -3756,9 +3821,8 @@ var signUpEmail = createAuthEndpoint(
         body: { message: "Password is too short" }
       });
     }
-    const argon2id = new Argon2id3();
     const dbUser = await ctx.context.internalAdapter.findUserByEmail(email);
-    const hash = await argon2id.hash(password);
+    const hash = await ctx.context.password.hash(password);
     if (dbUser?.user) {
       return ctx.json(null, {
         status: 400,
@@ -3768,7 +3832,7 @@ var signUpEmail = createAuthEndpoint(
       });
     }
     const createdUser = await ctx.context.internalAdapter.createUser({
-      id: generateRandomString5(32, alphabet5("a-z", "0-9", "A-Z")),
+      id: generateRandomString(32, alphabet("a-z", "0-9", "A-Z")),
       email: email.toLowerCase(),
       name,
       image,
@@ -3777,7 +3841,7 @@ var signUpEmail = createAuthEndpoint(
       updatedAt: /* @__PURE__ */ new Date()
     });
     await ctx.context.internalAdapter.linkAccount({
-      id: generateRandomString5(32, alphabet5("a-z", "0-9", "A-Z")),
+      id: generateRandomString(32, alphabet("a-z", "0-9", "A-Z")),
       userId: createdUser.id,
       providerId: "credential",
       accountId: createdUser.id,
@@ -3793,6 +3857,18 @@ var signUpEmail = createAuthEndpoint(
       ctx.context.secret,
       ctx.context.authCookies.sessionToken.options
     );
+    if (ctx.context.options.emailAndPassword.sendEmailVerificationOnSignUp) {
+      const token = await createEmailVerificationToken(
+        ctx.context.secret,
+        createdUser.email
+      );
+      const url = `${ctx.context.baseURL}/verify-email?token=${token}?callbackURL=${ctx.body.callbackURL}`;
+      await ctx.context.options.emailAndPassword.sendVerificationEmail?.(
+        createdUser.email,
+        url,
+        token
+      );
+    }
     return ctx.json(
       {
         user: createdUser,
@@ -3820,11 +3896,11 @@ var username = () => {
         "/sign-in/username",
         {
           method: "POST",
-          body: z18.object({
-            username: z18.string(),
-            password: z18.string(),
-            dontRememberMe: z18.boolean().optional(),
-            callbackURL: z18.string().optional()
+          body: z.object({
+            username: z.string(),
+            password: z.string(),
+            dontRememberMe: z.boolean().optional(),
+            callbackURL: z.string().optional()
           })
         },
         async (ctx) => {
@@ -3837,11 +3913,10 @@ var username = () => {
               }
             ]
           });
-          const argon2id = new Argon2id4();
           if (!user) {
-            await argon2id.hash(ctx.body.password);
+            await ctx.context.password.hash(ctx.body.password);
             ctx.context.logger.error("User not found", { username });
-            throw new APIError10("UNAUTHORIZED", {
+            throw new APIError("UNAUTHORIZED", {
               message: "Invalid email or password"
             });
           }
@@ -3859,24 +3934,24 @@ var username = () => {
             ]
           });
           if (!account) {
-            throw new APIError10("UNAUTHORIZED", {
+            throw new APIError("UNAUTHORIZED", {
               message: "Invalid email or password"
             });
           }
           const currentPassword = account?.password;
           if (!currentPassword) {
             ctx.context.logger.error("Password not found", { username });
-            throw new APIError10("UNAUTHORIZED", {
+            throw new APIError("UNAUTHORIZED", {
               message: "Unexpected error"
             });
           }
-          const validPassword = await argon2id.verify(
+          const validPassword = await ctx.context.password.verify(
             currentPassword,
             ctx.body.password
           );
           if (!validPassword) {
             ctx.context.logger.error("Invalid password");
-            throw new APIError10("UNAUTHORIZED", {
+            throw new APIError("UNAUTHORIZED", {
               message: "Invalid email or password"
             });
           }
@@ -3905,13 +3980,13 @@ var username = () => {
         "/sign-up/username",
         {
           method: "POST",
-          body: z18.object({
-            username: z18.string().min(3).max(20),
-            name: z18.string(),
-            email: z18.string().email(),
-            password: z18.string(),
-            image: z18.string().optional(),
-            callbackURL: z18.string().optional()
+          body: z.object({
+            username: z.string().min(3).max(20),
+            name: z.string(),
+            email: z.string().email(),
+            password: z.string(),
+            image: z.string().optional(),
+            callbackURL: z.string().optional()
           })
         },
         async (ctx) => {
@@ -3959,9 +4034,6 @@ var username = () => {
     }
   };
 };
-
-// src/plugins/bearer/index.ts
-import { serializeSigned } from "better-call";
 var bearer = () => {
   return {
     id: "bearer",
@@ -3992,15 +4064,7 @@ var bearer = () => {
     }
   };
 };
-export {
-  access_exports as ac,
-  bearer,
-  getPasskeyActions,
-  organization,
-  passkey,
-  passkeyClient,
-  twoFactor,
-  twoFactorClient,
-  username
-};
+
+export { access_exports as ac, bearer, getPasskeyActions, organization, passkey, passkeyClient, twoFactor, twoFactorClient, username };
+//# sourceMappingURL=plugins.js.map
 //# sourceMappingURL=plugins.js.map