better-auth 0.2.3-beta.8 → 0.2.4

package/dist/api.js

@@ -1,5 +1,1931 @@
-import{APIError as Et,createRouter as Ot}from"better-call";import{APIError as Q}from"better-call";import{z as X}from"zod";import{xchacha20poly1305 as $t}from"@noble/ciphers/chacha";import{bytesToHex as zt,hexToBytes as qt,utf8ToBytes as Vt}from"@noble/ciphers/utils";import{managedNonce as Mt}from"@noble/ciphers/webcrypto";import{sha256 as Ft}from"@noble/hashes/sha256";async function j(e,t){let o=new TextEncoder,r={name:"HMAC",hash:"SHA-256"},n=await crypto.subtle.importKey("raw",o.encode(e),r,!1,["sign","verify"]),s=await crypto.subtle.sign(r.name,n,o.encode(t));return btoa(String.fromCharCode(...new Uint8Array(s)))}import{createEndpointCreator as qe,createMiddleware as Z,createMiddlewareCreator as Ve}from"better-call";var K=Z(async()=>({})),D=Ve({use:[K,Z(async()=>({}))]}),l=qe({use:[K]});var Y=D({body:X.object({csrfToken:X.string().optional()}).optional()},async e=>{if(e.request?.method!=="POST"||e.context.options.advanced?.disableCSRFCheck)return;let t=new URL(e.request.url);if(t.origin===new URL(e.context.baseURL).origin||e.context.options.trustedOrigins?.includes(t.origin))return;let o=e.body?.csrfToken,r=await e.getSignedCookie(e.context.authCookies.csrfToken.name,e.context.secret),[n,s]=r?.split("!")||[null,null];if(!o||!r||!n||!s||r!==o)throw e.setCookie(e.context.authCookies.csrfToken.name,"",{maxAge:0}),new Q("UNAUTHORIZED",{message:"Invalid CSRF Token"});let i=await j(e.context.secret,n);if(s!==i)throw e.setCookie(e.context.authCookies.csrfToken.name,"",{maxAge:0}),new Q("UNAUTHORIZED",{message:"Invalid CSRF Token"})});import{APIError as v}from"better-call";import{generateCodeVerifier as ut}from"oslo/oauth2";import{z as A}from"zod";import"arctic";import{parseJWT as Fe}from"oslo/jwt";import"@better-fetch/fetch";var I=class extends Error{constructor(t,o,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=o}};import{OAuth2Tokens as Me}from"arctic";function Ne(e){try{return new URL(e).pathname!=="/"}catch{throw new I(`Invalid base URL: ${e}. Please provide a valid base URL.`)}}function q(e,t="/api/auth"){return Ne(e)?e:(t=t.startsWith("/")?t:`/${t}`,`${e}${t}`)}function ee(e,t){if(e)return q(e,t);let o=process?.env||{},r=o.BETTER_AUTH_URL||o.NEXT_PUBLIC_BETTER_AUTH_URL||o.PUBLIC_BETTER_AUTH_URL||o.NUXT_PUBLIC_BETTER_AUTH_URL||o.NUXT_PUBLIC_AUTH_URL||(o.BASE_URL!=="/"?o.BASE_URL:void 0);if(r)return q(r,t);if(typeof window<"u")return q(window.location.origin,t)}import{betterFetch as He}from"@better-fetch/fetch";function f(e,t){return t||`${ee()}/callback/${e}`}async function y({code:e,codeVerifier:t,redirectURI:o,options:r,tokenEndpoint:n}){let s=new URLSearchParams;s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",o),s.set("client_id",r.clientId),s.set("client_secret",r.clientSecret);let{data:i,error:a}=await He(n,{method:"POST",body:s,headers:{"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"}});if(a)throw a;return new Me(i)}var te=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:o,scopes:r,redirectURI:n}){let s=r||["email","name","openid"];return new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${s.join(" ")}&state=${o}`)},validateAuthorizationCode:async(o,r,n)=>y({code:o,codeVerifier:r,redirectURI:n||f("apple",e.redirectURI),options:e,tokenEndpoint:t}),async getUserInfo(o){let r=Fe(o.idToken())?.payload;return r?{user:{id:r.sub,name:r.name,email:r.email,emailVerified:r.email_verified==="true"},data:r}:null}}};import{betterFetch as Ge}from"@better-fetch/fetch";import{Discord as We}from"arctic";var re=e=>{let t=new We(e.clientId,e.clientSecret,f("discord",e.redirectURI));return{id:"discord",name:"Discord",createAuthorizationURL({state:o,scopes:r}){let n=r||["email"];return t.createAuthorizationURL(o,n)},validateAuthorizationCode:async(o,r,n)=>y({code:o,codeVerifier:r,redirectURI:n||f("discord",e.redirectURI),options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(o){let{data:r,error:n}=await Ge("https://discord.com/api/users/@me",{auth:{type:"Bearer",token:o.accessToken()}});return n?null:{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified},data:r}}}};import{betterFetch as Je}from"@better-fetch/fetch";import{Facebook as Ze}from"arctic";var oe=e=>{let t=new Ze(e.clientId,e.clientSecret,f("facebook",e.redirectURI));return{id:"facebook",name:"Facebook",createAuthorizationURL({state:o,scopes:r}){let n=r||["email","public_profile"];return t.createAuthorizationURL(o,n)},validateAuthorizationCode:async(o,r,n)=>y({code:o,codeVerifier:r,redirectURI:n||f("facebook",e.redirectURI),options:e,tokenEndpoint:"https://graph.facebook.com/v16.0/oauth/access_token"}),async getUserInfo(o){let{data:r,error:n}=await Je("https://graph.facebook.com/me",{auth:{type:"Bearer",token:o.accessToken()}});return n?null:{user:{id:r.id,name:r.name,email:r.email,emailVerified:r.email_verified},data:r}}}};import{betterFetch as ne}from"@better-fetch/fetch";import{GitHub as Ke}from"arctic";var se=({clientId:e,clientSecret:t,redirectURI:o})=>{let r=new Ke(e,t,f("github",o));return{id:"github",name:"Github",createAuthorizationURL({state:n,scopes:s}){let i=s||["user:email"];return r.createAuthorizationURL(n,i)},validateAuthorizationCode:async n=>await r.validateAuthorizationCode(n),async getUserInfo(n){let{data:s,error:i}=await ne("https://api.github.com/user",{auth:{type:"Bearer",token:n.accessToken()}});if(i)return null;let a=!1;if(!s.email){let{data:d,error:u}=await ne("https://api.github.com/user/emails",{auth:{type:"Bearer",token:n.accessToken()}});u||(s.email=(d.find(c=>c.primary)??d[0])?.email,a=d.find(c=>c.email===s.email)?.verified??!1)}return{user:{id:s.id,name:s.name,email:s.email,image:s.avatar_url,emailVerified:a,createdAt:new Date,updatedAt:new Date},data:s}}}};import{Google as Ye}from"arctic";import{parseJWT as et}from"oslo/jwt";import{createConsola as Qe}from"consola";var L=Qe({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Xe=e=>({log:(...t)=>{!e?.disabled&&L.log("",...t)},error:(...t)=>{!e?.disabled&&L.error("",...t)},warn:(...t)=>{!e?.disabled&&L.warn("",...t)},info:(...t)=>{!e?.disabled&&L.info("",...t)},debug:(...t)=>{!e?.disabled&&L.debug("",...t)},box:(...t)=>{!e?.disabled&&L.box("",...t)},success:(...t)=>{!e?.disabled&&L.success("",...t)},break:(...t)=>{!e?.disabled&&console.log(`
-`)}}),P=Xe();var ie=e=>{let t=new Ye(e.clientId,e.clientSecret,f("google",e.redirectURI));return{id:"google",name:"Google",createAuthorizationURL({state:o,scopes:r,codeVerifier:n,redirectURI:s}){if(!e.clientId||!e.clientSecret)throw P.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new I("CLIENT_ID_AND_SECRET_REQUIRED");if(!n)throw new I("codeVerifier is required for Google");let i=r||["email","profile"];return t.createAuthorizationURL(o,n,i)},validateAuthorizationCode:async(o,r,n)=>y({code:o,codeVerifier:r,redirectURI:n||f("google",e.redirectURI),options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async getUserInfo(o){if(!o.idToken)return null;let r=et(o.idToken())?.payload;return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified},data:r}}}};import{betterFetch as tt}from"@better-fetch/fetch";import{Spotify as rt}from"arctic";var ae=e=>{let t=new rt(e.clientId,e.clientSecret,f("spotify",e.redirectURI));return{id:"spotify",name:"Spotify",createAuthorizationURL({state:o,scopes:r}){let n=r||["user-read-email"];return t.createAuthorizationURL(o,n)},validateAuthorizationCode:async(o,r,n)=>y({code:o,codeVerifier:r,redirectURI:n||f("spotify",e.redirectURI),options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(o){let{data:r,error:n}=await tt("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken()}`}});return n?null:{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1},data:r}}}};import{betterFetch as ot}from"@better-fetch/fetch";import{Twitch as nt}from"arctic";var de=e=>{let t=new nt(e.clientId,e.clientSecret,f("twitch",e.redirectURI));return{id:"twitch",name:"Twitch",createAuthorizationURL({state:o,scopes:r}){let n=r||["activity:write","read"];return t.createAuthorizationURL(o,n)},validateAuthorizationCode:async(o,r,n)=>y({code:o,codeVerifier:r,redirectURI:n||f("twitch",e.redirectURI),options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(o){let{data:r,error:n}=await ot("https://api.twitch.tv/helix/users",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken()}`}});return n?null:{user:{id:r.sub,name:r.preferred_username,email:r.email,image:r.picture,emailVerified:!1},data:r}}}};import{betterFetch as st}from"@better-fetch/fetch";import{Twitter as it}from"arctic";var ce=e=>{let t=new it(e.clientId,e.clientSecret,f("twitter",e.redirectURI));return{id:"twitter",name:"Twitter",createAuthorizationURL(o){let r=o.scopes||["account_info.read"];return t.createAuthorizationURL(o.state,o.codeVerifier,r)},validateAuthorizationCode:async(o,r,n)=>y({code:o,codeVerifier:r,redirectURI:n||f("twitch",e.redirectURI),options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(o){let{data:r,error:n}=await st("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken()}`}});return n||!r.data.email?null:{user:{id:r.data.id,name:r.data.name,email:r.data.email,image:r.data.profile_image_url,emailVerified:r.data.verified||!1},data:r}}}};import"arctic";var at={apple:te,discord:re,facebook:oe,github:se,google:ie,spotify:ae,twitch:de,twitter:ce},le=Object.keys(at);import{generateState as dt}from"oslo/oauth2";import{z as O}from"zod";function ue(e,t,o){let r=dt();return{state:JSON.stringify({code:r,callbackURL:e,currentURL:t,dontRememberMe:o}),code:r}}function V(e){return O.object({code:O.string(),callbackURL:O.string().optional(),currentURL:O.string().optional(),dontRememberMe:O.boolean().optional()}).safeParse(JSON.parse(e))}import{APIError as ct}from"better-call";var pe=(e,t=!1)=>{let o=new Date;return new Date(o.getTime()+(t?e*1e3:e))};import{TimeSpan as Ro}from"oslo";async function U(e,t,o,r){let n=e.context.authCookies.sessionToken.options;n.maxAge=o?void 0:n.maxAge,await e.setSignedCookie(e.context.authCookies.sessionToken.name,t,e.context.secret,n),o&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options)}function C(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{maxAge:0})}import{z as me}from"zod";function $(e){let t="127.0.0.1";if(process.env.NODE_ENV==="test")return t;let o=["x-client-ip","x-forwarded-for","cf-connecting-ip","fastly-client-ip","x-real-ip","x-cluster-client-ip","x-forwarded","forwarded-for","forwarded"];for(let r of o){let n=e.headers.get(r);if(typeof n=="string"){let s=n.split(",")[0].trim();if(s)return s}}return null}var N=new Map;function lt(e,t){if(!e.request)return"";let{method:o,url:r,headers:n}=e.request,s=e.request.headers.get("User-Agent")||"",i=$(e.request)||"",a=JSON.stringify(n);return`${o}:${r}:${a}:${s}:${i}:${t}`}var M=()=>l("/session",{method:"GET",requireHeaders:!0},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null,{status:401});let o=lt(e,t),r=N.get(o);if(r){if(r.expiresAt>Date.now())return e.json(r.data);N.delete(o)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return C(e),n&&await e.context.internalAdapter.deleteSession(n.session.id),e.json(null,{status:401});if(await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret))return e.json(n);let i=e.context.sessionConfig.expiresIn,a=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-i*1e3+a*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.id,{expiresAt:pe(e.context.sessionConfig.expiresIn,!0)});if(!c)return C(e),e.json(null,{status:401});let m=(c.expiresAt.valueOf()-Date.now())/1e3;return await U(e,c.id,!1,{maxAge:m}),e.json({session:c,user:n.user})}return N.set(o,{data:n,expiresAt:Date.now()+5e3}),e.json(n)}catch(t){return e.context.logger.error(t),e.json(null,{status:500})}}),H=async e=>await M()({...e,_flag:void 0}),E=D(async e=>{let t=await H(e);if(!t?.session)throw new ct("UNAUTHORIZED");return{session:t}}),fe=()=>l("/user/list-sessions",{method:"GET",use:[E],requireHeaders:!0},async e=>{let o=(await e.context.adapter.findMany({model:e.context.tables.session.tableName,where:[{field:"userId",value:e.context.session.user.id}]})).filter(r=>r.expiresAt>new Date);return e.json(o)}),ge=l("/user/revoke-session",{method:"POST",body:me.object({id:me.string()}),use:[E],requireHeaders:!0},async e=>{let t=e.body.id,o=await e.context.internalAdapter.findSession(t);if(!o)return e.json(null,{status:400});if(o.session.userId!==e.context.session.user.id)return e.json(null,{status:403});try{await e.context.internalAdapter.deleteSession(t)}catch(r){return e.context.logger.error(r),e.json(null,{status:500})}return e.json({status:!0})}),he=l("/user/revoke-sessions",{method:"POST",use:[E],requireHeaders:!0},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){return e.context.logger.error(t),e.json(null,{status:500})}return e.json({status:!0})});var ye=l("/sign-in/social",{method:"POST",requireHeaders:!0,query:A.object({currentURL:A.string().optional()}).optional(),body:A.object({callbackURL:A.string().optional(),provider:A.enum(le),dontRememberMe:A.boolean().default(!1).optional()})},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider to your auth config",{provider:e.body.provider}),new v("NOT_FOUND",{message:"Provider not found"});let o=e.context.authCookies,r=e.query?.currentURL?new URL(e.query?.currentURL):null,n=e.body.callbackURL?.startsWith("http")?e.body.callbackURL:`${r?.origin}${e.body.callbackURL||""}`,s=ue(n||r?.origin||e.context.baseURL,e.query?.currentURL);try{await e.setSignedCookie(o.state.name,s.code,e.context.secret,o.state.options);let i=ut();await e.setSignedCookie(o.pkCodeVerifier.name,i,e.context.secret,o.pkCodeVerifier.options);let a=t.createAuthorizationURL({state:s.state,codeVerifier:i});return a.searchParams.set("redirect_uri",`${e.context.baseURL}/callback/${e.body.provider}`),{url:a.toString(),state:s.state,codeVerifier:i,redirect:!0}}catch{throw new v("INTERNAL_SERVER_ERROR")}}),we=l("/sign-in/email",{method:"POST",body:A.object({email:A.string().email(),password:A.string(),callbackURL:A.string().optional(),dontRememberMe:A.boolean().default(!1).optional()})},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new v("BAD_REQUEST",{message:"Email and password is not enabled"});let t=await H(e);t&&await e.context.internalAdapter.deleteSession(t.session.id);let{email:o,password:r}=e.body;if(!A.string().email().safeParse(o).success)throw new v("BAD_REQUEST",{message:"Invalid email"});let s=await e.context.internalAdapter.findUserByEmail(o);if(!s)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:o}),new v("UNAUTHORIZED",{message:"Invalid email or password"});let i=s.accounts.find(c=>c.providerId==="credential");if(!i)throw e.context.logger.error("Credential account not found",{email:o}),new v("UNAUTHORIZED",{message:"Invalid email or password"});let a=i?.password;if(!a)throw e.context.logger.error("Password not found",{email:o}),new v("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(a,r))throw e.context.logger.error("Invalid password"),new v("UNAUTHORIZED",{message:"Invalid email or password"});let u=await e.context.internalAdapter.createSession(s.user.id,e.headers,e.body.dontRememberMe);if(!u)throw e.context.logger.error("Failed to create session"),new v("INTERNAL_SERVER_ERROR");return await U(e,u.id,e.body.dontRememberMe),e.json({user:s.user,session:u,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{APIError as ft}from"better-call";import{z as B}from"zod";import{z as p}from"zod";var No=p.object({id:p.string(),providerId:p.string(),accountId:p.string(),userId:p.string(),accessToken:p.string().nullable().optional(),refreshToken:p.string().nullable().optional(),idToken:p.string().nullable().optional(),expiresAt:p.date().nullable().optional(),password:p.string().optional().nullable()}),be=p.object({id:p.string(),email:p.string().transform(e=>e.toLowerCase()),emailVerified:p.boolean().default(!1),name:p.string(),image:p.string().optional(),createdAt:p.date().default(new Date),updatedAt:p.date().default(new Date)}),Mo=p.object({id:p.string(),userId:p.string(),expiresAt:p.date(),ipAddress:p.string().optional(),userAgent:p.string().optional()});import{alphabet as pt,generateRandomString as mt}from"oslo/crypto";var Ae=()=>mt(36,pt("a-z","0-9"));var _={isAction:!1};function F(e){let t=e.accessToken(),o=e.hasRefreshToken()?e.refreshToken():void 0,r;try{r=e.accessTokenExpiresAt()}catch{}return{accessToken:t,refreshToken:o,expiresAt:r}}var ke=l("/callback/:id",{method:"GET",query:B.object({state:B.string(),code:B.string().optional(),error:B.string().optional()}),metadata:_},async e=>{if(e.query.error||!e.query.code){let b=V(e.query.state).data?.callbackURL||`${e.context.baseURL}/error`;throw e.context.logger.error(e.query.error,e.params.id),e.redirect(`${b}?error=${e.query.error||"oAuth_code_missing"}`)}let t=e.context.socialProviders.find(h=>h.id===e.params.id);if(!t)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let o=await e.getSignedCookie(e.context.authCookies.pkCodeVerifier.name,e.context.secret),r;try{r=await t.validateAuthorizationCode(e.query.code,o,`${e.context.baseURL}/callback/${t.id}`)}catch(h){throw e.context.logger.error(h),e.redirect(`${e.context.baseURL}/error?error=oauth_code_verification_failed`)}let n=await t.getUserInfo(r).then(h=>h?.user),s=Ae(),i=be.safeParse({...n,id:s}),a=V(e.query.state);if(!a.success)throw e.context.logger.error("Unable to parse state"),e.redirect(`${e.context.baseURL}/error?error=invalid_state_parameter`);let{callbackURL:d,currentURL:u,dontRememberMe:c}=a.data;if(!n||i.success===!1)throw e.redirect(`${e.context.baseURL}/error?error=oauth_validation_failed`);if(!d)throw e.redirect(`${e.context.baseURL}/error?error=oauth_callback_url_not_found`);let m=await e.context.internalAdapter.findUserByEmail(n.email),g=m?.user.id;if(m){let h=m.accounts.find(R=>R.providerId===t.id),b=e.context.options.account?.accountLinking?.trustedProviders,z=b?b.includes(t.id):!0;if(!h&&(!n.emailVerified||!z)){let R;try{R=new URL(u||d),R.searchParams.set("error","account_not_linked")}catch{throw e.redirect(`${e.context.baseURL}/error?error=account_not_linked`)}throw e.redirect(R.toString())}if(!h)try{await e.context.internalAdapter.linkAccount({providerId:t.id,accountId:n.id,id:`${t.id}:${n.id}`,userId:m.user.id,...F(r)})}catch(R){throw console.log(R),e.redirect(`${e.context.baseURL}/error?error=failed_linking_account`)}}else try{await e.context.internalAdapter.createOAuthUser(i.data,{...F(r),id:`${t.id}:${n.id}`,providerId:t.id,accountId:n.id,userId:s})}catch{let b=new URL(u||d);throw b.searchParams.set("error","unable_to_create_user"),e.setHeader("Location",b.toString()),e.redirect(b.toString())}if(!g&&!s)throw new ft("INTERNAL_SERVER_ERROR",{message:"Unable to create user"});let w=await e.context.internalAdapter.createSession(g||s,e.request,c);if(!w){let h=new URL(u||d);throw h.searchParams.set("error","unable_to_create_session"),e.redirect(h.toString())}try{await U(e,w.id,c)}catch(h){e.context.logger.error("Unable to set session cookie",h);let b=new URL(u||d);throw b.searchParams.set("error","unable_to_create_session"),e.redirect(b.toString())}throw e.redirect(d)});import{z as G}from"zod";var Re=l("/sign-out",{method:"POST",body:G.optional(G.object({callbackURL:G.string().optional()}))},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);return t?(await e.context.internalAdapter.deleteSession(t),C(e),e.json(null,{body:{redirect:!!e.body?.callbackURL,url:e.body?.callbackURL}})):e.json(null)});import{TimeSpan as gt}from"oslo";import{createJWT as ht,parseJWT as yt}from"oslo/jwt";import{validateJWT as Ue}from"oslo/jwt";import{z as k}from"zod";var Te=l("/forget-password",{method:"POST",body:k.object({email:k.string().email(),redirectTo:k.string()})},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)return e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function to your auth config!"),e.json(null,{status:400,statusText:"RESET_PASSWORD_EMAIL_NOT_SENT",body:{message:"Reset password isn't enabled"}});let{email:t}=e.body,o=await e.context.internalAdapter.findUserByEmail(t);if(!o)return e.json({status:!1},{body:{status:!0}});let r=await ht("HS256",Buffer.from(e.context.secret),{email:o.user.email,redirectTo:e.body.redirectTo},{expiresIn:new gt(1,"h"),issuer:"better-auth",subject:"forget-password",audiences:[o.user.email],includeIssuedTimestamp:!0}),n=`${e.context.baseURL}/reset-password/${r}`;return await e.context.options.emailAndPassword.sendResetPassword(n,o.user),e.json({status:!0})}),Pe=l("/reset-password/:token",{method:"GET"},async e=>{let{token:t}=e.params,o,r=k.object({email:k.string(),redirectTo:k.string()});try{if(o=await Ue("HS256",Buffer.from(e.context.secret),t),!o.expiresAt||o.expiresAt<new Date)throw Error("Token expired")}catch{let i=yt(t),a=r.safeParse(i?.payload);throw a.success?e.redirect(`${a.data?.redirectTo}?error=invalid_token`):e.redirect(`${e.context.baseURL}/error?error=invalid_token`)}let{redirectTo:n}=r.parse(o.payload);throw e.redirect(`${n}?token=${t}`)}),ve=l("/reset-password",{method:"POST",query:k.object({currentURL:k.string()}).optional(),body:k.object({newPassword:k.string(),callbackURL:k.string().optional()})},async e=>{let t=e.query?.currentURL.split("?token=")[1];if(!t)return e.json({error:"Invalid token",data:null},{status:400,statusText:"INVALID_TOKEN",body:{message:"Invalid token"}});let{newPassword:o}=e.body;try{let r=await Ue("HS256",Buffer.from(e.context.secret),t),n=k.string().email().parse(r.payload.email),s=await e.context.internalAdapter.findUserByEmail(n);if(!s)return e.json({error:"User not found",data:null},{status:400,body:{message:"failed to reset password"}});if(o.length<(e.context.options.emailAndPassword?.minPasswordLength||8)||o.length>(e.context.options.emailAndPassword?.maxPasswordLength||32))return e.json({data:null,error:"password is too short or too long"},{status:400,statusText:"INVALID_PASSWORD_LENGTH",body:{message:"password is too short or too long"}});let i=await e.context.password.hash(o);return await e.context.internalAdapter.updatePassword(s.user.id,i)?e.json({error:null,data:{status:!0,url:e.body.callbackURL,redirect:!!e.body.callbackURL}},{body:{status:!0,url:e.body.callbackURL,redirect:!!e.body.callbackURL}}):e.json(null,{status:400,statusText:"USER_NOT_FOUND",body:{message:"User doesn't have a credential account"}})}catch(r){return console.log(r),e.json({error:"Invalid token",data:null},{status:400,statusText:"INVALID_TOKEN",body:{message:"Invalid token"}})}});import{TimeSpan as wt}from"oslo";import{createJWT as bt,validateJWT as At}from"oslo/jwt";import{z as T}from"zod";async function W(e,t){return await bt("HS256",Buffer.from(e),{email:t.toLowerCase()},{expiresIn:new wt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var xe=l("/send-verification-email",{method:"POST",query:T.object({currentURL:T.string().optional()}).optional(),body:T.object({email:T.string().email(),callbackURL:T.string().optional()})},async e=>{if(!e.context.options.emailAndPassword?.sendVerificationEmail)return e.context.logger.error("Verification email isn't enabled. Pass `sendVerificationEmail` in `emailAndPassword` options to enable it."),e.json(null,{status:400,statusText:"VERIFICATION_EMAIL_NOT_SENT",body:{message:"Verification email isn't enabled"}});let{email:t}=e.body,o=await W(e.context.secret,t),r=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailAndPassword.sendVerificationEmail(t,r,o),e.json({status:!0})}),Se=l("/verify-email",{method:"GET",query:T.object({token:T.string(),callbackURL:T.string().optional()})},async e=>{let{token:t}=e.query,o;try{o=await At("HS256",Buffer.from(e.context.secret),t)}catch(a){return e.context.logger.error("Failed to verify email",a),e.json(null,{status:400,statusText:"INVALID_TOKEN",body:{message:"Invalid token"}})}let n=T.object({email:T.string().email()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return e.json(null,{status:400,statusText:"USER_NOT_FOUND",body:{message:"User not found"}});if(!s.accounts.find(a=>a.providerId==="credential"))throw e.redirect;if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.query.callbackURL)throw console.log("Redirecting to",e.query.callbackURL),e.redirect("/");return e.json({status:!0})});import{z as x}from"zod";import{alphabet as kt,generateRandomString as Rt}from"oslo/crypto";import"better-call";var _e=l("/user/update",{method:"POST",body:x.object({name:x.string().optional(),image:x.string().optional()}),use:[E]},async e=>{let{name:t,image:o}=e.body,r=e.context.session;if(!o&&!t)return e.json(r.user);let n=await e.context.internalAdapter.updateUserByEmail(r.user.email,{name:t,image:o});return e.json(n)}),Ie=l("/user/change-password",{method:"POST",body:x.object({newPassword:x.string(),currentPassword:x.string(),revokeOtherSessions:x.boolean().optional()}),use:[E]},async e=>{let{newPassword:t,currentPassword:o,revokeOtherSessions:r}=e.body,n=e.context.session,s=e.context.password.config.minPasswordLength;if(t.length<s)return e.context.logger.error("Password is too short"),e.json(null,{status:400,body:{message:"Password is too short"}});let i=e.context.password.config.maxPasswordLength;if(t.length>i)return e.context.logger.error("Password is too long"),e.json(null,{status:400,body:{message:"Password is too long"}});let d=(await e.context.internalAdapter.findAccounts(n.user.id)).find(m=>m.providerId==="credential"&&m.password);if(!d||!d.password)return e.json(null,{status:400,body:{message:"User does not have a password"}});let u=await e.context.password.hash(t);if(!await e.context.password.verify(d.password,o))return e.json(null,{status:400,body:{message:"Invalid password"}});if(await e.context.internalAdapter.updateAccount(d.id,{password:u}),r){await e.context.internalAdapter.deleteSessions(n.user.id);let m=await e.context.internalAdapter.createSession(n.user.id,e.headers);if(!m)return e.json(null,{status:500,body:{message:"Failed to create session"}});await U(e,m.id)}return e.json(n.user)}),Le=l("/user/set-password",{method:"POST",body:x.object({newPassword:x.string()}),use:[E]},async e=>{let{newPassword:t}=e.body,o=e.context.session,r=e.context.password.config.minPasswordLength;if(t.length<r)return e.context.logger.error("Password is too short"),e.json(null,{status:400,body:{message:"Password is too short"}});let n=e.context.password.config.maxPasswordLength;if(t.length>n)return e.context.logger.error("Password is too long"),e.json(null,{status:400,body:{message:"Password is too long"}});let i=(await e.context.internalAdapter.findAccounts(o.user.id)).find(d=>d.providerId==="credential"&&d.password),a=await e.context.password.hash(t);return i?e.json(null,{status:400,body:{message:"User already has a password"}}):(await e.context.internalAdapter.linkAccount({id:Rt(32,kt("a-z","0-9","A-Z")),userId:o.user.id,providerId:"credential",accountId:o.user.id,password:a}),e.json(o.user))});import{alphabet as Ut,generateRandomString as Tt}from"oslo/crypto";var Ee=l("/csrf",{method:"GET",metadata:_},async e=>{let t=await e.getSignedCookie(e.context.authCookies.csrfToken.name,e.context.secret);if(t)return{csrfToken:t};let o=Tt(32,Ut("a-z","0-9","A-Z")),r=await j(e.context.secret,o),n=`${o}!${r}`;return await e.setSignedCookie(e.context.authCookies.csrfToken.name,n,e.context.secret,e.context.authCookies.csrfToken.options),{csrfToken:o}});var Pt=(e="Unknown")=>`<!DOCTYPE html>
+// src/api/index.ts
+import {
+  APIError as APIError6,
+  createRouter
+} from "better-call";
+
+// src/api/middlewares/csrf.ts
+import { APIError } from "better-call";
+import { z } from "zod";
+
+// src/crypto/index.ts
+import { xchacha20poly1305 } from "@noble/ciphers/chacha";
+import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/ciphers/utils";
+import { managedNonce } from "@noble/ciphers/webcrypto";
+import { sha256 } from "@noble/hashes/sha256";
+async function hs256(secretKey, message) {
+  const enc = new TextEncoder();
+  const algorithm = { name: "HMAC", hash: "SHA-256" };
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secretKey),
+    algorithm,
+    false,
+    ["sign", "verify"]
+  );
+  const signature = await crypto.subtle.sign(
+    algorithm.name,
+    key,
+    enc.encode(message)
+  );
+  return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+
+// src/api/call.ts
+import {
+  createEndpointCreator,
+  createMiddleware,
+  createMiddlewareCreator
+} from "better-call";
+var optionsMiddleware = createMiddleware(async () => {
+  return {};
+});
+var createAuthMiddleware = createMiddlewareCreator({
+  use: [
+    optionsMiddleware,
+    /**
+     * Only use for post hooks
+     */
+    createMiddleware(async () => {
+      return {};
+    })
+  ]
+});
+var createAuthEndpoint = createEndpointCreator({
+  use: [optionsMiddleware]
+});
+
+// src/api/middlewares/csrf.ts
+var csrfMiddleware = createAuthMiddleware(
+  {
+    body: z.object({
+      csrfToken: z.string().optional()
+    }).optional()
+  },
+  async (ctx) => {
+    if (ctx.request?.method !== "POST" || ctx.context.options.advanced?.disableCSRFCheck) {
+      return;
+    }
+    const url = new URL(ctx.request.url);
+    if (url.origin === new URL(ctx.context.baseURL).origin || ctx.context.options.trustedOrigins?.includes(url.origin)) {
+      return;
+    }
+    const csrfToken = ctx.body?.csrfToken;
+    const csrfCookie = await ctx.getSignedCookie(
+      ctx.context.authCookies.csrfToken.name,
+      ctx.context.secret
+    );
+    const [token, hash] = csrfCookie?.split("!") || [null, null];
+    if (!csrfToken || !csrfCookie || !token || !hash || csrfCookie !== csrfToken) {
+      ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
+        maxAge: 0
+      });
+      throw new APIError("UNAUTHORIZED", {
+        message: "Invalid CSRF Token"
+      });
+    }
+    const expectedHash = await hs256(ctx.context.secret, token);
+    if (hash !== expectedHash) {
+      ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
+        maxAge: 0
+      });
+      throw new APIError("UNAUTHORIZED", {
+        message: "Invalid CSRF Token"
+      });
+    }
+  }
+);
+
+// src/api/routes/sign-in.ts
+import { APIError as APIError3 } from "better-call";
+import { generateCodeVerifier } from "oslo/oauth2";
+import { z as z4 } from "zod";
+
+// src/social-providers/apple.ts
+import "arctic";
+import { parseJWT } from "oslo/jwt";
+import "@better-fetch/fetch";
+
+// src/error/better-auth-error.ts
+var BetterAuthError = class extends Error {
+  constructor(message, cause, docsLink) {
+    super(message);
+    this.name = "BetterAuthError";
+    this.message = message;
+    this.cause = cause;
+    this.stack = "";
+  }
+};
+
+// src/social-providers/utils.ts
+import { OAuth2Tokens } from "arctic";
+
+// src/utils/base-url.ts
+function checkHasPath(url) {
+  try {
+    const parsedUrl = new URL(url);
+    return parsedUrl.pathname !== "/";
+  } catch (error2) {
+    throw new BetterAuthError(
+      `Invalid base URL: ${url}. Please provide a valid base URL.`
+    );
+  }
+}
+function withPath(url, path = "/api/auth") {
+  const hasPath = checkHasPath(url);
+  if (hasPath) {
+    return url;
+  }
+  path = path.startsWith("/") ? path : `/${path}`;
+  return `${url}${path}`;
+}
+function getBaseURL(url, path) {
+  if (url) {
+    return withPath(url, path);
+  }
+  const env = process?.env || {};
+  const fromEnv = env.BETTER_AUTH_URL || env.NEXT_PUBLIC_BETTER_AUTH_URL || env.PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_AUTH_URL || (env.BASE_URL !== "/" ? env.BASE_URL : void 0);
+  if (fromEnv) {
+    return withPath(fromEnv, path);
+  }
+  if (typeof window !== "undefined") {
+    return withPath(window.location.origin, path);
+  }
+  return void 0;
+}
+
+// src/social-providers/utils.ts
+import { betterFetch } from "@better-fetch/fetch";
+function getRedirectURI(providerId, redirectURI) {
+  return redirectURI || `${getBaseURL()}/callback/${providerId}`;
+}
+async function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint
+}) {
+  const body = new URLSearchParams();
+  body.set("grant_type", "authorization_code");
+  body.set("code", code);
+  codeVerifier && body.set("code_verifier", codeVerifier);
+  body.set("redirect_uri", redirectURI);
+  body.set("client_id", options.clientId);
+  body.set("client_secret", options.clientSecret);
+  const { data, error: error2 } = await betterFetch(tokenEndpoint, {
+    method: "POST",
+    body,
+    headers: {
+      "content-type": "application/x-www-form-urlencoded",
+      accept: "application/json",
+      "user-agent": "better-auth"
+    }
+  });
+  if (error2) {
+    throw error2;
+  }
+  const tokens = new OAuth2Tokens(data);
+  return tokens;
+}
+
+// src/social-providers/apple.ts
+var apple = (options) => {
+  const tokenEndpoint = "https://appleid.apple.com/auth/token";
+  return {
+    id: "apple",
+    name: "Apple",
+    createAuthorizationURL({ state, scopes, redirectURI }) {
+      const _scope = scopes || ["email", "name", "openid"];
+      return new URL(
+        `https://appleid.apple.com/auth/authorize?client_id=${options.clientId}&response_type=code&redirect_uri=${redirectURI || options.redirectURI}&scope=${_scope.join(" ")}&state=${state}`
+      );
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("apple", options.redirectURI),
+        options,
+        tokenEndpoint
+      });
+    },
+    async getUserInfo(token) {
+      const data = parseJWT(token.idToken())?.payload;
+      if (!data) {
+        return null;
+      }
+      return {
+        user: {
+          id: data.sub,
+          name: data.name,
+          email: data.email,
+          emailVerified: data.email_verified === "true"
+        },
+        data
+      };
+    }
+  };
+};
+
+// src/social-providers/discord.ts
+import { betterFetch as betterFetch3 } from "@better-fetch/fetch";
+import { Discord } from "arctic";
+var discord = (options) => {
+  const discordArctic = new Discord(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("discord", options.redirectURI)
+  );
+  return {
+    id: "discord",
+    name: "Discord",
+    createAuthorizationURL({ state, scopes }) {
+      const _scope = scopes || ["email"];
+      return discordArctic.createAuthorizationURL(state, _scope);
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("discord", options.redirectURI),
+        options,
+        tokenEndpoint: "https://discord.com/api/oauth2/token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch3(
+        "https://discord.com/api/users/@me",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.display_name || profile.username || "",
+          email: profile.email,
+          emailVerified: profile.verified
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/facebook.ts
+import { betterFetch as betterFetch4 } from "@better-fetch/fetch";
+import { Facebook } from "arctic";
+var facebook = (options) => {
+  const facebookArctic = new Facebook(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("facebook", options.redirectURI)
+  );
+  return {
+    id: "facebook",
+    name: "Facebook",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["email", "public_profile"];
+      return facebookArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("facebook", options.redirectURI),
+        options,
+        tokenEndpoint: "https://graph.facebook.com/v16.0/oauth/access_token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch4(
+        "https://graph.facebook.com/me",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.name,
+          email: profile.email,
+          emailVerified: profile.email_verified
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/github.ts
+import { betterFetch as betterFetch5 } from "@better-fetch/fetch";
+import { GitHub } from "arctic";
+var github = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const githubArctic = new GitHub(
+    clientId,
+    clientSecret,
+    getRedirectURI("github", redirectURI)
+  );
+  return {
+    id: "github",
+    name: "Github",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["user:email"];
+      return githubArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: async (state) => {
+      return await githubArctic.validateAuthorizationCode(state);
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch5(
+        "https://api.github.com/user",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      let emailVerified = false;
+      if (!profile.email) {
+        const { data, error: error3 } = await betterFetch5("https://api.github.com/user/emails", {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
+          }
+        });
+        if (!error3) {
+          profile.email = (data.find((e) => e.primary) ?? data[0])?.email;
+          emailVerified = data.find((e) => e.email === profile.email)?.verified ?? false;
+        }
+      }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.name,
+          email: profile.email,
+          image: profile.avatar_url,
+          emailVerified,
+          createdAt: /* @__PURE__ */ new Date(),
+          updatedAt: /* @__PURE__ */ new Date()
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/google.ts
+import { Google } from "arctic";
+import { parseJWT as parseJWT2 } from "oslo/jwt";
+
+// src/utils/logger.ts
+import { createConsola } from "consola";
+var consola = createConsola({
+  formatOptions: {
+    date: false,
+    colors: true,
+    compact: true
+  },
+  defaults: {
+    tag: "Better Auth"
+  }
+});
+var createLogger = (options) => {
+  return {
+    log: (...args) => {
+      !options?.disabled && consola.log("", ...args);
+    },
+    error: (...args) => {
+      !options?.disabled && consola.error("", ...args);
+    },
+    warn: (...args) => {
+      !options?.disabled && consola.warn("", ...args);
+    },
+    info: (...args) => {
+      !options?.disabled && consola.info("", ...args);
+    },
+    debug: (...args) => {
+      !options?.disabled && consola.debug("", ...args);
+    },
+    box: (...args) => {
+      !options?.disabled && consola.box("", ...args);
+    },
+    success: (...args) => {
+      !options?.disabled && consola.success("", ...args);
+    },
+    break: (...args) => {
+      !options?.disabled && console.log("\n");
+    }
+  };
+};
+var logger = createLogger();
+
+// src/social-providers/google.ts
+var google = (options) => {
+  const googleArctic = new Google(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("google", options.redirectURI)
+  );
+  return {
+    id: "google",
+    name: "Google",
+    createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+      if (!options.clientId || !options.clientSecret) {
+        logger.error(
+          "Client Id and Client Secret is required for Google. Make sure to provide them in the options."
+        );
+        throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+      }
+      if (!codeVerifier) {
+        throw new BetterAuthError("codeVerifier is required for Google");
+      }
+      const _scopes = scopes || ["email", "profile"];
+      const url = googleArctic.createAuthorizationURL(
+        state,
+        codeVerifier,
+        _scopes
+      );
+      return url;
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("google", options.redirectURI),
+        options,
+        tokenEndpoint: "https://oauth2.googleapis.com/token"
+      });
+    },
+    async getUserInfo(token) {
+      if (!token.idToken) {
+        return null;
+      }
+      const user = parseJWT2(token.idToken())?.payload;
+      return {
+        user: {
+          id: user.sub,
+          name: user.name,
+          email: user.email,
+          image: user.picture,
+          emailVerified: user.email_verified
+        },
+        data: user
+      };
+    }
+  };
+};
+
+// src/social-providers/spotify.ts
+import { betterFetch as betterFetch6 } from "@better-fetch/fetch";
+import { Spotify } from "arctic";
+var spotify = (options) => {
+  const spotifyArctic = new Spotify(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("spotify", options.redirectURI)
+  );
+  return {
+    id: "spotify",
+    name: "Spotify",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["user-read-email"];
+      return spotifyArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("spotify", options.redirectURI),
+        options,
+        tokenEndpoint: "https://accounts.spotify.com/api/token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch6(
+        "https://api.spotify.com/v1/me",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken()}`
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.display_name,
+          email: profile.email,
+          image: profile.images[0]?.url,
+          emailVerified: false
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/twitch.ts
+import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
+import { Twitch } from "arctic";
+var twitch = (options) => {
+  const twitchArctic = new Twitch(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("twitch", options.redirectURI)
+  );
+  return {
+    id: "twitch",
+    name: "Twitch",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["activity:write", "read"];
+      return twitchArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("twitch", options.redirectURI),
+        options,
+        tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch7(
+        "https://api.twitch.tv/helix/users",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken()}`
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.sub,
+          name: profile.preferred_username,
+          email: profile.email,
+          image: profile.picture,
+          emailVerified: false
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/twitter.ts
+import { betterFetch as betterFetch8 } from "@better-fetch/fetch";
+import { Twitter } from "arctic";
+var twitter = (options) => {
+  const twitterArctic = new Twitter(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("twitter", options.redirectURI)
+  );
+  return {
+    id: "twitter",
+    name: "Twitter",
+    createAuthorizationURL(data) {
+      const _scopes = data.scopes || ["account_info.read"];
+      return twitterArctic.createAuthorizationURL(
+        data.state,
+        data.codeVerifier,
+        _scopes
+      );
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("twitch", options.redirectURI),
+        options,
+        tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch8(
+        "https://api.x.com/2/users/me?user.fields=profile_image_url",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken()}`
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      if (!profile.data.email) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.data.id,
+          name: profile.data.name,
+          email: profile.data.email,
+          image: profile.data.profile_image_url,
+          emailVerified: profile.data.verified || false
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/types/provider.ts
+import "arctic";
+
+// src/social-providers/index.ts
+var oAuthProviders = {
+  apple,
+  discord,
+  facebook,
+  github,
+  google,
+  spotify,
+  twitch,
+  twitter
+};
+var oAuthProviderList = Object.keys(oAuthProviders);
+
+// src/utils/state.ts
+import { generateState as generateStateOAuth } from "oslo/oauth2";
+import { z as z2 } from "zod";
+function generateState(callbackURL, currentURL, dontRememberMe) {
+  const code = generateStateOAuth();
+  const state = JSON.stringify({
+    code,
+    callbackURL,
+    currentURL,
+    dontRememberMe
+  });
+  return { state, code };
+}
+function parseState(state) {
+  const data = z2.object({
+    code: z2.string(),
+    callbackURL: z2.string().optional(),
+    currentURL: z2.string().optional(),
+    dontRememberMe: z2.boolean().optional()
+  }).safeParse(JSON.parse(state));
+  return data;
+}
+
+// src/api/routes/session.ts
+import { APIError as APIError2 } from "better-call";
+
+// src/utils/date.ts
+var getDate = (span, isSeconds = false) => {
+  const date = /* @__PURE__ */ new Date();
+  return new Date(date.getTime() + (isSeconds ? span * 1e3 : span));
+};
+
+// src/utils/cookies.ts
+import { TimeSpan } from "oslo";
+async function setSessionCookie(ctx, sessionToken, dontRememberMe, overrides) {
+  const options = ctx.context.authCookies.sessionToken.options;
+  options.maxAge = dontRememberMe ? void 0 : options.maxAge;
+  await ctx.setSignedCookie(
+    ctx.context.authCookies.sessionToken.name,
+    sessionToken,
+    ctx.context.secret,
+    options
+  );
+  if (dontRememberMe) {
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.dontRememberToken.name,
+      "true",
+      ctx.context.secret,
+      ctx.context.authCookies.dontRememberToken.options
+    );
+  }
+}
+function deleteSessionCookie(ctx) {
+  ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
+    maxAge: 0
+  });
+  ctx.setCookie(ctx.context.authCookies.dontRememberToken.name, "", {
+    maxAge: 0
+  });
+}
+
+// src/api/routes/session.ts
+import { z as z3 } from "zod";
+
+// src/utils/get-request-ip.ts
+function getIp(req) {
+  const testIP = "127.0.0.1";
+  if (process.env.NODE_ENV === "test") {
+    return testIP;
+  }
+  const headers = [
+    "x-client-ip",
+    "x-forwarded-for",
+    "cf-connecting-ip",
+    "fastly-client-ip",
+    "x-real-ip",
+    "x-cluster-client-ip",
+    "x-forwarded",
+    "forwarded-for",
+    "forwarded"
+  ];
+  for (const header of headers) {
+    const value = req.headers.get(header);
+    if (typeof value === "string") {
+      const ip = value.split(",")[0].trim();
+      if (ip) return ip;
+    }
+  }
+  return null;
+}
+
+// src/api/routes/session.ts
+var sessionCache = /* @__PURE__ */ new Map();
+function getRequestUniqueKey(ctx, token) {
+  if (!ctx.request) {
+    return "";
+  }
+  const { method, url, headers } = ctx.request;
+  const userAgent = ctx.request.headers.get("User-Agent") || "";
+  const ip = getIp(ctx.request) || "";
+  const headerString = JSON.stringify(headers);
+  const uniqueString = `${method}:${url}:${headerString}:${userAgent}:${ip}:${token}`;
+  return uniqueString;
+}
+var getSession = () => createAuthEndpoint(
+  "/session",
+  {
+    method: "GET",
+    requireHeaders: true
+  },
+  async (ctx) => {
+    try {
+      const sessionCookieToken = await ctx.getSignedCookie(
+        ctx.context.authCookies.sessionToken.name,
+        ctx.context.secret
+      );
+      if (!sessionCookieToken) {
+        return ctx.json(null, {
+          status: 401
+        });
+      }
+      const key = getRequestUniqueKey(ctx, sessionCookieToken);
+      const cachedSession = sessionCache.get(key);
+      if (cachedSession) {
+        if (cachedSession.expiresAt > Date.now()) {
+          return ctx.json(
+            cachedSession.data
+          );
+        }
+        sessionCache.delete(key);
+      }
+      const session = await ctx.context.internalAdapter.findSession(sessionCookieToken);
+      if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
+        deleteSessionCookie(ctx);
+        if (session) {
+          await ctx.context.internalAdapter.deleteSession(session.session.id);
+        }
+        return ctx.json(null, {
+          status: 401
+        });
+      }
+      const dontRememberMe = await ctx.getSignedCookie(
+        ctx.context.authCookies.dontRememberToken.name,
+        ctx.context.secret
+      );
+      if (dontRememberMe) {
+        return ctx.json(
+          session
+        );
+      }
+      const expiresIn = ctx.context.sessionConfig.expiresIn;
+      const updateAge = ctx.context.sessionConfig.updateAge;
+      const sessionIsDueToBeUpdatedDate = session.session.expiresAt.valueOf() - expiresIn * 1e3 + updateAge * 1e3;
+      const shouldBeUpdated = sessionIsDueToBeUpdatedDate <= Date.now();
+      if (shouldBeUpdated) {
+        const updatedSession = await ctx.context.internalAdapter.updateSession(
+          session.session.id,
+          {
+            expiresAt: getDate(ctx.context.sessionConfig.expiresIn, true)
+          }
+        );
+        if (!updatedSession) {
+          deleteSessionCookie(ctx);
+          return ctx.json(null, { status: 401 });
+        }
+        const maxAge = (updatedSession.expiresAt.valueOf() - Date.now()) / 1e3;
+        await setSessionCookie(ctx, updatedSession.id, false, {
+          maxAge
+        });
+        return ctx.json({
+          session: updatedSession,
+          user: session.user
+        });
+      }
+      sessionCache.set(key, {
+        data: session,
+        expiresAt: Date.now() + 5e3
+      });
+      return ctx.json(
+        session
+      );
+    } catch (error2) {
+      ctx.context.logger.error(error2);
+      return ctx.json(null, { status: 500 });
+    }
+  }
+);
+var getSessionFromCtx = async (ctx) => {
+  const session = await getSession()({
+    ...ctx,
+    //@ts-expect-error: By default since this request context comes from a router it'll have a `router` flag which force it to be a request object
+    _flag: void 0
+  });
+  return session;
+};
+var sessionMiddleware = createAuthMiddleware(async (ctx) => {
+  const session = await getSessionFromCtx(ctx);
+  if (!session?.session) {
+    throw new APIError2("UNAUTHORIZED");
+  }
+  return {
+    session
+  };
+});
+var listSessions = () => createAuthEndpoint(
+  "/user/list-sessions",
+  {
+    method: "GET",
+    use: [sessionMiddleware],
+    requireHeaders: true
+  },
+  async (ctx) => {
+    const sessions = await ctx.context.adapter.findMany({
+      model: ctx.context.tables.session.tableName,
+      where: [
+        {
+          field: "userId",
+          value: ctx.context.session.user.id
+        }
+      ]
+    });
+    const activeSessions = sessions.filter((session) => {
+      return session.expiresAt > /* @__PURE__ */ new Date();
+    });
+    return ctx.json(
+      activeSessions
+    );
+  }
+);
+var revokeSession = createAuthEndpoint(
+  "/user/revoke-session",
+  {
+    method: "POST",
+    body: z3.object({
+      id: z3.string()
+    }),
+    use: [sessionMiddleware],
+    requireHeaders: true
+  },
+  async (ctx) => {
+    const id = ctx.body.id;
+    const findSession = await ctx.context.internalAdapter.findSession(id);
+    if (!findSession) {
+      return ctx.json(null, { status: 400 });
+    }
+    if (findSession.session.userId !== ctx.context.session.user.id) {
+      return ctx.json(null, { status: 403 });
+    }
+    try {
+      await ctx.context.internalAdapter.deleteSession(id);
+    } catch (error2) {
+      ctx.context.logger.error(error2);
+      return ctx.json(null, { status: 500 });
+    }
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var revokeSessions = createAuthEndpoint(
+  "/user/revoke-sessions",
+  {
+    method: "POST",
+    use: [sessionMiddleware],
+    requireHeaders: true
+  },
+  async (ctx) => {
+    try {
+      await ctx.context.internalAdapter.deleteSessions(
+        ctx.context.session.user.id
+      );
+    } catch (error2) {
+      ctx.context.logger.error(error2);
+      return ctx.json(null, { status: 500 });
+    }
+    return ctx.json({
+      status: true
+    });
+  }
+);
+
+// src/api/routes/sign-in.ts
+var signInOAuth = createAuthEndpoint(
+  "/sign-in/social",
+  {
+    method: "POST",
+    requireHeaders: true,
+    query: z4.object({
+      /**
+       * Redirect to the current URL after the
+       * user has signed in.
+       */
+      currentURL: z4.string().optional()
+    }).optional(),
+    body: z4.object({
+      /**
+       * Callback URL to redirect to after the user has signed in.
+       */
+      callbackURL: z4.string().optional(),
+      /**
+       * OAuth2 provider to use`
+       */
+      provider: z4.enum(oAuthProviderList),
+      /**
+       * If this is true the session will only be valid for the current browser session
+       */
+      dontRememberMe: z4.boolean().default(false).optional()
+    })
+  },
+  async (c) => {
+    const provider = c.context.socialProviders.find(
+      (p) => p.id === c.body.provider
+    );
+    if (!provider) {
+      c.context.logger.error(
+        "Provider not found. Make sure to add the provider to your auth config",
+        {
+          provider: c.body.provider
+        }
+      );
+      throw new APIError3("NOT_FOUND", {
+        message: "Provider not found"
+      });
+    }
+    const cookie = c.context.authCookies;
+    const currentURL = c.query?.currentURL ? new URL(c.query?.currentURL) : null;
+    const callbackURL = c.body.callbackURL?.startsWith("http") ? c.body.callbackURL : `${currentURL?.origin}${c.body.callbackURL || ""}`;
+    const state = generateState(
+      callbackURL || currentURL?.origin || c.context.baseURL,
+      c.query?.currentURL
+    );
+    try {
+      await c.setSignedCookie(
+        cookie.state.name,
+        state.code,
+        c.context.secret,
+        cookie.state.options
+      );
+      const codeVerifier = generateCodeVerifier();
+      await c.setSignedCookie(
+        cookie.pkCodeVerifier.name,
+        codeVerifier,
+        c.context.secret,
+        cookie.pkCodeVerifier.options
+      );
+      const url = provider.createAuthorizationURL({
+        state: state.state,
+        codeVerifier
+      });
+      url.searchParams.set(
+        "redirect_uri",
+        `${c.context.baseURL}/callback/${c.body.provider}`
+      );
+      return {
+        url: url.toString(),
+        state: state.state,
+        codeVerifier,
+        redirect: true
+      };
+    } catch (e) {
+      throw new APIError3("INTERNAL_SERVER_ERROR");
+    }
+  }
+);
+var signInEmail = createAuthEndpoint(
+  "/sign-in/email",
+  {
+    method: "POST",
+    body: z4.object({
+      email: z4.string().email(),
+      password: z4.string(),
+      callbackURL: z4.string().optional(),
+      /**
+       * If this is true the session will only be valid for the current browser session
+       * @default false
+       */
+      dontRememberMe: z4.boolean().default(false).optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options?.emailAndPassword?.enabled) {
+      ctx.context.logger.error(
+        "Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"
+      );
+      throw new APIError3("BAD_REQUEST", {
+        message: "Email and password is not enabled"
+      });
+    }
+    const currentSession = await getSessionFromCtx(ctx);
+    if (currentSession) {
+      await ctx.context.internalAdapter.deleteSession(
+        currentSession.session.id
+      );
+    }
+    const { email, password } = ctx.body;
+    const checkEmail = z4.string().email().safeParse(email);
+    if (!checkEmail.success) {
+      throw new APIError3("BAD_REQUEST", {
+        message: "Invalid email"
+      });
+    }
+    const user = await ctx.context.internalAdapter.findUserByEmail(email);
+    if (!user) {
+      await ctx.context.password.hash(password);
+      ctx.context.logger.error("User not found", { email });
+      throw new APIError3("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const credentialAccount = user.accounts.find(
+      (a) => a.providerId === "credential"
+    );
+    if (!credentialAccount) {
+      ctx.context.logger.error("Credential account not found", { email });
+      throw new APIError3("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const currentPassword = credentialAccount?.password;
+    if (!currentPassword) {
+      ctx.context.logger.error("Password not found", { email });
+      throw new APIError3("UNAUTHORIZED", {
+        message: "Unexpected error"
+      });
+    }
+    const validPassword = await ctx.context.password.verify(
+      currentPassword,
+      password
+    );
+    if (!validPassword) {
+      ctx.context.logger.error("Invalid password");
+      throw new APIError3("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const session = await ctx.context.internalAdapter.createSession(
+      user.user.id,
+      ctx.headers,
+      ctx.body.dontRememberMe
+    );
+    if (!session) {
+      ctx.context.logger.error("Failed to create session");
+      throw new APIError3("INTERNAL_SERVER_ERROR");
+    }
+    await setSessionCookie(ctx, session.id, ctx.body.dontRememberMe);
+    return ctx.json({
+      user: user.user,
+      session,
+      redirect: !!ctx.body.callbackURL,
+      url: ctx.body.callbackURL
+    });
+  }
+);
+
+// src/api/routes/callback.ts
+import { APIError as APIError4 } from "better-call";
+import { z as z6 } from "zod";
+
+// src/db/schema.ts
+import { z as z5 } from "zod";
+var accountSchema = z5.object({
+  id: z5.string(),
+  providerId: z5.string(),
+  accountId: z5.string(),
+  userId: z5.string(),
+  accessToken: z5.string().nullable().optional(),
+  refreshToken: z5.string().nullable().optional(),
+  idToken: z5.string().nullable().optional(),
+  /**
+   * Access token expires at
+   */
+  expiresAt: z5.date().nullable().optional(),
+  /**
+   * Password is only stored in the credential provider
+   */
+  password: z5.string().optional().nullable()
+});
+var userSchema = z5.object({
+  id: z5.string(),
+  email: z5.string().transform((val) => val.toLowerCase()),
+  emailVerified: z5.boolean().default(false),
+  name: z5.string(),
+  image: z5.string().optional(),
+  createdAt: z5.date().default(/* @__PURE__ */ new Date()),
+  updatedAt: z5.date().default(/* @__PURE__ */ new Date())
+});
+var sessionSchema = z5.object({
+  id: z5.string(),
+  userId: z5.string(),
+  expiresAt: z5.date(),
+  ipAddress: z5.string().optional(),
+  userAgent: z5.string().optional()
+});
+
+// src/utils/id.ts
+import { alphabet, generateRandomString } from "oslo/crypto";
+var generateId = () => {
+  return generateRandomString(36, alphabet("a-z", "0-9"));
+};
+
+// src/utils/hide-metadata.ts
+var HIDE_METADATA = {
+  isAction: false
+};
+
+// src/utils/getAccount.ts
+function getAccountTokens(tokens) {
+  const accessToken = tokens.accessToken();
+  let refreshToken = tokens.hasRefreshToken() ? tokens.refreshToken() : void 0;
+  let accessTokenExpiresAt = void 0;
+  try {
+    accessTokenExpiresAt = tokens.accessTokenExpiresAt();
+  } catch {
+  }
+  return {
+    accessToken,
+    refreshToken,
+    expiresAt: accessTokenExpiresAt
+  };
+}
+
+// src/api/routes/callback.ts
+var callbackOAuth = createAuthEndpoint(
+  "/callback/:id",
+  {
+    method: "GET",
+    query: z6.object({
+      state: z6.string(),
+      code: z6.string().optional(),
+      error: z6.string().optional()
+    }),
+    metadata: HIDE_METADATA
+  },
+  async (c) => {
+    if (c.query.error || !c.query.code) {
+      const parsedState2 = parseState(c.query.state);
+      const callbackURL2 = parsedState2.data?.callbackURL || `${c.context.baseURL}/error`;
+      c.context.logger.error(c.query.error, c.params.id);
+      throw c.redirect(
+        `${callbackURL2}?error=${c.query.error || "oAuth_code_missing"}`
+      );
+    }
+    const provider = c.context.socialProviders.find(
+      (p) => p.id === c.params.id
+    );
+    if (!provider) {
+      c.context.logger.error(
+        "Oauth provider with id",
+        c.params.id,
+        "not found"
+      );
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=oauth_provider_not_found`
+      );
+    }
+    const codeVerifier = await c.getSignedCookie(
+      c.context.authCookies.pkCodeVerifier.name,
+      c.context.secret
+    );
+    let tokens;
+    try {
+      tokens = await provider.validateAuthorizationCode(
+        c.query.code,
+        codeVerifier,
+        `${c.context.baseURL}/callback/${provider.id}`
+      );
+    } catch (e) {
+      c.context.logger.error(e);
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=oauth_code_verification_failed`
+      );
+    }
+    const user = await provider.getUserInfo(tokens).then((res) => res?.user);
+    const id = generateId();
+    const data = userSchema.safeParse({
+      ...user,
+      id
+    });
+    const parsedState = parseState(c.query.state);
+    if (!parsedState.success) {
+      c.context.logger.error("Unable to parse state");
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=invalid_state_parameter`
+      );
+    }
+    const { callbackURL, currentURL, dontRememberMe } = parsedState.data;
+    if (!user || data.success === false) {
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=oauth_validation_failed`
+      );
+    }
+    if (!callbackURL) {
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=oauth_callback_url_not_found`
+      );
+    }
+    const dbUser = await c.context.internalAdapter.findUserByEmail(user.email);
+    const userId = dbUser?.user.id;
+    if (dbUser) {
+      const hasBeenLinked = dbUser.accounts.find(
+        (a) => a.providerId === provider.id
+      );
+      const trustedProviders = c.context.options.account?.accountLinking?.trustedProviders;
+      const isTrustedProvider = trustedProviders ? trustedProviders.includes(provider.id) : true;
+      if (!hasBeenLinked && (!user.emailVerified || !isTrustedProvider)) {
+        let url;
+        try {
+          url = new URL(currentURL || callbackURL);
+          url.searchParams.set("error", "account_not_linked");
+        } catch (e) {
+          throw c.redirect(
+            `${c.context.baseURL}/error?error=account_not_linked`
+          );
+        }
+        throw c.redirect(url.toString());
+      }
+      if (!hasBeenLinked) {
+        try {
+          await c.context.internalAdapter.linkAccount({
+            providerId: provider.id,
+            accountId: user.id,
+            id: `${provider.id}:${user.id}`,
+            userId: dbUser.user.id,
+            ...getAccountTokens(tokens)
+          });
+        } catch (e) {
+          console.log(e);
+          throw c.redirect(
+            `${c.context.baseURL}/error?error=failed_linking_account`
+          );
+        }
+      }
+    } else {
+      try {
+        await c.context.internalAdapter.createOAuthUser(data.data, {
+          ...getAccountTokens(tokens),
+          id: `${provider.id}:${user.id}`,
+          providerId: provider.id,
+          accountId: user.id,
+          userId: id
+        });
+      } catch (e) {
+        const url = new URL(currentURL || callbackURL);
+        url.searchParams.set("error", "unable_to_create_user");
+        c.setHeader("Location", url.toString());
+        throw c.redirect(url.toString());
+      }
+    }
+    if (!userId && !id)
+      throw new APIError4("INTERNAL_SERVER_ERROR", {
+        message: "Unable to create user"
+      });
+    const session = await c.context.internalAdapter.createSession(
+      userId || id,
+      c.request,
+      dontRememberMe
+    );
+    if (!session) {
+      const url = new URL(currentURL || callbackURL);
+      url.searchParams.set("error", "unable_to_create_session");
+      throw c.redirect(url.toString());
+    }
+    try {
+      await setSessionCookie(c, session.id, dontRememberMe);
+    } catch (e) {
+      c.context.logger.error("Unable to set session cookie", e);
+      const url = new URL(currentURL || callbackURL);
+      url.searchParams.set("error", "unable_to_create_session");
+      throw c.redirect(url.toString());
+    }
+    throw c.redirect(callbackURL);
+  }
+);
+
+// src/api/routes/sign-out.ts
+import { z as z7 } from "zod";
+var signOut = createAuthEndpoint(
+  "/sign-out",
+  {
+    method: "POST",
+    body: z7.optional(
+      z7.object({
+        callbackURL: z7.string().optional()
+      })
+    )
+  },
+  async (ctx) => {
+    const sessionCookieToken = await ctx.getSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      ctx.context.secret
+    );
+    if (!sessionCookieToken) {
+      return ctx.json(null);
+    }
+    await ctx.context.internalAdapter.deleteSession(sessionCookieToken);
+    deleteSessionCookie(ctx);
+    return ctx.json(null, {
+      body: {
+        redirect: !!ctx.body?.callbackURL,
+        url: ctx.body?.callbackURL
+      }
+    });
+  }
+);
+
+// src/api/routes/forget-password.ts
+import { TimeSpan as TimeSpan2 } from "oslo";
+import { createJWT, parseJWT as parseJWT3 } from "oslo/jwt";
+import { validateJWT } from "oslo/jwt";
+import { z as z8 } from "zod";
+var forgetPassword = createAuthEndpoint(
+  "/forget-password",
+  {
+    method: "POST",
+    body: z8.object({
+      /**
+       * The email address of the user to send a password reset email to.
+       */
+      email: z8.string().email(),
+      /**
+       * The URL to redirect the user to reset their password.
+       * If the token isn't valid or expired, it'll be redirected with a query parameter `?
+       * error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?
+       * token=VALID_TOKEN
+       */
+      redirectTo: z8.string()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.sendResetPassword) {
+      ctx.context.logger.error(
+        "Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function to your auth config!"
+      );
+      return ctx.json(null, {
+        status: 400,
+        statusText: "RESET_PASSWORD_EMAIL_NOT_SENT",
+        body: {
+          message: "Reset password isn't enabled"
+        }
+      });
+    }
+    const { email } = ctx.body;
+    const user = await ctx.context.internalAdapter.findUserByEmail(email);
+    if (!user) {
+      return ctx.json(
+        {
+          status: false
+        },
+        {
+          body: {
+            status: true
+          }
+        }
+      );
+    }
+    const token = await createJWT(
+      "HS256",
+      Buffer.from(ctx.context.secret),
+      {
+        email: user.user.email,
+        redirectTo: ctx.body.redirectTo
+      },
+      {
+        expiresIn: new TimeSpan2(1, "h"),
+        issuer: "better-auth",
+        subject: "forget-password",
+        audiences: [user.user.email],
+        includeIssuedTimestamp: true
+      }
+    );
+    const url = `${ctx.context.baseURL}/reset-password/${token}`;
+    await ctx.context.options.emailAndPassword.sendResetPassword(
+      url,
+      user.user
+    );
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var forgetPasswordCallback = createAuthEndpoint(
+  "/reset-password/:token",
+  {
+    method: "GET"
+  },
+  async (ctx) => {
+    const { token } = ctx.params;
+    let decodedToken;
+    const schema = z8.object({
+      email: z8.string(),
+      redirectTo: z8.string()
+    });
+    try {
+      decodedToken = await validateJWT(
+        "HS256",
+        Buffer.from(ctx.context.secret),
+        token
+      );
+      if (!decodedToken.expiresAt || decodedToken.expiresAt < /* @__PURE__ */ new Date()) {
+        throw Error("Token expired");
+      }
+    } catch (e) {
+      const decoded = parseJWT3(token);
+      const jwt = schema.safeParse(decoded?.payload);
+      if (jwt.success) {
+        throw ctx.redirect(`${jwt.data?.redirectTo}?error=invalid_token`);
+      } else {
+        throw ctx.redirect(`${ctx.context.baseURL}/error?error=invalid_token`);
+      }
+    }
+    const { redirectTo } = schema.parse(decodedToken.payload);
+    throw ctx.redirect(`${redirectTo}?token=${token}`);
+  }
+);
+var resetPassword = createAuthEndpoint(
+  "/reset-password",
+  {
+    method: "POST",
+    query: z8.object({
+      currentURL: z8.string()
+    }).optional(),
+    body: z8.object({
+      newPassword: z8.string(),
+      callbackURL: z8.string().optional()
+    })
+  },
+  async (ctx) => {
+    const token = ctx.query?.currentURL.split("?token=")[1];
+    if (!token) {
+      return ctx.json(
+        {
+          error: "Invalid token",
+          data: null
+        },
+        {
+          status: 400,
+          statusText: "INVALID_TOKEN",
+          body: {
+            message: "Invalid token"
+          }
+        }
+      );
+    }
+    const { newPassword } = ctx.body;
+    try {
+      const jwt = await validateJWT(
+        "HS256",
+        Buffer.from(ctx.context.secret),
+        token
+      );
+      const email = z8.string().email().parse(jwt.payload.email);
+      const user = await ctx.context.internalAdapter.findUserByEmail(email);
+      if (!user) {
+        return ctx.json(
+          {
+            error: "User not found",
+            data: null
+          },
+          {
+            status: 400,
+            body: {
+              message: "failed to reset password"
+            }
+          }
+        );
+      }
+      if (newPassword.length < (ctx.context.options.emailAndPassword?.minPasswordLength || 8) || newPassword.length > (ctx.context.options.emailAndPassword?.maxPasswordLength || 32)) {
+        return ctx.json(
+          {
+            data: null,
+            error: "password is too short or too long"
+          },
+          {
+            status: 400,
+            statusText: "INVALID_PASSWORD_LENGTH",
+            body: {
+              message: "password is too short or too long"
+            }
+          }
+        );
+      }
+      const hashedPassword = await ctx.context.password.hash(newPassword);
+      const updatedUser = await ctx.context.internalAdapter.updatePassword(
+        user.user.id,
+        hashedPassword
+      );
+      if (!updatedUser) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "USER_NOT_FOUND",
+          body: {
+            message: "User doesn't have a credential account"
+          }
+        });
+      }
+      return ctx.json(
+        {
+          error: null,
+          data: {
+            status: true,
+            url: ctx.body.callbackURL,
+            redirect: !!ctx.body.callbackURL
+          }
+        },
+        {
+          body: {
+            status: true,
+            url: ctx.body.callbackURL,
+            redirect: !!ctx.body.callbackURL
+          }
+        }
+      );
+    } catch (e) {
+      console.log(e);
+      return ctx.json(
+        {
+          error: "Invalid token",
+          data: null
+        },
+        {
+          status: 400,
+          statusText: "INVALID_TOKEN",
+          body: {
+            message: "Invalid token"
+          }
+        }
+      );
+    }
+  }
+);
+
+// src/api/routes/verify-email.ts
+import { TimeSpan as TimeSpan3 } from "oslo";
+import { createJWT as createJWT2, validateJWT as validateJWT2 } from "oslo/jwt";
+import { z as z9 } from "zod";
+async function createEmailVerificationToken(secret, email) {
+  const token = await createJWT2(
+    "HS256",
+    Buffer.from(secret),
+    {
+      email: email.toLowerCase()
+    },
+    {
+      expiresIn: new TimeSpan3(1, "h"),
+      issuer: "better-auth",
+      subject: "verify-email",
+      audiences: [email],
+      includeIssuedTimestamp: true
+    }
+  );
+  return token;
+}
+var sendVerificationEmail = createAuthEndpoint(
+  "/send-verification-email",
+  {
+    method: "POST",
+    query: z9.object({
+      currentURL: z9.string().optional()
+    }).optional(),
+    body: z9.object({
+      email: z9.string().email(),
+      callbackURL: z9.string().optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.sendVerificationEmail) {
+      ctx.context.logger.error(
+        "Verification email isn't enabled. Pass `sendVerificationEmail` in `emailAndPassword` options to enable it."
+      );
+      return ctx.json(null, {
+        status: 400,
+        statusText: "VERIFICATION_EMAIL_NOT_SENT",
+        body: {
+          message: "Verification email isn't enabled"
+        }
+      });
+    }
+    const { email } = ctx.body;
+    const token = await createEmailVerificationToken(ctx.context.secret, email);
+    const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || ctx.query?.currentURL || "/"}`;
+    await ctx.context.options.emailAndPassword.sendVerificationEmail(
+      email,
+      url,
+      token
+    );
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var verifyEmail = createAuthEndpoint(
+  "/verify-email",
+  {
+    method: "GET",
+    query: z9.object({
+      token: z9.string(),
+      callbackURL: z9.string().optional()
+    })
+  },
+  async (ctx) => {
+    const { token } = ctx.query;
+    let jwt;
+    try {
+      jwt = await validateJWT2("HS256", Buffer.from(ctx.context.secret), token);
+    } catch (e) {
+      ctx.context.logger.error("Failed to verify email", e);
+      return ctx.json(null, {
+        status: 400,
+        statusText: "INVALID_TOKEN",
+        body: {
+          message: "Invalid token"
+        }
+      });
+    }
+    const schema = z9.object({
+      email: z9.string().email()
+    });
+    const parsed = schema.parse(jwt.payload);
+    const user = await ctx.context.internalAdapter.findUserByEmail(
+      parsed.email
+    );
+    if (!user) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "USER_NOT_FOUND",
+        body: {
+          message: "User not found"
+        }
+      });
+    }
+    const account = user.accounts.find((a) => a.providerId === "credential");
+    if (!account) {
+      throw ctx.redirect;
+    }
+    await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
+      emailVerified: true
+    });
+    if (ctx.query.callbackURL) {
+      console.log("Redirecting to", ctx.query.callbackURL);
+      throw ctx.redirect("/");
+    }
+    return ctx.json({
+      status: true
+    });
+  }
+);
+
+// src/api/routes/update-user.ts
+import { z as z10 } from "zod";
+import { alphabet as alphabet2, generateRandomString as generateRandomString2 } from "oslo/crypto";
+import "better-call";
+var updateUser = createAuthEndpoint(
+  "/user/update",
+  {
+    method: "POST",
+    body: z10.object({
+      name: z10.string().optional(),
+      image: z10.string().optional()
+    }),
+    use: [sessionMiddleware]
+  },
+  async (ctx) => {
+    const { name, image } = ctx.body;
+    const session = ctx.context.session;
+    if (!image && !name) {
+      return ctx.json(session.user);
+    }
+    const user = await ctx.context.internalAdapter.updateUserByEmail(
+      session.user.email,
+      {
+        name,
+        image
+      }
+    );
+    return ctx.json(user);
+  }
+);
+var changePassword = createAuthEndpoint(
+  "/user/change-password",
+  {
+    method: "POST",
+    body: z10.object({
+      /**
+       * The new password to set
+       */
+      newPassword: z10.string(),
+      /**
+       * The current password of the user
+       */
+      currentPassword: z10.string(),
+      /**
+       * revoke all sessions that are not the
+       * current one logged in by the user
+       */
+      revokeOtherSessions: z10.boolean().optional()
+    }),
+    use: [sessionMiddleware]
+  },
+  async (ctx) => {
+    const { newPassword, currentPassword, revokeOtherSessions } = ctx.body;
+    const session = ctx.context.session;
+    const minPasswordLength = ctx.context.password.config.minPasswordLength;
+    if (newPassword.length < minPasswordLength) {
+      ctx.context.logger.error("Password is too short");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too short" }
+      });
+    }
+    const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
+    if (newPassword.length > maxPasswordLength) {
+      ctx.context.logger.error("Password is too long");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too long" }
+      });
+    }
+    const accounts = await ctx.context.internalAdapter.findAccounts(
+      session.user.id
+    );
+    const account = accounts.find(
+      (account2) => account2.providerId === "credential" && account2.password
+    );
+    if (!account || !account.password) {
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "User does not have a password" }
+      });
+    }
+    const passwordHash = await ctx.context.password.hash(newPassword);
+    const verify = await ctx.context.password.verify(
+      account.password,
+      currentPassword
+    );
+    if (!verify) {
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Invalid password" }
+      });
+    }
+    await ctx.context.internalAdapter.updateAccount(account.id, {
+      password: passwordHash
+    });
+    if (revokeOtherSessions) {
+      await ctx.context.internalAdapter.deleteSessions(session.user.id);
+      const newSession = await ctx.context.internalAdapter.createSession(
+        session.user.id,
+        ctx.headers
+      );
+      if (!newSession) {
+        return ctx.json(null, {
+          status: 500,
+          body: { message: "Failed to create session" }
+        });
+      }
+      await setSessionCookie(ctx, newSession.id);
+    }
+    return ctx.json(session.user);
+  }
+);
+var setPassword = createAuthEndpoint(
+  "/user/set-password",
+  {
+    method: "POST",
+    body: z10.object({
+      /**
+       * The new password to set
+       */
+      newPassword: z10.string()
+    }),
+    use: [sessionMiddleware]
+  },
+  async (ctx) => {
+    const { newPassword } = ctx.body;
+    const session = ctx.context.session;
+    const minPasswordLength = ctx.context.password.config.minPasswordLength;
+    if (newPassword.length < minPasswordLength) {
+      ctx.context.logger.error("Password is too short");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too short" }
+      });
+    }
+    const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
+    if (newPassword.length > maxPasswordLength) {
+      ctx.context.logger.error("Password is too long");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too long" }
+      });
+    }
+    const accounts = await ctx.context.internalAdapter.findAccounts(
+      session.user.id
+    );
+    const account = accounts.find(
+      (account2) => account2.providerId === "credential" && account2.password
+    );
+    const passwordHash = await ctx.context.password.hash(newPassword);
+    if (!account) {
+      await ctx.context.internalAdapter.linkAccount({
+        id: generateRandomString2(32, alphabet2("a-z", "0-9", "A-Z")),
+        userId: session.user.id,
+        providerId: "credential",
+        accountId: session.user.id,
+        password: passwordHash
+      });
+      return ctx.json(session.user);
+    }
+    return ctx.json(null, {
+      status: 400,
+      body: { message: "User already has a password" }
+    });
+  }
+);
+
+// src/api/routes/csrf.ts
+import { alphabet as alphabet3, generateRandomString as generateRandomString3 } from "oslo/crypto";
+var getCSRFToken = createAuthEndpoint(
+  "/csrf",
+  {
+    method: "GET",
+    metadata: HIDE_METADATA
+  },
+  async (ctx) => {
+    const csrfToken = await ctx.getSignedCookie(
+      ctx.context.authCookies.csrfToken.name,
+      ctx.context.secret
+    );
+    if (csrfToken) {
+      return {
+        csrfToken
+      };
+    }
+    const token = generateRandomString3(32, alphabet3("a-z", "0-9", "A-Z"));
+    const hash = await hs256(ctx.context.secret, token);
+    const cookie = `${token}!${hash}`;
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.csrfToken.name,
+      cookie,
+      ctx.context.secret,
+      ctx.context.authCookies.csrfToken.options
+    );
+    return {
+      csrfToken: token
+    };
+  }
+);
+
+// src/api/routes/error.ts
+var html = (errorCode = "Unknown") => `<!DOCTYPE html>
 <html lang="en">
 <head>
     <meta charset="UTF-8">
@@ -76,7 +2002,535 @@ import{APIError as Et,createRouter as Ot}from"better-call";import{APIError as Q}
         <h1>Better Auth Error</h1>
         <p>We encountered an issue while processing your request. Please try again or contact the application owner if the problem persists.</p>
         <a href="/" id="returnLink" class="btn">Return to Application</a>
-        <div class="error-code">Error Code: <span id="errorCode">${e}</span></div>
+        <div class="error-code">Error Code: <span id="errorCode">${errorCode}</span></div>
     </div>
 </body>
-</html>`,Oe=l("/error",{method:"GET",metadata:_},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(Pt(t),{headers:{"Content-Type":"text/html"}})});var Ce=l("/ok",{method:"GET",metadata:_},async e=>e.json({ok:!0}));import{alphabet as je,generateRandomString as De}from"oslo/crypto";import{z as S}from"zod";var $e=l("/sign-up/email",{method:"POST",query:S.object({currentURL:S.string().optional()}).optional(),body:S.object({name:S.string(),email:S.string(),password:S.string(),image:S.string().optional(),callbackURL:S.string().optional()})},async e=>{if(!e.context.options.emailAndPassword?.enabled)return e.json(null,{status:400,body:{message:"Email and password is not enabled"}});let{name:t,email:o,password:r,image:n}=e.body;if(!S.string().email().safeParse(o).success)return e.json(null,{status:400,body:{message:"Invalid email address"}});let i=e.context.password.config.minPasswordLength;if(r.length<i)return e.context.logger.error("Password is too short"),e.json(null,{status:400,body:{message:"Password is too short"}});let a=e.context.password.config.maxPasswordLength;if(r.length>a)return e.context.logger.error("Password is too long"),e.json(null,{status:400,body:{message:"Password is too long"}});let d=await e.context.internalAdapter.findUserByEmail(o),u=await e.context.password.hash(r);if(d?.user)return e.json(null,{status:400,body:{message:"User already exists"}});let c=await e.context.internalAdapter.createUser({id:De(32,je("a-z","0-9","A-Z")),email:o.toLowerCase(),name:t,image:n,emailVerified:!1,createdAt:new Date,updatedAt:new Date});if(!c)return e.json(null,{status:400,body:{message:"Could not create user"}});await e.context.internalAdapter.linkAccount({id:De(32,je("a-z","0-9","A-Z")),userId:c.id,providerId:"credential",accountId:c.id,password:u});let m=await e.context.internalAdapter.createSession(c.id,e.request);if(!m)return e.json(null,{status:400,body:{message:"Could not create session"}});if(await U(e,m.id),e.context.options.emailAndPassword.sendEmailVerificationOnSignUp){let g=await W(e.context.secret,c.email),w=`${e.context.baseURL}/verify-email?token=${g}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailAndPassword.sendVerificationEmail?.(c.email,w,g)}return e.json({user:c,session:m},{body:e.body.callbackURL?{url:e.body.callbackURL,redirect:!0}:{user:c,session:m}})});import J from"chalk";function vt(e,t,o){let r=Date.now(),n=t*1e3;return r-o.lastRequest<n&&o.count>=e}function xt(e){return new Response(JSON.stringify({message:"Too many requests. Please try again later."}),{status:429,statusText:"Too Many Requests",headers:{"X-Retry-After":e.toString()}})}function St(e,t){let o=Date.now(),r=t*1e3;return Math.ceil((e+r-o)/1e3)}function _t(e,t){let o=t??"rateLimit",r=e.adapter;return{get:async n=>await r.findOne({model:o,where:[{field:"key",value:n}]}),set:async(n,s,i)=>{try{i?await r.update({model:t??"rateLimit",where:[{field:"key",value:n}],update:{count:s.count,lastRequest:s.lastRequest}}):await r.create({model:t??"rateLimit",data:{key:n,count:s.count,lastRequest:s.lastRequest}})}catch(a){P.error("Error setting rate limit",a)}}}}var Be=new Map;function It(e){return e.rateLimit.customStorage?e.rateLimit.customStorage:e.rateLimit.storage==="memory"?{async get(o){return Be.get(o)},async set(o,r,n){Be.set(o,r)}}:_t(e,e.rateLimit.tableName)}async function ze(e,t){if(!t.rateLimit.enabled)return;let o=t.baseURL,r=e.url.replace(o,""),n=t.rateLimit.window,s=t.rateLimit.max,i=$(e)+r,d=Lt().find(g=>g.pathMatcher(r));d&&(n=d.window,s=d.max);for(let g of t.options.plugins||[])if(g.rateLimit){let w=g.rateLimit.find(h=>h.pathMatcher(r));if(w){n=w.window,s=w.max;break}}if(t.rateLimit.customRules){let g=t.rateLimit.customRules[r];g&&(n=g.window,s=g.max)}let u=It(t),c=await u.get(i),m=Date.now();if(!c)await u.set(i,{key:i,count:1,lastRequest:m});else{let g=m-c.lastRequest;if(vt(s,n,c)){let w=St(c.lastRequest,n);return xt(w)}else g>n*1e3?await u.set(i,{...c,count:1,lastRequest:m}):await u.set(i,{...c,count:c.count+1,lastRequest:m})}}function Lt(){return[{pathMatcher(t){return t.startsWith("/sign-in")||t.startsWith("/sign-up")},window:10,max:7}]}function Ct(e,t){let o=t.plugins?.reduce((a,d)=>({...a,...d.endpoints}),{}),r=t.plugins?.map(a=>a.middlewares?.map(d=>{let u=async c=>d.middleware({...c,context:{...e,...c.context}});return u.path=d.path,u.options=d.middleware.options,u.headers=d.middleware.headers,{path:d.path,middleware:u}})).filter(a=>a!==void 0).flat()||[],s={...{signInOAuth:ye,callbackOAuth:ke,getCSRFToken:Ee,getSession:M(),signOut:Re,signUpEmail:$e,signInEmail:we,forgetPassword:Te,resetPassword:ve,verifyEmail:Se,sendVerificationEmail:xe,changePassword:Ie,setPassword:Le,updateUser:_e,forgetPasswordCallback:Pe,listSessions:fe(),revokeSession:ge,revokeSessions:he},...o,ok:Ce,error:Oe},i={};for(let[a,d]of Object.entries(s))i[a]=async u=>{let c=await e,g=await d({...u,context:{...c,...u.context}});for(let w of t.plugins||[])if(w.hooks?.after){for(let h of w.hooks.after)if(h.matcher(u)){let z=Object.assign(u,{context:{...e,returned:g}}),R=await h.handler(z);R&&"response"in R&&(g=R.response)}}return g},i[a].path=d.path,i[a].method=d.method,i[a].options=d.options,i[a].headers=d.headers;return{api:i,middlewares:r}}var Ns=(e,t)=>{let{api:o,middlewares:r}=Ct(e,t),n=new URL(e.baseURL).pathname;return Ot(o,{extraContext:e,basePath:n,routerMiddleware:[{path:"/**",middleware:Y},...r],async onRequest(s){for(let i of e.options.plugins||[])if(i.onRequest){let a=await i.onRequest(s,e);if(a)return a}return ze(s,e)},async onResponse(s){for(let i of e.options.plugins||[])if(i.onResponse){let a=await i.onResponse(s,e);if(a)return a.response}return s},onError(s){let i=t.logger?.verboseLogging?P:void 0;if(t.logger?.disabled!==!0)if(s instanceof Et)i?.warn(s);else if(typeof s=="object"&&s!==null&&"message"in s){let a=s.message;if(!a||typeof a!="string"){i?.error(s);return}a.includes("no such table")?P?.error(`Please run ${J.green("npx better-auth migrate")} to create the tables. There are missing tables in your SQLite database.`):a.includes("relation")&&a.includes("does not exist")?P.error(`Please run ${J.green("npx better-auth migrate")} to create the tables. There are missing tables in your PostgreSQL database.`):a.includes("Table")&&a.includes("doesn't exist")?P?.error(`Please run ${J.green("npx better-auth migrate")} to create the tables. There are missing tables in your MySQL database.`):i?.error(s)}else i?.error(s)}})};export{ke as callbackOAuth,Ie as changePassword,l as createAuthEndpoint,D as createAuthMiddleware,W as createEmailVerificationToken,Y as csrfMiddleware,Oe as error,Te as forgetPassword,Pe as forgetPasswordCallback,Ee as getCSRFToken,Ct as getEndpoints,M as getSession,H as getSessionFromCtx,fe as listSessions,Ce as ok,K as optionsMiddleware,ve as resetPassword,ge as revokeSession,he as revokeSessions,Ns as router,xe as sendVerificationEmail,E as sessionMiddleware,Le as setPassword,we as signInEmail,ye as signInOAuth,Re as signOut,$e as signUpEmail,_e as updateUser,Se as verifyEmail};
+</html>`;
+var error = createAuthEndpoint(
+  "/error",
+  {
+    method: "GET",
+    metadata: HIDE_METADATA
+  },
+  async (c) => {
+    const query = new URL(c.request?.url || "").searchParams.get("error") || "Unknown";
+    return new Response(html(query), {
+      headers: {
+        "Content-Type": "text/html"
+      }
+    });
+  }
+);
+
+// src/api/routes/ok.ts
+var ok = createAuthEndpoint(
+  "/ok",
+  {
+    method: "GET",
+    metadata: HIDE_METADATA
+  },
+  async (ctx) => {
+    return ctx.json({
+      ok: true
+    });
+  }
+);
+
+// src/api/routes/sign-up.ts
+import { alphabet as alphabet4, generateRandomString as generateRandomString4 } from "oslo/crypto";
+import { z as z11 } from "zod";
+var signUpEmail = createAuthEndpoint(
+  "/sign-up/email",
+  {
+    method: "POST",
+    query: z11.object({
+      currentURL: z11.string().optional()
+    }).optional(),
+    body: z11.object({
+      name: z11.string(),
+      email: z11.string(),
+      password: z11.string(),
+      image: z11.string().optional(),
+      callbackURL: z11.string().optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.enabled) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Email and password is not enabled"
+        }
+      });
+    }
+    const { name, email, password, image } = ctx.body;
+    const isValidEmail = z11.string().email().safeParse(email);
+    if (!isValidEmail.success) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Invalid email address"
+        }
+      });
+    }
+    const minPasswordLength = ctx.context.password.config.minPasswordLength;
+    if (password.length < minPasswordLength) {
+      ctx.context.logger.error("Password is too short");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too short" }
+      });
+    }
+    const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
+    if (password.length > maxPasswordLength) {
+      ctx.context.logger.error("Password is too long");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too long" }
+      });
+    }
+    const dbUser = await ctx.context.internalAdapter.findUserByEmail(email);
+    const hash = await ctx.context.password.hash(password);
+    if (dbUser?.user) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User already exists"
+        }
+      });
+    }
+    const createdUser = await ctx.context.internalAdapter.createUser({
+      id: generateRandomString4(32, alphabet4("a-z", "0-9", "A-Z")),
+      email: email.toLowerCase(),
+      name,
+      image,
+      emailVerified: false,
+      createdAt: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date()
+    });
+    if (!createdUser) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Could not create user"
+        }
+      });
+    }
+    await ctx.context.internalAdapter.linkAccount({
+      id: generateRandomString4(32, alphabet4("a-z", "0-9", "A-Z")),
+      userId: createdUser.id,
+      providerId: "credential",
+      accountId: createdUser.id,
+      password: hash
+    });
+    const session = await ctx.context.internalAdapter.createSession(
+      createdUser.id,
+      ctx.request
+    );
+    if (!session) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Could not create session"
+        }
+      });
+    }
+    await setSessionCookie(ctx, session.id);
+    if (ctx.context.options.emailAndPassword.sendEmailVerificationOnSignUp) {
+      const token = await createEmailVerificationToken(
+        ctx.context.secret,
+        createdUser.email
+      );
+      const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || ctx.query?.currentURL || "/"}`;
+      await ctx.context.options.emailAndPassword.sendVerificationEmail?.(
+        createdUser.email,
+        url,
+        token
+      );
+    }
+    return ctx.json(
+      {
+        user: createdUser,
+        session
+      },
+      {
+        body: ctx.body.callbackURL ? {
+          url: ctx.body.callbackURL,
+          redirect: true
+        } : {
+          user: createdUser,
+          session
+        }
+      }
+    );
+  }
+);
+
+// src/api/index.ts
+import chalk from "chalk";
+
+// src/api/rate-limiter.ts
+function shouldRateLimit(max, window2, rateLimitData) {
+  const now = Date.now();
+  const windowInMs = window2 * 1e3;
+  const timeSinceLastRequest = now - rateLimitData.lastRequest;
+  return timeSinceLastRequest < windowInMs && rateLimitData.count >= max;
+}
+function rateLimitResponse(retryAfter) {
+  return new Response(
+    JSON.stringify({
+      message: "Too many requests. Please try again later."
+    }),
+    {
+      status: 429,
+      statusText: "Too Many Requests",
+      headers: {
+        "X-Retry-After": retryAfter.toString()
+      }
+    }
+  );
+}
+function getRetryAfter(lastRequest, window2) {
+  const now = Date.now();
+  const windowInMs = window2 * 1e3;
+  return Math.ceil((lastRequest + windowInMs - now) / 1e3);
+}
+function createDBStorage(ctx, tableName) {
+  const model = tableName ?? "rateLimit";
+  const db = ctx.adapter;
+  return {
+    get: async (key) => {
+      const res = await db.findOne({
+        model,
+        where: [{ field: "key", value: key }]
+      });
+      return res;
+    },
+    set: async (key, value, _update) => {
+      try {
+        if (_update) {
+          await db.update({
+            model: tableName ?? "rateLimit",
+            where: [{ field: "key", value: key }],
+            update: {
+              count: value.count,
+              lastRequest: value.lastRequest
+            }
+          });
+        } else {
+          await db.create({
+            model: tableName ?? "rateLimit",
+            data: {
+              key,
+              count: value.count,
+              lastRequest: value.lastRequest
+            }
+          });
+        }
+      } catch (e) {
+        logger.error("Error setting rate limit", e);
+      }
+    }
+  };
+}
+var memory = /* @__PURE__ */ new Map();
+function getRateLimitStorage(ctx) {
+  if (ctx.rateLimit.customStorage) {
+    return ctx.rateLimit.customStorage;
+  }
+  const storage = ctx.rateLimit.storage;
+  if (storage === "memory") {
+    return {
+      async get(key) {
+        return memory.get(key);
+      },
+      async set(key, value, _update) {
+        memory.set(key, value);
+      }
+    };
+  }
+  return createDBStorage(ctx, ctx.rateLimit.tableName);
+}
+async function onRequestRateLimit(req, ctx) {
+  if (!ctx.rateLimit.enabled) {
+    return;
+  }
+  const baseURL = ctx.baseURL;
+  const path = req.url.replace(baseURL, "");
+  let window2 = ctx.rateLimit.window;
+  let max = ctx.rateLimit.max;
+  const key = getIp(req) + path;
+  const specialRules = getDefaultSpecialRules();
+  const specialRule = specialRules.find((rule) => rule.pathMatcher(path));
+  if (specialRule) {
+    window2 = specialRule.window;
+    max = specialRule.max;
+  }
+  for (const plugin of ctx.options.plugins || []) {
+    if (plugin.rateLimit) {
+      const matchedRule = plugin.rateLimit.find(
+        (rule) => rule.pathMatcher(path)
+      );
+      if (matchedRule) {
+        window2 = matchedRule.window;
+        max = matchedRule.max;
+        break;
+      }
+    }
+  }
+  if (ctx.rateLimit.customRules) {
+    const customRule = ctx.rateLimit.customRules[path];
+    if (customRule) {
+      window2 = customRule.window;
+      max = customRule.max;
+    }
+  }
+  const storage = getRateLimitStorage(ctx);
+  const data = await storage.get(key);
+  const now = Date.now();
+  if (!data) {
+    await storage.set(key, {
+      key,
+      count: 1,
+      lastRequest: now
+    });
+  } else {
+    const timeSinceLastRequest = now - data.lastRequest;
+    if (shouldRateLimit(max, window2, data)) {
+      const retryAfter = getRetryAfter(data.lastRequest, window2);
+      return rateLimitResponse(retryAfter);
+    } else if (timeSinceLastRequest > window2 * 1e3) {
+      await storage.set(key, {
+        ...data,
+        count: 1,
+        lastRequest: now
+      });
+    } else {
+      await storage.set(key, {
+        ...data,
+        count: data.count + 1,
+        lastRequest: now
+      });
+    }
+  }
+}
+function getDefaultSpecialRules() {
+  const specialRules = [
+    {
+      pathMatcher(path) {
+        return path.startsWith("/sign-in") || path.startsWith("/sign-up");
+      },
+      window: 10,
+      max: 7
+    }
+  ];
+  return specialRules;
+}
+
+// src/api/index.ts
+function getEndpoints(ctx, options) {
+  const pluginEndpoints = options.plugins?.reduce(
+    (acc, plugin) => {
+      return {
+        ...acc,
+        ...plugin.endpoints
+      };
+    },
+    {}
+  );
+  const middlewares = options.plugins?.map(
+    (plugin) => plugin.middlewares?.map((m) => {
+      const middleware = async (context) => {
+        return m.middleware({
+          ...context,
+          context: {
+            ...ctx,
+            ...context.context
+          }
+        });
+      };
+      middleware.path = m.path;
+      middleware.options = m.middleware.options;
+      middleware.headers = m.middleware.headers;
+      return {
+        path: m.path,
+        middleware
+      };
+    })
+  ).filter((plugin) => plugin !== void 0).flat() || [];
+  const baseEndpoints = {
+    signInOAuth,
+    callbackOAuth,
+    getCSRFToken,
+    getSession: getSession(),
+    signOut,
+    signUpEmail,
+    signInEmail,
+    forgetPassword,
+    resetPassword,
+    verifyEmail,
+    sendVerificationEmail,
+    changePassword,
+    setPassword,
+    updateUser,
+    forgetPasswordCallback,
+    listSessions: listSessions(),
+    revokeSession,
+    revokeSessions
+  };
+  const endpoints = {
+    ...baseEndpoints,
+    ...pluginEndpoints,
+    ok,
+    error
+  };
+  let api = {};
+  for (const [key, value] of Object.entries(endpoints)) {
+    api[key] = async (context) => {
+      const c = await ctx;
+      const endpointRes = await value({
+        ...context,
+        context: {
+          ...c,
+          ...context.context
+        }
+      });
+      let response = endpointRes;
+      for (const plugin of options.plugins || []) {
+        if (plugin.hooks?.after) {
+          for (const hook of plugin.hooks.after) {
+            const match = hook.matcher(context);
+            if (match) {
+              const obj = Object.assign(context, {
+                context: {
+                  ...ctx,
+                  returned: response
+                }
+              });
+              const hookRes = await hook.handler(obj);
+              if (hookRes && "response" in hookRes) {
+                response = hookRes.response;
+              }
+            }
+          }
+        }
+      }
+      return response;
+    };
+    api[key].path = value.path;
+    api[key].method = value.method;
+    api[key].options = value.options;
+    api[key].headers = value.headers;
+  }
+  return {
+    api,
+    middlewares
+  };
+}
+var router = (ctx, options) => {
+  const { api, middlewares } = getEndpoints(ctx, options);
+  const basePath = new URL(ctx.baseURL).pathname;
+  return createRouter(api, {
+    extraContext: ctx,
+    basePath,
+    routerMiddleware: [
+      {
+        path: "/**",
+        middleware: csrfMiddleware
+      },
+      ...middlewares
+    ],
+    async onRequest(req) {
+      for (const plugin of ctx.options.plugins || []) {
+        if (plugin.onRequest) {
+          const response = await plugin.onRequest(req, ctx);
+          if (response) {
+            return response;
+          }
+        }
+      }
+      return onRequestRateLimit(req, ctx);
+    },
+    async onResponse(res) {
+      for (const plugin of ctx.options.plugins || []) {
+        if (plugin.onResponse) {
+          const response = await plugin.onResponse(res, ctx);
+          if (response) {
+            return response.response;
+          }
+        }
+      }
+      return res;
+    },
+    onError(e) {
+      const log = options.logger?.verboseLogging ? logger : void 0;
+      if (options.logger?.disabled !== true) {
+        if (e instanceof APIError6) {
+          log?.warn(e);
+        } else {
+          if (typeof e === "object" && e !== null && "message" in e) {
+            const errorMessage = e.message;
+            if (!errorMessage || typeof errorMessage !== "string") {
+              log?.error(e);
+              return;
+            }
+            if (errorMessage.includes("no such table")) {
+              logger?.error(
+                `Please run ${chalk.green(
+                  "npx better-auth migrate"
+                )} to create the tables. There are missing tables in your SQLite database.`
+              );
+            } else if (errorMessage.includes("relation") && errorMessage.includes("does not exist")) {
+              logger.error(
+                `Please run ${chalk.green(
+                  "npx better-auth migrate"
+                )} to create the tables. There are missing tables in your PostgreSQL database.`
+              );
+            } else if (errorMessage.includes("Table") && errorMessage.includes("doesn't exist")) {
+              logger?.error(
+                `Please run ${chalk.green(
+                  "npx better-auth migrate"
+                )} to create the tables. There are missing tables in your MySQL database.`
+              );
+            } else {
+              log?.error(e);
+            }
+          } else {
+            log?.error(e);
+          }
+        }
+      }
+    }
+  });
+};
+export {
+  callbackOAuth,
+  changePassword,
+  createAuthEndpoint,
+  createAuthMiddleware,
+  createEmailVerificationToken,
+  csrfMiddleware,
+  error,
+  forgetPassword,
+  forgetPasswordCallback,
+  getCSRFToken,
+  getEndpoints,
+  getSession,
+  getSessionFromCtx,
+  listSessions,
+  ok,
+  optionsMiddleware,
+  resetPassword,
+  revokeSession,
+  revokeSessions,
+  router,
+  sendVerificationEmail,
+  sessionMiddleware,
+  setPassword,
+  signInEmail,
+  signInOAuth,
+  signOut,
+  signUpEmail,
+  updateUser,
+  verifyEmail
+};