better-auth 0.2.3-beta.8 → 0.2.4

package/dist/index.js

@@ -1,5 +1,2029 @@
-import{APIError as ir,createRouter as ar}from"better-call";import{APIError as ce}from"better-call";import{z as le}from"zod";import{xchacha20poly1305 as xr}from"@noble/ciphers/chacha";import{bytesToHex as Pr,hexToBytes as vr,utf8ToBytes as Ir}from"@noble/ciphers/utils";import{managedNonce as Or}from"@noble/ciphers/webcrypto";import{sha256 as Cr}from"@noble/hashes/sha256";async function F(e,t){let o=new TextEncoder,r={name:"HMAC",hash:"SHA-256"},n=await crypto.subtle.importKey("raw",o.encode(e),r,!1,["sign","verify"]),s=await crypto.subtle.sign(r.name,n,o.encode(t));return btoa(String.fromCharCode(...new Uint8Array(s)))}import{createEndpointCreator as gt,createMiddleware as ae,createMiddlewareCreator as ht}from"better-call";var de=ae(async()=>({})),z=ht({use:[de,ae(async()=>({}))]}),g=gt({use:[de]});var ue=z({body:le.object({csrfToken:le.string().optional()}).optional()},async e=>{if(e.request?.method!=="POST"||e.context.options.advanced?.disableCSRFCheck)return;let t=new URL(e.request.url);if(t.origin===new URL(e.context.baseURL).origin||e.context.options.trustedOrigins?.includes(t.origin))return;let o=e.body?.csrfToken,r=await e.getSignedCookie(e.context.authCookies.csrfToken.name,e.context.secret),[n,s]=r?.split("!")||[null,null];if(!o||!r||!n||!s||r!==o)throw e.setCookie(e.context.authCookies.csrfToken.name,"",{maxAge:0}),new ce("UNAUTHORIZED",{message:"Invalid CSRF Token"});let i=await F(e.context.secret,n);if(s!==i)throw e.setCookie(e.context.authCookies.csrfToken.name,"",{maxAge:0}),new ce("UNAUTHORIZED",{message:"Invalid CSRF Token"})});import{APIError as I}from"better-call";import{generateCodeVerifier as Nt}from"oslo/oauth2";import{z as x}from"zod";import"arctic";import{parseJWT as At}from"oslo/jwt";import"@better-fetch/fetch";var k=class extends Error{constructor(t,o,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=o}};import{OAuth2Tokens as bt}from"arctic";function yt(e){try{return new URL(e).pathname!=="/"}catch{throw new k(`Invalid base URL: ${e}. Please provide a valid base URL.`)}}function J(e,t="/api/auth"){return yt(e)?e:(t=t.startsWith("/")?t:`/${t}`,`${e}${t}`)}function V(e,t){if(e)return J(e,t);let o=process?.env||{},r=o.BETTER_AUTH_URL||o.NEXT_PUBLIC_BETTER_AUTH_URL||o.PUBLIC_BETTER_AUTH_URL||o.NUXT_PUBLIC_BETTER_AUTH_URL||o.NUXT_PUBLIC_AUTH_URL||(o.BASE_URL!=="/"?o.BASE_URL:void 0);if(r)return J(r,t);if(typeof window<"u")return J(window.location.origin,t)}import{betterFetch as wt}from"@better-fetch/fetch";function w(e,t){return t||`${V()}/callback/${e}`}async function R({code:e,codeVerifier:t,redirectURI:o,options:r,tokenEndpoint:n}){let s=new URLSearchParams;s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",o),s.set("client_id",r.clientId),s.set("client_secret",r.clientSecret);let{data:i,error:a}=await wt(n,{method:"POST",body:s,headers:{"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"}});if(a)throw a;return new bt(i)}var pe=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:o,scopes:r,redirectURI:n}){let s=r||["email","name","openid"];return new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${s.join(" ")}&state=${o}`)},validateAuthorizationCode:async(o,r,n)=>R({code:o,codeVerifier:r,redirectURI:n||w("apple",e.redirectURI),options:e,tokenEndpoint:t}),async getUserInfo(o){let r=At(o.idToken())?.payload;return r?{user:{id:r.sub,name:r.name,email:r.email,emailVerified:r.email_verified==="true"},data:r}:null}}};import{betterFetch as kt}from"@better-fetch/fetch";import{Discord as Rt}from"arctic";var me=e=>{let t=new Rt(e.clientId,e.clientSecret,w("discord",e.redirectURI));return{id:"discord",name:"Discord",createAuthorizationURL({state:o,scopes:r}){let n=r||["email"];return t.createAuthorizationURL(o,n)},validateAuthorizationCode:async(o,r,n)=>R({code:o,codeVerifier:r,redirectURI:n||w("discord",e.redirectURI),options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(o){let{data:r,error:n}=await kt("https://discord.com/api/users/@me",{auth:{type:"Bearer",token:o.accessToken()}});return n?null:{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified},data:r}}}};import{betterFetch as Tt}from"@better-fetch/fetch";import{Facebook as xt}from"arctic";var fe=e=>{let t=new xt(e.clientId,e.clientSecret,w("facebook",e.redirectURI));return{id:"facebook",name:"Facebook",createAuthorizationURL({state:o,scopes:r}){let n=r||["email","public_profile"];return t.createAuthorizationURL(o,n)},validateAuthorizationCode:async(o,r,n)=>R({code:o,codeVerifier:r,redirectURI:n||w("facebook",e.redirectURI),options:e,tokenEndpoint:"https://graph.facebook.com/v16.0/oauth/access_token"}),async getUserInfo(o){let{data:r,error:n}=await Tt("https://graph.facebook.com/me",{auth:{type:"Bearer",token:o.accessToken()}});return n?null:{user:{id:r.id,name:r.name,email:r.email,emailVerified:r.email_verified},data:r}}}};import{betterFetch as ge}from"@better-fetch/fetch";import{GitHub as Ut}from"arctic";var he=({clientId:e,clientSecret:t,redirectURI:o})=>{let r=new Ut(e,t,w("github",o));return{id:"github",name:"Github",createAuthorizationURL({state:n,scopes:s}){let i=s||["user:email"];return r.createAuthorizationURL(n,i)},validateAuthorizationCode:async n=>await r.validateAuthorizationCode(n),async getUserInfo(n){let{data:s,error:i}=await ge("https://api.github.com/user",{auth:{type:"Bearer",token:n.accessToken()}});if(i)return null;let a=!1;if(!s.email){let{data:d,error:c}=await ge("https://api.github.com/user/emails",{auth:{type:"Bearer",token:n.accessToken()}});c||(s.email=(d.find(l=>l.primary)??d[0])?.email,a=d.find(l=>l.email===s.email)?.verified??!1)}return{user:{id:s.id,name:s.name,email:s.email,image:s.avatar_url,emailVerified:a,createdAt:new Date,updatedAt:new Date},data:s}}}};import{Google as vt}from"arctic";import{parseJWT as It}from"oslo/jwt";import{createConsola as Pt}from"consola";var E=Pt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Z=e=>({log:(...t)=>{!e?.disabled&&E.log("",...t)},error:(...t)=>{!e?.disabled&&E.error("",...t)},warn:(...t)=>{!e?.disabled&&E.warn("",...t)},info:(...t)=>{!e?.disabled&&E.info("",...t)},debug:(...t)=>{!e?.disabled&&E.debug("",...t)},box:(...t)=>{!e?.disabled&&E.box("",...t)},success:(...t)=>{!e?.disabled&&E.success("",...t)},break:(...t)=>{!e?.disabled&&console.log(`
-`)}}),T=Z();var ye=e=>{let t=new vt(e.clientId,e.clientSecret,w("google",e.redirectURI));return{id:"google",name:"Google",createAuthorizationURL({state:o,scopes:r,codeVerifier:n,redirectURI:s}){if(!e.clientId||!e.clientSecret)throw T.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new k("CLIENT_ID_AND_SECRET_REQUIRED");if(!n)throw new k("codeVerifier is required for Google");let i=r||["email","profile"];return t.createAuthorizationURL(o,n,i)},validateAuthorizationCode:async(o,r,n)=>R({code:o,codeVerifier:r,redirectURI:n||w("google",e.redirectURI),options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async getUserInfo(o){if(!o.idToken)return null;let r=It(o.idToken())?.payload;return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified},data:r}}}};import{betterFetch as St}from"@better-fetch/fetch";import{Spotify as Ot}from"arctic";var be=e=>{let t=new Ot(e.clientId,e.clientSecret,w("spotify",e.redirectURI));return{id:"spotify",name:"Spotify",createAuthorizationURL({state:o,scopes:r}){let n=r||["user-read-email"];return t.createAuthorizationURL(o,n)},validateAuthorizationCode:async(o,r,n)=>R({code:o,codeVerifier:r,redirectURI:n||w("spotify",e.redirectURI),options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(o){let{data:r,error:n}=await St("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken()}`}});return n?null:{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1},data:r}}}};import{betterFetch as Lt}from"@better-fetch/fetch";import{Twitch as Ct}from"arctic";var we=e=>{let t=new Ct(e.clientId,e.clientSecret,w("twitch",e.redirectURI));return{id:"twitch",name:"Twitch",createAuthorizationURL({state:o,scopes:r}){let n=r||["activity:write","read"];return t.createAuthorizationURL(o,n)},validateAuthorizationCode:async(o,r,n)=>R({code:o,codeVerifier:r,redirectURI:n||w("twitch",e.redirectURI),options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(o){let{data:r,error:n}=await Lt("https://api.twitch.tv/helix/users",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken()}`}});return n?null:{user:{id:r.sub,name:r.preferred_username,email:r.email,image:r.picture,emailVerified:!1},data:r}}}};import{betterFetch as Et}from"@better-fetch/fetch";import{Twitter as _t}from"arctic";var Ae=e=>{let t=new _t(e.clientId,e.clientSecret,w("twitter",e.redirectURI));return{id:"twitter",name:"Twitter",createAuthorizationURL(o){let r=o.scopes||["account_info.read"];return t.createAuthorizationURL(o.state,o.codeVerifier,r)},validateAuthorizationCode:async(o,r,n)=>R({code:o,codeVerifier:r,redirectURI:n||w("twitch",e.redirectURI),options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(o){let{data:r,error:n}=await Et("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken()}`}});return n||!r.data.email?null:{user:{id:r.data.id,name:r.data.name,email:r.data.email,image:r.data.profile_image_url,emailVerified:r.data.verified||!1},data:r}}}};import"arctic";var Q={apple:pe,discord:me,facebook:fe,github:he,google:ye,spotify:be,twitch:we,twitter:Ae},ke=Object.keys(Q);import{generateState as Bt}from"oslo/oauth2";import{z as D}from"zod";function Re(e,t,o){let r=Bt();return{state:JSON.stringify({code:r,callbackURL:e,currentURL:t,dontRememberMe:o}),code:r}}function X(e){return D.object({code:D.string(),callbackURL:D.string().optional(),currentURL:D.string().optional(),dontRememberMe:D.boolean().optional()}).safeParse(JSON.parse(e))}import{APIError as jt}from"better-call";var N=(e,t=!1)=>{let o=new Date;return new Date(o.getTime()+(t?e*1e3:e))};import{TimeSpan as qt}from"oslo";function Te(e){let o=!!e.advanced?.useSecureCookies||process.env.NODE_ENV!=="development"&&process.env.NODE_ENV!=="test"?"__Secure-":"",r="better-auth",n=new qt(7,"d").seconds();return{sessionToken:{name:`${o}${r}.session_token`,options:{httpOnly:!0,sameSite:"lax",path:"/",secure:!!o,maxAge:n}},csrfToken:{name:`${o?"__Host-":""}${r}.csrf_token`,options:{httpOnly:!0,sameSite:"lax",path:"/",secure:!!o,maxAge:60*60*24*7}},state:{name:`${o}${r}.state`,options:{httpOnly:!0,sameSite:"lax",path:"/",secure:!!o,maxAge:60*15}},pkCodeVerifier:{name:`${o}${r}.pk_code_verifier`,options:{httpOnly:!0,sameSite:"lax",path:"/",secure:!!o,maxAge:60*15}},dontRememberToken:{name:`${o}${r}.dont_remember`,options:{httpOnly:!0,sameSite:"lax",path:"/",secure:!!o}},nonce:{name:`${o}${r}.nonce`,options:{httpOnly:!0,sameSite:"lax",path:"/",secure:!!o,maxAge:60*15}}}}function xe(e){let o=!!e.advanced?.useSecureCookies||process.env.NODE_ENV==="production"?"__Secure-":"",r="better-auth";function n(s,i){return{name:process.env.NODE_ENV==="production"?`${o}${r}.${s}`:`${r}.${s}`,options:{secure:!!o,sameSite:"lax",path:"/",maxAge:60*15,...i}}}return n}async function P(e,t,o,r){let n=e.context.authCookies.sessionToken.options;n.maxAge=o?void 0:n.maxAge,await e.setSignedCookie(e.context.authCookies.sessionToken.name,t,e.context.secret,n),o&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options)}function $(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{maxAge:0})}import{z as Ue}from"zod";function M(e){let t="127.0.0.1";if(process.env.NODE_ENV==="test")return t;let o=["x-client-ip","x-forwarded-for","cf-connecting-ip","fastly-client-ip","x-real-ip","x-cluster-client-ip","x-forwarded","forwarded-for","forwarded"];for(let r of o){let n=e.headers.get(r);if(typeof n=="string"){let s=n.split(",")[0].trim();if(s)return s}}return null}var Y=new Map;function Dt(e,t){if(!e.request)return"";let{method:o,url:r,headers:n}=e.request,s=e.request.headers.get("User-Agent")||"",i=M(e.request)||"",a=JSON.stringify(n);return`${o}:${r}:${a}:${s}:${i}:${t}`}var ee=()=>g("/session",{method:"GET",requireHeaders:!0},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null,{status:401});let o=Dt(e,t),r=Y.get(o);if(r){if(r.expiresAt>Date.now())return e.json(r.data);Y.delete(o)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return $(e),n&&await e.context.internalAdapter.deleteSession(n.session.id),e.json(null,{status:401});if(await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret))return e.json(n);let i=e.context.sessionConfig.expiresIn,a=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-i*1e3+a*1e3<=Date.now()){let l=await e.context.internalAdapter.updateSession(n.session.id,{expiresAt:N(e.context.sessionConfig.expiresIn,!0)});if(!l)return $(e),e.json(null,{status:401});let u=(l.expiresAt.valueOf()-Date.now())/1e3;return await P(e,l.id,!1,{maxAge:u}),e.json({session:l,user:n.user})}return Y.set(o,{data:n,expiresAt:Date.now()+5e3}),e.json(n)}catch(t){return e.context.logger.error(t),e.json(null,{status:500})}}),te=async e=>await ee()({...e,_flag:void 0}),_=z(async e=>{let t=await te(e);if(!t?.session)throw new jt("UNAUTHORIZED");return{session:t}}),Pe=()=>g("/user/list-sessions",{method:"GET",use:[_],requireHeaders:!0},async e=>{let o=(await e.context.adapter.findMany({model:e.context.tables.session.tableName,where:[{field:"userId",value:e.context.session.user.id}]})).filter(r=>r.expiresAt>new Date);return e.json(o)}),ve=g("/user/revoke-session",{method:"POST",body:Ue.object({id:Ue.string()}),use:[_],requireHeaders:!0},async e=>{let t=e.body.id,o=await e.context.internalAdapter.findSession(t);if(!o)return e.json(null,{status:400});if(o.session.userId!==e.context.session.user.id)return e.json(null,{status:403});try{await e.context.internalAdapter.deleteSession(t)}catch(r){return e.context.logger.error(r),e.json(null,{status:500})}return e.json({status:!0})}),Ie=g("/user/revoke-sessions",{method:"POST",use:[_],requireHeaders:!0},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){return e.context.logger.error(t),e.json(null,{status:500})}return e.json({status:!0})});var Se=g("/sign-in/social",{method:"POST",requireHeaders:!0,query:x.object({currentURL:x.string().optional()}).optional(),body:x.object({callbackURL:x.string().optional(),provider:x.enum(ke),dontRememberMe:x.boolean().default(!1).optional()})},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider to your auth config",{provider:e.body.provider}),new I("NOT_FOUND",{message:"Provider not found"});let o=e.context.authCookies,r=e.query?.currentURL?new URL(e.query?.currentURL):null,n=e.body.callbackURL?.startsWith("http")?e.body.callbackURL:`${r?.origin}${e.body.callbackURL||""}`,s=Re(n||r?.origin||e.context.baseURL,e.query?.currentURL);try{await e.setSignedCookie(o.state.name,s.code,e.context.secret,o.state.options);let i=Nt();await e.setSignedCookie(o.pkCodeVerifier.name,i,e.context.secret,o.pkCodeVerifier.options);let a=t.createAuthorizationURL({state:s.state,codeVerifier:i});return a.searchParams.set("redirect_uri",`${e.context.baseURL}/callback/${e.body.provider}`),{url:a.toString(),state:s.state,codeVerifier:i,redirect:!0}}catch{throw new I("INTERNAL_SERVER_ERROR")}}),Oe=g("/sign-in/email",{method:"POST",body:x.object({email:x.string().email(),password:x.string(),callbackURL:x.string().optional(),dontRememberMe:x.boolean().default(!1).optional()})},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new I("BAD_REQUEST",{message:"Email and password is not enabled"});let t=await te(e);t&&await e.context.internalAdapter.deleteSession(t.session.id);let{email:o,password:r}=e.body;if(!x.string().email().safeParse(o).success)throw new I("BAD_REQUEST",{message:"Invalid email"});let s=await e.context.internalAdapter.findUserByEmail(o);if(!s)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:o}),new I("UNAUTHORIZED",{message:"Invalid email or password"});let i=s.accounts.find(l=>l.providerId==="credential");if(!i)throw e.context.logger.error("Credential account not found",{email:o}),new I("UNAUTHORIZED",{message:"Invalid email or password"});let a=i?.password;if(!a)throw e.context.logger.error("Password not found",{email:o}),new I("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(a,r))throw e.context.logger.error("Invalid password"),new I("UNAUTHORIZED",{message:"Invalid email or password"});let c=await e.context.internalAdapter.createSession(s.user.id,e.headers,e.body.dontRememberMe);if(!c)throw e.context.logger.error("Failed to create session"),new I("INTERNAL_SERVER_ERROR");return await P(e,c.id,e.body.dontRememberMe),e.json({user:s.user,session:c,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{APIError as zt}from"better-call";import{z as H}from"zod";import{z as b}from"zod";var Sn=b.object({id:b.string(),providerId:b.string(),accountId:b.string(),userId:b.string(),accessToken:b.string().nullable().optional(),refreshToken:b.string().nullable().optional(),idToken:b.string().nullable().optional(),expiresAt:b.date().nullable().optional(),password:b.string().optional().nullable()}),Le=b.object({id:b.string(),email:b.string().transform(e=>e.toLowerCase()),emailVerified:b.boolean().default(!1),name:b.string(),image:b.string().optional(),createdAt:b.date().default(new Date),updatedAt:b.date().default(new Date)}),On=b.object({id:b.string(),userId:b.string(),expiresAt:b.date(),ipAddress:b.string().optional(),userAgent:b.string().optional()});import{alphabet as $t,generateRandomString as Ft}from"oslo/crypto";var Ce=()=>Ft(36,$t("a-z","0-9"));var L={isAction:!1};function re(e){let t=e.accessToken(),o=e.hasRefreshToken()?e.refreshToken():void 0,r;try{r=e.accessTokenExpiresAt()}catch{}return{accessToken:t,refreshToken:o,expiresAt:r}}var Ee=g("/callback/:id",{method:"GET",query:H.object({state:H.string(),code:H.string().optional(),error:H.string().optional()}),metadata:L},async e=>{if(e.query.error||!e.query.code){let y=X(e.query.state).data?.callbackURL||`${e.context.baseURL}/error`;throw e.context.logger.error(e.query.error,e.params.id),e.redirect(`${y}?error=${e.query.error||"oAuth_code_missing"}`)}let t=e.context.socialProviders.find(f=>f.id===e.params.id);if(!t)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let o=await e.getSignedCookie(e.context.authCookies.pkCodeVerifier.name,e.context.secret),r;try{r=await t.validateAuthorizationCode(e.query.code,o,`${e.context.baseURL}/callback/${t.id}`)}catch(f){throw e.context.logger.error(f),e.redirect(`${e.context.baseURL}/error?error=oauth_code_verification_failed`)}let n=await t.getUserInfo(r).then(f=>f?.user),s=Ce(),i=Le.safeParse({...n,id:s}),a=X(e.query.state);if(!a.success)throw e.context.logger.error("Unable to parse state"),e.redirect(`${e.context.baseURL}/error?error=invalid_state_parameter`);let{callbackURL:d,currentURL:c,dontRememberMe:l}=a.data;if(!n||i.success===!1)throw e.redirect(`${e.context.baseURL}/error?error=oauth_validation_failed`);if(!d)throw e.redirect(`${e.context.baseURL}/error?error=oauth_callback_url_not_found`);let u=await e.context.internalAdapter.findUserByEmail(n.email),p=u?.user.id;if(u){let f=u.accounts.find(A=>A.providerId===t.id),y=e.context.options.account?.accountLinking?.trustedProviders,h=y?y.includes(t.id):!0;if(!f&&(!n.emailVerified||!h)){let A;try{A=new URL(c||d),A.searchParams.set("error","account_not_linked")}catch{throw e.redirect(`${e.context.baseURL}/error?error=account_not_linked`)}throw e.redirect(A.toString())}if(!f)try{await e.context.internalAdapter.linkAccount({providerId:t.id,accountId:n.id,id:`${t.id}:${n.id}`,userId:u.user.id,...re(r)})}catch(A){throw console.log(A),e.redirect(`${e.context.baseURL}/error?error=failed_linking_account`)}}else try{await e.context.internalAdapter.createOAuthUser(i.data,{...re(r),id:`${t.id}:${n.id}`,providerId:t.id,accountId:n.id,userId:s})}catch{let y=new URL(c||d);throw y.searchParams.set("error","unable_to_create_user"),e.setHeader("Location",y.toString()),e.redirect(y.toString())}if(!p&&!s)throw new zt("INTERNAL_SERVER_ERROR",{message:"Unable to create user"});let m=await e.context.internalAdapter.createSession(p||s,e.request,l);if(!m){let f=new URL(c||d);throw f.searchParams.set("error","unable_to_create_session"),e.redirect(f.toString())}try{await P(e,m.id,l)}catch(f){e.context.logger.error("Unable to set session cookie",f);let y=new URL(c||d);throw y.searchParams.set("error","unable_to_create_session"),e.redirect(y.toString())}throw e.redirect(d)});import{z as oe}from"zod";var _e=g("/sign-out",{method:"POST",body:oe.optional(oe.object({callbackURL:oe.string().optional()}))},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);return t?(await e.context.internalAdapter.deleteSession(t),$(e),e.json(null,{body:{redirect:!!e.body?.callbackURL,url:e.body?.callbackURL}})):e.json(null)});import{TimeSpan as Vt}from"oslo";import{createJWT as Mt,parseJWT as Ht}from"oslo/jwt";import{validateJWT as Be}from"oslo/jwt";import{z as U}from"zod";var qe=g("/forget-password",{method:"POST",body:U.object({email:U.string().email(),redirectTo:U.string()})},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)return e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function to your auth config!"),e.json(null,{status:400,statusText:"RESET_PASSWORD_EMAIL_NOT_SENT",body:{message:"Reset password isn't enabled"}});let{email:t}=e.body,o=await e.context.internalAdapter.findUserByEmail(t);if(!o)return e.json({status:!1},{body:{status:!0}});let r=await Mt("HS256",Buffer.from(e.context.secret),{email:o.user.email,redirectTo:e.body.redirectTo},{expiresIn:new Vt(1,"h"),issuer:"better-auth",subject:"forget-password",audiences:[o.user.email],includeIssuedTimestamp:!0}),n=`${e.context.baseURL}/reset-password/${r}`;return await e.context.options.emailAndPassword.sendResetPassword(n,o.user),e.json({status:!0})}),je=g("/reset-password/:token",{method:"GET"},async e=>{let{token:t}=e.params,o,r=U.object({email:U.string(),redirectTo:U.string()});try{if(o=await Be("HS256",Buffer.from(e.context.secret),t),!o.expiresAt||o.expiresAt<new Date)throw Error("Token expired")}catch{let i=Ht(t),a=r.safeParse(i?.payload);throw a.success?e.redirect(`${a.data?.redirectTo}?error=invalid_token`):e.redirect(`${e.context.baseURL}/error?error=invalid_token`)}let{redirectTo:n}=r.parse(o.payload);throw e.redirect(`${n}?token=${t}`)}),De=g("/reset-password",{method:"POST",query:U.object({currentURL:U.string()}).optional(),body:U.object({newPassword:U.string(),callbackURL:U.string().optional()})},async e=>{let t=e.query?.currentURL.split("?token=")[1];if(!t)return e.json({error:"Invalid token",data:null},{status:400,statusText:"INVALID_TOKEN",body:{message:"Invalid token"}});let{newPassword:o}=e.body;try{let r=await Be("HS256",Buffer.from(e.context.secret),t),n=U.string().email().parse(r.payload.email),s=await e.context.internalAdapter.findUserByEmail(n);if(!s)return e.json({error:"User not found",data:null},{status:400,body:{message:"failed to reset password"}});if(o.length<(e.context.options.emailAndPassword?.minPasswordLength||8)||o.length>(e.context.options.emailAndPassword?.maxPasswordLength||32))return e.json({data:null,error:"password is too short or too long"},{status:400,statusText:"INVALID_PASSWORD_LENGTH",body:{message:"password is too short or too long"}});let i=await e.context.password.hash(o);return await e.context.internalAdapter.updatePassword(s.user.id,i)?e.json({error:null,data:{status:!0,url:e.body.callbackURL,redirect:!!e.body.callbackURL}},{body:{status:!0,url:e.body.callbackURL,redirect:!!e.body.callbackURL}}):e.json(null,{status:400,statusText:"USER_NOT_FOUND",body:{message:"User doesn't have a credential account"}})}catch(r){return console.log(r),e.json({error:"Invalid token",data:null},{status:400,statusText:"INVALID_TOKEN",body:{message:"Invalid token"}})}});import{TimeSpan as Gt}from"oslo";import{createJWT as Kt,validateJWT as Wt}from"oslo/jwt";import{z as v}from"zod";async function ne(e,t){return await Kt("HS256",Buffer.from(e),{email:t.toLowerCase()},{expiresIn:new Gt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var Ne=g("/send-verification-email",{method:"POST",query:v.object({currentURL:v.string().optional()}).optional(),body:v.object({email:v.string().email(),callbackURL:v.string().optional()})},async e=>{if(!e.context.options.emailAndPassword?.sendVerificationEmail)return e.context.logger.error("Verification email isn't enabled. Pass `sendVerificationEmail` in `emailAndPassword` options to enable it."),e.json(null,{status:400,statusText:"VERIFICATION_EMAIL_NOT_SENT",body:{message:"Verification email isn't enabled"}});let{email:t}=e.body,o=await ne(e.context.secret,t),r=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailAndPassword.sendVerificationEmail(t,r,o),e.json({status:!0})}),$e=g("/verify-email",{method:"GET",query:v.object({token:v.string(),callbackURL:v.string().optional()})},async e=>{let{token:t}=e.query,o;try{o=await Wt("HS256",Buffer.from(e.context.secret),t)}catch(a){return e.context.logger.error("Failed to verify email",a),e.json(null,{status:400,statusText:"INVALID_TOKEN",body:{message:"Invalid token"}})}let n=v.object({email:v.string().email()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return e.json(null,{status:400,statusText:"USER_NOT_FOUND",body:{message:"User not found"}});if(!s.accounts.find(a=>a.providerId==="credential"))throw e.redirect;if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.query.callbackURL)throw console.log("Redirecting to",e.query.callbackURL),e.redirect("/");return e.json({status:!0})});import{z as S}from"zod";import{alphabet as Jt,generateRandomString as Zt}from"oslo/crypto";import"better-call";var Fe=g("/user/update",{method:"POST",body:S.object({name:S.string().optional(),image:S.string().optional()}),use:[_]},async e=>{let{name:t,image:o}=e.body,r=e.context.session;if(!o&&!t)return e.json(r.user);let n=await e.context.internalAdapter.updateUserByEmail(r.user.email,{name:t,image:o});return e.json(n)}),ze=g("/user/change-password",{method:"POST",body:S.object({newPassword:S.string(),currentPassword:S.string(),revokeOtherSessions:S.boolean().optional()}),use:[_]},async e=>{let{newPassword:t,currentPassword:o,revokeOtherSessions:r}=e.body,n=e.context.session,s=e.context.password.config.minPasswordLength;if(t.length<s)return e.context.logger.error("Password is too short"),e.json(null,{status:400,body:{message:"Password is too short"}});let i=e.context.password.config.maxPasswordLength;if(t.length>i)return e.context.logger.error("Password is too long"),e.json(null,{status:400,body:{message:"Password is too long"}});let d=(await e.context.internalAdapter.findAccounts(n.user.id)).find(u=>u.providerId==="credential"&&u.password);if(!d||!d.password)return e.json(null,{status:400,body:{message:"User does not have a password"}});let c=await e.context.password.hash(t);if(!await e.context.password.verify(d.password,o))return e.json(null,{status:400,body:{message:"Invalid password"}});if(await e.context.internalAdapter.updateAccount(d.id,{password:c}),r){await e.context.internalAdapter.deleteSessions(n.user.id);let u=await e.context.internalAdapter.createSession(n.user.id,e.headers);if(!u)return e.json(null,{status:500,body:{message:"Failed to create session"}});await P(e,u.id)}return e.json(n.user)}),Ve=g("/user/set-password",{method:"POST",body:S.object({newPassword:S.string()}),use:[_]},async e=>{let{newPassword:t}=e.body,o=e.context.session,r=e.context.password.config.minPasswordLength;if(t.length<r)return e.context.logger.error("Password is too short"),e.json(null,{status:400,body:{message:"Password is too short"}});let n=e.context.password.config.maxPasswordLength;if(t.length>n)return e.context.logger.error("Password is too long"),e.json(null,{status:400,body:{message:"Password is too long"}});let i=(await e.context.internalAdapter.findAccounts(o.user.id)).find(d=>d.providerId==="credential"&&d.password),a=await e.context.password.hash(t);return i?e.json(null,{status:400,body:{message:"User already has a password"}}):(await e.context.internalAdapter.linkAccount({id:Zt(32,Jt("a-z","0-9","A-Z")),userId:o.user.id,providerId:"credential",accountId:o.user.id,password:a}),e.json(o.user))});import{alphabet as Qt,generateRandomString as Xt}from"oslo/crypto";var Me=g("/csrf",{method:"GET",metadata:L},async e=>{let t=await e.getSignedCookie(e.context.authCookies.csrfToken.name,e.context.secret);if(t)return{csrfToken:t};let o=Xt(32,Qt("a-z","0-9","A-Z")),r=await F(e.context.secret,o),n=`${o}!${r}`;return await e.setSignedCookie(e.context.authCookies.csrfToken.name,n,e.context.secret,e.context.authCookies.csrfToken.options),{csrfToken:o}});var Yt=(e="Unknown")=>`<!DOCTYPE html>
+// src/api/index.ts
+import {
+  APIError as APIError6,
+  createRouter
+} from "better-call";
+
+// src/api/middlewares/csrf.ts
+import { APIError } from "better-call";
+import { z } from "zod";
+
+// src/crypto/index.ts
+import { xchacha20poly1305 } from "@noble/ciphers/chacha";
+import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/ciphers/utils";
+import { managedNonce } from "@noble/ciphers/webcrypto";
+import { sha256 } from "@noble/hashes/sha256";
+async function hs256(secretKey, message) {
+  const enc = new TextEncoder();
+  const algorithm = { name: "HMAC", hash: "SHA-256" };
+  const key = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secretKey),
+    algorithm,
+    false,
+    ["sign", "verify"]
+  );
+  const signature = await crypto.subtle.sign(
+    algorithm.name,
+    key,
+    enc.encode(message)
+  );
+  return btoa(String.fromCharCode(...new Uint8Array(signature)));
+}
+
+// src/api/call.ts
+import {
+  createEndpointCreator,
+  createMiddleware,
+  createMiddlewareCreator
+} from "better-call";
+var optionsMiddleware = createMiddleware(async () => {
+  return {};
+});
+var createAuthMiddleware = createMiddlewareCreator({
+  use: [
+    optionsMiddleware,
+    /**
+     * Only use for post hooks
+     */
+    createMiddleware(async () => {
+      return {};
+    })
+  ]
+});
+var createAuthEndpoint = createEndpointCreator({
+  use: [optionsMiddleware]
+});
+
+// src/api/middlewares/csrf.ts
+var csrfMiddleware = createAuthMiddleware(
+  {
+    body: z.object({
+      csrfToken: z.string().optional()
+    }).optional()
+  },
+  async (ctx) => {
+    if (ctx.request?.method !== "POST" || ctx.context.options.advanced?.disableCSRFCheck) {
+      return;
+    }
+    const url = new URL(ctx.request.url);
+    if (url.origin === new URL(ctx.context.baseURL).origin || ctx.context.options.trustedOrigins?.includes(url.origin)) {
+      return;
+    }
+    const csrfToken = ctx.body?.csrfToken;
+    const csrfCookie = await ctx.getSignedCookie(
+      ctx.context.authCookies.csrfToken.name,
+      ctx.context.secret
+    );
+    const [token, hash] = csrfCookie?.split("!") || [null, null];
+    if (!csrfToken || !csrfCookie || !token || !hash || csrfCookie !== csrfToken) {
+      ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
+        maxAge: 0
+      });
+      throw new APIError("UNAUTHORIZED", {
+        message: "Invalid CSRF Token"
+      });
+    }
+    const expectedHash = await hs256(ctx.context.secret, token);
+    if (hash !== expectedHash) {
+      ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
+        maxAge: 0
+      });
+      throw new APIError("UNAUTHORIZED", {
+        message: "Invalid CSRF Token"
+      });
+    }
+  }
+);
+
+// src/api/routes/sign-in.ts
+import { APIError as APIError3 } from "better-call";
+import { generateCodeVerifier } from "oslo/oauth2";
+import { z as z4 } from "zod";
+
+// src/social-providers/apple.ts
+import "arctic";
+import { parseJWT } from "oslo/jwt";
+import "@better-fetch/fetch";
+
+// src/error/better-auth-error.ts
+var BetterAuthError = class extends Error {
+  constructor(message, cause, docsLink) {
+    super(message);
+    this.name = "BetterAuthError";
+    this.message = message;
+    this.cause = cause;
+    this.stack = "";
+  }
+};
+var MissingDependencyError = class extends BetterAuthError {
+  constructor(pkgName) {
+    super(
+      `The package "${pkgName}" is required. Make sure it is installed.`,
+      pkgName
+    );
+  }
+};
+
+// src/social-providers/utils.ts
+import { OAuth2Tokens } from "arctic";
+
+// src/utils/base-url.ts
+function checkHasPath(url) {
+  try {
+    const parsedUrl = new URL(url);
+    return parsedUrl.pathname !== "/";
+  } catch (error2) {
+    throw new BetterAuthError(
+      `Invalid base URL: ${url}. Please provide a valid base URL.`
+    );
+  }
+}
+function withPath(url, path = "/api/auth") {
+  const hasPath = checkHasPath(url);
+  if (hasPath) {
+    return url;
+  }
+  path = path.startsWith("/") ? path : `/${path}`;
+  return `${url}${path}`;
+}
+function getBaseURL(url, path) {
+  if (url) {
+    return withPath(url, path);
+  }
+  const env = process?.env || {};
+  const fromEnv = env.BETTER_AUTH_URL || env.NEXT_PUBLIC_BETTER_AUTH_URL || env.PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_AUTH_URL || (env.BASE_URL !== "/" ? env.BASE_URL : void 0);
+  if (fromEnv) {
+    return withPath(fromEnv, path);
+  }
+  if (typeof window !== "undefined") {
+    return withPath(window.location.origin, path);
+  }
+  return void 0;
+}
+
+// src/social-providers/utils.ts
+import { betterFetch } from "@better-fetch/fetch";
+function getRedirectURI(providerId, redirectURI) {
+  return redirectURI || `${getBaseURL()}/callback/${providerId}`;
+}
+async function validateAuthorizationCode({
+  code,
+  codeVerifier,
+  redirectURI,
+  options,
+  tokenEndpoint
+}) {
+  const body = new URLSearchParams();
+  body.set("grant_type", "authorization_code");
+  body.set("code", code);
+  codeVerifier && body.set("code_verifier", codeVerifier);
+  body.set("redirect_uri", redirectURI);
+  body.set("client_id", options.clientId);
+  body.set("client_secret", options.clientSecret);
+  const { data, error: error2 } = await betterFetch(tokenEndpoint, {
+    method: "POST",
+    body,
+    headers: {
+      "content-type": "application/x-www-form-urlencoded",
+      accept: "application/json",
+      "user-agent": "better-auth"
+    }
+  });
+  if (error2) {
+    throw error2;
+  }
+  const tokens = new OAuth2Tokens(data);
+  return tokens;
+}
+
+// src/social-providers/apple.ts
+var apple = (options) => {
+  const tokenEndpoint = "https://appleid.apple.com/auth/token";
+  return {
+    id: "apple",
+    name: "Apple",
+    createAuthorizationURL({ state, scopes, redirectURI }) {
+      const _scope = scopes || ["email", "name", "openid"];
+      return new URL(
+        `https://appleid.apple.com/auth/authorize?client_id=${options.clientId}&response_type=code&redirect_uri=${redirectURI || options.redirectURI}&scope=${_scope.join(" ")}&state=${state}`
+      );
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("apple", options.redirectURI),
+        options,
+        tokenEndpoint
+      });
+    },
+    async getUserInfo(token) {
+      const data = parseJWT(token.idToken())?.payload;
+      if (!data) {
+        return null;
+      }
+      return {
+        user: {
+          id: data.sub,
+          name: data.name,
+          email: data.email,
+          emailVerified: data.email_verified === "true"
+        },
+        data
+      };
+    }
+  };
+};
+
+// src/social-providers/discord.ts
+import { betterFetch as betterFetch3 } from "@better-fetch/fetch";
+import { Discord } from "arctic";
+var discord = (options) => {
+  const discordArctic = new Discord(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("discord", options.redirectURI)
+  );
+  return {
+    id: "discord",
+    name: "Discord",
+    createAuthorizationURL({ state, scopes }) {
+      const _scope = scopes || ["email"];
+      return discordArctic.createAuthorizationURL(state, _scope);
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("discord", options.redirectURI),
+        options,
+        tokenEndpoint: "https://discord.com/api/oauth2/token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch3(
+        "https://discord.com/api/users/@me",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.display_name || profile.username || "",
+          email: profile.email,
+          emailVerified: profile.verified
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/facebook.ts
+import { betterFetch as betterFetch4 } from "@better-fetch/fetch";
+import { Facebook } from "arctic";
+var facebook = (options) => {
+  const facebookArctic = new Facebook(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("facebook", options.redirectURI)
+  );
+  return {
+    id: "facebook",
+    name: "Facebook",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["email", "public_profile"];
+      return facebookArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("facebook", options.redirectURI),
+        options,
+        tokenEndpoint: "https://graph.facebook.com/v16.0/oauth/access_token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch4(
+        "https://graph.facebook.com/me",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.name,
+          email: profile.email,
+          emailVerified: profile.email_verified
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/github.ts
+import { betterFetch as betterFetch5 } from "@better-fetch/fetch";
+import { GitHub } from "arctic";
+var github = ({
+  clientId,
+  clientSecret,
+  redirectURI
+}) => {
+  const githubArctic = new GitHub(
+    clientId,
+    clientSecret,
+    getRedirectURI("github", redirectURI)
+  );
+  return {
+    id: "github",
+    name: "Github",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["user:email"];
+      return githubArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: async (state) => {
+      return await githubArctic.validateAuthorizationCode(state);
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch5(
+        "https://api.github.com/user",
+        {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      let emailVerified = false;
+      if (!profile.email) {
+        const { data, error: error3 } = await betterFetch5("https://api.github.com/user/emails", {
+          auth: {
+            type: "Bearer",
+            token: token.accessToken()
+          }
+        });
+        if (!error3) {
+          profile.email = (data.find((e) => e.primary) ?? data[0])?.email;
+          emailVerified = data.find((e) => e.email === profile.email)?.verified ?? false;
+        }
+      }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.name,
+          email: profile.email,
+          image: profile.avatar_url,
+          emailVerified,
+          createdAt: /* @__PURE__ */ new Date(),
+          updatedAt: /* @__PURE__ */ new Date()
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/google.ts
+import { Google } from "arctic";
+import { parseJWT as parseJWT2 } from "oslo/jwt";
+
+// src/utils/logger.ts
+import { createConsola } from "consola";
+var consola = createConsola({
+  formatOptions: {
+    date: false,
+    colors: true,
+    compact: true
+  },
+  defaults: {
+    tag: "Better Auth"
+  }
+});
+var createLogger = (options) => {
+  return {
+    log: (...args) => {
+      !options?.disabled && consola.log("", ...args);
+    },
+    error: (...args) => {
+      !options?.disabled && consola.error("", ...args);
+    },
+    warn: (...args) => {
+      !options?.disabled && consola.warn("", ...args);
+    },
+    info: (...args) => {
+      !options?.disabled && consola.info("", ...args);
+    },
+    debug: (...args) => {
+      !options?.disabled && consola.debug("", ...args);
+    },
+    box: (...args) => {
+      !options?.disabled && consola.box("", ...args);
+    },
+    success: (...args) => {
+      !options?.disabled && consola.success("", ...args);
+    },
+    break: (...args) => {
+      !options?.disabled && console.log("\n");
+    }
+  };
+};
+var logger = createLogger();
+
+// src/social-providers/google.ts
+var google = (options) => {
+  const googleArctic = new Google(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("google", options.redirectURI)
+  );
+  return {
+    id: "google",
+    name: "Google",
+    createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+      if (!options.clientId || !options.clientSecret) {
+        logger.error(
+          "Client Id and Client Secret is required for Google. Make sure to provide them in the options."
+        );
+        throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
+      }
+      if (!codeVerifier) {
+        throw new BetterAuthError("codeVerifier is required for Google");
+      }
+      const _scopes = scopes || ["email", "profile"];
+      const url = googleArctic.createAuthorizationURL(
+        state,
+        codeVerifier,
+        _scopes
+      );
+      return url;
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("google", options.redirectURI),
+        options,
+        tokenEndpoint: "https://oauth2.googleapis.com/token"
+      });
+    },
+    async getUserInfo(token) {
+      if (!token.idToken) {
+        return null;
+      }
+      const user = parseJWT2(token.idToken())?.payload;
+      return {
+        user: {
+          id: user.sub,
+          name: user.name,
+          email: user.email,
+          image: user.picture,
+          emailVerified: user.email_verified
+        },
+        data: user
+      };
+    }
+  };
+};
+
+// src/social-providers/spotify.ts
+import { betterFetch as betterFetch6 } from "@better-fetch/fetch";
+import { Spotify } from "arctic";
+var spotify = (options) => {
+  const spotifyArctic = new Spotify(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("spotify", options.redirectURI)
+  );
+  return {
+    id: "spotify",
+    name: "Spotify",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["user-read-email"];
+      return spotifyArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("spotify", options.redirectURI),
+        options,
+        tokenEndpoint: "https://accounts.spotify.com/api/token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch6(
+        "https://api.spotify.com/v1/me",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken()}`
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.id,
+          name: profile.display_name,
+          email: profile.email,
+          image: profile.images[0]?.url,
+          emailVerified: false
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/twitch.ts
+import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
+import { Twitch } from "arctic";
+var twitch = (options) => {
+  const twitchArctic = new Twitch(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("twitch", options.redirectURI)
+  );
+  return {
+    id: "twitch",
+    name: "Twitch",
+    createAuthorizationURL({ state, scopes }) {
+      const _scopes = scopes || ["activity:write", "read"];
+      return twitchArctic.createAuthorizationURL(state, _scopes);
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("twitch", options.redirectURI),
+        options,
+        tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch7(
+        "https://api.twitch.tv/helix/users",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken()}`
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.sub,
+          name: profile.preferred_username,
+          email: profile.email,
+          image: profile.picture,
+          emailVerified: false
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/social-providers/twitter.ts
+import { betterFetch as betterFetch8 } from "@better-fetch/fetch";
+import { Twitter } from "arctic";
+var twitter = (options) => {
+  const twitterArctic = new Twitter(
+    options.clientId,
+    options.clientSecret,
+    getRedirectURI("twitter", options.redirectURI)
+  );
+  return {
+    id: "twitter",
+    name: "Twitter",
+    createAuthorizationURL(data) {
+      const _scopes = data.scopes || ["account_info.read"];
+      return twitterArctic.createAuthorizationURL(
+        data.state,
+        data.codeVerifier,
+        _scopes
+      );
+    },
+    validateAuthorizationCode: async (code, codeVerifier, redirectURI) => {
+      return validateAuthorizationCode({
+        code,
+        codeVerifier,
+        redirectURI: redirectURI || getRedirectURI("twitch", options.redirectURI),
+        options,
+        tokenEndpoint: "https://id.twitch.tv/oauth2/token"
+      });
+    },
+    async getUserInfo(token) {
+      const { data: profile, error: error2 } = await betterFetch8(
+        "https://api.x.com/2/users/me?user.fields=profile_image_url",
+        {
+          method: "GET",
+          headers: {
+            Authorization: `Bearer ${token.accessToken()}`
+          }
+        }
+      );
+      if (error2) {
+        return null;
+      }
+      if (!profile.data.email) {
+        return null;
+      }
+      return {
+        user: {
+          id: profile.data.id,
+          name: profile.data.name,
+          email: profile.data.email,
+          image: profile.data.profile_image_url,
+          emailVerified: profile.data.verified || false
+        },
+        data: profile
+      };
+    }
+  };
+};
+
+// src/types/provider.ts
+import "arctic";
+
+// src/social-providers/index.ts
+var oAuthProviders = {
+  apple,
+  discord,
+  facebook,
+  github,
+  google,
+  spotify,
+  twitch,
+  twitter
+};
+var oAuthProviderList = Object.keys(oAuthProviders);
+
+// src/utils/state.ts
+import { generateState as generateStateOAuth } from "oslo/oauth2";
+import { z as z2 } from "zod";
+function generateState(callbackURL, currentURL, dontRememberMe) {
+  const code = generateStateOAuth();
+  const state = JSON.stringify({
+    code,
+    callbackURL,
+    currentURL,
+    dontRememberMe
+  });
+  return { state, code };
+}
+function parseState(state) {
+  const data = z2.object({
+    code: z2.string(),
+    callbackURL: z2.string().optional(),
+    currentURL: z2.string().optional(),
+    dontRememberMe: z2.boolean().optional()
+  }).safeParse(JSON.parse(state));
+  return data;
+}
+
+// src/api/routes/session.ts
+import { APIError as APIError2 } from "better-call";
+
+// src/utils/date.ts
+var getDate = (span, isSeconds = false) => {
+  const date = /* @__PURE__ */ new Date();
+  return new Date(date.getTime() + (isSeconds ? span * 1e3 : span));
+};
+
+// src/utils/cookies.ts
+import { TimeSpan } from "oslo";
+function getCookies(options) {
+  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV !== "development" && process.env.NODE_ENV !== "test";
+  const secureCookiePrefix = secure ? "__Secure-" : "";
+  const cookiePrefix = "better-auth";
+  const sessionMaxAge = new TimeSpan(7, "d").seconds();
+  return {
+    sessionToken: {
+      name: `${secureCookiePrefix}${cookiePrefix}.session_token`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: sessionMaxAge
+      }
+    },
+    csrfToken: {
+      name: `${secureCookiePrefix ? "__Host-" : ""}${cookiePrefix}.csrf_token`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: 60 * 60 * 24 * 7
+      }
+    },
+    state: {
+      name: `${secureCookiePrefix}${cookiePrefix}.state`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: 60 * 15
+        // 15 minutes in seconds
+      }
+    },
+    pkCodeVerifier: {
+      name: `${secureCookiePrefix}${cookiePrefix}.pk_code_verifier`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: 60 * 15
+        // 15 minutes in seconds
+      }
+    },
+    dontRememberToken: {
+      name: `${secureCookiePrefix}${cookiePrefix}.dont_remember`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix
+        //no max age so it expires when the browser closes
+      }
+    },
+    nonce: {
+      name: `${secureCookiePrefix}${cookiePrefix}.nonce`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: 60 * 15
+        // 15 minutes in seconds
+      }
+    }
+  };
+}
+function createCookieGetter(options) {
+  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV === "production";
+  const secureCookiePrefix = secure ? "__Secure-" : "";
+  const cookiePrefix = "better-auth";
+  function getCookie(cookieName, options2) {
+    return {
+      name: process.env.NODE_ENV === "production" ? `${secureCookiePrefix}${cookiePrefix}.${cookieName}` : `${cookiePrefix}.${cookieName}`,
+      options: {
+        secure: !!secureCookiePrefix,
+        sameSite: "lax",
+        path: "/",
+        maxAge: 60 * 15,
+        // 15 minutes in seconds
+        ...options2
+      }
+    };
+  }
+  return getCookie;
+}
+async function setSessionCookie(ctx, sessionToken, dontRememberMe, overrides) {
+  const options = ctx.context.authCookies.sessionToken.options;
+  options.maxAge = dontRememberMe ? void 0 : options.maxAge;
+  await ctx.setSignedCookie(
+    ctx.context.authCookies.sessionToken.name,
+    sessionToken,
+    ctx.context.secret,
+    options
+  );
+  if (dontRememberMe) {
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.dontRememberToken.name,
+      "true",
+      ctx.context.secret,
+      ctx.context.authCookies.dontRememberToken.options
+    );
+  }
+}
+function deleteSessionCookie(ctx) {
+  ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
+    maxAge: 0
+  });
+  ctx.setCookie(ctx.context.authCookies.dontRememberToken.name, "", {
+    maxAge: 0
+  });
+}
+
+// src/api/routes/session.ts
+import { z as z3 } from "zod";
+
+// src/utils/get-request-ip.ts
+function getIp(req) {
+  const testIP = "127.0.0.1";
+  if (process.env.NODE_ENV === "test") {
+    return testIP;
+  }
+  const headers = [
+    "x-client-ip",
+    "x-forwarded-for",
+    "cf-connecting-ip",
+    "fastly-client-ip",
+    "x-real-ip",
+    "x-cluster-client-ip",
+    "x-forwarded",
+    "forwarded-for",
+    "forwarded"
+  ];
+  for (const header of headers) {
+    const value = req.headers.get(header);
+    if (typeof value === "string") {
+      const ip = value.split(",")[0].trim();
+      if (ip) return ip;
+    }
+  }
+  return null;
+}
+
+// src/api/routes/session.ts
+var sessionCache = /* @__PURE__ */ new Map();
+function getRequestUniqueKey(ctx, token) {
+  if (!ctx.request) {
+    return "";
+  }
+  const { method, url, headers } = ctx.request;
+  const userAgent = ctx.request.headers.get("User-Agent") || "";
+  const ip = getIp(ctx.request) || "";
+  const headerString = JSON.stringify(headers);
+  const uniqueString = `${method}:${url}:${headerString}:${userAgent}:${ip}:${token}`;
+  return uniqueString;
+}
+var getSession = () => createAuthEndpoint(
+  "/session",
+  {
+    method: "GET",
+    requireHeaders: true
+  },
+  async (ctx) => {
+    try {
+      const sessionCookieToken = await ctx.getSignedCookie(
+        ctx.context.authCookies.sessionToken.name,
+        ctx.context.secret
+      );
+      if (!sessionCookieToken) {
+        return ctx.json(null, {
+          status: 401
+        });
+      }
+      const key = getRequestUniqueKey(ctx, sessionCookieToken);
+      const cachedSession = sessionCache.get(key);
+      if (cachedSession) {
+        if (cachedSession.expiresAt > Date.now()) {
+          return ctx.json(
+            cachedSession.data
+          );
+        }
+        sessionCache.delete(key);
+      }
+      const session = await ctx.context.internalAdapter.findSession(sessionCookieToken);
+      if (!session || session.session.expiresAt < /* @__PURE__ */ new Date()) {
+        deleteSessionCookie(ctx);
+        if (session) {
+          await ctx.context.internalAdapter.deleteSession(session.session.id);
+        }
+        return ctx.json(null, {
+          status: 401
+        });
+      }
+      const dontRememberMe = await ctx.getSignedCookie(
+        ctx.context.authCookies.dontRememberToken.name,
+        ctx.context.secret
+      );
+      if (dontRememberMe) {
+        return ctx.json(
+          session
+        );
+      }
+      const expiresIn = ctx.context.sessionConfig.expiresIn;
+      const updateAge = ctx.context.sessionConfig.updateAge;
+      const sessionIsDueToBeUpdatedDate = session.session.expiresAt.valueOf() - expiresIn * 1e3 + updateAge * 1e3;
+      const shouldBeUpdated = sessionIsDueToBeUpdatedDate <= Date.now();
+      if (shouldBeUpdated) {
+        const updatedSession = await ctx.context.internalAdapter.updateSession(
+          session.session.id,
+          {
+            expiresAt: getDate(ctx.context.sessionConfig.expiresIn, true)
+          }
+        );
+        if (!updatedSession) {
+          deleteSessionCookie(ctx);
+          return ctx.json(null, { status: 401 });
+        }
+        const maxAge = (updatedSession.expiresAt.valueOf() - Date.now()) / 1e3;
+        await setSessionCookie(ctx, updatedSession.id, false, {
+          maxAge
+        });
+        return ctx.json({
+          session: updatedSession,
+          user: session.user
+        });
+      }
+      sessionCache.set(key, {
+        data: session,
+        expiresAt: Date.now() + 5e3
+      });
+      return ctx.json(
+        session
+      );
+    } catch (error2) {
+      ctx.context.logger.error(error2);
+      return ctx.json(null, { status: 500 });
+    }
+  }
+);
+var getSessionFromCtx = async (ctx) => {
+  const session = await getSession()({
+    ...ctx,
+    //@ts-expect-error: By default since this request context comes from a router it'll have a `router` flag which force it to be a request object
+    _flag: void 0
+  });
+  return session;
+};
+var sessionMiddleware = createAuthMiddleware(async (ctx) => {
+  const session = await getSessionFromCtx(ctx);
+  if (!session?.session) {
+    throw new APIError2("UNAUTHORIZED");
+  }
+  return {
+    session
+  };
+});
+var listSessions = () => createAuthEndpoint(
+  "/user/list-sessions",
+  {
+    method: "GET",
+    use: [sessionMiddleware],
+    requireHeaders: true
+  },
+  async (ctx) => {
+    const sessions = await ctx.context.adapter.findMany({
+      model: ctx.context.tables.session.tableName,
+      where: [
+        {
+          field: "userId",
+          value: ctx.context.session.user.id
+        }
+      ]
+    });
+    const activeSessions = sessions.filter((session) => {
+      return session.expiresAt > /* @__PURE__ */ new Date();
+    });
+    return ctx.json(
+      activeSessions
+    );
+  }
+);
+var revokeSession = createAuthEndpoint(
+  "/user/revoke-session",
+  {
+    method: "POST",
+    body: z3.object({
+      id: z3.string()
+    }),
+    use: [sessionMiddleware],
+    requireHeaders: true
+  },
+  async (ctx) => {
+    const id = ctx.body.id;
+    const findSession = await ctx.context.internalAdapter.findSession(id);
+    if (!findSession) {
+      return ctx.json(null, { status: 400 });
+    }
+    if (findSession.session.userId !== ctx.context.session.user.id) {
+      return ctx.json(null, { status: 403 });
+    }
+    try {
+      await ctx.context.internalAdapter.deleteSession(id);
+    } catch (error2) {
+      ctx.context.logger.error(error2);
+      return ctx.json(null, { status: 500 });
+    }
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var revokeSessions = createAuthEndpoint(
+  "/user/revoke-sessions",
+  {
+    method: "POST",
+    use: [sessionMiddleware],
+    requireHeaders: true
+  },
+  async (ctx) => {
+    try {
+      await ctx.context.internalAdapter.deleteSessions(
+        ctx.context.session.user.id
+      );
+    } catch (error2) {
+      ctx.context.logger.error(error2);
+      return ctx.json(null, { status: 500 });
+    }
+    return ctx.json({
+      status: true
+    });
+  }
+);
+
+// src/api/routes/sign-in.ts
+var signInOAuth = createAuthEndpoint(
+  "/sign-in/social",
+  {
+    method: "POST",
+    requireHeaders: true,
+    query: z4.object({
+      /**
+       * Redirect to the current URL after the
+       * user has signed in.
+       */
+      currentURL: z4.string().optional()
+    }).optional(),
+    body: z4.object({
+      /**
+       * Callback URL to redirect to after the user has signed in.
+       */
+      callbackURL: z4.string().optional(),
+      /**
+       * OAuth2 provider to use`
+       */
+      provider: z4.enum(oAuthProviderList),
+      /**
+       * If this is true the session will only be valid for the current browser session
+       */
+      dontRememberMe: z4.boolean().default(false).optional()
+    })
+  },
+  async (c) => {
+    const provider = c.context.socialProviders.find(
+      (p) => p.id === c.body.provider
+    );
+    if (!provider) {
+      c.context.logger.error(
+        "Provider not found. Make sure to add the provider to your auth config",
+        {
+          provider: c.body.provider
+        }
+      );
+      throw new APIError3("NOT_FOUND", {
+        message: "Provider not found"
+      });
+    }
+    const cookie = c.context.authCookies;
+    const currentURL = c.query?.currentURL ? new URL(c.query?.currentURL) : null;
+    const callbackURL = c.body.callbackURL?.startsWith("http") ? c.body.callbackURL : `${currentURL?.origin}${c.body.callbackURL || ""}`;
+    const state = generateState(
+      callbackURL || currentURL?.origin || c.context.baseURL,
+      c.query?.currentURL
+    );
+    try {
+      await c.setSignedCookie(
+        cookie.state.name,
+        state.code,
+        c.context.secret,
+        cookie.state.options
+      );
+      const codeVerifier = generateCodeVerifier();
+      await c.setSignedCookie(
+        cookie.pkCodeVerifier.name,
+        codeVerifier,
+        c.context.secret,
+        cookie.pkCodeVerifier.options
+      );
+      const url = provider.createAuthorizationURL({
+        state: state.state,
+        codeVerifier
+      });
+      url.searchParams.set(
+        "redirect_uri",
+        `${c.context.baseURL}/callback/${c.body.provider}`
+      );
+      return {
+        url: url.toString(),
+        state: state.state,
+        codeVerifier,
+        redirect: true
+      };
+    } catch (e) {
+      throw new APIError3("INTERNAL_SERVER_ERROR");
+    }
+  }
+);
+var signInEmail = createAuthEndpoint(
+  "/sign-in/email",
+  {
+    method: "POST",
+    body: z4.object({
+      email: z4.string().email(),
+      password: z4.string(),
+      callbackURL: z4.string().optional(),
+      /**
+       * If this is true the session will only be valid for the current browser session
+       * @default false
+       */
+      dontRememberMe: z4.boolean().default(false).optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options?.emailAndPassword?.enabled) {
+      ctx.context.logger.error(
+        "Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"
+      );
+      throw new APIError3("BAD_REQUEST", {
+        message: "Email and password is not enabled"
+      });
+    }
+    const currentSession = await getSessionFromCtx(ctx);
+    if (currentSession) {
+      await ctx.context.internalAdapter.deleteSession(
+        currentSession.session.id
+      );
+    }
+    const { email, password } = ctx.body;
+    const checkEmail = z4.string().email().safeParse(email);
+    if (!checkEmail.success) {
+      throw new APIError3("BAD_REQUEST", {
+        message: "Invalid email"
+      });
+    }
+    const user = await ctx.context.internalAdapter.findUserByEmail(email);
+    if (!user) {
+      await ctx.context.password.hash(password);
+      ctx.context.logger.error("User not found", { email });
+      throw new APIError3("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const credentialAccount = user.accounts.find(
+      (a) => a.providerId === "credential"
+    );
+    if (!credentialAccount) {
+      ctx.context.logger.error("Credential account not found", { email });
+      throw new APIError3("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const currentPassword = credentialAccount?.password;
+    if (!currentPassword) {
+      ctx.context.logger.error("Password not found", { email });
+      throw new APIError3("UNAUTHORIZED", {
+        message: "Unexpected error"
+      });
+    }
+    const validPassword = await ctx.context.password.verify(
+      currentPassword,
+      password
+    );
+    if (!validPassword) {
+      ctx.context.logger.error("Invalid password");
+      throw new APIError3("UNAUTHORIZED", {
+        message: "Invalid email or password"
+      });
+    }
+    const session = await ctx.context.internalAdapter.createSession(
+      user.user.id,
+      ctx.headers,
+      ctx.body.dontRememberMe
+    );
+    if (!session) {
+      ctx.context.logger.error("Failed to create session");
+      throw new APIError3("INTERNAL_SERVER_ERROR");
+    }
+    await setSessionCookie(ctx, session.id, ctx.body.dontRememberMe);
+    return ctx.json({
+      user: user.user,
+      session,
+      redirect: !!ctx.body.callbackURL,
+      url: ctx.body.callbackURL
+    });
+  }
+);
+
+// src/api/routes/callback.ts
+import { APIError as APIError4 } from "better-call";
+import { z as z6 } from "zod";
+
+// src/db/schema.ts
+import { z as z5 } from "zod";
+var accountSchema = z5.object({
+  id: z5.string(),
+  providerId: z5.string(),
+  accountId: z5.string(),
+  userId: z5.string(),
+  accessToken: z5.string().nullable().optional(),
+  refreshToken: z5.string().nullable().optional(),
+  idToken: z5.string().nullable().optional(),
+  /**
+   * Access token expires at
+   */
+  expiresAt: z5.date().nullable().optional(),
+  /**
+   * Password is only stored in the credential provider
+   */
+  password: z5.string().optional().nullable()
+});
+var userSchema = z5.object({
+  id: z5.string(),
+  email: z5.string().transform((val) => val.toLowerCase()),
+  emailVerified: z5.boolean().default(false),
+  name: z5.string(),
+  image: z5.string().optional(),
+  createdAt: z5.date().default(/* @__PURE__ */ new Date()),
+  updatedAt: z5.date().default(/* @__PURE__ */ new Date())
+});
+var sessionSchema = z5.object({
+  id: z5.string(),
+  userId: z5.string(),
+  expiresAt: z5.date(),
+  ipAddress: z5.string().optional(),
+  userAgent: z5.string().optional()
+});
+
+// src/utils/id.ts
+import { alphabet, generateRandomString } from "oslo/crypto";
+var generateId = () => {
+  return generateRandomString(36, alphabet("a-z", "0-9"));
+};
+
+// src/utils/hide-metadata.ts
+var HIDE_METADATA = {
+  isAction: false
+};
+
+// src/utils/getAccount.ts
+function getAccountTokens(tokens) {
+  const accessToken = tokens.accessToken();
+  let refreshToken = tokens.hasRefreshToken() ? tokens.refreshToken() : void 0;
+  let accessTokenExpiresAt = void 0;
+  try {
+    accessTokenExpiresAt = tokens.accessTokenExpiresAt();
+  } catch {
+  }
+  return {
+    accessToken,
+    refreshToken,
+    expiresAt: accessTokenExpiresAt
+  };
+}
+
+// src/api/routes/callback.ts
+var callbackOAuth = createAuthEndpoint(
+  "/callback/:id",
+  {
+    method: "GET",
+    query: z6.object({
+      state: z6.string(),
+      code: z6.string().optional(),
+      error: z6.string().optional()
+    }),
+    metadata: HIDE_METADATA
+  },
+  async (c) => {
+    if (c.query.error || !c.query.code) {
+      const parsedState2 = parseState(c.query.state);
+      const callbackURL2 = parsedState2.data?.callbackURL || `${c.context.baseURL}/error`;
+      c.context.logger.error(c.query.error, c.params.id);
+      throw c.redirect(
+        `${callbackURL2}?error=${c.query.error || "oAuth_code_missing"}`
+      );
+    }
+    const provider = c.context.socialProviders.find(
+      (p) => p.id === c.params.id
+    );
+    if (!provider) {
+      c.context.logger.error(
+        "Oauth provider with id",
+        c.params.id,
+        "not found"
+      );
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=oauth_provider_not_found`
+      );
+    }
+    const codeVerifier = await c.getSignedCookie(
+      c.context.authCookies.pkCodeVerifier.name,
+      c.context.secret
+    );
+    let tokens;
+    try {
+      tokens = await provider.validateAuthorizationCode(
+        c.query.code,
+        codeVerifier,
+        `${c.context.baseURL}/callback/${provider.id}`
+      );
+    } catch (e) {
+      c.context.logger.error(e);
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=oauth_code_verification_failed`
+      );
+    }
+    const user = await provider.getUserInfo(tokens).then((res) => res?.user);
+    const id = generateId();
+    const data = userSchema.safeParse({
+      ...user,
+      id
+    });
+    const parsedState = parseState(c.query.state);
+    if (!parsedState.success) {
+      c.context.logger.error("Unable to parse state");
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=invalid_state_parameter`
+      );
+    }
+    const { callbackURL, currentURL, dontRememberMe } = parsedState.data;
+    if (!user || data.success === false) {
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=oauth_validation_failed`
+      );
+    }
+    if (!callbackURL) {
+      throw c.redirect(
+        `${c.context.baseURL}/error?error=oauth_callback_url_not_found`
+      );
+    }
+    const dbUser = await c.context.internalAdapter.findUserByEmail(user.email);
+    const userId = dbUser?.user.id;
+    if (dbUser) {
+      const hasBeenLinked = dbUser.accounts.find(
+        (a) => a.providerId === provider.id
+      );
+      const trustedProviders = c.context.options.account?.accountLinking?.trustedProviders;
+      const isTrustedProvider = trustedProviders ? trustedProviders.includes(provider.id) : true;
+      if (!hasBeenLinked && (!user.emailVerified || !isTrustedProvider)) {
+        let url;
+        try {
+          url = new URL(currentURL || callbackURL);
+          url.searchParams.set("error", "account_not_linked");
+        } catch (e) {
+          throw c.redirect(
+            `${c.context.baseURL}/error?error=account_not_linked`
+          );
+        }
+        throw c.redirect(url.toString());
+      }
+      if (!hasBeenLinked) {
+        try {
+          await c.context.internalAdapter.linkAccount({
+            providerId: provider.id,
+            accountId: user.id,
+            id: `${provider.id}:${user.id}`,
+            userId: dbUser.user.id,
+            ...getAccountTokens(tokens)
+          });
+        } catch (e) {
+          console.log(e);
+          throw c.redirect(
+            `${c.context.baseURL}/error?error=failed_linking_account`
+          );
+        }
+      }
+    } else {
+      try {
+        await c.context.internalAdapter.createOAuthUser(data.data, {
+          ...getAccountTokens(tokens),
+          id: `${provider.id}:${user.id}`,
+          providerId: provider.id,
+          accountId: user.id,
+          userId: id
+        });
+      } catch (e) {
+        const url = new URL(currentURL || callbackURL);
+        url.searchParams.set("error", "unable_to_create_user");
+        c.setHeader("Location", url.toString());
+        throw c.redirect(url.toString());
+      }
+    }
+    if (!userId && !id)
+      throw new APIError4("INTERNAL_SERVER_ERROR", {
+        message: "Unable to create user"
+      });
+    const session = await c.context.internalAdapter.createSession(
+      userId || id,
+      c.request,
+      dontRememberMe
+    );
+    if (!session) {
+      const url = new URL(currentURL || callbackURL);
+      url.searchParams.set("error", "unable_to_create_session");
+      throw c.redirect(url.toString());
+    }
+    try {
+      await setSessionCookie(c, session.id, dontRememberMe);
+    } catch (e) {
+      c.context.logger.error("Unable to set session cookie", e);
+      const url = new URL(currentURL || callbackURL);
+      url.searchParams.set("error", "unable_to_create_session");
+      throw c.redirect(url.toString());
+    }
+    throw c.redirect(callbackURL);
+  }
+);
+
+// src/api/routes/sign-out.ts
+import { z as z7 } from "zod";
+var signOut = createAuthEndpoint(
+  "/sign-out",
+  {
+    method: "POST",
+    body: z7.optional(
+      z7.object({
+        callbackURL: z7.string().optional()
+      })
+    )
+  },
+  async (ctx) => {
+    const sessionCookieToken = await ctx.getSignedCookie(
+      ctx.context.authCookies.sessionToken.name,
+      ctx.context.secret
+    );
+    if (!sessionCookieToken) {
+      return ctx.json(null);
+    }
+    await ctx.context.internalAdapter.deleteSession(sessionCookieToken);
+    deleteSessionCookie(ctx);
+    return ctx.json(null, {
+      body: {
+        redirect: !!ctx.body?.callbackURL,
+        url: ctx.body?.callbackURL
+      }
+    });
+  }
+);
+
+// src/api/routes/forget-password.ts
+import { TimeSpan as TimeSpan2 } from "oslo";
+import { createJWT, parseJWT as parseJWT3 } from "oslo/jwt";
+import { validateJWT } from "oslo/jwt";
+import { z as z8 } from "zod";
+var forgetPassword = createAuthEndpoint(
+  "/forget-password",
+  {
+    method: "POST",
+    body: z8.object({
+      /**
+       * The email address of the user to send a password reset email to.
+       */
+      email: z8.string().email(),
+      /**
+       * The URL to redirect the user to reset their password.
+       * If the token isn't valid or expired, it'll be redirected with a query parameter `?
+       * error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?
+       * token=VALID_TOKEN
+       */
+      redirectTo: z8.string()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.sendResetPassword) {
+      ctx.context.logger.error(
+        "Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function to your auth config!"
+      );
+      return ctx.json(null, {
+        status: 400,
+        statusText: "RESET_PASSWORD_EMAIL_NOT_SENT",
+        body: {
+          message: "Reset password isn't enabled"
+        }
+      });
+    }
+    const { email } = ctx.body;
+    const user = await ctx.context.internalAdapter.findUserByEmail(email);
+    if (!user) {
+      return ctx.json(
+        {
+          status: false
+        },
+        {
+          body: {
+            status: true
+          }
+        }
+      );
+    }
+    const token = await createJWT(
+      "HS256",
+      Buffer.from(ctx.context.secret),
+      {
+        email: user.user.email,
+        redirectTo: ctx.body.redirectTo
+      },
+      {
+        expiresIn: new TimeSpan2(1, "h"),
+        issuer: "better-auth",
+        subject: "forget-password",
+        audiences: [user.user.email],
+        includeIssuedTimestamp: true
+      }
+    );
+    const url = `${ctx.context.baseURL}/reset-password/${token}`;
+    await ctx.context.options.emailAndPassword.sendResetPassword(
+      url,
+      user.user
+    );
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var forgetPasswordCallback = createAuthEndpoint(
+  "/reset-password/:token",
+  {
+    method: "GET"
+  },
+  async (ctx) => {
+    const { token } = ctx.params;
+    let decodedToken;
+    const schema = z8.object({
+      email: z8.string(),
+      redirectTo: z8.string()
+    });
+    try {
+      decodedToken = await validateJWT(
+        "HS256",
+        Buffer.from(ctx.context.secret),
+        token
+      );
+      if (!decodedToken.expiresAt || decodedToken.expiresAt < /* @__PURE__ */ new Date()) {
+        throw Error("Token expired");
+      }
+    } catch (e) {
+      const decoded = parseJWT3(token);
+      const jwt = schema.safeParse(decoded?.payload);
+      if (jwt.success) {
+        throw ctx.redirect(`${jwt.data?.redirectTo}?error=invalid_token`);
+      } else {
+        throw ctx.redirect(`${ctx.context.baseURL}/error?error=invalid_token`);
+      }
+    }
+    const { redirectTo } = schema.parse(decodedToken.payload);
+    throw ctx.redirect(`${redirectTo}?token=${token}`);
+  }
+);
+var resetPassword = createAuthEndpoint(
+  "/reset-password",
+  {
+    method: "POST",
+    query: z8.object({
+      currentURL: z8.string()
+    }).optional(),
+    body: z8.object({
+      newPassword: z8.string(),
+      callbackURL: z8.string().optional()
+    })
+  },
+  async (ctx) => {
+    const token = ctx.query?.currentURL.split("?token=")[1];
+    if (!token) {
+      return ctx.json(
+        {
+          error: "Invalid token",
+          data: null
+        },
+        {
+          status: 400,
+          statusText: "INVALID_TOKEN",
+          body: {
+            message: "Invalid token"
+          }
+        }
+      );
+    }
+    const { newPassword } = ctx.body;
+    try {
+      const jwt = await validateJWT(
+        "HS256",
+        Buffer.from(ctx.context.secret),
+        token
+      );
+      const email = z8.string().email().parse(jwt.payload.email);
+      const user = await ctx.context.internalAdapter.findUserByEmail(email);
+      if (!user) {
+        return ctx.json(
+          {
+            error: "User not found",
+            data: null
+          },
+          {
+            status: 400,
+            body: {
+              message: "failed to reset password"
+            }
+          }
+        );
+      }
+      if (newPassword.length < (ctx.context.options.emailAndPassword?.minPasswordLength || 8) || newPassword.length > (ctx.context.options.emailAndPassword?.maxPasswordLength || 32)) {
+        return ctx.json(
+          {
+            data: null,
+            error: "password is too short or too long"
+          },
+          {
+            status: 400,
+            statusText: "INVALID_PASSWORD_LENGTH",
+            body: {
+              message: "password is too short or too long"
+            }
+          }
+        );
+      }
+      const hashedPassword = await ctx.context.password.hash(newPassword);
+      const updatedUser = await ctx.context.internalAdapter.updatePassword(
+        user.user.id,
+        hashedPassword
+      );
+      if (!updatedUser) {
+        return ctx.json(null, {
+          status: 400,
+          statusText: "USER_NOT_FOUND",
+          body: {
+            message: "User doesn't have a credential account"
+          }
+        });
+      }
+      return ctx.json(
+        {
+          error: null,
+          data: {
+            status: true,
+            url: ctx.body.callbackURL,
+            redirect: !!ctx.body.callbackURL
+          }
+        },
+        {
+          body: {
+            status: true,
+            url: ctx.body.callbackURL,
+            redirect: !!ctx.body.callbackURL
+          }
+        }
+      );
+    } catch (e) {
+      console.log(e);
+      return ctx.json(
+        {
+          error: "Invalid token",
+          data: null
+        },
+        {
+          status: 400,
+          statusText: "INVALID_TOKEN",
+          body: {
+            message: "Invalid token"
+          }
+        }
+      );
+    }
+  }
+);
+
+// src/api/routes/verify-email.ts
+import { TimeSpan as TimeSpan3 } from "oslo";
+import { createJWT as createJWT2, validateJWT as validateJWT2 } from "oslo/jwt";
+import { z as z9 } from "zod";
+async function createEmailVerificationToken(secret, email) {
+  const token = await createJWT2(
+    "HS256",
+    Buffer.from(secret),
+    {
+      email: email.toLowerCase()
+    },
+    {
+      expiresIn: new TimeSpan3(1, "h"),
+      issuer: "better-auth",
+      subject: "verify-email",
+      audiences: [email],
+      includeIssuedTimestamp: true
+    }
+  );
+  return token;
+}
+var sendVerificationEmail = createAuthEndpoint(
+  "/send-verification-email",
+  {
+    method: "POST",
+    query: z9.object({
+      currentURL: z9.string().optional()
+    }).optional(),
+    body: z9.object({
+      email: z9.string().email(),
+      callbackURL: z9.string().optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.sendVerificationEmail) {
+      ctx.context.logger.error(
+        "Verification email isn't enabled. Pass `sendVerificationEmail` in `emailAndPassword` options to enable it."
+      );
+      return ctx.json(null, {
+        status: 400,
+        statusText: "VERIFICATION_EMAIL_NOT_SENT",
+        body: {
+          message: "Verification email isn't enabled"
+        }
+      });
+    }
+    const { email } = ctx.body;
+    const token = await createEmailVerificationToken(ctx.context.secret, email);
+    const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || ctx.query?.currentURL || "/"}`;
+    await ctx.context.options.emailAndPassword.sendVerificationEmail(
+      email,
+      url,
+      token
+    );
+    return ctx.json({
+      status: true
+    });
+  }
+);
+var verifyEmail = createAuthEndpoint(
+  "/verify-email",
+  {
+    method: "GET",
+    query: z9.object({
+      token: z9.string(),
+      callbackURL: z9.string().optional()
+    })
+  },
+  async (ctx) => {
+    const { token } = ctx.query;
+    let jwt;
+    try {
+      jwt = await validateJWT2("HS256", Buffer.from(ctx.context.secret), token);
+    } catch (e) {
+      ctx.context.logger.error("Failed to verify email", e);
+      return ctx.json(null, {
+        status: 400,
+        statusText: "INVALID_TOKEN",
+        body: {
+          message: "Invalid token"
+        }
+      });
+    }
+    const schema = z9.object({
+      email: z9.string().email()
+    });
+    const parsed = schema.parse(jwt.payload);
+    const user = await ctx.context.internalAdapter.findUserByEmail(
+      parsed.email
+    );
+    if (!user) {
+      return ctx.json(null, {
+        status: 400,
+        statusText: "USER_NOT_FOUND",
+        body: {
+          message: "User not found"
+        }
+      });
+    }
+    const account = user.accounts.find((a) => a.providerId === "credential");
+    if (!account) {
+      throw ctx.redirect;
+    }
+    await ctx.context.internalAdapter.updateUserByEmail(parsed.email, {
+      emailVerified: true
+    });
+    if (ctx.query.callbackURL) {
+      console.log("Redirecting to", ctx.query.callbackURL);
+      throw ctx.redirect("/");
+    }
+    return ctx.json({
+      status: true
+    });
+  }
+);
+
+// src/api/routes/update-user.ts
+import { z as z10 } from "zod";
+import { alphabet as alphabet2, generateRandomString as generateRandomString2 } from "oslo/crypto";
+import "better-call";
+var updateUser = createAuthEndpoint(
+  "/user/update",
+  {
+    method: "POST",
+    body: z10.object({
+      name: z10.string().optional(),
+      image: z10.string().optional()
+    }),
+    use: [sessionMiddleware]
+  },
+  async (ctx) => {
+    const { name, image } = ctx.body;
+    const session = ctx.context.session;
+    if (!image && !name) {
+      return ctx.json(session.user);
+    }
+    const user = await ctx.context.internalAdapter.updateUserByEmail(
+      session.user.email,
+      {
+        name,
+        image
+      }
+    );
+    return ctx.json(user);
+  }
+);
+var changePassword = createAuthEndpoint(
+  "/user/change-password",
+  {
+    method: "POST",
+    body: z10.object({
+      /**
+       * The new password to set
+       */
+      newPassword: z10.string(),
+      /**
+       * The current password of the user
+       */
+      currentPassword: z10.string(),
+      /**
+       * revoke all sessions that are not the
+       * current one logged in by the user
+       */
+      revokeOtherSessions: z10.boolean().optional()
+    }),
+    use: [sessionMiddleware]
+  },
+  async (ctx) => {
+    const { newPassword, currentPassword, revokeOtherSessions } = ctx.body;
+    const session = ctx.context.session;
+    const minPasswordLength = ctx.context.password.config.minPasswordLength;
+    if (newPassword.length < minPasswordLength) {
+      ctx.context.logger.error("Password is too short");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too short" }
+      });
+    }
+    const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
+    if (newPassword.length > maxPasswordLength) {
+      ctx.context.logger.error("Password is too long");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too long" }
+      });
+    }
+    const accounts = await ctx.context.internalAdapter.findAccounts(
+      session.user.id
+    );
+    const account = accounts.find(
+      (account2) => account2.providerId === "credential" && account2.password
+    );
+    if (!account || !account.password) {
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "User does not have a password" }
+      });
+    }
+    const passwordHash = await ctx.context.password.hash(newPassword);
+    const verify = await ctx.context.password.verify(
+      account.password,
+      currentPassword
+    );
+    if (!verify) {
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Invalid password" }
+      });
+    }
+    await ctx.context.internalAdapter.updateAccount(account.id, {
+      password: passwordHash
+    });
+    if (revokeOtherSessions) {
+      await ctx.context.internalAdapter.deleteSessions(session.user.id);
+      const newSession = await ctx.context.internalAdapter.createSession(
+        session.user.id,
+        ctx.headers
+      );
+      if (!newSession) {
+        return ctx.json(null, {
+          status: 500,
+          body: { message: "Failed to create session" }
+        });
+      }
+      await setSessionCookie(ctx, newSession.id);
+    }
+    return ctx.json(session.user);
+  }
+);
+var setPassword = createAuthEndpoint(
+  "/user/set-password",
+  {
+    method: "POST",
+    body: z10.object({
+      /**
+       * The new password to set
+       */
+      newPassword: z10.string()
+    }),
+    use: [sessionMiddleware]
+  },
+  async (ctx) => {
+    const { newPassword } = ctx.body;
+    const session = ctx.context.session;
+    const minPasswordLength = ctx.context.password.config.minPasswordLength;
+    if (newPassword.length < minPasswordLength) {
+      ctx.context.logger.error("Password is too short");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too short" }
+      });
+    }
+    const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
+    if (newPassword.length > maxPasswordLength) {
+      ctx.context.logger.error("Password is too long");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too long" }
+      });
+    }
+    const accounts = await ctx.context.internalAdapter.findAccounts(
+      session.user.id
+    );
+    const account = accounts.find(
+      (account2) => account2.providerId === "credential" && account2.password
+    );
+    const passwordHash = await ctx.context.password.hash(newPassword);
+    if (!account) {
+      await ctx.context.internalAdapter.linkAccount({
+        id: generateRandomString2(32, alphabet2("a-z", "0-9", "A-Z")),
+        userId: session.user.id,
+        providerId: "credential",
+        accountId: session.user.id,
+        password: passwordHash
+      });
+      return ctx.json(session.user);
+    }
+    return ctx.json(null, {
+      status: 400,
+      body: { message: "User already has a password" }
+    });
+  }
+);
+
+// src/api/routes/csrf.ts
+import { alphabet as alphabet3, generateRandomString as generateRandomString3 } from "oslo/crypto";
+var getCSRFToken = createAuthEndpoint(
+  "/csrf",
+  {
+    method: "GET",
+    metadata: HIDE_METADATA
+  },
+  async (ctx) => {
+    const csrfToken = await ctx.getSignedCookie(
+      ctx.context.authCookies.csrfToken.name,
+      ctx.context.secret
+    );
+    if (csrfToken) {
+      return {
+        csrfToken
+      };
+    }
+    const token = generateRandomString3(32, alphabet3("a-z", "0-9", "A-Z"));
+    const hash = await hs256(ctx.context.secret, token);
+    const cookie = `${token}!${hash}`;
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.csrfToken.name,
+      cookie,
+      ctx.context.secret,
+      ctx.context.authCookies.csrfToken.options
+    );
+    return {
+      csrfToken: token
+    };
+  }
+);
+
+// src/api/routes/error.ts
+var html = (errorCode = "Unknown") => `<!DOCTYPE html>
 <html lang="en">
 <head>
     <meta charset="UTF-8">
@@ -76,9 +2100,1650 @@ import{APIError as ir,createRouter as ar}from"better-call";import{APIError as ce
         <h1>Better Auth Error</h1>
         <p>We encountered an issue while processing your request. Please try again or contact the application owner if the problem persists.</p>
         <a href="/" id="returnLink" class="btn">Return to Application</a>
-        <div class="error-code">Error Code: <span id="errorCode">${e}</span></div>
+        <div class="error-code">Error Code: <span id="errorCode">${errorCode}</span></div>
     </div>
 </body>
-</html>`,He=g("/error",{method:"GET",metadata:L},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(Yt(t),{headers:{"Content-Type":"text/html"}})});var Ge=g("/ok",{method:"GET",metadata:L},async e=>e.json({ok:!0}));import{alphabet as Ke,generateRandomString as We}from"oslo/crypto";import{z as O}from"zod";var Je=g("/sign-up/email",{method:"POST",query:O.object({currentURL:O.string().optional()}).optional(),body:O.object({name:O.string(),email:O.string(),password:O.string(),image:O.string().optional(),callbackURL:O.string().optional()})},async e=>{if(!e.context.options.emailAndPassword?.enabled)return e.json(null,{status:400,body:{message:"Email and password is not enabled"}});let{name:t,email:o,password:r,image:n}=e.body;if(!O.string().email().safeParse(o).success)return e.json(null,{status:400,body:{message:"Invalid email address"}});let i=e.context.password.config.minPasswordLength;if(r.length<i)return e.context.logger.error("Password is too short"),e.json(null,{status:400,body:{message:"Password is too short"}});let a=e.context.password.config.maxPasswordLength;if(r.length>a)return e.context.logger.error("Password is too long"),e.json(null,{status:400,body:{message:"Password is too long"}});let d=await e.context.internalAdapter.findUserByEmail(o),c=await e.context.password.hash(r);if(d?.user)return e.json(null,{status:400,body:{message:"User already exists"}});let l=await e.context.internalAdapter.createUser({id:We(32,Ke("a-z","0-9","A-Z")),email:o.toLowerCase(),name:t,image:n,emailVerified:!1,createdAt:new Date,updatedAt:new Date});if(!l)return e.json(null,{status:400,body:{message:"Could not create user"}});await e.context.internalAdapter.linkAccount({id:We(32,Ke("a-z","0-9","A-Z")),userId:l.id,providerId:"credential",accountId:l.id,password:c});let u=await e.context.internalAdapter.createSession(l.id,e.request);if(!u)return e.json(null,{status:400,body:{message:"Could not create session"}});if(await P(e,u.id),e.context.options.emailAndPassword.sendEmailVerificationOnSignUp){let p=await ne(e.context.secret,l.email),m=`${e.context.baseURL}/verify-email?token=${p}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailAndPassword.sendVerificationEmail?.(l.email,m,p)}return e.json({user:l,session:u},{body:e.body.callbackURL?{url:e.body.callbackURL,redirect:!0}:{user:l,session:u}})});import se from"chalk";function er(e,t,o){let r=Date.now(),n=t*1e3;return r-o.lastRequest<n&&o.count>=e}function tr(e){return new Response(JSON.stringify({message:"Too many requests. Please try again later."}),{status:429,statusText:"Too Many Requests",headers:{"X-Retry-After":e.toString()}})}function rr(e,t){let o=Date.now(),r=t*1e3;return Math.ceil((e+r-o)/1e3)}function or(e,t){let o=t??"rateLimit",r=e.adapter;return{get:async n=>await r.findOne({model:o,where:[{field:"key",value:n}]}),set:async(n,s,i)=>{try{i?await r.update({model:t??"rateLimit",where:[{field:"key",value:n}],update:{count:s.count,lastRequest:s.lastRequest}}):await r.create({model:t??"rateLimit",data:{key:n,count:s.count,lastRequest:s.lastRequest}})}catch(a){T.error("Error setting rate limit",a)}}}}var Ze=new Map;function nr(e){return e.rateLimit.customStorage?e.rateLimit.customStorage:e.rateLimit.storage==="memory"?{async get(o){return Ze.get(o)},async set(o,r,n){Ze.set(o,r)}}:or(e,e.rateLimit.tableName)}async function Qe(e,t){if(!t.rateLimit.enabled)return;let o=t.baseURL,r=e.url.replace(o,""),n=t.rateLimit.window,s=t.rateLimit.max,i=M(e)+r,d=sr().find(p=>p.pathMatcher(r));d&&(n=d.window,s=d.max);for(let p of t.options.plugins||[])if(p.rateLimit){let m=p.rateLimit.find(f=>f.pathMatcher(r));if(m){n=m.window,s=m.max;break}}if(t.rateLimit.customRules){let p=t.rateLimit.customRules[r];p&&(n=p.window,s=p.max)}let c=nr(t),l=await c.get(i),u=Date.now();if(!l)await c.set(i,{key:i,count:1,lastRequest:u});else{let p=u-l.lastRequest;if(er(s,n,l)){let m=rr(l.lastRequest,n);return tr(m)}else p>n*1e3?await c.set(i,{...l,count:1,lastRequest:u}):await c.set(i,{...l,count:l.count+1,lastRequest:u})}}function sr(){return[{pathMatcher(t){return t.startsWith("/sign-in")||t.startsWith("/sign-up")},window:10,max:7}]}function ie(e,t){let o=t.plugins?.reduce((a,d)=>({...a,...d.endpoints}),{}),r=t.plugins?.map(a=>a.middlewares?.map(d=>{let c=async l=>d.middleware({...l,context:{...e,...l.context}});return c.path=d.path,c.options=d.middleware.options,c.headers=d.middleware.headers,{path:d.path,middleware:c}})).filter(a=>a!==void 0).flat()||[],s={...{signInOAuth:Se,callbackOAuth:Ee,getCSRFToken:Me,getSession:ee(),signOut:_e,signUpEmail:Je,signInEmail:Oe,forgetPassword:qe,resetPassword:De,verifyEmail:$e,sendVerificationEmail:Ne,changePassword:ze,setPassword:Ve,updateUser:Fe,forgetPasswordCallback:je,listSessions:Pe(),revokeSession:ve,revokeSessions:Ie},...o,ok:Ge,error:He},i={};for(let[a,d]of Object.entries(s))i[a]=async c=>{let l=await e,p=await d({...c,context:{...l,...c.context}});for(let m of t.plugins||[])if(m.hooks?.after){for(let f of m.hooks.after)if(f.matcher(c)){let h=Object.assign(c,{context:{...e,returned:p}}),A=await f.handler(h);A&&"response"in A&&(p=A.response)}}return p},i[a].path=d.path,i[a].method=d.method,i[a].options=d.options,i[a].headers=d.headers;return{api:i,middlewares:r}}var Xe=(e,t)=>{let{api:o,middlewares:r}=ie(e,t),n=new URL(e.baseURL).pathname;return ar(o,{extraContext:e,basePath:n,routerMiddleware:[{path:"/**",middleware:ue},...r],async onRequest(s){for(let i of e.options.plugins||[])if(i.onRequest){let a=await i.onRequest(s,e);if(a)return a}return Qe(s,e)},async onResponse(s){for(let i of e.options.plugins||[])if(i.onResponse){let a=await i.onResponse(s,e);if(a)return a.response}return s},onError(s){let i=t.logger?.verboseLogging?T:void 0;if(t.logger?.disabled!==!0)if(s instanceof ir)i?.warn(s);else if(typeof s=="object"&&s!==null&&"message"in s){let a=s.message;if(!a||typeof a!="string"){i?.error(s);return}a.includes("no such table")?T?.error(`Please run ${se.green("npx better-auth migrate")} to create the tables. There are missing tables in your SQLite database.`):a.includes("relation")&&a.includes("does not exist")?T.error(`Please run ${se.green("npx better-auth migrate")} to create the tables. There are missing tables in your PostgreSQL database.`):a.includes("Table")&&a.includes("doesn't exist")?T?.error(`Please run ${se.green("npx better-auth migrate")} to create the tables. There are missing tables in your MySQL database.`):i?.error(s)}else i?.error(s)}})};var C=e=>{let t=e.plugins?.reduce((d,c)=>{let l=c.schema;if(!l)return d;for(let[u,p]of Object.entries(l))d[u]={fields:{...d[u]?.fields,...p.fields},tableName:u};return d},{}),o=e.rateLimit?.storage==="database",r={rateLimit:{tableName:e.rateLimit?.tableName||"rateLimit",fields:{key:{type:"string"},count:{type:"number"},lastRequest:{type:"number"}}}},{user:n,session:s,account:i,...a}=t||{};return{user:{tableName:e.user?.modelName||"user",fields:{name:{type:"string",required:!0},email:{type:"string",unique:!0,required:!0},emailVerified:{type:"boolean",defaultValue:()=>!1,required:!0},image:{type:"string",required:!1},createdAt:{type:"date",defaultValue:()=>new Date,required:!0},updatedAt:{type:"date",defaultValue:()=>new Date,required:!0},...n?.fields},order:0},session:{tableName:e.session?.modelName||"session",fields:{expiresAt:{type:"date",required:!0},ipAddress:{type:"string",required:!1},userAgent:{type:"string",required:!1},userId:{type:"string",references:{model:"user",field:"id",onDelete:"cascade"},required:!0},...s?.fields},order:1},account:{tableName:e.account?.modelName||"account",fields:{accountId:{type:"string",required:!0},providerId:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id",onDelete:"cascade"},required:!0},accessToken:{type:"string",required:!1},refreshToken:{type:"string",required:!1},idToken:{type:"string",required:!1},expiresAt:{type:"date",required:!1},password:{type:"string",required:!1},...i?.fields},order:2},...a,...o?r:{}}};import{Kysely as dr}from"kysely";import{MysqlDialect as Ye,PostgresDialect as et,SqliteDialect as tt}from"kysely";var cr=async e=>{if(!e.database)return;if("createDriver"in e.database)return e.database;let t;if("provider"in e.database){let o=e.database.provider,r=e.database?.url?.trim();if(o==="postgres"){let s=(await import("pg").catch(i=>{throw new k("Please install `pg` to use postgres database")})).Pool;t=new et({pool:new s({connectionString:r})})}if(o==="mysql")try{let{createPool:n}=await import("mysql2/promise").catch(a=>{throw new k("Please install `mysql2` to use mysql database")}),s=new URL(r),i=n({host:s.hostname,user:s.username,password:s.password,database:s.pathname.split("/")[1],port:Number(s.port)});t=new Ye({pool:i})}catch(n){if(n instanceof TypeError)throw new k("Invalid database URL")}if(o==="sqlite")try{let n=await import("better-sqlite3").catch(a=>{throw new k("Please install `better-sqlite3` to use sqlite database")}),s=n.default||n;if(!s)throw new k("Failed to import better-sqlite3. Please ensure `better-sqlite3` is properly installed.");let i=new s(r);t=new tt({database:i})}catch(n){throw console.error(n),new k("Failed to initialize SQLite. Please ensure `better-sqlite3` is properly installed.")}}return t},q=async e=>{let t=await cr(e);return t&&new dr({dialect:t})},G=e=>{if("provider"in e.database)return e.database.provider;if("dialect"in e.database){if(e.database.dialect instanceof et)return"postgres";if(e.database.dialect instanceof Ye)return"mysql";if(e.database.dialect instanceof tt)return"sqlite"}return"sqlite"};import"kysely";function lr(e){return e.plugins?.flatMap(o=>Object.keys(o.schema||{}).map(r=>{let s=(o.schema||{})[r];if(!s?.disableMigration)return{tableName:r,fields:s?.fields}}).filter(r=>r!==void 0))||[]}function rt(e){let t=C(e),o=lr(e);return[t.user,t.session,t.account,...o].reduce((n,s)=>(n[s.tableName]={fields:{...n[s.tableName]?.fields,...s.fields}},n),{})}var ur={string:["character varying","text"],number:["int4","integer","bigint","smallint","numeric","real","double precision"],boolean:["bool","boolean"],date:["timestamp","date"]},pr={string:["varchar","text"],number:["integer","int","bigint","smallint","decimal","float","double"],boolean:["boolean"],date:["date","datetime"]},mr={string:["TEXT"],number:["INTEGER","REAL"],boolean:["INTEGER","BOOLEAN"],date:["DATE","INTEGER"]},fr={postgres:ur,mysql:pr,sqlite:mr};function gr(e,t,o){return fr[o][t].map(i=>i.toLowerCase()).includes(e.toLowerCase())}async function ot(e){let t=rt(e),o=G(e),r=await q(e);r||(T.error("Invalid database configuration."),process.exit(1));let n=await r.introspection.getTables(),s=[],i=[];for(let[u,p]of Object.entries(t)){let m=n.find(y=>y.name===u);if(!m){let y=s.findIndex(B=>B.table===u),h={table:u,fields:p.fields,order:p.order||1/0},A=s.findIndex(B=>(B.order||1/0)>h.order);A===-1?y===-1?s.push(h):s[y].fields={...s[y].fields,...p.fields}:s.splice(A,0,h);continue}let f={};for(let[y,h]of Object.entries(p.fields)){let A=m.columns.find(B=>B.name===y);if(!A){f[y]=h;continue}gr(A.dataType,h.type,o)||T.warn(`Field ${y} in table ${u} has a different type in the database. Expected ${h.type} but got ${A.dataType}.`)}Object.keys(f).length>0&&i.push({table:u,fields:f,order:p.order||1/0})}let a=[];function d(u){let p={string:"text",boolean:"boolean",number:"integer",date:"date"};return o==="mysql"&&u==="string"?"varchar(255)":p[u]}if(i.length)for(let u of i)for(let[p,m]of Object.entries(u.fields)){let f=d(m.type),y=r.schema.alterTable(u.table).addColumn(p,f,h=>(h=m.required!==!1?h.notNull():h,m.references&&(h=h.references(`${m.references.model}.${m.references.field}`)),h));a.push(y)}if(s.length)for(let u of s){let p=r.schema.createTable(u.table).addColumn("id",d("string"),m=>m.primaryKey());for(let[m,f]of Object.entries(u.fields)){let y=d(f.type);p=p.addColumn(m,y,h=>(h=f.required!==!1?h.notNull():h,f.references&&(h=h.references(`${f.references.model}.${f.references.field}`)),f.unique&&(h=h.unique()),h))}a.push(p)}async function c(){for(let u of a)await u.execute()}async function l(){return a.map(p=>p.compile().sql).join(`;
+</html>`;
+var error = createAuthEndpoint(
+  "/error",
+  {
+    method: "GET",
+    metadata: HIDE_METADATA
+  },
+  async (c) => {
+    const query = new URL(c.request?.url || "").searchParams.get("error") || "Unknown";
+    return new Response(html(query), {
+      headers: {
+        "Content-Type": "text/html"
+      }
+    });
+  }
+);
+
+// src/api/routes/ok.ts
+var ok = createAuthEndpoint(
+  "/ok",
+  {
+    method: "GET",
+    metadata: HIDE_METADATA
+  },
+  async (ctx) => {
+    return ctx.json({
+      ok: true
+    });
+  }
+);
+
+// src/api/routes/sign-up.ts
+import { alphabet as alphabet4, generateRandomString as generateRandomString4 } from "oslo/crypto";
+import { z as z11 } from "zod";
+var signUpEmail = createAuthEndpoint(
+  "/sign-up/email",
+  {
+    method: "POST",
+    query: z11.object({
+      currentURL: z11.string().optional()
+    }).optional(),
+    body: z11.object({
+      name: z11.string(),
+      email: z11.string(),
+      password: z11.string(),
+      image: z11.string().optional(),
+      callbackURL: z11.string().optional()
+    })
+  },
+  async (ctx) => {
+    if (!ctx.context.options.emailAndPassword?.enabled) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Email and password is not enabled"
+        }
+      });
+    }
+    const { name, email, password, image } = ctx.body;
+    const isValidEmail = z11.string().email().safeParse(email);
+    if (!isValidEmail.success) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Invalid email address"
+        }
+      });
+    }
+    const minPasswordLength = ctx.context.password.config.minPasswordLength;
+    if (password.length < minPasswordLength) {
+      ctx.context.logger.error("Password is too short");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too short" }
+      });
+    }
+    const maxPasswordLength = ctx.context.password.config.maxPasswordLength;
+    if (password.length > maxPasswordLength) {
+      ctx.context.logger.error("Password is too long");
+      return ctx.json(null, {
+        status: 400,
+        body: { message: "Password is too long" }
+      });
+    }
+    const dbUser = await ctx.context.internalAdapter.findUserByEmail(email);
+    const hash = await ctx.context.password.hash(password);
+    if (dbUser?.user) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "User already exists"
+        }
+      });
+    }
+    const createdUser = await ctx.context.internalAdapter.createUser({
+      id: generateRandomString4(32, alphabet4("a-z", "0-9", "A-Z")),
+      email: email.toLowerCase(),
+      name,
+      image,
+      emailVerified: false,
+      createdAt: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date()
+    });
+    if (!createdUser) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Could not create user"
+        }
+      });
+    }
+    await ctx.context.internalAdapter.linkAccount({
+      id: generateRandomString4(32, alphabet4("a-z", "0-9", "A-Z")),
+      userId: createdUser.id,
+      providerId: "credential",
+      accountId: createdUser.id,
+      password: hash
+    });
+    const session = await ctx.context.internalAdapter.createSession(
+      createdUser.id,
+      ctx.request
+    );
+    if (!session) {
+      return ctx.json(null, {
+        status: 400,
+        body: {
+          message: "Could not create session"
+        }
+      });
+    }
+    await setSessionCookie(ctx, session.id);
+    if (ctx.context.options.emailAndPassword.sendEmailVerificationOnSignUp) {
+      const token = await createEmailVerificationToken(
+        ctx.context.secret,
+        createdUser.email
+      );
+      const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || ctx.query?.currentURL || "/"}`;
+      await ctx.context.options.emailAndPassword.sendVerificationEmail?.(
+        createdUser.email,
+        url,
+        token
+      );
+    }
+    return ctx.json(
+      {
+        user: createdUser,
+        session
+      },
+      {
+        body: ctx.body.callbackURL ? {
+          url: ctx.body.callbackURL,
+          redirect: true
+        } : {
+          user: createdUser,
+          session
+        }
+      }
+    );
+  }
+);
+
+// src/api/index.ts
+import chalk from "chalk";
+
+// src/api/rate-limiter.ts
+function shouldRateLimit(max, window2, rateLimitData) {
+  const now = Date.now();
+  const windowInMs = window2 * 1e3;
+  const timeSinceLastRequest = now - rateLimitData.lastRequest;
+  return timeSinceLastRequest < windowInMs && rateLimitData.count >= max;
+}
+function rateLimitResponse(retryAfter) {
+  return new Response(
+    JSON.stringify({
+      message: "Too many requests. Please try again later."
+    }),
+    {
+      status: 429,
+      statusText: "Too Many Requests",
+      headers: {
+        "X-Retry-After": retryAfter.toString()
+      }
+    }
+  );
+}
+function getRetryAfter(lastRequest, window2) {
+  const now = Date.now();
+  const windowInMs = window2 * 1e3;
+  return Math.ceil((lastRequest + windowInMs - now) / 1e3);
+}
+function createDBStorage(ctx, tableName) {
+  const model = tableName ?? "rateLimit";
+  const db = ctx.adapter;
+  return {
+    get: async (key) => {
+      const res = await db.findOne({
+        model,
+        where: [{ field: "key", value: key }]
+      });
+      return res;
+    },
+    set: async (key, value, _update) => {
+      try {
+        if (_update) {
+          await db.update({
+            model: tableName ?? "rateLimit",
+            where: [{ field: "key", value: key }],
+            update: {
+              count: value.count,
+              lastRequest: value.lastRequest
+            }
+          });
+        } else {
+          await db.create({
+            model: tableName ?? "rateLimit",
+            data: {
+              key,
+              count: value.count,
+              lastRequest: value.lastRequest
+            }
+          });
+        }
+      } catch (e) {
+        logger.error("Error setting rate limit", e);
+      }
+    }
+  };
+}
+var memory = /* @__PURE__ */ new Map();
+function getRateLimitStorage(ctx) {
+  if (ctx.rateLimit.customStorage) {
+    return ctx.rateLimit.customStorage;
+  }
+  const storage = ctx.rateLimit.storage;
+  if (storage === "memory") {
+    return {
+      async get(key) {
+        return memory.get(key);
+      },
+      async set(key, value, _update) {
+        memory.set(key, value);
+      }
+    };
+  }
+  return createDBStorage(ctx, ctx.rateLimit.tableName);
+}
+async function onRequestRateLimit(req, ctx) {
+  if (!ctx.rateLimit.enabled) {
+    return;
+  }
+  const baseURL = ctx.baseURL;
+  const path = req.url.replace(baseURL, "");
+  let window2 = ctx.rateLimit.window;
+  let max = ctx.rateLimit.max;
+  const key = getIp(req) + path;
+  const specialRules = getDefaultSpecialRules();
+  const specialRule = specialRules.find((rule) => rule.pathMatcher(path));
+  if (specialRule) {
+    window2 = specialRule.window;
+    max = specialRule.max;
+  }
+  for (const plugin of ctx.options.plugins || []) {
+    if (plugin.rateLimit) {
+      const matchedRule = plugin.rateLimit.find(
+        (rule) => rule.pathMatcher(path)
+      );
+      if (matchedRule) {
+        window2 = matchedRule.window;
+        max = matchedRule.max;
+        break;
+      }
+    }
+  }
+  if (ctx.rateLimit.customRules) {
+    const customRule = ctx.rateLimit.customRules[path];
+    if (customRule) {
+      window2 = customRule.window;
+      max = customRule.max;
+    }
+  }
+  const storage = getRateLimitStorage(ctx);
+  const data = await storage.get(key);
+  const now = Date.now();
+  if (!data) {
+    await storage.set(key, {
+      key,
+      count: 1,
+      lastRequest: now
+    });
+  } else {
+    const timeSinceLastRequest = now - data.lastRequest;
+    if (shouldRateLimit(max, window2, data)) {
+      const retryAfter = getRetryAfter(data.lastRequest, window2);
+      return rateLimitResponse(retryAfter);
+    } else if (timeSinceLastRequest > window2 * 1e3) {
+      await storage.set(key, {
+        ...data,
+        count: 1,
+        lastRequest: now
+      });
+    } else {
+      await storage.set(key, {
+        ...data,
+        count: data.count + 1,
+        lastRequest: now
+      });
+    }
+  }
+}
+function getDefaultSpecialRules() {
+  const specialRules = [
+    {
+      pathMatcher(path) {
+        return path.startsWith("/sign-in") || path.startsWith("/sign-up");
+      },
+      window: 10,
+      max: 7
+    }
+  ];
+  return specialRules;
+}
+
+// src/api/index.ts
+function getEndpoints(ctx, options) {
+  const pluginEndpoints = options.plugins?.reduce(
+    (acc, plugin) => {
+      return {
+        ...acc,
+        ...plugin.endpoints
+      };
+    },
+    {}
+  );
+  const middlewares = options.plugins?.map(
+    (plugin) => plugin.middlewares?.map((m) => {
+      const middleware = async (context) => {
+        return m.middleware({
+          ...context,
+          context: {
+            ...ctx,
+            ...context.context
+          }
+        });
+      };
+      middleware.path = m.path;
+      middleware.options = m.middleware.options;
+      middleware.headers = m.middleware.headers;
+      return {
+        path: m.path,
+        middleware
+      };
+    })
+  ).filter((plugin) => plugin !== void 0).flat() || [];
+  const baseEndpoints = {
+    signInOAuth,
+    callbackOAuth,
+    getCSRFToken,
+    getSession: getSession(),
+    signOut,
+    signUpEmail,
+    signInEmail,
+    forgetPassword,
+    resetPassword,
+    verifyEmail,
+    sendVerificationEmail,
+    changePassword,
+    setPassword,
+    updateUser,
+    forgetPasswordCallback,
+    listSessions: listSessions(),
+    revokeSession,
+    revokeSessions
+  };
+  const endpoints = {
+    ...baseEndpoints,
+    ...pluginEndpoints,
+    ok,
+    error
+  };
+  let api = {};
+  for (const [key, value] of Object.entries(endpoints)) {
+    api[key] = async (context) => {
+      const c = await ctx;
+      const endpointRes = await value({
+        ...context,
+        context: {
+          ...c,
+          ...context.context
+        }
+      });
+      let response = endpointRes;
+      for (const plugin of options.plugins || []) {
+        if (plugin.hooks?.after) {
+          for (const hook of plugin.hooks.after) {
+            const match = hook.matcher(context);
+            if (match) {
+              const obj = Object.assign(context, {
+                context: {
+                  ...ctx,
+                  returned: response
+                }
+              });
+              const hookRes = await hook.handler(obj);
+              if (hookRes && "response" in hookRes) {
+                response = hookRes.response;
+              }
+            }
+          }
+        }
+      }
+      return response;
+    };
+    api[key].path = value.path;
+    api[key].method = value.method;
+    api[key].options = value.options;
+    api[key].headers = value.headers;
+  }
+  return {
+    api,
+    middlewares
+  };
+}
+var router = (ctx, options) => {
+  const { api, middlewares } = getEndpoints(ctx, options);
+  const basePath = new URL(ctx.baseURL).pathname;
+  return createRouter(api, {
+    extraContext: ctx,
+    basePath,
+    routerMiddleware: [
+      {
+        path: "/**",
+        middleware: csrfMiddleware
+      },
+      ...middlewares
+    ],
+    async onRequest(req) {
+      for (const plugin of ctx.options.plugins || []) {
+        if (plugin.onRequest) {
+          const response = await plugin.onRequest(req, ctx);
+          if (response) {
+            return response;
+          }
+        }
+      }
+      return onRequestRateLimit(req, ctx);
+    },
+    async onResponse(res) {
+      for (const plugin of ctx.options.plugins || []) {
+        if (plugin.onResponse) {
+          const response = await plugin.onResponse(res, ctx);
+          if (response) {
+            return response.response;
+          }
+        }
+      }
+      return res;
+    },
+    onError(e) {
+      const log = options.logger?.verboseLogging ? logger : void 0;
+      if (options.logger?.disabled !== true) {
+        if (e instanceof APIError6) {
+          log?.warn(e);
+        } else {
+          if (typeof e === "object" && e !== null && "message" in e) {
+            const errorMessage = e.message;
+            if (!errorMessage || typeof errorMessage !== "string") {
+              log?.error(e);
+              return;
+            }
+            if (errorMessage.includes("no such table")) {
+              logger?.error(
+                `Please run ${chalk.green(
+                  "npx better-auth migrate"
+                )} to create the tables. There are missing tables in your SQLite database.`
+              );
+            } else if (errorMessage.includes("relation") && errorMessage.includes("does not exist")) {
+              logger.error(
+                `Please run ${chalk.green(
+                  "npx better-auth migrate"
+                )} to create the tables. There are missing tables in your PostgreSQL database.`
+              );
+            } else if (errorMessage.includes("Table") && errorMessage.includes("doesn't exist")) {
+              logger?.error(
+                `Please run ${chalk.green(
+                  "npx better-auth migrate"
+                )} to create the tables. There are missing tables in your MySQL database.`
+              );
+            } else {
+              log?.error(e);
+            }
+          } else {
+            log?.error(e);
+          }
+        }
+      }
+    }
+  });
+};
+
+// src/db/get-tables.ts
+var getAuthTables = (options) => {
+  const pluginSchema = options.plugins?.reduce(
+    (acc, plugin) => {
+      const schema = plugin.schema;
+      if (!schema) return acc;
+      for (const [key, value] of Object.entries(schema)) {
+        acc[key] = {
+          fields: {
+            ...acc[key]?.fields,
+            ...value.fields
+          },
+          tableName: key
+        };
+      }
+      return acc;
+    },
+    {}
+  );
+  const shouldAddRateLimitTable = options.rateLimit?.storage === "database";
+  const rateLimitTable = {
+    rateLimit: {
+      tableName: options.rateLimit?.tableName || "rateLimit",
+      fields: {
+        key: {
+          type: "string"
+        },
+        count: {
+          type: "number"
+        },
+        lastRequest: {
+          type: "number"
+        }
+      }
+    }
+  };
+  const { user, session, account, ...pluginTables } = pluginSchema || {};
+  return {
+    user: {
+      tableName: options.user?.modelName || "user",
+      fields: {
+        name: {
+          type: "string",
+          required: true
+        },
+        email: {
+          type: "string",
+          unique: true,
+          required: true
+        },
+        emailVerified: {
+          type: "boolean",
+          defaultValue: () => false,
+          required: true
+        },
+        image: {
+          type: "string",
+          required: false
+        },
+        createdAt: {
+          type: "date",
+          defaultValue: () => /* @__PURE__ */ new Date(),
+          required: true
+        },
+        updatedAt: {
+          type: "date",
+          defaultValue: () => /* @__PURE__ */ new Date(),
+          required: true
+        },
+        ...user?.fields
+      },
+      order: 0
+    },
+    session: {
+      tableName: options.session?.modelName || "session",
+      fields: {
+        expiresAt: {
+          type: "date",
+          required: true
+        },
+        ipAddress: {
+          type: "string",
+          required: false
+        },
+        userAgent: {
+          type: "string",
+          required: false
+        },
+        userId: {
+          type: "string",
+          references: {
+            model: "user",
+            field: "id",
+            onDelete: "cascade"
+          },
+          required: true
+        },
+        ...session?.fields
+      },
+      order: 1
+    },
+    account: {
+      tableName: options.account?.modelName || "account",
+      fields: {
+        accountId: {
+          type: "string",
+          required: true
+        },
+        providerId: {
+          type: "string",
+          required: true
+        },
+        userId: {
+          type: "string",
+          references: {
+            model: "user",
+            field: "id",
+            onDelete: "cascade"
+          },
+          required: true
+        },
+        accessToken: {
+          type: "string",
+          required: false
+        },
+        refreshToken: {
+          type: "string",
+          required: false
+        },
+        idToken: {
+          type: "string",
+          required: false
+        },
+        expiresAt: {
+          type: "date",
+          required: false
+        },
+        password: {
+          type: "string",
+          required: false
+        },
+        ...account?.fields
+      },
+      order: 2
+    },
+    ...pluginTables,
+    ...shouldAddRateLimitTable ? rateLimitTable : {}
+  };
+};
+
+// src/adapters/kysely-adapter/dialect.ts
+import { Kysely } from "kysely";
+import {
+  MysqlDialect,
+  PostgresDialect,
+  SqliteDialect
+} from "kysely";
+import "execa";
+import "prompts";
+
+// src/cli/utils/get-package-manager.ts
+import { detect } from "@antfu/ni";
+
+// src/adapters/kysely-adapter/dialect.ts
+import "ora";
+var getDialect = async (config2, isCli) => {
+  if (!config2.database) {
+    return void 0;
+  }
+  if ("createDriver" in config2.database) {
+    return config2.database;
+  }
+  let dialect = void 0;
+  if ("provider" in config2.database) {
+    const provider = config2.database.provider;
+    const connectionString = config2.database?.url?.trim();
+    if (provider === "postgres") {
+      const pg = await import("pg").catch(async (e) => {
+        throw new MissingDependencyError("pg");
+      });
+      const Pool = pg.default?.Pool || pg.Pool;
+      const pool = new Pool({
+        connectionString
+      });
+      dialect = new PostgresDialect({
+        pool
+      });
+    }
+    if (provider === "mysql") {
+      try {
+        const { createPool } = await import("mysql2/promise").catch(
+          async (e) => {
+            throw new MissingDependencyError("mysql2");
+          }
+        );
+        const params = new URL(connectionString);
+        const pool = createPool({
+          host: params.hostname,
+          user: params.username,
+          password: params.password,
+          database: params.pathname.split("/")[1],
+          port: Number(params.port)
+        });
+        dialect = new MysqlDialect({ pool });
+      } catch (e) {
+        if (e instanceof TypeError) {
+          throw new BetterAuthError("Invalid database URL");
+        }
+        throw e;
+      }
+    }
+    if (provider === "sqlite") {
+      try {
+        const database = await import("better-sqlite3").catch(async (e) => {
+          throw new MissingDependencyError("better-sqlite3");
+        });
+        const Database = database.default || database;
+        const db = new Database(connectionString);
+        dialect = new SqliteDialect({
+          database: db
+        });
+      } catch (e) {
+        console.error(e);
+        throw new BetterAuthError(
+          "Failed to initialize SQLite. Make sure `better-sqlite3` is properly installed."
+        );
+      }
+    }
+  }
+  return dialect;
+};
+var createKyselyAdapter = async (config2, isCli) => {
+  const dialect = await getDialect(config2, isCli);
+  if (!dialect) {
+    return dialect;
+  }
+  const db = new Kysely({
+    dialect
+  });
+  return db;
+};
+var getDatabaseType = (config2) => {
+  if ("provider" in config2.database) {
+    return config2.database.provider;
+  }
+  if ("dialect" in config2.database) {
+    if (config2.database.dialect instanceof PostgresDialect) {
+      return "postgres";
+    }
+    if (config2.database.dialect instanceof MysqlDialect) {
+      return "mysql";
+    }
+    if (config2.database.dialect instanceof SqliteDialect) {
+      return "sqlite";
+    }
+  }
+  return "sqlite";
+};
+
+// src/cli/utils/get-migration.ts
+import "kysely";
+
+// src/cli/utils/get-schema.ts
+function getPluginTable(config2) {
+  const pluginsMigrations = config2.plugins?.flatMap(
+    (plugin) => Object.keys(plugin.schema || {}).map((key) => {
+      const schema = plugin.schema || {};
+      const table = schema[key];
+      if (table?.disableMigration) {
+        return;
+      }
+      return {
+        tableName: key,
+        fields: table?.fields
+      };
+    }).filter((value) => value !== void 0)
+  ) || [];
+  return pluginsMigrations;
+}
+function getSchema(config2) {
+  const baseSchema = getAuthTables(config2);
+  const pluginSchema = getPluginTable(config2);
+  const schema = [
+    baseSchema.user,
+    baseSchema.session,
+    baseSchema.account,
+    ...pluginSchema
+  ].reduce((acc, curr) => {
+    acc[curr.tableName] = {
+      fields: {
+        ...acc[curr.tableName]?.fields,
+        ...curr.fields
+      }
+    };
+    return acc;
+  }, {});
+  return schema;
+}
+
+// src/cli/utils/get-migration.ts
+var postgresMap = {
+  string: ["character varying", "text"],
+  number: [
+    "int4",
+    "integer",
+    "bigint",
+    "smallint",
+    "numeric",
+    "real",
+    "double precision"
+  ],
+  boolean: ["bool", "boolean"],
+  date: ["timestamp", "date"]
+};
+var mysqlMap = {
+  string: ["varchar", "text"],
+  number: [
+    "integer",
+    "int",
+    "bigint",
+    "smallint",
+    "decimal",
+    "float",
+    "double"
+  ],
+  boolean: ["boolean"],
+  date: ["date", "datetime"]
+};
+var sqliteMap = {
+  string: ["TEXT"],
+  number: ["INTEGER", "REAL"],
+  boolean: ["INTEGER", "BOOLEAN"],
+  // 0 or 1
+  date: ["DATE", "INTEGER"]
+};
+var map = {
+  postgres: postgresMap,
+  mysql: mysqlMap,
+  sqlite: sqliteMap
+};
+function matchType(columnDataType, fieldType, dbType) {
+  const types = map[dbType];
+  const type = types[fieldType].map((t) => t.toLowerCase());
+  const matches = type.includes(columnDataType.toLowerCase());
+  return matches;
+}
+async function getMigrations(config2) {
+  const betterAuthSchema = getSchema(config2);
+  const dbType = getDatabaseType(config2);
+  const db = await createKyselyAdapter(config2);
+  if (!db) {
+    logger.error("Invalid database configuration.");
+    process.exit(1);
+  }
+  const tableMetadata = await db.introspection.getTables();
+  const toBeCreated = [];
+  const toBeAdded = [];
+  for (const [key, value] of Object.entries(betterAuthSchema)) {
+    const table = tableMetadata.find((t) => t.name === key);
+    if (!table) {
+      const tIndex = toBeCreated.findIndex((t) => t.table === key);
+      const tableData = {
+        table: key,
+        fields: value.fields,
+        order: value.order || Infinity
+      };
+      const insertIndex = toBeCreated.findIndex(
+        (t) => (t.order || Infinity) > tableData.order
+      );
+      if (insertIndex === -1) {
+        if (tIndex === -1) {
+          toBeCreated.push(tableData);
+        } else {
+          toBeCreated[tIndex].fields = {
+            ...toBeCreated[tIndex].fields,
+            ...value.fields
+          };
+        }
+      } else {
+        toBeCreated.splice(insertIndex, 0, tableData);
+      }
+      continue;
+    }
+    let toBeAddedFields = {};
+    for (const [fieldName, field] of Object.entries(value.fields)) {
+      const column = table.columns.find((c) => c.name === fieldName);
+      if (!column) {
+        toBeAddedFields[fieldName] = field;
+        continue;
+      }
+      if (matchType(column.dataType, field.type, dbType)) {
+        continue;
+      } else {
+        logger.warn(
+          `Field ${fieldName} in table ${key} has a different type in the database. Expected ${field.type} but got ${column.dataType}.`
+        );
+      }
+    }
+    if (Object.keys(toBeAddedFields).length > 0) {
+      toBeAdded.push({
+        table: key,
+        fields: toBeAddedFields,
+        order: value.order || Infinity
+      });
+    }
+  }
+  const migrations = [];
+  function getType(type) {
+    const typeMap = {
+      string: "text",
+      boolean: "boolean",
+      number: "integer",
+      date: "date"
+    };
+    if (dbType === "mysql" && type === "string") {
+      return "varchar(255)";
+    }
+    return typeMap[type];
+  }
+  if (toBeAdded.length) {
+    for (const table of toBeAdded) {
+      for (const [fieldName, field] of Object.entries(table.fields)) {
+        const type = getType(field.type);
+        const exec = db.schema.alterTable(table.table).addColumn(fieldName, type, (col) => {
+          col = field.required !== false ? col.notNull() : col;
+          if (field.references) {
+            col = col.references(
+              `${field.references.model}.${field.references.field}`
+            );
+          }
+          return col;
+        });
+        migrations.push(exec);
+      }
+    }
+  }
+  if (toBeCreated.length) {
+    for (const table of toBeCreated) {
+      let dbT = db.schema.createTable(table.table).addColumn("id", getType("string"), (col) => col.primaryKey());
+      for (const [fieldName, field] of Object.entries(table.fields)) {
+        const type = getType(field.type);
+        dbT = dbT.addColumn(fieldName, type, (col) => {
+          col = field.required !== false ? col.notNull() : col;
+          if (field.references) {
+            col = col.references(
+              `${field.references.model}.${field.references.field}`
+            );
+          }
+          if (field.unique) {
+            col = col.unique();
+          }
+          return col;
+        });
+      }
+      migrations.push(dbT);
+    }
+  }
+  async function runMigrations() {
+    for (const migration of migrations) {
+      await migration.execute();
+    }
+  }
+  async function compileMigrations() {
+    const compiled = migrations.map((m) => m.compile().sql);
+    return compiled.join(";\n\n");
+  }
+  return { toBeCreated, toBeAdded, runMigrations, compileMigrations };
+}
+
+// src/adapters/kysely-adapter/index.ts
+function convertWhere(w) {
+  if (!w)
+    return {
+      and: null,
+      or: null
+    };
+  const and = w?.filter((w2) => w2.connector === "AND" || !w2.connector).reduce(
+    (acc, w2) => ({
+      ...acc,
+      [w2.field]: w2.value
+    }),
+    {}
+  );
+  const or = w?.filter((w2) => w2.connector === "OR").reduce(
+    (acc, w2) => ({
+      ...acc,
+      [w2.field]: w2.value
+    }),
+    {}
+  );
+  return {
+    and: Object.keys(and).length ? and : null,
+    or: Object.keys(or).length ? or : null
+  };
+}
+function transformTo(val, fields, transform) {
+  for (const key in val) {
+    if (val[key] === 0 && fields[key]?.type === "boolean" && transform?.boolean) {
+      val[key] = false;
+    }
+    if (val[key] === 1 && fields[key]?.type === "boolean" && transform?.boolean) {
+      val[key] = true;
+    }
+    if (fields[key]?.type === "date") {
+      if (!(val[key] instanceof Date)) {
+        val[key] = new Date(val[key]);
+      }
+    }
+  }
+  return val;
+}
+function transformFrom(val, transform) {
+  for (const key in val) {
+    if (typeof val[key] === "boolean" && transform?.boolean) {
+      val[key] = val[key] ? 1 : 0;
+    }
+    if (val[key] instanceof Date) {
+      val[key] = val[key].toISOString();
+    }
+  }
+  return val;
+}
+var kyselyAdapter = (db, config2) => {
+  return {
+    id: "kysely",
+    async create(data) {
+      let { model, data: val, select } = data;
+      if (config2?.transform) {
+        val = transformFrom(val, config2.transform);
+      }
+      let res = await db.insertInto(model).values(val).returningAll().executeTakeFirst();
+      if (config2?.transform) {
+        const schema = config2.transform.schema[model];
+        res = schema ? transformTo(val, schema, config2.transform) : res;
+      }
+      if (select?.length) {
+        const data2 = res ? select.reduce((acc, cur) => {
+          if (res?.[cur]) {
+            return {
+              ...acc,
+              [cur]: res[cur]
+            };
+          }
+          return acc;
+        }, {}) : null;
+        res = data2;
+      }
+      return res;
+    },
+    async findOne(data) {
+      const { model, where, select } = data;
+      const { and, or } = convertWhere(where);
+      let query = db.selectFrom(model).selectAll();
+      if (or) {
+        query = query.where((eb) => eb.or(or));
+      }
+      if (and) {
+        query = query.where((eb) => eb.and(and));
+      }
+      let res = await query.executeTakeFirst();
+      if (select?.length) {
+        const data2 = res ? select.reduce((acc, cur) => {
+          if (res?.[cur]) {
+            return {
+              ...acc,
+              [cur]: res[cur]
+            };
+          }
+          return acc;
+        }, {}) : null;
+        res = data2;
+      }
+      if (config2?.transform) {
+        const schema = config2.transform.schema[model];
+        res = res && schema ? transformTo(res, schema, config2.transform) : res;
+        return res || null;
+      }
+      return res || null;
+    },
+    async findMany(data) {
+      const { model, where } = data;
+      let query = db.selectFrom(model);
+      const { and, or } = convertWhere(where);
+      if (and) {
+        query = query.where((eb) => eb.and(and));
+      }
+      if (or) {
+        query = query.where((eb) => eb.or(or));
+      }
+      const res = await query.selectAll().execute();
+      if (config2?.transform) {
+        const schema = config2.transform.schema[model];
+        return schema ? res.map((v) => transformTo(v, schema, config2.transform)) : res;
+      }
+      return res;
+    },
+    async update(data) {
+      let { model, where, update: val } = data;
+      const { and, or } = convertWhere(where);
+      if (config2?.transform) {
+        val = transformFrom(val, config2.transform);
+      }
+      let query = db.updateTable(model).set(val);
+      if (and) {
+        query = query.where((eb) => eb.and(and));
+      }
+      if (or) {
+        query = query.where((eb) => eb.or(or));
+      }
+      const res = await query.returningAll().executeTakeFirst() || null;
+      if (config2?.transform) {
+        const schema = config2.transform.schema[model];
+        return schema ? transformTo(res, schema, config2.transform) : res;
+      }
+      return res;
+    },
+    async delete(data) {
+      const { model, where } = data;
+      const { and, or } = convertWhere(where);
+      let query = db.deleteFrom(model);
+      if (and) {
+        query = query.where((eb) => eb.and(and));
+      }
+      if (or) {
+        query = query.where((eb) => eb.or(or));
+      }
+      await query.execute();
+    },
+    async createSchema(options) {
+      const { compileMigrations } = await getMigrations(options);
+      const migrations = await compileMigrations();
+      return {
+        code: migrations,
+        fileName: `./better-auth_migrations/${(/* @__PURE__ */ new Date()).toISOString()}.sql`
+      };
+    }
+  };
+};
+
+// src/db/utils.ts
+async function getAdapter(options, isCli) {
+  if (!options.database) {
+    throw new BetterAuthError("Database configuration is required");
+  }
+  if ("create" in options.database) {
+    return options.database;
+  }
+  const db = await createKyselyAdapter(options, isCli);
+  if (!db) {
+    throw new BetterAuthError("Failed to initialize database adapter");
+  }
+  const tables = getAuthTables(options);
+  let schema = {};
+  for (const table of Object.values(tables)) {
+    schema[table.tableName] = table.fields;
+  }
+  return kyselyAdapter(db, {
+    transform: {
+      schema,
+      date: true,
+      boolean: getDatabaseType(options) === "sqlite"
+    }
+  });
+}
+
+// src/crypto/password.ts
+import { scrypt } from "node:crypto";
+import { decodeHex, encodeHex } from "oslo/encoding";
+import { constantTimeEqual } from "oslo/crypto";
+var config = {
+  N: 16384,
+  r: 16,
+  p: 1,
+  dkLen: 64
+};
+async function generateKey(password, salt) {
+  return await new Promise((resolve, reject) => {
+    scrypt(
+      password.normalize("NFKC"),
+      salt,
+      config.dkLen,
+      {
+        N: config.N,
+        p: config.p,
+        r: config.r,
+        // errors when 128 * N * r > `maxmem` (approximately)
+        maxmem: 128 * config.N * config.r * 2
+      },
+      (err, buff) => {
+        if (err) return reject(err);
+        return resolve(buff);
+      }
+    );
+  });
+}
+var hashPassword = async (password) => {
+  const salt = encodeHex(crypto.getRandomValues(new Uint8Array(16)));
+  const key = await generateKey(password, salt);
+  return `${salt}:${encodeHex(key)}`;
+};
+var verifyPassword = async (hash, password) => {
+  const [salt, key] = hash.split(":");
+  const targetKey = await generateKey(password, salt);
+  return constantTimeEqual(targetKey, decodeHex(key));
+};
+
+// src/db/internal-adapter.ts
+import { alphabet as alphabet5, generateRandomString as generateRandomString5 } from "oslo/crypto";
+var createInternalAdapter = (adapter, options) => {
+  const sessionExpiration = options.session?.expiresIn || 60 * 60 * 24 * 7;
+  const tables = getAuthTables(options);
+  const hooks = options.databaseHooks;
+  async function createWithHooks(data, model) {
+    let actualData = data;
+    if (hooks?.[model]?.create?.before) {
+      const result = await hooks[model].create.before(data);
+      if (result === false) {
+        return null;
+      }
+      const isObject = typeof result === "object";
+      actualData = isObject ? result.data : result;
+    }
+    const created = await adapter.create({
+      model,
+      data
+    });
+    if (hooks?.[model]?.create?.after && created) {
+      await hooks[model].create.after(created);
+    }
+    return created;
+  }
+  return {
+    createOAuthUser: async (user, account) => {
+      try {
+        const createdUser = await createWithHooks(user, "user");
+        const createdAccount = await createWithHooks(account, "account");
+        return {
+          user: createdUser,
+          account: createdAccount
+        };
+      } catch (e) {
+        console.log(e);
+        return null;
+      }
+    },
+    createUser: async (user) => {
+      const createdUser = await createWithHooks(user, "user");
+      return createdUser;
+    },
+    createSession: async (userId, request, dontRememberMe) => {
+      const headers = request instanceof Request ? request.headers : request;
+      const data = {
+        id: generateRandomString5(32, alphabet5("a-z", "0-9", "A-Z")),
+        userId,
+        /**
+         * If the user doesn't want to be remembered
+         * set the session to expire in 1 day.
+         * The cookie will be set to expire at the end of the session
+         */
+        expiresAt: dontRememberMe ? getDate(1e3 * 60 * 60 * 24) : getDate(sessionExpiration, true),
+        ipAddress: headers?.get("x-forwarded-for") || "",
+        userAgent: headers?.get("user-agent") || ""
+      };
+      const session = await createWithHooks(data, "session");
+      return session;
+    },
+    findSession: async (sessionId) => {
+      const session = await adapter.findOne({
+        model: tables.session.tableName,
+        where: [
+          {
+            value: sessionId,
+            field: "id"
+          }
+        ]
+      });
+      if (!session) {
+        return null;
+      }
+      const user = await adapter.findOne({
+        model: tables.user.tableName,
+        where: [
+          {
+            value: session.userId,
+            field: "id"
+          }
+        ]
+      });
+      if (!user) {
+        return null;
+      }
+      return {
+        session,
+        user
+      };
+    },
+    updateSession: async (sessionId, session) => {
+      if (hooks?.session?.update?.before) {
+        const result = await hooks.session.update.before(session);
+        if (result === false) {
+          return null;
+        }
+        session = typeof result === "object" ? result.data : result;
+      }
+      const updatedSession = await adapter.update({
+        model: tables.session.tableName,
+        where: [
+          {
+            field: "id",
+            value: sessionId
+          }
+        ],
+        update: session
+      });
+      if (hooks?.session?.update?.after && updatedSession) {
+        await hooks.session.update.after(updatedSession);
+      }
+      return updatedSession;
+    },
+    deleteSession: async (id) => {
+      const session = await adapter.delete({
+        model: tables.session.tableName,
+        where: [
+          {
+            field: "id",
+            value: id
+          }
+        ]
+      });
+      return session;
+    },
+    deleteSessions: async (userId) => {
+      return await adapter.delete({
+        model: tables.session.tableName,
+        where: [
+          {
+            field: "userId",
+            value: userId
+          }
+        ]
+      });
+    },
+    findUserByEmail: async (email) => {
+      const user = await adapter.findOne({
+        model: tables.user.tableName,
+        where: [
+          {
+            value: email.toLowerCase(),
+            field: "email"
+          }
+        ]
+      });
+      if (!user) return null;
+      const accounts = await adapter.findMany({
+        model: tables.account.tableName,
+        where: [
+          {
+            value: user.id,
+            field: "userId"
+          }
+        ]
+      });
+      return {
+        user,
+        accounts
+      };
+    },
+    findUserById: async (userId) => {
+      const user = await adapter.findOne({
+        model: tables.user.tableName,
+        where: [
+          {
+            field: "id",
+            value: userId
+          }
+        ]
+      });
+      return user;
+    },
+    linkAccount: async (account) => {
+      const _account = await createWithHooks(account, "account");
+      return _account;
+    },
+    updateUserByEmail: async (email, data) => {
+      if (hooks?.user?.update?.before) {
+        const result = await hooks.user.update.before(data);
+        if (result === false) {
+          return null;
+        }
+        data = typeof result === "object" ? result.data : result;
+      }
+      const user = await adapter.update({
+        model: tables.user.tableName,
+        where: [
+          {
+            value: email,
+            field: "email"
+          }
+        ],
+        update: data
+      });
+      if (hooks?.user?.update?.after && user) {
+        await hooks.user.update.after(user);
+      }
+      return user;
+    },
+    updatePassword: async (userId, password) => {
+      const account = await adapter.update({
+        model: tables.account.tableName,
+        where: [
+          {
+            value: userId,
+            field: "userId"
+          },
+          {
+            field: "providerId",
+            value: "credential"
+          }
+        ],
+        update: {
+          password
+        }
+      });
+      return account;
+    },
+    findAccounts: async (userId) => {
+      const accounts = await adapter.findMany({
+        model: tables.account.tableName,
+        where: [
+          {
+            field: "userId",
+            value: userId
+          }
+        ]
+      });
+      return accounts;
+    },
+    updateAccount: async (accountId, data) => {
+      if (hooks?.account?.update?.before) {
+        const result = await hooks.account.update.before(data);
+        if (result === false) {
+          return null;
+        }
+        data = typeof result === "object" ? result.data : result;
+      }
+      const account = await adapter.update({
+        model: tables.account.tableName,
+        where: [
+          {
+            field: "id",
+            value: accountId
+          }
+        ],
+        update: data
+      });
+      if (hooks?.account?.update?.after && account) {
+        await hooks.account.update.after(account);
+      }
+      return account;
+    }
+  };
+};
+
+// src/utils/constants.ts
+var DEFAULT_SECRET = "better-auth-secret-123456789";
+
+// src/internal-plugins/cross-subdomain/index.ts
+var crossSubdomainCookies = (options) => {
+  return {
+    id: "cross-subdomain-cookies",
+    async onResponse(response, ctx) {
+      const setCookie = response.headers.get("set-cookie");
+      if (!setCookie) return;
+      const baseURL = ctx.baseURL;
+      const cookieParts = setCookie.split(";");
+      const domain = options?.domainName || new URL(baseURL).hostname;
+      const authCookies = ctx.authCookies;
+      const cookieNamesEligibleForDomain = [
+        authCookies.sessionToken.name,
+        authCookies.csrfToken.name,
+        authCookies.dontRememberToken.name
+      ];
+      if (!cookieNamesEligibleForDomain.some((name) => setCookie.includes(name))) {
+        return;
+      }
+      const updatedCookies = cookieParts.map((part) => {
+        if (!cookieNamesEligibleForDomain.some(
+          (name) => part.toLowerCase().includes(name.toLowerCase())
+        )) {
+          return part;
+        }
+        const trimmedPart = part.trim();
+        if (trimmedPart.toLowerCase().startsWith("domain=")) {
+          return `Domain=${domain}`;
+        }
+        if (!trimmedPart.toLowerCase().includes("domain=")) {
+          return `${trimmedPart}; Domain=${domain}`;
+        }
+        return trimmedPart;
+      }).filter(
+        (part, index, self) => index === self.findIndex((p) => p.split(";")[0] === part.split(";")[0])
+      ).join("; ");
+      response.headers.set("set-cookie", updatedCookies);
+      return {
+        response
+      };
+    }
+  };
+};
+
+// src/init.ts
+var init = async (opts) => {
+  const { options, context } = runPluginInit(opts);
+  const plugins = options.plugins || [];
+  const internalPlugins = getInternalPlugins(options);
+  const adapter = await getAdapter(options);
+  const db = await createKyselyAdapter(options);
+  const baseURL = getBaseURL(options.baseURL, options.basePath) || "";
+  const secret = options.secret || process.env.BETTER_AUTH_SECRET || process.env.AUTH_SECRET || DEFAULT_SECRET;
+  const cookies = getCookies(options);
+  const tables = getAuthTables(options);
+  const socialProviders = Object.keys(options.socialProviders || {}).map((key) => {
+    const value = options.socialProviders?.[key];
+    if (value.enabled === false) {
+      return null;
+    }
+    if (!value.clientId || !value.clientSecret) {
+      logger.warn(
+        `Social provider ${key} is missing clientId or clientSecret`
+      );
+    }
+    return oAuthProviders[key](value);
+  }).filter((x) => x !== null);
+  return {
+    appName: options.appName || "Better Auth",
+    socialProviders,
+    options: {
+      ...options,
+      baseURL: baseURL ? new URL(baseURL).origin : "",
+      basePath: options.basePath || "/api/auth",
+      plugins: plugins.concat(internalPlugins)
+    },
+    tables,
+    baseURL,
+    sessionConfig: {
+      updateAge: options.session?.updateAge || 24 * 60 * 60,
+      // 24 hours
+      expiresIn: options.session?.expiresIn || 60 * 60 * 24 * 7
+      // 7 days
+    },
+    secret,
+    rateLimit: {
+      ...options.rateLimit,
+      enabled: options.rateLimit?.enabled ?? process.env.NODE_ENV !== "development",
+      window: options.rateLimit?.window || 60,
+      max: options.rateLimit?.max || 100,
+      storage: options.rateLimit?.storage || "memory"
+    },
+    authCookies: cookies,
+    logger: createLogger({
+      disabled: options.logger?.disabled || false
+    }),
+    db,
+    password: {
+      hash: options.emailAndPassword?.password?.hash || hashPassword,
+      verify: options.emailAndPassword?.password?.verify || verifyPassword,
+      config: {
+        minPasswordLength: options.emailAndPassword?.minPasswordLength || 8,
+        maxPasswordLength: options.emailAndPassword?.maxPasswordLength || 128
+      }
+    },
+    adapter,
+    internalAdapter: createInternalAdapter(adapter, options),
+    createAuthCookie: createCookieGetter(options),
+    ...context
+  };
+};
+function runPluginInit(options) {
+  const plugins = options.plugins || [];
+  let context = {};
+  for (const plugin of plugins) {
+    if (plugin.init) {
+      const result = plugin.init(options);
+      if (typeof result === "object") {
+        if (result.options) {
+          options = {
+            ...options,
+            ...result.options
+          };
+        }
+        context = {
+          ...result
+        };
+      }
+    }
+  }
+  const { options: _, ...rest } = context;
+  return {
+    options,
+    context: rest
+  };
+}
+function getInternalPlugins(options) {
+  const plugins = [];
+  if (options.advanced?.crossSubDomainCookies?.enabled) {
+    plugins.push(
+      crossSubdomainCookies({
+        eligibleCookies: options.advanced.crossSubDomainCookies.eligibleCookies
+      })
+    );
+  }
+  return plugins;
+}
 
-`)}return{toBeCreated:s,toBeAdded:i,runMigrations:c,compileMigrations:l}}function K(e){if(!e)return{and:null,or:null};let t=e?.filter(r=>r.connector==="AND"||!r.connector).reduce((r,n)=>({...r,[n.field]:n.value}),{}),o=e?.filter(r=>r.connector==="OR").reduce((r,n)=>({...r,[n.field]:n.value}),{});return{and:Object.keys(t).length?t:null,or:Object.keys(o).length?o:null}}function W(e,t,o){for(let r in e)e[r]===0&&t[r]?.type==="boolean"&&o?.boolean&&(e[r]=!1),e[r]===1&&t[r]?.type==="boolean"&&o?.boolean&&(e[r]=!0),t[r]?.type==="date"&&(e[r]instanceof Date||(e[r]=new Date(e[r])));return e}function nt(e,t){for(let o in e)typeof e[o]=="boolean"&&t?.boolean&&(e[o]=e[o]?1:0),e[o]instanceof Date&&(e[o]=e[o].toISOString());return e}var st=(e,t)=>({id:"kysely",async create(o){let{model:r,data:n,select:s}=o;t?.transform&&(n=nt(n,t.transform));let i=await e.insertInto(r).values(n).returningAll().executeTakeFirst();if(t?.transform){let a=t.transform.schema[r];i=a?W(n,a,t.transform):i}return s?.length&&(i=i?s.reduce((d,c)=>i?.[c]?{...d,[c]:i[c]}:d,{}):null),i},async findOne(o){let{model:r,where:n,select:s}=o,{and:i,or:a}=K(n),d=e.selectFrom(r).selectAll();a&&(d=d.where(l=>l.or(a))),i&&(d=d.where(l=>l.and(i)));let c=await d.executeTakeFirst();if(s?.length&&(c=c?s.reduce((u,p)=>c?.[p]?{...u,[p]:c[p]}:u,{}):null),t?.transform){let l=t.transform.schema[r];return c=c&&l?W(c,l,t.transform):c,c||null}return c||null},async findMany(o){let{model:r,where:n}=o,s=e.selectFrom(r),{and:i,or:a}=K(n);i&&(s=s.where(c=>c.and(i))),a&&(s=s.where(c=>c.or(a)));let d=await s.selectAll().execute();if(t?.transform){let c=t.transform.schema[r];return c?d.map(l=>W(l,c,t.transform)):d}return d},async update(o){let{model:r,where:n,update:s}=o,{and:i,or:a}=K(n);t?.transform&&(s=nt(s,t.transform));let d=e.updateTable(r).set(s);i&&(d=d.where(l=>l.and(i))),a&&(d=d.where(l=>l.or(a)));let c=await d.returningAll().executeTakeFirst()||null;if(t?.transform){let l=t.transform.schema[r];return l?W(c,l,t.transform):c}return c},async delete(o){let{model:r,where:n}=o,{and:s,or:i}=K(n),a=e.deleteFrom(r);s&&(a=a.where(d=>d.and(s))),i&&(a=a.where(d=>d.or(i))),await a.execute()},async createSchema(o){let{compileMigrations:r}=await ot(o);return console.log(r),{code:await r(),fileName:`./better-auth_migrations/${new Date().toISOString()}.sql`}}});async function it(e){if(!e.database)throw new k("Database configuration is required");if("create"in e.database)return e.database;let t=await q(e);if(!t)throw new k("Failed to initialize database adapter");let o=C(e),r={};for(let n of Object.values(o))r[n.tableName]=n.fields;return st(t,{transform:{schema:r,date:!0,boolean:G(e)==="sqlite"}})}import{scrypt as hr}from"node:crypto";import{decodeHex as yr,encodeHex as at}from"oslo/encoding";import{constantTimeEqual as br}from"oslo/crypto";var j={N:16384,r:16,p:1,dkLen:64};async function dt(e,t){return await new Promise((o,r)=>{hr(e.normalize("NFKC"),t,j.dkLen,{N:j.N,p:j.p,r:j.r,maxmem:128*j.N*j.r*2},(n,s)=>n?r(n):o(s))})}var ct=async e=>{let t=at(crypto.getRandomValues(new Uint8Array(16))),o=await dt(e,t);return`${t}:${at(o)}`},lt=async(e,t)=>{let[o,r]=e.split(":"),n=await dt(t,o);return br(n,yr(r))};import{alphabet as wr,generateRandomString as Ar}from"oslo/crypto";var ut=(e,t)=>{let o=t.session?.expiresIn||604800,r=C(t),n=t.databaseHooks;async function s(i,a){let d=i;if(n?.[a]?.create?.before){let l=await n[a].create.before(i);if(l===!1)return null;d=typeof l=="object"?l.data:l}let c=await e.create({model:a,data:i});return n?.[a]?.create?.after&&c&&await n[a].create.after(c),c}return{createOAuthUser:async(i,a)=>{try{let d=await s(i,"user"),c=await s(a,"account");return{user:d,account:c}}catch(d){return console.log(d),null}},createUser:async i=>await s(i,"user"),createSession:async(i,a,d)=>{let c=a instanceof Request?a.headers:a,l={id:Ar(32,wr("a-z","0-9","A-Z")),userId:i,expiresAt:d?N(1e3*60*60*24):N(o,!0),ipAddress:c?.get("x-forwarded-for")||"",userAgent:c?.get("user-agent")||""};return await s(l,"session")},findSession:async i=>{let a=await e.findOne({model:r.session.tableName,where:[{value:i,field:"id"}]});if(!a)return null;let d=await e.findOne({model:r.user.tableName,where:[{value:a.userId,field:"id"}]});return d?{session:a,user:d}:null},updateSession:async(i,a)=>{if(n?.session?.update?.before){let c=await n.session.update.before(a);if(c===!1)return null;a=typeof c=="object"?c.data:c}let d=await e.update({model:r.session.tableName,where:[{field:"id",value:i}],update:a});return n?.session?.update?.after&&d&&await n.session.update.after(d),d},deleteSession:async i=>await e.delete({model:r.session.tableName,where:[{field:"id",value:i}]}),deleteSessions:async i=>await e.delete({model:r.session.tableName,where:[{field:"userId",value:i}]}),findUserByEmail:async i=>{let a=await e.findOne({model:r.user.tableName,where:[{value:i.toLowerCase(),field:"email"}]});if(!a)return null;let d=await e.findMany({model:r.account.tableName,where:[{value:a.id,field:"userId"}]});return{user:a,accounts:d}},findUserById:async i=>await e.findOne({model:r.user.tableName,where:[{field:"id",value:i}]}),linkAccount:async i=>await s(i,"account"),updateUserByEmail:async(i,a)=>{if(n?.user?.update?.before){let c=await n.user.update.before(a);if(c===!1)return null;a=typeof c=="object"?c.data:c}let d=await e.update({model:r.user.tableName,where:[{value:i,field:"email"}],update:a});return n?.user?.update?.after&&d&&await n.user.update.after(d),d},updatePassword:async(i,a)=>await e.update({model:r.account.tableName,where:[{value:i,field:"userId"},{field:"providerId",value:"credential"}],update:{password:a}}),findAccounts:async i=>await e.findMany({model:r.account.tableName,where:[{field:"userId",value:i}]}),updateAccount:async(i,a)=>{if(n?.account?.update?.before){let c=await n.account.update.before(a);if(c===!1)return null;a=typeof c=="object"?c.data:c}let d=await e.update({model:r.account.tableName,where:[{field:"id",value:i}],update:a});return n?.account?.update?.after&&d&&await n.account.update.after(d),d}}};var pt="better-auth-secret-123456789";var mt=e=>({id:"cross-subdomain-cookies",async onResponse(t,o){let r=t.headers.get("set-cookie");if(!r)return;let n=o.baseURL,s=r.split(";"),i=e?.domainName||new URL(n).hostname,a=o.authCookies,d=[a.sessionToken.name,a.csrfToken.name,a.dontRememberToken.name];if(!d.some(l=>r.includes(l)))return;let c=s.map(l=>{if(!d.some(p=>l.toLowerCase().includes(p.toLowerCase())))return l;let u=l.trim();return u.toLowerCase().startsWith("domain=")?`Domain=${i}`:u.toLowerCase().includes("domain=")?u:`${u}; Domain=${i}`}).filter((l,u,p)=>u===p.findIndex(m=>m.split(";")[0]===l.split(";")[0])).join("; ");return t.headers.set("set-cookie",c),{response:t}}});var ft=async e=>{let{options:t,context:o}=kr(e),r=t.plugins||[],n=Rr(t),s=await it(t),i=await q(t),a=V(t.baseURL,t.basePath)||"",d=t.secret||process.env.BETTER_AUTH_SECRET||process.env.AUTH_SECRET||pt,c=Te(t),l=C(t),u=Object.keys(t.socialProviders||{}).map(p=>{let m=t.socialProviders?.[p];return m.enabled===!1?null:((!m.clientId||!m.clientSecret)&&T.warn(`Social provider ${p} is missing clientId or clientSecret`),Q[p](m))}).filter(p=>p!==null);return{appName:t.appName||"Better Auth",socialProviders:u,options:{...t,baseURL:a?new URL(a).origin:"",basePath:t.basePath||"/api/auth",plugins:r.concat(n)},tables:l,baseURL:a,sessionConfig:{updateAge:t.session?.updateAge||24*60*60,expiresIn:t.session?.expiresIn||60*60*24*7},secret:d,rateLimit:{...t.rateLimit,enabled:t.rateLimit?.enabled??process.env.NODE_ENV!=="development",window:t.rateLimit?.window||60,max:t.rateLimit?.max||100,storage:t.rateLimit?.storage||"memory"},authCookies:c,logger:Z({disabled:t.logger?.disabled||!1}),db:i,password:{hash:t.emailAndPassword?.password?.hash||ct,verify:t.emailAndPassword?.password?.verify||lt,config:{minPasswordLength:t.emailAndPassword?.minPasswordLength||8,maxPasswordLength:t.emailAndPassword?.maxPasswordLength||128}},adapter:s,internalAdapter:ut(s,t),createAuthCookie:xe(t),...o}};function kr(e){let t=e.plugins||[],o={};for(let s of t)if(s.init){let i=s.init(e);typeof i=="object"&&(i.options&&(e={...e,...i.options}),o={...i})}let{options:r,...n}=o;return{options:e,context:n}}function Rr(e){let t=[];return e.advanced?.crossSubDomainCookies?.enabled&&t.push(mt({eligibleCookies:e.advanced.crossSubDomainCookies.eligibleCookies})),t}var La=e=>{let t=ft(e),{api:o}=ie(t,e);return{handler:async r=>{let n=await t,s=n.options.basePath,i=new URL(r.url);if(!n.options.baseURL){let d=`${i.origin}/api/auth`;n.options.baseURL=d,n.baseURL=d}if(!n.options.baseURL)return new Response("Base URL not set",{status:400});if(i.pathname===s||i.pathname===`${s}/`)return new Response("Welcome to BetterAuth",{status:200});let{handler:a}=Xe(n,e);return a(r)},api:o,options:e,$Infer:{}}};export{La as betterAuth};
+// src/auth.ts
+var betterAuth = (options) => {
+  const authContext = init(options);
+  const { api } = getEndpoints(authContext, options);
+  return {
+    handler: async (request) => {
+      const ctx = await authContext;
+      const basePath = ctx.options.basePath;
+      const url = new URL(request.url);
+      if (!ctx.options.baseURL) {
+        const baseURL = `${url.origin}/api/auth`;
+        ctx.options.baseURL = baseURL;
+        ctx.baseURL = baseURL;
+      }
+      if (!ctx.options.baseURL) {
+        return new Response("Base URL not set", { status: 400 });
+      }
+      if (url.pathname === basePath || url.pathname === `${basePath}/`) {
+        return new Response("Welcome to BetterAuth", { status: 200 });
+      }
+      const { handler } = router(ctx, options);
+      return handler(request);
+    },
+    api,
+    options,
+    $Infer: {}
+  };
+};
+export {
+  betterAuth
+};