better-auth 0.2.8-beta.8 → 0.2.8

package/dist/index.js

@@ -1,23 +1,18 @@
-import { createMiddleware, createMiddlewareCreator, createEndpointCreator, APIError, createRouter } from 'better-call';
-import { z } from 'zod';
-import '@noble/ciphers/chacha';
-import '@noble/ciphers/utils';
-import '@noble/ciphers/webcrypto';
-import '@noble/hashes/sha256';
-import { generateCodeVerifier, generateState as generateState$1 } from 'oslo/oauth2';
-import { Facebook, GitHub, Google, Spotify, Twitch, Twitter, OAuth2Tokens } from 'arctic';
-import { createJWT, validateJWT, parseJWT } from 'oslo/jwt';
-import { betterFetch } from '@better-fetch/fetch';
-import { TimeSpan } from 'oslo';
-import { nanoid } from 'nanoid';
-import { createConsola } from 'consola';
-import chalk from 'chalk';
-import { SqliteDialect, MysqlDialect, PostgresDialect, Kysely } from 'kysely';
-import { scrypt } from 'node:crypto';
-import { encodeHex, decodeHex } from 'oslo/encoding';
-import { defu } from 'defu';
-
 // src/api/index.ts
+import {
+  APIError as APIError5,
+  createRouter
+} from "better-call";
+
+// src/api/middlewares/csrf.ts
+import { APIError } from "better-call";
+import { z } from "zod";
+
+// src/crypto/index.ts
+import { xchacha20poly1305 } from "@noble/ciphers/chacha";
+import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/ciphers/utils";
+import { managedNonce } from "@noble/ciphers/webcrypto";
+import { sha256 } from "@noble/hashes/sha256";
 async function hs256(secretKey, message) {
   const enc = new TextEncoder();
   const algorithm = { name: "HMAC", hash: "SHA-256" };
@@ -35,6 +30,13 @@ async function hs256(secretKey, message) {
   );
   return btoa(String.fromCharCode(...new Uint8Array(signature)));
 }
+
+// src/api/call.ts
+import {
+  createEndpointCreator,
+  createMiddleware,
+  createMiddlewareCreator
+} from "better-call";
 var optionsMiddleware = createMiddleware(async () => {
   return {};
 });
@@ -94,6 +96,30 @@ var csrfMiddleware = createAuthMiddleware(
   }
 );
 
+// src/api/routes/sign-in.ts
+import { APIError as APIError3 } from "better-call";
+import { generateCodeVerifier } from "oslo/oauth2";
+import { z as z4 } from "zod";
+
+// src/social-providers/apple.ts
+import "arctic";
+import { parseJWT } from "oslo/jwt";
+import "@better-fetch/fetch";
+
+// src/error/better-auth-error.ts
+var BetterAuthError = class extends Error {
+  constructor(message, cause) {
+    super(message);
+    this.name = "BetterAuthError";
+    this.message = message;
+    this.cause = cause;
+    this.stack = "";
+  }
+};
+
+// src/social-providers/utils.ts
+import { OAuth2Tokens } from "arctic";
+
 // src/utils/base-url.ts
 function checkHasPath(url) {
   try {
@@ -127,232 +153,9 @@ function getBaseURL(url, path) {
   }
   return void 0;
 }
-function getCookies(options) {
-  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV !== "development" && process.env.NODE_ENV !== "test";
-  const secureCookiePrefix = secure ? "__Secure-" : "";
-  const cookiePrefix = "better-auth";
-  const sessionMaxAge = new TimeSpan(7, "d").seconds();
-  return {
-    sessionToken: {
-      name: `${secureCookiePrefix}${cookiePrefix}.session_token`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure: !!secureCookiePrefix,
-        maxAge: sessionMaxAge
-      }
-    },
-    csrfToken: {
-      name: `${secureCookiePrefix ? "__Host-" : ""}${cookiePrefix}.csrf_token`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure: !!secureCookiePrefix,
-        maxAge: 60 * 60 * 24 * 7
-      }
-    },
-    state: {
-      name: `${secureCookiePrefix}${cookiePrefix}.state`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure: !!secureCookiePrefix,
-        maxAge: 60 * 15
-        // 15 minutes in seconds
-      }
-    },
-    pkCodeVerifier: {
-      name: `${secureCookiePrefix}${cookiePrefix}.pk_code_verifier`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure: !!secureCookiePrefix,
-        maxAge: 60 * 15
-        // 15 minutes in seconds
-      }
-    },
-    dontRememberToken: {
-      name: `${secureCookiePrefix}${cookiePrefix}.dont_remember`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure: !!secureCookiePrefix
-        //no max age so it expires when the browser closes
-      }
-    },
-    nonce: {
-      name: `${secureCookiePrefix}${cookiePrefix}.nonce`,
-      options: {
-        httpOnly: true,
-        sameSite: "lax",
-        path: "/",
-        secure: !!secureCookiePrefix,
-        maxAge: 60 * 15
-        // 15 minutes in seconds
-      }
-    }
-  };
-}
-function createCookieGetter(options) {
-  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV === "production";
-  const secureCookiePrefix = secure ? "__Secure-" : "";
-  const cookiePrefix = "better-auth";
-  function getCookie(cookieName, options2) {
-    return {
-      name: process.env.NODE_ENV === "production" ? `${secureCookiePrefix}${cookiePrefix}.${cookieName}` : `${cookiePrefix}.${cookieName}`,
-      options: {
-        secure: !!secureCookiePrefix,
-        sameSite: "lax",
-        path: "/",
-        maxAge: 60 * 15,
-        // 15 minutes in seconds
-        ...options2
-      }
-    };
-  }
-  return getCookie;
-}
-async function setSessionCookie(ctx, sessionToken, dontRememberMe, overrides) {
-  const options = ctx.context.authCookies.sessionToken.options;
-  options.maxAge = dontRememberMe ? void 0 : options.maxAge;
-  await ctx.setSignedCookie(
-    ctx.context.authCookies.sessionToken.name,
-    sessionToken,
-    ctx.context.secret,
-    options
-  );
-  if (dontRememberMe) {
-    await ctx.setSignedCookie(
-      ctx.context.authCookies.dontRememberToken.name,
-      "true",
-      ctx.context.secret,
-      ctx.context.authCookies.dontRememberToken.options
-    );
-  }
-}
-function deleteSessionCookie(ctx) {
-  ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
-    maxAge: 0
-  });
-  ctx.setCookie(ctx.context.authCookies.dontRememberToken.name, "", {
-    maxAge: 0
-  });
-}
-
-// src/utils/date.ts
-var getDate = (span, unit = "ms") => {
-  const date = /* @__PURE__ */ new Date();
-  return new Date(date.getTime() + (unit === "sec" ? span * 1e3 : span));
-};
-
-// src/utils/get-request-ip.ts
-function getIp(req) {
-  const testIP = "127.0.0.1";
-  if (process.env.NODE_ENV === "test") {
-    return testIP;
-  }
-  const headers = [
-    "x-client-ip",
-    "x-forwarded-for",
-    "cf-connecting-ip",
-    "fastly-client-ip",
-    "x-real-ip",
-    "x-cluster-client-ip",
-    "x-forwarded",
-    "forwarded-for",
-    "forwarded"
-  ];
-  for (const header of headers) {
-    const value = req.headers.get(header);
-    if (typeof value === "string") {
-      const ip = value.split(",")[0].trim();
-      if (ip) return ip;
-    }
-  }
-  return null;
-}
-
-// src/utils/hide-metadata.ts
-var HIDE_METADATA = {
-  isAction: false
-};
-var generateId = (size) => {
-  return nanoid(size);
-};
-var consola = createConsola({
-  formatOptions: {
-    date: false,
-    colors: true,
-    compact: true
-  },
-  defaults: {
-    tag: "Better Auth"
-  }
-});
-var createLogger = (options) => {
-  return {
-    log: (...args) => {
-      !options?.disabled && consola.log("", ...args);
-    },
-    error: (...args) => {
-      !options?.disabled && consola.error("", ...args);
-    },
-    warn: (...args) => {
-      !options?.disabled && consola.warn("", ...args);
-    },
-    info: (...args) => {
-      !options?.disabled && consola.info("", ...args);
-    },
-    debug: (...args) => {
-      !options?.disabled && consola.debug("", ...args);
-    },
-    box: (...args) => {
-      !options?.disabled && consola.box("", ...args);
-    },
-    success: (...args) => {
-      !options?.disabled && consola.success("", ...args);
-    },
-    break: (...args) => {
-      !options?.disabled && console.log("\n");
-    }
-  };
-};
-var logger = createLogger();
-function generateState(callbackURL, currentURL, dontRememberMe) {
-  const code = generateState$1();
-  const state = JSON.stringify({
-    code,
-    callbackURL,
-    currentURL,
-    dontRememberMe
-  });
-  return { state, code };
-}
-function parseState(state) {
-  const data = z.object({
-    code: z.string(),
-    callbackURL: z.string().optional(),
-    currentURL: z.string().optional(),
-    dontRememberMe: z.boolean().optional()
-  }).safeParse(JSON.parse(state));
-  return data;
-}
 
-// src/error/better-auth-error.ts
-var BetterAuthError = class extends Error {
-  constructor(message, cause) {
-    super(message);
-    this.name = "BetterAuthError";
-    this.message = message;
-    this.cause = cause;
-    this.stack = "";
-  }
-};
+// src/social-providers/utils.ts
+import { betterFetch } from "@better-fetch/fetch";
 function getRedirectURI(providerId, redirectURI) {
   return redirectURI || `${getBaseURL()}/callback/${providerId}`;
 }
@@ -424,6 +227,9 @@ var apple = (options) => {
     }
   };
 };
+
+// src/social-providers/discord.ts
+import { betterFetch as betterFetch3 } from "@better-fetch/fetch";
 var discord = (options) => {
   return {
     id: "discord",
@@ -447,7 +253,7 @@ var discord = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch3(
         "https://discord.com/api/users/@me",
         {
           headers: {
@@ -478,6 +284,10 @@ var discord = (options) => {
     }
   };
 };
+
+// src/social-providers/facebook.ts
+import { betterFetch as betterFetch4 } from "@better-fetch/fetch";
+import { Facebook } from "arctic";
 var facebook = (options) => {
   const facebookArctic = new Facebook(
     options.clientId,
@@ -501,7 +311,7 @@ var facebook = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch4(
         "https://graph.facebook.com/me",
         {
           auth: {
@@ -525,6 +335,10 @@ var facebook = (options) => {
     }
   };
 };
+
+// src/social-providers/github.ts
+import { betterFetch as betterFetch5 } from "@better-fetch/fetch";
+import { GitHub } from "arctic";
 var github = ({
   clientId,
   clientSecret,
@@ -546,7 +360,7 @@ var github = ({
       return await githubArctic.validateAuthorizationCode(state);
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch5(
         "https://api.github.com/user",
         {
           auth: {
@@ -560,7 +374,7 @@ var github = ({
       }
       let emailVerified = false;
       if (!profile.email) {
-        const { data, error: error3 } = await betterFetch("https://api.github.com/user/emails", {
+        const { data, error: error3 } = await betterFetch5("https://api.github.com/user/emails", {
           auth: {
             type: "Bearer",
             token: token.accessToken()
@@ -586,6 +400,54 @@ var github = ({
     }
   };
 };
+
+// src/social-providers/google.ts
+import { Google } from "arctic";
+import { parseJWT as parseJWT2 } from "oslo/jwt";
+
+// src/utils/logger.ts
+import { createConsola } from "consola";
+var consola = createConsola({
+  formatOptions: {
+    date: false,
+    colors: true,
+    compact: true
+  },
+  defaults: {
+    tag: "Better Auth"
+  }
+});
+var createLogger = (options) => {
+  return {
+    log: (...args) => {
+      !options?.disabled && consola.log("", ...args);
+    },
+    error: (...args) => {
+      !options?.disabled && consola.error("", ...args);
+    },
+    warn: (...args) => {
+      !options?.disabled && consola.warn("", ...args);
+    },
+    info: (...args) => {
+      !options?.disabled && consola.info("", ...args);
+    },
+    debug: (...args) => {
+      !options?.disabled && consola.debug("", ...args);
+    },
+    box: (...args) => {
+      !options?.disabled && consola.box("", ...args);
+    },
+    success: (...args) => {
+      !options?.disabled && consola.success("", ...args);
+    },
+    break: (...args) => {
+      !options?.disabled && console.log("\n");
+    }
+  };
+};
+var logger = createLogger();
+
+// src/social-providers/google.ts
 var google = (options) => {
   const googleArctic = new Google(
     options.clientId,
@@ -626,7 +488,7 @@ var google = (options) => {
       if (!token.idToken) {
         return null;
       }
-      const user = parseJWT(token.idToken())?.payload;
+      const user = parseJWT2(token.idToken())?.payload;
       return {
         user: {
           id: user.sub,
@@ -640,6 +502,10 @@ var google = (options) => {
     }
   };
 };
+
+// src/social-providers/spotify.ts
+import { betterFetch as betterFetch6 } from "@better-fetch/fetch";
+import { Spotify } from "arctic";
 var spotify = (options) => {
   const spotifyArctic = new Spotify(
     options.clientId,
@@ -663,7 +529,7 @@ var spotify = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch6(
         "https://api.spotify.com/v1/me",
         {
           method: "GET",
@@ -688,6 +554,10 @@ var spotify = (options) => {
     }
   };
 };
+
+// src/social-providers/twitch.ts
+import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
+import { Twitch } from "arctic";
 var twitch = (options) => {
   const twitchArctic = new Twitch(
     options.clientId,
@@ -710,7 +580,7 @@ var twitch = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch7(
         "https://api.twitch.tv/helix/users",
         {
           method: "GET",
@@ -735,6 +605,10 @@ var twitch = (options) => {
     }
   };
 };
+
+// src/social-providers/twitter.ts
+import { betterFetch as betterFetch8 } from "@better-fetch/fetch";
+import { Twitter } from "arctic";
 var twitter = (options) => {
   const twitterArctic = new Twitter(
     options.clientId,
@@ -762,7 +636,7 @@ var twitter = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch8(
         "https://api.x.com/2/users/me?user.fields=profile_image_url",
         {
           method: "GET",
@@ -791,6 +665,9 @@ var twitter = (options) => {
   };
 };
 
+// src/types/provider.ts
+import "arctic";
+
 // src/social-providers/index.ts
 var oAuthProviders = {
   apple,
@@ -803,6 +680,189 @@ var oAuthProviders = {
   twitter
 };
 var oAuthProviderList = Object.keys(oAuthProviders);
+
+// src/utils/state.ts
+import { generateState as generateStateOAuth } from "oslo/oauth2";
+import { z as z2 } from "zod";
+function generateState(callbackURL, currentURL, dontRememberMe) {
+  const code = generateStateOAuth();
+  const state = JSON.stringify({
+    code,
+    callbackURL,
+    currentURL,
+    dontRememberMe
+  });
+  return { state, code };
+}
+function parseState(state) {
+  const data = z2.object({
+    code: z2.string(),
+    callbackURL: z2.string().optional(),
+    currentURL: z2.string().optional(),
+    dontRememberMe: z2.boolean().optional()
+  }).safeParse(JSON.parse(state));
+  return data;
+}
+
+// src/api/routes/session.ts
+import { APIError as APIError2 } from "better-call";
+
+// src/utils/date.ts
+var getDate = (span, unit = "ms") => {
+  const date = /* @__PURE__ */ new Date();
+  return new Date(date.getTime() + (unit === "sec" ? span * 1e3 : span));
+};
+
+// src/utils/cookies.ts
+import { TimeSpan } from "oslo";
+function getCookies(options) {
+  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV !== "development" && process.env.NODE_ENV !== "test";
+  const secureCookiePrefix = secure ? "__Secure-" : "";
+  const cookiePrefix = "better-auth";
+  const sessionMaxAge = new TimeSpan(7, "d").seconds();
+  return {
+    sessionToken: {
+      name: `${secureCookiePrefix}${cookiePrefix}.session_token`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: sessionMaxAge
+      }
+    },
+    csrfToken: {
+      name: `${secureCookiePrefix ? "__Host-" : ""}${cookiePrefix}.csrf_token`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: 60 * 60 * 24 * 7
+      }
+    },
+    state: {
+      name: `${secureCookiePrefix}${cookiePrefix}.state`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: 60 * 15
+        // 15 minutes in seconds
+      }
+    },
+    pkCodeVerifier: {
+      name: `${secureCookiePrefix}${cookiePrefix}.pk_code_verifier`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: 60 * 15
+        // 15 minutes in seconds
+      }
+    },
+    dontRememberToken: {
+      name: `${secureCookiePrefix}${cookiePrefix}.dont_remember`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix
+        //no max age so it expires when the browser closes
+      }
+    },
+    nonce: {
+      name: `${secureCookiePrefix}${cookiePrefix}.nonce`,
+      options: {
+        httpOnly: true,
+        sameSite: "lax",
+        path: "/",
+        secure: !!secureCookiePrefix,
+        maxAge: 60 * 15
+        // 15 minutes in seconds
+      }
+    }
+  };
+}
+function createCookieGetter(options) {
+  const secure = !!options.advanced?.useSecureCookies || process.env.NODE_ENV === "production";
+  const secureCookiePrefix = secure ? "__Secure-" : "";
+  const cookiePrefix = "better-auth";
+  function getCookie(cookieName, options2) {
+    return {
+      name: process.env.NODE_ENV === "production" ? `${secureCookiePrefix}${cookiePrefix}.${cookieName}` : `${cookiePrefix}.${cookieName}`,
+      options: {
+        secure: !!secureCookiePrefix,
+        sameSite: "lax",
+        path: "/",
+        maxAge: 60 * 15,
+        // 15 minutes in seconds
+        ...options2
+      }
+    };
+  }
+  return getCookie;
+}
+async function setSessionCookie(ctx, sessionToken, dontRememberMe, overrides) {
+  const options = ctx.context.authCookies.sessionToken.options;
+  options.maxAge = dontRememberMe ? void 0 : options.maxAge;
+  await ctx.setSignedCookie(
+    ctx.context.authCookies.sessionToken.name,
+    sessionToken,
+    ctx.context.secret,
+    options
+  );
+  if (dontRememberMe) {
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.dontRememberToken.name,
+      "true",
+      ctx.context.secret,
+      ctx.context.authCookies.dontRememberToken.options
+    );
+  }
+}
+function deleteSessionCookie(ctx) {
+  ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
+    maxAge: 0
+  });
+  ctx.setCookie(ctx.context.authCookies.dontRememberToken.name, "", {
+    maxAge: 0
+  });
+}
+
+// src/api/routes/session.ts
+import { z as z3 } from "zod";
+
+// src/utils/get-request-ip.ts
+function getIp(req) {
+  const testIP = "127.0.0.1";
+  if (process.env.NODE_ENV === "test") {
+    return testIP;
+  }
+  const headers = [
+    "x-client-ip",
+    "x-forwarded-for",
+    "cf-connecting-ip",
+    "fastly-client-ip",
+    "x-real-ip",
+    "x-cluster-client-ip",
+    "x-forwarded",
+    "forwarded-for",
+    "forwarded"
+  ];
+  for (const header of headers) {
+    const value = req.headers.get(header);
+    if (typeof value === "string") {
+      const ip = value.split(",")[0].trim();
+      if (ip) return ip;
+    }
+  }
+  return null;
+}
+
+// src/api/routes/session.ts
 function getRequestUniqueKey(ctx, token) {
   if (!ctx.request) {
     return "";
@@ -895,7 +955,7 @@ var getSessionFromCtx = async (ctx) => {
 var sessionMiddleware = createAuthMiddleware(async (ctx) => {
   const session = await getSessionFromCtx(ctx);
   if (!session?.session) {
-    throw new APIError("UNAUTHORIZED");
+    throw new APIError2("UNAUTHORIZED");
   }
   return {
     session
@@ -930,8 +990,8 @@ var revokeSession = createAuthEndpoint(
   "/user/revoke-session",
   {
     method: "POST",
-    body: z.object({
-      id: z.string()
+    body: z3.object({
+      id: z3.string()
     }),
     use: [sessionMiddleware],
     requireHeaders: true
@@ -984,26 +1044,26 @@ var signInOAuth = createAuthEndpoint(
   {
     method: "POST",
     requireHeaders: true,
-    query: z.object({
+    query: z4.object({
       /**
        * Redirect to the current URL after the
        * user has signed in.
        */
-      currentURL: z.string().optional()
+      currentURL: z4.string().optional()
     }).optional(),
-    body: z.object({
+    body: z4.object({
       /**
        * Callback URL to redirect to after the user has signed in.
        */
-      callbackURL: z.string().optional(),
+      callbackURL: z4.string().optional(),
       /**
        * OAuth2 provider to use`
        */
-      provider: z.enum(oAuthProviderList),
+      provider: z4.enum(oAuthProviderList),
       /**
        * If this is true the session will only be valid for the current browser session
        */
-      dontRememberMe: z.boolean().default(false).optional()
+      dontRememberMe: z4.boolean().default(false).optional()
     })
   },
   async (c) => {
@@ -1017,7 +1077,7 @@ var signInOAuth = createAuthEndpoint(
           provider: c.body.provider
         }
       );
-      throw new APIError("NOT_FOUND", {
+      throw new APIError3("NOT_FOUND", {
         message: "Provider not found"
       });
     }
@@ -1057,7 +1117,7 @@ var signInOAuth = createAuthEndpoint(
         redirect: true
       };
     } catch (e) {
-      throw new APIError("INTERNAL_SERVER_ERROR");
+      throw new APIError3("INTERNAL_SERVER_ERROR");
     }
   }
 );
@@ -1065,15 +1125,15 @@ var signInEmail = createAuthEndpoint(
   "/sign-in/email",
   {
     method: "POST",
-    body: z.object({
-      email: z.string().email(),
-      password: z.string(),
-      callbackURL: z.string().optional(),
+    body: z4.object({
+      email: z4.string().email(),
+      password: z4.string(),
+      callbackURL: z4.string().optional(),
       /**
        * If this is true the session will only be valid for the current browser session
        * @default false
        */
-      dontRememberMe: z.boolean().default(false).optional()
+      dontRememberMe: z4.boolean().default(false).optional()
     })
   },
   async (ctx) => {
@@ -1081,7 +1141,7 @@ var signInEmail = createAuthEndpoint(
       ctx.context.logger.error(
         "Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"
       );
-      throw new APIError("BAD_REQUEST", {
+      throw new APIError3("BAD_REQUEST", {
         message: "Email and password is not enabled"
       });
     }
@@ -1092,9 +1152,9 @@ var signInEmail = createAuthEndpoint(
       );
     }
     const { email, password } = ctx.body;
-    const checkEmail = z.string().email().safeParse(email);
+    const checkEmail = z4.string().email().safeParse(email);
     if (!checkEmail.success) {
-      throw new APIError("BAD_REQUEST", {
+      throw new APIError3("BAD_REQUEST", {
         message: "Invalid email"
       });
     }
@@ -1102,7 +1162,7 @@ var signInEmail = createAuthEndpoint(
     if (!user) {
       await ctx.context.password.hash(password);
       ctx.context.logger.error("User not found", { email });
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError3("UNAUTHORIZED", {
         message: "Invalid email or password"
       });
     }
@@ -1111,14 +1171,14 @@ var signInEmail = createAuthEndpoint(
     );
     if (!credentialAccount) {
       ctx.context.logger.error("Credential account not found", { email });
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError3("UNAUTHORIZED", {
         message: "Invalid email or password"
       });
     }
     const currentPassword = credentialAccount?.password;
     if (!currentPassword) {
       ctx.context.logger.error("Password not found", { email });
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError3("UNAUTHORIZED", {
         message: "Unexpected error"
       });
     }
@@ -1128,7 +1188,7 @@ var signInEmail = createAuthEndpoint(
     );
     if (!validPassword) {
       ctx.context.logger.error("Invalid password");
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError3("UNAUTHORIZED", {
         message: "Invalid email or password"
       });
     }
@@ -1139,7 +1199,7 @@ var signInEmail = createAuthEndpoint(
     );
     if (!session) {
       ctx.context.logger.error("Failed to create session");
-      throw new APIError("INTERNAL_SERVER_ERROR");
+      throw new APIError3("INTERNAL_SERVER_ERROR");
     }
     await setSessionCookie(ctx, session.id, ctx.body.dontRememberMe);
     return ctx.json({
@@ -1150,46 +1210,64 @@ var signInEmail = createAuthEndpoint(
     });
   }
 );
-z.object({
-  id: z.string(),
-  providerId: z.string(),
-  accountId: z.string(),
-  userId: z.string(),
-  accessToken: z.string().nullable().optional(),
-  refreshToken: z.string().nullable().optional(),
-  idToken: z.string().nullable().optional(),
+
+// src/api/routes/callback.ts
+import { APIError as APIError4 } from "better-call";
+import { z as z6 } from "zod";
+
+// src/db/schema.ts
+import { z as z5 } from "zod";
+var accountSchema = z5.object({
+  id: z5.string(),
+  providerId: z5.string(),
+  accountId: z5.string(),
+  userId: z5.string(),
+  accessToken: z5.string().nullable().optional(),
+  refreshToken: z5.string().nullable().optional(),
+  idToken: z5.string().nullable().optional(),
   /**
    * Access token expires at
    */
-  expiresAt: z.date().nullable().optional(),
+  expiresAt: z5.date().nullable().optional(),
   /**
    * Password is only stored in the credential provider
    */
-  password: z.string().optional().nullable()
+  password: z5.string().optional().nullable()
 });
-var userSchema = z.object({
-  id: z.string(),
-  email: z.string().transform((val) => val.toLowerCase()),
-  emailVerified: z.boolean().default(false),
-  name: z.string(),
-  image: z.string().optional(),
-  createdAt: z.date().default(/* @__PURE__ */ new Date()),
-  updatedAt: z.date().default(/* @__PURE__ */ new Date())
+var userSchema = z5.object({
+  id: z5.string(),
+  email: z5.string().transform((val) => val.toLowerCase()),
+  emailVerified: z5.boolean().default(false),
+  name: z5.string(),
+  image: z5.string().optional(),
+  createdAt: z5.date().default(/* @__PURE__ */ new Date()),
+  updatedAt: z5.date().default(/* @__PURE__ */ new Date())
 });
-z.object({
-  id: z.string(),
-  userId: z.string(),
-  expiresAt: z.date(),
-  ipAddress: z.string().optional(),
-  userAgent: z.string().optional()
+var sessionSchema = z5.object({
+  id: z5.string(),
+  userId: z5.string(),
+  expiresAt: z5.date(),
+  ipAddress: z5.string().optional(),
+  userAgent: z5.string().optional()
 });
-z.object({
-  id: z.string(),
-  value: z.string(),
-  expiresAt: z.date(),
-  identifier: z.string()
+var verificationSchema = z5.object({
+  id: z5.string(),
+  value: z5.string(),
+  expiresAt: z5.date(),
+  identifier: z5.string()
 });
 
+// src/utils/id.ts
+import { nanoid } from "nanoid";
+var generateId = (size) => {
+  return nanoid(size);
+};
+
+// src/utils/hide-metadata.ts
+var HIDE_METADATA = {
+  isAction: false
+};
+
 // src/utils/getAccount.ts
 function getAccountTokens(tokens) {
   const accessToken = tokens.accessToken();
@@ -1211,10 +1289,10 @@ var callbackOAuth = createAuthEndpoint(
   "/callback/:id",
   {
     method: "GET",
-    query: z.object({
-      state: z.string(),
-      code: z.string().optional(),
-      error: z.string().optional()
+    query: z6.object({
+      state: z6.string(),
+      code: z6.string().optional(),
+      error: z6.string().optional()
     }),
     metadata: HIDE_METADATA
   },
@@ -1342,7 +1420,7 @@ var callbackOAuth = createAuthEndpoint(
       }
     }
     if (!userId && !id)
-      throw new APIError("INTERNAL_SERVER_ERROR", {
+      throw new APIError4("INTERNAL_SERVER_ERROR", {
         message: "Unable to create user"
       });
     try {
@@ -1372,13 +1450,16 @@ var callbackOAuth = createAuthEndpoint(
     throw c.redirect(callbackURL);
   }
 );
+
+// src/api/routes/sign-out.ts
+import { z as z7 } from "zod";
 var signOut = createAuthEndpoint(
   "/sign-out",
   {
     method: "POST",
-    body: z.optional(
-      z.object({
-        callbackURL: z.string().optional()
+    body: z7.optional(
+      z7.object({
+        callbackURL: z7.string().optional()
       })
     )
   },
@@ -1400,22 +1481,28 @@ var signOut = createAuthEndpoint(
     });
   }
 );
+
+// src/api/routes/forget-password.ts
+import { TimeSpan as TimeSpan2 } from "oslo";
+import { createJWT, parseJWT as parseJWT3 } from "oslo/jwt";
+import { validateJWT } from "oslo/jwt";
+import { z as z8 } from "zod";
 var forgetPassword = createAuthEndpoint(
   "/forget-password",
   {
     method: "POST",
-    body: z.object({
+    body: z8.object({
       /**
        * The email address of the user to send a password reset email to.
        */
-      email: z.string().email(),
+      email: z8.string().email(),
       /**
        * The URL to redirect the user to reset their password.
        * If the token isn't valid or expired, it'll be redirected with a query parameter `?
        * error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?
        * token=VALID_TOKEN
        */
-      redirectTo: z.string()
+      redirectTo: z8.string()
     })
   },
   async (ctx) => {
@@ -1453,7 +1540,7 @@ var forgetPassword = createAuthEndpoint(
         redirectTo: ctx.body.redirectTo
       },
       {
-        expiresIn: new TimeSpan(1, "h"),
+        expiresIn: new TimeSpan2(1, "h"),
         issuer: "better-auth",
         subject: "forget-password",
         audiences: [user.user.email],
@@ -1478,9 +1565,9 @@ var forgetPasswordCallback = createAuthEndpoint(
   async (ctx) => {
     const { token } = ctx.params;
     let decodedToken;
-    const schema = z.object({
-      email: z.string(),
-      redirectTo: z.string()
+    const schema = z8.object({
+      email: z8.string(),
+      redirectTo: z8.string()
     });
     try {
       decodedToken = await validateJWT(
@@ -1492,7 +1579,7 @@ var forgetPasswordCallback = createAuthEndpoint(
         throw Error("Token expired");
       }
     } catch (e) {
-      const decoded = parseJWT(token);
+      const decoded = parseJWT3(token);
       const jwt = schema.safeParse(decoded?.payload);
       if (jwt.success) {
         throw ctx.redirect(`${jwt.data?.redirectTo}?error=invalid_token`);
@@ -1508,12 +1595,12 @@ var resetPassword = createAuthEndpoint(
   "/reset-password",
   {
     method: "POST",
-    query: z.object({
-      currentURL: z.string()
+    query: z8.object({
+      currentURL: z8.string()
     }).optional(),
-    body: z.object({
-      newPassword: z.string(),
-      callbackURL: z.string().optional()
+    body: z8.object({
+      newPassword: z8.string(),
+      callbackURL: z8.string().optional()
     })
   },
   async (ctx) => {
@@ -1540,7 +1627,7 @@ var resetPassword = createAuthEndpoint(
         Buffer.from(ctx.context.secret),
         token
       );
-      const email = z.string().email().parse(jwt.payload.email);
+      const email = z8.string().email().parse(jwt.payload.email);
       const user = await ctx.context.internalAdapter.findUserByEmail(email);
       if (!user) {
         return ctx.json(
@@ -1620,15 +1707,20 @@ var resetPassword = createAuthEndpoint(
     }
   }
 );
+
+// src/api/routes/verify-email.ts
+import { TimeSpan as TimeSpan3 } from "oslo";
+import { createJWT as createJWT2, validateJWT as validateJWT2 } from "oslo/jwt";
+import { z as z9 } from "zod";
 async function createEmailVerificationToken(secret, email) {
-  const token = await createJWT(
+  const token = await createJWT2(
     "HS256",
     Buffer.from(secret),
     {
       email: email.toLowerCase()
     },
     {
-      expiresIn: new TimeSpan(1, "h"),
+      expiresIn: new TimeSpan3(1, "h"),
       issuer: "better-auth",
       subject: "verify-email",
       audiences: [email],
@@ -1641,12 +1733,12 @@ var sendVerificationEmail = createAuthEndpoint(
   "/send-verification-email",
   {
     method: "POST",
-    query: z.object({
-      currentURL: z.string().optional()
+    query: z9.object({
+      currentURL: z9.string().optional()
     }).optional(),
-    body: z.object({
-      email: z.string().email(),
-      callbackURL: z.string().optional()
+    body: z9.object({
+      email: z9.string().email(),
+      callbackURL: z9.string().optional()
     })
   },
   async (ctx) => {
@@ -1679,16 +1771,16 @@ var verifyEmail = createAuthEndpoint(
   "/verify-email",
   {
     method: "GET",
-    query: z.object({
-      token: z.string(),
-      callbackURL: z.string().optional()
+    query: z9.object({
+      token: z9.string(),
+      callbackURL: z9.string().optional()
     })
   },
   async (ctx) => {
     const { token } = ctx.query;
     let jwt;
     try {
-      jwt = await validateJWT("HS256", Buffer.from(ctx.context.secret), token);
+      jwt = await validateJWT2("HS256", Buffer.from(ctx.context.secret), token);
     } catch (e) {
       ctx.context.logger.error("Failed to verify email", e);
       return ctx.json(null, {
@@ -1699,8 +1791,8 @@ var verifyEmail = createAuthEndpoint(
         }
       });
     }
-    const schema = z.object({
-      email: z.string().email()
+    const schema = z9.object({
+      email: z9.string().email()
     });
     const parsed = schema.parse(jwt.payload);
     const user = await ctx.context.internalAdapter.findUserByEmail(
@@ -1732,6 +1824,9 @@ var verifyEmail = createAuthEndpoint(
   }
 );
 
+// src/api/routes/update-user.ts
+import { z as z10 } from "zod";
+
 // src/crypto/random.ts
 function byteToBinary(byte) {
   return byte.toString(2).padStart(8, "0");
@@ -1794,9 +1889,9 @@ var updateUser = createAuthEndpoint(
   "/user/update",
   {
     method: "POST",
-    body: z.object({
-      name: z.string().optional(),
-      image: z.string().optional()
+    body: z10.object({
+      name: z10.string().optional(),
+      image: z10.string().optional()
     }),
     use: [sessionMiddleware]
   },
@@ -1820,20 +1915,20 @@ var changePassword = createAuthEndpoint(
   "/user/change-password",
   {
     method: "POST",
-    body: z.object({
+    body: z10.object({
       /**
        * The new password to set
        */
-      newPassword: z.string(),
+      newPassword: z10.string(),
       /**
        * The current password of the user
        */
-      currentPassword: z.string(),
+      currentPassword: z10.string(),
       /**
        * revoke all sessions that are not the
        * current one logged in by the user
        */
-      revokeOtherSessions: z.boolean().optional()
+      revokeOtherSessions: z10.boolean().optional()
     }),
     use: [sessionMiddleware]
   },
@@ -1903,11 +1998,11 @@ var setPassword = createAuthEndpoint(
   "/user/set-password",
   {
     method: "POST",
-    body: z.object({
+    body: z10.object({
       /**
        * The new password to set
        */
-      newPassword: z.string()
+      newPassword: z10.string()
     }),
     use: [sessionMiddleware]
   },
@@ -1957,8 +2052,8 @@ var deleteUser = createAuthEndpoint(
   "/user/delete",
   {
     method: "POST",
-    body: z.object({
-      password: z.string()
+    body: z10.object({
+      password: z10.string()
     }),
     use: [sessionMiddleware]
   },
@@ -2136,19 +2231,22 @@ var ok = createAuthEndpoint(
     });
   }
 );
+
+// src/api/routes/sign-up.ts
+import { z as z11 } from "zod";
 var signUpEmail = createAuthEndpoint(
   "/sign-up/email",
   {
     method: "POST",
-    query: z.object({
-      currentURL: z.string().optional()
+    query: z11.object({
+      currentURL: z11.string().optional()
     }).optional(),
-    body: z.object({
-      name: z.string(),
-      email: z.string(),
-      password: z.string(),
-      image: z.string().optional(),
-      callbackURL: z.string().optional()
+    body: z11.object({
+      name: z11.string(),
+      email: z11.string(),
+      password: z11.string(),
+      image: z11.string().optional(),
+      callbackURL: z11.string().optional()
     })
   },
   async (ctx) => {
@@ -2161,7 +2259,7 @@ var signUpEmail = createAuthEndpoint(
       });
     }
     const { name, email, password, image } = ctx.body;
-    const isValidEmail = z.string().email().safeParse(email);
+    const isValidEmail = z11.string().email().safeParse(email);
     if (!isValidEmail.success) {
       return ctx.json(null, {
         status: 400,
@@ -2263,6 +2361,9 @@ var signUpEmail = createAuthEndpoint(
   }
 );
 
+// src/api/index.ts
+import chalk from "chalk";
+
 // src/api/rate-limiter.ts
 function shouldRateLimit(max, window2, rateLimitData) {
   const now = Date.now();
@@ -2560,7 +2661,7 @@ var router = (ctx, options) => {
     onError(e) {
       const log = options.logger?.verboseLogging ? logger : void 0;
       if (options.logger?.disabled !== true) {
-        if (e instanceof APIError) {
+        if (e instanceof APIError5) {
           if (e.status === "INTERNAL_SERVER_ERROR") {
             logger.error(e);
           }
@@ -2770,6 +2871,14 @@ var getAuthTables = (options) => {
     ...shouldAddRateLimitTable ? rateLimitTable : {}
   };
 };
+
+// src/adapters/kysely-adapter/dialect.ts
+import { Kysely } from "kysely";
+import {
+  MysqlDialect,
+  PostgresDialect,
+  SqliteDialect
+} from "kysely";
 var createKyselyAdapter = async (config2) => {
   const db = config2.database;
   let dialect = void 0;
@@ -2811,6 +2920,9 @@ var createKyselyAdapter = async (config2) => {
   };
 };
 
+// src/cli/utils/get-migration.ts
+import "kysely";
+
 // src/cli/utils/get-schema.ts
 function getSchema(config2) {
   const tables = getAuthTables(config2);
@@ -3197,6 +3309,10 @@ async function getAdapter(options, isCli) {
   });
 }
 
+// src/crypto/password.ts
+import { scrypt } from "node:crypto";
+import { decodeHex, encodeHex } from "oslo/encoding";
+
 // src/crypto/buffer.ts
 function constantTimeEqual(a, b) {
   const aBuffer = new Uint8Array(a);
@@ -3250,9 +3366,9 @@ var verifyPassword = async (hash, password) => {
 };
 
 // src/db/with-hooks.ts
-function getWithHooks(adapter, options) {
-  const hooks = options.databaseHooks;
-  const tables = getAuthTables(options);
+function getWithHooks(adapter, ctx) {
+  const hooks = ctx.hooks;
+  const tables = getAuthTables(ctx.options);
   async function createWithHooks(data, model) {
     let actualData = data;
     for (const hook of hooks || []) {
@@ -3314,10 +3430,11 @@ function getWithHooks(adapter, options) {
 }
 
 // src/db/internal-adapter.ts
-var createInternalAdapter = (adapter, options) => {
+var createInternalAdapter = (adapter, ctx) => {
+  const options = ctx.options;
   const sessionExpiration = options.session?.expiresIn || 60 * 60 * 24 * 7;
   const tables = getAuthTables(options);
-  const { createWithHooks, updateWithHooks } = getWithHooks(adapter, options);
+  const { createWithHooks, updateWithHooks } = getWithHooks(adapter, ctx);
   return {
     createOAuthUser: async (user, account) => {
       try {
@@ -3403,7 +3520,7 @@ var createInternalAdapter = (adapter, options) => {
       return updatedSession;
     },
     deleteSession: async (id) => {
-      await adapter.delete({
+      const session = await adapter.delete({
         model: tables.session.tableName,
         where: [
           {
@@ -3569,6 +3686,9 @@ var createInternalAdapter = (adapter, options) => {
   };
 };
 
+// src/init.ts
+import { defu } from "defu";
+
 // src/utils/constants.ts
 var DEFAULT_SECRET = "better-auth-secret-123456789";
 
@@ -3618,7 +3738,7 @@ var crossSubdomainCookies = (options) => {
 
 // src/init.ts
 var init = async (opts) => {
-  const { options, context } = runPluginInit(opts);
+  const { options, context, dbHooks } = runPluginInit(opts);
   const plugins = options.plugins || [];
   const internalPlugins = getInternalPlugins(options);
   const adapter = await getAdapter(options);
@@ -3678,7 +3798,10 @@ var init = async (opts) => {
       }
     },
     adapter,
-    internalAdapter: createInternalAdapter(adapter, options),
+    internalAdapter: createInternalAdapter(adapter, {
+      options,
+      hooks: dbHooks.filter((u) => u !== void 0)
+    }),
     createAuthCookie: createCookieGetter(options),
     ...context
   };
@@ -3686,11 +3809,15 @@ var init = async (opts) => {
 function runPluginInit(options) {
   const plugins = options.plugins || [];
   let context = {};
+  const dbHooks = [options.databaseHooks];
   for (const plugin of plugins) {
     if (plugin.init) {
       const result = plugin.init(options);
       if (typeof result === "object") {
         if (result.options) {
+          if (result.options.databaseHooks) {
+            dbHooks.push(result.options.databaseHooks);
+          }
           options = defu(options, result.options);
         }
         if (result.context) {
@@ -3701,7 +3828,8 @@ function runPluginInit(options) {
   }
   return {
     options,
-    context
+    context,
+    dbHooks
   };
 }
 function getInternalPlugins(options) {
@@ -3744,5 +3872,6 @@ var betterAuth = (options) => {
     $Infer: {}
   };
 };
-
-export { betterAuth };
+export {
+  betterAuth
+};