better-auth 0.2.8-beta.8 → 0.2.8

package/dist/plugins.js

@@ -1,29 +1,21 @@
-import { createMiddleware, createMiddlewareCreator, createEndpointCreator, APIError, serializeSigned } from 'better-call';
-import { z } from 'zod';
-import { generateCodeVerifier, generateState as generateState$1 } from 'oslo/oauth2';
-import { Facebook, GitHub, Google, Spotify, Twitch, Twitter, OAuth2Tokens } from 'arctic';
-import { createJWT, validateJWT, parseJWT } from 'oslo/jwt';
-import { betterFetch } from '@better-fetch/fetch';
-import { TimeSpan } from 'oslo';
-import { nanoid } from 'nanoid';
-import { createConsola } from 'consola';
-import { xchacha20poly1305 } from '@noble/ciphers/chacha';
-import { utf8ToBytes, bytesToHex, hexToBytes } from '@noble/ciphers/utils';
-import { managedNonce } from '@noble/ciphers/webcrypto';
-import { sha256 } from '@noble/hashes/sha256';
-import 'chalk';
-import 'kysely';
-import { TOTPController, createTOTPKeyURI } from 'oslo/otp';
-import { generateRegistrationOptions, generateAuthenticationOptions, verifyRegistrationResponse, verifyAuthenticationResponse } from '@simplewebauthn/server';
-import { startAuthentication, startRegistration, WebAuthnError } from '@simplewebauthn/browser';
-import { atom, onMount } from 'nanostores';
-import 'process';
-
 var __defProp = Object.defineProperty;
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
+
+// src/plugins/organization/organization.ts
+import { APIError as APIError7 } from "better-call";
+import {
+  z as z16
+} from "zod";
+
+// src/api/call.ts
+import {
+  createEndpointCreator,
+  createMiddleware,
+  createMiddlewareCreator
+} from "better-call";
 var optionsMiddleware = createMiddleware(async () => {
   return {};
 });
@@ -42,27 +34,30 @@ var createAuthEndpoint = createEndpointCreator({
   use: [optionsMiddleware]
 });
 
-// src/utils/shim.ts
-var shimContext = (originalObject, newContext) => {
-  const shimmedObj = {};
-  for (const [key, value] of Object.entries(originalObject)) {
-    shimmedObj[key] = (ctx) => {
-      return value({
-        ...ctx,
-        context: {
-          ...newContext,
-          ...ctx.context
-        }
-      });
-    };
-    shimmedObj[key].path = value.path;
-    shimmedObj[key].method = value.method;
-    shimmedObj[key].options = value.options;
-    shimmedObj[key].headers = value.headers;
+// src/api/routes/sign-in.ts
+import { APIError as APIError2 } from "better-call";
+import { generateCodeVerifier } from "oslo/oauth2";
+import { z as z3 } from "zod";
+
+// src/social-providers/apple.ts
+import "arctic";
+import { parseJWT } from "oslo/jwt";
+import "@better-fetch/fetch";
+
+// src/error/better-auth-error.ts
+var BetterAuthError = class extends Error {
+  constructor(message, cause) {
+    super(message);
+    this.name = "BetterAuthError";
+    this.message = message;
+    this.cause = cause;
+    this.stack = "";
   }
-  return shimmedObj;
 };
 
+// src/social-providers/utils.ts
+import { OAuth2Tokens } from "arctic";
+
 // src/utils/base-url.ts
 function checkHasPath(url) {
   try {
@@ -83,6 +78,9 @@ function withPath(url, path = "/api/auth") {
   return `${url}${path}`;
 }
 function getBaseURL(url, path) {
+  if (url) {
+    return withPath(url, path);
+  }
   const env = process?.env || {};
   const fromEnv = env.BETTER_AUTH_URL || env.NEXT_PUBLIC_BETTER_AUTH_URL || env.PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_BETTER_AUTH_URL || env.NUXT_PUBLIC_AUTH_URL || (env.BASE_URL !== "/" ? env.BASE_URL : void 0);
   if (fromEnv) {
@@ -93,159 +91,9 @@ function getBaseURL(url, path) {
   }
   return void 0;
 }
-async function setSessionCookie(ctx, sessionToken, dontRememberMe, overrides) {
-  const options = ctx.context.authCookies.sessionToken.options;
-  options.maxAge = dontRememberMe ? void 0 : options.maxAge;
-  await ctx.setSignedCookie(
-    ctx.context.authCookies.sessionToken.name,
-    sessionToken,
-    ctx.context.secret,
-    options
-  );
-  if (dontRememberMe) {
-    await ctx.setSignedCookie(
-      ctx.context.authCookies.dontRememberToken.name,
-      "true",
-      ctx.context.secret,
-      ctx.context.authCookies.dontRememberToken.options
-    );
-  }
-}
-function deleteSessionCookie(ctx) {
-  ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
-    maxAge: 0
-  });
-  ctx.setCookie(ctx.context.authCookies.dontRememberToken.name, "", {
-    maxAge: 0
-  });
-}
 
-// src/utils/date.ts
-var getDate = (span, unit = "ms") => {
-  const date = /* @__PURE__ */ new Date();
-  return new Date(date.getTime() + (unit === "sec" ? span * 1e3 : span));
-};
-
-// src/utils/get-request-ip.ts
-function getIp(req) {
-  const testIP = "127.0.0.1";
-  if (process.env.NODE_ENV === "test") {
-    return testIP;
-  }
-  const headers = [
-    "x-client-ip",
-    "x-forwarded-for",
-    "cf-connecting-ip",
-    "fastly-client-ip",
-    "x-real-ip",
-    "x-cluster-client-ip",
-    "x-forwarded",
-    "forwarded-for",
-    "forwarded"
-  ];
-  for (const header of headers) {
-    const value = req.headers.get(header);
-    if (typeof value === "string") {
-      const ip = value.split(",")[0].trim();
-      if (ip) return ip;
-    }
-  }
-  return null;
-}
-
-// src/utils/hide-metadata.ts
-var HIDE_METADATA = {
-  isAction: false
-};
-var generateId = (size) => {
-  return nanoid(size);
-};
-var consola = createConsola({
-  formatOptions: {
-    date: false,
-    colors: true,
-    compact: true
-  },
-  defaults: {
-    tag: "Better Auth"
-  }
-});
-var createLogger = (options) => {
-  return {
-    log: (...args) => {
-      consola.log("", ...args);
-    },
-    error: (...args) => {
-      consola.error("", ...args);
-    },
-    warn: (...args) => {
-      consola.warn("", ...args);
-    },
-    info: (...args) => {
-      consola.info("", ...args);
-    },
-    debug: (...args) => {
-      consola.debug("", ...args);
-    },
-    box: (...args) => {
-      consola.box("", ...args);
-    },
-    success: (...args) => {
-      consola.success("", ...args);
-    },
-    break: (...args) => {
-      console.log("\n");
-    }
-  };
-};
-var logger = createLogger();
-
-// src/utils/password.ts
-async function validatePassword(ctx, data) {
-  const accounts = await ctx.context.internalAdapter.findAccounts(data.userId);
-  const credentialAccount = accounts?.find(
-    (account) => account.providerId === "credential"
-  );
-  const currentPassword = credentialAccount?.password;
-  if (!credentialAccount || !currentPassword) {
-    return false;
-  }
-  const compare = await ctx.context.password.verify(
-    currentPassword,
-    data.password
-  );
-  return compare;
-}
-function generateState(callbackURL, currentURL, dontRememberMe) {
-  const code = generateState$1();
-  const state = JSON.stringify({
-    code,
-    callbackURL,
-    currentURL,
-    dontRememberMe
-  });
-  return { state, code };
-}
-function parseState(state) {
-  const data = z.object({
-    code: z.string(),
-    callbackURL: z.string().optional(),
-    currentURL: z.string().optional(),
-    dontRememberMe: z.boolean().optional()
-  }).safeParse(JSON.parse(state));
-  return data;
-}
-
-// src/error/better-auth-error.ts
-var BetterAuthError = class extends Error {
-  constructor(message, cause) {
-    super(message);
-    this.name = "BetterAuthError";
-    this.message = message;
-    this.cause = cause;
-    this.stack = "";
-  }
-};
+// src/social-providers/utils.ts
+import { betterFetch } from "@better-fetch/fetch";
 function getRedirectURI(providerId, redirectURI) {
   return redirectURI || `${getBaseURL()}/callback/${providerId}`;
 }
@@ -317,6 +165,9 @@ var apple = (options) => {
     }
   };
 };
+
+// src/social-providers/discord.ts
+import { betterFetch as betterFetch3 } from "@better-fetch/fetch";
 var discord = (options) => {
   return {
     id: "discord",
@@ -340,7 +191,7 @@ var discord = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch3(
         "https://discord.com/api/users/@me",
         {
           headers: {
@@ -371,6 +222,10 @@ var discord = (options) => {
     }
   };
 };
+
+// src/social-providers/facebook.ts
+import { betterFetch as betterFetch4 } from "@better-fetch/fetch";
+import { Facebook } from "arctic";
 var facebook = (options) => {
   const facebookArctic = new Facebook(
     options.clientId,
@@ -394,7 +249,7 @@ var facebook = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch4(
         "https://graph.facebook.com/me",
         {
           auth: {
@@ -418,6 +273,10 @@ var facebook = (options) => {
     }
   };
 };
+
+// src/social-providers/github.ts
+import { betterFetch as betterFetch5 } from "@better-fetch/fetch";
+import { GitHub } from "arctic";
 var github = ({
   clientId,
   clientSecret,
@@ -439,7 +298,7 @@ var github = ({
       return await githubArctic.validateAuthorizationCode(state);
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch5(
         "https://api.github.com/user",
         {
           auth: {
@@ -453,7 +312,7 @@ var github = ({
       }
       let emailVerified = false;
       if (!profile.email) {
-        const { data, error: error3 } = await betterFetch("https://api.github.com/user/emails", {
+        const { data, error: error3 } = await betterFetch5("https://api.github.com/user/emails", {
           auth: {
             type: "Bearer",
             token: token.accessToken()
@@ -479,6 +338,54 @@ var github = ({
     }
   };
 };
+
+// src/social-providers/google.ts
+import { Google } from "arctic";
+import { parseJWT as parseJWT2 } from "oslo/jwt";
+
+// src/utils/logger.ts
+import { createConsola } from "consola";
+var consola = createConsola({
+  formatOptions: {
+    date: false,
+    colors: true,
+    compact: true
+  },
+  defaults: {
+    tag: "Better Auth"
+  }
+});
+var createLogger = (options) => {
+  return {
+    log: (...args) => {
+      !options?.disabled && consola.log("", ...args);
+    },
+    error: (...args) => {
+      !options?.disabled && consola.error("", ...args);
+    },
+    warn: (...args) => {
+      !options?.disabled && consola.warn("", ...args);
+    },
+    info: (...args) => {
+      !options?.disabled && consola.info("", ...args);
+    },
+    debug: (...args) => {
+      !options?.disabled && consola.debug("", ...args);
+    },
+    box: (...args) => {
+      !options?.disabled && consola.box("", ...args);
+    },
+    success: (...args) => {
+      !options?.disabled && consola.success("", ...args);
+    },
+    break: (...args) => {
+      !options?.disabled && console.log("\n");
+    }
+  };
+};
+var logger = createLogger();
+
+// src/social-providers/google.ts
 var google = (options) => {
   const googleArctic = new Google(
     options.clientId,
@@ -519,7 +426,7 @@ var google = (options) => {
       if (!token.idToken) {
         return null;
       }
-      const user = parseJWT(token.idToken())?.payload;
+      const user = parseJWT2(token.idToken())?.payload;
       return {
         user: {
           id: user.sub,
@@ -533,6 +440,10 @@ var google = (options) => {
     }
   };
 };
+
+// src/social-providers/spotify.ts
+import { betterFetch as betterFetch6 } from "@better-fetch/fetch";
+import { Spotify } from "arctic";
 var spotify = (options) => {
   const spotifyArctic = new Spotify(
     options.clientId,
@@ -556,7 +467,7 @@ var spotify = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch6(
         "https://api.spotify.com/v1/me",
         {
           method: "GET",
@@ -581,6 +492,10 @@ var spotify = (options) => {
     }
   };
 };
+
+// src/social-providers/twitch.ts
+import { betterFetch as betterFetch7 } from "@better-fetch/fetch";
+import { Twitch } from "arctic";
 var twitch = (options) => {
   const twitchArctic = new Twitch(
     options.clientId,
@@ -603,7 +518,7 @@ var twitch = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch7(
         "https://api.twitch.tv/helix/users",
         {
           method: "GET",
@@ -628,6 +543,10 @@ var twitch = (options) => {
     }
   };
 };
+
+// src/social-providers/twitter.ts
+import { betterFetch as betterFetch8 } from "@better-fetch/fetch";
+import { Twitter } from "arctic";
 var twitter = (options) => {
   const twitterArctic = new Twitter(
     options.clientId,
@@ -655,7 +574,7 @@ var twitter = (options) => {
       });
     },
     async getUserInfo(token) {
-      const { data: profile, error: error2 } = await betterFetch(
+      const { data: profile, error: error2 } = await betterFetch8(
         "https://api.x.com/2/users/me?user.fields=profile_image_url",
         {
           method: "GET",
@@ -684,6 +603,9 @@ var twitter = (options) => {
   };
 };
 
+// src/types/provider.ts
+import "arctic";
+
 // src/social-providers/index.ts
 var oAuthProviders = {
   apple,
@@ -696,6 +618,99 @@ var oAuthProviders = {
   twitter
 };
 var oAuthProviderList = Object.keys(oAuthProviders);
+
+// src/utils/state.ts
+import { generateState as generateStateOAuth } from "oslo/oauth2";
+import { z } from "zod";
+function generateState(callbackURL, currentURL, dontRememberMe) {
+  const code = generateStateOAuth();
+  const state = JSON.stringify({
+    code,
+    callbackURL,
+    currentURL,
+    dontRememberMe
+  });
+  return { state, code };
+}
+function parseState(state) {
+  const data = z.object({
+    code: z.string(),
+    callbackURL: z.string().optional(),
+    currentURL: z.string().optional(),
+    dontRememberMe: z.boolean().optional()
+  }).safeParse(JSON.parse(state));
+  return data;
+}
+
+// src/api/routes/session.ts
+import { APIError } from "better-call";
+
+// src/utils/date.ts
+var getDate = (span, unit = "ms") => {
+  const date = /* @__PURE__ */ new Date();
+  return new Date(date.getTime() + (unit === "sec" ? span * 1e3 : span));
+};
+
+// src/utils/cookies.ts
+import { TimeSpan } from "oslo";
+async function setSessionCookie(ctx, sessionToken, dontRememberMe, overrides) {
+  const options = ctx.context.authCookies.sessionToken.options;
+  options.maxAge = dontRememberMe ? void 0 : options.maxAge;
+  await ctx.setSignedCookie(
+    ctx.context.authCookies.sessionToken.name,
+    sessionToken,
+    ctx.context.secret,
+    options
+  );
+  if (dontRememberMe) {
+    await ctx.setSignedCookie(
+      ctx.context.authCookies.dontRememberToken.name,
+      "true",
+      ctx.context.secret,
+      ctx.context.authCookies.dontRememberToken.options
+    );
+  }
+}
+function deleteSessionCookie(ctx) {
+  ctx.setCookie(ctx.context.authCookies.sessionToken.name, "", {
+    maxAge: 0
+  });
+  ctx.setCookie(ctx.context.authCookies.dontRememberToken.name, "", {
+    maxAge: 0
+  });
+}
+
+// src/api/routes/session.ts
+import { z as z2 } from "zod";
+
+// src/utils/get-request-ip.ts
+function getIp(req) {
+  const testIP = "127.0.0.1";
+  if (process.env.NODE_ENV === "test") {
+    return testIP;
+  }
+  const headers = [
+    "x-client-ip",
+    "x-forwarded-for",
+    "cf-connecting-ip",
+    "fastly-client-ip",
+    "x-real-ip",
+    "x-cluster-client-ip",
+    "x-forwarded",
+    "forwarded-for",
+    "forwarded"
+  ];
+  for (const header of headers) {
+    const value = req.headers.get(header);
+    if (typeof value === "string") {
+      const ip = value.split(",")[0].trim();
+      if (ip) return ip;
+    }
+  }
+  return null;
+}
+
+// src/api/routes/session.ts
 function getRequestUniqueKey(ctx, token) {
   if (!ctx.request) {
     return "";
@@ -794,12 +809,12 @@ var sessionMiddleware = createAuthMiddleware(async (ctx) => {
     session
   };
 });
-createAuthEndpoint(
+var revokeSession = createAuthEndpoint(
   "/user/revoke-session",
   {
     method: "POST",
-    body: z.object({
-      id: z.string()
+    body: z2.object({
+      id: z2.string()
     }),
     use: [sessionMiddleware],
     requireHeaders: true
@@ -824,7 +839,7 @@ createAuthEndpoint(
     });
   }
 );
-createAuthEndpoint(
+var revokeSessions = createAuthEndpoint(
   "/user/revoke-sessions",
   {
     method: "POST",
@@ -847,31 +862,31 @@ createAuthEndpoint(
 );
 
 // src/api/routes/sign-in.ts
-createAuthEndpoint(
+var signInOAuth = createAuthEndpoint(
   "/sign-in/social",
   {
     method: "POST",
     requireHeaders: true,
-    query: z.object({
+    query: z3.object({
       /**
        * Redirect to the current URL after the
        * user has signed in.
        */
-      currentURL: z.string().optional()
+      currentURL: z3.string().optional()
     }).optional(),
-    body: z.object({
+    body: z3.object({
       /**
        * Callback URL to redirect to after the user has signed in.
        */
-      callbackURL: z.string().optional(),
+      callbackURL: z3.string().optional(),
       /**
        * OAuth2 provider to use`
        */
-      provider: z.enum(oAuthProviderList),
+      provider: z3.enum(oAuthProviderList),
       /**
        * If this is true the session will only be valid for the current browser session
        */
-      dontRememberMe: z.boolean().default(false).optional()
+      dontRememberMe: z3.boolean().default(false).optional()
     })
   },
   async (c) => {
@@ -885,7 +900,7 @@ createAuthEndpoint(
           provider: c.body.provider
         }
       );
-      throw new APIError("NOT_FOUND", {
+      throw new APIError2("NOT_FOUND", {
         message: "Provider not found"
       });
     }
@@ -925,23 +940,23 @@ createAuthEndpoint(
         redirect: true
       };
     } catch (e) {
-      throw new APIError("INTERNAL_SERVER_ERROR");
+      throw new APIError2("INTERNAL_SERVER_ERROR");
     }
   }
 );
-createAuthEndpoint(
+var signInEmail = createAuthEndpoint(
   "/sign-in/email",
   {
     method: "POST",
-    body: z.object({
-      email: z.string().email(),
-      password: z.string(),
-      callbackURL: z.string().optional(),
+    body: z3.object({
+      email: z3.string().email(),
+      password: z3.string(),
+      callbackURL: z3.string().optional(),
       /**
        * If this is true the session will only be valid for the current browser session
        * @default false
        */
-      dontRememberMe: z.boolean().default(false).optional()
+      dontRememberMe: z3.boolean().default(false).optional()
     })
   },
   async (ctx) => {
@@ -949,7 +964,7 @@ createAuthEndpoint(
       ctx.context.logger.error(
         "Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"
       );
-      throw new APIError("BAD_REQUEST", {
+      throw new APIError2("BAD_REQUEST", {
         message: "Email and password is not enabled"
       });
     }
@@ -960,9 +975,9 @@ createAuthEndpoint(
       );
     }
     const { email, password } = ctx.body;
-    const checkEmail = z.string().email().safeParse(email);
+    const checkEmail = z3.string().email().safeParse(email);
     if (!checkEmail.success) {
-      throw new APIError("BAD_REQUEST", {
+      throw new APIError2("BAD_REQUEST", {
         message: "Invalid email"
       });
     }
@@ -970,7 +985,7 @@ createAuthEndpoint(
     if (!user) {
       await ctx.context.password.hash(password);
       ctx.context.logger.error("User not found", { email });
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError2("UNAUTHORIZED", {
         message: "Invalid email or password"
       });
     }
@@ -979,14 +994,14 @@ createAuthEndpoint(
     );
     if (!credentialAccount) {
       ctx.context.logger.error("Credential account not found", { email });
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError2("UNAUTHORIZED", {
         message: "Invalid email or password"
       });
     }
     const currentPassword = credentialAccount?.password;
     if (!currentPassword) {
       ctx.context.logger.error("Password not found", { email });
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError2("UNAUTHORIZED", {
         message: "Unexpected error"
       });
     }
@@ -996,7 +1011,7 @@ createAuthEndpoint(
     );
     if (!validPassword) {
       ctx.context.logger.error("Invalid password");
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError2("UNAUTHORIZED", {
         message: "Invalid email or password"
       });
     }
@@ -1007,7 +1022,7 @@ createAuthEndpoint(
     );
     if (!session) {
       ctx.context.logger.error("Failed to create session");
-      throw new APIError("INTERNAL_SERVER_ERROR");
+      throw new APIError2("INTERNAL_SERVER_ERROR");
     }
     await setSessionCookie(ctx, session.id, ctx.body.dontRememberMe);
     return ctx.json({
@@ -1018,46 +1033,64 @@ createAuthEndpoint(
     });
   }
 );
-z.object({
-  id: z.string(),
-  providerId: z.string(),
-  accountId: z.string(),
-  userId: z.string(),
-  accessToken: z.string().nullable().optional(),
-  refreshToken: z.string().nullable().optional(),
-  idToken: z.string().nullable().optional(),
+
+// src/api/routes/callback.ts
+import { APIError as APIError3 } from "better-call";
+import { z as z5 } from "zod";
+
+// src/db/schema.ts
+import { z as z4 } from "zod";
+var accountSchema = z4.object({
+  id: z4.string(),
+  providerId: z4.string(),
+  accountId: z4.string(),
+  userId: z4.string(),
+  accessToken: z4.string().nullable().optional(),
+  refreshToken: z4.string().nullable().optional(),
+  idToken: z4.string().nullable().optional(),
   /**
    * Access token expires at
    */
-  expiresAt: z.date().nullable().optional(),
+  expiresAt: z4.date().nullable().optional(),
   /**
    * Password is only stored in the credential provider
    */
-  password: z.string().optional().nullable()
+  password: z4.string().optional().nullable()
 });
-var userSchema = z.object({
-  id: z.string(),
-  email: z.string().transform((val) => val.toLowerCase()),
-  emailVerified: z.boolean().default(false),
-  name: z.string(),
-  image: z.string().optional(),
-  createdAt: z.date().default(/* @__PURE__ */ new Date()),
-  updatedAt: z.date().default(/* @__PURE__ */ new Date())
+var userSchema = z4.object({
+  id: z4.string(),
+  email: z4.string().transform((val) => val.toLowerCase()),
+  emailVerified: z4.boolean().default(false),
+  name: z4.string(),
+  image: z4.string().optional(),
+  createdAt: z4.date().default(/* @__PURE__ */ new Date()),
+  updatedAt: z4.date().default(/* @__PURE__ */ new Date())
 });
-z.object({
-  id: z.string(),
-  userId: z.string(),
-  expiresAt: z.date(),
-  ipAddress: z.string().optional(),
-  userAgent: z.string().optional()
+var sessionSchema = z4.object({
+  id: z4.string(),
+  userId: z4.string(),
+  expiresAt: z4.date(),
+  ipAddress: z4.string().optional(),
+  userAgent: z4.string().optional()
 });
-z.object({
-  id: z.string(),
-  value: z.string(),
-  expiresAt: z.date(),
-  identifier: z.string()
+var verificationSchema = z4.object({
+  id: z4.string(),
+  value: z4.string(),
+  expiresAt: z4.date(),
+  identifier: z4.string()
 });
 
+// src/utils/id.ts
+import { nanoid } from "nanoid";
+var generateId = (size) => {
+  return nanoid(size);
+};
+
+// src/utils/hide-metadata.ts
+var HIDE_METADATA = {
+  isAction: false
+};
+
 // src/utils/getAccount.ts
 function getAccountTokens(tokens) {
   const accessToken = tokens.accessToken();
@@ -1075,14 +1108,14 @@ function getAccountTokens(tokens) {
 }
 
 // src/api/routes/callback.ts
-createAuthEndpoint(
+var callbackOAuth = createAuthEndpoint(
   "/callback/:id",
   {
     method: "GET",
-    query: z.object({
-      state: z.string(),
-      code: z.string().optional(),
-      error: z.string().optional()
+    query: z5.object({
+      state: z5.string(),
+      code: z5.string().optional(),
+      error: z5.string().optional()
     }),
     metadata: HIDE_METADATA
   },
@@ -1210,7 +1243,7 @@ createAuthEndpoint(
       }
     }
     if (!userId && !id)
-      throw new APIError("INTERNAL_SERVER_ERROR", {
+      throw new APIError3("INTERNAL_SERVER_ERROR", {
         message: "Unable to create user"
       });
     try {
@@ -1240,13 +1273,16 @@ createAuthEndpoint(
     throw c.redirect(callbackURL);
   }
 );
-createAuthEndpoint(
+
+// src/api/routes/sign-out.ts
+import { z as z6 } from "zod";
+var signOut = createAuthEndpoint(
   "/sign-out",
   {
     method: "POST",
-    body: z.optional(
-      z.object({
-        callbackURL: z.string().optional()
+    body: z6.optional(
+      z6.object({
+        callbackURL: z6.string().optional()
       })
     )
   },
@@ -1268,22 +1304,28 @@ createAuthEndpoint(
     });
   }
 );
-createAuthEndpoint(
+
+// src/api/routes/forget-password.ts
+import { TimeSpan as TimeSpan2 } from "oslo";
+import { createJWT, parseJWT as parseJWT3 } from "oslo/jwt";
+import { validateJWT } from "oslo/jwt";
+import { z as z7 } from "zod";
+var forgetPassword = createAuthEndpoint(
   "/forget-password",
   {
     method: "POST",
-    body: z.object({
+    body: z7.object({
       /**
        * The email address of the user to send a password reset email to.
        */
-      email: z.string().email(),
+      email: z7.string().email(),
       /**
        * The URL to redirect the user to reset their password.
        * If the token isn't valid or expired, it'll be redirected with a query parameter `?
        * error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?
        * token=VALID_TOKEN
        */
-      redirectTo: z.string()
+      redirectTo: z7.string()
     })
   },
   async (ctx) => {
@@ -1321,7 +1363,7 @@ createAuthEndpoint(
         redirectTo: ctx.body.redirectTo
       },
       {
-        expiresIn: new TimeSpan(1, "h"),
+        expiresIn: new TimeSpan2(1, "h"),
         issuer: "better-auth",
         subject: "forget-password",
         audiences: [user.user.email],
@@ -1338,7 +1380,7 @@ createAuthEndpoint(
     });
   }
 );
-createAuthEndpoint(
+var forgetPasswordCallback = createAuthEndpoint(
   "/reset-password/:token",
   {
     method: "GET"
@@ -1346,9 +1388,9 @@ createAuthEndpoint(
   async (ctx) => {
     const { token } = ctx.params;
     let decodedToken;
-    const schema = z.object({
-      email: z.string(),
-      redirectTo: z.string()
+    const schema = z7.object({
+      email: z7.string(),
+      redirectTo: z7.string()
     });
     try {
       decodedToken = await validateJWT(
@@ -1360,7 +1402,7 @@ createAuthEndpoint(
         throw Error("Token expired");
       }
     } catch (e) {
-      const decoded = parseJWT(token);
+      const decoded = parseJWT3(token);
       const jwt = schema.safeParse(decoded?.payload);
       if (jwt.success) {
         throw ctx.redirect(`${jwt.data?.redirectTo}?error=invalid_token`);
@@ -1372,16 +1414,16 @@ createAuthEndpoint(
     throw ctx.redirect(`${redirectTo}?token=${token}`);
   }
 );
-createAuthEndpoint(
+var resetPassword = createAuthEndpoint(
   "/reset-password",
   {
     method: "POST",
-    query: z.object({
-      currentURL: z.string()
+    query: z7.object({
+      currentURL: z7.string()
     }).optional(),
-    body: z.object({
-      newPassword: z.string(),
-      callbackURL: z.string().optional()
+    body: z7.object({
+      newPassword: z7.string(),
+      callbackURL: z7.string().optional()
     })
   },
   async (ctx) => {
@@ -1408,7 +1450,7 @@ createAuthEndpoint(
         Buffer.from(ctx.context.secret),
         token
       );
-      const email = z.string().email().parse(jwt.payload.email);
+      const email = z7.string().email().parse(jwt.payload.email);
       const user = await ctx.context.internalAdapter.findUserByEmail(email);
       if (!user) {
         return ctx.json(
@@ -1488,15 +1530,20 @@ createAuthEndpoint(
     }
   }
 );
+
+// src/api/routes/verify-email.ts
+import { TimeSpan as TimeSpan3 } from "oslo";
+import { createJWT as createJWT2, validateJWT as validateJWT2 } from "oslo/jwt";
+import { z as z8 } from "zod";
 async function createEmailVerificationToken(secret, email) {
-  const token = await createJWT(
+  const token = await createJWT2(
     "HS256",
     Buffer.from(secret),
     {
       email: email.toLowerCase()
     },
     {
-      expiresIn: new TimeSpan(1, "h"),
+      expiresIn: new TimeSpan3(1, "h"),
       issuer: "better-auth",
       subject: "verify-email",
       audiences: [email],
@@ -1505,16 +1552,16 @@ async function createEmailVerificationToken(secret, email) {
   );
   return token;
 }
-createAuthEndpoint(
+var sendVerificationEmail = createAuthEndpoint(
   "/send-verification-email",
   {
     method: "POST",
-    query: z.object({
-      currentURL: z.string().optional()
+    query: z8.object({
+      currentURL: z8.string().optional()
     }).optional(),
-    body: z.object({
-      email: z.string().email(),
-      callbackURL: z.string().optional()
+    body: z8.object({
+      email: z8.string().email(),
+      callbackURL: z8.string().optional()
     })
   },
   async (ctx) => {
@@ -1543,20 +1590,20 @@ createAuthEndpoint(
     });
   }
 );
-createAuthEndpoint(
+var verifyEmail = createAuthEndpoint(
   "/verify-email",
   {
     method: "GET",
-    query: z.object({
-      token: z.string(),
-      callbackURL: z.string().optional()
+    query: z8.object({
+      token: z8.string(),
+      callbackURL: z8.string().optional()
     })
   },
   async (ctx) => {
     const { token } = ctx.query;
     let jwt;
     try {
-      jwt = await validateJWT("HS256", Buffer.from(ctx.context.secret), token);
+      jwt = await validateJWT2("HS256", Buffer.from(ctx.context.secret), token);
     } catch (e) {
       ctx.context.logger.error("Failed to verify email", e);
       return ctx.json(null, {
@@ -1567,8 +1614,8 @@ createAuthEndpoint(
         }
       });
     }
-    const schema = z.object({
-      email: z.string().email()
+    const schema = z8.object({
+      email: z8.string().email()
     });
     const parsed = schema.parse(jwt.payload);
     const user = await ctx.context.internalAdapter.findUserByEmail(
@@ -1600,6 +1647,9 @@ createAuthEndpoint(
   }
 );
 
+// src/api/routes/update-user.ts
+import { z as z9 } from "zod";
+
 // src/crypto/random.ts
 function byteToBinary(byte) {
   return byte.toString(2).padStart(8, "0");
@@ -1658,13 +1708,13 @@ function alphabet(...patterns) {
 }
 
 // src/api/routes/update-user.ts
-createAuthEndpoint(
+var updateUser = createAuthEndpoint(
   "/user/update",
   {
     method: "POST",
-    body: z.object({
-      name: z.string().optional(),
-      image: z.string().optional()
+    body: z9.object({
+      name: z9.string().optional(),
+      image: z9.string().optional()
     }),
     use: [sessionMiddleware]
   },
@@ -1684,24 +1734,24 @@ createAuthEndpoint(
     return ctx.json(user);
   }
 );
-createAuthEndpoint(
+var changePassword = createAuthEndpoint(
   "/user/change-password",
   {
     method: "POST",
-    body: z.object({
+    body: z9.object({
       /**
        * The new password to set
        */
-      newPassword: z.string(),
+      newPassword: z9.string(),
       /**
        * The current password of the user
        */
-      currentPassword: z.string(),
+      currentPassword: z9.string(),
       /**
        * revoke all sessions that are not the
        * current one logged in by the user
        */
-      revokeOtherSessions: z.boolean().optional()
+      revokeOtherSessions: z9.boolean().optional()
     }),
     use: [sessionMiddleware]
   },
@@ -1767,15 +1817,15 @@ createAuthEndpoint(
     return ctx.json(session.user);
   }
 );
-createAuthEndpoint(
+var setPassword = createAuthEndpoint(
   "/user/set-password",
   {
     method: "POST",
-    body: z.object({
+    body: z9.object({
       /**
        * The new password to set
        */
-      newPassword: z.string()
+      newPassword: z9.string()
     }),
     use: [sessionMiddleware]
   },
@@ -1821,12 +1871,12 @@ createAuthEndpoint(
     });
   }
 );
-createAuthEndpoint(
+var deleteUser = createAuthEndpoint(
   "/user/delete",
   {
     method: "POST",
-    body: z.object({
-      password: z.string()
+    body: z9.object({
+      password: z9.string()
     }),
     use: [sessionMiddleware]
   },
@@ -1860,6 +1910,12 @@ createAuthEndpoint(
     return ctx.json(null);
   }
 );
+
+// src/crypto/index.ts
+import { xchacha20poly1305 } from "@noble/ciphers/chacha";
+import { bytesToHex, hexToBytes, utf8ToBytes } from "@noble/ciphers/utils";
+import { managedNonce } from "@noble/ciphers/webcrypto";
+import { sha256 } from "@noble/hashes/sha256";
 async function hs256(secretKey, message) {
   const enc = new TextEncoder();
   const algorithm = { name: "HMAC", hash: "SHA-256" };
@@ -1891,7 +1947,7 @@ var symmetricDecrypt = ({ key, data }) => {
 };
 
 // src/api/routes/csrf.ts
-createAuthEndpoint(
+var getCSRFToken = createAuthEndpoint(
   "/csrf",
   {
     method: "GET",
@@ -2004,7 +2060,7 @@ var html = (errorCode = "Unknown") => `<!DOCTYPE html>
     </div>
 </body>
 </html>`;
-createAuthEndpoint(
+var error = createAuthEndpoint(
   "/error",
   {
     method: "GET",
@@ -2021,7 +2077,7 @@ createAuthEndpoint(
 );
 
 // src/api/routes/ok.ts
-createAuthEndpoint(
+var ok = createAuthEndpoint(
   "/ok",
   {
     method: "GET",
@@ -2033,19 +2089,22 @@ createAuthEndpoint(
     });
   }
 );
+
+// src/api/routes/sign-up.ts
+import { z as z10 } from "zod";
 var signUpEmail = createAuthEndpoint(
   "/sign-up/email",
   {
     method: "POST",
-    query: z.object({
-      currentURL: z.string().optional()
+    query: z10.object({
+      currentURL: z10.string().optional()
     }).optional(),
-    body: z.object({
-      name: z.string(),
-      email: z.string(),
-      password: z.string(),
-      image: z.string().optional(),
-      callbackURL: z.string().optional()
+    body: z10.object({
+      name: z10.string(),
+      email: z10.string(),
+      password: z10.string(),
+      image: z10.string().optional(),
+      callbackURL: z10.string().optional()
     })
   },
   async (ctx) => {
@@ -2058,7 +2117,7 @@ var signUpEmail = createAuthEndpoint(
       });
     }
     const { name, email, password, image } = ctx.body;
-    const isValidEmail = z.string().email().safeParse(email);
+    const isValidEmail = z10.string().email().safeParse(email);
     if (!isValidEmail.success) {
       return ctx.json(null, {
         status: 400,
@@ -2160,6 +2219,27 @@ var signUpEmail = createAuthEndpoint(
   }
 );
 
+// src/utils/shim.ts
+var shimContext = (originalObject, newContext) => {
+  const shimmedObj = {};
+  for (const [key, value] of Object.entries(originalObject)) {
+    shimmedObj[key] = (ctx) => {
+      return value({
+        ...ctx,
+        context: {
+          ...newContext,
+          ...ctx.context
+        }
+      });
+    };
+    shimmedObj[key].path = value.path;
+    shimmedObj[key].method = value.method;
+    shimmedObj[key].options = value.options;
+    shimmedObj[key].headers = value.headers;
+  }
+  return shimmedObj;
+};
+
 // src/plugins/organization/access/index.ts
 var access_exports = {};
 __export(access_exports, {
@@ -2806,10 +2886,23 @@ var getOrgAdapter = (adapter, options) => {
     }
   };
 };
-createAuthMiddleware(
+
+// src/plugins/organization/call.ts
+import "better-call";
+
+// src/api/index.ts
+import {
+  APIError as APIError5,
+  createRouter
+} from "better-call";
+
+// src/api/middlewares/csrf.ts
+import { APIError as APIError4 } from "better-call";
+import { z as z11 } from "zod";
+var csrfMiddleware = createAuthMiddleware(
   {
-    body: z.object({
-      csrfToken: z.string().optional()
+    body: z11.object({
+      csrfToken: z11.string().optional()
     }).optional()
   },
   async (ctx) => {
@@ -2830,7 +2923,7 @@ createAuthMiddleware(
       ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
         maxAge: 0
       });
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError4("UNAUTHORIZED", {
         message: "Invalid CSRF Token"
       });
     }
@@ -2839,13 +2932,16 @@ createAuthMiddleware(
       ctx.setCookie(ctx.context.authCookies.csrfToken.name, "", {
         maxAge: 0
       });
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError4("UNAUTHORIZED", {
         message: "Invalid CSRF Token"
       });
     }
   }
 );
 
+// src/api/index.ts
+import chalk from "chalk";
+
 // src/plugins/organization/call.ts
 var orgMiddleware = createAuthMiddleware(async (ctx) => {
   return {};
@@ -2861,35 +2957,41 @@ var orgSessionMiddleware = createAuthMiddleware(
     };
   }
 );
-var role = z.enum(["admin", "member", "owner"]);
-var invitationStatus = z.enum(["pending", "accepted", "rejected", "canceled"]).default("pending");
-z.object({
-  id: z.string(),
-  name: z.string(),
-  slug: z.string(),
-  logo: z.string().optional(),
-  metadata: z.record(z.string()).or(z.string().transform((v) => JSON.parse(v))).optional(),
-  createdAt: z.date()
+
+// src/plugins/organization/routes/crud-invites.ts
+import { z as z13 } from "zod";
+
+// src/plugins/organization/schema.ts
+import { z as z12 } from "zod";
+var role = z12.enum(["admin", "member", "owner"]);
+var invitationStatus = z12.enum(["pending", "accepted", "rejected", "canceled"]).default("pending");
+var organizationSchema = z12.object({
+  id: z12.string(),
+  name: z12.string(),
+  slug: z12.string(),
+  logo: z12.string().optional(),
+  metadata: z12.record(z12.string()).or(z12.string().transform((v) => JSON.parse(v))).optional(),
+  createdAt: z12.date()
 });
-z.object({
-  id: z.string(),
-  email: z.string(),
-  organizationId: z.string(),
-  userId: z.string(),
+var memberSchema = z12.object({
+  id: z12.string(),
+  email: z12.string(),
+  organizationId: z12.string(),
+  userId: z12.string(),
   role,
-  createdAt: z.date()
+  createdAt: z12.date()
 });
-z.object({
-  id: z.string(),
-  organizationId: z.string(),
-  email: z.string(),
+var invitationSchema = z12.object({
+  id: z12.string(),
+  organizationId: z12.string(),
+  email: z12.string(),
   role,
   status: invitationStatus,
   /**
    * The id of the user who invited the user.
    */
-  inviterId: z.string(),
-  expiresAt: z.date()
+  inviterId: z12.string(),
+  expiresAt: z12.date()
 });
 
 // src/plugins/organization/routes/crud-invites.ts
@@ -2898,11 +3000,11 @@ var createInvitation = createAuthEndpoint(
   {
     method: "POST",
     use: [orgMiddleware, orgSessionMiddleware],
-    body: z.object({
-      email: z.string(),
+    body: z13.object({
+      email: z13.string(),
       role,
-      organizationId: z.string().optional(),
-      resend: z.boolean().optional()
+      organizationId: z13.string().optional(),
+      resend: z13.boolean().optional()
     })
   },
   async (ctx) => {
@@ -3021,8 +3123,8 @@ var acceptInvitation = createAuthEndpoint(
   "/organization/accept-invitation",
   {
     method: "POST",
-    body: z.object({
-      invitationId: z.string()
+    body: z13.object({
+      invitationId: z13.string()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -3080,8 +3182,8 @@ var rejectInvitation = createAuthEndpoint(
   "/organization/reject-invitation",
   {
     method: "POST",
-    body: z.object({
-      invitationId: z.string()
+    body: z13.object({
+      invitationId: z13.string()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -3119,8 +3221,8 @@ var cancelInvitation = createAuthEndpoint(
   "/organization/cancel-invitation",
   {
     method: "POST",
-    body: z.object({
-      invitationId: z.string()
+    body: z13.object({
+      invitationId: z13.string()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -3172,8 +3274,8 @@ var getInvitation = createAuthEndpoint(
     method: "GET",
     use: [orgMiddleware],
     requireHeaders: true,
-    query: z.object({
-      id: z.string()
+    query: z13.object({
+      id: z13.string()
     })
   },
   async (ctx) => {
@@ -3235,16 +3337,19 @@ var getInvitation = createAuthEndpoint(
     });
   }
 );
+
+// src/plugins/organization/routes/crud-members.ts
+import { z as z14 } from "zod";
 var removeMember = createAuthEndpoint(
   "/organization/remove-member",
   {
     method: "POST",
-    body: z.object({
-      memberIdOrEmail: z.string(),
+    body: z14.object({
+      memberIdOrEmail: z14.string(),
       /**
        * If not provided, the active organization will be used
        */
-      organizationId: z.string().optional()
+      organizationId: z14.string().optional()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -3332,13 +3437,13 @@ var updateMemberRole = createAuthEndpoint(
   "/organization/update-member-role",
   {
     method: "POST",
-    body: z.object({
-      role: z.enum(["admin", "member", "owner"]),
-      memberId: z.string(),
+    body: z14.object({
+      role: z14.enum(["admin", "member", "owner"]),
+      memberId: z14.string(),
       /**
        * If not provided, the active organization will be used
        */
-      organizationId: z.string().optional()
+      organizationId: z14.string().optional()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -3401,16 +3506,19 @@ var updateMemberRole = createAuthEndpoint(
     return ctx.json(updatedMember);
   }
 );
+
+// src/plugins/organization/routes/crud-org.ts
+import { z as z15 } from "zod";
 var createOrganization = createAuthEndpoint(
   "/organization/create",
   {
     method: "POST",
-    body: z.object({
-      name: z.string(),
-      slug: z.string(),
-      userId: z.string().optional(),
-      logo: z.string().optional(),
-      metadata: z.record(z.string()).optional()
+    body: z15.object({
+      name: z15.string(),
+      slug: z15.string(),
+      userId: z15.string().optional(),
+      logo: z15.string().optional(),
+      metadata: z15.record(z15.string()).optional()
     }),
     use: [orgMiddleware, orgSessionMiddleware]
   },
@@ -3471,12 +3579,12 @@ var updateOrganization = createAuthEndpoint(
   "/organization/update",
   {
     method: "POST",
-    body: z.object({
-      data: z.object({
-        name: z.string().optional(),
-        slug: z.string().optional()
+    body: z15.object({
+      data: z15.object({
+        name: z15.string().optional(),
+        slug: z15.string().optional()
       }).partial(),
-      orgId: z.string().optional()
+      orgId: z15.string().optional()
     }),
     requireHeaders: true,
     use: [orgMiddleware]
@@ -3538,8 +3646,8 @@ var deleteOrganization = createAuthEndpoint(
   "/organization/delete",
   {
     method: "POST",
-    body: z.object({
-      orgId: z.string()
+    body: z15.object({
+      orgId: z15.string()
     }),
     requireHeaders: true,
     use: [orgMiddleware]
@@ -3604,8 +3712,8 @@ var getFullOrganization = createAuthEndpoint(
   "/organization/get-full",
   {
     method: "GET",
-    query: z.object({
-      orgId: z.string().optional()
+    query: z15.object({
+      orgId: z15.string().optional()
     }),
     requireHeaders: true,
     use: [orgMiddleware, orgSessionMiddleware]
@@ -3641,8 +3749,8 @@ var setActiveOrganization = createAuthEndpoint(
   "/organization/activate",
   {
     method: "POST",
-    body: z.object({
-      orgId: z.string().nullable().optional()
+    body: z15.object({
+      orgId: z15.string().nullable().optional()
     }),
     use: [orgSessionMiddleware, orgMiddleware]
   },
@@ -3738,14 +3846,14 @@ var organization = (options) => {
         {
           method: "POST",
           requireHeaders: true,
-          body: z.object({
-            permission: z.record(z.string(), z.array(z.string()))
+          body: z16.object({
+            permission: z16.record(z16.string(), z16.array(z16.string()))
           }),
           use: [orgSessionMiddleware]
         },
         async (ctx) => {
           if (!ctx.context.session.session.activeOrganizationId) {
-            throw new APIError("BAD_REQUEST", {
+            throw new APIError7("BAD_REQUEST", {
               message: "No active organization"
             });
           }
@@ -3755,7 +3863,7 @@ var organization = (options) => {
             organizationId: ctx.context.session.session.activeOrganizationId || ""
           });
           if (!member) {
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError7("UNAUTHORIZED", {
               message: "You are not a member of this organization"
             });
           }
@@ -3888,19 +3996,31 @@ var organization = (options) => {
   };
 };
 
+// src/plugins/two-factor/index.ts
+import { z as z21 } from "zod";
+
+// src/plugins/two-factor/backup-codes/index.ts
+import { z as z18 } from "zod";
+
+// src/plugins/two-factor/verify-middleware.ts
+import { APIError as APIError8 } from "better-call";
+
 // src/plugins/two-factor/constant.ts
 var TWO_FACTOR_COOKIE_NAME = "two-factor";
 var TRUST_DEVICE_COOKIE_NAME = "trust-device";
+
+// src/plugins/two-factor/verify-middleware.ts
+import { z as z17 } from "zod";
 var verifyTwoFactorMiddleware = createAuthMiddleware(
   {
-    body: z.object({
+    body: z17.object({
       /**
        * if true, the device will be trusted
        * for 30 days. It'll be refreshed on
        * every sign in request within this time.
        */
-      trustDevice: z.boolean().optional(),
-      callbackURL: z.string().optional()
+      trustDevice: z17.boolean().optional(),
+      callbackURL: z17.string().optional()
     })
   },
   async (ctx) => {
@@ -3910,13 +4030,13 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(
       ctx.context.secret
     );
     if (!cookie) {
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError8("UNAUTHORIZED", {
         message: "invalid two factor cookie"
       });
     }
     const [userId, hash] = cookie.split("!");
     if (!userId || !hash) {
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError8("UNAUTHORIZED", {
         message: "invalid two factor cookie"
       });
     }
@@ -3930,7 +4050,7 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(
       ]
     });
     if (!sessions.length) {
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError8("UNAUTHORIZED", {
         message: "invalid session"
       });
     }
@@ -3938,7 +4058,7 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(
       (session) => session.expiresAt > /* @__PURE__ */ new Date()
     );
     if (!activeSessions) {
-      throw new APIError("UNAUTHORIZED", {
+      throw new APIError8("UNAUTHORIZED", {
         message: "invalid session"
       });
     }
@@ -3954,7 +4074,7 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(
         ]
       });
       if (!user) {
-        throw new APIError("UNAUTHORIZED", {
+        throw new APIError8("UNAUTHORIZED", {
           message: "invalid session"
         });
       }
@@ -4010,7 +4130,7 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(
         };
       }
     }
-    throw new APIError("UNAUTHORIZED", {
+    throw new APIError8("UNAUTHORIZED", {
       message: "invalid two factor authentication"
     });
   }
@@ -4018,8 +4138,8 @@ var verifyTwoFactorMiddleware = createAuthMiddleware(
 
 // src/plugins/two-factor/backup-codes/index.ts
 function generateBackupCodesFn(options) {
-  return Array.from({ length: 10 }).fill(null).map(
-    () => generateRandomString(10, alphabet("a-z", "0-9"))
+  return Array.from({ length: options?.amount ?? 10 }).fill(null).map(
+    () => generateRandomString(options?.length ?? 10, alphabet("a-z", "0-9"))
   ).map((code) => `${code.slice(0, 5)}-${code.slice(5)}`);
 }
 async function generateBackupCodes(secret, options) {
@@ -4046,7 +4166,7 @@ async function getBackupCodes(user, key) {
     await symmetricDecrypt({ key, data: user.twoFactorBackupCodes })
   ).toString("utf-8");
   const data = JSON.parse(secret);
-  const result = z.array(z.string()).safeParse(data);
+  const result = z18.array(z18.string()).safeParse(data);
   if (result.success) {
     return result.data;
   }
@@ -4060,8 +4180,8 @@ var backupCode2fa = (options) => {
         "/two-factor/verify-backup-code",
         {
           method: "POST",
-          body: z.object({
-            code: z.string()
+          body: z18.object({
+            code: z18.string()
           }),
           use: [verifyTwoFactorMiddleware]
         },
@@ -4132,9 +4252,15 @@ var backupCode2fa = (options) => {
     }
   };
 };
+
+// src/plugins/two-factor/otp/index.ts
+import { APIError as APIError9 } from "better-call";
+import { TOTPController } from "oslo/otp";
+import { z as z19 } from "zod";
+import { TimeSpan as TimeSpan4 } from "oslo";
 var otp2fa = (options) => {
   const opts = {
-    period: new TimeSpan(options?.period || 3, "m")
+    period: new TimeSpan4(options?.period || 3, "m")
   };
   const totp = new TOTPController({
     digits: 6,
@@ -4151,7 +4277,7 @@ var otp2fa = (options) => {
         ctx.context.logger.error(
           "send otp isn't configured. Please configure the send otp function on otp options."
         );
-        throw new APIError("BAD_REQUEST", {
+        throw new APIError9("BAD_REQUEST", {
           message: "otp isn't configured"
         });
       }
@@ -4165,15 +4291,15 @@ var otp2fa = (options) => {
     "/two-factor/verify-otp",
     {
       method: "POST",
-      body: z.object({
-        code: z.string()
+      body: z19.object({
+        code: z19.string()
       }),
       use: [verifyTwoFactorMiddleware]
     },
     async (ctx) => {
       const user = ctx.context.session.user;
       if (!user.twoFactorEnabled) {
-        throw new APIError("BAD_REQUEST", {
+        throw new APIError9("BAD_REQUEST", {
           message: "two factor isn't enabled"
         });
       }
@@ -4193,10 +4319,16 @@ var otp2fa = (options) => {
     }
   };
 };
+
+// src/plugins/two-factor/totp/index.ts
+import { APIError as APIError10 } from "better-call";
+import { TimeSpan as TimeSpan5 } from "oslo";
+import { TOTPController as TOTPController2, createTOTPKeyURI } from "oslo/otp";
+import { z as z20 } from "zod";
 var totp2fa = (options) => {
   const opts = {
     digits: 6,
-    period: new TimeSpan(options?.period || 30, "s")
+    period: new TimeSpan5(options?.period || 30, "s")
   };
   const generateTOTP = createAuthEndpoint(
     "/totp/generate",
@@ -4209,12 +4341,12 @@ var totp2fa = (options) => {
         ctx.context.logger.error(
           "totp isn't configured. please pass totp option on two factor plugin to enable totp"
         );
-        throw new APIError("BAD_REQUEST", {
+        throw new APIError10("BAD_REQUEST", {
           message: "totp isn't configured"
         });
       }
       const session = ctx.context.session.user;
-      const totp = new TOTPController(opts);
+      const totp = new TOTPController2(opts);
       const code = await totp.generate(Buffer.from(session.twoFactorSecret));
       return { code };
     }
@@ -4230,13 +4362,13 @@ var totp2fa = (options) => {
         ctx.context.logger.error(
           "totp isn't configured. please pass totp option on two factor plugin to enable totp"
         );
-        throw new APIError("BAD_REQUEST", {
+        throw new APIError10("BAD_REQUEST", {
           message: "totp isn't configured"
         });
       }
       const user = ctx.context.session.user;
       if (!user.twoFactorSecret) {
-        throw new APIError("BAD_REQUEST", {
+        throw new APIError10("BAD_REQUEST", {
           message: "totp isn't enabled"
         });
       }
@@ -4254,9 +4386,9 @@ var totp2fa = (options) => {
     "/two-factor/verify-totp",
     {
       method: "POST",
-      body: z.object({
-        code: z.string(),
-        callbackURL: z.string().optional()
+      body: z20.object({
+        code: z20.string(),
+        callbackURL: z20.string().optional()
       }),
       use: [verifyTwoFactorMiddleware]
     },
@@ -4265,11 +4397,11 @@ var totp2fa = (options) => {
         ctx.context.logger.error(
           "totp isn't configured. please pass totp option on two factor plugin to enable totp"
         );
-        throw new APIError("BAD_REQUEST", {
+        throw new APIError10("BAD_REQUEST", {
           message: "totp isn't configured"
         });
       }
-      const totp = new TOTPController(opts);
+      const totp = new TOTPController2(opts);
       const secret = Buffer.from(
         await symmetricDecrypt({
           key: ctx.context.secret,
@@ -4293,6 +4425,23 @@ var totp2fa = (options) => {
   };
 };
 
+// src/utils/password.ts
+async function validatePassword(ctx, data) {
+  const accounts = await ctx.context.internalAdapter.findAccounts(data.userId);
+  const credentialAccount = accounts?.find(
+    (account) => account.providerId === "credential"
+  );
+  const currentPassword = credentialAccount?.password;
+  if (!credentialAccount || !currentPassword) {
+    return false;
+  }
+  const compare = await ctx.context.password.verify(
+    currentPassword,
+    data.password
+  );
+  return compare;
+}
+
 // src/plugins/two-factor/client.ts
 var twoFactorClient = (options = {
   redirect: true,
@@ -4350,8 +4499,8 @@ var twoFactor = (options) => {
         "/two-factor/enable",
         {
           method: "POST",
-          body: z.object({
-            password: z.string().min(8)
+          body: z21.object({
+            password: z21.string().min(8)
           }),
           use: [sessionMiddleware]
         },
@@ -4403,8 +4552,8 @@ var twoFactor = (options) => {
         "/two-factor/disable",
         {
           method: "POST",
-          body: z.object({
-            password: z.string().min(8)
+          body: z21.object({
+            password: z21.string().min(8)
           }),
           use: [sessionMiddleware]
         },
@@ -4557,11 +4706,43 @@ var twoFactor = (options) => {
     ]
   };
 };
+
+// src/plugins/passkey/index.ts
+import {
+  generateAuthenticationOptions,
+  generateRegistrationOptions,
+  verifyAuthenticationResponse,
+  verifyRegistrationResponse
+} from "@simplewebauthn/server";
+import { APIError as APIError11 } from "better-call";
+import { z as z22 } from "zod";
+
+// src/plugins/passkey/client.ts
+import {
+  WebAuthnError,
+  startAuthentication,
+  startRegistration
+} from "@simplewebauthn/browser";
+
+// src/client/config.ts
+import { createFetch } from "@better-fetch/fetch";
+import "nanostores";
+
+// src/client/fetch-plugins.ts
+import { betterFetch as betterFetch9 } from "@better-fetch/fetch";
+
+// src/client/session-atom.ts
+import { atom as atom2 } from "nanostores";
+
+// src/client/query.ts
+import "@better-fetch/fetch";
+import { atom, onMount } from "nanostores";
 var useAuthQuery = (initializedAtom, path, $fetch, options) => {
   const value = atom({
     data: null,
     error: null,
-    isPending: false
+    isPending: false,
+    isRefetching: false
   });
   const fn = () => {
     const opts = typeof options === "function" ? options({
@@ -4575,24 +4756,27 @@ var useAuthQuery = (initializedAtom, path, $fetch, options) => {
         value.set({
           data: context.data,
           error: null,
-          isPending: false
+          isPending: false,
+          isRefetching: false
         });
         await opts?.onSuccess?.(context);
       },
       async onError(context) {
         value.set({
           error: context.error,
-          data: null,
-          isPending: false
+          data: value.get().data,
+          isPending: false,
+          isRefetching: false
         });
         await opts?.onError?.(context);
       },
       async onRequest(context) {
         const currentValue = value.get();
         value.set({
-          isPending: true,
+          isPending: currentValue.data === null,
           data: currentValue.data,
-          error: currentValue.error
+          error: null,
+          isRefetching: true
         });
         await opts?.onRequest?.(context);
       }
@@ -4618,6 +4802,9 @@ var useAuthQuery = (initializedAtom, path, $fetch, options) => {
   }
   return value;
 };
+
+// src/plugins/passkey/client.ts
+import { atom as atom3 } from "nanostores";
 var getPasskeyActions = ($fetch, {
   _listPasskeys
 }) => {
@@ -4739,7 +4926,7 @@ var getPasskeyActions = ($fetch, {
   };
 };
 var passkeyClient = () => {
-  const _listPasskeys = atom();
+  const _listPasskeys = atom3();
   return {
     id: "passkey",
     $InferServerPlugin: {},
@@ -4866,9 +5053,9 @@ var passkey = (options) => {
         "/passkey/generate-authenticate-options",
         {
           method: "POST",
-          body: z.object({
-            email: z.string().optional(),
-            callbackURL: z.string().optional()
+          body: z22.object({
+            email: z22.string().optional(),
+            callbackURL: z22.string().optional()
           }).optional()
         },
         async (ctx) => {
@@ -4924,9 +5111,9 @@ var passkey = (options) => {
         "/passkey/verify-registration",
         {
           method: "POST",
-          body: z.object({
-            response: z.any(),
-            name: z.string().optional()
+          body: z22.object({
+            response: z22.any(),
+            name: z22.string().optional()
           }),
           use: [sessionMiddleware]
         },
@@ -4951,7 +5138,7 @@ var passkey = (options) => {
             challengeString
           );
           if (userData.id !== ctx.context.session.user.id) {
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError11("UNAUTHORIZED", {
               message: "You are not authorized to register this passkey"
             });
           }
@@ -5011,8 +5198,8 @@ var passkey = (options) => {
         "/passkey/verify-authentication",
         {
           method: "POST",
-          body: z.object({
-            response: z.any()
+          body: z22.object({
+            response: z22.any()
           })
         },
         async (ctx) => {
@@ -5148,8 +5335,8 @@ var passkey = (options) => {
         "/passkey/delete-passkey",
         {
           method: "POST",
-          body: z.object({
-            id: z.string()
+          body: z22.object({
+            id: z22.string()
           }),
           use: [sessionMiddleware]
         },
@@ -5218,6 +5405,10 @@ var passkey = (options) => {
     }
   };
 };
+
+// src/plugins/username/index.ts
+import { z as z23 } from "zod";
+import { APIError as APIError12 } from "better-call";
 var username = () => {
   return {
     id: "username",
@@ -5226,11 +5417,11 @@ var username = () => {
         "/sign-in/username",
         {
           method: "POST",
-          body: z.object({
-            username: z.string(),
-            password: z.string(),
-            dontRememberMe: z.boolean().optional(),
-            callbackURL: z.string().optional()
+          body: z23.object({
+            username: z23.string(),
+            password: z23.string(),
+            dontRememberMe: z23.boolean().optional(),
+            callbackURL: z23.string().optional()
           })
         },
         async (ctx) => {
@@ -5246,7 +5437,7 @@ var username = () => {
           if (!user) {
             await ctx.context.password.hash(ctx.body.password);
             ctx.context.logger.error("User not found", { username });
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError12("UNAUTHORIZED", {
               message: "Invalid email or password"
             });
           }
@@ -5264,14 +5455,14 @@ var username = () => {
             ]
           });
           if (!account) {
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError12("UNAUTHORIZED", {
               message: "Invalid email or password"
             });
           }
           const currentPassword = account?.password;
           if (!currentPassword) {
             ctx.context.logger.error("Password not found", { username });
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError12("UNAUTHORIZED", {
               message: "Unexpected error"
             });
           }
@@ -5281,7 +5472,7 @@ var username = () => {
           );
           if (!validPassword) {
             ctx.context.logger.error("Invalid password");
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError12("UNAUTHORIZED", {
               message: "Invalid email or password"
             });
           }
@@ -5319,13 +5510,13 @@ var username = () => {
         "/sign-up/username",
         {
           method: "POST",
-          body: z.object({
-            username: z.string().min(3).max(20),
-            name: z.string(),
-            email: z.string().email(),
-            password: z.string(),
-            image: z.string().optional(),
-            callbackURL: z.string().optional()
+          body: z23.object({
+            username: z23.string().min(3).max(20),
+            name: z23.string(),
+            email: z23.string().email(),
+            password: z23.string(),
+            image: z23.string().optional(),
+            callbackURL: z23.string().optional()
           })
         },
         async (ctx) => {
@@ -5385,6 +5576,9 @@ var username = () => {
     }
   };
 };
+
+// src/plugins/bearer/index.ts
+import { serializeSigned } from "better-call";
 var bearer = () => {
   return {
     id: "bearer",
@@ -5415,6 +5609,11 @@ var bearer = () => {
     }
   };
 };
+
+// src/plugins/magic-link/index.ts
+import { z as z24 } from "zod";
+import { APIError as APIError13 } from "better-call";
+import { validateJWT as validateJWT3 } from "oslo/jwt";
 var magicLink = (options) => {
   return {
     id: "magic-link",
@@ -5424,17 +5623,17 @@ var magicLink = (options) => {
         {
           method: "POST",
           requireHeaders: true,
-          body: z.object({
-            email: z.string().email(),
-            callbackURL: z.string().optional(),
-            currentURL: z.string().optional()
+          body: z24.object({
+            email: z24.string().email(),
+            callbackURL: z24.string().optional(),
+            currentURL: z24.string().optional()
           })
         },
         async (ctx) => {
           const { email } = ctx.body;
           const user = await ctx.context.internalAdapter.findUserByEmail(email);
           if (!user) {
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError13("UNAUTHORIZED", {
               message: "User not found"
             });
           }
@@ -5451,7 +5650,7 @@ var magicLink = (options) => {
             });
           } catch (e) {
             ctx.context.logger.error("Failed to send magic link", e);
-            throw new APIError("INTERNAL_SERVER_ERROR", {
+            throw new APIError13("INTERNAL_SERVER_ERROR", {
               message: "Failed to send magic link"
             });
           }
@@ -5464,9 +5663,9 @@ var magicLink = (options) => {
         "/magic-link/verify",
         {
           method: "GET",
-          query: z.object({
-            token: z.string(),
-            callbackURL: z.string().optional()
+          query: z24.object({
+            token: z24.string(),
+            callbackURL: z24.string().optional()
           }),
           requireHeaders: true
         },
@@ -5474,7 +5673,7 @@ var magicLink = (options) => {
           const { token, callbackURL } = ctx.query;
           let jwt;
           try {
-            jwt = await validateJWT(
+            jwt = await validateJWT3(
               "HS256",
               Buffer.from(ctx.context.secret),
               token
@@ -5492,8 +5691,8 @@ var magicLink = (options) => {
               }
             });
           }
-          const schema = z.object({
-            email: z.string().email()
+          const schema = z24.object({
+            email: z24.string().email()
           });
           const parsed = schema.parse(jwt.payload);
           const user = await ctx.context.internalAdapter.findUserByEmail(
@@ -5539,6 +5738,10 @@ var magicLink = (options) => {
     }
   };
 };
+
+// src/plugins/phone-number/index.ts
+import { z as z25 } from "zod";
+import { APIError as APIError14 } from "better-call";
 function generateOTP(size) {
   return generateRandomString(size, alphabet("0-9"));
 }
@@ -5560,11 +5763,11 @@ var phoneNumber = (options) => {
         "/sign-in/phone-number",
         {
           method: "POST",
-          body: z.object({
-            phoneNumber: z.string(),
-            password: z.string(),
-            dontRememberMe: z.boolean().optional(),
-            callbackURL: z.string().optional()
+          body: z25.object({
+            phoneNumber: z25.string(),
+            password: z25.string(),
+            dontRememberMe: z25.boolean().optional(),
+            callbackURL: z25.string().optional()
           })
         },
         async (ctx) => {
@@ -5579,7 +5782,7 @@ var phoneNumber = (options) => {
           });
           if (!user) {
             await ctx.context.password.hash(ctx.body.password);
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError14("UNAUTHORIZED", {
               message: "Invalid email or password"
             });
           }
@@ -5597,7 +5800,7 @@ var phoneNumber = (options) => {
             ]
           });
           if (!account) {
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError14("UNAUTHORIZED", {
               message: "Invalid email or password"
             });
           }
@@ -5607,7 +5810,7 @@ var phoneNumber = (options) => {
               "Unexpectedly password is missing for the user",
               user
             );
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError14("UNAUTHORIZED", {
               message: "Unexpected error"
             });
           }
@@ -5617,7 +5820,7 @@ var phoneNumber = (options) => {
           );
           if (!validPassword) {
             ctx.context.logger.error("Invalid password");
-            throw new APIError("UNAUTHORIZED", {
+            throw new APIError14("UNAUTHORIZED", {
               message: "Invalid email or password"
             });
           }
@@ -5655,13 +5858,13 @@ var phoneNumber = (options) => {
         "/sign-up/phone-number",
         {
           method: "POST",
-          body: z.object({
-            phoneNumber: z.string().min(3).max(20),
-            name: z.string(),
-            email: z.string().email(),
-            password: z.string(),
-            image: z.string().optional(),
-            callbackURL: z.string().optional()
+          body: z25.object({
+            phoneNumber: z25.string().min(3).max(20),
+            name: z25.string(),
+            email: z25.string().email(),
+            password: z25.string(),
+            image: z25.string().optional(),
+            callbackURL: z25.string().optional()
           })
         },
         async (ctx) => {
@@ -5682,7 +5885,7 @@ var phoneNumber = (options) => {
           if (options?.otp?.sendOTPonSignUp) {
             if (!options.otp.sendOTP) {
               logger.warn("sendOTP not implemented");
-              throw new APIError("NOT_IMPLEMENTED", {
+              throw new APIError14("NOT_IMPLEMENTED", {
                 message: "sendOTP not implemented"
               });
             }
@@ -5725,14 +5928,14 @@ var phoneNumber = (options) => {
         "/phone-number/send-verification-code",
         {
           method: "POST",
-          body: z.object({
-            phoneNumber: z.string()
+          body: z25.object({
+            phoneNumber: z25.string()
           })
         },
         async (ctx) => {
           if (!options?.otp?.sendOTP) {
             logger.warn("sendOTP not implemented");
-            throw new APIError("NOT_IMPLEMENTED", {
+            throw new APIError14("NOT_IMPLEMENTED", {
               message: "sendOTP not implemented"
             });
           }
@@ -5757,9 +5960,9 @@ var phoneNumber = (options) => {
         "/phone-number/verify",
         {
           method: "POST",
-          body: z.object({
-            phoneNumber: z.string(),
-            code: z.string()
+          body: z25.object({
+            phoneNumber: z25.string(),
+            code: z25.string()
           })
         },
         async (ctx) => {
@@ -5802,7 +6005,7 @@ var phoneNumber = (options) => {
             ]
           });
           if (!user) {
-            throw new APIError("NOT_FOUND", {
+            throw new APIError14("NOT_FOUND", {
               message: "User with phone number not found"
             });
           }
@@ -5841,8 +6044,8 @@ var phoneNumber = (options) => {
         "/phone-number/update",
         {
           method: "POST",
-          body: z.object({
-            phoneNumber: z.string()
+          body: z25.object({
+            phoneNumber: z25.string()
           }),
           use: [sessionMiddleware]
         },
@@ -5850,7 +6053,7 @@ var phoneNumber = (options) => {
           if (options?.otp?.sendOTPonUpdate) {
             if (!options.otp.sendOTP) {
               logger.warn("sendOTP not implemented");
-              throw new APIError("NOT_IMPLEMENTED", {
+              throw new APIError14("NOT_IMPLEMENTED", {
                 message: "sendOTP not implemented"
               });
             }
@@ -5897,5 +6100,20 @@ var phoneNumber = (options) => {
     }
   };
 };
-
-export { HIDE_METADATA, access_exports as ac, bearer, createAuthEndpoint, createAuthMiddleware, getPasskeyActions, magicLink, optionsMiddleware, organization, passkey, passkeyClient, phoneNumber, twoFactor, twoFactorClient, username };
+export {
+  HIDE_METADATA,
+  access_exports as ac,
+  bearer,
+  createAuthEndpoint,
+  createAuthMiddleware,
+  getPasskeyActions,
+  magicLink,
+  optionsMiddleware,
+  organization,
+  passkey,
+  passkeyClient,
+  phoneNumber,
+  twoFactor,
+  twoFactorClient,
+  username
+};