better-auth 0.7.3-beta.4 → 0.7.3-beta.5

package/dist/plugins.cjs CHANGED
@@ -1,6 +1,6 @@
1
- "use strict";var ro=Object.create;var He=Object.defineProperty;var oo=Object.getOwnPropertyDescriptor;var no=Object.getOwnPropertyNames;var io=Object.getPrototypeOf,so=Object.prototype.hasOwnProperty;var ao=(e,t)=>{for(var r in t)He(e,r,{get:t[r],enumerable:!0})},Bt=(e,t,r,o)=>{if(t&&typeof t=="object"||typeof t=="function")for(let n of no(t))!so.call(e,n)&&n!==r&&He(e,n,{get:()=>t[n],enumerable:!(o=oo(t,n))||o.enumerable});return e};var Dt=(e,t,r)=>(r=e!=null?ro(io(e)):{},Bt(t||!e||!e.__esModule?He(r,"default",{value:e,enumerable:!0}):r,e)),co=e=>Bt(He({},"__esModule",{value:!0}),e);var kn={};ao(kn,{HIDE_METADATA:()=>pe,admin:()=>fn,adminMiddleware:()=>K,anonymous:()=>mn,bearer:()=>cn,createAuthEndpoint:()=>u,createAuthMiddleware:()=>S,emailOTP:()=>bn,genericOAuth:()=>hn,getPasskeyActions:()=>Wr,jwt:()=>wn,magicLink:()=>un,multiSession:()=>yn,oneTap:()=>An,optionsMiddleware:()=>lt,organization:()=>Wo,passkey:()=>dn,passkeyClient:()=>an,phoneNumber:()=>pn,twoFactor:()=>on,twoFactorClient:()=>rn,username:()=>_t});module.exports=co(kn);var bt=require("better-call"),Te=require("zod");var le=require("better-call"),lt=(0,le.createMiddleware)(async()=>({})),S=(0,le.createMiddlewareCreator)({use:[lt,(0,le.createMiddleware)(async()=>({}))]}),u=(0,le.createEndpointCreator)({use:[lt]});var $=require("better-call"),N=require("zod");var po=require("oslo");var G=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r}};var We=Object.create(null),De=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?We:globalThis),Ge=new Proxy(We,{get(e,t){return De()[t]??We[t]},has(e,t){let r=De();return t in r||t in We},set(e,t,r){let o=De(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=De(!0);return delete r[t],!0},ownKeys(){let e=De(!0);return Object.keys(e)}});function uo(e){return e?e!=="false":!1}var pt=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var 
xt=pt==="dev"||pt==="development",lo=pt==="test"||uo(Ge.TEST);async function w(e,t,r,o){let n=e.context.authCookies.sessionToken.options;n.maxAge=r?void 0:e.context.sessionConfig.expiresIn,await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.id,e.context.secret,{...n,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&await e.setSignedCookie(e.context.authCookies.sessionData.name,JSON.stringify(t),e.context.secret,e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.id,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function te(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{maxAge:0})}function Lt(e){let t=new Map;return e.split(", ").forEach(o=>{let[n,...i]=o.split("; "),[a,s]=n.split("="),d={value:s};i.forEach(c=>{let[l,p]=c.split("=");d[l.toLowerCase()]=p||!0}),t.set(a,d)}),t}function Ke(e){let t=e.split("; "),r=new Map;return t.forEach(o=>{let[n,i]=o.split("=");r.set(n,i)}),r}var Qt=require("oslo/jwt");var jt=require("oslo/crypto"),Nt=require("oslo/encoding");var C=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function Ft(e){let t=await(0,jt.sha256)(new TextEncoder().encode(e));return Nt.base64url.encode(new Uint8Array(t),{includePadding:!1})}function Vt(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?C(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function I({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:n,scopes:i,claims:a,disablePkce:s,redirectURI:d}){let 
c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",o),c.searchParams.set("scope",i.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||d),!s&&n){let l=await Ft(n);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",l)}if(a){let l=a.reduce((p,m)=>(p[m]=null,p),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...l}}))}return c}var qt=require("@better-fetch/fetch");async function v({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:n}){let i=new URLSearchParams;i.set("grant_type","authorization_code"),i.set("code",e),t&&i.set("code_verifier",t),i.set("redirect_uri",r),i.set("client_id",o.clientId),i.set("client_secret",o.clientSecret);let{data:a,error:s}=await(0,qt.betterFetch)(n,{method:"POST",body:i,headers:{"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"}});if(s)throw s;return Vt(a)}var Ze=require("oslo/oauth2"),re=require("zod"),mt=require("better-call");var pe={isAction:!1};var Mt=require("nanoid"),z=e=>(0,Mt.nanoid)(e);var $t=require("consola"),me=(0,$t.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),mo=e=>({log:(...t)=>{!e?.disabled&&me.log("",...t)},error:(...t)=>{!e?.disabled&&me.error("",...t)},warn:(...t)=>{!e?.disabled&&me.warn("",...t)},info:(...t)=>{!e?.disabled&&me.info("",...t)},debug:(...t)=>{!e?.disabled&&me.debug("",...t)},box:(...t)=>{!e?.disabled&&me.box("",...t)},success:(...t)=>{!e?.disabled&&me.success("",...t)},break:(...t)=>{!e?.disabled&&console.log(`
2
- `)}}),y=mo();function Je(e){try{return new URL(e).origin}catch{return null}}async function ke(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?Je(e.query?.currentURL):"");if(!r)throw new mt.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,Ze.generateCodeVerifier)(),n=(0,Ze.generateState)(),i=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let s=await e.context.internalAdapter.createVerificationValue({value:i,identifier:n,expiresAt:a});if(!s)throw y.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new mt.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:s.identifier,codeVerifier:o}}async function Ye(e){let t=e.query.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw y.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=re.z.object({callbackURL:re.z.string(),codeVerifier:re.z.string(),errorURL:re.z.string().optional(),expiresAt:re.z.number(),link:re.z.object({email:re.z.string(),userId:re.z.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),y.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Ht=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:n}){let i=o||["email","name","openid"];return e.scope&&i.push(...e.scope),new 
URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${i.join(" ")}&state=${r}`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>v({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(!r.idToken)return null;let o=(0,Qt.parseJWT)(r.idToken)?.payload;return o?{user:{id:o.sub,name:o.name,email:o.email,emailVerified:o.email_verified==="true"},data:o}:null}}};var Wt=require("@better-fetch/fetch");var Gt=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["identify","email"];return e.scope&&n.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${n.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>v({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,Wt.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let n=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${n}`}return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url},data:r}}});var Kt=require("@better-fetch/fetch");var Jt=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["email","public_profile"];return e.scope&&n.push(...e.scope),await 
I({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:n,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>v({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){let{data:r,error:o}=await(0,Kt.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified},data:r}}});var ft=require("@better-fetch/fetch");var Zt=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:n,redirectURI:i}){let a=o||["user:email"];return e.scope&&a.push(...e.scope),I({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,redirectURI:o})=>v({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){let{data:o,error:n}=await(0,ft.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=!1;if(!o.email){let{data:a,error:s}=await(0,ft.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});s||(o.email=(a.find(d=>d.primary)??a[0])?.email,i=a.find(d=>d.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:i},data:o}}}};var Yt=require("oslo/jwt");var Xt=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){if(!e.clientId||!e.clientSecret)throw y.error("Client Id and Client Secret is required for Google. 
Make sure to provide them in the options."),new G("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new G("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let a=await I({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:o,redirectURI:n});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>v({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async getUserInfo(t){if(!t.idToken)return null;let r=(0,Yt.parseJWT)(t.idToken)?.payload;return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified},data:r}}});var er=require("@better-fetch/fetch"),tr=require("oslo/jwt");var rr=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(n){let i=n.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),I({id:"microsoft",options:e,authorizationEndpoint:r,state:n.state,codeVerifier:n.codeVerifier,scopes:i,redirectURI:n.redirectURI})},validateAuthorizationCode({code:n,codeVerifier:i,redirectURI:a}){return v({code:n,codeVerifier:i,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:o})},async getUserInfo(n){if(!n.idToken)return null;let i=(0,tr.parseJWT)(n.idToken)?.payload,a=e.profilePhotoSize||48;return await(0,er.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${n.accessToken}`},async onResponse(s){if(!(e.disableProfilePhoto||!s.response.ok))try{let c=await s.response.clone().arrayBuffer(),l=Buffer.from(c).toString("base64");i.picture=`data:image/jpeg;base64, 
${l}`}catch(d){y.error(d)}}}),{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0},data:i}}}};var or=require("@better-fetch/fetch");var nr=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),I({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:o,redirectURI:n})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>v({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,or.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1},data:r}}});var vi=require("@better-fetch/fetch");var ir=require("oslo/jwt");var sr=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["user:read:email","openid"];return e.scope&&n.push(...e.scope),I({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:n,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>v({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){let r=t.idToken;if(!r)return y.error("No idToken found in token"),null;let o=(0,ir.parseJWT)(r)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});var ar=require("@better-fetch/fetch");var dr=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["account_info.read"];return 
e.scope&&r.push(...e.scope),I({id:"twitter",options:e,authorizationEndpoint:"https://twitter.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>v({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,ar.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o||!r.data.email?null:{user:{id:r.data.id,name:r.data.name,email:r.data.email,image:r.data.profile_image_url,emailVerified:r.data.verified||!1},data:r}}});var cr=require("@better-fetch/fetch");var ur=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:n,redirectURI:i})=>{let a=o||["account_info.read"];return e.scope&&a.push(...e.scope),await I({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>await v({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){let{data:o,error:n}=await(0,cr.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});return n?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};var lr=require("@better-fetch/fetch");var pr=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:n,redirectURI:i})=>{let a=n||["profile","email","openid"];return e.scope&&a.push(...e.scope),await 
I({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:o,redirectURI:i})},validateAuthorizationCode:async({code:o,redirectURI:n})=>await v({code:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:n,error:i}=await(0,lr.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return i?null:{user:{id:n.sub,name:n.name,email:n.email,emailVerified:n.email_verified||!1,image:n.picture},data:n}}}};var mr=require("@better-fetch/fetch");var gt=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),fo=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:gt(`${t}/oauth/authorize`),tokenEndpoint:gt(`${t}/oauth/token`),userinfoEndpoint:gt(`${t}/api/v4/user`)}},fr=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=fo(e.issuer),n="gitlab";return{id:n,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:s,codeVerifier:d,redirectURI:c})=>{let l=s||["read_user"];return e.scope&&l.push(...e.scope),await I({id:n,options:e,authorizationEndpoint:t,scopes:l,state:a,redirectURI:c,codeVerifier:d})},validateAuthorizationCode:async({code:a,redirectURI:s})=>v({code:a,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:r}),async getUserInfo(a){let{data:s,error:d}=await(0,mr.betterFetch)(o,{headers:{authorization:`Bearer ${a.accessToken}`}});return d||s.state!=="active"||s.locked?null:{user:{id:s.id.toString(),name:s.name??s.username,email:s.email,image:s.avatar_url,emailVerified:!0},data:s}}}};var go={apple:Ht,discord:Gt,facebook:Jt,github:Zt,microsoft:rr,google:Xt,spotify:nr,twitch:sr,twitter:dr,dropbox:ur,linkedin:pr,gitlab:fr},Xe=Object.keys(go);var hr=require("oslo"),et=require("oslo/jwt"),M=require("zod");var fe=require("better-call");var Oe=require("better-call");var ve=require("zod"),gr=()=>u("/get-session",{method:"GET",query:ve.z.optional(ve.z.object({disableCookieCache:ve.z.boolean().optional()})),requireHeaders:!0},async 
e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null,{status:401});let r=await e.getSignedCookie(e.context.authCookies.sessionData.name,e.context.secret),o=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(r&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let c=JSON.parse(r)?.session;if(c?.expiresAt>new Date)return e.json(c)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return te(e),n&&await e.context.internalAdapter.deleteSession(n.session.id),e.json(null,{status:401});if(o)return e.json(n);let i=e.context.sessionConfig.expiresIn,a=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-i*1e3+a*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.id,{expiresAt:C(e.context.sessionConfig.expiresIn,"sec")});if(!c)return te(e),e.json(null,{status:401});let l=(c.expiresAt.valueOf()-Date.now())/1e3;return await w(e,{session:c,user:n.user},!1,{maxAge:l}),e.json({session:c,user:n.user})}return e.json(n)}catch(t){return e.context.logger.error(t),e.json(null,{status:500})}}),D=async e=>await gr()({...e,_flag:"json",headers:e.headers}),b=S(async e=>{let t=await D(e);if(!t?.session)throw new Oe.APIError("UNAUTHORIZED");return{session:t}});var ho=u("/revoke-session",{method:"POST",body:ve.z.object({id:ve.z.string()}),use:[b],requireHeaders:!0},async e=>{let t=e.body.id,r=await e.context.internalAdapter.findSession(t);if(!r)throw new Oe.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new Oe.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o),new Oe.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),wo=u("/revoke-sessions",{method:"POST",use:[b],requireHeaders:!0},async e=>{try{await 
e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t),new Oe.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})});async function ie(e,t,r){return await(0,et.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new hr.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var yo=u("/send-verification-email",{method:"POST",query:M.z.object({currentURL:M.z.string().optional()}).optional(),body:M.z.object({email:M.z.string().email(),callbackURL:M.z.string().optional()})},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new fe.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new fe.APIError("BAD_REQUEST",{message:"User not found"});let o=await ie(e.context.secret,t),n=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailVerification.sendVerificationEmail(r.user,n,o),e.json({status:!0})}),bo=u("/verify-email",{method:"GET",query:M.z.object({token:M.z.string(),callbackURL:M.z.string().optional()})},async e=>{let{token:t}=e.query,r;try{r=await(0,et.validateJWT)("HS256",Buffer.from(e.context.secret),t)}catch(a){throw e.context.logger.error("Failed to verify email",a),new fe.APIError("BAD_REQUEST",{message:"Invalid token"})}let n=M.z.object({email:M.z.string().email(),updateTo:M.z.string().optional()}).parse(r.payload);if(!await e.context.internalAdapter.findUserByEmail(n.email))throw new fe.APIError("BAD_REQUEST",{message:"User not found"});if(n.updateTo){let a=await D(e);if(!a)throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=unauthorized`):new fe.APIError("UNAUTHORIZED",{message:"Session not found"});if(a.user.email!==n.email)throw 
e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=unauthorized`):new fe.APIError("UNAUTHORIZED",{message:"Invalid session"});let s=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.(s,`${e.context.baseURL}/verify-email?token=${t}`,t),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:s,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});var Ao=u("/sign-in/social",{method:"POST",requireHeaders:!0,query:N.z.object({currentURL:N.z.string().optional()}).optional(),body:N.z.object({callbackURL:N.z.string().optional(),provider:N.z.enum(Xe)})},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new $.APIError("NOT_FOUND",{message:"Provider not found"});let{codeVerifier:r,state:o}=await ke(e),n=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:n.toString(),redirect:!0})}),ko=u("/sign-in/email",{method:"POST",body:N.z.object({email:N.z.string(),password:N.z.string(),callbackURL:N.z.string().optional(),dontRememberMe:N.z.boolean().default(!1).optional()})},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. 
Check `https://better-auth.com/docs/authentication/email-password` for more!"),new $.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!N.z.string().email().safeParse(t).success)throw new $.APIError("BAD_REQUEST",{message:"Invalid email"});if(!N.z.string().email().safeParse(t).success)throw new $.APIError("BAD_REQUEST",{message:"Invalid email"});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let a=i.accounts.find(l=>l.providerId==="credential");if(!a)throw e.context.logger.error("Credential account not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let s=a?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(s,r))throw e.context.logger.error("Invalid password"),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw y.error("Email verification is required but no email verification handler is provided"),new $.APIError("INTERNAL_SERVER_ERROR",{message:"Email is not verified."});let l=await ie(e.context.secret,i.user.email),p=`${e.context.options.baseURL}/verify-email?token=${l}`;throw await e.context.options.emailVerification.sendVerificationEmail(i.user,p,l),e.context.logger.error("Email not verified",{email:t}),new $.APIError("FORBIDDEN",{message:"Email is not verified. 
Check your email for a verification link"})}let c=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.dontRememberMe);if(!c)throw e.context.logger.error("Failed to create session"),new $.APIError("UNAUTHORIZED",{message:"Failed to create session"});return await w(e,{session:c,user:i.user},e.body.dontRememberMe),e.json({user:i.user,session:c,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var xe=require("zod");var O=require("zod"),As=O.z.object({id:O.z.string(),providerId:O.z.string(),accountId:O.z.string(),userId:O.z.string(),accessToken:O.z.string().nullable().optional(),refreshToken:O.z.string().nullable().optional(),idToken:O.z.string().nullable().optional(),expiresAt:O.z.date().nullable().optional(),password:O.z.string().optional().nullable()}),tt=O.z.object({id:O.z.string(),email:O.z.string().transform(e=>e.toLowerCase()),emailVerified:O.z.boolean().default(!1),name:O.z.string(),image:O.z.string().optional(),createdAt:O.z.date().default(new Date),updatedAt:O.z.date().default(new Date)}),ks=O.z.object({id:O.z.string(),userId:O.z.string(),expiresAt:O.z.date(),ipAddress:O.z.string().optional(),userAgent:O.z.string().optional()}),Os=O.z.object({id:O.z.string(),value:O.z.string(),expiresAt:O.z.date(),identifier:O.z.string()});var Oo=u("/callback/:id",{method:"GET",query:xe.z.object({state:xe.z.string(),code:xe.z.string().optional(),error:xe.z.string().optional()}),metadata:pe},async e=>{if(!e.query.code)throw e.redirect(`${e.context.baseURL}/error?error=${e.query.error||"no_code"}`);let t=e.context.socialProviders.find(A=>A.id===e.params.id);if(!t)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:r,callbackURL:o,link:n,errorURL:i}=await Ye(e),a;try{a=await t.validateAuthorizationCode({code:e.query.code,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`})}catch(A){throw 
e.context.logger.error(A),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let s=await t.getUserInfo(a).then(A=>A?.user),d=z(),c=tt.safeParse({...s,id:d});if(!s||c.success===!1)throw y.error("Unable to get user info",c.error),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(!o)throw y.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(n){if(n.email!==s.email.toLowerCase())return l("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:n.userId,providerId:t.id,accountId:s.id}))return l("unable_to_link_account");let h;try{h=new URL(o).toString()}catch{h=o}throw e.redirect(h)}function l(A){throw e.redirect(`${i||o||`${e.context.baseURL}/error`}?error=${A}`)}let p=await e.context.internalAdapter.findUserByEmail(s.email,{includeAccounts:!0}).catch(A=>{throw y.error(`Better auth was unable to query your database.
3
- Error: `,A),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),m=p?.user;if(p){let A=p.accounts.find(h=>h.providerId===t.id);if(A)await e.context.internalAdapter.updateAccount(A.id,{accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt});else{(!e.context.options.account?.accountLinking?.trustedProviders?.includes(t.id)&&!s.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)&&(xt&&y.warn(`User already exist but account isn't linked to ${t.id}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),l("account_not_linked"));try{await e.context.internalAdapter.linkAccount({providerId:t.id,accountId:s.id.toString(),id:`${t.id}:${s.id}`,userId:p.user.id,accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt})}catch(be){y.error("Unable to link account",be),l("unable_to_link_account")}}}else try{let A=s.emailVerified||!1;if(m=await e.context.internalAdapter.createOAuthUser({...c.data,emailVerified:A},{accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt,providerId:t.id,accountId:s.id.toString()}).then(h=>h?.user),!A&&m&&e.context.options.emailVerification?.sendOnSignUp){let h=await ie(e.context.secret,m.email),_=`${e.context.baseURL}/verify-email?token=${h}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.(m,_,h)}}catch(A){y.error("Unable to create user",A),l("unable_to_create_user")}if(!m)return l("unable_to_create_user");let f=await e.context.internalAdapter.createSession(m.id,e.request);f||l("unable_to_create_session"),await w(e,{session:f,user:m});let k;try{k=new URL(o).toString()}catch{k=o}throw e.redirect(k)});var Bs=require("zod");var wr=require("better-call"),vo=u("/sign-out",{method:"POST"},async e=>{let t=await 
e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw new wr.APIError("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),te(e),e.json({success:!0})});var Q=require("zod");var Le=require("better-call");function yr(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}function Eo(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}var Ro=u("/forget-password",{method:"POST",body:Q.z.object({email:Q.z.string().email(),redirectTo:Q.z.string()})},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new Le.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let n=60*60*1,i=new Date(Date.now()+1e3*(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||n)),a=e.context.uuid();await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:i});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword(o.user,s),e.json({status:!0})}),Io=u("/reset-password/:token",{method:"GET",query:Q.z.object({callbackURL:Q.z.string()})},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(yr(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new 
Date?e.redirect(yr(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Eo(e.context,r,{token:t}))}),To=u("/reset-password",{query:Q.z.optional(Q.z.object({token:Q.z.string().optional(),currentURL:Q.z.string().optional()})),method:"POST",body:Q.z.object({newPassword:Q.z.string()})},async e=>{let t=e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new Le.APIError("BAD_REQUEST",{message:"Token not found"});let{newPassword:r}=e.body,o=`reset-password:${t}`,n=await e.context.internalAdapter.findVerificationValue(o);if(!n||n.expiresAt<new Date)throw new Le.APIError("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(n.id);let i=n.value,a=await e.context.password.hash(r);if(!(await e.context.internalAdapter.findAccounts(i)).find(l=>l.providerId==="credential"))return await e.context.internalAdapter.createAccount({userId:i,providerId:"credential",password:a,accountId:e.context.uuid()}),e.json({status:!0});if(!await e.context.internalAdapter.updatePassword(i,a))throw new Le.APIError("BAD_REQUEST",{message:"Failed to update password"});return e.json({status:!0})});var j=require("zod");var x=require("better-call");var So=u("/change-password",{method:"POST",body:j.z.object({newPassword:j.z.string(),currentPassword:j.z.string(),revokeOtherSessions:j.z.boolean().optional()}),use:[b]},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,n=e.context.session,i=e.context.password.config.minPasswordLength;if(t.length<i)throw e.context.logger.error("Password is too short"),new x.APIError("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new x.APIError("BAD_REQUEST",{message:"Password too long"});let d=(await e.context.internalAdapter.findAccounts(n.user.id)).find(p=>p.providerId==="credential"&&p.password);if(!d||!d.password)throw new 
x.APIError("BAD_REQUEST",{message:"User does not have a password"});let c=await e.context.password.hash(t);if(!await e.context.password.verify(d.password,r))throw new x.APIError("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(d.id,{password:c}),o){await e.context.internalAdapter.deleteSessions(n.user.id);let p=await e.context.internalAdapter.createSession(n.user.id,e.headers);if(!p)throw new x.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await w(e,{session:p,user:n.user})}return e.json(n.user)}),Po=u("/set-password",{method:"POST",body:j.z.object({newPassword:j.z.string()}),metadata:{SERVER_ONLY:!0},use:[b]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new x.APIError("BAD_REQUEST",{message:"Password is too short"});let n=e.context.password.config.maxPasswordLength;if(t.length>n)throw e.context.logger.error("Password is too long"),new x.APIError("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(d=>d.providerId==="credential"&&d.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:s}),e.json(r.user);throw new x.APIError("BAD_REQUEST",{message:"user already has a password"})}),_o=u("/delete-user",{method:"POST",body:j.z.object({password:j.z.string()}),use:[b]},async e=>{let{password:t}=e.body,r=e.context.session,n=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password);if(!n||!n.password)throw new x.APIError("BAD_REQUEST",{message:"User does not have a password"});if(!await e.context.password.verify(n.password,t))throw new x.APIError("BAD_REQUEST",{message:"Incorrect password"});return await 
e.context.internalAdapter.deleteUser(r.user.id),await e.context.internalAdapter.deleteSessions(r.user.id),te(e),e.json(null)}),Co=u("/change-email",{method:"POST",query:j.z.object({currentURL:j.z.string().optional()}).optional(),body:j.z.object({newEmail:j.z.string().email(),callbackURL:j.z.string().optional()}),use:[b]},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new x.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new x.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new x.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let n=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:n,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new x.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await ie(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification(e.context.session.user,e.body.newEmail,o,r),e.json({user:null,status:!0})});var zo=(e="Unknown")=>`<!DOCTYPE html>
1
+ "use strict";var ro=Object.create;var He=Object.defineProperty;var oo=Object.getOwnPropertyDescriptor;var no=Object.getOwnPropertyNames;var io=Object.getPrototypeOf,so=Object.prototype.hasOwnProperty;var ao=(e,t)=>{for(var r in t)He(e,r,{get:t[r],enumerable:!0})},Dt=(e,t,r,o)=>{if(t&&typeof t=="object"||typeof t=="function")for(let n of no(t))!so.call(e,n)&&n!==r&&He(e,n,{get:()=>t[n],enumerable:!(o=oo(t,n))||o.enumerable});return e};var xt=(e,t,r)=>(r=e!=null?ro(io(e)):{},Dt(t||!e||!e.__esModule?He(r,"default",{value:e,enumerable:!0}):r,e)),co=e=>Dt(He({},"__esModule",{value:!0}),e);var kn={};ao(kn,{HIDE_METADATA:()=>pe,admin:()=>fn,adminMiddleware:()=>K,anonymous:()=>mn,bearer:()=>cn,createAuthEndpoint:()=>u,createAuthMiddleware:()=>S,emailOTP:()=>bn,genericOAuth:()=>hn,getPasskeyActions:()=>Gr,jwt:()=>wn,magicLink:()=>un,multiSession:()=>yn,oneTap:()=>An,optionsMiddleware:()=>lt,organization:()=>Wo,passkey:()=>dn,passkeyClient:()=>an,phoneNumber:()=>pn,twoFactor:()=>on,twoFactorClient:()=>rn,username:()=>_t});module.exports=co(kn);var bt=require("better-call"),Te=require("zod");var le=require("better-call"),lt=(0,le.createMiddleware)(async()=>({})),S=(0,le.createMiddlewareCreator)({use:[lt,(0,le.createMiddleware)(async()=>({}))]}),u=(0,le.createEndpointCreator)({use:[lt]});var $=require("better-call"),N=require("zod");var po=require("oslo");var G=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r}};var We=Object.create(null),De=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?We:globalThis),Ge=new Proxy(We,{get(e,t){return De()[t]??We[t]},has(e,t){let r=De();return t in r||t in We},set(e,t,r){let o=De(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=De(!0);return delete r[t],!0},ownKeys(){let e=De(!0);return Object.keys(e)}});function uo(e){return e?e!=="false":!1}var pt=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var 
Lt=pt==="dev"||pt==="development",lo=pt==="test"||uo(Ge.TEST);async function w(e,t,r,o){let n=e.context.authCookies.sessionToken.options;n.maxAge=r?void 0:e.context.sessionConfig.expiresIn,await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.id,e.context.secret,{...n,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&await e.setSignedCookie(e.context.authCookies.sessionData.name,JSON.stringify(t),e.context.secret,e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.id,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function te(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{maxAge:0})}function jt(e){let t=new Map;return e.split(", ").forEach(o=>{let[n,...i]=o.split("; "),[a,s]=n.split("="),d={value:s};i.forEach(c=>{let[l,p]=c.split("=");d[l.toLowerCase()]=p||!0}),t.set(a,d)}),t}function Ke(e){let t=e.split("; "),r=new Map;return t.forEach(o=>{let[n,i]=o.split("=");r.set(n,i)}),r}var Ht=require("oslo/jwt");var Nt=require("oslo/crypto"),Ft=require("oslo/encoding");var C=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function Vt(e){let t=await(0,Nt.sha256)(new TextEncoder().encode(e));return Ft.base64url.encode(new Uint8Array(t),{includePadding:!1})}function qt(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?C(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function I({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:n,scopes:i,claims:a,disablePkce:s,redirectURI:d}){let 
c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",o),c.searchParams.set("scope",i.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||d),!s&&n){let l=await Vt(n);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",l)}if(a){let l=a.reduce((p,m)=>(p[m]=null,p),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...l}}))}return c}var Mt=require("@better-fetch/fetch");async function v({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:n}){let i=new URLSearchParams;i.set("grant_type","authorization_code"),i.set("code",e),t&&i.set("code_verifier",t),i.set("redirect_uri",r),i.set("client_id",o.clientId),i.set("client_secret",o.clientSecret);let{data:a,error:s}=await(0,Mt.betterFetch)(n,{method:"POST",body:i,headers:{"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"}});if(s)throw s;return qt(a)}var Ze=require("oslo/oauth2"),re=require("zod"),mt=require("better-call");var pe={isAction:!1};var $t=require("nanoid"),z=e=>(0,$t.nanoid)(e);var Qt=require("consola"),me=(0,Qt.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),mo=e=>({log:(...t)=>{!e?.disabled&&me.log("",...t)},error:(...t)=>{!e?.disabled&&me.error("",...t)},warn:(...t)=>{!e?.disabled&&me.warn("",...t)},info:(...t)=>{!e?.disabled&&me.info("",...t)},debug:(...t)=>{!e?.disabled&&me.debug("",...t)},box:(...t)=>{!e?.disabled&&me.box("",...t)},success:(...t)=>{!e?.disabled&&me.success("",...t)},break:(...t)=>{!e?.disabled&&console.log(`
2
+ `)}}),y=mo();function Je(e){try{return new URL(e).origin}catch{return null}}async function ke(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?Je(e.query?.currentURL):"");if(!r)throw new mt.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,Ze.generateCodeVerifier)(),n=(0,Ze.generateState)(),i=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let s=await e.context.internalAdapter.createVerificationValue({value:i,identifier:n,expiresAt:a});if(!s)throw y.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new mt.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:s.identifier,codeVerifier:o}}async function Ye(e){let t=e.query.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw y.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=re.z.object({callbackURL:re.z.string(),codeVerifier:re.z.string(),errorURL:re.z.string().optional(),expiresAt:re.z.number(),link:re.z.object({email:re.z.string(),userId:re.z.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),y.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Wt=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:n}){let i=o||["email","name","openid"];return e.scope&&i.push(...e.scope),new 
URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${i.join(" ")}&state=${r}`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>v({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(!r.idToken)return null;let o=(0,Ht.parseJWT)(r.idToken)?.payload;return o?{user:{id:o.sub,name:o.name,email:o.email,emailVerified:o.email_verified==="true"},data:o}:null}}};var Gt=require("@better-fetch/fetch");var Kt=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["identify","email"];return e.scope&&n.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${n.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>v({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,Gt.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let n=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${n}`}return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url},data:r}}});var Jt=require("@better-fetch/fetch");var Zt=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["email","public_profile"];return e.scope&&n.push(...e.scope),await 
I({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:n,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>v({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){let{data:r,error:o}=await(0,Jt.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified},data:r}}});var ft=require("@better-fetch/fetch");var Yt=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:n,redirectURI:i}){let a=o||["user:email"];return e.scope&&a.push(...e.scope),I({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,redirectURI:o})=>v({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){let{data:o,error:n}=await(0,ft.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=!1;if(!o.email){let{data:a,error:s}=await(0,ft.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});s||(o.email=(a.find(d=>d.primary)??a[0])?.email,i=a.find(d=>d.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:i},data:o}}}};var Xt=require("oslo/jwt");var er=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){if(!e.clientId||!e.clientSecret)throw y.error("Client Id and Client Secret is required for Google. 
Make sure to provide them in the options."),new G("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new G("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let a=await I({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:o,redirectURI:n});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>v({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async getUserInfo(t){if(!t.idToken)return null;let r=(0,Xt.parseJWT)(t.idToken)?.payload;return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified},data:r}}});var tr=require("@better-fetch/fetch"),rr=require("oslo/jwt");var or=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(n){let i=n.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),I({id:"microsoft",options:e,authorizationEndpoint:r,state:n.state,codeVerifier:n.codeVerifier,scopes:i,redirectURI:n.redirectURI})},validateAuthorizationCode({code:n,codeVerifier:i,redirectURI:a}){return v({code:n,codeVerifier:i,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:o})},async getUserInfo(n){if(!n.idToken)return null;let i=(0,rr.parseJWT)(n.idToken)?.payload,a=e.profilePhotoSize||48;return await(0,tr.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${n.accessToken}`},async onResponse(s){if(!(e.disableProfilePhoto||!s.response.ok))try{let c=await s.response.clone().arrayBuffer(),l=Buffer.from(c).toString("base64");i.picture=`data:image/jpeg;base64, 
${l}`}catch(d){y.error(d)}}}),{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0},data:i}}}};var nr=require("@better-fetch/fetch");var ir=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),I({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:o,redirectURI:n})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>v({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,nr.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1},data:r}}});var vi=require("@better-fetch/fetch");var sr=require("oslo/jwt");var ar=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["user:read:email","openid"];return e.scope&&n.push(...e.scope),I({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:n,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>v({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){let r=t.idToken;if(!r)return y.error("No idToken found in token"),null;let o=(0,sr.parseJWT)(r)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});var dr=require("@better-fetch/fetch");var cr=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["account_info.read"];return 
e.scope&&r.push(...e.scope),I({id:"twitter",options:e,authorizationEndpoint:"https://twitter.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>v({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,dr.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o||!r.data.email?null:{user:{id:r.data.id,name:r.data.name,email:r.data.email,image:r.data.profile_image_url,emailVerified:r.data.verified||!1},data:r}}});var ur=require("@better-fetch/fetch");var lr=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:n,redirectURI:i})=>{let a=o||["account_info.read"];return e.scope&&a.push(...e.scope),await I({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>await v({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){let{data:o,error:n}=await(0,ur.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});return n?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};var pr=require("@better-fetch/fetch");var mr=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:n,redirectURI:i})=>{let a=n||["profile","email","openid"];return e.scope&&a.push(...e.scope),await 
I({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:o,redirectURI:i})},validateAuthorizationCode:async({code:o,redirectURI:n})=>await v({code:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:n,error:i}=await(0,pr.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return i?null:{user:{id:n.sub,name:n.name,email:n.email,emailVerified:n.email_verified||!1,image:n.picture},data:n}}}};var fr=require("@better-fetch/fetch");var gt=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),fo=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:gt(`${t}/oauth/authorize`),tokenEndpoint:gt(`${t}/oauth/token`),userinfoEndpoint:gt(`${t}/api/v4/user`)}},gr=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=fo(e.issuer),n="gitlab";return{id:n,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:s,codeVerifier:d,redirectURI:c})=>{let l=s||["read_user"];return e.scope&&l.push(...e.scope),await I({id:n,options:e,authorizationEndpoint:t,scopes:l,state:a,redirectURI:c,codeVerifier:d})},validateAuthorizationCode:async({code:a,redirectURI:s})=>v({code:a,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:r}),async getUserInfo(a){let{data:s,error:d}=await(0,fr.betterFetch)(o,{headers:{authorization:`Bearer ${a.accessToken}`}});return d||s.state!=="active"||s.locked?null:{user:{id:s.id.toString(),name:s.name??s.username,email:s.email,image:s.avatar_url,emailVerified:!0},data:s}}}};var go={apple:Wt,discord:Kt,facebook:Zt,github:Yt,microsoft:or,google:er,spotify:ir,twitch:ar,twitter:cr,dropbox:lr,linkedin:mr,gitlab:gr},Xe=Object.keys(go);var wr=require("oslo"),et=require("oslo/jwt"),M=require("zod");var fe=require("better-call");var Oe=require("better-call");var ve=require("zod"),hr=()=>u("/get-session",{method:"GET",query:ve.z.optional(ve.z.object({disableCookieCache:ve.z.boolean().optional()})),requireHeaders:!0},async 
e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null,{status:401});let r=await e.getSignedCookie(e.context.authCookies.sessionData.name,e.context.secret),o=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(r&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let c=JSON.parse(r)?.session;if(c?.expiresAt>new Date)return e.json(c)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return te(e),n&&await e.context.internalAdapter.deleteSession(n.session.id),e.json(null,{status:401});if(o)return e.json(n);let i=e.context.sessionConfig.expiresIn,a=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-i*1e3+a*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.id,{expiresAt:C(e.context.sessionConfig.expiresIn,"sec")});if(!c)return te(e),e.json(null,{status:401});let l=(c.expiresAt.valueOf()-Date.now())/1e3;return await w(e,{session:c,user:n.user},!1,{maxAge:l}),e.json({session:c,user:n.user})}return e.json(n)}catch(t){return e.context.logger.error(t),e.json(null,{status:500})}}),D=async e=>await hr()({...e,_flag:"json",headers:e.headers}),b=S(async e=>{let t=await D(e);if(!t?.session)throw new Oe.APIError("UNAUTHORIZED");return{session:t}});var ho=u("/revoke-session",{method:"POST",body:ve.z.object({id:ve.z.string()}),use:[b],requireHeaders:!0},async e=>{let t=e.body.id,r=await e.context.internalAdapter.findSession(t);if(!r)throw new Oe.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new Oe.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o),new Oe.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),wo=u("/revoke-sessions",{method:"POST",use:[b],requireHeaders:!0},async e=>{try{await 
e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t),new Oe.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})});async function ie(e,t,r){return await(0,et.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new wr.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var yo=u("/send-verification-email",{method:"POST",query:M.z.object({currentURL:M.z.string().optional()}).optional(),body:M.z.object({email:M.z.string().email(),callbackURL:M.z.string().optional()})},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new fe.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new fe.APIError("BAD_REQUEST",{message:"User not found"});let o=await ie(e.context.secret,t),n=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailVerification.sendVerificationEmail(r.user,n,o),e.json({status:!0})}),bo=u("/verify-email",{method:"GET",query:M.z.object({token:M.z.string(),callbackURL:M.z.string().optional()})},async e=>{let{token:t}=e.query,r;try{r=await(0,et.validateJWT)("HS256",Buffer.from(e.context.secret),t)}catch(a){throw e.context.logger.error("Failed to verify email",a),new fe.APIError("BAD_REQUEST",{message:"Invalid token"})}let n=M.z.object({email:M.z.string().email(),updateTo:M.z.string().optional()}).parse(r.payload);if(!await e.context.internalAdapter.findUserByEmail(n.email))throw new fe.APIError("BAD_REQUEST",{message:"User not found"});if(n.updateTo){let a=await D(e);if(!a)throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=unauthorized`):new fe.APIError("UNAUTHORIZED",{message:"Session not found"});if(a.user.email!==n.email)throw 
e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=unauthorized`):new fe.APIError("UNAUTHORIZED",{message:"Invalid session"});let s=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.(s,`${e.context.baseURL}/verify-email?token=${t}`,t),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:s,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});var Ao=u("/sign-in/social",{method:"POST",requireHeaders:!0,query:N.z.object({currentURL:N.z.string().optional()}).optional(),body:N.z.object({callbackURL:N.z.string().optional(),provider:N.z.enum(Xe)})},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new $.APIError("NOT_FOUND",{message:"Provider not found"});let{codeVerifier:r,state:o}=await ke(e),n=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:n.toString(),redirect:!0})}),ko=u("/sign-in/email",{method:"POST",body:N.z.object({email:N.z.string(),password:N.z.string(),callbackURL:N.z.string().optional(),dontRememberMe:N.z.boolean().default(!1).optional()})},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. 
Check `https://better-auth.com/docs/authentication/email-password` for more!"),new $.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!N.z.string().email().safeParse(t).success)throw new $.APIError("BAD_REQUEST",{message:"Invalid email"});if(!N.z.string().email().safeParse(t).success)throw new $.APIError("BAD_REQUEST",{message:"Invalid email"});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let a=i.accounts.find(l=>l.providerId==="credential");if(!a)throw e.context.logger.error("Credential account not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let s=a?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(s,r))throw e.context.logger.error("Invalid password"),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw y.error("Email verification is required but no email verification handler is provided"),new $.APIError("INTERNAL_SERVER_ERROR",{message:"Email is not verified."});let l=await ie(e.context.secret,i.user.email),p=`${e.context.options.baseURL}/verify-email?token=${l}`;throw await e.context.options.emailVerification.sendVerificationEmail(i.user,p,l),e.context.logger.error("Email not verified",{email:t}),new $.APIError("FORBIDDEN",{message:"Email is not verified. 
Check your email for a verification link"})}let c=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.dontRememberMe);if(!c)throw e.context.logger.error("Failed to create session"),new $.APIError("UNAUTHORIZED",{message:"Failed to create session"});return await w(e,{session:c,user:i.user},e.body.dontRememberMe),e.json({user:i.user,session:c,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var xe=require("zod");var O=require("zod"),As=O.z.object({id:O.z.string(),providerId:O.z.string(),accountId:O.z.string(),userId:O.z.string(),accessToken:O.z.string().nullable().optional(),refreshToken:O.z.string().nullable().optional(),idToken:O.z.string().nullable().optional(),expiresAt:O.z.date().nullable().optional(),password:O.z.string().optional().nullable()}),tt=O.z.object({id:O.z.string(),email:O.z.string().transform(e=>e.toLowerCase()),emailVerified:O.z.boolean().default(!1),name:O.z.string(),image:O.z.string().optional(),createdAt:O.z.date().default(new Date),updatedAt:O.z.date().default(new Date)}),ks=O.z.object({id:O.z.string(),userId:O.z.string(),expiresAt:O.z.date(),ipAddress:O.z.string().optional(),userAgent:O.z.string().optional()}),Os=O.z.object({id:O.z.string(),value:O.z.string(),expiresAt:O.z.date(),identifier:O.z.string()});var Oo=u("/callback/:id",{method:"GET",query:xe.z.object({state:xe.z.string(),code:xe.z.string().optional(),error:xe.z.string().optional()}),metadata:pe},async e=>{if(!e.query.code)throw e.redirect(`${e.context.baseURL}/error?error=${e.query.error||"no_code"}`);let t=e.context.socialProviders.find(A=>A.id===e.params.id);if(!t)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:r,callbackURL:o,link:n,errorURL:i}=await Ye(e),a;try{a=await t.validateAuthorizationCode({code:e.query.code,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`})}catch(A){throw 
e.context.logger.error(A),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let s=await t.getUserInfo(a).then(A=>A?.user),d=z(),c=tt.safeParse({...s,id:d});if(!s||c.success===!1)throw y.error("Unable to get user info",c.error),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(!o)throw y.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(n){if(n.email!==s.email.toLowerCase())return l("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:n.userId,providerId:t.id,accountId:s.id}))return l("unable_to_link_account");let h;try{h=new URL(o).toString()}catch{h=o}throw e.redirect(h)}function l(A){throw e.redirect(`${i||o||`${e.context.baseURL}/error`}?error=${A}`)}let p=await e.context.internalAdapter.findUserByEmail(s.email,{includeAccounts:!0}).catch(A=>{throw y.error(`Better auth was unable to query your database.
3
+ Error: `,A),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),m=p?.user;if(p){let A=p.accounts.find(h=>h.providerId===t.id);if(A)await e.context.internalAdapter.updateAccount(A.id,{accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt});else{(!e.context.options.account?.accountLinking?.trustedProviders?.includes(t.id)&&!s.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)&&(Lt&&y.warn(`User already exist but account isn't linked to ${t.id}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),l("account_not_linked"));try{await e.context.internalAdapter.linkAccount({providerId:t.id,accountId:s.id.toString(),id:`${t.id}:${s.id}`,userId:p.user.id,accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt})}catch(be){y.error("Unable to link account",be),l("unable_to_link_account")}}}else try{let A=s.emailVerified||!1;if(m=await e.context.internalAdapter.createOAuthUser({...c.data,emailVerified:A},{accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt,providerId:t.id,accountId:s.id.toString()}).then(h=>h?.user),!A&&m&&e.context.options.emailVerification?.sendOnSignUp){let h=await ie(e.context.secret,m.email),_=`${e.context.baseURL}/verify-email?token=${h}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.(m,_,h)}}catch(A){y.error("Unable to create user",A),l("unable_to_create_user")}if(!m)return l("unable_to_create_user");let f=await e.context.internalAdapter.createSession(m.id,e.request);f||l("unable_to_create_session"),await w(e,{session:f,user:m});let k;try{k=new URL(o).toString()}catch{k=o}throw e.redirect(k)});var Bs=require("zod");var yr=require("better-call"),vo=u("/sign-out",{method:"POST"},async e=>{let t=await 
e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw new yr.APIError("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),te(e),e.json({success:!0})});var Q=require("zod");var Le=require("better-call");function br(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}function Eo(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}var Ro=u("/forget-password",{method:"POST",body:Q.z.object({email:Q.z.string().email(),redirectTo:Q.z.string()})},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new Le.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let n=60*60*1,i=new Date(Date.now()+1e3*(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||n)),a=e.context.uuid();await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:i});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword(o.user,s),e.json({status:!0})}),Io=u("/reset-password/:token",{method:"GET",query:Q.z.object({callbackURL:Q.z.string()})},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(br(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new 
Date?e.redirect(br(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Eo(e.context,r,{token:t}))}),To=u("/reset-password",{query:Q.z.optional(Q.z.object({token:Q.z.string().optional(),currentURL:Q.z.string().optional()})),method:"POST",body:Q.z.object({newPassword:Q.z.string()})},async e=>{let t=e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new Le.APIError("BAD_REQUEST",{message:"Token not found"});let{newPassword:r}=e.body,o=`reset-password:${t}`,n=await e.context.internalAdapter.findVerificationValue(o);if(!n||n.expiresAt<new Date)throw new Le.APIError("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(n.id);let i=n.value,a=await e.context.password.hash(r);if(!(await e.context.internalAdapter.findAccounts(i)).find(l=>l.providerId==="credential"))return await e.context.internalAdapter.createAccount({userId:i,providerId:"credential",password:a,accountId:e.context.uuid()}),e.json({status:!0});if(!await e.context.internalAdapter.updatePassword(i,a))throw new Le.APIError("BAD_REQUEST",{message:"Failed to update password"});return e.json({status:!0})});var j=require("zod");var x=require("better-call");var So=u("/change-password",{method:"POST",body:j.z.object({newPassword:j.z.string(),currentPassword:j.z.string(),revokeOtherSessions:j.z.boolean().optional()}),use:[b]},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,n=e.context.session,i=e.context.password.config.minPasswordLength;if(t.length<i)throw e.context.logger.error("Password is too short"),new x.APIError("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new x.APIError("BAD_REQUEST",{message:"Password too long"});let d=(await e.context.internalAdapter.findAccounts(n.user.id)).find(p=>p.providerId==="credential"&&p.password);if(!d||!d.password)throw new 
x.APIError("BAD_REQUEST",{message:"User does not have a password"});let c=await e.context.password.hash(t);if(!await e.context.password.verify(d.password,r))throw new x.APIError("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(d.id,{password:c}),o){await e.context.internalAdapter.deleteSessions(n.user.id);let p=await e.context.internalAdapter.createSession(n.user.id,e.headers);if(!p)throw new x.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await w(e,{session:p,user:n.user})}return e.json(n.user)}),Po=u("/set-password",{method:"POST",body:j.z.object({newPassword:j.z.string()}),metadata:{SERVER_ONLY:!0},use:[b]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new x.APIError("BAD_REQUEST",{message:"Password is too short"});let n=e.context.password.config.maxPasswordLength;if(t.length>n)throw e.context.logger.error("Password is too long"),new x.APIError("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(d=>d.providerId==="credential"&&d.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:s}),e.json(r.user);throw new x.APIError("BAD_REQUEST",{message:"user already has a password"})}),_o=u("/delete-user",{method:"POST",body:j.z.object({password:j.z.string()}),use:[b]},async e=>{let{password:t}=e.body,r=e.context.session,n=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password);if(!n||!n.password)throw new x.APIError("BAD_REQUEST",{message:"User does not have a password"});if(!await e.context.password.verify(n.password,t))throw new x.APIError("BAD_REQUEST",{message:"Incorrect password"});return await 
e.context.internalAdapter.deleteUser(r.user.id),await e.context.internalAdapter.deleteSessions(r.user.id),te(e),e.json(null)}),Co=u("/change-email",{method:"POST",query:j.z.object({currentURL:j.z.string().optional()}).optional(),body:j.z.object({newEmail:j.z.string().email(),callbackURL:j.z.string().optional()}),use:[b]},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new x.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new x.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new x.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let n=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:n,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new x.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await ie(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification(e.context.session.user,e.body.newEmail,o,r),e.json({user:null,status:!0})});var zo=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>
6
6
  <meta charset="UTF-8">
@@ -80,6 +80,6 @@ Error: `,A),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)
80
80
  <div class="error-code">Error Code: <span id="errorCode">${e}</span></div>
81
81
  </div>
82
82
  </body>
83
- </html>`,Bo=u("/error",{method:"GET",metadata:pe},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(zo(t),{headers:{"Content-Type":"text/html"}})});var Do=u("/ok",{method:"GET",metadata:pe},async e=>e.json({ok:!0}));var xo=require("zod");var Lo=require("better-call");var Ee=require("zod");var ht=require("better-call");var jo=u("/list-accounts",{method:"GET",use:[b]},async e=>{let t=e.context.session,r=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(r)}),No=u("/link-social",{method:"POST",requireHeaders:!0,query:Ee.z.object({currentURL:Ee.z.string().optional()}).optional(),body:Ee.z.object({callbackURL:Ee.z.string().optional(),provider:Ee.z.enum(Xe)}),use:[b]},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new ht.APIError("BAD_REQUEST",{message:"Social Account is already linked."});let n=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!n)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new ht.APIError("NOT_FOUND",{message:"Provider not found"});let i=await ke(e,{userId:t.user.id,email:t.user.email}),a=await n.createAuthorizationURL({state:i.state,codeVerifier:i.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${n.id}`});return e.json({url:a.toString(),redirect:!0})});var br=(e,t)=>{let r={};for(let[o,n]of Object.entries(e))r[o]=i=>n({...i,context:{...t,...i.context}}),r[o].path=n.path,r[o].method=n.method,r[o].options=n.options,r[o].headers=n.headers;return r};var Re=class extends Error{path;constructor(t,r){super(t),this.path=r}},rt=class{constructor(t){this.s=t;this.statements=t}statements;newRole(t){return new ot(t)}},ot=class e{statements;constructor(t){this.statements=t}authorize(t,r){for(let[o,n]of Object.entries(t)){let i=this.statements[o];if(!i)return{success:!1,error:`You are not allowed to access resource: ${o}`};let a=r==="OR"?n.some(s=>i.includes(s)):n.every(s=>i.includes(s));return a?{success:a}:{success:!1,error:`unauthorized to access resource "${o}"`}}return{success:!1,error:"Not authorized"}}static fromString(t){let r=JSON.parse(t);if(typeof r!="object")throw new Re("statements is not an object",".");for(let[o,n]of Object.entries(r)){if(typeof o!="string")throw new Re("invalid resource identifier",o);if(!Array.isArray(n))throw new Re("actions is not an array",o);for(let i=0;i<n.length;i++)if(typeof n[i]!="string")throw new Re("action is not a string",`${o}[${i}]`)}return new e(r)}toString(){return JSON.stringify(this.statements)}};var Fo=e=>new 
rt(e),Vo={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},wt=Fo(Vo),qo=wt.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),Mo=wt.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),$o=wt.newRole({organization:[],member:[],invitation:[]}),Ar={admin:qo,owner:Mo,member:$o};var P=(e,t)=>{let r=e.adapter;return{findOrganizationBySlug:async o=>await r.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let n=await r.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),i=await r.create({model:"member",data:{id:z(),organizationId:n.id,userId:o.user.id,createdAt:new Date,email:o.user.email,role:t?.creatorRole||"owner"}});return{...n,metadata:n.metadata?JSON.parse(n.metadata):void 0,members:[{...i,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let n=await r.findOne({model:"member",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},findMemberByOrgId:async o=>{let[n,i]=await Promise.all([await r.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:o.userId}]})]);return!i||!n?null:{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}},findMemberById:async o=>{let n=await r.findOne({model:"member",where:[{field:"id",value:o}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return 
i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},createMember:async o=>await r.create({model:"member",data:o}),updateMember:async(o,n)=>await r.update({model:"member",where:[{field:"id",value:o}],update:{role:n}}),deleteMember:async o=>await r.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,n)=>await r.update({model:"organization",where:[{field:"id",value:o}],update:n}),deleteOrganization:async o=>(await r.delete({model:"member",where:[{field:"organizationId",value:o}]}),await r.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await r.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,n)=>await r.update({model:e.tables.session.tableName,where:[{field:"id",value:o}],update:{activeOrganizationId:n}}),findOrganizationById:async o=>await r.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async(o,n)=>{let[i,a,s]=await Promise.all([r.findOne({model:"organization",where:[{field:"id",value:o}]}),r.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),r.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!i)return null;let d=s.map(m=>m.userId),c=await r.findMany({model:e.tables.user.tableName,where:[{field:"id",value:d,operator:"in"}]}),l=new Map(c.map(m=>[m.id,m])),p=s.map(m=>{let f=l.get(m.userId);if(!f)throw new G("Unexpected error: User not found for member");return{...m,user:{id:f.id,name:f.name,email:f.email,image:f.image}}});return{...i,invitations:a,members:p}},listOrganizations:async o=>{let n=await r.findMany({model:"member",where:[{field:"userId",value:o}]});if(!n||n.length===0)return[];let i=n.map(s=>s.organizationId);return await r.findMany({model:"organization",where:[{field:"id",value:i,operator:"in"}]})},createInvitation:async({invitation:o,user:n})=>{let a=C(t?.invitationExpiresIn||1728e5);return await 
r.create({model:"invitation",data:{id:z(),email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:n.id}})},findInvitationById:async o=>await r.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await r.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(i=>new Date(i.expiresAt)>new Date),updateInvitation:async o=>await r.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};var hd=require("better-call");var yt=require("better-call");var kr=require("better-call");var Qo=S(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,n=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL,a=t?.redirectTo,s=r?.currentURL,d=o.trustedOrigins,c=e.headers?.has("cookie"),l=(p,m)=>{if(!d.some(k=>p?.startsWith(k)||p?.startsWith("/")&&m!=="origin"))throw y.error(`Invalid ${m}: ${p}`),y.info(`If it's a valid URL, please add ${p} to trustedOrigins in your auth config
84
- `,`Current list of trustedOrigins: ${d}`),new kr.APIError("FORBIDDEN",{message:`Invalid ${m}`})};c&&!e.context.options.advanced?.disableCSRFCheck&&l(n,"origin"),i&&l(i,"callbackURL"),a&&l(a,"redirectURL"),s&&l(s,"currentURL")});var E=require("better-call");var B=S(async e=>({})),L=S({use:[b]},async e=>({session:e.context.session}));var F=require("zod");var R=require("zod"),nt=R.z.enum(["admin","member","owner"]),Ho=R.z.enum(["pending","accepted","rejected","canceled"]).default("pending"),Ad=R.z.object({id:R.z.string(),name:R.z.string(),slug:R.z.string(),logo:R.z.string().optional(),metadata:R.z.record(R.z.string()).or(R.z.string().transform(e=>JSON.parse(e))).optional(),createdAt:R.z.date()}),kd=R.z.object({id:R.z.string(),email:R.z.string(),organizationId:R.z.string(),userId:R.z.string(),role:nt,createdAt:R.z.date()}),Od=R.z.object({id:R.z.string(),organizationId:R.z.string(),email:R.z.string(),role:nt,status:Ho,inviterId:R.z.string(),expiresAt:R.z.date()});var T=require("better-call"),Or=u("/organization/invite-member",{method:"POST",use:[B,L],body:F.z.object({email:F.z.string(),role:nt,organizationId:F.z.string().optional(),resend:F.z.boolean().optional()})},async e=>{if(!e.context.orgOptions.sendInvitationEmail)throw y.warn("Invitation email is not enabled. 
Pass `sendInvitationEmail` to the plugin options to enable it."),new T.APIError("BAD_REQUEST",{message:"Invitation email is not enabled"});let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)throw new T.APIError("BAD_REQUEST",{message:"Organization not found"});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new T.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new T.APIError("BAD_REQUEST",{message:"Role not found!"});if(i.authorize({invitation:["create"]}).error)throw new T.APIError("FORBIDDEN",{message:"You are not allowed to invite members"});if(await o.findMemberByEmail({email:e.body.email,organizationId:r}))throw new T.APIError("BAD_REQUEST",{message:"User is already a member of this organization"});if((await o.findPendingInvitation({email:e.body.email,organizationId:r})).length&&!e.body.resend)throw new T.APIError("BAD_REQUEST",{message:"User is already invited to this organization"});let c=await o.createInvitation({invitation:{role:e.body.role,email:e.body.email,organizationId:r},user:t.user}),l=await o.findOrganizationById(r);if(!l)throw new T.APIError("BAD_REQUEST",{message:"Organization not found"});return await e.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:t.user}},e.request),e.json(c)}),vr=u("/organization/accept-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new T.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),i=await 
r.createMember({id:z(),organizationId:o.organizationId,userId:t.user.id,email:o.email,role:o.role,createdAt:new Date});return await r.setActiveOrganization(t.session.id,o.organizationId),n?e.json({invitation:n,member:i}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),Er=u("/organization/reject-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new T.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:n,member:null})}),Rr=u("/organization/cancel-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o)throw new T.APIError("BAD_REQUEST",{message:"Invitation not found!"});let n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!n)throw new T.APIError("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[n.role].authorize({invitation:["cancel"]}).error)throw new T.APIError("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await r.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),Ir=u("/organization/get-invitation",{method:"GET",use:[B],requireHeaders:!0,query:F.z.object({id:F.z.string()})},async e=>{let t=await D(e);if(!t)throw new T.APIError("UNAUTHORIZED",{message:"Not authenticated"});let r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new 
T.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.findOrganizationById(o.organizationId);if(!n)throw new T.APIError("BAD_REQUEST",{message:"Organization not found"});let i=await r.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!i)throw new T.APIError("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:n.name,organizationSlug:n.slug,inviterEmail:i.email})});var se=require("zod");var Ie=require("better-call"),Tr=u("/organization/remove-member",{method:"POST",body:se.z.object({memberIdOrEmail:se.z.string(),organizationId:se.z.string().optional()}),use:[B,L]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new Ie.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new Ie.APIError("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||n.id===e.body.memberIdOrEmail;if(a&&n.role===(e.context.orgOptions?.creatorRole||"owner"))throw new Ie.APIError("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||i.authorize({member:["delete"]}).success))throw new Ie.APIError("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let c=null;if(e.body.memberIdOrEmail.includes("@")?c=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:r}):c=await o.findMemberById(e.body.memberIdOrEmail),c?.organizationId!==r)throw new Ie.APIError("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(c.id),t.user.id===c.userId&&t.session.activeOrganizationId===c.organizationId&&await 
o.setActiveOrganization(t.session.id,null),e.json({member:c})}),Ur=u("/organization/update-member-role",{method:"POST",body:se.z.object({role:se.z.enum(["admin","member","owner"]),memberId:se.z.string(),organizationId:se.z.string().optional()}),use:[B,L]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"Member not found!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({member:["update"]}).error||e.body.role==="owner"&&n.role!=="owner")return e.json(null,{body:{message:"You are not allowed to update this member"},status:403});let s=await o.updateMember(e.body.memberId,e.body.role);return s?e.json(s):e.json(null,{status:400,body:{message:"Member not found!"}})});var U=require("zod");var ae=require("better-call"),Sr=u("/organization/create",{method:"POST",body:U.z.object({name:U.z.string(),slug:U.z.string(),userId:U.z.string().optional(),logo:U.z.string().optional(),metadata:U.z.record(U.z.string()).optional()}),use:[B,L]},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let r=e.context.orgOptions;if(!(typeof r?.allowUserToCreateOrganization=="function"?await r.allowUserToCreateOrganization(t):r?.allowUserToCreateOrganization===void 0?!0:r.allowUserToCreateOrganization))throw new ae.APIError("FORBIDDEN",{message:"You are not allowed to create an organization"});let n=P(e.context,r),i=await n.listOrganizations(t.id);if(typeof r.organizationLimit=="number"?i.length>=r.organizationLimit:typeof r.organizationLimit=="function"?await r.organizationLimit(t):!1)throw new ae.APIError("FORBIDDEN",{message:"You have reached the organization limit"});if(await 
n.findOrganizationBySlug(e.body.slug))throw new ae.APIError("BAD_REQUEST",{message:"Organization with this slug already exists"});let d=await n.createOrganization({organization:{id:z(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return e.json(d)}),Pr=u("/organization/update",{method:"POST",body:U.z.object({data:U.z.object({name:U.z.string().optional(),slug:U.z.string().optional()}).partial(),orgId:U.z.string().optional()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)throw new ae.APIError("UNAUTHORIZED",{message:"User not found"});let r=e.body.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(r,e.body.data);return e.json(s)}),_r=u("/organization/delete",{method:"POST",body:U.z.object({orgId:U.z.string()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let r=e.body.orgId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["delete"]}).error)throw new ae.APIError("FORBIDDEN",{message:"You are not allowed 
to delete this organization"});return r===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.id,null),await o.deleteOrganization(r),e.json(r)}),Cr=u("/organization/get-full",{method:"GET",query:U.z.optional(U.z.object({orgId:U.z.string().optional()})),requireHeaders:!0,use:[B,L]},async e=>{let t=e.context.session,r=e.query?.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:200});let n=await P(e.context,e.context.orgOptions).findFullOrganization(r,e.context.db||void 0);if(!n)throw new ae.APIError("BAD_REQUEST",{message:"Organization not found"});return e.json(n)}),zr=u("/organization/activate",{method:"POST",body:U.z.object({orgId:U.z.string().nullable().optional()}),use:[L,B]},async e=>{let t=P(e.context,e.context.orgOptions),r=e.context.session,o=e.body.orgId;if(o===null)return r.session.activeOrganizationId&&await t.setActiveOrganization(r.session.id,null),e.json(null);if(!o){let a=r.session.activeOrganizationId;if(!a)return e.json(null);o=a}if(!await t.findMemberByOrgId({userId:r.user.id,organizationId:o}))throw await t.setActiveOrganization(r.session.id,null),new ae.APIError("FORBIDDEN",{message:"You are not a member of this organization"});await t.setActiveOrganization(r.session.id,o);let i=await t.findFullOrganization(o,e.context.db||void 0);return e.json(i)}),Br=u("/organization/list",{method:"GET",use:[B,L]},async e=>{let r=await P(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(r)});var Wo=e=>{let t={createOrganization:Sr,updateOrganization:Pr,deleteOrganization:_r,setActiveOrganization:zr,getFullOrganization:Cr,listOrganization:Br,createInvitation:Or,cancelInvitation:Rr,acceptInvitation:vr,getInvitation:Ir,rejectInvitation:Er,removeMember:Tr,updateMemberRole:Ur},r={...Ar,...e?.roles};return{id:"organization",endpoints:{...br(t,{orgOptions:e||{},roles:r,getSession:async n=>await 
D(n)}),hasPermission:u("/organization/has-permission",{method:"POST",requireHeaders:!0,body:Te.z.object({permission:Te.z.record(Te.z.string(),Te.z.array(Te.z.string()))}),use:[L]},async n=>{if(!n.context.session.session.activeOrganizationId)throw new bt.APIError("BAD_REQUEST",{message:"No active organization"});let a=await P(n.context).findMemberByOrgId({userId:n.context.session.user.id,organizationId:n.context.session.session.activeOrganizationId||""});if(!a)throw new bt.APIError("UNAUTHORIZED",{message:"You are not a member of this organization"});let d=r[a.role].authorize(n.body.permission);return d.error?n.json({error:d.error,success:!1},{status:403}):n.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1}}},organization:{fields:{name:{type:"string",required:!0},slug:{type:"string",unique:!0},logo:{type:"string",required:!1},createdAt:{type:"date",required:!0},metadata:{type:"string",required:!1}}},member:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},userId:{type:"string",required:!0},email:{type:"string",required:!0},role:{type:"string",required:!0,defaultValue:"member"},createdAt:{type:"date",required:!0}}},invitation:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},email:{type:"string",required:!0},role:{type:"string",required:!1},status:{type:"string",required:!0,defaultValue:"pending"},expiresAt:{type:"date",required:!0},inviterId:{type:"string",references:{model:"user",field:"id"},required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};var At=Dt(require("uncrypto"),1);function Go(e){return e.toString(2).padStart(8,"0")}function Ko(e){return[...e].map(t=>Go(t)).join("")}function Dr(e){return parseInt(Ko(e),2)}function Jo(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new 
Uint8Array(Math.ceil(t/8));At.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let n=Dr(o);for(;n>=e;)At.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),n=Dr(o);return n}function V(e,t){let r="";for(let o=0;o<e;o++)r+=t[Jo(t.length)];return r}function q(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var Ve=require("zod");var Ot=require("@noble/ciphers/chacha"),Ue=require("@noble/ciphers/utils"),vt=require("@noble/ciphers/webcrypto"),Et=require("oslo/crypto"),kt=Dt(require("uncrypto"),1);var xr=require("oslo/encoding");var Zo=require("@noble/hashes/scrypt"),Yo=require("uncrypto");async function ge(e,t){let r=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},n=await kt.default.subtle.importKey("raw",r.encode(e),o,!1,["sign","verify"]),i=await kt.default.subtle.sign(o.name,n,r.encode(t));return btoa(String.fromCharCode(...new Uint8Array(i)))}var Se=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,Ue.utf8ToBytes)(t),n=(0,vt.managedNonce)(Ot.xchacha20poly1305)(new Uint8Array(r));return(0,Ue.bytesToHex)(n.encrypt(o))},Pe=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,Ue.hexToBytes)(t),n=(0,vt.managedNonce)(Ot.xchacha20poly1305)(new Uint8Array(r));return new TextDecoder().decode(n.decrypt(o))};var J=require("zod");var oe=require("better-call");var it="two_factor";var st="trust_device";var Rt=require("zod");var he=S({body:Rt.z.object({trustDevice:Rt.z.boolean().optional()})},async e=>{let t=await D(e);if(!t){let r=e.context.createAuthCookie(it),o=await e.getSignedCookie(r.name,e.context.secret);if(!o)throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let[n,i]=o.split("!");if(!n||!i)throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let a=await 
e.context.adapter.findMany({model:e.context.tables.session.tableName,where:[{field:"userId",value:n}]});if(!a.length)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});let s=a.filter(d=>d.expiresAt>new Date);if(!s)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});for(let d of s){let c=await ge(e.context.secret,d.id),l=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"id",value:d.userId}]});if(!l)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});if(c===i)return{valid:async()=>{if(await w(e,{session:d,user:l},!1),e.body.trustDevice){let p=e.context.createAuthCookie(st,{maxAge:2592e3}),m=await ge(e.context.secret,`${l.id}!${d.id}`);await e.setSignedCookie(p.name,`${m}!${d.id}`,e.context.secret,p.attributes)}return e.json({session:d,user:l})},invalid:async()=>{throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:d.id,userId:d.userId,expiresAt:d.expiresAt,user:l}}}throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"})}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});var _e=require("better-call");function Xo(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>V(e?.length??10,q("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function It(e,t){let r=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():Xo(),n=await Se({data:JSON.stringify(o),key:r});return{backupCodes:o,encryptedBackupCodes:n}}async function en(e,t){let r=await Lr(e.backupCodes,t);return r?r.includes(e.code):!1}async function Lr(e,t){let r=Buffer.from(await Pe({key:t,data:e})).toString("utf-8"),o=JSON.parse(r),n=J.z.array(J.z.string()).safeParse(o);return n.success?n.data:null}var 
jr=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:u("/two-factor/verify-backup-code",{method:"POST",body:J.z.object({code:J.z.string(),disableSession:J.z.boolean().optional()}),use:[he]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});if(!en({backupCodes:n.backupCodes,code:r.body.code},r.context.secret))throw new _e.APIError("BAD_REQUEST",{message:"Invalid backup code"});return r.body.disableSession||await w(r,{session:r.context.session,user:o}),r.json({user:o,session:r.context.session})}),generateBackupCodes:u("/two-factor/generate-backup-codes",{method:"POST",body:J.z.object({password:J.z.string()}),use:[b]},async r=>{let o=r.context.session.user;if(!o.twoFactorEnabled)throw new _e.APIError("BAD_REQUEST",{message:"Two factor isn't enabled"});await r.context.password.checkPassword(o.id,r);let n=await It(r.context.secret,e);return await r.context.adapter.update({model:t,update:{backupCodes:n.encryptedBackupCodes},where:[{field:"userId",value:r.context.session.user.id}]}),r.json({status:!0,backupCodes:n.backupCodes})}),viewBackupCodes:u("/view/backup-codes",{method:"GET",body:J.z.object({password:J.z.string()}),use:[b]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});await r.context.password.checkPassword(o.id,r);let i=Lr(n.backupCodes,r.context.secret);if(!i)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});return r.json({status:!0,backupCodes:i})})}});var je=require("better-call"),Nr=require("oslo/otp"),Tt=require("zod");var Fr=require("oslo"),Vr=(e,t)=>{let r={...e,period:new Fr.TimeSpan(e?.period||3,"m")},o=new Nr.TOTPController({digits:6,period:r.period}),n=u("/two-factor/send-otp",{method:"POST",use:[he]},async 
a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new je.APIError("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new je.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});let c=await o.generate(Buffer.from(d.secret));return await e.sendOTP(s,c),a.json({status:!0})}),i=u("/two-factor/verify-otp",{method:"POST",body:Tt.z.object({code:Tt.z.string()}),use:[he]},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new je.APIError("BAD_REQUEST",{message:"two factor isn't enabled"});let d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new je.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(d.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{send2FaOTP:n,verifyOTP:i}}};var we=require("better-call"),qr=require("oslo"),Fe=require("oslo/otp"),Ne=require("zod");var Mr=(e,t)=>{let r={...e,digits:6,period:new qr.TimeSpan(e?.period||30,"s")},o=u("/totp/generate",{method:"POST",use:[b]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Fe.TOTPController(r).generate(Buffer.from(d.secret))}}),n=u("/two-factor/get-totp-uri",{method:"POST",use:[b],body:Ne.z.object({password:Ne.z.string()})},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. 
please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d||!s.twoFactorEnabled)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:(0,Fe.createTOTPKeyURI)(e?.issuer||"BetterAuth",s.email,Buffer.from(d.secret),r)}}),i=u("/two-factor/verify-totp",{method:"POST",body:Ne.z.object({code:Ne.z.string()}),use:[he]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});let c=new Fe.TOTPController(r),l=await Pe({key:a.context.secret,data:d.secret}),p=Buffer.from(l);if(!await c.verify(a.body.code,p))return a.context.invalid();if(!s.twoFactorEnabled){let f=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),k=await a.context.internalAdapter.createSession(s.id,a.request);await w(a,{session:k,user:f})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,viewTOTPURI:n,verifyTOTP:i}}};var tn=require("better-call");async function Ut(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),n=o?.password;return!o||!n?!1:await e.context.password.verify(n,t.password)}var St=require("better-call"),$r=require("oslo/otp"),Qr=require("oslo");var 
rn=(e={redirect:!0,twoFactorPage:"/"})=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&(e.redirect||e.twoFactorPage)&&typeof window<"u"&&(window.location.href=e.twoFactorPage)}}}]});var on=e=>{let t={twoFactorTable:e?.twoFactorTable||"twoFactor"},r=Mr({issuer:e?.issuer||"better-auth",...e?.totpOptions},t.twoFactorTable),o=jr({...e?.backupCodeOptions},t.twoFactorTable),n=Vr({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...r.endpoints,...n.endpoints,...o.endpoints,enableTwoFactor:u("/two-factor/enable",{method:"POST",body:Ve.z.object({password:Ve.z.string().min(8)}),use:[b]},async i=>{let a=i.context.session.user,{password:s}=i.body;if(!await Ut(i,{password:s,userId:a.id}))throw new St.APIError("BAD_REQUEST",{message:"Invalid password"});let c=V(16,q("a-z","0-9","-")),l=await Se({key:i.context.secret,data:c}),p=await It(i.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let f=await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),k=await i.context.internalAdapter.createSession(f.id,i.request);await w(i,{session:k,user:a})}await i.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await i.context.adapter.create({model:t.twoFactorTable,data:{id:i.context.uuid(),secret:l,backupCodes:p.encryptedBackupCodes,userId:a.id}});let m=(0,$r.createTOTPKeyURI)(e?.issuer||"BetterAuth",a.email,Buffer.from(c),{digits:e?.totpOptions?.digits||6,period:new Qr.TimeSpan(e?.totpOptions?.period||30,"s")});return i.json({totpURI:m,backupCodes:p.backupCodes})}),disableTwoFactor:u("/two-factor/disable",{method:"POST",body:Ve.z.object({password:Ve.z.string().min(8)}),use:[b]},async 
i=>{let a=i.context.session.user,{password:s}=i.body;if(!await Ut(i,{password:s,userId:a.id}))throw new St.APIError("BAD_REQUEST",{message:"Invalid password"});return await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await i.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),i.json({status:!0})})},options:e,hooks:{after:[{matcher(i){return i.path==="/sign-in/email"||i.path==="/sign-in/username"},handler:S(async i=>{let a=i.context.returned;if(a?.status!==200)return;let s=await a.clone().json();if(!s.user.twoFactorEnabled)return;let d=i.context.createAuthCookie(st,{maxAge:30*24*60*60}),c=await i.getSignedCookie(d.name,i.context.secret);if(c){let[f,k]=c.split("!"),A=await ge(i.context.secret,`${s.user.id}!${k}`);if(f===A){let h=await ge(i.context.secret,`${s.user.id}!${s.session.id}`);await i.setSignedCookie(d.name,`${h}!${s.session.id}`,i.context.secret,d.attributes);return}}te(i);let l=await ge(i.context.secret,s.session.id),p=i.context.createAuthCookie(it,{maxAge:60*60*24});return await i.setSignedCookie(p.name,`${s.session.userId}!${l}`,i.context.secret,p.attributes),{response:new Response(JSON.stringify({twoFactorRedirect:!0}),{headers:i.responseHeader})}})}]},schema:{user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{tableName:t.twoFactorTable,fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}},rateLimit:[{pathMatcher(i){return i.startsWith("/two-factor/")},window:10,max:3}]}};var de=require("@simplewebauthn/server"),H=require("better-call");var Z=require("zod");var Ce=require("@simplewebauthn/browser");var sn=require("@better-fetch/fetch");var nu=require("nanostores");var Hc=require("@better-fetch/fetch");var nn=require("nanostores");var Gc=require("@better-fetch/fetch"),at=require("nanostores"),Pt=(e,t,r,o)=>{let 
n=(0,at.atom)({data:null,error:null,isPending:!0,isRefetching:!1}),i=()=>{let s=typeof o=="function"?o({data:n.get().data,error:n.get().error,isPending:n.get().isPending}):o;return r(t,{...s,onSuccess:async d=>{n.set({data:d.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(d)},async onError(d){n.set({error:d.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(d)},async onRequest(d){let c=n.get();n.set({isPending:c.data===null,data:c.data,error:null,isRefetching:!0}),await s?.onRequest?.(d)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?i():(0,at.onMount)(n,()=>(i(),a=!0,()=>{n.off(),s.off()}))});return n};var Hr=require("nanostores"),Wr=(e,{_listPasskeys:t})=>({signIn:{passkey:async(n,i)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:n?.email}});if(!a.data)return a;try{let s=await(0,Ce.startAuthentication)(a.data,n?.autoFill||!1),d=await e("/passkey/verify-authentication",{body:{response:s},...n?.fetchOptions,...i,method:"POST"});if(!d.data)return d}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(n,i)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await(0,Ce.startRegistration)(a.data),d=await e("/passkey/verify-registration",{...n?.fetchOptions,...i,body:{response:s,name:n?.name},method:"POST"});if(!d.data)return d;t.set(Math.random())}catch(s){return s instanceof Ce.WebAuthnError?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown 
error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),an=()=>{let e=(0,Hr.atom)();return{id:"passkey",$InferServerPlugin:{},getActions:t=>Wr(t,{_listPasskeys:e}),getAtoms(t){return{listPasskeys:Pt(e,"/passkey/list-user-passkeys",t,{method:"GET"}),_listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var dn=e=>{let t=Ge.BETTER_AUTH_URL,r=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!r)throw new G("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:r,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},n=new Date(Date.now()+1e3*60*5),i=new Date,a=Math.floor((n.getTime()-i.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:u("/passkey/generate-register-options",{method:"GET",use:[b],metadata:{client:!1}},async s=>{let d=s.context.session,c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),l=new Uint8Array(Buffer.from(V(32,q("a-z","0-9")))),p;p=await(0,de.generateRegistrationOptions)({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:l,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await 
s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify({expectedChallenge:p.challenge,userData:{id:d.user.id}}),expiresAt:n}),s.json(p,{status:200})}),generatePasskeyAuthenticationOptions:u("/passkey/generate-authenticate-options",{method:"POST",body:Z.z.object({email:Z.z.string().optional()}).optional()},async s=>{let d=await D(s),c=[];d&&(c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let l=await(0,de.generateAuthenticationOptions)({rpID:o.rpID,userVerification:"preferred",...c.length?{allowCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")}))}:{}}),p={expectedChallenge:l.challenge,userData:{id:d?.user.id||""}},m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify(p),expiresAt:n}),s.json(l,{status:200})}),verifyPasskeyRegistration:u("/passkey/verify-registration",{method:"POST",body:Z.z.object({response:Z.z.any(),name:Z.z.string().optional()}),use:[b]},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)return s.json(null,{status:400});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)return s.json(null,{status:400});let{expectedChallenge:m,userData:f}=JSON.parse(p.value);if(f.id!==s.context.session.user.id)throw new H.APIError("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let k=await(0,de.verifyRegistrationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:A,registrationInfo:h}=k;if(!A||!h)return 
s.json(null,{status:400});let{credentialID:_,credentialPublicKey:be,counter:W,credentialDeviceType:Qe,credentialBackedUp:Ae}=h,ue=Buffer.from(be).toString("base64"),ut=z(),eo={name:s.body.name,userId:f.id,webauthnUserID:ut,id:_,publicKey:ue,counter:W,deviceType:Qe,transports:c.response.transports.join(","),backedUp:Ae,createdAt:new Date},to=await s.context.adapter.create({model:"passkey",data:eo});return s.json(to,{status:200})}catch(k){throw console.log(k),new H.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:u("/passkey/verify-authentication",{method:"POST",body:Z.z.object({response:Z.z.any()})},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)throw new H.APIError("BAD_REQUEST",{message:"origin missing"});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:m}=JSON.parse(p.value),f=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:c.id}]});if(!f)throw new H.APIError("UNAUTHORIZED",{message:"Passkey not found"});try{let k=await(0,de.verifyAuthenticationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:f.id,credentialPublicKey:new Uint8Array(Buffer.from(f.publicKey,"base64")),counter:f.counter,transports:f.transports?.split(",")}}),{verified:A}=k;if(!A)throw new H.APIError("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:f.id}],update:{counter:k.authenticationInfo.newCounter}});let h=await s.context.internalAdapter.createSession(f.userId,s.request);if(!h)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let _=await 
s.context.internalAdapter.findUserById(f.userId);if(!_)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"User not found"});return await w(s,{session:h,user:_}),s.json({session:h},{status:200})}catch(k){throw s.context.logger.error(k),new H.APIError("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:u("/passkey/list-user-passkeys",{method:"GET",use:[b]},async s=>{let d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(d,{status:200})}),deletePasskey:u("/passkey/delete-passkey",{method:"POST",body:Z.z.object({id:Z.z.string()}),use:[b]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:{passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}}}};var qe=require("zod");var Me=require("better-call"),_t=()=>({id:"username",endpoints:{signInUsername:u("/sign-in/username",{method:"POST",body:qe.z.object({username:qe.z.string(),password:qe.z.string(),dontRememberMe:qe.z.boolean().optional()})},async e=>{let t=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:_t}),new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let r=await 
e.context.adapter.findOne({model:e.context.tables.account.tableName,where:[{field:e.context.tables.account.fields.userId.fieldName||"userId",value:t.id},{field:e.context.tables.account.fields.providerId.fieldName||"providerId",value:"credential"}]});if(!r)throw new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let o=r?.password;if(!o)throw e.context.logger.error("Password not found",{username:_t}),new Me.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let i=await e.context.internalAdapter.createSession(t.id,e.request);return i?(await e.setSignedCookie(e.context.authCookies.sessionToken.name,i.id,e.context.secret,e.body.dontRememberMe?{...e.context.authCookies.sessionToken.options,maxAge:void 0}:e.context.authCookies.sessionToken.options),e.json({user:t,session:i})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});var Gr=require("better-call"),cn=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let r="";return t.includes(".")?r=t:r=await(0,Gr.serializeSigned)("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),{context:e}}}]}});var ye=require("zod");var Kr=require("better-call");var 
un=e=>({id:"magic-link",endpoints:{signInMagicLink:u("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ye.z.object({email:ye.z.string().email(),callbackURL:ye.z.string().optional()})},async t=>{let{email:r}=t.body,o=V(32,q("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:r,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let n=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:r,url:n,token:o})}catch(i){throw t.context.logger.error("Failed to send magic link",i),new Kr.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:u("/magic-link/verify",{method:"GET",query:ye.z.object({token:ye.z.string(),callbackURL:ye.z.string().optional()}),requireHeaders:!0},async t=>{let{token:r,callbackURL:o}=t.query,n=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,i=await t.context.internalAdapter.findVerificationValue(r);if(!i)throw t.redirect(`${n}?error=INVALID_TOKEN`);if(i.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(i.id),t.redirect(`${n}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(i.id);let a=i.value,s=await t.context.internalAdapter.findUserByEmail(a),d=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${n}?error=USER_NOT_FOUND`);if(d=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!d)throw t.redirect(`${n}?error=USER_NOT_CREATED`)}let c=await t.context.internalAdapter.createSession(d,t.headers);if(!c)throw t.redirect(`${n}?error=SESSION_NOT_CREATED`);if(await w(t,{session:c,user:s?.user}),!o)return t.json({status:!0});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});var ce=require("zod");var 
Y=require("better-call");function ln(e){return V(e,q("0-9"))}var pn=e=>{let t={phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt",expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6};return{id:"phone-number",endpoints:{sendPhoneNumberOTP:u("/phone-number/send-otp",{method:"POST",body:ce.z.object({phoneNumber:ce.z.string()})},async r=>{if(!e?.sendOTP)throw y.warn("sendOTP not implemented"),new Y.APIError("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});let o=ln(t.otpLength);return await r.context.internalAdapter.createVerificationValue({value:o,identifier:r.body.phoneNumber,expiresAt:C(t.expiresIn,"sec")}),await e.sendOTP(r.body.phoneNumber,o),r.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:u("/phone-number/verify",{method:"POST",body:ce.z.object({phoneNumber:ce.z.string(),code:ce.z.string(),disableSession:ce.z.boolean().optional(),updatePhoneNumber:ce.z.boolean().optional()})},async r=>{let o=await r.context.internalAdapter.findVerificationValue(r.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await r.context.internalAdapter.deleteVerificationValue(o.id),new Y.APIError("BAD_REQUEST",{message:"OTP expired"})):new Y.APIError("BAD_REQUEST",{message:"OTP not found"});if(o.value!==r.body.code)throw new Y.APIError("BAD_REQUEST",{message:"Invalid OTP"});if(await r.context.internalAdapter.deleteVerificationValue(o.id),r.body.updatePhoneNumber){let i=await D(r);if(!i)throw new Y.APIError("UNAUTHORIZED",{message:"Session not found"});let a=await r.context.internalAdapter.updateUser(i.user.id,{[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0});return r.json({user:a,session:i.session})}let n=await r.context.adapter.findOne({model:r.context.tables.user.tableName,where:[{value:r.body.phoneNumber,field:t.phoneNumber}]});if(n)n=await r.context.internalAdapter.updateUser(n.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(n=await 
r.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(r.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(r.body.phoneNumber):r.body.phoneNumber,[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0}),!n)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else throw new Y.APIError("BAD_REQUEST",{message:"Phone number not found"});if(!n)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!r.body.disableSession){let i=await r.context.internalAdapter.createSession(n.id,r.request);if(!i)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(r,{session:i,user:n}),r.json({user:n,session:i})}return r.json({user:n,session:null})})},schema:{user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}}}};var dt=require("zod");var mn=e=>({id:"anonymous",endpoints:{signInAnonymous:u("/sign-in/anonymous",{method:"POST"},async t=>{let{emailDomainName:r=Je(t.context.baseURL)}=e||{},o=z(),n=`temp-${o}@${r}`,i=await t.context.internalAdapter.createUser({id:o,email:n,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!i)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(i.id,t.request);return a?(await w(t,{session:a,user:i}),t.json({user:i,session:a})):t.json(null,{status:400,body:{message:"Could not create session"}})}),linkAccount:u("/anonymous/link-account",{method:"POST",body:dt.z.object({email:dt.z.string().email().optional(),password:dt.z.string().min(6)}),use:[b]},async t=>{let r=t.context.session.user.id,{email:o,password:n}=t.body,i=null;if(o&&n&&(i=await t.context.internalAdapter.updateUser(r,{email:o,isAnonymous:!1})),!i)return t.json(null,{status:500,body:{message:"Failed to update 
user",status:500}});let a=await t.context.password.hash(n);if(!await t.context.internalAdapter.linkAccount({userId:i.id,providerId:"credential",password:a,accountId:i.id}))return t.json(null,{status:500,body:{message:"Failed to update account",status:500}});let d=await t.context.internalAdapter.createSession(i.id,t.request);return d?(await w(t,{session:d,user:i}),t.json({session:d,user:i})):t.json(null,{status:400,body:{message:"Could not create session"}})})},schema:{user:{fields:{isAnonymous:{type:"boolean",required:!1}}}}});var g=require("zod");var K=S(async e=>{let t=await D(e);if(!t?.session)throw new E.APIError("UNAUTHORIZED");let r=t.user;if(r.role!=="admin")throw new E.APIError("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:r,session:t.session}}}),fn=e=>({id:"admin",init(t){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let o=await t.internalAdapter.findUserById(r.userId);if(o.banned){if(o.banExpires&&o.banExpires<Date.now()){await t.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(t){return t.path==="/list-sessions"},handler:S(async t=>{let r=t.context.returned;if(r){let n=(await r.json()).filter(a=>!a.impersonatedBy),i=new Response(JSON.stringify(n),{status:200,statusText:"OK",headers:r.headers});return t.json({response:i})}})}]},endpoints:{setRole:u("/admin/set-role",{method:"POST",body:g.z.object({userId:g.z.string(),role:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{role:t.body.role});return t.json({user:r})}),createUser:u("/admin/create-user",{method:"POST",body:g.z.object({email:g.z.string(),password:g.z.string(),name:g.z.string(),role:g.z.string(),data:g.z.optional(g.z.record(g.z.any()))}),use:[K]},async t=>{if(await 
t.context.internalAdapter.findUserByEmail(t.body.email))throw new E.APIError("BAD_REQUEST",{message:"User already exists"});let o=await t.context.internalAdapter.createUser({email:t.body.email,name:t.body.name,role:t.body.role,...t.body.data});if(!o)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let n=await t.context.password.hash(t.body.password);return await t.context.internalAdapter.linkAccount({accountId:o.id,providerId:"credential",password:n,userId:o.id}),t.json({user:o})}),listUsers:u("/admin/list-users",{method:"GET",use:[K],query:g.z.object({search:g.z.object({field:g.z.enum(["email","name"]),operator:g.z.enum(["contains","starts_with","ends_with"]).default("contains"),value:g.z.string()}).optional(),limit:g.z.string().or(g.z.number()).optional(),offset:g.z.string().or(g.z.number()).optional(),sortBy:g.z.string().optional(),sortDirection:g.z.enum(["asc","desc"]).optional(),filter:g.z.array(g.z.object({field:g.z.string(),value:g.z.string().or(g.z.number()).or(g.z.boolean()),operator:g.z.enum(["eq","ne","lt","lte","gt","gte"]),connector:g.z.enum(["AND","OR"]).optional()})).optional()})},async t=>{let r=[];t.query?.search&&r.push({field:t.query.search.field,operator:t.query.search.operator,value:t.query.search.value}),t.query?.filter&&r.push(...t.query.filter||[]);let o=await t.context.internalAdapter.listUsers(Number(t.query?.limit)||void 0,Number(t.query?.offset)||void 0,t.query?.sortBy?{field:t.query.sortBy,direction:t.query.sortDirection||"asc"}:void 0,r.length?r:void 0);return t.json({users:o})}),listUserSessions:u("/admin/list-user-sessions",{method:"POST",use:[K],body:g.z.object({userId:g.z.string()})},async t=>({sessions:await t.context.internalAdapter.listSessions(t.body.userId)})),unbanUser:u("/admin/unban-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!1});return 
t.json({user:r})}),banUser:u("/admin/ban-user",{method:"POST",body:g.z.object({userId:g.z.string(),banReason:g.z.string().optional(),banExpiresIn:g.z.number().optional()}),use:[K]},async t=>{if(t.body.userId===t.context.session.user.id)throw new E.APIError("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!0,banReason:t.body.banReason||e?.defaultBanReason||"No reason",banExpires:t.body.banExpiresIn?C(t.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?C(e.defaultBanExpiresIn,"sec"):void 0});return await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({user:r})}),impersonateUser:u("/admin/impersonate-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.findUserById(t.body.userId);if(!r)throw new E.APIError("NOT_FOUND",{message:"User not found"});let o=await t.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:t.context.session.user.id,expiresAt:e?.impersonationSessionDuration?C(e.impersonationSessionDuration,"sec"):C(60*60,"sec")});if(!o)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(t,{session:o,user:r},!0),t.json({session:o,user:r})}),revokeUserSession:u("/admin/revoke-user-session",{method:"POST",body:g.z.object({sessionId:g.z.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteSession(t.body.sessionId),t.json({success:!0}))),revokeUserSessions:u("/admin/revoke-user-sessions",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({success:!0}))),removeUser:u("/admin/remove-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>(await 
t.context.internalAdapter.deleteUser(t.body.userId),t.json({success:!0})))},schema:{user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}}});var X=require("zod"),ze=require("better-call");var ct=require("@better-fetch/fetch");var Jr=require("oslo/jwt");async function gn(e,t,r){if(t==="oidc"&&e.idToken){let n=(0,Jr.parseJWT)(e.idToken);if(n?.payload)return n.payload}return r?(await(0,ct.betterFetch)(r,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}})).data:null}var hn=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:u("/sign-in/oauth2",{method:"POST",query:X.z.object({currentURL:X.z.string().optional()}).optional(),body:X.z.object({providerId:X.z.string(),callbackURL:X.z.string().optional()})},async t=>{let{providerId:r}=t.body,o=e.config.find(ue=>ue.providerId===r);if(!o)throw new ze.APIError("BAD_REQUEST",{message:`No config found for provider ${r}`});let{discoveryUrl:n,authorizationUrl:i,tokenUrl:a,clientId:s,clientSecret:d,scopes:c,redirectURI:l,responseType:p,pkce:m,prompt:f,accessType:k}=o,A=i,h=a;if(n){let ue=await(0,ct.betterFetch)(n,{onError(ut){y.error(ut.error,{discoveryUrl:n})}});ue.data&&(A=ue.data.authorization_endpoint,h=ue.data.token_endpoint)}if(!A||!h)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let _=t.query?.currentURL?new URL(t.query?.currentURL):null,be=t.body.callbackURL?.startsWith("http")?t.body.callbackURL:`${_?.origin}${t.body.callbackURL||""}`,{state:W,codeVerifier:Qe}=await ke(t),Ae=await I({id:r,options:{clientId:s,clientSecret:d,redirectURI:l},authorizationEndpoint:A,state:W,codeVerifier:Qe,scopes:c||[],disablePkce:!m,redirectURI:`${t.context.baseURL}/oauth2/callback/${r}`});return 
p&&p!=="code"&&Ae.searchParams.set("response_type",p),f&&Ae.searchParams.set("prompt",f),k&&Ae.searchParams.set("access_type",k),t.json({url:Ae.toString(),redirect:!0})}),oAuth2Callback:u("/oauth2/callback/:providerId",{method:"GET",query:X.z.object({code:X.z.string().optional(),error:X.z.string().optional(),state:X.z.string()})},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let r=e.config.find(h=>h.providerId===t.params.providerId);if(!r)throw new ze.APIError("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,n=await Ye(t),{callbackURL:i,codeVerifier:a,errorURL:s}=n,d=t.query.code,c=r.tokenUrl,l=r.userInfoUrl;if(r.discoveryUrl){let h=await(0,ct.betterFetch)(r.discoveryUrl,{method:"GET"});h.data&&(c=h.data.token_endpoint,l=h.data.userinfo_endpoint)}try{if(!c)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await v({code:d,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${r.providerId}`,options:{clientId:r.clientId,clientSecret:r.clientSecret},tokenEndpoint:c})}catch(h){throw t.context.logger.error(h),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let p=r.getUserInfo?await r.getUserInfo(o):await gn(o,r.type||"oauth2",l),m=z(),f=p?tt.safeParse({...p,id:m}):null;if(!f?.success)throw t.redirect(`${s}?error=oauth_user_info_invalid`);let k=await t.context.internalAdapter.findUserByEmail(f.data.email,{includeAccounts:!0}).catch(h=>{throw y.error(`Better auth was unable to query your database.
85
- Error: `,h),t.redirect(`${s}?error=internal_server_error`)}),A=k?.user.id||m;if(k){let h=k.accounts.find(W=>W.providerId===r.providerId),_=t.context.options.account?.accountLinking?.trustedProviders,be=_?_.includes(r.providerId):!0;if(!h&&(!f?.data.emailVerified||!be)){let W;try{W=new URL(s),W.searchParams.set("error","account_not_linked")}catch{throw t.redirect(`${s}?error=account_not_linked`)}throw t.redirect(W.toString())}if(h)await t.context.internalAdapter.updateAccount(h.id,{accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt});else try{await t.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:f.data.id,id:`${r.providerId}:${f.data.id}`,userId:k.user.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch(W){throw console.log(W),t.redirect(`${s}?error=failed_linking_account`)}}else try{await t.context.internalAdapter.createOAuthUser(f.data,{id:`${r.providerId}:${f.data.id}`,providerId:r.providerId,accountId:f.data.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch{let _=new URL(s);throw _.searchParams.set("error","unable_to_create_user"),t.setHeader("Location",_.toString()),t.redirect(_.toString())}try{let h=await t.context.internalAdapter.createSession(A||m,t.request);if(!h)throw t.redirect(`${s}?error=unable_to_create_session`);await w(t,{session:h,user:f.data})}catch{throw t.redirect(`${s}?error=unable_to_create_session`)}throw t.redirect(i)})}});var Be=require("zod"),Zr={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},cl=Be.z.object({id:Be.z.string(),publicKey:Be.z.string(),privateKey:Be.z.string(),createdAt:Be.z.date()});var Ct=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await 
e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});var ne=require("jose");var wn=e=>({id:"jwt",endpoints:{getJwks:u("/jwks",{method:"GET"},async t=>{let o=await Ct(t.context.adapter).getAllKeys();return t.json({keys:o.map(n=>({...JSON.parse(n.publicKey),kid:n.id}))})}),getToken:u("/token",{method:"GET",requireHeaders:!0,use:[b]},async t=>{let r=Ct(t.context.adapter),o=await r.getLatestKey(),n=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:c,privateKey:l}=await(0,ne.generateKeyPair)(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),p=await(0,ne.exportJWK)(c),m=await(0,ne.exportJWK)(l),f=JSON.stringify(m),k={id:crypto.randomUUID(),publicKey:JSON.stringify(p),privateKey:n?JSON.stringify(await Se({key:t.context.options.secret,data:f})):f,createdAt:new Date};o=await r.createJwk(k)}let i=n?await Pe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await(0,ne.importJWK)(JSON.parse(i)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new ne.SignJWT({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:Zr});var $e=require("zod");var yn=e=>{let t={maximumSessions:5,...e},r=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:u("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let n=o.headers?.get("cookie");if(!n)return o.json([]);let i=Object.fromEntries(Ke(n)),a=(await 
Promise.all(Object.entries(i).filter(([c])=>r(c)).map(async([c])=>await o.getSignedCookie(c,o.context.secret)))).filter(c=>c!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(c=>c&&c.session.expiresAt>new Date).filter((c,l,p)=>l===p.findIndex(m=>m.user.id===c.user.id));return Object.entries(i).filter(([c])=>r(c)).forEach(([c,l])=>{d.some(p=>p.session.id===l)||o.setCookie(c,"",{...o.context.authCookies.sessionToken.options,maxAge:0})}),o.json(d)}),setActiveSession:u("/multi-session/set-active",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);if(!s||s.session.expiresAt<new Date)throw o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});return await o.setSignedCookie(o.context.authCookies.sessionToken.name,n,o.context.secret,o.context.authCookies.sessionToken.options),o.json(s)}),revokeDeviceSession:u("/multi-session/revoke",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);return o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),s?(await o.context.internalAdapter.deleteSession(n),o.json({success:!0})):o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:S(async o=>{if(!o.context.returned||!(o.context.returned instanceof Response))return;let n=o.context.returned.headers.get("set-cookie");if(!n)return;let 
i=Lt(n),a=o.context.authCookies.sessionToken,s=i.get(a.name)?.value;if(!s)return;let d=Ke(o.headers?.get("cookie")||""),c=s.split(".")[0],l=`${a.name}_multi-${c}`;if(i.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(r).length+(n.includes("session_token")?1:0)>t.maximumSessions)return;await o.setSignedCookie(l,c,o.context.secret,a.options);let m=o.context.returned;return m.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:m}})},{matcher:o=>o.path==="/sign-out",handler:S(async o=>{let n=o.headers?.get("cookie");if(!n)return;let i=Object.fromEntries(Ke(n));await Promise.all(Object.entries(i).map(async([s,d])=>{if(r(s)){o.setCookie(s,"",{maxAge:0});let c=s.split("_multi-")[1];await o.context.internalAdapter.deleteSession(c)}}));let a=o.context.returned;return a?.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:a}})}]}}};var ee=require("zod");var bn=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:u("/email-otp/send-verification-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),type:ee.z.enum(["email-verification","sign-in"])})},async r=>{if(!e?.sendVerificationOTP)throw y.error("send email verification is not implemented"),new E.APIError("BAD_REQUEST",{message:"send email verification is not implemented"});let o=r.body.email,n=V(t.otpLength,q("0-9"));return await r.context.internalAdapter.createVerificationValue({value:n,identifier:`${r.body.type}-otp-${o}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:r.body.type}),r.json({success:!0})}),verifyEmailOTP:u("/email-otp/verify-email",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let 
i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return r.json({user:s})}),signInEmailOTP:u("/sign-in/email-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.createSession(a.user.id,r.request);return await w(r,{session:s,user:a.user}),r.json({session:s,user:a})})},hooks:{after:[{matcher(r){return!!(r.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(r){let o=r.context.returned;if(o?.status!==200)return;let n=await o.clone().json();if(n.user.email&&n.user.emailVerified===!1){let i=V(t.otpLength,q("0-9"));await r.context.internalAdapter.createVerificationValue({value:i,identifier:`email-verification-otp-${n.user.email}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:n.user.email,otp:i,type:"email-verification"})}}}]}}};var zt=require("zod");var Xr=require("@better-fetch/fetch");function Yr(e){return e==="true"||e===!0}var An=e=>({id:"one-tap",endpoints:{oneTapCallback:u("/one-tap/callback",{method:"POST",body:zt.z.object({idToken:zt.z.string()})},async 
t=>{let{idToken:r}=t.body,{data:o,error:n}=await(0,Xr.betterFetch)("https://oauth2.googleapis.com/tokeninfo?id_token="+r);if(n)return t.json({error:"Invalid token"});let i=await t.context.internalAdapter.findUserByEmail(o.email);if(!i){if(e?.disableSignup)throw new E.APIError("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:Yr(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await w(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(i.user.id,t.request);return await w(t,{user:i.user,session:a}),t.json({session:a,user:i})})}});0&&(module.exports={HIDE_METADATA,admin,adminMiddleware,anonymous,bearer,createAuthEndpoint,createAuthMiddleware,emailOTP,genericOAuth,getPasskeyActions,jwt,magicLink,multiSession,oneTap,optionsMiddleware,organization,passkey,passkeyClient,phoneNumber,twoFactor,twoFactorClient,username});
83
+ </html>`,Bo=u("/error",{method:"GET",metadata:pe},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(zo(t),{headers:{"Content-Type":"text/html"}})});var Do=u("/ok",{method:"GET",metadata:pe},async e=>e.json({ok:!0}));var xo=require("zod");var Lo=require("better-call");var Ee=require("zod");var ht=require("better-call");var jo=u("/list-accounts",{method:"GET",use:[b]},async e=>{let t=e.context.session,r=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(r)}),No=u("/link-social",{method:"POST",requireHeaders:!0,query:Ee.z.object({currentURL:Ee.z.string().optional()}).optional(),body:Ee.z.object({callbackURL:Ee.z.string().optional(),provider:Ee.z.enum(Xe)}),use:[b]},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new ht.APIError("BAD_REQUEST",{message:"Social Account is already linked."});let n=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!n)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new ht.APIError("NOT_FOUND",{message:"Provider not found"});let i=await ke(e,{userId:t.user.id,email:t.user.email}),a=await n.createAuthorizationURL({state:i.state,codeVerifier:i.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${n.id}`});return e.json({url:a.toString(),redirect:!0})});var Ar=(e,t)=>{let r={};for(let[o,n]of Object.entries(e))r[o]=i=>n({...i,context:{...t,...i.context}}),r[o].path=n.path,r[o].method=n.method,r[o].options=n.options,r[o].headers=n.headers;return r};var Re=class extends Error{path;constructor(t,r){super(t),this.path=r}},rt=class{constructor(t){this.s=t;this.statements=t}statements;newRole(t){return new ot(t)}},ot=class e{statements;constructor(t){this.statements=t}authorize(t,r){for(let[o,n]of Object.entries(t)){let i=this.statements[o];if(!i)return{success:!1,error:`You are not allowed to access resource: ${o}`};let a=r==="OR"?n.some(s=>i.includes(s)):n.every(s=>i.includes(s));return a?{success:a}:{success:!1,error:`unauthorized to access resource "${o}"`}}return{success:!1,error:"Not authorized"}}static fromString(t){let r=JSON.parse(t);if(typeof r!="object")throw new Re("statements is not an object",".");for(let[o,n]of Object.entries(r)){if(typeof o!="string")throw new Re("invalid resource identifier",o);if(!Array.isArray(n))throw new Re("actions is not an array",o);for(let i=0;i<n.length;i++)if(typeof n[i]!="string")throw new Re("action is not a string",`${o}[${i}]`)}return new e(r)}toString(){return JSON.stringify(this.statements)}};var Fo=e=>new 
rt(e),Vo={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},wt=Fo(Vo),qo=wt.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),Mo=wt.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),$o=wt.newRole({organization:[],member:[],invitation:[]}),kr={admin:qo,owner:Mo,member:$o};var P=(e,t)=>{let r=e.adapter;return{findOrganizationBySlug:async o=>await r.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let n=await r.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),i=await r.create({model:"member",data:{id:z(),organizationId:n.id,userId:o.user.id,createdAt:new Date,email:o.user.email,role:t?.creatorRole||"owner"}});return{...n,metadata:n.metadata?JSON.parse(n.metadata):void 0,members:[{...i,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let n=await r.findOne({model:"member",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},findMemberByOrgId:async o=>{let[n,i]=await Promise.all([await r.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:o.userId}]})]);return!i||!n?null:{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}},findMemberById:async o=>{let n=await r.findOne({model:"member",where:[{field:"id",value:o}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return 
i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},createMember:async o=>await r.create({model:"member",data:o}),updateMember:async(o,n)=>await r.update({model:"member",where:[{field:"id",value:o}],update:{role:n}}),deleteMember:async o=>await r.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,n)=>await r.update({model:"organization",where:[{field:"id",value:o}],update:n}),deleteOrganization:async o=>(await r.delete({model:"member",where:[{field:"organizationId",value:o}]}),await r.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await r.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,n)=>await r.update({model:e.tables.session.tableName,where:[{field:"id",value:o}],update:{activeOrganizationId:n}}),findOrganizationById:async o=>await r.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async(o,n)=>{let[i,a,s]=await Promise.all([r.findOne({model:"organization",where:[{field:"id",value:o}]}),r.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),r.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!i)return null;let d=s.map(m=>m.userId),c=await r.findMany({model:e.tables.user.tableName,where:[{field:"id",value:d,operator:"in"}]}),l=new Map(c.map(m=>[m.id,m])),p=s.map(m=>{let f=l.get(m.userId);if(!f)throw new G("Unexpected error: User not found for member");return{...m,user:{id:f.id,name:f.name,email:f.email,image:f.image}}});return{...i,invitations:a,members:p}},listOrganizations:async o=>{let n=await r.findMany({model:"member",where:[{field:"userId",value:o}]});if(!n||n.length===0)return[];let i=n.map(s=>s.organizationId);return await r.findMany({model:"organization",where:[{field:"id",value:i,operator:"in"}]})},createInvitation:async({invitation:o,user:n})=>{let a=C(t?.invitationExpiresIn||1728e5);return await 
r.create({model:"invitation",data:{id:z(),email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:n.id}})},findInvitationById:async o=>await r.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await r.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(i=>new Date(i.expiresAt)>new Date),updateInvitation:async o=>await r.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};var hd=require("better-call");var yt=require("better-call");var Or=require("better-call");var Qo=S(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,n=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL,a=t?.redirectTo,s=r?.currentURL,d=o.trustedOrigins,c=e.headers?.has("cookie"),l=(p,m)=>{if(!d.some(k=>p?.startsWith(k)||p?.startsWith("/")&&m!=="origin"))throw y.error(`Invalid ${m}: ${p}`),y.info(`If it's a valid URL, please add ${p} to trustedOrigins in your auth config
84
+ `,`Current list of trustedOrigins: ${d}`),new Or.APIError("FORBIDDEN",{message:`Invalid ${m}`})};c&&!e.context.options.advanced?.disableCSRFCheck&&l(n,"origin"),i&&l(i,"callbackURL"),a&&l(a,"redirectURL"),s&&l(s,"currentURL")});var E=require("better-call");var B=S(async e=>({})),L=S({use:[b]},async e=>({session:e.context.session}));var F=require("zod");var R=require("zod"),nt=R.z.enum(["admin","member","owner"]),Ho=R.z.enum(["pending","accepted","rejected","canceled"]).default("pending"),Ad=R.z.object({id:R.z.string(),name:R.z.string(),slug:R.z.string(),logo:R.z.string().optional(),metadata:R.z.record(R.z.string()).or(R.z.string().transform(e=>JSON.parse(e))).optional(),createdAt:R.z.date()}),kd=R.z.object({id:R.z.string(),email:R.z.string(),organizationId:R.z.string(),userId:R.z.string(),role:nt,createdAt:R.z.date()}),Od=R.z.object({id:R.z.string(),organizationId:R.z.string(),email:R.z.string(),role:nt,status:Ho,inviterId:R.z.string(),expiresAt:R.z.date()});var T=require("better-call"),vr=u("/organization/invite-member",{method:"POST",use:[B,L],body:F.z.object({email:F.z.string(),role:nt,organizationId:F.z.string().optional(),resend:F.z.boolean().optional()})},async e=>{if(!e.context.orgOptions.sendInvitationEmail)throw y.warn("Invitation email is not enabled. 
Pass `sendInvitationEmail` to the plugin options to enable it."),new T.APIError("BAD_REQUEST",{message:"Invitation email is not enabled"});let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)throw new T.APIError("BAD_REQUEST",{message:"Organization not found"});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new T.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new T.APIError("BAD_REQUEST",{message:"Role not found!"});if(i.authorize({invitation:["create"]}).error)throw new T.APIError("FORBIDDEN",{message:"You are not allowed to invite members"});if(await o.findMemberByEmail({email:e.body.email,organizationId:r}))throw new T.APIError("BAD_REQUEST",{message:"User is already a member of this organization"});if((await o.findPendingInvitation({email:e.body.email,organizationId:r})).length&&!e.body.resend)throw new T.APIError("BAD_REQUEST",{message:"User is already invited to this organization"});let c=await o.createInvitation({invitation:{role:e.body.role,email:e.body.email,organizationId:r},user:t.user}),l=await o.findOrganizationById(r);if(!l)throw new T.APIError("BAD_REQUEST",{message:"Organization not found"});return await e.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:t.user}},e.request),e.json(c)}),Er=u("/organization/accept-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new T.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),i=await 
r.createMember({id:z(),organizationId:o.organizationId,userId:t.user.id,email:o.email,role:o.role,createdAt:new Date});return await r.setActiveOrganization(t.session.id,o.organizationId),n?e.json({invitation:n,member:i}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),Rr=u("/organization/reject-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new T.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:n,member:null})}),Ir=u("/organization/cancel-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o)throw new T.APIError("BAD_REQUEST",{message:"Invitation not found!"});let n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!n)throw new T.APIError("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[n.role].authorize({invitation:["cancel"]}).error)throw new T.APIError("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await r.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),Tr=u("/organization/get-invitation",{method:"GET",use:[B],requireHeaders:!0,query:F.z.object({id:F.z.string()})},async e=>{let t=await D(e);if(!t)throw new T.APIError("UNAUTHORIZED",{message:"Not authenticated"});let r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new 
T.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.findOrganizationById(o.organizationId);if(!n)throw new T.APIError("BAD_REQUEST",{message:"Organization not found"});let i=await r.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!i)throw new T.APIError("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:n.name,organizationSlug:n.slug,inviterEmail:i.email})});var se=require("zod");var Ie=require("better-call"),Ur=u("/organization/remove-member",{method:"POST",body:se.z.object({memberIdOrEmail:se.z.string(),organizationId:se.z.string().optional()}),use:[B,L]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new Ie.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new Ie.APIError("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||n.id===e.body.memberIdOrEmail;if(a&&n.role===(e.context.orgOptions?.creatorRole||"owner"))throw new Ie.APIError("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||i.authorize({member:["delete"]}).success))throw new Ie.APIError("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let c=null;if(e.body.memberIdOrEmail.includes("@")?c=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:r}):c=await o.findMemberById(e.body.memberIdOrEmail),c?.organizationId!==r)throw new Ie.APIError("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(c.id),t.user.id===c.userId&&t.session.activeOrganizationId===c.organizationId&&await 
o.setActiveOrganization(t.session.id,null),e.json({member:c})}),Sr=u("/organization/update-member-role",{method:"POST",body:se.z.object({role:se.z.enum(["admin","member","owner"]),memberId:se.z.string(),organizationId:se.z.string().optional()}),use:[B,L]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"Member not found!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({member:["update"]}).error||e.body.role==="owner"&&n.role!=="owner")return e.json(null,{body:{message:"You are not allowed to update this member"},status:403});let s=await o.updateMember(e.body.memberId,e.body.role);return s?e.json(s):e.json(null,{status:400,body:{message:"Member not found!"}})});var U=require("zod");var ae=require("better-call"),Pr=u("/organization/create",{method:"POST",body:U.z.object({name:U.z.string(),slug:U.z.string(),userId:U.z.string().optional(),logo:U.z.string().optional(),metadata:U.z.record(U.z.string()).optional()}),use:[B,L]},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let r=e.context.orgOptions;if(!(typeof r?.allowUserToCreateOrganization=="function"?await r.allowUserToCreateOrganization(t):r?.allowUserToCreateOrganization===void 0?!0:r.allowUserToCreateOrganization))throw new ae.APIError("FORBIDDEN",{message:"You are not allowed to create an organization"});let n=P(e.context,r),i=await n.listOrganizations(t.id);if(typeof r.organizationLimit=="number"?i.length>=r.organizationLimit:typeof r.organizationLimit=="function"?await r.organizationLimit(t):!1)throw new ae.APIError("FORBIDDEN",{message:"You have reached the organization limit"});if(await 
n.findOrganizationBySlug(e.body.slug))throw new ae.APIError("BAD_REQUEST",{message:"Organization with this slug already exists"});let d=await n.createOrganization({organization:{id:z(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return e.json(d)}),_r=u("/organization/update",{method:"POST",body:U.z.object({data:U.z.object({name:U.z.string().optional(),slug:U.z.string().optional()}).partial(),orgId:U.z.string().optional()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)throw new ae.APIError("UNAUTHORIZED",{message:"User not found"});let r=e.body.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(r,e.body.data);return e.json(s)}),Cr=u("/organization/delete",{method:"POST",body:U.z.object({orgId:U.z.string()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let r=e.body.orgId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["delete"]}).error)throw new ae.APIError("FORBIDDEN",{message:"You are not allowed 
to delete this organization"});return r===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.id,null),await o.deleteOrganization(r),e.json(r)}),zr=u("/organization/get-full",{method:"GET",query:U.z.optional(U.z.object({orgId:U.z.string().optional()})),requireHeaders:!0,use:[B,L]},async e=>{let t=e.context.session,r=e.query?.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:200});let n=await P(e.context,e.context.orgOptions).findFullOrganization(r,e.context.db||void 0);if(!n)throw new ae.APIError("BAD_REQUEST",{message:"Organization not found"});return e.json(n)}),Br=u("/organization/activate",{method:"POST",body:U.z.object({orgId:U.z.string().nullable().optional()}),use:[L,B]},async e=>{let t=P(e.context,e.context.orgOptions),r=e.context.session,o=e.body.orgId;if(o===null)return r.session.activeOrganizationId&&await t.setActiveOrganization(r.session.id,null),e.json(null);if(!o){let a=r.session.activeOrganizationId;if(!a)return e.json(null);o=a}if(!await t.findMemberByOrgId({userId:r.user.id,organizationId:o}))throw await t.setActiveOrganization(r.session.id,null),new ae.APIError("FORBIDDEN",{message:"You are not a member of this organization"});await t.setActiveOrganization(r.session.id,o);let i=await t.findFullOrganization(o,e.context.db||void 0);return e.json(i)}),Dr=u("/organization/list",{method:"GET",use:[B,L]},async e=>{let r=await P(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(r)});var Wo=e=>{let t={createOrganization:Pr,updateOrganization:_r,deleteOrganization:Cr,setActiveOrganization:Br,getFullOrganization:zr,listOrganization:Dr,createInvitation:vr,cancelInvitation:Ir,acceptInvitation:Er,getInvitation:Tr,rejectInvitation:Rr,removeMember:Ur,updateMemberRole:Sr},r={...kr,...e?.roles};return{id:"organization",endpoints:{...Ar(t,{orgOptions:e||{},roles:r,getSession:async n=>await 
D(n)}),hasPermission:u("/organization/has-permission",{method:"POST",requireHeaders:!0,body:Te.z.object({permission:Te.z.record(Te.z.string(),Te.z.array(Te.z.string()))}),use:[L]},async n=>{if(!n.context.session.session.activeOrganizationId)throw new bt.APIError("BAD_REQUEST",{message:"No active organization"});let a=await P(n.context).findMemberByOrgId({userId:n.context.session.user.id,organizationId:n.context.session.session.activeOrganizationId||""});if(!a)throw new bt.APIError("UNAUTHORIZED",{message:"You are not a member of this organization"});let d=r[a.role].authorize(n.body.permission);return d.error?n.json({error:d.error,success:!1},{status:403}):n.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1}}},organization:{fields:{name:{type:"string",required:!0},slug:{type:"string",unique:!0},logo:{type:"string",required:!1},createdAt:{type:"date",required:!0},metadata:{type:"string",required:!1}}},member:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},userId:{type:"string",required:!0},email:{type:"string",required:!0},role:{type:"string",required:!0,defaultValue:"member"},createdAt:{type:"date",required:!0}}},invitation:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},email:{type:"string",required:!0},role:{type:"string",required:!1},status:{type:"string",required:!0,defaultValue:"pending"},expiresAt:{type:"date",required:!0},inviterId:{type:"string",references:{model:"user",field:"id"},required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};var At=xt(require("uncrypto"),1);function Go(e){return e.toString(2).padStart(8,"0")}function Ko(e){return[...e].map(t=>Go(t)).join("")}function xr(e){return parseInt(Ko(e),2)}function Jo(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new 
Uint8Array(Math.ceil(t/8));At.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let n=xr(o);for(;n>=e;)At.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),n=xr(o);return n}function V(e,t){let r="";for(let o=0;o<e;o++)r+=t[Jo(t.length)];return r}function q(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var Ve=require("zod");var Ot=require("@noble/ciphers/chacha"),Ue=require("@noble/ciphers/utils"),vt=require("@noble/ciphers/webcrypto"),Et=require("oslo/crypto"),kt=xt(require("uncrypto"),1);var Lr=require("oslo/encoding");var Zo=require("@noble/hashes/scrypt"),Yo=require("uncrypto");async function ge(e,t){let r=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},n=await kt.default.subtle.importKey("raw",r.encode(e),o,!1,["sign","verify"]),i=await kt.default.subtle.sign(o.name,n,r.encode(t));return btoa(String.fromCharCode(...new Uint8Array(i)))}var Se=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,Ue.utf8ToBytes)(t),n=(0,vt.managedNonce)(Ot.xchacha20poly1305)(new Uint8Array(r));return(0,Ue.bytesToHex)(n.encrypt(o))},Pe=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,Ue.hexToBytes)(t),n=(0,vt.managedNonce)(Ot.xchacha20poly1305)(new Uint8Array(r));return new TextDecoder().decode(n.decrypt(o))};var J=require("zod");var oe=require("better-call");var it="two_factor";var st="trust_device";var Rt=require("zod");var he=S({body:Rt.z.object({trustDevice:Rt.z.boolean().optional()})},async e=>{let t=await D(e);if(!t){let r=e.context.createAuthCookie(it),o=await e.getSignedCookie(r.name,e.context.secret);if(!o)throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let[n,i]=o.split("!");if(!n||!i)throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let a=await 
e.context.adapter.findMany({model:e.context.tables.session.tableName,where:[{field:"userId",value:n}]});if(!a.length)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});let s=a.filter(d=>d.expiresAt>new Date);if(!s)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});for(let d of s){let c=await ge(e.context.secret,d.id),l=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"id",value:d.userId}]});if(!l)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});if(c===i)return{valid:async()=>{if(await w(e,{session:d,user:l},!1),e.body.trustDevice){let p=e.context.createAuthCookie(st,{maxAge:2592e3}),m=await ge(e.context.secret,`${l.id}!${d.id}`);await e.setSignedCookie(p.name,`${m}!${d.id}`,e.context.secret,p.attributes)}return e.json({session:d,user:l})},invalid:async()=>{throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:d.id,userId:d.userId,expiresAt:d.expiresAt,user:l}}}throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"})}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});var _e=require("better-call");function Xo(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>V(e?.length??10,q("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function It(e,t){let r=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():Xo(),n=await Se({data:JSON.stringify(o),key:r});return{backupCodes:o,encryptedBackupCodes:n}}async function en(e,t){let r=await jr(e.backupCodes,t);return r?r.includes(e.code):!1}async function jr(e,t){let r=Buffer.from(await Pe({key:t,data:e})).toString("utf-8"),o=JSON.parse(r),n=J.z.array(J.z.string()).safeParse(o);return n.success?n.data:null}var 
Nr=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:u("/two-factor/verify-backup-code",{method:"POST",body:J.z.object({code:J.z.string(),disableSession:J.z.boolean().optional()}),use:[he]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});if(!en({backupCodes:n.backupCodes,code:r.body.code},r.context.secret))throw new _e.APIError("BAD_REQUEST",{message:"Invalid backup code"});return r.body.disableSession||await w(r,{session:r.context.session,user:o}),r.json({user:o,session:r.context.session})}),generateBackupCodes:u("/two-factor/generate-backup-codes",{method:"POST",body:J.z.object({password:J.z.string()}),use:[b]},async r=>{let o=r.context.session.user;if(!o.twoFactorEnabled)throw new _e.APIError("BAD_REQUEST",{message:"Two factor isn't enabled"});await r.context.password.checkPassword(o.id,r);let n=await It(r.context.secret,e);return await r.context.adapter.update({model:t,update:{backupCodes:n.encryptedBackupCodes},where:[{field:"userId",value:r.context.session.user.id}]}),r.json({status:!0,backupCodes:n.backupCodes})}),viewBackupCodes:u("/view/backup-codes",{method:"GET",body:J.z.object({password:J.z.string()}),use:[b]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});await r.context.password.checkPassword(o.id,r);let i=jr(n.backupCodes,r.context.secret);if(!i)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});return r.json({status:!0,backupCodes:i})})}});var je=require("better-call"),Fr=require("oslo/otp"),Tt=require("zod");var Vr=require("oslo"),qr=(e,t)=>{let r={...e,period:new Vr.TimeSpan(e?.period||3,"m")},o=new Fr.TOTPController({digits:6,period:r.period}),n=u("/two-factor/send-otp",{method:"POST",use:[he]},async 
a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new je.APIError("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new je.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});let c=await o.generate(Buffer.from(d.secret));return await e.sendOTP(s,c),a.json({status:!0})}),i=u("/two-factor/verify-otp",{method:"POST",body:Tt.z.object({code:Tt.z.string()}),use:[he]},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new je.APIError("BAD_REQUEST",{message:"two factor isn't enabled"});let d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new je.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(d.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{send2FaOTP:n,verifyOTP:i}}};var we=require("better-call"),Mr=require("oslo"),Fe=require("oslo/otp"),Ne=require("zod");var $r=(e,t)=>{let r={...e,digits:6,period:new Mr.TimeSpan(e?.period||30,"s")},o=u("/totp/generate",{method:"POST",use:[b]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Fe.TOTPController(r).generate(Buffer.from(d.secret))}}),n=u("/two-factor/get-totp-uri",{method:"POST",use:[b],body:Ne.z.object({password:Ne.z.string()})},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. 
please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d||!s.twoFactorEnabled)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:(0,Fe.createTOTPKeyURI)(e?.issuer||"BetterAuth",s.email,Buffer.from(d.secret),r)}}),i=u("/two-factor/verify-totp",{method:"POST",body:Ne.z.object({code:Ne.z.string()}),use:[he]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});let c=new Fe.TOTPController(r),l=await Pe({key:a.context.secret,data:d.secret}),p=Buffer.from(l);if(!await c.verify(a.body.code,p))return a.context.invalid();if(!s.twoFactorEnabled){let f=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),k=await a.context.internalAdapter.createSession(s.id,a.request);await w(a,{session:k,user:f})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,viewTOTPURI:n,verifyTOTP:i}}};var tn=require("better-call");async function Ut(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),n=o?.password;return!o||!n?!1:await e.context.password.verify(n,t.password)}var St=require("better-call"),Qr=require("oslo/otp"),Hr=require("oslo");var 
rn=(e={redirect:!0,twoFactorPage:"/"})=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&(e.redirect||e.twoFactorPage)&&typeof window<"u"&&(window.location.href=e.twoFactorPage)}}}]});var on=e=>{let t={twoFactorTable:e?.twoFactorTable||"twoFactor"},r=$r({issuer:e?.issuer||"better-auth",...e?.totpOptions},t.twoFactorTable),o=Nr({...e?.backupCodeOptions},t.twoFactorTable),n=qr({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...r.endpoints,...n.endpoints,...o.endpoints,enableTwoFactor:u("/two-factor/enable",{method:"POST",body:Ve.z.object({password:Ve.z.string().min(8)}),use:[b]},async i=>{let a=i.context.session.user,{password:s}=i.body;if(!await Ut(i,{password:s,userId:a.id}))throw new St.APIError("BAD_REQUEST",{message:"Invalid password"});let c=V(16,q("a-z","0-9","-")),l=await Se({key:i.context.secret,data:c}),p=await It(i.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let f=await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),k=await i.context.internalAdapter.createSession(f.id,i.request);await w(i,{session:k,user:a})}await i.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await i.context.adapter.create({model:t.twoFactorTable,data:{id:i.context.uuid(),secret:l,backupCodes:p.encryptedBackupCodes,userId:a.id}});let m=(0,Qr.createTOTPKeyURI)(e?.issuer||"BetterAuth",a.email,Buffer.from(c),{digits:e?.totpOptions?.digits||6,period:new Hr.TimeSpan(e?.totpOptions?.period||30,"s")});return i.json({totpURI:m,backupCodes:p.backupCodes})}),disableTwoFactor:u("/two-factor/disable",{method:"POST",body:Ve.z.object({password:Ve.z.string().min(8)}),use:[b]},async 
i=>{let a=i.context.session.user,{password:s}=i.body;if(!await Ut(i,{password:s,userId:a.id}))throw new St.APIError("BAD_REQUEST",{message:"Invalid password"});return await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await i.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),i.json({status:!0})})},options:e,hooks:{after:[{matcher(i){return i.path==="/sign-in/email"||i.path==="/sign-in/username"},handler:S(async i=>{let a=i.context.returned;if(a?.status!==200)return;let s=await a.clone().json();if(!s.user.twoFactorEnabled)return;let d=i.context.createAuthCookie(st,{maxAge:30*24*60*60}),c=await i.getSignedCookie(d.name,i.context.secret);if(c){let[f,k]=c.split("!"),A=await ge(i.context.secret,`${s.user.id}!${k}`);if(f===A){let h=await ge(i.context.secret,`${s.user.id}!${s.session.id}`);await i.setSignedCookie(d.name,`${h}!${s.session.id}`,i.context.secret,d.attributes);return}}te(i);let l=await ge(i.context.secret,s.session.id),p=i.context.createAuthCookie(it,{maxAge:60*60*24});return await i.setSignedCookie(p.name,`${s.session.userId}!${l}`,i.context.secret,p.attributes),{response:new Response(JSON.stringify({twoFactorRedirect:!0}),{headers:i.responseHeader})}})}]},schema:{user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{tableName:t.twoFactorTable,fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}},rateLimit:[{pathMatcher(i){return i.startsWith("/two-factor/")},window:10,max:3}]}};var de=require("@simplewebauthn/server"),H=require("better-call");var Z=require("zod");var Ce=require("@simplewebauthn/browser");var sn=require("@better-fetch/fetch");var nu=require("nanostores");var Hc=require("@better-fetch/fetch");var nn=require("nanostores");var Gc=require("@better-fetch/fetch"),at=require("nanostores"),Pt=(e,t,r,o)=>{let 
n=(0,at.atom)({data:null,error:null,isPending:!0,isRefetching:!1}),i=()=>{let s=typeof o=="function"?o({data:n.get().data,error:n.get().error,isPending:n.get().isPending}):o;return r(t,{...s,onSuccess:async d=>{n.set({data:d.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(d)},async onError(d){n.set({error:d.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(d)},async onRequest(d){let c=n.get();n.set({isPending:c.data===null,data:c.data,error:null,isRefetching:!0}),await s?.onRequest?.(d)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?i():(0,at.onMount)(n,()=>(i(),a=!0,()=>{n.off(),s.off()}))});return n};var Wr=require("nanostores"),Gr=(e,{_listPasskeys:t})=>({signIn:{passkey:async(n,i)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:n?.email}});if(!a.data)return a;try{let s=await(0,Ce.startAuthentication)(a.data,n?.autoFill||!1),d=await e("/passkey/verify-authentication",{body:{response:s},...n?.fetchOptions,...i,method:"POST"});if(!d.data)return d}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(n,i)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await(0,Ce.startRegistration)(a.data),d=await e("/passkey/verify-registration",{...n?.fetchOptions,...i,body:{response:s,name:n?.name},method:"POST"});if(!d.data)return d;t.set(Math.random())}catch(s){return s instanceof Ce.WebAuthnError?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown 
error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),an=()=>{let e=(0,Wr.atom)();return{id:"passkey",$InferServerPlugin:{},getActions:t=>Gr(t,{_listPasskeys:e}),getAtoms(t){return{listPasskeys:Pt(e,"/passkey/list-user-passkeys",t,{method:"GET"}),_listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var dn=e=>{let t=Ge.BETTER_AUTH_URL,r=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!r)throw new G("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:r,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},n=new Date(Date.now()+1e3*60*5),i=new Date,a=Math.floor((n.getTime()-i.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:u("/passkey/generate-register-options",{method:"GET",use:[b],metadata:{client:!1}},async s=>{let d=s.context.session,c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),l=new Uint8Array(Buffer.from(V(32,q("a-z","0-9")))),p;p=await(0,de.generateRegistrationOptions)({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:l,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await 
s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify({expectedChallenge:p.challenge,userData:{id:d.user.id}}),expiresAt:n}),s.json(p,{status:200})}),generatePasskeyAuthenticationOptions:u("/passkey/generate-authenticate-options",{method:"POST",body:Z.z.object({email:Z.z.string().optional()}).optional()},async s=>{let d=await D(s),c=[];d&&(c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let l=await(0,de.generateAuthenticationOptions)({rpID:o.rpID,userVerification:"preferred",...c.length?{allowCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")}))}:{}}),p={expectedChallenge:l.challenge,userData:{id:d?.user.id||""}},m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify(p),expiresAt:n}),s.json(l,{status:200})}),verifyPasskeyRegistration:u("/passkey/verify-registration",{method:"POST",body:Z.z.object({response:Z.z.any(),name:Z.z.string().optional()}),use:[b]},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)return s.json(null,{status:400});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)return s.json(null,{status:400});let{expectedChallenge:m,userData:f}=JSON.parse(p.value);if(f.id!==s.context.session.user.id)throw new H.APIError("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let k=await(0,de.verifyRegistrationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:A,registrationInfo:h}=k;if(!A||!h)return 
s.json(null,{status:400});let{credentialID:_,credentialPublicKey:be,counter:W,credentialDeviceType:Qe,credentialBackedUp:Ae}=h,ue=Buffer.from(be).toString("base64"),ut=z(),eo={name:s.body.name,userId:f.id,webauthnUserID:ut,id:_,publicKey:ue,counter:W,deviceType:Qe,transports:c.response.transports.join(","),backedUp:Ae,createdAt:new Date},to=await s.context.adapter.create({model:"passkey",data:eo});return s.json(to,{status:200})}catch(k){throw console.log(k),new H.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:u("/passkey/verify-authentication",{method:"POST",body:Z.z.object({response:Z.z.any()})},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)throw new H.APIError("BAD_REQUEST",{message:"origin missing"});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:m}=JSON.parse(p.value),f=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:c.id}]});if(!f)throw new H.APIError("UNAUTHORIZED",{message:"Passkey not found"});try{let k=await(0,de.verifyAuthenticationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:f.id,credentialPublicKey:new Uint8Array(Buffer.from(f.publicKey,"base64")),counter:f.counter,transports:f.transports?.split(",")}}),{verified:A}=k;if(!A)throw new H.APIError("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:f.id}],update:{counter:k.authenticationInfo.newCounter}});let h=await s.context.internalAdapter.createSession(f.userId,s.request);if(!h)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let _=await 
s.context.internalAdapter.findUserById(f.userId);if(!_)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"User not found"});return await w(s,{session:h,user:_}),s.json({session:h},{status:200})}catch(k){throw s.context.logger.error(k),new H.APIError("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:u("/passkey/list-user-passkeys",{method:"GET",use:[b]},async s=>{let d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(d,{status:200})}),deletePasskey:u("/passkey/delete-passkey",{method:"POST",body:Z.z.object({id:Z.z.string()}),use:[b]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:{passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}}}};var qe=require("zod");var Me=require("better-call"),_t=()=>({id:"username",endpoints:{signInUsername:u("/sign-in/username",{method:"POST",body:qe.z.object({username:qe.z.string(),password:qe.z.string(),dontRememberMe:qe.z.boolean().optional()})},async e=>{let t=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:_t}),new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let r=await 
e.context.adapter.findOne({model:e.context.tables.account.tableName,where:[{field:e.context.tables.account.fields.userId.fieldName||"userId",value:t.id},{field:e.context.tables.account.fields.providerId.fieldName||"providerId",value:"credential"}]});if(!r)throw new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let o=r?.password;if(!o)throw e.context.logger.error("Password not found",{username:_t}),new Me.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let i=await e.context.internalAdapter.createSession(t.id,e.request);return i?(await e.setSignedCookie(e.context.authCookies.sessionToken.name,i.id,e.context.secret,e.body.dontRememberMe?{...e.context.authCookies.sessionToken.options,maxAge:void 0}:e.context.authCookies.sessionToken.options),e.json({user:t,session:i})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});var Kr=require("better-call"),cn=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let r="";return t.includes(".")?r=t:r=await(0,Kr.serializeSigned)("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),{context:e}}}]}});var ye=require("zod");var Ct=require("better-call");var 
un=e=>({id:"magic-link",endpoints:{signInMagicLink:u("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ye.z.object({email:ye.z.string().email(),callbackURL:ye.z.string().optional()})},async t=>{let{email:r}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(r))throw new Ct.APIError("BAD_REQUEST",{message:"User not found"});let o=V(32,q("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:r,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let n=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:r,url:n,token:o})}catch(i){throw t.context.logger.error("Failed to send magic link",i),new Ct.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:u("/magic-link/verify",{method:"GET",query:ye.z.object({token:ye.z.string(),callbackURL:ye.z.string().optional()}),requireHeaders:!0},async t=>{let{token:r,callbackURL:o}=t.query,n=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,i=await t.context.internalAdapter.findVerificationValue(r);if(!i)throw t.redirect(`${n}?error=INVALID_TOKEN`);if(i.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(i.id),t.redirect(`${n}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(i.id);let a=i.value,s=await t.context.internalAdapter.findUserByEmail(a),d=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${n}?error=USER_NOT_FOUND`);if(d=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!d)throw t.redirect(`${n}?error=USER_NOT_CREATED`)}let c=await t.context.internalAdapter.createSession(d,t.headers);if(!c)throw t.redirect(`${n}?error=SESSION_NOT_CREATED`);if(await w(t,{session:c,user:s?.user}),!o)return t.json({status:!0});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return 
t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});var ce=require("zod");var Y=require("better-call");function ln(e){return V(e,q("0-9"))}var pn=e=>{let t={phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt",expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6};return{id:"phone-number",endpoints:{sendPhoneNumberOTP:u("/phone-number/send-otp",{method:"POST",body:ce.z.object({phoneNumber:ce.z.string()})},async r=>{if(!e?.sendOTP)throw y.warn("sendOTP not implemented"),new Y.APIError("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});let o=ln(t.otpLength);return await r.context.internalAdapter.createVerificationValue({value:o,identifier:r.body.phoneNumber,expiresAt:C(t.expiresIn,"sec")}),await e.sendOTP(r.body.phoneNumber,o),r.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:u("/phone-number/verify",{method:"POST",body:ce.z.object({phoneNumber:ce.z.string(),code:ce.z.string(),disableSession:ce.z.boolean().optional(),updatePhoneNumber:ce.z.boolean().optional()})},async r=>{let o=await r.context.internalAdapter.findVerificationValue(r.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await r.context.internalAdapter.deleteVerificationValue(o.id),new Y.APIError("BAD_REQUEST",{message:"OTP expired"})):new Y.APIError("BAD_REQUEST",{message:"OTP not found"});if(o.value!==r.body.code)throw new Y.APIError("BAD_REQUEST",{message:"Invalid OTP"});if(await r.context.internalAdapter.deleteVerificationValue(o.id),r.body.updatePhoneNumber){let i=await D(r);if(!i)throw new Y.APIError("UNAUTHORIZED",{message:"Session not found"});let a=await r.context.internalAdapter.updateUser(i.user.id,{[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0});return r.json({user:a,session:i.session})}let n=await 
r.context.adapter.findOne({model:r.context.tables.user.tableName,where:[{value:r.body.phoneNumber,field:t.phoneNumber}]});if(n)n=await r.context.internalAdapter.updateUser(n.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(n=await r.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(r.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(r.body.phoneNumber):r.body.phoneNumber,[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0}),!n)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else throw new Y.APIError("BAD_REQUEST",{message:"Phone number not found"});if(!n)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!r.body.disableSession){let i=await r.context.internalAdapter.createSession(n.id,r.request);if(!i)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(r,{session:i,user:n}),r.json({user:n,session:i})}return r.json({user:n,session:null})})},schema:{user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}}}};var dt=require("zod");var mn=e=>({id:"anonymous",endpoints:{signInAnonymous:u("/sign-in/anonymous",{method:"POST"},async t=>{let{emailDomainName:r=Je(t.context.baseURL)}=e||{},o=z(),n=`temp-${o}@${r}`,i=await t.context.internalAdapter.createUser({id:o,email:n,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!i)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(i.id,t.request);return a?(await w(t,{session:a,user:i}),t.json({user:i,session:a})):t.json(null,{status:400,body:{message:"Could not create 
session"}})}),linkAccount:u("/anonymous/link-account",{method:"POST",body:dt.z.object({email:dt.z.string().email().optional(),password:dt.z.string().min(6)}),use:[b]},async t=>{let r=t.context.session.user.id,{email:o,password:n}=t.body,i=null;if(o&&n&&(i=await t.context.internalAdapter.updateUser(r,{email:o,isAnonymous:!1})),!i)return t.json(null,{status:500,body:{message:"Failed to update user",status:500}});let a=await t.context.password.hash(n);if(!await t.context.internalAdapter.linkAccount({userId:i.id,providerId:"credential",password:a,accountId:i.id}))return t.json(null,{status:500,body:{message:"Failed to update account",status:500}});let d=await t.context.internalAdapter.createSession(i.id,t.request);return d?(await w(t,{session:d,user:i}),t.json({session:d,user:i})):t.json(null,{status:400,body:{message:"Could not create session"}})})},schema:{user:{fields:{isAnonymous:{type:"boolean",required:!1}}}}});var g=require("zod");var K=S(async e=>{let t=await D(e);if(!t?.session)throw new E.APIError("UNAUTHORIZED");let r=t.user;if(r.role!=="admin")throw new E.APIError("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:r,session:t.session}}}),fn=e=>({id:"admin",init(t){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let o=await t.internalAdapter.findUserById(r.userId);if(o.banned){if(o.banExpires&&o.banExpires<Date.now()){await t.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(t){return t.path==="/list-sessions"},handler:S(async t=>{let r=t.context.returned;if(r){let n=(await r.json()).filter(a=>!a.impersonatedBy),i=new Response(JSON.stringify(n),{status:200,statusText:"OK",headers:r.headers});return 
t.json({response:i})}})}]},endpoints:{setRole:u("/admin/set-role",{method:"POST",body:g.z.object({userId:g.z.string(),role:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{role:t.body.role});return t.json({user:r})}),createUser:u("/admin/create-user",{method:"POST",body:g.z.object({email:g.z.string(),password:g.z.string(),name:g.z.string(),role:g.z.string(),data:g.z.optional(g.z.record(g.z.any()))}),use:[K]},async t=>{if(await t.context.internalAdapter.findUserByEmail(t.body.email))throw new E.APIError("BAD_REQUEST",{message:"User already exists"});let o=await t.context.internalAdapter.createUser({email:t.body.email,name:t.body.name,role:t.body.role,...t.body.data});if(!o)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let n=await t.context.password.hash(t.body.password);return await t.context.internalAdapter.linkAccount({accountId:o.id,providerId:"credential",password:n,userId:o.id}),t.json({user:o})}),listUsers:u("/admin/list-users",{method:"GET",use:[K],query:g.z.object({search:g.z.object({field:g.z.enum(["email","name"]),operator:g.z.enum(["contains","starts_with","ends_with"]).default("contains"),value:g.z.string()}).optional(),limit:g.z.string().or(g.z.number()).optional(),offset:g.z.string().or(g.z.number()).optional(),sortBy:g.z.string().optional(),sortDirection:g.z.enum(["asc","desc"]).optional(),filter:g.z.array(g.z.object({field:g.z.string(),value:g.z.string().or(g.z.number()).or(g.z.boolean()),operator:g.z.enum(["eq","ne","lt","lte","gt","gte"]),connector:g.z.enum(["AND","OR"]).optional()})).optional()})},async t=>{let r=[];t.query?.search&&r.push({field:t.query.search.field,operator:t.query.search.operator,value:t.query.search.value}),t.query?.filter&&r.push(...t.query.filter||[]);let o=await t.context.internalAdapter.listUsers(Number(t.query?.limit)||void 0,Number(t.query?.offset)||void 0,t.query?.sortBy?{field:t.query.sortBy,direction:t.query.sortDirection||"asc"}:void 
0,r.length?r:void 0);return t.json({users:o})}),listUserSessions:u("/admin/list-user-sessions",{method:"POST",use:[K],body:g.z.object({userId:g.z.string()})},async t=>({sessions:await t.context.internalAdapter.listSessions(t.body.userId)})),unbanUser:u("/admin/unban-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!1});return t.json({user:r})}),banUser:u("/admin/ban-user",{method:"POST",body:g.z.object({userId:g.z.string(),banReason:g.z.string().optional(),banExpiresIn:g.z.number().optional()}),use:[K]},async t=>{if(t.body.userId===t.context.session.user.id)throw new E.APIError("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!0,banReason:t.body.banReason||e?.defaultBanReason||"No reason",banExpires:t.body.banExpiresIn?C(t.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?C(e.defaultBanExpiresIn,"sec"):void 0});return await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({user:r})}),impersonateUser:u("/admin/impersonate-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.findUserById(t.body.userId);if(!r)throw new E.APIError("NOT_FOUND",{message:"User not found"});let o=await t.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:t.context.session.user.id,expiresAt:e?.impersonationSessionDuration?C(e.impersonationSessionDuration,"sec"):C(60*60,"sec")});if(!o)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(t,{session:o,user:r},!0),t.json({session:o,user:r})}),revokeUserSession:u("/admin/revoke-user-session",{method:"POST",body:g.z.object({sessionId:g.z.string()}),use:[K]},async t=>(await 
t.context.internalAdapter.deleteSession(t.body.sessionId),t.json({success:!0}))),revokeUserSessions:u("/admin/revoke-user-sessions",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({success:!0}))),removeUser:u("/admin/remove-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteUser(t.body.userId),t.json({success:!0})))},schema:{user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}}});var X=require("zod"),ze=require("better-call");var ct=require("@better-fetch/fetch");var Jr=require("oslo/jwt");async function gn(e,t,r){if(t==="oidc"&&e.idToken){let n=(0,Jr.parseJWT)(e.idToken);if(n?.payload)return n.payload}return r?(await(0,ct.betterFetch)(r,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}})).data:null}var hn=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:u("/sign-in/oauth2",{method:"POST",query:X.z.object({currentURL:X.z.string().optional()}).optional(),body:X.z.object({providerId:X.z.string(),callbackURL:X.z.string().optional()})},async t=>{let{providerId:r}=t.body,o=e.config.find(ue=>ue.providerId===r);if(!o)throw new ze.APIError("BAD_REQUEST",{message:`No config found for provider ${r}`});let{discoveryUrl:n,authorizationUrl:i,tokenUrl:a,clientId:s,clientSecret:d,scopes:c,redirectURI:l,responseType:p,pkce:m,prompt:f,accessType:k}=o,A=i,h=a;if(n){let ue=await(0,ct.betterFetch)(n,{onError(ut){y.error(ut.error,{discoveryUrl:n})}});ue.data&&(A=ue.data.authorization_endpoint,h=ue.data.token_endpoint)}if(!A||!h)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let _=t.query?.currentURL?new 
URL(t.query?.currentURL):null,be=t.body.callbackURL?.startsWith("http")?t.body.callbackURL:`${_?.origin}${t.body.callbackURL||""}`,{state:W,codeVerifier:Qe}=await ke(t),Ae=await I({id:r,options:{clientId:s,clientSecret:d,redirectURI:l},authorizationEndpoint:A,state:W,codeVerifier:Qe,scopes:c||[],disablePkce:!m,redirectURI:`${t.context.baseURL}/oauth2/callback/${r}`});return p&&p!=="code"&&Ae.searchParams.set("response_type",p),f&&Ae.searchParams.set("prompt",f),k&&Ae.searchParams.set("access_type",k),t.json({url:Ae.toString(),redirect:!0})}),oAuth2Callback:u("/oauth2/callback/:providerId",{method:"GET",query:X.z.object({code:X.z.string().optional(),error:X.z.string().optional(),state:X.z.string()})},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let r=e.config.find(h=>h.providerId===t.params.providerId);if(!r)throw new ze.APIError("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,n=await Ye(t),{callbackURL:i,codeVerifier:a,errorURL:s}=n,d=t.query.code,c=r.tokenUrl,l=r.userInfoUrl;if(r.discoveryUrl){let h=await(0,ct.betterFetch)(r.discoveryUrl,{method:"GET"});h.data&&(c=h.data.token_endpoint,l=h.data.userinfo_endpoint)}try{if(!c)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await v({code:d,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${r.providerId}`,options:{clientId:r.clientId,clientSecret:r.clientSecret},tokenEndpoint:c})}catch(h){throw t.context.logger.error(h),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let p=r.getUserInfo?await r.getUserInfo(o):await gn(o,r.type||"oauth2",l),m=z(),f=p?tt.safeParse({...p,id:m}):null;if(!f?.success)throw t.redirect(`${s}?error=oauth_user_info_invalid`);let k=await t.context.internalAdapter.findUserByEmail(f.data.email,{includeAccounts:!0}).catch(h=>{throw 
y.error(`Better auth was unable to query your database.
85
+ Error: `,h),t.redirect(`${s}?error=internal_server_error`)}),A=k?.user.id||m;if(k){let h=k.accounts.find(W=>W.providerId===r.providerId),_=t.context.options.account?.accountLinking?.trustedProviders,be=_?_.includes(r.providerId):!0;if(!h&&(!f?.data.emailVerified||!be)){let W;try{W=new URL(s),W.searchParams.set("error","account_not_linked")}catch{throw t.redirect(`${s}?error=account_not_linked`)}throw t.redirect(W.toString())}if(h)await t.context.internalAdapter.updateAccount(h.id,{accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt});else try{await t.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:f.data.id,id:`${r.providerId}:${f.data.id}`,userId:k.user.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch(W){throw console.log(W),t.redirect(`${s}?error=failed_linking_account`)}}else try{await t.context.internalAdapter.createOAuthUser(f.data,{id:`${r.providerId}:${f.data.id}`,providerId:r.providerId,accountId:f.data.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch{let _=new URL(s);throw _.searchParams.set("error","unable_to_create_user"),t.setHeader("Location",_.toString()),t.redirect(_.toString())}try{let h=await t.context.internalAdapter.createSession(A||m,t.request);if(!h)throw t.redirect(`${s}?error=unable_to_create_session`);await w(t,{session:h,user:f.data})}catch{throw t.redirect(`${s}?error=unable_to_create_session`)}throw t.redirect(i)})}});var Be=require("zod"),Zr={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},cl=Be.z.object({id:Be.z.string(),publicKey:Be.z.string(),privateKey:Be.z.string(),createdAt:Be.z.date()});var zt=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await 
e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});var ne=require("jose");var wn=e=>({id:"jwt",endpoints:{getJwks:u("/jwks",{method:"GET"},async t=>{let o=await zt(t.context.adapter).getAllKeys();return t.json({keys:o.map(n=>({...JSON.parse(n.publicKey),kid:n.id}))})}),getToken:u("/token",{method:"GET",requireHeaders:!0,use:[b]},async t=>{let r=zt(t.context.adapter),o=await r.getLatestKey(),n=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:c,privateKey:l}=await(0,ne.generateKeyPair)(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),p=await(0,ne.exportJWK)(c),m=await(0,ne.exportJWK)(l),f=JSON.stringify(m),k={id:crypto.randomUUID(),publicKey:JSON.stringify(p),privateKey:n?JSON.stringify(await Se({key:t.context.options.secret,data:f})):f,createdAt:new Date};o=await r.createJwk(k)}let i=n?await Pe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await(0,ne.importJWK)(JSON.parse(i)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new ne.SignJWT({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:Zr});var $e=require("zod");var yn=e=>{let t={maximumSessions:5,...e},r=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:u("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let n=o.headers?.get("cookie");if(!n)return o.json([]);let i=Object.fromEntries(Ke(n)),a=(await 
Promise.all(Object.entries(i).filter(([c])=>r(c)).map(async([c])=>await o.getSignedCookie(c,o.context.secret)))).filter(c=>c!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(c=>c&&c.session.expiresAt>new Date).filter((c,l,p)=>l===p.findIndex(m=>m.user.id===c.user.id));return Object.entries(i).filter(([c])=>r(c)).forEach(([c,l])=>{d.some(p=>p.session.id===l)||o.setCookie(c,"",{...o.context.authCookies.sessionToken.options,maxAge:0})}),o.json(d)}),setActiveSession:u("/multi-session/set-active",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);if(!s||s.session.expiresAt<new Date)throw o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});return await o.setSignedCookie(o.context.authCookies.sessionToken.name,n,o.context.secret,o.context.authCookies.sessionToken.options),o.json(s)}),revokeDeviceSession:u("/multi-session/revoke",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);return o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),s?(await o.context.internalAdapter.deleteSession(n),o.json({success:!0})):o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:S(async o=>{if(!o.context.returned||!(o.context.returned instanceof Response))return;let n=o.context.returned.headers.get("set-cookie");if(!n)return;let 
i=jt(n),a=o.context.authCookies.sessionToken,s=i.get(a.name)?.value;if(!s)return;let d=Ke(o.headers?.get("cookie")||""),c=s.split(".")[0],l=`${a.name}_multi-${c}`;if(i.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(r).length+(n.includes("session_token")?1:0)>t.maximumSessions)return;await o.setSignedCookie(l,c,o.context.secret,a.options);let m=o.context.returned;return m.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:m}})},{matcher:o=>o.path==="/sign-out",handler:S(async o=>{let n=o.headers?.get("cookie");if(!n)return;let i=Object.fromEntries(Ke(n));await Promise.all(Object.entries(i).map(async([s,d])=>{if(r(s)){o.setCookie(s,"",{maxAge:0});let c=s.split("_multi-")[1];await o.context.internalAdapter.deleteSession(c)}}));let a=o.context.returned;return a?.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:a}})}]}}};var ee=require("zod");var bn=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:u("/email-otp/send-verification-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),type:ee.z.enum(["email-verification","sign-in"])})},async r=>{if(!e?.sendVerificationOTP)throw y.error("send email verification is not implemented"),new E.APIError("BAD_REQUEST",{message:"send email verification is not implemented"});let o=r.body.email,n=V(t.otpLength,q("0-9"));return await r.context.internalAdapter.createVerificationValue({value:n,identifier:`${r.body.type}-otp-${o}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:r.body.type}),r.json({success:!0})}),verifyEmailOTP:u("/email-otp/verify-email",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let 
i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return r.json({user:s})}),signInEmailOTP:u("/sign-in/email-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.createSession(a.user.id,r.request);return await w(r,{session:s,user:a.user}),r.json({session:s,user:a})})},hooks:{after:[{matcher(r){return!!(r.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(r){let o=r.context.returned;if(o?.status!==200)return;let n=await o.clone().json();if(n.user.email&&n.user.emailVerified===!1){let i=V(t.otpLength,q("0-9"));await r.context.internalAdapter.createVerificationValue({value:i,identifier:`email-verification-otp-${n.user.email}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:n.user.email,otp:i,type:"email-verification"})}}}]}}};var Bt=require("zod");var Xr=require("@better-fetch/fetch");function Yr(e){return e==="true"||e===!0}var An=e=>({id:"one-tap",endpoints:{oneTapCallback:u("/one-tap/callback",{method:"POST",body:Bt.z.object({idToken:Bt.z.string()})},async 
t=>{let{idToken:r}=t.body,{data:o,error:n}=await(0,Xr.betterFetch)("https://oauth2.googleapis.com/tokeninfo?id_token="+r);if(n)return t.json({error:"Invalid token"});let i=await t.context.internalAdapter.findUserByEmail(o.email);if(!i){if(e?.disableSignup)throw new E.APIError("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:Yr(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await w(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(i.user.id,t.request);return await w(t,{user:i.user,session:a}),t.json({session:a,user:i})})}});0&&(module.exports={HIDE_METADATA,admin,adminMiddleware,anonymous,bearer,createAuthEndpoint,createAuthMiddleware,emailOTP,genericOAuth,getPasskeyActions,jwt,magicLink,multiSession,oneTap,optionsMiddleware,organization,passkey,passkeyClient,phoneNumber,twoFactor,twoFactorClient,username});