better-auth 0.7.3-beta.5 → 0.7.3-beta.6
- package/dist/client/plugins.d.cts +2 -2
- package/dist/client/plugins.d.ts +2 -2
- package/dist/{index-D7B6tRWQ.d.cts → index-Ce4x5r90.d.cts} +24 -0
- package/dist/{index-QYPscBrJ.d.ts → index-D1xP80c-.d.ts} +24 -0
- package/dist/plugins.cjs +1 -1
- package/dist/plugins.d.cts +1 -1
- package/dist/plugins.d.ts +1 -1
- package/dist/plugins.js +1 -1
- package/package.json +1 -1
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import * as nanostores from 'nanostores';
|
|
2
|
-
import { o as organization, q as Organization, M as Member, I as Invitation, r as AccessControl, S as StatementsPrimitive, R as Role, u as username, m as magicLink, d as phoneNumber, e as anonymous, i as admin, j as genericOAuth, k as jwt, l as multiSession, n as emailOTP } from '../index-
|
|
3
|
-
export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-
|
|
2
|
+
import { o as organization, q as Organization, M as Member, I as Invitation, r as AccessControl, S as StatementsPrimitive, R as Role, u as username, m as magicLink, d as phoneNumber, e as anonymous, i as admin, j as genericOAuth, k as jwt, l as multiSession, n as emailOTP } from '../index-Ce4x5r90.cjs';
|
|
3
|
+
export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-Ce4x5r90.cjs';
|
|
4
4
|
import * as _better_fetch_fetch from '@better-fetch/fetch';
|
|
5
5
|
import { BetterFetchOption } from '@better-fetch/fetch';
|
|
6
6
|
import { P as Prettify } from '../index-DUqGSAH3.cjs';
|
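--- a/package/dist/client/plugins.d.ts
+++ b/package/dist/client/plugins.d.ts
@@ -1,6 +1,6 @@
 import * as nanostores from 'nanostores';
-import { o as organization, q as Organization, M as Member, I as Invitation, r as AccessControl, S as StatementsPrimitive, R as Role, u as username, m as magicLink, d as phoneNumber, e as anonymous, i as admin, j as genericOAuth, k as jwt, l as multiSession, n as emailOTP } from '../index-
-export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-
+import { o as organization, q as Organization, M as Member, I as Invitation, r as AccessControl, S as StatementsPrimitive, R as Role, u as username, m as magicLink, d as phoneNumber, e as anonymous, i as admin, j as genericOAuth, k as jwt, l as multiSession, n as emailOTP } from '../index-D1xP80c-.js';
+export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-D1xP80c-.js';
 import * as _better_fetch_fetch from '@better-fetch/fetch';
 import { BetterFetchOption } from '@better-fetch/fetch';
 import { P as Prettify } from '../index-DUqGSAH3.js';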
|
@@ -6658,6 +6658,13 @@ interface EmailOTPOptions {
|
|
|
6658
6658
|
* @Default false
|
|
6659
6659
|
*/
|
|
6660
6660
|
sendVerificationOnSignUp?: boolean;
|
|
6661
|
+
/**
|
|
6662
|
+
* A boolean value that determines whether to prevent
|
|
6663
|
+
* automatic sign-up when the user is not registered.
|
|
6664
|
+
*
|
|
6665
|
+
* @Default false
|
|
6666
|
+
*/
|
|
6667
|
+
disableSignUp?: boolean;
|
|
6661
6668
|
}
|
|
6662
6669
|
declare const emailOTP: (options: EmailOTPOptions) => {
|
|
6663
6670
|
id: "email-otp";
|
|
@@ -6748,6 +6755,23 @@ declare const emailOTP: (options: EmailOTPOptions) => {
|
|
|
6748
6755
|
}>]>(...ctx: C): Promise<C extends [{
|
|
6749
6756
|
asResponse: true;
|
|
6750
6757
|
}] ? Response : {
|
|
6758
|
+
user: {
|
|
6759
|
+
id: string;
|
|
6760
|
+
email: string;
|
|
6761
|
+
emailVerified: boolean;
|
|
6762
|
+
name: string;
|
|
6763
|
+
createdAt: Date;
|
|
6764
|
+
updatedAt: Date;
|
|
6765
|
+
image?: string | undefined;
|
|
6766
|
+
};
|
|
6767
|
+
session: {
|
|
6768
|
+
id: string;
|
|
6769
|
+
userId: string;
|
|
6770
|
+
expiresAt: Date;
|
|
6771
|
+
ipAddress?: string | undefined;
|
|
6772
|
+
userAgent?: string | undefined;
|
|
6773
|
+
};
|
|
6774
|
+
} | {
|
|
6751
6775
|
session: {
|
|
6752
6776
|
id: string;
|
|
6753
6777
|
userId: string;
|
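Review bot: The doc comment added for `disableSignUp` (in `interface EmailOTPOptions`, which begins above the hunk) says only that automatic sign-up is prevented; it does not say what the sign-in call returns for an unregistered email when the option is `true`, nor that the default `false` leaves OTP sign-in creating accounts for unknown addresses, as the wording implies. I would add a line such as `* When true, signing in with an unregistered email fails instead of creating a user.` once that behaviour is confirmed against the implementation, which this declaration file does not show. If that failure is distinguishable from the response given for a registered email, the endpoint reveals which addresses have accounts, so the comment should state the trade-off or the handler should return a uniform response. The tag is spelled `@Default`, matching the option above it, whereas documentation tooling generally expects lowercase `@default`; changing both together would keep them consistent. The same two hunks repeat for the `.d.ts` build below, and since both files look generated the wording belongs in the plugin source.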
|
@@ -6658,6 +6658,13 @@ interface EmailOTPOptions {
|
|
|
6658
6658
|
* @Default false
|
|
6659
6659
|
*/
|
|
6660
6660
|
sendVerificationOnSignUp?: boolean;
|
|
6661
|
+
/**
|
|
6662
|
+
* A boolean value that determines whether to prevent
|
|
6663
|
+
* automatic sign-up when the user is not registered.
|
|
6664
|
+
*
|
|
6665
|
+
* @Default false
|
|
6666
|
+
*/
|
|
6667
|
+
disableSignUp?: boolean;
|
|
6661
6668
|
}
|
|
6662
6669
|
declare const emailOTP: (options: EmailOTPOptions) => {
|
|
6663
6670
|
id: "email-otp";
|
|
@@ -6748,6 +6755,23 @@ declare const emailOTP: (options: EmailOTPOptions) => {
|
|
|
6748
6755
|
}>]>(...ctx: C): Promise<C extends [{
|
|
6749
6756
|
asResponse: true;
|
|
6750
6757
|
}] ? Response : {
|
|
6758
|
+
user: {
|
|
6759
|
+
id: string;
|
|
6760
|
+
email: string;
|
|
6761
|
+
emailVerified: boolean;
|
|
6762
|
+
name: string;
|
|
6763
|
+
createdAt: Date;
|
|
6764
|
+
updatedAt: Date;
|
|
6765
|
+
image?: string | undefined;
|
|
6766
|
+
};
|
|
6767
|
+
session: {
|
|
6768
|
+
id: string;
|
|
6769
|
+
userId: string;
|
|
6770
|
+
expiresAt: Date;
|
|
6771
|
+
ipAddress?: string | undefined;
|
|
6772
|
+
userAgent?: string | undefined;
|
|
6773
|
+
};
|
|
6774
|
+
} | {
|
|
6751
6775
|
session: {
|
|
6752
6776
|
id: string;
|
|
6753
6777
|
userId: string;
|
package/dist/plugins.cjs
CHANGED
|
@@ -82,4 +82,4 @@ Error: `,A),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)
|
|
|
82
82
|
</body>
|
|
83
83
|
</html>`,Bo=u("/error",{method:"GET",metadata:pe},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(zo(t),{headers:{"Content-Type":"text/html"}})});var Do=u("/ok",{method:"GET",metadata:pe},async e=>e.json({ok:!0}));var xo=require("zod");var Lo=require("better-call");var Ee=require("zod");var ht=require("better-call");var jo=u("/list-accounts",{method:"GET",use:[b]},async e=>{let t=e.context.session,r=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(r)}),No=u("/link-social",{method:"POST",requireHeaders:!0,query:Ee.z.object({currentURL:Ee.z.string().optional()}).optional(),body:Ee.z.object({callbackURL:Ee.z.string().optional(),provider:Ee.z.enum(Xe)}),use:[b]},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new ht.APIError("BAD_REQUEST",{message:"Social Account is already linked."});let n=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!n)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new ht.APIError("NOT_FOUND",{message:"Provider not found"});let i=await ke(e,{userId:t.user.id,email:t.user.email}),a=await n.createAuthorizationURL({state:i.state,codeVerifier:i.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${n.id}`});return e.json({url:a.toString(),redirect:!0})});var Ar=(e,t)=>{let r={};for(let[o,n]of Object.entries(e))r[o]=i=>n({...i,context:{...t,...i.context}}),r[o].path=n.path,r[o].method=n.method,r[o].options=n.options,r[o].headers=n.headers;return r};var Re=class extends Error{path;constructor(t,r){super(t),this.path=r}},rt=class{constructor(t){this.s=t;this.statements=t}statements;newRole(t){return new ot(t)}},ot=class e{statements;constructor(t){this.statements=t}authorize(t,r){for(let[o,n]of Object.entries(t)){let i=this.statements[o];if(!i)return{success:!1,error:`You are not allowed to access resource: ${o}`};let a=r==="OR"?n.some(s=>i.includes(s)):n.every(s=>i.includes(s));return a?{success:a}:{success:!1,error:`unauthorized to access resource "${o}"`}}return{success:!1,error:"Not authorized"}}static fromString(t){let r=JSON.parse(t);if(typeof r!="object")throw new Re("statements is not an object",".");for(let[o,n]of Object.entries(r)){if(typeof o!="string")throw new Re("invalid resource identifier",o);if(!Array.isArray(n))throw new Re("actions is not an array",o);for(let i=0;i<n.length;i++)if(typeof n[i]!="string")throw new Re("action is not a string",`${o}[${i}]`)}return new e(r)}toString(){return JSON.stringify(this.statements)}};var Fo=e=>new 
rt(e),Vo={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},wt=Fo(Vo),qo=wt.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),Mo=wt.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),$o=wt.newRole({organization:[],member:[],invitation:[]}),kr={admin:qo,owner:Mo,member:$o};var P=(e,t)=>{let r=e.adapter;return{findOrganizationBySlug:async o=>await r.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let n=await r.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),i=await r.create({model:"member",data:{id:z(),organizationId:n.id,userId:o.user.id,createdAt:new Date,email:o.user.email,role:t?.creatorRole||"owner"}});return{...n,metadata:n.metadata?JSON.parse(n.metadata):void 0,members:[{...i,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let n=await r.findOne({model:"member",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},findMemberByOrgId:async o=>{let[n,i]=await Promise.all([await r.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:o.userId}]})]);return!i||!n?null:{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}},findMemberById:async o=>{let n=await r.findOne({model:"member",where:[{field:"id",value:o}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return 
i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},createMember:async o=>await r.create({model:"member",data:o}),updateMember:async(o,n)=>await r.update({model:"member",where:[{field:"id",value:o}],update:{role:n}}),deleteMember:async o=>await r.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,n)=>await r.update({model:"organization",where:[{field:"id",value:o}],update:n}),deleteOrganization:async o=>(await r.delete({model:"member",where:[{field:"organizationId",value:o}]}),await r.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await r.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,n)=>await r.update({model:e.tables.session.tableName,where:[{field:"id",value:o}],update:{activeOrganizationId:n}}),findOrganizationById:async o=>await r.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async(o,n)=>{let[i,a,s]=await Promise.all([r.findOne({model:"organization",where:[{field:"id",value:o}]}),r.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),r.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!i)return null;let d=s.map(m=>m.userId),c=await r.findMany({model:e.tables.user.tableName,where:[{field:"id",value:d,operator:"in"}]}),l=new Map(c.map(m=>[m.id,m])),p=s.map(m=>{let f=l.get(m.userId);if(!f)throw new G("Unexpected error: User not found for member");return{...m,user:{id:f.id,name:f.name,email:f.email,image:f.image}}});return{...i,invitations:a,members:p}},listOrganizations:async o=>{let n=await r.findMany({model:"member",where:[{field:"userId",value:o}]});if(!n||n.length===0)return[];let i=n.map(s=>s.organizationId);return await r.findMany({model:"organization",where:[{field:"id",value:i,operator:"in"}]})},createInvitation:async({invitation:o,user:n})=>{let a=C(t?.invitationExpiresIn||1728e5);return await 
r.create({model:"invitation",data:{id:z(),email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:n.id}})},findInvitationById:async o=>await r.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await r.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(i=>new Date(i.expiresAt)>new Date),updateInvitation:async o=>await r.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};var hd=require("better-call");var yt=require("better-call");var Or=require("better-call");var Qo=S(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,n=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL,a=t?.redirectTo,s=r?.currentURL,d=o.trustedOrigins,c=e.headers?.has("cookie"),l=(p,m)=>{if(!d.some(k=>p?.startsWith(k)||p?.startsWith("/")&&m!=="origin"))throw y.error(`Invalid ${m}: ${p}`),y.info(`If it's a valid URL, please add ${p} to trustedOrigins in your auth config
|
|
84
84
|
`,`Current list of trustedOrigins: ${d}`),new Or.APIError("FORBIDDEN",{message:`Invalid ${m}`})};c&&!e.context.options.advanced?.disableCSRFCheck&&l(n,"origin"),i&&l(i,"callbackURL"),a&&l(a,"redirectURL"),s&&l(s,"currentURL")});var E=require("better-call");var B=S(async e=>({})),L=S({use:[b]},async e=>({session:e.context.session}));var F=require("zod");var R=require("zod"),nt=R.z.enum(["admin","member","owner"]),Ho=R.z.enum(["pending","accepted","rejected","canceled"]).default("pending"),Ad=R.z.object({id:R.z.string(),name:R.z.string(),slug:R.z.string(),logo:R.z.string().optional(),metadata:R.z.record(R.z.string()).or(R.z.string().transform(e=>JSON.parse(e))).optional(),createdAt:R.z.date()}),kd=R.z.object({id:R.z.string(),email:R.z.string(),organizationId:R.z.string(),userId:R.z.string(),role:nt,createdAt:R.z.date()}),Od=R.z.object({id:R.z.string(),organizationId:R.z.string(),email:R.z.string(),role:nt,status:Ho,inviterId:R.z.string(),expiresAt:R.z.date()});var T=require("better-call"),vr=u("/organization/invite-member",{method:"POST",use:[B,L],body:F.z.object({email:F.z.string(),role:nt,organizationId:F.z.string().optional(),resend:F.z.boolean().optional()})},async e=>{if(!e.context.orgOptions.sendInvitationEmail)throw y.warn("Invitation email is not enabled. 
Pass `sendInvitationEmail` to the plugin options to enable it."),new T.APIError("BAD_REQUEST",{message:"Invitation email is not enabled"});let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)throw new T.APIError("BAD_REQUEST",{message:"Organization not found"});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new T.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new T.APIError("BAD_REQUEST",{message:"Role not found!"});if(i.authorize({invitation:["create"]}).error)throw new T.APIError("FORBIDDEN",{message:"You are not allowed to invite members"});if(await o.findMemberByEmail({email:e.body.email,organizationId:r}))throw new T.APIError("BAD_REQUEST",{message:"User is already a member of this organization"});if((await o.findPendingInvitation({email:e.body.email,organizationId:r})).length&&!e.body.resend)throw new T.APIError("BAD_REQUEST",{message:"User is already invited to this organization"});let c=await o.createInvitation({invitation:{role:e.body.role,email:e.body.email,organizationId:r},user:t.user}),l=await o.findOrganizationById(r);if(!l)throw new T.APIError("BAD_REQUEST",{message:"Organization not found"});return await e.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:t.user}},e.request),e.json(c)}),Er=u("/organization/accept-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new T.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),i=await 
r.createMember({id:z(),organizationId:o.organizationId,userId:t.user.id,email:o.email,role:o.role,createdAt:new Date});return await r.setActiveOrganization(t.session.id,o.organizationId),n?e.json({invitation:n,member:i}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),Rr=u("/organization/reject-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new T.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:n,member:null})}),Ir=u("/organization/cancel-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o)throw new T.APIError("BAD_REQUEST",{message:"Invitation not found!"});let n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!n)throw new T.APIError("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[n.role].authorize({invitation:["cancel"]}).error)throw new T.APIError("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await r.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),Tr=u("/organization/get-invitation",{method:"GET",use:[B],requireHeaders:!0,query:F.z.object({id:F.z.string()})},async e=>{let t=await D(e);if(!t)throw new T.APIError("UNAUTHORIZED",{message:"Not authenticated"});let r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new 
T.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.findOrganizationById(o.organizationId);if(!n)throw new T.APIError("BAD_REQUEST",{message:"Organization not found"});let i=await r.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!i)throw new T.APIError("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:n.name,organizationSlug:n.slug,inviterEmail:i.email})});var se=require("zod");var Ie=require("better-call"),Ur=u("/organization/remove-member",{method:"POST",body:se.z.object({memberIdOrEmail:se.z.string(),organizationId:se.z.string().optional()}),use:[B,L]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new Ie.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new Ie.APIError("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||n.id===e.body.memberIdOrEmail;if(a&&n.role===(e.context.orgOptions?.creatorRole||"owner"))throw new Ie.APIError("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||i.authorize({member:["delete"]}).success))throw new Ie.APIError("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let c=null;if(e.body.memberIdOrEmail.includes("@")?c=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:r}):c=await o.findMemberById(e.body.memberIdOrEmail),c?.organizationId!==r)throw new Ie.APIError("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(c.id),t.user.id===c.userId&&t.session.activeOrganizationId===c.organizationId&&await 
o.setActiveOrganization(t.session.id,null),e.json({member:c})}),Sr=u("/organization/update-member-role",{method:"POST",body:se.z.object({role:se.z.enum(["admin","member","owner"]),memberId:se.z.string(),organizationId:se.z.string().optional()}),use:[B,L]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"Member not found!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({member:["update"]}).error||e.body.role==="owner"&&n.role!=="owner")return e.json(null,{body:{message:"You are not allowed to update this member"},status:403});let s=await o.updateMember(e.body.memberId,e.body.role);return s?e.json(s):e.json(null,{status:400,body:{message:"Member not found!"}})});var U=require("zod");var ae=require("better-call"),Pr=u("/organization/create",{method:"POST",body:U.z.object({name:U.z.string(),slug:U.z.string(),userId:U.z.string().optional(),logo:U.z.string().optional(),metadata:U.z.record(U.z.string()).optional()}),use:[B,L]},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let r=e.context.orgOptions;if(!(typeof r?.allowUserToCreateOrganization=="function"?await r.allowUserToCreateOrganization(t):r?.allowUserToCreateOrganization===void 0?!0:r.allowUserToCreateOrganization))throw new ae.APIError("FORBIDDEN",{message:"You are not allowed to create an organization"});let n=P(e.context,r),i=await n.listOrganizations(t.id);if(typeof r.organizationLimit=="number"?i.length>=r.organizationLimit:typeof r.organizationLimit=="function"?await r.organizationLimit(t):!1)throw new ae.APIError("FORBIDDEN",{message:"You have reached the organization limit"});if(await 
n.findOrganizationBySlug(e.body.slug))throw new ae.APIError("BAD_REQUEST",{message:"Organization with this slug already exists"});let d=await n.createOrganization({organization:{id:z(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return e.json(d)}),_r=u("/organization/update",{method:"POST",body:U.z.object({data:U.z.object({name:U.z.string().optional(),slug:U.z.string().optional()}).partial(),orgId:U.z.string().optional()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)throw new ae.APIError("UNAUTHORIZED",{message:"User not found"});let r=e.body.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(r,e.body.data);return e.json(s)}),Cr=u("/organization/delete",{method:"POST",body:U.z.object({orgId:U.z.string()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let r=e.body.orgId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["delete"]}).error)throw new ae.APIError("FORBIDDEN",{message:"You are not allowed 
to delete this organization"});return r===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.id,null),await o.deleteOrganization(r),e.json(r)}),zr=u("/organization/get-full",{method:"GET",query:U.z.optional(U.z.object({orgId:U.z.string().optional()})),requireHeaders:!0,use:[B,L]},async e=>{let t=e.context.session,r=e.query?.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:200});let n=await P(e.context,e.context.orgOptions).findFullOrganization(r,e.context.db||void 0);if(!n)throw new ae.APIError("BAD_REQUEST",{message:"Organization not found"});return e.json(n)}),Br=u("/organization/activate",{method:"POST",body:U.z.object({orgId:U.z.string().nullable().optional()}),use:[L,B]},async e=>{let t=P(e.context,e.context.orgOptions),r=e.context.session,o=e.body.orgId;if(o===null)return r.session.activeOrganizationId&&await t.setActiveOrganization(r.session.id,null),e.json(null);if(!o){let a=r.session.activeOrganizationId;if(!a)return e.json(null);o=a}if(!await t.findMemberByOrgId({userId:r.user.id,organizationId:o}))throw await t.setActiveOrganization(r.session.id,null),new ae.APIError("FORBIDDEN",{message:"You are not a member of this organization"});await t.setActiveOrganization(r.session.id,o);let i=await t.findFullOrganization(o,e.context.db||void 0);return e.json(i)}),Dr=u("/organization/list",{method:"GET",use:[B,L]},async e=>{let r=await P(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(r)});var Wo=e=>{let t={createOrganization:Pr,updateOrganization:_r,deleteOrganization:Cr,setActiveOrganization:Br,getFullOrganization:zr,listOrganization:Dr,createInvitation:vr,cancelInvitation:Ir,acceptInvitation:Er,getInvitation:Tr,rejectInvitation:Rr,removeMember:Ur,updateMemberRole:Sr},r={...kr,...e?.roles};return{id:"organization",endpoints:{...Ar(t,{orgOptions:e||{},roles:r,getSession:async n=>await 
D(n)}),hasPermission:u("/organization/has-permission",{method:"POST",requireHeaders:!0,body:Te.z.object({permission:Te.z.record(Te.z.string(),Te.z.array(Te.z.string()))}),use:[L]},async n=>{if(!n.context.session.session.activeOrganizationId)throw new bt.APIError("BAD_REQUEST",{message:"No active organization"});let a=await P(n.context).findMemberByOrgId({userId:n.context.session.user.id,organizationId:n.context.session.session.activeOrganizationId||""});if(!a)throw new bt.APIError("UNAUTHORIZED",{message:"You are not a member of this organization"});let d=r[a.role].authorize(n.body.permission);return d.error?n.json({error:d.error,success:!1},{status:403}):n.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1}}},organization:{fields:{name:{type:"string",required:!0},slug:{type:"string",unique:!0},logo:{type:"string",required:!1},createdAt:{type:"date",required:!0},metadata:{type:"string",required:!1}}},member:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},userId:{type:"string",required:!0},email:{type:"string",required:!0},role:{type:"string",required:!0,defaultValue:"member"},createdAt:{type:"date",required:!0}}},invitation:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},email:{type:"string",required:!0},role:{type:"string",required:!1},status:{type:"string",required:!0,defaultValue:"pending"},expiresAt:{type:"date",required:!0},inviterId:{type:"string",references:{model:"user",field:"id"},required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};var At=xt(require("uncrypto"),1);function Go(e){return e.toString(2).padStart(8,"0")}function Ko(e){return[...e].map(t=>Go(t)).join("")}function xr(e){return parseInt(Ko(e),2)}function Jo(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new 
Uint8Array(Math.ceil(t/8));At.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let n=xr(o);for(;n>=e;)At.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),n=xr(o);return n}function V(e,t){let r="";for(let o=0;o<e;o++)r+=t[Jo(t.length)];return r}function q(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var Ve=require("zod");var Ot=require("@noble/ciphers/chacha"),Ue=require("@noble/ciphers/utils"),vt=require("@noble/ciphers/webcrypto"),Et=require("oslo/crypto"),kt=xt(require("uncrypto"),1);var Lr=require("oslo/encoding");var Zo=require("@noble/hashes/scrypt"),Yo=require("uncrypto");async function ge(e,t){let r=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},n=await kt.default.subtle.importKey("raw",r.encode(e),o,!1,["sign","verify"]),i=await kt.default.subtle.sign(o.name,n,r.encode(t));return btoa(String.fromCharCode(...new Uint8Array(i)))}var Se=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,Ue.utf8ToBytes)(t),n=(0,vt.managedNonce)(Ot.xchacha20poly1305)(new Uint8Array(r));return(0,Ue.bytesToHex)(n.encrypt(o))},Pe=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,Ue.hexToBytes)(t),n=(0,vt.managedNonce)(Ot.xchacha20poly1305)(new Uint8Array(r));return new TextDecoder().decode(n.decrypt(o))};var J=require("zod");var oe=require("better-call");var it="two_factor";var st="trust_device";var Rt=require("zod");var he=S({body:Rt.z.object({trustDevice:Rt.z.boolean().optional()})},async e=>{let t=await D(e);if(!t){let r=e.context.createAuthCookie(it),o=await e.getSignedCookie(r.name,e.context.secret);if(!o)throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let[n,i]=o.split("!");if(!n||!i)throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let a=await 
e.context.adapter.findMany({model:e.context.tables.session.tableName,where:[{field:"userId",value:n}]});if(!a.length)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});let s=a.filter(d=>d.expiresAt>new Date);if(!s)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});for(let d of s){let c=await ge(e.context.secret,d.id),l=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"id",value:d.userId}]});if(!l)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});if(c===i)return{valid:async()=>{if(await w(e,{session:d,user:l},!1),e.body.trustDevice){let p=e.context.createAuthCookie(st,{maxAge:2592e3}),m=await ge(e.context.secret,`${l.id}!${d.id}`);await e.setSignedCookie(p.name,`${m}!${d.id}`,e.context.secret,p.attributes)}return e.json({session:d,user:l})},invalid:async()=>{throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:d.id,userId:d.userId,expiresAt:d.expiresAt,user:l}}}throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"})}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});var _e=require("better-call");function Xo(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>V(e?.length??10,q("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function It(e,t){let r=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():Xo(),n=await Se({data:JSON.stringify(o),key:r});return{backupCodes:o,encryptedBackupCodes:n}}async function en(e,t){let r=await jr(e.backupCodes,t);return r?r.includes(e.code):!1}async function jr(e,t){let r=Buffer.from(await Pe({key:t,data:e})).toString("utf-8"),o=JSON.parse(r),n=J.z.array(J.z.string()).safeParse(o);return n.success?n.data:null}var 
Nr=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:u("/two-factor/verify-backup-code",{method:"POST",body:J.z.object({code:J.z.string(),disableSession:J.z.boolean().optional()}),use:[he]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});if(!en({backupCodes:n.backupCodes,code:r.body.code},r.context.secret))throw new _e.APIError("BAD_REQUEST",{message:"Invalid backup code"});return r.body.disableSession||await w(r,{session:r.context.session,user:o}),r.json({user:o,session:r.context.session})}),generateBackupCodes:u("/two-factor/generate-backup-codes",{method:"POST",body:J.z.object({password:J.z.string()}),use:[b]},async r=>{let o=r.context.session.user;if(!o.twoFactorEnabled)throw new _e.APIError("BAD_REQUEST",{message:"Two factor isn't enabled"});await r.context.password.checkPassword(o.id,r);let n=await It(r.context.secret,e);return await r.context.adapter.update({model:t,update:{backupCodes:n.encryptedBackupCodes},where:[{field:"userId",value:r.context.session.user.id}]}),r.json({status:!0,backupCodes:n.backupCodes})}),viewBackupCodes:u("/view/backup-codes",{method:"GET",body:J.z.object({password:J.z.string()}),use:[b]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});await r.context.password.checkPassword(o.id,r);let i=jr(n.backupCodes,r.context.secret);if(!i)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});return r.json({status:!0,backupCodes:i})})}});var je=require("better-call"),Fr=require("oslo/otp"),Tt=require("zod");var Vr=require("oslo"),qr=(e,t)=>{let r={...e,period:new Vr.TimeSpan(e?.period||3,"m")},o=new Fr.TOTPController({digits:6,period:r.period}),n=u("/two-factor/send-otp",{method:"POST",use:[he]},async 
a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new je.APIError("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new je.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});let c=await o.generate(Buffer.from(d.secret));return await e.sendOTP(s,c),a.json({status:!0})}),i=u("/two-factor/verify-otp",{method:"POST",body:Tt.z.object({code:Tt.z.string()}),use:[he]},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new je.APIError("BAD_REQUEST",{message:"two factor isn't enabled"});let d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new je.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(d.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{send2FaOTP:n,verifyOTP:i}}};var we=require("better-call"),Mr=require("oslo"),Fe=require("oslo/otp"),Ne=require("zod");var $r=(e,t)=>{let r={...e,digits:6,period:new Mr.TimeSpan(e?.period||30,"s")},o=u("/totp/generate",{method:"POST",use:[b]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Fe.TOTPController(r).generate(Buffer.from(d.secret))}}),n=u("/two-factor/get-totp-uri",{method:"POST",use:[b],body:Ne.z.object({password:Ne.z.string()})},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. 
please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d||!s.twoFactorEnabled)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:(0,Fe.createTOTPKeyURI)(e?.issuer||"BetterAuth",s.email,Buffer.from(d.secret),r)}}),i=u("/two-factor/verify-totp",{method:"POST",body:Ne.z.object({code:Ne.z.string()}),use:[he]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});let c=new Fe.TOTPController(r),l=await Pe({key:a.context.secret,data:d.secret}),p=Buffer.from(l);if(!await c.verify(a.body.code,p))return a.context.invalid();if(!s.twoFactorEnabled){let f=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),k=await a.context.internalAdapter.createSession(s.id,a.request);await w(a,{session:k,user:f})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,viewTOTPURI:n,verifyTOTP:i}}};var tn=require("better-call");async function Ut(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),n=o?.password;return!o||!n?!1:await e.context.password.verify(n,t.password)}var St=require("better-call"),Qr=require("oslo/otp"),Hr=require("oslo");var 
rn=(e={redirect:!0,twoFactorPage:"/"})=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&(e.redirect||e.twoFactorPage)&&typeof window<"u"&&(window.location.href=e.twoFactorPage)}}}]});var on=e=>{let t={twoFactorTable:e?.twoFactorTable||"twoFactor"},r=$r({issuer:e?.issuer||"better-auth",...e?.totpOptions},t.twoFactorTable),o=Nr({...e?.backupCodeOptions},t.twoFactorTable),n=qr({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...r.endpoints,...n.endpoints,...o.endpoints,enableTwoFactor:u("/two-factor/enable",{method:"POST",body:Ve.z.object({password:Ve.z.string().min(8)}),use:[b]},async i=>{let a=i.context.session.user,{password:s}=i.body;if(!await Ut(i,{password:s,userId:a.id}))throw new St.APIError("BAD_REQUEST",{message:"Invalid password"});let c=V(16,q("a-z","0-9","-")),l=await Se({key:i.context.secret,data:c}),p=await It(i.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let f=await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),k=await i.context.internalAdapter.createSession(f.id,i.request);await w(i,{session:k,user:a})}await i.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await i.context.adapter.create({model:t.twoFactorTable,data:{id:i.context.uuid(),secret:l,backupCodes:p.encryptedBackupCodes,userId:a.id}});let m=(0,Qr.createTOTPKeyURI)(e?.issuer||"BetterAuth",a.email,Buffer.from(c),{digits:e?.totpOptions?.digits||6,period:new Hr.TimeSpan(e?.totpOptions?.period||30,"s")});return i.json({totpURI:m,backupCodes:p.backupCodes})}),disableTwoFactor:u("/two-factor/disable",{method:"POST",body:Ve.z.object({password:Ve.z.string().min(8)}),use:[b]},async 
i=>{let a=i.context.session.user,{password:s}=i.body;if(!await Ut(i,{password:s,userId:a.id}))throw new St.APIError("BAD_REQUEST",{message:"Invalid password"});return await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await i.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),i.json({status:!0})})},options:e,hooks:{after:[{matcher(i){return i.path==="/sign-in/email"||i.path==="/sign-in/username"},handler:S(async i=>{let a=i.context.returned;if(a?.status!==200)return;let s=await a.clone().json();if(!s.user.twoFactorEnabled)return;let d=i.context.createAuthCookie(st,{maxAge:30*24*60*60}),c=await i.getSignedCookie(d.name,i.context.secret);if(c){let[f,k]=c.split("!"),A=await ge(i.context.secret,`${s.user.id}!${k}`);if(f===A){let h=await ge(i.context.secret,`${s.user.id}!${s.session.id}`);await i.setSignedCookie(d.name,`${h}!${s.session.id}`,i.context.secret,d.attributes);return}}te(i);let l=await ge(i.context.secret,s.session.id),p=i.context.createAuthCookie(it,{maxAge:60*60*24});return await i.setSignedCookie(p.name,`${s.session.userId}!${l}`,i.context.secret,p.attributes),{response:new Response(JSON.stringify({twoFactorRedirect:!0}),{headers:i.responseHeader})}})}]},schema:{user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{tableName:t.twoFactorTable,fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}},rateLimit:[{pathMatcher(i){return i.startsWith("/two-factor/")},window:10,max:3}]}};var de=require("@simplewebauthn/server"),H=require("better-call");var Z=require("zod");var Ce=require("@simplewebauthn/browser");var sn=require("@better-fetch/fetch");var nu=require("nanostores");var Hc=require("@better-fetch/fetch");var nn=require("nanostores");var Gc=require("@better-fetch/fetch"),at=require("nanostores"),Pt=(e,t,r,o)=>{let 
n=(0,at.atom)({data:null,error:null,isPending:!0,isRefetching:!1}),i=()=>{let s=typeof o=="function"?o({data:n.get().data,error:n.get().error,isPending:n.get().isPending}):o;return r(t,{...s,onSuccess:async d=>{n.set({data:d.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(d)},async onError(d){n.set({error:d.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(d)},async onRequest(d){let c=n.get();n.set({isPending:c.data===null,data:c.data,error:null,isRefetching:!0}),await s?.onRequest?.(d)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?i():(0,at.onMount)(n,()=>(i(),a=!0,()=>{n.off(),s.off()}))});return n};var Wr=require("nanostores"),Gr=(e,{_listPasskeys:t})=>({signIn:{passkey:async(n,i)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:n?.email}});if(!a.data)return a;try{let s=await(0,Ce.startAuthentication)(a.data,n?.autoFill||!1),d=await e("/passkey/verify-authentication",{body:{response:s},...n?.fetchOptions,...i,method:"POST"});if(!d.data)return d}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(n,i)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await(0,Ce.startRegistration)(a.data),d=await e("/passkey/verify-registration",{...n?.fetchOptions,...i,body:{response:s,name:n?.name},method:"POST"});if(!d.data)return d;t.set(Math.random())}catch(s){return s instanceof Ce.WebAuthnError?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown 
error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),an=()=>{let e=(0,Wr.atom)();return{id:"passkey",$InferServerPlugin:{},getActions:t=>Gr(t,{_listPasskeys:e}),getAtoms(t){return{listPasskeys:Pt(e,"/passkey/list-user-passkeys",t,{method:"GET"}),_listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var dn=e=>{let t=Ge.BETTER_AUTH_URL,r=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!r)throw new G("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:r,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},n=new Date(Date.now()+1e3*60*5),i=new Date,a=Math.floor((n.getTime()-i.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:u("/passkey/generate-register-options",{method:"GET",use:[b],metadata:{client:!1}},async s=>{let d=s.context.session,c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),l=new Uint8Array(Buffer.from(V(32,q("a-z","0-9")))),p;p=await(0,de.generateRegistrationOptions)({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:l,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await 
s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify({expectedChallenge:p.challenge,userData:{id:d.user.id}}),expiresAt:n}),s.json(p,{status:200})}),generatePasskeyAuthenticationOptions:u("/passkey/generate-authenticate-options",{method:"POST",body:Z.z.object({email:Z.z.string().optional()}).optional()},async s=>{let d=await D(s),c=[];d&&(c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let l=await(0,de.generateAuthenticationOptions)({rpID:o.rpID,userVerification:"preferred",...c.length?{allowCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")}))}:{}}),p={expectedChallenge:l.challenge,userData:{id:d?.user.id||""}},m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify(p),expiresAt:n}),s.json(l,{status:200})}),verifyPasskeyRegistration:u("/passkey/verify-registration",{method:"POST",body:Z.z.object({response:Z.z.any(),name:Z.z.string().optional()}),use:[b]},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)return s.json(null,{status:400});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)return s.json(null,{status:400});let{expectedChallenge:m,userData:f}=JSON.parse(p.value);if(f.id!==s.context.session.user.id)throw new H.APIError("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let k=await(0,de.verifyRegistrationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:A,registrationInfo:h}=k;if(!A||!h)return 
s.json(null,{status:400});let{credentialID:_,credentialPublicKey:be,counter:W,credentialDeviceType:Qe,credentialBackedUp:Ae}=h,ue=Buffer.from(be).toString("base64"),ut=z(),eo={name:s.body.name,userId:f.id,webauthnUserID:ut,id:_,publicKey:ue,counter:W,deviceType:Qe,transports:c.response.transports.join(","),backedUp:Ae,createdAt:new Date},to=await s.context.adapter.create({model:"passkey",data:eo});return s.json(to,{status:200})}catch(k){throw console.log(k),new H.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:u("/passkey/verify-authentication",{method:"POST",body:Z.z.object({response:Z.z.any()})},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)throw new H.APIError("BAD_REQUEST",{message:"origin missing"});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:m}=JSON.parse(p.value),f=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:c.id}]});if(!f)throw new H.APIError("UNAUTHORIZED",{message:"Passkey not found"});try{let k=await(0,de.verifyAuthenticationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:f.id,credentialPublicKey:new Uint8Array(Buffer.from(f.publicKey,"base64")),counter:f.counter,transports:f.transports?.split(",")}}),{verified:A}=k;if(!A)throw new H.APIError("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:f.id}],update:{counter:k.authenticationInfo.newCounter}});let h=await s.context.internalAdapter.createSession(f.userId,s.request);if(!h)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let _=await 
s.context.internalAdapter.findUserById(f.userId);if(!_)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"User not found"});return await w(s,{session:h,user:_}),s.json({session:h},{status:200})}catch(k){throw s.context.logger.error(k),new H.APIError("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:u("/passkey/list-user-passkeys",{method:"GET",use:[b]},async s=>{let d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(d,{status:200})}),deletePasskey:u("/passkey/delete-passkey",{method:"POST",body:Z.z.object({id:Z.z.string()}),use:[b]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:{passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}}}};var qe=require("zod");var Me=require("better-call"),_t=()=>({id:"username",endpoints:{signInUsername:u("/sign-in/username",{method:"POST",body:qe.z.object({username:qe.z.string(),password:qe.z.string(),dontRememberMe:qe.z.boolean().optional()})},async e=>{let t=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:_t}),new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let r=await 
e.context.adapter.findOne({model:e.context.tables.account.tableName,where:[{field:e.context.tables.account.fields.userId.fieldName||"userId",value:t.id},{field:e.context.tables.account.fields.providerId.fieldName||"providerId",value:"credential"}]});if(!r)throw new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let o=r?.password;if(!o)throw e.context.logger.error("Password not found",{username:_t}),new Me.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let i=await e.context.internalAdapter.createSession(t.id,e.request);return i?(await e.setSignedCookie(e.context.authCookies.sessionToken.name,i.id,e.context.secret,e.body.dontRememberMe?{...e.context.authCookies.sessionToken.options,maxAge:void 0}:e.context.authCookies.sessionToken.options),e.json({user:t,session:i})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});var Kr=require("better-call"),cn=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let r="";return t.includes(".")?r=t:r=await(0,Kr.serializeSigned)("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),{context:e}}}]}});var ye=require("zod");var Ct=require("better-call");var 
un=e=>({id:"magic-link",endpoints:{signInMagicLink:u("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ye.z.object({email:ye.z.string().email(),callbackURL:ye.z.string().optional()})},async t=>{let{email:r}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(r))throw new Ct.APIError("BAD_REQUEST",{message:"User not found"});let o=V(32,q("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:r,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let n=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:r,url:n,token:o})}catch(i){throw t.context.logger.error("Failed to send magic link",i),new Ct.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:u("/magic-link/verify",{method:"GET",query:ye.z.object({token:ye.z.string(),callbackURL:ye.z.string().optional()}),requireHeaders:!0},async t=>{let{token:r,callbackURL:o}=t.query,n=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,i=await t.context.internalAdapter.findVerificationValue(r);if(!i)throw t.redirect(`${n}?error=INVALID_TOKEN`);if(i.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(i.id),t.redirect(`${n}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(i.id);let a=i.value,s=await t.context.internalAdapter.findUserByEmail(a),d=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${n}?error=USER_NOT_FOUND`);if(d=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!d)throw t.redirect(`${n}?error=USER_NOT_CREATED`)}let c=await t.context.internalAdapter.createSession(d,t.headers);if(!c)throw t.redirect(`${n}?error=SESSION_NOT_CREATED`);if(await w(t,{session:c,user:s?.user}),!o)return t.json({status:!0});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return 
t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});var ce=require("zod");var Y=require("better-call");function ln(e){return V(e,q("0-9"))}var pn=e=>{let t={phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt",expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6};return{id:"phone-number",endpoints:{sendPhoneNumberOTP:u("/phone-number/send-otp",{method:"POST",body:ce.z.object({phoneNumber:ce.z.string()})},async r=>{if(!e?.sendOTP)throw y.warn("sendOTP not implemented"),new Y.APIError("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});let o=ln(t.otpLength);return await r.context.internalAdapter.createVerificationValue({value:o,identifier:r.body.phoneNumber,expiresAt:C(t.expiresIn,"sec")}),await e.sendOTP(r.body.phoneNumber,o),r.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:u("/phone-number/verify",{method:"POST",body:ce.z.object({phoneNumber:ce.z.string(),code:ce.z.string(),disableSession:ce.z.boolean().optional(),updatePhoneNumber:ce.z.boolean().optional()})},async r=>{let o=await r.context.internalAdapter.findVerificationValue(r.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await r.context.internalAdapter.deleteVerificationValue(o.id),new Y.APIError("BAD_REQUEST",{message:"OTP expired"})):new Y.APIError("BAD_REQUEST",{message:"OTP not found"});if(o.value!==r.body.code)throw new Y.APIError("BAD_REQUEST",{message:"Invalid OTP"});if(await r.context.internalAdapter.deleteVerificationValue(o.id),r.body.updatePhoneNumber){let i=await D(r);if(!i)throw new Y.APIError("UNAUTHORIZED",{message:"Session not found"});let a=await r.context.internalAdapter.updateUser(i.user.id,{[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0});return r.json({user:a,session:i.session})}let n=await 
r.context.adapter.findOne({model:r.context.tables.user.tableName,where:[{value:r.body.phoneNumber,field:t.phoneNumber}]});if(n)n=await r.context.internalAdapter.updateUser(n.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(n=await r.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(r.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(r.body.phoneNumber):r.body.phoneNumber,[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0}),!n)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else throw new Y.APIError("BAD_REQUEST",{message:"Phone number not found"});if(!n)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!r.body.disableSession){let i=await r.context.internalAdapter.createSession(n.id,r.request);if(!i)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(r,{session:i,user:n}),r.json({user:n,session:i})}return r.json({user:n,session:null})})},schema:{user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}}}};var dt=require("zod");var mn=e=>({id:"anonymous",endpoints:{signInAnonymous:u("/sign-in/anonymous",{method:"POST"},async t=>{let{emailDomainName:r=Je(t.context.baseURL)}=e||{},o=z(),n=`temp-${o}@${r}`,i=await t.context.internalAdapter.createUser({id:o,email:n,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!i)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(i.id,t.request);return a?(await w(t,{session:a,user:i}),t.json({user:i,session:a})):t.json(null,{status:400,body:{message:"Could not create 
session"}})}),linkAccount:u("/anonymous/link-account",{method:"POST",body:dt.z.object({email:dt.z.string().email().optional(),password:dt.z.string().min(6)}),use:[b]},async t=>{let r=t.context.session.user.id,{email:o,password:n}=t.body,i=null;if(o&&n&&(i=await t.context.internalAdapter.updateUser(r,{email:o,isAnonymous:!1})),!i)return t.json(null,{status:500,body:{message:"Failed to update user",status:500}});let a=await t.context.password.hash(n);if(!await t.context.internalAdapter.linkAccount({userId:i.id,providerId:"credential",password:a,accountId:i.id}))return t.json(null,{status:500,body:{message:"Failed to update account",status:500}});let d=await t.context.internalAdapter.createSession(i.id,t.request);return d?(await w(t,{session:d,user:i}),t.json({session:d,user:i})):t.json(null,{status:400,body:{message:"Could not create session"}})})},schema:{user:{fields:{isAnonymous:{type:"boolean",required:!1}}}}});var g=require("zod");var K=S(async e=>{let t=await D(e);if(!t?.session)throw new E.APIError("UNAUTHORIZED");let r=t.user;if(r.role!=="admin")throw new E.APIError("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:r,session:t.session}}}),fn=e=>({id:"admin",init(t){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let o=await t.internalAdapter.findUserById(r.userId);if(o.banned){if(o.banExpires&&o.banExpires<Date.now()){await t.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(t){return t.path==="/list-sessions"},handler:S(async t=>{let r=t.context.returned;if(r){let n=(await r.json()).filter(a=>!a.impersonatedBy),i=new Response(JSON.stringify(n),{status:200,statusText:"OK",headers:r.headers});return 
t.json({response:i})}})}]},endpoints:{setRole:u("/admin/set-role",{method:"POST",body:g.z.object({userId:g.z.string(),role:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{role:t.body.role});return t.json({user:r})}),createUser:u("/admin/create-user",{method:"POST",body:g.z.object({email:g.z.string(),password:g.z.string(),name:g.z.string(),role:g.z.string(),data:g.z.optional(g.z.record(g.z.any()))}),use:[K]},async t=>{if(await t.context.internalAdapter.findUserByEmail(t.body.email))throw new E.APIError("BAD_REQUEST",{message:"User already exists"});let o=await t.context.internalAdapter.createUser({email:t.body.email,name:t.body.name,role:t.body.role,...t.body.data});if(!o)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let n=await t.context.password.hash(t.body.password);return await t.context.internalAdapter.linkAccount({accountId:o.id,providerId:"credential",password:n,userId:o.id}),t.json({user:o})}),listUsers:u("/admin/list-users",{method:"GET",use:[K],query:g.z.object({search:g.z.object({field:g.z.enum(["email","name"]),operator:g.z.enum(["contains","starts_with","ends_with"]).default("contains"),value:g.z.string()}).optional(),limit:g.z.string().or(g.z.number()).optional(),offset:g.z.string().or(g.z.number()).optional(),sortBy:g.z.string().optional(),sortDirection:g.z.enum(["asc","desc"]).optional(),filter:g.z.array(g.z.object({field:g.z.string(),value:g.z.string().or(g.z.number()).or(g.z.boolean()),operator:g.z.enum(["eq","ne","lt","lte","gt","gte"]),connector:g.z.enum(["AND","OR"]).optional()})).optional()})},async t=>{let r=[];t.query?.search&&r.push({field:t.query.search.field,operator:t.query.search.operator,value:t.query.search.value}),t.query?.filter&&r.push(...t.query.filter||[]);let o=await t.context.internalAdapter.listUsers(Number(t.query?.limit)||void 0,Number(t.query?.offset)||void 0,t.query?.sortBy?{field:t.query.sortBy,direction:t.query.sortDirection||"asc"}:void 
0,r.length?r:void 0);return t.json({users:o})}),listUserSessions:u("/admin/list-user-sessions",{method:"POST",use:[K],body:g.z.object({userId:g.z.string()})},async t=>({sessions:await t.context.internalAdapter.listSessions(t.body.userId)})),unbanUser:u("/admin/unban-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!1});return t.json({user:r})}),banUser:u("/admin/ban-user",{method:"POST",body:g.z.object({userId:g.z.string(),banReason:g.z.string().optional(),banExpiresIn:g.z.number().optional()}),use:[K]},async t=>{if(t.body.userId===t.context.session.user.id)throw new E.APIError("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!0,banReason:t.body.banReason||e?.defaultBanReason||"No reason",banExpires:t.body.banExpiresIn?C(t.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?C(e.defaultBanExpiresIn,"sec"):void 0});return await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({user:r})}),impersonateUser:u("/admin/impersonate-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.findUserById(t.body.userId);if(!r)throw new E.APIError("NOT_FOUND",{message:"User not found"});let o=await t.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:t.context.session.user.id,expiresAt:e?.impersonationSessionDuration?C(e.impersonationSessionDuration,"sec"):C(60*60,"sec")});if(!o)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(t,{session:o,user:r},!0),t.json({session:o,user:r})}),revokeUserSession:u("/admin/revoke-user-session",{method:"POST",body:g.z.object({sessionId:g.z.string()}),use:[K]},async t=>(await 
t.context.internalAdapter.deleteSession(t.body.sessionId),t.json({success:!0}))),revokeUserSessions:u("/admin/revoke-user-sessions",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({success:!0}))),removeUser:u("/admin/remove-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteUser(t.body.userId),t.json({success:!0})))},schema:{user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}}});var X=require("zod"),ze=require("better-call");var ct=require("@better-fetch/fetch");var Jr=require("oslo/jwt");async function gn(e,t,r){if(t==="oidc"&&e.idToken){let n=(0,Jr.parseJWT)(e.idToken);if(n?.payload)return n.payload}return r?(await(0,ct.betterFetch)(r,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}})).data:null}var hn=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:u("/sign-in/oauth2",{method:"POST",query:X.z.object({currentURL:X.z.string().optional()}).optional(),body:X.z.object({providerId:X.z.string(),callbackURL:X.z.string().optional()})},async t=>{let{providerId:r}=t.body,o=e.config.find(ue=>ue.providerId===r);if(!o)throw new ze.APIError("BAD_REQUEST",{message:`No config found for provider ${r}`});let{discoveryUrl:n,authorizationUrl:i,tokenUrl:a,clientId:s,clientSecret:d,scopes:c,redirectURI:l,responseType:p,pkce:m,prompt:f,accessType:k}=o,A=i,h=a;if(n){let ue=await(0,ct.betterFetch)(n,{onError(ut){y.error(ut.error,{discoveryUrl:n})}});ue.data&&(A=ue.data.authorization_endpoint,h=ue.data.token_endpoint)}if(!A||!h)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let _=t.query?.currentURL?new 
URL(t.query?.currentURL):null,be=t.body.callbackURL?.startsWith("http")?t.body.callbackURL:`${_?.origin}${t.body.callbackURL||""}`,{state:W,codeVerifier:Qe}=await ke(t),Ae=await I({id:r,options:{clientId:s,clientSecret:d,redirectURI:l},authorizationEndpoint:A,state:W,codeVerifier:Qe,scopes:c||[],disablePkce:!m,redirectURI:`${t.context.baseURL}/oauth2/callback/${r}`});return p&&p!=="code"&&Ae.searchParams.set("response_type",p),f&&Ae.searchParams.set("prompt",f),k&&Ae.searchParams.set("access_type",k),t.json({url:Ae.toString(),redirect:!0})}),oAuth2Callback:u("/oauth2/callback/:providerId",{method:"GET",query:X.z.object({code:X.z.string().optional(),error:X.z.string().optional(),state:X.z.string()})},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let r=e.config.find(h=>h.providerId===t.params.providerId);if(!r)throw new ze.APIError("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,n=await Ye(t),{callbackURL:i,codeVerifier:a,errorURL:s}=n,d=t.query.code,c=r.tokenUrl,l=r.userInfoUrl;if(r.discoveryUrl){let h=await(0,ct.betterFetch)(r.discoveryUrl,{method:"GET"});h.data&&(c=h.data.token_endpoint,l=h.data.userinfo_endpoint)}try{if(!c)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await v({code:d,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${r.providerId}`,options:{clientId:r.clientId,clientSecret:r.clientSecret},tokenEndpoint:c})}catch(h){throw t.context.logger.error(h),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let p=r.getUserInfo?await r.getUserInfo(o):await gn(o,r.type||"oauth2",l),m=z(),f=p?tt.safeParse({...p,id:m}):null;if(!f?.success)throw t.redirect(`${s}?error=oauth_user_info_invalid`);let k=await t.context.internalAdapter.findUserByEmail(f.data.email,{includeAccounts:!0}).catch(h=>{throw 
y.error(`Better auth was unable to query your database.
|
|
85
|
-
Error: `,h),t.redirect(`${s}?error=internal_server_error`)}),A=k?.user.id||m;if(k){let h=k.accounts.find(W=>W.providerId===r.providerId),_=t.context.options.account?.accountLinking?.trustedProviders,be=_?_.includes(r.providerId):!0;if(!h&&(!f?.data.emailVerified||!be)){let W;try{W=new URL(s),W.searchParams.set("error","account_not_linked")}catch{throw t.redirect(`${s}?error=account_not_linked`)}throw t.redirect(W.toString())}if(h)await t.context.internalAdapter.updateAccount(h.id,{accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt});else try{await t.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:f.data.id,id:`${r.providerId}:${f.data.id}`,userId:k.user.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch(W){throw console.log(W),t.redirect(`${s}?error=failed_linking_account`)}}else try{await t.context.internalAdapter.createOAuthUser(f.data,{id:`${r.providerId}:${f.data.id}`,providerId:r.providerId,accountId:f.data.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch{let _=new URL(s);throw _.searchParams.set("error","unable_to_create_user"),t.setHeader("Location",_.toString()),t.redirect(_.toString())}try{let h=await t.context.internalAdapter.createSession(A||m,t.request);if(!h)throw t.redirect(`${s}?error=unable_to_create_session`);await w(t,{session:h,user:f.data})}catch{throw t.redirect(`${s}?error=unable_to_create_session`)}throw t.redirect(i)})}});var Be=require("zod"),Zr={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},cl=Be.z.object({id:Be.z.string(),publicKey:Be.z.string(),privateKey:Be.z.string(),createdAt:Be.z.date()});var zt=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await 
e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});var ne=require("jose");var wn=e=>({id:"jwt",endpoints:{getJwks:u("/jwks",{method:"GET"},async t=>{let o=await zt(t.context.adapter).getAllKeys();return t.json({keys:o.map(n=>({...JSON.parse(n.publicKey),kid:n.id}))})}),getToken:u("/token",{method:"GET",requireHeaders:!0,use:[b]},async t=>{let r=zt(t.context.adapter),o=await r.getLatestKey(),n=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:c,privateKey:l}=await(0,ne.generateKeyPair)(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),p=await(0,ne.exportJWK)(c),m=await(0,ne.exportJWK)(l),f=JSON.stringify(m),k={id:crypto.randomUUID(),publicKey:JSON.stringify(p),privateKey:n?JSON.stringify(await Se({key:t.context.options.secret,data:f})):f,createdAt:new Date};o=await r.createJwk(k)}let i=n?await Pe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await(0,ne.importJWK)(JSON.parse(i)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new ne.SignJWT({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:Zr});var $e=require("zod");var yn=e=>{let t={maximumSessions:5,...e},r=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:u("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let n=o.headers?.get("cookie");if(!n)return o.json([]);let i=Object.fromEntries(Ke(n)),a=(await 
Promise.all(Object.entries(i).filter(([c])=>r(c)).map(async([c])=>await o.getSignedCookie(c,o.context.secret)))).filter(c=>c!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(c=>c&&c.session.expiresAt>new Date).filter((c,l,p)=>l===p.findIndex(m=>m.user.id===c.user.id));return Object.entries(i).filter(([c])=>r(c)).forEach(([c,l])=>{d.some(p=>p.session.id===l)||o.setCookie(c,"",{...o.context.authCookies.sessionToken.options,maxAge:0})}),o.json(d)}),setActiveSession:u("/multi-session/set-active",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);if(!s||s.session.expiresAt<new Date)throw o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});return await o.setSignedCookie(o.context.authCookies.sessionToken.name,n,o.context.secret,o.context.authCookies.sessionToken.options),o.json(s)}),revokeDeviceSession:u("/multi-session/revoke",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);return o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),s?(await o.context.internalAdapter.deleteSession(n),o.json({success:!0})):o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:S(async o=>{if(!o.context.returned||!(o.context.returned instanceof Response))return;let n=o.context.returned.headers.get("set-cookie");if(!n)return;let 
i=jt(n),a=o.context.authCookies.sessionToken,s=i.get(a.name)?.value;if(!s)return;let d=Ke(o.headers?.get("cookie")||""),c=s.split(".")[0],l=`${a.name}_multi-${c}`;if(i.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(r).length+(n.includes("session_token")?1:0)>t.maximumSessions)return;await o.setSignedCookie(l,c,o.context.secret,a.options);let m=o.context.returned;return m.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:m}})},{matcher:o=>o.path==="/sign-out",handler:S(async o=>{let n=o.headers?.get("cookie");if(!n)return;let i=Object.fromEntries(Ke(n));await Promise.all(Object.entries(i).map(async([s,d])=>{if(r(s)){o.setCookie(s,"",{maxAge:0});let c=s.split("_multi-")[1];await o.context.internalAdapter.deleteSession(c)}}));let a=o.context.returned;return a?.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:a}})}]}}};var ee=require("zod");var bn=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:u("/email-otp/send-verification-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),type:ee.z.enum(["email-verification","sign-in"])})},async r=>{if(!e?.sendVerificationOTP)throw y.error("send email verification is not implemented"),new E.APIError("BAD_REQUEST",{message:"send email verification is not implemented"});let o=r.body.email,n=V(t.otpLength,q("0-9"));return await r.context.internalAdapter.createVerificationValue({value:n,identifier:`${r.body.type}-otp-${o}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:r.body.type}),r.json({success:!0})}),verifyEmailOTP:u("/email-otp/verify-email",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let 
i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return r.json({user:s})}),signInEmailOTP:u("/sign-in/email-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.createSession(a.user.id,r.request);return await w(r,{session:s,user:a.user}),r.json({session:s,user:a})})},hooks:{after:[{matcher(r){return!!(r.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(r){let o=r.context.returned;if(o?.status!==200)return;let n=await o.clone().json();if(n.user.email&&n.user.emailVerified===!1){let i=V(t.otpLength,q("0-9"));await r.context.internalAdapter.createVerificationValue({value:i,identifier:`email-verification-otp-${n.user.email}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:n.user.email,otp:i,type:"email-verification"})}}}]}}};var Bt=require("zod");var Xr=require("@better-fetch/fetch");function Yr(e){return e==="true"||e===!0}var An=e=>({id:"one-tap",endpoints:{oneTapCallback:u("/one-tap/callback",{method:"POST",body:Bt.z.object({idToken:Bt.z.string()})},async 
t=>{let{idToken:r}=t.body,{data:o,error:n}=await(0,Xr.betterFetch)("https://oauth2.googleapis.com/tokeninfo?id_token="+r);if(n)return t.json({error:"Invalid token"});let i=await t.context.internalAdapter.findUserByEmail(o.email);if(!i){if(e?.disableSignup)throw new E.APIError("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:Yr(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await w(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(i.user.id,t.request);return await w(t,{user:i.user,session:a}),t.json({session:a,user:i})})}});0&&(module.exports={HIDE_METADATA,admin,adminMiddleware,anonymous,bearer,createAuthEndpoint,createAuthMiddleware,emailOTP,genericOAuth,getPasskeyActions,jwt,magicLink,multiSession,oneTap,optionsMiddleware,organization,passkey,passkeyClient,phoneNumber,twoFactor,twoFactorClient,username});
|
|
85
|
+
Error: `,h),t.redirect(`${s}?error=internal_server_error`)}),A=k?.user.id||m;if(k){let h=k.accounts.find(W=>W.providerId===r.providerId),_=t.context.options.account?.accountLinking?.trustedProviders,be=_?_.includes(r.providerId):!0;if(!h&&(!f?.data.emailVerified||!be)){let W;try{W=new URL(s),W.searchParams.set("error","account_not_linked")}catch{throw t.redirect(`${s}?error=account_not_linked`)}throw t.redirect(W.toString())}if(h)await t.context.internalAdapter.updateAccount(h.id,{accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt});else try{await t.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:f.data.id,id:`${r.providerId}:${f.data.id}`,userId:k.user.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch(W){throw console.log(W),t.redirect(`${s}?error=failed_linking_account`)}}else try{await t.context.internalAdapter.createOAuthUser(f.data,{id:`${r.providerId}:${f.data.id}`,providerId:r.providerId,accountId:f.data.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch{let _=new URL(s);throw _.searchParams.set("error","unable_to_create_user"),t.setHeader("Location",_.toString()),t.redirect(_.toString())}try{let h=await t.context.internalAdapter.createSession(A||m,t.request);if(!h)throw t.redirect(`${s}?error=unable_to_create_session`);await w(t,{session:h,user:f.data})}catch{throw t.redirect(`${s}?error=unable_to_create_session`)}throw t.redirect(i)})}});var Be=require("zod"),Zr={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},cl=Be.z.object({id:Be.z.string(),publicKey:Be.z.string(),privateKey:Be.z.string(),createdAt:Be.z.date()});var zt=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await 
e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});var ne=require("jose");var wn=e=>({id:"jwt",endpoints:{getJwks:u("/jwks",{method:"GET"},async t=>{let o=await zt(t.context.adapter).getAllKeys();return t.json({keys:o.map(n=>({...JSON.parse(n.publicKey),kid:n.id}))})}),getToken:u("/token",{method:"GET",requireHeaders:!0,use:[b]},async t=>{let r=zt(t.context.adapter),o=await r.getLatestKey(),n=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:c,privateKey:l}=await(0,ne.generateKeyPair)(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),p=await(0,ne.exportJWK)(c),m=await(0,ne.exportJWK)(l),f=JSON.stringify(m),k={id:crypto.randomUUID(),publicKey:JSON.stringify(p),privateKey:n?JSON.stringify(await Se({key:t.context.options.secret,data:f})):f,createdAt:new Date};o=await r.createJwk(k)}let i=n?await Pe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await(0,ne.importJWK)(JSON.parse(i)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new ne.SignJWT({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:Zr});var $e=require("zod");var yn=e=>{let t={maximumSessions:5,...e},r=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:u("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let n=o.headers?.get("cookie");if(!n)return o.json([]);let i=Object.fromEntries(Ke(n)),a=(await 
Promise.all(Object.entries(i).filter(([c])=>r(c)).map(async([c])=>await o.getSignedCookie(c,o.context.secret)))).filter(c=>c!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(c=>c&&c.session.expiresAt>new Date).filter((c,l,p)=>l===p.findIndex(m=>m.user.id===c.user.id));return Object.entries(i).filter(([c])=>r(c)).forEach(([c,l])=>{d.some(p=>p.session.id===l)||o.setCookie(c,"",{...o.context.authCookies.sessionToken.options,maxAge:0})}),o.json(d)}),setActiveSession:u("/multi-session/set-active",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);if(!s||s.session.expiresAt<new Date)throw o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});return await o.setSignedCookie(o.context.authCookies.sessionToken.name,n,o.context.secret,o.context.authCookies.sessionToken.options),o.json(s)}),revokeDeviceSession:u("/multi-session/revoke",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);return o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),s?(await o.context.internalAdapter.deleteSession(n),o.json({success:!0})):o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:S(async o=>{if(!o.context.returned||!(o.context.returned instanceof Response))return;let n=o.context.returned.headers.get("set-cookie");if(!n)return;let 
i=jt(n),a=o.context.authCookies.sessionToken,s=i.get(a.name)?.value;if(!s)return;let d=Ke(o.headers?.get("cookie")||""),c=s.split(".")[0],l=`${a.name}_multi-${c}`;if(i.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(r).length+(n.includes("session_token")?1:0)>t.maximumSessions)return;await o.setSignedCookie(l,c,o.context.secret,a.options);let m=o.context.returned;return m.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:m}})},{matcher:o=>o.path==="/sign-out",handler:S(async o=>{let n=o.headers?.get("cookie");if(!n)return;let i=Object.fromEntries(Ke(n));await Promise.all(Object.entries(i).map(async([s,d])=>{if(r(s)){o.setCookie(s,"",{maxAge:0});let c=s.split("_multi-")[1];await o.context.internalAdapter.deleteSession(c)}}));let a=o.context.returned;return a?.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:a}})}]}}};var ee=require("zod");var bn=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:u("/email-otp/send-verification-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),type:ee.z.enum(["email-verification","sign-in"])})},async r=>{if(!e?.sendVerificationOTP)throw y.error("send email verification is not implemented"),new E.APIError("BAD_REQUEST",{message:"send email verification is not implemented"});let o=r.body.email,n=V(t.otpLength,q("0-9"));return await r.context.internalAdapter.createVerificationValue({value:n,identifier:`${r.body.type}-otp-${o}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:r.body.type}),r.json({success:!0})}),verifyEmailOTP:u("/email-otp/verify-email",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let 
i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return r.json({user:s})}),signInEmailOTP:u("/sign-in/email-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let d=await r.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),c=await r.context.internalAdapter.createSession(d.id,r.request);return await w(r,{session:c,user:d}),r.json({user:d,session:c})}let s=await r.context.internalAdapter.createSession(a.user.id,r.request);return await w(r,{session:s,user:a.user}),r.json({session:s,user:a})})},hooks:{after:[{matcher(r){return!!(r.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(r){let o=r.context.returned;if(o?.status!==200)return;let n=await o.clone().json();if(n.user.email&&n.user.emailVerified===!1){let i=V(t.otpLength,q("0-9"));await r.context.internalAdapter.createVerificationValue({value:i,identifier:`email-verification-otp-${n.user.email}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:n.user.email,otp:i,type:"email-verification"})}}}]}}};var Bt=require("zod");var Xr=require("@better-fetch/fetch");function 
Yr(e){return e==="true"||e===!0}var An=e=>({id:"one-tap",endpoints:{oneTapCallback:u("/one-tap/callback",{method:"POST",body:Bt.z.object({idToken:Bt.z.string()})},async t=>{let{idToken:r}=t.body,{data:o,error:n}=await(0,Xr.betterFetch)("https://oauth2.googleapis.com/tokeninfo?id_token="+r);if(n)return t.json({error:"Invalid token"});let i=await t.context.internalAdapter.findUserByEmail(o.email);if(!i){if(e?.disableSignup)throw new E.APIError("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:Yr(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await w(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(i.user.id,t.request);return await w(t,{user:i.user,session:a}),t.json({session:a,user:i})})}});0&&(module.exports={HIDE_METADATA,admin,adminMiddleware,anonymous,bearer,createAuthEndpoint,createAuthMiddleware,emailOTP,genericOAuth,getPasskeyActions,jwt,magicLink,multiSession,oneTap,optionsMiddleware,organization,passkey,passkeyClient,phoneNumber,twoFactor,twoFactorClient,username});
|
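--- a/package/dist/plugins.d.cts
+++ b/package/dist/plugins.d.cts
@@ -1,4 +1,4 @@
-export { A as AnonymousOptions, J as JwtOptions, O as OrganizationOptions, b as Passkey, P as PasskeyOptions, U as UserWithPhoneNumber, f as UserWithRole, i as admin, h as adminMiddleware, e as anonymous, n as emailOTP, j as genericOAuth, g as getPasskeyActions, k as jwt, m as magicLink, l as multiSession, o as organization, p as passkey, c as passkeyClient, d as phoneNumber, t as twoFactor, a as twoFactorClient, u as username } from './index-
+export { A as AnonymousOptions, J as JwtOptions, O as OrganizationOptions, b as Passkey, P as PasskeyOptions, U as UserWithPhoneNumber, f as UserWithRole, i as admin, h as adminMiddleware, e as anonymous, n as emailOTP, j as genericOAuth, g as getPasskeyActions, k as jwt, m as magicLink, l as multiSession, o as organization, p as passkey, c as passkeyClient, d as phoneNumber, t as twoFactor, a as twoFactorClient, u as username } from './index-Ce4x5r90.cjs';
 import { H as HookEndpointContext } from './auth-DxQns91s.cjs';
 export { e as AuthEndpoint, f as AuthMiddleware, b as BetterAuthPlugin, P as PluginSchema, d as createAuthEndpoint, c as createAuthMiddleware, o as optionsMiddleware } from './auth-DxQns91s.cjs';
 export { H as HIDE_METADATA } from './hide-metadata-DEHJp1rk.cjs';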
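--- a/package/dist/plugins.d.ts
+++ b/package/dist/plugins.d.ts
@@ -1,4 +1,4 @@
-export { A as AnonymousOptions, J as JwtOptions, O as OrganizationOptions, b as Passkey, P as PasskeyOptions, U as UserWithPhoneNumber, f as UserWithRole, i as admin, h as adminMiddleware, e as anonymous, n as emailOTP, j as genericOAuth, g as getPasskeyActions, k as jwt, m as magicLink, l as multiSession, o as organization, p as passkey, c as passkeyClient, d as phoneNumber, t as twoFactor, a as twoFactorClient, u as username } from './index-
+export { A as AnonymousOptions, J as JwtOptions, O as OrganizationOptions, b as Passkey, P as PasskeyOptions, U as UserWithPhoneNumber, f as UserWithRole, i as admin, h as adminMiddleware, e as anonymous, n as emailOTP, j as genericOAuth, g as getPasskeyActions, k as jwt, m as magicLink, l as multiSession, o as organization, p as passkey, c as passkeyClient, d as phoneNumber, t as twoFactor, a as twoFactorClient, u as username } from './index-D1xP80c-.js';
 import { H as HookEndpointContext } from './auth-BRu7J8sN.js';
 export { e as AuthEndpoint, f as AuthMiddleware, b as BetterAuthPlugin, P as PluginSchema, d as createAuthEndpoint, c as createAuthMiddleware, o as optionsMiddleware } from './auth-BRu7J8sN.js';
 export { H as HIDE_METADATA } from './hide-metadata-DEHJp1rk.js';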
package/dist/plugins.js
CHANGED
|
@@ -82,4 +82,4 @@ Error: `,A),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)
|
|
|
82
82
|
</body>
|
|
83
83
|
</html>`,uo=u("/error",{method:"GET",metadata:fe},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(co(t),{headers:{"Content-Type":"text/html"}})});var lo=u("/ok",{method:"GET",metadata:fe},async e=>e.json({ok:!0}));import{z as ka}from"zod";import{APIError as Sa}from"better-call";import{z as Re}from"zod";import{APIError as Pt}from"better-call";var po=u("/list-accounts",{method:"GET",use:[b]},async e=>{let t=e.context.session,r=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(r)}),mo=u("/link-social",{method:"POST",requireHeaders:!0,query:Re.object({currentURL:Re.string().optional()}).optional(),body:Re.object({callbackURL:Re.string().optional(),provider:Re.enum(Le)}),use:[b]},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new Pt("BAD_REQUEST",{message:"Social Account is already linked."});let n=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!n)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new Pt("NOT_FOUND",{message:"Provider not found"});let i=await ge(e,{userId:t.user.id,email:t.user.email}),a=await n.createAuthorizationURL({state:i.state,codeVerifier:i.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${n.id}`});return e.json({url:a.toString(),redirect:!0})});var _t=(e,t)=>{let r={};for(let[o,n]of Object.entries(e))r[o]=i=>n({...i,context:{...t,...i.context}}),r[o].path=n.path,r[o].method=n.method,r[o].options=n.options,r[o].headers=n.headers;return r};var we=class extends Error{path;constructor(t,r){super(t),this.path=r}},Ve=class{constructor(t){this.s=t;this.statements=t}statements;newRole(t){return new qe(t)}},qe=class e{statements;constructor(t){this.statements=t}authorize(t,r){for(let[o,n]of Object.entries(t)){let i=this.statements[o];if(!i)return{success:!1,error:`You are not allowed to access resource: ${o}`};let a=r==="OR"?n.some(s=>i.includes(s)):n.every(s=>i.includes(s));return a?{success:a}:{success:!1,error:`unauthorized to access resource "${o}"`}}return{success:!1,error:"Not authorized"}}static fromString(t){let r=JSON.parse(t);if(typeof r!="object")throw new we("statements is not an object",".");for(let[o,n]of Object.entries(r)){if(typeof o!="string")throw new we("invalid resource identifier",o);if(!Array.isArray(n))throw new we("actions is not an array",o);for(let i=0;i<n.length;i++)if(typeof n[i]!="string")throw new we("action is not a string",`${o}[${i}]`)}return new e(r)}toString(){return JSON.stringify(this.statements)}};var fo=e=>new 
Ve(e),go={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},tt=fo(go),ho=tt.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),wo=tt.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),yo=tt.newRole({organization:[],member:[],invitation:[]}),Ct={admin:ho,owner:wo,member:yo};var S=(e,t)=>{let r=e.adapter;return{findOrganizationBySlug:async o=>await r.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let n=await r.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),i=await r.create({model:"member",data:{id:z(),organizationId:n.id,userId:o.user.id,createdAt:new Date,email:o.user.email,role:t?.creatorRole||"owner"}});return{...n,metadata:n.metadata?JSON.parse(n.metadata):void 0,members:[{...i,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let n=await r.findOne({model:"member",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},findMemberByOrgId:async o=>{let[n,i]=await Promise.all([await r.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:o.userId}]})]);return!i||!n?null:{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}},findMemberById:async o=>{let n=await r.findOne({model:"member",where:[{field:"id",value:o}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return 
i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},createMember:async o=>await r.create({model:"member",data:o}),updateMember:async(o,n)=>await r.update({model:"member",where:[{field:"id",value:o}],update:{role:n}}),deleteMember:async o=>await r.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,n)=>await r.update({model:"organization",where:[{field:"id",value:o}],update:n}),deleteOrganization:async o=>(await r.delete({model:"member",where:[{field:"organizationId",value:o}]}),await r.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await r.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,n)=>await r.update({model:e.tables.session.tableName,where:[{field:"id",value:o}],update:{activeOrganizationId:n}}),findOrganizationById:async o=>await r.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async(o,n)=>{let[i,a,s]=await Promise.all([r.findOne({model:"organization",where:[{field:"id",value:o}]}),r.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),r.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!i)return null;let d=s.map(m=>m.userId),c=await r.findMany({model:e.tables.user.tableName,where:[{field:"id",value:d,operator:"in"}]}),l=new Map(c.map(m=>[m.id,m])),p=s.map(m=>{let f=l.get(m.userId);if(!f)throw new $("Unexpected error: User not found for member");return{...m,user:{id:f.id,name:f.name,email:f.email,image:f.image}}});return{...i,invitations:a,members:p}},listOrganizations:async o=>{let n=await r.findMany({model:"member",where:[{field:"userId",value:o}]});if(!n||n.length===0)return[];let i=n.map(s=>s.organizationId);return await r.findMany({model:"organization",where:[{field:"id",value:i,operator:"in"}]})},createInvitation:async({invitation:o,user:n})=>{let a=C(t?.invitationExpiresIn||1728e5);return await 
r.create({model:"invitation",data:{id:z(),email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:n.id}})},findInvitationById:async o=>await r.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await r.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(i=>new Date(i.expiresAt)>new Date),updateInvitation:async o=>await r.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};import"better-call";import{APIError as _d,createRouter as Cd,statusCode as zd}from"better-call";import{APIError as bo}from"better-call";var Ao=_(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,n=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL,a=t?.redirectTo,s=r?.currentURL,d=o.trustedOrigins,c=e.headers?.has("cookie"),l=(p,m)=>{if(!d.some(k=>p?.startsWith(k)||p?.startsWith("/")&&m!=="origin"))throw y.error(`Invalid ${m}: ${p}`),y.info(`If it's a valid URL, please add ${p} to trustedOrigins in your auth config
|
|
84
84
|
`,`Current list of trustedOrigins: ${d}`),new bo("FORBIDDEN",{message:`Invalid ${m}`})};c&&!e.context.options.advanced?.disableCSRFCheck&&l(n,"origin"),i&&l(i,"callbackURL"),a&&l(a,"redirectURL"),s&&l(s,"currentURL")});import{APIError as E}from"better-call";var B=_(async e=>({})),x=_({use:[b]},async e=>({session:e.context.session}));import{z as q}from"zod";import{z as R}from"zod";var Me=R.enum(["admin","member","owner"]),ko=R.enum(["pending","accepted","rejected","canceled"]).default("pending"),Zd=R.object({id:R.string(),name:R.string(),slug:R.string(),logo:R.string().optional(),metadata:R.record(R.string()).or(R.string().transform(e=>JSON.parse(e))).optional(),createdAt:R.date()}),Yd=R.object({id:R.string(),email:R.string(),organizationId:R.string(),userId:R.string(),role:Me,createdAt:R.date()}),Xd=R.object({id:R.string(),organizationId:R.string(),email:R.string(),role:Me,status:ko,inviterId:R.string(),expiresAt:R.date()});import{APIError as T}from"better-call";var zt=u("/organization/invite-member",{method:"POST",use:[B,x],body:q.object({email:q.string(),role:Me,organizationId:q.string().optional(),resend:q.boolean().optional()})},async e=>{if(!e.context.orgOptions.sendInvitationEmail)throw y.warn("Invitation email is not enabled. 
Pass `sendInvitationEmail` to the plugin options to enable it."),new T("BAD_REQUEST",{message:"Invitation email is not enabled"});let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)throw new T("BAD_REQUEST",{message:"Organization not found"});let o=S(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new T("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new T("BAD_REQUEST",{message:"Role not found!"});if(i.authorize({invitation:["create"]}).error)throw new T("FORBIDDEN",{message:"You are not allowed to invite members"});if(await o.findMemberByEmail({email:e.body.email,organizationId:r}))throw new T("BAD_REQUEST",{message:"User is already a member of this organization"});if((await o.findPendingInvitation({email:e.body.email,organizationId:r})).length&&!e.body.resend)throw new T("BAD_REQUEST",{message:"User is already invited to this organization"});let c=await o.createInvitation({invitation:{role:e.body.role,email:e.body.email,organizationId:r},user:t.user}),l=await o.findOrganizationById(r);if(!l)throw new T("BAD_REQUEST",{message:"Organization not found"});return await e.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:t.user}},e.request),e.json(c)}),Bt=u("/organization/accept-invitation",{method:"POST",body:q.object({invitationId:q.string()}),use:[B,x]},async e=>{let t=e.context.session,r=S(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new T("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),i=await 
r.createMember({id:z(),organizationId:o.organizationId,userId:t.user.id,email:o.email,role:o.role,createdAt:new Date});return await r.setActiveOrganization(t.session.id,o.organizationId),n?e.json({invitation:n,member:i}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),Dt=u("/organization/reject-invitation",{method:"POST",body:q.object({invitationId:q.string()}),use:[B,x]},async e=>{let t=e.context.session,r=S(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new T("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new T("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:n,member:null})}),xt=u("/organization/cancel-invitation",{method:"POST",body:q.object({invitationId:q.string()}),use:[B,x]},async e=>{let t=e.context.session,r=S(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o)throw new T("BAD_REQUEST",{message:"Invitation not found!"});let n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!n)throw new T("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[n.role].authorize({invitation:["cancel"]}).error)throw new T("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await r.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),Lt=u("/organization/get-invitation",{method:"GET",use:[B],requireHeaders:!0,query:q.object({id:q.string()})},async e=>{let t=await D(e);if(!t)throw new T("UNAUTHORIZED",{message:"Not authenticated"});let r=S(e.context,e.context.orgOptions),o=await r.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new T("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new 
T("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.findOrganizationById(o.organizationId);if(!n)throw new T("BAD_REQUEST",{message:"Organization not found"});let i=await r.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!i)throw new T("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:n.name,organizationSlug:n.slug,inviterEmail:i.email})});import{z as ae}from"zod";import{APIError as Ie}from"better-call";var jt=u("/organization/remove-member",{method:"POST",body:ae.object({memberIdOrEmail:ae.string(),organizationId:ae.string().optional()}),use:[B,x]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=S(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new Ie("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new Ie("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||n.id===e.body.memberIdOrEmail;if(a&&n.role===(e.context.orgOptions?.creatorRole||"owner"))throw new Ie("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||i.authorize({member:["delete"]}).success))throw new Ie("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let c=null;if(e.body.memberIdOrEmail.includes("@")?c=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:r}):c=await o.findMemberById(e.body.memberIdOrEmail),c?.organizationId!==r)throw new Ie("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(c.id),t.user.id===c.userId&&t.session.activeOrganizationId===c.organizationId&&await 
o.setActiveOrganization(t.session.id,null),e.json({member:c})}),Nt=u("/organization/update-member-role",{method:"POST",body:ae.object({role:ae.enum(["admin","member","owner"]),memberId:ae.string(),organizationId:ae.string().optional()}),use:[B,x]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=S(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"Member not found!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({member:["update"]}).error||e.body.role==="owner"&&n.role!=="owner")return e.json(null,{body:{message:"You are not allowed to update this member"},status:403});let s=await o.updateMember(e.body.memberId,e.body.role);return s?e.json(s):e.json(null,{status:400,body:{message:"Member not found!"}})});import{z as U}from"zod";import{APIError as de}from"better-call";var Ft=u("/organization/create",{method:"POST",body:U.object({name:U.string(),slug:U.string(),userId:U.string().optional(),logo:U.string().optional(),metadata:U.record(U.string()).optional()}),use:[B,x]},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let r=e.context.orgOptions;if(!(typeof r?.allowUserToCreateOrganization=="function"?await r.allowUserToCreateOrganization(t):r?.allowUserToCreateOrganization===void 0?!0:r.allowUserToCreateOrganization))throw new de("FORBIDDEN",{message:"You are not allowed to create an organization"});let n=S(e.context,r),i=await n.listOrganizations(t.id);if(typeof r.organizationLimit=="number"?i.length>=r.organizationLimit:typeof r.organizationLimit=="function"?await r.organizationLimit(t):!1)throw new de("FORBIDDEN",{message:"You have reached the organization limit"});if(await n.findOrganizationBySlug(e.body.slug))throw new 
de("BAD_REQUEST",{message:"Organization with this slug already exists"});let d=await n.createOrganization({organization:{id:z(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return e.json(d)}),Vt=u("/organization/update",{method:"POST",body:U.object({data:U.object({name:U.string().optional(),slug:U.string().optional()}).partial(),orgId:U.string().optional()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)throw new de("UNAUTHORIZED",{message:"User not found"});let r=e.body.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=S(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(r,e.body.data);return e.json(s)}),qt=u("/organization/delete",{method:"POST",body:U.object({orgId:U.string()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let r=e.body.orgId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=S(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["delete"]}).error)throw new de("FORBIDDEN",{message:"You are not allowed to delete this organization"});return r===t.session.activeOrganizationId&&await 
o.setActiveOrganization(t.session.id,null),await o.deleteOrganization(r),e.json(r)}),Mt=u("/organization/get-full",{method:"GET",query:U.optional(U.object({orgId:U.string().optional()})),requireHeaders:!0,use:[B,x]},async e=>{let t=e.context.session,r=e.query?.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:200});let n=await S(e.context,e.context.orgOptions).findFullOrganization(r,e.context.db||void 0);if(!n)throw new de("BAD_REQUEST",{message:"Organization not found"});return e.json(n)}),$t=u("/organization/activate",{method:"POST",body:U.object({orgId:U.string().nullable().optional()}),use:[x,B]},async e=>{let t=S(e.context,e.context.orgOptions),r=e.context.session,o=e.body.orgId;if(o===null)return r.session.activeOrganizationId&&await t.setActiveOrganization(r.session.id,null),e.json(null);if(!o){let a=r.session.activeOrganizationId;if(!a)return e.json(null);o=a}if(!await t.findMemberByOrgId({userId:r.user.id,organizationId:o}))throw await t.setActiveOrganization(r.session.id,null),new de("FORBIDDEN",{message:"You are not a member of this organization"});await t.setActiveOrganization(r.session.id,o);let i=await t.findFullOrganization(o,e.context.db||void 0);return e.json(i)}),Qt=u("/organization/list",{method:"GET",use:[B,x]},async e=>{let r=await S(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(r)});var Dc=e=>{let t={createOrganization:Ft,updateOrganization:Vt,deleteOrganization:qt,setActiveOrganization:$t,getFullOrganization:Mt,listOrganization:Qt,createInvitation:zt,cancelInvitation:xt,acceptInvitation:Bt,getInvitation:Lt,rejectInvitation:Dt,removeMember:jt,updateMemberRole:Nt},r={...Ct,...e?.roles};return{id:"organization",endpoints:{..._t(t,{orgOptions:e||{},roles:r,getSession:async n=>await D(n)}),hasPermission:u("/organization/has-permission",{method:"POST",requireHeaders:!0,body:Te.object({permission:Te.record(Te.string(),Te.array(Te.string()))}),use:[x]},async 
n=>{if(!n.context.session.session.activeOrganizationId)throw new Ht("BAD_REQUEST",{message:"No active organization"});let a=await S(n.context).findMemberByOrgId({userId:n.context.session.user.id,organizationId:n.context.session.session.activeOrganizationId||""});if(!a)throw new Ht("UNAUTHORIZED",{message:"You are not a member of this organization"});let d=r[a.role].authorize(n.body.permission);return d.error?n.json({error:d.error,success:!1},{status:403}):n.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1}}},organization:{fields:{name:{type:"string",required:!0},slug:{type:"string",unique:!0},logo:{type:"string",required:!1},createdAt:{type:"date",required:!0},metadata:{type:"string",required:!1}}},member:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},userId:{type:"string",required:!0},email:{type:"string",required:!0},role:{type:"string",required:!0,defaultValue:"member"},createdAt:{type:"date",required:!0}}},invitation:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},email:{type:"string",required:!0},role:{type:"string",required:!1},status:{type:"string",required:!0,defaultValue:"pending"},expiresAt:{type:"date",required:!0},inviterId:{type:"string",references:{model:"user",field:"id"},required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};import Wt from"uncrypto";function Oo(e){return e.toString(2).padStart(8,"0")}function vo(e){return[...e].map(t=>Oo(t)).join("")}function Gt(e){return parseInt(vo(e),2)}function Eo(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new Uint8Array(Math.ceil(t/8));Wt.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let n=Gt(o);for(;n>=e;)Wt.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),n=Gt(o);return n}function N(e,t){let r="";for(let 
o=0;o<e;o++)r+=t[Eo(t.length)];return r}function F(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}import{z as Ge}from"zod";import{xchacha20poly1305 as Jt}from"@noble/ciphers/chacha";import{bytesToHex as Ro,hexToBytes as Io,utf8ToBytes as To}from"@noble/ciphers/utils";import{managedNonce as Zt}from"@noble/ciphers/webcrypto";import{sha256 as Yt}from"oslo/crypto";import Kt from"uncrypto";import{decodeHex as $c,encodeHex as Qc}from"oslo/encoding";import{scryptAsync as Gc}from"@noble/hashes/scrypt";import{getRandomValues as Jc}from"uncrypto";async function ce(e,t){let r=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},n=await Kt.subtle.importKey("raw",r.encode(e),o,!1,["sign","verify"]),i=await Kt.subtle.sign(o.name,n,r.encode(t));return btoa(String.fromCharCode(...new Uint8Array(i)))}var ye=async({key:e,data:t})=>{let r=await Yt(new TextEncoder().encode(e)),o=To(t),n=Zt(Jt)(new Uint8Array(r));return Ro(n.encrypt(o))},be=async({key:e,data:t})=>{let r=await Yt(new TextEncoder().encode(e)),o=Io(t),n=Zt(Jt)(new Uint8Array(r));return new TextDecoder().decode(n.decrypt(o))};import{z as Z}from"zod";import{APIError as ne}from"better-call";var $e="two_factor";var Qe="trust_device";import{z as Xt}from"zod";var ue=_({body:Xt.object({trustDevice:Xt.boolean().optional()})},async e=>{let t=await D(e);if(!t){let r=e.context.createAuthCookie($e),o=await e.getSignedCookie(r.name,e.context.secret);if(!o)throw new ne("UNAUTHORIZED",{message:"invalid two factor cookie"});let[n,i]=o.split("!");if(!n||!i)throw new ne("UNAUTHORIZED",{message:"invalid two factor cookie"});let a=await e.context.adapter.findMany({model:e.context.tables.session.tableName,where:[{field:"userId",value:n}]});if(!a.length)throw new ne("UNAUTHORIZED",{message:"invalid session"});let s=a.filter(d=>d.expiresAt>new Date);if(!s)throw new ne("UNAUTHORIZED",{message:"invalid session"});for(let d of s){let 
c=await ce(e.context.secret,d.id),l=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"id",value:d.userId}]});if(!l)throw new ne("UNAUTHORIZED",{message:"invalid session"});if(c===i)return{valid:async()=>{if(await w(e,{session:d,user:l},!1),e.body.trustDevice){let p=e.context.createAuthCookie(Qe,{maxAge:2592e3}),m=await ce(e.context.secret,`${l.id}!${d.id}`);await e.setSignedCookie(p.name,`${m}!${d.id}`,e.context.secret,p.attributes)}return e.json({session:d,user:l})},invalid:async()=>{throw new ne("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:d.id,userId:d.userId,expiresAt:d.expiresAt,user:l}}}throw new ne("UNAUTHORIZED",{message:"invalid two factor cookie"})}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new ne("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});import{APIError as Ue}from"better-call";function Uo(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>N(e?.length??10,F("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function rt(e,t){let r=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():Uo(),n=await ye({data:JSON.stringify(o),key:r});return{backupCodes:o,encryptedBackupCodes:n}}async function So(e,t){let r=await er(e.backupCodes,t);return r?r.includes(e.code):!1}async function er(e,t){let r=Buffer.from(await be({key:t,data:e})).toString("utf-8"),o=JSON.parse(r),n=Z.array(Z.string()).safeParse(o);return n.success?n.data:null}var tr=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:u("/two-factor/verify-backup-code",{method:"POST",body:Z.object({code:Z.string(),disableSession:Z.boolean().optional()}),use:[ue]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new Ue("BAD_REQUEST",{message:"Backup codes aren't enabled"});if(!So({backupCodes:n.backupCodes,code:r.body.code},r.context.secret))throw new 
Ue("BAD_REQUEST",{message:"Invalid backup code"});return r.body.disableSession||await w(r,{session:r.context.session,user:o}),r.json({user:o,session:r.context.session})}),generateBackupCodes:u("/two-factor/generate-backup-codes",{method:"POST",body:Z.object({password:Z.string()}),use:[b]},async r=>{let o=r.context.session.user;if(!o.twoFactorEnabled)throw new Ue("BAD_REQUEST",{message:"Two factor isn't enabled"});await r.context.password.checkPassword(o.id,r);let n=await rt(r.context.secret,e);return await r.context.adapter.update({model:t,update:{backupCodes:n.encryptedBackupCodes},where:[{field:"userId",value:r.context.session.user.id}]}),r.json({status:!0,backupCodes:n.backupCodes})}),viewBackupCodes:u("/view/backup-codes",{method:"GET",body:Z.object({password:Z.string()}),use:[b]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new Ue("BAD_REQUEST",{message:"Backup codes aren't enabled"});await r.context.password.checkPassword(o.id,r);let i=er(n.backupCodes,r.context.secret);if(!i)throw new Ue("BAD_REQUEST",{message:"Backup codes aren't enabled"});return r.json({status:!0,backupCodes:i})})}});import{APIError as He}from"better-call";import{TOTPController as Po}from"oslo/otp";import{z as rr}from"zod";import{TimeSpan as _o}from"oslo";var or=(e,t)=>{let r={...e,period:new _o(e?.period||3,"m")},o=new Po({digits:6,period:r.period}),n=u("/two-factor/send-otp",{method:"POST",use:[ue]},async a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. 
Please configure the send otp function on otp options."),new He("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new He("BAD_REQUEST",{message:"OTP isn't enabled"});let c=await o.generate(Buffer.from(d.secret));return await e.sendOTP(s,c),a.json({status:!0})}),i=u("/two-factor/verify-otp",{method:"POST",body:rr.object({code:rr.string()}),use:[ue]},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new He("BAD_REQUEST",{message:"two factor isn't enabled"});let d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new He("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(d.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{send2FaOTP:n,verifyOTP:i}}};import{APIError as Ae}from"better-call";import{TimeSpan as Co}from"oslo";import{TOTPController as nr,createTOTPKeyURI as zo}from"oslo/otp";import{z as We}from"zod";var ir=(e,t)=>{let r={...e,digits:6,period:new Co(e?.period||30,"s")},o=u("/totp/generate",{method:"POST",use:[b]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ae("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ae("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new nr(r).generate(Buffer.from(d.secret))}}),n=u("/two-factor/get-totp-uri",{method:"POST",use:[b],body:We.object({password:We.string()})},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. 
please pass totp option on two factor plugin to enable totp"),new Ae("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d||!s.twoFactorEnabled)throw new Ae("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:zo(e?.issuer||"BetterAuth",s.email,Buffer.from(d.secret),r)}}),i=u("/two-factor/verify-totp",{method:"POST",body:We.object({code:We.string()}),use:[ue]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ae("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ae("BAD_REQUEST",{message:"totp isn't enabled"});let c=new nr(r),l=await be({key:a.context.secret,data:d.secret}),p=Buffer.from(l);if(!await c.verify(a.body.code,p))return a.context.invalid();if(!s.twoFactorEnabled){let f=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),k=await a.context.internalAdapter.createSession(s.id,a.request);await w(a,{session:k,user:f})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,viewTOTPURI:n,verifyTOTP:i}}};import{APIError as $u}from"better-call";async function ot(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),n=o?.password;return!o||!n?!1:await e.context.password.verify(n,t.password)}import{APIError as sr}from"better-call";import{createTOTPKeyURI as Bo}from"oslo/otp";import{TimeSpan as Do}from"oslo";var 
Hu=(e={redirect:!0,twoFactorPage:"/"})=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&(e.redirect||e.twoFactorPage)&&typeof window<"u"&&(window.location.href=e.twoFactorPage)}}}]});var dl=e=>{let t={twoFactorTable:e?.twoFactorTable||"twoFactor"},r=ir({issuer:e?.issuer||"better-auth",...e?.totpOptions},t.twoFactorTable),o=tr({...e?.backupCodeOptions},t.twoFactorTable),n=or({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...r.endpoints,...n.endpoints,...o.endpoints,enableTwoFactor:u("/two-factor/enable",{method:"POST",body:Ge.object({password:Ge.string().min(8)}),use:[b]},async i=>{let a=i.context.session.user,{password:s}=i.body;if(!await ot(i,{password:s,userId:a.id}))throw new sr("BAD_REQUEST",{message:"Invalid password"});let c=N(16,F("a-z","0-9","-")),l=await ye({key:i.context.secret,data:c}),p=await rt(i.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let f=await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),k=await i.context.internalAdapter.createSession(f.id,i.request);await w(i,{session:k,user:a})}await i.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await i.context.adapter.create({model:t.twoFactorTable,data:{id:i.context.uuid(),secret:l,backupCodes:p.encryptedBackupCodes,userId:a.id}});let m=Bo(e?.issuer||"BetterAuth",a.email,Buffer.from(c),{digits:e?.totpOptions?.digits||6,period:new Do(e?.totpOptions?.period||30,"s")});return i.json({totpURI:m,backupCodes:p.backupCodes})}),disableTwoFactor:u("/two-factor/disable",{method:"POST",body:Ge.object({password:Ge.string().min(8)}),use:[b]},async i=>{let 
a=i.context.session.user,{password:s}=i.body;if(!await ot(i,{password:s,userId:a.id}))throw new sr("BAD_REQUEST",{message:"Invalid password"});return await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await i.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),i.json({status:!0})})},options:e,hooks:{after:[{matcher(i){return i.path==="/sign-in/email"||i.path==="/sign-in/username"},handler:_(async i=>{let a=i.context.returned;if(a?.status!==200)return;let s=await a.clone().json();if(!s.user.twoFactorEnabled)return;let d=i.context.createAuthCookie(Qe,{maxAge:30*24*60*60}),c=await i.getSignedCookie(d.name,i.context.secret);if(c){let[f,k]=c.split("!"),A=await ce(i.context.secret,`${s.user.id}!${k}`);if(f===A){let h=await ce(i.context.secret,`${s.user.id}!${s.session.id}`);await i.setSignedCookie(d.name,`${h}!${s.session.id}`,i.context.secret,d.attributes);return}}J(i);let l=await ce(i.context.secret,s.session.id),p=i.context.createAuthCookie($e,{maxAge:60*60*24});return await i.setSignedCookie(p.name,`${s.session.userId}!${l}`,i.context.secret,p.attributes),{response:new Response(JSON.stringify({twoFactorRedirect:!0}),{headers:i.responseHeader})}})}]},schema:{user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{tableName:t.twoFactorTable,fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}},rateLimit:[{pathMatcher(i){return i.startsWith("/two-factor/")},window:10,max:3}]}};import{generateAuthenticationOptions as Mo,generateRegistrationOptions as $o,verifyAuthenticationResponse as Qo,verifyRegistrationResponse as Ho}from"@simplewebauthn/server";import{APIError as G}from"better-call";import{z as Y}from"zod";import{WebAuthnError as jo,startAuthentication as No,startRegistration as Fo}from"@simplewebauthn/browser";import{createFetch as 
Il}from"@better-fetch/fetch";import"nanostores";import"@better-fetch/fetch";import{atom as yl}from"nanostores";import"@better-fetch/fetch";import{atom as xo,onMount as Lo}from"nanostores";var nt=(e,t,r,o)=>{let n=xo({data:null,error:null,isPending:!0,isRefetching:!1}),i=()=>{let s=typeof o=="function"?o({data:n.get().data,error:n.get().error,isPending:n.get().isPending}):o;return r(t,{...s,onSuccess:async d=>{n.set({data:d.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(d)},async onError(d){n.set({error:d.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(d)},async onRequest(d){let c=n.get();n.set({isPending:c.data===null,data:c.data,error:null,isRefetching:!0}),await s?.onRequest?.(d)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?i():Lo(n,()=>(i(),a=!0,()=>{n.off(),s.off()}))});return n};import{atom as Vo}from"nanostores";var qo=(e,{_listPasskeys:t})=>({signIn:{passkey:async(n,i)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:n?.email}});if(!a.data)return a;try{let s=await No(a.data,n?.autoFill||!1),d=await e("/passkey/verify-authentication",{body:{response:s},...n?.fetchOptions,...i,method:"POST"});if(!d.data)return d}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(n,i)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await Fo(a.data),d=await e("/passkey/verify-registration",{...n?.fetchOptions,...i,body:{response:s,name:n?.name},method:"POST"});if(!d.data)return d;t.set(Math.random())}catch(s){return s instanceof jo?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration 
cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),Wl=()=>{let e=Vo();return{id:"passkey",$InferServerPlugin:{},getActions:t=>qo(t,{_listPasskeys:e}),getAtoms(t){return{listPasskeys:nt(e,"/passkey/list-user-passkeys",t,{method:"GET"}),_listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var sp=e=>{let t=ze.BETTER_AUTH_URL,r=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!r)throw new $("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:r,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},n=new Date(Date.now()+1e3*60*5),i=new Date,a=Math.floor((n.getTime()-i.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:u("/passkey/generate-register-options",{method:"GET",use:[b],metadata:{client:!1}},async s=>{let d=s.context.session,c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),l=new Uint8Array(Buffer.from(N(32,F("a-z","0-9")))),p;p=await $o({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:l,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await 
s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify({expectedChallenge:p.challenge,userData:{id:d.user.id}}),expiresAt:n}),s.json(p,{status:200})}),generatePasskeyAuthenticationOptions:u("/passkey/generate-authenticate-options",{method:"POST",body:Y.object({email:Y.string().optional()}).optional()},async s=>{let d=await D(s),c=[];d&&(c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let l=await Mo({rpID:o.rpID,userVerification:"preferred",...c.length?{allowCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")}))}:{}}),p={expectedChallenge:l.challenge,userData:{id:d?.user.id||""}},m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify(p),expiresAt:n}),s.json(l,{status:200})}),verifyPasskeyRegistration:u("/passkey/verify-registration",{method:"POST",body:Y.object({response:Y.any(),name:Y.string().optional()}),use:[b]},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)return s.json(null,{status:400});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new G("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)return s.json(null,{status:400});let{expectedChallenge:m,userData:f}=JSON.parse(p.value);if(f.id!==s.context.session.user.id)throw new G("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let k=await Ho({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:A,registrationInfo:h}=k;if(!A||!h)return 
s.json(null,{status:400});let{credentialID:P,credentialPublicKey:pe,counter:M,credentialDeviceType:_e,credentialBackedUp:me}=h,ie=Buffer.from(pe).toString("base64"),Ye=z(),mr={name:s.body.name,userId:f.id,webauthnUserID:Ye,id:P,publicKey:ie,counter:M,deviceType:_e,transports:c.response.transports.join(","),backedUp:me,createdAt:new Date},fr=await s.context.adapter.create({model:"passkey",data:mr});return s.json(fr,{status:200})}catch(k){throw console.log(k),new G("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:u("/passkey/verify-authentication",{method:"POST",body:Y.object({response:Y.any()})},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)throw new G("BAD_REQUEST",{message:"origin missing"});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new G("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)throw new G("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:m}=JSON.parse(p.value),f=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:c.id}]});if(!f)throw new G("UNAUTHORIZED",{message:"Passkey not found"});try{let k=await Qo({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:f.id,credentialPublicKey:new Uint8Array(Buffer.from(f.publicKey,"base64")),counter:f.counter,transports:f.transports?.split(",")}}),{verified:A}=k;if(!A)throw new G("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:f.id}],update:{counter:k.authenticationInfo.newCounter}});let h=await s.context.internalAdapter.createSession(f.userId,s.request);if(!h)throw new G("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let P=await s.context.internalAdapter.findUserById(f.userId);if(!P)throw new G("INTERNAL_SERVER_ERROR",{message:"User not 
found"});return await w(s,{session:h,user:P}),s.json({session:h},{status:200})}catch(k){throw s.context.logger.error(k),new G("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:u("/passkey/list-user-passkeys",{method:"GET",use:[b]},async s=>{let d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(d,{status:200})}),deletePasskey:u("/passkey/delete-passkey",{method:"POST",body:Y.object({id:Y.string()}),use:[b]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:{passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}}}};import{z as Ke}from"zod";import{APIError as Je}from"better-call";var ar=()=>({id:"username",endpoints:{signInUsername:u("/sign-in/username",{method:"POST",body:Ke.object({username:Ke.string(),password:Ke.string(),dontRememberMe:Ke.boolean().optional()})},async e=>{let t=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:ar}),new Je("UNAUTHORIZED",{message:"Invalid username or password"});let r=await e.context.adapter.findOne({model:e.context.tables.account.tableName,where:[{field:e.context.tables.account.fields.userId.fieldName||"userId",value:t.id},{field:e.context.tables.account.fields.providerId.fieldName||"providerId",value:"credential"}]});if(!r)throw new Je("UNAUTHORIZED",{message:"Invalid username or password"});let 
o=r?.password;if(!o)throw e.context.logger.error("Password not found",{username:ar}),new Je("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new Je("UNAUTHORIZED",{message:"Invalid username or password"});let i=await e.context.internalAdapter.createSession(t.id,e.request);return i?(await e.setSignedCookie(e.context.authCookies.sessionToken.name,i.id,e.context.secret,e.body.dontRememberMe?{...e.context.authCookies.sessionToken.options,maxAge:void 0}:e.context.authCookies.sessionToken.options),e.json({user:t,session:i})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});import{serializeSigned as Wo}from"better-call";var fp=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let r="";return t.includes(".")?r=t:r=await Wo("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),{context:e}}}]}});import{z as ke}from"zod";import{APIError as dr}from"better-call";var kp=e=>({id:"magic-link",endpoints:{signInMagicLink:u("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ke.object({email:ke.string().email(),callbackURL:ke.string().optional()})},async t=>{let{email:r}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(r))throw new dr("BAD_REQUEST",{message:"User not found"});let o=N(32,F("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:r,expiresAt:new 
Date(Date.now()+(e.expiresIn||60*5)*1e3)});let n=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:r,url:n,token:o})}catch(i){throw t.context.logger.error("Failed to send magic link",i),new dr("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:u("/magic-link/verify",{method:"GET",query:ke.object({token:ke.string(),callbackURL:ke.string().optional()}),requireHeaders:!0},async t=>{let{token:r,callbackURL:o}=t.query,n=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,i=await t.context.internalAdapter.findVerificationValue(r);if(!i)throw t.redirect(`${n}?error=INVALID_TOKEN`);if(i.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(i.id),t.redirect(`${n}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(i.id);let a=i.value,s=await t.context.internalAdapter.findUserByEmail(a),d=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${n}?error=USER_NOT_FOUND`);if(d=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!d)throw t.redirect(`${n}?error=USER_NOT_CREATED`)}let c=await t.context.internalAdapter.createSession(d,t.headers);if(!c)throw t.redirect(`${n}?error=SESSION_NOT_CREATED`);if(await w(t,{session:c,user:s?.user}),!o)return t.json({status:!0});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});import{z as le}from"zod";import{APIError as X}from"better-call";function Go(e){return N(e,F("0-9"))}var _p=e=>{let 
t={phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt",expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6};return{id:"phone-number",endpoints:{sendPhoneNumberOTP:u("/phone-number/send-otp",{method:"POST",body:le.object({phoneNumber:le.string()})},async r=>{if(!e?.sendOTP)throw y.warn("sendOTP not implemented"),new X("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});let o=Go(t.otpLength);return await r.context.internalAdapter.createVerificationValue({value:o,identifier:r.body.phoneNumber,expiresAt:C(t.expiresIn,"sec")}),await e.sendOTP(r.body.phoneNumber,o),r.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:u("/phone-number/verify",{method:"POST",body:le.object({phoneNumber:le.string(),code:le.string(),disableSession:le.boolean().optional(),updatePhoneNumber:le.boolean().optional()})},async r=>{let o=await r.context.internalAdapter.findVerificationValue(r.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await r.context.internalAdapter.deleteVerificationValue(o.id),new X("BAD_REQUEST",{message:"OTP expired"})):new X("BAD_REQUEST",{message:"OTP not found"});if(o.value!==r.body.code)throw new X("BAD_REQUEST",{message:"Invalid OTP"});if(await r.context.internalAdapter.deleteVerificationValue(o.id),r.body.updatePhoneNumber){let i=await D(r);if(!i)throw new X("UNAUTHORIZED",{message:"Session not found"});let a=await r.context.internalAdapter.updateUser(i.user.id,{[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0});return r.json({user:a,session:i.session})}let n=await r.context.adapter.findOne({model:r.context.tables.user.tableName,where:[{value:r.body.phoneNumber,field:t.phoneNumber}]});if(n)n=await r.context.internalAdapter.updateUser(n.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(n=await 
r.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(r.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(r.body.phoneNumber):r.body.phoneNumber,[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0}),!n)throw new X("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else throw new X("BAD_REQUEST",{message:"Phone number not found"});if(!n)throw new X("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!r.body.disableSession){let i=await r.context.internalAdapter.createSession(n.id,r.request);if(!i)throw new X("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(r,{session:i,user:n}),r.json({user:n,session:i})}return r.json({user:n,session:null})})},schema:{user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}}}};import{z as it}from"zod";var jp=e=>({id:"anonymous",endpoints:{signInAnonymous:u("/sign-in/anonymous",{method:"POST"},async t=>{let{emailDomainName:r=De(t.context.baseURL)}=e||{},o=z(),n=`temp-${o}@${r}`,i=await t.context.internalAdapter.createUser({id:o,email:n,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!i)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(i.id,t.request);return a?(await w(t,{session:a,user:i}),t.json({user:i,session:a})):t.json(null,{status:400,body:{message:"Could not create session"}})}),linkAccount:u("/anonymous/link-account",{method:"POST",body:it.object({email:it.string().email().optional(),password:it.string().min(6)}),use:[b]},async t=>{let r=t.context.session.user.id,{email:o,password:n}=t.body,i=null;if(o&&n&&(i=await t.context.internalAdapter.updateUser(r,{email:o,isAnonymous:!1})),!i)return t.json(null,{status:500,body:{message:"Failed to update user",status:500}});let a=await 
t.context.password.hash(n);if(!await t.context.internalAdapter.linkAccount({userId:i.id,providerId:"credential",password:a,accountId:i.id}))return t.json(null,{status:500,body:{message:"Failed to update account",status:500}});let d=await t.context.internalAdapter.createSession(i.id,t.request);return d?(await w(t,{session:d,user:i}),t.json({session:d,user:i})):t.json(null,{status:400,body:{message:"Could not create session"}})})},schema:{user:{fields:{isAnonymous:{type:"boolean",required:!1}}}}});import{z as g}from"zod";var K=_(async e=>{let t=await D(e);if(!t?.session)throw new E("UNAUTHORIZED");let r=t.user;if(r.role!=="admin")throw new E("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:r,session:t.session}}}),$p=e=>({id:"admin",init(t){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let o=await t.internalAdapter.findUserById(r.userId);if(o.banned){if(o.banExpires&&o.banExpires<Date.now()){await t.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(t){return t.path==="/list-sessions"},handler:_(async t=>{let r=t.context.returned;if(r){let n=(await r.json()).filter(a=>!a.impersonatedBy),i=new Response(JSON.stringify(n),{status:200,statusText:"OK",headers:r.headers});return t.json({response:i})}})}]},endpoints:{setRole:u("/admin/set-role",{method:"POST",body:g.object({userId:g.string(),role:g.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{role:t.body.role});return t.json({user:r})}),createUser:u("/admin/create-user",{method:"POST",body:g.object({email:g.string(),password:g.string(),name:g.string(),role:g.string(),data:g.optional(g.record(g.any()))}),use:[K]},async t=>{if(await t.context.internalAdapter.findUserByEmail(t.body.email))throw new E("BAD_REQUEST",{message:"User already exists"});let 
o=await t.context.internalAdapter.createUser({email:t.body.email,name:t.body.name,role:t.body.role,...t.body.data});if(!o)throw new E("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let n=await t.context.password.hash(t.body.password);return await t.context.internalAdapter.linkAccount({accountId:o.id,providerId:"credential",password:n,userId:o.id}),t.json({user:o})}),listUsers:u("/admin/list-users",{method:"GET",use:[K],query:g.object({search:g.object({field:g.enum(["email","name"]),operator:g.enum(["contains","starts_with","ends_with"]).default("contains"),value:g.string()}).optional(),limit:g.string().or(g.number()).optional(),offset:g.string().or(g.number()).optional(),sortBy:g.string().optional(),sortDirection:g.enum(["asc","desc"]).optional(),filter:g.array(g.object({field:g.string(),value:g.string().or(g.number()).or(g.boolean()),operator:g.enum(["eq","ne","lt","lte","gt","gte"]),connector:g.enum(["AND","OR"]).optional()})).optional()})},async t=>{let r=[];t.query?.search&&r.push({field:t.query.search.field,operator:t.query.search.operator,value:t.query.search.value}),t.query?.filter&&r.push(...t.query.filter||[]);let o=await t.context.internalAdapter.listUsers(Number(t.query?.limit)||void 0,Number(t.query?.offset)||void 0,t.query?.sortBy?{field:t.query.sortBy,direction:t.query.sortDirection||"asc"}:void 0,r.length?r:void 0);return t.json({users:o})}),listUserSessions:u("/admin/list-user-sessions",{method:"POST",use:[K],body:g.object({userId:g.string()})},async t=>({sessions:await t.context.internalAdapter.listSessions(t.body.userId)})),unbanUser:u("/admin/unban-user",{method:"POST",body:g.object({userId:g.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!1});return t.json({user:r})}),banUser:u("/admin/ban-user",{method:"POST",body:g.object({userId:g.string(),banReason:g.string().optional(),banExpiresIn:g.number().optional()}),use:[K]},async t=>{if(t.body.userId===t.context.session.user.id)throw 
new E("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!0,banReason:t.body.banReason||e?.defaultBanReason||"No reason",banExpires:t.body.banExpiresIn?C(t.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?C(e.defaultBanExpiresIn,"sec"):void 0});return await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({user:r})}),impersonateUser:u("/admin/impersonate-user",{method:"POST",body:g.object({userId:g.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.findUserById(t.body.userId);if(!r)throw new E("NOT_FOUND",{message:"User not found"});let o=await t.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:t.context.session.user.id,expiresAt:e?.impersonationSessionDuration?C(e.impersonationSessionDuration,"sec"):C(60*60,"sec")});if(!o)throw new E("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(t,{session:o,user:r},!0),t.json({session:o,user:r})}),revokeUserSession:u("/admin/revoke-user-session",{method:"POST",body:g.object({sessionId:g.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteSession(t.body.sessionId),t.json({success:!0}))),revokeUserSessions:u("/admin/revoke-user-sessions",{method:"POST",body:g.object({userId:g.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({success:!0}))),removeUser:u("/admin/remove-user",{method:"POST",body:g.object({userId:g.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteUser(t.body.userId),t.json({success:!0})))},schema:{user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}}});import{z as ee}from"zod";import{APIError as Se}from"better-call";import{betterFetch as 
st}from"@better-fetch/fetch";import{parseJWT as Ko}from"oslo/jwt";async function Jo(e,t,r){if(t==="oidc"&&e.idToken){let n=Ko(e.idToken);if(n?.payload)return n.payload}return r?(await st(r,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}})).data:null}var om=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:u("/sign-in/oauth2",{method:"POST",query:ee.object({currentURL:ee.string().optional()}).optional(),body:ee.object({providerId:ee.string(),callbackURL:ee.string().optional()})},async t=>{let{providerId:r}=t.body,o=e.config.find(ie=>ie.providerId===r);if(!o)throw new Se("BAD_REQUEST",{message:`No config found for provider ${r}`});let{discoveryUrl:n,authorizationUrl:i,tokenUrl:a,clientId:s,clientSecret:d,scopes:c,redirectURI:l,responseType:p,pkce:m,prompt:f,accessType:k}=o,A=i,h=a;if(n){let ie=await st(n,{onError(Ye){y.error(Ye.error,{discoveryUrl:n})}});ie.data&&(A=ie.data.authorization_endpoint,h=ie.data.token_endpoint)}if(!A||!h)throw new Se("BAD_REQUEST",{message:"Invalid OAuth configuration."});let P=t.query?.currentURL?new URL(t.query?.currentURL):null,pe=t.body.callbackURL?.startsWith("http")?t.body.callbackURL:`${P?.origin}${t.body.callbackURL||""}`,{state:M,codeVerifier:_e}=await ge(t),me=await I({id:r,options:{clientId:s,clientSecret:d,redirectURI:l},authorizationEndpoint:A,state:M,codeVerifier:_e,scopes:c||[],disablePkce:!m,redirectURI:`${t.context.baseURL}/oauth2/callback/${r}`});return p&&p!=="code"&&me.searchParams.set("response_type",p),f&&me.searchParams.set("prompt",f),k&&me.searchParams.set("access_type",k),t.json({url:me.toString(),redirect:!0})}),oAuth2Callback:u("/oauth2/callback/:providerId",{method:"GET",query:ee.object({code:ee.string().optional(),error:ee.string().optional(),state:ee.string()})},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let r=e.config.find(h=>h.providerId===t.params.providerId);if(!r)throw new Se("BAD_REQUEST",{message:`No 
config found for provider ${t.params.providerId}`});let o,n=await xe(t),{callbackURL:i,codeVerifier:a,errorURL:s}=n,d=t.query.code,c=r.tokenUrl,l=r.userInfoUrl;if(r.discoveryUrl){let h=await st(r.discoveryUrl,{method:"GET"});h.data&&(c=h.data.token_endpoint,l=h.data.userinfo_endpoint)}try{if(!c)throw new Se("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await v({code:d,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${r.providerId}`,options:{clientId:r.clientId,clientSecret:r.clientSecret},tokenEndpoint:c})}catch(h){throw t.context.logger.error(h),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new Se("BAD_REQUEST",{message:"Invalid OAuth configuration."});let p=r.getUserInfo?await r.getUserInfo(o):await Jo(o,r.type||"oauth2",l),m=z(),f=p?je.safeParse({...p,id:m}):null;if(!f?.success)throw t.redirect(`${s}?error=oauth_user_info_invalid`);let k=await t.context.internalAdapter.findUserByEmail(f.data.email,{includeAccounts:!0}).catch(h=>{throw y.error(`Better auth was unable to query your database.
|
|
85
|
-
Error: `,h),t.redirect(`${s}?error=internal_server_error`)}),A=k?.user.id||m;if(k){let h=k.accounts.find(M=>M.providerId===r.providerId),P=t.context.options.account?.accountLinking?.trustedProviders,pe=P?P.includes(r.providerId):!0;if(!h&&(!f?.data.emailVerified||!pe)){let M;try{M=new URL(s),M.searchParams.set("error","account_not_linked")}catch{throw t.redirect(`${s}?error=account_not_linked`)}throw t.redirect(M.toString())}if(h)await t.context.internalAdapter.updateAccount(h.id,{accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt});else try{await t.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:f.data.id,id:`${r.providerId}:${f.data.id}`,userId:k.user.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch(M){throw console.log(M),t.redirect(`${s}?error=failed_linking_account`)}}else try{await t.context.internalAdapter.createOAuthUser(f.data,{id:`${r.providerId}:${f.data.id}`,providerId:r.providerId,accountId:f.data.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch{let P=new URL(s);throw P.searchParams.set("error","unable_to_create_user"),t.setHeader("Location",P.toString()),t.redirect(P.toString())}try{let h=await t.context.internalAdapter.createSession(A||m,t.request);if(!h)throw t.redirect(`${s}?error=unable_to_create_session`);await w(t,{session:h,user:f.data})}catch{throw t.redirect(`${s}?error=unable_to_create_session`)}throw t.redirect(i)})}});import{z as Pe}from"zod";var cr={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},sm=Pe.object({id:Pe.string(),publicKey:Pe.string(),privateKey:Pe.string(),createdAt:Pe.date()});var at=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await 
e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});import{exportJWK as ur,generateKeyPair as Zo,importJWK as Yo,SignJWT as Xo}from"jose";var fm=e=>({id:"jwt",endpoints:{getJwks:u("/jwks",{method:"GET"},async t=>{let o=await at(t.context.adapter).getAllKeys();return t.json({keys:o.map(n=>({...JSON.parse(n.publicKey),kid:n.id}))})}),getToken:u("/token",{method:"GET",requireHeaders:!0,use:[b]},async t=>{let r=at(t.context.adapter),o=await r.getLatestKey(),n=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:c,privateKey:l}=await Zo(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),p=await ur(c),m=await ur(l),f=JSON.stringify(m),k={id:crypto.randomUUID(),publicKey:JSON.stringify(p),privateKey:n?JSON.stringify(await ye({key:t.context.options.secret,data:f})):f,createdAt:new Date};o=await r.createJwk(k)}let i=n?await be({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await Yo(JSON.parse(i)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new Xo({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:cr});import{z as Ze}from"zod";var bm=e=>{let t={maximumSessions:5,...e},r=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:u("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let n=o.headers?.get("cookie");if(!n)return o.json([]);let i=Object.fromEntries(Be(n)),a=(await 
Promise.all(Object.entries(i).filter(([c])=>r(c)).map(async([c])=>await o.getSignedCookie(c,o.context.secret)))).filter(c=>c!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(c=>c&&c.session.expiresAt>new Date).filter((c,l,p)=>l===p.findIndex(m=>m.user.id===c.user.id));return Object.entries(i).filter(([c])=>r(c)).forEach(([c,l])=>{d.some(p=>p.session.id===l)||o.setCookie(c,"",{...o.context.authCookies.sessionToken.options,maxAge:0})}),o.json(d)}),setActiveSession:u("/multi-session/set-active",{method:"POST",body:Ze.object({sessionId:Ze.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);if(!s||s.session.expiresAt<new Date)throw o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new E("UNAUTHORIZED",{message:"Invalid session id"});return await o.setSignedCookie(o.context.authCookies.sessionToken.name,n,o.context.secret,o.context.authCookies.sessionToken.options),o.json(s)}),revokeDeviceSession:u("/multi-session/revoke",{method:"POST",body:Ze.object({sessionId:Ze.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);return o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),s?(await o.context.internalAdapter.deleteSession(n),o.json({success:!0})):o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:_(async o=>{if(!o.context.returned||!(o.context.returned instanceof Response))return;let n=o.context.returned.headers.get("set-cookie");if(!n)return;let 
i=lt(n),a=o.context.authCookies.sessionToken,s=i.get(a.name)?.value;if(!s)return;let d=Be(o.headers?.get("cookie")||""),c=s.split(".")[0],l=`${a.name}_multi-${c}`;if(i.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(r).length+(n.includes("session_token")?1:0)>t.maximumSessions)return;await o.setSignedCookie(l,c,o.context.secret,a.options);let m=o.context.returned;return m.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:m}})},{matcher:o=>o.path==="/sign-out",handler:_(async o=>{let n=o.headers?.get("cookie");if(!n)return;let i=Object.fromEntries(Be(n));await Promise.all(Object.entries(i).map(async([s,d])=>{if(r(s)){o.setCookie(s,"",{maxAge:0});let c=s.split("_multi-")[1];await o.context.internalAdapter.deleteSession(c)}}));let a=o.context.returned;return a?.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:a}})}]}}};import{z as te}from"zod";var Um=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:u("/email-otp/send-verification-otp",{method:"POST",body:te.object({email:te.string(),type:te.enum(["email-verification","sign-in"])})},async r=>{if(!e?.sendVerificationOTP)throw y.error("send email verification is not implemented"),new E("BAD_REQUEST",{message:"send email verification is not implemented"});let o=r.body.email,n=N(t.otpLength,F("0-9"));return await r.context.internalAdapter.createVerificationValue({value:n,identifier:`${r.body.type}-otp-${o}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:r.body.type}),r.json({success:!0})}),verifyEmailOTP:u("/email-otp/verify-email",{method:"POST",body:te.object({email:te.string(),otp:te.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E("BAD_REQUEST",{message:"Invalid OTP"});let 
i=r.body.otp;if(n.value!==i)throw new E("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return r.json({user:s})}),signInEmailOTP:u("/sign-in/email-otp",{method:"POST",body:te.object({email:te.string(),otp:te.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E("BAD_REQUEST",{message:"Invalid OTP"});let i=r.body.otp;if(n.value!==i)throw new E("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.createSession(a.user.id,r.request);return await w(r,{session:s,user:a.user}),r.json({session:s,user:a})})},hooks:{after:[{matcher(r){return!!(r.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(r){let o=r.context.returned;if(o?.status!==200)return;let n=await o.clone().json();if(n.user.email&&n.user.emailVerified===!1){let i=N(t.otpLength,F("0-9"));await r.context.internalAdapter.createVerificationValue({value:i,identifier:`email-verification-otp-${n.user.email}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:n.user.email,otp:i,type:"email-verification"})}}}]}}};import{z as pr}from"zod";import{betterFetch as en}from"@better-fetch/fetch";function lr(e){return e==="true"||e===!0}var xm=e=>({id:"one-tap",endpoints:{oneTapCallback:u("/one-tap/callback",{method:"POST",body:pr.object({idToken:pr.string()})},async t=>{let{idToken:r}=t.body,{data:o,error:n}=await 
en("https://oauth2.googleapis.com/tokeninfo?id_token="+r);if(n)return t.json({error:"Invalid token"});let i=await t.context.internalAdapter.findUserByEmail(o.email);if(!i){if(e?.disableSignup)throw new E("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:lr(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new E("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await w(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(i.user.id,t.request);return await w(t,{user:i.user,session:a}),t.json({session:a,user:i})})}});export{fe as HIDE_METADATA,$p as admin,K as adminMiddleware,jp as anonymous,fp as bearer,u as createAuthEndpoint,_ as createAuthMiddleware,Um as emailOTP,om as genericOAuth,qo as getPasskeyActions,fm as jwt,kp as magicLink,bm as multiSession,xm as oneTap,ct as optionsMiddleware,Dc as organization,sp as passkey,Wl as passkeyClient,_p as phoneNumber,dl as twoFactor,Hu as twoFactorClient,ar as username};
|
|
85
|
+
Error: `,h),t.redirect(`${s}?error=internal_server_error`)}),A=k?.user.id||m;if(k){let h=k.accounts.find(M=>M.providerId===r.providerId),P=t.context.options.account?.accountLinking?.trustedProviders,pe=P?P.includes(r.providerId):!0;if(!h&&(!f?.data.emailVerified||!pe)){let M;try{M=new URL(s),M.searchParams.set("error","account_not_linked")}catch{throw t.redirect(`${s}?error=account_not_linked`)}throw t.redirect(M.toString())}if(h)await t.context.internalAdapter.updateAccount(h.id,{accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt});else try{await t.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:f.data.id,id:`${r.providerId}:${f.data.id}`,userId:k.user.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch(M){throw console.log(M),t.redirect(`${s}?error=failed_linking_account`)}}else try{await t.context.internalAdapter.createOAuthUser(f.data,{id:`${r.providerId}:${f.data.id}`,providerId:r.providerId,accountId:f.data.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch{let P=new URL(s);throw P.searchParams.set("error","unable_to_create_user"),t.setHeader("Location",P.toString()),t.redirect(P.toString())}try{let h=await t.context.internalAdapter.createSession(A||m,t.request);if(!h)throw t.redirect(`${s}?error=unable_to_create_session`);await w(t,{session:h,user:f.data})}catch{throw t.redirect(`${s}?error=unable_to_create_session`)}throw t.redirect(i)})}});import{z as Pe}from"zod";var cr={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},sm=Pe.object({id:Pe.string(),publicKey:Pe.string(),privateKey:Pe.string(),createdAt:Pe.date()});var at=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await 
e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});import{exportJWK as ur,generateKeyPair as Zo,importJWK as Yo,SignJWT as Xo}from"jose";var fm=e=>({id:"jwt",endpoints:{getJwks:u("/jwks",{method:"GET"},async t=>{let o=await at(t.context.adapter).getAllKeys();return t.json({keys:o.map(n=>({...JSON.parse(n.publicKey),kid:n.id}))})}),getToken:u("/token",{method:"GET",requireHeaders:!0,use:[b]},async t=>{let r=at(t.context.adapter),o=await r.getLatestKey(),n=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:c,privateKey:l}=await Zo(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),p=await ur(c),m=await ur(l),f=JSON.stringify(m),k={id:crypto.randomUUID(),publicKey:JSON.stringify(p),privateKey:n?JSON.stringify(await ye({key:t.context.options.secret,data:f})):f,createdAt:new Date};o=await r.createJwk(k)}let i=n?await be({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await Yo(JSON.parse(i)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new Xo({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:cr});import{z as Ze}from"zod";var bm=e=>{let t={maximumSessions:5,...e},r=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:u("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let n=o.headers?.get("cookie");if(!n)return o.json([]);let i=Object.fromEntries(Be(n)),a=(await 
Promise.all(Object.entries(i).filter(([c])=>r(c)).map(async([c])=>await o.getSignedCookie(c,o.context.secret)))).filter(c=>c!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(c=>c&&c.session.expiresAt>new Date).filter((c,l,p)=>l===p.findIndex(m=>m.user.id===c.user.id));return Object.entries(i).filter(([c])=>r(c)).forEach(([c,l])=>{d.some(p=>p.session.id===l)||o.setCookie(c,"",{...o.context.authCookies.sessionToken.options,maxAge:0})}),o.json(d)}),setActiveSession:u("/multi-session/set-active",{method:"POST",body:Ze.object({sessionId:Ze.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);if(!s||s.session.expiresAt<new Date)throw o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new E("UNAUTHORIZED",{message:"Invalid session id"});return await o.setSignedCookie(o.context.authCookies.sessionToken.name,n,o.context.secret,o.context.authCookies.sessionToken.options),o.json(s)}),revokeDeviceSession:u("/multi-session/revoke",{method:"POST",body:Ze.object({sessionId:Ze.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);return o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),s?(await o.context.internalAdapter.deleteSession(n),o.json({success:!0})):o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:_(async o=>{if(!o.context.returned||!(o.context.returned instanceof Response))return;let n=o.context.returned.headers.get("set-cookie");if(!n)return;let 
i=lt(n),a=o.context.authCookies.sessionToken,s=i.get(a.name)?.value;if(!s)return;let d=Be(o.headers?.get("cookie")||""),c=s.split(".")[0],l=`${a.name}_multi-${c}`;if(i.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(r).length+(n.includes("session_token")?1:0)>t.maximumSessions)return;await o.setSignedCookie(l,c,o.context.secret,a.options);let m=o.context.returned;return m.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:m}})},{matcher:o=>o.path==="/sign-out",handler:_(async o=>{let n=o.headers?.get("cookie");if(!n)return;let i=Object.fromEntries(Be(n));await Promise.all(Object.entries(i).map(async([s,d])=>{if(r(s)){o.setCookie(s,"",{maxAge:0});let c=s.split("_multi-")[1];await o.context.internalAdapter.deleteSession(c)}}));let a=o.context.returned;return a?.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:a}})}]}}};import{z as te}from"zod";var Um=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:u("/email-otp/send-verification-otp",{method:"POST",body:te.object({email:te.string(),type:te.enum(["email-verification","sign-in"])})},async r=>{if(!e?.sendVerificationOTP)throw y.error("send email verification is not implemented"),new E("BAD_REQUEST",{message:"send email verification is not implemented"});let o=r.body.email,n=N(t.otpLength,F("0-9"));return await r.context.internalAdapter.createVerificationValue({value:n,identifier:`${r.body.type}-otp-${o}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:r.body.type}),r.json({success:!0})}),verifyEmailOTP:u("/email-otp/verify-email",{method:"POST",body:te.object({email:te.string(),otp:te.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E("BAD_REQUEST",{message:"Invalid OTP"});let 
i=r.body.otp;if(n.value!==i)throw new E("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return r.json({user:s})}),signInEmailOTP:u("/sign-in/email-otp",{method:"POST",body:te.object({email:te.string(),otp:te.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E("BAD_REQUEST",{message:"Invalid OTP"});let i=r.body.otp;if(n.value!==i)throw new E("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new E("BAD_REQUEST",{message:"User not found"});let d=await r.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),c=await r.context.internalAdapter.createSession(d.id,r.request);return await w(r,{session:c,user:d}),r.json({user:d,session:c})}let s=await r.context.internalAdapter.createSession(a.user.id,r.request);return await w(r,{session:s,user:a.user}),r.json({session:s,user:a})})},hooks:{after:[{matcher(r){return!!(r.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(r){let o=r.context.returned;if(o?.status!==200)return;let n=await o.clone().json();if(n.user.email&&n.user.emailVerified===!1){let i=N(t.otpLength,F("0-9"));await r.context.internalAdapter.createVerificationValue({value:i,identifier:`email-verification-otp-${n.user.email}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:n.user.email,otp:i,type:"email-verification"})}}}]}}};import{z as pr}from"zod";import{betterFetch as en}from"@better-fetch/fetch";function lr(e){return e==="true"||e===!0}var 
xm=e=>({id:"one-tap",endpoints:{oneTapCallback:u("/one-tap/callback",{method:"POST",body:pr.object({idToken:pr.string()})},async t=>{let{idToken:r}=t.body,{data:o,error:n}=await en("https://oauth2.googleapis.com/tokeninfo?id_token="+r);if(n)return t.json({error:"Invalid token"});let i=await t.context.internalAdapter.findUserByEmail(o.email);if(!i){if(e?.disableSignup)throw new E("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:lr(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new E("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await w(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(i.user.id,t.request);return await w(t,{user:i.user,session:a}),t.json({session:a,user:i})})}});export{fe as HIDE_METADATA,$p as admin,K as adminMiddleware,jp as anonymous,fp as bearer,u as createAuthEndpoint,_ as createAuthMiddleware,Um as emailOTP,om as genericOAuth,qo as getPasskeyActions,fm as jwt,kp as magicLink,bm as multiSession,xm as oneTap,ct as optionsMiddleware,Dc as organization,sp as passkey,Wl as passkeyClient,_p as phoneNumber,dl as twoFactor,Hu as twoFactorClient,ar as username};
|