better-auth 0.7.3 → 0.7.4

Files changed (53)
  1. package/dist/adapters/drizzle.d.cts +1 -1
  2. package/dist/adapters/drizzle.d.ts +1 -1
  3. package/dist/adapters/kysely.d.cts +1 -1
  4. package/dist/adapters/kysely.d.ts +1 -1
  5. package/dist/adapters/mongodb.d.cts +1 -1
  6. package/dist/adapters/mongodb.d.ts +1 -1
  7. package/dist/adapters/prisma.d.cts +1 -1
  8. package/dist/adapters/prisma.d.ts +1 -1
  9. package/dist/api.cjs +5 -5
  10. package/dist/api.d.cts +1 -1
  11. package/dist/api.d.ts +1 -1
  12. package/dist/api.js +5 -5
  13. package/dist/{auth-BkJnc76F.d.cts → auth-B5ozNy5X.d.cts} +1 -1
  14. package/dist/{auth-G61_RA8H.d.ts → auth-BBUjEh9D.d.ts} +1 -1
  15. package/dist/client/plugins.d.cts +4 -4
  16. package/dist/client/plugins.d.ts +4 -4
  17. package/dist/client.d.cts +1 -1
  18. package/dist/client.d.ts +1 -1
  19. package/dist/cookies.d.cts +1 -1
  20. package/dist/cookies.d.ts +1 -1
  21. package/dist/db.d.cts +2 -2
  22. package/dist/db.d.ts +2 -2
  23. package/dist/{index-cKD4sHma.d.ts → index-CQluFeIi.d.ts} +2 -2
  24. package/dist/{index-KdWDL1fo.d.cts → index-DK55nobk.d.cts} +2 -2
  25. package/dist/index.cjs +4 -4
  26. package/dist/index.d.cts +2 -2
  27. package/dist/index.d.ts +2 -2
  28. package/dist/index.js +5 -5
  29. package/dist/node.d.cts +1 -1
  30. package/dist/node.d.ts +1 -1
  31. package/dist/oauth2.d.cts +2 -2
  32. package/dist/oauth2.d.ts +2 -2
  33. package/dist/plugins.cjs +6 -6
  34. package/dist/plugins.d.cts +73 -4
  35. package/dist/plugins.d.ts +73 -4
  36. package/dist/plugins.js +6 -6
  37. package/dist/react.d.cts +1 -1
  38. package/dist/react.d.ts +1 -1
  39. package/dist/solid-start.d.cts +1 -1
  40. package/dist/solid-start.d.ts +1 -1
  41. package/dist/solid.d.cts +1 -1
  42. package/dist/solid.d.ts +1 -1
  43. package/dist/{state-UgidHWa5.d.cts → state-8Gh7gmo8.d.cts} +1 -1
  44. package/dist/{state-CTWPRYsC.d.ts → state-BU1iZb12.d.ts} +1 -1
  45. package/dist/svelte-kit.d.cts +1 -1
  46. package/dist/svelte-kit.d.ts +1 -1
  47. package/dist/svelte.d.cts +1 -1
  48. package/dist/svelte.d.ts +1 -1
  49. package/dist/types.d.cts +2 -2
  50. package/dist/types.d.ts +2 -2
  51. package/dist/vue.d.cts +1 -1
  52. package/dist/vue.d.ts +1 -1
  53. package/package.json +1 -1
package/dist/plugins.cjs CHANGED
@@ -1,6 +1,6 @@
1
- "use strict";var ro=Object.create;var He=Object.defineProperty;var oo=Object.getOwnPropertyDescriptor;var no=Object.getOwnPropertyNames;var io=Object.getPrototypeOf,so=Object.prototype.hasOwnProperty;var ao=(e,t)=>{for(var r in t)He(e,r,{get:t[r],enumerable:!0})},Dt=(e,t,r,o)=>{if(t&&typeof t=="object"||typeof t=="function")for(let n of no(t))!so.call(e,n)&&n!==r&&He(e,n,{get:()=>t[n],enumerable:!(o=oo(t,n))||o.enumerable});return e};var xt=(e,t,r)=>(r=e!=null?ro(io(e)):{},Dt(t||!e||!e.__esModule?He(r,"default",{value:e,enumerable:!0}):r,e)),co=e=>Dt(He({},"__esModule",{value:!0}),e);var kn={};ao(kn,{HIDE_METADATA:()=>pe,admin:()=>fn,adminMiddleware:()=>K,anonymous:()=>mn,bearer:()=>cn,createAuthEndpoint:()=>u,createAuthMiddleware:()=>S,emailOTP:()=>bn,genericOAuth:()=>hn,getPasskeyActions:()=>Gr,jwt:()=>wn,magicLink:()=>un,multiSession:()=>yn,oneTap:()=>An,optionsMiddleware:()=>lt,organization:()=>Wo,passkey:()=>dn,passkeyClient:()=>an,phoneNumber:()=>pn,twoFactor:()=>on,twoFactorClient:()=>rn,username:()=>_t});module.exports=co(kn);var bt=require("better-call"),Ue=require("zod");var le=require("better-call"),lt=(0,le.createMiddleware)(async()=>({})),S=(0,le.createMiddlewareCreator)({use:[lt,(0,le.createMiddleware)(async()=>({}))]}),u=(0,le.createEndpointCreator)({use:[lt]});var $=require("better-call"),N=require("zod");var po=require("oslo");var G=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r}};var We=Object.create(null),De=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?We:globalThis),Ge=new Proxy(We,{get(e,t){return De()[t]??We[t]},has(e,t){let r=De();return t in r||t in We},set(e,t,r){let o=De(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=De(!0);return delete r[t],!0},ownKeys(){let e=De(!0);return Object.keys(e)}});function uo(e){return e?e!=="false":!1}var pt=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var 
Lt=pt==="dev"||pt==="development",lo=pt==="test"||uo(Ge.TEST);async function w(e,t,r,o){let n=e.context.authCookies.sessionToken.options;n.maxAge=r?void 0:e.context.sessionConfig.expiresIn,await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.id,e.context.secret,{...n,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&await e.setSignedCookie(e.context.authCookies.sessionData.name,JSON.stringify(t),e.context.secret,e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.id,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function te(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{maxAge:0})}function jt(e){let t=new Map;return e.split(", ").forEach(o=>{let[n,...i]=o.split("; "),[a,s]=n.split("="),d={value:s};i.forEach(c=>{let[l,p]=c.split("=");d[l.toLowerCase()]=p||!0}),t.set(a,d)}),t}function Ke(e){let t=e.split("; "),r=new Map;return t.forEach(o=>{let[n,i]=o.split("=");r.set(n,i)}),r}var Ht=require("oslo/jwt");var Nt=require("oslo/crypto"),Ft=require("oslo/encoding");var C=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function Vt(e){let t=await(0,Nt.sha256)(new TextEncoder().encode(e));return Ft.base64url.encode(new Uint8Array(t),{includePadding:!1})}function qt(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?C(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function I({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:n,scopes:i,claims:a,disablePkce:s,redirectURI:d}){let 
c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",o),c.searchParams.set("scope",i.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||d),!s&&n){let l=await Vt(n);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",l)}if(a){let l=a.reduce((p,m)=>(p[m]=null,p),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...l}}))}return c}var Mt=require("@better-fetch/fetch");async function v({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:n}){let i=new URLSearchParams;i.set("grant_type","authorization_code"),i.set("code",e),t&&i.set("code_verifier",t),i.set("redirect_uri",r),i.set("client_id",o.clientId),i.set("client_secret",o.clientSecret);let{data:a,error:s}=await(0,Mt.betterFetch)(n,{method:"POST",body:i,headers:{"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"}});if(s)throw s;return qt(a)}var Ze=require("oslo/oauth2"),re=require("zod"),mt=require("better-call");var pe={isAction:!1};var $t=require("nanoid"),z=e=>(0,$t.nanoid)(e);var Qt=require("consola"),me=(0,Qt.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),mo=e=>({log:(...t)=>{!e?.disabled&&me.log("",...t)},error:(...t)=>{!e?.disabled&&me.error("",...t)},warn:(...t)=>{!e?.disabled&&me.warn("",...t)},info:(...t)=>{!e?.disabled&&me.info("",...t)},debug:(...t)=>{!e?.disabled&&me.debug("",...t)},box:(...t)=>{!e?.disabled&&me.box("",...t)},success:(...t)=>{!e?.disabled&&me.success("",...t)},break:(...t)=>{!e?.disabled&&console.log(`
2
- `)}}),y=mo();function Je(e){try{return new URL(e).origin}catch{return null}}async function ke(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?Je(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new mt.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,Ze.generateCodeVerifier)(),n=(0,Ze.generateState)(),i=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let s=await e.context.internalAdapter.createVerificationValue({value:i,identifier:n,expiresAt:a});if(!s)throw y.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new mt.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:s.identifier,codeVerifier:o}}async function Ye(e){let t=e.query.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw y.error("State Mismatch. 
Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=re.z.object({callbackURL:re.z.string(),codeVerifier:re.z.string(),errorURL:re.z.string().optional(),expiresAt:re.z.number(),link:re.z.object({email:re.z.string(),userId:re.z.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),y.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Wt=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:n}){let i=o||["email","name","openid"];return e.scope&&i.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${i.join(" ")}&state=${r}`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>v({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(!r.idToken)return null;let o=(0,Ht.parseJWT)(r.idToken)?.payload;return o?{user:{id:o.sub,name:o.name,email:o.email,emailVerified:o.email_verified==="true"},data:o}:null}}};var Gt=require("@better-fetch/fetch");var Kt=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["identify","email"];return e.scope&&n.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${n.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>v({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async 
getUserInfo(t){let{data:r,error:o}=await(0,Gt.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let n=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${n}`}return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url},data:r}}});var Jt=require("@better-fetch/fetch");var Zt=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["email","public_profile"];return e.scope&&n.push(...e.scope),await I({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:n,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>v({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){let{data:r,error:o}=await(0,Jt.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified},data:r}}});var ft=require("@better-fetch/fetch");var Yt=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:n,redirectURI:i}){let a=o||["user:email"];return e.scope&&a.push(...e.scope),I({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,redirectURI:o})=>v({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async 
getUserInfo(r){let{data:o,error:n}=await(0,ft.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=!1;if(!o.email){let{data:a,error:s}=await(0,ft.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});s||(o.email=(a.find(d=>d.primary)??a[0])?.email,i=a.find(d=>d.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:i},data:o}}}};var Xt=require("oslo/jwt");var er=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){if(!e.clientId||!e.clientSecret)throw y.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new G("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new G("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let a=await I({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:o,redirectURI:n});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>v({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async getUserInfo(t){if(!t.idToken)return null;let r=(0,Xt.parseJWT)(t.idToken)?.payload;return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified},data:r}}});var tr=require("@better-fetch/fetch"),rr=require("oslo/jwt");var or=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(n){let 
i=n.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),I({id:"microsoft",options:e,authorizationEndpoint:r,state:n.state,codeVerifier:n.codeVerifier,scopes:i,redirectURI:n.redirectURI})},validateAuthorizationCode({code:n,codeVerifier:i,redirectURI:a}){return v({code:n,codeVerifier:i,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:o})},async getUserInfo(n){if(!n.idToken)return null;let i=(0,rr.parseJWT)(n.idToken)?.payload,a=e.profilePhotoSize||48;return await(0,tr.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${n.accessToken}`},async onResponse(s){if(!(e.disableProfilePhoto||!s.response.ok))try{let c=await s.response.clone().arrayBuffer(),l=Buffer.from(c).toString("base64");i.picture=`data:image/jpeg;base64, ${l}`}catch(d){y.error(d)}}}),{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0},data:i}}}};var nr=require("@better-fetch/fetch");var ir=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),I({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:o,redirectURI:n})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>v({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,nr.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1},data:r}}});var vi=require("@better-fetch/fetch");var sr=require("oslo/jwt");var ar=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["user:read:email","openid"];return 
e.scope&&n.push(...e.scope),I({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:n,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>v({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){let r=t.idToken;if(!r)return y.error("No idToken found in token"),null;let o=(0,sr.parseJWT)(r)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});var dr=require("@better-fetch/fetch");var cr=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["account_info.read"];return e.scope&&r.push(...e.scope),I({id:"twitter",options:e,authorizationEndpoint:"https://twitter.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>v({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,dr.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o||!r.data.email?null:{user:{id:r.data.id,name:r.data.name,email:r.data.email,image:r.data.profile_image_url,emailVerified:r.data.verified||!1},data:r}}});var ur=require("@better-fetch/fetch");var lr=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:n,redirectURI:i})=>{let a=o||["account_info.read"];return e.scope&&a.push(...e.scope),await 
I({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>await v({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){let{data:o,error:n}=await(0,ur.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});return n?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};var pr=require("@better-fetch/fetch");var mr=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:n,redirectURI:i})=>{let a=n||["profile","email","openid"];return e.scope&&a.push(...e.scope),await I({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:o,redirectURI:i})},validateAuthorizationCode:async({code:o,redirectURI:n})=>await v({code:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:n,error:i}=await(0,pr.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return i?null:{user:{id:n.sub,name:n.name,email:n.email,emailVerified:n.email_verified||!1,image:n.picture},data:n}}}};var fr=require("@better-fetch/fetch");var gt=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),fo=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:gt(`${t}/oauth/authorize`),tokenEndpoint:gt(`${t}/oauth/token`),userinfoEndpoint:gt(`${t}/api/v4/user`)}},gr=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=fo(e.issuer),n="gitlab";return{id:n,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:s,codeVerifier:d,redirectURI:c})=>{let l=s||["read_user"];return 
e.scope&&l.push(...e.scope),await I({id:n,options:e,authorizationEndpoint:t,scopes:l,state:a,redirectURI:c,codeVerifier:d})},validateAuthorizationCode:async({code:a,redirectURI:s})=>v({code:a,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:r}),async getUserInfo(a){let{data:s,error:d}=await(0,fr.betterFetch)(o,{headers:{authorization:`Bearer ${a.accessToken}`}});return d||s.state!=="active"||s.locked?null:{user:{id:s.id.toString(),name:s.name??s.username,email:s.email,image:s.avatar_url,emailVerified:!0},data:s}}}};var go={apple:Wt,discord:Kt,facebook:Zt,github:Yt,microsoft:or,google:er,spotify:ir,twitch:ar,twitter:cr,dropbox:lr,linkedin:mr,gitlab:gr},Xe=Object.keys(go);var wr=require("oslo"),et=require("oslo/jwt"),M=require("zod");var fe=require("better-call");var Oe=require("better-call");var ve=require("zod"),hr=()=>u("/get-session",{method:"GET",query:ve.z.optional(ve.z.object({disableCookieCache:ve.z.boolean().optional()})),requireHeaders:!0},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null,{status:401});let r=await e.getSignedCookie(e.context.authCookies.sessionData.name,e.context.secret),o=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(r&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let c=JSON.parse(r)?.session;if(c?.expiresAt>new Date)return e.json(c)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return te(e),n&&await e.context.internalAdapter.deleteSession(n.session.id),e.json(null,{status:401});if(o)return e.json(n);let i=e.context.sessionConfig.expiresIn,a=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-i*1e3+a*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.id,{expiresAt:C(e.context.sessionConfig.expiresIn,"sec")});if(!c)return te(e),e.json(null,{status:401});let 
l=(c.expiresAt.valueOf()-Date.now())/1e3;return await w(e,{session:c,user:n.user},!1,{maxAge:l}),e.json({session:c,user:n.user})}return e.json(n)}catch(t){return e.context.logger.error(t),e.json(null,{status:500})}}),D=async e=>await hr()({...e,_flag:"json",headers:e.headers}),b=S(async e=>{let t=await D(e);if(!t?.session)throw new Oe.APIError("UNAUTHORIZED");return{session:t}});var ho=u("/revoke-session",{method:"POST",body:ve.z.object({id:ve.z.string()}),use:[b],requireHeaders:!0},async e=>{let t=e.body.id,r=await e.context.internalAdapter.findSession(t);if(!r)throw new Oe.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new Oe.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o),new Oe.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),wo=u("/revoke-sessions",{method:"POST",use:[b],requireHeaders:!0},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t),new Oe.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})});async function ie(e,t,r){return await(0,et.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new wr.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var yo=u("/send-verification-email",{method:"POST",query:M.z.object({currentURL:M.z.string().optional()}).optional(),body:M.z.object({email:M.z.string().email(),callbackURL:M.z.string().optional()})},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new fe.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new fe.APIError("BAD_REQUEST",{message:"User not found"});let o=await 
ie(e.context.secret,t),n=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailVerification.sendVerificationEmail(r.user,n,o),e.json({status:!0})}),bo=u("/verify-email",{method:"GET",query:M.z.object({token:M.z.string(),callbackURL:M.z.string().optional()})},async e=>{let{token:t}=e.query,r;try{r=await(0,et.validateJWT)("HS256",Buffer.from(e.context.secret),t)}catch(a){throw e.context.logger.error("Failed to verify email",a),new fe.APIError("BAD_REQUEST",{message:"Invalid token"})}let n=M.z.object({email:M.z.string().email(),updateTo:M.z.string().optional()}).parse(r.payload);if(!await e.context.internalAdapter.findUserByEmail(n.email))throw new fe.APIError("BAD_REQUEST",{message:"User not found"});if(n.updateTo){let a=await D(e);if(!a)throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=unauthorized`):new fe.APIError("UNAUTHORIZED",{message:"Session not found"});if(a.user.email!==n.email)throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=unauthorized`):new fe.APIError("UNAUTHORIZED",{message:"Invalid session"});let s=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.(s,`${e.context.baseURL}/verify-email?token=${t}`,t),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:s,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});var Ao=u("/sign-in/social",{method:"POST",query:N.z.object({currentURL:N.z.string().optional()}).optional(),body:N.z.object({callbackURL:N.z.string().optional(),provider:N.z.enum(Xe)})},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new $.APIError("NOT_FOUND",{message:"Provider not found"});let{codeVerifier:r,state:o}=await ke(e),n=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:n.toString(),redirect:!0})}),ko=u("/sign-in/email",{method:"POST",body:N.z.object({email:N.z.string(),password:N.z.string(),callbackURL:N.z.string().optional(),dontRememberMe:N.z.boolean().default(!1).optional()})},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new $.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!N.z.string().email().safeParse(t).success)throw new $.APIError("BAD_REQUEST",{message:"Invalid email"});if(!N.z.string().email().safeParse(t).success)throw new $.APIError("BAD_REQUEST",{message:"Invalid email"});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let a=i.accounts.find(l=>l.providerId==="credential");if(!a)throw e.context.logger.error("Credential account not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let s=a?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(s,r))throw e.context.logger.error("Invalid password"),new $.APIError("UNAUTHORIZED",{message:"Invalid email or 
password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw y.error("Email verification is required but no email verification handler is provided"),new $.APIError("INTERNAL_SERVER_ERROR",{message:"Email is not verified."});let l=await ie(e.context.secret,i.user.email),p=`${e.context.options.baseURL}/verify-email?token=${l}`;throw await e.context.options.emailVerification.sendVerificationEmail(i.user,p,l),e.context.logger.error("Email not verified",{email:t}),new $.APIError("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let c=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.dontRememberMe);if(!c)throw e.context.logger.error("Failed to create session"),new $.APIError("UNAUTHORIZED",{message:"Failed to create session"});return await w(e,{session:c,user:i.user},e.body.dontRememberMe),e.json({user:i.user,session:c,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var xe=require("zod");var O=require("zod"),As=O.z.object({id:O.z.string(),providerId:O.z.string(),accountId:O.z.string(),userId:O.z.string(),accessToken:O.z.string().nullable().optional(),refreshToken:O.z.string().nullable().optional(),idToken:O.z.string().nullable().optional(),expiresAt:O.z.date().nullable().optional(),password:O.z.string().optional().nullable()}),tt=O.z.object({id:O.z.string(),email:O.z.string().transform(e=>e.toLowerCase()),emailVerified:O.z.boolean().default(!1),name:O.z.string(),image:O.z.string().optional(),createdAt:O.z.date().default(new Date),updatedAt:O.z.date().default(new Date)}),ks=O.z.object({id:O.z.string(),userId:O.z.string(),expiresAt:O.z.date(),ipAddress:O.z.string().optional(),userAgent:O.z.string().optional()}),Os=O.z.object({id:O.z.string(),value:O.z.string(),expiresAt:O.z.date(),identifier:O.z.string()});var 
Oo=u("/callback/:id",{method:"GET",query:xe.z.object({state:xe.z.string(),code:xe.z.string().optional(),error:xe.z.string().optional()}),metadata:pe},async e=>{if(!e.query.code)throw e.redirect(`${e.context.baseURL}/error?error=${e.query.error||"no_code"}`);let t=e.context.socialProviders.find(A=>A.id===e.params.id);if(!t)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:r,callbackURL:o,link:n,errorURL:i}=await Ye(e),a;try{a=await t.validateAuthorizationCode({code:e.query.code,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`})}catch(A){throw e.context.logger.error(A),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let s=await t.getUserInfo(a).then(A=>A?.user),d=z(),c=tt.safeParse({...s,id:d});if(!s||c.success===!1)throw y.error("Unable to get user info",c.error),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(!o)throw y.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(n){if(n.email!==s.email.toLowerCase())return l("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:n.userId,providerId:t.id,accountId:s.id}))return l("unable_to_link_account");let h;try{h=new URL(o).toString()}catch{h=o}throw e.redirect(h)}function l(A){throw e.redirect(`${i||o||`${e.context.baseURL}/error`}?error=${A}`)}let p=await e.context.internalAdapter.findUserByEmail(s.email,{includeAccounts:!0}).catch(A=>{throw y.error(`Better auth was unable to query your database.
3
- Error: `,A),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),m=p?.user;if(p){let A=p.accounts.find(h=>h.providerId===t.id);if(A)await e.context.internalAdapter.updateAccount(A.id,{accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt});else{(!e.context.options.account?.accountLinking?.trustedProviders?.includes(t.id)&&!s.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)&&(Lt&&y.warn(`User already exist but account isn't linked to ${t.id}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),l("account_not_linked"));try{await e.context.internalAdapter.linkAccount({providerId:t.id,accountId:s.id.toString(),id:`${t.id}:${s.id}`,userId:p.user.id,accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt})}catch(be){y.error("Unable to link account",be),l("unable_to_link_account")}}}else try{let A=s.emailVerified||!1;if(m=await e.context.internalAdapter.createOAuthUser({...c.data,emailVerified:A},{accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt,providerId:t.id,accountId:s.id.toString()}).then(h=>h?.user),!A&&m&&e.context.options.emailVerification?.sendOnSignUp){let h=await ie(e.context.secret,m.email),_=`${e.context.baseURL}/verify-email?token=${h}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.(m,_,h)}}catch(A){y.error("Unable to create user",A),l("unable_to_create_user")}if(!m)return l("unable_to_create_user");let f=await e.context.internalAdapter.createSession(m.id,e.request);f||l("unable_to_create_session"),await w(e,{session:f,user:m});let k;try{k=new URL(o).toString()}catch{k=o}throw e.redirect(k)});var Bs=require("zod");var yr=require("better-call"),vo=u("/sign-out",{method:"POST"},async e=>{let t=await 
e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw new yr.APIError("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),te(e),e.json({success:!0})});var Q=require("zod");var Le=require("better-call");function br(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}function Eo(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}var Ro=u("/forget-password",{method:"POST",body:Q.z.object({email:Q.z.string().email(),redirectTo:Q.z.string()})},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new Le.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let n=60*60*1,i=new Date(Date.now()+1e3*(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||n)),a=e.context.uuid();await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:i});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword(o.user,s),e.json({status:!0})}),Io=u("/reset-password/:token",{method:"GET",query:Q.z.object({callbackURL:Q.z.string()})},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(br(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new 
Date?e.redirect(br(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Eo(e.context,r,{token:t}))}),Uo=u("/reset-password",{query:Q.z.optional(Q.z.object({token:Q.z.string().optional(),currentURL:Q.z.string().optional()})),method:"POST",body:Q.z.object({newPassword:Q.z.string()})},async e=>{let t=e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new Le.APIError("BAD_REQUEST",{message:"Token not found"});let{newPassword:r}=e.body,o=`reset-password:${t}`,n=await e.context.internalAdapter.findVerificationValue(o);if(!n||n.expiresAt<new Date)throw new Le.APIError("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(n.id);let i=n.value,a=await e.context.password.hash(r);if(!(await e.context.internalAdapter.findAccounts(i)).find(l=>l.providerId==="credential"))return await e.context.internalAdapter.createAccount({userId:i,providerId:"credential",password:a,accountId:e.context.uuid()}),e.json({status:!0});if(!await e.context.internalAdapter.updatePassword(i,a))throw new Le.APIError("BAD_REQUEST",{message:"Failed to update password"});return e.json({status:!0})});var j=require("zod");var x=require("better-call");var So=u("/change-password",{method:"POST",body:j.z.object({newPassword:j.z.string(),currentPassword:j.z.string(),revokeOtherSessions:j.z.boolean().optional()}),use:[b]},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,n=e.context.session,i=e.context.password.config.minPasswordLength;if(t.length<i)throw e.context.logger.error("Password is too short"),new x.APIError("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new x.APIError("BAD_REQUEST",{message:"Password too long"});let d=(await e.context.internalAdapter.findAccounts(n.user.id)).find(p=>p.providerId==="credential"&&p.password);if(!d||!d.password)throw new 
x.APIError("BAD_REQUEST",{message:"User does not have a password"});let c=await e.context.password.hash(t);if(!await e.context.password.verify(d.password,r))throw new x.APIError("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(d.id,{password:c}),o){await e.context.internalAdapter.deleteSessions(n.user.id);let p=await e.context.internalAdapter.createSession(n.user.id,e.headers);if(!p)throw new x.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await w(e,{session:p,user:n.user})}return e.json(n.user)}),Po=u("/set-password",{method:"POST",body:j.z.object({newPassword:j.z.string()}),metadata:{SERVER_ONLY:!0},use:[b]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new x.APIError("BAD_REQUEST",{message:"Password is too short"});let n=e.context.password.config.maxPasswordLength;if(t.length>n)throw e.context.logger.error("Password is too long"),new x.APIError("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(d=>d.providerId==="credential"&&d.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:s}),e.json(r.user);throw new x.APIError("BAD_REQUEST",{message:"user already has a password"})}),_o=u("/delete-user",{method:"POST",body:j.z.object({password:j.z.string()}),use:[b]},async e=>{let{password:t}=e.body,r=e.context.session,n=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password);if(!n||!n.password)throw new x.APIError("BAD_REQUEST",{message:"User does not have a password"});if(!await e.context.password.verify(n.password,t))throw new x.APIError("BAD_REQUEST",{message:"Incorrect password"});return await 
e.context.internalAdapter.deleteUser(r.user.id),await e.context.internalAdapter.deleteSessions(r.user.id),te(e),e.json(null)}),Co=u("/change-email",{method:"POST",query:j.z.object({currentURL:j.z.string().optional()}).optional(),body:j.z.object({newEmail:j.z.string().email(),callbackURL:j.z.string().optional()}),use:[b]},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new x.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new x.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new x.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let n=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:n,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new x.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await ie(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification(e.context.session.user,e.body.newEmail,o,r),e.json({user:null,status:!0})});var zo=(e="Unknown")=>`<!DOCTYPE html>
1
+ "use strict";var oo=Object.create;var We=Object.defineProperty;var no=Object.getOwnPropertyDescriptor;var io=Object.getOwnPropertyNames;var so=Object.getPrototypeOf,ao=Object.prototype.hasOwnProperty;var co=(e,t)=>{for(var r in t)We(e,r,{get:t[r],enumerable:!0})},xt=(e,t,r,o)=>{if(t&&typeof t=="object"||typeof t=="function")for(let n of io(t))!ao.call(e,n)&&n!==r&&We(e,n,{get:()=>t[n],enumerable:!(o=no(t,n))||o.enumerable});return e};var Dt=(e,t,r)=>(r=e!=null?oo(so(e)):{},xt(t||!e||!e.__esModule?We(r,"default",{value:e,enumerable:!0}):r,e)),uo=e=>xt(We({},"__esModule",{value:!0}),e);var vn={};co(vn,{HIDE_METADATA:()=>ge,admin:()=>gn,adminMiddleware:()=>J,anonymous:()=>fn,bearer:()=>un,createAuthEndpoint:()=>u,createAuthMiddleware:()=>T,emailOTP:()=>An,genericOAuth:()=>wn,getPasskeyActions:()=>Kr,jwt:()=>yn,magicLink:()=>ln,multiSession:()=>bn,oAuthProxy:()=>Rn,oneTap:()=>kn,optionsMiddleware:()=>pt,organization:()=>Go,passkey:()=>cn,passkeyClient:()=>dn,phoneNumber:()=>mn,twoFactor:()=>nn,twoFactorClient:()=>on,username:()=>Ct});module.exports=uo(vn);var At=require("better-call"),Pe=require("zod");var fe=require("better-call"),pt=(0,fe.createMiddleware)(async()=>({})),T=(0,fe.createMiddlewareCreator)({use:[pt,(0,fe.createMiddleware)(async()=>({}))]}),u=(0,fe.createEndpointCreator)({use:[pt]});var $=require("better-call"),N=require("zod");var mo=require("oslo");var G=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r}};var Ge=Object.create(null),xe=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?Ge:globalThis),K=new Proxy(Ge,{get(e,t){return xe()[t]??Ge[t]},has(e,t){let r=xe();return t in r||t in Ge},set(e,t,r){let o=xe(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=xe(!0);return delete r[t],!0},ownKeys(){let e=xe(!0);return Object.keys(e)}});function lo(e){return e?e!=="false":!1}var mt=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var 
jt=mt==="dev"||mt==="development",po=mt==="test"||lo(K.TEST);async function w(e,t,r,o){let n=e.context.authCookies.sessionToken.options;n.maxAge=r?void 0:e.context.sessionConfig.expiresIn,await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.id,e.context.secret,{...n,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&await e.setSignedCookie(e.context.authCookies.sessionData.name,JSON.stringify(t),e.context.secret,e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.id,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function re(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{maxAge:0})}function Nt(e){let t=new Map;return e.split(", ").forEach(o=>{let[n,...i]=o.split("; "),[a,s]=n.split("="),d={value:s};i.forEach(c=>{let[l,p]=c.split("=");d[l.toLowerCase()]=p||!0}),t.set(a,d)}),t}function Ke(e){let t=e.split("; "),r=new Map;return t.forEach(o=>{let[n,i]=o.split("=");r.set(n,i)}),r}var Wt=require("oslo/jwt");var Ft=require("oslo/crypto"),Vt=require("oslo/encoding");var C=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function qt(e){let t=await(0,Ft.sha256)(new TextEncoder().encode(e));return Vt.base64url.encode(new Uint8Array(t),{includePadding:!1})}function Mt(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?C(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function U({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:n,scopes:i,claims:a,disablePkce:s,redirectURI:d}){let 
c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",o),c.searchParams.set("scope",i.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||d),!s&&n){let l=await qt(n);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",l)}if(a){let l=a.reduce((p,m)=>(p[m]=null,p),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...l}}))}return c}var $t=require("@better-fetch/fetch");async function R({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:n}){let i=new URLSearchParams;i.set("grant_type","authorization_code"),i.set("code",e),t&&i.set("code_verifier",t),i.set("redirect_uri",r),i.set("client_id",o.clientId),i.set("client_secret",o.clientSecret);let{data:a,error:s}=await(0,$t.betterFetch)(n,{method:"POST",body:i,headers:{"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"}});if(s)throw s;return Mt(a)}var Ze=require("oslo/oauth2"),oe=require("zod"),ft=require("better-call");var ge={isAction:!1};var Qt=require("nanoid"),z=e=>(0,Qt.nanoid)(e);var Ht=require("consola"),he=(0,Ht.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),fo=e=>({log:(...t)=>{!e?.disabled&&he.log("",...t)},error:(...t)=>{!e?.disabled&&he.error("",...t)},warn:(...t)=>{!e?.disabled&&he.warn("",...t)},info:(...t)=>{!e?.disabled&&he.info("",...t)},debug:(...t)=>{!e?.disabled&&he.debug("",...t)},box:(...t)=>{!e?.disabled&&he.box("",...t)},success:(...t)=>{!e?.disabled&&he.success("",...t)},break:(...t)=>{!e?.disabled&&console.log(`
2
+ `)}}),y=fo();function Je(e){try{return new URL(e).origin}catch{return null}}async function ve(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?Je(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new ft.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,Ze.generateCodeVerifier)(),n=(0,Ze.generateState)(),i=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let s=await e.context.internalAdapter.createVerificationValue({value:i,identifier:n,expiresAt:a});if(!s)throw y.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new ft.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:s.identifier,codeVerifier:o}}async function Ye(e){let t=e.query.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw y.error("State Mismatch. 
Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=oe.z.object({callbackURL:oe.z.string(),codeVerifier:oe.z.string(),errorURL:oe.z.string().optional(),expiresAt:oe.z.number(),link:oe.z.object({email:oe.z.string(),userId:oe.z.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),y.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Gt=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:n}){let i=o||["email","name","openid"];return e.scope&&i.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${i.join(" ")}&state=${r}`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>R({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(!r.idToken)return null;let o=(0,Wt.parseJWT)(r.idToken)?.payload;return o?{user:{id:o.sub,name:o.name,email:o.email,emailVerified:o.email_verified==="true"},data:o}:null}}};var Kt=require("@better-fetch/fetch");var Jt=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["identify","email"];return e.scope&&n.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${n.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>R({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async 
getUserInfo(t){let{data:r,error:o}=await(0,Kt.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let n=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${n}`}return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url},data:r}}});var Zt=require("@better-fetch/fetch");var Yt=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["email","public_profile"];return e.scope&&n.push(...e.scope),await U({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:n,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>R({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){let{data:r,error:o}=await(0,Zt.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified},data:r}}});var gt=require("@better-fetch/fetch");var Xt=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:n,redirectURI:i}){let a=o||["user:email"];return e.scope&&a.push(...e.scope),U({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,redirectURI:o})=>R({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async 
getUserInfo(r){let{data:o,error:n}=await(0,gt.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=!1;if(!o.email){let{data:a,error:s}=await(0,gt.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});s||(o.email=(a.find(d=>d.primary)??a[0])?.email,i=a.find(d=>d.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:i},data:o}}}};var er=require("oslo/jwt");var tr=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){if(!e.clientId||!e.clientSecret)throw y.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new G("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new G("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let a=await U({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:o,redirectURI:n});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>R({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async getUserInfo(t){if(!t.idToken)return null;let r=(0,er.parseJWT)(t.idToken)?.payload;return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified},data:r}}});var rr=require("@better-fetch/fetch"),or=require("oslo/jwt");var nr=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(n){let 
i=n.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),U({id:"microsoft",options:e,authorizationEndpoint:r,state:n.state,codeVerifier:n.codeVerifier,scopes:i,redirectURI:n.redirectURI})},validateAuthorizationCode({code:n,codeVerifier:i,redirectURI:a}){return R({code:n,codeVerifier:i,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:o})},async getUserInfo(n){if(!n.idToken)return null;let i=(0,or.parseJWT)(n.idToken)?.payload,a=e.profilePhotoSize||48;return await(0,rr.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${n.accessToken}`},async onResponse(s){if(!(e.disableProfilePhoto||!s.response.ok))try{let c=await s.response.clone().arrayBuffer(),l=Buffer.from(c).toString("base64");i.picture=`data:image/jpeg;base64, ${l}`}catch(d){y.error(d)}}}),{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0},data:i}}}};var ir=require("@better-fetch/fetch");var sr=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),U({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:o,redirectURI:n})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>R({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,ir.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1},data:r}}});var Ui=require("@better-fetch/fetch");var ar=require("oslo/jwt");var dr=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["user:read:email","openid"];return 
e.scope&&n.push(...e.scope),U({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:n,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>R({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){let r=t.idToken;if(!r)return y.error("No idToken found in token"),null;let o=(0,ar.parseJWT)(r)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});var cr=require("@better-fetch/fetch");var ur=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["account_info.read"];return e.scope&&r.push(...e.scope),U({id:"twitter",options:e,authorizationEndpoint:"https://twitter.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>R({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){let{data:r,error:o}=await(0,cr.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o||!r.data.email?null:{user:{id:r.data.id,name:r.data.name,email:r.data.email,image:r.data.profile_image_url,emailVerified:r.data.verified||!1},data:r}}});var lr=require("@better-fetch/fetch");var pr=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:n,redirectURI:i})=>{let a=o||["account_info.read"];return e.scope&&a.push(...e.scope),await 
U({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>await R({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){let{data:o,error:n}=await(0,lr.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});return n?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};var mr=require("@better-fetch/fetch");var fr=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:n,redirectURI:i})=>{let a=n||["profile","email","openid"];return e.scope&&a.push(...e.scope),await U({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:o,redirectURI:i})},validateAuthorizationCode:async({code:o,redirectURI:n})=>await R({code:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:n,error:i}=await(0,mr.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return i?null:{user:{id:n.sub,name:n.name,email:n.email,emailVerified:n.email_verified||!1,image:n.picture},data:n}}}};var gr=require("@better-fetch/fetch");var ht=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),go=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:ht(`${t}/oauth/authorize`),tokenEndpoint:ht(`${t}/oauth/token`),userinfoEndpoint:ht(`${t}/api/v4/user`)}},hr=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=go(e.issuer),n="gitlab";return{id:n,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:s,codeVerifier:d,redirectURI:c})=>{let l=s||["read_user"];return 
e.scope&&l.push(...e.scope),await U({id:n,options:e,authorizationEndpoint:t,scopes:l,state:a,redirectURI:c,codeVerifier:d})},validateAuthorizationCode:async({code:a,redirectURI:s})=>R({code:a,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:r}),async getUserInfo(a){let{data:s,error:d}=await(0,gr.betterFetch)(o,{headers:{authorization:`Bearer ${a.accessToken}`}});return d||s.state!=="active"||s.locked?null:{user:{id:s.id.toString(),name:s.name??s.username,email:s.email,image:s.avatar_url,emailVerified:!0},data:s}}}};var ho={apple:Gt,discord:Jt,facebook:Yt,github:Xt,microsoft:nr,google:tr,spotify:sr,twitch:dr,twitter:ur,dropbox:pr,linkedin:fr,gitlab:hr},Xe=Object.keys(ho);var yr=require("oslo"),et=require("oslo/jwt"),M=require("zod");var we=require("better-call");var Ee=require("better-call");var Ue=require("zod"),wr=()=>u("/get-session",{method:"GET",query:Ue.z.optional(Ue.z.object({disableCookieCache:Ue.z.boolean().optional()})),requireHeaders:!0},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null,{status:401});let r=await e.getSignedCookie(e.context.authCookies.sessionData.name,e.context.secret),o=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(r&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let c=JSON.parse(r)?.session;if(c?.expiresAt>new Date)return e.json(c)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return re(e),n&&await e.context.internalAdapter.deleteSession(n.session.id),e.json(null,{status:401});if(o)return e.json(n);let i=e.context.sessionConfig.expiresIn,a=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-i*1e3+a*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.id,{expiresAt:C(e.context.sessionConfig.expiresIn,"sec")});if(!c)return re(e),e.json(null,{status:401});let 
l=(c.expiresAt.valueOf()-Date.now())/1e3;return await w(e,{session:c,user:n.user},!1,{maxAge:l}),e.json({session:c,user:n.user})}return e.json(n)}catch(t){return e.context.logger.error(t),e.json(null,{status:500})}}),L=async e=>await wr()({...e,_flag:"json",headers:e.headers}),A=T(async e=>{let t=await L(e);if(!t?.session)throw new Ee.APIError("UNAUTHORIZED");return{session:t}});var wo=u("/revoke-session",{method:"POST",body:Ue.z.object({id:Ue.z.string()}),use:[A],requireHeaders:!0},async e=>{let t=e.body.id,r=await e.context.internalAdapter.findSession(t);if(!r)throw new Ee.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new Ee.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o),new Ee.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),yo=u("/revoke-sessions",{method:"POST",use:[A],requireHeaders:!0},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t),new Ee.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})});async function se(e,t,r){return await(0,et.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new yr.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var bo=u("/send-verification-email",{method:"POST",query:M.z.object({currentURL:M.z.string().optional()}).optional(),body:M.z.object({email:M.z.string().email(),callbackURL:M.z.string().optional()})},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new we.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new we.APIError("BAD_REQUEST",{message:"User not found"});let o=await 
se(e.context.secret,t),n=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailVerification.sendVerificationEmail(r.user,n,o),e.json({status:!0})}),Ao=u("/verify-email",{method:"GET",query:M.z.object({token:M.z.string(),callbackURL:M.z.string().optional()})},async e=>{let{token:t}=e.query,r;try{r=await(0,et.validateJWT)("HS256",Buffer.from(e.context.secret),t)}catch(a){throw e.context.logger.error("Failed to verify email",a),new we.APIError("BAD_REQUEST",{message:"Invalid token"})}let n=M.z.object({email:M.z.string().email(),updateTo:M.z.string().optional()}).parse(r.payload);if(!await e.context.internalAdapter.findUserByEmail(n.email))throw new we.APIError("BAD_REQUEST",{message:"User not found"});if(n.updateTo){let a=await L(e);if(!a)throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=unauthorized`):new we.APIError("UNAUTHORIZED",{message:"Session not found"});if(a.user.email!==n.email)throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=unauthorized`):new we.APIError("UNAUTHORIZED",{message:"Invalid session"});let s=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.(s,`${e.context.baseURL}/verify-email?token=${t}`,t),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:s,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});var ko=u("/sign-in/social",{method:"POST",query:N.z.object({currentURL:N.z.string().optional()}).optional(),body:N.z.object({callbackURL:N.z.string().optional(),provider:N.z.enum(Xe)})},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new $.APIError("NOT_FOUND",{message:"Provider not found"});let{codeVerifier:r,state:o}=await ve(e),n=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:n.toString(),redirect:!0})}),Oo=u("/sign-in/email",{method:"POST",body:N.z.object({email:N.z.string(),password:N.z.string(),callbackURL:N.z.string().optional(),dontRememberMe:N.z.boolean().default(!1).optional()})},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new $.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!N.z.string().email().safeParse(t).success)throw new $.APIError("BAD_REQUEST",{message:"Invalid email"});if(!N.z.string().email().safeParse(t).success)throw new $.APIError("BAD_REQUEST",{message:"Invalid email"});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let a=i.accounts.find(l=>l.providerId==="credential");if(!a)throw e.context.logger.error("Credential account not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let s=a?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new $.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(s,r))throw e.context.logger.error("Invalid password"),new $.APIError("UNAUTHORIZED",{message:"Invalid email or 
password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw y.error("Email verification is required but no email verification handler is provided"),new $.APIError("INTERNAL_SERVER_ERROR",{message:"Email is not verified."});let l=await se(e.context.secret,i.user.email),p=`${e.context.options.baseURL}/verify-email?token=${l}`;throw await e.context.options.emailVerification.sendVerificationEmail(i.user,p,l),e.context.logger.error("Email not verified",{email:t}),new $.APIError("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let c=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.dontRememberMe);if(!c)throw e.context.logger.error("Failed to create session"),new $.APIError("UNAUTHORIZED",{message:"Failed to create session"});return await w(e,{session:c,user:i.user},e.body.dontRememberMe),e.json({user:i.user,session:c,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var De=require("zod");var O=require("zod"),Rs=O.z.object({id:O.z.string(),providerId:O.z.string(),accountId:O.z.string(),userId:O.z.string(),accessToken:O.z.string().nullable().optional(),refreshToken:O.z.string().nullable().optional(),idToken:O.z.string().nullable().optional(),expiresAt:O.z.date().nullable().optional(),password:O.z.string().optional().nullable()}),tt=O.z.object({id:O.z.string(),email:O.z.string().transform(e=>e.toLowerCase()),emailVerified:O.z.boolean().default(!1),name:O.z.string(),image:O.z.string().optional(),createdAt:O.z.date().default(new Date),updatedAt:O.z.date().default(new Date)}),vs=O.z.object({id:O.z.string(),userId:O.z.string(),expiresAt:O.z.date(),ipAddress:O.z.string().optional(),userAgent:O.z.string().optional()}),Es=O.z.object({id:O.z.string(),value:O.z.string(),expiresAt:O.z.date(),identifier:O.z.string()});var 
Ro=u("/callback/:id",{method:"GET",query:De.z.object({state:De.z.string(),code:De.z.string().optional(),error:De.z.string().optional()}),metadata:ge},async e=>{if(!e.query.code)throw e.redirect(`${e.context.baseURL}/error?error=${e.query.error||"no_code"}`);let t=e.context.socialProviders.find(b=>b.id===e.params.id);if(!t)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:r,callbackURL:o,link:n,errorURL:i}=await Ye(e),a;try{a=await t.validateAuthorizationCode({code:e.query.code,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`})}catch(b){throw e.context.logger.error(b),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let s=await t.getUserInfo(a).then(b=>b?.user),d=z(),c=tt.safeParse({...s,id:d});if(!s||c.success===!1)throw y.error("Unable to get user info",c.error),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(!o)throw y.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(n){if(n.email!==s.email.toLowerCase())return l("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:n.userId,providerId:t.id,accountId:s.id}))return l("unable_to_link_account");let h;try{h=new URL(o).toString()}catch{h=o}throw e.redirect(h)}function l(b){throw e.redirect(`${i||o||`${e.context.baseURL}/error`}?error=${b}`)}let p=await e.context.internalAdapter.findUserByEmail(s.email,{includeAccounts:!0}).catch(b=>{throw y.error(`Better auth was unable to query your database.
3
+ Error: `,b),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),m=p?.user;if(p){let b=p.accounts.find(h=>h.providerId===t.id);if(b)await e.context.internalAdapter.updateAccount(b.id,{accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt});else{(!e.context.options.account?.accountLinking?.trustedProviders?.includes(t.id)&&!s.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)&&(jt&&y.warn(`User already exist but account isn't linked to ${t.id}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),l("account_not_linked"));try{await e.context.internalAdapter.linkAccount({providerId:t.id,accountId:s.id.toString(),id:`${t.id}:${s.id}`,userId:p.user.id,accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt})}catch(Oe){y.error("Unable to link account",Oe),l("unable_to_link_account")}}}else try{let b=s.emailVerified||!1;if(m=await e.context.internalAdapter.createOAuthUser({...c.data,emailVerified:b},{accessToken:a.accessToken,idToken:a.idToken,refreshToken:a.refreshToken,expiresAt:a.accessTokenExpiresAt,providerId:t.id,accountId:s.id.toString()}).then(h=>h?.user),!b&&m&&e.context.options.emailVerification?.sendOnSignUp){let h=await se(e.context.secret,m.email),_=`${e.context.baseURL}/verify-email?token=${h}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.(m,_,h)}}catch(b){y.error("Unable to create user",b),l("unable_to_create_user")}if(!m)return l("unable_to_create_user");let f=await e.context.internalAdapter.createSession(m.id,e.request);f||l("unable_to_create_session"),await w(e,{session:f,user:m});let k;try{k=new URL(o).toString()}catch{k=o}throw e.redirect(k)});var Ds=require("zod");var br=require("better-call"),vo=u("/sign-out",{method:"POST"},async e=>{let t=await 
e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw new br.APIError("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),re(e),e.json({success:!0})});var Q=require("zod");var je=require("better-call");function Ar(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}function Eo(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}var Uo=u("/forget-password",{method:"POST",body:Q.z.object({email:Q.z.string().email(),redirectTo:Q.z.string()})},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new je.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let n=60*60*1,i=new Date(Date.now()+1e3*(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||n)),a=e.context.uuid();await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:i});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword(o.user,s),e.json({status:!0})}),Io=u("/reset-password/:token",{method:"GET",query:Q.z.object({callbackURL:Q.z.string()})},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(Ar(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new 
Date?e.redirect(Ar(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Eo(e.context,r,{token:t}))}),To=u("/reset-password",{query:Q.z.optional(Q.z.object({token:Q.z.string().optional(),currentURL:Q.z.string().optional()})),method:"POST",body:Q.z.object({newPassword:Q.z.string()})},async e=>{let t=e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new je.APIError("BAD_REQUEST",{message:"Token not found"});let{newPassword:r}=e.body,o=`reset-password:${t}`,n=await e.context.internalAdapter.findVerificationValue(o);if(!n||n.expiresAt<new Date)throw new je.APIError("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(n.id);let i=n.value,a=await e.context.password.hash(r);if(!(await e.context.internalAdapter.findAccounts(i)).find(l=>l.providerId==="credential"))return await e.context.internalAdapter.createAccount({userId:i,providerId:"credential",password:a,accountId:e.context.uuid()}),e.json({status:!0});if(!await e.context.internalAdapter.updatePassword(i,a))throw new je.APIError("BAD_REQUEST",{message:"Failed to update password"});return e.json({status:!0})});var j=require("zod");var x=require("better-call");var Po=u("/change-password",{method:"POST",body:j.z.object({newPassword:j.z.string(),currentPassword:j.z.string(),revokeOtherSessions:j.z.boolean().optional()}),use:[A]},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,n=e.context.session,i=e.context.password.config.minPasswordLength;if(t.length<i)throw e.context.logger.error("Password is too short"),new x.APIError("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new x.APIError("BAD_REQUEST",{message:"Password too long"});let d=(await e.context.internalAdapter.findAccounts(n.user.id)).find(p=>p.providerId==="credential"&&p.password);if(!d||!d.password)throw new 
x.APIError("BAD_REQUEST",{message:"User does not have a password"});let c=await e.context.password.hash(t);if(!await e.context.password.verify(d.password,r))throw new x.APIError("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(d.id,{password:c}),o){await e.context.internalAdapter.deleteSessions(n.user.id);let p=await e.context.internalAdapter.createSession(n.user.id,e.headers);if(!p)throw new x.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await w(e,{session:p,user:n.user})}return e.json(n.user)}),_o=u("/set-password",{method:"POST",body:j.z.object({newPassword:j.z.string()}),metadata:{SERVER_ONLY:!0},use:[A]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new x.APIError("BAD_REQUEST",{message:"Password is too short"});let n=e.context.password.config.maxPasswordLength;if(t.length>n)throw e.context.logger.error("Password is too long"),new x.APIError("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(d=>d.providerId==="credential"&&d.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:s}),e.json(r.user);throw new x.APIError("BAD_REQUEST",{message:"user already has a password"})}),Co=u("/delete-user",{method:"POST",body:j.z.object({password:j.z.string()}),use:[A]},async e=>{let{password:t}=e.body,r=e.context.session,n=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password);if(!n||!n.password)throw new x.APIError("BAD_REQUEST",{message:"User does not have a password"});if(!await e.context.password.verify(n.password,t))throw new x.APIError("BAD_REQUEST",{message:"Incorrect password"});return await 
e.context.internalAdapter.deleteUser(r.user.id),await e.context.internalAdapter.deleteSessions(r.user.id),re(e),e.json(null)}),zo=u("/change-email",{method:"POST",query:j.z.object({currentURL:j.z.string().optional()}).optional(),body:j.z.object({newEmail:j.z.string().email(),callbackURL:j.z.string().optional()}),use:[A]},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new x.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new x.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new x.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let n=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:n,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new x.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await se(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification(e.context.session.user,e.body.newEmail,o,r),e.json({user:null,status:!0})});var Bo=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>
6
6
  <meta charset="UTF-8">
@@ -80,6 +80,6 @@ Error: `,A),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)
80
80
  <div class="error-code">Error Code: <span id="errorCode">${e}</span></div>
81
81
  </div>
82
82
  </body>
83
- </html>`,Bo=u("/error",{method:"GET",metadata:pe},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(zo(t),{headers:{"Content-Type":"text/html"}})});var Do=u("/ok",{method:"GET",metadata:pe},async e=>e.json({ok:!0}));var xo=require("zod");var Lo=require("better-call");var Ee=require("zod");var ht=require("better-call");var jo=u("/list-accounts",{method:"GET",use:[b]},async e=>{let t=e.context.session,r=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(r)}),No=u("/link-social",{method:"POST",requireHeaders:!0,query:Ee.z.object({currentURL:Ee.z.string().optional()}).optional(),body:Ee.z.object({callbackURL:Ee.z.string().optional(),provider:Ee.z.enum(Xe)}),use:[b]},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new ht.APIError("BAD_REQUEST",{message:"Social Account is already linked."});let n=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!n)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new ht.APIError("NOT_FOUND",{message:"Provider not found"});let i=await ke(e,{userId:t.user.id,email:t.user.email}),a=await n.createAuthorizationURL({state:i.state,codeVerifier:i.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${n.id}`});return e.json({url:a.toString(),redirect:!0})});var Ar=(e,t)=>{let r={};for(let[o,n]of Object.entries(e))r[o]=i=>n({...i,context:{...t,...i.context}}),r[o].path=n.path,r[o].method=n.method,r[o].options=n.options,r[o].headers=n.headers;return r};var Re=class extends Error{path;constructor(t,r){super(t),this.path=r}},rt=class{constructor(t){this.s=t;this.statements=t}statements;newRole(t){return new ot(t)}},ot=class e{statements;constructor(t){this.statements=t}authorize(t,r){for(let[o,n]of Object.entries(t)){let i=this.statements[o];if(!i)return{success:!1,error:`You are not allowed to access resource: ${o}`};let a=r==="OR"?n.some(s=>i.includes(s)):n.every(s=>i.includes(s));return a?{success:a}:{success:!1,error:`unauthorized to access resource "${o}"`}}return{success:!1,error:"Not authorized"}}static fromString(t){let r=JSON.parse(t);if(typeof r!="object")throw new Re("statements is not an object",".");for(let[o,n]of Object.entries(r)){if(typeof o!="string")throw new Re("invalid resource identifier",o);if(!Array.isArray(n))throw new Re("actions is not an array",o);for(let i=0;i<n.length;i++)if(typeof n[i]!="string")throw new Re("action is not a string",`${o}[${i}]`)}return new e(r)}toString(){return JSON.stringify(this.statements)}};var Fo=e=>new 
rt(e),Vo={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},wt=Fo(Vo),qo=wt.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),Mo=wt.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),$o=wt.newRole({organization:[],member:[],invitation:[]}),kr={admin:qo,owner:Mo,member:$o};var P=(e,t)=>{let r=e.adapter;return{findOrganizationBySlug:async o=>await r.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let n=await r.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),i=await r.create({model:"member",data:{id:z(),organizationId:n.id,userId:o.user.id,createdAt:new Date,email:o.user.email,role:t?.creatorRole||"owner"}});return{...n,metadata:n.metadata?JSON.parse(n.metadata):void 0,members:[{...i,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let n=await r.findOne({model:"member",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},findMemberByOrgId:async o=>{let[n,i]=await Promise.all([await r.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:o.userId}]})]);return!i||!n?null:{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}},findMemberById:async o=>{let n=await r.findOne({model:"member",where:[{field:"id",value:o}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return 
i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},createMember:async o=>await r.create({model:"member",data:o}),updateMember:async(o,n)=>await r.update({model:"member",where:[{field:"id",value:o}],update:{role:n}}),deleteMember:async o=>await r.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,n)=>await r.update({model:"organization",where:[{field:"id",value:o}],update:n}),deleteOrganization:async o=>(await r.delete({model:"member",where:[{field:"organizationId",value:o}]}),await r.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await r.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,n)=>await r.update({model:e.tables.session.tableName,where:[{field:"id",value:o}],update:{activeOrganizationId:n}}),findOrganizationById:async o=>await r.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async(o,n)=>{let[i,a,s]=await Promise.all([r.findOne({model:"organization",where:[{field:"id",value:o}]}),r.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),r.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!i)return null;let d=s.map(m=>m.userId),c=await r.findMany({model:e.tables.user.tableName,where:[{field:"id",value:d,operator:"in"}]}),l=new Map(c.map(m=>[m.id,m])),p=s.map(m=>{let f=l.get(m.userId);if(!f)throw new G("Unexpected error: User not found for member");return{...m,user:{id:f.id,name:f.name,email:f.email,image:f.image}}});return{...i,invitations:a,members:p}},listOrganizations:async o=>{let n=await r.findMany({model:"member",where:[{field:"userId",value:o}]});if(!n||n.length===0)return[];let i=n.map(s=>s.organizationId);return await r.findMany({model:"organization",where:[{field:"id",value:i,operator:"in"}]})},createInvitation:async({invitation:o,user:n})=>{let a=C(t?.invitationExpiresIn||1728e5);return await 
r.create({model:"invitation",data:{id:z(),email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:n.id}})},findInvitationById:async o=>await r.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await r.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(i=>new Date(i.expiresAt)>new Date),updateInvitation:async o=>await r.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};var hd=require("better-call");var yt=require("better-call");var Or=require("better-call");var Qo=S(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,n=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL,a=t?.redirectTo,s=r?.currentURL,d=o.trustedOrigins,c=e.headers?.has("cookie"),l=(p,m)=>{if(!d.some(k=>p?.startsWith(k)||p?.startsWith("/")&&m!=="origin"))throw y.error(`Invalid ${m}: ${p}`),y.info(`If it's a valid URL, please add ${p} to trustedOrigins in your auth config
84
- `,`Current list of trustedOrigins: ${d}`),new Or.APIError("FORBIDDEN",{message:`Invalid ${m}`})};c&&!e.context.options.advanced?.disableCSRFCheck&&l(n,"origin"),i&&l(i,"callbackURL"),a&&l(a,"redirectURL"),s&&l(s,"currentURL")});var E=require("better-call");var B=S(async e=>({})),L=S({use:[b]},async e=>({session:e.context.session}));var F=require("zod");var R=require("zod"),nt=R.z.enum(["admin","member","owner"]),Ho=R.z.enum(["pending","accepted","rejected","canceled"]).default("pending"),Ad=R.z.object({id:R.z.string(),name:R.z.string(),slug:R.z.string(),logo:R.z.string().optional(),metadata:R.z.record(R.z.string()).or(R.z.string().transform(e=>JSON.parse(e))).optional(),createdAt:R.z.date()}),kd=R.z.object({id:R.z.string(),email:R.z.string(),organizationId:R.z.string(),userId:R.z.string(),role:nt,createdAt:R.z.date()}),Od=R.z.object({id:R.z.string(),organizationId:R.z.string(),email:R.z.string(),role:nt,status:Ho,inviterId:R.z.string(),expiresAt:R.z.date()});var U=require("better-call"),vr=u("/organization/invite-member",{method:"POST",use:[B,L],body:F.z.object({email:F.z.string(),role:nt,organizationId:F.z.string().optional(),resend:F.z.boolean().optional()})},async e=>{if(!e.context.orgOptions.sendInvitationEmail)throw y.warn("Invitation email is not enabled. 
Pass `sendInvitationEmail` to the plugin options to enable it."),new U.APIError("BAD_REQUEST",{message:"Invitation email is not enabled"});let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)throw new U.APIError("BAD_REQUEST",{message:"Organization not found"});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new U.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new U.APIError("BAD_REQUEST",{message:"Role not found!"});if(i.authorize({invitation:["create"]}).error)throw new U.APIError("FORBIDDEN",{message:"You are not allowed to invite members"});if(await o.findMemberByEmail({email:e.body.email,organizationId:r}))throw new U.APIError("BAD_REQUEST",{message:"User is already a member of this organization"});if((await o.findPendingInvitation({email:e.body.email,organizationId:r})).length&&!e.body.resend)throw new U.APIError("BAD_REQUEST",{message:"User is already invited to this organization"});let c=await o.createInvitation({invitation:{role:e.body.role,email:e.body.email,organizationId:r},user:t.user}),l=await o.findOrganizationById(r);if(!l)throw new U.APIError("BAD_REQUEST",{message:"Organization not found"});return await e.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:t.user}},e.request),e.json(c)}),Er=u("/organization/accept-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new U.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new U.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),i=await 
r.createMember({id:z(),organizationId:o.organizationId,userId:t.user.id,email:o.email,role:o.role,createdAt:new Date});return await r.setActiveOrganization(t.session.id,o.organizationId),n?e.json({invitation:n,member:i}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),Rr=u("/organization/reject-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new U.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new U.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:n,member:null})}),Ir=u("/organization/cancel-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,L]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o)throw new U.APIError("BAD_REQUEST",{message:"Invitation not found!"});let n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!n)throw new U.APIError("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[n.role].authorize({invitation:["cancel"]}).error)throw new U.APIError("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await r.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),Ur=u("/organization/get-invitation",{method:"GET",use:[B],requireHeaders:!0,query:F.z.object({id:F.z.string()})},async e=>{let t=await D(e);if(!t)throw new U.APIError("UNAUTHORIZED",{message:"Not authenticated"});let r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new 
U.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new U.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.findOrganizationById(o.organizationId);if(!n)throw new U.APIError("BAD_REQUEST",{message:"Organization not found"});let i=await r.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!i)throw new U.APIError("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:n.name,organizationSlug:n.slug,inviterEmail:i.email})});var se=require("zod");var Ie=require("better-call"),Tr=u("/organization/remove-member",{method:"POST",body:se.z.object({memberIdOrEmail:se.z.string(),organizationId:se.z.string().optional()}),use:[B,L]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new Ie.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new Ie.APIError("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||n.id===e.body.memberIdOrEmail;if(a&&n.role===(e.context.orgOptions?.creatorRole||"owner"))throw new Ie.APIError("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||i.authorize({member:["delete"]}).success))throw new Ie.APIError("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let c=null;if(e.body.memberIdOrEmail.includes("@")?c=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:r}):c=await o.findMemberById(e.body.memberIdOrEmail),c?.organizationId!==r)throw new Ie.APIError("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(c.id),t.user.id===c.userId&&t.session.activeOrganizationId===c.organizationId&&await 
o.setActiveOrganization(t.session.id,null),e.json({member:c})}),Sr=u("/organization/update-member-role",{method:"POST",body:se.z.object({role:se.z.enum(["admin","member","owner"]),memberId:se.z.string(),organizationId:se.z.string().optional()}),use:[B,L]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"Member not found!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({member:["update"]}).error||e.body.role==="owner"&&n.role!=="owner")return e.json(null,{body:{message:"You are not allowed to update this member"},status:403});let s=await o.updateMember(e.body.memberId,e.body.role);return s?e.json(s):e.json(null,{status:400,body:{message:"Member not found!"}})});var T=require("zod");var ae=require("better-call"),Pr=u("/organization/create",{method:"POST",body:T.z.object({name:T.z.string(),slug:T.z.string(),userId:T.z.string().optional(),logo:T.z.string().optional(),metadata:T.z.record(T.z.string()).optional()}),use:[B,L]},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let r=e.context.orgOptions;if(!(typeof r?.allowUserToCreateOrganization=="function"?await r.allowUserToCreateOrganization(t):r?.allowUserToCreateOrganization===void 0?!0:r.allowUserToCreateOrganization))throw new ae.APIError("FORBIDDEN",{message:"You are not allowed to create an organization"});let n=P(e.context,r),i=await n.listOrganizations(t.id);if(typeof r.organizationLimit=="number"?i.length>=r.organizationLimit:typeof r.organizationLimit=="function"?await r.organizationLimit(t):!1)throw new ae.APIError("FORBIDDEN",{message:"You have reached the organization limit"});if(await 
n.findOrganizationBySlug(e.body.slug))throw new ae.APIError("BAD_REQUEST",{message:"Organization with this slug already exists"});let d=await n.createOrganization({organization:{id:z(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return e.json(d)}),_r=u("/organization/update",{method:"POST",body:T.z.object({data:T.z.object({name:T.z.string().optional(),slug:T.z.string().optional()}).partial(),orgId:T.z.string().optional()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)throw new ae.APIError("UNAUTHORIZED",{message:"User not found"});let r=e.body.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(r,e.body.data);return e.json(s)}),Cr=u("/organization/delete",{method:"POST",body:T.z.object({orgId:T.z.string()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let r=e.body.orgId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["delete"]}).error)throw new ae.APIError("FORBIDDEN",{message:"You are not allowed 
to delete this organization"});return r===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.id,null),await o.deleteOrganization(r),e.json(r)}),zr=u("/organization/get-full",{method:"GET",query:T.z.optional(T.z.object({orgId:T.z.string().optional()})),requireHeaders:!0,use:[B,L]},async e=>{let t=e.context.session,r=e.query?.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:200});let n=await P(e.context,e.context.orgOptions).findFullOrganization(r,e.context.db||void 0);if(!n)throw new ae.APIError("BAD_REQUEST",{message:"Organization not found"});return e.json(n)}),Br=u("/organization/activate",{method:"POST",body:T.z.object({orgId:T.z.string().nullable().optional()}),use:[L,B]},async e=>{let t=P(e.context,e.context.orgOptions),r=e.context.session,o=e.body.orgId;if(o===null)return r.session.activeOrganizationId&&await t.setActiveOrganization(r.session.id,null),e.json(null);if(!o){let a=r.session.activeOrganizationId;if(!a)return e.json(null);o=a}if(!await t.findMemberByOrgId({userId:r.user.id,organizationId:o}))throw await t.setActiveOrganization(r.session.id,null),new ae.APIError("FORBIDDEN",{message:"You are not a member of this organization"});await t.setActiveOrganization(r.session.id,o);let i=await t.findFullOrganization(o,e.context.db||void 0);return e.json(i)}),Dr=u("/organization/list",{method:"GET",use:[B,L]},async e=>{let r=await P(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(r)});var Wo=e=>{let t={createOrganization:Pr,updateOrganization:_r,deleteOrganization:Cr,setActiveOrganization:Br,getFullOrganization:zr,listOrganization:Dr,createInvitation:vr,cancelInvitation:Ir,acceptInvitation:Er,getInvitation:Ur,rejectInvitation:Rr,removeMember:Tr,updateMemberRole:Sr},r={...kr,...e?.roles};return{id:"organization",endpoints:{...Ar(t,{orgOptions:e||{},roles:r,getSession:async n=>await 
D(n)}),hasPermission:u("/organization/has-permission",{method:"POST",requireHeaders:!0,body:Ue.z.object({permission:Ue.z.record(Ue.z.string(),Ue.z.array(Ue.z.string()))}),use:[L]},async n=>{if(!n.context.session.session.activeOrganizationId)throw new bt.APIError("BAD_REQUEST",{message:"No active organization"});let a=await P(n.context).findMemberByOrgId({userId:n.context.session.user.id,organizationId:n.context.session.session.activeOrganizationId||""});if(!a)throw new bt.APIError("UNAUTHORIZED",{message:"You are not a member of this organization"});let d=r[a.role].authorize(n.body.permission);return d.error?n.json({error:d.error,success:!1},{status:403}):n.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1}}},organization:{fields:{name:{type:"string",required:!0},slug:{type:"string",unique:!0},logo:{type:"string",required:!1},createdAt:{type:"date",required:!0},metadata:{type:"string",required:!1}}},member:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},userId:{type:"string",required:!0},email:{type:"string",required:!0},role:{type:"string",required:!0,defaultValue:"member"},createdAt:{type:"date",required:!0}}},invitation:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},email:{type:"string",required:!0},role:{type:"string",required:!1},status:{type:"string",required:!0,defaultValue:"pending"},expiresAt:{type:"date",required:!0},inviterId:{type:"string",references:{model:"user",field:"id"},required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};var At=xt(require("uncrypto"),1);function Go(e){return e.toString(2).padStart(8,"0")}function Ko(e){return[...e].map(t=>Go(t)).join("")}function xr(e){return parseInt(Ko(e),2)}function Jo(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new 
Uint8Array(Math.ceil(t/8));At.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let n=xr(o);for(;n>=e;)At.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),n=xr(o);return n}function V(e,t){let r="";for(let o=0;o<e;o++)r+=t[Jo(t.length)];return r}function q(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var Ve=require("zod");var Ot=require("@noble/ciphers/chacha"),Te=require("@noble/ciphers/utils"),vt=require("@noble/ciphers/webcrypto"),Et=require("oslo/crypto"),kt=xt(require("uncrypto"),1);var Lr=require("oslo/encoding");var Zo=require("@noble/hashes/scrypt"),Yo=require("uncrypto");async function ge(e,t){let r=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},n=await kt.default.subtle.importKey("raw",r.encode(e),o,!1,["sign","verify"]),i=await kt.default.subtle.sign(o.name,n,r.encode(t));return btoa(String.fromCharCode(...new Uint8Array(i)))}var Se=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,Te.utf8ToBytes)(t),n=(0,vt.managedNonce)(Ot.xchacha20poly1305)(new Uint8Array(r));return(0,Te.bytesToHex)(n.encrypt(o))},Pe=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,Te.hexToBytes)(t),n=(0,vt.managedNonce)(Ot.xchacha20poly1305)(new Uint8Array(r));return new TextDecoder().decode(n.decrypt(o))};var J=require("zod");var oe=require("better-call");var it="two_factor";var st="trust_device";var Rt=require("zod");var he=S({body:Rt.z.object({trustDevice:Rt.z.boolean().optional()})},async e=>{let t=await D(e);if(!t){let r=e.context.createAuthCookie(it),o=await e.getSignedCookie(r.name,e.context.secret);if(!o)throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let[n,i]=o.split("!");if(!n||!i)throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let a=await 
e.context.adapter.findMany({model:e.context.tables.session.tableName,where:[{field:"userId",value:n}]});if(!a.length)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});let s=a.filter(d=>d.expiresAt>new Date);if(!s)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});for(let d of s){let c=await ge(e.context.secret,d.id),l=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"id",value:d.userId}]});if(!l)throw new oe.APIError("UNAUTHORIZED",{message:"invalid session"});if(c===i)return{valid:async()=>{if(await w(e,{session:d,user:l},!1),e.body.trustDevice){let p=e.context.createAuthCookie(st,{maxAge:2592e3}),m=await ge(e.context.secret,`${l.id}!${d.id}`);await e.setSignedCookie(p.name,`${m}!${d.id}`,e.context.secret,p.attributes)}return e.json({session:d,user:l})},invalid:async()=>{throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:d.id,userId:d.userId,expiresAt:d.expiresAt,user:l}}}throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"})}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new oe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});var _e=require("better-call");function Xo(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>V(e?.length??10,q("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function It(e,t){let r=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():Xo(),n=await Se({data:JSON.stringify(o),key:r});return{backupCodes:o,encryptedBackupCodes:n}}async function en(e,t){let r=await jr(e.backupCodes,t);return r?r.includes(e.code):!1}async function jr(e,t){let r=Buffer.from(await Pe({key:t,data:e})).toString("utf-8"),o=JSON.parse(r),n=J.z.array(J.z.string()).safeParse(o);return n.success?n.data:null}var 
Nr=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:u("/two-factor/verify-backup-code",{method:"POST",body:J.z.object({code:J.z.string(),disableSession:J.z.boolean().optional()}),use:[he]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});if(!en({backupCodes:n.backupCodes,code:r.body.code},r.context.secret))throw new _e.APIError("BAD_REQUEST",{message:"Invalid backup code"});return r.body.disableSession||await w(r,{session:r.context.session,user:o}),r.json({user:o,session:r.context.session})}),generateBackupCodes:u("/two-factor/generate-backup-codes",{method:"POST",body:J.z.object({password:J.z.string()}),use:[b]},async r=>{let o=r.context.session.user;if(!o.twoFactorEnabled)throw new _e.APIError("BAD_REQUEST",{message:"Two factor isn't enabled"});await r.context.password.checkPassword(o.id,r);let n=await It(r.context.secret,e);return await r.context.adapter.update({model:t,update:{backupCodes:n.encryptedBackupCodes},where:[{field:"userId",value:r.context.session.user.id}]}),r.json({status:!0,backupCodes:n.backupCodes})}),viewBackupCodes:u("/view/backup-codes",{method:"GET",body:J.z.object({password:J.z.string()}),use:[b]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});await r.context.password.checkPassword(o.id,r);let i=jr(n.backupCodes,r.context.secret);if(!i)throw new _e.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});return r.json({status:!0,backupCodes:i})})}});var je=require("better-call"),Fr=require("oslo/otp"),Ut=require("zod");var Vr=require("oslo"),qr=(e,t)=>{let r={...e,period:new Vr.TimeSpan(e?.period||3,"m")},o=new Fr.TOTPController({digits:6,period:r.period}),n=u("/two-factor/send-otp",{method:"POST",use:[he]},async 
a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new je.APIError("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new je.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});let c=await o.generate(Buffer.from(d.secret));return await e.sendOTP(s,c),a.json({status:!0})}),i=u("/two-factor/verify-otp",{method:"POST",body:Ut.z.object({code:Ut.z.string()}),use:[he]},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new je.APIError("BAD_REQUEST",{message:"two factor isn't enabled"});let d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new je.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(d.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{send2FaOTP:n,verifyOTP:i}}};var we=require("better-call"),Mr=require("oslo"),Fe=require("oslo/otp"),Ne=require("zod");var $r=(e,t)=>{let r={...e,digits:6,period:new Mr.TimeSpan(e?.period||30,"s")},o=u("/totp/generate",{method:"POST",use:[b]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Fe.TOTPController(r).generate(Buffer.from(d.secret))}}),n=u("/two-factor/get-totp-uri",{method:"POST",use:[b],body:Ne.z.object({password:Ne.z.string()})},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. 
please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d||!s.twoFactorEnabled)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:(0,Fe.createTOTPKeyURI)(e?.issuer||"BetterAuth",s.email,Buffer.from(d.secret),r)}}),i=u("/two-factor/verify-totp",{method:"POST",body:Ne.z.object({code:Ne.z.string()}),use:[he]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new we.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new we.APIError("BAD_REQUEST",{message:"totp isn't enabled"});let c=new Fe.TOTPController(r),l=await Pe({key:a.context.secret,data:d.secret}),p=Buffer.from(l);if(!await c.verify(a.body.code,p))return a.context.invalid();if(!s.twoFactorEnabled){let f=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),k=await a.context.internalAdapter.createSession(s.id,a.request);await w(a,{session:k,user:f})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,viewTOTPURI:n,verifyTOTP:i}}};var tn=require("better-call");async function Tt(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),n=o?.password;return!o||!n?!1:await e.context.password.verify(n,t.password)}var St=require("better-call"),Qr=require("oslo/otp"),Hr=require("oslo");var 
rn=(e={redirect:!0,twoFactorPage:"/"})=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&(e.redirect||e.twoFactorPage)&&typeof window<"u"&&(window.location.href=e.twoFactorPage)}}}]});var on=e=>{let t={twoFactorTable:e?.twoFactorTable||"twoFactor"},r=$r({issuer:e?.issuer||"better-auth",...e?.totpOptions},t.twoFactorTable),o=Nr({...e?.backupCodeOptions},t.twoFactorTable),n=qr({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...r.endpoints,...n.endpoints,...o.endpoints,enableTwoFactor:u("/two-factor/enable",{method:"POST",body:Ve.z.object({password:Ve.z.string().min(8)}),use:[b]},async i=>{let a=i.context.session.user,{password:s}=i.body;if(!await Tt(i,{password:s,userId:a.id}))throw new St.APIError("BAD_REQUEST",{message:"Invalid password"});let c=V(16,q("a-z","0-9","-")),l=await Se({key:i.context.secret,data:c}),p=await It(i.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let f=await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),k=await i.context.internalAdapter.createSession(f.id,i.request);await w(i,{session:k,user:a})}await i.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await i.context.adapter.create({model:t.twoFactorTable,data:{id:i.context.uuid(),secret:l,backupCodes:p.encryptedBackupCodes,userId:a.id}});let m=(0,Qr.createTOTPKeyURI)(e?.issuer||"BetterAuth",a.email,Buffer.from(c),{digits:e?.totpOptions?.digits||6,period:new Hr.TimeSpan(e?.totpOptions?.period||30,"s")});return i.json({totpURI:m,backupCodes:p.backupCodes})}),disableTwoFactor:u("/two-factor/disable",{method:"POST",body:Ve.z.object({password:Ve.z.string().min(8)}),use:[b]},async 
i=>{let a=i.context.session.user,{password:s}=i.body;if(!await Tt(i,{password:s,userId:a.id}))throw new St.APIError("BAD_REQUEST",{message:"Invalid password"});return await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await i.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),i.json({status:!0})})},options:e,hooks:{after:[{matcher(i){return i.path==="/sign-in/email"||i.path==="/sign-in/username"},handler:S(async i=>{let a=i.context.returned;if(a?.status!==200)return;let s=await a.clone().json();if(!s.user.twoFactorEnabled)return;let d=i.context.createAuthCookie(st,{maxAge:30*24*60*60}),c=await i.getSignedCookie(d.name,i.context.secret);if(c){let[f,k]=c.split("!"),A=await ge(i.context.secret,`${s.user.id}!${k}`);if(f===A){let h=await ge(i.context.secret,`${s.user.id}!${s.session.id}`);await i.setSignedCookie(d.name,`${h}!${s.session.id}`,i.context.secret,d.attributes);return}}te(i);let l=await ge(i.context.secret,s.session.id),p=i.context.createAuthCookie(it,{maxAge:60*60*24});return await i.setSignedCookie(p.name,`${s.session.userId}!${l}`,i.context.secret,p.attributes),{response:new Response(JSON.stringify({twoFactorRedirect:!0}),{headers:i.responseHeader})}})}]},schema:{user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{tableName:t.twoFactorTable,fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}},rateLimit:[{pathMatcher(i){return i.startsWith("/two-factor/")},window:10,max:3}]}};var de=require("@simplewebauthn/server"),H=require("better-call");var Z=require("zod");var Ce=require("@simplewebauthn/browser");var sn=require("@better-fetch/fetch");var nu=require("nanostores");var Hc=require("@better-fetch/fetch");var nn=require("nanostores");var Gc=require("@better-fetch/fetch"),at=require("nanostores"),Pt=(e,t,r,o)=>{let 
n=(0,at.atom)({data:null,error:null,isPending:!0,isRefetching:!1}),i=()=>{let s=typeof o=="function"?o({data:n.get().data,error:n.get().error,isPending:n.get().isPending}):o;return r(t,{...s,onSuccess:async d=>{n.set({data:d.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(d)},async onError(d){n.set({error:d.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(d)},async onRequest(d){let c=n.get();n.set({isPending:c.data===null,data:c.data,error:null,isRefetching:!0}),await s?.onRequest?.(d)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?i():(0,at.onMount)(n,()=>(i(),a=!0,()=>{n.off(),s.off()}))});return n};var Wr=require("nanostores"),Gr=(e,{_listPasskeys:t})=>({signIn:{passkey:async(n,i)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:n?.email}});if(!a.data)return a;try{let s=await(0,Ce.startAuthentication)(a.data,n?.autoFill||!1),d=await e("/passkey/verify-authentication",{body:{response:s},...n?.fetchOptions,...i,method:"POST"});if(!d.data)return d}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(n,i)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await(0,Ce.startRegistration)(a.data),d=await e("/passkey/verify-registration",{...n?.fetchOptions,...i,body:{response:s,name:n?.name},method:"POST"});if(!d.data)return d;t.set(Math.random())}catch(s){return s instanceof Ce.WebAuthnError?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown 
error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),an=()=>{let e=(0,Wr.atom)();return{id:"passkey",$InferServerPlugin:{},getActions:t=>Gr(t,{_listPasskeys:e}),getAtoms(t){return{listPasskeys:Pt(e,"/passkey/list-user-passkeys",t,{method:"GET"}),_listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var dn=e=>{let t=Ge.BETTER_AUTH_URL,r=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!r)throw new G("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:r,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},n=new Date(Date.now()+1e3*60*5),i=new Date,a=Math.floor((n.getTime()-i.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:u("/passkey/generate-register-options",{method:"GET",use:[b],metadata:{client:!1}},async s=>{let d=s.context.session,c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),l=new Uint8Array(Buffer.from(V(32,q("a-z","0-9")))),p;p=await(0,de.generateRegistrationOptions)({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:l,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await 
s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify({expectedChallenge:p.challenge,userData:{id:d.user.id}}),expiresAt:n}),s.json(p,{status:200})}),generatePasskeyAuthenticationOptions:u("/passkey/generate-authenticate-options",{method:"POST",body:Z.z.object({email:Z.z.string().optional()}).optional()},async s=>{let d=await D(s),c=[];d&&(c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let l=await(0,de.generateAuthenticationOptions)({rpID:o.rpID,userVerification:"preferred",...c.length?{allowCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")}))}:{}}),p={expectedChallenge:l.challenge,userData:{id:d?.user.id||""}},m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify(p),expiresAt:n}),s.json(l,{status:200})}),verifyPasskeyRegistration:u("/passkey/verify-registration",{method:"POST",body:Z.z.object({response:Z.z.any(),name:Z.z.string().optional()}),use:[b]},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)return s.json(null,{status:400});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)return s.json(null,{status:400});let{expectedChallenge:m,userData:f}=JSON.parse(p.value);if(f.id!==s.context.session.user.id)throw new H.APIError("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let k=await(0,de.verifyRegistrationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:A,registrationInfo:h}=k;if(!A||!h)return 
s.json(null,{status:400});let{credentialID:_,credentialPublicKey:be,counter:W,credentialDeviceType:Qe,credentialBackedUp:Ae}=h,ue=Buffer.from(be).toString("base64"),ut=z(),eo={name:s.body.name,userId:f.id,webauthnUserID:ut,id:_,publicKey:ue,counter:W,deviceType:Qe,transports:c.response.transports.join(","),backedUp:Ae,createdAt:new Date},to=await s.context.adapter.create({model:"passkey",data:eo});return s.json(to,{status:200})}catch(k){throw console.log(k),new H.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:u("/passkey/verify-authentication",{method:"POST",body:Z.z.object({response:Z.z.any()})},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)throw new H.APIError("BAD_REQUEST",{message:"origin missing"});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:m}=JSON.parse(p.value),f=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:c.id}]});if(!f)throw new H.APIError("UNAUTHORIZED",{message:"Passkey not found"});try{let k=await(0,de.verifyAuthenticationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:f.id,credentialPublicKey:new Uint8Array(Buffer.from(f.publicKey,"base64")),counter:f.counter,transports:f.transports?.split(",")}}),{verified:A}=k;if(!A)throw new H.APIError("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:f.id}],update:{counter:k.authenticationInfo.newCounter}});let h=await s.context.internalAdapter.createSession(f.userId,s.request);if(!h)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let _=await 
s.context.internalAdapter.findUserById(f.userId);if(!_)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"User not found"});return await w(s,{session:h,user:_}),s.json({session:h},{status:200})}catch(k){throw s.context.logger.error(k),new H.APIError("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:u("/passkey/list-user-passkeys",{method:"GET",use:[b]},async s=>{let d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(d,{status:200})}),deletePasskey:u("/passkey/delete-passkey",{method:"POST",body:Z.z.object({id:Z.z.string()}),use:[b]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:{passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}}}};var qe=require("zod");var Me=require("better-call"),_t=()=>({id:"username",endpoints:{signInUsername:u("/sign-in/username",{method:"POST",body:qe.z.object({username:qe.z.string(),password:qe.z.string(),dontRememberMe:qe.z.boolean().optional()})},async e=>{let t=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:_t}),new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let r=await 
e.context.adapter.findOne({model:e.context.tables.account.tableName,where:[{field:e.context.tables.account.fields.userId.fieldName||"userId",value:t.id},{field:e.context.tables.account.fields.providerId.fieldName||"providerId",value:"credential"}]});if(!r)throw new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let o=r?.password;if(!o)throw e.context.logger.error("Password not found",{username:_t}),new Me.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new Me.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let i=await e.context.internalAdapter.createSession(t.id,e.request);return i?(await e.setSignedCookie(e.context.authCookies.sessionToken.name,i.id,e.context.secret,e.body.dontRememberMe?{...e.context.authCookies.sessionToken.options,maxAge:void 0}:e.context.authCookies.sessionToken.options),e.json({user:t,session:i})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});var Kr=require("better-call"),cn=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let r="";return t.includes(".")?r=t:r=await(0,Kr.serializeSigned)("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),{context:e}}}]}});var ye=require("zod");var Ct=require("better-call");var 
un=e=>({id:"magic-link",endpoints:{signInMagicLink:u("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ye.z.object({email:ye.z.string().email(),callbackURL:ye.z.string().optional()})},async t=>{let{email:r}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(r))throw new Ct.APIError("BAD_REQUEST",{message:"User not found"});let o=V(32,q("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:r,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let n=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:r,url:n,token:o})}catch(i){throw t.context.logger.error("Failed to send magic link",i),new Ct.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:u("/magic-link/verify",{method:"GET",query:ye.z.object({token:ye.z.string(),callbackURL:ye.z.string().optional()}),requireHeaders:!0},async t=>{let{token:r,callbackURL:o}=t.query,n=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,i=await t.context.internalAdapter.findVerificationValue(r);if(!i)throw t.redirect(`${n}?error=INVALID_TOKEN`);if(i.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(i.id),t.redirect(`${n}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(i.id);let a=i.value,s=await t.context.internalAdapter.findUserByEmail(a),d=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${n}?error=USER_NOT_FOUND`);if(d=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!d)throw t.redirect(`${n}?error=USER_NOT_CREATED`)}let c=await t.context.internalAdapter.createSession(d,t.headers);if(!c)throw t.redirect(`${n}?error=SESSION_NOT_CREATED`);if(await w(t,{session:c,user:s?.user}),!o)return t.json({status:!0});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return 
t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});var ce=require("zod");var Y=require("better-call");function ln(e){return V(e,q("0-9"))}var pn=e=>{let t={phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt",expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6};return{id:"phone-number",endpoints:{sendPhoneNumberOTP:u("/phone-number/send-otp",{method:"POST",body:ce.z.object({phoneNumber:ce.z.string()})},async r=>{if(!e?.sendOTP)throw y.warn("sendOTP not implemented"),new Y.APIError("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});let o=ln(t.otpLength);return await r.context.internalAdapter.createVerificationValue({value:o,identifier:r.body.phoneNumber,expiresAt:C(t.expiresIn,"sec")}),await e.sendOTP(r.body.phoneNumber,o),r.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:u("/phone-number/verify",{method:"POST",body:ce.z.object({phoneNumber:ce.z.string(),code:ce.z.string(),disableSession:ce.z.boolean().optional(),updatePhoneNumber:ce.z.boolean().optional()})},async r=>{let o=await r.context.internalAdapter.findVerificationValue(r.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await r.context.internalAdapter.deleteVerificationValue(o.id),new Y.APIError("BAD_REQUEST",{message:"OTP expired"})):new Y.APIError("BAD_REQUEST",{message:"OTP not found"});if(o.value!==r.body.code)throw new Y.APIError("BAD_REQUEST",{message:"Invalid OTP"});if(await r.context.internalAdapter.deleteVerificationValue(o.id),r.body.updatePhoneNumber){let i=await D(r);if(!i)throw new Y.APIError("UNAUTHORIZED",{message:"Session not found"});let a=await r.context.internalAdapter.updateUser(i.user.id,{[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0});return r.json({user:a,session:i.session})}let n=await 
r.context.adapter.findOne({model:r.context.tables.user.tableName,where:[{value:r.body.phoneNumber,field:t.phoneNumber}]});if(n)n=await r.context.internalAdapter.updateUser(n.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(n=await r.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(r.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(r.body.phoneNumber):r.body.phoneNumber,[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0}),!n)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else throw new Y.APIError("BAD_REQUEST",{message:"Phone number not found"});if(!n)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!r.body.disableSession){let i=await r.context.internalAdapter.createSession(n.id,r.request);if(!i)throw new Y.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(r,{session:i,user:n}),r.json({user:n,session:i})}return r.json({user:n,session:null})})},schema:{user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}}}};var dt=require("zod");var mn=e=>({id:"anonymous",endpoints:{signInAnonymous:u("/sign-in/anonymous",{method:"POST"},async t=>{let{emailDomainName:r=Je(t.context.baseURL)}=e||{},o=z(),n=`temp-${o}@${r}`,i=await t.context.internalAdapter.createUser({id:o,email:n,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!i)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(i.id,t.request);return a?(await w(t,{session:a,user:i}),t.json({user:i,session:a})):t.json(null,{status:400,body:{message:"Could not create 
session"}})}),linkAccount:u("/anonymous/link-account",{method:"POST",body:dt.z.object({email:dt.z.string().email().optional(),password:dt.z.string().min(6)}),use:[b]},async t=>{let r=t.context.session.user.id,{email:o,password:n}=t.body,i=null;if(o&&n&&(i=await t.context.internalAdapter.updateUser(r,{email:o,isAnonymous:!1})),!i)return t.json(null,{status:500,body:{message:"Failed to update user",status:500}});let a=await t.context.password.hash(n);if(!await t.context.internalAdapter.linkAccount({userId:i.id,providerId:"credential",password:a,accountId:i.id}))return t.json(null,{status:500,body:{message:"Failed to update account",status:500}});let d=await t.context.internalAdapter.createSession(i.id,t.request);return d?(await w(t,{session:d,user:i}),t.json({session:d,user:i})):t.json(null,{status:400,body:{message:"Could not create session"}})})},schema:{user:{fields:{isAnonymous:{type:"boolean",required:!1}}}}});var g=require("zod");var K=S(async e=>{let t=await D(e);if(!t?.session)throw new E.APIError("UNAUTHORIZED");let r=t.user;if(r.role!=="admin")throw new E.APIError("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:r,session:t.session}}}),fn=e=>({id:"admin",init(t){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let o=await t.internalAdapter.findUserById(r.userId);if(o.banned){if(o.banExpires&&o.banExpires<Date.now()){await t.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(t){return t.path==="/list-sessions"},handler:S(async t=>{let r=t.context.returned;if(r){let n=(await r.json()).filter(a=>!a.impersonatedBy),i=new Response(JSON.stringify(n),{status:200,statusText:"OK",headers:r.headers});return 
t.json({response:i})}})}]},endpoints:{setRole:u("/admin/set-role",{method:"POST",body:g.z.object({userId:g.z.string(),role:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{role:t.body.role});return t.json({user:r})}),createUser:u("/admin/create-user",{method:"POST",body:g.z.object({email:g.z.string(),password:g.z.string(),name:g.z.string(),role:g.z.string(),data:g.z.optional(g.z.record(g.z.any()))}),use:[K]},async t=>{if(await t.context.internalAdapter.findUserByEmail(t.body.email))throw new E.APIError("BAD_REQUEST",{message:"User already exists"});let o=await t.context.internalAdapter.createUser({email:t.body.email,name:t.body.name,role:t.body.role,...t.body.data});if(!o)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let n=await t.context.password.hash(t.body.password);return await t.context.internalAdapter.linkAccount({accountId:o.id,providerId:"credential",password:n,userId:o.id}),t.json({user:o})}),listUsers:u("/admin/list-users",{method:"GET",use:[K],query:g.z.object({search:g.z.object({field:g.z.enum(["email","name"]),operator:g.z.enum(["contains","starts_with","ends_with"]).default("contains"),value:g.z.string()}).optional(),limit:g.z.string().or(g.z.number()).optional(),offset:g.z.string().or(g.z.number()).optional(),sortBy:g.z.string().optional(),sortDirection:g.z.enum(["asc","desc"]).optional(),filter:g.z.array(g.z.object({field:g.z.string(),value:g.z.string().or(g.z.number()).or(g.z.boolean()),operator:g.z.enum(["eq","ne","lt","lte","gt","gte"]),connector:g.z.enum(["AND","OR"]).optional()})).optional()})},async t=>{let r=[];t.query?.search&&r.push({field:t.query.search.field,operator:t.query.search.operator,value:t.query.search.value}),t.query?.filter&&r.push(...t.query.filter||[]);let o=await t.context.internalAdapter.listUsers(Number(t.query?.limit)||void 0,Number(t.query?.offset)||void 0,t.query?.sortBy?{field:t.query.sortBy,direction:t.query.sortDirection||"asc"}:void 
0,r.length?r:void 0);return t.json({users:o})}),listUserSessions:u("/admin/list-user-sessions",{method:"POST",use:[K],body:g.z.object({userId:g.z.string()})},async t=>({sessions:await t.context.internalAdapter.listSessions(t.body.userId)})),unbanUser:u("/admin/unban-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!1});return t.json({user:r})}),banUser:u("/admin/ban-user",{method:"POST",body:g.z.object({userId:g.z.string(),banReason:g.z.string().optional(),banExpiresIn:g.z.number().optional()}),use:[K]},async t=>{if(t.body.userId===t.context.session.user.id)throw new E.APIError("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!0,banReason:t.body.banReason||e?.defaultBanReason||"No reason",banExpires:t.body.banExpiresIn?C(t.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?C(e.defaultBanExpiresIn,"sec"):void 0});return await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({user:r})}),impersonateUser:u("/admin/impersonate-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>{let r=await t.context.internalAdapter.findUserById(t.body.userId);if(!r)throw new E.APIError("NOT_FOUND",{message:"User not found"});let o=await t.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:t.context.session.user.id,expiresAt:e?.impersonationSessionDuration?C(e.impersonationSessionDuration,"sec"):C(60*60,"sec")});if(!o)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(t,{session:o,user:r},!0),t.json({session:o,user:r})}),revokeUserSession:u("/admin/revoke-user-session",{method:"POST",body:g.z.object({sessionId:g.z.string()}),use:[K]},async t=>(await 
t.context.internalAdapter.deleteSession(t.body.sessionId),t.json({success:!0}))),revokeUserSessions:u("/admin/revoke-user-sessions",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({success:!0}))),removeUser:u("/admin/remove-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[K]},async t=>(await t.context.internalAdapter.deleteUser(t.body.userId),t.json({success:!0})))},schema:{user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}}});var X=require("zod"),ze=require("better-call");var ct=require("@better-fetch/fetch");var Jr=require("oslo/jwt");async function gn(e,t,r){if(t==="oidc"&&e.idToken){let n=(0,Jr.parseJWT)(e.idToken);if(n?.payload)return n.payload}return r?(await(0,ct.betterFetch)(r,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}})).data:null}var hn=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:u("/sign-in/oauth2",{method:"POST",query:X.z.object({currentURL:X.z.string().optional()}).optional(),body:X.z.object({providerId:X.z.string(),callbackURL:X.z.string().optional()})},async t=>{let{providerId:r}=t.body,o=e.config.find(ue=>ue.providerId===r);if(!o)throw new ze.APIError("BAD_REQUEST",{message:`No config found for provider ${r}`});let{discoveryUrl:n,authorizationUrl:i,tokenUrl:a,clientId:s,clientSecret:d,scopes:c,redirectURI:l,responseType:p,pkce:m,prompt:f,accessType:k}=o,A=i,h=a;if(n){let ue=await(0,ct.betterFetch)(n,{onError(ut){y.error(ut.error,{discoveryUrl:n})}});ue.data&&(A=ue.data.authorization_endpoint,h=ue.data.token_endpoint)}if(!A||!h)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let _=t.query?.currentURL?new 
URL(t.query?.currentURL):null,be=t.body.callbackURL?.startsWith("http")?t.body.callbackURL:`${_?.origin}${t.body.callbackURL||""}`,{state:W,codeVerifier:Qe}=await ke(t),Ae=await I({id:r,options:{clientId:s,clientSecret:d,redirectURI:l},authorizationEndpoint:A,state:W,codeVerifier:Qe,scopes:c||[],disablePkce:!m,redirectURI:`${t.context.baseURL}/oauth2/callback/${r}`});return p&&p!=="code"&&Ae.searchParams.set("response_type",p),f&&Ae.searchParams.set("prompt",f),k&&Ae.searchParams.set("access_type",k),t.json({url:Ae.toString(),redirect:!0})}),oAuth2Callback:u("/oauth2/callback/:providerId",{method:"GET",query:X.z.object({code:X.z.string().optional(),error:X.z.string().optional(),state:X.z.string()})},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let r=e.config.find(h=>h.providerId===t.params.providerId);if(!r)throw new ze.APIError("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,n=await Ye(t),{callbackURL:i,codeVerifier:a,errorURL:s}=n,d=t.query.code,c=r.tokenUrl,l=r.userInfoUrl;if(r.discoveryUrl){let h=await(0,ct.betterFetch)(r.discoveryUrl,{method:"GET"});h.data&&(c=h.data.token_endpoint,l=h.data.userinfo_endpoint)}try{if(!c)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await v({code:d,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${r.providerId}`,options:{clientId:r.clientId,clientSecret:r.clientSecret},tokenEndpoint:c})}catch(h){throw t.context.logger.error(h),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new ze.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let p=r.getUserInfo?await r.getUserInfo(o):await gn(o,r.type||"oauth2",l),m=z(),f=p?tt.safeParse({...p,id:m}):null;if(!f?.success)throw t.redirect(`${s}?error=oauth_user_info_invalid`);let k=await t.context.internalAdapter.findUserByEmail(f.data.email,{includeAccounts:!0}).catch(h=>{throw 
y.error(`Better auth was unable to query your database.
85
- Error: `,h),t.redirect(`${s}?error=internal_server_error`)}),A=k?.user.id||m;if(k){let h=k.accounts.find(W=>W.providerId===r.providerId),_=t.context.options.account?.accountLinking?.trustedProviders,be=_?_.includes(r.providerId):!0;if(!h&&(!f?.data.emailVerified||!be)){let W;try{W=new URL(s),W.searchParams.set("error","account_not_linked")}catch{throw t.redirect(`${s}?error=account_not_linked`)}throw t.redirect(W.toString())}if(h)await t.context.internalAdapter.updateAccount(h.id,{accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt});else try{await t.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:f.data.id,id:`${r.providerId}:${f.data.id}`,userId:k.user.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch(W){throw console.log(W),t.redirect(`${s}?error=failed_linking_account`)}}else try{await t.context.internalAdapter.createOAuthUser(f.data,{id:`${r.providerId}:${f.data.id}`,providerId:r.providerId,accountId:f.data.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch{let _=new URL(s);throw _.searchParams.set("error","unable_to_create_user"),t.setHeader("Location",_.toString()),t.redirect(_.toString())}try{let h=await t.context.internalAdapter.createSession(A||m,t.request);if(!h)throw t.redirect(`${s}?error=unable_to_create_session`);await w(t,{session:h,user:f.data})}catch{throw t.redirect(`${s}?error=unable_to_create_session`)}throw t.redirect(i)})}});var Be=require("zod"),Zr={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},cl=Be.z.object({id:Be.z.string(),publicKey:Be.z.string(),privateKey:Be.z.string(),createdAt:Be.z.date()});var zt=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await 
e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});var ne=require("jose");var wn=e=>({id:"jwt",endpoints:{getJwks:u("/jwks",{method:"GET"},async t=>{let o=await zt(t.context.adapter).getAllKeys();return t.json({keys:o.map(n=>({...JSON.parse(n.publicKey),kid:n.id}))})}),getToken:u("/token",{method:"GET",requireHeaders:!0,use:[b]},async t=>{let r=zt(t.context.adapter),o=await r.getLatestKey(),n=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:c,privateKey:l}=await(0,ne.generateKeyPair)(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),p=await(0,ne.exportJWK)(c),m=await(0,ne.exportJWK)(l),f=JSON.stringify(m),k={id:crypto.randomUUID(),publicKey:JSON.stringify(p),privateKey:n?JSON.stringify(await Se({key:t.context.options.secret,data:f})):f,createdAt:new Date};o=await r.createJwk(k)}let i=n?await Pe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await(0,ne.importJWK)(JSON.parse(i)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new ne.SignJWT({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:Zr});var $e=require("zod");var yn=e=>{let t={maximumSessions:5,...e},r=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:u("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let n=o.headers?.get("cookie");if(!n)return o.json([]);let i=Object.fromEntries(Ke(n)),a=(await 
Promise.all(Object.entries(i).filter(([c])=>r(c)).map(async([c])=>await o.getSignedCookie(c,o.context.secret)))).filter(c=>c!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(c=>c&&c.session.expiresAt>new Date).filter((c,l,p)=>l===p.findIndex(m=>m.user.id===c.user.id));return Object.entries(i).filter(([c])=>r(c)).forEach(([c,l])=>{d.some(p=>p.session.id===l)||o.setCookie(c,"",{...o.context.authCookies.sessionToken.options,maxAge:0})}),o.json(d)}),setActiveSession:u("/multi-session/set-active",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);if(!s||s.session.expiresAt<new Date)throw o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});return await o.setSignedCookie(o.context.authCookies.sessionToken.name,n,o.context.secret,o.context.authCookies.sessionToken.options),o.json(s)}),revokeDeviceSession:u("/multi-session/revoke",{method:"POST",body:$e.z.object({sessionId:$e.z.string()}),requireHeaders:!0,use:[b]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new E.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);return o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),s?(await o.context.internalAdapter.deleteSession(n),o.json({success:!0})):o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:S(async o=>{if(!o.context.returned||!(o.context.returned instanceof Response))return;let n=o.context.returned.headers.get("set-cookie");if(!n)return;let 
i=jt(n),a=o.context.authCookies.sessionToken,s=i.get(a.name)?.value;if(!s)return;let d=Ke(o.headers?.get("cookie")||""),c=s.split(".")[0],l=`${a.name}_multi-${c}`;if(i.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(r).length+(n.includes("session_token")?1:0)>t.maximumSessions)return;await o.setSignedCookie(l,c,o.context.secret,a.options);let m=o.context.returned;return m.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:m}})},{matcher:o=>o.path==="/sign-out",handler:S(async o=>{let n=o.headers?.get("cookie");if(!n)return;let i=Object.fromEntries(Ke(n));await Promise.all(Object.entries(i).map(async([s,d])=>{if(r(s)){o.setCookie(s,"",{maxAge:0});let c=s.split("_multi-")[1];await o.context.internalAdapter.deleteSession(c)}}));let a=o.context.returned;return a?.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:a}})}]}}};var ee=require("zod");var bn=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:u("/email-otp/send-verification-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),type:ee.z.enum(["email-verification","sign-in"])})},async r=>{if(!e?.sendVerificationOTP)throw y.error("send email verification is not implemented"),new E.APIError("BAD_REQUEST",{message:"send email verification is not implemented"});let o=r.body.email,n=V(t.otpLength,q("0-9"));return await r.context.internalAdapter.createVerificationValue({value:n,identifier:`${r.body.type}-otp-${o}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:r.body.type}),r.json({success:!0})}),verifyEmailOTP:u("/email-otp/verify-email",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let 
i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return r.json({user:s})}),signInEmailOTP:u("/sign-in/email-otp",{method:"POST",body:ee.z.object({email:ee.z.string(),otp:ee.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});let i=r.body.otp;if(n.value!==i)throw new E.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new E.APIError("BAD_REQUEST",{message:"User not found"});let d=await r.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),c=await r.context.internalAdapter.createSession(d.id,r.request);return await w(r,{session:c,user:d}),r.json({user:d,session:c})}let s=await r.context.internalAdapter.createSession(a.user.id,r.request);return await w(r,{session:s,user:a.user}),r.json({session:s,user:a})})},hooks:{after:[{matcher(r){return!!(r.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(r){let o=r.context.returned;if(o?.status!==200)return;let n=await o.clone().json();if(n.user.email&&n.user.emailVerified===!1){let i=V(t.otpLength,q("0-9"));await r.context.internalAdapter.createVerificationValue({value:i,identifier:`email-verification-otp-${n.user.email}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:n.user.email,otp:i,type:"email-verification"})}}}]}}};var Bt=require("zod");var Xr=require("@better-fetch/fetch");function 
Yr(e){return e==="true"||e===!0}var An=e=>({id:"one-tap",endpoints:{oneTapCallback:u("/one-tap/callback",{method:"POST",body:Bt.z.object({idToken:Bt.z.string()})},async t=>{let{idToken:r}=t.body,{data:o,error:n}=await(0,Xr.betterFetch)("https://oauth2.googleapis.com/tokeninfo?id_token="+r);if(n)return t.json({error:"Invalid token"});let i=await t.context.internalAdapter.findUserByEmail(o.email);if(!i){if(e?.disableSignup)throw new E.APIError("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:Yr(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await w(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(i.user.id,t.request);return await w(t,{user:i.user,session:a}),t.json({session:a,user:i})})}});0&&(module.exports={HIDE_METADATA,admin,adminMiddleware,anonymous,bearer,createAuthEndpoint,createAuthMiddleware,emailOTP,genericOAuth,getPasskeyActions,jwt,magicLink,multiSession,oneTap,optionsMiddleware,organization,passkey,passkeyClient,phoneNumber,twoFactor,twoFactorClient,username});
83
+ </html>`,Lo=u("/error",{method:"GET",metadata:ge},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(Bo(t),{headers:{"Content-Type":"text/html"}})});var xo=u("/ok",{method:"GET",metadata:ge},async e=>e.json({ok:!0}));var Do=require("zod");var jo=require("better-call");var Ie=require("zod");var wt=require("better-call");var No=u("/list-accounts",{method:"GET",use:[A]},async e=>{let t=e.context.session,r=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(r)}),Fo=u("/link-social",{method:"POST",requireHeaders:!0,query:Ie.z.object({currentURL:Ie.z.string().optional()}).optional(),body:Ie.z.object({callbackURL:Ie.z.string().optional(),provider:Ie.z.enum(Xe)}),use:[A]},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new wt.APIError("BAD_REQUEST",{message:"Social Account is already linked."});let n=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!n)throw e.context.logger.error("Provider not found. 
Make sure to add the provider in your auth config",{provider:e.body.provider}),new wt.APIError("NOT_FOUND",{message:"Provider not found"});let i=await ve(e,{userId:t.user.id,email:t.user.email}),a=await n.createAuthorizationURL({state:i.state,codeVerifier:i.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${n.id}`});return e.json({url:a.toString(),redirect:!0})});var kr=(e,t)=>{let r={};for(let[o,n]of Object.entries(e))r[o]=i=>n({...i,context:{...t,...i.context}}),r[o].path=n.path,r[o].method=n.method,r[o].options=n.options,r[o].headers=n.headers;return r};var Te=class extends Error{path;constructor(t,r){super(t),this.path=r}},rt=class{constructor(t){this.s=t;this.statements=t}statements;newRole(t){return new ot(t)}},ot=class e{statements;constructor(t){this.statements=t}authorize(t,r){for(let[o,n]of Object.entries(t)){let i=this.statements[o];if(!i)return{success:!1,error:`You are not allowed to access resource: ${o}`};let a=r==="OR"?n.some(s=>i.includes(s)):n.every(s=>i.includes(s));return a?{success:a}:{success:!1,error:`unauthorized to access resource "${o}"`}}return{success:!1,error:"Not authorized"}}static fromString(t){let r=JSON.parse(t);if(typeof r!="object")throw new Te("statements is not an object",".");for(let[o,n]of Object.entries(r)){if(typeof o!="string")throw new Te("invalid resource identifier",o);if(!Array.isArray(n))throw new Te("actions is not an array",o);for(let i=0;i<n.length;i++)if(typeof n[i]!="string")throw new Te("action is not a string",`${o}[${i}]`)}return new e(r)}toString(){return JSON.stringify(this.statements)}};var Vo=e=>new 
rt(e),qo={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},yt=Vo(qo),Mo=yt.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),$o=yt.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),Qo=yt.newRole({organization:[],member:[],invitation:[]}),Or={admin:Mo,owner:$o,member:Qo};var P=(e,t)=>{let r=e.adapter;return{findOrganizationBySlug:async o=>await r.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let n=await r.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),i=await r.create({model:"member",data:{id:z(),organizationId:n.id,userId:o.user.id,createdAt:new Date,email:o.user.email,role:t?.creatorRole||"owner"}});return{...n,metadata:n.metadata?JSON.parse(n.metadata):void 0,members:[{...i,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let n=await r.findOne({model:"member",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},findMemberByOrgId:async o=>{let[n,i]=await Promise.all([await r.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:o.userId}]})]);return!i||!n?null:{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}},findMemberById:async o=>{let n=await r.findOne({model:"member",where:[{field:"id",value:o}]});if(!n)return null;let i=await r.findOne({model:e.tables.user.tableName,where:[{field:"id",value:n.userId}]});return 
i?{...n,user:{id:i.id,name:i.name,email:i.email,image:i.image}}:null},createMember:async o=>await r.create({model:"member",data:o}),updateMember:async(o,n)=>await r.update({model:"member",where:[{field:"id",value:o}],update:{role:n}}),deleteMember:async o=>await r.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,n)=>await r.update({model:"organization",where:[{field:"id",value:o}],update:n}),deleteOrganization:async o=>(await r.delete({model:"member",where:[{field:"organizationId",value:o}]}),await r.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await r.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,n)=>await r.update({model:e.tables.session.tableName,where:[{field:"id",value:o}],update:{activeOrganizationId:n}}),findOrganizationById:async o=>await r.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async(o,n)=>{let[i,a,s]=await Promise.all([r.findOne({model:"organization",where:[{field:"id",value:o}]}),r.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),r.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!i)return null;let d=s.map(m=>m.userId),c=await r.findMany({model:e.tables.user.tableName,where:[{field:"id",value:d,operator:"in"}]}),l=new Map(c.map(m=>[m.id,m])),p=s.map(m=>{let f=l.get(m.userId);if(!f)throw new G("Unexpected error: User not found for member");return{...m,user:{id:f.id,name:f.name,email:f.email,image:f.image}}});return{...i,invitations:a,members:p}},listOrganizations:async o=>{let n=await r.findMany({model:"member",where:[{field:"userId",value:o}]});if(!n||n.length===0)return[];let i=n.map(s=>s.organizationId);return await r.findMany({model:"organization",where:[{field:"id",value:i,operator:"in"}]})},createInvitation:async({invitation:o,user:n})=>{let a=C(t?.invitationExpiresIn||1728e5);return await 
r.create({model:"invitation",data:{id:z(),email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:n.id}})},findInvitationById:async o=>await r.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await r.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(i=>new Date(i.expiresAt)>new Date),updateInvitation:async o=>await r.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};var bd=require("better-call");var bt=require("better-call");var Rr=require("better-call");var Ho=T(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,n=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL||r?.callbackURL,a=t?.redirectTo,s=r?.currentURL,d=o.trustedOrigins,c=e.headers?.has("cookie"),l=(m,f)=>f.includes("*")?new RegExp("^"+f.replace(/\*/g,"[^/]+").replace(/\./g,"\\.")+"$").test(m):m.startsWith(f),p=(m,f)=>{if(!m)return;if(!d.some(b=>l(m,b)||m?.startsWith("/")&&f!=="origin"&&!m.includes(":")))throw y.error(`Invalid ${f}: ${m}`),y.info(`If it's a valid URL, please add ${m} to trustedOrigins in your auth config
84
+ `,`Current list of trustedOrigins: ${d}`),new Rr.APIError("FORBIDDEN",{message:`Invalid ${f}`})};c&&!e.context.options.advanced?.disableCSRFCheck&&p(n,"origin"),i&&p(i,"callbackURL"),a&&p(a,"redirectURL"),s&&p(s,"currentURL")});var v=require("better-call");var B=T(async e=>({})),D=T({use:[A]},async e=>({session:e.context.session}));var F=require("zod");var E=require("zod"),nt=E.z.enum(["admin","member","owner"]),Wo=E.z.enum(["pending","accepted","rejected","canceled"]).default("pending"),Rd=E.z.object({id:E.z.string(),name:E.z.string(),slug:E.z.string(),logo:E.z.string().optional(),metadata:E.z.record(E.z.string()).or(E.z.string().transform(e=>JSON.parse(e))).optional(),createdAt:E.z.date()}),vd=E.z.object({id:E.z.string(),email:E.z.string(),organizationId:E.z.string(),userId:E.z.string(),role:nt,createdAt:E.z.date()}),Ed=E.z.object({id:E.z.string(),organizationId:E.z.string(),email:E.z.string(),role:nt,status:Wo,inviterId:E.z.string(),expiresAt:E.z.date()});var I=require("better-call"),vr=u("/organization/invite-member",{method:"POST",use:[B,D],body:F.z.object({email:F.z.string(),role:nt,organizationId:F.z.string().optional(),resend:F.z.boolean().optional()})},async e=>{if(!e.context.orgOptions.sendInvitationEmail)throw y.warn("Invitation email is not enabled. 
Pass `sendInvitationEmail` to the plugin options to enable it."),new I.APIError("BAD_REQUEST",{message:"Invitation email is not enabled"});let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)throw new I.APIError("BAD_REQUEST",{message:"Organization not found"});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new I.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new I.APIError("BAD_REQUEST",{message:"Role not found!"});if(i.authorize({invitation:["create"]}).error)throw new I.APIError("FORBIDDEN",{message:"You are not allowed to invite members"});if(await o.findMemberByEmail({email:e.body.email,organizationId:r}))throw new I.APIError("BAD_REQUEST",{message:"User is already a member of this organization"});if((await o.findPendingInvitation({email:e.body.email,organizationId:r})).length&&!e.body.resend)throw new I.APIError("BAD_REQUEST",{message:"User is already invited to this organization"});let c=await o.createInvitation({invitation:{role:e.body.role,email:e.body.email,organizationId:r},user:t.user}),l=await o.findOrganizationById(r);if(!l)throw new I.APIError("BAD_REQUEST",{message:"Organization not found"});return await e.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:t.user}},e.request),e.json(c)}),Er=u("/organization/accept-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,D]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new I.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new I.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),i=await 
r.createMember({id:z(),organizationId:o.organizationId,userId:t.user.id,email:o.email,role:o.role,createdAt:new Date});return await r.setActiveOrganization(t.session.id,o.organizationId),n?e.json({invitation:n,member:i}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),Ur=u("/organization/reject-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,D]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new I.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new I.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:n,member:null})}),Ir=u("/organization/cancel-invitation",{method:"POST",body:F.z.object({invitationId:F.z.string()}),use:[B,D]},async e=>{let t=e.context.session,r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.body.invitationId);if(!o)throw new I.APIError("BAD_REQUEST",{message:"Invitation not found!"});let n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!n)throw new I.APIError("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[n.role].authorize({invitation:["cancel"]}).error)throw new I.APIError("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await r.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),Tr=u("/organization/get-invitation",{method:"GET",use:[B],requireHeaders:!0,query:F.z.object({id:F.z.string()})},async e=>{let t=await L(e);if(!t)throw new I.APIError("UNAUTHORIZED",{message:"Not authenticated"});let r=P(e.context,e.context.orgOptions),o=await r.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new 
I.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new I.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let n=await r.findOrganizationById(o.organizationId);if(!n)throw new I.APIError("BAD_REQUEST",{message:"Organization not found"});let i=await r.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!i)throw new I.APIError("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:n.name,organizationSlug:n.slug,inviterEmail:i.email})});var ae=require("zod");var Se=require("better-call"),Sr=u("/organization/remove-member",{method:"POST",body:ae.z.object({memberIdOrEmail:ae.z.string(),organizationId:ae.z.string().optional()}),use:[B,D]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)throw new Se.APIError("BAD_REQUEST",{message:"Member not found!"});let i=e.context.roles[n.role];if(!i)throw new Se.APIError("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||n.id===e.body.memberIdOrEmail;if(a&&n.role===(e.context.orgOptions?.creatorRole||"owner"))throw new Se.APIError("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||i.authorize({member:["delete"]}).success))throw new Se.APIError("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let c=null;if(e.body.memberIdOrEmail.includes("@")?c=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:r}):c=await o.findMemberById(e.body.memberIdOrEmail),c?.organizationId!==r)throw new Se.APIError("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(c.id),t.user.id===c.userId&&t.session.activeOrganizationId===c.organizationId&&await 
o.setActiveOrganization(t.session.id,null),e.json({member:c})}),Pr=u("/organization/update-member-role",{method:"POST",body:ae.z.object({role:ae.z.enum(["admin","member","owner"]),memberId:ae.z.string(),organizationId:ae.z.string().optional()}),use:[B,D]},async e=>{let t=e.context.session,r=e.body.organizationId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"Member not found!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({member:["update"]}).error||e.body.role==="owner"&&n.role!=="owner")return e.json(null,{body:{message:"You are not allowed to update this member"},status:403});let s=await o.updateMember(e.body.memberId,e.body.role);return s?e.json(s):e.json(null,{status:400,body:{message:"Member not found!"}})});var S=require("zod");var de=require("better-call"),_r=u("/organization/create",{method:"POST",body:S.z.object({name:S.z.string(),slug:S.z.string(),userId:S.z.string().optional(),logo:S.z.string().optional(),metadata:S.z.record(S.z.string()).optional()}),use:[B,D]},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let r=e.context.orgOptions;if(!(typeof r?.allowUserToCreateOrganization=="function"?await r.allowUserToCreateOrganization(t):r?.allowUserToCreateOrganization===void 0?!0:r.allowUserToCreateOrganization))throw new de.APIError("FORBIDDEN",{message:"You are not allowed to create an organization"});let n=P(e.context,r),i=await n.listOrganizations(t.id);if(typeof r.organizationLimit=="number"?i.length>=r.organizationLimit:typeof r.organizationLimit=="function"?await r.organizationLimit(t):!1)throw new de.APIError("FORBIDDEN",{message:"You have reached the organization limit"});if(await 
n.findOrganizationBySlug(e.body.slug))throw new de.APIError("BAD_REQUEST",{message:"Organization with this slug already exists"});let d=await n.createOrganization({organization:{id:z(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return e.json(d)}),Cr=u("/organization/update",{method:"POST",body:S.z.object({data:S.z.object({name:S.z.string().optional(),slug:S.z.string().optional()}).partial(),orgId:S.z.string().optional()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)throw new de.APIError("UNAUTHORIZED",{message:"User not found"});let r=e.body.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(r,e.body.data);return e.json(s)}),zr=u("/organization/delete",{method:"POST",body:S.z.object({orgId:S.z.string()}),requireHeaders:!0,use:[B]},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let r=e.body.orgId;if(!r)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=P(e.context,e.context.orgOptions),n=await o.findMemberByOrgId({userId:t.user.id,organizationId:r});if(!n)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let i=e.context.roles[n.role];if(!i)return e.json(null,{status:400,body:{message:"Role not found!"}});if(i.authorize({organization:["delete"]}).error)throw new de.APIError("FORBIDDEN",{message:"You are not allowed 
to delete this organization"});return r===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.id,null),await o.deleteOrganization(r),e.json(r)}),Br=u("/organization/get-full",{method:"GET",query:S.z.optional(S.z.object({orgId:S.z.string().optional()})),requireHeaders:!0,use:[B,D]},async e=>{let t=e.context.session,r=e.query?.orgId||t.session.activeOrganizationId;if(!r)return e.json(null,{status:200});let n=await P(e.context,e.context.orgOptions).findFullOrganization(r,e.context.db||void 0);if(!n)throw new de.APIError("BAD_REQUEST",{message:"Organization not found"});return e.json(n)}),Lr=u("/organization/activate",{method:"POST",body:S.z.object({orgId:S.z.string().nullable().optional()}),use:[D,B]},async e=>{let t=P(e.context,e.context.orgOptions),r=e.context.session,o=e.body.orgId;if(o===null)return r.session.activeOrganizationId&&await t.setActiveOrganization(r.session.id,null),e.json(null);if(!o){let a=r.session.activeOrganizationId;if(!a)return e.json(null);o=a}if(!await t.findMemberByOrgId({userId:r.user.id,organizationId:o}))throw await t.setActiveOrganization(r.session.id,null),new de.APIError("FORBIDDEN",{message:"You are not a member of this organization"});await t.setActiveOrganization(r.session.id,o);let i=await t.findFullOrganization(o,e.context.db||void 0);return e.json(i)}),xr=u("/organization/list",{method:"GET",use:[B,D]},async e=>{let r=await P(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(r)});var Go=e=>{let t={createOrganization:_r,updateOrganization:Cr,deleteOrganization:zr,setActiveOrganization:Lr,getFullOrganization:Br,listOrganization:xr,createInvitation:vr,cancelInvitation:Ir,acceptInvitation:Er,getInvitation:Tr,rejectInvitation:Ur,removeMember:Sr,updateMemberRole:Pr},r={...Or,...e?.roles};return{id:"organization",endpoints:{...kr(t,{orgOptions:e||{},roles:r,getSession:async n=>await 
L(n)}),hasPermission:u("/organization/has-permission",{method:"POST",requireHeaders:!0,body:Pe.z.object({permission:Pe.z.record(Pe.z.string(),Pe.z.array(Pe.z.string()))}),use:[D]},async n=>{if(!n.context.session.session.activeOrganizationId)throw new At.APIError("BAD_REQUEST",{message:"No active organization"});let a=await P(n.context).findMemberByOrgId({userId:n.context.session.user.id,organizationId:n.context.session.session.activeOrganizationId||""});if(!a)throw new At.APIError("UNAUTHORIZED",{message:"You are not a member of this organization"});let d=r[a.role].authorize(n.body.permission);return d.error?n.json({error:d.error,success:!1},{status:403}):n.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1}}},organization:{fields:{name:{type:"string",required:!0},slug:{type:"string",unique:!0},logo:{type:"string",required:!1},createdAt:{type:"date",required:!0},metadata:{type:"string",required:!1}}},member:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},userId:{type:"string",required:!0},email:{type:"string",required:!0},role:{type:"string",required:!0,defaultValue:"member"},createdAt:{type:"date",required:!0}}},invitation:{fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"}},email:{type:"string",required:!0},role:{type:"string",required:!1},status:{type:"string",required:!0,defaultValue:"pending"},expiresAt:{type:"date",required:!0},inviterId:{type:"string",references:{model:"user",field:"id"},required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};var kt=Dt(require("uncrypto"),1);function Ko(e){return e.toString(2).padStart(8,"0")}function Jo(e){return[...e].map(t=>Ko(t)).join("")}function Dr(e){return parseInt(Jo(e),2)}function Zo(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new 
Uint8Array(Math.ceil(t/8));kt.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let n=Dr(o);for(;n>=e;)kt.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),n=Dr(o);return n}function V(e,t){let r="";for(let o=0;o<e;o++)r+=t[Zo(t.length)];return r}function q(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var qe=require("zod");var Rt=require("@noble/ciphers/chacha"),_e=require("@noble/ciphers/utils"),vt=require("@noble/ciphers/webcrypto"),Et=require("oslo/crypto"),Ot=Dt(require("uncrypto"),1);var jr=require("oslo/encoding");var Yo=require("@noble/hashes/scrypt"),Xo=require("uncrypto");async function ye(e,t){let r=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},n=await Ot.default.subtle.importKey("raw",r.encode(e),o,!1,["sign","verify"]),i=await Ot.default.subtle.sign(o.name,n,r.encode(t));return btoa(String.fromCharCode(...new Uint8Array(i)))}var ce=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,_e.utf8ToBytes)(t),n=(0,vt.managedNonce)(Rt.xchacha20poly1305)(new Uint8Array(r));return(0,_e.bytesToHex)(n.encrypt(o))},ue=async({key:e,data:t})=>{let r=await(0,Et.sha256)(new TextEncoder().encode(e)),o=(0,_e.hexToBytes)(t),n=(0,vt.managedNonce)(Rt.xchacha20poly1305)(new Uint8Array(r));return new TextDecoder().decode(n.decrypt(o))};var Z=require("zod");var ne=require("better-call");var it="two_factor";var st="trust_device";var Ut=require("zod");var be=T({body:Ut.z.object({trustDevice:Ut.z.boolean().optional()})},async e=>{let t=await L(e);if(!t){let r=e.context.createAuthCookie(it),o=await e.getSignedCookie(r.name,e.context.secret);if(!o)throw new ne.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let[n,i]=o.split("!");if(!n||!i)throw new ne.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let a=await 
e.context.adapter.findMany({model:e.context.tables.session.tableName,where:[{field:"userId",value:n}]});if(!a.length)throw new ne.APIError("UNAUTHORIZED",{message:"invalid session"});let s=a.filter(d=>d.expiresAt>new Date);if(!s)throw new ne.APIError("UNAUTHORIZED",{message:"invalid session"});for(let d of s){let c=await ye(e.context.secret,d.id),l=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"id",value:d.userId}]});if(!l)throw new ne.APIError("UNAUTHORIZED",{message:"invalid session"});if(c===i)return{valid:async()=>{if(await w(e,{session:d,user:l},!1),e.body.trustDevice){let p=e.context.createAuthCookie(st,{maxAge:2592e3}),m=await ye(e.context.secret,`${l.id}!${d.id}`);await e.setSignedCookie(p.name,`${m}!${d.id}`,e.context.secret,p.attributes)}return e.json({session:d,user:l})},invalid:async()=>{throw new ne.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:d.id,userId:d.userId,expiresAt:d.expiresAt,user:l}}}throw new ne.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"})}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new ne.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});var Ce=require("better-call");function en(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>V(e?.length??10,q("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function It(e,t){let r=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():en(),n=await ce({data:JSON.stringify(o),key:r});return{backupCodes:o,encryptedBackupCodes:n}}async function tn(e,t){let r=await Nr(e.backupCodes,t);return r?r.includes(e.code):!1}async function Nr(e,t){let r=Buffer.from(await ue({key:t,data:e})).toString("utf-8"),o=JSON.parse(r),n=Z.z.array(Z.z.string()).safeParse(o);return n.success?n.data:null}var 
Fr=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:u("/two-factor/verify-backup-code",{method:"POST",body:Z.z.object({code:Z.z.string(),disableSession:Z.z.boolean().optional()}),use:[be]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new Ce.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});if(!tn({backupCodes:n.backupCodes,code:r.body.code},r.context.secret))throw new Ce.APIError("BAD_REQUEST",{message:"Invalid backup code"});return r.body.disableSession||await w(r,{session:r.context.session,user:o}),r.json({user:o,session:r.context.session})}),generateBackupCodes:u("/two-factor/generate-backup-codes",{method:"POST",body:Z.z.object({password:Z.z.string()}),use:[A]},async r=>{let o=r.context.session.user;if(!o.twoFactorEnabled)throw new Ce.APIError("BAD_REQUEST",{message:"Two factor isn't enabled"});await r.context.password.checkPassword(o.id,r);let n=await It(r.context.secret,e);return await r.context.adapter.update({model:t,update:{backupCodes:n.encryptedBackupCodes},where:[{field:"userId",value:r.context.session.user.id}]}),r.json({status:!0,backupCodes:n.backupCodes})}),viewBackupCodes:u("/view/backup-codes",{method:"GET",body:Z.z.object({password:Z.z.string()}),use:[A]},async r=>{let o=r.context.session.user,n=await r.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!n)throw new Ce.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});await r.context.password.checkPassword(o.id,r);let i=Nr(n.backupCodes,r.context.secret);if(!i)throw new Ce.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});return r.json({status:!0,backupCodes:i})})}});var Ne=require("better-call"),Vr=require("oslo/otp"),Tt=require("zod");var qr=require("oslo"),Mr=(e,t)=>{let r={...e,period:new qr.TimeSpan(e?.period||3,"m")},o=new Vr.TOTPController({digits:6,period:r.period}),n=u("/two-factor/send-otp",{method:"POST",use:[be]},async 
a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new Ne.APIError("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ne.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});let c=await o.generate(Buffer.from(d.secret));return await e.sendOTP(s,c),a.json({status:!0})}),i=u("/two-factor/verify-otp",{method:"POST",body:Tt.z.object({code:Tt.z.string()}),use:[be]},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new Ne.APIError("BAD_REQUEST",{message:"two factor isn't enabled"});let d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ne.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(d.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{send2FaOTP:n,verifyOTP:i}}};var Ae=require("better-call"),$r=require("oslo"),Ve=require("oslo/otp"),Fe=require("zod");var Qr=(e,t)=>{let r={...e,digits:6,period:new $r.TimeSpan(e?.period||30,"s")},o=u("/totp/generate",{method:"POST",use:[A]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ae.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ae.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Ve.TOTPController(r).generate(Buffer.from(d.secret))}}),n=u("/two-factor/get-totp-uri",{method:"POST",use:[A],body:Fe.z.object({password:Fe.z.string()})},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. 
please pass totp option on two factor plugin to enable totp"),new Ae.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d||!s.twoFactorEnabled)throw new Ae.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:(0,Ve.createTOTPKeyURI)(e?.issuer||"BetterAuth",s.email,Buffer.from(d.secret),r)}}),i=u("/two-factor/verify-totp",{method:"POST",body:Fe.z.object({code:Fe.z.string()}),use:[be]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ae.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ae.APIError("BAD_REQUEST",{message:"totp isn't enabled"});let c=new Ve.TOTPController(r),l=await ue({key:a.context.secret,data:d.secret}),p=Buffer.from(l);if(!await c.verify(a.body.code,p))return a.context.invalid();if(!s.twoFactorEnabled){let f=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),k=await a.context.internalAdapter.createSession(s.id,a.request);await w(a,{session:k,user:f})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,viewTOTPURI:n,verifyTOTP:i}}};var rn=require("better-call");async function St(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),n=o?.password;return!o||!n?!1:await e.context.password.verify(n,t.password)}var Pt=require("better-call"),Hr=require("oslo/otp"),Wr=require("oslo");var 
on=(e={redirect:!0,twoFactorPage:"/"})=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&(e.redirect||e.twoFactorPage)&&typeof window<"u"&&(window.location.href=e.twoFactorPage)}}}]});var nn=e=>{let t={twoFactorTable:e?.twoFactorTable||"twoFactor"},r=Qr({issuer:e?.issuer||"better-auth",...e?.totpOptions},t.twoFactorTable),o=Fr({...e?.backupCodeOptions},t.twoFactorTable),n=Mr({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...r.endpoints,...n.endpoints,...o.endpoints,enableTwoFactor:u("/two-factor/enable",{method:"POST",body:qe.z.object({password:qe.z.string().min(8)}),use:[A]},async i=>{let a=i.context.session.user,{password:s}=i.body;if(!await St(i,{password:s,userId:a.id}))throw new Pt.APIError("BAD_REQUEST",{message:"Invalid password"});let c=V(16,q("a-z","0-9","-")),l=await ce({key:i.context.secret,data:c}),p=await It(i.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let f=await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),k=await i.context.internalAdapter.createSession(f.id,i.request);await w(i,{session:k,user:a})}await i.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await i.context.adapter.create({model:t.twoFactorTable,data:{id:i.context.uuid(),secret:l,backupCodes:p.encryptedBackupCodes,userId:a.id}});let m=(0,Hr.createTOTPKeyURI)(e?.issuer||"BetterAuth",a.email,Buffer.from(c),{digits:e?.totpOptions?.digits||6,period:new Wr.TimeSpan(e?.totpOptions?.period||30,"s")});return i.json({totpURI:m,backupCodes:p.backupCodes})}),disableTwoFactor:u("/two-factor/disable",{method:"POST",body:qe.z.object({password:qe.z.string().min(8)}),use:[A]},async 
i=>{let a=i.context.session.user,{password:s}=i.body;if(!await St(i,{password:s,userId:a.id}))throw new Pt.APIError("BAD_REQUEST",{message:"Invalid password"});return await i.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await i.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),i.json({status:!0})})},options:e,hooks:{after:[{matcher(i){return i.path==="/sign-in/email"||i.path==="/sign-in/username"},handler:T(async i=>{let a=i.context.returned;if(a?.status!==200)return;let s=await a.clone().json();if(!s.user.twoFactorEnabled)return;let d=i.context.createAuthCookie(st,{maxAge:30*24*60*60}),c=await i.getSignedCookie(d.name,i.context.secret);if(c){let[f,k]=c.split("!"),b=await ye(i.context.secret,`${s.user.id}!${k}`);if(f===b){let h=await ye(i.context.secret,`${s.user.id}!${s.session.id}`);await i.setSignedCookie(d.name,`${h}!${s.session.id}`,i.context.secret,d.attributes);return}}re(i);let l=await ye(i.context.secret,s.session.id),p=i.context.createAuthCookie(it,{maxAge:60*60*24});return await i.setSignedCookie(p.name,`${s.session.userId}!${l}`,i.context.secret,p.attributes),{response:new Response(JSON.stringify({twoFactorRedirect:!0}),{headers:i.responseHeader})}})}]},schema:{user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{tableName:t.twoFactorTable,fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}},rateLimit:[{pathMatcher(i){return i.startsWith("/two-factor/")},window:10,max:3}]}};var le=require("@simplewebauthn/server"),H=require("better-call");var Y=require("zod");var ze=require("@simplewebauthn/browser");var an=require("@better-fetch/fetch");var au=require("nanostores");var Kc=require("@better-fetch/fetch");var sn=require("nanostores");var Zc=require("@better-fetch/fetch"),at=require("nanostores"),_t=(e,t,r,o)=>{let 
n=(0,at.atom)({data:null,error:null,isPending:!0,isRefetching:!1}),i=()=>{let s=typeof o=="function"?o({data:n.get().data,error:n.get().error,isPending:n.get().isPending}):o;return r(t,{...s,onSuccess:async d=>{n.set({data:d.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(d)},async onError(d){n.set({error:d.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(d)},async onRequest(d){let c=n.get();n.set({isPending:c.data===null,data:c.data,error:null,isRefetching:!0}),await s?.onRequest?.(d)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?i():(0,at.onMount)(n,()=>(i(),a=!0,()=>{n.off(),s.off()}))});return n};var Gr=require("nanostores"),Kr=(e,{_listPasskeys:t})=>({signIn:{passkey:async(n,i)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:n?.email}});if(!a.data)return a;try{let s=await(0,ze.startAuthentication)(a.data,n?.autoFill||!1),d=await e("/passkey/verify-authentication",{body:{response:s},...n?.fetchOptions,...i,method:"POST"});if(!d.data)return d}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(n,i)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await(0,ze.startRegistration)(a.data),d=await e("/passkey/verify-registration",{...n?.fetchOptions,...i,body:{response:s,name:n?.name},method:"POST"});if(!d.data)return d;t.set(Math.random())}catch(s){return s instanceof ze.WebAuthnError?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown 
error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),dn=()=>{let e=(0,Gr.atom)();return{id:"passkey",$InferServerPlugin:{},getActions:t=>Kr(t,{_listPasskeys:e}),getAtoms(t){return{listPasskeys:_t(e,"/passkey/list-user-passkeys",t,{method:"GET"}),_listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var cn=e=>{let t=K.BETTER_AUTH_URL,r=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!r)throw new G("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:r,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},n=new Date(Date.now()+1e3*60*5),i=new Date,a=Math.floor((n.getTime()-i.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:u("/passkey/generate-register-options",{method:"GET",use:[A],metadata:{client:!1}},async s=>{let d=s.context.session,c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),l=new Uint8Array(Buffer.from(V(32,q("a-z","0-9")))),p;p=await(0,le.generateRegistrationOptions)({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:l,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await 
s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify({expectedChallenge:p.challenge,userData:{id:d.user.id}}),expiresAt:n}),s.json(p,{status:200})}),generatePasskeyAuthenticationOptions:u("/passkey/generate-authenticate-options",{method:"POST",body:Y.z.object({email:Y.z.string().optional()}).optional()},async s=>{let d=await L(s),c=[];d&&(c=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let l=await(0,le.generateAuthenticationOptions)({rpID:o.rpID,userVerification:"preferred",...c.length?{allowCredentials:c.map(f=>({id:f.id,transports:f.transports?.split(",")}))}:{}}),p={expectedChallenge:l.challenge,userData:{id:d?.user.id||""}},m=z();return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,m,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:m,value:JSON.stringify(p),expiresAt:n}),s.json(l,{status:200})}),verifyPasskeyRegistration:u("/passkey/verify-registration",{method:"POST",body:Y.z.object({response:Y.z.any(),name:Y.z.string().optional()}),use:[A]},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)return s.json(null,{status:400});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)return s.json(null,{status:400});let{expectedChallenge:m,userData:f}=JSON.parse(p.value);if(f.id!==s.context.session.user.id)throw new H.APIError("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let k=await(0,le.verifyRegistrationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:b,registrationInfo:h}=k;if(!b||!h)return 
s.json(null,{status:400});let{credentialID:_,credentialPublicKey:Oe,counter:W,credentialDeviceType:He,credentialBackedUp:Re}=h,me=Buffer.from(Oe).toString("base64"),lt=z(),to={name:s.body.name,userId:f.id,webauthnUserID:lt,id:_,publicKey:me,counter:W,deviceType:He,transports:c.response.transports.join(","),backedUp:Re,createdAt:new Date},ro=await s.context.adapter.create({model:"passkey",data:to});return s.json(ro,{status:200})}catch(k){throw console.log(k),new H.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:u("/passkey/verify-authentication",{method:"POST",body:Y.z.object({response:Y.z.any()})},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)throw new H.APIError("BAD_REQUEST",{message:"origin missing"});let c=s.body.response,l=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!l)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let p=await s.context.internalAdapter.findVerificationValue(l);if(!p)throw new H.APIError("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:m}=JSON.parse(p.value),f=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:c.id}]});if(!f)throw new H.APIError("UNAUTHORIZED",{message:"Passkey not found"});try{let k=await(0,le.verifyAuthenticationResponse)({response:c,expectedChallenge:m,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:f.id,credentialPublicKey:new Uint8Array(Buffer.from(f.publicKey,"base64")),counter:f.counter,transports:f.transports?.split(",")}}),{verified:b}=k;if(!b)throw new H.APIError("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:f.id}],update:{counter:k.authenticationInfo.newCounter}});let h=await s.context.internalAdapter.createSession(f.userId,s.request);if(!h)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let _=await 
s.context.internalAdapter.findUserById(f.userId);if(!_)throw new H.APIError("INTERNAL_SERVER_ERROR",{message:"User not found"});return await w(s,{session:h,user:_}),s.json({session:h},{status:200})}catch(k){throw s.context.logger.error(k),new H.APIError("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:u("/passkey/list-user-passkeys",{method:"GET",use:[A]},async s=>{let d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(d,{status:200})}),deletePasskey:u("/passkey/delete-passkey",{method:"POST",body:Y.z.object({id:Y.z.string()}),use:[A]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:{passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}}}};var Me=require("zod");var $e=require("better-call"),Ct=()=>({id:"username",endpoints:{signInUsername:u("/sign-in/username",{method:"POST",body:Me.z.object({username:Me.z.string(),password:Me.z.string(),dontRememberMe:Me.z.boolean().optional()})},async e=>{let t=await e.context.adapter.findOne({model:e.context.tables.user.tableName,where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:Ct}),new $e.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let r=await 
e.context.adapter.findOne({model:e.context.tables.account.tableName,where:[{field:e.context.tables.account.fields.userId.fieldName||"userId",value:t.id},{field:e.context.tables.account.fields.providerId.fieldName||"providerId",value:"credential"}]});if(!r)throw new $e.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let o=r?.password;if(!o)throw e.context.logger.error("Password not found",{username:Ct}),new $e.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new $e.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let i=await e.context.internalAdapter.createSession(t.id,e.request);return i?(await e.setSignedCookie(e.context.authCookies.sessionToken.name,i.id,e.context.secret,e.body.dontRememberMe?{...e.context.authCookies.sessionToken.options,maxAge:void 0}:e.context.authCookies.sessionToken.options),e.json({user:t,session:i})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});var Jr=require("better-call"),un=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let r="";return t.includes(".")?r=t:r=await(0,Jr.serializeSigned)("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${r.replace("=","")}`),{context:e}}}]}});var ke=require("zod");var zt=require("better-call");var 
ln=e=>({id:"magic-link",endpoints:{signInMagicLink:u("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ke.z.object({email:ke.z.string().email(),callbackURL:ke.z.string().optional()})},async t=>{let{email:r}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(r))throw new zt.APIError("BAD_REQUEST",{message:"User not found"});let o=V(32,q("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:r,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let n=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:r,url:n,token:o})}catch(i){throw t.context.logger.error("Failed to send magic link",i),new zt.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:u("/magic-link/verify",{method:"GET",query:ke.z.object({token:ke.z.string(),callbackURL:ke.z.string().optional()}),requireHeaders:!0},async t=>{let{token:r,callbackURL:o}=t.query,n=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,i=await t.context.internalAdapter.findVerificationValue(r);if(!i)throw t.redirect(`${n}?error=INVALID_TOKEN`);if(i.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(i.id),t.redirect(`${n}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(i.id);let a=i.value,s=await t.context.internalAdapter.findUserByEmail(a),d=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${n}?error=USER_NOT_FOUND`);if(d=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!d)throw t.redirect(`${n}?error=USER_NOT_CREATED`)}let c=await t.context.internalAdapter.createSession(d,t.headers);if(!c)throw t.redirect(`${n}?error=SESSION_NOT_CREATED`);if(await w(t,{session:c,user:s?.user}),!o)return t.json({status:!0});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return 
t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});var pe=require("zod");var X=require("better-call");function pn(e){return V(e,q("0-9"))}var mn=e=>{let t={phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt",expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6};return{id:"phone-number",endpoints:{sendPhoneNumberOTP:u("/phone-number/send-otp",{method:"POST",body:pe.z.object({phoneNumber:pe.z.string()})},async r=>{if(!e?.sendOTP)throw y.warn("sendOTP not implemented"),new X.APIError("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});let o=pn(t.otpLength);return await r.context.internalAdapter.createVerificationValue({value:o,identifier:r.body.phoneNumber,expiresAt:C(t.expiresIn,"sec")}),await e.sendOTP(r.body.phoneNumber,o),r.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:u("/phone-number/verify",{method:"POST",body:pe.z.object({phoneNumber:pe.z.string(),code:pe.z.string(),disableSession:pe.z.boolean().optional(),updatePhoneNumber:pe.z.boolean().optional()})},async r=>{let o=await r.context.internalAdapter.findVerificationValue(r.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await r.context.internalAdapter.deleteVerificationValue(o.id),new X.APIError("BAD_REQUEST",{message:"OTP expired"})):new X.APIError("BAD_REQUEST",{message:"OTP not found"});if(o.value!==r.body.code)throw new X.APIError("BAD_REQUEST",{message:"Invalid OTP"});if(await r.context.internalAdapter.deleteVerificationValue(o.id),r.body.updatePhoneNumber){let i=await L(r);if(!i)throw new X.APIError("UNAUTHORIZED",{message:"Session not found"});let a=await r.context.internalAdapter.updateUser(i.user.id,{[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0});return r.json({user:a,session:i.session})}let n=await 
r.context.adapter.findOne({model:r.context.tables.user.tableName,where:[{value:r.body.phoneNumber,field:t.phoneNumber}]});if(n)n=await r.context.internalAdapter.updateUser(n.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(n=await r.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(r.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(r.body.phoneNumber):r.body.phoneNumber,[t.phoneNumber]:r.body.phoneNumber,[t.phoneNumberVerified]:!0}),!n)throw new X.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else throw new X.APIError("BAD_REQUEST",{message:"Phone number not found"});if(!n)throw new X.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!r.body.disableSession){let i=await r.context.internalAdapter.createSession(n.id,r.request);if(!i)throw new X.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(r,{session:i,user:n}),r.json({user:n,session:i})}return r.json({user:n,session:null})})},schema:{user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}}}};var dt=require("zod");var fn=e=>({id:"anonymous",endpoints:{signInAnonymous:u("/sign-in/anonymous",{method:"POST"},async t=>{let{emailDomainName:r=Je(t.context.baseURL)}=e||{},o=z(),n=`temp-${o}@${r}`,i=await t.context.internalAdapter.createUser({id:o,email:n,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!i)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(i.id,t.request);return a?(await w(t,{session:a,user:i}),t.json({user:i,session:a})):t.json(null,{status:400,body:{message:"Could not create 
session"}})}),linkAccount:u("/anonymous/link-account",{method:"POST",body:dt.z.object({email:dt.z.string().email().optional(),password:dt.z.string().min(6)}),use:[A]},async t=>{let r=t.context.session.user.id,{email:o,password:n}=t.body,i=null;if(o&&n&&(i=await t.context.internalAdapter.updateUser(r,{email:o,isAnonymous:!1})),!i)return t.json(null,{status:500,body:{message:"Failed to update user",status:500}});let a=await t.context.password.hash(n);if(!await t.context.internalAdapter.linkAccount({userId:i.id,providerId:"credential",password:a,accountId:i.id}))return t.json(null,{status:500,body:{message:"Failed to update account",status:500}});let d=await t.context.internalAdapter.createSession(i.id,t.request);return d?(await w(t,{session:d,user:i}),t.json({session:d,user:i})):t.json(null,{status:400,body:{message:"Could not create session"}})})},schema:{user:{fields:{isAnonymous:{type:"boolean",required:!1}}}}});var g=require("zod");var J=T(async e=>{let t=await L(e);if(!t?.session)throw new v.APIError("UNAUTHORIZED");let r=t.user;if(r.role!=="admin")throw new v.APIError("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:r,session:t.session}}}),gn=e=>({id:"admin",init(t){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let o=await t.internalAdapter.findUserById(r.userId);if(o.banned){if(o.banExpires&&o.banExpires<Date.now()){await t.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(t){return t.path==="/list-sessions"},handler:T(async t=>{let r=t.context.returned;if(r){let n=(await r.json()).filter(a=>!a.impersonatedBy),i=new Response(JSON.stringify(n),{status:200,statusText:"OK",headers:r.headers});return 
t.json({response:i})}})}]},endpoints:{setRole:u("/admin/set-role",{method:"POST",body:g.z.object({userId:g.z.string(),role:g.z.string()}),use:[J]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{role:t.body.role});return t.json({user:r})}),createUser:u("/admin/create-user",{method:"POST",body:g.z.object({email:g.z.string(),password:g.z.string(),name:g.z.string(),role:g.z.string(),data:g.z.optional(g.z.record(g.z.any()))}),use:[J]},async t=>{if(await t.context.internalAdapter.findUserByEmail(t.body.email))throw new v.APIError("BAD_REQUEST",{message:"User already exists"});let o=await t.context.internalAdapter.createUser({email:t.body.email,name:t.body.name,role:t.body.role,...t.body.data});if(!o)throw new v.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let n=await t.context.password.hash(t.body.password);return await t.context.internalAdapter.linkAccount({accountId:o.id,providerId:"credential",password:n,userId:o.id}),t.json({user:o})}),listUsers:u("/admin/list-users",{method:"GET",use:[J],query:g.z.object({search:g.z.object({field:g.z.enum(["email","name"]),operator:g.z.enum(["contains","starts_with","ends_with"]).default("contains"),value:g.z.string()}).optional(),limit:g.z.string().or(g.z.number()).optional(),offset:g.z.string().or(g.z.number()).optional(),sortBy:g.z.string().optional(),sortDirection:g.z.enum(["asc","desc"]).optional(),filter:g.z.array(g.z.object({field:g.z.string(),value:g.z.string().or(g.z.number()).or(g.z.boolean()),operator:g.z.enum(["eq","ne","lt","lte","gt","gte"]),connector:g.z.enum(["AND","OR"]).optional()})).optional()})},async t=>{let r=[];t.query?.search&&r.push({field:t.query.search.field,operator:t.query.search.operator,value:t.query.search.value}),t.query?.filter&&r.push(...t.query.filter||[]);let o=await t.context.internalAdapter.listUsers(Number(t.query?.limit)||void 0,Number(t.query?.offset)||void 0,t.query?.sortBy?{field:t.query.sortBy,direction:t.query.sortDirection||"asc"}:void 
0,r.length?r:void 0);return t.json({users:o})}),listUserSessions:u("/admin/list-user-sessions",{method:"POST",use:[J],body:g.z.object({userId:g.z.string()})},async t=>({sessions:await t.context.internalAdapter.listSessions(t.body.userId)})),unbanUser:u("/admin/unban-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[J]},async t=>{let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!1});return t.json({user:r})}),banUser:u("/admin/ban-user",{method:"POST",body:g.z.object({userId:g.z.string(),banReason:g.z.string().optional(),banExpiresIn:g.z.number().optional()}),use:[J]},async t=>{if(t.body.userId===t.context.session.user.id)throw new v.APIError("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await t.context.internalAdapter.updateUser(t.body.userId,{banned:!0,banReason:t.body.banReason||e?.defaultBanReason||"No reason",banExpires:t.body.banExpiresIn?C(t.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?C(e.defaultBanExpiresIn,"sec"):void 0});return await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({user:r})}),impersonateUser:u("/admin/impersonate-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[J]},async t=>{let r=await t.context.internalAdapter.findUserById(t.body.userId);if(!r)throw new v.APIError("NOT_FOUND",{message:"User not found"});let o=await t.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:t.context.session.user.id,expiresAt:e?.impersonationSessionDuration?C(e.impersonationSessionDuration,"sec"):C(60*60,"sec")});if(!o)throw new v.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await w(t,{session:o,user:r},!0),t.json({session:o,user:r})}),revokeUserSession:u("/admin/revoke-user-session",{method:"POST",body:g.z.object({sessionId:g.z.string()}),use:[J]},async t=>(await 
t.context.internalAdapter.deleteSession(t.body.sessionId),t.json({success:!0}))),revokeUserSessions:u("/admin/revoke-user-sessions",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[J]},async t=>(await t.context.internalAdapter.deleteSessions(t.body.userId),t.json({success:!0}))),removeUser:u("/admin/remove-user",{method:"POST",body:g.z.object({userId:g.z.string()}),use:[J]},async t=>(await t.context.internalAdapter.deleteUser(t.body.userId),t.json({success:!0})))},schema:{user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}}});var ee=require("zod"),Be=require("better-call");var ct=require("@better-fetch/fetch");var Zr=require("oslo/jwt");async function hn(e,t,r){if(t==="oidc"&&e.idToken){let n=(0,Zr.parseJWT)(e.idToken);if(n?.payload)return n.payload}return r?(await(0,ct.betterFetch)(r,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}})).data:null}var wn=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:u("/sign-in/oauth2",{method:"POST",query:ee.z.object({currentURL:ee.z.string().optional()}).optional(),body:ee.z.object({providerId:ee.z.string(),callbackURL:ee.z.string().optional()})},async t=>{let{providerId:r}=t.body,o=e.config.find(me=>me.providerId===r);if(!o)throw new Be.APIError("BAD_REQUEST",{message:`No config found for provider ${r}`});let{discoveryUrl:n,authorizationUrl:i,tokenUrl:a,clientId:s,clientSecret:d,scopes:c,redirectURI:l,responseType:p,pkce:m,prompt:f,accessType:k}=o,b=i,h=a;if(n){let me=await(0,ct.betterFetch)(n,{onError(lt){y.error(lt.error,{discoveryUrl:n})}});me.data&&(b=me.data.authorization_endpoint,h=me.data.token_endpoint)}if(!b||!h)throw new Be.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let _=t.query?.currentURL?new 
URL(t.query?.currentURL):null,Oe=t.body.callbackURL?.startsWith("http")?t.body.callbackURL:`${_?.origin}${t.body.callbackURL||""}`,{state:W,codeVerifier:He}=await ve(t),Re=await U({id:r,options:{clientId:s,clientSecret:d,redirectURI:l},authorizationEndpoint:b,state:W,codeVerifier:He,scopes:c||[],disablePkce:!m,redirectURI:`${t.context.baseURL}/oauth2/callback/${r}`});return p&&p!=="code"&&Re.searchParams.set("response_type",p),f&&Re.searchParams.set("prompt",f),k&&Re.searchParams.set("access_type",k),t.json({url:Re.toString(),redirect:!0})}),oAuth2Callback:u("/oauth2/callback/:providerId",{method:"GET",query:ee.z.object({code:ee.z.string().optional(),error:ee.z.string().optional(),state:ee.z.string()})},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let r=e.config.find(h=>h.providerId===t.params.providerId);if(!r)throw new Be.APIError("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,n=await Ye(t),{callbackURL:i,codeVerifier:a,errorURL:s}=n,d=t.query.code,c=r.tokenUrl,l=r.userInfoUrl;if(r.discoveryUrl){let h=await(0,ct.betterFetch)(r.discoveryUrl,{method:"GET"});h.data&&(c=h.data.token_endpoint,l=h.data.userinfo_endpoint)}try{if(!c)throw new Be.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await R({code:d,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${r.providerId}`,options:{clientId:r.clientId,clientSecret:r.clientSecret},tokenEndpoint:c})}catch(h){throw t.context.logger.error(h),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new Be.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let p=r.getUserInfo?await r.getUserInfo(o):await hn(o,r.type||"oauth2",l),m=z(),f=p?tt.safeParse({...p,id:m}):null;if(!f?.success)throw t.redirect(`${s}?error=oauth_user_info_invalid`);let k=await t.context.internalAdapter.findUserByEmail(f.data.email,{includeAccounts:!0}).catch(h=>{throw 
y.error(`Better auth was unable to query your database.
85
+ Error: `,h),t.redirect(`${s}?error=internal_server_error`)}),b=k?.user.id||m;if(k){let h=k.accounts.find(W=>W.providerId===r.providerId),_=t.context.options.account?.accountLinking?.trustedProviders,Oe=_?_.includes(r.providerId):!0;if(!h&&(!f?.data.emailVerified||!Oe)){let W;try{W=new URL(s),W.searchParams.set("error","account_not_linked")}catch{throw t.redirect(`${s}?error=account_not_linked`)}throw t.redirect(W.toString())}if(h)await t.context.internalAdapter.updateAccount(h.id,{accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt});else try{await t.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:f.data.id,id:`${r.providerId}:${f.data.id}`,userId:k.user.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch(W){throw console.log(W),t.redirect(`${s}?error=failed_linking_account`)}}else try{await t.context.internalAdapter.createOAuthUser(f.data,{id:`${r.providerId}:${f.data.id}`,providerId:r.providerId,accountId:f.data.id,accessToken:o.accessToken,idToken:o.idToken,refreshToken:o.refreshToken,expiresAt:o.accessTokenExpiresAt})}catch{let _=new URL(s);throw _.searchParams.set("error","unable_to_create_user"),t.setHeader("Location",_.toString()),t.redirect(_.toString())}try{let h=await t.context.internalAdapter.createSession(b||m,t.request);if(!h)throw t.redirect(`${s}?error=unable_to_create_session`);await w(t,{session:h,user:f.data})}catch{throw t.redirect(`${s}?error=unable_to_create_session`)}throw t.redirect(i)})}});var Le=require("zod"),Yr={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},pl=Le.z.object({id:Le.z.string(),publicKey:Le.z.string(),privateKey:Le.z.string(),createdAt:Le.z.date()});var Bt=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await 
e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});var ie=require("jose");var yn=e=>({id:"jwt",endpoints:{getJwks:u("/jwks",{method:"GET"},async t=>{let o=await Bt(t.context.adapter).getAllKeys();return t.json({keys:o.map(n=>({...JSON.parse(n.publicKey),kid:n.id}))})}),getToken:u("/token",{method:"GET",requireHeaders:!0,use:[A]},async t=>{let r=Bt(t.context.adapter),o=await r.getLatestKey(),n=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:c,privateKey:l}=await(0,ie.generateKeyPair)(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),p=await(0,ie.exportJWK)(c),m=await(0,ie.exportJWK)(l),f=JSON.stringify(m),k={id:crypto.randomUUID(),publicKey:JSON.stringify(p),privateKey:n?JSON.stringify(await ce({key:t.context.options.secret,data:f})):f,createdAt:new Date};o=await r.createJwk(k)}let i=n?await ue({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await(0,ie.importJWK)(JSON.parse(i)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new ie.SignJWT({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:Yr});var Qe=require("zod");var bn=e=>{let t={maximumSessions:5,...e},r=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:u("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let n=o.headers?.get("cookie");if(!n)return o.json([]);let i=Object.fromEntries(Ke(n)),a=(await 
Promise.all(Object.entries(i).filter(([c])=>r(c)).map(async([c])=>await o.getSignedCookie(c,o.context.secret)))).filter(c=>c!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(c=>c&&c.session.expiresAt>new Date).filter((c,l,p)=>l===p.findIndex(m=>m.user.id===c.user.id));return Object.entries(i).filter(([c])=>r(c)).forEach(([c,l])=>{d.some(p=>p.session.id===l)||o.setCookie(c,"",{...o.context.authCookies.sessionToken.options,maxAge:0})}),o.json(d)}),setActiveSession:u("/multi-session/set-active",{method:"POST",body:Qe.z.object({sessionId:Qe.z.string()}),requireHeaders:!0,use:[A]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new v.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);if(!s||s.session.expiresAt<new Date)throw o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new v.APIError("UNAUTHORIZED",{message:"Invalid session id"});return await o.setSignedCookie(o.context.authCookies.sessionToken.name,n,o.context.secret,o.context.authCookies.sessionToken.options),o.json(s)}),revokeDeviceSession:u("/multi-session/revoke",{method:"POST",body:Qe.z.object({sessionId:Qe.z.string()}),requireHeaders:!0,use:[A]},async o=>{let n=o.body.sessionId,i=`${o.context.authCookies.sessionToken.name}_multi-${n}`;if(!await o.getSignedCookie(i,o.context.secret))throw new v.APIError("UNAUTHORIZED",{message:"Invalid session id"});let s=await o.context.internalAdapter.findSession(n);return o.setCookie(i,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),s?(await o.context.internalAdapter.deleteSession(n),o.json({success:!0})):o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:T(async o=>{if(!o.context.returned||!(o.context.returned instanceof Response))return;let n=o.context.returned.headers.get("set-cookie");if(!n)return;let 
i=Nt(n),a=o.context.authCookies.sessionToken,s=i.get(a.name)?.value;if(!s)return;let d=Ke(o.headers?.get("cookie")||""),c=s.split(".")[0],l=`${a.name}_multi-${c}`;if(i.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(r).length+(n.includes("session_token")?1:0)>t.maximumSessions)return;await o.setSignedCookie(l,c,o.context.secret,a.options);let m=o.context.returned;return m.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:m}})},{matcher:o=>o.path==="/sign-out",handler:T(async o=>{let n=o.headers?.get("cookie");if(!n)return;let i=Object.fromEntries(Ke(n));await Promise.all(Object.entries(i).map(async([s,d])=>{if(r(s)){o.setCookie(s,"",{maxAge:0});let c=s.split("_multi-")[1];await o.context.internalAdapter.deleteSession(c)}}));let a=o.context.returned;return a?.headers.append("Set-Cookie",o.responseHeader.get("set-cookie")),{response:a}})}]}}};var te=require("zod");var An=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:u("/email-otp/send-verification-otp",{method:"POST",body:te.z.object({email:te.z.string(),type:te.z.enum(["email-verification","sign-in"])})},async r=>{if(!e?.sendVerificationOTP)throw y.error("send email verification is not implemented"),new v.APIError("BAD_REQUEST",{message:"send email verification is not implemented"});let o=r.body.email,n=V(t.otpLength,q("0-9"));return await r.context.internalAdapter.createVerificationValue({value:n,identifier:`${r.body.type}-otp-${o}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:r.body.type}),r.json({success:!0})}),verifyEmailOTP:u("/email-otp/verify-email",{method:"POST",body:te.z.object({email:te.z.string(),otp:te.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new v.APIError("BAD_REQUEST",{message:"Invalid OTP"});let 
i=r.body.otp;if(n.value!==i)throw new v.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a)throw new v.APIError("BAD_REQUEST",{message:"User not found"});let s=await r.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return r.json({user:s})}),signInEmailOTP:u("/sign-in/email-otp",{method:"POST",body:te.z.object({email:te.z.string(),otp:te.z.string()})},async r=>{let o=r.body.email,n=await r.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await r.context.internalAdapter.deleteVerificationValue(n.id),new v.APIError("BAD_REQUEST",{message:"Invalid OTP"});let i=r.body.otp;if(n.value!==i)throw new v.APIError("BAD_REQUEST",{message:"Invalid OTP"});await r.context.internalAdapter.deleteVerificationValue(n.id);let a=await r.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new v.APIError("BAD_REQUEST",{message:"User not found"});let d=await r.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),c=await r.context.internalAdapter.createSession(d.id,r.request);return await w(r,{session:c,user:d}),r.json({user:d,session:c})}let s=await r.context.internalAdapter.createSession(a.user.id,r.request);return await w(r,{session:s,user:a.user}),r.json({session:s,user:a})})},hooks:{after:[{matcher(r){return!!(r.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(r){let o=r.context.returned;if(o?.status!==200)return;let n=await o.clone().json();if(n.user.email&&n.user.emailVerified===!1){let i=V(t.otpLength,q("0-9"));await r.context.internalAdapter.createVerificationValue({value:i,identifier:`email-verification-otp-${n.user.email}`,expiresAt:C(t.expireIn,"sec")}),await e.sendVerificationOTP({email:n.user.email,otp:i,type:"email-verification"})}}}]}}};var Lt=require("zod");var eo=require("@better-fetch/fetch");function 
Xr(e){return e==="true"||e===!0}var kn=e=>({id:"one-tap",endpoints:{oneTapCallback:u("/one-tap/callback",{method:"POST",body:Lt.z.object({idToken:Lt.z.string()})},async t=>{let{idToken:r}=t.body,{data:o,error:n}=await(0,eo.betterFetch)("https://oauth2.googleapis.com/tokeninfo?id_token="+r);if(n)return t.json({error:"Invalid token"});let i=await t.context.internalAdapter.findUserByEmail(o.email);if(!i){if(e?.disableSignup)throw new v.APIError("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:Xr(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new v.APIError("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await w(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(i.user.id,t.request);return await w(t,{user:i.user,session:a}),t.json({session:a,user:i})})}});var ut=require("zod");function On(){let e=K.VERCEL_URL,t=K.NETLIFY_URL,r=K.RENDER_URL,o=K.AWS_LAMBDA_FUNCTION_NAME,n=K.GOOGLE_CLOUD_FUNCTION_NAME,i=K.AZURE_FUNCTION_NAME;return e||t||r||o||n||i}var Rn=e=>({id:"oauth-proxy",endpoints:{oAuthProxy:u("/oauth-proxy-callback",{method:"GET",query:ut.z.object({callbackURL:ut.z.string(),cookies:ut.z.string()})},async t=>{let r=t.query.cookies,o=await ue({key:t.context.secret,data:r});throw t.setHeader("set-cookie",o),t.redirect(t.query.callbackURL)})},hooks:{after:[{matcher(t){return t.path?.startsWith("/callback")},handler:T(async t=>{let r=t.context.returned;if(!r)return;let o=r.headers.get("location");if(o?.includes("/oauth-proxy-callback?callbackURL")){if(!o.startsWith("http")||new URL(o).origin===t.context.baseURL)return;let i=r.headers.get("set-cookie");if(!i)return;let a=await ce({key:t.context.secret,data:i}),s=`${o}&cookies=${encodeURIComponent(a)}`;return 
r.headers.set("location",s),{response:r}}})}],before:[{matcher(t){return t.path?.startsWith("/sign-in/social")},async handler(t){let r=new URL(e?.currentURL||t.request?.url||On()||t.context.baseURL);return t.body.callbackURL=`${r.origin}${t.context.options.basePath||"/api/auth"}/oauth-proxy-callback?callbackURL=${encodeURIComponent(t.body.callbackURL||t.context.baseURL)}`,{context:t}}}]}});0&&(module.exports={HIDE_METADATA,admin,adminMiddleware,anonymous,bearer,createAuthEndpoint,createAuthMiddleware,emailOTP,genericOAuth,getPasskeyActions,jwt,magicLink,multiSession,oAuthProxy,oneTap,optionsMiddleware,organization,passkey,passkeyClient,phoneNumber,twoFactor,twoFactorClient,username});