better-auth 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/README.md +1 -4
  2. package/dist/client/plugins.d.cts +2 -2
  3. package/dist/client/plugins.d.ts +2 -2
  4. package/dist/{index-qfU3ue1P.d.ts → index-CX-Hopog.d.ts} +4 -0
  5. package/dist/{index-ySD-VQEH.d.cts → index-x5P1hIyV.d.cts} +4 -0
  6. package/dist/node.cjs +1 -1
  7. package/dist/node.d.cts +3 -1
  8. package/dist/node.d.ts +3 -1
  9. package/dist/plugins.cjs +4 -4
  10. package/dist/plugins.d.cts +1 -1
  11. package/dist/plugins.d.ts +1 -1
  12. package/dist/plugins.js +4 -4
  13. package/package.json +1 -1
package/dist/plugins.cjs CHANGED
@@ -1,5 +1,5 @@
1
- "use strict";var or=Object.create;var oo=Object.defineProperty;var ir=Object.getOwnPropertyDescriptor;var tr=Object.getOwnPropertyNames;var rr=Object.getPrototypeOf,nr=Object.prototype.hasOwnProperty;var sr=(e,t)=>{for(var i in t)oo(e,i,{get:t[i],enumerable:!0})},Jo=(e,t,i,o)=>{if(t&&typeof t=="object"||typeof t=="function")for(let r of tr(t))!nr.call(e,r)&&r!==i&&oo(e,r,{get:()=>t[r],enumerable:!(o=ir(t,r))||o.enumerable});return e};var Xo=(e,t,i)=>(i=e!=null?or(rr(e)):{},Jo(t||!e||!e.__esModule?oo(i,"default",{value:e,enumerable:!0}):i,e)),ar=e=>Jo(oo({},"__esModule",{value:!0}),e);var fn={};sr(fn,{HIDE_METADATA:()=>we,admin:()=>on,anonymous:()=>en,bearer:()=>Zr,createAuthEndpoint:()=>K,createAuthMiddleware:()=>R,customSession:()=>un,emailOTP:()=>An,genericOAuth:()=>nn,getPasskeyActions:()=>Ft,jwt:()=>sn,magicLink:()=>Wr,multiSession:()=>an,oAuthProxy:()=>cn,oneTap:()=>dn,openAPI:()=>mn,optionsMiddleware:()=>bo,organization:()=>Sr,passkey:()=>Qr,passkeyClient:()=>Hr,phoneNumber:()=>Jr,twoFactor:()=>qr,twoFactorClient:()=>Fr,username:()=>Ho});module.exports=ar(fn);var Do=require("better-call"),Se=require("zod");var ye=require("better-call"),bo=(0,ye.createMiddleware)(async()=>({})),R=(0,ye.createMiddlewareCreator)({use:[bo,(0,ye.createMiddleware)(async()=>({}))]}),K=(0,ye.createEndpointCreator)({use:[bo]});var F=require("better-call"),x=require("zod");var lr=require("oslo"),ei=require("oslo/encoding");var io=require("oslo/crypto");async function dr({value:e,secret:t}){return new io.HMAC("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function Kr({value:e,signature:t,secret:i}){return new io.HMAC("SHA-256").verify(new TextEncoder().encode(i),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var to={sign:dr,verify:Kr};var X=class extends Error{constructor(t,i){super(t),this.name="BetterAuthError",this.message=t,this.cause=i,this.stack=""}};var I=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));var ro=Object.create(null),Fe=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?ro:globalThis),re=new Proxy(ro,{get(e,t){return Fe()[t]??ro[t]},has(e,t){let i=Fe();return t in i||t in ro},set(e,t,i){let o=Fe(!0);return o[t]=i,!0},deleteProperty(e,t){if(!t)return!1;let i=Fe(!0);return delete i[t],!0},ownKeys(){let e=Fe(!0);return Object.keys(e)}});function cr(e){return e?e!=="false":!1}var vo=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var Yo=vo==="dev"||vo==="development",ur=vo==="test"||cr(re.TEST);function no(e){let t=new Map;return e.split(", ").forEach(o=>{let r=o.split(";").map(l=>l.trim()),[n,...a]=r,[s,...A]=n.split("="),d=A.join("=");if(!s||d===void 0){console.warn(`Malformed cookie: ${o}`);return}let c={value:d};a.forEach(l=>{let[u,...p]=l.split("="),h=p.join("="),k=u.trim().toLowerCase();switch(k){case"max-age":c["max-age"]=h?parseInt(h.trim(),10):void 0;break;case"expires":c.expires=h?new Date(h.trim()):void 0;break;case"domain":c.domain=h?h.trim():void 0;break;case"path":c.path=h?h.trim():void 0;break;case"secure":c.secure=!0;break;case"httponly":c.httponly=!0;break;case"samesite":c.samesite=h?h.trim().toLowerCase():void 0;break;default:c[k]=h?h.trim():!0;break}}),t.set(s,c)}),t}async function m(e,t,i,o){let r=e.context.authCookies.sessionToken.options,n=i?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...r,maxAge:n,...o}),i&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(ei.base64url.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:I(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await to.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function M(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}function qe(e){let t=e.split("; "),i=new Map;return t.forEach(o=>{let[r,n]=o.split("=");i.set(r,n)}),i}var si=require("@better-fetch/fetch"),ai=require("better-call"),Ie=require("jose"),Ai=require("oslo/jwt");var oi=require("oslo/crypto"),ii=require("oslo/encoding");async function ti(e){let t=await(0,oi.sha256)(new TextEncoder().encode(e));return ii.base64url.encode(new Uint8Array(t),{includePadding:!1})}function ri(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?I(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function P({id:e,options:t,authorizationEndpoint:i,state:o,codeVerifier:r,scopes:n,claims:a,redirectURI:s}){let A=new URL(i);if(A.searchParams.set("response_type","code"),A.searchParams.set("client_id",t.clientId),A.searchParams.set("state",o),A.searchParams.set("scope",n.join(" ")),A.searchParams.set("redirect_uri",t.redirectURI||s),r){let d=await ti(r);A.searchParams.set("code_challenge_method","S256"),A.searchParams.set("code_challenge",d)}if(a){let d=a.reduce((c,l)=>(c[l]=null,c),{});A.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return A}var ni=require("@better-fetch/fetch");async function O({code:e,codeVerifier:t,redirectURI:i,options:o,tokenEndpoint:r,authentication:n}){let a=new URLSearchParams,s={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(a.set("grant_type","authorization_code"),a.set("code",e),t&&a.set("code_verifier",t),a.set("redirect_uri",i),n==="basic"){let l=btoa(`${o.clientId}:${o.clientSecret}`);s.authorization=`Basic ${l}`}else a.set("client_id",o.clientId),a.set("client_secret",o.clientSecret);let{data:A,error:d}=await(0,ni.betterFetch)(r,{method:"POST",body:a,headers:s});if(d)throw d;return ri(A)}var so=require("oslo/oauth2"),ce=require("zod"),ko=require("better-call");function Te(e){try{return new URL(e).origin}catch{return null}}async function Oe(e,t){let i=e.body?.callbackURL||(e.query?.currentURL?Te(e.query?.currentURL):"")||e.context.options.baseURL;if(!i)throw new ko.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,so.generateCodeVerifier)(),r=(0,so.generateState)(),n=JSON.stringify({callbackURL:i,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let s=await e.context.internalAdapter.createVerificationValue({value:n,identifier:r,expiresAt:a});if(!s)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new ko.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:s.identifier,codeVerifier:o}}async function ao(e){let t=e.query.state||e.body.state,i=await e.context.internalAdapter.findVerificationValue(t);if(!i)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=ce.z.object({callbackURL:ce.z.string(),codeVerifier:ce.z.string(),errorURL:ce.z.string().optional(),expiresAt:ce.z.number(),link:ce.z.object({email:ce.z.string(),userId:ce.z.string()}).optional()}).parse(JSON.parse(i.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(i.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(i.id),o}var di=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:i,scopes:o,redirectURI:r}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${r||e.redirectURI}&scope=${n.join(" ")}&state=${i}&response_mode=form_post`)},validateAuthorizationCode:async({code:i,codeVerifier:o,redirectURI:r})=>O({code:i,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:t}),async verifyIdToken(i,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(i,o);let r=(0,Ie.decodeProtectedHeader)(i),{kid:n,alg:a}=r;if(!n||!a)return!1;let s=await pr(n),{payload:A}=await(0,Ie.jwtVerify)(i,s,{algorithms:[a],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{A[d]!==void 0&&(A[d]=!!A[d])}),o&&A.nonce!==o?!1:!!A},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let o=(0,Ai.parseJWT)(i.idToken)?.payload;if(!o)return null;let r=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email;return{user:{id:o.sub,name:r,emailVerified:!1,email:o.email},data:o}}}},pr=async e=>{let t="https://appleid.apple.com",i="/auth/keys",{data:o}=await(0,si.betterFetch)(`${t}${i}`);if(!o?.keys)throw new ai.APIError("BAD_REQUEST",{message:"Keys not found"});let r=o.keys.find(n=>n.kid===e);if(!r)throw new Error(`JWK with kid ${e} not found`);return await(0,Ie.importJWK)(r,r.alg)};var Ki=require("@better-fetch/fetch");var ci=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["identify","email"];return e.scope&&r.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${r.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await(0,Ki.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(i.avatar===null){let r=i.discriminator==="0"?Number(BigInt(i.id)>>BigInt(22))%6:parseInt(i.discriminator)%5;i.image_url=`https://cdn.discordapp.com/embed/avatars/${r}.png`}else{let r=i.avatar.startsWith("a_")?"gif":"png";i.image_url=`https://cdn.discordapp.com/avatars/${i.id}/${i.avatar}.${r}`}return{user:{id:i.id,name:i.display_name||i.username||"",email:i.email,emailVerified:i.verified,image:i.image_url},data:i}}});var ui=require("@better-fetch/fetch");var li=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["email","public_profile"];return e.scope&&r.push(...e.scope),await P({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:r,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await(0,ui.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:i.id,name:i.name,email:i.email,image:i.picture.data.url,emailVerified:i.email_verified},data:i}}});var To=require("@better-fetch/fetch");var pi=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:i,scopes:o,codeVerifier:r,redirectURI:n}){let a=o||["user:email"];return e.scope&&a.push(...e.scope),P({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:i,redirectURI:n})},validateAuthorizationCode:async({code:i,redirectURI:o})=>O({code:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:o,error:r}=await(0,To.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${i.accessToken}`}});if(r)return null;let n=!1;if(!o.email){let{data:a,error:s}=await(0,To.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${i.accessToken}`,"User-Agent":"better-auth"}});s||(o.email=(a.find(A=>A.primary)??a[0])?.email,n=a.find(A=>A.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n},data:o}}}};var fi=require("oslo/jwt");var gi=require("consola"),Oo=["info","success","warn","error","debug"];function gr(e,t){return Oo.indexOf(t)<=Oo.indexOf(e)}var mr=(0,gi.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),mi=e=>{let t=e?.disabled!==!0,i=e?.level??"error",o=(r,n,a=[])=>{if(!(!t||!gr(i,r))){if(!e||typeof e.log!="function"){mr[r]("",n,...a);return}e.log(r==="success"?"info":r,n,a)}};return Object.fromEntries(Oo.map(r=>[r,(...[n,...a])=>o(r,n,a)]))},G=mi();var hi=require("@better-fetch/fetch"),yi=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:i,codeVerifier:o,redirectURI:r}){if(!e.clientId||!e.clientSecret)throw G.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new X("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new X("codeVerifier is required for Google");let n=i||["email","profile","openid"];e.scope&&n.push(...e.scope);let a=await P({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:t,codeVerifier:o,redirectURI:r});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,i){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,i);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:r}=await(0,hi.betterFetch)(o);return r?r.aud===e.clientId&&r.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let i=(0,fi.parseJWT)(t.idToken)?.payload;return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:i.email_verified},data:i}}});var wi=require("@better-fetch/fetch"),Ci=require("oslo/jwt");var bi=e=>{let t=e.tenantId||"common",i=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(r){let n=r.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),P({id:"microsoft",options:e,authorizationEndpoint:i,state:r.state,codeVerifier:r.codeVerifier,scopes:n,redirectURI:r.redirectURI})},validateAuthorizationCode({code:r,codeVerifier:n,redirectURI:a}){return O({code:r,codeVerifier:n,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:o})},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let n=(0,Ci.parseJWT)(r.idToken)?.payload,a=e.profilePhotoSize||48;return await(0,wi.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${r.accessToken}`},async onResponse(s){if(!(e.disableProfilePhoto||!s.response.ok))try{let d=await s.response.clone().arrayBuffer(),c=Buffer.from(d).toString("base64");n.picture=`data:image/jpeg;base64, ${c}`}catch(A){G.error(A&&typeof A=="object"&&"name"in A?A.name:"",A)}}}),{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0},data:n}}}};var vi=require("@better-fetch/fetch");var ki=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:i,codeVerifier:o,redirectURI:r}){let n=i||["user-read-email"];return e.scope&&n.push(...e.scope),P({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:t,codeVerifier:o,redirectURI:r})},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await(0,vi.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:i.id,name:i.display_name,email:i.email,image:i.images[0]?.url,emailVerified:!1},data:i}}});var we={isAction:!1};var Ti=require("nanoid"),L=e=>(0,Ti.nanoid)(e);var Oi=require("oslo/jwt");var Ii=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["user:read:email","openid"];return e.scope&&r.push(...e.scope),P({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:r,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let i=t.idToken;if(!i)return G.error("No idToken found in token"),null;let o=(0,Oi.parseJWT)(i)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});var Ri=require("@better-fetch/fetch");var Ui=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let i=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&i.push(...e.scope),P({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:i,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await(0,Ri.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:i.data.id,name:i.data.name,email:i.data.email||null,image:i.data.profile_image_url,emailVerified:i.data.verified||!1},data:i}}});var Ei=require("@better-fetch/fetch");var Pi=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:i,scopes:o,codeVerifier:r,redirectURI:n})=>{let a=o||["account_info.read"];return e.scope&&a.push(...e.scope),await P({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:i,redirectURI:n,codeVerifier:r})},validateAuthorizationCode:async({code:i,codeVerifier:o,redirectURI:r})=>await O({code:i,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:t}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:o,error:r}=await(0,Ei.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${i.accessToken}`}});return r?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};var Si=require("@better-fetch/fetch");var Di=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",i="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:r,redirectURI:n})=>{let a=r||["profile","email","openid"];return e.scope&&a.push(...e.scope),await P({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:r})=>await O({code:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:i}),async getUserInfo(o){let{data:r,error:n}=await(0,Si.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return n?null:{user:{id:r.sub,name:r.name,email:r.email,emailVerified:r.email_verified||!1,image:r.picture},data:r}}}};var xi=require("@better-fetch/fetch");var Io=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),fr=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:Io(`${t}/oauth/authorize`),tokenEndpoint:Io(`${t}/oauth/token`),userinfoEndpoint:Io(`${t}/api/v4/user`)}},zi=e=>{let{authorizationEndpoint:t,tokenEndpoint:i,userinfoEndpoint:o}=fr(e.issuer),r="gitlab";return{id:r,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:s,codeVerifier:A,redirectURI:d})=>{let c=s||["read_user"];return e.scope&&c.push(...e.scope),await P({id:r,options:e,authorizationEndpoint:t,scopes:c,state:a,redirectURI:d,codeVerifier:A})},validateAuthorizationCode:async({code:a,redirectURI:s,codeVerifier:A})=>O({code:a,redirectURI:e.redirectURI||s,options:e,codeVerifier:A,tokenEndpoint:i}),async getUserInfo(a){if(e.getUserInfo)return e.getUserInfo(a);let{data:s,error:A}=await(0,xi.betterFetch)(o,{headers:{authorization:`Bearer ${a.accessToken}`}});return A||s.state!=="active"||s.locked?null:{user:{id:s.id.toString(),name:s.name??s.username,email:s.email,image:s.avatar_url,emailVerified:!0},data:s}}}};var hr={apple:di,discord:ci,facebook:li,github:pi,microsoft:bi,google:yi,spotify:ki,twitch:Ii,twitter:Ui,dropbox:Pi,linkedin:Di,gitlab:zi},Ao=Object.keys(hr);var Li=require("oslo"),Ko=require("oslo/jwt"),Y=require("zod");var Me=require("better-call");var se=require("better-call");var Re=require("zod");function Ro(e){try{return JSON.parse(e)}catch{return null}}var Uo=()=>K("/get-session",{method:"GET",query:Re.z.optional(Re.z.object({disableCookieCache:Re.z.boolean({description:"Disable cookie cache and fetch session from database"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let i=e.getCookie(e.context.authCookies.sessionData.name),o=i?Ro(Buffer.from(i,"base64").toString()):null;if(o&&!await to.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return M(e),e.json(null);let r=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let c=o.session;if(o.expiresAt<Date.now()||c.session.expiresAt<new Date){let u=e.context.authCookies.sessionData.name;e.setCookie(u,"",{maxAge:0})}else return e.json(c)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return M(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(r)return e.json(n);let a=e.context.sessionConfig.expiresIn,s=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-a*1e3+s*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:I(e.context.sessionConfig.expiresIn,"sec")});if(!c)return M(e),e.json(null,{status:401});let l=(c.expiresAt.valueOf()-Date.now())/1e3;return await m(e,{session:c,user:n.user},!1,{maxAge:l}),e.json({session:c,user:n.user})}return e.json(n)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new se.APIError("INTERNAL_SERVER_ERROR",{message:"internal server error"})}}),U=async e=>{if(e.context.session)return e.context.session;let t=await Uo()({...e,_flag:"json",headers:e.headers});return e.context.session=t,t},v=R(async e=>{let t=await U(e);if(!t?.session)throw new se.APIError("UNAUTHORIZED");return{session:t}}),Ve=R(async e=>{let t=await U(e);if(!t?.session)throw new se.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let i=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),r=Date.now();if(!(o+i*1e3>r))throw new se.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:t}}),Bi=()=>K("/list-sessions",{method:"GET",use:[v],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let i=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(o=>o.expiresAt>new Date);return e.json(i)}),ji=K("/revoke-session",{method:"POST",body:Re.z.object({token:Re.z.string({description:"The token to revoke"})}),use:[v],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,i=await e.context.internalAdapter.findSession(t);if(!i)throw new se.APIError("BAD_REQUEST",{message:"Session not found"});if(i.session.userId!==e.context.session.user.id)throw new se.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new se.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Ni=K("/revoke-sessions",{method:"POST",use:[v],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new se.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),_i=K("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[v],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new se.APIError("UNAUTHORIZED");let r=(await e.context.internalAdapter.listSessions(t.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(r.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function ue(e,t,i){return await(0,Ko.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:i},{expiresIn:new Li.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var Fi=K("/send-verification-email",{method:"POST",query:Y.z.object({currentURL:Y.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:Y.z.object({email:Y.z.string({description:"The email to send the verification email to"}).email(),callbackURL:Y.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Me.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,i=await e.context.internalAdapter.findUserByEmail(t);if(!i)throw new Me.APIError("BAD_REQUEST",{message:"User not found"});let o=await ue(e.context.secret,t),r=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:r,token:o},e.request),e.json({status:!0})}),qi=K("/verify-email",{method:"GET",query:Y.z.object({token:Y.z.string({description:"The token to verify the email"}),callbackURL:Y.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(s){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${s}`):new Me.APIError("UNAUTHORIZED",{message:s})}let{token:i}=e.query,o;try{o=await(0,Ko.validateJWT)("HS256",Buffer.from(e.context.secret),i)}catch(s){return e.context.logger.error("Failed to verify email",s),t("invalid_token")}let n=Y.z.object({email:Y.z.string().email(),updateTo:Y.z.string().optional()}).parse(o.payload),a=await e.context.internalAdapter.findUserByEmail(n.email);if(!a)return t("user_not_found");if(n.updateTo){let s=await U(e);if(!s){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(s.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let A=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:A,url:`${e.context.baseURL}/verify-email?token=${i}`,token:i},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:A,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await U(e)){let A=await e.context.internalAdapter.createSession(a.user.id,e.request);if(!A)throw new Me.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await m(e,{session:A,user:a.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});var H=require("better-call");var Vi=require("better-call");var yr=R(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:i,context:o}=e,r=e.headers?.get("origin")||e.headers?.get("referer")||"",n=t?.callbackURL||i?.callbackURL,a=t?.redirectTo,s=i?.currentURL,A=o.trustedOrigins,d=e.headers?.has("cookie"),c=(u,p)=>p.includes("*")?new RegExp("^"+p.replace(/\*/g,"[^/]+").replace(/\./g,"\\.")+"$").test(u):u.startsWith(p),l=(u,p)=>{if(!u)return;if(!A.some(k=>c(u,k)||u?.startsWith("/")&&p!=="origin"&&!u.includes(":")))throw e.context.logger.error(`Invalid ${p}: ${u}`),e.context.logger.info(`If it's a valid URL, please add ${u} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${A}`),new Vi.APIError("FORBIDDEN",{message:`Invalid ${p}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&l(r,"origin"),n&&l(n,"callbackURL"),a&&l(a,"redirectURL"),s&&l(s,"currentURL")});var Mi=K("/ok",{method:"GET",metadata:{...we,openapi:{description:"Check if the API is working",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{ok:{type:"boolean"}}}}}}}}}},async e=>e.json({ok:!0}));var Ce=require("zod");var ae=require("better-call");var w=require("zod"),va=w.z.object({id:w.z.string(),providerId:w.z.string(),accountId:w.z.string(),userId:w.z.string(),accessToken:w.z.string().nullish(),refreshToken:w.z.string().nullish(),idToken:w.z.string().nullish(),accessTokenExpiresAt:w.z.date().nullish(),refreshTokenExpiresAt:w.z.date().nullish(),scope:w.z.string().nullish(),password:w.z.string().nullish(),createdAt:w.z.date().default(()=>new Date),updatedAt:w.z.date().default(()=>new Date)}),ka=w.z.object({id:w.z.string(),email:w.z.string().transform(e=>e.toLowerCase()),emailVerified:w.z.boolean().default(!1),name:w.z.string(),image:w.z.string().nullish(),createdAt:w.z.date().default(()=>new Date),updatedAt:w.z.date().default(()=>new Date)}),Ta=w.z.object({id:w.z.string(),userId:w.z.string(),expiresAt:w.z.date(),createdAt:w.z.date().default(()=>new Date),updatedAt:w.z.date().default(()=>new Date),token:w.z.string(),ipAddress:w.z.string().nullish(),userAgent:w.z.string().nullish()}),Oa=w.z.object({id:w.z.string(),value:w.z.string(),createdAt:w.z.date().default(()=>new Date),updatedAt:w.z.date().default(()=>new Date),expiresAt:w.z.date(),identifier:w.z.string()});function wr(e,t){let i={...t==="user"?e.user?.additionalFields:{},...t==="session"?e.session?.additionalFields:{}};for(let o of e.plugins||[])o.schema&&o.schema[t]&&(i={...i,...o.schema[t].fields});return i}function Cr(e,t){let i=t.action||"create",o=t.fields,r={};for(let n in o){if(n in e){if(o[n].input===!1){if(o[n].defaultValue){r[n]=o[n].defaultValue;continue}continue}r[n]=e[n];continue}if(o[n].defaultValue&&i==="create"){r[n]=o[n].defaultValue;continue}}return r}function co(e,t,i){let o=wr(e,"user");return Cr(t||{},{fields:o,action:i})}function ee(e,t){if(!t)return e;for(let i in t){let o=t[i]?.modelName;o&&(e[i].modelName=o);for(let r in e[i].fields){let n=t[i]?.fields?.[r];n&&(e[i].fields[r].fieldName=n)}}return e}var Hi=()=>K("/sign-up/email",{method:"POST",query:Ce.z.object({currentURL:Ce.z.string().optional()}).optional(),body:Ce.z.record(Ce.z.string(),Ce.z.any()),metadata:{openapi:{description:"Sign up a user using email and password",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},email:{type:"string",description:"The email of the user"},password:{type:"string",description:"The password of the user"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["name","email","password"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},session:{type:"object"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.enabled)throw new ae.APIError("BAD_REQUEST",{message:"Email and password sign up is not enabled"});let t=e.body,{name:i,email:o,password:r,image:n,callbackURL:a,...s}=t;if(!Ce.z.string().email().safeParse(o).success)throw new ae.APIError("BAD_REQUEST",{message:"Invalid email"});let d=e.context.password.config.minPasswordLength;if(r.length<d)throw e.context.logger.error("Password is too short"),new ae.APIError("BAD_REQUEST",{message:"Password is too short"});let c=e.context.password.config.maxPasswordLength;if(r.length>c)throw e.context.logger.error("Password is too long"),new ae.APIError("BAD_REQUEST",{message:"Password is too long"});if((await e.context.internalAdapter.findUserByEmail(o))?.user)throw e.context.logger.info(`Sign-up attempt for existing email: ${o}`),new ae.APIError("UNPROCESSABLE_ENTITY",{message:"User with this email already exists"});let u=co(e.context.options,s),p;try{if(p=await e.context.internalAdapter.createUser({email:o.toLowerCase(),name:i,image:n,...u,emailVerified:!1}),!p)throw new ae.APIError("BAD_REQUEST",{message:"Failed to create user"})}catch(f){throw e.context.logger.error("Failed to create user",f),new ae.APIError("UNPROCESSABLE_ENTITY",{message:"Failed to create user",details:f})}if(!p)throw new ae.APIError("UNPROCESSABLE_ENTITY",{message:"Failed to create user"});let h=await e.context.password.hash(r);if(await e.context.internalAdapter.linkAccount({userId:p.id,providerId:"credential",accountId:p.id,password:h}),e.context.options.emailVerification?.sendOnSignUp){let f=await ue(e.context.secret,p.email),g=`${e.context.baseURL}/verify-email?token=${f}&callbackURL=${t.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:p,url:g,token:f},e.request)}if(!e.context.options.emailAndPassword.autoSignIn||e.context.options.emailAndPassword.requireEmailVerification)return e.json({user:p,session:null});let k=await e.context.internalAdapter.createSession(p.id,e.request);if(!k)throw new ae.APIError("BAD_REQUEST",{message:"Failed to create session"});return await m(e,{session:k,user:p}),e.json({user:p,session:k})});var br=(e="Unknown")=>`<!DOCTYPE html>
1
+ "use strict";var or=Object.create;var oo=Object.defineProperty;var ir=Object.getOwnPropertyDescriptor;var tr=Object.getOwnPropertyNames;var rr=Object.getPrototypeOf,nr=Object.prototype.hasOwnProperty;var sr=(e,t)=>{for(var i in t)oo(e,i,{get:t[i],enumerable:!0})},Jo=(e,t,i,o)=>{if(t&&typeof t=="object"||typeof t=="function")for(let r of tr(t))!nr.call(e,r)&&r!==i&&oo(e,r,{get:()=>t[r],enumerable:!(o=ir(t,r))||o.enumerable});return e};var Xo=(e,t,i)=>(i=e!=null?or(rr(e)):{},Jo(t||!e||!e.__esModule?oo(i,"default",{value:e,enumerable:!0}):i,e)),ar=e=>Jo(oo({},"__esModule",{value:!0}),e);var fn={};sr(fn,{HIDE_METADATA:()=>we,admin:()=>on,anonymous:()=>en,bearer:()=>Zr,createAuthEndpoint:()=>K,createAuthMiddleware:()=>R,customSession:()=>un,emailOTP:()=>An,genericOAuth:()=>nn,getPasskeyActions:()=>Ft,jwt:()=>sn,magicLink:()=>Wr,multiSession:()=>an,oAuthProxy:()=>cn,oneTap:()=>dn,openAPI:()=>mn,optionsMiddleware:()=>bo,organization:()=>Sr,passkey:()=>Qr,passkeyClient:()=>Hr,phoneNumber:()=>Jr,twoFactor:()=>Vr,twoFactorClient:()=>Fr,username:()=>Ho});module.exports=ar(fn);var Do=require("better-call"),Se=require("zod");var ye=require("better-call"),bo=(0,ye.createMiddleware)(async()=>({})),R=(0,ye.createMiddlewareCreator)({use:[bo,(0,ye.createMiddleware)(async()=>({}))]}),K=(0,ye.createEndpointCreator)({use:[bo]});var F=require("better-call"),x=require("zod");var lr=require("oslo"),ei=require("oslo/encoding");var io=require("oslo/crypto");async function dr({value:e,secret:t}){return new io.HMAC("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function Kr({value:e,signature:t,secret:i}){return new io.HMAC("SHA-256").verify(new TextEncoder().encode(i),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var to={sign:dr,verify:Kr};var X=class extends Error{constructor(t,i){super(t),this.name="BetterAuthError",this.message=t,this.cause=i,this.stack=""}};var I=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));var ro=Object.create(null),Fe=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?ro:globalThis),re=new Proxy(ro,{get(e,t){return Fe()[t]??ro[t]},has(e,t){let i=Fe();return t in i||t in ro},set(e,t,i){let o=Fe(!0);return o[t]=i,!0},deleteProperty(e,t){if(!t)return!1;let i=Fe(!0);return delete i[t],!0},ownKeys(){let e=Fe(!0);return Object.keys(e)}});function cr(e){return e?e!=="false":!1}var vo=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var Yo=vo==="dev"||vo==="development",ur=vo==="test"||cr(re.TEST);function no(e){let t=new Map;return e.split(", ").forEach(o=>{let r=o.split(";").map(l=>l.trim()),[n,...a]=r,[s,...A]=n.split("="),d=A.join("=");if(!s||d===void 0){console.warn(`Malformed cookie: ${o}`);return}let c={value:d};a.forEach(l=>{let[u,...p]=l.split("="),h=p.join("="),k=u.trim().toLowerCase();switch(k){case"max-age":c["max-age"]=h?parseInt(h.trim(),10):void 0;break;case"expires":c.expires=h?new Date(h.trim()):void 0;break;case"domain":c.domain=h?h.trim():void 0;break;case"path":c.path=h?h.trim():void 0;break;case"secure":c.secure=!0;break;case"httponly":c.httponly=!0;break;case"samesite":c.samesite=h?h.trim().toLowerCase():void 0;break;default:c[k]=h?h.trim():!0;break}}),t.set(s,c)}),t}async function m(e,t,i,o){let r=e.context.authCookies.sessionToken.options,n=i?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...r,maxAge:n,...o}),i&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(ei.base64url.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:I(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await to.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function M(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}function Ve(e){let t=e.split("; "),i=new Map;return t.forEach(o=>{let[r,n]=o.split("=");i.set(r,n)}),i}var si=require("@better-fetch/fetch"),ai=require("better-call"),Ie=require("jose"),Ai=require("oslo/jwt");var oi=require("oslo/crypto"),ii=require("oslo/encoding");async function ti(e){let t=await(0,oi.sha256)(new TextEncoder().encode(e));return ii.base64url.encode(new Uint8Array(t),{includePadding:!1})}function ri(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?I(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function P({id:e,options:t,authorizationEndpoint:i,state:o,codeVerifier:r,scopes:n,claims:a,redirectURI:s}){let A=new URL(i);if(A.searchParams.set("response_type","code"),A.searchParams.set("client_id",t.clientId),A.searchParams.set("state",o),A.searchParams.set("scope",n.join(" ")),A.searchParams.set("redirect_uri",t.redirectURI||s),r){let d=await ti(r);A.searchParams.set("code_challenge_method","S256"),A.searchParams.set("code_challenge",d)}if(a){let d=a.reduce((c,l)=>(c[l]=null,c),{});A.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return A}var ni=require("@better-fetch/fetch");async function O({code:e,codeVerifier:t,redirectURI:i,options:o,tokenEndpoint:r,authentication:n}){let a=new URLSearchParams,s={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(a.set("grant_type","authorization_code"),a.set("code",e),t&&a.set("code_verifier",t),a.set("redirect_uri",i),n==="basic"){let l=btoa(`${o.clientId}:${o.clientSecret}`);s.authorization=`Basic ${l}`}else a.set("client_id",o.clientId),a.set("client_secret",o.clientSecret);let{data:A,error:d}=await(0,ni.betterFetch)(r,{method:"POST",body:a,headers:s});if(d)throw d;return ri(A)}var so=require("oslo/oauth2"),ce=require("zod"),ko=require("better-call");function Te(e){try{return new URL(e).origin}catch{return null}}async function Oe(e,t){let i=e.body?.callbackURL||(e.query?.currentURL?Te(e.query?.currentURL):"")||e.context.options.baseURL;if(!i)throw new ko.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,so.generateCodeVerifier)(),r=(0,so.generateState)(),n=JSON.stringify({callbackURL:i,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let s=await e.context.internalAdapter.createVerificationValue({value:n,identifier:r,expiresAt:a});if(!s)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new ko.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:s.identifier,codeVerifier:o}}async function ao(e){let t=e.query.state||e.body.state,i=await e.context.internalAdapter.findVerificationValue(t);if(!i)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=ce.z.object({callbackURL:ce.z.string(),codeVerifier:ce.z.string(),errorURL:ce.z.string().optional(),expiresAt:ce.z.number(),link:ce.z.object({email:ce.z.string(),userId:ce.z.string()}).optional()}).parse(JSON.parse(i.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(i.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(i.id),o}var di=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:i,scopes:o,redirectURI:r}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${r||e.redirectURI}&scope=${n.join(" ")}&state=${i}&response_mode=form_post`)},validateAuthorizationCode:async({code:i,codeVerifier:o,redirectURI:r})=>O({code:i,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:t}),async verifyIdToken(i,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(i,o);let r=(0,Ie.decodeProtectedHeader)(i),{kid:n,alg:a}=r;if(!n||!a)return!1;let s=await pr(n),{payload:A}=await(0,Ie.jwtVerify)(i,s,{algorithms:[a],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{A[d]!==void 0&&(A[d]=!!A[d])}),o&&A.nonce!==o?!1:!!A},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let o=(0,Ai.parseJWT)(i.idToken)?.payload;if(!o)return null;let r=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email;return{user:{id:o.sub,name:r,emailVerified:!1,email:o.email},data:o}}}},pr=async e=>{let t="https://appleid.apple.com",i="/auth/keys",{data:o}=await(0,si.betterFetch)(`${t}${i}`);if(!o?.keys)throw new ai.APIError("BAD_REQUEST",{message:"Keys not found"});let r=o.keys.find(n=>n.kid===e);if(!r)throw new Error(`JWK with kid ${e} not found`);return await(0,Ie.importJWK)(r,r.alg)};var Ki=require("@better-fetch/fetch");var ci=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["identify","email"];return e.scope&&r.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${r.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await(0,Ki.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(i.avatar===null){let r=i.discriminator==="0"?Number(BigInt(i.id)>>BigInt(22))%6:parseInt(i.discriminator)%5;i.image_url=`https://cdn.discordapp.com/embed/avatars/${r}.png`}else{let r=i.avatar.startsWith("a_")?"gif":"png";i.image_url=`https://cdn.discordapp.com/avatars/${i.id}/${i.avatar}.${r}`}return{user:{id:i.id,name:i.display_name||i.username||"",email:i.email,emailVerified:i.verified,image:i.image_url},data:i}}});var ui=require("@better-fetch/fetch");var li=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["email","public_profile"];return e.scope&&r.push(...e.scope),await P({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:r,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await(0,ui.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:i.id,name:i.name,email:i.email,image:i.picture.data.url,emailVerified:i.email_verified},data:i}}});var To=require("@better-fetch/fetch");var pi=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:i,scopes:o,codeVerifier:r,redirectURI:n}){let a=o||["user:email"];return e.scope&&a.push(...e.scope),P({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:i,redirectURI:n})},validateAuthorizationCode:async({code:i,redirectURI:o})=>O({code:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:o,error:r}=await(0,To.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${i.accessToken}`}});if(r)return null;let n=!1;if(!o.email){let{data:a,error:s}=await(0,To.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${i.accessToken}`,"User-Agent":"better-auth"}});s||(o.email=(a.find(A=>A.primary)??a[0])?.email,n=a.find(A=>A.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n},data:o}}}};var fi=require("oslo/jwt");var gi=require("consola"),Oo=["info","success","warn","error","debug"];function gr(e,t){return Oo.indexOf(t)<=Oo.indexOf(e)}var mr=(0,gi.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),mi=e=>{let t=e?.disabled!==!0,i=e?.level??"error",o=(r,n,a=[])=>{if(!(!t||!gr(i,r))){if(!e||typeof e.log!="function"){mr[r]("",n,...a);return}e.log(r==="success"?"info":r,n,a)}};return Object.fromEntries(Oo.map(r=>[r,(...[n,...a])=>o(r,n,a)]))},G=mi();var hi=require("@better-fetch/fetch"),yi=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:i,codeVerifier:o,redirectURI:r}){if(!e.clientId||!e.clientSecret)throw G.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new X("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new X("codeVerifier is required for Google");let n=i||["email","profile","openid"];e.scope&&n.push(...e.scope);let a=await P({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:t,codeVerifier:o,redirectURI:r});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,i){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,i);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:r}=await(0,hi.betterFetch)(o);return r?r.aud===e.clientId&&r.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let i=(0,fi.parseJWT)(t.idToken)?.payload;return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:i.email_verified},data:i}}});var wi=require("@better-fetch/fetch"),Ci=require("oslo/jwt");var bi=e=>{let t=e.tenantId||"common",i=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(r){let n=r.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),P({id:"microsoft",options:e,authorizationEndpoint:i,state:r.state,codeVerifier:r.codeVerifier,scopes:n,redirectURI:r.redirectURI})},validateAuthorizationCode({code:r,codeVerifier:n,redirectURI:a}){return O({code:r,codeVerifier:n,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:o})},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let n=(0,Ci.parseJWT)(r.idToken)?.payload,a=e.profilePhotoSize||48;return await(0,wi.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${r.accessToken}`},async onResponse(s){if(!(e.disableProfilePhoto||!s.response.ok))try{let d=await s.response.clone().arrayBuffer(),c=Buffer.from(d).toString("base64");n.picture=`data:image/jpeg;base64, ${c}`}catch(A){G.error(A&&typeof A=="object"&&"name"in A?A.name:"",A)}}}),{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0},data:n}}}};var vi=require("@better-fetch/fetch");var ki=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:i,codeVerifier:o,redirectURI:r}){let n=i||["user-read-email"];return e.scope&&n.push(...e.scope),P({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:t,codeVerifier:o,redirectURI:r})},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await(0,vi.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:i.id,name:i.display_name,email:i.email,image:i.images[0]?.url,emailVerified:!1},data:i}}});var we={isAction:!1};var Ti=require("nanoid"),L=e=>(0,Ti.nanoid)(e);var Oi=require("oslo/jwt");var Ii=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:i,redirectURI:o}){let r=i||["user:read:email","openid"];return e.scope&&r.push(...e.scope),P({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:r,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:i})=>O({code:t,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let i=t.idToken;if(!i)return G.error("No idToken found in token"),null;let o=(0,Oi.parseJWT)(i)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});var Ri=require("@better-fetch/fetch");var Ui=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let i=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&i.push(...e.scope),P({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:i,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:i,redirectURI:o})=>O({code:t,codeVerifier:i,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:i,error:o}=await(0,Ri.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:i.data.id,name:i.data.name,email:i.data.email||null,image:i.data.profile_image_url,emailVerified:i.data.verified||!1},data:i}}});var Ei=require("@better-fetch/fetch");var Pi=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:i,scopes:o,codeVerifier:r,redirectURI:n})=>{let a=o||["account_info.read"];return e.scope&&a.push(...e.scope),await P({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:i,redirectURI:n,codeVerifier:r})},validateAuthorizationCode:async({code:i,codeVerifier:o,redirectURI:r})=>await O({code:i,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:t}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:o,error:r}=await(0,Ei.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${i.accessToken}`}});return r?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};var Si=require("@better-fetch/fetch");var Di=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",i="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:r,redirectURI:n})=>{let a=r||["profile","email","openid"];return e.scope&&a.push(...e.scope),await P({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:r})=>await O({code:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:i}),async getUserInfo(o){let{data:r,error:n}=await(0,Si.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return n?null:{user:{id:r.sub,name:r.name,email:r.email,emailVerified:r.email_verified||!1,image:r.picture},data:r}}}};var xi=require("@better-fetch/fetch");var Io=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),fr=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:Io(`${t}/oauth/authorize`),tokenEndpoint:Io(`${t}/oauth/token`),userinfoEndpoint:Io(`${t}/api/v4/user`)}},zi=e=>{let{authorizationEndpoint:t,tokenEndpoint:i,userinfoEndpoint:o}=fr(e.issuer),r="gitlab";return{id:r,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:s,codeVerifier:A,redirectURI:d})=>{let c=s||["read_user"];return e.scope&&c.push(...e.scope),await P({id:r,options:e,authorizationEndpoint:t,scopes:c,state:a,redirectURI:d,codeVerifier:A})},validateAuthorizationCode:async({code:a,redirectURI:s,codeVerifier:A})=>O({code:a,redirectURI:e.redirectURI||s,options:e,codeVerifier:A,tokenEndpoint:i}),async getUserInfo(a){if(e.getUserInfo)return e.getUserInfo(a);let{data:s,error:A}=await(0,xi.betterFetch)(o,{headers:{authorization:`Bearer ${a.accessToken}`}});return A||s.state!=="active"||s.locked?null:{user:{id:s.id.toString(),name:s.name??s.username,email:s.email,image:s.avatar_url,emailVerified:!0},data:s}}}};var hr={apple:di,discord:ci,facebook:li,github:pi,microsoft:bi,google:yi,spotify:ki,twitch:Ii,twitter:Ui,dropbox:Pi,linkedin:Di,gitlab:zi},Ao=Object.keys(hr);var Li=require("oslo"),Ko=require("oslo/jwt"),Y=require("zod");var Me=require("better-call");var se=require("better-call");var Re=require("zod");function Ro(e){try{return JSON.parse(e)}catch{return null}}var Uo=()=>K("/get-session",{method:"GET",query:Re.z.optional(Re.z.object({disableCookieCache:Re.z.boolean({description:"Disable cookie cache and fetch session from database"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let i=e.getCookie(e.context.authCookies.sessionData.name),o=i?Ro(Buffer.from(i,"base64").toString()):null;if(o&&!await to.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return M(e),e.json(null);let r=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let c=o.session;if(o.expiresAt<Date.now()||c.session.expiresAt<new Date){let u=e.context.authCookies.sessionData.name;e.setCookie(u,"",{maxAge:0})}else return e.json(c)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return M(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(r)return e.json(n);let a=e.context.sessionConfig.expiresIn,s=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-a*1e3+s*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:I(e.context.sessionConfig.expiresIn,"sec")});if(!c)return M(e),e.json(null,{status:401});let l=(c.expiresAt.valueOf()-Date.now())/1e3;return await m(e,{session:c,user:n.user},!1,{maxAge:l}),e.json({session:c,user:n.user})}return e.json(n)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new se.APIError("INTERNAL_SERVER_ERROR",{message:"internal server error"})}}),U=async e=>{if(e.context.session)return e.context.session;let t=await Uo()({...e,_flag:"json",headers:e.headers});return e.context.session=t,t},v=R(async e=>{let t=await U(e);if(!t?.session)throw new se.APIError("UNAUTHORIZED");return{session:t}}),qe=R(async e=>{let t=await U(e);if(!t?.session)throw new se.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let i=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),r=Date.now();if(!(o+i*1e3>r))throw new se.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:t}}),Bi=()=>K("/list-sessions",{method:"GET",use:[v],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let i=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(o=>o.expiresAt>new Date);return e.json(i)}),ji=K("/revoke-session",{method:"POST",body:Re.z.object({token:Re.z.string({description:"The token to revoke"})}),use:[v],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,i=await e.context.internalAdapter.findSession(t);if(!i)throw new se.APIError("BAD_REQUEST",{message:"Session not found"});if(i.session.userId!==e.context.session.user.id)throw new se.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new se.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Ni=K("/revoke-sessions",{method:"POST",use:[v],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new se.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),_i=K("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[v],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new se.APIError("UNAUTHORIZED");let r=(await e.context.internalAdapter.listSessions(t.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(r.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function ue(e,t,i){return await(0,Ko.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:i},{expiresIn:new Li.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var Fi=K("/send-verification-email",{method:"POST",query:Y.z.object({currentURL:Y.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:Y.z.object({email:Y.z.string({description:"The email to send the verification email to"}).email(),callbackURL:Y.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Me.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,i=await e.context.internalAdapter.findUserByEmail(t);if(!i)throw new Me.APIError("BAD_REQUEST",{message:"User not found"});let o=await ue(e.context.secret,t),r=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:r,token:o},e.request),e.json({status:!0})}),Vi=K("/verify-email",{method:"GET",query:Y.z.object({token:Y.z.string({description:"The token to verify the email"}),callbackURL:Y.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(s){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${s}`):new Me.APIError("UNAUTHORIZED",{message:s})}let{token:i}=e.query,o;try{o=await(0,Ko.validateJWT)("HS256",Buffer.from(e.context.secret),i)}catch(s){return e.context.logger.error("Failed to verify email",s),t("invalid_token")}let n=Y.z.object({email:Y.z.string().email(),updateTo:Y.z.string().optional()}).parse(o.payload),a=await e.context.internalAdapter.findUserByEmail(n.email);if(!a)return t("user_not_found");if(n.updateTo){let s=await U(e);if(!s){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(s.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let A=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:A,url:`${e.context.baseURL}/verify-email?token=${i}`,token:i},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:A,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await U(e)){let A=await e.context.internalAdapter.createSession(a.user.id,e.request);if(!A)throw new Me.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await m(e,{session:A,user:a.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});var H=require("better-call");var qi=require("better-call");var yr=R(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:i,context:o}=e,r=e.headers?.get("origin")||e.headers?.get("referer")||"",n=t?.callbackURL||i?.callbackURL,a=t?.redirectTo,s=i?.currentURL,A=o.trustedOrigins,d=e.headers?.has("cookie"),c=(u,p)=>p.includes("*")?new RegExp("^"+p.replace(/\*/g,"[^/]+").replace(/\./g,"\\.")+"$").test(u):u.startsWith(p),l=(u,p)=>{if(!u)return;if(!A.some(k=>c(u,k)||u?.startsWith("/")&&p!=="origin"&&!u.includes(":")))throw e.context.logger.error(`Invalid ${p}: ${u}`),e.context.logger.info(`If it's a valid URL, please add ${u} to trustedOrigins in your auth config
2
+ `,`Current list of trustedOrigins: ${A}`),new qi.APIError("FORBIDDEN",{message:`Invalid ${p}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&l(r,"origin"),n&&l(n,"callbackURL"),a&&l(a,"redirectURL"),s&&l(s,"currentURL")});var Mi=K("/ok",{method:"GET",metadata:{...we,openapi:{description:"Check if the API is working",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{ok:{type:"boolean"}}}}}}}}}},async e=>e.json({ok:!0}));var Ce=require("zod");var ae=require("better-call");var w=require("zod"),va=w.z.object({id:w.z.string(),providerId:w.z.string(),accountId:w.z.string(),userId:w.z.string(),accessToken:w.z.string().nullish(),refreshToken:w.z.string().nullish(),idToken:w.z.string().nullish(),accessTokenExpiresAt:w.z.date().nullish(),refreshTokenExpiresAt:w.z.date().nullish(),scope:w.z.string().nullish(),password:w.z.string().nullish(),createdAt:w.z.date().default(()=>new Date),updatedAt:w.z.date().default(()=>new Date)}),ka=w.z.object({id:w.z.string(),email:w.z.string().transform(e=>e.toLowerCase()),emailVerified:w.z.boolean().default(!1),name:w.z.string(),image:w.z.string().nullish(),createdAt:w.z.date().default(()=>new Date),updatedAt:w.z.date().default(()=>new Date)}),Ta=w.z.object({id:w.z.string(),userId:w.z.string(),expiresAt:w.z.date(),createdAt:w.z.date().default(()=>new Date),updatedAt:w.z.date().default(()=>new Date),token:w.z.string(),ipAddress:w.z.string().nullish(),userAgent:w.z.string().nullish()}),Oa=w.z.object({id:w.z.string(),value:w.z.string(),createdAt:w.z.date().default(()=>new Date),updatedAt:w.z.date().default(()=>new Date),expiresAt:w.z.date(),identifier:w.z.string()});function wr(e,t){let i={...t==="user"?e.user?.additionalFields:{},...t==="session"?e.session?.additionalFields:{}};for(let o of e.plugins||[])o.schema&&o.schema[t]&&(i={...i,...o.schema[t].fields});return i}function Cr(e,t){let i=t.action||"create",o=t.fields,r={};for(let n in o){if(n in e){if(o[n].input===!1){if(o[n].defaultValue){r[n]=o[n].defaultValue;continue}continue}r[n]=e[n];continue}if(o[n].defaultValue&&i==="create"){r[n]=o[n].defaultValue;continue}}return r}function co(e,t,i){let o=wr(e,"user");return Cr(t||{},{fields:o,action:i})}function ee(e,t){if(!t)return e;for(let i in t){let o=t[i]?.modelName;o&&(e[i].modelName=o);for(let r in e[i].fields){let n=t[i]?.fields?.[r];n&&(e[i].fields[r].fieldName=n)}}return e}var Hi=()=>K("/sign-up/email",{method:"POST",query:Ce.z.object({currentURL:Ce.z.string().optional()}).optional(),body:Ce.z.record(Ce.z.string(),Ce.z.any()),metadata:{openapi:{description:"Sign up a user using email and password",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},email:{type:"string",description:"The email of the user"},password:{type:"string",description:"The password of the user"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["name","email","password"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},session:{type:"object"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.enabled)throw new ae.APIError("BAD_REQUEST",{message:"Email and password sign up is not enabled"});let t=e.body,{name:i,email:o,password:r,image:n,callbackURL:a,...s}=t;if(!Ce.z.string().email().safeParse(o).success)throw new ae.APIError("BAD_REQUEST",{message:"Invalid email"});let d=e.context.password.config.minPasswordLength;if(r.length<d)throw e.context.logger.error("Password is too short"),new ae.APIError("BAD_REQUEST",{message:"Password is too short"});let c=e.context.password.config.maxPasswordLength;if(r.length>c)throw e.context.logger.error("Password is too long"),new ae.APIError("BAD_REQUEST",{message:"Password is too long"});if((await e.context.internalAdapter.findUserByEmail(o))?.user)throw e.context.logger.info(`Sign-up attempt for existing email: ${o}`),new ae.APIError("UNPROCESSABLE_ENTITY",{message:"User with this email already exists"});let u=co(e.context.options,s),p;try{if(p=await e.context.internalAdapter.createUser({email:o.toLowerCase(),name:i,image:n,...u,emailVerified:!1}),!p)throw new ae.APIError("BAD_REQUEST",{message:"Failed to create user"})}catch(f){throw e.context.logger.error("Failed to create user",f),new ae.APIError("UNPROCESSABLE_ENTITY",{message:"Failed to create user",details:f})}if(!p)throw new ae.APIError("UNPROCESSABLE_ENTITY",{message:"Failed to create user"});let h=await e.context.password.hash(r);if(await e.context.internalAdapter.linkAccount({userId:p.id,providerId:"credential",accountId:p.id,password:h}),e.context.options.emailVerification?.sendOnSignUp){let f=await ue(e.context.secret,p.email),g=`${e.context.baseURL}/verify-email?token=${f}&callbackURL=${t.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:p,url:g,token:f},e.request)}if(!e.context.options.emailAndPassword.autoSignIn||e.context.options.emailAndPassword.requireEmailVerification)return e.json({user:p,session:null});let k=await e.context.internalAdapter.createSession(p.id,e.request);if(!k)throw new ae.APIError("BAD_REQUEST",{message:"Failed to create session"});return await m(e,{session:k,user:p}),e.json({user:p,session:k})});var br=(e="Unknown")=>`<!DOCTYPE html>
3
3
  <html lang="en">
4
4
  <head>
5
5
  <meta charset="UTF-8">
@@ -79,8 +79,8 @@
79
79
  <div class="error-code">Error Code: <span id="errorCode">${e}</span></div>
80
80
  </div>
81
81
  </body>
82
- </html>`,Qi=K("/error",{method:"GET",metadata:{...we,openapi:{description:"Displays an error page",responses:{200:{description:"Success",content:{"text/html":{schema:{type:"string"}}}}}}}},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(br(t),{headers:{"Content-Type":"text/html"}})});var b=require("better-call");function Eo(e,t){let i=t.plugins?.reduce((s,A)=>({...s,...A.endpoints}),{}),o=t.plugins?.map(s=>s.middlewares?.map(A=>{let d=async c=>A.middleware({...c,context:{...e,...c.context}});return d.path=A.path,d.options=A.middleware.options,d.headers=A.middleware.headers,{path:A.path,middleware:d}})).filter(s=>s!==void 0).flat()||[],n={...{signInSocial:$i,callbackOAuth:Wi,getSession:Uo(),signOut:Gi,signUpEmail:Hi(),signInEmail:Zi,forgetPassword:Ji,resetPassword:Yi,verifyEmail:qi,sendVerificationEmail:Fi,changeEmail:rt,changePassword:ot,setPassword:it,updateUser:et(),deleteUser:tt,forgetPasswordCallback:Xi,listSessions:Bi(),revokeSession:ji,revokeSessions:Ni,revokeOtherSessions:_i,linkSocialAccount:st,listUserAccounts:nt},...i,ok:Mi,error:Qi},a={};for(let[s,A]of Object.entries(n))a[s]=async(d={})=>{A.headers=new Headers;let c={setHeader(f,g){A.headers.set(f,g)},setCookie(f,g,C){(0,H.setCookie)(A.headers,f,g,C)},getCookie(f,g){let T=d.headers?.get("cookie");return(0,H.getCookie)(T||"",f,g)},getSignedCookie(f,g,C){let T=d.headers;return T?(0,H.getSignedCookie)(T,g,f,C):null},async setSignedCookie(f,g,C,T){await(0,H.setSignedCookie)(A.headers,f,g,C,T)},redirect(f){return A.headers.set("Location",f),new H.APIError("FOUND")},responseHeader:A.headers},l=await e,u={...c,...d,path:A.path,context:{...l,...d.context,endpoint:A}};l.session=null;let p=t.plugins||[];for(let f of p){let g=f.hooks?.before??[];for(let C of g){if(!C.matcher(u))continue;let T=await C.handler(u);if(T&&"context"in T){u={...u,...T.context};continue}if(T)return T}}let h;try{h=await A(u)}catch(f){if(f instanceof H.APIError){let g=t.plugins?.map(C=>{if(C.hooks?.after)return C.hooks.after}).filter(C=>C!==void 0).flat();if(!g?.length)throw f.headers=A.headers,f;u.context.returned=f,u.context.returned.headers=A.headers;for(let C of g||[])if(C.matcher(u))try{let N=await C.handler(u);N&&"response"in N&&(u.context.returned=N.response)}catch(N){if(N instanceof H.APIError){u.context.returned=N;continue}throw N}if(u.context.returned instanceof H.APIError)throw u.context.returned.headers=A.headers,u.context.returned;return u.context.returned}throw f}u.context.returned=h,u.responseHeader=A.headers;for(let f of t.plugins||[])if(f.hooks?.after){for(let g of f.hooks.after)if(g.matcher(u))try{let T=await g.handler(u);T&&(u.context.returned=T)}catch(T){if(T instanceof H.APIError){u.context.returned=T;continue}throw T}}let k=u.context.returned;return k instanceof Response&&A.headers.forEach((f,g)=>{g==="set-cookie"?k.headers.append(g,f):k.headers.set(g,f)}),k},a[s].path=A.path,a[s].method=A.method,a[s].options=A.options,a[s].headers=A.headers;return{api:a,middlewares:o}}async function Ue(e,{userInfo:t,account:i,callbackURL:o}){let r=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(s=>{throw G.error(`Better auth was unable to query your database.
83
- Error: `,s),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=r?.user;if(r){let s=r.accounts.find(A=>A.providerId===i.providerId);if(s)await e.context.internalAdapter.updateAccount(s.id,{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt});else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(i.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Yo&&G.warn(`User already exist but account isn't linked to ${i.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:i.providerId,accountId:t.id.toString(),userId:r.user.id,accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope})}catch(c){return G.error("Unable to link account",c),{error:"unable to link account",data:null}}}}else try{let s=t.emailVerified||!1;if(n=await e.context.internalAdapter.createOAuthUser({...t,id:void 0,emailVerified:s,email:t.email.toLowerCase()},{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope,providerId:i.providerId,accountId:t.id.toString()}).then(A=>A?.user),!s&&n&&e.context.options.emailVerification?.sendOnSignUp){let A=await ue(e.context.secret,n.email),d=`${e.context.baseURL}/verify-email?token=${A}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:d,token:A},e.request)}}catch(s){return G.error("Unable to create user",s),{error:"unable to create user",data:null}}if(!n)return{error:"unable to create user",data:null};let a=await e.context.internalAdapter.createSession(n.id,e.request);return a?{data:{session:a,user:n},error:null}:{error:"unable to create session",data:null}}var $i=K("/sign-in/social",{method:"POST",query:x.z.object({currentURL:x.z.string().optional()}).optional(),body:x.z.object({callbackURL:x.z.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:x.z.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:x.z.enum(Ao,{description:"OAuth2 provider to use"}),disableRedirect:x.z.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:x.z.optional(x.z.object({token:x.z.string({description:"ID token from the provider"}),nonce:x.z.string({description:"Nonce used to generate the token"}).optional(),accessToken:x.z.string({description:"Access token from the provider"}).optional(),refreshToken:x.z.string({description:"Refresh token from the provider"}).optional(),expiresAt:x.z.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new F.APIError("NOT_FOUND",{message:"Provider not found"});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new F.APIError("NOT_FOUND",{message:"Provider does not support id token verification"});let{token:n,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(n,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new F.APIError("UNAUTHORIZED",{message:"Invalid id token"});let A=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!A||!A?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new F.APIError("UNAUTHORIZED",{message:"Failed to get user info"});if(!A.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new F.APIError("UNAUTHORIZED",{message:"User email not found"});let d=await Ue(e,{userInfo:{email:A.user.email,id:A.user.id,name:A.user.name||"",image:A.user.image,emailVerified:A.user.emailVerified||!1},account:{providerId:t.id,accountId:A.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new F.APIError("UNAUTHORIZED",{message:d.error});return await m(e,d.data),e.json({session:d.data.session,user:d.data.user,url:`${e.body.callbackURL||e.query?.currentURL||e.context.options.baseURL}`,redirect:!0})}let{codeVerifier:i,state:o}=await Oe(e),r=await t.createAuthorizationURL({state:o,codeVerifier:i,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:r.toString(),redirect:!e.body.disableRedirect})}),Zi=K("/sign-in/email",{method:"POST",body:x.z.object({email:x.z.string({description:"Email of the user"}),password:x.z.string({description:"Password of the user"}),callbackURL:x.z.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:x.z.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new F.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:i}=e.body;if(!x.z.string().email().safeParse(t).success)throw new F.APIError("BAD_REQUEST",{message:"Invalid email"});let r=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!r)throw await e.context.password.hash(i),e.context.logger.error("User not found",{email:t}),new F.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let n=r.accounts.find(d=>d.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new F.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let a=n?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new F.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(a,i))throw e.context.logger.error("Invalid password"),new F.APIError("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!r.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new F.APIError("UNAUTHORIZED",{message:"Email is not verified."});let d=await ue(e.context.secret,r.user.email),c=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:r.user,url:c,token:d},e.request),e.context.logger.error("Email not verified",{email:t}),new F.APIError("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let A=await e.context.internalAdapter.createSession(r.user.id,e.headers,e.body.rememberMe===!1);if(!A)throw e.context.logger.error("Failed to create session"),new F.APIError("UNAUTHORIZED",{message:"Failed to create session"});return await m(e,{session:A,user:r.user},e.body.rememberMe===!1),e.json({user:r.user,session:A,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var Ee=require("zod");var uo=Ee.z.object({code:Ee.z.string().optional(),error:Ee.z.string().optional(),errorMessage:Ee.z.string().optional(),state:Ee.z.string().optional()}),Wi=K("/callback/:id",{method:["GET","POST"],body:uo.optional(),query:uo.optional(),metadata:we},async e=>{let t;try{if(e.method==="GET")t=uo.parse(e.query);else if(e.method==="POST")t=uo.parse(e.body);else throw new Error("Unsupported method")}catch(g){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",g),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:i,error:o,state:r}=t;if(!r)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!i)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let n=e.context.socialProviders.find(g=>g.id===e.params.id);if(!n)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:s,link:A,errorURL:d}=await ao(e),c;try{c=await n.validateAuthorizationCode({code:i,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${n.id}`})}catch(g){throw e.context.logger.error("",g),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let l=await n.getUserInfo(c).then(g=>g?.user);function u(g){let C=d||s||`${e.context.baseURL}/error`;throw C.includes("?")?C=`${C}&error=${g}`:C=`${C}?error=${g}`,e.redirect(C)}if(!l)return e.context.logger.error("Unable to get user info"),u("unable_to_get_user_info");if(!l.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),u("email_not_found");if(!s)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(A){if(A.email!==l.email.toLowerCase())return u("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:A.userId,providerId:n.id,accountId:l.id}))return u("unable_to_link_account");let C;try{C=new URL(s).toString()}catch{C=s}throw e.redirect(C)}let p=await Ue(e,{userInfo:{id:l.id,email:l.email,name:l.name||"",image:l.image,emailVerified:l.emailVerified||!1},account:{providerId:n.id,accountId:l.id,...c,scope:c.scopes?.join(",")},callbackURL:s});if(p.error)return e.context.logger.error(p.error.split(" ").join("_")),u(p.error.split(" ").join("_"));let{session:h,user:k}=p.data;await m(e,{session:h,user:k});let f;try{f=new URL(s).toString()}catch{f=s}throw e.redirect(f)});var yA=require("zod");var at=require("better-call"),Gi=K("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw M(e),new at.APIError("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),M(e),e.json({success:!0})});var J=require("zod");var lo=require("better-call");function At(e,t,i){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}function kr(e,t,i){let o=new URL(t,e.baseURL);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}var Ji=K("/forget-password",{method:"POST",body:J.z.object({email:J.z.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:J.z.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new lo.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:i}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let r=60*60*1,n=I(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||r,"sec"),a=L(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:n});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${i}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:s,token:a},e.request),e.json({status:!0})}),Xi=K("/reset-password/:token",{method:"GET",query:J.z.object({callbackURL:J.z.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:i}=e.query;if(!t||!i)throw e.redirect(At(e.context,i,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(At(e.context,i,{error:"INVALID_TOKEN"})):e.redirect(kr(e.context,i,{token:t}))}),Yi=K("/reset-password",{query:J.z.optional(J.z.object({token:J.z.string().optional(),currentURL:J.z.string().optional()})),method:"POST",body:J.z.object({newPassword:J.z.string({description:"The new password to set"}),token:J.z.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new lo.APIError("BAD_REQUEST",{message:"Token not found"});let{newPassword:i}=e.body,o=`reset-password:${t}`,r=await e.context.internalAdapter.findVerificationValue(o);if(!r||r.expiresAt<new Date)throw new lo.APIError("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(r.id);let n=r.value,a=await e.context.password.hash(i);return(await e.context.internalAdapter.findAccounts(n)).find(d=>d.providerId==="credential")?(await e.context.internalAdapter.updatePassword(n,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:n,providerId:"credential",password:a,accountId:n}),e.json({status:!0}))});var _=require("zod");var Z=require("better-call");var et=()=>K("/update-user",{method:"POST",body:_.z.record(_.z.string(),_.z.any()),use:[v],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new Z.APIError("BAD_REQUEST",{message:"You can't update email"});let{name:i,image:o,...r}=t,n=e.context.session;if(!o&&!i&&Object.keys(r).length===0)return e.json({user:n.user});let a=co(e.context.options,r,"update"),s=await e.context.internalAdapter.updateUserByEmail(n.user.email,{name:i,image:o,...a});return await m(e,{session:n.session,user:s}),e.json({user:s})}),ot=K("/change-password",{method:"POST",body:_.z.object({newPassword:_.z.string({description:"The new password to set"}),currentPassword:_.z.string({description:"The current password"}),revokeOtherSessions:_.z.boolean({description:"Revoke all other sessions"}).optional()}),use:[v],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:i,revokeOtherSessions:o}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new Z.APIError("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new Z.APIError("BAD_REQUEST",{message:"Password too long"});let A=(await e.context.internalAdapter.findAccounts(r.user.id)).find(l=>l.providerId==="credential"&&l.password);if(!A||!A.password)throw new Z.APIError("BAD_REQUEST",{message:"User does not have a password"});let d=await e.context.password.hash(t);if(!await e.context.password.verify(A.password,i))throw new Z.APIError("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(A.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(r.user.id);let l=await e.context.internalAdapter.createSession(r.user.id,e.headers);if(!l)throw new Z.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await m(e,{session:l,user:r.user})}return e.json(r.user)}),it=K("/set-password",{method:"POST",body:_.z.object({newPassword:_.z.string()}),metadata:{SERVER_ONLY:!0},use:[v]},async e=>{let{newPassword:t}=e.body,i=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new Z.APIError("BAD_REQUEST",{message:"Password is too short"});let r=e.context.password.config.maxPasswordLength;if(t.length>r)throw e.context.logger.error("Password is too long"),new Z.APIError("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(A=>A.providerId==="credential"&&A.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:i.user.id,providerId:"credential",accountId:i.user.id,password:s}),e.json(i.user);throw new Z.APIError("BAD_REQUEST",{message:"user already has a password"})}),tt=K("/delete-user",{method:"POST",body:_.z.object({password:_.z.string({description:"The password of the user"})}),use:[Ve],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{let t=e.context.session;return await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),M(e),e.json(null)}),rt=K("/change-email",{method:"POST",query:_.z.object({currentURL:_.z.string().optional()}).optional(),body:_.z.object({newEmail:_.z.string({description:"The new email to set"}).email(),callbackURL:_.z.string({description:"The URL to redirect to after email verification"}).optional()}),use:[v],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new Z.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new Z.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new Z.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let r=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:r,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new Z.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let i=await ue(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${i}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:i},e.request),e.json({user:null,status:!0})});var Pe=require("zod");var Po=require("better-call");var nt=K("/list-accounts",{method:"GET",use:[v],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let t=e.context.session,i=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(i.map(o=>({id:o.id,provider:o.providerId})))}),st=K("/link-social",{method:"POST",requireHeaders:!0,query:Pe.z.object({currentURL:Pe.z.string().optional()}).optional(),body:Pe.z.object({callbackURL:Pe.z.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:Pe.z.enum(Ao,{description:"The OAuth2 provider to use"})}),use:[v],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new Po.APIError("BAD_REQUEST",{message:"Social Account is already linked."});let r=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!r)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new Po.APIError("NOT_FOUND",{message:"Provider not found"});let n=await Oe(e,{userId:t.user.id,email:t.user.email}),a=await r.createAuthorizationURL({state:n.state,codeVerifier:n.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${r.id}`});return e.json({url:a.toString(),redirect:!0})});var dt=(e,t)=>{let i={};for(let[o,r]of Object.entries(e))i[o]=n=>r({...n,context:{...t,...n.context}}),i[o].path=r.path,i[o].method=r.method,i[o].options=r.options,i[o].headers=r.headers;return i};function po(e){let t=e;return{newRole(i){return Tr(i)}}}function Tr(e){return{statements:e,authorize(t,i){for(let[o,r]of Object.entries(t)){let n=e[o];return n?(i==="OR"?r.some(s=>n.includes(s)):r.every(s=>n.includes(s)))?{success:!0}:{success:!1,error:`Unauthorized to access resource "${o}"`}:{success:!1,error:`You are not allowed to access resource: ${o}`}}return{success:!1,error:"Not authorized"}}}}var Or={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},So=po(Or),Ir=So.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),Rr=So.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),Ur=So.newRole({organization:[],member:[],invitation:[]}),Kt={admin:Ir,owner:Rr,member:Ur};var B=(e,t)=>{let i=e.adapter;return{findOrganizationBySlug:async o=>await i.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let r=await i.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),n=await i.create({model:"member",data:{organizationId:r.id,userId:o.user.id,createdAt:new Date,role:t?.creatorRole||"owner"}});return{...r,metadata:r.metadata?JSON.parse(r.metadata):void 0,members:[{...n,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let r=await i.findOne({model:"user",where:[{field:"email",value:o.email}]});if(!r)return null;let n=await i.findOne({model:"member",where:[{field:"organizationId",value:o.organizationId},{field:"userId",value:r.id}]});return n?{...n,user:{id:r.id,name:r.name,email:r.email,image:r.image}}:null},findMemberByOrgId:async o=>{let[r,n]=await Promise.all([await i.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await i.findOne({model:"user",where:[{field:"id",value:o.userId}]})]);return!n||!r?null:{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}},findMemberById:async o=>{let r=await i.findOne({model:"member",where:[{field:"id",value:o}]});if(!r)return null;let n=await i.findOne({model:"user",where:[{field:"id",value:r.userId}]});return n?{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}:null},createMember:async o=>await i.create({model:"member",data:o}),updateMember:async(o,r)=>await i.update({model:"member",where:[{field:"id",value:o}],update:{role:r}}),deleteMember:async o=>await i.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,r)=>await i.update({model:"organization",where:[{field:"id",value:o}],update:r}),deleteOrganization:async o=>(await i.delete({model:"member",where:[{field:"organizationId",value:o}]}),await i.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await i.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,r)=>await e.internalAdapter.updateSession(o,{activeOrganizationId:r}),findOrganizationById:async o=>await i.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async o=>{let[r,n,a]=await Promise.all([i.findOne({model:"organization",where:[{field:"id",value:o}]}),i.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),i.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!r)return null;let s=a.map(l=>l.userId),A=await i.findMany({model:"user",where:[{field:"id",value:s,operator:"in"}]}),d=new Map(A.map(l=>[l.id,l])),c=a.map(l=>{let u=d.get(l.userId);if(!u)throw new X("Unexpected error: User not found for member");return{...l,user:{id:u.id,name:u.name,email:u.email,image:u.image}}});return{...r,invitations:n,members:c}},listOrganizations:async o=>{let r=await i.findMany({model:"member",where:[{field:"userId",value:o}]});if(!r||r.length===0)return[];let n=r.map(s=>s.organizationId);return await i.findMany({model:"organization",where:[{field:"id",value:n,operator:"in"}]})},createInvitation:async({invitation:o,user:r})=>{let a=I(t?.invitationExpiresIn||1728e5);return await i.create({model:"invitation",data:{email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:r.id}})},findInvitationById:async o=>await i.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await i.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(n=>new Date(n.expiresAt)>new Date),updateInvitation:async o=>await i.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};var cd=require("better-call");var j=R(async e=>({})),q=R({use:[v]},async e=>({session:e.context.session}));var W=require("zod");var E=require("zod");var ct=E.z.string(),Er=E.z.enum(["pending","accepted","rejected","canceled"]).default("pending"),fd=E.z.object({id:E.z.string().default(L),name:E.z.string(),slug:E.z.string(),logo:E.z.string().nullish(),metadata:E.z.record(E.z.string()).or(E.z.string().transform(e=>JSON.parse(e))).nullish(),createdAt:E.z.date()}),hd=E.z.object({id:E.z.string().default(L),organizationId:E.z.string(),userId:E.z.string(),role:ct,createdAt:E.z.date()}),yd=E.z.object({id:E.z.string().default(L),organizationId:E.z.string(),email:E.z.string(),role:ct,status:Er,inviterId:E.z.string(),expiresAt:E.z.date()});var z=require("better-call"),ut=e=>K("/organization/invite-member",{method:"POST",use:[j,q],body:W.z.object({email:W.z.string({description:"The email address of the user to invite"}),role:W.z.string({description:"The role to assign to the user"}),organizationId:W.z.string({description:"The organization ID to invite the user to"}).optional(),resend:W.z.boolean({description:"Resend the invitation email, if the user is already invited"}).optional()}),metadata:{openapi:{description:"Invite a user to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt"]}}}}}}}},async t=>{if(!t.context.orgOptions.sendInvitationEmail)throw t.context.logger.warn("Invitation email is not enabled. Pass `sendInvitationEmail` to the plugin options to enable it."),new z.APIError("BAD_REQUEST",{message:"Invitation email is not enabled"});let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)throw new z.APIError("BAD_REQUEST",{message:"Organization not found"});let r=B(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)throw new z.APIError("BAD_REQUEST",{message:"Member not found!"});let a=t.context.roles[n.role];if(!a)throw new z.APIError("BAD_REQUEST",{message:"Role not found!"});if(a.authorize({invitation:["create"]}).error)throw new z.APIError("FORBIDDEN",{message:"You are not allowed to invite members"});if(await r.findMemberByEmail({email:t.body.email,organizationId:o}))throw new z.APIError("BAD_REQUEST",{message:"User is already a member of this organization"});if((await r.findPendingInvitation({email:t.body.email,organizationId:o})).length&&!t.body.resend)throw new z.APIError("BAD_REQUEST",{message:"User is already invited to this organization"});let c=await r.createInvitation({invitation:{role:t.body.role,email:t.body.email,organizationId:o},user:i.user}),l=await r.findOrganizationById(o);if(!l)throw new z.APIError("BAD_REQUEST",{message:"Organization not found"});return await t.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:i.user}},t.request),t.json(c)}),lt=K("/organization/accept-invitation",{method:"POST",body:W.z.object({invitationId:W.z.string({description:"The ID of the invitation to accept"})}),use:[j,q],metadata:{openapi:{description:"Accept an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"object"}}}}}}}}}},async e=>{let t=e.context.session,i=B(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new z.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new z.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),n=await i.createMember({organizationId:o.organizationId,userId:t.user.id,role:o.role,createdAt:new Date});return await i.setActiveOrganization(t.session.token,o.organizationId),r?e.json({invitation:r,member:n}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),pt=K("/organization/reject-invitation",{method:"POST",body:W.z.object({invitationId:W.z.string({description:"The ID of the invitation to reject"})}),use:[j,q],metadata:{openapi:{description:"Reject an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"null"}}}}}}}}}},async e=>{let t=e.context.session,i=B(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new z.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new z.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:r,member:null})}),gt=K("/organization/cancel-invitation",{method:"POST",body:W.z.object({invitationId:W.z.string({description:"The ID of the invitation to cancel"})}),use:[j,q],openapi:{description:"Cancel an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"}}}}}}}}},async e=>{let t=e.context.session,i=B(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o)throw new z.APIError("BAD_REQUEST",{message:"Invitation not found!"});let r=await i.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!r)throw new z.APIError("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[r.role].authorize({invitation:["cancel"]}).error)throw new z.APIError("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await i.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),mt=K("/organization/get-invitation",{method:"GET",use:[j],requireHeaders:!0,query:W.z.object({id:W.z.string({description:"The ID of the invitation to get"})}),metadata:{openapi:{description:"Get an invitation by ID",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"},organizationName:{type:"string"},organizationSlug:{type:"string"},inviterEmail:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt","organizationName","organizationSlug","inviterEmail"]}}}}}}}},async e=>{let t=await U(e);if(!t)throw new z.APIError("UNAUTHORIZED",{message:"Not authenticated"});let i=B(e.context,e.context.orgOptions),o=await i.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new z.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new z.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.findOrganizationById(o.organizationId);if(!r)throw new z.APIError("BAD_REQUEST",{message:"Organization not found"});let n=await i.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!n)throw new z.APIError("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:r.name,organizationSlug:r.slug,inviterEmail:n.user.email})});var oe=require("zod");var ge=require("better-call");var ft=()=>K("/organization/add-member",{method:"POST",body:oe.z.object({userId:oe.z.string(),role:oe.z.string(),organizationId:oe.z.string().optional()}),use:[j],metadata:{SERVER_ONLY:!0}},async e=>{let t=e.body.userId?await U(e).catch(s=>null):null,i=e.body.organizationId||t?.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=B(e.context,e.context.orgOptions),r=await e.context.internalAdapter.findUserById(e.body.userId);if(!r)throw new ge.APIError("BAD_REQUEST",{message:"User not found!"});if(await o.findMemberByEmail({email:r.email,organizationId:i}))throw new ge.APIError("BAD_REQUEST",{message:"User is already a member of this organization"});let a=await o.createMember({id:L(),organizationId:i,userId:r.id,role:e.body.role,createdAt:new Date});return e.json(a)}),ht=K("/organization/remove-member",{method:"POST",body:oe.z.object({memberIdOrEmail:oe.z.string({description:"The ID or email of the member to remove"}),organizationId:oe.z.string({description:"The ID of the organization to remove the member from. If not provided, the active organization will be used"}).optional()}),use:[j,q],metadata:{openapi:{description:"Remove a member from an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async e=>{let t=e.context.session,i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=B(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)throw new ge.APIError("BAD_REQUEST",{message:"Member not found!"});let n=e.context.roles[r.role];if(!n)throw new ge.APIError("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||r.id===e.body.memberIdOrEmail;if(a&&r.role===(e.context.orgOptions?.creatorRole||"owner"))throw new ge.APIError("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||n.authorize({member:["delete"]}).success))throw new ge.APIError("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let d=null;if(e.body.memberIdOrEmail.includes("@")?d=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:i}):d=await o.findMemberById(e.body.memberIdOrEmail),d?.organizationId!==i)throw new ge.APIError("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(d.id),t.user.id===d.userId&&t.session.activeOrganizationId===d.organizationId&&await o.setActiveOrganization(t.session.token,null),e.json({member:d})}),yt=e=>K("/organization/update-member-role",{method:"POST",body:oe.z.object({role:oe.z.string(),memberId:oe.z.string(),organizationId:oe.z.string().optional()}),use:[j,q],metadata:{openapi:{description:"Update the role of a member in an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async t=>{let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)return t.json(null,{status:400,body:{message:"No active organization found!"}});let r=B(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)return t.json(null,{status:400,body:{message:"Member not found!"}});let a=t.context.roles[n.role];if(!a)return t.json(null,{status:400,body:{message:"Role not found!"}});if(a.authorize({member:["update"]}).error||t.body.role==="owner"&&n.role!=="owner")return t.json(null,{body:{message:"You are not allowed to update this member"},status:403});let A=await r.updateMember(t.body.memberId,t.body.role);return A?t.json(A):t.json(null,{status:400,body:{message:"Member not found!"}})}),wt=K("/organization/get-active-member",{method:"GET",use:[j,q],metadata:{openapi:{description:"Get the active member in the organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}}}}}}}},async e=>{let t=e.context.session,i=t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let r=await B(e.context,e.context.orgOptions).findMemberByOrgId({userId:t.user.id,organizationId:i});return r?e.json(r):e.json(null,{status:400,body:{message:"Member not found!"}})});var S=require("zod");var me=require("better-call");var Ct=K("/organization/create",{method:"POST",body:S.z.object({name:S.z.string({description:"The name of the organization"}),slug:S.z.string({description:"The slug of the organization"}),userId:S.z.string({description:"The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server."}).optional(),logo:S.z.string({description:"The logo of the organization"}).optional(),metadata:S.z.record(S.z.string(),S.z.any(),{description:"The metadata of the organization"}).optional()}),use:[j,q],metadata:{openapi:{description:"Create an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization that was created",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let i=e.context.orgOptions;if(!(typeof i?.allowUserToCreateOrganization=="function"?await i.allowUserToCreateOrganization(t):i?.allowUserToCreateOrganization===void 0?!0:i.allowUserToCreateOrganization))throw new me.APIError("FORBIDDEN",{message:"You are not allowed to create an organization"});let r=B(e.context,i),n=await r.listOrganizations(t.id);if(typeof i.organizationLimit=="number"?n.length>=i.organizationLimit:typeof i.organizationLimit=="function"?await i.organizationLimit(t):!1)throw new me.APIError("FORBIDDEN",{message:"You have reached the organization limit"});if(await r.findOrganizationBySlug(e.body.slug))throw new me.APIError("BAD_REQUEST",{message:"Organization with this slug already exists"});let A=await r.createOrganization({organization:{id:L(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return await r.setActiveOrganization(e.context.session.session.token,A.id),e.json(A)}),bt=K("/organization/update",{method:"POST",body:S.z.object({data:S.z.object({name:S.z.string({description:"The name of the organization"}).optional(),slug:S.z.string({description:"The slug of the organization"}).optional(),logo:S.z.string({description:"The logo of the organization"}).optional()}).partial(),organizationId:S.z.string().optional()}),requireHeaders:!0,use:[j],metadata:{openapi:{description:"Update an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The updated organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)throw new me.APIError("UNAUTHORIZED",{message:"User not found"});let i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=B(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(i,e.body.data);return e.json(s)}),vt=K("/organization/delete",{method:"POST",body:S.z.object({organizationId:S.z.string({description:"The organization id to delete"})}),requireHeaders:!0,use:[j],metadata:{openapi:{description:"Delete an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string",description:"The organization id that was deleted"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let i=e.body.organizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=B(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["delete"]}).error)throw new me.APIError("FORBIDDEN",{message:"You are not allowed to delete this organization"});return i===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.token,null),await o.deleteOrganization(i),e.json(i)}),kt=K("/organization/get-full-organization",{method:"GET",query:S.z.optional(S.z.object({organizationId:S.z.string({description:"The organization id to get"}).optional()})),requireHeaders:!0,use:[j,q],metadata:{openapi:{description:"Get the full organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session,i=e.query?.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:200});let r=await B(e.context,e.context.orgOptions).findFullOrganization(i);if(!r)throw new me.APIError("BAD_REQUEST",{message:"Organization not found"});return e.json(r)}),Tt=K("/organization/set-active",{method:"POST",body:S.z.object({organizationId:S.z.string({description:"The organization id to set as active. Can be null to unset the active organization"}).nullable().optional()}),use:[q,j],metadata:{openapi:{description:"Set the active organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=B(e.context,e.context.orgOptions),i=e.context.session,o=e.body.organizationId;if(o===null){if(!i.session.activeOrganizationId)return e.json(null);let A=await t.setActiveOrganization(i.session.token,null);return await m(e,{session:A,user:i.user}),e.json(null)}if(!o){let s=i.session.activeOrganizationId;if(!s)return e.json(null);o=s}if(!await t.findMemberByOrgId({userId:i.user.id,organizationId:o}))throw await t.setActiveOrganization(i.session.token,null),new me.APIError("FORBIDDEN",{message:"You are not a member of this organization"});let n=await t.setActiveOrganization(i.session.token,o);await m(e,{session:n,user:i.user});let a=await t.findFullOrganization(o);return e.json(a)}),Ot=K("/organization/list",{method:"GET",use:[j,q],metadata:{openapi:{description:"List all organizations",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{$ref:"#/components/schemas/Organization"}}}}}}}}},async e=>{let i=await B(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(i)});var Pr=po({name:["action"]}),Zd=Pr.newRole({name:["action"]}),Sr=e=>{let t={createOrganization:Ct,updateOrganization:bt,deleteOrganization:vt,setActiveOrganization:Tt,getFullOrganization:kt,listOrganizations:Ot,createInvitation:ut(e),cancelInvitation:gt,acceptInvitation:lt,getInvitation:mt,rejectInvitation:pt,addMember:ft(),removeMember:ht,updateMemberRole:yt(e),getActiveMember:wt},i={...Kt,...e?.roles};return{id:"organization",endpoints:{...dt(t,{orgOptions:e||{},roles:i,getSession:async r=>await U(r)}),hasPermission:K("/organization/has-permission",{method:"POST",requireHeaders:!0,body:Se.z.object({permission:Se.z.record(Se.z.string(),Se.z.array(Se.z.string()))}),use:[q],metadata:{openapi:{description:"Check if the user has permission",requestBody:{content:{"application/json":{schema:{type:"object",properties:{permission:{type:"object",description:"The permission to check"}},required:["permission"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{error:{type:"string"},success:{type:"boolean"}},required:["success"]}}}}}}}},async r=>{if(!r.context.session.session.activeOrganizationId)throw new Do.APIError("BAD_REQUEST",{message:"No active organization"});let a=await B(r.context).findMemberByOrgId({userId:r.context.session.user.id,organizationId:r.context.session.session.activeOrganizationId||""});if(!a)throw new Do.APIError("UNAUTHORIZED",{message:"You are not a member of this organization"});let A=i[a.role].authorize(r.body.permission);return A.error?r.json({error:A.error,success:!1},{status:403}):r.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1,fieldName:e?.schema?.session?.fields?.activeOrganizationId}}},organization:{modelName:e?.schema?.organization?.modelName,fields:{name:{type:"string",required:!0,fieldName:e?.schema?.organization?.fields?.name},slug:{type:"string",unique:!0,fieldName:e?.schema?.organization?.fields?.slug},logo:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.logo},createdAt:{type:"date",required:!0,fieldName:e?.schema?.organization?.fields?.createdAt},metadata:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.metadata}}},member:{modelName:e?.schema?.member?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.member?.fields?.organizationId},userId:{type:"string",required:!0,fieldName:e?.schema?.member?.fields?.userId},role:{type:"string",required:!0,defaultValue:"member",fieldName:e?.schema?.member?.fields?.role},createdAt:{type:"date",required:!0,fieldName:e?.schema?.member?.fields?.createdAt}}},invitation:{modelName:e?.schema?.invitation?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.invitation?.fields?.organizationId},email:{type:"string",required:!0,fieldName:e?.schema?.invitation?.fields?.email},role:{type:"string",required:!1,fieldName:e?.schema?.invitation?.fields?.role},status:{type:"string",required:!0,defaultValue:"pending",fieldName:e?.schema?.invitation?.fields?.status},expiresAt:{type:"date",required:!0,fieldName:e?.schema?.invitation?.fields?.expiresAt},inviterId:{type:"string",references:{model:"user",field:"id"},fieldName:e?.schema?.invitation?.fields?.inviterId,required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};var xo=Xo(require("uncrypto"),1);function Dr(e){return e.toString(2).padStart(8,"0")}function xr(e){return[...e].map(t=>Dr(t)).join("")}function It(e){return parseInt(xr(e),2)}function zr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,i=t%8,o=new Uint8Array(Math.ceil(t/8));xo.default.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1);let r=It(o);for(;r>=e;)xo.default.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1),r=It(o);return r}function Q(e,t){let i="";for(let o=0;o<e;o++)i+=t[zr(t.length)];return i}function $(...e){let t=new Set(e),i="";for(let o of t)o==="a-z"?i+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?i+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?i+="0123456789":i+=o;return i}var We=require("zod");var Bo=require("@noble/ciphers/chacha"),De=require("@noble/ciphers/utils"),jo=require("@noble/ciphers/webcrypto"),No=require("oslo/crypto"),zo=Xo(require("uncrypto"),1);var Rt=require("oslo/encoding");var Br=require("@noble/hashes/scrypt"),jr=require("uncrypto");async function He(e,t){let i=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},r=await zo.default.subtle.importKey("raw",i.encode(e),o,!1,["sign","verify"]),n=await zo.default.subtle.sign(o.name,r,i.encode(t));return btoa(String.fromCharCode(...new Uint8Array(n)))}var le=async({key:e,data:t})=>{let i=await(0,No.sha256)(new TextEncoder().encode(e)),o=(0,De.utf8ToBytes)(t),r=(0,jo.managedNonce)(Bo.xchacha20poly1305)(new Uint8Array(i));return(0,De.bytesToHex)(r.encrypt(o))},fe=async({key:e,data:t})=>{let i=await(0,No.sha256)(new TextEncoder().encode(e)),o=(0,De.hexToBytes)(t),r=(0,jo.managedNonce)(Bo.xchacha20poly1305)(new Uint8Array(i));return new TextDecoder().decode(r.decrypt(o))};var Ae=require("zod");var xe=require("better-call");var go="two_factor";var mo="trust_device";var _o=require("zod");var be=R({body:_o.z.object({trustDevice:_o.z.boolean().optional()})},async e=>{let t=await U(e);if(!t){let i=e.context.createAuthCookie(go),o=await e.getSignedCookie(i.name,e.context.secret);if(!o)throw new xe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let r=await e.context.internalAdapter.findUserById(o);if(!r)throw new xe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let n=await e.context.internalAdapter.createSession(o,e.request);if(!n)throw new xe.APIError("INTERNAL_SERVER_ERROR",{message:"failed to create session"});return{valid:async()=>{if(await m(e,{session:n,user:r}),e.body.trustDevice){let a=e.context.createAuthCookie(mo,{maxAge:2592e3}),s=await He(e.context.secret,`${r.id}!${n.token}`);await e.setSignedCookie(a.name,`${s}!${n.token}`,e.context.secret,a.attributes)}return e.json({session:n,user:r})},invalid:async()=>{throw new xe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:n.token,userId:n.userId,expiresAt:n.expiresAt,user:r}}}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new xe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});var ze=require("better-call");function Nr(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>Q(e?.length??10,$("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function Lo(e,t){let i=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():Nr(),r=await le({data:JSON.stringify(o),key:i});return{backupCodes:o,encryptedBackupCodes:r}}async function _r(e,t){let i=await Ut(e.backupCodes,t);return i?{status:i.includes(e.code),updated:i.filter(o=>o!==e.code)}:{status:!1,updated:null}}async function Ut(e,t){let i=Buffer.from(await fe({key:t,data:e})).toString("utf-8"),o=JSON.parse(i),r=Ae.z.array(Ae.z.string()).safeParse(o);return r.success?r.data:null}var Et=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:K("/two-factor/verify-backup-code",{method:"POST",body:Ae.z.object({code:Ae.z.string(),disableSession:Ae.z.boolean().optional()}),use:[be]},async i=>{let o=i.context.session.user,r=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!r)throw new ze.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});let n=await _r({backupCodes:r.backupCodes,code:i.body.code},i.context.secret);if(!n.status)throw new ze.APIError("UNAUTHORIZED",{message:"Invalid backup code"});let a=await le({key:i.context.secret,data:JSON.stringify(n.updated)});return await i.context.adapter.update({model:t,update:{backupCodes:a},where:[{field:"userId",value:o.id}]}),i.body.disableSession||await m(i,{session:i.context.session.session,user:o}),i.json({user:o,session:i.context.session})}),generateBackupCodes:K("/two-factor/generate-backup-codes",{method:"POST",body:Ae.z.object({password:Ae.z.string()}),use:[v]},async i=>{let o=i.context.session.user;if(!o.twoFactorEnabled)throw new ze.APIError("BAD_REQUEST",{message:"Two factor isn't enabled"});await i.context.password.checkPassword(o.id,i);let r=await Lo(i.context.secret,e);return await i.context.adapter.update({model:t,update:{backupCodes:r.encryptedBackupCodes},where:[{field:"userId",value:i.context.session.user.id}]}),i.json({status:!0,backupCodes:r.backupCodes})}),viewBackupCodes:K("/two-factor/view-backup-codes",{method:"GET",body:Ae.z.object({userId:Ae.z.string()}),metadata:{SERVER_ONLY:!0}},async i=>{let o=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:i.body.userId}]});if(!o)throw new ze.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});let r=await Ut(o.backupCodes,i.context.secret);if(!r)throw new ze.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});return i.json({status:!0,backupCodes:r})})}});var Qe=require("better-call"),Pt=require("oslo/otp"),Fo=require("zod");var St=require("oslo"),Dt=(e,t)=>{let i={...e,period:new St.TimeSpan(e?.period||3,"m")},o=new Pt.TOTPController({digits:6,period:i.period}),r=K("/two-factor/send-otp",{method:"POST",use:[be]},async a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new Qe.APIError("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new Qe.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});let d=await o.generate(Buffer.from(A.secret));return await e.sendOTP({user:s,otp:d},a.request),a.json({status:!0})}),n=K("/two-factor/verify-otp",{method:"POST",body:Fo.z.object({code:Fo.z.string()}),use:[be]},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new Qe.APIError("BAD_REQUEST",{message:"two factor isn't enabled"});let A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new Qe.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(A.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{sendTwoFactorOTP:r,verifyTwoFactorOTP:n}}};var ve=require("better-call"),xt=require("oslo"),Ze=require("oslo/otp"),$e=require("zod");var zt=(e,t)=>{let i={...e,digits:6,period:new xt.TimeSpan(e?.period||30,"s")},o=K("/totp/generate",{method:"POST",use:[v]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new ve.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new ve.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Ze.TOTPController(i).generate(Buffer.from(A.secret))}}),r=K("/two-factor/get-totp-uri",{method:"POST",use:[v],body:$e.z.object({password:$e.z.string()})},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new ve.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A||!s.twoFactorEnabled)throw new ve.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:(0,Ze.createTOTPKeyURI)(e.issuer||a.context.appName,s.email,Buffer.from(A.secret),i)}}),n=K("/two-factor/verify-totp",{method:"POST",body:$e.z.object({code:$e.z.string()}),use:[be]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new ve.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new ve.APIError("BAD_REQUEST",{message:"totp isn't enabled"});let d=new Ze.TOTPController(i),c=await fe({key:a.context.secret,data:A.secret}),l=Buffer.from(c);if(!await d.verify(a.body.code,l))return a.context.invalid();if(!s.twoFactorEnabled){let p=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),h=await a.context.internalAdapter.createSession(s.id,a.request,!1,a.context.session.session).catch(k=>{throw console.log(k),k});await a.context.internalAdapter.deleteSession(a.context.session.session.token),await m(a,{session:h,user:p})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,getTOTPURI:r,verifyTOTP:n}}};var Lr=require("better-call");async function qo(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),r=o?.password;return!o||!r?!1:await e.context.password.verify(r,t.password)}var Vo=require("better-call"),Nt=require("oslo/otp"),_t=require("oslo");var Bt=require("better-call"),Be=async e=>{let t=e.context.returned;return t?t instanceof Response?t.status!==200?null:await t.clone().json():t instanceof Bt.APIError?null:t:null};var jt={user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}};var Fr=e=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&e?.onTwoFactorRedirect&&await e.onTwoFactorRedirect()}}}]});var qr=e=>{let t={twoFactorTable:"twoFactor"},i=zt({issuer:e?.issuer,...e?.totpOptions},t.twoFactorTable),o=Et({...e?.backupCodeOptions},t.twoFactorTable),r=Dt({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...i.endpoints,...r.endpoints,...o.endpoints,enableTwoFactor:K("/two-factor/enable",{method:"POST",body:We.z.object({password:We.z.string().min(8)}),use:[v]},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await qo(n,{password:s,userId:a.id}))throw new Vo.APIError("BAD_REQUEST",{message:"Invalid password"});let d=Q(16,$("a-z","0-9","-")),c=await le({key:n.context.secret,data:d}),l=await Lo(n.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let p=await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),h=await n.context.internalAdapter.createSession(p.id,n.request,!1,n.context.session.session);await m(n,{session:h,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token)}await n.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await n.context.adapter.create({model:t.twoFactorTable,data:{secret:c,backupCodes:l.encryptedBackupCodes,userId:a.id}});let u=(0,Nt.createTOTPKeyURI)(e?.issuer||"BetterAuth",a.email,Buffer.from(d),{digits:e?.totpOptions?.digits||6,period:new _t.TimeSpan(e?.totpOptions?.period||30,"s")});return n.json({totpURI:u,backupCodes:l.backupCodes})}),disableTwoFactor:K("/two-factor/disable",{method:"POST",body:We.z.object({password:We.z.string().min(8)}),use:[v]},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await qo(n,{password:s,userId:a.id}))throw new Vo.APIError("BAD_REQUEST",{message:"Invalid password"});await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await n.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]});let d=await n.context.internalAdapter.createSession(a.id,n.request,!1,n.context.session.session);return await m(n,{session:d,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token),n.json({status:!0})})},options:e,hooks:{after:[{matcher(n){return n.path==="/sign-in/email"||n.path==="/sign-in/username"},handler:R(async n=>{let a=await Be(n);if(!a||!a.user.twoFactorEnabled)return;let s=n.context.createAuthCookie(mo),A=await n.getSignedCookie(s.name,n.context.secret);if(A){let[c,l]=A.split("!"),u=await He(n.context.secret,`${a.user.id}!${l}`);if(c===u){let p=await He(n.context.secret,`${a.user.id}!${a.session.token}`);await n.setSignedCookie(s.name,`${p}!${a.session.token}`,n.context.secret,s.attributes);return}}M(n),await n.context.internalAdapter.deleteSession(a.session.token);let d=n.context.createAuthCookie(go,{maxAge:60*10});return await n.setSignedCookie(d.name,a.user.id,n.context.secret,d.attributes),n.json({twoFactorRedirect:!0})})}]},schema:ee(jt,e?.schema),rateLimit:[{pathMatcher(n){return n.startsWith("/two-factor/")},window:10,max:3}]}};var he=require("@simplewebauthn/server"),ie=require("better-call");var de=require("zod");var je=require("@simplewebauthn/browser");var Mr=require("@better-fetch/fetch");var sc=require("nanostores");var ZK=require("@better-fetch/fetch");var Vr=require("nanostores");var GK=require("@better-fetch/fetch"),fo=require("nanostores"),Mo=(e,t,i,o)=>{let r=(0,fo.atom)({data:null,error:null,isPending:!0,isRefetching:!1}),n=()=>{let s=typeof o=="function"?o({data:r.get().data,error:r.get().error,isPending:r.get().isPending}):o;return i(t,{...s,async onSuccess(A){r.set({data:A.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(A)},async onError(A){r.set({error:A.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(A)},async onRequest(A){let d=r.get();r.set({isPending:d.data===null,data:d.data,error:null,isRefetching:!0}),await s?.onRequest?.(A)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?n():(0,fo.onMount)(r,()=>(n(),a=!0,()=>{r.off(),s.off()}))});return r};var Lt=require("nanostores"),Ft=(e,{$listPasskeys:t})=>({signIn:{passkey:async(r,n)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:r?.email}});if(!a.data)return a;try{let s=await(0,je.startAuthentication)(a.data,r?.autoFill||!1),A=await e("/passkey/verify-authentication",{body:{response:s},...r?.fetchOptions,...n,method:"POST"});if(!A.data)return A}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(r,n)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await(0,je.startRegistration)(a.data),A=await e("/passkey/verify-registration",{...r?.fetchOptions,...n,body:{response:s,name:r?.name},method:"POST"});if(!A.data)return A;t.set(Math.random())}catch(s){return s instanceof je.WebAuthnError?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),Hr=()=>{let e=(0,Lt.atom)();return{id:"passkey",$InferServerPlugin:{},getActions:t=>Ft(t,{$listPasskeys:e}),getAtoms(t){return{listPasskeys:Mo(e,"/passkey/list-user-passkeys",t,{method:"GET"}),$listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var Qr=e=>{let t=re.BETTER_AUTH_URL,i=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!i)throw new X("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:i,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},r=new Date(Date.now()+1e3*60*5),n=new Date,a=Math.floor((r.getTime()-n.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:K("/passkey/generate-register-options",{method:"GET",use:[Ve],metadata:{client:!1}},async s=>{let A=s.context.session,d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:A.user.id}]}),c=new Uint8Array(Buffer.from(Q(32,$("a-z","0-9")))),l;l=await(0,he.generateRegistrationOptions)({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:c,userName:A.user.email||A.user.id,attestationType:"none",excludeCredentials:d.map(p=>({id:p.id,transports:p.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let u=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,u,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:u,value:JSON.stringify({expectedChallenge:l.challenge,userData:{id:A.user.id}}),expiresAt:r}),s.json(l,{status:200})}),generatePasskeyAuthenticationOptions:K("/passkey/generate-authenticate-options",{method:"POST",body:de.z.object({email:de.z.string().optional()}).optional()},async s=>{let A=await U(s),d=[];A&&(d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:A.user.id}]}));let c=await(0,he.generateAuthenticationOptions)({rpID:o.rpID,userVerification:"preferred",...d.length?{allowCredentials:d.map(p=>({id:p.id,transports:p.transports?.split(",")}))}:{}}),l={expectedChallenge:c.challenge,userData:{id:A?.user.id||""}},u=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,u,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:u,value:JSON.stringify(l),expiresAt:r}),s.json(c,{status:200})}),verifyPasskeyRegistration:K("/passkey/verify-registration",{method:"POST",body:de.z.object({response:de.z.any(),name:de.z.string().optional()}),use:[Ve]},async s=>{let A=e?.origin||s.headers?.get("origin")||"";if(!A)return s.json(null,{status:400});let d=s.body.response,c=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!c)throw new ie.APIError("BAD_REQUEST",{message:"Challenge not found"});let l=await s.context.internalAdapter.findVerificationValue(c);if(!l)return s.json(null,{status:400});let{expectedChallenge:u,userData:p}=JSON.parse(l.value);if(p.id!==s.context.session.user.id)throw new ie.APIError("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let h=await(0,he.verifyRegistrationResponse)({response:d,expectedChallenge:u,expectedOrigin:A,expectedRPID:e?.rpID}),{verified:k,registrationInfo:f}=h;if(!k||!f)return s.json(null,{status:400});let{credentialID:g,credentialPublicKey:C,counter:T,credentialDeviceType:N,credentialBackedUp:eo}=f,Xt=Buffer.from(C).toString("base64"),Yt={name:s.body.name,userId:p.id,webauthnUserID:s.context.generateId({model:"passkey"}),id:g,publicKey:Xt,counter:T,deviceType:N,transports:d.response.transports.join(","),backedUp:eo,createdAt:new Date},er=await s.context.adapter.create({model:"passkey",data:Yt});return s.json(er,{status:200})}catch(h){throw console.log(h),new ie.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:K("/passkey/verify-authentication",{method:"POST",body:de.z.object({response:de.z.any()})},async s=>{let A=e?.origin||s.headers?.get("origin")||"";if(!A)throw new ie.APIError("BAD_REQUEST",{message:"origin missing"});let d=s.body.response,c=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!c)throw new ie.APIError("BAD_REQUEST",{message:"Challenge not found"});let l=await s.context.internalAdapter.findVerificationValue(c);if(!l)throw new ie.APIError("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:u}=JSON.parse(l.value),p=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:d.id}]});if(!p)throw new ie.APIError("UNAUTHORIZED",{message:"Passkey not found"});try{let h=await(0,he.verifyAuthenticationResponse)({response:d,expectedChallenge:u,expectedOrigin:A,expectedRPID:o.rpID,authenticator:{credentialID:p.id,credentialPublicKey:new Uint8Array(Buffer.from(p.publicKey,"base64")),counter:p.counter,transports:p.transports?.split(",")}}),{verified:k}=h;if(!k)throw new ie.APIError("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:p.id}],update:{counter:h.authenticationInfo.newCounter}});let f=await s.context.internalAdapter.createSession(p.userId,s.request);if(!f)throw new ie.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let g=await s.context.internalAdapter.findUserById(p.userId);if(!g)throw new ie.APIError("INTERNAL_SERVER_ERROR",{message:"User not found"});return await m(s,{session:f,user:g}),s.json({session:f},{status:200})}catch(h){throw s.context.logger.error("Failed to verify authentication",h),new ie.APIError("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:K("/passkey/list-user-passkeys",{method:"GET",use:[v]},async s=>{let A=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(A,{status:200})}),deletePasskey:K("/passkey/delete-passkey",{method:"POST",body:de.z.object({id:de.z.string()}),use:[v]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:ee($r,e?.schema)}},$r={passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}};var Ge=require("zod");var Je=require("better-call");var Ho=()=>({id:"username",endpoints:{signInUsername:K("/sign-in/username",{method:"POST",body:Ge.z.object({username:Ge.z.string(),password:Ge.z.string(),rememberMe:Ge.z.boolean().optional()})},async e=>{let t=await e.context.adapter.findOne({model:"user",where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:Ho}),new Je.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let i=await e.context.adapter.findOne({model:"account",where:[{field:"userId",value:t.id},{field:"providerId",value:"credential"}]});if(!i)throw new Je.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let o=i?.password;if(!o)throw e.context.logger.error("Password not found",{username:Ho}),new Je.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new Je.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let n=await e.context.internalAdapter.createSession(t.id,e.request,e.body.rememberMe===!1);return n?(await m(e,{session:n,user:t},e.body.rememberMe===!1),e.json({user:t,session:n})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});var qt=require("better-call"),Zr=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let i="";return t.includes(".")?i=t:i=await(0,qt.serializeSigned)("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),{context:e}}}]}});var ke=require("zod");var Qo=require("better-call");var Wr=e=>({id:"magic-link",endpoints:{signInMagicLink:K("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ke.z.object({email:ke.z.string().email(),callbackURL:ke.z.string().optional()})},async t=>{let{email:i}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(i))throw new Qo.APIError("BAD_REQUEST",{message:"User not found"});let o=Q(32,$("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:i,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let r=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:i,url:r,token:o},t.request)}catch(n){throw t.context.logger.error("Failed to send magic link",n),new Qo.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:K("/magic-link/verify",{method:"GET",query:ke.z.object({token:ke.z.string(),callbackURL:ke.z.string().optional()}),requireHeaders:!0},async t=>{let{token:i,callbackURL:o}=t.query,r=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,n=await t.context.internalAdapter.findVerificationValue(i);if(!n)throw t.redirect(`${r}?error=INVALID_TOKEN`);if(n.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(n.id),t.redirect(`${r}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(n.id);let a=n.value,s=await t.context.internalAdapter.findUserByEmail(a),A=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${r}?error=USER_NOT_FOUND`);if(A=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!A)throw t.redirect(`${r}?error=USER_NOT_CREATED`)}let d=await t.context.internalAdapter.createSession(A,t.headers);if(!d)throw t.redirect(`${r}?error=SESSION_NOT_CREATED`);if(await m(t,{session:d,user:s?.user}),!o)return t.json({session:d,user:s?.user});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});var te=require("zod");var V=require("better-call");function Gr(e){return Q(e,$("0-9"))}var Jr=e=>{let t={expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6,...e,phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt"};return{id:"phone-number",endpoints:{signInPhoneNumber:K("/sign-in/phone-number",{method:"POST",body:te.z.object({phoneNumber:te.z.string(),password:te.z.string(),rememberMe:te.z.boolean().optional()})},async i=>{let{password:o,phoneNumber:r}=i.body;if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new V.APIError("BAD_REQUEST",{message:"Invalid phone number!"});let n=await i.context.adapter.findOne({model:"user",where:[{field:"phoneNumber",value:r}]});if(!n)throw new V.APIError("UNAUTHORIZED",{message:"Invalid phone number or password"});let s=(await i.context.internalAdapter.findAccountByUserId(n.id)).find(l=>l.providerId==="credential");if(!s)throw i.context.logger.error("Credential account not found",{phoneNumber:r}),new V.APIError("UNAUTHORIZED",{message:"Invalid password or password"});let A=s?.password;if(!A)throw i.context.logger.error("Password not found",{phoneNumber:r}),new V.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await i.context.password.verify(A,o))throw i.context.logger.error("Invalid password"),new V.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let c=await i.context.internalAdapter.createSession(n.id,i.headers,i.body.rememberMe===!1);if(!c)throw i.context.logger.error("Failed to create session"),new V.APIError("UNAUTHORIZED",{message:"Failed to create session"});return await m(i,{session:c,user:n},i.body.rememberMe===!1),i.json({user:n,session:c})}),sendPhoneNumberOTP:K("/phone-number/send-otp",{method:"POST",body:te.z.object({phoneNumber:te.z.string()})},async i=>{if(!e?.sendOTP)throw i.context.logger.warn("sendOTP not implemented"),new V.APIError("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new V.APIError("BAD_REQUEST",{message:"Invalid phone number!"});let o=Gr(t.otpLength);return await i.context.internalAdapter.createVerificationValue({value:o,identifier:i.body.phoneNumber,expiresAt:I(t.expiresIn,"sec")}),await e.sendOTP({phoneNumber:i.body.phoneNumber,code:o},i.request),i.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:K("/phone-number/verify",{method:"POST",body:te.z.object({phoneNumber:te.z.string(),code:te.z.string(),disableSession:te.z.boolean().optional(),updatePhoneNumber:te.z.boolean().optional()})},async i=>{let o=await i.context.internalAdapter.findVerificationValue(i.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await i.context.internalAdapter.deleteVerificationValue(o.id),new V.APIError("BAD_REQUEST",{message:"OTP expired"})):new V.APIError("BAD_REQUEST",{message:"OTP not found"});if(o.value!==i.body.code)throw new V.APIError("BAD_REQUEST",{message:"Invalid OTP"});if(await i.context.internalAdapter.deleteVerificationValue(o.id),i.body.updatePhoneNumber){let n=await U(i);if(!n)throw new V.APIError("UNAUTHORIZED",{message:"Session not found"});let a=await i.context.internalAdapter.updateUser(n.user.id,{[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0});return i.json({user:a,session:n.session})}let r=await i.context.adapter.findOne({model:"user",where:[{value:i.body.phoneNumber,field:t.phoneNumber}]});if(await e?.callbackOnVerification?.({phoneNumber:i.body.phoneNumber,user:r},i.request),r)r=await i.context.internalAdapter.updateUser(r.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(r=await i.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(i.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(i.body.phoneNumber):i.body.phoneNumber,[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0}),!r)throw new V.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else return i.json(null);if(!r)throw new V.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!i.body.disableSession){let n=await i.context.internalAdapter.createSession(r.id,i.request);if(!n)throw new V.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(i,{session:n,user:r}),i.json({user:r,session:n})}return i.json({user:r,session:null})})},schema:ee(Xr,e?.schema)}},Xr={user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}};var Xc=require("zod");var Yr={user:{fields:{isAnonymous:{type:"boolean",required:!1}}}},en=e=>({id:"anonymous",endpoints:{signInAnonymous:K("/sign-in/anonymous",{method:"POST"},async t=>{let{emailDomainName:i=Te(t.context.baseURL)}=e||{},o=t.context.generateId({model:"user"}),r=`temp-${o}@${i}`,n=await t.context.internalAdapter.createUser({id:o,email:r,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!n)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(n.id,t.request);return a?(await m(t,{session:a,user:n}),t.json({user:n,session:a})):t.json(null,{status:400,body:{message:"Could not create session"}})})},hooks:{after:[{matcher(t){return t.path?.startsWith("/sign-in")||t.path?.startsWith("/sign-up")},handler:R(async t=>{let o=t.responseHeader.get("set-cookie"),r=t.context.authCookies.sessionToken.name,n=no(o||"").get(r)?.value.split(".")[0];if(!n)return;let a=await U(t);if(!(!a||!a.user.isAnonymous)){if(t.path==="/sign-in/anonymous")throw new b.APIError("BAD_REQUEST",{message:"Anonymous users cannot sign in again anonymously"});if(e?.onLinkAccount){let s=await t.context.internalAdapter.findSession(n);if(!s)return;await e?.onLinkAccount?.({anonymousUser:a,newUser:s})}e?.disableDeleteAnonymousUser||await t.context.internalAdapter.deleteUser(a.user.id)}})}]},schema:ee(Yr,e?.schema)});var y=require("zod");var on=e=>{let t={defaultRole:"user",adminRole:"admin",...e},i=R(async o=>{let r=await U(o);if(!r?.session)throw new b.APIError("UNAUTHORIZED");let n=r.user;if(!n.role||(Array.isArray(t.adminRole)?!t.adminRole.includes(n.role):n.role!==t.adminRole))throw new b.APIError("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:n,session:r.session}}});return{id:"admin",init(o){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let n=await o.internalAdapter.findUserById(r.userId);if(n.banned){if(n.banExpires&&n.banExpires<Date.now()){await o.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(o){return o.path==="/list-sessions"},handler:R(async o=>{let r=await Be(o);if(!r)return;let n=r.filter(a=>!a.impersonatedBy);return o.json(n)})}]},endpoints:{setRole:K("/admin/set-role",{method:"POST",body:y.z.object({userId:y.z.string(),role:y.z.string()}),use:[i]},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{role:o.body.role});return o.json({user:r})}),createUser:K("/admin/create-user",{method:"POST",body:y.z.object({email:y.z.string(),password:y.z.string(),name:y.z.string(),role:y.z.string(),data:y.z.optional(y.z.record(y.z.any()))}),use:[i]},async o=>{if(await o.context.internalAdapter.findUserByEmail(o.body.email))throw new b.APIError("BAD_REQUEST",{message:"User already exists"});let n=await o.context.internalAdapter.createUser({email:o.body.email,name:o.body.name,role:o.body.role,...o.body.data});if(!n)throw new b.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let a=await o.context.password.hash(o.body.password);return await o.context.internalAdapter.linkAccount({accountId:n.id,providerId:"credential",password:a,userId:n.id}),o.json({user:n})}),listUsers:K("/admin/list-users",{method:"GET",use:[i],query:y.z.object({searchValue:y.z.string().optional(),searchField:y.z.enum(["email","name"]).optional(),searchOperator:y.z.enum(["contains","starts_with","ends_with"]).optional(),limit:y.z.string().or(y.z.number()).optional(),offset:y.z.string().or(y.z.number()).optional(),sortBy:y.z.string().optional(),sortDirection:y.z.enum(["asc","desc"]).optional(),filterField:y.z.string().optional(),filterValue:y.z.string().or(y.z.number()).or(y.z.boolean()).optional(),filterOperator:y.z.enum(["eq","ne","lt","lte","gt","gte"]).optional()})},async o=>{let r=[];o.query?.searchValue&&r.push({field:o.query.searchField||"email",operator:o.query.searchOperator||"contains",value:o.query.searchValue}),o.query?.filterValue&&r.push({field:o.query.filterField||"email",operator:o.query.filterOperator||"eq",value:o.query.filterValue});try{let n=await o.context.internalAdapter.listUsers(Number(o.query?.limit)||void 0,Number(o.query?.offset)||void 0,o.query?.sortBy?{field:o.query.sortBy,direction:o.query.sortDirection||"asc"}:void 0,r.length?r:void 0);return o.json({users:n})}catch(n){return console.log(n),o.json({users:[]})}}),listUserSessions:K("/admin/list-user-sessions",{method:"POST",use:[i],body:y.z.object({userId:y.z.string()})},async o=>({sessions:await o.context.internalAdapter.listSessions(o.body.userId)})),unbanUser:K("/admin/unban-user",{method:"POST",body:y.z.object({userId:y.z.string()}),use:[i]},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!1});return o.json({user:r})}),banUser:K("/admin/ban-user",{method:"POST",body:y.z.object({userId:y.z.string(),banReason:y.z.string().optional(),banExpiresIn:y.z.number().optional()}),use:[i]},async o=>{if(o.body.userId===o.context.session.user.id)throw new b.APIError("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!0,banReason:o.body.banReason||e?.defaultBanReason||"No reason",banExpires:o.body.banExpiresIn?I(o.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?I(e.defaultBanExpiresIn,"sec"):void 0});return await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({user:r})}),impersonateUser:K("/admin/impersonate-user",{method:"POST",body:y.z.object({userId:y.z.string()}),use:[i]},async o=>{let r=await o.context.internalAdapter.findUserById(o.body.userId);if(!r)throw new b.APIError("NOT_FOUND",{message:"User not found"});let n=await o.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:o.context.session.user.id,expiresAt:e?.impersonationSessionDuration?I(e.impersonationSessionDuration,"sec"):I(60*60,"sec")});if(!n)throw new b.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(o,{session:n,user:r},!0),o.json({session:n,user:r})}),revokeUserSession:K("/admin/revoke-user-session",{method:"POST",body:y.z.object({sessionToken:y.z.string()}),use:[i]},async o=>(await o.context.internalAdapter.deleteSession(o.body.sessionToken),o.json({success:!0}))),revokeUserSessions:K("/admin/revoke-user-sessions",{method:"POST",body:y.z.object({userId:y.z.string()}),use:[i]},async o=>(await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({success:!0}))),removeUser:K("/admin/remove-user",{method:"POST",body:y.z.object({userId:y.z.string()}),use:[i]},async o=>(await o.context.internalAdapter.deleteUser(o.body.userId),o.json({success:!0})))},schema:ee(tn,t.schema)}},tn={user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}};var ne=require("zod"),Ne=require("better-call");var ho=require("@better-fetch/fetch");var Vt=require("oslo/jwt");async function rn(e,t,i){if(t==="oidc"&&e.idToken){let r=(0,Vt.parseJWT)(e.idToken);if(r?.payload)return r.payload}if(!i)return null;let o=await(0,ho.betterFetch)(i,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}});return{id:o.data?.sub,emailVerified:o.data?.email_verified,email:o.data?.email,...o.data}}var nn=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:K("/sign-in/oauth2",{method:"POST",query:ne.z.object({currentURL:ne.z.string().optional()}).optional(),body:ne.z.object({providerId:ne.z.string(),callbackURL:ne.z.string().optional(),errorCallbackURL:ne.z.string().optional()})},async t=>{let{providerId:i}=t.body,o=e.config.find(N=>N.providerId===i);if(!o)throw new Ne.APIError("BAD_REQUEST",{message:`No config found for provider ${i}`});let{discoveryUrl:r,authorizationUrl:n,tokenUrl:a,clientId:s,clientSecret:A,scopes:d,redirectURI:c,responseType:l,pkce:u,prompt:p,accessType:h}=o,k=n,f=a;if(r){let N=await(0,ho.betterFetch)(r,{onError(eo){t.context.logger.error(eo.error.message,eo.error,{discoveryUrl:r})}});N.data&&(k=N.data.authorization_endpoint,f=N.data.token_endpoint)}if(!k||!f)throw new Ne.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let{state:g,codeVerifier:C}=await Oe(t),T=await P({id:i,options:{clientId:s,clientSecret:A,redirectURI:c},authorizationEndpoint:k,state:g,codeVerifier:u?C:void 0,scopes:d||[],redirectURI:`${t.context.baseURL}/oauth2/callback/${i}`});return l&&l!=="code"&&T.searchParams.set("response_type",l),p&&T.searchParams.set("prompt",p),h&&T.searchParams.set("access_type",h),t.json({url:T.toString(),redirect:!0})}),oAuth2Callback:K("/oauth2/callback/:providerId",{method:"GET",query:ne.z.object({code:ne.z.string().optional(),error:ne.z.string().optional(),state:ne.z.string()})},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let i=e.config.find(g=>g.providerId===t.params.providerId);if(!i)throw new Ne.APIError("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,r=await ao(t),{callbackURL:n,codeVerifier:a,errorURL:s}=r,A=t.query.code,d=i.tokenUrl,c=i.userInfoUrl;if(i.discoveryUrl){let g=await(0,ho.betterFetch)(i.discoveryUrl,{method:"GET"});g.data&&(d=g.data.token_endpoint,c=g.data.userinfo_endpoint)}try{if(!d)throw new Ne.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await O({code:A,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${i.providerId}`,options:{clientId:i.clientId,clientSecret:i.clientSecret},tokenEndpoint:d})}catch(g){throw t.context.logger.error(g&&typeof g=="object"&&"name"in g?g.name:"",g),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new Ne.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let l=i.getUserInfo?await i.getUserInfo(o):await rn(o,i.type||"oauth2",c);if(!l?.email)throw t.context.logger.error("Unable to get user info",l),t.redirect(`${t.context.baseURL}/error?error=email_is_missing`);let u=await Ue(t,{userInfo:l,account:{providerId:i.providerId,accountId:l.id,accessToken:o.accessToken}});function p(g){throw t.redirect(`${s||n||`${t.context.baseURL}/error`}?error=${g}`)}if(u.error)return p(u.error.split(" ").join("_"));let{session:h,user:k}=u.data;await m(t,{session:h,user:k});let f;try{f=new URL(n).toString()}catch{f=n}throw t.redirect(f)})}});var _e=require("zod"),Mt={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},yu=_e.z.object({id:_e.z.string(),publicKey:_e.z.string(),privateKey:_e.z.string(),createdAt:_e.z.date()});var $o=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});var pe=require("jose");var sn=e=>({id:"jwt",endpoints:{getJwks:K("/jwks",{method:"GET"},async t=>{let o=await $o(t.context.adapter).getAllKeys();return t.json({keys:o.map(r=>({...JSON.parse(r.publicKey),kid:r.id}))})}),getToken:K("/token",{method:"GET",requireHeaders:!0,use:[v]},async t=>{let i=$o(t.context.adapter),o=await i.getLatestKey(),r=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:d,privateKey:c}=await(0,pe.generateKeyPair)(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),l=await(0,pe.exportJWK)(d),u=await(0,pe.exportJWK)(c),p=JSON.stringify(u),h={id:crypto.randomUUID(),publicKey:JSON.stringify(l),privateKey:r?JSON.stringify(await le({key:t.context.options.secret,data:p})):p,createdAt:new Date};o=await i.createJwk(h)}let n=r?await fe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await(0,pe.importJWK)(JSON.parse(n)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,A=await new pe.SignJWT({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:A})})},schema:ee(Mt,e?.schema)});var Xe=require("zod");var an=e=>{let t={maximumSessions:5,...e},i=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:K("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let r=o.headers?.get("cookie");if(!r)return o.json([]);let n=Object.fromEntries(qe(r)),a=(await Promise.all(Object.entries(n).filter(([d])=>i(d)).map(async([d])=>await o.getSignedCookie(d,o.context.secret)))).filter(d=>d!==void 0);if(!a.length)return o.json([]);let A=(await o.context.internalAdapter.findSessions(a)).filter(d=>d&&d.session.expiresAt>new Date);return o.json(A)}),setActiveSession:K("/multi-session/set-active",{method:"POST",body:Xe.z.object({sessionToken:Xe.z.string()}),requireHeaders:!0,use:[v]},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b.APIError("UNAUTHORIZED",{message:"Invalid session token"});let s=await o.context.internalAdapter.findSession(r);if(!s||s.session.expiresAt<new Date)throw o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new b.APIError("UNAUTHORIZED",{message:"Invalid session token"});return await m(o,s),o.json(s)}),revokeDeviceSession:K("/multi-session/revoke",{method:"POST",body:Xe.z.object({sessionToken:Xe.z.string()}),requireHeaders:!0,use:[v]},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b.APIError("UNAUTHORIZED",{message:"Invalid session token"});if(await o.context.internalAdapter.deleteSession(r),o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),!(o.context.session?.session.token===r))return o.json({success:!0});let A=o.headers?.get("cookie");if(A){let d=Object.fromEntries(qe(A)),c=(await Promise.all(Object.entries(d).filter(([u])=>i(u)).map(async([u])=>await o.getSignedCookie(u,o.context.secret)))).filter(u=>u!==void 0),l=o.context.internalAdapter;if(c.length>0){let p=(await l.findSessions(c)).filter(h=>h&&h.session.expiresAt>new Date);if(p.length>0){let h=p[0];await m(o,h)}else M(o)}else M(o)}else M(o);return o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:R(async o=>{let r=o.responseHeader.get("set-cookie");if(!r)return;let n=no(r),a=o.context.authCookies.sessionToken,s=n.get(a.name)?.value;if(!s)return;let A=qe(o.headers?.get("cookie")||""),d=s.split(".")[0];if(!d)return;let c=`${a.name}_multi-${d}`;n.get(c)||A.get(c)||Object.keys(Object.fromEntries(A)).filter(i).length+(r.includes("session_token")?1:0)>t.maximumSessions||await o.setSignedCookie(c,d,o.context.secret,a.options)})},{matcher:o=>o.path==="/sign-out",handler:R(async o=>{let r=o.headers?.get("cookie");if(!r)return;let n=Object.fromEntries(qe(r)),a=Object.keys(n).map(s=>i(s)?(o.setCookie(s,"",{maxAge:0}),s.split("_multi-")[1]):null).filter(s=>s!==null);await o.context.internalAdapter.deleteSessions(a)})}]}}};var D=require("zod");var Zo=["email-verification","sign-in","forget-password"],An=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:K("/email-otp/send-verification-otp",{method:"POST",body:D.z.object({email:D.z.string(),type:D.z.enum(Zo)})},async i=>{if(!e?.sendVerificationOTP)throw i.context.logger.error("send email verification is not implemented"),new b.APIError("BAD_REQUEST",{message:"send email verification is not implemented"});let o=i.body.email,r=Q(t.otpLength,$("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}).catch(async n=>{await i.context.internalAdapter.deleteVerificationByIdentifier(`${i.body.type}-otp-${o}`),await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")})}),await e.sendVerificationOTP({email:o,otp:r,type:i.body.type},i.request),i.json({success:!0})}),createVerificationOTP:K("/email-otp/create-verification-otp",{method:"POST",body:D.z.object({email:D.z.string(),type:D.z.enum(Zo)}),metadata:{SERVER_ONLY:!0}},async i=>{let o=i.body.email,r=Q(t.otpLength,$("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),r}),getVerificationOTP:K("/email-otp/get-verification-otp",{method:"GET",query:D.z.object({email:D.z.string(),type:D.z.enum(Zo)}),metadata:{SERVER_ONLY:!0}},async i=>{let o=i.query.email,r=await i.context.internalAdapter.findVerificationValue(`${i.query.type}-otp-${o}`);return!r||r.expiresAt<new Date?i.json({otp:null}):i.json({otp:r.value})}),verifyEmailOTP:K("/email-otp/verify-email",{method:"POST",body:D.z.object({email:D.z.string(),otp:D.z.string()})},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a)throw new b.APIError("BAD_REQUEST",{message:"User not found"});let s=await i.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return i.json({user:s})}),signInEmailOTP:K("/sign-in/email-otp",{method:"POST",body:D.z.object({email:D.z.string(),otp:D.z.string()})},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new b.APIError("BAD_REQUEST",{message:"User not found"});let A=await i.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),d=await i.context.internalAdapter.createSession(A.id,i.request);return await m(i,{session:d,user:A}),i.json({user:A,session:d})}let s=await i.context.internalAdapter.createSession(a.user.id,i.request);return await m(i,{session:s,user:a.user}),i.json({session:s,user:a})}),forgetEmailOTP:K("/forget-password/email-otp",{method:"POST",body:D.z.object({email:D.z.string()})},async i=>{let o=i.body.email;if(!await i.context.internalAdapter.findUserByEmail(o))throw new b.APIError("BAD_REQUEST",{message:"User not found"});let n=Q(t.otpLength,$("0-9"));return await i.context.internalAdapter.createVerificationValue({value:n,identifier:`forget-password-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:"forget-password"},i.request),i.json({success:!0})}),resetPasswordEmailOTP:K("/email-otp/reset-password",{method:"POST",body:D.z.object({email:D.z.string(),otp:D.z.string(),password:D.z.string()})},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findUserByEmail(o);if(!r)throw new b.APIError("BAD_REQUEST",{message:"User not found"});let n=await i.context.internalAdapter.findVerificationValue(`forget-password-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await i.context.internalAdapter.deleteVerificationValue(n.id),new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});let a=i.body.otp;if(n.value!==a)throw new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(n.id);let s=await i.context.password.hash(i.body.password);return await i.context.internalAdapter.updatePassword(r.user.id,s),i.json({success:!0})})},hooks:{after:[{matcher(i){return!!(i.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(i){let o=await Be(i);if(o&&o.user.email&&o.user.emailVerified===!1){let r=Q(t.otpLength,$("0-9"));await i.context.internalAdapter.createVerificationValue({value:r,identifier:`email-verification-otp-${o.user.email}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o.user.email,otp:r,type:"email-verification"},i.request)}}}]}}};var Wo=require("zod");var Qt=require("@better-fetch/fetch");function Ht(e){return e==="true"||e===!0}var dn=e=>({id:"one-tap",endpoints:{oneTapCallback:K("/one-tap/callback",{method:"POST",body:Wo.z.object({idToken:Wo.z.string()})},async t=>{let{idToken:i}=t.body,{data:o,error:r}=await(0,Qt.betterFetch)("https://oauth2.googleapis.com/tokeninfo?id_token="+i);if(r)return t.json({error:"Invalid token"});let n=await t.context.internalAdapter.findUserByEmail(o.email);if(!n){if(e?.disableSignup)throw new b.APIError("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:Ht(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new b.APIError("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let A=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await m(t,{user:s.user,session:A}),t.json({session:A,user:s})}let a=await t.context.internalAdapter.createSession(n.user.id,t.request);return await m(t,{user:n.user,session:a}),t.json({session:a,user:n})})}});var yo=require("zod");function Kn(){let e=re.VERCEL_URL,t=re.NETLIFY_URL,i=re.RENDER_URL,o=re.AWS_LAMBDA_FUNCTION_NAME,r=re.GOOGLE_CLOUD_FUNCTION_NAME,n=re.AZURE_FUNCTION_NAME;return e||t||i||o||r||n}var cn=e=>({id:"oauth-proxy",endpoints:{oAuthProxy:K("/oauth-proxy-callback",{method:"GET",query:yo.z.object({callbackURL:yo.z.string(),cookies:yo.z.string()})},async t=>{let i=t.query.cookies,o=await fe({key:t.context.secret,data:i});throw t.setHeader("set-cookie",o),t.redirect(t.query.callbackURL)})},hooks:{after:[{matcher(t){return t.path?.startsWith("/callback")},handler:R(async t=>{let i=t.context.returned,o=i instanceof b.APIError?i.headers:null,r=o?.get("location");if(r?.includes("/oauth-proxy-callback?callbackURL")){if(!r.startsWith("http"))return;let n=new URL(r);if(n.origin===Te(t.context.baseURL)){let c=n.searchParams.get("callbackURL");if(!c)return;t.setHeader("location",c);return}let s=o?.get("set-cookie");if(!s)return;let A=await le({key:t.context.secret,data:s}),d=`${r}&cookies=${encodeURIComponent(A)}`;t.setHeader("location",d)}})}],before:[{matcher(t){return t.path?.startsWith("/sign-in/social")},async handler(t){let i=new URL(e?.currentURL||t.request?.url||Kn()||t.context.baseURL);return t.body.callbackURL=`${i.origin}${t.context.options.basePath||"/api/auth"}/oauth-proxy-callback?callbackURL=${encodeURIComponent(t.body.callbackURL||t.context.baseURL)}`,{context:t}}}]}});var un=(e,t)=>({id:"custom-session",endpoints:{getSession:K("/get-session",{method:"GET",metadata:{CUSTOM_SESSION:!0}},async i=>{let o=await U(i);if(!o)return i.json(null);let r=await e(o);return i.json(r)})}});var Ke=require("zod");var Le=e=>{let t=e.plugins?.reduce((A,d)=>{let c=d.schema;if(!c)return A;for(let[l,u]of Object.entries(c))A[l]={fields:{...A[l]?.fields,...u.fields},modelName:u.modelName||l};return A},{}),i=e.rateLimit?.storage==="database",o={rateLimit:{modelName:e.rateLimit?.modelName||"rateLimit",fields:{key:{type:"string",fieldName:e.rateLimit?.fields?.key||"key"},count:{type:"number",fieldName:e.rateLimit?.fields?.count||"count"},lastRequest:{type:"number",fieldName:e.rateLimit?.fields?.lastRequest||"lastRequest"}}}},{user:r,session:n,account:a,...s}=t||{};return{user:{modelName:e.user?.modelName||"user",fields:{name:{type:"string",required:!0,fieldName:e.user?.fields?.name||"name"},email:{type:"string",unique:!0,required:!0,fieldName:e.user?.fields?.email||"email"},emailVerified:{type:"boolean",defaultValue:()=>!1,required:!0,fieldName:e.user?.fields?.emailVerified||"emailVerified"},image:{type:"string",required:!1,fieldName:e.user?.fields?.image||"image"},createdAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.updatedAt||"updatedAt"},...r?.fields,...e.user?.additionalFields},order:1},session:{modelName:e.session?.modelName||"session",fields:{expiresAt:{type:"date",required:!0,fieldName:e.session?.fields?.expiresAt||"expiresAt"},token:{type:"string",required:!0,fieldName:e.session?.fields?.token||"token",unique:!0},createdAt:{type:"date",required:!0,fieldName:e.session?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.session?.fields?.updatedAt||"updatedAt"},ipAddress:{type:"string",required:!1,fieldName:e.session?.fields?.ipAddress||"ipAddress"},userAgent:{type:"string",required:!1,fieldName:e.session?.fields?.userAgent||"userAgent"},userId:{type:"string",fieldName:e.session?.fields?.userId||"userId",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0},...n?.fields,...e.session?.additionalFields},order:2},account:{modelName:e.account?.modelName||"account",fields:{accountId:{type:"string",required:!0,fieldName:e.account?.fields?.accountId||"accountId"},providerId:{type:"string",required:!0,fieldName:e.account?.fields?.providerId||"providerId"},userId:{type:"string",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0,fieldName:e.account?.fields?.userId||"userId"},accessToken:{type:"string",required:!1,fieldName:e.account?.fields?.accessToken||"accessToken"},refreshToken:{type:"string",required:!1,fieldName:e.account?.fields?.refreshToken||"refreshToken"},idToken:{type:"string",required:!1,fieldName:e.account?.fields?.idToken||"idToken"},accessTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"accessTokenExpiresAt"},refreshTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"refreshTokenExpiresAt"},scope:{type:"string",required:!1,fieldName:e.account?.fields?.scope||"scope"},password:{type:"string",required:!1,fieldName:e.account?.fields?.password||"password"},createdAt:{type:"date",required:!0,fieldName:e.account?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.account?.fields?.updatedAt||"updatedAt"},...a?.fields},order:3},verification:{modelName:e.verification?.modelName||"verification",fields:{identifier:{type:"string",required:!0,fieldName:e.verification?.fields?.identifier||"identifier"},value:{type:"string",required:!0,fieldName:e.verification?.fields?.value||"value"},expiresAt:{type:"date",required:!0,fieldName:e.verification?.fields?.expiresAt||"expiresAt"},createdAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.updatedAt||"updatedAt"}},order:4},...s,...i?o:{}}};var ln=require("zod");var $t=require("kysely"),Go=require("kysely");var Ye={};function Wt(e){switch(e.constructor.name){case"ZodString":return"string";case"ZodNumber":return"number";case"ZodBoolean":return"boolean";case"ZodObject":return"object";case"ZodArray":return"array";default:return"string"}}function wo(e){let t=[];return e.metadata?.openapi?.parameters?(t.push(...e.metadata.openapi.parameters),t):(e.query instanceof Ke.ZodObject&&Object.entries(e.query.shape).forEach(([i,o])=>{o instanceof Ke.ZodSchema&&t.push({name:i,in:"query",schema:{type:Wt(o),..."minLength"in o&&o.minLength?{minLength:o.minLength}:{},description:o.description}})}),t)}function Zt(e){if(e.metadata?.openapi?.requestBody)return e.metadata.openapi.requestBody;if(e.body&&(e.body instanceof Ke.ZodObject||e.body instanceof Ke.ZodOptional)){let t=e.body.shape;if(!t)return;let i={},o=[];return Object.entries(t).forEach(([r,n])=>{n instanceof Ke.ZodSchema&&(i[r]={type:Wt(n),description:n.description},n instanceof Ke.ZodOptional||o.push(r))}),{required:e.body instanceof Ke.ZodOptional?!1:!!e.body,content:{"application/json":{schema:{type:"object",properties:i,required:o}}}}}}function Co(e){return{400:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Bad Request. Usually due to missing parameters, or invalid parameters."},401:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Unauthorized. Due to missing or invalid authentication."},403:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Forbidden. You do not have permission to access this resource or to perform this action."},404:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Not Found. The requested resource was not found."},429:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Too Many Requests. You have exceeded the rate limit. Try again later."},500:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Internal Server Error. This is a problem with the server that you cannot fix."},...e}}async function Gt(e,t){let i=Eo(e,{...t,plugins:[]}),o=Le(t),n={schemas:{...Object.entries(o).reduce((s,[A,d])=>{let c=A.charAt(0).toUpperCase()+A.slice(1);return s[c]={type:"object",properties:Object.entries(d.fields).reduce((l,[u,p])=>(l[u]={type:p.type},l),{})},s},{})}};Object.entries(i.api).forEach(([s,A])=>{let d=A.options;if(!d.metadata?.SERVER_ONLY&&(d.method==="GET"&&(Ye[A.path]={get:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:wo(d),responses:Co(d.metadata?.openapi?.responses)}}),d.method==="POST")){let c=Zt(d);Ye[A.path]={post:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:wo(d),...c?{requestBody:c}:{requestBody:{content:{"application/json":{schema:{type:"object",properties:{}}}}}},responses:Co(d.metadata?.openapi?.responses)}}}});for(let s of t.plugins||[]){if(s.id==="open-api")continue;let A=Eo(e,{...t,plugins:[s]}),d=Object.keys(A.api).map(c=>i.api[c]===void 0?A.api[c]:null).filter(c=>c!==null);Object.entries(d).forEach(([c,l])=>{let u=l.options;u.metadata?.SERVER_ONLY||(u.method==="GET"&&(Ye[l.path]={get:{tags:u.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:wo(u),responses:Co(u.metadata?.openapi?.responses)}}),u.method==="POST"&&(Ye[l.path]={post:{tags:u.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:wo(u),requestBody:Zt(u),responses:Co(u.metadata?.openapi?.responses)}}))})}return{openapi:"3.1.1",info:{title:"Better Auth",description:"API Reference for your Better Auth Instance"},components:n,security:[{apiKeyCookie:[]}],servers:[{url:e.baseURL}],tags:[{name:"Default",description:"Default endpoints that are included with Better Auth by default. These endpoints are not part of any plugin."}],paths:Ye}}var Jt=`<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
82
+ </html>`,Qi=K("/error",{method:"GET",metadata:{...we,openapi:{description:"Displays an error page",responses:{200:{description:"Success",content:{"text/html":{schema:{type:"string"}}}}}}}},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(br(t),{headers:{"Content-Type":"text/html"}})});var b=require("better-call");function Eo(e,t){let i=t.plugins?.reduce((s,A)=>({...s,...A.endpoints}),{}),o=t.plugins?.map(s=>s.middlewares?.map(A=>{let d=async c=>A.middleware({...c,context:{...e,...c.context}});return d.path=A.path,d.options=A.middleware.options,d.headers=A.middleware.headers,{path:A.path,middleware:d}})).filter(s=>s!==void 0).flat()||[],n={...{signInSocial:$i,callbackOAuth:Wi,getSession:Uo(),signOut:Gi,signUpEmail:Hi(),signInEmail:Zi,forgetPassword:Ji,resetPassword:Yi,verifyEmail:Vi,sendVerificationEmail:Fi,changeEmail:rt,changePassword:ot,setPassword:it,updateUser:et(),deleteUser:tt,forgetPasswordCallback:Xi,listSessions:Bi(),revokeSession:ji,revokeSessions:Ni,revokeOtherSessions:_i,linkSocialAccount:st,listUserAccounts:nt},...i,ok:Mi,error:Qi},a={};for(let[s,A]of Object.entries(n))a[s]=async(d={})=>{A.headers=new Headers;let c={setHeader(f,g){A.headers.set(f,g)},setCookie(f,g,C){(0,H.setCookie)(A.headers,f,g,C)},getCookie(f,g){let T=d.headers?.get("cookie");return(0,H.getCookie)(T||"",f,g)},getSignedCookie(f,g,C){let T=d.headers;return T?(0,H.getSignedCookie)(T,g,f,C):null},async setSignedCookie(f,g,C,T){await(0,H.setSignedCookie)(A.headers,f,g,C,T)},redirect(f){return A.headers.set("Location",f),new H.APIError("FOUND")},responseHeader:A.headers},l=await e,u={...c,...d,path:A.path,context:{...l,...d.context,endpoint:A}};l.session=null;let p=t.plugins||[];for(let f of p){let g=f.hooks?.before??[];for(let C of g){if(!C.matcher(u))continue;let T=await C.handler(u);if(T&&"context"in T){u={...u,...T.context};continue}if(T)return T}}let h;try{h=await A(u)}catch(f){if(f instanceof H.APIError){let g=t.plugins?.map(C=>{if(C.hooks?.after)return C.hooks.after}).filter(C=>C!==void 0).flat();if(!g?.length)throw f.headers=A.headers,f;u.context.returned=f,u.context.returned.headers=A.headers;for(let C of g||[])if(C.matcher(u))try{let N=await C.handler(u);N&&"response"in N&&(u.context.returned=N.response)}catch(N){if(N instanceof H.APIError){u.context.returned=N;continue}throw N}if(u.context.returned instanceof H.APIError)throw u.context.returned.headers=A.headers,u.context.returned;return u.context.returned}throw f}u.context.returned=h,u.responseHeader=A.headers;for(let f of t.plugins||[])if(f.hooks?.after){for(let g of f.hooks.after)if(g.matcher(u))try{let T=await g.handler(u);T&&(u.context.returned=T)}catch(T){if(T instanceof H.APIError){u.context.returned=T;continue}throw T}}let k=u.context.returned;return k instanceof Response&&A.headers.forEach((f,g)=>{g==="set-cookie"?k.headers.append(g,f):k.headers.set(g,f)}),k},a[s].path=A.path,a[s].method=A.method,a[s].options=A.options,a[s].headers=A.headers;return{api:a,middlewares:o}}async function Ue(e,{userInfo:t,account:i,callbackURL:o}){let r=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(s=>{throw G.error(`Better auth was unable to query your database.
83
+ Error: `,s),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=r?.user;if(r){let s=r.accounts.find(A=>A.providerId===i.providerId);if(s)await e.context.internalAdapter.updateAccount(s.id,{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt});else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(i.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Yo&&G.warn(`User already exist but account isn't linked to ${i.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:i.providerId,accountId:t.id.toString(),userId:r.user.id,accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope})}catch(c){return G.error("Unable to link account",c),{error:"unable to link account",data:null}}}}else try{let s=t.emailVerified||!1;if(n=await e.context.internalAdapter.createOAuthUser({...t,id:void 0,emailVerified:s,email:t.email.toLowerCase()},{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope,providerId:i.providerId,accountId:t.id.toString()}).then(A=>A?.user),!s&&n&&e.context.options.emailVerification?.sendOnSignUp){let A=await ue(e.context.secret,n.email),d=`${e.context.baseURL}/verify-email?token=${A}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:d,token:A},e.request)}}catch(s){return G.error("Unable to create user",s),{error:"unable to create user",data:null}}if(!n)return{error:"unable to create user",data:null};let a=await e.context.internalAdapter.createSession(n.id,e.request);return a?{data:{session:a,user:n},error:null}:{error:"unable to create session",data:null}}var $i=K("/sign-in/social",{method:"POST",query:x.z.object({currentURL:x.z.string().optional()}).optional(),body:x.z.object({callbackURL:x.z.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:x.z.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:x.z.enum(Ao,{description:"OAuth2 provider to use"}),disableRedirect:x.z.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:x.z.optional(x.z.object({token:x.z.string({description:"ID token from the provider"}),nonce:x.z.string({description:"Nonce used to generate the token"}).optional(),accessToken:x.z.string({description:"Access token from the provider"}).optional(),refreshToken:x.z.string({description:"Refresh token from the provider"}).optional(),expiresAt:x.z.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new F.APIError("NOT_FOUND",{message:"Provider not found"});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new F.APIError("NOT_FOUND",{message:"Provider does not support id token verification"});let{token:n,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(n,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new F.APIError("UNAUTHORIZED",{message:"Invalid id token"});let A=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!A||!A?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new F.APIError("UNAUTHORIZED",{message:"Failed to get user info"});if(!A.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new F.APIError("UNAUTHORIZED",{message:"User email not found"});let d=await Ue(e,{userInfo:{email:A.user.email,id:A.user.id,name:A.user.name||"",image:A.user.image,emailVerified:A.user.emailVerified||!1},account:{providerId:t.id,accountId:A.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new F.APIError("UNAUTHORIZED",{message:d.error});return await m(e,d.data),e.json({session:d.data.session,user:d.data.user,url:`${e.body.callbackURL||e.query?.currentURL||e.context.options.baseURL}`,redirect:!0})}let{codeVerifier:i,state:o}=await Oe(e),r=await t.createAuthorizationURL({state:o,codeVerifier:i,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:r.toString(),redirect:!e.body.disableRedirect})}),Zi=K("/sign-in/email",{method:"POST",body:x.z.object({email:x.z.string({description:"Email of the user"}),password:x.z.string({description:"Password of the user"}),callbackURL:x.z.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:x.z.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new F.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:i}=e.body;if(!x.z.string().email().safeParse(t).success)throw new F.APIError("BAD_REQUEST",{message:"Invalid email"});let r=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!r)throw await e.context.password.hash(i),e.context.logger.error("User not found",{email:t}),new F.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let n=r.accounts.find(d=>d.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new F.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let a=n?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new F.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(a,i))throw e.context.logger.error("Invalid password"),new F.APIError("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!r.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new F.APIError("UNAUTHORIZED",{message:"Email is not verified."});let d=await ue(e.context.secret,r.user.email),c=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:r.user,url:c,token:d},e.request),e.context.logger.error("Email not verified",{email:t}),new F.APIError("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let A=await e.context.internalAdapter.createSession(r.user.id,e.headers,e.body.rememberMe===!1);if(!A)throw e.context.logger.error("Failed to create session"),new F.APIError("UNAUTHORIZED",{message:"Failed to create session"});return await m(e,{session:A,user:r.user},e.body.rememberMe===!1),e.json({user:r.user,session:A,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var Ee=require("zod");var uo=Ee.z.object({code:Ee.z.string().optional(),error:Ee.z.string().optional(),errorMessage:Ee.z.string().optional(),state:Ee.z.string().optional()}),Wi=K("/callback/:id",{method:["GET","POST"],body:uo.optional(),query:uo.optional(),metadata:we},async e=>{let t;try{if(e.method==="GET")t=uo.parse(e.query);else if(e.method==="POST")t=uo.parse(e.body);else throw new Error("Unsupported method")}catch(g){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",g),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:i,error:o,state:r}=t;if(!r)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!i)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let n=e.context.socialProviders.find(g=>g.id===e.params.id);if(!n)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:s,link:A,errorURL:d}=await ao(e),c;try{c=await n.validateAuthorizationCode({code:i,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${n.id}`})}catch(g){throw e.context.logger.error("",g),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let l=await n.getUserInfo(c).then(g=>g?.user);function u(g){let C=d||s||`${e.context.baseURL}/error`;throw C.includes("?")?C=`${C}&error=${g}`:C=`${C}?error=${g}`,e.redirect(C)}if(!l)return e.context.logger.error("Unable to get user info"),u("unable_to_get_user_info");if(!l.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),u("email_not_found");if(!s)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(A){if(A.email!==l.email.toLowerCase())return u("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:A.userId,providerId:n.id,accountId:l.id}))return u("unable_to_link_account");let C;try{C=new URL(s).toString()}catch{C=s}throw e.redirect(C)}let p=await Ue(e,{userInfo:{id:l.id,email:l.email,name:l.name||"",image:l.image,emailVerified:l.emailVerified||!1},account:{providerId:n.id,accountId:l.id,...c,scope:c.scopes?.join(",")},callbackURL:s});if(p.error)return e.context.logger.error(p.error.split(" ").join("_")),u(p.error.split(" ").join("_"));let{session:h,user:k}=p.data;await m(e,{session:h,user:k});let f;try{f=new URL(s).toString()}catch{f=s}throw e.redirect(f)});var yA=require("zod");var at=require("better-call"),Gi=K("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw M(e),new at.APIError("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),M(e),e.json({success:!0})});var J=require("zod");var lo=require("better-call");function At(e,t,i){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}function kr(e,t,i){let o=new URL(t,e.baseURL);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}var Ji=K("/forget-password",{method:"POST",body:J.z.object({email:J.z.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:J.z.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new lo.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:i}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let r=60*60*1,n=I(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||r,"sec"),a=L(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:n});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${i}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:s,token:a},e.request),e.json({status:!0})}),Xi=K("/reset-password/:token",{method:"GET",query:J.z.object({callbackURL:J.z.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:i}=e.query;if(!t||!i)throw e.redirect(At(e.context,i,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(At(e.context,i,{error:"INVALID_TOKEN"})):e.redirect(kr(e.context,i,{token:t}))}),Yi=K("/reset-password",{query:J.z.optional(J.z.object({token:J.z.string().optional(),currentURL:J.z.string().optional()})),method:"POST",body:J.z.object({newPassword:J.z.string({description:"The new password to set"}),token:J.z.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new lo.APIError("BAD_REQUEST",{message:"Token not found"});let{newPassword:i}=e.body,o=`reset-password:${t}`,r=await e.context.internalAdapter.findVerificationValue(o);if(!r||r.expiresAt<new Date)throw new lo.APIError("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(r.id);let n=r.value,a=await e.context.password.hash(i);return(await e.context.internalAdapter.findAccounts(n)).find(d=>d.providerId==="credential")?(await e.context.internalAdapter.updatePassword(n,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:n,providerId:"credential",password:a,accountId:n}),e.json({status:!0}))});var _=require("zod");var Z=require("better-call");var et=()=>K("/update-user",{method:"POST",body:_.z.record(_.z.string(),_.z.any()),use:[v],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new Z.APIError("BAD_REQUEST",{message:"You can't update email"});let{name:i,image:o,...r}=t,n=e.context.session;if(!o&&!i&&Object.keys(r).length===0)return e.json({user:n.user});let a=co(e.context.options,r,"update"),s=await e.context.internalAdapter.updateUserByEmail(n.user.email,{name:i,image:o,...a});return await m(e,{session:n.session,user:s}),e.json({user:s})}),ot=K("/change-password",{method:"POST",body:_.z.object({newPassword:_.z.string({description:"The new password to set"}),currentPassword:_.z.string({description:"The current password"}),revokeOtherSessions:_.z.boolean({description:"Revoke all other sessions"}).optional()}),use:[v],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:i,revokeOtherSessions:o}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new Z.APIError("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new Z.APIError("BAD_REQUEST",{message:"Password too long"});let A=(await e.context.internalAdapter.findAccounts(r.user.id)).find(l=>l.providerId==="credential"&&l.password);if(!A||!A.password)throw new Z.APIError("BAD_REQUEST",{message:"User does not have a password"});let d=await e.context.password.hash(t);if(!await e.context.password.verify(A.password,i))throw new Z.APIError("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(A.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(r.user.id);let l=await e.context.internalAdapter.createSession(r.user.id,e.headers);if(!l)throw new Z.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await m(e,{session:l,user:r.user})}return e.json(r.user)}),it=K("/set-password",{method:"POST",body:_.z.object({newPassword:_.z.string()}),metadata:{SERVER_ONLY:!0},use:[v]},async e=>{let{newPassword:t}=e.body,i=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new Z.APIError("BAD_REQUEST",{message:"Password is too short"});let r=e.context.password.config.maxPasswordLength;if(t.length>r)throw e.context.logger.error("Password is too long"),new Z.APIError("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(A=>A.providerId==="credential"&&A.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:i.user.id,providerId:"credential",accountId:i.user.id,password:s}),e.json(i.user);throw new Z.APIError("BAD_REQUEST",{message:"user already has a password"})}),tt=K("/delete-user",{method:"POST",body:_.z.object({password:_.z.string({description:"The password of the user"})}),use:[qe],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{let t=e.context.session;return await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),M(e),e.json(null)}),rt=K("/change-email",{method:"POST",query:_.z.object({currentURL:_.z.string().optional()}).optional(),body:_.z.object({newEmail:_.z.string({description:"The new email to set"}).email(),callbackURL:_.z.string({description:"The URL to redirect to after email verification"}).optional()}),use:[v],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new Z.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new Z.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new Z.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let r=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:r,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new Z.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let i=await ue(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${i}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:i},e.request),e.json({user:null,status:!0})});var Pe=require("zod");var Po=require("better-call");var nt=K("/list-accounts",{method:"GET",use:[v],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let t=e.context.session,i=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(i.map(o=>({id:o.id,provider:o.providerId})))}),st=K("/link-social",{method:"POST",requireHeaders:!0,query:Pe.z.object({currentURL:Pe.z.string().optional()}).optional(),body:Pe.z.object({callbackURL:Pe.z.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:Pe.z.enum(Ao,{description:"The OAuth2 provider to use"})}),use:[v],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new Po.APIError("BAD_REQUEST",{message:"Social Account is already linked."});let r=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!r)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new Po.APIError("NOT_FOUND",{message:"Provider not found"});let n=await Oe(e,{userId:t.user.id,email:t.user.email}),a=await r.createAuthorizationURL({state:n.state,codeVerifier:n.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${r.id}`});return e.json({url:a.toString(),redirect:!0})});var dt=(e,t)=>{let i={};for(let[o,r]of Object.entries(e))i[o]=n=>r({...n,context:{...t,...n.context}}),i[o].path=r.path,i[o].method=r.method,i[o].options=r.options,i[o].headers=r.headers;return i};function po(e){let t=e;return{newRole(i){return Tr(i)}}}function Tr(e){return{statements:e,authorize(t,i){for(let[o,r]of Object.entries(t)){let n=e[o];return n?(i==="OR"?r.some(s=>n.includes(s)):r.every(s=>n.includes(s)))?{success:!0}:{success:!1,error:`Unauthorized to access resource "${o}"`}:{success:!1,error:`You are not allowed to access resource: ${o}`}}return{success:!1,error:"Not authorized"}}}}var Or={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},So=po(Or),Ir=So.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),Rr=So.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),Ur=So.newRole({organization:[],member:[],invitation:[]}),Kt={admin:Ir,owner:Rr,member:Ur};var B=(e,t)=>{let i=e.adapter;return{findOrganizationBySlug:async o=>await i.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let r=await i.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),n=await i.create({model:"member",data:{organizationId:r.id,userId:o.user.id,createdAt:new Date,role:t?.creatorRole||"owner"}});return{...r,metadata:r.metadata?JSON.parse(r.metadata):void 0,members:[{...n,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let r=await i.findOne({model:"user",where:[{field:"email",value:o.email}]});if(!r)return null;let n=await i.findOne({model:"member",where:[{field:"organizationId",value:o.organizationId},{field:"userId",value:r.id}]});return n?{...n,user:{id:r.id,name:r.name,email:r.email,image:r.image}}:null},findMemberByOrgId:async o=>{let[r,n]=await Promise.all([await i.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await i.findOne({model:"user",where:[{field:"id",value:o.userId}]})]);return!n||!r?null:{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}},findMemberById:async o=>{let r=await i.findOne({model:"member",where:[{field:"id",value:o}]});if(!r)return null;let n=await i.findOne({model:"user",where:[{field:"id",value:r.userId}]});return n?{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}:null},createMember:async o=>await i.create({model:"member",data:o}),updateMember:async(o,r)=>await i.update({model:"member",where:[{field:"id",value:o}],update:{role:r}}),deleteMember:async o=>await i.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,r)=>await i.update({model:"organization",where:[{field:"id",value:o}],update:r}),deleteOrganization:async o=>(await i.delete({model:"member",where:[{field:"organizationId",value:o}]}),await i.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await i.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,r)=>await e.internalAdapter.updateSession(o,{activeOrganizationId:r}),findOrganizationById:async o=>await i.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async o=>{let[r,n,a]=await Promise.all([i.findOne({model:"organization",where:[{field:"id",value:o}]}),i.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),i.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!r)return null;let s=a.map(l=>l.userId),A=await i.findMany({model:"user",where:[{field:"id",value:s,operator:"in"}]}),d=new Map(A.map(l=>[l.id,l])),c=a.map(l=>{let u=d.get(l.userId);if(!u)throw new X("Unexpected error: User not found for member");return{...l,user:{id:u.id,name:u.name,email:u.email,image:u.image}}});return{...r,invitations:n,members:c}},listOrganizations:async o=>{let r=await i.findMany({model:"member",where:[{field:"userId",value:o}]});if(!r||r.length===0)return[];let n=r.map(s=>s.organizationId);return await i.findMany({model:"organization",where:[{field:"id",value:n,operator:"in"}]})},createInvitation:async({invitation:o,user:r})=>{let a=I(t?.invitationExpiresIn||1728e5);return await i.create({model:"invitation",data:{email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:r.id}})},findInvitationById:async o=>await i.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await i.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(n=>new Date(n.expiresAt)>new Date),updateInvitation:async o=>await i.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};var cd=require("better-call");var j=R(async e=>({})),V=R({use:[v]},async e=>({session:e.context.session}));var W=require("zod");var E=require("zod");var ct=E.z.string(),Er=E.z.enum(["pending","accepted","rejected","canceled"]).default("pending"),fd=E.z.object({id:E.z.string().default(L),name:E.z.string(),slug:E.z.string(),logo:E.z.string().nullish(),metadata:E.z.record(E.z.string()).or(E.z.string().transform(e=>JSON.parse(e))).nullish(),createdAt:E.z.date()}),hd=E.z.object({id:E.z.string().default(L),organizationId:E.z.string(),userId:E.z.string(),role:ct,createdAt:E.z.date()}),yd=E.z.object({id:E.z.string().default(L),organizationId:E.z.string(),email:E.z.string(),role:ct,status:Er,inviterId:E.z.string(),expiresAt:E.z.date()});var z=require("better-call"),ut=e=>K("/organization/invite-member",{method:"POST",use:[j,V],body:W.z.object({email:W.z.string({description:"The email address of the user to invite"}),role:W.z.string({description:"The role to assign to the user"}),organizationId:W.z.string({description:"The organization ID to invite the user to"}).optional(),resend:W.z.boolean({description:"Resend the invitation email, if the user is already invited"}).optional()}),metadata:{openapi:{description:"Invite a user to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt"]}}}}}}}},async t=>{if(!t.context.orgOptions.sendInvitationEmail)throw t.context.logger.warn("Invitation email is not enabled. Pass `sendInvitationEmail` to the plugin options to enable it."),new z.APIError("BAD_REQUEST",{message:"Invitation email is not enabled"});let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)throw new z.APIError("BAD_REQUEST",{message:"Organization not found"});let r=B(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)throw new z.APIError("BAD_REQUEST",{message:"Member not found!"});let a=t.context.roles[n.role];if(!a)throw new z.APIError("BAD_REQUEST",{message:"Role not found!"});if(a.authorize({invitation:["create"]}).error)throw new z.APIError("FORBIDDEN",{message:"You are not allowed to invite members"});if(await r.findMemberByEmail({email:t.body.email,organizationId:o}))throw new z.APIError("BAD_REQUEST",{message:"User is already a member of this organization"});if((await r.findPendingInvitation({email:t.body.email,organizationId:o})).length&&!t.body.resend)throw new z.APIError("BAD_REQUEST",{message:"User is already invited to this organization"});let c=await r.createInvitation({invitation:{role:t.body.role,email:t.body.email,organizationId:o},user:i.user}),l=await r.findOrganizationById(o);if(!l)throw new z.APIError("BAD_REQUEST",{message:"Organization not found"});return await t.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:i.user}},t.request),t.json(c)}),lt=K("/organization/accept-invitation",{method:"POST",body:W.z.object({invitationId:W.z.string({description:"The ID of the invitation to accept"})}),use:[j,V],metadata:{openapi:{description:"Accept an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"object"}}}}}}}}}},async e=>{let t=e.context.session,i=B(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new z.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new z.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),n=await i.createMember({organizationId:o.organizationId,userId:t.user.id,role:o.role,createdAt:new Date});return await i.setActiveOrganization(t.session.token,o.organizationId),r?e.json({invitation:r,member:n}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),pt=K("/organization/reject-invitation",{method:"POST",body:W.z.object({invitationId:W.z.string({description:"The ID of the invitation to reject"})}),use:[j,V],metadata:{openapi:{description:"Reject an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"null"}}}}}}}}}},async e=>{let t=e.context.session,i=B(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new z.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new z.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:r,member:null})}),gt=K("/organization/cancel-invitation",{method:"POST",body:W.z.object({invitationId:W.z.string({description:"The ID of the invitation to cancel"})}),use:[j,V],openapi:{description:"Cancel an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"}}}}}}}}},async e=>{let t=e.context.session,i=B(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o)throw new z.APIError("BAD_REQUEST",{message:"Invitation not found!"});let r=await i.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!r)throw new z.APIError("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[r.role].authorize({invitation:["cancel"]}).error)throw new z.APIError("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await i.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),mt=K("/organization/get-invitation",{method:"GET",use:[j],requireHeaders:!0,query:W.z.object({id:W.z.string({description:"The ID of the invitation to get"})}),metadata:{openapi:{description:"Get an invitation by ID",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"},organizationName:{type:"string"},organizationSlug:{type:"string"},inviterEmail:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt","organizationName","organizationSlug","inviterEmail"]}}}}}}}},async e=>{let t=await U(e);if(!t)throw new z.APIError("UNAUTHORIZED",{message:"Not authenticated"});let i=B(e.context,e.context.orgOptions),o=await i.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new z.APIError("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new z.APIError("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.findOrganizationById(o.organizationId);if(!r)throw new z.APIError("BAD_REQUEST",{message:"Organization not found"});let n=await i.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!n)throw new z.APIError("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:r.name,organizationSlug:r.slug,inviterEmail:n.user.email})});var oe=require("zod");var ge=require("better-call");var ft=()=>K("/organization/add-member",{method:"POST",body:oe.z.object({userId:oe.z.string(),role:oe.z.string(),organizationId:oe.z.string().optional()}),use:[j],metadata:{SERVER_ONLY:!0}},async e=>{let t=e.body.userId?await U(e).catch(s=>null):null,i=e.body.organizationId||t?.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=B(e.context,e.context.orgOptions),r=await e.context.internalAdapter.findUserById(e.body.userId);if(!r)throw new ge.APIError("BAD_REQUEST",{message:"User not found!"});if(await o.findMemberByEmail({email:r.email,organizationId:i}))throw new ge.APIError("BAD_REQUEST",{message:"User is already a member of this organization"});let a=await o.createMember({id:L(),organizationId:i,userId:r.id,role:e.body.role,createdAt:new Date});return e.json(a)}),ht=K("/organization/remove-member",{method:"POST",body:oe.z.object({memberIdOrEmail:oe.z.string({description:"The ID or email of the member to remove"}),organizationId:oe.z.string({description:"The ID of the organization to remove the member from. If not provided, the active organization will be used"}).optional()}),use:[j,V],metadata:{openapi:{description:"Remove a member from an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async e=>{let t=e.context.session,i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=B(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)throw new ge.APIError("BAD_REQUEST",{message:"Member not found!"});let n=e.context.roles[r.role];if(!n)throw new ge.APIError("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||r.id===e.body.memberIdOrEmail;if(a&&r.role===(e.context.orgOptions?.creatorRole||"owner"))throw new ge.APIError("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||n.authorize({member:["delete"]}).success))throw new ge.APIError("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let d=null;if(e.body.memberIdOrEmail.includes("@")?d=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:i}):d=await o.findMemberById(e.body.memberIdOrEmail),d?.organizationId!==i)throw new ge.APIError("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(d.id),t.user.id===d.userId&&t.session.activeOrganizationId===d.organizationId&&await o.setActiveOrganization(t.session.token,null),e.json({member:d})}),yt=e=>K("/organization/update-member-role",{method:"POST",body:oe.z.object({role:oe.z.string(),memberId:oe.z.string(),organizationId:oe.z.string().optional()}),use:[j,V],metadata:{openapi:{description:"Update the role of a member in an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async t=>{let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)return t.json(null,{status:400,body:{message:"No active organization found!"}});let r=B(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)return t.json(null,{status:400,body:{message:"Member not found!"}});let a=t.context.roles[n.role];if(!a)return t.json(null,{status:400,body:{message:"Role not found!"}});if(a.authorize({member:["update"]}).error||t.body.role==="owner"&&n.role!=="owner")return t.json(null,{body:{message:"You are not allowed to update this member"},status:403});let A=await r.updateMember(t.body.memberId,t.body.role);return A?t.json(A):t.json(null,{status:400,body:{message:"Member not found!"}})}),wt=K("/organization/get-active-member",{method:"GET",use:[j,V],metadata:{openapi:{description:"Get the active member in the organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}}}}}}}},async e=>{let t=e.context.session,i=t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let r=await B(e.context,e.context.orgOptions).findMemberByOrgId({userId:t.user.id,organizationId:i});return r?e.json(r):e.json(null,{status:400,body:{message:"Member not found!"}})});var S=require("zod");var me=require("better-call");var Ct=K("/organization/create",{method:"POST",body:S.z.object({name:S.z.string({description:"The name of the organization"}),slug:S.z.string({description:"The slug of the organization"}),userId:S.z.string({description:"The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server."}).optional(),logo:S.z.string({description:"The logo of the organization"}).optional(),metadata:S.z.record(S.z.string(),S.z.any(),{description:"The metadata of the organization"}).optional()}),use:[j,V],metadata:{openapi:{description:"Create an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization that was created",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let i=e.context.orgOptions;if(!(typeof i?.allowUserToCreateOrganization=="function"?await i.allowUserToCreateOrganization(t):i?.allowUserToCreateOrganization===void 0?!0:i.allowUserToCreateOrganization))throw new me.APIError("FORBIDDEN",{message:"You are not allowed to create an organization"});let r=B(e.context,i),n=await r.listOrganizations(t.id);if(typeof i.organizationLimit=="number"?n.length>=i.organizationLimit:typeof i.organizationLimit=="function"?await i.organizationLimit(t):!1)throw new me.APIError("FORBIDDEN",{message:"You have reached the organization limit"});if(await r.findOrganizationBySlug(e.body.slug))throw new me.APIError("BAD_REQUEST",{message:"Organization with this slug already exists"});let A=await r.createOrganization({organization:{id:L(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return await r.setActiveOrganization(e.context.session.session.token,A.id),e.json(A)}),bt=K("/organization/update",{method:"POST",body:S.z.object({data:S.z.object({name:S.z.string({description:"The name of the organization"}).optional(),slug:S.z.string({description:"The slug of the organization"}).optional(),logo:S.z.string({description:"The logo of the organization"}).optional()}).partial(),organizationId:S.z.string().optional()}),requireHeaders:!0,use:[j],metadata:{openapi:{description:"Update an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The updated organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)throw new me.APIError("UNAUTHORIZED",{message:"User not found"});let i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=B(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(i,e.body.data);return e.json(s)}),vt=K("/organization/delete",{method:"POST",body:S.z.object({organizationId:S.z.string({description:"The organization id to delete"})}),requireHeaders:!0,use:[j],metadata:{openapi:{description:"Delete an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string",description:"The organization id that was deleted"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let i=e.body.organizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=B(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["delete"]}).error)throw new me.APIError("FORBIDDEN",{message:"You are not allowed to delete this organization"});return i===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.token,null),await o.deleteOrganization(i),e.json(i)}),kt=K("/organization/get-full-organization",{method:"GET",query:S.z.optional(S.z.object({organizationId:S.z.string({description:"The organization id to get"}).optional()})),requireHeaders:!0,use:[j,V],metadata:{openapi:{description:"Get the full organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session,i=e.query?.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:200});let r=await B(e.context,e.context.orgOptions).findFullOrganization(i);if(!r)throw new me.APIError("BAD_REQUEST",{message:"Organization not found"});return e.json(r)}),Tt=K("/organization/set-active",{method:"POST",body:S.z.object({organizationId:S.z.string({description:"The organization id to set as active. Can be null to unset the active organization"}).nullable().optional()}),use:[V,j],metadata:{openapi:{description:"Set the active organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=B(e.context,e.context.orgOptions),i=e.context.session,o=e.body.organizationId;if(o===null){if(!i.session.activeOrganizationId)return e.json(null);let A=await t.setActiveOrganization(i.session.token,null);return await m(e,{session:A,user:i.user}),e.json(null)}if(!o){let s=i.session.activeOrganizationId;if(!s)return e.json(null);o=s}if(!await t.findMemberByOrgId({userId:i.user.id,organizationId:o}))throw await t.setActiveOrganization(i.session.token,null),new me.APIError("FORBIDDEN",{message:"You are not a member of this organization"});let n=await t.setActiveOrganization(i.session.token,o);await m(e,{session:n,user:i.user});let a=await t.findFullOrganization(o);return e.json(a)}),Ot=K("/organization/list",{method:"GET",use:[j,V],metadata:{openapi:{description:"List all organizations",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{$ref:"#/components/schemas/Organization"}}}}}}}}},async e=>{let i=await B(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(i)});var Pr=po({name:["action"]}),Zd=Pr.newRole({name:["action"]}),Sr=e=>{let t={createOrganization:Ct,updateOrganization:bt,deleteOrganization:vt,setActiveOrganization:Tt,getFullOrganization:kt,listOrganizations:Ot,createInvitation:ut(e),cancelInvitation:gt,acceptInvitation:lt,getInvitation:mt,rejectInvitation:pt,addMember:ft(),removeMember:ht,updateMemberRole:yt(e),getActiveMember:wt},i={...Kt,...e?.roles};return{id:"organization",endpoints:{...dt(t,{orgOptions:e||{},roles:i,getSession:async r=>await U(r)}),hasPermission:K("/organization/has-permission",{method:"POST",requireHeaders:!0,body:Se.z.object({permission:Se.z.record(Se.z.string(),Se.z.array(Se.z.string()))}),use:[V],metadata:{openapi:{description:"Check if the user has permission",requestBody:{content:{"application/json":{schema:{type:"object",properties:{permission:{type:"object",description:"The permission to check"}},required:["permission"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{error:{type:"string"},success:{type:"boolean"}},required:["success"]}}}}}}}},async r=>{if(!r.context.session.session.activeOrganizationId)throw new Do.APIError("BAD_REQUEST",{message:"No active organization"});let a=await B(r.context).findMemberByOrgId({userId:r.context.session.user.id,organizationId:r.context.session.session.activeOrganizationId||""});if(!a)throw new Do.APIError("UNAUTHORIZED",{message:"You are not a member of this organization"});let A=i[a.role].authorize(r.body.permission);return A.error?r.json({error:A.error,success:!1},{status:403}):r.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1,fieldName:e?.schema?.session?.fields?.activeOrganizationId}}},organization:{modelName:e?.schema?.organization?.modelName,fields:{name:{type:"string",required:!0,fieldName:e?.schema?.organization?.fields?.name},slug:{type:"string",unique:!0,fieldName:e?.schema?.organization?.fields?.slug},logo:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.logo},createdAt:{type:"date",required:!0,fieldName:e?.schema?.organization?.fields?.createdAt},metadata:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.metadata}}},member:{modelName:e?.schema?.member?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.member?.fields?.organizationId},userId:{type:"string",required:!0,fieldName:e?.schema?.member?.fields?.userId,references:{model:"user",field:"id"}},role:{type:"string",required:!0,defaultValue:"member",fieldName:e?.schema?.member?.fields?.role},createdAt:{type:"date",required:!0,fieldName:e?.schema?.member?.fields?.createdAt}}},invitation:{modelName:e?.schema?.invitation?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.invitation?.fields?.organizationId},email:{type:"string",required:!0,fieldName:e?.schema?.invitation?.fields?.email},role:{type:"string",required:!1,fieldName:e?.schema?.invitation?.fields?.role},status:{type:"string",required:!0,defaultValue:"pending",fieldName:e?.schema?.invitation?.fields?.status},expiresAt:{type:"date",required:!0,fieldName:e?.schema?.invitation?.fields?.expiresAt},inviterId:{type:"string",references:{model:"user",field:"id"},fieldName:e?.schema?.invitation?.fields?.inviterId,required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};var xo=Xo(require("uncrypto"),1);function Dr(e){return e.toString(2).padStart(8,"0")}function xr(e){return[...e].map(t=>Dr(t)).join("")}function It(e){return parseInt(xr(e),2)}function zr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,i=t%8,o=new Uint8Array(Math.ceil(t/8));xo.default.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1);let r=It(o);for(;r>=e;)xo.default.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1),r=It(o);return r}function Q(e,t){let i="";for(let o=0;o<e;o++)i+=t[zr(t.length)];return i}function $(...e){let t=new Set(e),i="";for(let o of t)o==="a-z"?i+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?i+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?i+="0123456789":i+=o;return i}var We=require("zod");var Bo=require("@noble/ciphers/chacha"),De=require("@noble/ciphers/utils"),jo=require("@noble/ciphers/webcrypto"),No=require("oslo/crypto"),zo=Xo(require("uncrypto"),1);var Rt=require("oslo/encoding");var Br=require("@noble/hashes/scrypt"),jr=require("uncrypto");async function He(e,t){let i=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},r=await zo.default.subtle.importKey("raw",i.encode(e),o,!1,["sign","verify"]),n=await zo.default.subtle.sign(o.name,r,i.encode(t));return btoa(String.fromCharCode(...new Uint8Array(n)))}var le=async({key:e,data:t})=>{let i=await(0,No.sha256)(new TextEncoder().encode(e)),o=(0,De.utf8ToBytes)(t),r=(0,jo.managedNonce)(Bo.xchacha20poly1305)(new Uint8Array(i));return(0,De.bytesToHex)(r.encrypt(o))},fe=async({key:e,data:t})=>{let i=await(0,No.sha256)(new TextEncoder().encode(e)),o=(0,De.hexToBytes)(t),r=(0,jo.managedNonce)(Bo.xchacha20poly1305)(new Uint8Array(i));return new TextDecoder().decode(r.decrypt(o))};var Ae=require("zod");var xe=require("better-call");var go="two_factor";var mo="trust_device";var _o=require("zod");var be=R({body:_o.z.object({trustDevice:_o.z.boolean().optional()})},async e=>{let t=await U(e);if(!t){let i=e.context.createAuthCookie(go),o=await e.getSignedCookie(i.name,e.context.secret);if(!o)throw new xe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let r=await e.context.internalAdapter.findUserById(o);if(!r)throw new xe.APIError("UNAUTHORIZED",{message:"invalid two factor cookie"});let n=await e.context.internalAdapter.createSession(o,e.request);if(!n)throw new xe.APIError("INTERNAL_SERVER_ERROR",{message:"failed to create session"});return{valid:async()=>{if(await m(e,{session:n,user:r}),e.body.trustDevice){let a=e.context.createAuthCookie(mo,{maxAge:2592e3}),s=await He(e.context.secret,`${r.id}!${n.token}`);await e.setSignedCookie(a.name,`${s}!${n.token}`,e.context.secret,a.attributes)}return e.json({session:n,user:r})},invalid:async()=>{throw new xe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:n.token,userId:n.userId,expiresAt:n.expiresAt,user:r}}}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new xe.APIError("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});var ze=require("better-call");function Nr(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>Q(e?.length??10,$("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function Lo(e,t){let i=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():Nr(),r=await le({data:JSON.stringify(o),key:i});return{backupCodes:o,encryptedBackupCodes:r}}async function _r(e,t){let i=await Ut(e.backupCodes,t);return i?{status:i.includes(e.code),updated:i.filter(o=>o!==e.code)}:{status:!1,updated:null}}async function Ut(e,t){let i=Buffer.from(await fe({key:t,data:e})).toString("utf-8"),o=JSON.parse(i),r=Ae.z.array(Ae.z.string()).safeParse(o);return r.success?r.data:null}var Et=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:K("/two-factor/verify-backup-code",{method:"POST",body:Ae.z.object({code:Ae.z.string(),disableSession:Ae.z.boolean().optional()}),use:[be]},async i=>{let o=i.context.session.user,r=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!r)throw new ze.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});let n=await _r({backupCodes:r.backupCodes,code:i.body.code},i.context.secret);if(!n.status)throw new ze.APIError("UNAUTHORIZED",{message:"Invalid backup code"});let a=await le({key:i.context.secret,data:JSON.stringify(n.updated)});return await i.context.adapter.update({model:t,update:{backupCodes:a},where:[{field:"userId",value:o.id}]}),i.body.disableSession||await m(i,{session:i.context.session.session,user:o}),i.json({user:o,session:i.context.session})}),generateBackupCodes:K("/two-factor/generate-backup-codes",{method:"POST",body:Ae.z.object({password:Ae.z.string()}),use:[v]},async i=>{let o=i.context.session.user;if(!o.twoFactorEnabled)throw new ze.APIError("BAD_REQUEST",{message:"Two factor isn't enabled"});await i.context.password.checkPassword(o.id,i);let r=await Lo(i.context.secret,e);return await i.context.adapter.update({model:t,update:{backupCodes:r.encryptedBackupCodes},where:[{field:"userId",value:i.context.session.user.id}]}),i.json({status:!0,backupCodes:r.backupCodes})}),viewBackupCodes:K("/two-factor/view-backup-codes",{method:"GET",body:Ae.z.object({userId:Ae.z.string()}),metadata:{SERVER_ONLY:!0}},async i=>{let o=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:i.body.userId}]});if(!o)throw new ze.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});let r=await Ut(o.backupCodes,i.context.secret);if(!r)throw new ze.APIError("BAD_REQUEST",{message:"Backup codes aren't enabled"});return i.json({status:!0,backupCodes:r})})}});var Qe=require("better-call"),Pt=require("oslo/otp"),Fo=require("zod");var St=require("oslo"),Dt=(e,t)=>{let i={...e,period:new St.TimeSpan(e?.period||3,"m")},o=new Pt.TOTPController({digits:6,period:i.period}),r=K("/two-factor/send-otp",{method:"POST",use:[be]},async a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new Qe.APIError("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new Qe.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});let d=await o.generate(Buffer.from(A.secret));return await e.sendOTP({user:s,otp:d},a.request),a.json({status:!0})}),n=K("/two-factor/verify-otp",{method:"POST",body:Fo.z.object({code:Fo.z.string()}),use:[be]},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new Qe.APIError("BAD_REQUEST",{message:"two factor isn't enabled"});let A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new Qe.APIError("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(A.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{sendTwoFactorOTP:r,verifyTwoFactorOTP:n}}};var ve=require("better-call"),xt=require("oslo"),Ze=require("oslo/otp"),$e=require("zod");var zt=(e,t)=>{let i={...e,digits:6,period:new xt.TimeSpan(e?.period||30,"s")},o=K("/totp/generate",{method:"POST",use:[v]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new ve.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new ve.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Ze.TOTPController(i).generate(Buffer.from(A.secret))}}),r=K("/two-factor/get-totp-uri",{method:"POST",use:[v],body:$e.z.object({password:$e.z.string()})},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new ve.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A||!s.twoFactorEnabled)throw new ve.APIError("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:(0,Ze.createTOTPKeyURI)(e.issuer||a.context.appName,s.email,Buffer.from(A.secret),i)}}),n=K("/two-factor/verify-totp",{method:"POST",body:$e.z.object({code:$e.z.string()}),use:[be]},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new ve.APIError("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,A=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!A)throw new ve.APIError("BAD_REQUEST",{message:"totp isn't enabled"});let d=new Ze.TOTPController(i),c=await fe({key:a.context.secret,data:A.secret}),l=Buffer.from(c);if(!await d.verify(a.body.code,l))return a.context.invalid();if(!s.twoFactorEnabled){let p=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),h=await a.context.internalAdapter.createSession(s.id,a.request,!1,a.context.session.session).catch(k=>{throw console.log(k),k});await a.context.internalAdapter.deleteSession(a.context.session.session.token),await m(a,{session:h,user:p})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,getTOTPURI:r,verifyTOTP:n}}};var Lr=require("better-call");async function Vo(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),r=o?.password;return!o||!r?!1:await e.context.password.verify(r,t.password)}var qo=require("better-call"),Nt=require("oslo/otp"),_t=require("oslo");var Bt=require("better-call"),Be=async e=>{let t=e.context.returned;return t?t instanceof Response?t.status!==200?null:await t.clone().json():t instanceof Bt.APIError?null:t:null};var jt={user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}};var Fr=e=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&e?.onTwoFactorRedirect&&await e.onTwoFactorRedirect()}}}]});var Vr=e=>{let t={twoFactorTable:"twoFactor"},i=zt({issuer:e?.issuer,...e?.totpOptions},t.twoFactorTable),o=Et({...e?.backupCodeOptions},t.twoFactorTable),r=Dt({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...i.endpoints,...r.endpoints,...o.endpoints,enableTwoFactor:K("/two-factor/enable",{method:"POST",body:We.z.object({password:We.z.string().min(8)}),use:[v]},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await Vo(n,{password:s,userId:a.id}))throw new qo.APIError("BAD_REQUEST",{message:"Invalid password"});let d=Q(16,$("a-z","0-9","-")),c=await le({key:n.context.secret,data:d}),l=await Lo(n.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let p=await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),h=await n.context.internalAdapter.createSession(p.id,n.request,!1,n.context.session.session);await m(n,{session:h,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token)}await n.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await n.context.adapter.create({model:t.twoFactorTable,data:{secret:c,backupCodes:l.encryptedBackupCodes,userId:a.id}});let u=(0,Nt.createTOTPKeyURI)(e?.issuer||"BetterAuth",a.email,Buffer.from(d),{digits:e?.totpOptions?.digits||6,period:new _t.TimeSpan(e?.totpOptions?.period||30,"s")});return n.json({totpURI:u,backupCodes:l.backupCodes})}),disableTwoFactor:K("/two-factor/disable",{method:"POST",body:We.z.object({password:We.z.string().min(8)}),use:[v]},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await Vo(n,{password:s,userId:a.id}))throw new qo.APIError("BAD_REQUEST",{message:"Invalid password"});await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await n.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]});let d=await n.context.internalAdapter.createSession(a.id,n.request,!1,n.context.session.session);return await m(n,{session:d,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token),n.json({status:!0})})},options:e,hooks:{after:[{matcher(n){return n.path==="/sign-in/email"||n.path==="/sign-in/username"},handler:R(async n=>{let a=await Be(n);if(!a||!a.user.twoFactorEnabled)return;let s=n.context.createAuthCookie(mo),A=await n.getSignedCookie(s.name,n.context.secret);if(A){let[c,l]=A.split("!"),u=await He(n.context.secret,`${a.user.id}!${l}`);if(c===u){let p=await He(n.context.secret,`${a.user.id}!${a.session.token}`);await n.setSignedCookie(s.name,`${p}!${a.session.token}`,n.context.secret,s.attributes);return}}M(n),await n.context.internalAdapter.deleteSession(a.session.token);let d=n.context.createAuthCookie(go,{maxAge:60*10});return await n.setSignedCookie(d.name,a.user.id,n.context.secret,d.attributes),n.json({twoFactorRedirect:!0})})}]},schema:ee(jt,e?.schema),rateLimit:[{pathMatcher(n){return n.startsWith("/two-factor/")},window:10,max:3}]}};var he=require("@simplewebauthn/server"),ie=require("better-call");var de=require("zod");var je=require("@simplewebauthn/browser");var Mr=require("@better-fetch/fetch");var sc=require("nanostores");var ZK=require("@better-fetch/fetch");var qr=require("nanostores");var GK=require("@better-fetch/fetch"),fo=require("nanostores"),Mo=(e,t,i,o)=>{let r=(0,fo.atom)({data:null,error:null,isPending:!0,isRefetching:!1}),n=()=>{let s=typeof o=="function"?o({data:r.get().data,error:r.get().error,isPending:r.get().isPending}):o;return i(t,{...s,async onSuccess(A){r.set({data:A.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(A)},async onError(A){r.set({error:A.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(A)},async onRequest(A){let d=r.get();r.set({isPending:d.data===null,data:d.data,error:null,isRefetching:!0}),await s?.onRequest?.(A)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?n():(0,fo.onMount)(r,()=>(n(),a=!0,()=>{r.off(),s.off()}))});return r};var Lt=require("nanostores"),Ft=(e,{$listPasskeys:t})=>({signIn:{passkey:async(r,n)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:r?.email}});if(!a.data)return a;try{let s=await(0,je.startAuthentication)(a.data,r?.autoFill||!1),A=await e("/passkey/verify-authentication",{body:{response:s},...r?.fetchOptions,...n,method:"POST"});if(!A.data)return A}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(r,n)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await(0,je.startRegistration)(a.data),A=await e("/passkey/verify-registration",{...r?.fetchOptions,...n,body:{response:s,name:r?.name},method:"POST"});if(!A.data)return A;t.set(Math.random())}catch(s){return s instanceof je.WebAuthnError?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),Hr=()=>{let e=(0,Lt.atom)();return{id:"passkey",$InferServerPlugin:{},getActions:t=>Ft(t,{$listPasskeys:e}),getAtoms(t){return{listPasskeys:Mo(e,"/passkey/list-user-passkeys",t,{method:"GET"}),$listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var Qr=e=>{let t=re.BETTER_AUTH_URL,i=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!i)throw new X("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:i,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},r=new Date(Date.now()+1e3*60*5),n=new Date,a=Math.floor((r.getTime()-n.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:K("/passkey/generate-register-options",{method:"GET",use:[qe],metadata:{client:!1}},async s=>{let A=s.context.session,d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:A.user.id}]}),c=new Uint8Array(Buffer.from(Q(32,$("a-z","0-9")))),l;l=await(0,he.generateRegistrationOptions)({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:c,userName:A.user.email||A.user.id,attestationType:"none",excludeCredentials:d.map(p=>({id:p.id,transports:p.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let u=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,u,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:u,value:JSON.stringify({expectedChallenge:l.challenge,userData:{id:A.user.id}}),expiresAt:r}),s.json(l,{status:200})}),generatePasskeyAuthenticationOptions:K("/passkey/generate-authenticate-options",{method:"POST",body:de.z.object({email:de.z.string().optional()}).optional()},async s=>{let A=await U(s),d=[];A&&(d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:A.user.id}]}));let c=await(0,he.generateAuthenticationOptions)({rpID:o.rpID,userVerification:"preferred",...d.length?{allowCredentials:d.map(p=>({id:p.id,transports:p.transports?.split(",")}))}:{}}),l={expectedChallenge:c.challenge,userData:{id:A?.user.id||""}},u=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,u,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:u,value:JSON.stringify(l),expiresAt:r}),s.json(c,{status:200})}),verifyPasskeyRegistration:K("/passkey/verify-registration",{method:"POST",body:de.z.object({response:de.z.any(),name:de.z.string().optional()}),use:[qe]},async s=>{let A=e?.origin||s.headers?.get("origin")||"";if(!A)return s.json(null,{status:400});let d=s.body.response,c=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!c)throw new ie.APIError("BAD_REQUEST",{message:"Challenge not found"});let l=await s.context.internalAdapter.findVerificationValue(c);if(!l)return s.json(null,{status:400});let{expectedChallenge:u,userData:p}=JSON.parse(l.value);if(p.id!==s.context.session.user.id)throw new ie.APIError("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let h=await(0,he.verifyRegistrationResponse)({response:d,expectedChallenge:u,expectedOrigin:A,expectedRPID:e?.rpID}),{verified:k,registrationInfo:f}=h;if(!k||!f)return s.json(null,{status:400});let{credentialID:g,credentialPublicKey:C,counter:T,credentialDeviceType:N,credentialBackedUp:eo}=f,Xt=Buffer.from(C).toString("base64"),Yt={name:s.body.name,userId:p.id,webauthnUserID:s.context.generateId({model:"passkey"}),id:g,publicKey:Xt,counter:T,deviceType:N,transports:d.response.transports.join(","),backedUp:eo,createdAt:new Date},er=await s.context.adapter.create({model:"passkey",data:Yt});return s.json(er,{status:200})}catch(h){throw console.log(h),new ie.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:K("/passkey/verify-authentication",{method:"POST",body:de.z.object({response:de.z.any()})},async s=>{let A=e?.origin||s.headers?.get("origin")||"";if(!A)throw new ie.APIError("BAD_REQUEST",{message:"origin missing"});let d=s.body.response,c=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!c)throw new ie.APIError("BAD_REQUEST",{message:"Challenge not found"});let l=await s.context.internalAdapter.findVerificationValue(c);if(!l)throw new ie.APIError("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:u}=JSON.parse(l.value),p=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:d.id}]});if(!p)throw new ie.APIError("UNAUTHORIZED",{message:"Passkey not found"});try{let h=await(0,he.verifyAuthenticationResponse)({response:d,expectedChallenge:u,expectedOrigin:A,expectedRPID:o.rpID,authenticator:{credentialID:p.id,credentialPublicKey:new Uint8Array(Buffer.from(p.publicKey,"base64")),counter:p.counter,transports:p.transports?.split(",")}}),{verified:k}=h;if(!k)throw new ie.APIError("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:p.id}],update:{counter:h.authenticationInfo.newCounter}});let f=await s.context.internalAdapter.createSession(p.userId,s.request);if(!f)throw new ie.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let g=await s.context.internalAdapter.findUserById(p.userId);if(!g)throw new ie.APIError("INTERNAL_SERVER_ERROR",{message:"User not found"});return await m(s,{session:f,user:g}),s.json({session:f},{status:200})}catch(h){throw s.context.logger.error("Failed to verify authentication",h),new ie.APIError("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:K("/passkey/list-user-passkeys",{method:"GET",use:[v]},async s=>{let A=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(A,{status:200})}),deletePasskey:K("/passkey/delete-passkey",{method:"POST",body:de.z.object({id:de.z.string()}),use:[v]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:ee($r,e?.schema)}},$r={passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}};var Ge=require("zod");var Je=require("better-call");var Ho=()=>({id:"username",endpoints:{signInUsername:K("/sign-in/username",{method:"POST",body:Ge.z.object({username:Ge.z.string(),password:Ge.z.string(),rememberMe:Ge.z.boolean().optional()})},async e=>{let t=await e.context.adapter.findOne({model:"user",where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:Ho}),new Je.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let i=await e.context.adapter.findOne({model:"account",where:[{field:"userId",value:t.id},{field:"providerId",value:"credential"}]});if(!i)throw new Je.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let o=i?.password;if(!o)throw e.context.logger.error("Password not found",{username:Ho}),new Je.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new Je.APIError("UNAUTHORIZED",{message:"Invalid username or password"});let n=await e.context.internalAdapter.createSession(t.id,e.request,e.body.rememberMe===!1);return n?(await m(e,{session:n,user:t},e.body.rememberMe===!1),e.json({user:t,session:n})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});var Vt=require("better-call"),Zr=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let i="";return t.includes(".")?i=t:i=await(0,Vt.serializeSigned)("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),{context:e}}}]}});var ke=require("zod");var Qo=require("better-call");var Wr=e=>({id:"magic-link",endpoints:{signInMagicLink:K("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ke.z.object({email:ke.z.string().email(),callbackURL:ke.z.string().optional()})},async t=>{let{email:i}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(i))throw new Qo.APIError("BAD_REQUEST",{message:"User not found"});let o=Q(32,$("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:i,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let r=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:i,url:r,token:o},t.request)}catch(n){throw t.context.logger.error("Failed to send magic link",n),new Qo.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:K("/magic-link/verify",{method:"GET",query:ke.z.object({token:ke.z.string(),callbackURL:ke.z.string().optional()}),requireHeaders:!0},async t=>{let{token:i,callbackURL:o}=t.query,r=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,n=await t.context.internalAdapter.findVerificationValue(i);if(!n)throw t.redirect(`${r}?error=INVALID_TOKEN`);if(n.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(n.id),t.redirect(`${r}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(n.id);let a=n.value,s=await t.context.internalAdapter.findUserByEmail(a),A=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${r}?error=USER_NOT_FOUND`);if(A=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!A)throw t.redirect(`${r}?error=USER_NOT_CREATED`)}let d=await t.context.internalAdapter.createSession(A,t.headers);if(!d)throw t.redirect(`${r}?error=SESSION_NOT_CREATED`);if(await m(t,{session:d,user:s?.user}),!o)return t.json({session:d,user:s?.user});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});var te=require("zod");var q=require("better-call");function Gr(e){return Q(e,$("0-9"))}var Jr=e=>{let t={expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6,...e,phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt"};return{id:"phone-number",endpoints:{signInPhoneNumber:K("/sign-in/phone-number",{method:"POST",body:te.z.object({phoneNumber:te.z.string(),password:te.z.string(),rememberMe:te.z.boolean().optional()})},async i=>{let{password:o,phoneNumber:r}=i.body;if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new q.APIError("BAD_REQUEST",{message:"Invalid phone number!"});let n=await i.context.adapter.findOne({model:"user",where:[{field:"phoneNumber",value:r}]});if(!n)throw new q.APIError("UNAUTHORIZED",{message:"Invalid phone number or password"});let s=(await i.context.internalAdapter.findAccountByUserId(n.id)).find(l=>l.providerId==="credential");if(!s)throw i.context.logger.error("Credential account not found",{phoneNumber:r}),new q.APIError("UNAUTHORIZED",{message:"Invalid password or password"});let A=s?.password;if(!A)throw i.context.logger.error("Password not found",{phoneNumber:r}),new q.APIError("UNAUTHORIZED",{message:"Unexpected error"});if(!await i.context.password.verify(A,o))throw i.context.logger.error("Invalid password"),new q.APIError("UNAUTHORIZED",{message:"Invalid email or password"});let c=await i.context.internalAdapter.createSession(n.id,i.headers,i.body.rememberMe===!1);if(!c)throw i.context.logger.error("Failed to create session"),new q.APIError("UNAUTHORIZED",{message:"Failed to create session"});return await m(i,{session:c,user:n},i.body.rememberMe===!1),i.json({user:n,session:c})}),sendPhoneNumberOTP:K("/phone-number/send-otp",{method:"POST",body:te.z.object({phoneNumber:te.z.string()})},async i=>{if(!e?.sendOTP)throw i.context.logger.warn("sendOTP not implemented"),new q.APIError("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new q.APIError("BAD_REQUEST",{message:"Invalid phone number!"});let o=Gr(t.otpLength);return await i.context.internalAdapter.createVerificationValue({value:o,identifier:i.body.phoneNumber,expiresAt:I(t.expiresIn,"sec")}),await e.sendOTP({phoneNumber:i.body.phoneNumber,code:o},i.request),i.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:K("/phone-number/verify",{method:"POST",body:te.z.object({phoneNumber:te.z.string(),code:te.z.string(),disableSession:te.z.boolean().optional(),updatePhoneNumber:te.z.boolean().optional()})},async i=>{let o=await i.context.internalAdapter.findVerificationValue(i.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await i.context.internalAdapter.deleteVerificationValue(o.id),new q.APIError("BAD_REQUEST",{message:"OTP expired"})):new q.APIError("BAD_REQUEST",{message:"OTP not found"});if(o.value!==i.body.code)throw new q.APIError("BAD_REQUEST",{message:"Invalid OTP"});if(await i.context.internalAdapter.deleteVerificationValue(o.id),i.body.updatePhoneNumber){let n=await U(i);if(!n)throw new q.APIError("UNAUTHORIZED",{message:"Session not found"});let a=await i.context.internalAdapter.updateUser(n.user.id,{[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0});return i.json({user:a,session:n.session})}let r=await i.context.adapter.findOne({model:"user",where:[{value:i.body.phoneNumber,field:t.phoneNumber}]});if(await e?.callbackOnVerification?.({phoneNumber:i.body.phoneNumber,user:r},i.request),r)r=await i.context.internalAdapter.updateUser(r.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(r=await i.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(i.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(i.body.phoneNumber):i.body.phoneNumber,[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0}),!r)throw new q.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else return i.json(null);if(!r)throw new q.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!i.body.disableSession){let n=await i.context.internalAdapter.createSession(r.id,i.request);if(!n)throw new q.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(i,{session:n,user:r}),i.json({user:r,session:n})}return i.json({user:r,session:null})})},schema:ee(Xr,e?.schema)}},Xr={user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}};var Xc=require("zod");var Yr={user:{fields:{isAnonymous:{type:"boolean",required:!1}}}},en=e=>({id:"anonymous",endpoints:{signInAnonymous:K("/sign-in/anonymous",{method:"POST"},async t=>{let{emailDomainName:i=Te(t.context.baseURL)}=e||{},o=t.context.generateId({model:"user"}),r=`temp-${o}@${i}`,n=await t.context.internalAdapter.createUser({id:o,email:r,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!n)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(n.id,t.request);return a?(await m(t,{session:a,user:n}),t.json({user:n,session:a})):t.json(null,{status:400,body:{message:"Could not create session"}})})},hooks:{after:[{matcher(t){return t.path?.startsWith("/sign-in")||t.path?.startsWith("/sign-up")},handler:R(async t=>{let o=t.responseHeader.get("set-cookie"),r=t.context.authCookies.sessionToken.name,n=no(o||"").get(r)?.value.split(".")[0];if(!n)return;let a=await U(t);if(!(!a||!a.user.isAnonymous)){if(t.path==="/sign-in/anonymous")throw new b.APIError("BAD_REQUEST",{message:"Anonymous users cannot sign in again anonymously"});if(e?.onLinkAccount){let s=await t.context.internalAdapter.findSession(n);if(!s)return;await e?.onLinkAccount?.({anonymousUser:a,newUser:s})}e?.disableDeleteAnonymousUser||await t.context.internalAdapter.deleteUser(a.user.id)}})}]},schema:ee(Yr,e?.schema)});var y=require("zod");var on=e=>{let t={defaultRole:"user",adminRole:"admin",...e},i=R(async o=>{let r=await U(o);if(!r?.session)throw new b.APIError("UNAUTHORIZED");let n=r.user;if(!n.role||(Array.isArray(t.adminRole)?!t.adminRole.includes(n.role):n.role!==t.adminRole))throw new b.APIError("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:n,session:r.session}}});return{id:"admin",init(o){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let n=await o.internalAdapter.findUserById(r.userId);if(n.banned){if(n.banExpires&&n.banExpires<Date.now()){await o.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(o){return o.path==="/list-sessions"},handler:R(async o=>{let r=await Be(o);if(!r)return;let n=r.filter(a=>!a.impersonatedBy);return o.json(n)})}]},endpoints:{setRole:K("/admin/set-role",{method:"POST",body:y.z.object({userId:y.z.string(),role:y.z.string()}),use:[i]},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{role:o.body.role});return o.json({user:r})}),createUser:K("/admin/create-user",{method:"POST",body:y.z.object({email:y.z.string(),password:y.z.string(),name:y.z.string(),role:y.z.string(),data:y.z.optional(y.z.record(y.z.any()))}),use:[i]},async o=>{if(await o.context.internalAdapter.findUserByEmail(o.body.email))throw new b.APIError("BAD_REQUEST",{message:"User already exists"});let n=await o.context.internalAdapter.createUser({email:o.body.email,name:o.body.name,role:o.body.role,...o.body.data});if(!n)throw new b.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let a=await o.context.password.hash(o.body.password);return await o.context.internalAdapter.linkAccount({accountId:n.id,providerId:"credential",password:a,userId:n.id}),o.json({user:n})}),listUsers:K("/admin/list-users",{method:"GET",use:[i],query:y.z.object({searchValue:y.z.string().optional(),searchField:y.z.enum(["email","name"]).optional(),searchOperator:y.z.enum(["contains","starts_with","ends_with"]).optional(),limit:y.z.string().or(y.z.number()).optional(),offset:y.z.string().or(y.z.number()).optional(),sortBy:y.z.string().optional(),sortDirection:y.z.enum(["asc","desc"]).optional(),filterField:y.z.string().optional(),filterValue:y.z.string().or(y.z.number()).or(y.z.boolean()).optional(),filterOperator:y.z.enum(["eq","ne","lt","lte","gt","gte"]).optional()})},async o=>{let r=[];o.query?.searchValue&&r.push({field:o.query.searchField||"email",operator:o.query.searchOperator||"contains",value:o.query.searchValue}),o.query?.filterValue&&r.push({field:o.query.filterField||"email",operator:o.query.filterOperator||"eq",value:o.query.filterValue});try{let n=await o.context.internalAdapter.listUsers(Number(o.query?.limit)||void 0,Number(o.query?.offset)||void 0,o.query?.sortBy?{field:o.query.sortBy,direction:o.query.sortDirection||"asc"}:void 0,r.length?r:void 0);return o.json({users:n})}catch(n){return console.log(n),o.json({users:[]})}}),listUserSessions:K("/admin/list-user-sessions",{method:"POST",use:[i],body:y.z.object({userId:y.z.string()})},async o=>({sessions:await o.context.internalAdapter.listSessions(o.body.userId)})),unbanUser:K("/admin/unban-user",{method:"POST",body:y.z.object({userId:y.z.string()}),use:[i]},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!1});return o.json({user:r})}),banUser:K("/admin/ban-user",{method:"POST",body:y.z.object({userId:y.z.string(),banReason:y.z.string().optional(),banExpiresIn:y.z.number().optional()}),use:[i]},async o=>{if(o.body.userId===o.context.session.user.id)throw new b.APIError("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!0,banReason:o.body.banReason||e?.defaultBanReason||"No reason",banExpires:o.body.banExpiresIn?I(o.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?I(e.defaultBanExpiresIn,"sec"):void 0});return await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({user:r})}),impersonateUser:K("/admin/impersonate-user",{method:"POST",body:y.z.object({userId:y.z.string()}),use:[i]},async o=>{let r=await o.context.internalAdapter.findUserById(o.body.userId);if(!r)throw new b.APIError("NOT_FOUND",{message:"User not found"});let n=await o.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:o.context.session.user.id,expiresAt:e?.impersonationSessionDuration?I(e.impersonationSessionDuration,"sec"):I(60*60,"sec")});if(!n)throw new b.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(o,{session:n,user:r},!0),o.json({session:n,user:r})}),revokeUserSession:K("/admin/revoke-user-session",{method:"POST",body:y.z.object({sessionToken:y.z.string()}),use:[i]},async o=>(await o.context.internalAdapter.deleteSession(o.body.sessionToken),o.json({success:!0}))),revokeUserSessions:K("/admin/revoke-user-sessions",{method:"POST",body:y.z.object({userId:y.z.string()}),use:[i]},async o=>(await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({success:!0}))),removeUser:K("/admin/remove-user",{method:"POST",body:y.z.object({userId:y.z.string()}),use:[i]},async o=>(await o.context.internalAdapter.deleteUser(o.body.userId),o.json({success:!0})))},schema:ee(tn,t.schema)}},tn={user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}};var ne=require("zod"),Ne=require("better-call");var ho=require("@better-fetch/fetch");var qt=require("oslo/jwt");async function rn(e,t,i){if(t==="oidc"&&e.idToken){let r=(0,qt.parseJWT)(e.idToken);if(r?.payload)return r.payload}if(!i)return null;let o=await(0,ho.betterFetch)(i,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}});return{id:o.data?.sub,emailVerified:o.data?.email_verified,email:o.data?.email,...o.data}}var nn=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:K("/sign-in/oauth2",{method:"POST",query:ne.z.object({currentURL:ne.z.string().optional()}).optional(),body:ne.z.object({providerId:ne.z.string(),callbackURL:ne.z.string().optional(),errorCallbackURL:ne.z.string().optional()})},async t=>{let{providerId:i}=t.body,o=e.config.find(N=>N.providerId===i);if(!o)throw new Ne.APIError("BAD_REQUEST",{message:`No config found for provider ${i}`});let{discoveryUrl:r,authorizationUrl:n,tokenUrl:a,clientId:s,clientSecret:A,scopes:d,redirectURI:c,responseType:l,pkce:u,prompt:p,accessType:h}=o,k=n,f=a;if(r){let N=await(0,ho.betterFetch)(r,{onError(eo){t.context.logger.error(eo.error.message,eo.error,{discoveryUrl:r})}});N.data&&(k=N.data.authorization_endpoint,f=N.data.token_endpoint)}if(!k||!f)throw new Ne.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let{state:g,codeVerifier:C}=await Oe(t),T=await P({id:i,options:{clientId:s,clientSecret:A,redirectURI:c},authorizationEndpoint:k,state:g,codeVerifier:u?C:void 0,scopes:d||[],redirectURI:`${t.context.baseURL}/oauth2/callback/${i}`});return l&&l!=="code"&&T.searchParams.set("response_type",l),p&&T.searchParams.set("prompt",p),h&&T.searchParams.set("access_type",h),t.json({url:T.toString(),redirect:!0})}),oAuth2Callback:K("/oauth2/callback/:providerId",{method:"GET",query:ne.z.object({code:ne.z.string().optional(),error:ne.z.string().optional(),state:ne.z.string()})},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let i=e.config.find(g=>g.providerId===t.params.providerId);if(!i)throw new Ne.APIError("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,r=await ao(t),{callbackURL:n,codeVerifier:a,errorURL:s}=r,A=t.query.code,d=i.tokenUrl,c=i.userInfoUrl;if(i.discoveryUrl){let g=await(0,ho.betterFetch)(i.discoveryUrl,{method:"GET"});g.data&&(d=g.data.token_endpoint,c=g.data.userinfo_endpoint)}try{if(!d)throw new Ne.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await O({code:A,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${i.providerId}`,options:{clientId:i.clientId,clientSecret:i.clientSecret},tokenEndpoint:d})}catch(g){throw t.context.logger.error(g&&typeof g=="object"&&"name"in g?g.name:"",g),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new Ne.APIError("BAD_REQUEST",{message:"Invalid OAuth configuration."});let l=i.getUserInfo?await i.getUserInfo(o):await rn(o,i.type||"oauth2",c);if(!l?.email)throw t.context.logger.error("Unable to get user info",l),t.redirect(`${t.context.baseURL}/error?error=email_is_missing`);let u=await Ue(t,{userInfo:l,account:{providerId:i.providerId,accountId:l.id,accessToken:o.accessToken}});function p(g){throw t.redirect(`${s||n||`${t.context.baseURL}/error`}?error=${g}`)}if(u.error)return p(u.error.split(" ").join("_"));let{session:h,user:k}=u.data;await m(t,{session:h,user:k});let f;try{f=new URL(n).toString()}catch{f=n}throw t.redirect(f)})}});var _e=require("zod"),Mt={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},yu=_e.z.object({id:_e.z.string(),publicKey:_e.z.string(),privateKey:_e.z.string(),createdAt:_e.z.date()});var $o=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});var pe=require("jose");var sn=e=>({id:"jwt",endpoints:{getJwks:K("/jwks",{method:"GET"},async t=>{let o=await $o(t.context.adapter).getAllKeys();return t.json({keys:o.map(r=>({...JSON.parse(r.publicKey),kid:r.id}))})}),getToken:K("/token",{method:"GET",requireHeaders:!0,use:[v]},async t=>{let i=$o(t.context.adapter),o=await i.getLatestKey(),r=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:d,privateKey:c}=await(0,pe.generateKeyPair)(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),l=await(0,pe.exportJWK)(d),u=await(0,pe.exportJWK)(c),p=JSON.stringify(u),h={id:crypto.randomUUID(),publicKey:JSON.stringify(l),privateKey:r?JSON.stringify(await le({key:t.context.options.secret,data:p})):p,createdAt:new Date};o=await i.createJwk(h)}let n=r?await fe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await(0,pe.importJWK)(JSON.parse(n)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,A=await new pe.SignJWT({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:A})})},schema:ee(Mt,e?.schema)});var Xe=require("zod");var an=e=>{let t={maximumSessions:5,...e},i=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:K("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let r=o.headers?.get("cookie");if(!r)return o.json([]);let n=Object.fromEntries(Ve(r)),a=(await Promise.all(Object.entries(n).filter(([d])=>i(d)).map(async([d])=>await o.getSignedCookie(d,o.context.secret)))).filter(d=>d!==void 0);if(!a.length)return o.json([]);let A=(await o.context.internalAdapter.findSessions(a)).filter(d=>d&&d.session.expiresAt>new Date);return o.json(A)}),setActiveSession:K("/multi-session/set-active",{method:"POST",body:Xe.z.object({sessionToken:Xe.z.string()}),requireHeaders:!0,use:[v]},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b.APIError("UNAUTHORIZED",{message:"Invalid session token"});let s=await o.context.internalAdapter.findSession(r);if(!s||s.session.expiresAt<new Date)throw o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new b.APIError("UNAUTHORIZED",{message:"Invalid session token"});return await m(o,s),o.json(s)}),revokeDeviceSession:K("/multi-session/revoke",{method:"POST",body:Xe.z.object({sessionToken:Xe.z.string()}),requireHeaders:!0,use:[v]},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b.APIError("UNAUTHORIZED",{message:"Invalid session token"});if(await o.context.internalAdapter.deleteSession(r),o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),!(o.context.session?.session.token===r))return o.json({success:!0});let A=o.headers?.get("cookie");if(A){let d=Object.fromEntries(Ve(A)),c=(await Promise.all(Object.entries(d).filter(([u])=>i(u)).map(async([u])=>await o.getSignedCookie(u,o.context.secret)))).filter(u=>u!==void 0),l=o.context.internalAdapter;if(c.length>0){let p=(await l.findSessions(c)).filter(h=>h&&h.session.expiresAt>new Date);if(p.length>0){let h=p[0];await m(o,h)}else M(o)}else M(o)}else M(o);return o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:R(async o=>{let r=o.responseHeader.get("set-cookie");if(!r)return;let n=no(r),a=o.context.authCookies.sessionToken,s=n.get(a.name)?.value;if(!s)return;let A=Ve(o.headers?.get("cookie")||""),d=s.split(".")[0];if(!d)return;let c=`${a.name}_multi-${d}`;n.get(c)||A.get(c)||Object.keys(Object.fromEntries(A)).filter(i).length+(r.includes("session_token")?1:0)>t.maximumSessions||await o.setSignedCookie(c,d,o.context.secret,a.options)})},{matcher:o=>o.path==="/sign-out",handler:R(async o=>{let r=o.headers?.get("cookie");if(!r)return;let n=Object.fromEntries(Ve(r)),a=Object.keys(n).map(s=>i(s)?(o.setCookie(s,"",{maxAge:0}),s.split("_multi-")[1]):null).filter(s=>s!==null);await o.context.internalAdapter.deleteSessions(a)})}]}}};var D=require("zod");var Zo=["email-verification","sign-in","forget-password"],An=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:K("/email-otp/send-verification-otp",{method:"POST",body:D.z.object({email:D.z.string(),type:D.z.enum(Zo)})},async i=>{if(!e?.sendVerificationOTP)throw i.context.logger.error("send email verification is not implemented"),new b.APIError("BAD_REQUEST",{message:"send email verification is not implemented"});let o=i.body.email,r=Q(t.otpLength,$("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}).catch(async n=>{await i.context.internalAdapter.deleteVerificationByIdentifier(`${i.body.type}-otp-${o}`),await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")})}),await e.sendVerificationOTP({email:o,otp:r,type:i.body.type},i.request),i.json({success:!0})}),createVerificationOTP:K("/email-otp/create-verification-otp",{method:"POST",body:D.z.object({email:D.z.string(),type:D.z.enum(Zo)}),metadata:{SERVER_ONLY:!0}},async i=>{let o=i.body.email,r=Q(t.otpLength,$("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),r}),getVerificationOTP:K("/email-otp/get-verification-otp",{method:"GET",query:D.z.object({email:D.z.string(),type:D.z.enum(Zo)}),metadata:{SERVER_ONLY:!0}},async i=>{let o=i.query.email,r=await i.context.internalAdapter.findVerificationValue(`${i.query.type}-otp-${o}`);return!r||r.expiresAt<new Date?i.json({otp:null}):i.json({otp:r.value})}),verifyEmailOTP:K("/email-otp/verify-email",{method:"POST",body:D.z.object({email:D.z.string(),otp:D.z.string()})},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a)throw new b.APIError("BAD_REQUEST",{message:"User not found"});let s=await i.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return i.json({user:s})}),signInEmailOTP:K("/sign-in/email-otp",{method:"POST",body:D.z.object({email:D.z.string(),otp:D.z.string()})},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new b.APIError("BAD_REQUEST",{message:"User not found"});let A=await i.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),d=await i.context.internalAdapter.createSession(A.id,i.request);return await m(i,{session:d,user:A}),i.json({user:A,session:d})}a.user.emailVerified||await i.context.internalAdapter.updateUser(a.user.id,{emailVerified:!0});let s=await i.context.internalAdapter.createSession(a.user.id,i.request);return await m(i,{session:s,user:a.user}),i.json({session:s,user:a})}),forgetEmailOTP:K("/forget-password/email-otp",{method:"POST",body:D.z.object({email:D.z.string()})},async i=>{let o=i.body.email;if(!await i.context.internalAdapter.findUserByEmail(o))throw new b.APIError("BAD_REQUEST",{message:"User not found"});let n=Q(t.otpLength,$("0-9"));return await i.context.internalAdapter.createVerificationValue({value:n,identifier:`forget-password-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:"forget-password"},i.request),i.json({success:!0})}),resetPasswordEmailOTP:K("/email-otp/reset-password",{method:"POST",body:D.z.object({email:D.z.string(),otp:D.z.string(),password:D.z.string()})},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findUserByEmail(o);if(!r)throw new b.APIError("BAD_REQUEST",{message:"User not found"});let n=await i.context.internalAdapter.findVerificationValue(`forget-password-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await i.context.internalAdapter.deleteVerificationValue(n.id),new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});let a=i.body.otp;if(n.value!==a)throw new b.APIError("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(n.id);let s=await i.context.password.hash(i.body.password);return await i.context.internalAdapter.updatePassword(r.user.id,s),i.json({success:!0})})},hooks:{after:[{matcher(i){return!!(i.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(i){let o=await Be(i);if(o&&o.user.email&&o.user.emailVerified===!1){let r=Q(t.otpLength,$("0-9"));await i.context.internalAdapter.createVerificationValue({value:r,identifier:`email-verification-otp-${o.user.email}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o.user.email,otp:r,type:"email-verification"},i.request)}}}]}}};var Wo=require("zod");var Qt=require("@better-fetch/fetch");function Ht(e){return e==="true"||e===!0}var dn=e=>({id:"one-tap",endpoints:{oneTapCallback:K("/one-tap/callback",{method:"POST",body:Wo.z.object({idToken:Wo.z.string()})},async t=>{let{idToken:i}=t.body,{data:o,error:r}=await(0,Qt.betterFetch)("https://oauth2.googleapis.com/tokeninfo?id_token="+i);if(r)return t.json({error:"Invalid token"});let n=await t.context.internalAdapter.findUserByEmail(o.email);if(!n){if(e?.disableSignup)throw new b.APIError("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:Ht(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new b.APIError("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let A=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await m(t,{user:s.user,session:A}),t.json({session:A,user:s})}let a=await t.context.internalAdapter.createSession(n.user.id,t.request);return await m(t,{user:n.user,session:a}),t.json({session:a,user:n})})}});var yo=require("zod");function Kn(){let e=re.VERCEL_URL,t=re.NETLIFY_URL,i=re.RENDER_URL,o=re.AWS_LAMBDA_FUNCTION_NAME,r=re.GOOGLE_CLOUD_FUNCTION_NAME,n=re.AZURE_FUNCTION_NAME;return e||t||i||o||r||n}var cn=e=>({id:"oauth-proxy",endpoints:{oAuthProxy:K("/oauth-proxy-callback",{method:"GET",query:yo.z.object({callbackURL:yo.z.string(),cookies:yo.z.string()})},async t=>{let i=t.query.cookies,o=await fe({key:t.context.secret,data:i});throw t.setHeader("set-cookie",o),t.redirect(t.query.callbackURL)})},hooks:{after:[{matcher(t){return t.path?.startsWith("/callback")},handler:R(async t=>{let i=t.context.returned,o=i instanceof b.APIError?i.headers:null,r=o?.get("location");if(r?.includes("/oauth-proxy-callback?callbackURL")){if(!r.startsWith("http"))return;let n=new URL(r);if(n.origin===Te(t.context.baseURL)){let c=n.searchParams.get("callbackURL");if(!c)return;t.setHeader("location",c);return}let s=o?.get("set-cookie");if(!s)return;let A=await le({key:t.context.secret,data:s}),d=`${r}&cookies=${encodeURIComponent(A)}`;t.setHeader("location",d)}})}],before:[{matcher(t){return t.path?.startsWith("/sign-in/social")},async handler(t){let i=new URL(e?.currentURL||t.request?.url||Kn()||t.context.baseURL);return t.body.callbackURL=`${i.origin}${t.context.options.basePath||"/api/auth"}/oauth-proxy-callback?callbackURL=${encodeURIComponent(t.body.callbackURL||t.context.baseURL)}`,{context:t}}}]}});var un=(e,t)=>({id:"custom-session",endpoints:{getSession:K("/get-session",{method:"GET",metadata:{CUSTOM_SESSION:!0}},async i=>{let o=await U(i);if(!o)return i.json(null);let r=await e(o);return i.json(r)})}});var Ke=require("zod");var Le=e=>{let t=e.plugins?.reduce((A,d)=>{let c=d.schema;if(!c)return A;for(let[l,u]of Object.entries(c))A[l]={fields:{...A[l]?.fields,...u.fields},modelName:u.modelName||l};return A},{}),i=e.rateLimit?.storage==="database",o={rateLimit:{modelName:e.rateLimit?.modelName||"rateLimit",fields:{key:{type:"string",fieldName:e.rateLimit?.fields?.key||"key"},count:{type:"number",fieldName:e.rateLimit?.fields?.count||"count"},lastRequest:{type:"number",fieldName:e.rateLimit?.fields?.lastRequest||"lastRequest"}}}},{user:r,session:n,account:a,...s}=t||{};return{user:{modelName:e.user?.modelName||"user",fields:{name:{type:"string",required:!0,fieldName:e.user?.fields?.name||"name"},email:{type:"string",unique:!0,required:!0,fieldName:e.user?.fields?.email||"email"},emailVerified:{type:"boolean",defaultValue:()=>!1,required:!0,fieldName:e.user?.fields?.emailVerified||"emailVerified"},image:{type:"string",required:!1,fieldName:e.user?.fields?.image||"image"},createdAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.updatedAt||"updatedAt"},...r?.fields,...e.user?.additionalFields},order:1},session:{modelName:e.session?.modelName||"session",fields:{expiresAt:{type:"date",required:!0,fieldName:e.session?.fields?.expiresAt||"expiresAt"},token:{type:"string",required:!0,fieldName:e.session?.fields?.token||"token",unique:!0},createdAt:{type:"date",required:!0,fieldName:e.session?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.session?.fields?.updatedAt||"updatedAt"},ipAddress:{type:"string",required:!1,fieldName:e.session?.fields?.ipAddress||"ipAddress"},userAgent:{type:"string",required:!1,fieldName:e.session?.fields?.userAgent||"userAgent"},userId:{type:"string",fieldName:e.session?.fields?.userId||"userId",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0},...n?.fields,...e.session?.additionalFields},order:2},account:{modelName:e.account?.modelName||"account",fields:{accountId:{type:"string",required:!0,fieldName:e.account?.fields?.accountId||"accountId"},providerId:{type:"string",required:!0,fieldName:e.account?.fields?.providerId||"providerId"},userId:{type:"string",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0,fieldName:e.account?.fields?.userId||"userId"},accessToken:{type:"string",required:!1,fieldName:e.account?.fields?.accessToken||"accessToken"},refreshToken:{type:"string",required:!1,fieldName:e.account?.fields?.refreshToken||"refreshToken"},idToken:{type:"string",required:!1,fieldName:e.account?.fields?.idToken||"idToken"},accessTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"accessTokenExpiresAt"},refreshTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"refreshTokenExpiresAt"},scope:{type:"string",required:!1,fieldName:e.account?.fields?.scope||"scope"},password:{type:"string",required:!1,fieldName:e.account?.fields?.password||"password"},createdAt:{type:"date",required:!0,fieldName:e.account?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.account?.fields?.updatedAt||"updatedAt"},...a?.fields},order:3},verification:{modelName:e.verification?.modelName||"verification",fields:{identifier:{type:"string",required:!0,fieldName:e.verification?.fields?.identifier||"identifier"},value:{type:"string",required:!0,fieldName:e.verification?.fields?.value||"value"},expiresAt:{type:"date",required:!0,fieldName:e.verification?.fields?.expiresAt||"expiresAt"},createdAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.updatedAt||"updatedAt"}},order:4},...s,...i?o:{}}};var ln=require("zod");var $t=require("kysely"),Go=require("kysely");var Ye={};function Wt(e){switch(e.constructor.name){case"ZodString":return"string";case"ZodNumber":return"number";case"ZodBoolean":return"boolean";case"ZodObject":return"object";case"ZodArray":return"array";default:return"string"}}function wo(e){let t=[];return e.metadata?.openapi?.parameters?(t.push(...e.metadata.openapi.parameters),t):(e.query instanceof Ke.ZodObject&&Object.entries(e.query.shape).forEach(([i,o])=>{o instanceof Ke.ZodSchema&&t.push({name:i,in:"query",schema:{type:Wt(o),..."minLength"in o&&o.minLength?{minLength:o.minLength}:{},description:o.description}})}),t)}function Zt(e){if(e.metadata?.openapi?.requestBody)return e.metadata.openapi.requestBody;if(e.body&&(e.body instanceof Ke.ZodObject||e.body instanceof Ke.ZodOptional)){let t=e.body.shape;if(!t)return;let i={},o=[];return Object.entries(t).forEach(([r,n])=>{n instanceof Ke.ZodSchema&&(i[r]={type:Wt(n),description:n.description},n instanceof Ke.ZodOptional||o.push(r))}),{required:e.body instanceof Ke.ZodOptional?!1:!!e.body,content:{"application/json":{schema:{type:"object",properties:i,required:o}}}}}}function Co(e){return{400:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Bad Request. Usually due to missing parameters, or invalid parameters."},401:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Unauthorized. Due to missing or invalid authentication."},403:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Forbidden. You do not have permission to access this resource or to perform this action."},404:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Not Found. The requested resource was not found."},429:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Too Many Requests. You have exceeded the rate limit. Try again later."},500:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Internal Server Error. This is a problem with the server that you cannot fix."},...e}}async function Gt(e,t){let i=Eo(e,{...t,plugins:[]}),o=Le(t),n={schemas:{...Object.entries(o).reduce((s,[A,d])=>{let c=A.charAt(0).toUpperCase()+A.slice(1);return s[c]={type:"object",properties:Object.entries(d.fields).reduce((l,[u,p])=>(l[u]={type:p.type},l),{})},s},{})}};Object.entries(i.api).forEach(([s,A])=>{let d=A.options;if(!d.metadata?.SERVER_ONLY&&(d.method==="GET"&&(Ye[A.path]={get:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:wo(d),responses:Co(d.metadata?.openapi?.responses)}}),d.method==="POST")){let c=Zt(d);Ye[A.path]={post:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:wo(d),...c?{requestBody:c}:{requestBody:{content:{"application/json":{schema:{type:"object",properties:{}}}}}},responses:Co(d.metadata?.openapi?.responses)}}}});for(let s of t.plugins||[]){if(s.id==="open-api")continue;let A=Eo(e,{...t,plugins:[s]}),d=Object.keys(A.api).map(c=>i.api[c]===void 0?A.api[c]:null).filter(c=>c!==null);Object.entries(d).forEach(([c,l])=>{let u=l.options;u.metadata?.SERVER_ONLY||(u.method==="GET"&&(Ye[l.path]={get:{tags:u.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:wo(u),responses:Co(u.metadata?.openapi?.responses)}}),u.method==="POST"&&(Ye[l.path]={post:{tags:u.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:wo(u),requestBody:Zt(u),responses:Co(u.metadata?.openapi?.responses)}}))})}return{openapi:"3.1.1",info:{title:"Better Auth",description:"API Reference for your Better Auth Instance"},components:n,security:[{apiKeyCookie:[]}],servers:[{url:e.baseURL}],tags:[{name:"Default",description:"Default endpoints that are included with Better Auth by default. These endpoints are not part of any plugin."}],paths:Ye}}var Jt=`<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
84
84
  <rect width="75" height="75" fill="url(#pattern0_21_12)"/>
85
85
  <defs>
86
86
  <pattern id="pattern0_21_12" patternContentUnits="objectBoundingBox" width="1" height="1">