better-auth 1.0.13 → 1.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/dist/api.cjs +2 -2
  2. package/dist/api.js +2 -2
  3. package/dist/cookies.cjs +1 -1
  4. package/dist/cookies.js +1 -1
  5. package/dist/index.cjs +2 -2
  6. package/dist/index.js +2 -2
  7. package/dist/next-js.cjs +1 -1
  8. package/dist/next-js.js +1 -1
  9. package/dist/plugins.cjs +2 -2
  10. package/dist/plugins.js +2 -2
  11. package/package.json +4 -1
package/dist/cookies.js CHANGED
@@ -1,5 +1,5 @@
1
1
  import{TimeSpan as ar}from"oslo";import{base64url as cr}from"oslo/encoding";import{HMAC as ie,sha256 as mr}from"oslo/crypto";async function qe({value:e,secret:t}){return new ie("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function Fe({value:e,signature:t,secret:r}){return new ie("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var G={sign:qe,verify:Fe};var P=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r,this.stack=""}};var D=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));var W=Object.create(null),z=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?W:globalThis),se=new Proxy(W,{get(e,t){return z()[t]??W[t]},has(e,t){let r=z();return t in r||t in W},set(e,t,r){let o=z(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=z(!0);return delete r[t],!0},ownKeys(){let e=z(!0);return Object.keys(e)}});function Me(e){return e?e!=="false":!1}var Z=typeof process<"u"&&process.env&&process.env.NODE_ENV||"",ae=Z==="production",ce=Z==="dev"||Z==="development",He=Z==="test"||Me(se.TEST);import{APIError as ka,createRouter as Ea,getCookie as Ra,getSignedCookie as Ua,setCookie as _a,setSignedCookie as Ta}from"better-call";import{APIError as Ke}from"better-call";import{createEndpointCreator as Ge,createMiddleware as de,createMiddlewareCreator as We}from"better-call";var le=de(async()=>({})),q=We({use:[le,de(async()=>({}))]}),f=Ge({use:[le]});function ee(e){return e==="-"||e==="^"||e==="$"||e==="+"||e==="."||e==="("||e===")"||e==="|"||e==="["||e==="]"||e==="{"||e==="}"||e==="*"||e==="?"||e==="\\"?`\\${e}`:e}function Ze(e){let t="";for(let r=0;r<e.length;r++)t+=ee(e[r]);return t}function ue(e,t=!0){if(Array.isArray(e))return`(?:${e.map(l=>`^${ue(l,t)}$`).join("|")})`;let r="",o="",n=".";t===!0?(r="/",o="[/\\\\]",n="[^/\\\\]"):t&&(r=t,o=Ze(r),o.length>1?(o=`(?:${o})`,n=`((?!${o}).)`):n=`[^${o}]`);let i=t?`${o}+?`:"",s=t?`${o}*?`:"",c=t?e.split(r):[e],a="";for(let d=0;d<c.length;d++){let l=c[d],m=c[d+1],g="";if(!(!l&&d>0)){if(t&&(d===c.length-1?g=s:m!=="**"?g=i:g=""),t&&l==="**"){g&&(a+=d===0?"":g,a+=`(?:${n}*?${g})*?`);continue}for(let w=0;w<l.length;w++){let y=l[w];y==="\\"?w<l.length-1&&(a+=ee(l[w+1]),w++):y==="?"?a+=n:y==="*"?a+=`${n}*?`:a+=ee(y)}a+=g}}return a}function Qe(e,t){if(typeof t!="string")throw new TypeError(`Sample must be a string, but ${typeof t} given`);return e.test(t)}function te(e,t){if(typeof e!="string"&&!Array.isArray(e))throw new TypeError(`The first argument must be a single pattern string or an array of patterns, but ${typeof e} given`);if((typeof t=="string"||typeof t=="boolean")&&(t={separator:t}),arguments.length===2&&!(typeof t>"u"||typeof t=="object"&&t!==null&&!Array.isArray(t)))throw new TypeError(`The second argument must be an options object or a string/boolean separator, but ${typeof t} given`);if(t=t||{},t.separator==="\\")throw new Error("\\ is not a valid separator because it is used for escaping. Try setting the separator to `true` instead");let r=ue(e,t.separator),o=new RegExp(`^${r}$`,t.flags),n=Qe.bind(null,o);return n.options=t,n.pattern=e,n.regexp=o,n}function pe(e){try{return new URL(e).origin}catch{return null}}function me(e){return e.includes("://")?new URL(e).host:e}var Je=q(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,n=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL||r?.callbackURL,s=t?.redirectTo,c=r?.currentURL,a=o.trustedOrigins,d=e.headers?.has("cookie"),l=(g,w)=>g.startsWith("/")?!1:w.includes("*")?te(w)(me(g)):g.startsWith(w),m=(g,w)=>{if(!g)return;if(!a.some(B=>l(g,B)||g?.startsWith("/")&&w!=="origin"&&!g.includes(":")))throw e.context.logger.error(`Invalid ${w}: ${g}`),e.context.logger.info(`If it's a valid URL, please add ${g} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${a}`),new Ke("FORBIDDEN",{message:`Invalid ${w}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&m(n,"origin"),i&&m(i,"callbackURL"),s&&m(s,"redirectURL"),c&&m(c,"currentURL")});import{APIError as E}from"better-call";import{z as A}from"zod";import{betterFetch as ot}from"@better-fetch/fetch";import{APIError as nt}from"better-call";import{decodeProtectedHeader as it,importJWK as st,jwtVerify as at}from"jose";import{parseJWT as ct}from"oslo/jwt";import{sha256 as Ye}from"oslo/crypto";import{base64url as Xe}from"oslo/encoding";async function fe(e){let t=await Ye(new TextEncoder().encode(e));return Xe.encode(new Uint8Array(t),{includePadding:!1})}function ge(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?D(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function b({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:n,scopes:i,claims:s,redirectURI:c}){let a=new URL(r);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",t.clientId),a.searchParams.set("state",o),a.searchParams.set("scope",i.join(" ")),a.searchParams.set("redirect_uri",t.redirectURI||c),n){let d=await fe(n);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",d)}if(s){let d=s.reduce((l,m)=>(l[m]=null,l),{});a.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return a}import{betterFetch as et}from"@better-fetch/fetch";async function h({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:n,authentication:i}){let s=new URLSearchParams,c={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),i==="basic"){let m=btoa(`${o.clientId}:${o.clientSecret}`);c.authorization=`Basic ${m}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:d}=await et(n,{method:"POST",body:s,headers:c});if(d)throw d;return ge(a)}import{generateCodeVerifier as tt,generateState as rt}from"oslo/oauth2";import{z as C}from"zod";import{APIError as he}from"better-call";async function Q(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?pe(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new he("BAD_REQUEST",{message:"callbackURL is required"});let o=tt(),n=rt(),i=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let c=await e.context.internalAdapter.createVerificationValue({value:i,identifier:n,expiresAt:s});if(!c)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new he("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:c.identifier,codeVerifier:o}}async function we(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=C.object({callbackURL:C.string(),codeVerifier:C.string(),errorURL:C.string().optional(),expiresAt:C.number(),link:C.object({email:C.string(),userId:C.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var ye=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:n}){let i=o||["email","name"];return e.scope&&i.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${i.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>h({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let n=it(r),{kid:i,alg:s}=n;if(!i||!s)return!1;let c=await dt(i),{payload:a}=await at(r,c,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{a[d]!==void 0&&(a[d]=!!a[d])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=ct(r.idToken)?.payload;if(!o)return null;let n=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:n,emailVerified:!1,email:o.email,...i},data:o}}}},dt=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await ot(`${t}${r}`);if(!o?.keys)throw new nt("BAD_REQUEST",{message:"Keys not found"});let n=o.keys.find(i=>i.kid===e);if(!n)throw new Error(`JWK with kid ${e} not found`);return await st(n,n.alg)};import{betterFetch as lt}from"@better-fetch/fetch";var be=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["identify","email"];return e.scope&&n.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${n.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await lt("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let i=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${i}.png`}else{let i=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${i}`}let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...n},data:r}}});import{betterFetch as ut}from"@better-fetch/fetch";var Ae=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["email","public_profile"];return e.scope&&n.push(...e.scope),await b({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:n,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await ut("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...n},data:r}}});import{betterFetch as ke}from"@better-fetch/fetch";var Ee=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:n,redirectURI:i}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),b({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:i})},validateAuthorizationCode:async({code:r,redirectURI:o})=>h({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await ke("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=!1;if(!o.email){let{data:c,error:a}=await ke("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(c.find(d=>d.primary)??c[0])?.email,i=c.find(d=>d.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:i,...s},data:o}}}};import{parseJWT as ht}from"oslo/jwt";import{createConsola as pt}from"consola";var re=["info","success","warn","error","debug"];function mt(e,t){return re.indexOf(t)<=re.indexOf(e)}var ft=pt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),gt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(n,i,s=[])=>{if(!(!t||!mt(r,n))){if(!e||typeof e.log!="function"){ft[n]("",i,...s);return}e.log(n==="success"?"info":n,i,s)}};return Object.fromEntries(re.map(n=>[n,(...[i,...s])=>o(n,i,s)]))},S=gt();import{betterFetch as wt}from"@better-fetch/fetch";var Re=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){if(!e.clientId||!e.clientSecret)throw S.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new P("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new P("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let s=await b({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:o,redirectURI:n});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:n}=await wt(o);return n?n.aud===e.clientId&&n.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=ht(t.idToken)?.payload,o=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...o},data:r}}});import{betterFetch as yt}from"@better-fetch/fetch";import{parseJWT as bt}from"oslo/jwt";var Ue=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(n){let i=n.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),b({id:"microsoft",options:e,authorizationEndpoint:r,state:n.state,codeVerifier:n.codeVerifier,scopes:i,redirectURI:n.redirectURI})},validateAuthorizationCode({code:n,codeVerifier:i,redirectURI:s}){return h({code:n,codeVerifier:i,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(n){if(e.getUserInfo)return e.getUserInfo(n);if(!n.idToken)return null;let i=bt(n.idToken)?.payload,s=e.profilePhotoSize||48;await yt(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${n.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let l=await a.response.clone().arrayBuffer(),m=Buffer.from(l).toString("base64");i.picture=`data:image/jpeg;base64, ${m}`}catch(d){S.error(d&&typeof d=="object"&&"name"in d?d.name:"",d)}}});let c=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0,...c},data:i}}}};import{betterFetch as At}from"@better-fetch/fetch";var _e=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),b({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:o,redirectURI:n})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await At("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...n},data:r}}});var $={isAction:!1};import{nanoid as kt}from"nanoid";var Te=e=>kt(e);import{parseJWT as Et}from"oslo/jwt";var Se=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["user:read:email","openid"];return e.scope&&n.push(...e.scope),b({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:n,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return S.error("No idToken found in token"),null;let o=Et(r)?.payload,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...n},data:o}}});import{betterFetch as Rt}from"@better-fetch/fetch";var Oe=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),b({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await Rt("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...n},data:r}}});import{betterFetch as Ut}from"@better-fetch/fetch";var ve=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:n,redirectURI:i})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await b({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>await h({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await Ut("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...i},data:o}}}};import{betterFetch as _t}from"@better-fetch/fetch";var Ie=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:n,redirectURI:i})=>{let s=n||["profile","email","openid"];return e.scope&&s.push(...e.scope),await b({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:i})},validateAuthorizationCode:async({code:o,redirectURI:n})=>await h({code:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:n,error:i}=await _t("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(i)return null;let s=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,emailVerified:n.email_verified||!1,image:n.picture,...s},data:n}}}};import{betterFetch as Tt}from"@better-fetch/fetch";var oe=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),St=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:oe(`${t}/oauth/authorize`),tokenEndpoint:oe(`${t}/oauth/token`),userinfoEndpoint:oe(`${t}/api/v4/user`)}},xe=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=St(e.issuer),n="gitlab";return{id:n,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:c,codeVerifier:a,redirectURI:d})=>{let l=c||["read_user"];return e.scope&&l.push(...e.scope),await b({id:n,options:e,authorizationEndpoint:t,scopes:l,state:s,redirectURI:d,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:c,codeVerifier:a})=>h({code:s,redirectURI:e.redirectURI||c,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:c,error:a}=await Tt(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||c.state!=="active"||c.locked)return null;let d=await e.mapProfileToUser?.(c);return{user:{id:c.id.toString(),name:c.name??c.username,email:c.email,image:c.avatar_url,emailVerified:!0,...d},data:c}}}};var Ot={apple:ye,discord:be,facebook:Ae,github:Ee,microsoft:Ue,google:Re,spotify:_e,twitch:Se,twitter:Oe,dropbox:ve,linkedin:Ie,gitlab:xe},K=Object.keys(Ot);import{TimeSpan as Lt}from"oslo";import{createJWT as Pt,validateJWT as Dt}from"oslo/jwt";import{z as O}from"zod";import{APIError as F}from"better-call";import{APIError as L}from"better-call";import{z as j}from"zod";function Le(e){try{return JSON.parse(e)}catch{return null}}var u={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var Pe=()=>f("/get-session",{method:"GET",query:j.optional(j.object({disableCookieCache:j.boolean({description:"Disable cookie cache and fetch session from database"}).or(j.string().transform(e=>e==="true")).optional(),disableRefresh:j.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?Le(Buffer.from(r,"base64").toString()):null;if(o&&!await G.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return I(e),e.json(null);let n=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let l=o.session;if(o.expiresAt<Date.now()||l.session.expiresAt<new Date){let g=e.context.authCookies.sessionData.name;e.setCookie(g,"",{maxAge:0})}else return e.json(l)}let i=await e.context.internalAdapter.findSession(t);if(e.context.session=i,!i||i.session.expiresAt<new Date)return I(e),i&&await e.context.internalAdapter.deleteSession(i.session.token),e.json(null);if(n||e.query?.disableRefresh)return e.json(i);let s=e.context.sessionConfig.expiresIn,c=e.context.sessionConfig.updateAge;if(i.session.expiresAt.valueOf()-s*1e3+c*1e3<=Date.now()){let l=await e.context.internalAdapter.updateSession(i.session.token,{expiresAt:D(e.context.sessionConfig.expiresIn,"sec")});if(!l)return I(e),e.json(null,{status:401});let m=(l.expiresAt.valueOf()-Date.now())/1e3;return await _(e,{session:l,user:i.user},!1,{maxAge:m}),e.json({session:l,user:i.user})}return e.json(i)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new L("INTERNAL_SERVER_ERROR",{message:u.FAILED_TO_GET_SESSION})}}),V=async(e,t)=>{if(e.context.session)return e.context.session;let r=await Pe()({...e,_flag:"json",headers:e.headers,query:t}).catch(o=>null);return e.context.session=r,r},x=q(async e=>{let t=await V(e);if(!t?.session)throw new L("UNAUTHORIZED");return{session:t}}),De=q(async e=>{let t=await V(e);if(!t?.session)throw new L("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),n=Date.now();if(!(o+r*1e3>n))throw new L("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var vt=f("/revoke-session",{method:"POST",body:j.object({token:j.string({description:"The token to revoke"})}),use:[x],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new L("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new L("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new L("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),It=f("/revoke-sessions",{method:"POST",use:[x],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new L("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),xt=f("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[x],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new L("UNAUTHORIZED");let n=(await e.context.internalAdapter.listSessions(t.user.id)).filter(i=>i.expiresAt>new Date).filter(i=>i.token!==e.context.session.session.token);return await Promise.all(n.map(i=>e.context.internalAdapter.deleteSession(i.token))),e.json({status:!0})});async function N(e,t,r){return await Pt("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Lt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Ct(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:r},e.request)}var Nt=f("/send-verification-email",{method:"POST",query:O.object({currentURL:O.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:O.object({email:O.string({description:"The email to send the verification email to"}).email(),callbackURL:O.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new F("BAD_REQUEST",{message:u.USER_NOT_FOUND});return await Ct(e,r.user),e.json({status:!0})}),jt=f("/verify-email",{method:"GET",query:O.object({token:O.string({description:"The token to verify the email"}),callbackURL:O.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(c){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${c}`):new F("UNAUTHORIZED",{message:c})}let{token:r}=e.query,o;try{o=await Dt("HS256",Buffer.from(e.context.secret),r)}catch(c){return e.context.logger.error("Failed to verify email",c),t("invalid_token")}let i=O.object({email:O.string().email(),updateTo:O.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(i.email);if(!s)return t("user_not_found");if(i.updateTo){let c=await V(e);if(!c){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(c.user.email!==i.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(i.email,{email:i.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(i.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await V(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new F("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await _(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function J(e,{userInfo:t,account:r,callbackURL:o}){let n=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(c=>{throw S.error(`Better auth was unable to query your database.
2
+ `,`Current list of trustedOrigins: ${a}`),new Ke("FORBIDDEN",{message:`Invalid ${w}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&m(n,"origin"),i&&m(i,"callbackURL"),s&&m(s,"redirectURL"),c&&m(c,"currentURL")});import{APIError as E}from"better-call";import{z as A}from"zod";import{betterFetch as ot}from"@better-fetch/fetch";import{APIError as nt}from"better-call";import{decodeProtectedHeader as it,importJWK as st,jwtVerify as at}from"jose";import{parseJWT as ct}from"oslo/jwt";import{sha256 as Ye}from"oslo/crypto";import{base64url as Xe}from"oslo/encoding";async function fe(e){let t=await Ye(new TextEncoder().encode(e));return Xe.encode(new Uint8Array(t),{includePadding:!1})}function ge(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?D(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function b({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:n,scopes:i,claims:s,redirectURI:c}){let a=new URL(r);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",t.clientId),a.searchParams.set("state",o),a.searchParams.set("scope",i.join(" ")),a.searchParams.set("redirect_uri",t.redirectURI||c),n){let d=await fe(n);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",d)}if(s){let d=s.reduce((l,m)=>(l[m]=null,l),{});a.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return a}import{betterFetch as et}from"@better-fetch/fetch";async function h({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:n,authentication:i}){let s=new URLSearchParams,c={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),i==="basic"){let m=btoa(`${o.clientId}:${o.clientSecret}`);c.authorization=`Basic ${m}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:d}=await et(n,{method:"POST",body:s,headers:c});if(d)throw d;return ge(a)}import{generateCodeVerifier as tt,generateState as rt}from"oslo/oauth2";import{z as C}from"zod";import{APIError as he}from"better-call";async function Q(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?pe(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new he("BAD_REQUEST",{message:"callbackURL is required"});let o=tt(),n=rt(),i=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let c=await e.context.internalAdapter.createVerificationValue({value:i,identifier:n,expiresAt:s});if(!c)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new he("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:c.identifier,codeVerifier:o}}async function we(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=C.object({callbackURL:C.string(),codeVerifier:C.string(),errorURL:C.string().optional(),expiresAt:C.number(),link:C.object({email:C.string(),userId:C.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var ye=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:n}){let i=o||["email","name"];return e.scope&&i.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${i.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>h({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let n=it(r),{kid:i,alg:s}=n;if(!i||!s)return!1;let c=await dt(i),{payload:a}=await at(r,c,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{a[d]!==void 0&&(a[d]=!!a[d])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=ct(r.idToken)?.payload;if(!o)return null;let n=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:n,emailVerified:!1,email:o.email,...i},data:o}}}},dt=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await ot(`${t}${r}`);if(!o?.keys)throw new nt("BAD_REQUEST",{message:"Keys not found"});let n=o.keys.find(i=>i.kid===e);if(!n)throw new Error(`JWK with kid ${e} not found`);return await st(n,n.alg)};import{betterFetch as lt}from"@better-fetch/fetch";var be=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["identify","email"];return e.scope&&n.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${n.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await lt("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let i=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${i}.png`}else{let i=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${i}`}let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...n},data:r}}});import{betterFetch as ut}from"@better-fetch/fetch";var Ae=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["email","public_profile"];return e.scope&&n.push(...e.scope),await b({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:n,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await ut("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...n},data:r}}});import{betterFetch as ke}from"@better-fetch/fetch";var Ee=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:n,redirectURI:i}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),b({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:i})},validateAuthorizationCode:async({code:r,redirectURI:o})=>h({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await ke("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=!1;if(!o.email){let{data:c,error:a}=await ke("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(c.find(d=>d.primary)??c[0])?.email,i=c.find(d=>d.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:i,...s},data:o}}}};import{parseJWT as ht}from"oslo/jwt";import{createConsola as pt}from"consola";var re=["info","success","warn","error","debug"];function mt(e,t){return re.indexOf(t)<=re.indexOf(e)}var ft=pt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),gt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(n,i,s=[])=>{if(!(!t||!mt(r,n))){if(!e||typeof e.log!="function"){ft[n]("",i,...s);return}e.log(n==="success"?"info":n,i,s)}};return Object.fromEntries(re.map(n=>[n,(...[i,...s])=>o(n,i,s)]))},S=gt();import{betterFetch as wt}from"@better-fetch/fetch";var Re=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){if(!e.clientId||!e.clientSecret)throw S.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new P("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new P("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let s=await b({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:o,redirectURI:n});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:n}=await wt(o);return n?n.aud===e.clientId&&n.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=ht(t.idToken)?.payload,o=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...o},data:r}}});import{betterFetch as yt}from"@better-fetch/fetch";import{parseJWT as bt}from"oslo/jwt";var Ue=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(n){let i=n.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),b({id:"microsoft",options:e,authorizationEndpoint:r,state:n.state,codeVerifier:n.codeVerifier,scopes:i,redirectURI:n.redirectURI})},validateAuthorizationCode({code:n,codeVerifier:i,redirectURI:s}){return h({code:n,codeVerifier:i,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(n){if(e.getUserInfo)return e.getUserInfo(n);if(!n.idToken)return null;let i=bt(n.idToken)?.payload,s=e.profilePhotoSize||48;await yt(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${n.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let l=await a.response.clone().arrayBuffer(),m=Buffer.from(l).toString("base64");i.picture=`data:image/jpeg;base64, ${m}`}catch(d){S.error(d&&typeof d=="object"&&"name"in d?d.name:"",d)}}});let c=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0,...c},data:i}}}};import{betterFetch as At}from"@better-fetch/fetch";var _e=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),b({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:o,redirectURI:n})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await At("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...n},data:r}}});var $={isAction:!1};import{nanoid as kt}from"nanoid";var Te=e=>kt(e);import{parseJWT as Et}from"oslo/jwt";var Se=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["user:read:email","openid"];return e.scope&&n.push(...e.scope),b({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:n,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return S.error("No idToken found in token"),null;let o=Et(r)?.payload,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...n},data:o}}});import{betterFetch as Rt}from"@better-fetch/fetch";var Oe=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),b({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await Rt("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...n},data:r}}});import{betterFetch as Ut}from"@better-fetch/fetch";var ve=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:n,redirectURI:i})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await b({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>await h({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await Ut("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...i},data:o}}}};import{betterFetch as _t}from"@better-fetch/fetch";var Ie=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:n,redirectURI:i})=>{let s=n||["profile","email","openid"];return e.scope&&s.push(...e.scope),await b({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:i})},validateAuthorizationCode:async({code:o,redirectURI:n})=>await h({code:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:n,error:i}=await _t("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(i)return null;let s=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,emailVerified:n.email_verified||!1,image:n.picture,...s},data:n}}}};import{betterFetch as Tt}from"@better-fetch/fetch";var oe=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),St=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:oe(`${t}/oauth/authorize`),tokenEndpoint:oe(`${t}/oauth/token`),userinfoEndpoint:oe(`${t}/api/v4/user`)}},xe=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=St(e.issuer),n="gitlab";return{id:n,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:c,codeVerifier:a,redirectURI:d})=>{let l=c||["read_user"];return e.scope&&l.push(...e.scope),await b({id:n,options:e,authorizationEndpoint:t,scopes:l,state:s,redirectURI:d,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:c,codeVerifier:a})=>h({code:s,redirectURI:e.redirectURI||c,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:c,error:a}=await Tt(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||c.state!=="active"||c.locked)return null;let d=await e.mapProfileToUser?.(c);return{user:{id:c.id.toString(),name:c.name??c.username,email:c.email,image:c.avatar_url,emailVerified:!0,...d},data:c}}}};var Ot={apple:ye,discord:be,facebook:Ae,github:Ee,microsoft:Ue,google:Re,spotify:_e,twitch:Se,twitter:Oe,dropbox:ve,linkedin:Ie,gitlab:xe},K=Object.keys(Ot);import{TimeSpan as Lt}from"oslo";import{createJWT as Pt,validateJWT as Dt}from"oslo/jwt";import{z as O}from"zod";import{APIError as F}from"better-call";import{APIError as L}from"better-call";import{z as j}from"zod";function Le(e){try{return JSON.parse(e)}catch{return null}}var u={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var Pe=()=>f("/get-session",{method:"GET",query:j.optional(j.object({disableCookieCache:j.boolean({description:"Disable cookie cache and fetch session from database"}).or(j.string().transform(e=>e==="true")).optional(),disableRefresh:j.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?Le(Buffer.from(r,"base64").toString()):null;if(o&&!await G.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return I(e),e.json(null);let n=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let l=o.session;if(o.expiresAt<Date.now()||l.session.expiresAt<new Date){let g=e.context.authCookies.sessionData.name;e.setCookie(g,"",{maxAge:0})}else return e.json(l)}let i=await e.context.internalAdapter.findSession(t);if(e.context.session=i,!i||i.session.expiresAt<new Date)return I(e),i&&await e.context.internalAdapter.deleteSession(i.session.token),e.json(null);if(n||e.query?.disableRefresh)return e.json(i);let s=e.context.sessionConfig.expiresIn,c=e.context.sessionConfig.updateAge;if(i.session.expiresAt.valueOf()-s*1e3+c*1e3<=Date.now()){let l=await e.context.internalAdapter.updateSession(i.session.token,{expiresAt:D(e.context.sessionConfig.expiresIn,"sec")});if(!l)return I(e),e.json(null,{status:401});let m=(l.expiresAt.valueOf()-Date.now())/1e3;return await _(e,{session:l,user:i.user},!1,{maxAge:m}),e.json({session:l,user:i.user})}return e.json(i)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new L("INTERNAL_SERVER_ERROR",{message:u.FAILED_TO_GET_SESSION})}}),V=async(e,t)=>{if(e.context.session)return e.context.session;let r=await Pe()({...e,_flag:"json",headers:e.headers,query:t}).catch(o=>null);return e.context.session=r,r},x=q(async e=>{let t=await V(e);if(!t?.session)throw new L("UNAUTHORIZED");return{session:t}}),De=q(async e=>{let t=await V(e);if(!t?.session)throw new L("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),n=Date.now();if(!(o+r*1e3>n))throw new L("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var vt=f("/revoke-session",{method:"POST",body:j.object({token:j.string({description:"The token to revoke"})}),use:[x],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new L("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new L("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new L("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),It=f("/revoke-sessions",{method:"POST",use:[x],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new L("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),xt=f("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[x],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new L("UNAUTHORIZED");let n=(await e.context.internalAdapter.listSessions(t.user.id)).filter(i=>i.expiresAt>new Date).filter(i=>i.token!==e.context.session.session.token);return await Promise.all(n.map(i=>e.context.internalAdapter.deleteSession(i.token))),e.json({status:!0})});async function N(e,t,r){return await Pt("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Lt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Ct(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:r},e.request)}var Nt=f("/send-verification-email",{method:"POST",query:O.object({currentURL:O.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:O.object({email:O.string({description:"The email to send the verification email to"}).email(),callbackURL:O.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new F("BAD_REQUEST",{message:u.USER_NOT_FOUND});return await Ct(e,r.user),e.json({status:!0})}),jt=f("/verify-email",{method:"GET",query:O.object({token:O.string({description:"The token to verify the email"}),callbackURL:O.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(c){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${c}`):new F("UNAUTHORIZED",{message:c})}let{token:r}=e.query,o;try{o=await Dt("HS256",Buffer.from(e.context.secret),r)}catch(c){return e.context.logger.error("Failed to verify email",c),t("invalid_token")}let i=O.object({email:O.string().email(),updateTo:O.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(i.email);if(!s)return t("user_not_found");if(i.updateTo){let c=await V(e);if(!c){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(c.user.email!==i.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(i.email,{email:i.updateTo,emailVerified:!1});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(i.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await V(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new F("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await _(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function J(e,{userInfo:t,account:r,callbackURL:o}){let n=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(c=>{throw S.error(`Better auth was unable to query your database.
3
3
  Error: `,c),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),i=n?.user;if(n){let c=n.accounts.find(a=>a.providerId===r.providerId);if(c){let a=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([d,l])=>l!==void 0));Object.keys(a).length>0&&await e.context.internalAdapter.updateAccount(c.id,a)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return ce&&S.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:n.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(l){return S.error("Unable to link account",l),{error:"unable to link account",data:null}}i=await e.context.internalAdapter.updateUser(n.user.id,{...t,updatedAt:new Date})}}else if(i=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(c=>c?.user),!t.emailVerified&&i&&e.context.options.emailVerification?.sendOnSignUp){let c=await N(e.context.secret,i.email),a=`${e.context.baseURL}/verify-email?token=${c}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:i,url:a,token:c},e.request)}if(!i)return{error:"unable to create user",data:null};let s=await e.context.internalAdapter.createSession(i.id,e.request);return s?{data:{session:s,user:i},error:null}:{error:"unable to create session",data:null}}var Vt=f("/sign-in/social",{method:"POST",query:A.object({currentURL:A.string().optional()}).optional(),body:A.object({callbackURL:A.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:A.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:A.enum(K,{description:"OAuth2 provider to use"}),disableRedirect:A.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:A.optional(A.object({token:A.string({description:"ID token from the provider"}),nonce:A.string({description:"Nonce used to generate the token"}).optional(),accessToken:A.string({description:"Access token from the provider"}).optional(),refreshToken:A.string({description:"Refresh token from the provider"}).optional(),expiresAt:A.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new E("NOT_FOUND",{message:u.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new E("NOT_FOUND",{message:u.ID_TOKEN_NOT_SUPPORTED});let{token:i,nonce:s}=e.body.idToken;if(!await t.verifyIdToken(i,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new E("UNAUTHORIZED",{message:u.INVALID_TOKEN});let a=await t.getUserInfo({idToken:i,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new E("UNAUTHORIZED",{message:u.FAILED_TO_GET_USER_INFO});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new E("UNAUTHORIZED",{message:u.USER_EMAIL_NOT_FOUND});let d=await J(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:t.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new E("UNAUTHORIZED",{message:d.error});return await _(e,d.data),e.json({session:d.data.session,user:d.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:o}=await Q(e),n=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:n.toString(),redirect:!e.body.disableRedirect})}),Bt=f("/sign-in/email",{method:"POST",body:A.object({email:A.string({description:"Email of the user"}),password:A.string({description:"Password of the user"}),callbackURL:A.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:A.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new E("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!A.string().email().safeParse(t).success)throw new E("BAD_REQUEST",{message:u.INVALID_EMAIL});let n=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!n)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new E("UNAUTHORIZED",{message:u.INVALID_EMAIL_OR_PASSWORD});let i=n.accounts.find(d=>d.providerId==="credential");if(!i)throw e.context.logger.error("Credential account not found",{email:t}),new E("UNAUTHORIZED",{message:u.INVALID_EMAIL_OR_PASSWORD});let s=i?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new E("UNAUTHORIZED",{message:u.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:s,password:r}))throw e.context.logger.error("Invalid password"),new E("UNAUTHORIZED",{message:u.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!n.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new E("UNAUTHORIZED",{message:u.EMAIL_NOT_VERIFIED});let d=await N(e.context.secret,n.user.email),l=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:n.user,url:l,token:d},e.request),e.context.logger.error("Email not verified",{email:t}),new E("FORBIDDEN",{message:u.EMAIL_NOT_VERIFIED})}let a=await e.context.internalAdapter.createSession(n.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new E("UNAUTHORIZED",{message:u.FAILED_TO_CREATE_SESSION});return await _(e,{session:a,user:n.user},e.body.rememberMe===!1),e.json({user:{id:n.user.id,email:n.user.email,name:n.user.name,image:n.user.image,emailVerified:n.user.emailVerified,createdAt:n.user.createdAt,updatedAt:n.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as M}from"zod";var Y=M.object({code:M.string().optional(),error:M.string().optional(),errorMessage:M.string().optional(),state:M.string().optional()}),$t=f("/callback/:id",{method:["GET","POST"],body:Y.optional(),query:Y.optional(),metadata:$},async e=>{let t;try{if(e.method==="GET")t=Y.parse(e.query);else if(e.method==="POST")t=Y.parse(e.body);else throw new Error("Unsupported method")}catch(U){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",U),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:o,state:n}=t;if(!n)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let i=e.context.socialProviders.find(U=>U.id===e.params.id);if(!i)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:s,callbackURL:c,link:a,errorURL:d}=await we(e),l;try{l=await i.validateAuthorizationCode({code:r,codeVerifier:s,redirectURI:`${e.context.baseURL}/callback/${i.id}`})}catch(U){throw e.context.logger.error("",U),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let m=await i.getUserInfo(l).then(U=>U?.user);function g(U){let v=d||c||`${e.context.baseURL}/error`;throw v.includes("?")?v=`${v}&error=${U}`:v=`${v}?error=${U}`,e.redirect(v)}if(!m)return e.context.logger.error("Unable to get user info"),g("unable_to_get_user_info");if(!m.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),g("email_not_found");if(!c)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(a){if(a.email!==m.email.toLowerCase())return g("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:a.userId,providerId:i.id,accountId:m.id}))return g("unable_to_link_account");let v;try{v=new URL(c).toString()}catch{v=c}throw e.redirect(v)}let w=await J(e,{userInfo:{...m,email:m.email,name:m.name||m.email},account:{providerId:i.id,accountId:m.id,...l,scope:l.scopes?.join(",")},callbackURL:c});if(w.error)return e.context.logger.error(w.error.split(" ").join("_")),g(w.error.split(" ").join("_"));let{session:y,user:B}=w.data;await _(e,{session:y,user:B});let X;try{X=new URL(c).toString()}catch{X=c}throw e.redirect(X)});import"zod";import{APIError as zt}from"better-call";var qt=f("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw I(e),new zt("BAD_REQUEST",{message:u.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),I(e),e.json({success:!0})});import{z as T}from"zod";import{APIError as ne}from"better-call";function Ce(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}function Ft(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}var Mt=f("/forget-password",{method:"POST",body:T.object({email:T.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:T.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new ne("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let n=60*60*1,i=D(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||n,"sec"),s=Te(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id.toString(),identifier:`reset-password:${s}`,expiresAt:i});let c=`${e.context.baseURL}/reset-password/${s}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:c,token:s},e.request),e.json({status:!0})}),Ht=f("/reset-password/:token",{method:"GET",query:T.object({callbackURL:T.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(Ce(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(Ce(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Ft(e.context,r,{token:t}))}),Gt=f("/reset-password",{query:T.optional(T.object({token:T.string().optional(),currentURL:T.string().optional()})),method:"POST",body:T.object({newPassword:T.string({description:"The new password to set"}),token:T.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new ne("BAD_REQUEST",{message:u.INVALID_TOKEN});let{newPassword:r}=e.body,o=`reset-password:${t}`,n=await e.context.internalAdapter.findVerificationValue(o);if(!n||n.expiresAt<new Date)throw new ne("BAD_REQUEST",{message:u.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(n.id);let i=n.value,s=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(i)).find(d=>d.providerId==="credential")?(await e.context.internalAdapter.updatePassword(i,s),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:i,providerId:"credential",password:s,accountId:i}),e.json({status:!0}))});import{z as R}from"zod";import{APIError as k}from"better-call";import{z as p}from"zod";import{APIError as Ii}from"better-call";var xi=p.object({id:p.string(),providerId:p.string(),accountId:p.string(),userId:p.string(),accessToken:p.string().nullish(),refreshToken:p.string().nullish(),idToken:p.string().nullish(),accessTokenExpiresAt:p.date().nullish(),refreshTokenExpiresAt:p.date().nullish(),scope:p.string().nullish(),password:p.string().nullish(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date)}),Li=p.object({id:p.string(),email:p.string().transform(e=>e.toLowerCase()),emailVerified:p.boolean().default(!1),name:p.string(),image:p.string().nullish(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date)}),Pi=p.object({id:p.string(),userId:p.string(),expiresAt:p.date(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date),token:p.string(),ipAddress:p.string().nullish(),userAgent:p.string().nullish()}),Di=p.object({id:p.string(),value:p.string(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date),expiresAt:p.date(),identifier:p.string()});import{xchacha20poly1305 as Zi}from"@noble/ciphers/chacha";import{bytesToHex as Ki,hexToBytes as Ji,utf8ToBytes as Yi}from"@noble/ciphers/utils";import{managedNonce as es}from"@noble/ciphers/webcrypto";import{sha256 as rs}from"oslo/crypto";import ns from"uncrypto";import{decodeHex as ji,encodeHex as Vi}from"oslo/encoding";import{scryptAsync as zi}from"@noble/hashes/scrypt";import{getRandomValues as Fi}from"uncrypto";import Ne from"uncrypto";function Wt(e){return e.toString(2).padStart(8,"0")}function Zt(e){return[...e].map(t=>Wt(t)).join("")}function je(e){return parseInt(Zt(e),2)}function Qt(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new Uint8Array(Math.ceil(t/8));Ne.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let n=je(o);for(;n>=e;)Ne.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),n=je(o);return n}function Ve(e,t){let r="";for(let o=0;o<e;o++)r+=t[Qt(t.length)];return r}function Be(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var Jt=f("/change-password",{method:"POST",body:R.object({newPassword:R.string({description:"The new password to set"}),currentPassword:R.string({description:"The current password"}),revokeOtherSessions:R.boolean({description:"Revoke all other sessions"}).optional()}),use:[x],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,n=e.context.session,i=e.context.password.config.minPasswordLength;if(t.length<i)throw e.context.logger.error("Password is too short"),new k("BAD_REQUEST",{message:u.PASSWORD_TOO_SHORT});let s=e.context.password.config.maxPasswordLength;if(t.length>s)throw e.context.logger.error("Password is too long"),new k("BAD_REQUEST",{message:u.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(n.user.id)).find(m=>m.providerId==="credential"&&m.password);if(!a||!a.password)throw new k("BAD_REQUEST",{message:u.CREDENTIAL_ACCOUNT_NOT_FOUND});let d=await e.context.password.hash(t);if(!await e.context.password.verify({hash:a.password,password:r}))throw new k("BAD_REQUEST",{message:u.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(a.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(n.user.id);let m=await e.context.internalAdapter.createSession(n.user.id,e.headers);if(!m)throw new k("INTERNAL_SERVER_ERROR",{message:u.FAILED_TO_GET_SESSION});await _(e,{session:m,user:n.user})}return e.json(n.user)}),Yt=f("/set-password",{method:"POST",body:R.object({newPassword:R.string()}),metadata:{SERVER_ONLY:!0},use:[x]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new k("BAD_REQUEST",{message:u.PASSWORD_TOO_SHORT});let n=e.context.password.config.maxPasswordLength;if(t.length>n)throw e.context.logger.error("Password is too long"),new k("BAD_REQUEST",{message:u.PASSWORD_TOO_LONG});let s=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password),c=await e.context.password.hash(t);if(!s)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:c}),e.json(r.user);throw new k("BAD_REQUEST",{message:"user already has a password"})}),Xt=f("/delete-user",{method:"POST",use:[De],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new k("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let n=Ve(32,Be("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${n}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let i=`${e.context.baseURL}/delete-user/callback?token=${n}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:i,token:n},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),I(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(t.user,e.request),e.json({success:!0,message:"User deleted"})}),er=f("/delete-user/callback",{method:"GET",query:R.object({token:R.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new k("NOT_FOUND");let t=await V(e);if(!t)throw new k("NOT_FOUND",{message:u.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new k("NOT_FOUND",{message:u.INVALID_TOKEN});if(r.value!==t.user.id)throw new k("NOT_FOUND",{message:u.INVALID_TOKEN});let o=e.context.options.user.deleteUser?.beforeDelete;o&&await o(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),I(e);let n=e.context.options.user.deleteUser?.afterDelete;return n&&await n(t.user,e.request),e.json({success:!0,message:"User deleted"})}),tr=f("/change-email",{method:"POST",query:R.object({currentURL:R.string().optional()}).optional(),body:R.object({newEmail:R.string({description:"The new email to set"}).email(),callbackURL:R.string({description:"The URL to redirect to after email verification"}).optional()}),use:[x],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new k("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new k("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new k("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let n=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:n,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new k("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:r},e.request),e.json({user:null,status:!0})});var rr=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>
package/dist/index.cjs CHANGED
@@ -1,6 +1,6 @@
1
1
  "use strict";var $r=Object.create;var fe=Object.defineProperty;var Mr=Object.getOwnPropertyDescriptor;var zr=Object.getOwnPropertyNames;var Hr=Object.getPrototypeOf,Gr=Object.prototype.hasOwnProperty;var Wr=(e,t)=>{for(var r in t)fe(e,r,{get:t[r],enumerable:!0})},Xe=(e,t,r,n)=>{if(t&&typeof t=="object"||typeof t=="function")for(let i of zr(t))!Gr.call(e,i)&&i!==r&&fe(e,i,{get:()=>t[i],enumerable:!(n=Mr(t,i))||n.enumerable});return e};var Ie=(e,t,r)=>(r=e!=null?$r(Hr(e)):{},Xe(t||!e||!e.__esModule?fe(r,"default",{value:e,enumerable:!0}):r,e)),Kr=e=>Xe(fe({},"__esModule",{value:!0}),e);var Ln={};Wr(Ln,{BetterAuthError:()=>D,HIDE_METADATA:()=>Q,MissingDependencyError:()=>Le,betterAuth:()=>Pn,capitalizeFirstLetter:()=>sn,createCookieGetter:()=>Ae,createLogger:()=>ue,deleteSessionCookie:()=>q,generateId:()=>j,generateState:()=>ce,getCookies:()=>Ne,levels:()=>ke,logger:()=>P,parseCookies:()=>rn,parseSetCookieHeader:()=>tn,parseState:()=>Ve,setSessionCookie:()=>I,shouldPublishLog:()=>Ut});module.exports=Kr(Ln);var v=require("better-call");var st=require("better-call");var Z=require("better-call"),et=(0,Z.createMiddleware)(async()=>({})),oe=(0,Z.createMiddlewareCreator)({use:[et,(0,Z.createMiddleware)(async()=>({}))]}),R=(0,Z.createEndpointCreator)({use:[et]});function Pe(e){return e==="-"||e==="^"||e==="$"||e==="+"||e==="."||e==="("||e===")"||e==="|"||e==="["||e==="]"||e==="{"||e==="}"||e==="*"||e==="?"||e==="\\"?`\\${e}`:e}function Zr(e){let t="";for(let r=0;r<e.length;r++)t+=Pe(e[r]);return t}function tt(e,t=!0){if(Array.isArray(e))return`(?:${e.map(d=>`^${tt(d,t)}$`).join("|")})`;let r="",n="",i=".";t===!0?(r="/",n="[/\\\\]",i="[^/\\\\]"):t&&(r=t,n=Zr(r),n.length>1?(n=`(?:${n})`,i=`((?!${n}).)`):i=`[^${n}]`);let o=t?`${n}+?`:"",a=t?`${n}*?`:"",u=t?e.split(r):[e],c="";for(let s=0;s<u.length;s++){let d=u[s],p=u[s+1],m="";if(!(!d&&s>0)){if(t&&(s===u.length-1?m=a:p!=="**"?m=o:m=""),t&&d==="**"){m&&(c+=s===0?"":m,c+=`(?:${i}*?${m})*?`);continue}for(let l=0;l<d.length;l++){let f=d[l];f==="\\"?l<d.length-1&&(c+=Pe(d[l+1]),l++):f==="?"?c+=i:f==="*"?c+=`${i}*?`:c+=Pe(f)}c+=m}}return c}function Qr(e,t){if(typeof t!="string")throw new TypeError(`Sample must be a string, but ${typeof t} given`);return e.test(t)}function me(e,t){if(typeof e!="string"&&!Array.isArray(e))throw new TypeError(`The first argument must be a single pattern string or an array of patterns, but ${typeof e} given`);if((typeof t=="string"||typeof t=="boolean")&&(t={separator:t}),arguments.length===2&&!(typeof t>"u"||typeof t=="object"&&t!==null&&!Array.isArray(t)))throw new TypeError(`The second argument must be an options object or a string/boolean separator, but ${typeof t} given`);if(t=t||{},t.separator==="\\")throw new Error("\\ is not a valid separator because it is used for escaping. Try setting the separator to `true` instead");let r=tt(e,t.separator),n=new RegExp(`^${r}$`,t.flags),i=Qr.bind(null,n);return i.options=t,i.pattern=e,i.regexp=n,i}var ge=Object.create(null),se=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?ge:globalThis),L=new Proxy(ge,{get(e,t){return se()[t]??ge[t]},has(e,t){let r=se();return t in r||t in ge},set(e,t,r){let n=se(!0);return n[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=se(!0);return delete r[t],!0},ownKeys(){let e=se(!0);return Object.keys(e)}});function Jr(e){return e?e!=="false":!1}var he=typeof process<"u"&&process.env&&process.env.NODE_ENV||"",ae=he==="production",rt=he==="dev"||he==="development",nt=he==="test"||Jr(L.TEST);var D=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r,this.stack=""}},Le=class extends D{constructor(t){super(`The package "${t}" is required. Make sure it is installed.`,t)}};function Yr(e){try{return new URL(e).pathname!=="/"}catch{throw new D(`Invalid base URL: ${e}. Please provide a valid base URL.`)}}function De(e,t="/api/auth"){return Yr(e)?e:(t=t.startsWith("/")?t:`/${t}`,`${e}${t}`)}function de(e,t){if(e)return De(e,t);let r=L.BETTER_AUTH_URL||L.NEXT_PUBLIC_BETTER_AUTH_URL||L.PUBLIC_BETTER_AUTH_URL||L.NUXT_PUBLIC_BETTER_AUTH_URL||L.NUXT_PUBLIC_AUTH_URL||(L.BASE_URL!=="/"?L.BASE_URL:void 0);if(r)return De(r,t);if(typeof window<"u"&&window.location)return De(window.location.origin,t)}function it(e){try{return new URL(e).origin}catch{return null}}function ot(e){return e.includes("://")?new URL(e).host:e}var at=oe(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:n}=e,i=e.headers?.get("origin")||e.headers?.get("referer")||"",o=t?.callbackURL||r?.callbackURL,a=t?.redirectTo,u=r?.currentURL,c=n.trustedOrigins,s=e.headers?.has("cookie"),d=(m,l)=>m.startsWith("/")?!1:l.includes("*")?me(l)(ot(m)):m.startsWith(l),p=(m,l)=>{if(!m)return;if(!c.some(g=>d(m,g)||m?.startsWith("/")&&l!=="origin"&&!m.includes(":")))throw e.context.logger.error(`Invalid ${l}: ${m}`),e.context.logger.info(`If it's a valid URL, please add ${m} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${c}`),new st.APIError("FORBIDDEN",{message:`Invalid ${l}`})};s&&!e.context.options.advanced?.disableCSRFCheck&&p(i,"origin"),o&&p(o,"callbackURL"),a&&p(a,"redirectURL"),u&&p(u,"currentURL")});var _=require("better-call"),U=require("zod");var dt=require("oslo"),ct=require("oslo/encoding");var ye=require("oslo/crypto");function Ce(e,t){let r=new Uint8Array(e),n=new Uint8Array(t);if(r.length!==n.length)return!1;let i=0;for(let o=0;o<r.length;o++)i|=r[o]^n[o];return i===0}async function Xr({value:e,secret:t}){return new ye.HMAC("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(n=>Buffer.from(n).toString("base64"))}function en({value:e,signature:t,secret:r}){return new ye.HMAC("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var we={sign:Xr,verify:en};var F=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));function tn(e){let t=new Map;return e.split(", ").forEach(n=>{let i=n.split(";").map(p=>p.trim()),[o,...a]=i,[u,...c]=o.split("="),s=c.join("=");if(!u||s===void 0)return;let d={value:s};a.forEach(p=>{let[m,...l]=p.split("="),f=l.join("="),g=m.trim().toLowerCase();switch(g){case"max-age":d["max-age"]=f?parseInt(f.trim(),10):void 0;break;case"expires":d.expires=f?new Date(f.trim()):void 0;break;case"domain":d.domain=f?f.trim():void 0;break;case"path":d.path=f?f.trim():void 0;break;case"secure":d.secure=!0;break;case"httponly":d.httponly=!0;break;case"samesite":d.samesite=f?f.trim().toLowerCase():void 0;break;default:d[g]=f?f.trim():!0;break}}),t.set(u,d)}),t}function Ae(e){let r=(e.advanced?.useSecureCookies!==void 0?e.advanced?.useSecureCookies:e.baseURL!==void 0?!!e.baseURL.startsWith("https://"):ae)?"__Secure-":"",n=!!e.advanced?.crossSubDomainCookies?.enabled,i=n?e.advanced?.crossSubDomainCookies?.domain||(e.baseURL?new URL(e.baseURL).hostname:void 0):void 0;if(n&&!i)throw new D("baseURL is required when crossSubdomainCookies are enabled");function o(a,u={}){let c=e.advanced?.cookiePrefix||"better-auth",s=e.advanced?.cookies?.[a]?.name||`${c}.${a}`,d=e.advanced?.cookies?.[a]?.attributes;return{name:`${r}${s}`,attributes:{secure:!!r,sameSite:"lax",path:"/",httpOnly:!0,...n?{domain:i}:{},...e.advanced?.defaultCookieAttributes,...u,...d}}}return o}function Ne(e){let t=Ae(e),r=e.session?.expiresIn||new dt.TimeSpan(7,"d").seconds(),n=t("session_token",{maxAge:r}),i=t("session_data",{maxAge:e.session?.cookieCache?.maxAge||60*5}),o=t("dont_remember");return{sessionToken:{name:n.name,options:n.attributes},sessionData:{name:i.name,options:i.attributes},dontRememberToken:{name:o.name,options:o.attributes}}}async function I(e,t,r,n){let i=e.context.authCookies.sessionToken.options,o=r?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...i,maxAge:o,...n}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(ct.base64url.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:F(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await we.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function q(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}function rn(e){let t=e.split("; "),r=new Map;return t.forEach(n=>{let[i,o]=n.split("=");r.set(i,o)}),r}var gt=require("@better-fetch/fetch"),ht=require("better-call"),X=require("jose"),yt=require("oslo/jwt");var ut=require("oslo/crypto"),lt=require("oslo/encoding");async function pt(e){let t=await(0,ut.sha256)(new TextEncoder().encode(e));return lt.base64url.encode(new Uint8Array(t),{includePadding:!1})}function ft(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?F(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function x({id:e,options:t,authorizationEndpoint:r,state:n,codeVerifier:i,scopes:o,claims:a,redirectURI:u}){let c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",n),c.searchParams.set("scope",o.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||u),i){let s=await pt(i);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",s)}if(a){let s=a.reduce((d,p)=>(d[p]=null,d),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...s}}))}return c}var mt=require("@better-fetch/fetch");async function T({code:e,codeVerifier:t,redirectURI:r,options:n,tokenEndpoint:i,authentication:o}){let a=new URLSearchParams,u={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(a.set("grant_type","authorization_code"),a.set("code",e),t&&a.set("code_verifier",t),a.set("redirect_uri",r),o==="basic"){let p=btoa(`${n.clientId}:${n.clientSecret}`);u.authorization=`Basic ${p}`}else a.set("client_id",n.clientId),a.set("client_secret",n.clientSecret);let{data:c,error:s}=await(0,mt.betterFetch)(i,{method:"POST",body:a,headers:u});if(s)throw s;return ft(c)}var be=require("oslo/oauth2"),z=require("zod"),Be=require("better-call");async function ce(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?it(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new Be.APIError("BAD_REQUEST",{message:"callbackURL is required"});let n=(0,be.generateCodeVerifier)(),i=(0,be.generateState)(),o=JSON.stringify({callbackURL:r,codeVerifier:n,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let u=await e.context.internalAdapter.createVerificationValue({value:o,identifier:i,expiresAt:a});if(!u)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new Be.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:u.identifier,codeVerifier:n}}async function Ve(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let n=z.z.object({callbackURL:z.z.string(),codeVerifier:z.z.string(),errorURL:z.z.string().optional(),expiresAt:z.z.number(),link:z.z.object({email:z.z.string(),userId:z.z.string()}).optional()}).parse(JSON.parse(r.value));if(n.errorURL||(n.errorURL=`${e.context.baseURL}/error`),n.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),n}var wt=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:n,redirectURI:i}){let o=n||["email","name"];return e.scope&&o.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${i||e.redirectURI}&scope=${o.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:i})=>T({code:r,codeVerifier:n,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async verifyIdToken(r,n){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,n);let i=(0,X.decodeProtectedHeader)(r),{kid:o,alg:a}=i;if(!o||!a)return!1;let u=await nn(o),{payload:c}=await(0,X.jwtVerify)(r,u,{algorithms:[a],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(s=>{c[s]!==void 0&&(c[s]=!!c[s])}),n&&c.nonce!==n?!1:!!c},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let n=(0,yt.parseJWT)(r.idToken)?.payload;if(!n)return null;let i=n.user?`${n.user.name.firstName} ${n.user.name.lastName}`:n.email,o=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:i,emailVerified:!1,email:n.email,...o},data:n}}}},nn=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:n}=await(0,gt.betterFetch)(`${t}${r}`);if(!n?.keys)throw new ht.APIError("BAD_REQUEST",{message:"Keys not found"});let i=n.keys.find(o=>o.kid===e);if(!i)throw new Error(`JWK with kid ${e} not found`);return await(0,X.importJWK)(i,i.alg)};var At=require("@better-fetch/fetch");var bt=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let i=r||["identify","email"];return e.scope&&i.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${i.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||n)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,At.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(n)return null;if(r.avatar===null){let o=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${o}.png`}else{let o=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${o}`}let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...i},data:r}}});var kt=require("@better-fetch/fetch");var Rt=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let i=r||["email","public_profile"];return e.scope&&i.push(...e.scope),await x({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:i,state:t,redirectURI:n})},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,kt.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(n)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...i},data:r}}});var Fe=require("@better-fetch/fetch");var Et=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:n,codeVerifier:i,redirectURI:o}){let a=n||["user:email"];return e.scope&&a.push(...e.scope),x({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:r,redirectURI:o})},validateAuthorizationCode:async({code:r,redirectURI:n})=>T({code:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:i}=await(0,Fe.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(i)return null;let o=!1;if(!n.email){let{data:u,error:c}=await(0,Fe.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});c||(n.email=(u.find(s=>s.primary)??u[0])?.email,o=u.find(s=>s.email===n.email)?.verified??!1)}let a=await e.mapProfileToUser?.(n);return{user:{id:n.id.toString(),name:n.name||n.login,email:n.email,image:n.avatar_url,emailVerified:o,...a},data:n}}}};var xt=require("oslo/jwt");var Tt=require("consola"),ke=["info","success","warn","error","debug"];function Ut(e,t){return ke.indexOf(t)<=ke.indexOf(e)}var on=(0,Tt.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),ue=e=>{let t=e?.disabled!==!0,r=e?.level??"error",n=(i,o,a=[])=>{if(!(!t||!Ut(r,i))){if(!e||typeof e.log!="function"){on[i]("",o,...a);return}e.log(i==="success"?"info":i,o,a)}};return Object.fromEntries(ke.map(i=>[i,(...[o,...a])=>n(i,o,a)]))},P=ue();var Ot=require("@better-fetch/fetch"),vt=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:i}){if(!e.clientId||!e.clientSecret)throw P.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new D("CLIENT_ID_AND_SECRET_REQUIRED");if(!n)throw new D("codeVerifier is required for Google");let o=r||["email","profile","openid"];e.scope&&o.push(...e.scope);let a=await x({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:o,state:t,codeVerifier:n,redirectURI:i});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let n=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:i}=await(0,Ot.betterFetch)(n);return i?i.aud===e.clientId&&i.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=(0,xt.parseJWT)(t.idToken)?.payload,n=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...n},data:r}}});var St=require("@better-fetch/fetch"),_t=require("oslo/jwt");var It=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,n=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(i){let o=i.scopes||["openid","profile","email","User.Read"];return e.scope&&o.push(...e.scope),x({id:"microsoft",options:e,authorizationEndpoint:r,state:i.state,codeVerifier:i.codeVerifier,scopes:o,redirectURI:i.redirectURI})},validateAuthorizationCode({code:i,codeVerifier:o,redirectURI:a}){return T({code:i,codeVerifier:o,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:n})},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let o=(0,_t.parseJWT)(i.idToken)?.payload,a=e.profilePhotoSize||48;await(0,St.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${i.accessToken}`},async onResponse(c){if(!(e.disableProfilePhoto||!c.response.ok))try{let d=await c.response.clone().arrayBuffer(),p=Buffer.from(d).toString("base64");o.picture=`data:image/jpeg;base64, ${p}`}catch(s){P.error(s&&typeof s=="object"&&"name"in s?s.name:"",s)}}});let u=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.name,email:o.email,image:o.picture,emailVerified:!0,...u},data:o}}}};var Pt=require("@better-fetch/fetch");var Lt=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:i}){let o=r||["user-read-email"];return e.scope&&o.push(...e.scope),x({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:o,state:t,codeVerifier:n,redirectURI:i})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,Pt.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...i},data:r}}});function sn(e){return e.charAt(0).toUpperCase()+e.slice(1)}var Q={isAction:!1};var Dt=require("nanoid"),j=e=>(0,Dt.nanoid)(e);var Ct=require("oslo/jwt");var Nt=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let i=r||["user:read:email","openid"];return e.scope&&i.push(...e.scope),x({id:"twitch",redirectURI:n,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:i,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return P.error("No idToken found in token"),null;let n=(0,Ct.parseJWT)(r)?.payload,i=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.preferred_username,email:n.email,image:n.picture,emailVerified:!1,...i},data:n}}});var Bt=require("@better-fetch/fetch");var Vt=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),x({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,Bt.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...i},data:r}}});var Ft=require("@better-fetch/fetch");var qt=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:n,codeVerifier:i,redirectURI:o})=>{let a=n||["account_info.read"];return e.scope&&a.push(...e.scope),await x({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:r,redirectURI:o,codeVerifier:i})},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:i})=>await T({code:r,codeVerifier:n,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:i}=await(0,Ft.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(i)return null;let o=await e.mapProfileToUser?.(n);return{user:{id:n.account_id,name:n.name?.display_name,email:n.email,emailVerified:n.email_verified||!1,image:n.profile_photo_url,...o},data:n}}}};var jt=require("@better-fetch/fetch");var $t=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:n,scopes:i,redirectURI:o})=>{let a=i||["profile","email","openid"];return e.scope&&a.push(...e.scope),await x({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:n,redirectURI:o})},validateAuthorizationCode:async({code:n,redirectURI:i})=>await T({code:n,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async getUserInfo(n){let{data:i,error:o}=await(0,jt.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${n.accessToken}`}});if(o)return null;let a=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,emailVerified:i.email_verified||!1,image:i.picture,...a},data:i}}}};var Mt=require("@better-fetch/fetch");var qe=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),an=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:qe(`${t}/oauth/authorize`),tokenEndpoint:qe(`${t}/oauth/token`),userinfoEndpoint:qe(`${t}/api/v4/user`)}},zt=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:n}=an(e.issuer),i="gitlab";return{id:i,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:u,codeVerifier:c,redirectURI:s})=>{let d=u||["read_user"];return e.scope&&d.push(...e.scope),await x({id:i,options:e,authorizationEndpoint:t,scopes:d,state:a,redirectURI:s,codeVerifier:c})},validateAuthorizationCode:async({code:a,redirectURI:u,codeVerifier:c})=>T({code:a,redirectURI:e.redirectURI||u,options:e,codeVerifier:c,tokenEndpoint:r}),async getUserInfo(a){if(e.getUserInfo)return e.getUserInfo(a);let{data:u,error:c}=await(0,Mt.betterFetch)(n,{headers:{authorization:`Bearer ${a.accessToken}`}});if(c||u.state!=="active"||u.locked)return null;let s=await e.mapProfileToUser?.(u);return{user:{id:u.id.toString(),name:u.name??u.username,email:u.email,image:u.avatar_url,emailVerified:!0,...s},data:u}}}};var je={apple:wt,discord:bt,facebook:Rt,github:Et,microsoft:It,google:vt,spotify:Lt,twitch:Nt,twitter:Vt,dropbox:qt,linkedin:$t,gitlab:zt},Re=Object.keys(je);var Qt=require("oslo"),Ee=require("oslo/jwt"),V=require("zod");var te=require("better-call");var $=require("better-call");var K=require("zod");function ee(e){try{return JSON.parse(e)}catch{return null}}var b={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var $e=()=>R("/get-session",{method:"GET",query:K.z.optional(K.z.object({disableCookieCache:K.z.boolean({description:"Disable cookie cache and fetch session from database"}).or(K.z.string().transform(e=>e==="true")).optional(),disableRefresh:K.z.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),n=r?ee(Buffer.from(r,"base64").toString()):null;if(n&&!await we.verify({value:JSON.stringify(n.session),signature:n?.signature,secret:e.context.secret}))return q(e),e.json(null);let i=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(n?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let d=n.session;if(n.expiresAt<Date.now()||d.session.expiresAt<new Date){let m=e.context.authCookies.sessionData.name;e.setCookie(m,"",{maxAge:0})}else return e.json(d)}let o=await e.context.internalAdapter.findSession(t);if(e.context.session=o,!o||o.session.expiresAt<new Date)return q(e),o&&await e.context.internalAdapter.deleteSession(o.session.token),e.json(null);if(i||e.query?.disableRefresh)return e.json(o);let a=e.context.sessionConfig.expiresIn,u=e.context.sessionConfig.updateAge;if(o.session.expiresAt.valueOf()-a*1e3+u*1e3<=Date.now()){let d=await e.context.internalAdapter.updateSession(o.session.token,{expiresAt:F(e.context.sessionConfig.expiresIn,"sec")});if(!d)return q(e),e.json(null,{status:401});let p=(d.expiresAt.valueOf()-Date.now())/1e3;return await I(e,{session:d,user:o.user},!1,{maxAge:p}),e.json({session:d,user:o.user})}return e.json(o)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new $.APIError("INTERNAL_SERVER_ERROR",{message:b.FAILED_TO_GET_SESSION})}}),J=async(e,t)=>{if(e.context.session)return e.context.session;let r=await $e()({...e,_flag:"json",headers:e.headers,query:t}).catch(n=>null);return e.context.session=r,r},B=oe(async e=>{let t=await J(e);if(!t?.session)throw new $.APIError("UNAUTHORIZED");return{session:t}}),Ht=oe(async e=>{let t=await J(e);if(!t?.session)throw new $.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,n=t.session.createdAt.valueOf(),i=Date.now();if(!(n+r*1e3>i))throw new $.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:t}}),Gt=()=>R("/list-sessions",{method:"GET",use:[B],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let r=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(n=>n.expiresAt>new Date);return e.json(r)}),Wt=R("/revoke-session",{method:"POST",body:K.z.object({token:K.z.string({description:"The token to revoke"})}),use:[B],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new $.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new $.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(n){throw e.context.logger.error(n&&typeof n=="object"&&"name"in n?n.name:"",n),new $.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Kt=R("/revoke-sessions",{method:"POST",use:[B],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new $.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Zt=R("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[B],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new $.APIError("UNAUTHORIZED");let i=(await e.context.internalAdapter.listSessions(t.user.id)).filter(o=>o.expiresAt>new Date).filter(o=>o.token!==e.context.session.session.token);return await Promise.all(i.map(o=>e.context.internalAdapter.deleteSession(o.token))),e.json({status:!0})});async function H(e,t,r){return await(0,Ee.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Qt.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function dn(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new te.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await H(e.context.secret,t.email),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:n,token:r},e.request)}var Jt=R("/send-verification-email",{method:"POST",query:V.z.object({currentURL:V.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:V.z.object({email:V.z.string({description:"The email to send the verification email to"}).email(),callbackURL:V.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new te.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new te.APIError("BAD_REQUEST",{message:b.USER_NOT_FOUND});return await dn(e,r.user),e.json({status:!0})}),Yt=R("/verify-email",{method:"GET",query:V.z.object({token:V.z.string({description:"The token to verify the email"}),callbackURL:V.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(u){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${u}`):new te.APIError("UNAUTHORIZED",{message:u})}let{token:r}=e.query,n;try{n=await(0,Ee.validateJWT)("HS256",Buffer.from(e.context.secret),r)}catch(u){return e.context.logger.error("Failed to verify email",u),t("invalid_token")}let o=V.z.object({email:V.z.string().email(),updateTo:V.z.string().optional()}).parse(n.payload),a=await e.context.internalAdapter.findUserByEmail(o.email);if(!a)return t("user_not_found");if(o.updateTo){let u=await J(e);if(!u){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(u.user.email!==o.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let c=await e.context.internalAdapter.updateUserByEmail(o.email,{email:o.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:c,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:c,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(o.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await J(e)){let c=await e.context.internalAdapter.createSession(a.user.id,e.request);if(!c)throw new te.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await I(e,{session:c,user:a.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function Te(e,{userInfo:t,account:r,callbackURL:n}){let i=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(u=>{throw P.error(`Better auth was unable to query your database.
3
- Error: `,u),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),o=i?.user;if(i){let u=i.accounts.find(c=>c.providerId===r.providerId);if(u){let c=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([s,d])=>d!==void 0));Object.keys(c).length>0&&await e.context.internalAdapter.updateAccount(u.id,c)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return rt&&P.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:i.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(d){return P.error("Unable to link account",d),{error:"unable to link account",data:null}}o=await e.context.internalAdapter.updateUser(i.user.id,{...t,updatedAt:new Date})}}else if(o=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(u=>u?.user),!t.emailVerified&&o&&e.context.options.emailVerification?.sendOnSignUp){let u=await H(e.context.secret,o.email),c=`${e.context.baseURL}/verify-email?token=${u}&callbackURL=${n}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:o,url:c,token:u},e.request)}if(!o)return{error:"unable to create user",data:null};let a=await e.context.internalAdapter.createSession(o.id,e.request);return a?{data:{session:a,user:o},error:null}:{error:"unable to create session",data:null}}var Xt=R("/sign-in/social",{method:"POST",query:U.z.object({currentURL:U.z.string().optional()}).optional(),body:U.z.object({callbackURL:U.z.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:U.z.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:U.z.enum(Re,{description:"OAuth2 provider to use"}),disableRedirect:U.z.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:U.z.optional(U.z.object({token:U.z.string({description:"ID token from the provider"}),nonce:U.z.string({description:"Nonce used to generate the token"}).optional(),accessToken:U.z.string({description:"Access token from the provider"}).optional(),refreshToken:U.z.string({description:"Refresh token from the provider"}).optional(),expiresAt:U.z.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(o=>o.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new _.APIError("NOT_FOUND",{message:b.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new _.APIError("NOT_FOUND",{message:b.ID_TOKEN_NOT_SUPPORTED});let{token:o,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(o,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new _.APIError("UNAUTHORIZED",{message:b.INVALID_TOKEN});let c=await t.getUserInfo({idToken:o,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!c||!c?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new _.APIError("UNAUTHORIZED",{message:b.FAILED_TO_GET_USER_INFO});if(!c.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new _.APIError("UNAUTHORIZED",{message:b.USER_EMAIL_NOT_FOUND});let s=await Te(e,{userInfo:{email:c.user.email,id:c.user.id,name:c.user.name||"",image:c.user.image,emailVerified:c.user.emailVerified||!1},account:{providerId:t.id,accountId:c.user.id,accessToken:e.body.idToken.accessToken}});if(s.error)throw new _.APIError("UNAUTHORIZED",{message:s.error});return await I(e,s.data),e.json({session:s.data.session,user:s.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:n}=await ce(e),i=await t.createAuthorizationURL({state:n,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:i.toString(),redirect:!e.body.disableRedirect})}),er=R("/sign-in/email",{method:"POST",body:U.z.object({email:U.z.string({description:"Email of the user"}),password:U.z.string({description:"Password of the user"}),callbackURL:U.z.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:U.z.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new _.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!U.z.string().email().safeParse(t).success)throw new _.APIError("BAD_REQUEST",{message:b.INVALID_EMAIL});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new _.APIError("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});let o=i.accounts.find(s=>s.providerId==="credential");if(!o)throw e.context.logger.error("Credential account not found",{email:t}),new _.APIError("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});let a=o?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new _.APIError("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:a,password:r}))throw e.context.logger.error("Invalid password"),new _.APIError("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new _.APIError("UNAUTHORIZED",{message:b.EMAIL_NOT_VERIFIED});let s=await H(e.context.secret,i.user.email),d=`${e.context.baseURL}/verify-email?token=${s}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:d,token:s},e.request),e.context.logger.error("Email not verified",{email:t}),new _.APIError("FORBIDDEN",{message:b.EMAIL_NOT_VERIFIED})}let c=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.rememberMe===!1);if(!c)throw e.context.logger.error("Failed to create session"),new _.APIError("UNAUTHORIZED",{message:b.FAILED_TO_CREATE_SESSION});return await I(e,{session:c,user:i.user},e.body.rememberMe===!1),e.json({user:{id:i.user.id,email:i.user.email,name:i.user.name,image:i.user.image,emailVerified:i.user.emailVerified,createdAt:i.user.createdAt,updatedAt:i.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var re=require("zod");var Ue=re.z.object({code:re.z.string().optional(),error:re.z.string().optional(),errorMessage:re.z.string().optional(),state:re.z.string().optional()}),tr=R("/callback/:id",{method:["GET","POST"],body:Ue.optional(),query:Ue.optional(),metadata:Q},async e=>{let t;try{if(e.method==="GET")t=Ue.parse(e.query);else if(e.method==="POST")t=Ue.parse(e.body);else throw new Error("Unsupported method")}catch(h){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",h),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:n,state:i}=t;if(!i)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${n||"no_code"}`);let o=e.context.socialProviders.find(h=>h.id===e.params.id);if(!o)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:u,link:c,errorURL:s}=await Ve(e),d;try{d=await o.validateAuthorizationCode({code:r,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${o.id}`})}catch(h){throw e.context.logger.error("",h),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let p=await o.getUserInfo(d).then(h=>h?.user);function m(h){let w=s||u||`${e.context.baseURL}/error`;throw w.includes("?")?w=`${w}&error=${h}`:w=`${w}?error=${h}`,e.redirect(w)}if(!p)return e.context.logger.error("Unable to get user info"),m("unable_to_get_user_info");if(!p.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),m("email_not_found");if(!u)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(c){if(c.email!==p.email.toLowerCase())return m("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:c.userId,providerId:o.id,accountId:p.id}))return m("unable_to_link_account");let w;try{w=new URL(u).toString()}catch{w=u}throw e.redirect(w)}let l=await Te(e,{userInfo:{...p,email:p.email,name:p.name||p.email},account:{providerId:o.id,accountId:p.id,...d,scope:d.scopes?.join(",")},callbackURL:u});if(l.error)return e.context.logger.error(l.error.split(" ").join("_")),m(l.error.split(" ").join("_"));let{session:f,user:g}=l.data;await I(e,{session:f,user:g});let y;try{y=new URL(u).toString()}catch{y=u}throw e.redirect(y)});var ds=require("zod");var rr=require("better-call");var nr=R("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw q(e),new rr.APIError("BAD_REQUEST",{message:b.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),q(e),e.json({success:!0})});var C=require("zod");var xe=require("better-call");function ir(e,t,r){let n=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([i,o])=>n.searchParams.set(i,o)),n.href}function cn(e,t,r){let n=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([i,o])=>n.searchParams.set(i,o)),n.href}var or=R("/forget-password",{method:"POST",body:C.z.object({email:C.z.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:C.z.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new xe.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,n=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!n)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let i=60*60*1,o=F(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||i,"sec"),a=j(24);await e.context.internalAdapter.createVerificationValue({value:n.user.id.toString(),identifier:`reset-password:${a}`,expiresAt:o});let u=`${e.context.baseURL}/reset-password/${a}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:n.user,url:u,token:a},e.request),e.json({status:!0})}),sr=R("/reset-password/:token",{method:"GET",query:C.z.object({callbackURL:C.z.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(ir(e.context,r,{error:"INVALID_TOKEN"}));let n=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!n||n.expiresAt<new Date?e.redirect(ir(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(cn(e.context,r,{token:t}))}),ar=R("/reset-password",{query:C.z.optional(C.z.object({token:C.z.string().optional(),currentURL:C.z.string().optional()})),method:"POST",body:C.z.object({newPassword:C.z.string({description:"The new password to set"}),token:C.z.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new xe.APIError("BAD_REQUEST",{message:b.INVALID_TOKEN});let{newPassword:r}=e.body,n=`reset-password:${t}`,i=await e.context.internalAdapter.findVerificationValue(n);if(!i||i.expiresAt<new Date)throw new xe.APIError("BAD_REQUEST",{message:b.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(i.id);let o=i.value,a=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(o)).find(s=>s.providerId==="credential")?(await e.context.internalAdapter.updatePassword(o,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:o,providerId:"credential",password:a,accountId:o}),e.json({status:!0}))});var S=require("zod");var O=require("better-call");var k=require("zod"),dr=require("better-call"),As=k.z.object({id:k.z.string(),providerId:k.z.string(),accountId:k.z.string(),userId:k.z.string(),accessToken:k.z.string().nullish(),refreshToken:k.z.string().nullish(),idToken:k.z.string().nullish(),accessTokenExpiresAt:k.z.date().nullish(),refreshTokenExpiresAt:k.z.date().nullish(),scope:k.z.string().nullish(),password:k.z.string().nullish(),createdAt:k.z.date().default(()=>new Date),updatedAt:k.z.date().default(()=>new Date)}),bs=k.z.object({id:k.z.string(),email:k.z.string().transform(e=>e.toLowerCase()),emailVerified:k.z.boolean().default(!1),name:k.z.string(),image:k.z.string().nullish(),createdAt:k.z.date().default(()=>new Date),updatedAt:k.z.date().default(()=>new Date)}),ks=k.z.object({id:k.z.string(),userId:k.z.string(),expiresAt:k.z.date(),createdAt:k.z.date().default(()=>new Date),updatedAt:k.z.date().default(()=>new Date),token:k.z.string(),ipAddress:k.z.string().nullish(),userAgent:k.z.string().nullish()}),Rs=k.z.object({id:k.z.string(),value:k.z.string(),createdAt:k.z.date().default(()=>new Date),updatedAt:k.z.date().default(()=>new Date),expiresAt:k.z.date(),identifier:k.z.string()});function cr(e,t){let r=t.fields,n={};for(let i in e){let o=r[i];if(!o){n[i]=e[i];continue}o.returned!==!1&&(n[i]=e[i])}return n}function Me(e,t){let r={...t==="user"?e.user?.additionalFields:{},...t==="session"?e.session?.additionalFields:{}};for(let n of e.plugins||[])n.schema&&n.schema[t]&&(r={...r,...n.schema[t].fields});return r}function ze(e,t){let r=Me(e,"user");return cr(t,{fields:r})}function Oe(e,t){let r=Me(e,"session");return cr(t,{fields:r})}function un(e,t){let r=t.action||"create",n=t.fields,i={};for(let o in n){if(o in e){if(n[o].input===!1){if(n[o].defaultValue){i[o]=n[o].defaultValue;continue}continue}if(n[o].validator?.input&&e[o]!==void 0){i[o]=n[o].validator.input.parse(e[o]);continue}i[o]=e[o];continue}if(n[o].defaultValue&&r==="create"){i[o]=n[o].defaultValue;continue}if(n[o].required&&r==="create")throw new dr.APIError("BAD_REQUEST",{message:`${o} is required`})}return i}function ve(e,t,r){let n=Me(e,"user");return un(t||{},{fields:n,action:r})}var mn=require("@noble/ciphers/chacha"),Ge=require("@noble/ciphers/utils"),gn=require("@noble/ciphers/webcrypto"),hn=require("oslo/crypto"),yn=Ie(require("uncrypto"),1);var le=require("oslo/encoding");var ur=require("@noble/hashes/scrypt"),lr=require("uncrypto"),ne={N:16384,r:16,p:1,dkLen:64};async function pr(e,t){return await(0,ur.scryptAsync)(e.normalize("NFKC"),t,{N:ne.N,p:ne.p,r:ne.r,dkLen:ne.dkLen,maxmem:128*ne.N*ne.r*2})}var fr=async e=>{let t=(0,le.encodeHex)((0,lr.getRandomValues)(new Uint8Array(16))),r=await pr(e,t);return`${t}:${(0,le.encodeHex)(r)}`},mr=async({hash:e,password:t})=>{let[r,n]=e.split(":"),i=await pr(t,r);return Ce(i,(0,le.decodeHex)(n))};var He=Ie(require("uncrypto"),1);function ln(e){return e.toString(2).padStart(8,"0")}function pn(e){return[...e].map(t=>ln(t)).join("")}function gr(e){return parseInt(pn(e),2)}function fn(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,n=new Uint8Array(Math.ceil(t/8));He.default.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1);let i=gr(n);for(;i>=e;)He.default.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1),i=gr(n);return i}function hr(e,t){let r="";for(let n=0;n<e;n++)r+=t[fn(t.length)];return r}function yr(...e){let t=new Set(e),r="";for(let n of t)n==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":n==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":n==="0-9"?r+="0123456789":r+=n;return r}var wr=()=>R("/update-user",{method:"POST",body:S.z.record(S.z.string(),S.z.any()),use:[B],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new O.APIError("BAD_REQUEST",{message:b.EMAIL_CAN_NOT_BE_UPDATED});let{name:r,image:n,...i}=t,o=e.context.session;if(n===void 0&&!r&&Object.keys(i).length===0)return e.json({id:o.user.id,email:o.user.email,name:o.user.name,image:o.user.image,emailVerified:o.user.emailVerified,createdAt:o.user.createdAt,updatedAt:o.user.updatedAt});let a=ve(e.context.options,i,"update"),u=await e.context.internalAdapter.updateUserByEmail(o.user.email,{name:r,image:n,...a});return await I(e,{session:o.session,user:u}),e.json({id:u.id,email:u.email,name:u.name,image:u.image,emailVerified:u.emailVerified,createdAt:u.createdAt,updatedAt:u.updatedAt})}),Ar=R("/change-password",{method:"POST",body:S.z.object({newPassword:S.z.string({description:"The new password to set"}),currentPassword:S.z.string({description:"The current password"}),revokeOtherSessions:S.z.boolean({description:"Revoke all other sessions"}).optional()}),use:[B],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:n}=e.body,i=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new O.APIError("BAD_REQUEST",{message:b.PASSWORD_TOO_SHORT});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new O.APIError("BAD_REQUEST",{message:b.PASSWORD_TOO_LONG});let c=(await e.context.internalAdapter.findAccounts(i.user.id)).find(p=>p.providerId==="credential"&&p.password);if(!c||!c.password)throw new O.APIError("BAD_REQUEST",{message:b.CREDENTIAL_ACCOUNT_NOT_FOUND});let s=await e.context.password.hash(t);if(!await e.context.password.verify({hash:c.password,password:r}))throw new O.APIError("BAD_REQUEST",{message:b.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(c.id,{password:s}),n){await e.context.internalAdapter.deleteSessions(i.user.id);let p=await e.context.internalAdapter.createSession(i.user.id,e.headers);if(!p)throw new O.APIError("INTERNAL_SERVER_ERROR",{message:b.FAILED_TO_GET_SESSION});await I(e,{session:p,user:i.user})}return e.json(i.user)}),br=R("/set-password",{method:"POST",body:S.z.object({newPassword:S.z.string()}),metadata:{SERVER_ONLY:!0},use:[B]},async e=>{let{newPassword:t}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new O.APIError("BAD_REQUEST",{message:b.PASSWORD_TOO_SHORT});let i=e.context.password.config.maxPasswordLength;if(t.length>i)throw e.context.logger.error("Password is too long"),new O.APIError("BAD_REQUEST",{message:b.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(c=>c.providerId==="credential"&&c.password),u=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:u}),e.json(r.user);throw new O.APIError("BAD_REQUEST",{message:"user already has a password"})}),kr=R("/delete-user",{method:"POST",use:[Ht],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new O.APIError("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let i=hr(32,yr("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${i}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let o=`${e.context.baseURL}/delete-user/callback?token=${i}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:o,token:i},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),q(e);let n=e.context.options.user.deleteUser?.afterDelete;return n&&await n(t.user,e.request),e.json({success:!0,message:"User deleted"})}),Rr=R("/delete-user/callback",{method:"GET",query:S.z.object({token:S.z.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new O.APIError("NOT_FOUND");let t=await J(e);if(!t)throw new O.APIError("NOT_FOUND",{message:b.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new O.APIError("NOT_FOUND",{message:b.INVALID_TOKEN});if(r.value!==t.user.id)throw new O.APIError("NOT_FOUND",{message:b.INVALID_TOKEN});let n=e.context.options.user.deleteUser?.beforeDelete;n&&await n(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),q(e);let i=e.context.options.user.deleteUser?.afterDelete;return i&&await i(t.user,e.request),e.json({success:!0,message:"User deleted"})}),Er=R("/change-email",{method:"POST",query:S.z.object({currentURL:S.z.string().optional()}).optional(),body:S.z.object({newEmail:S.z.string({description:"The new email to set"}).email(),callbackURL:S.z.string({description:"The URL to redirect to after email verification"}).optional()}),use:[B],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new O.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new O.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new O.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let i=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:i,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new O.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await H(e.context.secret,e.context.session.user.email,e.body.newEmail),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:n,token:r},e.request),e.json({user:null,status:!0})});var wn=(e="Unknown")=>`<!DOCTYPE html>
2
+ `,`Current list of trustedOrigins: ${c}`),new st.APIError("FORBIDDEN",{message:`Invalid ${l}`})};s&&!e.context.options.advanced?.disableCSRFCheck&&p(i,"origin"),o&&p(o,"callbackURL"),a&&p(a,"redirectURL"),u&&p(u,"currentURL")});var _=require("better-call"),U=require("zod");var dt=require("oslo"),ct=require("oslo/encoding");var ye=require("oslo/crypto");function Ce(e,t){let r=new Uint8Array(e),n=new Uint8Array(t);if(r.length!==n.length)return!1;let i=0;for(let o=0;o<r.length;o++)i|=r[o]^n[o];return i===0}async function Xr({value:e,secret:t}){return new ye.HMAC("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(n=>Buffer.from(n).toString("base64"))}function en({value:e,signature:t,secret:r}){return new ye.HMAC("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var we={sign:Xr,verify:en};var F=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));function tn(e){let t=new Map;return e.split(", ").forEach(n=>{let i=n.split(";").map(p=>p.trim()),[o,...a]=i,[u,...c]=o.split("="),s=c.join("=");if(!u||s===void 0)return;let d={value:s};a.forEach(p=>{let[m,...l]=p.split("="),f=l.join("="),g=m.trim().toLowerCase();switch(g){case"max-age":d["max-age"]=f?parseInt(f.trim(),10):void 0;break;case"expires":d.expires=f?new Date(f.trim()):void 0;break;case"domain":d.domain=f?f.trim():void 0;break;case"path":d.path=f?f.trim():void 0;break;case"secure":d.secure=!0;break;case"httponly":d.httponly=!0;break;case"samesite":d.samesite=f?f.trim().toLowerCase():void 0;break;default:d[g]=f?f.trim():!0;break}}),t.set(u,d)}),t}function Ae(e){let r=(e.advanced?.useSecureCookies!==void 0?e.advanced?.useSecureCookies:e.baseURL!==void 0?!!e.baseURL.startsWith("https://"):ae)?"__Secure-":"",n=!!e.advanced?.crossSubDomainCookies?.enabled,i=n?e.advanced?.crossSubDomainCookies?.domain||(e.baseURL?new URL(e.baseURL).hostname:void 0):void 0;if(n&&!i)throw new D("baseURL is required when crossSubdomainCookies are enabled");function o(a,u={}){let c=e.advanced?.cookiePrefix||"better-auth",s=e.advanced?.cookies?.[a]?.name||`${c}.${a}`,d=e.advanced?.cookies?.[a]?.attributes;return{name:`${r}${s}`,attributes:{secure:!!r,sameSite:"lax",path:"/",httpOnly:!0,...n?{domain:i}:{},...e.advanced?.defaultCookieAttributes,...u,...d}}}return o}function Ne(e){let t=Ae(e),r=e.session?.expiresIn||new dt.TimeSpan(7,"d").seconds(),n=t("session_token",{maxAge:r}),i=t("session_data",{maxAge:e.session?.cookieCache?.maxAge||60*5}),o=t("dont_remember");return{sessionToken:{name:n.name,options:n.attributes},sessionData:{name:i.name,options:i.attributes},dontRememberToken:{name:o.name,options:o.attributes}}}async function I(e,t,r,n){let i=e.context.authCookies.sessionToken.options,o=r?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...i,maxAge:o,...n}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(ct.base64url.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:F(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await we.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function q(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}function rn(e){let t=e.split("; "),r=new Map;return t.forEach(n=>{let[i,o]=n.split("=");r.set(i,o)}),r}var gt=require("@better-fetch/fetch"),ht=require("better-call"),X=require("jose"),yt=require("oslo/jwt");var ut=require("oslo/crypto"),lt=require("oslo/encoding");async function pt(e){let t=await(0,ut.sha256)(new TextEncoder().encode(e));return lt.base64url.encode(new Uint8Array(t),{includePadding:!1})}function ft(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?F(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function x({id:e,options:t,authorizationEndpoint:r,state:n,codeVerifier:i,scopes:o,claims:a,redirectURI:u}){let c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",n),c.searchParams.set("scope",o.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||u),i){let s=await pt(i);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",s)}if(a){let s=a.reduce((d,p)=>(d[p]=null,d),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...s}}))}return c}var mt=require("@better-fetch/fetch");async function T({code:e,codeVerifier:t,redirectURI:r,options:n,tokenEndpoint:i,authentication:o}){let a=new URLSearchParams,u={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(a.set("grant_type","authorization_code"),a.set("code",e),t&&a.set("code_verifier",t),a.set("redirect_uri",r),o==="basic"){let p=btoa(`${n.clientId}:${n.clientSecret}`);u.authorization=`Basic ${p}`}else a.set("client_id",n.clientId),a.set("client_secret",n.clientSecret);let{data:c,error:s}=await(0,mt.betterFetch)(i,{method:"POST",body:a,headers:u});if(s)throw s;return ft(c)}var be=require("oslo/oauth2"),z=require("zod"),Be=require("better-call");async function ce(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?it(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new Be.APIError("BAD_REQUEST",{message:"callbackURL is required"});let n=(0,be.generateCodeVerifier)(),i=(0,be.generateState)(),o=JSON.stringify({callbackURL:r,codeVerifier:n,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let u=await e.context.internalAdapter.createVerificationValue({value:o,identifier:i,expiresAt:a});if(!u)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new Be.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:u.identifier,codeVerifier:n}}async function Ve(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let n=z.z.object({callbackURL:z.z.string(),codeVerifier:z.z.string(),errorURL:z.z.string().optional(),expiresAt:z.z.number(),link:z.z.object({email:z.z.string(),userId:z.z.string()}).optional()}).parse(JSON.parse(r.value));if(n.errorURL||(n.errorURL=`${e.context.baseURL}/error`),n.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),n}var wt=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:n,redirectURI:i}){let o=n||["email","name"];return e.scope&&o.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${i||e.redirectURI}&scope=${o.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:i})=>T({code:r,codeVerifier:n,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async verifyIdToken(r,n){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,n);let i=(0,X.decodeProtectedHeader)(r),{kid:o,alg:a}=i;if(!o||!a)return!1;let u=await nn(o),{payload:c}=await(0,X.jwtVerify)(r,u,{algorithms:[a],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(s=>{c[s]!==void 0&&(c[s]=!!c[s])}),n&&c.nonce!==n?!1:!!c},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let n=(0,yt.parseJWT)(r.idToken)?.payload;if(!n)return null;let i=n.user?`${n.user.name.firstName} ${n.user.name.lastName}`:n.email,o=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:i,emailVerified:!1,email:n.email,...o},data:n}}}},nn=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:n}=await(0,gt.betterFetch)(`${t}${r}`);if(!n?.keys)throw new ht.APIError("BAD_REQUEST",{message:"Keys not found"});let i=n.keys.find(o=>o.kid===e);if(!i)throw new Error(`JWK with kid ${e} not found`);return await(0,X.importJWK)(i,i.alg)};var At=require("@better-fetch/fetch");var bt=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let i=r||["identify","email"];return e.scope&&i.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${i.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||n)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,At.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(n)return null;if(r.avatar===null){let o=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${o}.png`}else{let o=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${o}`}let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...i},data:r}}});var kt=require("@better-fetch/fetch");var Rt=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let i=r||["email","public_profile"];return e.scope&&i.push(...e.scope),await x({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:i,state:t,redirectURI:n})},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,kt.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(n)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...i},data:r}}});var Fe=require("@better-fetch/fetch");var Et=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:n,codeVerifier:i,redirectURI:o}){let a=n||["user:email"];return e.scope&&a.push(...e.scope),x({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:r,redirectURI:o})},validateAuthorizationCode:async({code:r,redirectURI:n})=>T({code:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:i}=await(0,Fe.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(i)return null;let o=!1;if(!n.email){let{data:u,error:c}=await(0,Fe.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});c||(n.email=(u.find(s=>s.primary)??u[0])?.email,o=u.find(s=>s.email===n.email)?.verified??!1)}let a=await e.mapProfileToUser?.(n);return{user:{id:n.id.toString(),name:n.name||n.login,email:n.email,image:n.avatar_url,emailVerified:o,...a},data:n}}}};var xt=require("oslo/jwt");var Tt=require("consola"),ke=["info","success","warn","error","debug"];function Ut(e,t){return ke.indexOf(t)<=ke.indexOf(e)}var on=(0,Tt.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),ue=e=>{let t=e?.disabled!==!0,r=e?.level??"error",n=(i,o,a=[])=>{if(!(!t||!Ut(r,i))){if(!e||typeof e.log!="function"){on[i]("",o,...a);return}e.log(i==="success"?"info":i,o,a)}};return Object.fromEntries(ke.map(i=>[i,(...[o,...a])=>n(i,o,a)]))},P=ue();var Ot=require("@better-fetch/fetch"),vt=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:i}){if(!e.clientId||!e.clientSecret)throw P.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new D("CLIENT_ID_AND_SECRET_REQUIRED");if(!n)throw new D("codeVerifier is required for Google");let o=r||["email","profile","openid"];e.scope&&o.push(...e.scope);let a=await x({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:o,state:t,codeVerifier:n,redirectURI:i});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let n=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:i}=await(0,Ot.betterFetch)(n);return i?i.aud===e.clientId&&i.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=(0,xt.parseJWT)(t.idToken)?.payload,n=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...n},data:r}}});var St=require("@better-fetch/fetch"),_t=require("oslo/jwt");var It=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,n=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(i){let o=i.scopes||["openid","profile","email","User.Read"];return e.scope&&o.push(...e.scope),x({id:"microsoft",options:e,authorizationEndpoint:r,state:i.state,codeVerifier:i.codeVerifier,scopes:o,redirectURI:i.redirectURI})},validateAuthorizationCode({code:i,codeVerifier:o,redirectURI:a}){return T({code:i,codeVerifier:o,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:n})},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let o=(0,_t.parseJWT)(i.idToken)?.payload,a=e.profilePhotoSize||48;await(0,St.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${i.accessToken}`},async onResponse(c){if(!(e.disableProfilePhoto||!c.response.ok))try{let d=await c.response.clone().arrayBuffer(),p=Buffer.from(d).toString("base64");o.picture=`data:image/jpeg;base64, ${p}`}catch(s){P.error(s&&typeof s=="object"&&"name"in s?s.name:"",s)}}});let u=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.name,email:o.email,image:o.picture,emailVerified:!0,...u},data:o}}}};var Pt=require("@better-fetch/fetch");var Lt=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:i}){let o=r||["user-read-email"];return e.scope&&o.push(...e.scope),x({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:o,state:t,codeVerifier:n,redirectURI:i})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,Pt.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...i},data:r}}});function sn(e){return e.charAt(0).toUpperCase()+e.slice(1)}var Q={isAction:!1};var Dt=require("nanoid"),j=e=>(0,Dt.nanoid)(e);var Ct=require("oslo/jwt");var Nt=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let i=r||["user:read:email","openid"];return e.scope&&i.push(...e.scope),x({id:"twitch",redirectURI:n,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:i,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return P.error("No idToken found in token"),null;let n=(0,Ct.parseJWT)(r)?.payload,i=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.preferred_username,email:n.email,image:n.picture,emailVerified:!1,...i},data:n}}});var Bt=require("@better-fetch/fetch");var Vt=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),x({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,Bt.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...i},data:r}}});var Ft=require("@better-fetch/fetch");var qt=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:n,codeVerifier:i,redirectURI:o})=>{let a=n||["account_info.read"];return e.scope&&a.push(...e.scope),await x({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:r,redirectURI:o,codeVerifier:i})},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:i})=>await T({code:r,codeVerifier:n,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:i}=await(0,Ft.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(i)return null;let o=await e.mapProfileToUser?.(n);return{user:{id:n.account_id,name:n.name?.display_name,email:n.email,emailVerified:n.email_verified||!1,image:n.profile_photo_url,...o},data:n}}}};var jt=require("@better-fetch/fetch");var $t=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:n,scopes:i,redirectURI:o})=>{let a=i||["profile","email","openid"];return e.scope&&a.push(...e.scope),await x({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:n,redirectURI:o})},validateAuthorizationCode:async({code:n,redirectURI:i})=>await T({code:n,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async getUserInfo(n){let{data:i,error:o}=await(0,jt.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${n.accessToken}`}});if(o)return null;let a=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,emailVerified:i.email_verified||!1,image:i.picture,...a},data:i}}}};var Mt=require("@better-fetch/fetch");var qe=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),an=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:qe(`${t}/oauth/authorize`),tokenEndpoint:qe(`${t}/oauth/token`),userinfoEndpoint:qe(`${t}/api/v4/user`)}},zt=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:n}=an(e.issuer),i="gitlab";return{id:i,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:u,codeVerifier:c,redirectURI:s})=>{let d=u||["read_user"];return e.scope&&d.push(...e.scope),await x({id:i,options:e,authorizationEndpoint:t,scopes:d,state:a,redirectURI:s,codeVerifier:c})},validateAuthorizationCode:async({code:a,redirectURI:u,codeVerifier:c})=>T({code:a,redirectURI:e.redirectURI||u,options:e,codeVerifier:c,tokenEndpoint:r}),async getUserInfo(a){if(e.getUserInfo)return e.getUserInfo(a);let{data:u,error:c}=await(0,Mt.betterFetch)(n,{headers:{authorization:`Bearer ${a.accessToken}`}});if(c||u.state!=="active"||u.locked)return null;let s=await e.mapProfileToUser?.(u);return{user:{id:u.id.toString(),name:u.name??u.username,email:u.email,image:u.avatar_url,emailVerified:!0,...s},data:u}}}};var je={apple:wt,discord:bt,facebook:Rt,github:Et,microsoft:It,google:vt,spotify:Lt,twitch:Nt,twitter:Vt,dropbox:qt,linkedin:$t,gitlab:zt},Re=Object.keys(je);var Qt=require("oslo"),Ee=require("oslo/jwt"),V=require("zod");var te=require("better-call");var $=require("better-call");var K=require("zod");function ee(e){try{return JSON.parse(e)}catch{return null}}var b={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var $e=()=>R("/get-session",{method:"GET",query:K.z.optional(K.z.object({disableCookieCache:K.z.boolean({description:"Disable cookie cache and fetch session from database"}).or(K.z.string().transform(e=>e==="true")).optional(),disableRefresh:K.z.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),n=r?ee(Buffer.from(r,"base64").toString()):null;if(n&&!await we.verify({value:JSON.stringify(n.session),signature:n?.signature,secret:e.context.secret}))return q(e),e.json(null);let i=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(n?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let d=n.session;if(n.expiresAt<Date.now()||d.session.expiresAt<new Date){let m=e.context.authCookies.sessionData.name;e.setCookie(m,"",{maxAge:0})}else return e.json(d)}let o=await e.context.internalAdapter.findSession(t);if(e.context.session=o,!o||o.session.expiresAt<new Date)return q(e),o&&await e.context.internalAdapter.deleteSession(o.session.token),e.json(null);if(i||e.query?.disableRefresh)return e.json(o);let a=e.context.sessionConfig.expiresIn,u=e.context.sessionConfig.updateAge;if(o.session.expiresAt.valueOf()-a*1e3+u*1e3<=Date.now()){let d=await e.context.internalAdapter.updateSession(o.session.token,{expiresAt:F(e.context.sessionConfig.expiresIn,"sec")});if(!d)return q(e),e.json(null,{status:401});let p=(d.expiresAt.valueOf()-Date.now())/1e3;return await I(e,{session:d,user:o.user},!1,{maxAge:p}),e.json({session:d,user:o.user})}return e.json(o)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new $.APIError("INTERNAL_SERVER_ERROR",{message:b.FAILED_TO_GET_SESSION})}}),J=async(e,t)=>{if(e.context.session)return e.context.session;let r=await $e()({...e,_flag:"json",headers:e.headers,query:t}).catch(n=>null);return e.context.session=r,r},B=oe(async e=>{let t=await J(e);if(!t?.session)throw new $.APIError("UNAUTHORIZED");return{session:t}}),Ht=oe(async e=>{let t=await J(e);if(!t?.session)throw new $.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,n=t.session.createdAt.valueOf(),i=Date.now();if(!(n+r*1e3>i))throw new $.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:t}}),Gt=()=>R("/list-sessions",{method:"GET",use:[B],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let r=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(n=>n.expiresAt>new Date);return e.json(r)}),Wt=R("/revoke-session",{method:"POST",body:K.z.object({token:K.z.string({description:"The token to revoke"})}),use:[B],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new $.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new $.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(n){throw e.context.logger.error(n&&typeof n=="object"&&"name"in n?n.name:"",n),new $.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Kt=R("/revoke-sessions",{method:"POST",use:[B],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new $.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Zt=R("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[B],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new $.APIError("UNAUTHORIZED");let i=(await e.context.internalAdapter.listSessions(t.user.id)).filter(o=>o.expiresAt>new Date).filter(o=>o.token!==e.context.session.session.token);return await Promise.all(i.map(o=>e.context.internalAdapter.deleteSession(o.token))),e.json({status:!0})});async function H(e,t,r){return await(0,Ee.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Qt.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function dn(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new te.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await H(e.context.secret,t.email),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:n,token:r},e.request)}var Jt=R("/send-verification-email",{method:"POST",query:V.z.object({currentURL:V.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:V.z.object({email:V.z.string({description:"The email to send the verification email to"}).email(),callbackURL:V.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new te.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new te.APIError("BAD_REQUEST",{message:b.USER_NOT_FOUND});return await dn(e,r.user),e.json({status:!0})}),Yt=R("/verify-email",{method:"GET",query:V.z.object({token:V.z.string({description:"The token to verify the email"}),callbackURL:V.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(u){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${u}`):new te.APIError("UNAUTHORIZED",{message:u})}let{token:r}=e.query,n;try{n=await(0,Ee.validateJWT)("HS256",Buffer.from(e.context.secret),r)}catch(u){return e.context.logger.error("Failed to verify email",u),t("invalid_token")}let o=V.z.object({email:V.z.string().email(),updateTo:V.z.string().optional()}).parse(n.payload),a=await e.context.internalAdapter.findUserByEmail(o.email);if(!a)return t("user_not_found");if(o.updateTo){let u=await J(e);if(!u){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(u.user.email!==o.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let c=await e.context.internalAdapter.updateUserByEmail(o.email,{email:o.updateTo,emailVerified:!1});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:c,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:c,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(o.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await J(e)){let c=await e.context.internalAdapter.createSession(a.user.id,e.request);if(!c)throw new te.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await I(e,{session:c,user:a.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function Te(e,{userInfo:t,account:r,callbackURL:n}){let i=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(u=>{throw P.error(`Better auth was unable to query your database.
3
+ Error: `,u),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),o=i?.user;if(i){let u=i.accounts.find(c=>c.providerId===r.providerId);if(u){let c=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([s,d])=>d!==void 0));Object.keys(c).length>0&&await e.context.internalAdapter.updateAccount(u.id,c)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return rt&&P.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:i.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(d){return P.error("Unable to link account",d),{error:"unable to link account",data:null}}o=await e.context.internalAdapter.updateUser(i.user.id,{...t,updatedAt:new Date})}}else if(o=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(u=>u?.user),!t.emailVerified&&o&&e.context.options.emailVerification?.sendOnSignUp){let u=await H(e.context.secret,o.email),c=`${e.context.baseURL}/verify-email?token=${u}&callbackURL=${n}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:o,url:c,token:u},e.request)}if(!o)return{error:"unable to create user",data:null};let a=await e.context.internalAdapter.createSession(o.id,e.request);return a?{data:{session:a,user:o},error:null}:{error:"unable to create session",data:null}}var Xt=R("/sign-in/social",{method:"POST",query:U.z.object({currentURL:U.z.string().optional()}).optional(),body:U.z.object({callbackURL:U.z.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:U.z.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:U.z.enum(Re,{description:"OAuth2 provider to use"}),disableRedirect:U.z.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:U.z.optional(U.z.object({token:U.z.string({description:"ID token from the provider"}),nonce:U.z.string({description:"Nonce used to generate the token"}).optional(),accessToken:U.z.string({description:"Access token from the provider"}).optional(),refreshToken:U.z.string({description:"Refresh token from the provider"}).optional(),expiresAt:U.z.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(o=>o.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new _.APIError("NOT_FOUND",{message:b.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new _.APIError("NOT_FOUND",{message:b.ID_TOKEN_NOT_SUPPORTED});let{token:o,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(o,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new _.APIError("UNAUTHORIZED",{message:b.INVALID_TOKEN});let c=await t.getUserInfo({idToken:o,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!c||!c?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new _.APIError("UNAUTHORIZED",{message:b.FAILED_TO_GET_USER_INFO});if(!c.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new _.APIError("UNAUTHORIZED",{message:b.USER_EMAIL_NOT_FOUND});let s=await Te(e,{userInfo:{email:c.user.email,id:c.user.id,name:c.user.name||"",image:c.user.image,emailVerified:c.user.emailVerified||!1},account:{providerId:t.id,accountId:c.user.id,accessToken:e.body.idToken.accessToken}});if(s.error)throw new _.APIError("UNAUTHORIZED",{message:s.error});return await I(e,s.data),e.json({session:s.data.session,user:s.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:n}=await ce(e),i=await t.createAuthorizationURL({state:n,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:i.toString(),redirect:!e.body.disableRedirect})}),er=R("/sign-in/email",{method:"POST",body:U.z.object({email:U.z.string({description:"Email of the user"}),password:U.z.string({description:"Password of the user"}),callbackURL:U.z.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:U.z.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new _.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!U.z.string().email().safeParse(t).success)throw new _.APIError("BAD_REQUEST",{message:b.INVALID_EMAIL});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new _.APIError("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});let o=i.accounts.find(s=>s.providerId==="credential");if(!o)throw e.context.logger.error("Credential account not found",{email:t}),new _.APIError("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});let a=o?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new _.APIError("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:a,password:r}))throw e.context.logger.error("Invalid password"),new _.APIError("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new _.APIError("UNAUTHORIZED",{message:b.EMAIL_NOT_VERIFIED});let s=await H(e.context.secret,i.user.email),d=`${e.context.baseURL}/verify-email?token=${s}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:d,token:s},e.request),e.context.logger.error("Email not verified",{email:t}),new _.APIError("FORBIDDEN",{message:b.EMAIL_NOT_VERIFIED})}let c=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.rememberMe===!1);if(!c)throw e.context.logger.error("Failed to create session"),new _.APIError("UNAUTHORIZED",{message:b.FAILED_TO_CREATE_SESSION});return await I(e,{session:c,user:i.user},e.body.rememberMe===!1),e.json({user:{id:i.user.id,email:i.user.email,name:i.user.name,image:i.user.image,emailVerified:i.user.emailVerified,createdAt:i.user.createdAt,updatedAt:i.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var re=require("zod");var Ue=re.z.object({code:re.z.string().optional(),error:re.z.string().optional(),errorMessage:re.z.string().optional(),state:re.z.string().optional()}),tr=R("/callback/:id",{method:["GET","POST"],body:Ue.optional(),query:Ue.optional(),metadata:Q},async e=>{let t;try{if(e.method==="GET")t=Ue.parse(e.query);else if(e.method==="POST")t=Ue.parse(e.body);else throw new Error("Unsupported method")}catch(h){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",h),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:n,state:i}=t;if(!i)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${n||"no_code"}`);let o=e.context.socialProviders.find(h=>h.id===e.params.id);if(!o)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:u,link:c,errorURL:s}=await Ve(e),d;try{d=await o.validateAuthorizationCode({code:r,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${o.id}`})}catch(h){throw e.context.logger.error("",h),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let p=await o.getUserInfo(d).then(h=>h?.user);function m(h){let w=s||u||`${e.context.baseURL}/error`;throw w.includes("?")?w=`${w}&error=${h}`:w=`${w}?error=${h}`,e.redirect(w)}if(!p)return e.context.logger.error("Unable to get user info"),m("unable_to_get_user_info");if(!p.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),m("email_not_found");if(!u)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(c){if(c.email!==p.email.toLowerCase())return m("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:c.userId,providerId:o.id,accountId:p.id}))return m("unable_to_link_account");let w;try{w=new URL(u).toString()}catch{w=u}throw e.redirect(w)}let l=await Te(e,{userInfo:{...p,email:p.email,name:p.name||p.email},account:{providerId:o.id,accountId:p.id,...d,scope:d.scopes?.join(",")},callbackURL:u});if(l.error)return e.context.logger.error(l.error.split(" ").join("_")),m(l.error.split(" ").join("_"));let{session:f,user:g}=l.data;await I(e,{session:f,user:g});let y;try{y=new URL(u).toString()}catch{y=u}throw e.redirect(y)});var ds=require("zod");var rr=require("better-call");var nr=R("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw q(e),new rr.APIError("BAD_REQUEST",{message:b.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),q(e),e.json({success:!0})});var C=require("zod");var xe=require("better-call");function ir(e,t,r){let n=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([i,o])=>n.searchParams.set(i,o)),n.href}function cn(e,t,r){let n=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([i,o])=>n.searchParams.set(i,o)),n.href}var or=R("/forget-password",{method:"POST",body:C.z.object({email:C.z.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:C.z.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new xe.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,n=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!n)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let i=60*60*1,o=F(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||i,"sec"),a=j(24);await e.context.internalAdapter.createVerificationValue({value:n.user.id.toString(),identifier:`reset-password:${a}`,expiresAt:o});let u=`${e.context.baseURL}/reset-password/${a}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:n.user,url:u,token:a},e.request),e.json({status:!0})}),sr=R("/reset-password/:token",{method:"GET",query:C.z.object({callbackURL:C.z.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(ir(e.context,r,{error:"INVALID_TOKEN"}));let n=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!n||n.expiresAt<new Date?e.redirect(ir(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(cn(e.context,r,{token:t}))}),ar=R("/reset-password",{query:C.z.optional(C.z.object({token:C.z.string().optional(),currentURL:C.z.string().optional()})),method:"POST",body:C.z.object({newPassword:C.z.string({description:"The new password to set"}),token:C.z.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new xe.APIError("BAD_REQUEST",{message:b.INVALID_TOKEN});let{newPassword:r}=e.body,n=`reset-password:${t}`,i=await e.context.internalAdapter.findVerificationValue(n);if(!i||i.expiresAt<new Date)throw new xe.APIError("BAD_REQUEST",{message:b.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(i.id);let o=i.value,a=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(o)).find(s=>s.providerId==="credential")?(await e.context.internalAdapter.updatePassword(o,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:o,providerId:"credential",password:a,accountId:o}),e.json({status:!0}))});var S=require("zod");var O=require("better-call");var k=require("zod"),dr=require("better-call"),As=k.z.object({id:k.z.string(),providerId:k.z.string(),accountId:k.z.string(),userId:k.z.string(),accessToken:k.z.string().nullish(),refreshToken:k.z.string().nullish(),idToken:k.z.string().nullish(),accessTokenExpiresAt:k.z.date().nullish(),refreshTokenExpiresAt:k.z.date().nullish(),scope:k.z.string().nullish(),password:k.z.string().nullish(),createdAt:k.z.date().default(()=>new Date),updatedAt:k.z.date().default(()=>new Date)}),bs=k.z.object({id:k.z.string(),email:k.z.string().transform(e=>e.toLowerCase()),emailVerified:k.z.boolean().default(!1),name:k.z.string(),image:k.z.string().nullish(),createdAt:k.z.date().default(()=>new Date),updatedAt:k.z.date().default(()=>new Date)}),ks=k.z.object({id:k.z.string(),userId:k.z.string(),expiresAt:k.z.date(),createdAt:k.z.date().default(()=>new Date),updatedAt:k.z.date().default(()=>new Date),token:k.z.string(),ipAddress:k.z.string().nullish(),userAgent:k.z.string().nullish()}),Rs=k.z.object({id:k.z.string(),value:k.z.string(),createdAt:k.z.date().default(()=>new Date),updatedAt:k.z.date().default(()=>new Date),expiresAt:k.z.date(),identifier:k.z.string()});function cr(e,t){let r=t.fields,n={};for(let i in e){let o=r[i];if(!o){n[i]=e[i];continue}o.returned!==!1&&(n[i]=e[i])}return n}function Me(e,t){let r={...t==="user"?e.user?.additionalFields:{},...t==="session"?e.session?.additionalFields:{}};for(let n of e.plugins||[])n.schema&&n.schema[t]&&(r={...r,...n.schema[t].fields});return r}function ze(e,t){let r=Me(e,"user");return cr(t,{fields:r})}function Oe(e,t){let r=Me(e,"session");return cr(t,{fields:r})}function un(e,t){let r=t.action||"create",n=t.fields,i={};for(let o in n){if(o in e){if(n[o].input===!1){if(n[o].defaultValue){i[o]=n[o].defaultValue;continue}continue}if(n[o].validator?.input&&e[o]!==void 0){i[o]=n[o].validator.input.parse(e[o]);continue}i[o]=e[o];continue}if(n[o].defaultValue&&r==="create"){i[o]=n[o].defaultValue;continue}if(n[o].required&&r==="create")throw new dr.APIError("BAD_REQUEST",{message:`${o} is required`})}return i}function ve(e,t,r){let n=Me(e,"user");return un(t||{},{fields:n,action:r})}var mn=require("@noble/ciphers/chacha"),Ge=require("@noble/ciphers/utils"),gn=require("@noble/ciphers/webcrypto"),hn=require("oslo/crypto"),yn=Ie(require("uncrypto"),1);var le=require("oslo/encoding");var ur=require("@noble/hashes/scrypt"),lr=require("uncrypto"),ne={N:16384,r:16,p:1,dkLen:64};async function pr(e,t){return await(0,ur.scryptAsync)(e.normalize("NFKC"),t,{N:ne.N,p:ne.p,r:ne.r,dkLen:ne.dkLen,maxmem:128*ne.N*ne.r*2})}var fr=async e=>{let t=(0,le.encodeHex)((0,lr.getRandomValues)(new Uint8Array(16))),r=await pr(e,t);return`${t}:${(0,le.encodeHex)(r)}`},mr=async({hash:e,password:t})=>{let[r,n]=e.split(":"),i=await pr(t,r);return Ce(i,(0,le.decodeHex)(n))};var He=Ie(require("uncrypto"),1);function ln(e){return e.toString(2).padStart(8,"0")}function pn(e){return[...e].map(t=>ln(t)).join("")}function gr(e){return parseInt(pn(e),2)}function fn(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,n=new Uint8Array(Math.ceil(t/8));He.default.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1);let i=gr(n);for(;i>=e;)He.default.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1),i=gr(n);return i}function hr(e,t){let r="";for(let n=0;n<e;n++)r+=t[fn(t.length)];return r}function yr(...e){let t=new Set(e),r="";for(let n of t)n==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":n==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":n==="0-9"?r+="0123456789":r+=n;return r}var wr=()=>R("/update-user",{method:"POST",body:S.z.record(S.z.string(),S.z.any()),use:[B],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new O.APIError("BAD_REQUEST",{message:b.EMAIL_CAN_NOT_BE_UPDATED});let{name:r,image:n,...i}=t,o=e.context.session;if(n===void 0&&r===void 0&&Object.keys(i).length===0)return e.json({id:o.user.id,email:o.user.email,name:o.user.name,image:o.user.image,emailVerified:o.user.emailVerified,createdAt:o.user.createdAt,updatedAt:o.user.updatedAt});let a=ve(e.context.options,i,"update"),u=await e.context.internalAdapter.updateUserByEmail(o.user.email,{name:r,image:n,...a});return await I(e,{session:o.session,user:u}),e.json({id:u.id,email:u.email,name:u.name,image:u.image,emailVerified:u.emailVerified,createdAt:u.createdAt,updatedAt:u.updatedAt})}),Ar=R("/change-password",{method:"POST",body:S.z.object({newPassword:S.z.string({description:"The new password to set"}),currentPassword:S.z.string({description:"The current password"}),revokeOtherSessions:S.z.boolean({description:"Revoke all other sessions"}).optional()}),use:[B],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:n}=e.body,i=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new O.APIError("BAD_REQUEST",{message:b.PASSWORD_TOO_SHORT});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new O.APIError("BAD_REQUEST",{message:b.PASSWORD_TOO_LONG});let c=(await e.context.internalAdapter.findAccounts(i.user.id)).find(p=>p.providerId==="credential"&&p.password);if(!c||!c.password)throw new O.APIError("BAD_REQUEST",{message:b.CREDENTIAL_ACCOUNT_NOT_FOUND});let s=await e.context.password.hash(t);if(!await e.context.password.verify({hash:c.password,password:r}))throw new O.APIError("BAD_REQUEST",{message:b.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(c.id,{password:s}),n){await e.context.internalAdapter.deleteSessions(i.user.id);let p=await e.context.internalAdapter.createSession(i.user.id,e.headers);if(!p)throw new O.APIError("INTERNAL_SERVER_ERROR",{message:b.FAILED_TO_GET_SESSION});await I(e,{session:p,user:i.user})}return e.json(i.user)}),br=R("/set-password",{method:"POST",body:S.z.object({newPassword:S.z.string()}),metadata:{SERVER_ONLY:!0},use:[B]},async e=>{let{newPassword:t}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new O.APIError("BAD_REQUEST",{message:b.PASSWORD_TOO_SHORT});let i=e.context.password.config.maxPasswordLength;if(t.length>i)throw e.context.logger.error("Password is too long"),new O.APIError("BAD_REQUEST",{message:b.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(c=>c.providerId==="credential"&&c.password),u=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:u}),e.json(r.user);throw new O.APIError("BAD_REQUEST",{message:"user already has a password"})}),kr=R("/delete-user",{method:"POST",use:[Ht],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new O.APIError("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let i=hr(32,yr("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${i}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let o=`${e.context.baseURL}/delete-user/callback?token=${i}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:o,token:i},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),q(e);let n=e.context.options.user.deleteUser?.afterDelete;return n&&await n(t.user,e.request),e.json({success:!0,message:"User deleted"})}),Rr=R("/delete-user/callback",{method:"GET",query:S.z.object({token:S.z.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new O.APIError("NOT_FOUND");let t=await J(e);if(!t)throw new O.APIError("NOT_FOUND",{message:b.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new O.APIError("NOT_FOUND",{message:b.INVALID_TOKEN});if(r.value!==t.user.id)throw new O.APIError("NOT_FOUND",{message:b.INVALID_TOKEN});let n=e.context.options.user.deleteUser?.beforeDelete;n&&await n(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),q(e);let i=e.context.options.user.deleteUser?.afterDelete;return i&&await i(t.user,e.request),e.json({success:!0,message:"User deleted"})}),Er=R("/change-email",{method:"POST",query:S.z.object({currentURL:S.z.string().optional()}).optional(),body:S.z.object({newEmail:S.z.string({description:"The new email to set"}).email(),callbackURL:S.z.string({description:"The URL to redirect to after email verification"}).optional()}),use:[B],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new O.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new O.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new O.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let i=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:i,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new O.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await H(e.context.secret,e.context.session.user.email,e.body.newEmail),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:n,token:r},e.request),e.json({user:null,status:!0})});var wn=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>
6
6
  <meta charset="UTF-8">