better-auth 1.0.13 → 1.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/dist/api.cjs +2 -2
  2. package/dist/api.js +2 -2
  3. package/dist/cookies.cjs +1 -1
  4. package/dist/cookies.js +1 -1
  5. package/dist/index.cjs +2 -2
  6. package/dist/index.js +2 -2
  7. package/dist/next-js.cjs +1 -1
  8. package/dist/next-js.js +1 -1
  9. package/dist/plugins.cjs +2 -2
  10. package/dist/plugins.js +2 -2
  11. package/package.json +4 -1
package/dist/index.js CHANGED
@@ -1,6 +1,6 @@
1
1
  import{APIError as K,createRouter as mn,getCookie as gn,getSignedCookie as hn,setCookie as yn,setSignedCookie as wn}from"better-call";import{APIError as pr}from"better-call";import{createEndpointCreator as sr,createMiddleware as De,createMiddlewareCreator as ar}from"better-call";var Ce=De(async()=>({})),X=ar({use:[Ce,De(async()=>({}))]}),R=sr({use:[Ce]});function Ae(e){return e==="-"||e==="^"||e==="$"||e==="+"||e==="."||e==="("||e===")"||e==="|"||e==="["||e==="]"||e==="{"||e==="}"||e==="*"||e==="?"||e==="\\"?`\\${e}`:e}function dr(e){let t="";for(let r=0;r<e.length;r++)t+=Ae(e[r]);return t}function Ne(e,t=!0){if(Array.isArray(e))return`(?:${e.map(d=>`^${Ne(d,t)}$`).join("|")})`;let r="",n="",o=".";t===!0?(r="/",n="[/\\\\]",o="[^/\\\\]"):t&&(r=t,n=dr(r),n.length>1?(n=`(?:${n})`,o=`((?!${n}).)`):o=`[^${n}]`);let i=t?`${n}+?`:"",a=t?`${n}*?`:"",u=t?e.split(r):[e],c="";for(let s=0;s<u.length;s++){let d=u[s],p=u[s+1],m="";if(!(!d&&s>0)){if(t&&(s===u.length-1?m=a:p!=="**"?m=i:m=""),t&&d==="**"){m&&(c+=s===0?"":m,c+=`(?:${o}*?${m})*?`);continue}for(let l=0;l<d.length;l++){let f=d[l];f==="\\"?l<d.length-1&&(c+=Ae(d[l+1]),l++):f==="?"?c+=o:f==="*"?c+=`${o}*?`:c+=Ae(f)}c+=m}}return c}function cr(e,t){if(typeof t!="string")throw new TypeError(`Sample must be a string, but ${typeof t} given`);return e.test(t)}function se(e,t){if(typeof e!="string"&&!Array.isArray(e))throw new TypeError(`The first argument must be a single pattern string or an array of patterns, but ${typeof e} given`);if((typeof t=="string"||typeof t=="boolean")&&(t={separator:t}),arguments.length===2&&!(typeof t>"u"||typeof t=="object"&&t!==null&&!Array.isArray(t)))throw new TypeError(`The second argument must be an options object or a string/boolean separator, but ${typeof t} given`);if(t=t||{},t.separator==="\\")throw new Error("\\ is not a valid separator because it is used for escaping. Try setting the separator to `true` instead");let r=Ne(e,t.separator),n=new RegExp(`^${r}$`,t.flags),o=cr.bind(null,n);return o.options=t,o.pattern=e,o.regexp=n,o}var ae=Object.create(null),ee=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?ae:globalThis),P=new Proxy(ae,{get(e,t){return ee()[t]??ae[t]},has(e,t){let r=ee();return t in r||t in ae},set(e,t,r){let n=ee(!0);return n[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=ee(!0);return delete r[t],!0},ownKeys(){let e=ee(!0);return Object.keys(e)}});function ur(e){return e?e!=="false":!1}var de=typeof process<"u"&&process.env&&process.env.NODE_ENV||"",te=de==="production",Be=de==="dev"||de==="development",Ve=de==="test"||ur(P.TEST);var D=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r,this.stack=""}},Fe=class extends D{constructor(t){super(`The package "${t}" is required. Make sure it is installed.`,t)}};function lr(e){try{return new URL(e).pathname!=="/"}catch{throw new D(`Invalid base URL: ${e}. Please provide a valid base URL.`)}}function be(e,t="/api/auth"){return lr(e)?e:(t=t.startsWith("/")?t:`/${t}`,`${e}${t}`)}function re(e,t){if(e)return be(e,t);let r=P.BETTER_AUTH_URL||P.NEXT_PUBLIC_BETTER_AUTH_URL||P.PUBLIC_BETTER_AUTH_URL||P.NUXT_PUBLIC_BETTER_AUTH_URL||P.NUXT_PUBLIC_AUTH_URL||(P.BASE_URL!=="/"?P.BASE_URL:void 0);if(r)return be(r,t);if(typeof window<"u"&&window.location)return be(window.location.origin,t)}function qe(e){try{return new URL(e).origin}catch{return null}}function je(e){return e.includes("://")?new URL(e).host:e}var $e=X(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:n}=e,o=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL||r?.callbackURL,a=t?.redirectTo,u=r?.currentURL,c=n.trustedOrigins,s=e.headers?.has("cookie"),d=(m,l)=>m.startsWith("/")?!1:l.includes("*")?se(l)(je(m)):m.startsWith(l),p=(m,l)=>{if(!m)return;if(!c.some(g=>d(m,g)||m?.startsWith("/")&&l!=="origin"&&!m.includes(":")))throw e.context.logger.error(`Invalid ${l}: ${m}`),e.context.logger.info(`If it's a valid URL, please add ${m} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${c}`),new pr("FORBIDDEN",{message:`Invalid ${l}`})};s&&!e.context.options.advanced?.disableCSRFCheck&&p(o,"origin"),i&&p(i,"callbackURL"),a&&p(a,"redirectURL"),u&&p(u,"currentURL")});import{APIError as S}from"better-call";import{z as x}from"zod";import{TimeSpan as gr}from"oslo";import{base64url as hr}from"oslo/encoding";import{HMAC as Me,sha256 as $n}from"oslo/crypto";function ke(e,t){let r=new Uint8Array(e),n=new Uint8Array(t);if(r.length!==n.length)return!1;let o=0;for(let i=0;i<r.length;i++)o|=r[i]^n[i];return o===0}async function fr({value:e,secret:t}){return new Me("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(n=>Buffer.from(n).toString("base64"))}function mr({value:e,signature:t,secret:r}){return new Me("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var ce={sign:fr,verify:mr};var B=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));function Gn(e){let t=new Map;return e.split(", ").forEach(n=>{let o=n.split(";").map(p=>p.trim()),[i,...a]=o,[u,...c]=i.split("="),s=c.join("=");if(!u||s===void 0)return;let d={value:s};a.forEach(p=>{let[m,...l]=p.split("="),f=l.join("="),g=m.trim().toLowerCase();switch(g){case"max-age":d["max-age"]=f?parseInt(f.trim(),10):void 0;break;case"expires":d.expires=f?new Date(f.trim()):void 0;break;case"domain":d.domain=f?f.trim():void 0;break;case"path":d.path=f?f.trim():void 0;break;case"secure":d.secure=!0;break;case"httponly":d.httponly=!0;break;case"samesite":d.samesite=f?f.trim().toLowerCase():void 0;break;default:d[g]=f?f.trim():!0;break}}),t.set(u,d)}),t}function Re(e){let r=(e.advanced?.useSecureCookies!==void 0?e.advanced?.useSecureCookies:e.baseURL!==void 0?!!e.baseURL.startsWith("https://"):te)?"__Secure-":"",n=!!e.advanced?.crossSubDomainCookies?.enabled,o=n?e.advanced?.crossSubDomainCookies?.domain||(e.baseURL?new URL(e.baseURL).hostname:void 0):void 0;if(n&&!o)throw new D("baseURL is required when crossSubdomainCookies are enabled");function i(a,u={}){let c=e.advanced?.cookiePrefix||"better-auth",s=e.advanced?.cookies?.[a]?.name||`${c}.${a}`,d=e.advanced?.cookies?.[a]?.attributes;return{name:`${r}${s}`,attributes:{secure:!!r,sameSite:"lax",path:"/",httpOnly:!0,...n?{domain:o}:{},...e.advanced?.defaultCookieAttributes,...u,...d}}}return i}function ze(e){let t=Re(e),r=e.session?.expiresIn||new gr(7,"d").seconds(),n=t("session_token",{maxAge:r}),o=t("session_data",{maxAge:e.session?.cookieCache?.maxAge||60*5}),i=t("dont_remember");return{sessionToken:{name:n.name,options:n.attributes},sessionData:{name:o.name,options:o.attributes},dontRememberToken:{name:i.name,options:i.attributes}}}async function _(e,t,r,n){let o=e.context.authCookies.sessionToken.options,i=r?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...o,maxAge:i,...n}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(hr.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:B(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await ce.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function F(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}function ri(e){let t=e.split("; "),r=new Map;return t.forEach(n=>{let[o,i]=n.split("=");r.set(o,i)}),r}import{betterFetch as Rr}from"@better-fetch/fetch";import{APIError as Er}from"better-call";import{decodeProtectedHeader as Tr,importJWK as Ur,jwtVerify as xr}from"jose";import{parseJWT as Or}from"oslo/jwt";import{sha256 as yr}from"oslo/crypto";import{base64url as wr}from"oslo/encoding";async function He(e){let t=await yr(new TextEncoder().encode(e));return wr.encode(new Uint8Array(t),{includePadding:!1})}function Ge(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?B(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function U({id:e,options:t,authorizationEndpoint:r,state:n,codeVerifier:o,scopes:i,claims:a,redirectURI:u}){let c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",n),c.searchParams.set("scope",i.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||u),o){let s=await He(o);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",s)}if(a){let s=a.reduce((d,p)=>(d[p]=null,d),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...s}}))}return c}import{betterFetch as Ar}from"@better-fetch/fetch";async function T({code:e,codeVerifier:t,redirectURI:r,options:n,tokenEndpoint:o,authentication:i}){let a=new URLSearchParams,u={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(a.set("grant_type","authorization_code"),a.set("code",e),t&&a.set("code_verifier",t),a.set("redirect_uri",r),i==="basic"){let p=btoa(`${n.clientId}:${n.clientSecret}`);u.authorization=`Basic ${p}`}else a.set("client_id",n.clientId),a.set("client_secret",n.clientSecret);let{data:c,error:s}=await Ar(o,{method:"POST",body:a,headers:u});if(s)throw s;return Ge(c)}import{generateCodeVerifier as br,generateState as kr}from"oslo/oauth2";import{z as H}from"zod";import{APIError as We}from"better-call";async function ue(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?qe(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new We("BAD_REQUEST",{message:"callbackURL is required"});let n=br(),o=kr(),i=JSON.stringify({callbackURL:r,codeVerifier:n,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let u=await e.context.internalAdapter.createVerificationValue({value:i,identifier:o,expiresAt:a});if(!u)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new We("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:u.identifier,codeVerifier:n}}async function Ke(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let n=H.object({callbackURL:H.string(),codeVerifier:H.string(),errorURL:H.string().optional(),expiresAt:H.number(),link:H.object({email:H.string(),userId:H.string()}).optional()}).parse(JSON.parse(r.value));if(n.errorURL||(n.errorURL=`${e.context.baseURL}/error`),n.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),n}var Ze=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:n,redirectURI:o}){let i=n||["email","name"];return e.scope&&i.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${o||e.redirectURI}&scope=${i.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:o})=>T({code:r,codeVerifier:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async verifyIdToken(r,n){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,n);let o=Tr(r),{kid:i,alg:a}=o;if(!i||!a)return!1;let u=await vr(i),{payload:c}=await xr(r,u,{algorithms:[a],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(s=>{c[s]!==void 0&&(c[s]=!!c[s])}),n&&c.nonce!==n?!1:!!c},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let n=Or(r.idToken)?.payload;if(!n)return null;let o=n.user?`${n.user.name.firstName} ${n.user.name.lastName}`:n.email,i=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:o,emailVerified:!1,email:n.email,...i},data:n}}}},vr=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:n}=await Rr(`${t}${r}`);if(!n?.keys)throw new Er("BAD_REQUEST",{message:"Keys not found"});let o=n.keys.find(i=>i.kid===e);if(!o)throw new Error(`JWK with kid ${e} not found`);return await Ur(o,o.alg)};import{betterFetch as Sr}from"@better-fetch/fetch";var Qe=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["identify","email"];return e.scope&&o.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${o.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||n)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await Sr("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(n)return null;if(r.avatar===null){let i=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${i}.png`}else{let i=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${i}`}let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...o},data:r}}});import{betterFetch as _r}from"@better-fetch/fetch";var Je=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["email","public_profile"];return e.scope&&o.push(...e.scope),await U({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:o,state:t,redirectURI:n})},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await _r("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...o},data:r}}});import{betterFetch as Ye}from"@better-fetch/fetch";var Xe=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:n,codeVerifier:o,redirectURI:i}){let a=n||["user:email"];return e.scope&&a.push(...e.scope),U({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:r,redirectURI:i})},validateAuthorizationCode:async({code:r,redirectURI:n})=>T({code:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:o}=await Ye("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(o)return null;let i=!1;if(!n.email){let{data:u,error:c}=await Ye("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});c||(n.email=(u.find(s=>s.primary)??u[0])?.email,i=u.find(s=>s.email===n.email)?.verified??!1)}let a=await e.mapProfileToUser?.(n);return{user:{id:n.id.toString(),name:n.name||n.login,email:n.email,image:n.avatar_url,emailVerified:i,...a},data:n}}}};import{parseJWT as Dr}from"oslo/jwt";import{createConsola as Ir}from"consola";var Ee=["info","success","warn","error","debug"];function Pr(e,t){return Ee.indexOf(t)<=Ee.indexOf(e)}var Lr=Ir({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),le=e=>{let t=e?.disabled!==!0,r=e?.level??"error",n=(o,i,a=[])=>{if(!(!t||!Pr(r,o))){if(!e||typeof e.log!="function"){Lr[o]("",i,...a);return}e.log(o==="success"?"info":o,i,a)}};return Object.fromEntries(Ee.map(o=>[o,(...[i,...a])=>n(o,i,a)]))},I=le();import{betterFetch as Cr}from"@better-fetch/fetch";var et=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:o}){if(!e.clientId||!e.clientSecret)throw I.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new D("CLIENT_ID_AND_SECRET_REQUIRED");if(!n)throw new D("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let a=await U({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:n,redirectURI:o});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let n=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:o}=await Cr(n);return o?o.aud===e.clientId&&o.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=Dr(t.idToken)?.payload,n=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...n},data:r}}});import{betterFetch as Nr}from"@better-fetch/fetch";import{parseJWT as Br}from"oslo/jwt";var tt=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,n=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(o){let i=o.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),U({id:"microsoft",options:e,authorizationEndpoint:r,state:o.state,codeVerifier:o.codeVerifier,scopes:i,redirectURI:o.redirectURI})},validateAuthorizationCode({code:o,codeVerifier:i,redirectURI:a}){return T({code:o,codeVerifier:i,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:n})},async getUserInfo(o){if(e.getUserInfo)return e.getUserInfo(o);if(!o.idToken)return null;let i=Br(o.idToken)?.payload,a=e.profilePhotoSize||48;await Nr(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${o.accessToken}`},async onResponse(c){if(!(e.disableProfilePhoto||!c.response.ok))try{let d=await c.response.clone().arrayBuffer(),p=Buffer.from(d).toString("base64");i.picture=`data:image/jpeg;base64, ${p}`}catch(s){I.error(s&&typeof s=="object"&&"name"in s?s.name:"",s)}}});let u=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0,...u},data:i}}}};import{betterFetch as Vr}from"@better-fetch/fetch";var rt=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:o}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),U({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:n,redirectURI:o})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await Vr("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...o},data:r}}});function ro(e){return e.charAt(0).toUpperCase()+e.slice(1)}var Z={isAction:!1};import{nanoid as Fr}from"nanoid";var q=e=>Fr(e);import{parseJWT as qr}from"oslo/jwt";var nt=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["user:read:email","openid"];return e.scope&&o.push(...e.scope),U({id:"twitch",redirectURI:n,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:o,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return I.error("No idToken found in token"),null;let n=qr(r)?.payload,o=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.preferred_username,email:n.email,image:n.picture,emailVerified:!1,...o},data:n}}});import{betterFetch as jr}from"@better-fetch/fetch";var it=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),U({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await jr("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...o},data:r}}});import{betterFetch as $r}from"@better-fetch/fetch";var ot=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:n,codeVerifier:o,redirectURI:i})=>{let a=n||["account_info.read"];return e.scope&&a.push(...e.scope),await U({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:o})},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:o})=>await T({code:r,codeVerifier:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:o}=await $r("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(n);return{user:{id:n.account_id,name:n.name?.display_name,email:n.email,emailVerified:n.email_verified||!1,image:n.profile_photo_url,...i},data:n}}}};import{betterFetch as Mr}from"@better-fetch/fetch";var st=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:n,scopes:o,redirectURI:i})=>{let a=o||["profile","email","openid"];return e.scope&&a.push(...e.scope),await U({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:n,redirectURI:i})},validateAuthorizationCode:async({code:n,redirectURI:o})=>await T({code:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:r}),async getUserInfo(n){let{data:o,error:i}=await Mr("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${n.accessToken}`}});if(i)return null;let a=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.name,email:o.email,emailVerified:o.email_verified||!1,image:o.picture,...a},data:o}}}};import{betterFetch as zr}from"@better-fetch/fetch";var Te=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Hr=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:Te(`${t}/oauth/authorize`),tokenEndpoint:Te(`${t}/oauth/token`),userinfoEndpoint:Te(`${t}/api/v4/user`)}},at=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:n}=Hr(e.issuer),o="gitlab";return{id:o,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:u,codeVerifier:c,redirectURI:s})=>{let d=u||["read_user"];return e.scope&&d.push(...e.scope),await U({id:o,options:e,authorizationEndpoint:t,scopes:d,state:a,redirectURI:s,codeVerifier:c})},validateAuthorizationCode:async({code:a,redirectURI:u,codeVerifier:c})=>T({code:a,redirectURI:e.redirectURI||u,options:e,codeVerifier:c,tokenEndpoint:r}),async getUserInfo(a){if(e.getUserInfo)return e.getUserInfo(a);let{data:u,error:c}=await zr(n,{headers:{authorization:`Bearer ${a.accessToken}`}});if(c||u.state!=="active"||u.locked)return null;let s=await e.mapProfileToUser?.(u);return{user:{id:u.id.toString(),name:u.name??u.username,email:u.email,image:u.avatar_url,emailVerified:!0,...s},data:u}}}};var Ue={apple:Ze,discord:Qe,facebook:Je,github:Xe,microsoft:tt,google:et,spotify:rt,twitch:nt,twitter:it,dropbox:ot,linkedin:st,gitlab:at},pe=Object.keys(Ue);import{TimeSpan as Gr}from"oslo";import{createJWT as Wr,validateJWT as Kr}from"oslo/jwt";import{z as V}from"zod";import{APIError as ne}from"better-call";import{APIError as j}from"better-call";import{z as G}from"zod";function Q(e){try{return JSON.parse(e)}catch{return null}}var b={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var xe=()=>R("/get-session",{method:"GET",query:G.optional(G.object({disableCookieCache:G.boolean({description:"Disable cookie cache and fetch session from database"}).or(G.string().transform(e=>e==="true")).optional(),disableRefresh:G.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),n=r?Q(Buffer.from(r,"base64").toString()):null;if(n&&!await ce.verify({value:JSON.stringify(n.session),signature:n?.signature,secret:e.context.secret}))return F(e),e.json(null);let o=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(n?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let d=n.session;if(n.expiresAt<Date.now()||d.session.expiresAt<new Date){let m=e.context.authCookies.sessionData.name;e.setCookie(m,"",{maxAge:0})}else return e.json(d)}let i=await e.context.internalAdapter.findSession(t);if(e.context.session=i,!i||i.session.expiresAt<new Date)return F(e),i&&await e.context.internalAdapter.deleteSession(i.session.token),e.json(null);if(o||e.query?.disableRefresh)return e.json(i);let a=e.context.sessionConfig.expiresIn,u=e.context.sessionConfig.updateAge;if(i.session.expiresAt.valueOf()-a*1e3+u*1e3<=Date.now()){let d=await e.context.internalAdapter.updateSession(i.session.token,{expiresAt:B(e.context.sessionConfig.expiresIn,"sec")});if(!d)return F(e),e.json(null,{status:401});let p=(d.expiresAt.valueOf()-Date.now())/1e3;return await _(e,{session:d,user:i.user},!1,{maxAge:p}),e.json({session:d,user:i.user})}return e.json(i)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new j("INTERNAL_SERVER_ERROR",{message:b.FAILED_TO_GET_SESSION})}}),W=async(e,t)=>{if(e.context.session)return e.context.session;let r=await xe()({...e,_flag:"json",headers:e.headers,query:t}).catch(n=>null);return e.context.session=r,r},C=X(async e=>{let t=await W(e);if(!t?.session)throw new j("UNAUTHORIZED");return{session:t}}),dt=X(async e=>{let t=await W(e);if(!t?.session)throw new j("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,n=t.session.createdAt.valueOf(),o=Date.now();if(!(n+r*1e3>o))throw new j("FORBIDDEN",{message:"Session is not fresh"});return{session:t}}),ct=()=>R("/list-sessions",{method:"GET",use:[C],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let r=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(n=>n.expiresAt>new Date);return e.json(r)}),ut=R("/revoke-session",{method:"POST",body:G.object({token:G.string({description:"The token to revoke"})}),use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new j("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new j("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(n){throw e.context.logger.error(n&&typeof n=="object"&&"name"in n?n.name:"",n),new j("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),lt=R("/revoke-sessions",{method:"POST",use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new j("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),pt=R("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[C],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new j("UNAUTHORIZED");let o=(await e.context.internalAdapter.listSessions(t.user.id)).filter(i=>i.expiresAt>new Date).filter(i=>i.token!==e.context.session.session.token);return await Promise.all(o.map(i=>e.context.internalAdapter.deleteSession(i.token))),e.json({status:!0})});async function $(e,t,r){return await Wr("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Gr(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Zr(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new ne("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await $(e.context.secret,t.email),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:n,token:r},e.request)}var ft=R("/send-verification-email",{method:"POST",query:V.object({currentURL:V.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:V.object({email:V.string({description:"The email to send the verification email to"}).email(),callbackURL:V.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new ne("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new ne("BAD_REQUEST",{message:b.USER_NOT_FOUND});return await Zr(e,r.user),e.json({status:!0})}),mt=R("/verify-email",{method:"GET",query:V.object({token:V.string({description:"The token to verify the email"}),callbackURL:V.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(u){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${u}`):new ne("UNAUTHORIZED",{message:u})}let{token:r}=e.query,n;try{n=await Kr("HS256",Buffer.from(e.context.secret),r)}catch(u){return e.context.logger.error("Failed to verify email",u),t("invalid_token")}let i=V.object({email:V.string().email(),updateTo:V.string().optional()}).parse(n.payload),a=await e.context.internalAdapter.findUserByEmail(i.email);if(!a)return t("user_not_found");if(i.updateTo){let u=await W(e);if(!u){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(u.user.email!==i.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let c=await e.context.internalAdapter.updateUserByEmail(i.email,{email:i.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:c,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:c,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(i.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await W(e)){let c=await e.context.internalAdapter.createSession(a.user.id,e.request);if(!c)throw new ne("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await _(e,{session:c,user:a.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function fe(e,{userInfo:t,account:r,callbackURL:n}){let o=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(u=>{throw I.error(`Better auth was unable to query your database.
3
- Error: `,u),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),i=o?.user;if(o){let u=o.accounts.find(c=>c.providerId===r.providerId);if(u){let c=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([s,d])=>d!==void 0));Object.keys(c).length>0&&await e.context.internalAdapter.updateAccount(u.id,c)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Be&&I.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:o.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(d){return I.error("Unable to link account",d),{error:"unable to link account",data:null}}i=await e.context.internalAdapter.updateUser(o.user.id,{...t,updatedAt:new Date})}}else if(i=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(u=>u?.user),!t.emailVerified&&i&&e.context.options.emailVerification?.sendOnSignUp){let u=await $(e.context.secret,i.email),c=`${e.context.baseURL}/verify-email?token=${u}&callbackURL=${n}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:i,url:c,token:u},e.request)}if(!i)return{error:"unable to create user",data:null};let a=await e.context.internalAdapter.createSession(i.id,e.request);return a?{data:{session:a,user:i},error:null}:{error:"unable to create session",data:null}}var gt=R("/sign-in/social",{method:"POST",query:x.object({currentURL:x.string().optional()}).optional(),body:x.object({callbackURL:x.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:x.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:x.enum(pe,{description:"OAuth2 provider to use"}),disableRedirect:x.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:x.optional(x.object({token:x.string({description:"ID token from the provider"}),nonce:x.string({description:"Nonce used to generate the token"}).optional(),accessToken:x.string({description:"Access token from the provider"}).optional(),refreshToken:x.string({description:"Refresh token from the provider"}).optional(),expiresAt:x.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new S("NOT_FOUND",{message:b.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new S("NOT_FOUND",{message:b.ID_TOKEN_NOT_SUPPORTED});let{token:i,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(i,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new S("UNAUTHORIZED",{message:b.INVALID_TOKEN});let c=await t.getUserInfo({idToken:i,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!c||!c?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new S("UNAUTHORIZED",{message:b.FAILED_TO_GET_USER_INFO});if(!c.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new S("UNAUTHORIZED",{message:b.USER_EMAIL_NOT_FOUND});let s=await fe(e,{userInfo:{email:c.user.email,id:c.user.id,name:c.user.name||"",image:c.user.image,emailVerified:c.user.emailVerified||!1},account:{providerId:t.id,accountId:c.user.id,accessToken:e.body.idToken.accessToken}});if(s.error)throw new S("UNAUTHORIZED",{message:s.error});return await _(e,s.data),e.json({session:s.data.session,user:s.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:n}=await ue(e),o=await t.createAuthorizationURL({state:n,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:o.toString(),redirect:!e.body.disableRedirect})}),ht=R("/sign-in/email",{method:"POST",body:x.object({email:x.string({description:"Email of the user"}),password:x.string({description:"Password of the user"}),callbackURL:x.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:x.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new S("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!x.string().email().safeParse(t).success)throw new S("BAD_REQUEST",{message:b.INVALID_EMAIL});let o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new S("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});let i=o.accounts.find(s=>s.providerId==="credential");if(!i)throw e.context.logger.error("Credential account not found",{email:t}),new S("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});let a=i?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new S("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:a,password:r}))throw e.context.logger.error("Invalid password"),new S("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!o.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new S("UNAUTHORIZED",{message:b.EMAIL_NOT_VERIFIED});let s=await $(e.context.secret,o.user.email),d=`${e.context.baseURL}/verify-email?token=${s}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:o.user,url:d,token:s},e.request),e.context.logger.error("Email not verified",{email:t}),new S("FORBIDDEN",{message:b.EMAIL_NOT_VERIFIED})}let c=await e.context.internalAdapter.createSession(o.user.id,e.headers,e.body.rememberMe===!1);if(!c)throw e.context.logger.error("Failed to create session"),new S("UNAUTHORIZED",{message:b.FAILED_TO_CREATE_SESSION});return await _(e,{session:c,user:o.user},e.body.rememberMe===!1),e.json({user:{id:o.user.id,email:o.user.email,name:o.user.name,image:o.user.image,emailVerified:o.user.emailVerified,createdAt:o.user.createdAt,updatedAt:o.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as ie}from"zod";var me=ie.object({code:ie.string().optional(),error:ie.string().optional(),errorMessage:ie.string().optional(),state:ie.string().optional()}),yt=R("/callback/:id",{method:["GET","POST"],body:me.optional(),query:me.optional(),metadata:Z},async e=>{let t;try{if(e.method==="GET")t=me.parse(e.query);else if(e.method==="POST")t=me.parse(e.body);else throw new Error("Unsupported method")}catch(h){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",h),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:n,state:o}=t;if(!o)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${n||"no_code"}`);let i=e.context.socialProviders.find(h=>h.id===e.params.id);if(!i)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:u,link:c,errorURL:s}=await Ke(e),d;try{d=await i.validateAuthorizationCode({code:r,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${i.id}`})}catch(h){throw e.context.logger.error("",h),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let p=await i.getUserInfo(d).then(h=>h?.user);function m(h){let w=s||u||`${e.context.baseURL}/error`;throw w.includes("?")?w=`${w}&error=${h}`:w=`${w}?error=${h}`,e.redirect(w)}if(!p)return e.context.logger.error("Unable to get user info"),m("unable_to_get_user_info");if(!p.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),m("email_not_found");if(!u)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(c){if(c.email!==p.email.toLowerCase())return m("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:c.userId,providerId:i.id,accountId:p.id}))return m("unable_to_link_account");let w;try{w=new URL(u).toString()}catch{w=u}throw e.redirect(w)}let l=await fe(e,{userInfo:{...p,email:p.email,name:p.name||p.email},account:{providerId:i.id,accountId:p.id,...d,scope:d.scopes?.join(",")},callbackURL:u});if(l.error)return e.context.logger.error(l.error.split(" ").join("_")),m(l.error.split(" ").join("_"));let{session:f,user:g}=l.data;await _(e,{session:f,user:g});let y;try{y=new URL(u).toString()}catch{y=u}throw e.redirect(y)});import"zod";import{APIError as Qr}from"better-call";var wt=R("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw F(e),new Qr("BAD_REQUEST",{message:b.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),F(e),e.json({success:!0})});import{z as N}from"zod";import{APIError as Oe}from"better-call";function At(e,t,r){let n=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([o,i])=>n.searchParams.set(o,i)),n.href}function Jr(e,t,r){let n=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([o,i])=>n.searchParams.set(o,i)),n.href}var bt=R("/forget-password",{method:"POST",body:N.object({email:N.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:N.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new Oe("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,n=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!n)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let o=60*60*1,i=B(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||o,"sec"),a=q(24);await e.context.internalAdapter.createVerificationValue({value:n.user.id.toString(),identifier:`reset-password:${a}`,expiresAt:i});let u=`${e.context.baseURL}/reset-password/${a}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:n.user,url:u,token:a},e.request),e.json({status:!0})}),kt=R("/reset-password/:token",{method:"GET",query:N.object({callbackURL:N.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(At(e.context,r,{error:"INVALID_TOKEN"}));let n=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!n||n.expiresAt<new Date?e.redirect(At(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Jr(e.context,r,{token:t}))}),Rt=R("/reset-password",{query:N.optional(N.object({token:N.string().optional(),currentURL:N.string().optional()})),method:"POST",body:N.object({newPassword:N.string({description:"The new password to set"}),token:N.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new Oe("BAD_REQUEST",{message:b.INVALID_TOKEN});let{newPassword:r}=e.body,n=`reset-password:${t}`,o=await e.context.internalAdapter.findVerificationValue(n);if(!o||o.expiresAt<new Date)throw new Oe("BAD_REQUEST",{message:b.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(o.id);let i=o.value,a=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(i)).find(s=>s.providerId==="credential")?(await e.context.internalAdapter.updatePassword(i,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:i,providerId:"credential",password:a,accountId:i}),e.json({status:!0}))});import{z as v}from"zod";import{APIError as O}from"better-call";import{z as k}from"zod";import{APIError as Yr}from"better-call";var oa=k.object({id:k.string(),providerId:k.string(),accountId:k.string(),userId:k.string(),accessToken:k.string().nullish(),refreshToken:k.string().nullish(),idToken:k.string().nullish(),accessTokenExpiresAt:k.date().nullish(),refreshTokenExpiresAt:k.date().nullish(),scope:k.string().nullish(),password:k.string().nullish(),createdAt:k.date().default(()=>new Date),updatedAt:k.date().default(()=>new Date)}),sa=k.object({id:k.string(),email:k.string().transform(e=>e.toLowerCase()),emailVerified:k.boolean().default(!1),name:k.string(),image:k.string().nullish(),createdAt:k.date().default(()=>new Date),updatedAt:k.date().default(()=>new Date)}),aa=k.object({id:k.string(),userId:k.string(),expiresAt:k.date(),createdAt:k.date().default(()=>new Date),updatedAt:k.date().default(()=>new Date),token:k.string(),ipAddress:k.string().nullish(),userAgent:k.string().nullish()}),da=k.object({id:k.string(),value:k.string(),createdAt:k.date().default(()=>new Date),updatedAt:k.date().default(()=>new Date),expiresAt:k.date(),identifier:k.string()});function Et(e,t){let r=t.fields,n={};for(let o in e){let i=r[o];if(!i){n[o]=e[o];continue}i.returned!==!1&&(n[o]=e[o])}return n}function ve(e,t){let r={...t==="user"?e.user?.additionalFields:{},...t==="session"?e.session?.additionalFields:{}};for(let n of e.plugins||[])n.schema&&n.schema[t]&&(r={...r,...n.schema[t].fields});return r}function Se(e,t){let r=ve(e,"user");return Et(t,{fields:r})}function ge(e,t){let r=ve(e,"session");return Et(t,{fields:r})}function Xr(e,t){let r=t.action||"create",n=t.fields,o={};for(let i in n){if(i in e){if(n[i].input===!1){if(n[i].defaultValue){o[i]=n[i].defaultValue;continue}continue}if(n[i].validator?.input&&e[i]!==void 0){o[i]=n[i].validator.input.parse(e[i]);continue}o[i]=e[i];continue}if(n[i].defaultValue&&r==="create"){o[i]=n[i].defaultValue;continue}if(n[i].required&&r==="create")throw new Yr("BAD_REQUEST",{message:`${i} is required`})}return o}function he(e,t,r){let n=ve(e,"user");return Xr(t||{},{fields:n,action:r})}import{xchacha20poly1305 as wa}from"@noble/ciphers/chacha";import{bytesToHex as ba,hexToBytes as ka,utf8ToBytes as Ra}from"@noble/ciphers/utils";import{managedNonce as Ta}from"@noble/ciphers/webcrypto";import{sha256 as xa}from"oslo/crypto";import va from"uncrypto";import{decodeHex as en,encodeHex as Tt}from"oslo/encoding";import{scryptAsync as tn}from"@noble/hashes/scrypt";import{getRandomValues as rn}from"uncrypto";var J={N:16384,r:16,p:1,dkLen:64};async function Ut(e,t){return await tn(e.normalize("NFKC"),t,{N:J.N,p:J.p,r:J.r,dkLen:J.dkLen,maxmem:128*J.N*J.r*2})}var xt=async e=>{let t=Tt(rn(new Uint8Array(16))),r=await Ut(e,t);return`${t}:${Tt(r)}`},Ot=async({hash:e,password:t})=>{let[r,n]=e.split(":"),o=await Ut(t,r);return ke(o,en(n))};import vt from"uncrypto";function nn(e){return e.toString(2).padStart(8,"0")}function on(e){return[...e].map(t=>nn(t)).join("")}function St(e){return parseInt(on(e),2)}function sn(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,n=new Uint8Array(Math.ceil(t/8));vt.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1);let o=St(n);for(;o>=e;)vt.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1),o=St(n);return o}function _t(e,t){let r="";for(let n=0;n<e;n++)r+=t[sn(t.length)];return r}function It(...e){let t=new Set(e),r="";for(let n of t)n==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":n==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":n==="0-9"?r+="0123456789":r+=n;return r}var Pt=()=>R("/update-user",{method:"POST",body:v.record(v.string(),v.any()),use:[C],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new O("BAD_REQUEST",{message:b.EMAIL_CAN_NOT_BE_UPDATED});let{name:r,image:n,...o}=t,i=e.context.session;if(n===void 0&&!r&&Object.keys(o).length===0)return e.json({id:i.user.id,email:i.user.email,name:i.user.name,image:i.user.image,emailVerified:i.user.emailVerified,createdAt:i.user.createdAt,updatedAt:i.user.updatedAt});let a=he(e.context.options,o,"update"),u=await e.context.internalAdapter.updateUserByEmail(i.user.email,{name:r,image:n,...a});return await _(e,{session:i.session,user:u}),e.json({id:u.id,email:u.email,name:u.name,image:u.image,emailVerified:u.emailVerified,createdAt:u.createdAt,updatedAt:u.updatedAt})}),Lt=R("/change-password",{method:"POST",body:v.object({newPassword:v.string({description:"The new password to set"}),currentPassword:v.string({description:"The current password"}),revokeOtherSessions:v.boolean({description:"Revoke all other sessions"}).optional()}),use:[C],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:n}=e.body,o=e.context.session,i=e.context.password.config.minPasswordLength;if(t.length<i)throw e.context.logger.error("Password is too short"),new O("BAD_REQUEST",{message:b.PASSWORD_TOO_SHORT});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new O("BAD_REQUEST",{message:b.PASSWORD_TOO_LONG});let c=(await e.context.internalAdapter.findAccounts(o.user.id)).find(p=>p.providerId==="credential"&&p.password);if(!c||!c.password)throw new O("BAD_REQUEST",{message:b.CREDENTIAL_ACCOUNT_NOT_FOUND});let s=await e.context.password.hash(t);if(!await e.context.password.verify({hash:c.password,password:r}))throw new O("BAD_REQUEST",{message:b.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(c.id,{password:s}),n){await e.context.internalAdapter.deleteSessions(o.user.id);let p=await e.context.internalAdapter.createSession(o.user.id,e.headers);if(!p)throw new O("INTERNAL_SERVER_ERROR",{message:b.FAILED_TO_GET_SESSION});await _(e,{session:p,user:o.user})}return e.json(o.user)}),Dt=R("/set-password",{method:"POST",body:v.object({newPassword:v.string()}),metadata:{SERVER_ONLY:!0},use:[C]},async e=>{let{newPassword:t}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new O("BAD_REQUEST",{message:b.PASSWORD_TOO_SHORT});let o=e.context.password.config.maxPasswordLength;if(t.length>o)throw e.context.logger.error("Password is too long"),new O("BAD_REQUEST",{message:b.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(c=>c.providerId==="credential"&&c.password),u=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:u}),e.json(r.user);throw new O("BAD_REQUEST",{message:"user already has a password"})}),Ct=R("/delete-user",{method:"POST",use:[dt],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new O("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let o=_t(32,It("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${o}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let i=`${e.context.baseURL}/delete-user/callback?token=${o}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:i,token:o},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),F(e);let n=e.context.options.user.deleteUser?.afterDelete;return n&&await n(t.user,e.request),e.json({success:!0,message:"User deleted"})}),Nt=R("/delete-user/callback",{method:"GET",query:v.object({token:v.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new O("NOT_FOUND");let t=await W(e);if(!t)throw new O("NOT_FOUND",{message:b.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new O("NOT_FOUND",{message:b.INVALID_TOKEN});if(r.value!==t.user.id)throw new O("NOT_FOUND",{message:b.INVALID_TOKEN});let n=e.context.options.user.deleteUser?.beforeDelete;n&&await n(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),F(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(t.user,e.request),e.json({success:!0,message:"User deleted"})}),Bt=R("/change-email",{method:"POST",query:v.object({currentURL:v.string().optional()}).optional(),body:v.object({newEmail:v.string({description:"The new email to set"}).email(),callbackURL:v.string({description:"The URL to redirect to after email verification"}).optional()}),use:[C],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new O("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new O("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new O("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let o=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:o,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new O("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await $(e.context.secret,e.context.session.user.email,e.body.newEmail),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:n,token:r},e.request),e.json({user:null,status:!0})});var an=(e="Unknown")=>`<!DOCTYPE html>
2
+ `,`Current list of trustedOrigins: ${c}`),new pr("FORBIDDEN",{message:`Invalid ${l}`})};s&&!e.context.options.advanced?.disableCSRFCheck&&p(o,"origin"),i&&p(i,"callbackURL"),a&&p(a,"redirectURL"),u&&p(u,"currentURL")});import{APIError as S}from"better-call";import{z as x}from"zod";import{TimeSpan as gr}from"oslo";import{base64url as hr}from"oslo/encoding";import{HMAC as Me,sha256 as $n}from"oslo/crypto";function ke(e,t){let r=new Uint8Array(e),n=new Uint8Array(t);if(r.length!==n.length)return!1;let o=0;for(let i=0;i<r.length;i++)o|=r[i]^n[i];return o===0}async function fr({value:e,secret:t}){return new Me("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(n=>Buffer.from(n).toString("base64"))}function mr({value:e,signature:t,secret:r}){return new Me("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var ce={sign:fr,verify:mr};var B=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));function Gn(e){let t=new Map;return e.split(", ").forEach(n=>{let o=n.split(";").map(p=>p.trim()),[i,...a]=o,[u,...c]=i.split("="),s=c.join("=");if(!u||s===void 0)return;let d={value:s};a.forEach(p=>{let[m,...l]=p.split("="),f=l.join("="),g=m.trim().toLowerCase();switch(g){case"max-age":d["max-age"]=f?parseInt(f.trim(),10):void 0;break;case"expires":d.expires=f?new Date(f.trim()):void 0;break;case"domain":d.domain=f?f.trim():void 0;break;case"path":d.path=f?f.trim():void 0;break;case"secure":d.secure=!0;break;case"httponly":d.httponly=!0;break;case"samesite":d.samesite=f?f.trim().toLowerCase():void 0;break;default:d[g]=f?f.trim():!0;break}}),t.set(u,d)}),t}function Re(e){let r=(e.advanced?.useSecureCookies!==void 0?e.advanced?.useSecureCookies:e.baseURL!==void 0?!!e.baseURL.startsWith("https://"):te)?"__Secure-":"",n=!!e.advanced?.crossSubDomainCookies?.enabled,o=n?e.advanced?.crossSubDomainCookies?.domain||(e.baseURL?new URL(e.baseURL).hostname:void 0):void 0;if(n&&!o)throw new D("baseURL is required when crossSubdomainCookies are enabled");function i(a,u={}){let c=e.advanced?.cookiePrefix||"better-auth",s=e.advanced?.cookies?.[a]?.name||`${c}.${a}`,d=e.advanced?.cookies?.[a]?.attributes;return{name:`${r}${s}`,attributes:{secure:!!r,sameSite:"lax",path:"/",httpOnly:!0,...n?{domain:o}:{},...e.advanced?.defaultCookieAttributes,...u,...d}}}return i}function ze(e){let t=Re(e),r=e.session?.expiresIn||new gr(7,"d").seconds(),n=t("session_token",{maxAge:r}),o=t("session_data",{maxAge:e.session?.cookieCache?.maxAge||60*5}),i=t("dont_remember");return{sessionToken:{name:n.name,options:n.attributes},sessionData:{name:o.name,options:o.attributes},dontRememberToken:{name:i.name,options:i.attributes}}}async function _(e,t,r,n){let o=e.context.authCookies.sessionToken.options,i=r?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...o,maxAge:i,...n}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(hr.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:B(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await ce.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function F(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}function ri(e){let t=e.split("; "),r=new Map;return t.forEach(n=>{let[o,i]=n.split("=");r.set(o,i)}),r}import{betterFetch as Rr}from"@better-fetch/fetch";import{APIError as Er}from"better-call";import{decodeProtectedHeader as Tr,importJWK as Ur,jwtVerify as xr}from"jose";import{parseJWT as Or}from"oslo/jwt";import{sha256 as yr}from"oslo/crypto";import{base64url as wr}from"oslo/encoding";async function He(e){let t=await yr(new TextEncoder().encode(e));return wr.encode(new Uint8Array(t),{includePadding:!1})}function Ge(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?B(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function U({id:e,options:t,authorizationEndpoint:r,state:n,codeVerifier:o,scopes:i,claims:a,redirectURI:u}){let c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",n),c.searchParams.set("scope",i.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||u),o){let s=await He(o);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",s)}if(a){let s=a.reduce((d,p)=>(d[p]=null,d),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...s}}))}return c}import{betterFetch as Ar}from"@better-fetch/fetch";async function T({code:e,codeVerifier:t,redirectURI:r,options:n,tokenEndpoint:o,authentication:i}){let a=new URLSearchParams,u={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(a.set("grant_type","authorization_code"),a.set("code",e),t&&a.set("code_verifier",t),a.set("redirect_uri",r),i==="basic"){let p=btoa(`${n.clientId}:${n.clientSecret}`);u.authorization=`Basic ${p}`}else a.set("client_id",n.clientId),a.set("client_secret",n.clientSecret);let{data:c,error:s}=await Ar(o,{method:"POST",body:a,headers:u});if(s)throw s;return Ge(c)}import{generateCodeVerifier as br,generateState as kr}from"oslo/oauth2";import{z as H}from"zod";import{APIError as We}from"better-call";async function ue(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?qe(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new We("BAD_REQUEST",{message:"callbackURL is required"});let n=br(),o=kr(),i=JSON.stringify({callbackURL:r,codeVerifier:n,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),a=new Date;a.setMinutes(a.getMinutes()+10);let u=await e.context.internalAdapter.createVerificationValue({value:i,identifier:o,expiresAt:a});if(!u)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new We("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:u.identifier,codeVerifier:n}}async function Ke(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let n=H.object({callbackURL:H.string(),codeVerifier:H.string(),errorURL:H.string().optional(),expiresAt:H.number(),link:H.object({email:H.string(),userId:H.string()}).optional()}).parse(JSON.parse(r.value));if(n.errorURL||(n.errorURL=`${e.context.baseURL}/error`),n.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),n}var Ze=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:n,redirectURI:o}){let i=n||["email","name"];return e.scope&&i.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${o||e.redirectURI}&scope=${i.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:o})=>T({code:r,codeVerifier:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async verifyIdToken(r,n){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,n);let o=Tr(r),{kid:i,alg:a}=o;if(!i||!a)return!1;let u=await vr(i),{payload:c}=await xr(r,u,{algorithms:[a],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(s=>{c[s]!==void 0&&(c[s]=!!c[s])}),n&&c.nonce!==n?!1:!!c},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let n=Or(r.idToken)?.payload;if(!n)return null;let o=n.user?`${n.user.name.firstName} ${n.user.name.lastName}`:n.email,i=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:o,emailVerified:!1,email:n.email,...i},data:n}}}},vr=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:n}=await Rr(`${t}${r}`);if(!n?.keys)throw new Er("BAD_REQUEST",{message:"Keys not found"});let o=n.keys.find(i=>i.kid===e);if(!o)throw new Error(`JWK with kid ${e} not found`);return await Ur(o,o.alg)};import{betterFetch as Sr}from"@better-fetch/fetch";var Qe=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["identify","email"];return e.scope&&o.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${o.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||n)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await Sr("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(n)return null;if(r.avatar===null){let i=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${i}.png`}else{let i=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${i}`}let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...o},data:r}}});import{betterFetch as _r}from"@better-fetch/fetch";var Je=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["email","public_profile"];return e.scope&&o.push(...e.scope),await U({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:o,state:t,redirectURI:n})},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await _r("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...o},data:r}}});import{betterFetch as Ye}from"@better-fetch/fetch";var Xe=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:n,codeVerifier:o,redirectURI:i}){let a=n||["user:email"];return e.scope&&a.push(...e.scope),U({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:a,state:r,redirectURI:i})},validateAuthorizationCode:async({code:r,redirectURI:n})=>T({code:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:o}=await Ye("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(o)return null;let i=!1;if(!n.email){let{data:u,error:c}=await Ye("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});c||(n.email=(u.find(s=>s.primary)??u[0])?.email,i=u.find(s=>s.email===n.email)?.verified??!1)}let a=await e.mapProfileToUser?.(n);return{user:{id:n.id.toString(),name:n.name||n.login,email:n.email,image:n.avatar_url,emailVerified:i,...a},data:n}}}};import{parseJWT as Dr}from"oslo/jwt";import{createConsola as Ir}from"consola";var Ee=["info","success","warn","error","debug"];function Pr(e,t){return Ee.indexOf(t)<=Ee.indexOf(e)}var Lr=Ir({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),le=e=>{let t=e?.disabled!==!0,r=e?.level??"error",n=(o,i,a=[])=>{if(!(!t||!Pr(r,o))){if(!e||typeof e.log!="function"){Lr[o]("",i,...a);return}e.log(o==="success"?"info":o,i,a)}};return Object.fromEntries(Ee.map(o=>[o,(...[i,...a])=>n(o,i,a)]))},I=le();import{betterFetch as Cr}from"@better-fetch/fetch";var et=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:o}){if(!e.clientId||!e.clientSecret)throw I.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new D("CLIENT_ID_AND_SECRET_REQUIRED");if(!n)throw new D("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let a=await U({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:n,redirectURI:o});return e.accessType&&a.searchParams.set("access_type",e.accessType),e.prompt&&a.searchParams.set("prompt",e.prompt),a},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let n=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:o}=await Cr(n);return o?o.aud===e.clientId&&o.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=Dr(t.idToken)?.payload,n=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...n},data:r}}});import{betterFetch as Nr}from"@better-fetch/fetch";import{parseJWT as Br}from"oslo/jwt";var tt=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,n=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(o){let i=o.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),U({id:"microsoft",options:e,authorizationEndpoint:r,state:o.state,codeVerifier:o.codeVerifier,scopes:i,redirectURI:o.redirectURI})},validateAuthorizationCode({code:o,codeVerifier:i,redirectURI:a}){return T({code:o,codeVerifier:i,redirectURI:e.redirectURI||a,options:e,tokenEndpoint:n})},async getUserInfo(o){if(e.getUserInfo)return e.getUserInfo(o);if(!o.idToken)return null;let i=Br(o.idToken)?.payload,a=e.profilePhotoSize||48;await Nr(`https://graph.microsoft.com/v1.0/me/photos/${a}x${a}/$value`,{headers:{Authorization:`Bearer ${o.accessToken}`},async onResponse(c){if(!(e.disableProfilePhoto||!c.response.ok))try{let d=await c.response.clone().arrayBuffer(),p=Buffer.from(d).toString("base64");i.picture=`data:image/jpeg;base64, ${p}`}catch(s){I.error(s&&typeof s=="object"&&"name"in s?s.name:"",s)}}});let u=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0,...u},data:i}}}};import{betterFetch as Vr}from"@better-fetch/fetch";var rt=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:o}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),U({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:n,redirectURI:o})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await Vr("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...o},data:r}}});function ro(e){return e.charAt(0).toUpperCase()+e.slice(1)}var Z={isAction:!1};import{nanoid as Fr}from"nanoid";var q=e=>Fr(e);import{parseJWT as qr}from"oslo/jwt";var nt=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["user:read:email","openid"];return e.scope&&o.push(...e.scope),U({id:"twitch",redirectURI:n,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:o,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>T({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return I.error("No idToken found in token"),null;let n=qr(r)?.payload,o=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.preferred_username,email:n.email,image:n.picture,emailVerified:!1,...o},data:n}}});import{betterFetch as jr}from"@better-fetch/fetch";var it=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),U({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>T({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await jr("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...o},data:r}}});import{betterFetch as $r}from"@better-fetch/fetch";var ot=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:n,codeVerifier:o,redirectURI:i})=>{let a=n||["account_info.read"];return e.scope&&a.push(...e.scope),await U({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:a,state:r,redirectURI:i,codeVerifier:o})},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:o})=>await T({code:r,codeVerifier:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:o}=await $r("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(n);return{user:{id:n.account_id,name:n.name?.display_name,email:n.email,emailVerified:n.email_verified||!1,image:n.profile_photo_url,...i},data:n}}}};import{betterFetch as Mr}from"@better-fetch/fetch";var st=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:n,scopes:o,redirectURI:i})=>{let a=o||["profile","email","openid"];return e.scope&&a.push(...e.scope),await U({id:"linkedin",options:e,authorizationEndpoint:t,scopes:a,state:n,redirectURI:i})},validateAuthorizationCode:async({code:n,redirectURI:o})=>await T({code:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:r}),async getUserInfo(n){let{data:o,error:i}=await Mr("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${n.accessToken}`}});if(i)return null;let a=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.name,email:o.email,emailVerified:o.email_verified||!1,image:o.picture,...a},data:o}}}};import{betterFetch as zr}from"@better-fetch/fetch";var Te=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Hr=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:Te(`${t}/oauth/authorize`),tokenEndpoint:Te(`${t}/oauth/token`),userinfoEndpoint:Te(`${t}/api/v4/user`)}},at=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:n}=Hr(e.issuer),o="gitlab";return{id:o,name:"Gitlab",createAuthorizationURL:async({state:a,scopes:u,codeVerifier:c,redirectURI:s})=>{let d=u||["read_user"];return e.scope&&d.push(...e.scope),await U({id:o,options:e,authorizationEndpoint:t,scopes:d,state:a,redirectURI:s,codeVerifier:c})},validateAuthorizationCode:async({code:a,redirectURI:u,codeVerifier:c})=>T({code:a,redirectURI:e.redirectURI||u,options:e,codeVerifier:c,tokenEndpoint:r}),async getUserInfo(a){if(e.getUserInfo)return e.getUserInfo(a);let{data:u,error:c}=await zr(n,{headers:{authorization:`Bearer ${a.accessToken}`}});if(c||u.state!=="active"||u.locked)return null;let s=await e.mapProfileToUser?.(u);return{user:{id:u.id.toString(),name:u.name??u.username,email:u.email,image:u.avatar_url,emailVerified:!0,...s},data:u}}}};var Ue={apple:Ze,discord:Qe,facebook:Je,github:Xe,microsoft:tt,google:et,spotify:rt,twitch:nt,twitter:it,dropbox:ot,linkedin:st,gitlab:at},pe=Object.keys(Ue);import{TimeSpan as Gr}from"oslo";import{createJWT as Wr,validateJWT as Kr}from"oslo/jwt";import{z as V}from"zod";import{APIError as ne}from"better-call";import{APIError as j}from"better-call";import{z as G}from"zod";function Q(e){try{return JSON.parse(e)}catch{return null}}var b={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var xe=()=>R("/get-session",{method:"GET",query:G.optional(G.object({disableCookieCache:G.boolean({description:"Disable cookie cache and fetch session from database"}).or(G.string().transform(e=>e==="true")).optional(),disableRefresh:G.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),n=r?Q(Buffer.from(r,"base64").toString()):null;if(n&&!await ce.verify({value:JSON.stringify(n.session),signature:n?.signature,secret:e.context.secret}))return F(e),e.json(null);let o=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(n?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let d=n.session;if(n.expiresAt<Date.now()||d.session.expiresAt<new Date){let m=e.context.authCookies.sessionData.name;e.setCookie(m,"",{maxAge:0})}else return e.json(d)}let i=await e.context.internalAdapter.findSession(t);if(e.context.session=i,!i||i.session.expiresAt<new Date)return F(e),i&&await e.context.internalAdapter.deleteSession(i.session.token),e.json(null);if(o||e.query?.disableRefresh)return e.json(i);let a=e.context.sessionConfig.expiresIn,u=e.context.sessionConfig.updateAge;if(i.session.expiresAt.valueOf()-a*1e3+u*1e3<=Date.now()){let d=await e.context.internalAdapter.updateSession(i.session.token,{expiresAt:B(e.context.sessionConfig.expiresIn,"sec")});if(!d)return F(e),e.json(null,{status:401});let p=(d.expiresAt.valueOf()-Date.now())/1e3;return await _(e,{session:d,user:i.user},!1,{maxAge:p}),e.json({session:d,user:i.user})}return e.json(i)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new j("INTERNAL_SERVER_ERROR",{message:b.FAILED_TO_GET_SESSION})}}),W=async(e,t)=>{if(e.context.session)return e.context.session;let r=await xe()({...e,_flag:"json",headers:e.headers,query:t}).catch(n=>null);return e.context.session=r,r},C=X(async e=>{let t=await W(e);if(!t?.session)throw new j("UNAUTHORIZED");return{session:t}}),dt=X(async e=>{let t=await W(e);if(!t?.session)throw new j("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,n=t.session.createdAt.valueOf(),o=Date.now();if(!(n+r*1e3>o))throw new j("FORBIDDEN",{message:"Session is not fresh"});return{session:t}}),ct=()=>R("/list-sessions",{method:"GET",use:[C],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let r=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(n=>n.expiresAt>new Date);return e.json(r)}),ut=R("/revoke-session",{method:"POST",body:G.object({token:G.string({description:"The token to revoke"})}),use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new j("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new j("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(n){throw e.context.logger.error(n&&typeof n=="object"&&"name"in n?n.name:"",n),new j("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),lt=R("/revoke-sessions",{method:"POST",use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new j("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),pt=R("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[C],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new j("UNAUTHORIZED");let o=(await e.context.internalAdapter.listSessions(t.user.id)).filter(i=>i.expiresAt>new Date).filter(i=>i.token!==e.context.session.session.token);return await Promise.all(o.map(i=>e.context.internalAdapter.deleteSession(i.token))),e.json({status:!0})});async function $(e,t,r){return await Wr("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Gr(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Zr(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new ne("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await $(e.context.secret,t.email),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:n,token:r},e.request)}var ft=R("/send-verification-email",{method:"POST",query:V.object({currentURL:V.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:V.object({email:V.string({description:"The email to send the verification email to"}).email(),callbackURL:V.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new ne("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new ne("BAD_REQUEST",{message:b.USER_NOT_FOUND});return await Zr(e,r.user),e.json({status:!0})}),mt=R("/verify-email",{method:"GET",query:V.object({token:V.string({description:"The token to verify the email"}),callbackURL:V.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(u){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${u}`):new ne("UNAUTHORIZED",{message:u})}let{token:r}=e.query,n;try{n=await Kr("HS256",Buffer.from(e.context.secret),r)}catch(u){return e.context.logger.error("Failed to verify email",u),t("invalid_token")}let i=V.object({email:V.string().email(),updateTo:V.string().optional()}).parse(n.payload),a=await e.context.internalAdapter.findUserByEmail(i.email);if(!a)return t("user_not_found");if(i.updateTo){let u=await W(e);if(!u){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(u.user.email!==i.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let c=await e.context.internalAdapter.updateUserByEmail(i.email,{email:i.updateTo,emailVerified:!1});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:c,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:c,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(i.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await W(e)){let c=await e.context.internalAdapter.createSession(a.user.id,e.request);if(!c)throw new ne("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await _(e,{session:c,user:a.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function fe(e,{userInfo:t,account:r,callbackURL:n}){let o=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(u=>{throw I.error(`Better auth was unable to query your database.
3
+ Error: `,u),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),i=o?.user;if(o){let u=o.accounts.find(c=>c.providerId===r.providerId);if(u){let c=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([s,d])=>d!==void 0));Object.keys(c).length>0&&await e.context.internalAdapter.updateAccount(u.id,c)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Be&&I.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:o.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(d){return I.error("Unable to link account",d),{error:"unable to link account",data:null}}i=await e.context.internalAdapter.updateUser(o.user.id,{...t,updatedAt:new Date})}}else if(i=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(u=>u?.user),!t.emailVerified&&i&&e.context.options.emailVerification?.sendOnSignUp){let u=await $(e.context.secret,i.email),c=`${e.context.baseURL}/verify-email?token=${u}&callbackURL=${n}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:i,url:c,token:u},e.request)}if(!i)return{error:"unable to create user",data:null};let a=await e.context.internalAdapter.createSession(i.id,e.request);return a?{data:{session:a,user:i},error:null}:{error:"unable to create session",data:null}}var gt=R("/sign-in/social",{method:"POST",query:x.object({currentURL:x.string().optional()}).optional(),body:x.object({callbackURL:x.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:x.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:x.enum(pe,{description:"OAuth2 provider to use"}),disableRedirect:x.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:x.optional(x.object({token:x.string({description:"ID token from the provider"}),nonce:x.string({description:"Nonce used to generate the token"}).optional(),accessToken:x.string({description:"Access token from the provider"}).optional(),refreshToken:x.string({description:"Refresh token from the provider"}).optional(),expiresAt:x.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new S("NOT_FOUND",{message:b.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new S("NOT_FOUND",{message:b.ID_TOKEN_NOT_SUPPORTED});let{token:i,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(i,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new S("UNAUTHORIZED",{message:b.INVALID_TOKEN});let c=await t.getUserInfo({idToken:i,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!c||!c?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new S("UNAUTHORIZED",{message:b.FAILED_TO_GET_USER_INFO});if(!c.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new S("UNAUTHORIZED",{message:b.USER_EMAIL_NOT_FOUND});let s=await fe(e,{userInfo:{email:c.user.email,id:c.user.id,name:c.user.name||"",image:c.user.image,emailVerified:c.user.emailVerified||!1},account:{providerId:t.id,accountId:c.user.id,accessToken:e.body.idToken.accessToken}});if(s.error)throw new S("UNAUTHORIZED",{message:s.error});return await _(e,s.data),e.json({session:s.data.session,user:s.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:n}=await ue(e),o=await t.createAuthorizationURL({state:n,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:o.toString(),redirect:!e.body.disableRedirect})}),ht=R("/sign-in/email",{method:"POST",body:x.object({email:x.string({description:"Email of the user"}),password:x.string({description:"Password of the user"}),callbackURL:x.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:x.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new S("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!x.string().email().safeParse(t).success)throw new S("BAD_REQUEST",{message:b.INVALID_EMAIL});let o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new S("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});let i=o.accounts.find(s=>s.providerId==="credential");if(!i)throw e.context.logger.error("Credential account not found",{email:t}),new S("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});let a=i?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new S("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:a,password:r}))throw e.context.logger.error("Invalid password"),new S("UNAUTHORIZED",{message:b.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!o.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new S("UNAUTHORIZED",{message:b.EMAIL_NOT_VERIFIED});let s=await $(e.context.secret,o.user.email),d=`${e.context.baseURL}/verify-email?token=${s}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:o.user,url:d,token:s},e.request),e.context.logger.error("Email not verified",{email:t}),new S("FORBIDDEN",{message:b.EMAIL_NOT_VERIFIED})}let c=await e.context.internalAdapter.createSession(o.user.id,e.headers,e.body.rememberMe===!1);if(!c)throw e.context.logger.error("Failed to create session"),new S("UNAUTHORIZED",{message:b.FAILED_TO_CREATE_SESSION});return await _(e,{session:c,user:o.user},e.body.rememberMe===!1),e.json({user:{id:o.user.id,email:o.user.email,name:o.user.name,image:o.user.image,emailVerified:o.user.emailVerified,createdAt:o.user.createdAt,updatedAt:o.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as ie}from"zod";var me=ie.object({code:ie.string().optional(),error:ie.string().optional(),errorMessage:ie.string().optional(),state:ie.string().optional()}),yt=R("/callback/:id",{method:["GET","POST"],body:me.optional(),query:me.optional(),metadata:Z},async e=>{let t;try{if(e.method==="GET")t=me.parse(e.query);else if(e.method==="POST")t=me.parse(e.body);else throw new Error("Unsupported method")}catch(h){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",h),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:n,state:o}=t;if(!o)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${n||"no_code"}`);let i=e.context.socialProviders.find(h=>h.id===e.params.id);if(!i)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:u,link:c,errorURL:s}=await Ke(e),d;try{d=await i.validateAuthorizationCode({code:r,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${i.id}`})}catch(h){throw e.context.logger.error("",h),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let p=await i.getUserInfo(d).then(h=>h?.user);function m(h){let w=s||u||`${e.context.baseURL}/error`;throw w.includes("?")?w=`${w}&error=${h}`:w=`${w}?error=${h}`,e.redirect(w)}if(!p)return e.context.logger.error("Unable to get user info"),m("unable_to_get_user_info");if(!p.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),m("email_not_found");if(!u)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(c){if(c.email!==p.email.toLowerCase())return m("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:c.userId,providerId:i.id,accountId:p.id}))return m("unable_to_link_account");let w;try{w=new URL(u).toString()}catch{w=u}throw e.redirect(w)}let l=await fe(e,{userInfo:{...p,email:p.email,name:p.name||p.email},account:{providerId:i.id,accountId:p.id,...d,scope:d.scopes?.join(",")},callbackURL:u});if(l.error)return e.context.logger.error(l.error.split(" ").join("_")),m(l.error.split(" ").join("_"));let{session:f,user:g}=l.data;await _(e,{session:f,user:g});let y;try{y=new URL(u).toString()}catch{y=u}throw e.redirect(y)});import"zod";import{APIError as Qr}from"better-call";var wt=R("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw F(e),new Qr("BAD_REQUEST",{message:b.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),F(e),e.json({success:!0})});import{z as N}from"zod";import{APIError as Oe}from"better-call";function At(e,t,r){let n=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([o,i])=>n.searchParams.set(o,i)),n.href}function Jr(e,t,r){let n=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([o,i])=>n.searchParams.set(o,i)),n.href}var bt=R("/forget-password",{method:"POST",body:N.object({email:N.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:N.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new Oe("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,n=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!n)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let o=60*60*1,i=B(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||o,"sec"),a=q(24);await e.context.internalAdapter.createVerificationValue({value:n.user.id.toString(),identifier:`reset-password:${a}`,expiresAt:i});let u=`${e.context.baseURL}/reset-password/${a}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:n.user,url:u,token:a},e.request),e.json({status:!0})}),kt=R("/reset-password/:token",{method:"GET",query:N.object({callbackURL:N.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(At(e.context,r,{error:"INVALID_TOKEN"}));let n=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!n||n.expiresAt<new Date?e.redirect(At(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Jr(e.context,r,{token:t}))}),Rt=R("/reset-password",{query:N.optional(N.object({token:N.string().optional(),currentURL:N.string().optional()})),method:"POST",body:N.object({newPassword:N.string({description:"The new password to set"}),token:N.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new Oe("BAD_REQUEST",{message:b.INVALID_TOKEN});let{newPassword:r}=e.body,n=`reset-password:${t}`,o=await e.context.internalAdapter.findVerificationValue(n);if(!o||o.expiresAt<new Date)throw new Oe("BAD_REQUEST",{message:b.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(o.id);let i=o.value,a=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(i)).find(s=>s.providerId==="credential")?(await e.context.internalAdapter.updatePassword(i,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:i,providerId:"credential",password:a,accountId:i}),e.json({status:!0}))});import{z as v}from"zod";import{APIError as O}from"better-call";import{z as k}from"zod";import{APIError as Yr}from"better-call";var oa=k.object({id:k.string(),providerId:k.string(),accountId:k.string(),userId:k.string(),accessToken:k.string().nullish(),refreshToken:k.string().nullish(),idToken:k.string().nullish(),accessTokenExpiresAt:k.date().nullish(),refreshTokenExpiresAt:k.date().nullish(),scope:k.string().nullish(),password:k.string().nullish(),createdAt:k.date().default(()=>new Date),updatedAt:k.date().default(()=>new Date)}),sa=k.object({id:k.string(),email:k.string().transform(e=>e.toLowerCase()),emailVerified:k.boolean().default(!1),name:k.string(),image:k.string().nullish(),createdAt:k.date().default(()=>new Date),updatedAt:k.date().default(()=>new Date)}),aa=k.object({id:k.string(),userId:k.string(),expiresAt:k.date(),createdAt:k.date().default(()=>new Date),updatedAt:k.date().default(()=>new Date),token:k.string(),ipAddress:k.string().nullish(),userAgent:k.string().nullish()}),da=k.object({id:k.string(),value:k.string(),createdAt:k.date().default(()=>new Date),updatedAt:k.date().default(()=>new Date),expiresAt:k.date(),identifier:k.string()});function Et(e,t){let r=t.fields,n={};for(let o in e){let i=r[o];if(!i){n[o]=e[o];continue}i.returned!==!1&&(n[o]=e[o])}return n}function ve(e,t){let r={...t==="user"?e.user?.additionalFields:{},...t==="session"?e.session?.additionalFields:{}};for(let n of e.plugins||[])n.schema&&n.schema[t]&&(r={...r,...n.schema[t].fields});return r}function Se(e,t){let r=ve(e,"user");return Et(t,{fields:r})}function ge(e,t){let r=ve(e,"session");return Et(t,{fields:r})}function Xr(e,t){let r=t.action||"create",n=t.fields,o={};for(let i in n){if(i in e){if(n[i].input===!1){if(n[i].defaultValue){o[i]=n[i].defaultValue;continue}continue}if(n[i].validator?.input&&e[i]!==void 0){o[i]=n[i].validator.input.parse(e[i]);continue}o[i]=e[i];continue}if(n[i].defaultValue&&r==="create"){o[i]=n[i].defaultValue;continue}if(n[i].required&&r==="create")throw new Yr("BAD_REQUEST",{message:`${i} is required`})}return o}function he(e,t,r){let n=ve(e,"user");return Xr(t||{},{fields:n,action:r})}import{xchacha20poly1305 as wa}from"@noble/ciphers/chacha";import{bytesToHex as ba,hexToBytes as ka,utf8ToBytes as Ra}from"@noble/ciphers/utils";import{managedNonce as Ta}from"@noble/ciphers/webcrypto";import{sha256 as xa}from"oslo/crypto";import va from"uncrypto";import{decodeHex as en,encodeHex as Tt}from"oslo/encoding";import{scryptAsync as tn}from"@noble/hashes/scrypt";import{getRandomValues as rn}from"uncrypto";var J={N:16384,r:16,p:1,dkLen:64};async function Ut(e,t){return await tn(e.normalize("NFKC"),t,{N:J.N,p:J.p,r:J.r,dkLen:J.dkLen,maxmem:128*J.N*J.r*2})}var xt=async e=>{let t=Tt(rn(new Uint8Array(16))),r=await Ut(e,t);return`${t}:${Tt(r)}`},Ot=async({hash:e,password:t})=>{let[r,n]=e.split(":"),o=await Ut(t,r);return ke(o,en(n))};import vt from"uncrypto";function nn(e){return e.toString(2).padStart(8,"0")}function on(e){return[...e].map(t=>nn(t)).join("")}function St(e){return parseInt(on(e),2)}function sn(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,n=new Uint8Array(Math.ceil(t/8));vt.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1);let o=St(n);for(;o>=e;)vt.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1),o=St(n);return o}function _t(e,t){let r="";for(let n=0;n<e;n++)r+=t[sn(t.length)];return r}function It(...e){let t=new Set(e),r="";for(let n of t)n==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":n==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":n==="0-9"?r+="0123456789":r+=n;return r}var Pt=()=>R("/update-user",{method:"POST",body:v.record(v.string(),v.any()),use:[C],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new O("BAD_REQUEST",{message:b.EMAIL_CAN_NOT_BE_UPDATED});let{name:r,image:n,...o}=t,i=e.context.session;if(n===void 0&&r===void 0&&Object.keys(o).length===0)return e.json({id:i.user.id,email:i.user.email,name:i.user.name,image:i.user.image,emailVerified:i.user.emailVerified,createdAt:i.user.createdAt,updatedAt:i.user.updatedAt});let a=he(e.context.options,o,"update"),u=await e.context.internalAdapter.updateUserByEmail(i.user.email,{name:r,image:n,...a});return await _(e,{session:i.session,user:u}),e.json({id:u.id,email:u.email,name:u.name,image:u.image,emailVerified:u.emailVerified,createdAt:u.createdAt,updatedAt:u.updatedAt})}),Lt=R("/change-password",{method:"POST",body:v.object({newPassword:v.string({description:"The new password to set"}),currentPassword:v.string({description:"The current password"}),revokeOtherSessions:v.boolean({description:"Revoke all other sessions"}).optional()}),use:[C],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:n}=e.body,o=e.context.session,i=e.context.password.config.minPasswordLength;if(t.length<i)throw e.context.logger.error("Password is too short"),new O("BAD_REQUEST",{message:b.PASSWORD_TOO_SHORT});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new O("BAD_REQUEST",{message:b.PASSWORD_TOO_LONG});let c=(await e.context.internalAdapter.findAccounts(o.user.id)).find(p=>p.providerId==="credential"&&p.password);if(!c||!c.password)throw new O("BAD_REQUEST",{message:b.CREDENTIAL_ACCOUNT_NOT_FOUND});let s=await e.context.password.hash(t);if(!await e.context.password.verify({hash:c.password,password:r}))throw new O("BAD_REQUEST",{message:b.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(c.id,{password:s}),n){await e.context.internalAdapter.deleteSessions(o.user.id);let p=await e.context.internalAdapter.createSession(o.user.id,e.headers);if(!p)throw new O("INTERNAL_SERVER_ERROR",{message:b.FAILED_TO_GET_SESSION});await _(e,{session:p,user:o.user})}return e.json(o.user)}),Dt=R("/set-password",{method:"POST",body:v.object({newPassword:v.string()}),metadata:{SERVER_ONLY:!0},use:[C]},async e=>{let{newPassword:t}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new O("BAD_REQUEST",{message:b.PASSWORD_TOO_SHORT});let o=e.context.password.config.maxPasswordLength;if(t.length>o)throw e.context.logger.error("Password is too long"),new O("BAD_REQUEST",{message:b.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(c=>c.providerId==="credential"&&c.password),u=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:u}),e.json(r.user);throw new O("BAD_REQUEST",{message:"user already has a password"})}),Ct=R("/delete-user",{method:"POST",use:[dt],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new O("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let o=_t(32,It("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${o}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let i=`${e.context.baseURL}/delete-user/callback?token=${o}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:i,token:o},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),F(e);let n=e.context.options.user.deleteUser?.afterDelete;return n&&await n(t.user,e.request),e.json({success:!0,message:"User deleted"})}),Nt=R("/delete-user/callback",{method:"GET",query:v.object({token:v.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new O("NOT_FOUND");let t=await W(e);if(!t)throw new O("NOT_FOUND",{message:b.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new O("NOT_FOUND",{message:b.INVALID_TOKEN});if(r.value!==t.user.id)throw new O("NOT_FOUND",{message:b.INVALID_TOKEN});let n=e.context.options.user.deleteUser?.beforeDelete;n&&await n(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),F(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(t.user,e.request),e.json({success:!0,message:"User deleted"})}),Bt=R("/change-email",{method:"POST",query:v.object({currentURL:v.string().optional()}).optional(),body:v.object({newEmail:v.string({description:"The new email to set"}).email(),callbackURL:v.string({description:"The URL to redirect to after email verification"}).optional()}),use:[C],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new O("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new O("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new O("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let o=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:o,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new O("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await $(e.context.secret,e.context.session.user.email,e.body.newEmail),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:n,token:r},e.request),e.json({user:null,status:!0})});var an=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>
6
6
  <meta charset="UTF-8">
package/dist/next-js.cjs CHANGED
@@ -1,5 +1,5 @@
1
1
  "use strict";var kt=Object.create;var Q=Object.defineProperty;var Rt=Object.getOwnPropertyDescriptor;var Et=Object.getOwnPropertyNames;var Ut=Object.getPrototypeOf,_t=Object.prototype.hasOwnProperty;var Tt=(e,t)=>{for(var r in t)Q(e,r,{get:t[r],enumerable:!0})},ye=(e,t,r,o)=>{if(t&&typeof t=="object"||typeof t=="function")for(let n of Et(t))!_t.call(e,n)&&n!==r&&Q(e,n,{get:()=>t[n],enumerable:!(o=Rt(t,n))||o.enumerable});return e};var ae=(e,t,r)=>(r=e!=null?kt(Ut(e)):{},ye(t||!e||!e.__esModule?Q(r,"default",{value:e,enumerable:!0}):r,e)),St=e=>ye(Q({},"__esModule",{value:!0}),e);var xr={};Tt(xr,{nextCookies:()=>vr,toNextJsHandler:()=>Or});module.exports=St(xr);var At=require("next/headers");var Sr=require("oslo"),bt=require("oslo/encoding");var K=require("oslo/crypto");async function vt({value:e,secret:t}){return new K.HMAC("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function xt({value:e,signature:t,secret:r}){return new K.HMAC("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var J={sign:vt,verify:xt};var j=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r,this.stack=""}};var D=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));var Y=Object.create(null),W=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?Y:globalThis),be=new Proxy(Y,{get(e,t){return W()[t]??Y[t]},has(e,t){let r=W();return t in r||t in Y},set(e,t,r){let o=W(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=W(!0);return delete r[t],!0},ownKeys(){let e=W(!0);return Object.keys(e)}});function It(e){return e?e!=="false":!1}var ce=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var Ae=ce==="dev"||ce==="development",Lt=ce==="test"||It(be.TEST);var G=require("better-call");var _e=require("better-call");var V=require("better-call"),ke=(0,V.createMiddleware)(async()=>({})),Z=(0,V.createMiddlewareCreator)({use:[ke,(0,V.createMiddleware)(async()=>({}))]}),f=(0,V.createEndpointCreator)({use:[ke]});function de(e){return e==="-"||e==="^"||e==="$"||e==="+"||e==="."||e==="("||e===")"||e==="|"||e==="["||e==="]"||e==="{"||e==="}"||e==="*"||e==="?"||e==="\\"?`\\${e}`:e}function Pt(e){let t="";for(let r=0;r<e.length;r++)t+=de(e[r]);return t}function Re(e,t=!0){if(Array.isArray(e))return`(?:${e.map(l=>`^${Re(l,t)}$`).join("|")})`;let r="",o="",n=".";t===!0?(r="/",o="[/\\\\]",n="[^/\\\\]"):t&&(r=t,o=Pt(r),o.length>1?(o=`(?:${o})`,n=`((?!${o}).)`):n=`[^${o}]`);let i=t?`${o}+?`:"",s=t?`${o}*?`:"",c=t?e.split(r):[e],a="";for(let d=0;d<c.length;d++){let l=c[d],m=c[d+1],g="";if(!(!l&&d>0)){if(t&&(d===c.length-1?g=s:m!=="**"?g=i:g=""),t&&l==="**"){g&&(a+=d===0?"":g,a+=`(?:${n}*?${g})*?`);continue}for(let w=0;w<l.length;w++){let b=l[w];b==="\\"?w<l.length-1&&(a+=de(l[w+1]),w++):b==="?"?a+=n:b==="*"?a+=`${n}*?`:a+=de(b)}a+=g}}return a}function Dt(e,t){if(typeof t!="string")throw new TypeError(`Sample must be a string, but ${typeof t} given`);return e.test(t)}function le(e,t){if(typeof e!="string"&&!Array.isArray(e))throw new TypeError(`The first argument must be a single pattern string or an array of patterns, but ${typeof e} given`);if((typeof t=="string"||typeof t=="boolean")&&(t={separator:t}),arguments.length===2&&!(typeof t>"u"||typeof t=="object"&&t!==null&&!Array.isArray(t)))throw new TypeError(`The second argument must be an options object or a string/boolean separator, but ${typeof t} given`);if(t=t||{},t.separator==="\\")throw new Error("\\ is not a valid separator because it is used for escaping. Try setting the separator to `true` instead");let r=Re(e,t.separator),o=new RegExp(`^${r}$`,t.flags),n=Dt.bind(null,o);return n.options=t,n.pattern=e,n.regexp=o,n}function Ee(e){try{return new URL(e).origin}catch{return null}}function Ue(e){return e.includes("://")?new URL(e).host:e}var Ct=Z(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,n=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL||r?.callbackURL,s=t?.redirectTo,c=r?.currentURL,a=o.trustedOrigins,d=e.headers?.has("cookie"),l=(g,w)=>g.startsWith("/")?!1:w.includes("*")?le(w)(Ue(g)):g.startsWith(w),m=(g,w)=>{if(!g)return;if(!a.some($=>l(g,$)||g?.startsWith("/")&&w!=="origin"&&!g.includes(":")))throw e.context.logger.error(`Invalid ${w}: ${g}`),e.context.logger.info(`If it's a valid URL, please add ${g} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${a}`),new _e.APIError("FORBIDDEN",{message:`Invalid ${w}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&m(n,"origin"),i&&m(i,"callbackURL"),s&&m(s,"redirectURL"),c&&m(c,"currentURL")});var R=require("better-call"),y=require("zod");var Le=require("@better-fetch/fetch"),Pe=require("better-call"),z=require("jose"),De=require("oslo/jwt");var Te=require("oslo/crypto"),Se=require("oslo/encoding");async function Oe(e){let t=await(0,Te.sha256)(new TextEncoder().encode(e));return Se.base64url.encode(new Uint8Array(t),{includePadding:!1})}function ve(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?D(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function A({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:n,scopes:i,claims:s,redirectURI:c}){let a=new URL(r);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",t.clientId),a.searchParams.set("state",o),a.searchParams.set("scope",i.join(" ")),a.searchParams.set("redirect_uri",t.redirectURI||c),n){let d=await Oe(n);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",d)}if(s){let d=s.reduce((l,m)=>(l[m]=null,l),{});a.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return a}var xe=require("@better-fetch/fetch");async function h({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:n,authentication:i}){let s=new URLSearchParams,c={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),i==="basic"){let m=btoa(`${o.clientId}:${o.clientSecret}`);c.authorization=`Basic ${m}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:d}=await(0,xe.betterFetch)(n,{method:"POST",body:s,headers:c});if(d)throw d;return ve(a)}var X=require("oslo/oauth2"),P=require("zod"),ue=require("better-call");async function ee(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?Ee(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new ue.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,X.generateCodeVerifier)(),n=(0,X.generateState)(),i=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let c=await e.context.internalAdapter.createVerificationValue({value:i,identifier:n,expiresAt:s});if(!c)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new ue.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:c.identifier,codeVerifier:o}}async function Ie(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=P.z.object({callbackURL:P.z.string(),codeVerifier:P.z.string(),errorURL:P.z.string().optional(),expiresAt:P.z.number(),link:P.z.object({email:P.z.string(),userId:P.z.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Ce=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:n}){let i=o||["email","name"];return e.scope&&i.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${i.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>h({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let n=(0,z.decodeProtectedHeader)(r),{kid:i,alg:s}=n;if(!i||!s)return!1;let c=await Nt(i),{payload:a}=await(0,z.jwtVerify)(r,c,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{a[d]!==void 0&&(a[d]=!!a[d])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=(0,De.parseJWT)(r.idToken)?.payload;if(!o)return null;let n=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:n,emailVerified:!1,email:o.email,...i},data:o}}}},Nt=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await(0,Le.betterFetch)(`${t}${r}`);if(!o?.keys)throw new Pe.APIError("BAD_REQUEST",{message:"Keys not found"});let n=o.keys.find(i=>i.kid===e);if(!n)throw new Error(`JWK with kid ${e} not found`);return await(0,z.importJWK)(n,n.alg)};var Ne=require("@better-fetch/fetch");var je=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["identify","email"];return e.scope&&n.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${n.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await(0,Ne.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let i=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${i}.png`}else{let i=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${i}`}let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...n},data:r}}});var Ve=require("@better-fetch/fetch");var Be=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["email","public_profile"];return e.scope&&n.push(...e.scope),await A({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:n,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await(0,Ve.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...n},data:r}}});var pe=require("@better-fetch/fetch");var $e=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:n,redirectURI:i}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),A({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:i})},validateAuthorizationCode:async({code:r,redirectURI:o})=>h({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await(0,pe.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=!1;if(!o.email){let{data:c,error:a}=await(0,pe.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(c.find(d=>d.primary)??c[0])?.email,i=c.find(d=>d.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:i,...s},data:o}}}};var qe=require("oslo/jwt");var ze=require("consola"),me=["info","success","warn","error","debug"];function jt(e,t){return me.indexOf(t)<=me.indexOf(e)}var Vt=(0,ze.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Bt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(n,i,s=[])=>{if(!(!t||!jt(r,n))){if(!e||typeof e.log!="function"){Vt[n]("",i,...s);return}e.log(n==="success"?"info":n,i,s)}};return Object.fromEntries(me.map(n=>[n,(...[i,...s])=>o(n,i,s)]))},O=Bt();var Fe=require("@better-fetch/fetch"),Me=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){if(!e.clientId||!e.clientSecret)throw O.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new j("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new j("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let s=await A({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:o,redirectURI:n});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:n}=await(0,Fe.betterFetch)(o);return n?n.aud===e.clientId&&n.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=(0,qe.parseJWT)(t.idToken)?.payload,o=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...o},data:r}}});var He=require("@better-fetch/fetch"),Ge=require("oslo/jwt");var We=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(n){let i=n.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),A({id:"microsoft",options:e,authorizationEndpoint:r,state:n.state,codeVerifier:n.codeVerifier,scopes:i,redirectURI:n.redirectURI})},validateAuthorizationCode({code:n,codeVerifier:i,redirectURI:s}){return h({code:n,codeVerifier:i,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(n){if(e.getUserInfo)return e.getUserInfo(n);if(!n.idToken)return null;let i=(0,Ge.parseJWT)(n.idToken)?.payload,s=e.profilePhotoSize||48;await(0,He.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${n.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let l=await a.response.clone().arrayBuffer(),m=Buffer.from(l).toString("base64");i.picture=`data:image/jpeg;base64, ${m}`}catch(d){O.error(d&&typeof d=="object"&&"name"in d?d.name:"",d)}}});let c=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0,...c},data:i}}}};var Ze=require("@better-fetch/fetch");var Qe=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),A({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:o,redirectURI:n})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await(0,Ze.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...n},data:r}}});var q={isAction:!1};var Ke=require("nanoid"),Je=e=>(0,Ke.nanoid)(e);var Ye=require("oslo/jwt");var Xe=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["user:read:email","openid"];return e.scope&&n.push(...e.scope),A({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:n,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return O.error("No idToken found in token"),null;let o=(0,Ye.parseJWT)(r)?.payload,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...n},data:o}}});var et=require("@better-fetch/fetch");var tt=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),A({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await(0,et.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...n},data:r}}});var rt=require("@better-fetch/fetch");var ot=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:n,redirectURI:i})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await A({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>await h({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await(0,rt.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...i},data:o}}}};var nt=require("@better-fetch/fetch");var it=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:n,redirectURI:i})=>{let s=n||["profile","email","openid"];return e.scope&&s.push(...e.scope),await A({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:i})},validateAuthorizationCode:async({code:o,redirectURI:n})=>await h({code:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:n,error:i}=await(0,nt.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(i)return null;let s=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,emailVerified:n.email_verified||!1,image:n.picture,...s},data:n}}}};var st=require("@better-fetch/fetch");var fe=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),$t=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:fe(`${t}/oauth/authorize`),tokenEndpoint:fe(`${t}/oauth/token`),userinfoEndpoint:fe(`${t}/api/v4/user`)}},at=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=$t(e.issuer),n="gitlab";return{id:n,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:c,codeVerifier:a,redirectURI:d})=>{let l=c||["read_user"];return e.scope&&l.push(...e.scope),await A({id:n,options:e,authorizationEndpoint:t,scopes:l,state:s,redirectURI:d,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:c,codeVerifier:a})=>h({code:s,redirectURI:e.redirectURI||c,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:c,error:a}=await(0,st.betterFetch)(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||c.state!=="active"||c.locked)return null;let d=await e.mapProfileToUser?.(c);return{user:{id:c.id.toString(),name:c.name??c.username,email:c.email,image:c.avatar_url,emailVerified:!0,...d},data:c}}}};var zt={apple:Ce,discord:je,facebook:Be,github:$e,microsoft:We,google:Me,spotify:Qe,twitch:Xe,twitter:tt,dropbox:ot,linkedin:it,gitlab:at},te=Object.keys(zt);var ut=require("oslo"),re=require("oslo/jwt"),S=require("zod");var F=require("better-call");var x=require("better-call");var C=require("zod");function ct(e){try{return JSON.parse(e)}catch{return null}}var p={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var dt=()=>f("/get-session",{method:"GET",query:C.z.optional(C.z.object({disableCookieCache:C.z.boolean({description:"Disable cookie cache and fetch session from database"}).or(C.z.string().transform(e=>e==="true")).optional(),disableRefresh:C.z.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?ct(Buffer.from(r,"base64").toString()):null;if(o&&!await J.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return I(e),e.json(null);let n=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let l=o.session;if(o.expiresAt<Date.now()||l.session.expiresAt<new Date){let g=e.context.authCookies.sessionData.name;e.setCookie(g,"",{maxAge:0})}else return e.json(l)}let i=await e.context.internalAdapter.findSession(t);if(e.context.session=i,!i||i.session.expiresAt<new Date)return I(e),i&&await e.context.internalAdapter.deleteSession(i.session.token),e.json(null);if(n||e.query?.disableRefresh)return e.json(i);let s=e.context.sessionConfig.expiresIn,c=e.context.sessionConfig.updateAge;if(i.session.expiresAt.valueOf()-s*1e3+c*1e3<=Date.now()){let l=await e.context.internalAdapter.updateSession(i.session.token,{expiresAt:D(e.context.sessionConfig.expiresIn,"sec")});if(!l)return I(e),e.json(null,{status:401});let m=(l.expiresAt.valueOf()-Date.now())/1e3;return await T(e,{session:l,user:i.user},!1,{maxAge:m}),e.json({session:l,user:i.user})}return e.json(i)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new x.APIError("INTERNAL_SERVER_ERROR",{message:p.FAILED_TO_GET_SESSION})}}),B=async(e,t)=>{if(e.context.session)return e.context.session;let r=await dt()({...e,_flag:"json",headers:e.headers,query:t}).catch(o=>null);return e.context.session=r,r},L=Z(async e=>{let t=await B(e);if(!t?.session)throw new x.APIError("UNAUTHORIZED");return{session:t}}),lt=Z(async e=>{let t=await B(e);if(!t?.session)throw new x.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),n=Date.now();if(!(o+r*1e3>n))throw new x.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var qt=f("/revoke-session",{method:"POST",body:C.z.object({token:C.z.string({description:"The token to revoke"})}),use:[L],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new x.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new x.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new x.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Ft=f("/revoke-sessions",{method:"POST",use:[L],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new x.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Mt=f("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[L],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new x.APIError("UNAUTHORIZED");let n=(await e.context.internalAdapter.listSessions(t.user.id)).filter(i=>i.expiresAt>new Date).filter(i=>i.token!==e.context.session.session.token);return await Promise.all(n.map(i=>e.context.internalAdapter.deleteSession(i.token))),e.json({status:!0})});async function N(e,t,r){return await(0,re.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new ut.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Ht(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:r},e.request)}var Gt=f("/send-verification-email",{method:"POST",query:S.z.object({currentURL:S.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:S.z.object({email:S.z.string({description:"The email to send the verification email to"}).email(),callbackURL:S.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new F.APIError("BAD_REQUEST",{message:p.USER_NOT_FOUND});return await Ht(e,r.user),e.json({status:!0})}),Wt=f("/verify-email",{method:"GET",query:S.z.object({token:S.z.string({description:"The token to verify the email"}),callbackURL:S.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(c){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${c}`):new F.APIError("UNAUTHORIZED",{message:c})}let{token:r}=e.query,o;try{o=await(0,re.validateJWT)("HS256",Buffer.from(e.context.secret),r)}catch(c){return e.context.logger.error("Failed to verify email",c),t("invalid_token")}let i=S.z.object({email:S.z.string().email(),updateTo:S.z.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(i.email);if(!s)return t("user_not_found");if(i.updateTo){let c=await B(e);if(!c){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(c.user.email!==i.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(i.email,{email:i.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(i.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await B(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new F.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await T(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function oe(e,{userInfo:t,account:r,callbackURL:o}){let n=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(c=>{throw O.error(`Better auth was unable to query your database.
2
+ `,`Current list of trustedOrigins: ${a}`),new _e.APIError("FORBIDDEN",{message:`Invalid ${w}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&m(n,"origin"),i&&m(i,"callbackURL"),s&&m(s,"redirectURL"),c&&m(c,"currentURL")});var R=require("better-call"),y=require("zod");var Le=require("@better-fetch/fetch"),Pe=require("better-call"),z=require("jose"),De=require("oslo/jwt");var Te=require("oslo/crypto"),Se=require("oslo/encoding");async function Oe(e){let t=await(0,Te.sha256)(new TextEncoder().encode(e));return Se.base64url.encode(new Uint8Array(t),{includePadding:!1})}function ve(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?D(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function A({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:n,scopes:i,claims:s,redirectURI:c}){let a=new URL(r);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",t.clientId),a.searchParams.set("state",o),a.searchParams.set("scope",i.join(" ")),a.searchParams.set("redirect_uri",t.redirectURI||c),n){let d=await Oe(n);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",d)}if(s){let d=s.reduce((l,m)=>(l[m]=null,l),{});a.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return a}var xe=require("@better-fetch/fetch");async function h({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:n,authentication:i}){let s=new URLSearchParams,c={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),i==="basic"){let m=btoa(`${o.clientId}:${o.clientSecret}`);c.authorization=`Basic ${m}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:d}=await(0,xe.betterFetch)(n,{method:"POST",body:s,headers:c});if(d)throw d;return ve(a)}var X=require("oslo/oauth2"),P=require("zod"),ue=require("better-call");async function ee(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?Ee(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new ue.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,X.generateCodeVerifier)(),n=(0,X.generateState)(),i=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let c=await e.context.internalAdapter.createVerificationValue({value:i,identifier:n,expiresAt:s});if(!c)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new ue.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:c.identifier,codeVerifier:o}}async function Ie(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=P.z.object({callbackURL:P.z.string(),codeVerifier:P.z.string(),errorURL:P.z.string().optional(),expiresAt:P.z.number(),link:P.z.object({email:P.z.string(),userId:P.z.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Ce=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:n}){let i=o||["email","name"];return e.scope&&i.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${i.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>h({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let n=(0,z.decodeProtectedHeader)(r),{kid:i,alg:s}=n;if(!i||!s)return!1;let c=await Nt(i),{payload:a}=await(0,z.jwtVerify)(r,c,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{a[d]!==void 0&&(a[d]=!!a[d])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=(0,De.parseJWT)(r.idToken)?.payload;if(!o)return null;let n=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:n,emailVerified:!1,email:o.email,...i},data:o}}}},Nt=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await(0,Le.betterFetch)(`${t}${r}`);if(!o?.keys)throw new Pe.APIError("BAD_REQUEST",{message:"Keys not found"});let n=o.keys.find(i=>i.kid===e);if(!n)throw new Error(`JWK with kid ${e} not found`);return await(0,z.importJWK)(n,n.alg)};var Ne=require("@better-fetch/fetch");var je=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["identify","email"];return e.scope&&n.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${n.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await(0,Ne.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let i=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${i}.png`}else{let i=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${i}`}let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...n},data:r}}});var Ve=require("@better-fetch/fetch");var Be=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["email","public_profile"];return e.scope&&n.push(...e.scope),await A({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:n,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await(0,Ve.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...n},data:r}}});var pe=require("@better-fetch/fetch");var $e=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:n,redirectURI:i}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),A({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:i})},validateAuthorizationCode:async({code:r,redirectURI:o})=>h({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await(0,pe.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=!1;if(!o.email){let{data:c,error:a}=await(0,pe.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(c.find(d=>d.primary)??c[0])?.email,i=c.find(d=>d.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:i,...s},data:o}}}};var qe=require("oslo/jwt");var ze=require("consola"),me=["info","success","warn","error","debug"];function jt(e,t){return me.indexOf(t)<=me.indexOf(e)}var Vt=(0,ze.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Bt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(n,i,s=[])=>{if(!(!t||!jt(r,n))){if(!e||typeof e.log!="function"){Vt[n]("",i,...s);return}e.log(n==="success"?"info":n,i,s)}};return Object.fromEntries(me.map(n=>[n,(...[i,...s])=>o(n,i,s)]))},O=Bt();var Fe=require("@better-fetch/fetch"),Me=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){if(!e.clientId||!e.clientSecret)throw O.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new j("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new j("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let s=await A({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:o,redirectURI:n});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:n}=await(0,Fe.betterFetch)(o);return n?n.aud===e.clientId&&n.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=(0,qe.parseJWT)(t.idToken)?.payload,o=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...o},data:r}}});var He=require("@better-fetch/fetch"),Ge=require("oslo/jwt");var We=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(n){let i=n.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),A({id:"microsoft",options:e,authorizationEndpoint:r,state:n.state,codeVerifier:n.codeVerifier,scopes:i,redirectURI:n.redirectURI})},validateAuthorizationCode({code:n,codeVerifier:i,redirectURI:s}){return h({code:n,codeVerifier:i,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(n){if(e.getUserInfo)return e.getUserInfo(n);if(!n.idToken)return null;let i=(0,Ge.parseJWT)(n.idToken)?.payload,s=e.profilePhotoSize||48;await(0,He.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${n.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let l=await a.response.clone().arrayBuffer(),m=Buffer.from(l).toString("base64");i.picture=`data:image/jpeg;base64, ${m}`}catch(d){O.error(d&&typeof d=="object"&&"name"in d?d.name:"",d)}}});let c=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0,...c},data:i}}}};var Ze=require("@better-fetch/fetch");var Qe=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),A({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:o,redirectURI:n})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await(0,Ze.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...n},data:r}}});var q={isAction:!1};var Ke=require("nanoid"),Je=e=>(0,Ke.nanoid)(e);var Ye=require("oslo/jwt");var Xe=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["user:read:email","openid"];return e.scope&&n.push(...e.scope),A({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:n,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return O.error("No idToken found in token"),null;let o=(0,Ye.parseJWT)(r)?.payload,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...n},data:o}}});var et=require("@better-fetch/fetch");var tt=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),A({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>h({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await(0,et.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let n=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...n},data:r}}});var rt=require("@better-fetch/fetch");var ot=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:n,redirectURI:i})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await A({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>await h({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await(0,rt.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...i},data:o}}}};var nt=require("@better-fetch/fetch");var it=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:n,redirectURI:i})=>{let s=n||["profile","email","openid"];return e.scope&&s.push(...e.scope),await A({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:i})},validateAuthorizationCode:async({code:o,redirectURI:n})=>await h({code:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:n,error:i}=await(0,nt.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(i)return null;let s=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,emailVerified:n.email_verified||!1,image:n.picture,...s},data:n}}}};var st=require("@better-fetch/fetch");var fe=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),$t=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:fe(`${t}/oauth/authorize`),tokenEndpoint:fe(`${t}/oauth/token`),userinfoEndpoint:fe(`${t}/api/v4/user`)}},at=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=$t(e.issuer),n="gitlab";return{id:n,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:c,codeVerifier:a,redirectURI:d})=>{let l=c||["read_user"];return e.scope&&l.push(...e.scope),await A({id:n,options:e,authorizationEndpoint:t,scopes:l,state:s,redirectURI:d,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:c,codeVerifier:a})=>h({code:s,redirectURI:e.redirectURI||c,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:c,error:a}=await(0,st.betterFetch)(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||c.state!=="active"||c.locked)return null;let d=await e.mapProfileToUser?.(c);return{user:{id:c.id.toString(),name:c.name??c.username,email:c.email,image:c.avatar_url,emailVerified:!0,...d},data:c}}}};var zt={apple:Ce,discord:je,facebook:Be,github:$e,microsoft:We,google:Me,spotify:Qe,twitch:Xe,twitter:tt,dropbox:ot,linkedin:it,gitlab:at},te=Object.keys(zt);var ut=require("oslo"),re=require("oslo/jwt"),S=require("zod");var F=require("better-call");var x=require("better-call");var C=require("zod");function ct(e){try{return JSON.parse(e)}catch{return null}}var p={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var dt=()=>f("/get-session",{method:"GET",query:C.z.optional(C.z.object({disableCookieCache:C.z.boolean({description:"Disable cookie cache and fetch session from database"}).or(C.z.string().transform(e=>e==="true")).optional(),disableRefresh:C.z.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?ct(Buffer.from(r,"base64").toString()):null;if(o&&!await J.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return I(e),e.json(null);let n=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let l=o.session;if(o.expiresAt<Date.now()||l.session.expiresAt<new Date){let g=e.context.authCookies.sessionData.name;e.setCookie(g,"",{maxAge:0})}else return e.json(l)}let i=await e.context.internalAdapter.findSession(t);if(e.context.session=i,!i||i.session.expiresAt<new Date)return I(e),i&&await e.context.internalAdapter.deleteSession(i.session.token),e.json(null);if(n||e.query?.disableRefresh)return e.json(i);let s=e.context.sessionConfig.expiresIn,c=e.context.sessionConfig.updateAge;if(i.session.expiresAt.valueOf()-s*1e3+c*1e3<=Date.now()){let l=await e.context.internalAdapter.updateSession(i.session.token,{expiresAt:D(e.context.sessionConfig.expiresIn,"sec")});if(!l)return I(e),e.json(null,{status:401});let m=(l.expiresAt.valueOf()-Date.now())/1e3;return await T(e,{session:l,user:i.user},!1,{maxAge:m}),e.json({session:l,user:i.user})}return e.json(i)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new x.APIError("INTERNAL_SERVER_ERROR",{message:p.FAILED_TO_GET_SESSION})}}),B=async(e,t)=>{if(e.context.session)return e.context.session;let r=await dt()({...e,_flag:"json",headers:e.headers,query:t}).catch(o=>null);return e.context.session=r,r},L=Z(async e=>{let t=await B(e);if(!t?.session)throw new x.APIError("UNAUTHORIZED");return{session:t}}),lt=Z(async e=>{let t=await B(e);if(!t?.session)throw new x.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),n=Date.now();if(!(o+r*1e3>n))throw new x.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var qt=f("/revoke-session",{method:"POST",body:C.z.object({token:C.z.string({description:"The token to revoke"})}),use:[L],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new x.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new x.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new x.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Ft=f("/revoke-sessions",{method:"POST",use:[L],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new x.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Mt=f("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[L],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new x.APIError("UNAUTHORIZED");let n=(await e.context.internalAdapter.listSessions(t.user.id)).filter(i=>i.expiresAt>new Date).filter(i=>i.token!==e.context.session.session.token);return await Promise.all(n.map(i=>e.context.internalAdapter.deleteSession(i.token))),e.json({status:!0})});async function N(e,t,r){return await(0,re.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new ut.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Ht(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:r},e.request)}var Gt=f("/send-verification-email",{method:"POST",query:S.z.object({currentURL:S.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:S.z.object({email:S.z.string({description:"The email to send the verification email to"}).email(),callbackURL:S.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new F.APIError("BAD_REQUEST",{message:p.USER_NOT_FOUND});return await Ht(e,r.user),e.json({status:!0})}),Wt=f("/verify-email",{method:"GET",query:S.z.object({token:S.z.string({description:"The token to verify the email"}),callbackURL:S.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(c){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${c}`):new F.APIError("UNAUTHORIZED",{message:c})}let{token:r}=e.query,o;try{o=await(0,re.validateJWT)("HS256",Buffer.from(e.context.secret),r)}catch(c){return e.context.logger.error("Failed to verify email",c),t("invalid_token")}let i=S.z.object({email:S.z.string().email(),updateTo:S.z.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(i.email);if(!s)return t("user_not_found");if(i.updateTo){let c=await B(e);if(!c){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(c.user.email!==i.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(i.email,{email:i.updateTo,emailVerified:!1});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(i.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await B(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new F.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await T(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function oe(e,{userInfo:t,account:r,callbackURL:o}){let n=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(c=>{throw O.error(`Better auth was unable to query your database.
3
3
  Error: `,c),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),i=n?.user;if(n){let c=n.accounts.find(a=>a.providerId===r.providerId);if(c){let a=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([d,l])=>l!==void 0));Object.keys(a).length>0&&await e.context.internalAdapter.updateAccount(c.id,a)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Ae&&O.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:n.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(l){return O.error("Unable to link account",l),{error:"unable to link account",data:null}}i=await e.context.internalAdapter.updateUser(n.user.id,{...t,updatedAt:new Date})}}else if(i=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(c=>c?.user),!t.emailVerified&&i&&e.context.options.emailVerification?.sendOnSignUp){let c=await N(e.context.secret,i.email),a=`${e.context.baseURL}/verify-email?token=${c}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:i,url:a,token:c},e.request)}if(!i)return{error:"unable to create user",data:null};let s=await e.context.internalAdapter.createSession(i.id,e.request);return s?{data:{session:s,user:i},error:null}:{error:"unable to create session",data:null}}var Zt=f("/sign-in/social",{method:"POST",query:y.z.object({currentURL:y.z.string().optional()}).optional(),body:y.z.object({callbackURL:y.z.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:y.z.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:y.z.enum(te,{description:"OAuth2 provider to use"}),disableRedirect:y.z.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:y.z.optional(y.z.object({token:y.z.string({description:"ID token from the provider"}),nonce:y.z.string({description:"Nonce used to generate the token"}).optional(),accessToken:y.z.string({description:"Access token from the provider"}).optional(),refreshToken:y.z.string({description:"Refresh token from the provider"}).optional(),expiresAt:y.z.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new R.APIError("NOT_FOUND",{message:p.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new R.APIError("NOT_FOUND",{message:p.ID_TOKEN_NOT_SUPPORTED});let{token:i,nonce:s}=e.body.idToken;if(!await t.verifyIdToken(i,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new R.APIError("UNAUTHORIZED",{message:p.INVALID_TOKEN});let a=await t.getUserInfo({idToken:i,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new R.APIError("UNAUTHORIZED",{message:p.FAILED_TO_GET_USER_INFO});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new R.APIError("UNAUTHORIZED",{message:p.USER_EMAIL_NOT_FOUND});let d=await oe(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:t.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new R.APIError("UNAUTHORIZED",{message:d.error});return await T(e,d.data),e.json({session:d.data.session,user:d.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:o}=await ee(e),n=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:n.toString(),redirect:!e.body.disableRedirect})}),Qt=f("/sign-in/email",{method:"POST",body:y.z.object({email:y.z.string({description:"Email of the user"}),password:y.z.string({description:"Password of the user"}),callbackURL:y.z.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:y.z.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new R.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!y.z.string().email().safeParse(t).success)throw new R.APIError("BAD_REQUEST",{message:p.INVALID_EMAIL});let n=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!n)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new R.APIError("UNAUTHORIZED",{message:p.INVALID_EMAIL_OR_PASSWORD});let i=n.accounts.find(d=>d.providerId==="credential");if(!i)throw e.context.logger.error("Credential account not found",{email:t}),new R.APIError("UNAUTHORIZED",{message:p.INVALID_EMAIL_OR_PASSWORD});let s=i?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new R.APIError("UNAUTHORIZED",{message:p.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:s,password:r}))throw e.context.logger.error("Invalid password"),new R.APIError("UNAUTHORIZED",{message:p.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!n.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new R.APIError("UNAUTHORIZED",{message:p.EMAIL_NOT_VERIFIED});let d=await N(e.context.secret,n.user.email),l=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:n.user,url:l,token:d},e.request),e.context.logger.error("Email not verified",{email:t}),new R.APIError("FORBIDDEN",{message:p.EMAIL_NOT_VERIFIED})}let a=await e.context.internalAdapter.createSession(n.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new R.APIError("UNAUTHORIZED",{message:p.FAILED_TO_CREATE_SESSION});return await T(e,{session:a,user:n.user},e.body.rememberMe===!1),e.json({user:{id:n.user.id,email:n.user.email,name:n.user.name,image:n.user.image,emailVerified:n.user.emailVerified,createdAt:n.user.createdAt,updatedAt:n.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var M=require("zod");var ne=M.z.object({code:M.z.string().optional(),error:M.z.string().optional(),errorMessage:M.z.string().optional(),state:M.z.string().optional()}),Kt=f("/callback/:id",{method:["GET","POST"],body:ne.optional(),query:ne.optional(),metadata:q},async e=>{let t;try{if(e.method==="GET")t=ne.parse(e.query);else if(e.method==="POST")t=ne.parse(e.body);else throw new Error("Unsupported method")}catch(_){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",_),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:o,state:n}=t;if(!n)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let i=e.context.socialProviders.find(_=>_.id===e.params.id);if(!i)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:s,callbackURL:c,link:a,errorURL:d}=await Ie(e),l;try{l=await i.validateAuthorizationCode({code:r,codeVerifier:s,redirectURI:`${e.context.baseURL}/callback/${i.id}`})}catch(_){throw e.context.logger.error("",_),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let m=await i.getUserInfo(l).then(_=>_?.user);function g(_){let v=d||c||`${e.context.baseURL}/error`;throw v.includes("?")?v=`${v}&error=${_}`:v=`${v}?error=${_}`,e.redirect(v)}if(!m)return e.context.logger.error("Unable to get user info"),g("unable_to_get_user_info");if(!m.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),g("email_not_found");if(!c)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(a){if(a.email!==m.email.toLowerCase())return g("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:a.userId,providerId:i.id,accountId:m.id}))return g("unable_to_link_account");let v;try{v=new URL(c).toString()}catch{v=c}throw e.redirect(v)}let w=await oe(e,{userInfo:{...m,email:m.email,name:m.name||m.email},account:{providerId:i.id,accountId:m.id,...l,scope:l.scopes?.join(",")},callbackURL:c});if(w.error)return e.context.logger.error(w.error.split(" ").join("_")),g(w.error.split(" ").join("_"));let{session:b,user:$}=w.data;await T(e,{session:b,user:$});let se;try{se=new URL(c).toString()}catch{se=c}throw e.redirect(se)});var Yn=require("zod");var pt=require("better-call");var Jt=f("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw I(e),new pt.APIError("BAD_REQUEST",{message:p.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),I(e),e.json({success:!0})});var U=require("zod");var ie=require("better-call");function mt(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}function Yt(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}var Xt=f("/forget-password",{method:"POST",body:U.z.object({email:U.z.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:U.z.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new ie.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let n=60*60*1,i=D(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||n,"sec"),s=Je(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id.toString(),identifier:`reset-password:${s}`,expiresAt:i});let c=`${e.context.baseURL}/reset-password/${s}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:c,token:s},e.request),e.json({status:!0})}),er=f("/reset-password/:token",{method:"GET",query:U.z.object({callbackURL:U.z.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(mt(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(mt(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Yt(e.context,r,{token:t}))}),tr=f("/reset-password",{query:U.z.optional(U.z.object({token:U.z.string().optional(),currentURL:U.z.string().optional()})),method:"POST",body:U.z.object({newPassword:U.z.string({description:"The new password to set"}),token:U.z.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new ie.APIError("BAD_REQUEST",{message:p.INVALID_TOKEN});let{newPassword:r}=e.body,o=`reset-password:${t}`,n=await e.context.internalAdapter.findVerificationValue(o);if(!n||n.expiresAt<new Date)throw new ie.APIError("BAD_REQUEST",{message:p.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(n.id);let i=n.value,s=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(i)).find(d=>d.providerId==="credential")?(await e.context.internalAdapter.updatePassword(i,s),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:i,providerId:"credential",password:s,accountId:i}),e.json({status:!0}))});var E=require("zod");var k=require("better-call");var u=require("zod"),rr=require("better-call"),di=u.z.object({id:u.z.string(),providerId:u.z.string(),accountId:u.z.string(),userId:u.z.string(),accessToken:u.z.string().nullish(),refreshToken:u.z.string().nullish(),idToken:u.z.string().nullish(),accessTokenExpiresAt:u.z.date().nullish(),refreshTokenExpiresAt:u.z.date().nullish(),scope:u.z.string().nullish(),password:u.z.string().nullish(),createdAt:u.z.date().default(()=>new Date),updatedAt:u.z.date().default(()=>new Date)}),li=u.z.object({id:u.z.string(),email:u.z.string().transform(e=>e.toLowerCase()),emailVerified:u.z.boolean().default(!1),name:u.z.string(),image:u.z.string().nullish(),createdAt:u.z.date().default(()=>new Date),updatedAt:u.z.date().default(()=>new Date)}),ui=u.z.object({id:u.z.string(),userId:u.z.string(),expiresAt:u.z.date(),createdAt:u.z.date().default(()=>new Date),updatedAt:u.z.date().default(()=>new Date),token:u.z.string(),ipAddress:u.z.string().nullish(),userAgent:u.z.string().nullish()}),pi=u.z.object({id:u.z.string(),value:u.z.string(),createdAt:u.z.date().default(()=>new Date),updatedAt:u.z.date().default(()=>new Date),expiresAt:u.z.date(),identifier:u.z.string()});var cr=require("@noble/ciphers/chacha"),he=require("@noble/ciphers/utils"),dr=require("@noble/ciphers/webcrypto"),lr=require("oslo/crypto"),ur=ae(require("uncrypto"),1);var ft=require("oslo/encoding");var or=require("@noble/hashes/scrypt"),nr=require("uncrypto");var ge=ae(require("uncrypto"),1);function ir(e){return e.toString(2).padStart(8,"0")}function sr(e){return[...e].map(t=>ir(t)).join("")}function gt(e){return parseInt(sr(e),2)}function ar(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new Uint8Array(Math.ceil(t/8));ge.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let n=gt(o);for(;n>=e;)ge.default.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),n=gt(o);return n}function ht(e,t){let r="";for(let o=0;o<e;o++)r+=t[ar(t.length)];return r}function wt(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var mr=f("/change-password",{method:"POST",body:E.z.object({newPassword:E.z.string({description:"The new password to set"}),currentPassword:E.z.string({description:"The current password"}),revokeOtherSessions:E.z.boolean({description:"Revoke all other sessions"}).optional()}),use:[L],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,n=e.context.session,i=e.context.password.config.minPasswordLength;if(t.length<i)throw e.context.logger.error("Password is too short"),new k.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_SHORT});let s=e.context.password.config.maxPasswordLength;if(t.length>s)throw e.context.logger.error("Password is too long"),new k.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(n.user.id)).find(m=>m.providerId==="credential"&&m.password);if(!a||!a.password)throw new k.APIError("BAD_REQUEST",{message:p.CREDENTIAL_ACCOUNT_NOT_FOUND});let d=await e.context.password.hash(t);if(!await e.context.password.verify({hash:a.password,password:r}))throw new k.APIError("BAD_REQUEST",{message:p.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(a.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(n.user.id);let m=await e.context.internalAdapter.createSession(n.user.id,e.headers);if(!m)throw new k.APIError("INTERNAL_SERVER_ERROR",{message:p.FAILED_TO_GET_SESSION});await T(e,{session:m,user:n.user})}return e.json(n.user)}),fr=f("/set-password",{method:"POST",body:E.z.object({newPassword:E.z.string()}),metadata:{SERVER_ONLY:!0},use:[L]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new k.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_SHORT});let n=e.context.password.config.maxPasswordLength;if(t.length>n)throw e.context.logger.error("Password is too long"),new k.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_LONG});let s=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password),c=await e.context.password.hash(t);if(!s)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:c}),e.json(r.user);throw new k.APIError("BAD_REQUEST",{message:"user already has a password"})}),gr=f("/delete-user",{method:"POST",use:[lt],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new k.APIError("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let n=ht(32,wt("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${n}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let i=`${e.context.baseURL}/delete-user/callback?token=${n}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:i,token:n},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),I(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(t.user,e.request),e.json({success:!0,message:"User deleted"})}),hr=f("/delete-user/callback",{method:"GET",query:E.z.object({token:E.z.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new k.APIError("NOT_FOUND");let t=await B(e);if(!t)throw new k.APIError("NOT_FOUND",{message:p.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new k.APIError("NOT_FOUND",{message:p.INVALID_TOKEN});if(r.value!==t.user.id)throw new k.APIError("NOT_FOUND",{message:p.INVALID_TOKEN});let o=e.context.options.user.deleteUser?.beforeDelete;o&&await o(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),I(e);let n=e.context.options.user.deleteUser?.afterDelete;return n&&await n(t.user,e.request),e.json({success:!0,message:"User deleted"})}),wr=f("/change-email",{method:"POST",query:E.z.object({currentURL:E.z.string().optional()}).optional(),body:E.z.object({newEmail:E.z.string({description:"The new email to set"}).email(),callbackURL:E.z.string({description:"The URL to redirect to after email verification"}).optional()}),use:[L],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new k.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new k.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new k.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let n=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:n,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new k.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:r},e.request),e.json({user:null,status:!0})});var yr=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>