better-auth 1.0.13 → 1.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/dist/api.cjs +2 -2
  2. package/dist/api.js +2 -2
  3. package/dist/cookies.cjs +1 -1
  4. package/dist/cookies.js +1 -1
  5. package/dist/index.cjs +2 -2
  6. package/dist/index.js +2 -2
  7. package/dist/next-js.cjs +1 -1
  8. package/dist/next-js.js +1 -1
  9. package/dist/plugins.cjs +2 -2
  10. package/dist/plugins.js +2 -2
  11. package/package.json +4 -1
package/dist/plugins.js CHANGED
@@ -1,5 +1,5 @@
1
1
  import{APIError as Yi}from"better-call";import{z as xe}from"zod";import{createEndpointCreator as Ot,createMiddleware as _o,createMiddlewareCreator as Tt}from"better-call";var vo=_o(async()=>({})),N=Tt({use:[vo,_o(async()=>({}))]}),p=Ot({use:[vo]});import{APIError as Z}from"better-call";import{z as B}from"zod";import{TimeSpan as ca}from"oslo";import{base64url as Wt}from"oslo/encoding";import{HMAC as ko,sha256 as vn}from"oslo/crypto";async function Rt({value:e,secret:i}){return new ko("SHA-256").sign(new TextEncoder().encode(i),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function It({value:e,signature:i,secret:t}){return new ko("SHA-256").verify(new TextEncoder().encode(t),Buffer.from(i,"base64"),new TextEncoder().encode(e))}var Ge={sign:Rt,verify:It};var ee=class extends Error{constructor(i,t){super(i),this.name="BetterAuthError",this.message=i,this.cause=t,this.stack=""}};var k=(e,i="ms")=>new Date(Date.now()+(i==="sec"?e*1e3:e));var Ze=Object.create(null),_e=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?Ze:globalThis),ne=new Proxy(Ze,{get(e,i){return _e()[i]??Ze[i]},has(e,i){let t=_e();return i in t||i in Ze},set(e,i,t){let o=_e(!0);return o[i]=t,!0},deleteProperty(e,i){if(!i)return!1;let t=_e(!0);return delete t[i],!0},ownKeys(){let e=_e(!0);return Object.keys(e)}});function St(e){return e?e!=="false":!1}var po=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var Po=po==="dev"||po==="development",Ut=po==="test"||St(ne.TEST);import{APIError as Pe,createRouter as Gs,getCookie as Ht,getSignedCookie as $t,setCookie as Gt,setSignedCookie as Zt}from"better-call";import{APIError as kt}from"better-call";function Ko(e){return e==="-"||e==="^"||e==="$"||e==="+"||e==="."||e==="("||e===")"||e==="|"||e==="["||e==="]"||e==="{"||e==="}"||e==="*"||e==="?"||e==="\\"?`\\${e}`:e}function _t(e){let i="";for(let t=0;t<e.length;t++)i+=Ko(e[t]);return i}function No(e,i=!0){if(Array.isArray(e))return`(?:${e.map(c=>`^${No(c,i)}$`).join("|")})`;let t="",o="",r=".";i===!0?(t="/",o="[/\\\\]",r="[^/\\\\]"):i&&(t=i,o=_t(t),o.length>1?(o=`(?:${o})`,r=`((?!${o}).)`):r=`[^${o}]`);let n=i?`${o}+?`:"",s=i?`${o}*?`:"",A=i?e.split(t):[e],a="";for(let d=0;d<A.length;d++){let c=A[d],l=A[d+1],u="";if(!(!c&&d>0)){if(i&&(d===A.length-1?u=s:l!=="**"?u=n:u=""),i&&c==="**"){u&&(a+=d===0?"":u,a+=`(?:${r}*?${u})*?`);continue}for(let K=0;K<c.length;K++){let m=c[K];m==="\\"?K<c.length-1&&(a+=Ko(c[K+1]),K++):m==="?"?a+=r:m==="*"?a+=`${r}*?`:a+=Ko(m)}a+=u}}return a}function vt(e,i){if(typeof i!="string")throw new TypeError(`Sample must be a string, but ${typeof i} given`);return e.test(i)}function uo(e,i){if(typeof e!="string"&&!Array.isArray(e))throw new TypeError(`The first argument must be a single pattern string or an array of patterns, but ${typeof e} given`);if((typeof i=="string"||typeof i=="boolean")&&(i={separator:i}),arguments.length===2&&!(typeof i>"u"||typeof i=="object"&&i!==null&&!Array.isArray(i)))throw new TypeError(`The second argument must be an options object or a string/boolean separator, but ${typeof i} given`);if(i=i||{},i.separator==="\\")throw new Error("\\ is not a valid separator because it is used for escaping. Try setting the separator to `true` instead");let t=No(e,i.separator),o=new RegExp(`^${t}$`,i.flags),r=vt.bind(null,o);return r.options=i,r.pattern=e,r.regexp=o,r}function Ce(e){try{return new URL(e).origin}catch{return null}}function Do(e){return e.includes("://")?new URL(e).host:e}var Pt=N(async e=>{if(e.request?.method!=="POST")return;let{body:i,query:t,context:o}=e,r=e.headers?.get("origin")||e.headers?.get("referer")||"",n=i?.callbackURL||t?.callbackURL,s=i?.redirectTo,A=t?.currentURL,a=o.trustedOrigins,d=e.headers?.has("cookie"),c=(u,K)=>u.startsWith("/")?!1:K.includes("*")?uo(K)(Do(u)):u.startsWith(K),l=(u,K)=>{if(!u)return;if(!a.some(E=>c(u,E)||u?.startsWith("/")&&K!=="origin"&&!u.includes(":")))throw e.context.logger.error(`Invalid ${K}: ${u}`),e.context.logger.info(`If it's a valid URL, please add ${u} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${a}`),new kt("FORBIDDEN",{message:`Invalid ${K}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&l(r,"origin"),n&&l(n,"callbackURL"),s&&l(s,"redirectURL"),A&&l(A,"currentURL")});var be={isAction:!1};var Lo=p("/ok",{method:"GET",metadata:{...be,openapi:{description:"Check if the API is working",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{ok:{type:"boolean"}}}}}}}}}},async e=>e.json({ok:!0}));import{z as Oe}from"zod";import{TimeSpan as Nt}from"oslo";import{createJWT as Dt,validateJWT as Lt}from"oslo/jwt";import{z as se}from"zod";import{APIError as ke}from"better-call";import{APIError as ce}from"better-call";import{z as he}from"zod";function lo(e){try{return JSON.parse(e)}catch{return null}}var g={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var go=()=>p("/get-session",{method:"GET",query:he.optional(he.object({disableCookieCache:he.boolean({description:"Disable cookie cache and fetch session from database"}).or(he.string().transform(e=>e==="true")).optional(),disableRefresh:he.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let i=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!i)return e.json(null);let t=e.getCookie(e.context.authCookies.sessionData.name),o=t?lo(Buffer.from(t,"base64").toString()):null;if(o&&!await Ge.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return H(e),e.json(null);let r=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let c=o.session;if(o.expiresAt<Date.now()||c.session.expiresAt<new Date){let u=e.context.authCookies.sessionData.name;e.setCookie(u,"",{maxAge:0})}else return e.json(c)}let n=await e.context.internalAdapter.findSession(i);if(e.context.session=n,!n||n.session.expiresAt<new Date)return H(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(r||e.query?.disableRefresh)return e.json(n);let s=e.context.sessionConfig.expiresIn,A=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-s*1e3+A*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:k(e.context.sessionConfig.expiresIn,"sec")});if(!c)return H(e),e.json(null,{status:401});let l=(c.expiresAt.valueOf()-Date.now())/1e3;return await h(e,{session:c,user:n.user},!1,{maxAge:l}),e.json({session:c,user:n.user})}return e.json(n)}catch(i){throw e.context.logger.error("INTERNAL_SERVER_ERROR",i),new ce("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_GET_SESSION})}}),S=async(e,i)=>{if(e.context.session)return e.context.session;let t=await go()({...e,_flag:"json",headers:e.headers,query:i}).catch(o=>null);return e.context.session=t,t},R=N(async e=>{let i=await S(e);if(!i?.session)throw new ce("UNAUTHORIZED");return{session:i}}),ve=N(async e=>{let i=await S(e);if(!i?.session)throw new ce("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:i};let t=e.context.sessionConfig.freshAge,o=i.session.createdAt.valueOf(),r=Date.now();if(!(o+t*1e3>r))throw new ce("FORBIDDEN",{message:"Session is not fresh"});return{session:i}}),Bo=()=>p("/list-sessions",{method:"GET",use:[R],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let t=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(o=>o.expiresAt>new Date);return e.json(t)}),xo=p("/revoke-session",{method:"POST",body:he.object({token:he.string({description:"The token to revoke"})}),use:[R],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let i=e.body.token,t=await e.context.internalAdapter.findSession(i);if(!t)throw new ce("BAD_REQUEST",{message:"Session not found"});if(t.session.userId!==e.context.session.user.id)throw new ce("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(i)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new ce("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),jo=p("/revoke-sessions",{method:"POST",use:[R],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(i){throw e.context.logger.error(i&&typeof i=="object"&&"name"in i?i.name:"",i),new ce("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),zo=p("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[R],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let i=e.context.session;if(!i.user)throw new ce("UNAUTHORIZED");let r=(await e.context.internalAdapter.listSessions(i.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(r.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function pe(e,i,t){return await Dt("HS256",Buffer.from(e),{email:i.toLowerCase(),updateTo:t},{expiresIn:new Nt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[i],includeIssuedTimestamp:!0})}async function mo(e,i){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new ke("BAD_REQUEST",{message:"Verification email isn't enabled"});let t=await pe(e.context.secret,i.email),o=`${e.context.baseURL}/verify-email?token=${t}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:i,url:o,token:t},e.request)}var Fo=p("/send-verification-email",{method:"POST",query:se.object({currentURL:se.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:se.object({email:se.string({description:"The email to send the verification email to"}).email(),callbackURL:se.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new ke("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:i}=e.body,t=await e.context.internalAdapter.findUserByEmail(i);if(!t)throw new ke("BAD_REQUEST",{message:g.USER_NOT_FOUND});return await mo(e,t.user),e.json({status:!0})}),Vo=p("/verify-email",{method:"GET",query:se.object({token:se.string({description:"The token to verify the email"}),callbackURL:se.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function i(A){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${A}`):new ke("UNAUTHORIZED",{message:A})}let{token:t}=e.query,o;try{o=await Lt("HS256",Buffer.from(e.context.secret),t)}catch(A){return e.context.logger.error("Failed to verify email",A),i("invalid_token")}let n=se.object({email:se.string().email(),updateTo:se.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return i("user_not_found");if(n.updateTo){let A=await S(e);if(!A){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return i("unauthorized")}if(A.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return i("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${t}`,token:t},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await S(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new ke("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await h(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});import{APIError as Ke}from"better-call";import{z as O}from"zod";import{APIError as Bt}from"better-call";var hs=O.object({id:O.string(),providerId:O.string(),accountId:O.string(),userId:O.string(),accessToken:O.string().nullish(),refreshToken:O.string().nullish(),idToken:O.string().nullish(),accessTokenExpiresAt:O.date().nullish(),refreshTokenExpiresAt:O.date().nullish(),scope:O.string().nullish(),password:O.string().nullish(),createdAt:O.date().default(()=>new Date),updatedAt:O.date().default(()=>new Date)}),ys=O.object({id:O.string(),email:O.string().transform(e=>e.toLowerCase()),emailVerified:O.boolean().default(!1),name:O.string(),image:O.string().nullish(),createdAt:O.date().default(()=>new Date),updatedAt:O.date().default(()=>new Date)}),ws=O.object({id:O.string(),userId:O.string(),expiresAt:O.date(),createdAt:O.date().default(()=>new Date),updatedAt:O.date().default(()=>new Date),token:O.string(),ipAddress:O.string().nullish(),userAgent:O.string().nullish()}),Cs=O.object({id:O.string(),value:O.string(),createdAt:O.date().default(()=>new Date),updatedAt:O.date().default(()=>new Date),expiresAt:O.date(),identifier:O.string()});function xt(e,i){let t={...i==="user"?e.user?.additionalFields:{},...i==="session"?e.session?.additionalFields:{}};for(let o of e.plugins||[])o.schema&&o.schema[i]&&(t={...t,...o.schema[i].fields});return t}function jt(e,i){let t=i.action||"create",o=i.fields,r={};for(let n in o){if(n in e){if(o[n].input===!1){if(o[n].defaultValue){r[n]=o[n].defaultValue;continue}continue}if(o[n].validator?.input&&e[n]!==void 0){r[n]=o[n].validator.input.parse(e[n]);continue}r[n]=e[n];continue}if(o[n].defaultValue&&t==="create"){r[n]=o[n].defaultValue;continue}if(o[n].required&&t==="create")throw new Bt("BAD_REQUEST",{message:`${n} is required`})}return r}function Qe(e,i,t){let o=xt(e,"user");return jt(i||{},{fields:o,action:t})}function oe(e,i){if(!i)return e;for(let t in i){let o=i[t]?.modelName;o&&(e[t].modelName=o);for(let r in e[t].fields){let n=i[t]?.fields?.[r];n&&(e[t].fields[r].fieldName=n)}}return e}var Mo=()=>p("/sign-up/email",{method:"POST",query:Oe.object({currentURL:Oe.string().optional()}).optional(),body:Oe.record(Oe.string(),Oe.any()),metadata:{openapi:{description:"Sign up a user using email and password",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},email:{type:"string",description:"The email of the user"},password:{type:"string",description:"The password of the user"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["name","email","password"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string",description:"The id of the user"},email:{type:"string",description:"The email of the user"},name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"},emailVerified:{type:"boolean",description:"If the email is verified"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.enabled)throw new Ke("BAD_REQUEST",{message:"Email and password sign up is not enabled"});let i=e.body,{name:t,email:o,password:r,image:n,callbackURL:s,...A}=i;if(!Oe.string().email().safeParse(o).success)throw new Ke("BAD_REQUEST",{message:g.INVALID_EMAIL});let d=e.context.password.config.minPasswordLength;if(r.length<d)throw e.context.logger.error("Password is too short"),new Ke("BAD_REQUEST",{message:g.PASSWORD_TOO_SHORT});let c=e.context.password.config.maxPasswordLength;if(r.length>c)throw e.context.logger.error("Password is too long"),new Ke("BAD_REQUEST",{message:g.PASSWORD_TOO_LONG});if((await e.context.internalAdapter.findUserByEmail(o))?.user)throw e.context.logger.info(`Sign-up attempt for existing email: ${o}`),new Ke("UNPROCESSABLE_ENTITY",{message:g.USER_ALREADY_EXISTS});let u=Qe(e.context.options,A),K;try{if(K=await e.context.internalAdapter.createUser({email:o.toLowerCase(),name:t,image:n,...u,emailVerified:!1}),!K)throw new Ke("BAD_REQUEST",{message:g.FAILED_TO_CREATE_USER})}catch(v){throw e.context.logger.error("Failed to create user",v),new Ke("UNPROCESSABLE_ENTITY",{message:g.FAILED_TO_CREATE_USER,details:v})}if(!K)throw new Ke("UNPROCESSABLE_ENTITY",{message:g.FAILED_TO_CREATE_USER});let m=await e.context.password.hash(r);if(await e.context.internalAdapter.linkAccount({userId:K.id,providerId:"credential",accountId:K.id,password:m}),e.context.options.emailVerification?.sendOnSignUp){let v=await pe(e.context.secret,K.email),f=`${e.context.baseURL}/verify-email?token=${v}&callbackURL=${i.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:K,url:f,token:v},e.request)}if(!e.context.options.emailAndPassword.autoSignIn||e.context.options.emailAndPassword.requireEmailVerification)return e.json({id:K.id,email:K.email,name:K.name,image:K.image,emailVerified:K.emailVerified});let E=await e.context.internalAdapter.createSession(K.id,e.request);if(!E)throw new Ke("BAD_REQUEST",{message:g.FAILED_TO_CREATE_SESSION});return await h(e,{session:E,user:K}),e.json({id:K.id,email:K.email,name:K.name,image:K.image,emailVerified:K.emailVerified,createdAt:K.createdAt,updatedAt:K.updatedAt})});var zt=(e="Unknown")=>`<!DOCTYPE html>
2
+ `,`Current list of trustedOrigins: ${a}`),new kt("FORBIDDEN",{message:`Invalid ${K}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&l(r,"origin"),n&&l(n,"callbackURL"),s&&l(s,"redirectURL"),A&&l(A,"currentURL")});var be={isAction:!1};var Lo=p("/ok",{method:"GET",metadata:{...be,openapi:{description:"Check if the API is working",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{ok:{type:"boolean"}}}}}}}}}},async e=>e.json({ok:!0}));import{z as Oe}from"zod";import{TimeSpan as Nt}from"oslo";import{createJWT as Dt,validateJWT as Lt}from"oslo/jwt";import{z as se}from"zod";import{APIError as ke}from"better-call";import{APIError as ce}from"better-call";import{z as he}from"zod";function lo(e){try{return JSON.parse(e)}catch{return null}}var g={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var go=()=>p("/get-session",{method:"GET",query:he.optional(he.object({disableCookieCache:he.boolean({description:"Disable cookie cache and fetch session from database"}).or(he.string().transform(e=>e==="true")).optional(),disableRefresh:he.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let i=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!i)return e.json(null);let t=e.getCookie(e.context.authCookies.sessionData.name),o=t?lo(Buffer.from(t,"base64").toString()):null;if(o&&!await Ge.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return H(e),e.json(null);let r=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let c=o.session;if(o.expiresAt<Date.now()||c.session.expiresAt<new Date){let u=e.context.authCookies.sessionData.name;e.setCookie(u,"",{maxAge:0})}else return e.json(c)}let n=await e.context.internalAdapter.findSession(i);if(e.context.session=n,!n||n.session.expiresAt<new Date)return H(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(r||e.query?.disableRefresh)return e.json(n);let s=e.context.sessionConfig.expiresIn,A=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-s*1e3+A*1e3<=Date.now()){let c=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:k(e.context.sessionConfig.expiresIn,"sec")});if(!c)return H(e),e.json(null,{status:401});let l=(c.expiresAt.valueOf()-Date.now())/1e3;return await h(e,{session:c,user:n.user},!1,{maxAge:l}),e.json({session:c,user:n.user})}return e.json(n)}catch(i){throw e.context.logger.error("INTERNAL_SERVER_ERROR",i),new ce("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_GET_SESSION})}}),S=async(e,i)=>{if(e.context.session)return e.context.session;let t=await go()({...e,_flag:"json",headers:e.headers,query:i}).catch(o=>null);return e.context.session=t,t},R=N(async e=>{let i=await S(e);if(!i?.session)throw new ce("UNAUTHORIZED");return{session:i}}),ve=N(async e=>{let i=await S(e);if(!i?.session)throw new ce("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:i};let t=e.context.sessionConfig.freshAge,o=i.session.createdAt.valueOf(),r=Date.now();if(!(o+t*1e3>r))throw new ce("FORBIDDEN",{message:"Session is not fresh"});return{session:i}}),Bo=()=>p("/list-sessions",{method:"GET",use:[R],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let t=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(o=>o.expiresAt>new Date);return e.json(t)}),xo=p("/revoke-session",{method:"POST",body:he.object({token:he.string({description:"The token to revoke"})}),use:[R],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let i=e.body.token,t=await e.context.internalAdapter.findSession(i);if(!t)throw new ce("BAD_REQUEST",{message:"Session not found"});if(t.session.userId!==e.context.session.user.id)throw new ce("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(i)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new ce("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),jo=p("/revoke-sessions",{method:"POST",use:[R],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(i){throw e.context.logger.error(i&&typeof i=="object"&&"name"in i?i.name:"",i),new ce("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),zo=p("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[R],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let i=e.context.session;if(!i.user)throw new ce("UNAUTHORIZED");let r=(await e.context.internalAdapter.listSessions(i.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(r.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function pe(e,i,t){return await Dt("HS256",Buffer.from(e),{email:i.toLowerCase(),updateTo:t},{expiresIn:new Nt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[i],includeIssuedTimestamp:!0})}async function mo(e,i){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new ke("BAD_REQUEST",{message:"Verification email isn't enabled"});let t=await pe(e.context.secret,i.email),o=`${e.context.baseURL}/verify-email?token=${t}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:i,url:o,token:t},e.request)}var Fo=p("/send-verification-email",{method:"POST",query:se.object({currentURL:se.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:se.object({email:se.string({description:"The email to send the verification email to"}).email(),callbackURL:se.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new ke("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:i}=e.body,t=await e.context.internalAdapter.findUserByEmail(i);if(!t)throw new ke("BAD_REQUEST",{message:g.USER_NOT_FOUND});return await mo(e,t.user),e.json({status:!0})}),Vo=p("/verify-email",{method:"GET",query:se.object({token:se.string({description:"The token to verify the email"}),callbackURL:se.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function i(A){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${A}`):new ke("UNAUTHORIZED",{message:A})}let{token:t}=e.query,o;try{o=await Lt("HS256",Buffer.from(e.context.secret),t)}catch(A){return e.context.logger.error("Failed to verify email",A),i("invalid_token")}let n=se.object({email:se.string().email(),updateTo:se.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return i("user_not_found");if(n.updateTo){let A=await S(e);if(!A){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return i("unauthorized")}if(A.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return i("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo,emailVerified:!1});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${t}`,token:t},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await S(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new ke("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await h(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});import{APIError as Ke}from"better-call";import{z as O}from"zod";import{APIError as Bt}from"better-call";var hs=O.object({id:O.string(),providerId:O.string(),accountId:O.string(),userId:O.string(),accessToken:O.string().nullish(),refreshToken:O.string().nullish(),idToken:O.string().nullish(),accessTokenExpiresAt:O.date().nullish(),refreshTokenExpiresAt:O.date().nullish(),scope:O.string().nullish(),password:O.string().nullish(),createdAt:O.date().default(()=>new Date),updatedAt:O.date().default(()=>new Date)}),ys=O.object({id:O.string(),email:O.string().transform(e=>e.toLowerCase()),emailVerified:O.boolean().default(!1),name:O.string(),image:O.string().nullish(),createdAt:O.date().default(()=>new Date),updatedAt:O.date().default(()=>new Date)}),ws=O.object({id:O.string(),userId:O.string(),expiresAt:O.date(),createdAt:O.date().default(()=>new Date),updatedAt:O.date().default(()=>new Date),token:O.string(),ipAddress:O.string().nullish(),userAgent:O.string().nullish()}),Cs=O.object({id:O.string(),value:O.string(),createdAt:O.date().default(()=>new Date),updatedAt:O.date().default(()=>new Date),expiresAt:O.date(),identifier:O.string()});function xt(e,i){let t={...i==="user"?e.user?.additionalFields:{},...i==="session"?e.session?.additionalFields:{}};for(let o of e.plugins||[])o.schema&&o.schema[i]&&(t={...t,...o.schema[i].fields});return t}function jt(e,i){let t=i.action||"create",o=i.fields,r={};for(let n in o){if(n in e){if(o[n].input===!1){if(o[n].defaultValue){r[n]=o[n].defaultValue;continue}continue}if(o[n].validator?.input&&e[n]!==void 0){r[n]=o[n].validator.input.parse(e[n]);continue}r[n]=e[n];continue}if(o[n].defaultValue&&t==="create"){r[n]=o[n].defaultValue;continue}if(o[n].required&&t==="create")throw new Bt("BAD_REQUEST",{message:`${n} is required`})}return r}function Qe(e,i,t){let o=xt(e,"user");return jt(i||{},{fields:o,action:t})}function oe(e,i){if(!i)return e;for(let t in i){let o=i[t]?.modelName;o&&(e[t].modelName=o);for(let r in e[t].fields){let n=i[t]?.fields?.[r];n&&(e[t].fields[r].fieldName=n)}}return e}var Mo=()=>p("/sign-up/email",{method:"POST",query:Oe.object({currentURL:Oe.string().optional()}).optional(),body:Oe.record(Oe.string(),Oe.any()),metadata:{openapi:{description:"Sign up a user using email and password",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},email:{type:"string",description:"The email of the user"},password:{type:"string",description:"The password of the user"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["name","email","password"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string",description:"The id of the user"},email:{type:"string",description:"The email of the user"},name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"},emailVerified:{type:"boolean",description:"If the email is verified"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.enabled)throw new Ke("BAD_REQUEST",{message:"Email and password sign up is not enabled"});let i=e.body,{name:t,email:o,password:r,image:n,callbackURL:s,...A}=i;if(!Oe.string().email().safeParse(o).success)throw new Ke("BAD_REQUEST",{message:g.INVALID_EMAIL});let d=e.context.password.config.minPasswordLength;if(r.length<d)throw e.context.logger.error("Password is too short"),new Ke("BAD_REQUEST",{message:g.PASSWORD_TOO_SHORT});let c=e.context.password.config.maxPasswordLength;if(r.length>c)throw e.context.logger.error("Password is too long"),new Ke("BAD_REQUEST",{message:g.PASSWORD_TOO_LONG});if((await e.context.internalAdapter.findUserByEmail(o))?.user)throw e.context.logger.info(`Sign-up attempt for existing email: ${o}`),new Ke("UNPROCESSABLE_ENTITY",{message:g.USER_ALREADY_EXISTS});let u=Qe(e.context.options,A),K;try{if(K=await e.context.internalAdapter.createUser({email:o.toLowerCase(),name:t,image:n,...u,emailVerified:!1}),!K)throw new Ke("BAD_REQUEST",{message:g.FAILED_TO_CREATE_USER})}catch(v){throw e.context.logger.error("Failed to create user",v),new Ke("UNPROCESSABLE_ENTITY",{message:g.FAILED_TO_CREATE_USER,details:v})}if(!K)throw new Ke("UNPROCESSABLE_ENTITY",{message:g.FAILED_TO_CREATE_USER});let m=await e.context.password.hash(r);if(await e.context.internalAdapter.linkAccount({userId:K.id,providerId:"credential",accountId:K.id,password:m}),e.context.options.emailVerification?.sendOnSignUp){let v=await pe(e.context.secret,K.email),f=`${e.context.baseURL}/verify-email?token=${v}&callbackURL=${i.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:K,url:f,token:v},e.request)}if(!e.context.options.emailAndPassword.autoSignIn||e.context.options.emailAndPassword.requireEmailVerification)return e.json({id:K.id,email:K.email,name:K.name,image:K.image,emailVerified:K.emailVerified});let E=await e.context.internalAdapter.createSession(K.id,e.request);if(!E)throw new Ke("BAD_REQUEST",{message:g.FAILED_TO_CREATE_SESSION});return await h(e,{session:E,user:K}),e.json({id:K.id,email:K.email,name:K.name,image:K.image,emailVerified:K.emailVerified,createdAt:K.createdAt,updatedAt:K.updatedAt})});var zt=(e="Unknown")=>`<!DOCTYPE html>
3
3
  <html lang="en">
4
4
  <head>
5
5
  <meta charset="UTF-8">
@@ -80,7 +80,7 @@ import{APIError as Yi}from"better-call";import{z as xe}from"zod";import{createEn
80
80
  </div>
81
81
  </body>
82
82
  </html>`,qo=p("/error",{method:"GET",metadata:{...be,openapi:{description:"Displays an error page",responses:{200:{description:"Success",content:{"text/html":{schema:{type:"string"}}}}}}}},async e=>{let i=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(zt(i),{headers:{"Content-Type":"text/html"}})});import{createConsola as Ft}from"consola";var fo=["info","success","warn","error","debug"];function Vt(e,i){return fo.indexOf(i)<=fo.indexOf(e)}var Mt=Ft({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Ho=e=>{let i=e?.disabled!==!0,t=e?.level??"error",o=(r,n,s=[])=>{if(!(!i||!Vt(t,r))){if(!e||typeof e.log!="function"){Mt[r]("",n,...s);return}e.log(r==="success"?"info":r,n,s)}};return Object.fromEntries(fo.map(r=>[r,(...[n,...s])=>o(r,n,s)]))},ie=Ho();import Qt from"defu";import{APIError as T}from"better-call";function ho(e,i){let t=i.plugins?.reduce((A,a)=>({...A,...a.endpoints}),{}),o=i.plugins?.map(A=>A.middlewares?.map(a=>{let d=async c=>a.middleware({...c,context:{...e,...c.context}});return d.path=a.path,d.options=a.middleware.options,d.headers=a.middleware.headers,{path:a.path,middleware:d}})).filter(A=>A!==void 0).flat()||[],n={...{signInSocial:$o,callbackOAuth:Zo,getSession:go(),signOut:Qo,signUpEmail:Mo(),signInEmail:Go,forgetPassword:Wo,resetPassword:Yo,verifyEmail:Vo,sendVerificationEmail:Fo,changeEmail:ri,changePassword:ei,setPassword:oi,updateUser:Xo(),deleteUser:ii,forgetPasswordCallback:Jo,listSessions:Bo(),revokeSession:xo,revokeSessions:jo,revokeOtherSessions:zo,linkSocialAccount:si,listUserAccounts:ni,deleteUserCallback:ti},...t,ok:Lo,error:qo},s={};for(let[A,a]of Object.entries(n))s[A]=async(d={})=>{a.headers=new Headers;let c={setHeader(f,w){a.headers.set(f,w)},setCookie(f,w,b){Gt(a.headers,f,w,b)},getCookie(f,w){let I=d.headers?.get("cookie");return Ht(I||"",f,w)},getSignedCookie(f,w,b){let I=d.headers;return I?$t(I,w,f,b):null},async setSignedCookie(f,w,b,I){await Zt(a.headers,f,w,b,I)},redirect(f){return a.headers.set("Location",f),new Pe("FOUND")},responseHeader:a.headers},l=await e,u=null,K={...c,...d,path:a.path,context:{...l,...d.context,session:null,setNewSession:function(f){this.newSession=f,u=f}}},m=i.plugins||[];for(let f of m){let w=f.hooks?.before??[];for(let b of w){if(!b.matcher(K))continue;let I=await b.handler(K);if(I&&"context"in I){K=Qt(K,I.context);continue}if(I)return I}}let E;try{E=await a(K),u&&(K.context.newSession=u)}catch(f){if(u&&(K.context.newSession=u),f instanceof Pe){let w=i.plugins?.map(b=>{if(b.hooks?.after)return b.hooks.after}).filter(b=>b!==void 0).flat();if(!w?.length)throw f.headers=a.headers,f;K.context.returned=f,K.context.returned.headers=a.headers;for(let b of w||[])if(b.matcher(K))try{let q=await b.handler(K);q&&"response"in q&&(K.context.returned=q.response)}catch(q){if(q instanceof Pe){K.context.returned=q;continue}throw q}if(K.context.returned instanceof Pe)throw K.context.returned.headers=a.headers,K.context.returned;return K.context.returned}throw f}K.context.returned=E,K.responseHeader=a.headers;for(let f of i.plugins||[])if(f.hooks?.after){for(let w of f.hooks.after)if(w.matcher(K))try{let I=await w.handler(K);I&&(K.context.returned=I)}catch(I){if(I instanceof Pe){K.context.returned=I;continue}throw I}}let v=K.context.returned;return v instanceof Response&&a.headers.forEach((f,w)=>{w==="set-cookie"?v.headers.append(w,f):v.headers.set(w,f)}),v},s[A].path=a.path,s[A].method=a.method,s[A].options=a.options,s[A].headers=a.headers;return{api:s,middlewares:o}}function We(e){let i=new Map;return e.split(", ").forEach(o=>{let r=o.split(";").map(l=>l.trim()),[n,...s]=r,[A,...a]=n.split("="),d=a.join("=");if(!A||d===void 0)return;let c={value:d};s.forEach(l=>{let[u,...K]=l.split("="),m=K.join("="),E=u.trim().toLowerCase();switch(E){case"max-age":c["max-age"]=m?parseInt(m.trim(),10):void 0;break;case"expires":c.expires=m?new Date(m.trim()):void 0;break;case"domain":c.domain=m?m.trim():void 0;break;case"path":c.path=m?m.trim():void 0;break;case"secure":c.secure=!0;break;case"httponly":c.httponly=!0;break;case"samesite":c.samesite=m?m.trim().toLowerCase():void 0;break;default:c[E]=m?m.trim():!0;break}}),i.set(A,c)}),i}async function h(e,i,t,o){let r=e.context.authCookies.sessionToken.options,n=t?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,i.session.token,e.context.secret,{...r,maxAge:n,...o}),t&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(Wt.encode(new TextEncoder().encode(JSON.stringify({session:i,expiresAt:k(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await Ge.sign({value:JSON.stringify(i),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.setNewSession(i),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(i.session.token,JSON.stringify({user:i.user,session:i.session}),Math.floor((new Date(i.session.expiresAt).getTime()-Date.now())/1e3))}function H(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}function Ne(e){let i=e.split("; "),t=new Map;return i.forEach(o=>{let[r,n]=o.split("=");t.set(r,n)}),t}import{betterFetch as ir}from"@better-fetch/fetch";import{APIError as tr}from"better-call";import{decodeProtectedHeader as rr,importJWK as nr,jwtVerify as sr}from"jose";import{parseJWT as ar}from"oslo/jwt";import{sha256 as Jt}from"oslo/crypto";import{base64url as Yt}from"oslo/encoding";async function ai(e){let i=await Jt(new TextEncoder().encode(e));return Yt.encode(new Uint8Array(i),{includePadding:!1})}function Ai(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?k(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function P({id:e,options:i,authorizationEndpoint:t,state:o,codeVerifier:r,scopes:n,claims:s,redirectURI:A}){let a=new URL(t);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",i.clientId),a.searchParams.set("state",o),a.searchParams.set("scope",n.join(" ")),a.searchParams.set("redirect_uri",i.redirectURI||A),r){let d=await ai(r);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",d)}if(s){let d=s.reduce((c,l)=>(c[l]=null,c),{});a.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return a}import{betterFetch as Xt}from"@better-fetch/fetch";async function U({code:e,codeVerifier:i,redirectURI:t,options:o,tokenEndpoint:r,authentication:n}){let s=new URLSearchParams,A={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),i&&s.set("code_verifier",i),s.set("redirect_uri",t),n==="basic"){let l=btoa(`${o.clientId}:${o.clientSecret}`);A.authorization=`Basic ${l}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:d}=await Xt(r,{method:"POST",body:s,headers:A});if(d)throw d;return Ai(a)}import{generateCodeVerifier as er,generateState as or}from"oslo/oauth2";import{z as me}from"zod";import{APIError as di}from"better-call";async function Te(e,i){let t=e.body?.callbackURL||(e.query?.currentURL?Ce(e.query?.currentURL):"")||e.context.options.baseURL;if(!t)throw new di("BAD_REQUEST",{message:"callbackURL is required"});let o=er(),r=or(),n=JSON.stringify({callbackURL:t,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:i,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let A=await e.context.internalAdapter.createVerificationValue({value:n,identifier:r,expiresAt:s});if(!A)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new di("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:A.identifier,codeVerifier:o}}async function Je(e){let i=e.query.state||e.body.state,t=await e.context.internalAdapter.findVerificationValue(i);if(!t)throw e.context.logger.error("State Mismatch. Verification not found",{state:i}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=me.object({callbackURL:me.string(),codeVerifier:me.string(),errorURL:me.string().optional(),expiresAt:me.number(),link:me.object({email:me.string(),userId:me.string()}).optional()}).parse(JSON.parse(t.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(t.id),e.context.logger.error("State expired.",{state:i}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(t.id),o}var ci=e=>{let i="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:t,scopes:o,redirectURI:r}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${r||e.redirectURI}&scope=${n.join(" ")}&state=${t}&response_mode=form_post`)},validateAuthorizationCode:async({code:t,codeVerifier:o,redirectURI:r})=>U({code:t,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:i}),async verifyIdToken(t,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,o);let r=rr(t),{kid:n,alg:s}=r;if(!n||!s)return!1;let A=await Ar(n),{payload:a}=await sr(t,A,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{a[d]!==void 0&&(a[d]=!!a[d])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let o=ar(t.idToken)?.payload;if(!o)return null;let r=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:r,emailVerified:!1,email:o.email,...n},data:o}}}},Ar=async e=>{let i="https://appleid.apple.com",t="/auth/keys",{data:o}=await ir(`${i}${t}`);if(!o?.keys)throw new tr("BAD_REQUEST",{message:"Keys not found"});let r=o.keys.find(n=>n.kid===e);if(!r)throw new Error(`JWK with kid ${e} not found`);return await nr(r,r.alg)};import{betterFetch as dr}from"@better-fetch/fetch";var pi=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:i,scopes:t,redirectURI:o}){let r=t||["identify","email"];return e.scope&&r.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${r.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${i}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:i,redirectURI:t})=>U({code:i,redirectURI:e.redirectURI||t,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:t,error:o}=await dr("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${i.accessToken}`}});if(o)return null;if(t.avatar===null){let n=t.discriminator==="0"?Number(BigInt(t.id)>>BigInt(22))%6:parseInt(t.discriminator)%5;t.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=t.avatar.startsWith("a_")?"gif":"png";t.image_url=`https://cdn.discordapp.com/avatars/${t.id}/${t.avatar}.${n}`}let r=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.display_name||t.username||"",email:t.email,emailVerified:t.verified,image:t.image_url,...r},data:t}}});import{betterFetch as cr}from"@better-fetch/fetch";var Ki=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:i,scopes:t,redirectURI:o}){let r=t||["email","public_profile"];return e.scope&&r.push(...e.scope),await P({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:r,state:i,redirectURI:o})},validateAuthorizationCode:async({code:i,redirectURI:t})=>U({code:i,redirectURI:e.redirectURI||t,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:t,error:o}=await cr("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:i.accessToken}});if(o)return null;let r=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.name,email:t.email,image:t.picture.data.url,emailVerified:t.email_verified,...r},data:t}}});import{betterFetch as ui}from"@better-fetch/fetch";var li=e=>{let i="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:t,scopes:o,codeVerifier:r,redirectURI:n}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),P({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:t,redirectURI:n})},validateAuthorizationCode:async({code:t,redirectURI:o})=>U({code:t,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:i}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:o,error:r}=await ui("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${t.accessToken}`}});if(r)return null;let n=!1;if(!o.email){let{data:A,error:a}=await ui("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${t.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(A.find(d=>d.primary)??A[0])?.email,n=A.find(d=>d.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n,...s},data:o}}}};import{parseJWT as pr}from"oslo/jwt";import{betterFetch as Kr}from"@better-fetch/fetch";var gi=e=>({id:"google",name:"Google",async createAuthorizationURL({state:i,scopes:t,codeVerifier:o,redirectURI:r}){if(!e.clientId||!e.clientSecret)throw ie.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new ee("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new ee("codeVerifier is required for Google");let n=t||["email","profile","openid"];e.scope&&n.push(...e.scope);let s=await P({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:i,codeVerifier:o,redirectURI:r});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:i,codeVerifier:t,redirectURI:o})=>U({code:i,codeVerifier:t,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(i,t){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(i,t);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${i}`,{data:r}=await Kr(o);return r?r.aud===e.clientId&&r.iss==="https://accounts.google.com":!1},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let t=pr(i.idToken)?.payload,o=await e.mapProfileToUser?.(t);return{user:{id:t.sub,name:t.name,email:t.email,image:t.picture,emailVerified:t.email_verified,...o},data:t}}});import{betterFetch as ur}from"@better-fetch/fetch";import{parseJWT as lr}from"oslo/jwt";var mi=e=>{let i=e.tenantId||"common",t=`https://login.microsoftonline.com/${i}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${i}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(r){let n=r.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),P({id:"microsoft",options:e,authorizationEndpoint:t,state:r.state,codeVerifier:r.codeVerifier,scopes:n,redirectURI:r.redirectURI})},validateAuthorizationCode({code:r,codeVerifier:n,redirectURI:s}){return U({code:r,codeVerifier:n,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let n=lr(r.idToken)?.payload,s=e.profilePhotoSize||48;await ur(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${r.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let c=await a.response.clone().arrayBuffer(),l=Buffer.from(c).toString("base64");n.picture=`data:image/jpeg;base64, ${l}`}catch(d){ie.error(d&&typeof d=="object"&&"name"in d?d.name:"",d)}}});let A=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0,...A},data:n}}}};import{betterFetch as gr}from"@better-fetch/fetch";var fi=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:i,scopes:t,codeVerifier:o,redirectURI:r}){let n=t||["user-read-email"];return e.scope&&n.push(...e.scope),P({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:i,codeVerifier:o,redirectURI:r})},validateAuthorizationCode:async({code:i,codeVerifier:t,redirectURI:o})=>U({code:i,codeVerifier:t,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:t,error:o}=await gr("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${i.accessToken}`}});if(o)return null;let r=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.display_name,email:t.email,image:t.images[0]?.url,emailVerified:!1,...r},data:t}}});import{nanoid as mr}from"nanoid";var $=e=>mr(e);import{parseJWT as fr}from"oslo/jwt";var hi=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:i,scopes:t,redirectURI:o}){let r=t||["user:read:email","openid"];return e.scope&&r.push(...e.scope),P({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:r,state:i,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:i,redirectURI:t})=>U({code:i,redirectURI:e.redirectURI||t,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let t=i.idToken;if(!t)return ie.error("No idToken found in token"),null;let o=fr(t)?.payload,r=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...r},data:o}}});import{betterFetch as hr}from"@better-fetch/fetch";var yi=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(i){let t=i.scopes||["users.read","tweet.read","offline.access"];return e.scope&&t.push(...e.scope),P({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:t,state:i.state,codeVerifier:i.codeVerifier,redirectURI:i.redirectURI})},validateAuthorizationCode:async({code:i,codeVerifier:t,redirectURI:o})=>U({code:i,codeVerifier:t,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:t,error:o}=await hr("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${i.accessToken}`}});if(o)return null;let r=await e.mapProfileToUser?.(t);return{user:{id:t.data.id,name:t.data.name,email:t.data.username||null,image:t.data.profile_image_url,emailVerified:t.data.verified||!1,...r},data:t}}});import{betterFetch as yr}from"@better-fetch/fetch";var wi=e=>{let i="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:t,scopes:o,codeVerifier:r,redirectURI:n})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await P({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:t,redirectURI:n,codeVerifier:r})},validateAuthorizationCode:async({code:t,codeVerifier:o,redirectURI:r})=>await U({code:t,codeVerifier:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:i}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:o,error:r}=await yr("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${t.accessToken}`}});if(r)return null;let n=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...n},data:o}}}};import{betterFetch as wr}from"@better-fetch/fetch";var Ci=e=>{let i="https://www.linkedin.com/oauth/v2/authorization",t="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:r,redirectURI:n})=>{let s=r||["profile","email","openid"];return e.scope&&s.push(...e.scope),await P({id:"linkedin",options:e,authorizationEndpoint:i,scopes:s,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:r})=>await U({code:o,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:t}),async getUserInfo(o){let{data:r,error:n}=await wr("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(n)return null;let s=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,emailVerified:r.email_verified||!1,image:r.picture,...s},data:r}}}};import{betterFetch as Cr}from"@better-fetch/fetch";var yo=(e="")=>e.split("://").map(i=>i.replace(/\/{2,}/g,"/")).join("://"),br=e=>{let i=e||"https://gitlab.com";return{authorizationEndpoint:yo(`${i}/oauth/authorize`),tokenEndpoint:yo(`${i}/oauth/token`),userinfoEndpoint:yo(`${i}/api/v4/user`)}},bi=e=>{let{authorizationEndpoint:i,tokenEndpoint:t,userinfoEndpoint:o}=br(e.issuer),r="gitlab";return{id:r,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:A,codeVerifier:a,redirectURI:d})=>{let c=A||["read_user"];return e.scope&&c.push(...e.scope),await P({id:r,options:e,authorizationEndpoint:i,scopes:c,state:s,redirectURI:d,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:A,codeVerifier:a})=>U({code:s,redirectURI:e.redirectURI||A,options:e,codeVerifier:a,tokenEndpoint:t}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:A,error:a}=await Cr(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||A.state!=="active"||A.locked)return null;let d=await e.mapProfileToUser?.(A);return{user:{id:A.id.toString(),name:A.name??A.username,email:A.email,image:A.avatar_url,emailVerified:!0,...d},data:A}}}};var Or={apple:ci,discord:pi,facebook:Ki,github:li,microsoft:mi,google:gi,spotify:fi,twitch:hi,twitter:yi,dropbox:wi,linkedin:Ci,gitlab:bi},Ye=Object.keys(Or);async function Ee(e,{userInfo:i,account:t,callbackURL:o}){let r=await e.context.internalAdapter.findUserByEmail(i.email.toLowerCase(),{includeAccounts:!0}).catch(A=>{throw ie.error(`Better auth was unable to query your database.
83
- Error: `,A),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=r?.user;if(r){let A=r.accounts.find(a=>a.providerId===t.providerId);if(A){let a=Object.fromEntries(Object.entries({accessToken:t.accessToken,idToken:t.idToken,refreshToken:t.refreshToken,accessTokenExpiresAt:t.accessTokenExpiresAt,refreshTokenExpiresAt:t.refreshTokenExpiresAt}).filter(([d,c])=>c!==void 0));Object.keys(a).length>0&&await e.context.internalAdapter.updateAccount(A.id,a)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(t.providerId)&&!i.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Po&&ie.warn(`User already exist but account isn't linked to ${t.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:t.providerId,accountId:i.id.toString(),userId:r.user.id,accessToken:t.accessToken,idToken:t.idToken,refreshToken:t.refreshToken,accessTokenExpiresAt:t.accessTokenExpiresAt,refreshTokenExpiresAt:t.refreshTokenExpiresAt,scope:t.scope})}catch(c){return ie.error("Unable to link account",c),{error:"unable to link account",data:null}}n=await e.context.internalAdapter.updateUser(r.user.id,{...i,updatedAt:new Date})}}else if(n=await e.context.internalAdapter.createOAuthUser({...i,email:i.email.toLowerCase(),id:void 0},{accessToken:t.accessToken,idToken:t.idToken,refreshToken:t.refreshToken,accessTokenExpiresAt:t.accessTokenExpiresAt,refreshTokenExpiresAt:t.refreshTokenExpiresAt,scope:t.scope,providerId:t.providerId,accountId:i.id.toString()}).then(A=>A?.user),!i.emailVerified&&n&&e.context.options.emailVerification?.sendOnSignUp){let A=await pe(e.context.secret,n.email),a=`${e.context.baseURL}/verify-email?token=${A}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:a,token:A},e.request)}if(!n)return{error:"unable to create user",data:null};let s=await e.context.internalAdapter.createSession(n.id,e.request);return s?{data:{session:s,user:n},error:null}:{error:"unable to create session",data:null}}var $o=p("/sign-in/social",{method:"POST",query:B.object({currentURL:B.string().optional()}).optional(),body:B.object({callbackURL:B.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:B.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:B.enum(Ye,{description:"OAuth2 provider to use"}),disableRedirect:B.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:B.optional(B.object({token:B.string({description:"ID token from the provider"}),nonce:B.string({description:"Nonce used to generate the token"}).optional(),accessToken:B.string({description:"Access token from the provider"}).optional(),refreshToken:B.string({description:"Refresh token from the provider"}).optional(),expiresAt:B.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let i=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!i)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new Z("NOT_FOUND",{message:g.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!i.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new Z("NOT_FOUND",{message:g.ID_TOKEN_NOT_SUPPORTED});let{token:n,nonce:s}=e.body.idToken;if(!await i.verifyIdToken(n,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new Z("UNAUTHORIZED",{message:g.INVALID_TOKEN});let a=await i.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new Z("UNAUTHORIZED",{message:g.FAILED_TO_GET_USER_INFO});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new Z("UNAUTHORIZED",{message:g.USER_EMAIL_NOT_FOUND});let d=await Ee(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:i.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new Z("UNAUTHORIZED",{message:d.error});return await h(e,d.data),e.json({session:d.data.session,user:d.data.user,url:void 0,redirect:!1})}let{codeVerifier:t,state:o}=await Te(e),r=await i.createAuthorizationURL({state:o,codeVerifier:t,redirectURI:`${e.context.baseURL}/callback/${i.id}`});return e.json({url:r.toString(),redirect:!e.body.disableRedirect})}),Go=p("/sign-in/email",{method:"POST",body:B.object({email:B.string({description:"Email of the user"}),password:B.string({description:"Password of the user"}),callbackURL:B.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:B.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new Z("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:i,password:t}=e.body;if(!B.string().email().safeParse(i).success)throw new Z("BAD_REQUEST",{message:g.INVALID_EMAIL});let r=await e.context.internalAdapter.findUserByEmail(i,{includeAccounts:!0});if(!r)throw await e.context.password.hash(t),e.context.logger.error("User not found",{email:i}),new Z("UNAUTHORIZED",{message:g.INVALID_EMAIL_OR_PASSWORD});let n=r.accounts.find(d=>d.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:i}),new Z("UNAUTHORIZED",{message:g.INVALID_EMAIL_OR_PASSWORD});let s=n?.password;if(!s)throw e.context.logger.error("Password not found",{email:i}),new Z("UNAUTHORIZED",{message:g.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:s,password:t}))throw e.context.logger.error("Invalid password"),new Z("UNAUTHORIZED",{message:g.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!r.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new Z("UNAUTHORIZED",{message:g.EMAIL_NOT_VERIFIED});let d=await pe(e.context.secret,r.user.email),c=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:r.user,url:c,token:d},e.request),e.context.logger.error("Email not verified",{email:i}),new Z("FORBIDDEN",{message:g.EMAIL_NOT_VERIFIED})}let a=await e.context.internalAdapter.createSession(r.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new Z("UNAUTHORIZED",{message:g.FAILED_TO_CREATE_SESSION});return await h(e,{session:a,user:r.user},e.body.rememberMe===!1),e.json({user:{id:r.user.id,email:r.user.email,name:r.user.name,image:r.user.image,emailVerified:r.user.emailVerified,createdAt:r.user.createdAt,updatedAt:r.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as De}from"zod";var Xe=De.object({code:De.string().optional(),error:De.string().optional(),errorMessage:De.string().optional(),state:De.string().optional()}),Zo=p("/callback/:id",{method:["GET","POST"],body:Xe.optional(),query:Xe.optional(),metadata:be},async e=>{let i;try{if(e.method==="GET")i=Xe.parse(e.query);else if(e.method==="POST")i=Xe.parse(e.body);else throw new Error("Unsupported method")}catch(f){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",f),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:t,error:o,state:r}=i;if(!r)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!t)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let n=e.context.socialProviders.find(f=>f.id===e.params.id);if(!n)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:s,callbackURL:A,link:a,errorURL:d}=await Je(e),c;try{c=await n.validateAuthorizationCode({code:t,codeVerifier:s,redirectURI:`${e.context.baseURL}/callback/${n.id}`})}catch(f){throw e.context.logger.error("",f),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let l=await n.getUserInfo(c).then(f=>f?.user);function u(f){let w=d||A||`${e.context.baseURL}/error`;throw w.includes("?")?w=`${w}&error=${f}`:w=`${w}?error=${f}`,e.redirect(w)}if(!l)return e.context.logger.error("Unable to get user info"),u("unable_to_get_user_info");if(!l.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),u("email_not_found");if(!A)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(a){if(a.email!==l.email.toLowerCase())return u("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:a.userId,providerId:n.id,accountId:l.id}))return u("unable_to_link_account");let w;try{w=new URL(A).toString()}catch{w=A}throw e.redirect(w)}let K=await Ee(e,{userInfo:{...l,email:l.email,name:l.name||l.email},account:{providerId:n.id,accountId:l.id,...c,scope:c.scopes?.join(",")},callbackURL:A});if(K.error)return e.context.logger.error(K.error.split(" ").join("_")),u(K.error.split(" ").join("_"));let{session:m,user:E}=K.data;await h(e,{session:m,user:E});let v;try{v=new URL(A).toString()}catch{v=A}throw e.redirect(v)});import"zod";import{APIError as Tr}from"better-call";var Qo=p("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let i=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!i)throw H(e),new Tr("BAD_REQUEST",{message:g.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(i),H(e),e.json({success:!0})});import{z as te}from"zod";import{APIError as wo}from"better-call";function Oi(e,i,t){let o=i?new URL(i,e.baseURL):new URL(`${e.baseURL}/error`);return t&&Object.entries(t).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}function Er(e,i,t){let o=new URL(i,e.baseURL);return t&&Object.entries(t).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}var Wo=p("/forget-password",{method:"POST",body:te.object({email:te.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:te.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new wo("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:i,redirectTo:t}=e.body,o=await e.context.internalAdapter.findUserByEmail(i,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:i}),e.json({status:!1},{body:{status:!0}});let r=60*60*1,n=k(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||r,"sec"),s=$(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id.toString(),identifier:`reset-password:${s}`,expiresAt:n});let A=`${e.context.baseURL}/reset-password/${s}?callbackURL=${t}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:A,token:s},e.request),e.json({status:!0})}),Jo=p("/reset-password/:token",{method:"GET",query:te.object({callbackURL:te.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:i}=e.params,{callbackURL:t}=e.query;if(!i||!t)throw e.redirect(Oi(e.context,t,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${i}`);throw!o||o.expiresAt<new Date?e.redirect(Oi(e.context,t,{error:"INVALID_TOKEN"})):e.redirect(Er(e.context,t,{token:i}))}),Yo=p("/reset-password",{query:te.optional(te.object({token:te.string().optional(),currentURL:te.string().optional()})),method:"POST",body:te.object({newPassword:te.string({description:"The new password to set"}),token:te.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let i=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!i)throw new wo("BAD_REQUEST",{message:g.INVALID_TOKEN});let{newPassword:t}=e.body,o=`reset-password:${i}`,r=await e.context.internalAdapter.findVerificationValue(o);if(!r||r.expiresAt<new Date)throw new wo("BAD_REQUEST",{message:g.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(r.id);let n=r.value,s=await e.context.password.hash(t);return(await e.context.internalAdapter.findAccounts(n)).find(d=>d.providerId==="credential")?(await e.context.internalAdapter.updatePassword(n,s),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:n,providerId:"credential",password:s,accountId:n}),e.json({status:!0}))});import{z as G}from"zod";import{APIError as V}from"better-call";import{xchacha20poly1305 as Ii}from"@noble/ciphers/chacha";import{bytesToHex as Ur,hexToBytes as _r,utf8ToBytes as vr}from"@noble/ciphers/utils";import{managedNonce as Si}from"@noble/ciphers/webcrypto";import{sha256 as Ui}from"oslo/crypto";import Ri from"uncrypto";import{decodeHex as Zd,encodeHex as Qd}from"oslo/encoding";import{scryptAsync as Yd}from"@noble/hashes/scrypt";import{getRandomValues as ec}from"uncrypto";import Ti from"uncrypto";function Rr(e){return e.toString(2).padStart(8,"0")}function Ir(e){return[...e].map(i=>Rr(i)).join("")}function Ei(e){return parseInt(Ir(e),2)}function Sr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let i=(e-1).toString(2).length,t=i%8,o=new Uint8Array(Math.ceil(i/8));Ti.getRandomValues(o),t!==0&&(o[0]&=(1<<t)-1);let r=Ei(o);for(;r>=e;)Ti.getRandomValues(o),t!==0&&(o[0]&=(1<<t)-1),r=Ei(o);return r}function z(e,i){let t="";for(let o=0;o<e;o++)t+=i[Sr(i.length)];return t}function F(...e){let i=new Set(e),t="";for(let o of i)o==="a-z"?t+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?t+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?t+="0123456789":t+=o;return t}async function Le(e,i){let t=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},r=await Ri.subtle.importKey("raw",t.encode(e),o,!1,["sign","verify"]),n=await Ri.subtle.sign(o.name,r,t.encode(i));return btoa(String.fromCharCode(...new Uint8Array(n)))}var ue=async({key:e,data:i})=>{let t=await Ui(new TextEncoder().encode(e)),o=vr(i),r=Si(Ii)(new Uint8Array(t));return Ur(r.encrypt(o))},fe=async({key:e,data:i})=>{let t=await Ui(new TextEncoder().encode(e)),o=_r(i),r=Si(Ii)(new Uint8Array(t));return new TextDecoder().decode(r.decrypt(o))};var Xo=()=>p("/update-user",{method:"POST",body:G.record(G.string(),G.any()),use:[R],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let i=e.body;if(i.email)throw new V("BAD_REQUEST",{message:g.EMAIL_CAN_NOT_BE_UPDATED});let{name:t,image:o,...r}=i,n=e.context.session;if(o===void 0&&!t&&Object.keys(r).length===0)return e.json({id:n.user.id,email:n.user.email,name:n.user.name,image:n.user.image,emailVerified:n.user.emailVerified,createdAt:n.user.createdAt,updatedAt:n.user.updatedAt});let s=Qe(e.context.options,r,"update"),A=await e.context.internalAdapter.updateUserByEmail(n.user.email,{name:t,image:o,...s});return await h(e,{session:n.session,user:A}),e.json({id:A.id,email:A.email,name:A.name,image:A.image,emailVerified:A.emailVerified,createdAt:A.createdAt,updatedAt:A.updatedAt})}),ei=p("/change-password",{method:"POST",body:G.object({newPassword:G.string({description:"The new password to set"}),currentPassword:G.string({description:"The current password"}),revokeOtherSessions:G.boolean({description:"Revoke all other sessions"}).optional()}),use:[R],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:i,currentPassword:t,revokeOtherSessions:o}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(i.length<n)throw e.context.logger.error("Password is too short"),new V("BAD_REQUEST",{message:g.PASSWORD_TOO_SHORT});let s=e.context.password.config.maxPasswordLength;if(i.length>s)throw e.context.logger.error("Password is too long"),new V("BAD_REQUEST",{message:g.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(l=>l.providerId==="credential"&&l.password);if(!a||!a.password)throw new V("BAD_REQUEST",{message:g.CREDENTIAL_ACCOUNT_NOT_FOUND});let d=await e.context.password.hash(i);if(!await e.context.password.verify({hash:a.password,password:t}))throw new V("BAD_REQUEST",{message:g.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(a.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(r.user.id);let l=await e.context.internalAdapter.createSession(r.user.id,e.headers);if(!l)throw new V("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_GET_SESSION});await h(e,{session:l,user:r.user})}return e.json(r.user)}),oi=p("/set-password",{method:"POST",body:G.object({newPassword:G.string()}),metadata:{SERVER_ONLY:!0},use:[R]},async e=>{let{newPassword:i}=e.body,t=e.context.session,o=e.context.password.config.minPasswordLength;if(i.length<o)throw e.context.logger.error("Password is too short"),new V("BAD_REQUEST",{message:g.PASSWORD_TOO_SHORT});let r=e.context.password.config.maxPasswordLength;if(i.length>r)throw e.context.logger.error("Password is too long"),new V("BAD_REQUEST",{message:g.PASSWORD_TOO_LONG});let s=(await e.context.internalAdapter.findAccounts(t.user.id)).find(a=>a.providerId==="credential"&&a.password),A=await e.context.password.hash(i);if(!s)return await e.context.internalAdapter.linkAccount({userId:t.user.id,providerId:"credential",accountId:t.user.id,password:A}),e.json(t.user);throw new V("BAD_REQUEST",{message:"user already has a password"})}),ii=p("/delete-user",{method:"POST",use:[ve],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new V("NOT_FOUND");let i=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let r=z(32,F("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:i.user.id,identifier:`delete-account-${r}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let n=`${e.context.baseURL}/delete-user/callback?token=${r}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:i.user,url:n,token:r},e.request),e.json({success:!0,message:"Verification email sent"})}let t=e.context.options.user.deleteUser?.beforeDelete;t&&await t(i.user,e.request),await e.context.internalAdapter.deleteUser(i.user.id),await e.context.internalAdapter.deleteSessions(i.user.id),await e.context.internalAdapter.deleteAccounts(i.user.id),H(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(i.user,e.request),e.json({success:!0,message:"User deleted"})}),ti=p("/delete-user/callback",{method:"GET",query:G.object({token:G.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new V("NOT_FOUND");let i=await S(e);if(!i)throw new V("NOT_FOUND",{message:g.FAILED_TO_GET_USER_INFO});let t=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!t||t.expiresAt<new Date)throw t&&await e.context.internalAdapter.deleteVerificationValue(t.id),new V("NOT_FOUND",{message:g.INVALID_TOKEN});if(t.value!==i.user.id)throw new V("NOT_FOUND",{message:g.INVALID_TOKEN});let o=e.context.options.user.deleteUser?.beforeDelete;o&&await o(i.user,e.request),await e.context.internalAdapter.deleteUser(i.user.id),await e.context.internalAdapter.deleteSessions(i.user.id),await e.context.internalAdapter.deleteAccounts(i.user.id),await e.context.internalAdapter.deleteVerificationValue(t.id),H(e);let r=e.context.options.user.deleteUser?.afterDelete;return r&&await r(i.user,e.request),e.json({success:!0,message:"User deleted"})}),ri=p("/change-email",{method:"POST",query:G.object({currentURL:G.string().optional()}).optional(),body:G.object({newEmail:G.string({description:"The new email to set"}).email(),callbackURL:G.string({description:"The URL to redirect to after email verification"}).optional()}),use:[R],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new V("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new V("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new V("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let r=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:r,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new V("BAD_REQUEST",{message:"Verification email isn't enabled"});let t=await pe(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${t}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:t},e.request),e.json({user:null,status:!0})});import{z as Be}from"zod";import{APIError as _i}from"better-call";var ni=p("/list-accounts",{method:"GET",use:[R],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let i=e.context.session,t=await e.context.internalAdapter.findAccounts(i.user.id);return e.json(t.map(o=>({id:o.id,provider:o.providerId})))}),si=p("/link-social",{method:"POST",requireHeaders:!0,query:Be.object({currentURL:Be.string().optional()}).optional(),body:Be.object({callbackURL:Be.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:Be.enum(Ye,{description:"The OAuth2 provider to use"})}),use:[R],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let i=e.context.session;if((await e.context.internalAdapter.findAccounts(i.user.id)).find(A=>A.providerId===e.body.provider))throw new _i("BAD_REQUEST",{message:g.SOCIAL_ACCOUNT_ALREADY_LINKED});let r=e.context.socialProviders.find(A=>A.id===e.body.provider);if(!r)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new _i("NOT_FOUND",{message:g.PROVIDER_NOT_FOUND});let n=await Te(e,{userId:i.user.id,email:i.user.email}),s=await r.createAuthorizationURL({state:n.state,codeVerifier:n.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${r.id}`});return e.json({url:s.toString(),redirect:!0})});var vi=(e,i)=>{let t={};for(let[o,r]of Object.entries(e))t[o]=n=>r({...n,context:{...i,...n.context}}),t[o].path=r.path,t[o].method=r.method,t[o].options=r.options,t[o].headers=r.headers;return t};function eo(e){let i=e;return{newRole(t){return kr(t)}}}function kr(e){return{statements:e,authorize(i,t){for(let[o,r]of Object.entries(i)){let n=e[o];return n?(t==="OR"?r.some(A=>n.includes(A)):r.every(A=>n.includes(A)))?{success:!0}:{success:!1,error:`Unauthorized to access resource "${o}"`}:{success:!1,error:`You are not allowed to access resource: ${o}`}}return{success:!1,error:"Not authorized"}}}}var Pr={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},Co=eo(Pr),Nr=Co.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),Dr=Co.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),Lr=Co.newRole({organization:[],member:[],invitation:[]}),ki={admin:Nr,owner:Dr,member:Lr};var Br={proto:/"(?:_|\\u0{2}5[Ff]){2}(?:p|\\u0{2}70)(?:r|\\u0{2}72)(?:o|\\u0{2}6[Ff])(?:t|\\u0{2}74)(?:o|\\u0{2}6[Ff])(?:_|\\u0{2}5[Ff]){2}"\s*:/,constructor:/"(?:c|\\u0063)(?:o|\\u006[Ff])(?:n|\\u006[Ee])(?:s|\\u0073)(?:t|\\u0074)(?:r|\\u0072)(?:u|\\u0075)(?:c|\\u0063)(?:t|\\u0074)(?:o|\\u006[Ff])(?:r|\\u0072)"\s*:/,protoShort:/"__proto__"\s*:/,constructorShort:/"constructor"\s*:/},xr=/^\s*["[{]|^\s*-?\d{1,16}(\.\d{1,17})?([Ee][+-]?\d+)?\s*$/,Pi={true:!0,false:!1,null:null,undefined:void 0,nan:Number.NaN,infinity:Number.POSITIVE_INFINITY,"-infinity":Number.NEGATIVE_INFINITY},jr=/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,7}))?(?:Z|([+-])(\d{2}):(\d{2}))$/;function zr(e){return e instanceof Date&&!isNaN(e.getTime())}function Fr(e){let i=jr.exec(e);if(!i)return null;let[,t,o,r,n,s,A,a,d,c,l]=i,u=new Date(Date.UTC(parseInt(t,10),parseInt(o,10)-1,parseInt(r,10),parseInt(n,10),parseInt(s,10),parseInt(A,10),a?parseInt(a.padEnd(3,"0"),10):0));if(d){let K=(parseInt(c,10)*60+parseInt(l,10))*(d==="+"?-1:1);u.setUTCMinutes(u.getUTCMinutes()+K)}return zr(u)?u:null}function Vr(e,i={}){let{strict:t=!1,warnings:o=!1,reviver:r,parseDates:n=!0}=i;if(typeof e!="string")return e;let s=e.trim();if(s[0]==='"'&&s.endsWith('"')&&!s.slice(1,-1).includes('"'))return s.slice(1,-1);let A=s.toLowerCase();if(A.length<=9&&A in Pi)return Pi[A];if(!xr.test(s)){if(t)throw new SyntaxError("[better-json] Invalid JSON");return e}if(Object.entries(Br).some(([d,c])=>{let l=c.test(s);return l&&o&&console.warn(`[better-json] Detected potential prototype pollution attempt using ${d} pattern`),l})&&t)throw new Error("[better-json] Potential prototype pollution attempt detected");try{return JSON.parse(s,(c,l)=>{if(c==="__proto__"||c==="constructor"&&l&&typeof l=="object"&&"prototype"in l){o&&console.warn(`[better-json] Dropping "${c}" key to prevent prototype pollution`);return}if(n&&typeof l=="string"){let u=Fr(l);if(u)return u}return r?r(c,l):l})}catch(d){if(t)throw d;return e}}function Ni(e,i={strict:!0}){return Vr(e,i)}var Di=Ni;var x=(e,i)=>{let t=e.adapter;return{findOrganizationBySlug:async o=>await t.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let r=await t.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),n=await t.create({model:"member",data:{organizationId:r.id,userId:o.user.id,createdAt:new Date,role:i?.creatorRole||"owner"}});return{...r,metadata:r.metadata?JSON.parse(r.metadata):void 0,members:[{...n,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let r=await t.findOne({model:"user",where:[{field:"email",value:o.email}]});if(!r)return null;let n=await t.findOne({model:"member",where:[{field:"organizationId",value:o.organizationId},{field:"userId",value:r.id}]});return n?{...n,user:{id:r.id,name:r.name,email:r.email,image:r.image}}:null},findMemberByOrgId:async o=>{let[r,n]=await Promise.all([await t.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await t.findOne({model:"user",where:[{field:"id",value:o.userId}]})]);return!n||!r?null:{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}},findMemberById:async o=>{let r=await t.findOne({model:"member",where:[{field:"id",value:o}]});if(!r)return null;let n=await t.findOne({model:"user",where:[{field:"id",value:r.userId}]});return n?{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}:null},createMember:async o=>await t.create({model:"member",data:o}),updateMember:async(o,r)=>await t.update({model:"member",where:[{field:"id",value:o}],update:{role:r}}),deleteMember:async o=>await t.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,r)=>{let n=await t.update({model:"organization",where:[{field:"id",value:o}],update:{...r,metadata:typeof r.metadata=="object"?JSON.stringify(r.metadata):r.metadata}});return n?{...n,metadata:n.metadata?Di(n.metadata):void 0}:null},deleteOrganization:async o=>(await t.delete({model:"member",where:[{field:"organizationId",value:o}]}),await t.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await t.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,r)=>await e.internalAdapter.updateSession(o,{activeOrganizationId:r}),findOrganizationById:async o=>await t.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async({organizationId:o,isSlug:r})=>{let n=await t.findOne({model:"organization",where:[{field:r?"slug":"id",value:o}]});if(!n)return null;let[s,A]=await Promise.all([t.findMany({model:"invitation",where:[{field:"organizationId",value:n.id}]}),t.findMany({model:"member",where:[{field:"organizationId",value:n.id}]})]);if(!n)return null;let a=A.map(u=>u.userId),d=await t.findMany({model:"user",where:[{field:"id",value:a,operator:"in"}]}),c=new Map(d.map(u=>[u.id,u])),l=A.map(u=>{let K=c.get(u.userId);if(!K)throw new ee("Unexpected error: User not found for member");return{...u,user:{id:K.id,name:K.name,email:K.email,image:K.image}}});return{...n,invitations:s,members:l}},listOrganizations:async o=>{let r=await t.findMany({model:"member",where:[{field:"userId",value:o}]});if(!r||r.length===0)return[];let n=r.map(A=>A.organizationId);return await t.findMany({model:"organization",where:[{field:"id",value:n,operator:"in"}]})},createInvitation:async({invitation:o,user:r})=>{let s=k(i?.invitationExpiresIn||1728e5);return await t.create({model:"invitation",data:{email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:s,inviterId:r.id}})},findInvitationById:async o=>await t.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await t.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(n=>new Date(n.expiresAt)>new Date),updateInvitation:async o=>await t.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};import"better-call";var M=N(async e=>({})),Q=N({use:[R]},async e=>({session:e.context.session}));import{z as X}from"zod";import{z as D}from"zod";var Li=D.string(),Mr=D.enum(["pending","accepted","rejected","canceled"]).default("pending"),lp=D.object({id:D.string().default($),name:D.string(),slug:D.string(),logo:D.string().nullish(),metadata:D.record(D.string()).or(D.string().transform(e=>JSON.parse(e))).nullish(),createdAt:D.date()}),gp=D.object({id:D.string().default($),organizationId:D.string(),userId:D.string(),role:Li,createdAt:D.date()}),mp=D.object({id:D.string().default($),organizationId:D.string(),email:D.string(),role:Li,status:Mr,inviterId:D.string(),expiresAt:D.date()});import{APIError as j}from"better-call";var y={YOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_ORGANIZATION:"You are not allowed to create a new organization",YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS:"You have reached the maximum number of organizations",ORGANIZATION_ALREADY_EXISTS:"Organization already exists",ORGANIZATION_NOT_FOUND:"Organization not found",USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION:"User is not a member of the organization",YOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_ORGANIZATION:"You are not allowed to update this organization",YOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_ORGANIZATION:"You are not allowed to delete this organization",NO_ACTIVE_ORGANIZATION:"No active organization",USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION:"User is already a member of this organization",MEMBER_NOT_FOUND:"Member not found",ROLE_NOT_FOUND:"Role not found",YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER:"You cannot leave the organization as the only owner",YOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_MEMBER:"You are not allowed to delete this member",YOU_ARE_NOT_ALLOWED_TO_INVITE_USERS_TO_THIS_ORGANIZATION:"You are not allowed to invite users to this organization",USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION:"User is already invited to this organization",INVITATION_NOT_FOUND:"Invitation not found",YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION:"You are not the recipient of the invitation",YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION:"You are not allowed to cancel this invitation",INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION:"Inviter is no longer a member of the organization"};var Bi=e=>p("/organization/invite-member",{method:"POST",use:[M,Q],body:X.object({email:X.string({description:"The email address of the user to invite"}),role:X.string({description:"The role to assign to the user"}),organizationId:X.string({description:"The organization ID to invite the user to"}).optional(),resend:X.boolean({description:"Resend the invitation email, if the user is already invited"}).optional()}),metadata:{openapi:{description:"Invite a user to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt"]}}}}}}}},async i=>{if(!i.context.orgOptions.sendInvitationEmail)throw i.context.logger.warn("Invitation email is not enabled. Pass `sendInvitationEmail` to the plugin options to enable it."),new j("BAD_REQUEST",{message:"Invitation email is not enabled"});let t=i.context.session,o=i.body.organizationId||t.session.activeOrganizationId;if(!o)throw new j("BAD_REQUEST",{message:y.ORGANIZATION_NOT_FOUND});let r=x(i.context,i.context.orgOptions),n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o});if(!n)throw new j("BAD_REQUEST",{message:y.MEMBER_NOT_FOUND});let s=i.context.roles[n.role];if(!s)throw new j("BAD_REQUEST",{message:y.ROLE_NOT_FOUND});if(s.authorize({invitation:["create"]}).error)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_ALLOWED_TO_INVITE_USERS_TO_THIS_ORGANIZATION});if(await r.findMemberByEmail({email:i.body.email,organizationId:o}))throw new j("BAD_REQUEST",{message:y.USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION});if((await r.findPendingInvitation({email:i.body.email,organizationId:o})).length&&!i.body.resend)throw new j("BAD_REQUEST",{message:y.USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION});let c=await r.createInvitation({invitation:{role:i.body.role,email:i.body.email,organizationId:o},user:t.user}),l=await r.findOrganizationById(o);if(!l)throw new j("BAD_REQUEST",{message:y.ORGANIZATION_NOT_FOUND});return await i.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:t.user}},i.request),i.json(c)}),xi=p("/organization/accept-invitation",{method:"POST",body:X.object({invitationId:X.string({description:"The ID of the invitation to accept"})}),use:[M,Q],metadata:{openapi:{description:"Accept an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"object"}}}}}}}}}},async e=>{let i=e.context.session,t=x(e.context,e.context.orgOptions),o=await t.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new j("BAD_REQUEST",{message:y.INVITATION_NOT_FOUND});if(o.email!==i.user.email)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION});let r=await t.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),n=await t.createMember({organizationId:o.organizationId,userId:i.user.id,role:o.role,createdAt:new Date});return await t.setActiveOrganization(i.session.token,o.organizationId),r?e.json({invitation:r,member:n}):e.json(null,{status:400,body:{message:y.INVITATION_NOT_FOUND}})}),ji=p("/organization/reject-invitation",{method:"POST",body:X.object({invitationId:X.string({description:"The ID of the invitation to reject"})}),use:[M,Q],metadata:{openapi:{description:"Reject an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"null"}}}}}}}}}},async e=>{let i=e.context.session,t=x(e.context,e.context.orgOptions),o=await t.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new j("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==i.user.email)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION});let r=await t.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:r,member:null})}),zi=p("/organization/cancel-invitation",{method:"POST",body:X.object({invitationId:X.string({description:"The ID of the invitation to cancel"})}),use:[M,Q],openapi:{description:"Cancel an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"}}}}}}}}},async e=>{let i=e.context.session,t=x(e.context,e.context.orgOptions),o=await t.findInvitationById(e.body.invitationId);if(!o)throw new j("BAD_REQUEST",{message:y.INVITATION_NOT_FOUND});let r=await t.findMemberByOrgId({userId:i.user.id,organizationId:o.organizationId});if(!r)throw new j("BAD_REQUEST",{message:y.MEMBER_NOT_FOUND});if(e.context.roles[r.role].authorize({invitation:["cancel"]}).error)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION});let s=await t.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(s)}),Fi=p("/organization/get-invitation",{method:"GET",use:[M],requireHeaders:!0,query:X.object({id:X.string({description:"The ID of the invitation to get"})}),metadata:{openapi:{description:"Get an invitation by ID",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"},organizationName:{type:"string"},organizationSlug:{type:"string"},inviterEmail:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt","organizationName","organizationSlug","inviterEmail"]}}}}}}}},async e=>{let i=await S(e);if(!i)throw new j("UNAUTHORIZED",{message:"Not authenticated"});let t=x(e.context,e.context.orgOptions),o=await t.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new j("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==i.user.email)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION});let r=await t.findOrganizationById(o.organizationId);if(!r)throw new j("BAD_REQUEST",{message:y.ORGANIZATION_NOT_FOUND});let n=await t.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!n)throw new j("BAD_REQUEST",{message:y.INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION});return e.json({...o,organizationName:r.name,organizationSlug:r.slug,inviterEmail:n.user.email})});import{z as ae}from"zod";import{APIError as ye}from"better-call";var Vi=()=>p("/organization/add-member",{method:"POST",body:ae.object({userId:ae.string(),role:ae.string(),organizationId:ae.string().optional()}),use:[M],metadata:{SERVER_ONLY:!0}},async e=>{let i=e.body.userId?await S(e).catch(A=>null):null,t=e.body.organizationId||i?.session.activeOrganizationId;if(!t)return e.json(null,{status:400,body:{message:y.NO_ACTIVE_ORGANIZATION}});let o=x(e.context,e.context.orgOptions),r=await e.context.internalAdapter.findUserById(e.body.userId);if(!r)throw new ye("BAD_REQUEST",{message:g.USER_NOT_FOUND});if(await o.findMemberByEmail({email:r.email,organizationId:t}))throw new ye("BAD_REQUEST",{message:y.USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION});let s=await o.createMember({id:$(),organizationId:t,userId:r.id,role:e.body.role,createdAt:new Date});return e.json(s)}),Mi=p("/organization/remove-member",{method:"POST",body:ae.object({memberIdOrEmail:ae.string({description:"The ID or email of the member to remove"}),organizationId:ae.string({description:"The ID of the organization to remove the member from. If not provided, the active organization will be used"}).optional()}),use:[M,Q],metadata:{openapi:{description:"Remove a member from an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async e=>{let i=e.context.session,t=e.body.organizationId||i.session.activeOrganizationId;if(!t)return e.json(null,{status:400,body:{message:y.NO_ACTIVE_ORGANIZATION}});let o=x(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:i.user.id,organizationId:t});if(!r)throw new ye("BAD_REQUEST",{message:y.MEMBER_NOT_FOUND});let n=e.context.roles[r.role];if(!n)throw new ye("BAD_REQUEST",{message:y.ROLE_NOT_FOUND});let s=i.user.email===e.body.memberIdOrEmail||r.id===e.body.memberIdOrEmail;if(s&&r.role===(e.context.orgOptions?.creatorRole||"owner"))throw new ye("BAD_REQUEST",{message:y.YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER});if(!(s||n.authorize({member:["delete"]}).success))throw new ye("UNAUTHORIZED",{message:y.YOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_MEMBER});let d=null;if(e.body.memberIdOrEmail.includes("@")?d=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:t}):d=await o.findMemberById(e.body.memberIdOrEmail),d?.organizationId!==t)throw new ye("BAD_REQUEST",{message:y.MEMBER_NOT_FOUND});return await o.deleteMember(d.id),i.user.id===d.userId&&i.session.activeOrganizationId===d.organizationId&&await o.setActiveOrganization(i.session.token,null),e.json({member:d})}),qi=e=>p("/organization/update-member-role",{method:"POST",body:ae.object({role:ae.string(),memberId:ae.string(),organizationId:ae.string().optional()}),use:[M,Q],metadata:{openapi:{description:"Update the role of a member in an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async i=>{let t=i.context.session,o=i.body.organizationId||t.session.activeOrganizationId;if(!o)return i.json(null,{status:400,body:{message:y.NO_ACTIVE_ORGANIZATION}});let r=x(i.context,i.context.orgOptions),n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o});if(!n)return i.json(null,{status:400,body:{message:y.MEMBER_NOT_FOUND}});let s=i.context.roles[n.role];if(!s)return i.json(null,{status:400,body:{message:y.ROLE_NOT_FOUND}});if(s.authorize({member:["update"]}).error||i.body.role==="owner"&&n.role!=="owner")return i.json(null,{body:{message:"You are not allowed to update this member"},status:403});let a=await r.updateMember(i.body.memberId,i.body.role);return a?i.json(a):i.json(null,{status:400,body:{message:y.MEMBER_NOT_FOUND}})}),Hi=p("/organization/get-active-member",{method:"GET",use:[M,Q],metadata:{openapi:{description:"Get the active member in the organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}}}}}}}},async e=>{let i=e.context.session,t=i.session.activeOrganizationId;if(!t)return e.json(null,{status:400,body:{message:y.NO_ACTIVE_ORGANIZATION}});let r=await x(e.context,e.context.orgOptions).findMemberByOrgId({userId:i.user.id,organizationId:t});return r?e.json(r):e.json(null,{status:400,body:{message:y.MEMBER_NOT_FOUND}})});import{z as _}from"zod";import{APIError as le}from"better-call";var $i=p("/organization/create",{method:"POST",body:_.object({name:_.string({description:"The name of the organization"}),slug:_.string({description:"The slug of the organization"}),userId:_.string({description:"The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server."}).optional(),logo:_.string({description:"The logo of the organization"}).optional(),metadata:_.record(_.string(),_.any(),{description:"The metadata of the organization"}).optional()}),use:[M],metadata:{openapi:{description:"Create an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization that was created",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let i=await S(e);if(!i&&(e.request||e.headers))throw new le("UNAUTHORIZED");let t=i?.user||null;if(!t){if(!e.body.userId)throw new le("UNAUTHORIZED");t=await e.context.internalAdapter.findUserById(e.body.userId)}if(!t)return e.json(null,{status:401});let o=e.context.orgOptions;if(!(typeof o?.allowUserToCreateOrganization=="function"?await o.allowUserToCreateOrganization(t):o?.allowUserToCreateOrganization===void 0?!0:o.allowUserToCreateOrganization))throw new le("FORBIDDEN",{message:y.YOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_ORGANIZATION});let n=x(e.context,o),s=await n.listOrganizations(t.id);if(typeof o.organizationLimit=="number"?s.length>=o.organizationLimit:typeof o.organizationLimit=="function"?await o.organizationLimit(t):!1)throw new le("FORBIDDEN",{message:y.YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS});if(await n.findOrganizationBySlug(e.body.slug))throw new le("BAD_REQUEST",{message:y.ORGANIZATION_ALREADY_EXISTS});let d=await n.createOrganization({organization:{id:$(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return e.context.session&&await n.setActiveOrganization(e.context.session.session.token,d.id),e.json(d)}),Gi=p("/organization/update",{method:"POST",body:_.object({data:_.object({name:_.string({description:"The name of the organization"}).optional(),slug:_.string({description:"The slug of the organization"}).optional(),logo:_.string({description:"The logo of the organization"}).optional(),metadata:_.record(_.string(),_.any(),{description:"The metadata of the organization"}).optional()}).partial(),organizationId:_.string().optional()}),requireHeaders:!0,use:[M],metadata:{openapi:{description:"Update an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The updated organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let i=await e.context.getSession(e);if(!i)throw new le("UNAUTHORIZED",{message:"User not found"});let t=e.body.organizationId||i.session.activeOrganizationId;if(!t)return e.json(null,{status:400,body:{message:y.ORGANIZATION_NOT_FOUND}});let o=x(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:i.user.id,organizationId:t});if(!r)return e.json(null,{status:400,body:{message:y.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["update"]}).error)return e.json(null,{body:{message:y.YOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_ORGANIZATION},status:403});let A=await o.updateOrganization(t,e.body.data);return e.json(A)}),Zi=p("/organization/delete",{method:"POST",body:_.object({organizationId:_.string({description:"The organization id to delete"})}),requireHeaders:!0,use:[M],metadata:{openapi:{description:"Delete an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string",description:"The organization id that was deleted"}}}}}}}},async e=>{let i=await e.context.getSession(e);if(!i)return e.json(null,{status:401});let t=e.body.organizationId;if(!t)return e.json(null,{status:400,body:{message:y.ORGANIZATION_NOT_FOUND}});let o=x(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:i.user.id,organizationId:t});if(!r)return e.json(null,{status:400,body:{message:y.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["delete"]}).error)throw new le("FORBIDDEN",{message:y.YOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_ORGANIZATION});return t===i.session.activeOrganizationId&&await o.setActiveOrganization(i.session.token,null),await o.deleteOrganization(t),e.json(t)}),Qi=p("/organization/get-full-organization",{method:"GET",query:_.optional(_.object({organizationId:_.string({description:"The organization id to get"}).optional(),organizationSlug:_.string({description:"The organization slug to get"}).optional()})),requireHeaders:!0,use:[M,Q],metadata:{openapi:{description:"Get the full organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let i=e.context.session,t=e.query?.organizationSlug||e.query?.organizationId||i.session.activeOrganizationId;if(!t)return e.json(null,{status:200});let r=await x(e.context,e.context.orgOptions).findFullOrganization({organizationId:t,isSlug:!!e.query?.organizationSlug});if(!r)throw new le("BAD_REQUEST",{message:y.ORGANIZATION_NOT_FOUND});return e.json(r)}),Wi=p("/organization/set-active",{method:"POST",body:_.object({organizationId:_.string({description:"The organization id to set as active. It can be null to unset the active organization"}).nullable().optional(),organizationSlug:_.string({description:"The organization slug to set as active. It can be null to unset the active organization if organizationId is not provided"}).optional()}),use:[Q,M],metadata:{openapi:{description:"Set the active organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let i=x(e.context,e.context.orgOptions),t=e.context.session,o=e.body.organizationSlug||e.body.organizationId;if(o===null){if(!t.session.activeOrganizationId)return e.json(null);let a=await i.setActiveOrganization(t.session.token,null);return await h(e,{session:a,user:t.user}),e.json(null)}if(!o){let A=t.session.activeOrganizationId;if(!A)return e.json(null);o=A}let r=await i.findFullOrganization({organizationId:o,isSlug:!!e.body.organizationSlug});if(!r?.members.find(A=>A.userId===t.user.id))throw await i.setActiveOrganization(t.session.token,null),new le("FORBIDDEN",{message:y.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION});let s=await i.setActiveOrganization(t.session.token,o);return await h(e,{session:s,user:t.user}),e.json(r)}),Ji=p("/organization/list",{method:"GET",use:[M,Q],metadata:{openapi:{description:"List all organizations",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{$ref:"#/components/schemas/Organization"}}}}}}}}},async e=>{let t=await x(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(t)});var qr=eo({name:["action"]}),sK=qr.newRole({name:["action"]}),aK=e=>{let i={createOrganization:$i,updateOrganization:Gi,deleteOrganization:Zi,setActiveOrganization:Wi,getFullOrganization:Qi,listOrganizations:Ji,createInvitation:Bi(e),cancelInvitation:zi,acceptInvitation:xi,getInvitation:Fi,rejectInvitation:ji,addMember:Vi(),removeMember:Mi,updateMemberRole:qi(e),getActiveMember:Hi},t={...ki,...e?.roles};return{id:"organization",endpoints:{...vi(i,{orgOptions:e||{},roles:t,getSession:async r=>await S(r)}),hasPermission:p("/organization/has-permission",{method:"POST",requireHeaders:!0,body:xe.object({permission:xe.record(xe.string(),xe.array(xe.string()))}),use:[Q],metadata:{openapi:{description:"Check if the user has permission",requestBody:{content:{"application/json":{schema:{type:"object",properties:{permission:{type:"object",description:"The permission to check"}},required:["permission"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{error:{type:"string"},success:{type:"boolean"}},required:["success"]}}}}}}}},async r=>{if(!r.context.session.session.activeOrganizationId)throw new Yi("BAD_REQUEST",{message:y.NO_ACTIVE_ORGANIZATION});let s=await x(r.context).findMemberByOrgId({userId:r.context.session.user.id,organizationId:r.context.session.session.activeOrganizationId||""});if(!s)throw new Yi("UNAUTHORIZED",{message:y.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION});let a=t[s.role].authorize(r.body.permission);return a.error?r.json({error:a.error,success:!1},{status:403}):r.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1,fieldName:e?.schema?.session?.fields?.activeOrganizationId}}},organization:{modelName:e?.schema?.organization?.modelName,fields:{name:{type:"string",required:!0,fieldName:e?.schema?.organization?.fields?.name},slug:{type:"string",unique:!0,fieldName:e?.schema?.organization?.fields?.slug},logo:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.logo},createdAt:{type:"date",required:!0,fieldName:e?.schema?.organization?.fields?.createdAt},metadata:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.metadata}}},member:{modelName:e?.schema?.member?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.member?.fields?.organizationId},userId:{type:"string",required:!0,fieldName:e?.schema?.member?.fields?.userId,references:{model:"user",field:"id"}},role:{type:"string",required:!0,defaultValue:"member",fieldName:e?.schema?.member?.fields?.role},createdAt:{type:"date",required:!0,fieldName:e?.schema?.member?.fields?.createdAt}}},invitation:{modelName:e?.schema?.invitation?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.invitation?.fields?.organizationId},email:{type:"string",required:!0,fieldName:e?.schema?.invitation?.fields?.email},role:{type:"string",required:!1,fieldName:e?.schema?.invitation?.fields?.role},status:{type:"string",required:!0,defaultValue:"pending",fieldName:e?.schema?.invitation?.fields?.status},expiresAt:{type:"date",required:!0,fieldName:e?.schema?.invitation?.fields?.expiresAt},inviterId:{type:"string",references:{model:"user",field:"id"},fieldName:e?.schema?.invitation?.fields?.inviterId,required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}},$ERROR_CODES:y}};import{z as ro}from"zod";import{z as ge}from"zod";import{APIError as je}from"better-call";var oo="two_factor";var io="trust_device";import{z as Xi}from"zod";var we=N({body:Xi.object({trustDevice:Xi.boolean().optional()})},async e=>{let i=await S(e);if(!i){let t=e.context.createAuthCookie(oo),o=await e.getSignedCookie(t.name,e.context.secret);if(!o)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let r=await e.context.internalAdapter.findUserById(o);if(!r)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let n=await e.context.internalAdapter.createSession(o,e.request);if(!n)throw new je("INTERNAL_SERVER_ERROR",{message:"failed to create session"});return{valid:async()=>{if(await h(e,{session:n,user:r}),e.body.trustDevice){let s=e.context.createAuthCookie(io,{maxAge:2592e3}),A=await Le(e.context.secret,`${r.id}!${n.token}`);await e.setSignedCookie(s.name,`${A}!${n.token}`,e.context.secret,s.attributes)}return e.json({session:n,user:r})},invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{session:n,user:r}}}return{valid:async()=>e.json({session:i,user:i.user}),invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:i}});import{APIError as ze}from"better-call";var W={OTP_NOT_ENABLED:"OTP not enabled",OTP_HAS_EXPIRED:"OTP has expired",TOTP_NOT_ENABLED:"TOTP not enabled",TWO_FACTOR_NOT_ENABLED:"Two factor isn't enabled",BACKUP_CODES_NOT_ENABLED:"Backup codes aren't enabled",INVALID_BACKUP_CODE:"Invalid backup code"};function Hr(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>z(e?.length??10,F("a-z","0-9"))).map(i=>`${i.slice(0,5)}-${i.slice(5)}`)}async function bo(e,i){let t=e,o=i?.customBackupCodesGenerate?i.customBackupCodesGenerate():Hr(),r=await ue({data:JSON.stringify(o),key:t});return{backupCodes:o,encryptedBackupCodes:r}}async function $r(e,i){let t=await et(e.backupCodes,i);return t?{status:t.includes(e.code),updated:t.filter(o=>o!==e.code)}:{status:!1,updated:null}}async function et(e,i){let t=Buffer.from(await fe({key:i,data:e})).toString("utf-8"),o=JSON.parse(t),r=ge.array(ge.string()).safeParse(o);return r.success?r.data:null}var ot=(e,i)=>({id:"backup_code",endpoints:{verifyBackupCode:p("/two-factor/verify-backup-code",{method:"POST",body:ge.object({code:ge.string(),disableSession:ge.boolean().optional()}),use:[we]},async t=>{let o=t.context.session.user,r=await t.context.adapter.findOne({model:i,where:[{field:"userId",value:o.id}]});if(!r)throw new ze("BAD_REQUEST",{message:W.BACKUP_CODES_NOT_ENABLED});let n=await $r({backupCodes:r.backupCodes,code:t.body.code},t.context.secret);if(!n.status)throw new ze("UNAUTHORIZED",{message:W.INVALID_BACKUP_CODE});let s=await ue({key:t.context.secret,data:JSON.stringify(n.updated)});return await t.context.adapter.updateMany({model:i,update:{backupCodes:s},where:[{field:"userId",value:o.id}]}),t.body.disableSession||await h(t,{session:t.context.session.session,user:o}),t.json({user:o,session:t.context.session})}),generateBackupCodes:p("/two-factor/generate-backup-codes",{method:"POST",body:ge.object({password:ge.string()}),use:[R]},async t=>{let o=t.context.session.user;if(!o.twoFactorEnabled)throw new ze("BAD_REQUEST",{message:W.TWO_FACTOR_NOT_ENABLED});await t.context.password.checkPassword(o.id,t);let r=await bo(t.context.secret,e);return await t.context.adapter.update({model:i,update:{backupCodes:r.encryptedBackupCodes},where:[{field:"userId",value:t.context.session.user.id}]}),t.json({status:!0,backupCodes:r.backupCodes})}),viewBackupCodes:p("/two-factor/view-backup-codes",{method:"GET",body:ge.object({userId:ge.string()}),metadata:{SERVER_ONLY:!0}},async t=>{let o=await t.context.adapter.findOne({model:i,where:[{field:"userId",value:t.body.userId}]});if(!o)throw new ze("BAD_REQUEST",{message:"Backup codes aren't enabled"});let r=await et(o.backupCodes,t.context.secret);if(!r)throw new ze("BAD_REQUEST",{message:W.BACKUP_CODES_NOT_ENABLED});return t.json({status:!0,backupCodes:r})})}});import{APIError as Fe}from"better-call";import{z as it}from"zod";import{TimeSpan as Gr}from"oslo";var tt=(e,i)=>{let t={...e,digits:e?.digits||6,period:new Gr(e?.period||3,"m")},o=p("/two-factor/send-otp",{method:"POST",use:[we],metadata:{openapi:{summary:"Send two factor OTP",description:"Send two factor OTP to the user",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async n=>{if(!e||!e.sendOTP)throw n.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new Fe("BAD_REQUEST",{message:"otp isn't configured"});let s=n.context.session.user;if(!await n.context.adapter.findOne({model:i,where:[{field:"userId",value:s.id}]}))throw new Fe("BAD_REQUEST",{message:W.OTP_NOT_ENABLED});let a=z(t.digits,F("0-9"));return await n.context.internalAdapter.createVerificationValue({value:a,identifier:`2fa-otp-${s.id}`,expiresAt:new Date(Date.now()+t.period.milliseconds())}),await e.sendOTP({user:s,otp:a},n.request),n.json({status:!0})}),r=p("/two-factor/verify-otp",{method:"POST",body:it.object({code:it.string({description:"The otp code to verify"})}),use:[we],metadata:{openapi:{summary:"Verify two factor OTP",description:"Verify two factor OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async n=>{let s=n.context.session.user;if(!s.twoFactorEnabled)throw new Fe("BAD_REQUEST",{message:"two factor isn't enabled"});if(!await n.context.adapter.findOne({model:i,where:[{field:"userId",value:s.id}]}))throw new Fe("BAD_REQUEST",{message:W.OTP_NOT_ENABLED});let a=await n.context.internalAdapter.findVerificationValue(`2fa-otp-${s.id}`);if(!a||a.expiresAt<new Date)throw new Fe("BAD_REQUEST",{message:W.OTP_HAS_EXPIRED});return a.value===n.body.code?n.context.valid():n.context.invalid()});return{id:"otp",endpoints:{sendTwoFactorOTP:o,verifyTwoFactorOTP:r}}};import{APIError as Re}from"better-call";import{TimeSpan as Zr}from"oslo";import{TOTPController as rt,createTOTPKeyURI as Qr}from"oslo/otp";import{z as to}from"zod";var nt=(e,i)=>{let t={...e,digits:e?.digits||6,period:new Zr(e?.period||30,"s")},o=p("/totp/generate",{method:"POST",use:[R],metadata:{openapi:{summary:"Generate TOTP code",description:"Use this endpoint to generate a TOTP code",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{code:{type:"string"}}}}}}}}}},async s=>{if(!e)throw s.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Re("BAD_REQUEST",{message:"totp isn't configured"});let A=s.context.session.user,a=await s.context.adapter.findOne({model:i,where:[{field:"userId",value:A.id}]});if(!a)throw new Re("BAD_REQUEST",{message:W.TOTP_NOT_ENABLED});return{code:await new rt(t).generate(Buffer.from(a.secret))}}),r=p("/two-factor/get-totp-uri",{method:"POST",use:[R],body:to.object({password:to.string({description:"User password"})}),metadata:{openapi:{summary:"Get TOTP URI",description:"Use this endpoint to get the TOTP URI",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string"}}}}}}}}}},async s=>{if(!e)throw s.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Re("BAD_REQUEST",{message:"totp isn't configured"});let A=s.context.session.user,a=await s.context.adapter.findOne({model:i,where:[{field:"userId",value:A.id}]});if(!a||!A.twoFactorEnabled)throw new Re("BAD_REQUEST",{message:W.TOTP_NOT_ENABLED});return await s.context.password.checkPassword(A.id,s),{totpURI:Qr(e.issuer||s.context.appName,A.email,Buffer.from(a.secret),t)}}),n=p("/two-factor/verify-totp",{method:"POST",body:to.object({code:to.string({description:"The otp code to verify"})}),use:[we],metadata:{openapi:{summary:"Verify two factor TOTP",description:"Verify two factor TOTP",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async s=>{if(!e)throw s.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Re("BAD_REQUEST",{message:"totp isn't configured"});let A=s.context.session.user,a=await s.context.adapter.findOne({model:i,where:[{field:"userId",value:A.id}]});if(!a)throw new Re("BAD_REQUEST",{message:W.TOTP_NOT_ENABLED});let d=new rt(t),c=await fe({key:s.context.secret,data:a.secret}),l=Buffer.from(c);if(!await d.verify(s.body.code,l))return s.context.invalid();if(!A.twoFactorEnabled){let K=await s.context.internalAdapter.updateUser(A.id,{twoFactorEnabled:!0}),m=await s.context.internalAdapter.createSession(A.id,s.request,!1,s.context.session.session).catch(E=>{throw console.log(E),E});await s.context.internalAdapter.deleteSession(s.context.session.session.token),await h(s,{session:m,user:K})}return s.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,getTOTPURI:r,verifyTOTP:n}}};import{APIError as JK}from"better-call";async function Oo(e,i){let o=(await e.context.internalAdapter.findAccounts(i.userId))?.find(s=>s.providerId==="credential"),r=o?.password;return!o||!r?!1:await e.context.password.verify({hash:r,password:i.password})}import{APIError as At}from"better-call";import{createTOTPKeyURI as Jr}from"oslo/otp";import{TimeSpan as Yr}from"oslo";import{APIError as Wr}from"better-call";var st=async e=>{let i=e.context.returned;return i?i instanceof Response?i.status!==200?null:await i.clone().json():i instanceof Wr?null:i:null};var at={user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}};var iu=e=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:i=>i.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(i){i.data?.twoFactorRedirect&&e?.onTwoFactorRedirect&&await e.onTwoFactorRedirect()}}}]});var Tu=e=>{let i={twoFactorTable:"twoFactor"},t=nt({issuer:e?.issuer,...e?.totpOptions},i.twoFactorTable),o=ot({...e?.backupCodeOptions},i.twoFactorTable),r=tt({...e?.otpOptions},i.twoFactorTable);return{id:"two-factor",endpoints:{...t.endpoints,...r.endpoints,...o.endpoints,enableTwoFactor:p("/two-factor/enable",{method:"POST",body:ro.object({password:ro.string({description:"User password"}).min(8)}),use:[R],metadata:{openapi:{summary:"Enable two factor authentication",description:"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string",description:"TOTP URI"},backupCodes:{type:"array",items:{type:"string"},description:"Backup codes"}}}}}}}}}},async n=>{let s=n.context.session.user,{password:A}=n.body;if(!await Oo(n,{password:A,userId:s.id}))throw new At("BAD_REQUEST",{message:g.INVALID_PASSWORD});let d=z(16,F("a-z","0-9","-")),c=await ue({key:n.context.secret,data:d}),l=await bo(n.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let K=await n.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),m=await n.context.internalAdapter.createSession(K.id,n.request,!1,n.context.session.session);await h(n,{session:m,user:s}),await n.context.internalAdapter.deleteSession(n.context.session.session.token)}await n.context.adapter.deleteMany({model:i.twoFactorTable,where:[{field:"userId",value:s.id}]}),await n.context.adapter.create({model:i.twoFactorTable,data:{secret:c,backupCodes:l.encryptedBackupCodes,userId:s.id}});let u=Jr(e?.issuer||"BetterAuth",s.email,Buffer.from(d),{digits:e?.totpOptions?.digits||6,period:new Yr(e?.totpOptions?.period||30,"s")});return n.json({totpURI:u,backupCodes:l.backupCodes})}),disableTwoFactor:p("/two-factor/disable",{method:"POST",body:ro.object({password:ro.string({description:"User password"}).min(8)}),use:[R],metadata:{openapi:{summary:"Disable two factor authentication",description:"Use this endpoint to disable two factor authentication.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async n=>{let s=n.context.session.user,{password:A}=n.body;if(!await Oo(n,{password:A,userId:s.id}))throw new At("BAD_REQUEST",{message:"Invalid password"});await n.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!1}),await n.context.adapter.delete({model:i.twoFactorTable,where:[{field:"userId",value:s.id}]});let d=await n.context.internalAdapter.createSession(s.id,n.request,!1,n.context.session.session);return await h(n,{session:d,user:s}),await n.context.internalAdapter.deleteSession(n.context.session.session.token),n.json({status:!0})})},options:e,hooks:{after:[{matcher(n){return n.path==="/sign-in/email"||n.path==="/sign-in/username"},handler:N(async n=>{let s=n.context.newSession;if(!s||!s?.user.twoFactorEnabled)return;let A=n.context.createAuthCookie(io),a=await n.getSignedCookie(A.name,n.context.secret);if(a){let[c,l]=a.split("!"),u=await Le(n.context.secret,`${s.user.id}!${l}`);if(c===u){let K=await Le(n.context.secret,`${s.user.id}!${s.session.token}`);await n.setSignedCookie(A.name,`${K}!${s.session.token}`,n.context.secret,A.attributes);return}}H(n),await n.context.internalAdapter.deleteSession(s.session.token);let d=n.context.createAuthCookie(oo,{maxAge:60*10});return await n.setSignedCookie(d.name,s.user.id,n.context.secret,d.attributes),n.json({twoFactorRedirect:!0})})}]},schema:oe(at,e?.schema),rateLimit:[{pathMatcher(n){return n.startsWith("/two-factor/")},window:10,max:3}]}};import{generateAuthenticationOptions as an,generateRegistrationOptions as An,verifyAuthenticationResponse as dn,verifyRegistrationResponse as cn}from"@simplewebauthn/server";import{APIError as Y}from"better-call";import{z as re}from"zod";import{WebAuthnError as on,startAuthentication as tn,startRegistration as rn}from"@simplewebauthn/browser";import{createFetch as Vu}from"@better-fetch/fetch";import"nanostores";import"@better-fetch/fetch";import{atom as Nu}from"nanostores";import"@better-fetch/fetch";import{atom as Xr,onMount as en}from"nanostores";var To=(e,i,t,o)=>{let r=Xr({data:null,error:null,isPending:!0,isRefetching:!1}),n=()=>{let A=typeof o=="function"?o({data:r.get().data,error:r.get().error,isPending:r.get().isPending}):o;return t(i,{...A,async onSuccess(a){r.set({data:a.data,error:null,isPending:!1,isRefetching:!1}),await A?.onSuccess?.(a)},async onError(a){r.set({error:a.error,data:null,isPending:!1,isRefetching:!1}),await A?.onError?.(a)},async onRequest(a){let d=r.get();r.set({isPending:d.data===null,data:d.data,error:null,isRefetching:!0}),await A?.onRequest?.(a)}})};e=Array.isArray(e)?e:[e];let s=!1;for(let A of e)A.subscribe(()=>{s?n():en(r,()=>(n(),s=!0,()=>{r.off(),A.off()}))});return r};import{atom as nn}from"nanostores";var sn=(e,{$listPasskeys:i})=>({signIn:{passkey:async(r,n)=>{let s=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:r?.email}});if(!s.data)return s;try{let A=await tn(s.data,r?.autoFill||!1),a=await e("/passkey/verify-authentication",{body:{response:A},...r?.fetchOptions,...n,method:"POST"});if(!a.data)return a}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(r,n)=>{let s=await e("/passkey/generate-register-options",{method:"GET"});if(!s.data)return s;try{let A=await rn(s.data),a=await e("/passkey/verify-registration",{...r?.fetchOptions,...n,body:{response:A,name:r?.name},method:"POST"});if(!a.data)return a;i.set(Math.random())}catch(A){return A instanceof on?A.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:A.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:A.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:A instanceof Error?A.message:"unknown error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),cl=()=>{let e=nn();return{id:"passkey",$InferServerPlugin:{},getActions:i=>sn(i,{$listPasskeys:e}),getAtoms(i){return{listPasskeys:To(e,"/passkey/list-user-passkeys",i,{method:"GET"}),$listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(i){return i==="/passkey/verify-registration"||i==="/passkey/delete-passkey"||i==="/passkey/update-passkey"},signal:"_listPasskeys"}]}};var Tl=e=>{let i=ne.BETTER_AUTH_URL,t=e?.rpID||i?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!t)throw new ee("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:t,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},r=new Date(Date.now()+1e3*60*5),n=new Date,s=Math.floor((r.getTime()-n.getTime())/1e3),A={CHALLENGE_NOT_FOUND:"Challenge not found",YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY:"You are not allowed to register this passkey",FAILED_TO_VERIFY_REGISTRATION:"Failed to verify registration",PASSKEY_NOT_FOUND:"Passkey not found",AUTHENTICATION_FAILED:"Authentication failed",UNABLE_TO_CREATE_SESSION:"Unable to create session",FAILED_TO_UPDATE_PASSKEY:"Failed to update passkey"};return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:p("/passkey/generate-register-options",{method:"GET",use:[ve],metadata:{client:!1,openapi:{description:"Generate registration options for a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},pubKeyCredParams:{type:"array",items:{type:"object",properties:{type:{type:"string"},alg:{type:"number"}}}},timeout:{type:"number"},excludeCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},attestation:{type:"string"},extensions:{type:"object"}}}}}}}}}},async a=>{let d=a.context.session,c=await a.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),l=new Uint8Array(Buffer.from(z(32,F("a-z","0-9")))),u;u=await An({rpName:o.rpName||a.context.appName,rpID:o.rpID,userID:l,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:c.map(m=>({id:m.id,transports:m.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let K=$(32);return await a.setSignedCookie(o.advanced.webAuthnChallengeCookie,K,a.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:s}),await a.context.internalAdapter.createVerificationValue({identifier:K,value:JSON.stringify({expectedChallenge:u.challenge,userData:{id:d.user.id}}),expiresAt:r}),a.json(u,{status:200})}),generatePasskeyAuthenticationOptions:p("/passkey/generate-authenticate-options",{method:"POST",body:re.object({email:re.string({description:"The email address of the user"}).optional()}).optional(),metadata:{openapi:{description:"Generate authentication options for a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},timeout:{type:"number"},allowCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},userVerification:{type:"string"},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},extensions:{type:"object"}}}}}}}}}},async a=>{let d=await S(a),c=[];d&&(c=await a.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let l=await an({rpID:o.rpID,userVerification:"preferred",...c.length?{allowCredentials:c.map(m=>({id:m.id,transports:m.transports?.split(",")}))}:{}}),u={expectedChallenge:l.challenge,userData:{id:d?.user.id||""}},K=$(32);return await a.setSignedCookie(o.advanced.webAuthnChallengeCookie,K,a.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:s}),await a.context.internalAdapter.createVerificationValue({identifier:K,value:JSON.stringify(u),expiresAt:r}),a.json(l,{status:200})}),verifyPasskeyRegistration:p("/passkey/verify-registration",{method:"POST",body:re.object({response:re.any({description:"The response from the authenticator"}),name:re.string({description:"Name of the passkey"}).optional()}),use:[ve],metadata:{openapi:{description:"Verify registration of a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{$ref:"#/components/schemas/Passkey"}}}},400:{description:"Bad request"}}}}},async a=>{let d=e?.origin||a.headers?.get("origin")||"";if(!d)return a.json(null,{status:400});let c=a.body.response,l=await a.getSignedCookie(o.advanced.webAuthnChallengeCookie,a.context.secret);if(!l)throw new Y("BAD_REQUEST",{message:A.CHALLENGE_NOT_FOUND});let u=await a.context.internalAdapter.findVerificationValue(l);if(!u)return a.json(null,{status:400});let{expectedChallenge:K,userData:m}=JSON.parse(u.value);if(m.id!==a.context.session.user.id)throw new Y("UNAUTHORIZED",{message:A.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY});try{let E=await cn({response:c,expectedChallenge:K,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:v,registrationInfo:f}=E;if(!v||!f)return a.json(null,{status:400});let{credentialID:w,credentialPublicKey:b,counter:I,credentialDeviceType:q,credentialBackedUp:$e}=f,wt=Buffer.from(b).toString("base64"),Ct={name:a.body.name,userId:m.id,webauthnUserID:a.context.generateId({model:"passkey"}),id:w,publicKey:wt,counter:I,deviceType:q,transports:c.response.transports.join(","),backedUp:$e,createdAt:new Date},bt=await a.context.adapter.create({model:"passkey",data:Ct});return a.json(bt,{status:200})}catch(E){throw console.log(E),new Y("INTERNAL_SERVER_ERROR",{message:A.FAILED_TO_VERIFY_REGISTRATION})}}),verifyPasskeyAuthentication:p("/passkey/verify-authentication",{method:"POST",body:re.object({response:re.any()}),metadata:{openapi:{description:"Verify authentication of a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async a=>{let d=e?.origin||a.headers?.get("origin")||"";if(!d)throw new Y("BAD_REQUEST",{message:"origin missing"});let c=a.body.response,l=await a.getSignedCookie(o.advanced.webAuthnChallengeCookie,a.context.secret);if(!l)throw new Y("BAD_REQUEST",{message:A.CHALLENGE_NOT_FOUND});let u=await a.context.internalAdapter.findVerificationValue(l);if(!u)throw new Y("BAD_REQUEST",{message:A.CHALLENGE_NOT_FOUND});let{expectedChallenge:K}=JSON.parse(u.value),m=await a.context.adapter.findOne({model:"passkey",where:[{field:"id",value:c.id}]});if(!m)throw new Y("UNAUTHORIZED",{message:A.PASSKEY_NOT_FOUND});try{let E=await dn({response:c,expectedChallenge:K,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:m.id,credentialPublicKey:new Uint8Array(Buffer.from(m.publicKey,"base64")),counter:m.counter,transports:m.transports?.split(",")},requireUserVerification:!1}),{verified:v}=E;if(!v)throw new Y("UNAUTHORIZED",{message:A.AUTHENTICATION_FAILED});await a.context.adapter.update({model:"passkey",where:[{field:"id",value:m.id}],update:{counter:E.authenticationInfo.newCounter}});let f=await a.context.internalAdapter.createSession(m.userId,a.request);if(!f)throw new Y("INTERNAL_SERVER_ERROR",{message:A.UNABLE_TO_CREATE_SESSION});let w=await a.context.internalAdapter.findUserById(m.userId);if(!w)throw new Y("INTERNAL_SERVER_ERROR",{message:"User not found"});return await h(a,{session:f,user:w}),a.json({session:f},{status:200})}catch(E){throw a.context.logger.error("Failed to verify authentication",E),new Y("BAD_REQUEST",{message:A.AUTHENTICATION_FAILED})}}),listPasskeys:p("/passkey/list-user-passkeys",{method:"GET",use:[R]},async a=>{let d=await a.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:a.context.session.user.id}]});return a.json(d,{status:200})}),deletePasskey:p("/passkey/delete-passkey",{method:"POST",body:re.object({id:re.string()}),use:[R]},async a=>(await a.context.adapter.delete({model:"passkey",where:[{field:"id",value:a.body.id}]}),a.json(null,{status:200}))),updatePasskey:p("/passkey/update-passkey",{method:"POST",body:re.object({id:re.string(),name:re.string()}),use:[R]},async a=>{let d=await a.context.adapter.findOne({model:"passkey",where:[{field:"id",value:a.body.id}]});if(!d)throw new Y("NOT_FOUND",{message:A.PASSKEY_NOT_FOUND});if(d.userId!==a.context.session.user.id)throw new Y("UNAUTHORIZED",{message:A.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY});let c=await a.context.adapter.update({model:"passkey",where:[{field:"id",value:a.body.id}],update:{name:a.body.name}});if(!c)throw new Y("INTERNAL_SERVER_ERROR",{message:A.FAILED_TO_UPDATE_PASSKEY});return a.json({passkey:c},{status:200})})},schema:oe(pn,e?.schema),$ERROR_CODES:A}},pn={passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",required:!1}}}};import{z as no}from"zod";import{APIError as Ve}from"better-call";var dt=()=>{let e={INVALID_USERNAME_OR_PASSWORD:"invalid username or password",EMAIL_NOT_VERIFIED:"email not verified",UNEXPECTED_ERROR:"unexpected error"};return{id:"username",endpoints:{signInUsername:p("/sign-in/username",{method:"POST",body:no.object({username:no.string({description:"The username of the user"}),password:no.string({description:"The password of the user"}),rememberMe:no.boolean({description:"Remember the user session"}).optional()}),metadata:{openapi:{summary:"Sign in with username",description:"Sign in with username",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async i=>{let t=await i.context.adapter.findOne({model:"user",where:[{field:"username",value:i.body.username.toLowerCase()}]});if(!t)throw await i.context.password.hash(i.body.password),i.context.logger.error("User not found",{username:dt}),new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});if(!t.emailVerified&&i.context.options.emailAndPassword?.requireEmailVerification)throw await mo(i,t),new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});let o=await i.context.adapter.findOne({model:"account",where:[{field:"userId",value:t.id},{field:"providerId",value:"credential"}]});if(!o)throw new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});let r=o?.password;if(!r)throw i.context.logger.error("Password not found",{username:dt}),new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});if(!await i.context.password.verify({hash:r,password:i.body.password}))throw i.context.logger.error("Invalid password"),new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});let s=await i.context.internalAdapter.createSession(t.id,i.request,i.body.rememberMe===!1);return s?(await h(i,{session:s,user:t},i.body.rememberMe===!1),i.json({id:t.id,email:t.email,name:t.name,image:t.image,emailVerified:t.emailVerified,createdAt:t.createdAt,updatedAt:t.updatedAt})):i.json(null,{status:500,body:{message:g.FAILED_TO_CREATE_SESSION,status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}},$ERROR_CODES:W}};import{serializeSigned as Kn}from"better-call";var Ll=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let i=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!i)return;let t="";return i.includes(".")?t=i:t=await Kn("",i,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${t.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${t.replace("=","")}`),{context:e}}}]}});import{z as Ie}from"zod";import{APIError as un}from"better-call";var ql=e=>({id:"magic-link",endpoints:{signInMagicLink:p("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:Ie.object({email:Ie.string({description:"Email address to send the magic link"}).email(),callbackURL:Ie.string({description:"URL to redirect after magic link verification"}).optional()}),metadata:{openapi:{description:"Sign in with magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async i=>{let{email:t}=i.body;if(e.disableSignUp&&!await i.context.internalAdapter.findUserByEmail(t))throw new un("BAD_REQUEST",{message:g.USER_NOT_FOUND});let o=z(32,F("a-z","A-Z"));await i.context.internalAdapter.createVerificationValue({identifier:o,value:t,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let r=`${i.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${i.body.callbackURL||"/"}`;return await e.sendMagicLink({email:t,url:r,token:o},i.request),i.json({status:!0})}),magicLinkVerify:p("/magic-link/verify",{method:"GET",query:Ie.object({token:Ie.string({description:"Verification token"}),callbackURL:Ie.string({description:"URL to redirect after magic link verification, if not provided will return session"}).optional()}),requireHeaders:!0,metadata:{openapi:{description:"Verify magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async i=>{let{token:t,callbackURL:o}=i.query,r=o?.startsWith("http")?o:o?`${i.context.options.baseURL}${o}`:i.context.options.baseURL,n=await i.context.internalAdapter.findVerificationValue(t);if(!n)throw i.redirect(`${r}?error=INVALID_TOKEN`);if(n.expiresAt<new Date)throw await i.context.internalAdapter.deleteVerificationValue(n.id),i.redirect(`${r}?error=EXPIRED_TOKEN`);await i.context.internalAdapter.deleteVerificationValue(n.id);let s=n.value,A=await i.context.internalAdapter.findUserByEmail(s),a=A?.user.id||"";if(!A){if(e.disableSignUp)throw i.redirect(`${r}?error=failed_to_create_user`);if(a=(await i.context.internalAdapter.createUser({email:s,emailVerified:!0,name:s})).id,!a)throw i.redirect(`${r}?error=failed_to_create_user`)}let d=await i.context.internalAdapter.createSession(a,i.headers);if(!d)throw i.redirect(`${r}?error=failed_to_create_session`);if(await h(i,{session:d,user:A?.user}),!o)return i.json({session:d,user:A?.user});throw i.redirect(o)})},rateLimit:[{pathMatcher(i){return i.startsWith("/sign-in/magic-link")||i.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});import{z as Ae}from"zod";import{APIError as J}from"better-call";function ln(e){return z(e,F("0-9"))}var og=e=>{let i={expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6,...e,phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt"},t={INVALID_PHONE_NUMBER:"Invalid phone number",INVALID_PHONE_NUMBER_OR_PASSWORD:"Invalid phone number or password",UNEXPECTED_ERROR:"Unexpected error",OTP_NOT_FOUND:"OTP not found"};return{id:"phone-number",endpoints:{signInPhoneNumber:p("/sign-in/phone-number",{method:"POST",body:Ae.object({phoneNumber:Ae.string({description:"Phone number to sign in"}),password:Ae.string({description:"Password to use for sign in"}),rememberMe:Ae.boolean({description:"Remember the session"}).optional()}),metadata:{openapi:{summary:"Sign in with phone number",description:"Use this endpoint to sign in with phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid phone number or password"}}}}},async o=>{let{password:r,phoneNumber:n}=o.body;if(i.phoneNumberValidator&&!await i.phoneNumberValidator(o.body.phoneNumber))throw new J("BAD_REQUEST",{message:t.INVALID_PHONE_NUMBER});let s=await o.context.adapter.findOne({model:"user",where:[{field:"phoneNumber",value:n}]});if(!s)throw new J("UNAUTHORIZED",{message:t.INVALID_PHONE_NUMBER_OR_PASSWORD});let a=(await o.context.internalAdapter.findAccountByUserId(s.id)).find(u=>u.providerId==="credential");if(!a)throw o.context.logger.error("Credential account not found",{phoneNumber:n}),new J("UNAUTHORIZED",{message:t.INVALID_PHONE_NUMBER_OR_PASSWORD});let d=a?.password;if(!d)throw o.context.logger.error("Password not found",{phoneNumber:n}),new J("UNAUTHORIZED",{message:t.UNEXPECTED_ERROR});if(!await o.context.password.verify({hash:d,password:r}))throw o.context.logger.error("Invalid password"),new J("UNAUTHORIZED",{message:t.INVALID_PHONE_NUMBER_OR_PASSWORD});let l=await o.context.internalAdapter.createSession(s.id,o.headers,o.body.rememberMe===!1);if(!l)throw o.context.logger.error("Failed to create session"),new J("UNAUTHORIZED",{message:g.FAILED_TO_CREATE_SESSION});return await h(o,{session:l,user:s},o.body.rememberMe===!1),o.json({user:s,session:l})}),sendPhoneNumberOTP:p("/phone-number/send-otp",{method:"POST",body:Ae.object({phoneNumber:Ae.string({description:"Phone number to send OTP"})}),metadata:{openapi:{summary:"Send OTP to phone number",description:"Use this endpoint to send OTP to phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}}}}}}},async o=>{if(!e?.sendOTP)throw o.context.logger.warn("sendOTP not implemented"),new J("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});if(i.phoneNumberValidator&&!await i.phoneNumberValidator(o.body.phoneNumber))throw new J("BAD_REQUEST",{message:t.INVALID_PHONE_NUMBER});let r=ln(i.otpLength);return await o.context.internalAdapter.createVerificationValue({value:r,identifier:o.body.phoneNumber,expiresAt:k(i.expiresIn,"sec")}),await e.sendOTP({phoneNumber:o.body.phoneNumber,code:r},o.request),o.json({code:r},{body:{message:"Code sent"}})}),verifyPhoneNumber:p("/phone-number/verify",{method:"POST",body:Ae.object({phoneNumber:Ae.string({description:"Phone number to verify"}),code:Ae.string({description:"OTP code"}),disableSession:Ae.boolean({description:"Disable session creation after verification"}).optional(),updatePhoneNumber:Ae.boolean({description:"Check if there is a session and update the phone number"}).optional()}),metadata:{openapi:{summary:"Verify phone number",description:"Use this endpoint to verify phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid OTP"}}}}},async o=>{let r=await o.context.internalAdapter.findVerificationValue(o.body.phoneNumber);if(!r||r.expiresAt<new Date)throw r&&r.expiresAt<new Date?(await o.context.internalAdapter.deleteVerificationValue(r.id),new J("BAD_REQUEST",{message:"OTP expired"})):new J("BAD_REQUEST",{message:t.OTP_NOT_FOUND});if(r.value!==o.body.code)throw new J("BAD_REQUEST",{message:"Invalid OTP"});if(await o.context.internalAdapter.deleteVerificationValue(r.id),o.body.updatePhoneNumber){let s=await S(o);if(!s)throw new J("UNAUTHORIZED",{message:g.USER_NOT_FOUND});let A=await o.context.internalAdapter.updateUser(s.user.id,{[i.phoneNumber]:o.body.phoneNumber,[i.phoneNumberVerified]:!0});return o.json({user:A,session:s.session})}let n=await o.context.adapter.findOne({model:"user",where:[{value:o.body.phoneNumber,field:i.phoneNumber}]});if(await e?.callbackOnVerification?.({phoneNumber:o.body.phoneNumber,user:n},o.request),n)n=await o.context.internalAdapter.updateUser(n.id,{[i.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(n=await o.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(o.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(o.body.phoneNumber):o.body.phoneNumber,[i.phoneNumber]:o.body.phoneNumber,[i.phoneNumberVerified]:!0}),!n)throw new J("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_CREATE_USER})}else return o.json(null);if(!n)throw new J("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_UPDATE_USER});if(!o.body.disableSession){let s=await o.context.internalAdapter.createSession(n.id,o.request);if(!s)throw new J("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_CREATE_SESSION});return await h(o,{session:s,user:n}),o.json({user:n,session:s})}return o.json({user:n,session:null})})},schema:oe(gn,e?.schema),$ERROR_CODES:t}},gn={user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}};var mn={user:{fields:{isAnonymous:{type:"boolean",required:!1}}}},ag=e=>{let i={FAILED_TO_CREATE_USER:"Failed to create user",COULD_NOT_CREATE_SESSION:"Could not create session",ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY:"Anonymous users cannot sign in again anonymously"};return{id:"anonymous",endpoints:{signInAnonymous:p("/sign-in/anonymous",{method:"POST",metadata:{openapi:{description:"Sign in anonymously",responses:{200:{description:"Sign in anonymously",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async t=>{let{emailDomainName:o=Ce(t.context.baseURL)}=e||{},r=t.context.generateId({model:"user"}),n=`temp-${r}@${o}`,s=await t.context.internalAdapter.createUser({id:r,email:n,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!s)return t.json(null,{status:500,body:{message:i.FAILED_TO_CREATE_USER,status:500}});let A=await t.context.internalAdapter.createSession(s.id,t.request);return A?(await h(t,{session:A,user:s}),t.json({id:s.id,email:s.email,emailVerified:s.emailVerified,name:s.name,createdAt:s.createdAt,updatedAt:s.updatedAt})):t.json(null,{status:400,body:{message:i.COULD_NOT_CREATE_SESSION}})})},hooks:{after:[{matcher(t){return!!t.responseHeader.get("set-cookie")?.includes(t.context.authCookies.sessionToken.name)},handler:N(async t=>{let r=t.responseHeader.get("set-cookie"),n=t.context.authCookies.sessionToken.name;if(!We(r||"").get(n)?.value.split(".")[0])return;let A=await S(t,{disableRefresh:!0});if(!A||!A.user.isAnonymous)return;if(t.path==="/sign-in/anonymous")throw new T("BAD_REQUEST",{message:i.ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY});let a=t.context.newSession;a&&(e?.onLinkAccount&&await e?.onLinkAccount?.({anonymousUser:A,newUser:a}),e?.disableDeleteAnonymousUser||await t.context.internalAdapter.deleteUser(A.user.id))})}]},schema:oe(mn,e?.schema),$ERROR_CODES:i}};import{z as C}from"zod";var fg=e=>{let i={defaultRole:"user",adminRole:"admin",...e},t={FAILED_TO_CREATE_USER:"Failed to create user",USER_ALREADY_EXISTS:"User already exists",USER_NOT_FOUND:"User not found",YOU_CANNOT_BAN_YOURSELF:"You cannot ban yourself",ONLY_ADMINS_CAN_ACCESS_THIS_ENDPOINT:"Only admins can access this endpoint"},o=N(async r=>{let n=await S(r);if(!n?.session)throw new T("UNAUTHORIZED");let s=n.user;if(!s.role||(Array.isArray(i.adminRole)?!i.adminRole.includes(s.role):s.role!==i.adminRole))throw new T("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:s,session:n.session}}});return{id:"admin",init(r){return{options:{databaseHooks:{user:{create:{async before(n){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...n}}}}},session:{create:{async before(n){let s=await r.internalAdapter.findUserById(n.userId);if(s.banned){if(s.banExpires&&s.banExpires.getTime()<Date.now()){await r.internalAdapter.updateUser(n.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(r){return r.path==="/list-sessions"},handler:N(async r=>{let n=await st(r);if(!n)return;let s=n.filter(A=>!A.impersonatedBy);return r.json(s)})}]},endpoints:{setRole:p("/admin/set-role",{method:"POST",body:C.object({userId:C.string({description:"The user id"}),role:C.string({description:"The role to set. `admin` or `user` by default"})}),use:[o],metadata:{openapi:{operationId:"setRole",summary:"Set the role of a user",description:"Set the role of a user",responses:{200:{description:"User role updated",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{let n=await r.context.internalAdapter.updateUser(r.body.userId,{role:r.body.role});return r.json({user:n})}),createUser:p("/admin/create-user",{method:"POST",body:C.object({email:C.string({description:"The email of the user"}),password:C.string({description:"The password of the user"}),name:C.string({description:"The name of the user"}),role:C.string({description:"The role of the user"}),data:C.optional(C.record(C.any(),{description:"Extra fields for the user. Including custom additional fields."}))}),use:[o],metadata:{openapi:{operationId:"createUser",summary:"Create a new user",description:"Create a new user",responses:{200:{description:"User created",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{if(await r.context.internalAdapter.findUserByEmail(r.body.email))throw new T("BAD_REQUEST",{message:t.USER_ALREADY_EXISTS});let s=await r.context.internalAdapter.createUser({email:r.body.email,name:r.body.name,role:r.body.role,...r.body.data});if(!s)throw new T("INTERNAL_SERVER_ERROR",{message:t.FAILED_TO_CREATE_USER});let A=await r.context.password.hash(r.body.password);return await r.context.internalAdapter.linkAccount({accountId:s.id,providerId:"credential",password:A,userId:s.id}),r.json({user:s})}),listUsers:p("/admin/list-users",{method:"GET",use:[o],query:C.object({searchValue:C.string({description:"The value to search for"}).optional(),searchField:C.enum(["email","name"],{description:"The field to search in, defaults to email. Can be `email` or `name`"}).optional(),searchOperator:C.enum(["contains","starts_with","ends_with"],{description:"The operator to use for the search. Can be `contains`, `starts_with` or `ends_with`"}).optional(),limit:C.string({description:"The number of users to return"}).or(C.number()).optional(),offset:C.string({description:"The offset to start from"}).or(C.number()).optional(),sortBy:C.string({description:"The field to sort by"}).optional(),sortDirection:C.enum(["asc","desc"],{description:"The direction to sort by"}).optional(),filterField:C.string({description:"The field to filter by"}).optional(),filterValue:C.string({description:"The value to filter by"}).or(C.number()).or(C.boolean()).optional(),filterOperator:C.enum(["eq","ne","lt","lte","gt","gte"],{description:"The operator to use for the filter"}).optional()}),metadata:{openapi:{operationId:"listUsers",summary:"List users",description:"List users",responses:{200:{description:"List of users",content:{"application/json":{schema:{type:"object",properties:{users:{type:"array",items:{$ref:"#/components/schemas/User"}}}}}}}}}}},async r=>{let n=[];r.query?.searchValue&&n.push({field:r.query.searchField||"email",operator:r.query.searchOperator||"contains",value:r.query.searchValue}),r.query?.filterValue&&n.push({field:r.query.filterField||"email",operator:r.query.filterOperator||"eq",value:r.query.filterValue});try{let s=await r.context.internalAdapter.listUsers(Number(r.query?.limit)||void 0,Number(r.query?.offset)||void 0,r.query?.sortBy?{field:r.query.sortBy,direction:r.query.sortDirection||"asc"}:void 0,n.length?n:void 0);return r.json({users:s})}catch(s){return console.log(s),r.json({users:[]})}}),listUserSessions:p("/admin/list-user-sessions",{method:"POST",use:[o],body:C.object({userId:C.string({description:"The user id"})}),metadata:{openapi:{operationId:"listUserSessions",summary:"List user sessions",description:"List user sessions",responses:{200:{description:"List of user sessions",content:{"application/json":{schema:{type:"object",properties:{sessions:{type:"array",items:{$ref:"#/components/schemas/Session"}}}}}}}}}}},async r=>({sessions:await r.context.internalAdapter.listSessions(r.body.userId)})),unbanUser:p("/admin/unban-user",{method:"POST",body:C.object({userId:C.string({description:"The user id"})}),use:[o],metadata:{openapi:{operationId:"unbanUser",summary:"Unban a user",description:"Unban a user",responses:{200:{description:"User unbanned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{let n=await r.context.internalAdapter.updateUser(r.body.userId,{banned:!1});return r.json({user:n})}),banUser:p("/admin/ban-user",{method:"POST",body:C.object({userId:C.string({description:"The user id"}),banReason:C.string({description:"The reason for the ban"}).optional(),banExpiresIn:C.number({description:"The number of seconds until the ban expires"}).optional()}),use:[o],metadata:{openapi:{operationId:"banUser",summary:"Ban a user",description:"Ban a user",responses:{200:{description:"User banned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{if(r.body.userId===r.context.session.user.id)throw new T("BAD_REQUEST",{message:t.YOU_CANNOT_BAN_YOURSELF});let n=await r.context.internalAdapter.updateUser(r.body.userId,{banned:!0,banReason:r.body.banReason||e?.defaultBanReason||"No reason",banExpires:r.body.banExpiresIn?k(r.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?k(e.defaultBanExpiresIn,"sec"):void 0});return await r.context.internalAdapter.deleteSessions(r.body.userId),r.json({user:n})}),impersonateUser:p("/admin/impersonate-user",{method:"POST",body:C.object({userId:C.string({description:"The user id"})}),use:[o],metadata:{openapi:{operationId:"impersonateUser",summary:"Impersonate a user",description:"Impersonate a user",responses:{200:{description:"Impersonation session created",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{let n=await r.context.internalAdapter.findUserById(r.body.userId);if(!n)throw new T("NOT_FOUND",{message:"User not found"});let s=await r.context.internalAdapter.createSession(n.id,void 0,!0,{impersonatedBy:r.context.session.user.id,expiresAt:e?.impersonationSessionDuration?k(e.impersonationSessionDuration,"sec"):k(60*60,"sec")});if(!s)throw new T("INTERNAL_SERVER_ERROR",{message:t.FAILED_TO_CREATE_USER});return await h(r,{session:s,user:n},!0),r.json({session:s,user:n})}),revokeUserSession:p("/admin/revoke-user-session",{method:"POST",body:C.object({sessionToken:C.string({description:"The session token"})}),use:[o],metadata:{openapi:{operationId:"revokeUserSession",summary:"Revoke a user session",description:"Revoke a user session",responses:{200:{description:"Session revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async r=>(await r.context.internalAdapter.deleteSession(r.body.sessionToken),r.json({success:!0}))),revokeUserSessions:p("/admin/revoke-user-sessions",{method:"POST",body:C.object({userId:C.string({description:"The user id"})}),use:[o],metadata:{openapi:{operationId:"revokeUserSessions",summary:"Revoke all user sessions",description:"Revoke all user sessions",responses:{200:{description:"Sessions revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async r=>(await r.context.internalAdapter.deleteSessions(r.body.userId),r.json({success:!0}))),removeUser:p("/admin/remove-user",{method:"POST",body:C.object({userId:C.string({description:"The user id"})}),use:[o],metadata:{openapi:{operationId:"removeUser",summary:"Remove a user",description:"Delete a user and all their sessions and accounts. Cannot be undone.",responses:{200:{description:"User removed",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async r=>(await r.context.internalAdapter.deleteUser(r.body.userId),r.json({success:!0})))},$ERROR_CODES:t,schema:oe(fn,i.schema)}},fn={user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}};import{betterFetch as so}from"@better-fetch/fetch";import{APIError as Se}from"better-call";import{parseJWT as hn}from"oslo/jwt";import{z as de}from"zod";async function ct(e,i){if(e.idToken){let o=hn(e.idToken);if(o?.payload&&o.payload.sub&&o.payload.email)return{id:o.payload.sub,emailVerified:o.payload.email_verified,image:o.payload.picture,...o.payload}}if(!i)return null;let t=await so(i,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}});return{id:t.data?.sub,emailVerified:t.data?.email_verified,email:t.data?.email,image:t.data?.picture,name:t.data?.name,...t.data}}var Sg=e=>{let i={INVALID_OAUTH_CONFIGURATION:"Invalid OAuth configuration"};return{id:"generic-oauth",init:t=>({context:{socialProviders:e.config.map(o=>{let r=o.tokenUrl,n=o.userInfoUrl;return{id:o.providerId,name:o.providerId,createAuthorizationURL(s){return P({id:o.providerId,options:{clientId:o.clientId,clientSecret:o.clientSecret,redirectURI:o.redirectURI},authorizationEndpoint:o.authorizationUrl,state:s.state,codeVerifier:o.pkce?s.codeVerifier:void 0,scopes:o.scopes||[],redirectURI:`${t.baseURL}/oauth2/callback/${o.providerId}`})},async validateAuthorizationCode(s){let A=o.tokenUrl;if(o.discoveryUrl){let a=await so(o.discoveryUrl,{method:"GET"});a.data&&(A=a.data.token_endpoint,n=a.data.userinfo_endpoint)}if(!A)throw new Se("BAD_REQUEST",{message:"Invalid OAuth configuration. Token URL not found."});return U({code:s.code,codeVerifier:s.codeVerifier,redirectURI:s.redirectURI,options:{clientId:o.clientId,clientSecret:o.clientSecret},tokenEndpoint:A})},async getUserInfo(s){if(!n)return null;let A=o.getUserInfo?await o.getUserInfo(s):await ct(s,n);return A?{user:{id:A?.id,email:A?.email,emailVerified:A?.emailVerified,image:A?.image,name:A?.name,...o.mapProfileToUser?.(A)},data:A}:null}}})}}),endpoints:{signInWithOAuth2:p("/sign-in/oauth2",{method:"POST",query:de.object({currentURL:de.string({description:"Redirect to the current URL after sign in"}).optional()}).optional(),body:de.object({providerId:de.string({description:"The provider ID for the OAuth provider"}),callbackURL:de.string({description:"The URL to redirect to after sign in"}).optional(),errorCallbackURL:de.string({description:"The URL to redirect to if an error occurs"}).optional()}),metadata:{openapi:{description:"Sign in with OAuth2",responses:{200:{description:"Sign in with OAuth2",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}}}}}}}}}},async t=>{let{providerId:o}=t.body,r=e.config.find(q=>q.providerId===o);if(!r)throw new Se("BAD_REQUEST",{message:`No config found for provider ${o}`});let{discoveryUrl:n,authorizationUrl:s,tokenUrl:A,clientId:a,clientSecret:d,scopes:c,redirectURI:l,responseType:u,pkce:K,prompt:m,accessType:E}=r,v=s,f=A;if(n){let q=await so(n,{onError($e){t.context.logger.error($e.error.message,$e.error,{discoveryUrl:n})}});q.data&&(v=q.data.authorization_endpoint,f=q.data.token_endpoint)}if(!v||!f)throw new Se("BAD_REQUEST",{message:i.INVALID_OAUTH_CONFIGURATION});let{state:w,codeVerifier:b}=await Te(t),I=await P({id:o,options:{clientId:a,clientSecret:d,redirectURI:l},authorizationEndpoint:v,state:w,codeVerifier:K?b:void 0,scopes:c||[],redirectURI:`${t.context.baseURL}/oauth2/callback/${o}`});return u&&u!=="code"&&I.searchParams.set("response_type",u),m&&I.searchParams.set("prompt",m),E&&I.searchParams.set("access_type",E),t.json({url:I.toString(),redirect:!0})}),oAuth2Callback:p("/oauth2/callback/:providerId",{method:"GET",query:de.object({code:de.string({description:"The OAuth2 code"}).optional(),error:de.string({description:"The error message, if any"}).optional(),state:de.string({description:"The state parameter from the OAuth2 request"})}),metadata:{openapi:{description:"OAuth2 callback",responses:{200:{description:"OAuth2 callback",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"}}}}}}}}}},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let o=e.config.find(b=>b.providerId===t.params.providerId);if(!o)throw new Se("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let r,n=await Je(t),{callbackURL:s,codeVerifier:A,errorURL:a}=n,d=t.query.code,c=o.tokenUrl,l=o.userInfoUrl;if(o.discoveryUrl){let b=await so(o.discoveryUrl,{method:"GET"});b.data&&(c=b.data.token_endpoint,l=b.data.userinfo_endpoint)}try{if(!c)throw new Se("BAD_REQUEST",{message:"Invalid OAuth configuration."});r=await U({code:d,codeVerifier:A,redirectURI:`${t.context.baseURL}/oauth2/callback/${o.providerId}`,options:{clientId:o.clientId,clientSecret:o.clientSecret},tokenEndpoint:c})}catch(b){throw t.context.logger.error(b&&typeof b=="object"&&"name"in b?b.name:"",b),t.redirect(`${a}?error=oauth_code_verification_failed`)}if(!r)throw new Se("BAD_REQUEST",{message:"Invalid OAuth configuration."});let u=o.getUserInfo?await o.getUserInfo(r):await ct(r,l);if(!u?.email)throw t.context.logger.error("Unable to get user info",u),t.redirect(`${t.context.baseURL}/error?error=email_is_missing`);let K=o.mapProfileToUser?await o.mapProfileToUser(u):null,m=await Ee(t,{userInfo:{...u,...K},account:{providerId:o.providerId,accountId:u.id,...r,scope:r.scopes?.join(",")}});function E(b){throw t.redirect(`${a||s||`${t.context.baseURL}/error`}?error=${b}`)}if(m.error)return E(m.error.split(" ").join("_"));let{session:v,user:f}=m.data;await h(t,{session:v,user:f});let w;try{w=new URL(s).toString()}catch{w=s}throw t.redirect(w)})},$ERROR_CODES:i}};import{z as Me}from"zod";var pt={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},vg=Me.object({id:Me.string(),publicKey:Me.string(),privateKey:Me.string(),createdAt:Me.date()});var Eo=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async i=>await e.create({model:"jwks",data:{...i,createdAt:new Date}})});import{exportJWK as Kt,generateKeyPair as yn,importJWK as wn,SignJWT as Cn}from"jose";var zg=e=>({id:"jwt",endpoints:{getJwks:p("/jwks",{method:"GET",metadata:{openapi:{description:"Get the JSON Web Key Set",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{keys:{type:"array",items:{type:"object",properties:{kid:{type:"string"},kty:{type:"string"},use:{type:"string"},alg:{type:"string"},n:{type:"string"},e:{type:"string"}}}}}}}}}}}}},async i=>{let o=await Eo(i.context.adapter).getAllKeys();return i.json({keys:o.map(r=>({...JSON.parse(r.publicKey),kid:r.id}))})}),getToken:p("/token",{method:"GET",requireHeaders:!0,use:[R],metadata:{openapi:{description:"Get a JWT token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async i=>{let t=Eo(i.context.adapter),o=await t.getLatestKey(),r=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:d,privateKey:c}=await yn(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),l=await Kt(d),u=await Kt(c),K=JSON.stringify(u),m={id:crypto.randomUUID(),publicKey:JSON.stringify(l),privateKey:r?JSON.stringify(await ue({key:i.context.options.secret,data:K})):K,createdAt:new Date};o=await t.createJwk(m)}let n=r?await fe({key:i.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,s=await wn(JSON.parse(n)),A=e?.jwt?.definePayload?await e?.jwt.definePayload(i.context.session.user):i.context.session.user,a=await new Cn({...A,...i.context.session.session.impersonatedBy?{impersonatedBy:i.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??i.context.options.baseURL).setAudience(e?.jwt?.audience??i.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(i.context.session.user.id).sign(s);return i.json({token:a})})},schema:oe(pt,e?.schema)});import{z as ao}from"zod";var Hg=e=>{let i={maximumSessions:5,...e},t=r=>r.includes("_multi-"),o={INVALID_SESSION_TOKEN:"Invalid session token"};return{id:"multi-session",endpoints:{listDeviceSessions:p("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async r=>{let n=r.headers?.get("cookie");if(!n)return r.json([]);let s=Object.fromEntries(Ne(n)),A=(await Promise.all(Object.entries(s).filter(([c])=>t(c)).map(async([c])=>await r.getSignedCookie(c,r.context.secret)))).filter(c=>c!==void 0);if(!A.length)return r.json([]);let d=(await r.context.internalAdapter.findSessions(A)).filter(c=>c&&c.session.expiresAt>new Date);return r.json(d)}),setActiveSession:p("/multi-session/set-active",{method:"POST",body:ao.object({sessionToken:ao.string({description:"The session token to set as active"})}),requireHeaders:!0,use:[R],metadata:{openapi:{description:"Set the active session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async r=>{let n=r.body.sessionToken,s=`${r.context.authCookies.sessionToken.name}_multi-${n}`;if(!await r.getSignedCookie(s,r.context.secret))throw new T("UNAUTHORIZED",{message:o.INVALID_SESSION_TOKEN});let a=await r.context.internalAdapter.findSession(n);if(!a||a.session.expiresAt<new Date)throw r.setCookie(s,"",{...r.context.authCookies.sessionToken.options,maxAge:0}),new T("UNAUTHORIZED",{message:o.INVALID_SESSION_TOKEN});return await h(r,a),r.json(a)}),revokeDeviceSession:p("/multi-session/revoke",{method:"POST",body:ao.object({sessionToken:ao.string({description:"The session token to revoke"})}),requireHeaders:!0,use:[R],metadata:{openapi:{description:"Revoke a device session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async r=>{let n=r.body.sessionToken,s=`${r.context.authCookies.sessionToken.name}_multi-${n}`;if(!await r.getSignedCookie(s,r.context.secret))throw new T("UNAUTHORIZED",{message:o.INVALID_SESSION_TOKEN});if(await r.context.internalAdapter.deleteSession(n),r.setCookie(s,"",{...r.context.authCookies.sessionToken.options,maxAge:0}),!(r.context.session?.session.token===n))return r.json({success:!0});let d=r.headers?.get("cookie");if(d){let c=Object.fromEntries(Ne(d)),l=(await Promise.all(Object.entries(c).filter(([K])=>t(K)).map(async([K])=>await r.getSignedCookie(K,r.context.secret)))).filter(K=>K!==void 0),u=r.context.internalAdapter;if(l.length>0){let m=(await u.findSessions(l)).filter(E=>E&&E.session.expiresAt>new Date);if(m.length>0){let E=m[0];await h(r,E)}else H(r)}else H(r)}else H(r);return r.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:N(async r=>{let n=r.responseHeader.get("set-cookie");if(!n)return;let s=We(n),A=r.context.authCookies.sessionToken,a=s.get(A.name)?.value;if(!a)return;let d=Ne(r.headers?.get("cookie")||""),c=a.split(".")[0];if(!c)return;let l=`${A.name}_multi-${c}`;s.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(t).length+(n.includes("session_token")?1:0)>i.maximumSessions||await r.setSignedCookie(l,c,r.context.secret,A.options)})},{matcher:r=>r.path==="/sign-out",handler:N(async r=>{let n=r.headers?.get("cookie");if(!n)return;let s=Object.fromEntries(Ne(n)),A=Object.keys(s).map(a=>t(a)?(r.setCookie(a,"",{maxAge:0}),a.split("_multi-")[1]):null).filter(a=>a!==null);await r.context.internalAdapter.deleteSessions(A)})}]},$ERROR_CODES:o}};import{z as L}from"zod";var Ro=["email-verification","sign-in","forget-password"],om=e=>{let i={expireIn:300,otpLength:6,...e},t={OTP_EXPIRED:"otp expired",INVALID_OTP:"invalid otp",INVALID_EMAIL:"invalid email",USER_NOT_FOUND:"user not found"};return{id:"email-otp",endpoints:{sendVerificationOTP:p("/email-otp/send-verification-otp",{method:"POST",body:L.object({email:L.string({description:"Email address to send the OTP"}),type:L.enum(Ro,{description:"Type of the OTP"})}),metadata:{openapi:{description:"Send verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>{if(!e?.sendVerificationOTP)throw o.context.logger.error("send email verification is not implemented"),new T("BAD_REQUEST",{message:"send email verification is not implemented"});let r=o.body.email;if(!/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(r))throw new T("BAD_REQUEST",{message:t.INVALID_EMAIL});let s=z(i.otpLength,F("0-9"));return await o.context.internalAdapter.createVerificationValue({value:s,identifier:`${o.body.type}-otp-${r}`,expiresAt:k(i.expireIn,"sec")}).catch(async A=>{await o.context.internalAdapter.deleteVerificationByIdentifier(`${o.body.type}-otp-${r}`),await o.context.internalAdapter.createVerificationValue({value:s,identifier:`${o.body.type}-otp-${r}`,expiresAt:k(i.expireIn,"sec")})}),await e.sendVerificationOTP({email:r,otp:s,type:o.body.type},o.request),o.json({success:!0})}),createVerificationOTP:p("/email-otp/create-verification-otp",{method:"POST",body:L.object({email:L.string({description:"Email address to send the OTP"}),type:L.enum(Ro,{description:"Type of the OTP"})}),metadata:{SERVER_ONLY:!0,openapi:{description:"Create verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string"}}}}}}}},async o=>{let r=o.body.email,n=z(i.otpLength,F("0-9"));return await o.context.internalAdapter.createVerificationValue({value:n,identifier:`${o.body.type}-otp-${r}`,expiresAt:k(i.expireIn,"sec")}),n}),getVerificationOTP:p("/email-otp/get-verification-otp",{method:"GET",query:L.object({email:L.string({description:"Email address to get the OTP"}),type:L.enum(Ro)}),metadata:{SERVER_ONLY:!0,openapi:{description:"Get verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{otp:{type:"string"}}}}}}}}}},async o=>{let r=o.query.email,n=await o.context.internalAdapter.findVerificationValue(`${o.query.type}-otp-${r}`);return!n||n.expiresAt<new Date?o.json({otp:null}):o.json({otp:n.value})}),verifyEmailOTP:p("/email-otp/verify-email",{method:"POST",body:L.object({email:L.string({description:"Email address to verify"}),otp:L.string({description:"OTP to verify"})}),metadata:{openapi:{description:"Verify email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=o.body.email;if(!/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(r))throw new T("BAD_REQUEST",{message:"Invalid email"});let s=await o.context.internalAdapter.findVerificationValue(`email-verification-otp-${r}`);if(!s||s.expiresAt<new Date)throw s&&await o.context.internalAdapter.deleteVerificationValue(s.id),new T("BAD_REQUEST",{message:"Invalid OTP"});let A=o.body.otp;if(s.value!==A)throw new T("BAD_REQUEST",{message:"Invalid OTP"});await o.context.internalAdapter.deleteVerificationValue(s.id);let a=await o.context.internalAdapter.findUserByEmail(r);if(!a)throw new T("BAD_REQUEST",{message:"User not found"});let d=await o.context.internalAdapter.updateUser(a.user.id,{email:r,emailVerified:!0});return o.json({user:d})}),signInEmailOTP:p("/sign-in/email-otp",{method:"POST",body:L.object({email:L.string({description:"Email address to sign in"}),otp:L.string({description:"OTP sent to the email"})}),metadata:{openapi:{description:"Sign in with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async o=>{let r=o.body.email,n=await o.context.internalAdapter.findVerificationValue(`sign-in-otp-${r}`);if(!n||n.expiresAt<new Date)throw n&&await o.context.internalAdapter.deleteVerificationValue(n.id),new T("BAD_REQUEST",{message:"Invalid OTP"});let s=o.body.otp;if(n.value!==s)throw new T("BAD_REQUEST",{message:"Invalid OTP"});await o.context.internalAdapter.deleteVerificationValue(n.id);let A=await o.context.internalAdapter.findUserByEmail(r);if(!A){if(i.disableSignUp)throw new T("BAD_REQUEST",{message:"User not found"});let d=await o.context.internalAdapter.createUser({email:r,emailVerified:!0,name:r}),c=await o.context.internalAdapter.createSession(d.id,o.request);return await h(o,{session:c,user:d}),o.json({user:d,session:c})}A.user.emailVerified||await o.context.internalAdapter.updateUser(A.user.id,{emailVerified:!0});let a=await o.context.internalAdapter.createSession(A.user.id,o.request);return await h(o,{session:a,user:A.user}),o.json({session:a,user:A})}),forgetPasswordEmailOTP:p("/forget-password/email-otp",{method:"POST",body:L.object({email:L.string({description:"Email address to send the OTP"})}),metadata:{openapi:{description:"Forget password with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>{let r=o.body.email;if(!await o.context.internalAdapter.findUserByEmail(r))throw new T("BAD_REQUEST",{message:"User not found"});let s=z(i.otpLength,F("0-9"));return await o.context.internalAdapter.createVerificationValue({value:s,identifier:`forget-password-otp-${r}`,expiresAt:k(i.expireIn,"sec")}),await e.sendVerificationOTP({email:r,otp:s,type:"forget-password"},o.request),o.json({success:!0})}),resetPasswordEmailOTP:p("/email-otp/reset-password",{method:"POST",body:L.object({email:L.string({description:"Email address to reset the password"}),otp:L.string({description:"OTP sent to the email"}),password:L.string({description:"New password"})}),metadata:{openapi:{description:"Reset password with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>{let r=o.body.email,n=await o.context.internalAdapter.findUserByEmail(r);if(!n)throw new T("BAD_REQUEST",{message:t.USER_NOT_FOUND});let s=await o.context.internalAdapter.findVerificationValue(`forget-password-otp-${r}`);if(!s||s.expiresAt<new Date)throw s&&await o.context.internalAdapter.deleteVerificationValue(s.id),new T("BAD_REQUEST",{message:t.OTP_EXPIRED});let A=o.body.otp;if(s.value!==A)throw new T("BAD_REQUEST",{message:t.INVALID_OTP});await o.context.internalAdapter.deleteVerificationValue(s.id);let a=await o.context.password.hash(o.body.password);return await o.context.internalAdapter.updatePassword(n.user.id,a),o.json({success:!0})})},hooks:{after:[{matcher(o){return!!(o.path?.startsWith("/sign-up")&&i.sendVerificationOnSignUp)},async handler(o){let r=o.context.newSession;if(r?.user&&r.user.email&&r.user.emailVerified===!1){let n=z(i.otpLength,F("0-9"));await o.context.internalAdapter.createVerificationValue({value:n,identifier:`email-verification-otp-${r.user.email}`,expiresAt:k(i.expireIn,"sec")}),await e.sendVerificationOTP({email:r.user.email,otp:n,type:"email-verification"},o.request)}}}]},$ERROR_CODES:t}};import{z as lt}from"zod";import{betterFetch as bn}from"@better-fetch/fetch";function ut(e){return e==="true"||e===!0}var dm=e=>({id:"one-tap",endpoints:{oneTapCallback:p("/one-tap/callback",{method:"POST",body:lt.object({idToken:lt.string({description:"Google ID token, which the client obtains from the One Tap API"})}),metadata:{openapi:{summary:"One tap callback",description:"Use this endpoint to authenticate with Google One Tap",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}},400:{description:"Invalid token"}}}}},async i=>{let{idToken:t}=i.body,{data:o,error:r}=await bn("https://oauth2.googleapis.com/tokeninfo?id_token="+t);if(r)return i.json({error:"Invalid token"});let n=await i.context.internalAdapter.findUserByEmail(o.email);if(!n){if(e?.disableSignup)throw new T("BAD_GATEWAY",{message:"User not found"});let A=await i.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:ut(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!A)throw new T("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let a=await i.context.internalAdapter.createSession(A?.user.id,i.request);return await h(i,{user:A.user,session:a}),i.json({session:a,user:A})}let s=await i.context.internalAdapter.createSession(n.user.id,i.request);return await h(i,{user:n.user,session:s}),i.json({session:s,user:n})})}});import{z as Io}from"zod";function On(){let e=ne.VERCEL_URL,i=ne.NETLIFY_URL,t=ne.RENDER_URL,o=ne.AWS_LAMBDA_FUNCTION_NAME,r=ne.GOOGLE_CLOUD_FUNCTION_NAME,n=ne.AZURE_FUNCTION_NAME;return e||i||t||o||r||n}var mm=e=>({id:"oauth-proxy",endpoints:{oAuthProxy:p("/oauth-proxy-callback",{method:"GET",query:Io.object({callbackURL:Io.string({description:"The URL to redirect to after the proxy"}),cookies:Io.string({description:"The cookies to set after the proxy"})}),metadata:{openapi:{description:"OAuth Proxy Callback",parameters:[{in:"query",name:"callbackURL",required:!0,description:"The URL to redirect to after the proxy"},{in:"query",name:"cookies",required:!0,description:"The cookies to set after the proxy"}],responses:{302:{description:"Redirect",headers:{Location:{description:"The URL to redirect to",schema:{type:"string"}}}}}}}},async i=>{let t=i.query.cookies,o=await fe({key:i.context.secret,data:t});throw i.setHeader("set-cookie",o),i.redirect(i.query.callbackURL)})},hooks:{after:[{matcher(i){return i.path?.startsWith("/callback")},handler:N(async i=>{let t=i.context.returned,o=t instanceof T?t.headers:null,r=o?.get("location");if(r?.includes("/oauth-proxy-callback?callbackURL")){if(!r.startsWith("http"))return;let n=new URL(r);if(n.origin===Ce(i.context.baseURL)){let c=n.searchParams.get("callbackURL");if(!c)return;i.setHeader("location",c);return}let A=o?.get("set-cookie");if(!A)return;let a=await ue({key:i.context.secret,data:A}),d=`${r}&cookies=${encodeURIComponent(a)}`;i.setHeader("location",d)}})}],before:[{matcher(i){return i.path?.startsWith("/sign-in/social")},async handler(i){let t=new URL(e?.currentURL||i.request?.url||On()||i.context.baseURL);return i.body.callbackURL=`${t.origin}${i.context.options.basePath||"/api/auth"}/oauth-proxy-callback?callbackURL=${encodeURIComponent(i.body.callbackURL||i.context.baseURL)}`,{context:i}}}]}});import{z as qe}from"zod";var wm=(e,i)=>({id:"custom-session",endpoints:{getSession:p("/get-session",{method:"GET",metadata:{CUSTOM_SESSION:!0},query:qe.optional(qe.object({disableCookieCache:qe.boolean({description:"Disable cookie cache and fetch session from database"}).or(qe.string().transform(t=>t==="true")).optional(),disableRefresh:qe.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()}))},async t=>{let o=await S(t);if(!o)return t.json(null);let r=await e(o);return t.json(r)})}});import{ZodObject as mt,ZodOptional as So,ZodSchema as ft}from"zod";var Ue=e=>{let i=e.plugins?.reduce((a,d)=>{let c=d.schema;if(!c)return a;for(let[l,u]of Object.entries(c))a[l]={fields:{...a[l]?.fields,...u.fields},modelName:u.modelName||l};return a},{}),t=e.rateLimit?.storage==="database",o={rateLimit:{modelName:e.rateLimit?.modelName||"rateLimit",fields:{key:{type:"string",fieldName:e.rateLimit?.fields?.key||"key"},count:{type:"number",fieldName:e.rateLimit?.fields?.count||"count"},lastRequest:{type:"number",fieldName:e.rateLimit?.fields?.lastRequest||"lastRequest"}}}},{user:r,session:n,account:s,...A}=i||{};return{user:{modelName:e.user?.modelName||"user",fields:{name:{type:"string",required:!0,fieldName:e.user?.fields?.name||"name"},email:{type:"string",unique:!0,required:!0,fieldName:e.user?.fields?.email||"email"},emailVerified:{type:"boolean",defaultValue:()=>!1,required:!0,fieldName:e.user?.fields?.emailVerified||"emailVerified"},image:{type:"string",required:!1,fieldName:e.user?.fields?.image||"image"},createdAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.updatedAt||"updatedAt"},...r?.fields,...e.user?.additionalFields},order:1},session:{modelName:e.session?.modelName||"session",fields:{expiresAt:{type:"date",required:!0,fieldName:e.session?.fields?.expiresAt||"expiresAt"},token:{type:"string",required:!0,fieldName:e.session?.fields?.token||"token",unique:!0},createdAt:{type:"date",required:!0,fieldName:e.session?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.session?.fields?.updatedAt||"updatedAt"},ipAddress:{type:"string",required:!1,fieldName:e.session?.fields?.ipAddress||"ipAddress"},userAgent:{type:"string",required:!1,fieldName:e.session?.fields?.userAgent||"userAgent"},userId:{type:"string",fieldName:e.session?.fields?.userId||"userId",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0},...n?.fields,...e.session?.additionalFields},order:2},account:{modelName:e.account?.modelName||"account",fields:{accountId:{type:"string",required:!0,fieldName:e.account?.fields?.accountId||"accountId"},providerId:{type:"string",required:!0,fieldName:e.account?.fields?.providerId||"providerId"},userId:{type:"string",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0,fieldName:e.account?.fields?.userId||"userId"},accessToken:{type:"string",required:!1,fieldName:e.account?.fields?.accessToken||"accessToken"},refreshToken:{type:"string",required:!1,fieldName:e.account?.fields?.refreshToken||"refreshToken"},idToken:{type:"string",required:!1,fieldName:e.account?.fields?.idToken||"idToken"},accessTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"accessTokenExpiresAt"},refreshTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"refreshTokenExpiresAt"},scope:{type:"string",required:!1,fieldName:e.account?.fields?.scope||"scope"},password:{type:"string",required:!1,fieldName:e.account?.fields?.password||"password"},createdAt:{type:"date",required:!0,fieldName:e.account?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.account?.fields?.updatedAt||"updatedAt"},...s?.fields},order:3},verification:{modelName:e.verification?.modelName||"verification",fields:{identifier:{type:"string",required:!0,fieldName:e.verification?.fields?.identifier||"identifier"},value:{type:"string",required:!0,fieldName:e.verification?.fields?.value||"value"},expiresAt:{type:"date",required:!0,fieldName:e.verification?.fields?.expiresAt||"expiresAt"},createdAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.updatedAt||"updatedAt"}},order:4},...A,...t?o:{}}};import{z as Lm}from"zod";import{Kysely as jm,MssqlDialect as zm}from"kysely";import{MysqlDialect as Vm,PostgresDialect as Mm,SqliteDialect as qm}from"kysely";var He={};function ht(e){switch(e.constructor.name){case"ZodString":return"string";case"ZodNumber":return"number";case"ZodBoolean":return"boolean";case"ZodObject":return"object";case"ZodArray":return"array";default:return"string"}}function Ao(e){let i=[];return e.metadata?.openapi?.parameters?(i.push(...e.metadata.openapi.parameters),i):(e.query instanceof mt&&Object.entries(e.query.shape).forEach(([t,o])=>{o instanceof ft&&i.push({name:t,in:"query",schema:{type:ht(o),..."minLength"in o&&o.minLength?{minLength:o.minLength}:{},description:o.description}})}),i)}function gt(e){if(e.metadata?.openapi?.requestBody)return e.metadata.openapi.requestBody;if(e.body&&(e.body instanceof mt||e.body instanceof So)){let i=e.body.shape;if(!i)return;let t={},o=[];return Object.entries(i).forEach(([r,n])=>{n instanceof ft&&(t[r]={type:ht(n),description:n.description},n instanceof So||o.push(r))}),{required:e.body instanceof So?!1:!!e.body,content:{"application/json":{schema:{type:"object",properties:t,required:o}}}}}}function co(e){return{400:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Bad Request. Usually due to missing parameters, or invalid parameters."},401:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Unauthorized. Due to missing or invalid authentication."},403:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Forbidden. You do not have permission to access this resource or to perform this action."},404:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Not Found. The requested resource was not found."},429:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Too Many Requests. You have exceeded the rate limit. Try again later."},500:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Internal Server Error. This is a problem with the server that you cannot fix."},...e}}async function Uo(e,i){let t=ho(e,{...i,plugins:[]}),o=Ue(i),n={schemas:{...Object.entries(o).reduce((A,[a,d])=>{let c=a.charAt(0).toUpperCase()+a.slice(1);return A[c]={type:"object",properties:Object.entries(d.fields).reduce((l,[u,K])=>(l[u]={type:K.type},l),{})},A},{})}};Object.entries(t.api).forEach(([A,a])=>{let d=a.options;if(!d.metadata?.SERVER_ONLY&&(d.method==="GET"&&(He[a.path]={get:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:Ao(d),responses:co(d.metadata?.openapi?.responses)}}),d.method==="POST")){let c=gt(d);He[a.path]={post:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:Ao(d),...c?{requestBody:c}:{requestBody:{content:{"application/json":{schema:{type:"object",properties:{}}}}}},responses:co(d.metadata?.openapi?.responses)}}}});for(let A of i.plugins||[]){if(A.id==="open-api")continue;let a=ho(e,{...i,plugins:[A]}),d=Object.keys(a.api).map(c=>t.api[c]===void 0?a.api[c]:null).filter(c=>c!==null);Object.entries(d).forEach(([c,l])=>{let u=l.options;u.metadata?.SERVER_ONLY||(u.method==="GET"&&(He[l.path]={get:{tags:u.metadata?.openapi?.tags||[A.id.charAt(0).toUpperCase()+A.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:Ao(u),responses:co(u.metadata?.openapi?.responses)}}),u.method==="POST"&&(He[l.path]={post:{tags:u.metadata?.openapi?.tags||[A.id.charAt(0).toUpperCase()+A.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:Ao(u),requestBody:gt(u),responses:co(u.metadata?.openapi?.responses)}}))})}return{openapi:"3.1.1",info:{title:"Better Auth",description:"API Reference for your Better Auth Instance"},components:n,security:[{apiKeyCookie:[]}],servers:[{url:e.baseURL}],tags:[{name:"Default",description:"Default endpoints that are included with Better Auth by default. These endpoints are not part of any plugin."}],paths:He}}var yt=`<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
83
+ Error: `,A),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=r?.user;if(r){let A=r.accounts.find(a=>a.providerId===t.providerId);if(A){let a=Object.fromEntries(Object.entries({accessToken:t.accessToken,idToken:t.idToken,refreshToken:t.refreshToken,accessTokenExpiresAt:t.accessTokenExpiresAt,refreshTokenExpiresAt:t.refreshTokenExpiresAt}).filter(([d,c])=>c!==void 0));Object.keys(a).length>0&&await e.context.internalAdapter.updateAccount(A.id,a)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(t.providerId)&&!i.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Po&&ie.warn(`User already exist but account isn't linked to ${t.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:t.providerId,accountId:i.id.toString(),userId:r.user.id,accessToken:t.accessToken,idToken:t.idToken,refreshToken:t.refreshToken,accessTokenExpiresAt:t.accessTokenExpiresAt,refreshTokenExpiresAt:t.refreshTokenExpiresAt,scope:t.scope})}catch(c){return ie.error("Unable to link account",c),{error:"unable to link account",data:null}}n=await e.context.internalAdapter.updateUser(r.user.id,{...i,updatedAt:new Date})}}else if(n=await e.context.internalAdapter.createOAuthUser({...i,email:i.email.toLowerCase(),id:void 0},{accessToken:t.accessToken,idToken:t.idToken,refreshToken:t.refreshToken,accessTokenExpiresAt:t.accessTokenExpiresAt,refreshTokenExpiresAt:t.refreshTokenExpiresAt,scope:t.scope,providerId:t.providerId,accountId:i.id.toString()}).then(A=>A?.user),!i.emailVerified&&n&&e.context.options.emailVerification?.sendOnSignUp){let A=await pe(e.context.secret,n.email),a=`${e.context.baseURL}/verify-email?token=${A}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:a,token:A},e.request)}if(!n)return{error:"unable to create user",data:null};let s=await e.context.internalAdapter.createSession(n.id,e.request);return s?{data:{session:s,user:n},error:null}:{error:"unable to create session",data:null}}var $o=p("/sign-in/social",{method:"POST",query:B.object({currentURL:B.string().optional()}).optional(),body:B.object({callbackURL:B.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:B.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:B.enum(Ye,{description:"OAuth2 provider to use"}),disableRedirect:B.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:B.optional(B.object({token:B.string({description:"ID token from the provider"}),nonce:B.string({description:"Nonce used to generate the token"}).optional(),accessToken:B.string({description:"Access token from the provider"}).optional(),refreshToken:B.string({description:"Refresh token from the provider"}).optional(),expiresAt:B.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let i=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!i)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new Z("NOT_FOUND",{message:g.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!i.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new Z("NOT_FOUND",{message:g.ID_TOKEN_NOT_SUPPORTED});let{token:n,nonce:s}=e.body.idToken;if(!await i.verifyIdToken(n,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new Z("UNAUTHORIZED",{message:g.INVALID_TOKEN});let a=await i.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new Z("UNAUTHORIZED",{message:g.FAILED_TO_GET_USER_INFO});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new Z("UNAUTHORIZED",{message:g.USER_EMAIL_NOT_FOUND});let d=await Ee(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:i.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new Z("UNAUTHORIZED",{message:d.error});return await h(e,d.data),e.json({session:d.data.session,user:d.data.user,url:void 0,redirect:!1})}let{codeVerifier:t,state:o}=await Te(e),r=await i.createAuthorizationURL({state:o,codeVerifier:t,redirectURI:`${e.context.baseURL}/callback/${i.id}`});return e.json({url:r.toString(),redirect:!e.body.disableRedirect})}),Go=p("/sign-in/email",{method:"POST",body:B.object({email:B.string({description:"Email of the user"}),password:B.string({description:"Password of the user"}),callbackURL:B.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:B.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new Z("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:i,password:t}=e.body;if(!B.string().email().safeParse(i).success)throw new Z("BAD_REQUEST",{message:g.INVALID_EMAIL});let r=await e.context.internalAdapter.findUserByEmail(i,{includeAccounts:!0});if(!r)throw await e.context.password.hash(t),e.context.logger.error("User not found",{email:i}),new Z("UNAUTHORIZED",{message:g.INVALID_EMAIL_OR_PASSWORD});let n=r.accounts.find(d=>d.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:i}),new Z("UNAUTHORIZED",{message:g.INVALID_EMAIL_OR_PASSWORD});let s=n?.password;if(!s)throw e.context.logger.error("Password not found",{email:i}),new Z("UNAUTHORIZED",{message:g.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:s,password:t}))throw e.context.logger.error("Invalid password"),new Z("UNAUTHORIZED",{message:g.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!r.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new Z("UNAUTHORIZED",{message:g.EMAIL_NOT_VERIFIED});let d=await pe(e.context.secret,r.user.email),c=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:r.user,url:c,token:d},e.request),e.context.logger.error("Email not verified",{email:i}),new Z("FORBIDDEN",{message:g.EMAIL_NOT_VERIFIED})}let a=await e.context.internalAdapter.createSession(r.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new Z("UNAUTHORIZED",{message:g.FAILED_TO_CREATE_SESSION});return await h(e,{session:a,user:r.user},e.body.rememberMe===!1),e.json({user:{id:r.user.id,email:r.user.email,name:r.user.name,image:r.user.image,emailVerified:r.user.emailVerified,createdAt:r.user.createdAt,updatedAt:r.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as De}from"zod";var Xe=De.object({code:De.string().optional(),error:De.string().optional(),errorMessage:De.string().optional(),state:De.string().optional()}),Zo=p("/callback/:id",{method:["GET","POST"],body:Xe.optional(),query:Xe.optional(),metadata:be},async e=>{let i;try{if(e.method==="GET")i=Xe.parse(e.query);else if(e.method==="POST")i=Xe.parse(e.body);else throw new Error("Unsupported method")}catch(f){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",f),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:t,error:o,state:r}=i;if(!r)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!t)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let n=e.context.socialProviders.find(f=>f.id===e.params.id);if(!n)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:s,callbackURL:A,link:a,errorURL:d}=await Je(e),c;try{c=await n.validateAuthorizationCode({code:t,codeVerifier:s,redirectURI:`${e.context.baseURL}/callback/${n.id}`})}catch(f){throw e.context.logger.error("",f),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let l=await n.getUserInfo(c).then(f=>f?.user);function u(f){let w=d||A||`${e.context.baseURL}/error`;throw w.includes("?")?w=`${w}&error=${f}`:w=`${w}?error=${f}`,e.redirect(w)}if(!l)return e.context.logger.error("Unable to get user info"),u("unable_to_get_user_info");if(!l.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),u("email_not_found");if(!A)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(a){if(a.email!==l.email.toLowerCase())return u("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:a.userId,providerId:n.id,accountId:l.id}))return u("unable_to_link_account");let w;try{w=new URL(A).toString()}catch{w=A}throw e.redirect(w)}let K=await Ee(e,{userInfo:{...l,email:l.email,name:l.name||l.email},account:{providerId:n.id,accountId:l.id,...c,scope:c.scopes?.join(",")},callbackURL:A});if(K.error)return e.context.logger.error(K.error.split(" ").join("_")),u(K.error.split(" ").join("_"));let{session:m,user:E}=K.data;await h(e,{session:m,user:E});let v;try{v=new URL(A).toString()}catch{v=A}throw e.redirect(v)});import"zod";import{APIError as Tr}from"better-call";var Qo=p("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let i=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!i)throw H(e),new Tr("BAD_REQUEST",{message:g.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(i),H(e),e.json({success:!0})});import{z as te}from"zod";import{APIError as wo}from"better-call";function Oi(e,i,t){let o=i?new URL(i,e.baseURL):new URL(`${e.baseURL}/error`);return t&&Object.entries(t).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}function Er(e,i,t){let o=new URL(i,e.baseURL);return t&&Object.entries(t).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}var Wo=p("/forget-password",{method:"POST",body:te.object({email:te.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:te.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new wo("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:i,redirectTo:t}=e.body,o=await e.context.internalAdapter.findUserByEmail(i,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:i}),e.json({status:!1},{body:{status:!0}});let r=60*60*1,n=k(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||r,"sec"),s=$(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id.toString(),identifier:`reset-password:${s}`,expiresAt:n});let A=`${e.context.baseURL}/reset-password/${s}?callbackURL=${t}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:A,token:s},e.request),e.json({status:!0})}),Jo=p("/reset-password/:token",{method:"GET",query:te.object({callbackURL:te.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:i}=e.params,{callbackURL:t}=e.query;if(!i||!t)throw e.redirect(Oi(e.context,t,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${i}`);throw!o||o.expiresAt<new Date?e.redirect(Oi(e.context,t,{error:"INVALID_TOKEN"})):e.redirect(Er(e.context,t,{token:i}))}),Yo=p("/reset-password",{query:te.optional(te.object({token:te.string().optional(),currentURL:te.string().optional()})),method:"POST",body:te.object({newPassword:te.string({description:"The new password to set"}),token:te.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let i=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!i)throw new wo("BAD_REQUEST",{message:g.INVALID_TOKEN});let{newPassword:t}=e.body,o=`reset-password:${i}`,r=await e.context.internalAdapter.findVerificationValue(o);if(!r||r.expiresAt<new Date)throw new wo("BAD_REQUEST",{message:g.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(r.id);let n=r.value,s=await e.context.password.hash(t);return(await e.context.internalAdapter.findAccounts(n)).find(d=>d.providerId==="credential")?(await e.context.internalAdapter.updatePassword(n,s),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:n,providerId:"credential",password:s,accountId:n}),e.json({status:!0}))});import{z as G}from"zod";import{APIError as V}from"better-call";import{xchacha20poly1305 as Ii}from"@noble/ciphers/chacha";import{bytesToHex as Ur,hexToBytes as _r,utf8ToBytes as vr}from"@noble/ciphers/utils";import{managedNonce as Si}from"@noble/ciphers/webcrypto";import{sha256 as Ui}from"oslo/crypto";import Ri from"uncrypto";import{decodeHex as Zd,encodeHex as Qd}from"oslo/encoding";import{scryptAsync as Yd}from"@noble/hashes/scrypt";import{getRandomValues as ec}from"uncrypto";import Ti from"uncrypto";function Rr(e){return e.toString(2).padStart(8,"0")}function Ir(e){return[...e].map(i=>Rr(i)).join("")}function Ei(e){return parseInt(Ir(e),2)}function Sr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let i=(e-1).toString(2).length,t=i%8,o=new Uint8Array(Math.ceil(i/8));Ti.getRandomValues(o),t!==0&&(o[0]&=(1<<t)-1);let r=Ei(o);for(;r>=e;)Ti.getRandomValues(o),t!==0&&(o[0]&=(1<<t)-1),r=Ei(o);return r}function z(e,i){let t="";for(let o=0;o<e;o++)t+=i[Sr(i.length)];return t}function F(...e){let i=new Set(e),t="";for(let o of i)o==="a-z"?t+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?t+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?t+="0123456789":t+=o;return t}async function Le(e,i){let t=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},r=await Ri.subtle.importKey("raw",t.encode(e),o,!1,["sign","verify"]),n=await Ri.subtle.sign(o.name,r,t.encode(i));return btoa(String.fromCharCode(...new Uint8Array(n)))}var ue=async({key:e,data:i})=>{let t=await Ui(new TextEncoder().encode(e)),o=vr(i),r=Si(Ii)(new Uint8Array(t));return Ur(r.encrypt(o))},fe=async({key:e,data:i})=>{let t=await Ui(new TextEncoder().encode(e)),o=_r(i),r=Si(Ii)(new Uint8Array(t));return new TextDecoder().decode(r.decrypt(o))};var Xo=()=>p("/update-user",{method:"POST",body:G.record(G.string(),G.any()),use:[R],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let i=e.body;if(i.email)throw new V("BAD_REQUEST",{message:g.EMAIL_CAN_NOT_BE_UPDATED});let{name:t,image:o,...r}=i,n=e.context.session;if(o===void 0&&t===void 0&&Object.keys(r).length===0)return e.json({id:n.user.id,email:n.user.email,name:n.user.name,image:n.user.image,emailVerified:n.user.emailVerified,createdAt:n.user.createdAt,updatedAt:n.user.updatedAt});let s=Qe(e.context.options,r,"update"),A=await e.context.internalAdapter.updateUserByEmail(n.user.email,{name:t,image:o,...s});return await h(e,{session:n.session,user:A}),e.json({id:A.id,email:A.email,name:A.name,image:A.image,emailVerified:A.emailVerified,createdAt:A.createdAt,updatedAt:A.updatedAt})}),ei=p("/change-password",{method:"POST",body:G.object({newPassword:G.string({description:"The new password to set"}),currentPassword:G.string({description:"The current password"}),revokeOtherSessions:G.boolean({description:"Revoke all other sessions"}).optional()}),use:[R],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:i,currentPassword:t,revokeOtherSessions:o}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(i.length<n)throw e.context.logger.error("Password is too short"),new V("BAD_REQUEST",{message:g.PASSWORD_TOO_SHORT});let s=e.context.password.config.maxPasswordLength;if(i.length>s)throw e.context.logger.error("Password is too long"),new V("BAD_REQUEST",{message:g.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(r.user.id)).find(l=>l.providerId==="credential"&&l.password);if(!a||!a.password)throw new V("BAD_REQUEST",{message:g.CREDENTIAL_ACCOUNT_NOT_FOUND});let d=await e.context.password.hash(i);if(!await e.context.password.verify({hash:a.password,password:t}))throw new V("BAD_REQUEST",{message:g.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(a.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(r.user.id);let l=await e.context.internalAdapter.createSession(r.user.id,e.headers);if(!l)throw new V("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_GET_SESSION});await h(e,{session:l,user:r.user})}return e.json(r.user)}),oi=p("/set-password",{method:"POST",body:G.object({newPassword:G.string()}),metadata:{SERVER_ONLY:!0},use:[R]},async e=>{let{newPassword:i}=e.body,t=e.context.session,o=e.context.password.config.minPasswordLength;if(i.length<o)throw e.context.logger.error("Password is too short"),new V("BAD_REQUEST",{message:g.PASSWORD_TOO_SHORT});let r=e.context.password.config.maxPasswordLength;if(i.length>r)throw e.context.logger.error("Password is too long"),new V("BAD_REQUEST",{message:g.PASSWORD_TOO_LONG});let s=(await e.context.internalAdapter.findAccounts(t.user.id)).find(a=>a.providerId==="credential"&&a.password),A=await e.context.password.hash(i);if(!s)return await e.context.internalAdapter.linkAccount({userId:t.user.id,providerId:"credential",accountId:t.user.id,password:A}),e.json(t.user);throw new V("BAD_REQUEST",{message:"user already has a password"})}),ii=p("/delete-user",{method:"POST",use:[ve],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new V("NOT_FOUND");let i=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let r=z(32,F("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:i.user.id,identifier:`delete-account-${r}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let n=`${e.context.baseURL}/delete-user/callback?token=${r}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:i.user,url:n,token:r},e.request),e.json({success:!0,message:"Verification email sent"})}let t=e.context.options.user.deleteUser?.beforeDelete;t&&await t(i.user,e.request),await e.context.internalAdapter.deleteUser(i.user.id),await e.context.internalAdapter.deleteSessions(i.user.id),await e.context.internalAdapter.deleteAccounts(i.user.id),H(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(i.user,e.request),e.json({success:!0,message:"User deleted"})}),ti=p("/delete-user/callback",{method:"GET",query:G.object({token:G.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new V("NOT_FOUND");let i=await S(e);if(!i)throw new V("NOT_FOUND",{message:g.FAILED_TO_GET_USER_INFO});let t=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!t||t.expiresAt<new Date)throw t&&await e.context.internalAdapter.deleteVerificationValue(t.id),new V("NOT_FOUND",{message:g.INVALID_TOKEN});if(t.value!==i.user.id)throw new V("NOT_FOUND",{message:g.INVALID_TOKEN});let o=e.context.options.user.deleteUser?.beforeDelete;o&&await o(i.user,e.request),await e.context.internalAdapter.deleteUser(i.user.id),await e.context.internalAdapter.deleteSessions(i.user.id),await e.context.internalAdapter.deleteAccounts(i.user.id),await e.context.internalAdapter.deleteVerificationValue(t.id),H(e);let r=e.context.options.user.deleteUser?.afterDelete;return r&&await r(i.user,e.request),e.json({success:!0,message:"User deleted"})}),ri=p("/change-email",{method:"POST",query:G.object({currentURL:G.string().optional()}).optional(),body:G.object({newEmail:G.string({description:"The new email to set"}).email(),callbackURL:G.string({description:"The URL to redirect to after email verification"}).optional()}),use:[R],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new V("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new V("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new V("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let r=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:r,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new V("BAD_REQUEST",{message:"Verification email isn't enabled"});let t=await pe(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${t}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:t},e.request),e.json({user:null,status:!0})});import{z as Be}from"zod";import{APIError as _i}from"better-call";var ni=p("/list-accounts",{method:"GET",use:[R],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let i=e.context.session,t=await e.context.internalAdapter.findAccounts(i.user.id);return e.json(t.map(o=>({id:o.id,provider:o.providerId})))}),si=p("/link-social",{method:"POST",requireHeaders:!0,query:Be.object({currentURL:Be.string().optional()}).optional(),body:Be.object({callbackURL:Be.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:Be.enum(Ye,{description:"The OAuth2 provider to use"})}),use:[R],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let i=e.context.session;if((await e.context.internalAdapter.findAccounts(i.user.id)).find(A=>A.providerId===e.body.provider))throw new _i("BAD_REQUEST",{message:g.SOCIAL_ACCOUNT_ALREADY_LINKED});let r=e.context.socialProviders.find(A=>A.id===e.body.provider);if(!r)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new _i("NOT_FOUND",{message:g.PROVIDER_NOT_FOUND});let n=await Te(e,{userId:i.user.id,email:i.user.email}),s=await r.createAuthorizationURL({state:n.state,codeVerifier:n.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${r.id}`});return e.json({url:s.toString(),redirect:!0})});var vi=(e,i)=>{let t={};for(let[o,r]of Object.entries(e))t[o]=n=>r({...n,context:{...i,...n.context}}),t[o].path=r.path,t[o].method=r.method,t[o].options=r.options,t[o].headers=r.headers;return t};function eo(e){let i=e;return{newRole(t){return kr(t)}}}function kr(e){return{statements:e,authorize(i,t){for(let[o,r]of Object.entries(i)){let n=e[o];return n?(t==="OR"?r.some(A=>n.includes(A)):r.every(A=>n.includes(A)))?{success:!0}:{success:!1,error:`Unauthorized to access resource "${o}"`}:{success:!1,error:`You are not allowed to access resource: ${o}`}}return{success:!1,error:"Not authorized"}}}}var Pr={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},Co=eo(Pr),Nr=Co.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),Dr=Co.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),Lr=Co.newRole({organization:[],member:[],invitation:[]}),ki={admin:Nr,owner:Dr,member:Lr};var Br={proto:/"(?:_|\\u0{2}5[Ff]){2}(?:p|\\u0{2}70)(?:r|\\u0{2}72)(?:o|\\u0{2}6[Ff])(?:t|\\u0{2}74)(?:o|\\u0{2}6[Ff])(?:_|\\u0{2}5[Ff]){2}"\s*:/,constructor:/"(?:c|\\u0063)(?:o|\\u006[Ff])(?:n|\\u006[Ee])(?:s|\\u0073)(?:t|\\u0074)(?:r|\\u0072)(?:u|\\u0075)(?:c|\\u0063)(?:t|\\u0074)(?:o|\\u006[Ff])(?:r|\\u0072)"\s*:/,protoShort:/"__proto__"\s*:/,constructorShort:/"constructor"\s*:/},xr=/^\s*["[{]|^\s*-?\d{1,16}(\.\d{1,17})?([Ee][+-]?\d+)?\s*$/,Pi={true:!0,false:!1,null:null,undefined:void 0,nan:Number.NaN,infinity:Number.POSITIVE_INFINITY,"-infinity":Number.NEGATIVE_INFINITY},jr=/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,7}))?(?:Z|([+-])(\d{2}):(\d{2}))$/;function zr(e){return e instanceof Date&&!isNaN(e.getTime())}function Fr(e){let i=jr.exec(e);if(!i)return null;let[,t,o,r,n,s,A,a,d,c,l]=i,u=new Date(Date.UTC(parseInt(t,10),parseInt(o,10)-1,parseInt(r,10),parseInt(n,10),parseInt(s,10),parseInt(A,10),a?parseInt(a.padEnd(3,"0"),10):0));if(d){let K=(parseInt(c,10)*60+parseInt(l,10))*(d==="+"?-1:1);u.setUTCMinutes(u.getUTCMinutes()+K)}return zr(u)?u:null}function Vr(e,i={}){let{strict:t=!1,warnings:o=!1,reviver:r,parseDates:n=!0}=i;if(typeof e!="string")return e;let s=e.trim();if(s[0]==='"'&&s.endsWith('"')&&!s.slice(1,-1).includes('"'))return s.slice(1,-1);let A=s.toLowerCase();if(A.length<=9&&A in Pi)return Pi[A];if(!xr.test(s)){if(t)throw new SyntaxError("[better-json] Invalid JSON");return e}if(Object.entries(Br).some(([d,c])=>{let l=c.test(s);return l&&o&&console.warn(`[better-json] Detected potential prototype pollution attempt using ${d} pattern`),l})&&t)throw new Error("[better-json] Potential prototype pollution attempt detected");try{return JSON.parse(s,(c,l)=>{if(c==="__proto__"||c==="constructor"&&l&&typeof l=="object"&&"prototype"in l){o&&console.warn(`[better-json] Dropping "${c}" key to prevent prototype pollution`);return}if(n&&typeof l=="string"){let u=Fr(l);if(u)return u}return r?r(c,l):l})}catch(d){if(t)throw d;return e}}function Ni(e,i={strict:!0}){return Vr(e,i)}var Di=Ni;var x=(e,i)=>{let t=e.adapter;return{findOrganizationBySlug:async o=>await t.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let r=await t.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),n=await t.create({model:"member",data:{organizationId:r.id,userId:o.user.id,createdAt:new Date,role:i?.creatorRole||"owner"}});return{...r,metadata:r.metadata?JSON.parse(r.metadata):void 0,members:[{...n,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let r=await t.findOne({model:"user",where:[{field:"email",value:o.email}]});if(!r)return null;let n=await t.findOne({model:"member",where:[{field:"organizationId",value:o.organizationId},{field:"userId",value:r.id}]});return n?{...n,user:{id:r.id,name:r.name,email:r.email,image:r.image}}:null},findMemberByOrgId:async o=>{let[r,n]=await Promise.all([await t.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await t.findOne({model:"user",where:[{field:"id",value:o.userId}]})]);return!n||!r?null:{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}},findMemberById:async o=>{let r=await t.findOne({model:"member",where:[{field:"id",value:o}]});if(!r)return null;let n=await t.findOne({model:"user",where:[{field:"id",value:r.userId}]});return n?{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}:null},createMember:async o=>await t.create({model:"member",data:o}),updateMember:async(o,r)=>await t.update({model:"member",where:[{field:"id",value:o}],update:{role:r}}),deleteMember:async o=>await t.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,r)=>{let n=await t.update({model:"organization",where:[{field:"id",value:o}],update:{...r,metadata:typeof r.metadata=="object"?JSON.stringify(r.metadata):r.metadata}});return n?{...n,metadata:n.metadata?Di(n.metadata):void 0}:null},deleteOrganization:async o=>(await t.delete({model:"member",where:[{field:"organizationId",value:o}]}),await t.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await t.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,r)=>await e.internalAdapter.updateSession(o,{activeOrganizationId:r}),findOrganizationById:async o=>await t.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async({organizationId:o,isSlug:r})=>{let n=await t.findOne({model:"organization",where:[{field:r?"slug":"id",value:o}]});if(!n)return null;let[s,A]=await Promise.all([t.findMany({model:"invitation",where:[{field:"organizationId",value:n.id}]}),t.findMany({model:"member",where:[{field:"organizationId",value:n.id}]})]);if(!n)return null;let a=A.map(u=>u.userId),d=await t.findMany({model:"user",where:[{field:"id",value:a,operator:"in"}]}),c=new Map(d.map(u=>[u.id,u])),l=A.map(u=>{let K=c.get(u.userId);if(!K)throw new ee("Unexpected error: User not found for member");return{...u,user:{id:K.id,name:K.name,email:K.email,image:K.image}}});return{...n,invitations:s,members:l}},listOrganizations:async o=>{let r=await t.findMany({model:"member",where:[{field:"userId",value:o}]});if(!r||r.length===0)return[];let n=r.map(A=>A.organizationId);return await t.findMany({model:"organization",where:[{field:"id",value:n,operator:"in"}]})},createInvitation:async({invitation:o,user:r})=>{let s=k(i?.invitationExpiresIn||1728e5);return await t.create({model:"invitation",data:{email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:s,inviterId:r.id}})},findInvitationById:async o=>await t.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await t.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(n=>new Date(n.expiresAt)>new Date),updateInvitation:async o=>await t.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};import"better-call";var M=N(async e=>({})),Q=N({use:[R]},async e=>({session:e.context.session}));import{z as X}from"zod";import{z as D}from"zod";var Li=D.string(),Mr=D.enum(["pending","accepted","rejected","canceled"]).default("pending"),lp=D.object({id:D.string().default($),name:D.string(),slug:D.string(),logo:D.string().nullish(),metadata:D.record(D.string()).or(D.string().transform(e=>JSON.parse(e))).nullish(),createdAt:D.date()}),gp=D.object({id:D.string().default($),organizationId:D.string(),userId:D.string(),role:Li,createdAt:D.date()}),mp=D.object({id:D.string().default($),organizationId:D.string(),email:D.string(),role:Li,status:Mr,inviterId:D.string(),expiresAt:D.date()});import{APIError as j}from"better-call";var y={YOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_ORGANIZATION:"You are not allowed to create a new organization",YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS:"You have reached the maximum number of organizations",ORGANIZATION_ALREADY_EXISTS:"Organization already exists",ORGANIZATION_NOT_FOUND:"Organization not found",USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION:"User is not a member of the organization",YOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_ORGANIZATION:"You are not allowed to update this organization",YOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_ORGANIZATION:"You are not allowed to delete this organization",NO_ACTIVE_ORGANIZATION:"No active organization",USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION:"User is already a member of this organization",MEMBER_NOT_FOUND:"Member not found",ROLE_NOT_FOUND:"Role not found",YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER:"You cannot leave the organization as the only owner",YOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_MEMBER:"You are not allowed to delete this member",YOU_ARE_NOT_ALLOWED_TO_INVITE_USERS_TO_THIS_ORGANIZATION:"You are not allowed to invite users to this organization",USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION:"User is already invited to this organization",INVITATION_NOT_FOUND:"Invitation not found",YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION:"You are not the recipient of the invitation",YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION:"You are not allowed to cancel this invitation",INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION:"Inviter is no longer a member of the organization"};var Bi=e=>p("/organization/invite-member",{method:"POST",use:[M,Q],body:X.object({email:X.string({description:"The email address of the user to invite"}),role:X.string({description:"The role to assign to the user"}),organizationId:X.string({description:"The organization ID to invite the user to"}).optional(),resend:X.boolean({description:"Resend the invitation email, if the user is already invited"}).optional()}),metadata:{openapi:{description:"Invite a user to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt"]}}}}}}}},async i=>{if(!i.context.orgOptions.sendInvitationEmail)throw i.context.logger.warn("Invitation email is not enabled. Pass `sendInvitationEmail` to the plugin options to enable it."),new j("BAD_REQUEST",{message:"Invitation email is not enabled"});let t=i.context.session,o=i.body.organizationId||t.session.activeOrganizationId;if(!o)throw new j("BAD_REQUEST",{message:y.ORGANIZATION_NOT_FOUND});let r=x(i.context,i.context.orgOptions),n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o});if(!n)throw new j("BAD_REQUEST",{message:y.MEMBER_NOT_FOUND});let s=i.context.roles[n.role];if(!s)throw new j("BAD_REQUEST",{message:y.ROLE_NOT_FOUND});if(s.authorize({invitation:["create"]}).error)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_ALLOWED_TO_INVITE_USERS_TO_THIS_ORGANIZATION});if(await r.findMemberByEmail({email:i.body.email,organizationId:o}))throw new j("BAD_REQUEST",{message:y.USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION});if((await r.findPendingInvitation({email:i.body.email,organizationId:o})).length&&!i.body.resend)throw new j("BAD_REQUEST",{message:y.USER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION});let c=await r.createInvitation({invitation:{role:i.body.role,email:i.body.email,organizationId:o},user:t.user}),l=await r.findOrganizationById(o);if(!l)throw new j("BAD_REQUEST",{message:y.ORGANIZATION_NOT_FOUND});return await i.context.orgOptions.sendInvitationEmail?.({id:c.id,role:c.role,email:c.email,organization:l,inviter:{...n,user:t.user}},i.request),i.json(c)}),xi=p("/organization/accept-invitation",{method:"POST",body:X.object({invitationId:X.string({description:"The ID of the invitation to accept"})}),use:[M,Q],metadata:{openapi:{description:"Accept an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"object"}}}}}}}}}},async e=>{let i=e.context.session,t=x(e.context,e.context.orgOptions),o=await t.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new j("BAD_REQUEST",{message:y.INVITATION_NOT_FOUND});if(o.email!==i.user.email)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION});let r=await t.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),n=await t.createMember({organizationId:o.organizationId,userId:i.user.id,role:o.role,createdAt:new Date});return await t.setActiveOrganization(i.session.token,o.organizationId),r?e.json({invitation:r,member:n}):e.json(null,{status:400,body:{message:y.INVITATION_NOT_FOUND}})}),ji=p("/organization/reject-invitation",{method:"POST",body:X.object({invitationId:X.string({description:"The ID of the invitation to reject"})}),use:[M,Q],metadata:{openapi:{description:"Reject an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"null"}}}}}}}}}},async e=>{let i=e.context.session,t=x(e.context,e.context.orgOptions),o=await t.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new j("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==i.user.email)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION});let r=await t.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:r,member:null})}),zi=p("/organization/cancel-invitation",{method:"POST",body:X.object({invitationId:X.string({description:"The ID of the invitation to cancel"})}),use:[M,Q],openapi:{description:"Cancel an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"}}}}}}}}},async e=>{let i=e.context.session,t=x(e.context,e.context.orgOptions),o=await t.findInvitationById(e.body.invitationId);if(!o)throw new j("BAD_REQUEST",{message:y.INVITATION_NOT_FOUND});let r=await t.findMemberByOrgId({userId:i.user.id,organizationId:o.organizationId});if(!r)throw new j("BAD_REQUEST",{message:y.MEMBER_NOT_FOUND});if(e.context.roles[r.role].authorize({invitation:["cancel"]}).error)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION});let s=await t.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(s)}),Fi=p("/organization/get-invitation",{method:"GET",use:[M],requireHeaders:!0,query:X.object({id:X.string({description:"The ID of the invitation to get"})}),metadata:{openapi:{description:"Get an invitation by ID",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"},organizationName:{type:"string"},organizationSlug:{type:"string"},inviterEmail:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt","organizationName","organizationSlug","inviterEmail"]}}}}}}}},async e=>{let i=await S(e);if(!i)throw new j("UNAUTHORIZED",{message:"Not authenticated"});let t=x(e.context,e.context.orgOptions),o=await t.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new j("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==i.user.email)throw new j("FORBIDDEN",{message:y.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION});let r=await t.findOrganizationById(o.organizationId);if(!r)throw new j("BAD_REQUEST",{message:y.ORGANIZATION_NOT_FOUND});let n=await t.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!n)throw new j("BAD_REQUEST",{message:y.INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION});return e.json({...o,organizationName:r.name,organizationSlug:r.slug,inviterEmail:n.user.email})});import{z as ae}from"zod";import{APIError as ye}from"better-call";var Vi=()=>p("/organization/add-member",{method:"POST",body:ae.object({userId:ae.string(),role:ae.string(),organizationId:ae.string().optional()}),use:[M],metadata:{SERVER_ONLY:!0}},async e=>{let i=e.body.userId?await S(e).catch(A=>null):null,t=e.body.organizationId||i?.session.activeOrganizationId;if(!t)return e.json(null,{status:400,body:{message:y.NO_ACTIVE_ORGANIZATION}});let o=x(e.context,e.context.orgOptions),r=await e.context.internalAdapter.findUserById(e.body.userId);if(!r)throw new ye("BAD_REQUEST",{message:g.USER_NOT_FOUND});if(await o.findMemberByEmail({email:r.email,organizationId:t}))throw new ye("BAD_REQUEST",{message:y.USER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION});let s=await o.createMember({id:$(),organizationId:t,userId:r.id,role:e.body.role,createdAt:new Date});return e.json(s)}),Mi=p("/organization/remove-member",{method:"POST",body:ae.object({memberIdOrEmail:ae.string({description:"The ID or email of the member to remove"}),organizationId:ae.string({description:"The ID of the organization to remove the member from. If not provided, the active organization will be used"}).optional()}),use:[M,Q],metadata:{openapi:{description:"Remove a member from an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async e=>{let i=e.context.session,t=e.body.organizationId||i.session.activeOrganizationId;if(!t)return e.json(null,{status:400,body:{message:y.NO_ACTIVE_ORGANIZATION}});let o=x(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:i.user.id,organizationId:t});if(!r)throw new ye("BAD_REQUEST",{message:y.MEMBER_NOT_FOUND});let n=e.context.roles[r.role];if(!n)throw new ye("BAD_REQUEST",{message:y.ROLE_NOT_FOUND});let s=i.user.email===e.body.memberIdOrEmail||r.id===e.body.memberIdOrEmail;if(s&&r.role===(e.context.orgOptions?.creatorRole||"owner"))throw new ye("BAD_REQUEST",{message:y.YOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER});if(!(s||n.authorize({member:["delete"]}).success))throw new ye("UNAUTHORIZED",{message:y.YOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_MEMBER});let d=null;if(e.body.memberIdOrEmail.includes("@")?d=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:t}):d=await o.findMemberById(e.body.memberIdOrEmail),d?.organizationId!==t)throw new ye("BAD_REQUEST",{message:y.MEMBER_NOT_FOUND});return await o.deleteMember(d.id),i.user.id===d.userId&&i.session.activeOrganizationId===d.organizationId&&await o.setActiveOrganization(i.session.token,null),e.json({member:d})}),qi=e=>p("/organization/update-member-role",{method:"POST",body:ae.object({role:ae.string(),memberId:ae.string(),organizationId:ae.string().optional()}),use:[M,Q],metadata:{openapi:{description:"Update the role of a member in an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async i=>{let t=i.context.session,o=i.body.organizationId||t.session.activeOrganizationId;if(!o)return i.json(null,{status:400,body:{message:y.NO_ACTIVE_ORGANIZATION}});let r=x(i.context,i.context.orgOptions),n=await r.findMemberByOrgId({userId:t.user.id,organizationId:o});if(!n)return i.json(null,{status:400,body:{message:y.MEMBER_NOT_FOUND}});let s=i.context.roles[n.role];if(!s)return i.json(null,{status:400,body:{message:y.ROLE_NOT_FOUND}});if(s.authorize({member:["update"]}).error||i.body.role==="owner"&&n.role!=="owner")return i.json(null,{body:{message:"You are not allowed to update this member"},status:403});let a=await r.updateMember(i.body.memberId,i.body.role);return a?i.json(a):i.json(null,{status:400,body:{message:y.MEMBER_NOT_FOUND}})}),Hi=p("/organization/get-active-member",{method:"GET",use:[M,Q],metadata:{openapi:{description:"Get the active member in the organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}}}}}}}},async e=>{let i=e.context.session,t=i.session.activeOrganizationId;if(!t)return e.json(null,{status:400,body:{message:y.NO_ACTIVE_ORGANIZATION}});let r=await x(e.context,e.context.orgOptions).findMemberByOrgId({userId:i.user.id,organizationId:t});return r?e.json(r):e.json(null,{status:400,body:{message:y.MEMBER_NOT_FOUND}})});import{z as _}from"zod";import{APIError as le}from"better-call";var $i=p("/organization/create",{method:"POST",body:_.object({name:_.string({description:"The name of the organization"}),slug:_.string({description:"The slug of the organization"}),userId:_.string({description:"The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server."}).optional(),logo:_.string({description:"The logo of the organization"}).optional(),metadata:_.record(_.string(),_.any(),{description:"The metadata of the organization"}).optional()}),use:[M],metadata:{openapi:{description:"Create an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization that was created",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let i=await S(e);if(!i&&(e.request||e.headers))throw new le("UNAUTHORIZED");let t=i?.user||null;if(!t){if(!e.body.userId)throw new le("UNAUTHORIZED");t=await e.context.internalAdapter.findUserById(e.body.userId)}if(!t)return e.json(null,{status:401});let o=e.context.orgOptions;if(!(typeof o?.allowUserToCreateOrganization=="function"?await o.allowUserToCreateOrganization(t):o?.allowUserToCreateOrganization===void 0?!0:o.allowUserToCreateOrganization))throw new le("FORBIDDEN",{message:y.YOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_ORGANIZATION});let n=x(e.context,o),s=await n.listOrganizations(t.id);if(typeof o.organizationLimit=="number"?s.length>=o.organizationLimit:typeof o.organizationLimit=="function"?await o.organizationLimit(t):!1)throw new le("FORBIDDEN",{message:y.YOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS});if(await n.findOrganizationBySlug(e.body.slug))throw new le("BAD_REQUEST",{message:y.ORGANIZATION_ALREADY_EXISTS});let d=await n.createOrganization({organization:{id:$(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return e.context.session&&await n.setActiveOrganization(e.context.session.session.token,d.id),e.json(d)}),Gi=p("/organization/update",{method:"POST",body:_.object({data:_.object({name:_.string({description:"The name of the organization"}).optional(),slug:_.string({description:"The slug of the organization"}).optional(),logo:_.string({description:"The logo of the organization"}).optional(),metadata:_.record(_.string(),_.any(),{description:"The metadata of the organization"}).optional()}).partial(),organizationId:_.string().optional()}),requireHeaders:!0,use:[M],metadata:{openapi:{description:"Update an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The updated organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let i=await e.context.getSession(e);if(!i)throw new le("UNAUTHORIZED",{message:"User not found"});let t=e.body.organizationId||i.session.activeOrganizationId;if(!t)return e.json(null,{status:400,body:{message:y.ORGANIZATION_NOT_FOUND}});let o=x(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:i.user.id,organizationId:t});if(!r)return e.json(null,{status:400,body:{message:y.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["update"]}).error)return e.json(null,{body:{message:y.YOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_ORGANIZATION},status:403});let A=await o.updateOrganization(t,e.body.data);return e.json(A)}),Zi=p("/organization/delete",{method:"POST",body:_.object({organizationId:_.string({description:"The organization id to delete"})}),requireHeaders:!0,use:[M],metadata:{openapi:{description:"Delete an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string",description:"The organization id that was deleted"}}}}}}}},async e=>{let i=await e.context.getSession(e);if(!i)return e.json(null,{status:401});let t=e.body.organizationId;if(!t)return e.json(null,{status:400,body:{message:y.ORGANIZATION_NOT_FOUND}});let o=x(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:i.user.id,organizationId:t});if(!r)return e.json(null,{status:400,body:{message:y.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["delete"]}).error)throw new le("FORBIDDEN",{message:y.YOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_ORGANIZATION});return t===i.session.activeOrganizationId&&await o.setActiveOrganization(i.session.token,null),await o.deleteOrganization(t),e.json(t)}),Qi=p("/organization/get-full-organization",{method:"GET",query:_.optional(_.object({organizationId:_.string({description:"The organization id to get"}).optional(),organizationSlug:_.string({description:"The organization slug to get"}).optional()})),requireHeaders:!0,use:[M,Q],metadata:{openapi:{description:"Get the full organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let i=e.context.session,t=e.query?.organizationSlug||e.query?.organizationId||i.session.activeOrganizationId;if(!t)return e.json(null,{status:200});let r=await x(e.context,e.context.orgOptions).findFullOrganization({organizationId:t,isSlug:!!e.query?.organizationSlug});if(!r)throw new le("BAD_REQUEST",{message:y.ORGANIZATION_NOT_FOUND});return e.json(r)}),Wi=p("/organization/set-active",{method:"POST",body:_.object({organizationId:_.string({description:"The organization id to set as active. It can be null to unset the active organization"}).nullable().optional(),organizationSlug:_.string({description:"The organization slug to set as active. It can be null to unset the active organization if organizationId is not provided"}).optional()}),use:[Q,M],metadata:{openapi:{description:"Set the active organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let i=x(e.context,e.context.orgOptions),t=e.context.session,o=e.body.organizationSlug||e.body.organizationId;if(o===null){if(!t.session.activeOrganizationId)return e.json(null);let a=await i.setActiveOrganization(t.session.token,null);return await h(e,{session:a,user:t.user}),e.json(null)}if(!o){let A=t.session.activeOrganizationId;if(!A)return e.json(null);o=A}let r=await i.findFullOrganization({organizationId:o,isSlug:!!e.body.organizationSlug});if(!r?.members.find(A=>A.userId===t.user.id))throw await i.setActiveOrganization(t.session.token,null),new le("FORBIDDEN",{message:y.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION});let s=await i.setActiveOrganization(t.session.token,o);return await h(e,{session:s,user:t.user}),e.json(r)}),Ji=p("/organization/list",{method:"GET",use:[M,Q],metadata:{openapi:{description:"List all organizations",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{$ref:"#/components/schemas/Organization"}}}}}}}}},async e=>{let t=await x(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(t)});var qr=eo({name:["action"]}),sK=qr.newRole({name:["action"]}),aK=e=>{let i={createOrganization:$i,updateOrganization:Gi,deleteOrganization:Zi,setActiveOrganization:Wi,getFullOrganization:Qi,listOrganizations:Ji,createInvitation:Bi(e),cancelInvitation:zi,acceptInvitation:xi,getInvitation:Fi,rejectInvitation:ji,addMember:Vi(),removeMember:Mi,updateMemberRole:qi(e),getActiveMember:Hi},t={...ki,...e?.roles};return{id:"organization",endpoints:{...vi(i,{orgOptions:e||{},roles:t,getSession:async r=>await S(r)}),hasPermission:p("/organization/has-permission",{method:"POST",requireHeaders:!0,body:xe.object({permission:xe.record(xe.string(),xe.array(xe.string()))}),use:[Q],metadata:{openapi:{description:"Check if the user has permission",requestBody:{content:{"application/json":{schema:{type:"object",properties:{permission:{type:"object",description:"The permission to check"}},required:["permission"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{error:{type:"string"},success:{type:"boolean"}},required:["success"]}}}}}}}},async r=>{if(!r.context.session.session.activeOrganizationId)throw new Yi("BAD_REQUEST",{message:y.NO_ACTIVE_ORGANIZATION});let s=await x(r.context).findMemberByOrgId({userId:r.context.session.user.id,organizationId:r.context.session.session.activeOrganizationId||""});if(!s)throw new Yi("UNAUTHORIZED",{message:y.USER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION});let a=t[s.role].authorize(r.body.permission);return a.error?r.json({error:a.error,success:!1},{status:403}):r.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1,fieldName:e?.schema?.session?.fields?.activeOrganizationId}}},organization:{modelName:e?.schema?.organization?.modelName,fields:{name:{type:"string",required:!0,fieldName:e?.schema?.organization?.fields?.name},slug:{type:"string",unique:!0,fieldName:e?.schema?.organization?.fields?.slug},logo:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.logo},createdAt:{type:"date",required:!0,fieldName:e?.schema?.organization?.fields?.createdAt},metadata:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.metadata}}},member:{modelName:e?.schema?.member?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.member?.fields?.organizationId},userId:{type:"string",required:!0,fieldName:e?.schema?.member?.fields?.userId,references:{model:"user",field:"id"}},role:{type:"string",required:!0,defaultValue:"member",fieldName:e?.schema?.member?.fields?.role},createdAt:{type:"date",required:!0,fieldName:e?.schema?.member?.fields?.createdAt}}},invitation:{modelName:e?.schema?.invitation?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.invitation?.fields?.organizationId},email:{type:"string",required:!0,fieldName:e?.schema?.invitation?.fields?.email},role:{type:"string",required:!1,fieldName:e?.schema?.invitation?.fields?.role},status:{type:"string",required:!0,defaultValue:"pending",fieldName:e?.schema?.invitation?.fields?.status},expiresAt:{type:"date",required:!0,fieldName:e?.schema?.invitation?.fields?.expiresAt},inviterId:{type:"string",references:{model:"user",field:"id"},fieldName:e?.schema?.invitation?.fields?.inviterId,required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}},$ERROR_CODES:y}};import{z as ro}from"zod";import{z as ge}from"zod";import{APIError as je}from"better-call";var oo="two_factor";var io="trust_device";import{z as Xi}from"zod";var we=N({body:Xi.object({trustDevice:Xi.boolean().optional()})},async e=>{let i=await S(e);if(!i){let t=e.context.createAuthCookie(oo),o=await e.getSignedCookie(t.name,e.context.secret);if(!o)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let r=await e.context.internalAdapter.findUserById(o);if(!r)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let n=await e.context.internalAdapter.createSession(o,e.request);if(!n)throw new je("INTERNAL_SERVER_ERROR",{message:"failed to create session"});return{valid:async()=>{if(await h(e,{session:n,user:r}),e.body.trustDevice){let s=e.context.createAuthCookie(io,{maxAge:2592e3}),A=await Le(e.context.secret,`${r.id}!${n.token}`);await e.setSignedCookie(s.name,`${A}!${n.token}`,e.context.secret,s.attributes)}return e.json({session:n,user:r})},invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{session:n,user:r}}}return{valid:async()=>e.json({session:i,user:i.user}),invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:i}});import{APIError as ze}from"better-call";var W={OTP_NOT_ENABLED:"OTP not enabled",OTP_HAS_EXPIRED:"OTP has expired",TOTP_NOT_ENABLED:"TOTP not enabled",TWO_FACTOR_NOT_ENABLED:"Two factor isn't enabled",BACKUP_CODES_NOT_ENABLED:"Backup codes aren't enabled",INVALID_BACKUP_CODE:"Invalid backup code"};function Hr(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>z(e?.length??10,F("a-z","0-9"))).map(i=>`${i.slice(0,5)}-${i.slice(5)}`)}async function bo(e,i){let t=e,o=i?.customBackupCodesGenerate?i.customBackupCodesGenerate():Hr(),r=await ue({data:JSON.stringify(o),key:t});return{backupCodes:o,encryptedBackupCodes:r}}async function $r(e,i){let t=await et(e.backupCodes,i);return t?{status:t.includes(e.code),updated:t.filter(o=>o!==e.code)}:{status:!1,updated:null}}async function et(e,i){let t=Buffer.from(await fe({key:i,data:e})).toString("utf-8"),o=JSON.parse(t),r=ge.array(ge.string()).safeParse(o);return r.success?r.data:null}var ot=(e,i)=>({id:"backup_code",endpoints:{verifyBackupCode:p("/two-factor/verify-backup-code",{method:"POST",body:ge.object({code:ge.string(),disableSession:ge.boolean().optional()}),use:[we]},async t=>{let o=t.context.session.user,r=await t.context.adapter.findOne({model:i,where:[{field:"userId",value:o.id}]});if(!r)throw new ze("BAD_REQUEST",{message:W.BACKUP_CODES_NOT_ENABLED});let n=await $r({backupCodes:r.backupCodes,code:t.body.code},t.context.secret);if(!n.status)throw new ze("UNAUTHORIZED",{message:W.INVALID_BACKUP_CODE});let s=await ue({key:t.context.secret,data:JSON.stringify(n.updated)});return await t.context.adapter.updateMany({model:i,update:{backupCodes:s},where:[{field:"userId",value:o.id}]}),t.body.disableSession||await h(t,{session:t.context.session.session,user:o}),t.json({user:o,session:t.context.session})}),generateBackupCodes:p("/two-factor/generate-backup-codes",{method:"POST",body:ge.object({password:ge.string()}),use:[R]},async t=>{let o=t.context.session.user;if(!o.twoFactorEnabled)throw new ze("BAD_REQUEST",{message:W.TWO_FACTOR_NOT_ENABLED});await t.context.password.checkPassword(o.id,t);let r=await bo(t.context.secret,e);return await t.context.adapter.update({model:i,update:{backupCodes:r.encryptedBackupCodes},where:[{field:"userId",value:t.context.session.user.id}]}),t.json({status:!0,backupCodes:r.backupCodes})}),viewBackupCodes:p("/two-factor/view-backup-codes",{method:"GET",body:ge.object({userId:ge.string()}),metadata:{SERVER_ONLY:!0}},async t=>{let o=await t.context.adapter.findOne({model:i,where:[{field:"userId",value:t.body.userId}]});if(!o)throw new ze("BAD_REQUEST",{message:"Backup codes aren't enabled"});let r=await et(o.backupCodes,t.context.secret);if(!r)throw new ze("BAD_REQUEST",{message:W.BACKUP_CODES_NOT_ENABLED});return t.json({status:!0,backupCodes:r})})}});import{APIError as Fe}from"better-call";import{z as it}from"zod";import{TimeSpan as Gr}from"oslo";var tt=(e,i)=>{let t={...e,digits:e?.digits||6,period:new Gr(e?.period||3,"m")},o=p("/two-factor/send-otp",{method:"POST",use:[we],metadata:{openapi:{summary:"Send two factor OTP",description:"Send two factor OTP to the user",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async n=>{if(!e||!e.sendOTP)throw n.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new Fe("BAD_REQUEST",{message:"otp isn't configured"});let s=n.context.session.user;if(!await n.context.adapter.findOne({model:i,where:[{field:"userId",value:s.id}]}))throw new Fe("BAD_REQUEST",{message:W.OTP_NOT_ENABLED});let a=z(t.digits,F("0-9"));return await n.context.internalAdapter.createVerificationValue({value:a,identifier:`2fa-otp-${s.id}`,expiresAt:new Date(Date.now()+t.period.milliseconds())}),await e.sendOTP({user:s,otp:a},n.request),n.json({status:!0})}),r=p("/two-factor/verify-otp",{method:"POST",body:it.object({code:it.string({description:"The otp code to verify"})}),use:[we],metadata:{openapi:{summary:"Verify two factor OTP",description:"Verify two factor OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async n=>{let s=n.context.session.user;if(!s.twoFactorEnabled)throw new Fe("BAD_REQUEST",{message:"two factor isn't enabled"});if(!await n.context.adapter.findOne({model:i,where:[{field:"userId",value:s.id}]}))throw new Fe("BAD_REQUEST",{message:W.OTP_NOT_ENABLED});let a=await n.context.internalAdapter.findVerificationValue(`2fa-otp-${s.id}`);if(!a||a.expiresAt<new Date)throw new Fe("BAD_REQUEST",{message:W.OTP_HAS_EXPIRED});return a.value===n.body.code?n.context.valid():n.context.invalid()});return{id:"otp",endpoints:{sendTwoFactorOTP:o,verifyTwoFactorOTP:r}}};import{APIError as Re}from"better-call";import{TimeSpan as Zr}from"oslo";import{TOTPController as rt,createTOTPKeyURI as Qr}from"oslo/otp";import{z as to}from"zod";var nt=(e,i)=>{let t={...e,digits:e?.digits||6,period:new Zr(e?.period||30,"s")},o=p("/totp/generate",{method:"POST",use:[R],metadata:{openapi:{summary:"Generate TOTP code",description:"Use this endpoint to generate a TOTP code",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{code:{type:"string"}}}}}}}}}},async s=>{if(!e)throw s.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Re("BAD_REQUEST",{message:"totp isn't configured"});let A=s.context.session.user,a=await s.context.adapter.findOne({model:i,where:[{field:"userId",value:A.id}]});if(!a)throw new Re("BAD_REQUEST",{message:W.TOTP_NOT_ENABLED});return{code:await new rt(t).generate(Buffer.from(a.secret))}}),r=p("/two-factor/get-totp-uri",{method:"POST",use:[R],body:to.object({password:to.string({description:"User password"})}),metadata:{openapi:{summary:"Get TOTP URI",description:"Use this endpoint to get the TOTP URI",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string"}}}}}}}}}},async s=>{if(!e)throw s.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Re("BAD_REQUEST",{message:"totp isn't configured"});let A=s.context.session.user,a=await s.context.adapter.findOne({model:i,where:[{field:"userId",value:A.id}]});if(!a||!A.twoFactorEnabled)throw new Re("BAD_REQUEST",{message:W.TOTP_NOT_ENABLED});return await s.context.password.checkPassword(A.id,s),{totpURI:Qr(e.issuer||s.context.appName,A.email,Buffer.from(a.secret),t)}}),n=p("/two-factor/verify-totp",{method:"POST",body:to.object({code:to.string({description:"The otp code to verify"})}),use:[we],metadata:{openapi:{summary:"Verify two factor TOTP",description:"Verify two factor TOTP",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async s=>{if(!e)throw s.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Re("BAD_REQUEST",{message:"totp isn't configured"});let A=s.context.session.user,a=await s.context.adapter.findOne({model:i,where:[{field:"userId",value:A.id}]});if(!a)throw new Re("BAD_REQUEST",{message:W.TOTP_NOT_ENABLED});let d=new rt(t),c=await fe({key:s.context.secret,data:a.secret}),l=Buffer.from(c);if(!await d.verify(s.body.code,l))return s.context.invalid();if(!A.twoFactorEnabled){let K=await s.context.internalAdapter.updateUser(A.id,{twoFactorEnabled:!0}),m=await s.context.internalAdapter.createSession(A.id,s.request,!1,s.context.session.session).catch(E=>{throw console.log(E),E});await s.context.internalAdapter.deleteSession(s.context.session.session.token),await h(s,{session:m,user:K})}return s.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,getTOTPURI:r,verifyTOTP:n}}};import{APIError as JK}from"better-call";async function Oo(e,i){let o=(await e.context.internalAdapter.findAccounts(i.userId))?.find(s=>s.providerId==="credential"),r=o?.password;return!o||!r?!1:await e.context.password.verify({hash:r,password:i.password})}import{APIError as At}from"better-call";import{createTOTPKeyURI as Jr}from"oslo/otp";import{TimeSpan as Yr}from"oslo";import{APIError as Wr}from"better-call";var st=async e=>{let i=e.context.returned;return i?i instanceof Response?i.status!==200?null:await i.clone().json():i instanceof Wr?null:i:null};var at={user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}};var iu=e=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:i=>i.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(i){i.data?.twoFactorRedirect&&e?.onTwoFactorRedirect&&await e.onTwoFactorRedirect()}}}]});var Tu=e=>{let i={twoFactorTable:"twoFactor"},t=nt({issuer:e?.issuer,...e?.totpOptions},i.twoFactorTable),o=ot({...e?.backupCodeOptions},i.twoFactorTable),r=tt({...e?.otpOptions},i.twoFactorTable);return{id:"two-factor",endpoints:{...t.endpoints,...r.endpoints,...o.endpoints,enableTwoFactor:p("/two-factor/enable",{method:"POST",body:ro.object({password:ro.string({description:"User password"}).min(8)}),use:[R],metadata:{openapi:{summary:"Enable two factor authentication",description:"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string",description:"TOTP URI"},backupCodes:{type:"array",items:{type:"string"},description:"Backup codes"}}}}}}}}}},async n=>{let s=n.context.session.user,{password:A}=n.body;if(!await Oo(n,{password:A,userId:s.id}))throw new At("BAD_REQUEST",{message:g.INVALID_PASSWORD});let d=z(16,F("a-z","0-9","-")),c=await ue({key:n.context.secret,data:d}),l=await bo(n.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let K=await n.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),m=await n.context.internalAdapter.createSession(K.id,n.request,!1,n.context.session.session);await h(n,{session:m,user:s}),await n.context.internalAdapter.deleteSession(n.context.session.session.token)}await n.context.adapter.deleteMany({model:i.twoFactorTable,where:[{field:"userId",value:s.id}]}),await n.context.adapter.create({model:i.twoFactorTable,data:{secret:c,backupCodes:l.encryptedBackupCodes,userId:s.id}});let u=Jr(e?.issuer||"BetterAuth",s.email,Buffer.from(d),{digits:e?.totpOptions?.digits||6,period:new Yr(e?.totpOptions?.period||30,"s")});return n.json({totpURI:u,backupCodes:l.backupCodes})}),disableTwoFactor:p("/two-factor/disable",{method:"POST",body:ro.object({password:ro.string({description:"User password"}).min(8)}),use:[R],metadata:{openapi:{summary:"Disable two factor authentication",description:"Use this endpoint to disable two factor authentication.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async n=>{let s=n.context.session.user,{password:A}=n.body;if(!await Oo(n,{password:A,userId:s.id}))throw new At("BAD_REQUEST",{message:"Invalid password"});await n.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!1}),await n.context.adapter.delete({model:i.twoFactorTable,where:[{field:"userId",value:s.id}]});let d=await n.context.internalAdapter.createSession(s.id,n.request,!1,n.context.session.session);return await h(n,{session:d,user:s}),await n.context.internalAdapter.deleteSession(n.context.session.session.token),n.json({status:!0})})},options:e,hooks:{after:[{matcher(n){return n.path==="/sign-in/email"||n.path==="/sign-in/username"},handler:N(async n=>{let s=n.context.newSession;if(!s||!s?.user.twoFactorEnabled)return;let A=n.context.createAuthCookie(io),a=await n.getSignedCookie(A.name,n.context.secret);if(a){let[c,l]=a.split("!"),u=await Le(n.context.secret,`${s.user.id}!${l}`);if(c===u){let K=await Le(n.context.secret,`${s.user.id}!${s.session.token}`);await n.setSignedCookie(A.name,`${K}!${s.session.token}`,n.context.secret,A.attributes);return}}H(n),await n.context.internalAdapter.deleteSession(s.session.token);let d=n.context.createAuthCookie(oo,{maxAge:60*10});return await n.setSignedCookie(d.name,s.user.id,n.context.secret,d.attributes),n.json({twoFactorRedirect:!0})})}]},schema:oe(at,e?.schema),rateLimit:[{pathMatcher(n){return n.startsWith("/two-factor/")},window:10,max:3}]}};import{generateAuthenticationOptions as an,generateRegistrationOptions as An,verifyAuthenticationResponse as dn,verifyRegistrationResponse as cn}from"@simplewebauthn/server";import{APIError as Y}from"better-call";import{z as re}from"zod";import{WebAuthnError as on,startAuthentication as tn,startRegistration as rn}from"@simplewebauthn/browser";import{createFetch as Vu}from"@better-fetch/fetch";import"nanostores";import"@better-fetch/fetch";import{atom as Nu}from"nanostores";import"@better-fetch/fetch";import{atom as Xr,onMount as en}from"nanostores";var To=(e,i,t,o)=>{let r=Xr({data:null,error:null,isPending:!0,isRefetching:!1}),n=()=>{let A=typeof o=="function"?o({data:r.get().data,error:r.get().error,isPending:r.get().isPending}):o;return t(i,{...A,async onSuccess(a){r.set({data:a.data,error:null,isPending:!1,isRefetching:!1}),await A?.onSuccess?.(a)},async onError(a){r.set({error:a.error,data:null,isPending:!1,isRefetching:!1}),await A?.onError?.(a)},async onRequest(a){let d=r.get();r.set({isPending:d.data===null,data:d.data,error:null,isRefetching:!0}),await A?.onRequest?.(a)}})};e=Array.isArray(e)?e:[e];let s=!1;for(let A of e)A.subscribe(()=>{s?n():en(r,()=>(n(),s=!0,()=>{r.off(),A.off()}))});return r};import{atom as nn}from"nanostores";var sn=(e,{$listPasskeys:i})=>({signIn:{passkey:async(r,n)=>{let s=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:r?.email}});if(!s.data)return s;try{let A=await tn(s.data,r?.autoFill||!1),a=await e("/passkey/verify-authentication",{body:{response:A},...r?.fetchOptions,...n,method:"POST"});if(!a.data)return a}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(r,n)=>{let s=await e("/passkey/generate-register-options",{method:"GET"});if(!s.data)return s;try{let A=await rn(s.data),a=await e("/passkey/verify-registration",{...r?.fetchOptions,...n,body:{response:A,name:r?.name},method:"POST"});if(!a.data)return a;i.set(Math.random())}catch(A){return A instanceof on?A.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:A.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:A.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:A instanceof Error?A.message:"unknown error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),cl=()=>{let e=nn();return{id:"passkey",$InferServerPlugin:{},getActions:i=>sn(i,{$listPasskeys:e}),getAtoms(i){return{listPasskeys:To(e,"/passkey/list-user-passkeys",i,{method:"GET"}),$listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(i){return i==="/passkey/verify-registration"||i==="/passkey/delete-passkey"||i==="/passkey/update-passkey"},signal:"_listPasskeys"}]}};var Tl=e=>{let i=ne.BETTER_AUTH_URL,t=e?.rpID||i?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!t)throw new ee("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:t,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},r=new Date(Date.now()+1e3*60*5),n=new Date,s=Math.floor((r.getTime()-n.getTime())/1e3),A={CHALLENGE_NOT_FOUND:"Challenge not found",YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY:"You are not allowed to register this passkey",FAILED_TO_VERIFY_REGISTRATION:"Failed to verify registration",PASSKEY_NOT_FOUND:"Passkey not found",AUTHENTICATION_FAILED:"Authentication failed",UNABLE_TO_CREATE_SESSION:"Unable to create session",FAILED_TO_UPDATE_PASSKEY:"Failed to update passkey"};return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:p("/passkey/generate-register-options",{method:"GET",use:[ve],metadata:{client:!1,openapi:{description:"Generate registration options for a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},pubKeyCredParams:{type:"array",items:{type:"object",properties:{type:{type:"string"},alg:{type:"number"}}}},timeout:{type:"number"},excludeCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},attestation:{type:"string"},extensions:{type:"object"}}}}}}}}}},async a=>{let d=a.context.session,c=await a.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),l=new Uint8Array(Buffer.from(z(32,F("a-z","0-9")))),u;u=await An({rpName:o.rpName||a.context.appName,rpID:o.rpID,userID:l,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:c.map(m=>({id:m.id,transports:m.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let K=$(32);return await a.setSignedCookie(o.advanced.webAuthnChallengeCookie,K,a.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:s}),await a.context.internalAdapter.createVerificationValue({identifier:K,value:JSON.stringify({expectedChallenge:u.challenge,userData:{id:d.user.id}}),expiresAt:r}),a.json(u,{status:200})}),generatePasskeyAuthenticationOptions:p("/passkey/generate-authenticate-options",{method:"POST",body:re.object({email:re.string({description:"The email address of the user"}).optional()}).optional(),metadata:{openapi:{description:"Generate authentication options for a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},timeout:{type:"number"},allowCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},userVerification:{type:"string"},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},extensions:{type:"object"}}}}}}}}}},async a=>{let d=await S(a),c=[];d&&(c=await a.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let l=await an({rpID:o.rpID,userVerification:"preferred",...c.length?{allowCredentials:c.map(m=>({id:m.id,transports:m.transports?.split(",")}))}:{}}),u={expectedChallenge:l.challenge,userData:{id:d?.user.id||""}},K=$(32);return await a.setSignedCookie(o.advanced.webAuthnChallengeCookie,K,a.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:s}),await a.context.internalAdapter.createVerificationValue({identifier:K,value:JSON.stringify(u),expiresAt:r}),a.json(l,{status:200})}),verifyPasskeyRegistration:p("/passkey/verify-registration",{method:"POST",body:re.object({response:re.any({description:"The response from the authenticator"}),name:re.string({description:"Name of the passkey"}).optional()}),use:[ve],metadata:{openapi:{description:"Verify registration of a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{$ref:"#/components/schemas/Passkey"}}}},400:{description:"Bad request"}}}}},async a=>{let d=e?.origin||a.headers?.get("origin")||"";if(!d)return a.json(null,{status:400});let c=a.body.response,l=await a.getSignedCookie(o.advanced.webAuthnChallengeCookie,a.context.secret);if(!l)throw new Y("BAD_REQUEST",{message:A.CHALLENGE_NOT_FOUND});let u=await a.context.internalAdapter.findVerificationValue(l);if(!u)return a.json(null,{status:400});let{expectedChallenge:K,userData:m}=JSON.parse(u.value);if(m.id!==a.context.session.user.id)throw new Y("UNAUTHORIZED",{message:A.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY});try{let E=await cn({response:c,expectedChallenge:K,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:v,registrationInfo:f}=E;if(!v||!f)return a.json(null,{status:400});let{credentialID:w,credentialPublicKey:b,counter:I,credentialDeviceType:q,credentialBackedUp:$e}=f,wt=Buffer.from(b).toString("base64"),Ct={name:a.body.name,userId:m.id,webauthnUserID:a.context.generateId({model:"passkey"}),id:w,publicKey:wt,counter:I,deviceType:q,transports:c.response.transports.join(","),backedUp:$e,createdAt:new Date},bt=await a.context.adapter.create({model:"passkey",data:Ct});return a.json(bt,{status:200})}catch(E){throw console.log(E),new Y("INTERNAL_SERVER_ERROR",{message:A.FAILED_TO_VERIFY_REGISTRATION})}}),verifyPasskeyAuthentication:p("/passkey/verify-authentication",{method:"POST",body:re.object({response:re.any()}),metadata:{openapi:{description:"Verify authentication of a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async a=>{let d=e?.origin||a.headers?.get("origin")||"";if(!d)throw new Y("BAD_REQUEST",{message:"origin missing"});let c=a.body.response,l=await a.getSignedCookie(o.advanced.webAuthnChallengeCookie,a.context.secret);if(!l)throw new Y("BAD_REQUEST",{message:A.CHALLENGE_NOT_FOUND});let u=await a.context.internalAdapter.findVerificationValue(l);if(!u)throw new Y("BAD_REQUEST",{message:A.CHALLENGE_NOT_FOUND});let{expectedChallenge:K}=JSON.parse(u.value),m=await a.context.adapter.findOne({model:"passkey",where:[{field:"id",value:c.id}]});if(!m)throw new Y("UNAUTHORIZED",{message:A.PASSKEY_NOT_FOUND});try{let E=await dn({response:c,expectedChallenge:K,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:m.id,credentialPublicKey:new Uint8Array(Buffer.from(m.publicKey,"base64")),counter:m.counter,transports:m.transports?.split(",")},requireUserVerification:!1}),{verified:v}=E;if(!v)throw new Y("UNAUTHORIZED",{message:A.AUTHENTICATION_FAILED});await a.context.adapter.update({model:"passkey",where:[{field:"id",value:m.id}],update:{counter:E.authenticationInfo.newCounter}});let f=await a.context.internalAdapter.createSession(m.userId,a.request);if(!f)throw new Y("INTERNAL_SERVER_ERROR",{message:A.UNABLE_TO_CREATE_SESSION});let w=await a.context.internalAdapter.findUserById(m.userId);if(!w)throw new Y("INTERNAL_SERVER_ERROR",{message:"User not found"});return await h(a,{session:f,user:w}),a.json({session:f},{status:200})}catch(E){throw a.context.logger.error("Failed to verify authentication",E),new Y("BAD_REQUEST",{message:A.AUTHENTICATION_FAILED})}}),listPasskeys:p("/passkey/list-user-passkeys",{method:"GET",use:[R]},async a=>{let d=await a.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:a.context.session.user.id}]});return a.json(d,{status:200})}),deletePasskey:p("/passkey/delete-passkey",{method:"POST",body:re.object({id:re.string()}),use:[R]},async a=>(await a.context.adapter.delete({model:"passkey",where:[{field:"id",value:a.body.id}]}),a.json(null,{status:200}))),updatePasskey:p("/passkey/update-passkey",{method:"POST",body:re.object({id:re.string(),name:re.string()}),use:[R]},async a=>{let d=await a.context.adapter.findOne({model:"passkey",where:[{field:"id",value:a.body.id}]});if(!d)throw new Y("NOT_FOUND",{message:A.PASSKEY_NOT_FOUND});if(d.userId!==a.context.session.user.id)throw new Y("UNAUTHORIZED",{message:A.YOU_ARE_NOT_ALLOWED_TO_REGISTER_THIS_PASSKEY});let c=await a.context.adapter.update({model:"passkey",where:[{field:"id",value:a.body.id}],update:{name:a.body.name}});if(!c)throw new Y("INTERNAL_SERVER_ERROR",{message:A.FAILED_TO_UPDATE_PASSKEY});return a.json({passkey:c},{status:200})})},schema:oe(pn,e?.schema),$ERROR_CODES:A}},pn={passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",required:!1}}}};import{z as no}from"zod";import{APIError as Ve}from"better-call";var dt=()=>{let e={INVALID_USERNAME_OR_PASSWORD:"invalid username or password",EMAIL_NOT_VERIFIED:"email not verified",UNEXPECTED_ERROR:"unexpected error"};return{id:"username",endpoints:{signInUsername:p("/sign-in/username",{method:"POST",body:no.object({username:no.string({description:"The username of the user"}),password:no.string({description:"The password of the user"}),rememberMe:no.boolean({description:"Remember the user session"}).optional()}),metadata:{openapi:{summary:"Sign in with username",description:"Sign in with username",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async i=>{let t=await i.context.adapter.findOne({model:"user",where:[{field:"username",value:i.body.username.toLowerCase()}]});if(!t)throw await i.context.password.hash(i.body.password),i.context.logger.error("User not found",{username:dt}),new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});if(!t.emailVerified&&i.context.options.emailAndPassword?.requireEmailVerification)throw await mo(i,t),new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});let o=await i.context.adapter.findOne({model:"account",where:[{field:"userId",value:t.id},{field:"providerId",value:"credential"}]});if(!o)throw new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});let r=o?.password;if(!r)throw i.context.logger.error("Password not found",{username:dt}),new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});if(!await i.context.password.verify({hash:r,password:i.body.password}))throw i.context.logger.error("Invalid password"),new Ve("UNAUTHORIZED",{message:e.INVALID_USERNAME_OR_PASSWORD});let s=await i.context.internalAdapter.createSession(t.id,i.request,i.body.rememberMe===!1);return s?(await h(i,{session:s,user:t},i.body.rememberMe===!1),i.json({id:t.id,email:t.email,name:t.name,image:t.image,emailVerified:t.emailVerified,createdAt:t.createdAt,updatedAt:t.updatedAt})):i.json(null,{status:500,body:{message:g.FAILED_TO_CREATE_SESSION,status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}},$ERROR_CODES:W}};import{serializeSigned as Kn}from"better-call";var Ll=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let i=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!i)return;let t="";return i.includes(".")?t=i:t=await Kn("",i,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${t.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${t.replace("=","")}`),{context:e}}}]}});import{z as Ie}from"zod";import{APIError as un}from"better-call";var ql=e=>({id:"magic-link",endpoints:{signInMagicLink:p("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:Ie.object({email:Ie.string({description:"Email address to send the magic link"}).email(),callbackURL:Ie.string({description:"URL to redirect after magic link verification"}).optional()}),metadata:{openapi:{description:"Sign in with magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async i=>{let{email:t}=i.body;if(e.disableSignUp&&!await i.context.internalAdapter.findUserByEmail(t))throw new un("BAD_REQUEST",{message:g.USER_NOT_FOUND});let o=z(32,F("a-z","A-Z"));await i.context.internalAdapter.createVerificationValue({identifier:o,value:t,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let r=`${i.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${i.body.callbackURL||"/"}`;return await e.sendMagicLink({email:t,url:r,token:o},i.request),i.json({status:!0})}),magicLinkVerify:p("/magic-link/verify",{method:"GET",query:Ie.object({token:Ie.string({description:"Verification token"}),callbackURL:Ie.string({description:"URL to redirect after magic link verification, if not provided will return session"}).optional()}),requireHeaders:!0,metadata:{openapi:{description:"Verify magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async i=>{let{token:t,callbackURL:o}=i.query,r=o?.startsWith("http")?o:o?`${i.context.options.baseURL}${o}`:i.context.options.baseURL,n=await i.context.internalAdapter.findVerificationValue(t);if(!n)throw i.redirect(`${r}?error=INVALID_TOKEN`);if(n.expiresAt<new Date)throw await i.context.internalAdapter.deleteVerificationValue(n.id),i.redirect(`${r}?error=EXPIRED_TOKEN`);await i.context.internalAdapter.deleteVerificationValue(n.id);let s=n.value,A=await i.context.internalAdapter.findUserByEmail(s),a=A?.user.id||"";if(!A){if(e.disableSignUp)throw i.redirect(`${r}?error=failed_to_create_user`);if(a=(await i.context.internalAdapter.createUser({email:s,emailVerified:!0,name:s})).id,!a)throw i.redirect(`${r}?error=failed_to_create_user`)}let d=await i.context.internalAdapter.createSession(a,i.headers);if(!d)throw i.redirect(`${r}?error=failed_to_create_session`);if(await h(i,{session:d,user:A?.user}),!o)return i.json({session:d,user:A?.user});throw i.redirect(o)})},rateLimit:[{pathMatcher(i){return i.startsWith("/sign-in/magic-link")||i.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});import{z as Ae}from"zod";import{APIError as J}from"better-call";function ln(e){return z(e,F("0-9"))}var og=e=>{let i={expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6,...e,phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt"},t={INVALID_PHONE_NUMBER:"Invalid phone number",INVALID_PHONE_NUMBER_OR_PASSWORD:"Invalid phone number or password",UNEXPECTED_ERROR:"Unexpected error",OTP_NOT_FOUND:"OTP not found"};return{id:"phone-number",endpoints:{signInPhoneNumber:p("/sign-in/phone-number",{method:"POST",body:Ae.object({phoneNumber:Ae.string({description:"Phone number to sign in"}),password:Ae.string({description:"Password to use for sign in"}),rememberMe:Ae.boolean({description:"Remember the session"}).optional()}),metadata:{openapi:{summary:"Sign in with phone number",description:"Use this endpoint to sign in with phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid phone number or password"}}}}},async o=>{let{password:r,phoneNumber:n}=o.body;if(i.phoneNumberValidator&&!await i.phoneNumberValidator(o.body.phoneNumber))throw new J("BAD_REQUEST",{message:t.INVALID_PHONE_NUMBER});let s=await o.context.adapter.findOne({model:"user",where:[{field:"phoneNumber",value:n}]});if(!s)throw new J("UNAUTHORIZED",{message:t.INVALID_PHONE_NUMBER_OR_PASSWORD});let a=(await o.context.internalAdapter.findAccountByUserId(s.id)).find(u=>u.providerId==="credential");if(!a)throw o.context.logger.error("Credential account not found",{phoneNumber:n}),new J("UNAUTHORIZED",{message:t.INVALID_PHONE_NUMBER_OR_PASSWORD});let d=a?.password;if(!d)throw o.context.logger.error("Password not found",{phoneNumber:n}),new J("UNAUTHORIZED",{message:t.UNEXPECTED_ERROR});if(!await o.context.password.verify({hash:d,password:r}))throw o.context.logger.error("Invalid password"),new J("UNAUTHORIZED",{message:t.INVALID_PHONE_NUMBER_OR_PASSWORD});let l=await o.context.internalAdapter.createSession(s.id,o.headers,o.body.rememberMe===!1);if(!l)throw o.context.logger.error("Failed to create session"),new J("UNAUTHORIZED",{message:g.FAILED_TO_CREATE_SESSION});return await h(o,{session:l,user:s},o.body.rememberMe===!1),o.json({user:s,session:l})}),sendPhoneNumberOTP:p("/phone-number/send-otp",{method:"POST",body:Ae.object({phoneNumber:Ae.string({description:"Phone number to send OTP"})}),metadata:{openapi:{summary:"Send OTP to phone number",description:"Use this endpoint to send OTP to phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}}}}}}},async o=>{if(!e?.sendOTP)throw o.context.logger.warn("sendOTP not implemented"),new J("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});if(i.phoneNumberValidator&&!await i.phoneNumberValidator(o.body.phoneNumber))throw new J("BAD_REQUEST",{message:t.INVALID_PHONE_NUMBER});let r=ln(i.otpLength);return await o.context.internalAdapter.createVerificationValue({value:r,identifier:o.body.phoneNumber,expiresAt:k(i.expiresIn,"sec")}),await e.sendOTP({phoneNumber:o.body.phoneNumber,code:r},o.request),o.json({code:r},{body:{message:"Code sent"}})}),verifyPhoneNumber:p("/phone-number/verify",{method:"POST",body:Ae.object({phoneNumber:Ae.string({description:"Phone number to verify"}),code:Ae.string({description:"OTP code"}),disableSession:Ae.boolean({description:"Disable session creation after verification"}).optional(),updatePhoneNumber:Ae.boolean({description:"Check if there is a session and update the phone number"}).optional()}),metadata:{openapi:{summary:"Verify phone number",description:"Use this endpoint to verify phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid OTP"}}}}},async o=>{let r=await o.context.internalAdapter.findVerificationValue(o.body.phoneNumber);if(!r||r.expiresAt<new Date)throw r&&r.expiresAt<new Date?(await o.context.internalAdapter.deleteVerificationValue(r.id),new J("BAD_REQUEST",{message:"OTP expired"})):new J("BAD_REQUEST",{message:t.OTP_NOT_FOUND});if(r.value!==o.body.code)throw new J("BAD_REQUEST",{message:"Invalid OTP"});if(await o.context.internalAdapter.deleteVerificationValue(r.id),o.body.updatePhoneNumber){let s=await S(o);if(!s)throw new J("UNAUTHORIZED",{message:g.USER_NOT_FOUND});let A=await o.context.internalAdapter.updateUser(s.user.id,{[i.phoneNumber]:o.body.phoneNumber,[i.phoneNumberVerified]:!0});return o.json({user:A,session:s.session})}let n=await o.context.adapter.findOne({model:"user",where:[{value:o.body.phoneNumber,field:i.phoneNumber}]});if(await e?.callbackOnVerification?.({phoneNumber:o.body.phoneNumber,user:n},o.request),n)n=await o.context.internalAdapter.updateUser(n.id,{[i.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(n=await o.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(o.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(o.body.phoneNumber):o.body.phoneNumber,[i.phoneNumber]:o.body.phoneNumber,[i.phoneNumberVerified]:!0}),!n)throw new J("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_CREATE_USER})}else return o.json(null);if(!n)throw new J("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_UPDATE_USER});if(!o.body.disableSession){let s=await o.context.internalAdapter.createSession(n.id,o.request);if(!s)throw new J("INTERNAL_SERVER_ERROR",{message:g.FAILED_TO_CREATE_SESSION});return await h(o,{session:s,user:n}),o.json({user:n,session:s})}return o.json({user:n,session:null})})},schema:oe(gn,e?.schema),$ERROR_CODES:t}},gn={user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}};var mn={user:{fields:{isAnonymous:{type:"boolean",required:!1}}}},ag=e=>{let i={FAILED_TO_CREATE_USER:"Failed to create user",COULD_NOT_CREATE_SESSION:"Could not create session",ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY:"Anonymous users cannot sign in again anonymously"};return{id:"anonymous",endpoints:{signInAnonymous:p("/sign-in/anonymous",{method:"POST",metadata:{openapi:{description:"Sign in anonymously",responses:{200:{description:"Sign in anonymously",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async t=>{let{emailDomainName:o=Ce(t.context.baseURL)}=e||{},r=t.context.generateId({model:"user"}),n=`temp-${r}@${o}`,s=await t.context.internalAdapter.createUser({id:r,email:n,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!s)return t.json(null,{status:500,body:{message:i.FAILED_TO_CREATE_USER,status:500}});let A=await t.context.internalAdapter.createSession(s.id,t.request);return A?(await h(t,{session:A,user:s}),t.json({id:s.id,email:s.email,emailVerified:s.emailVerified,name:s.name,createdAt:s.createdAt,updatedAt:s.updatedAt})):t.json(null,{status:400,body:{message:i.COULD_NOT_CREATE_SESSION}})})},hooks:{after:[{matcher(t){return!!t.responseHeader.get("set-cookie")?.includes(t.context.authCookies.sessionToken.name)},handler:N(async t=>{let r=t.responseHeader.get("set-cookie"),n=t.context.authCookies.sessionToken.name;if(!We(r||"").get(n)?.value.split(".")[0])return;let A=await S(t,{disableRefresh:!0});if(!A||!A.user.isAnonymous)return;if(t.path==="/sign-in/anonymous")throw new T("BAD_REQUEST",{message:i.ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY});let a=t.context.newSession;a&&(e?.onLinkAccount&&await e?.onLinkAccount?.({anonymousUser:A,newUser:a}),e?.disableDeleteAnonymousUser||await t.context.internalAdapter.deleteUser(A.user.id))})}]},schema:oe(mn,e?.schema),$ERROR_CODES:i}};import{z as C}from"zod";var fg=e=>{let i={defaultRole:"user",adminRole:"admin",...e},t={FAILED_TO_CREATE_USER:"Failed to create user",USER_ALREADY_EXISTS:"User already exists",USER_NOT_FOUND:"User not found",YOU_CANNOT_BAN_YOURSELF:"You cannot ban yourself",ONLY_ADMINS_CAN_ACCESS_THIS_ENDPOINT:"Only admins can access this endpoint"},o=N(async r=>{let n=await S(r);if(!n?.session)throw new T("UNAUTHORIZED");let s=n.user;if(!s.role||(Array.isArray(i.adminRole)?!i.adminRole.includes(s.role):s.role!==i.adminRole))throw new T("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:s,session:n.session}}});return{id:"admin",init(r){return{options:{databaseHooks:{user:{create:{async before(n){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...n}}}}},session:{create:{async before(n){let s=await r.internalAdapter.findUserById(n.userId);if(s.banned){if(s.banExpires&&s.banExpires.getTime()<Date.now()){await r.internalAdapter.updateUser(n.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(r){return r.path==="/list-sessions"},handler:N(async r=>{let n=await st(r);if(!n)return;let s=n.filter(A=>!A.impersonatedBy);return r.json(s)})}]},endpoints:{setRole:p("/admin/set-role",{method:"POST",body:C.object({userId:C.string({description:"The user id"}),role:C.string({description:"The role to set. `admin` or `user` by default"})}),use:[o],metadata:{openapi:{operationId:"setRole",summary:"Set the role of a user",description:"Set the role of a user",responses:{200:{description:"User role updated",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{let n=await r.context.internalAdapter.updateUser(r.body.userId,{role:r.body.role});return r.json({user:n})}),createUser:p("/admin/create-user",{method:"POST",body:C.object({email:C.string({description:"The email of the user"}),password:C.string({description:"The password of the user"}),name:C.string({description:"The name of the user"}),role:C.string({description:"The role of the user"}),data:C.optional(C.record(C.any(),{description:"Extra fields for the user. Including custom additional fields."}))}),use:[o],metadata:{openapi:{operationId:"createUser",summary:"Create a new user",description:"Create a new user",responses:{200:{description:"User created",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{if(await r.context.internalAdapter.findUserByEmail(r.body.email))throw new T("BAD_REQUEST",{message:t.USER_ALREADY_EXISTS});let s=await r.context.internalAdapter.createUser({email:r.body.email,name:r.body.name,role:r.body.role,...r.body.data});if(!s)throw new T("INTERNAL_SERVER_ERROR",{message:t.FAILED_TO_CREATE_USER});let A=await r.context.password.hash(r.body.password);return await r.context.internalAdapter.linkAccount({accountId:s.id,providerId:"credential",password:A,userId:s.id}),r.json({user:s})}),listUsers:p("/admin/list-users",{method:"GET",use:[o],query:C.object({searchValue:C.string({description:"The value to search for"}).optional(),searchField:C.enum(["email","name"],{description:"The field to search in, defaults to email. Can be `email` or `name`"}).optional(),searchOperator:C.enum(["contains","starts_with","ends_with"],{description:"The operator to use for the search. Can be `contains`, `starts_with` or `ends_with`"}).optional(),limit:C.string({description:"The number of users to return"}).or(C.number()).optional(),offset:C.string({description:"The offset to start from"}).or(C.number()).optional(),sortBy:C.string({description:"The field to sort by"}).optional(),sortDirection:C.enum(["asc","desc"],{description:"The direction to sort by"}).optional(),filterField:C.string({description:"The field to filter by"}).optional(),filterValue:C.string({description:"The value to filter by"}).or(C.number()).or(C.boolean()).optional(),filterOperator:C.enum(["eq","ne","lt","lte","gt","gte"],{description:"The operator to use for the filter"}).optional()}),metadata:{openapi:{operationId:"listUsers",summary:"List users",description:"List users",responses:{200:{description:"List of users",content:{"application/json":{schema:{type:"object",properties:{users:{type:"array",items:{$ref:"#/components/schemas/User"}}}}}}}}}}},async r=>{let n=[];r.query?.searchValue&&n.push({field:r.query.searchField||"email",operator:r.query.searchOperator||"contains",value:r.query.searchValue}),r.query?.filterValue&&n.push({field:r.query.filterField||"email",operator:r.query.filterOperator||"eq",value:r.query.filterValue});try{let s=await r.context.internalAdapter.listUsers(Number(r.query?.limit)||void 0,Number(r.query?.offset)||void 0,r.query?.sortBy?{field:r.query.sortBy,direction:r.query.sortDirection||"asc"}:void 0,n.length?n:void 0);return r.json({users:s})}catch(s){return console.log(s),r.json({users:[]})}}),listUserSessions:p("/admin/list-user-sessions",{method:"POST",use:[o],body:C.object({userId:C.string({description:"The user id"})}),metadata:{openapi:{operationId:"listUserSessions",summary:"List user sessions",description:"List user sessions",responses:{200:{description:"List of user sessions",content:{"application/json":{schema:{type:"object",properties:{sessions:{type:"array",items:{$ref:"#/components/schemas/Session"}}}}}}}}}}},async r=>({sessions:await r.context.internalAdapter.listSessions(r.body.userId)})),unbanUser:p("/admin/unban-user",{method:"POST",body:C.object({userId:C.string({description:"The user id"})}),use:[o],metadata:{openapi:{operationId:"unbanUser",summary:"Unban a user",description:"Unban a user",responses:{200:{description:"User unbanned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{let n=await r.context.internalAdapter.updateUser(r.body.userId,{banned:!1});return r.json({user:n})}),banUser:p("/admin/ban-user",{method:"POST",body:C.object({userId:C.string({description:"The user id"}),banReason:C.string({description:"The reason for the ban"}).optional(),banExpiresIn:C.number({description:"The number of seconds until the ban expires"}).optional()}),use:[o],metadata:{openapi:{operationId:"banUser",summary:"Ban a user",description:"Ban a user",responses:{200:{description:"User banned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{if(r.body.userId===r.context.session.user.id)throw new T("BAD_REQUEST",{message:t.YOU_CANNOT_BAN_YOURSELF});let n=await r.context.internalAdapter.updateUser(r.body.userId,{banned:!0,banReason:r.body.banReason||e?.defaultBanReason||"No reason",banExpires:r.body.banExpiresIn?k(r.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?k(e.defaultBanExpiresIn,"sec"):void 0});return await r.context.internalAdapter.deleteSessions(r.body.userId),r.json({user:n})}),impersonateUser:p("/admin/impersonate-user",{method:"POST",body:C.object({userId:C.string({description:"The user id"})}),use:[o],metadata:{openapi:{operationId:"impersonateUser",summary:"Impersonate a user",description:"Impersonate a user",responses:{200:{description:"Impersonation session created",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async r=>{let n=await r.context.internalAdapter.findUserById(r.body.userId);if(!n)throw new T("NOT_FOUND",{message:"User not found"});let s=await r.context.internalAdapter.createSession(n.id,void 0,!0,{impersonatedBy:r.context.session.user.id,expiresAt:e?.impersonationSessionDuration?k(e.impersonationSessionDuration,"sec"):k(60*60,"sec")});if(!s)throw new T("INTERNAL_SERVER_ERROR",{message:t.FAILED_TO_CREATE_USER});return await h(r,{session:s,user:n},!0),r.json({session:s,user:n})}),revokeUserSession:p("/admin/revoke-user-session",{method:"POST",body:C.object({sessionToken:C.string({description:"The session token"})}),use:[o],metadata:{openapi:{operationId:"revokeUserSession",summary:"Revoke a user session",description:"Revoke a user session",responses:{200:{description:"Session revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async r=>(await r.context.internalAdapter.deleteSession(r.body.sessionToken),r.json({success:!0}))),revokeUserSessions:p("/admin/revoke-user-sessions",{method:"POST",body:C.object({userId:C.string({description:"The user id"})}),use:[o],metadata:{openapi:{operationId:"revokeUserSessions",summary:"Revoke all user sessions",description:"Revoke all user sessions",responses:{200:{description:"Sessions revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async r=>(await r.context.internalAdapter.deleteSessions(r.body.userId),r.json({success:!0}))),removeUser:p("/admin/remove-user",{method:"POST",body:C.object({userId:C.string({description:"The user id"})}),use:[o],metadata:{openapi:{operationId:"removeUser",summary:"Remove a user",description:"Delete a user and all their sessions and accounts. Cannot be undone.",responses:{200:{description:"User removed",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async r=>(await r.context.internalAdapter.deleteUser(r.body.userId),r.json({success:!0})))},$ERROR_CODES:t,schema:oe(fn,i.schema)}},fn={user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}};import{betterFetch as so}from"@better-fetch/fetch";import{APIError as Se}from"better-call";import{parseJWT as hn}from"oslo/jwt";import{z as de}from"zod";async function ct(e,i){if(e.idToken){let o=hn(e.idToken);if(o?.payload&&o.payload.sub&&o.payload.email)return{id:o.payload.sub,emailVerified:o.payload.email_verified,image:o.payload.picture,...o.payload}}if(!i)return null;let t=await so(i,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}});return{id:t.data?.sub,emailVerified:t.data?.email_verified,email:t.data?.email,image:t.data?.picture,name:t.data?.name,...t.data}}var Sg=e=>{let i={INVALID_OAUTH_CONFIGURATION:"Invalid OAuth configuration"};return{id:"generic-oauth",init:t=>({context:{socialProviders:e.config.map(o=>{let r=o.tokenUrl,n=o.userInfoUrl;return{id:o.providerId,name:o.providerId,createAuthorizationURL(s){return P({id:o.providerId,options:{clientId:o.clientId,clientSecret:o.clientSecret,redirectURI:o.redirectURI},authorizationEndpoint:o.authorizationUrl,state:s.state,codeVerifier:o.pkce?s.codeVerifier:void 0,scopes:o.scopes||[],redirectURI:`${t.baseURL}/oauth2/callback/${o.providerId}`})},async validateAuthorizationCode(s){let A=o.tokenUrl;if(o.discoveryUrl){let a=await so(o.discoveryUrl,{method:"GET"});a.data&&(A=a.data.token_endpoint,n=a.data.userinfo_endpoint)}if(!A)throw new Se("BAD_REQUEST",{message:"Invalid OAuth configuration. Token URL not found."});return U({code:s.code,codeVerifier:s.codeVerifier,redirectURI:s.redirectURI,options:{clientId:o.clientId,clientSecret:o.clientSecret},tokenEndpoint:A})},async getUserInfo(s){if(!n)return null;let A=o.getUserInfo?await o.getUserInfo(s):await ct(s,n);return A?{user:{id:A?.id,email:A?.email,emailVerified:A?.emailVerified,image:A?.image,name:A?.name,...o.mapProfileToUser?.(A)},data:A}:null}}})}}),endpoints:{signInWithOAuth2:p("/sign-in/oauth2",{method:"POST",query:de.object({currentURL:de.string({description:"Redirect to the current URL after sign in"}).optional()}).optional(),body:de.object({providerId:de.string({description:"The provider ID for the OAuth provider"}),callbackURL:de.string({description:"The URL to redirect to after sign in"}).optional(),errorCallbackURL:de.string({description:"The URL to redirect to if an error occurs"}).optional()}),metadata:{openapi:{description:"Sign in with OAuth2",responses:{200:{description:"Sign in with OAuth2",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}}}}}}}}}},async t=>{let{providerId:o}=t.body,r=e.config.find(q=>q.providerId===o);if(!r)throw new Se("BAD_REQUEST",{message:`No config found for provider ${o}`});let{discoveryUrl:n,authorizationUrl:s,tokenUrl:A,clientId:a,clientSecret:d,scopes:c,redirectURI:l,responseType:u,pkce:K,prompt:m,accessType:E}=r,v=s,f=A;if(n){let q=await so(n,{onError($e){t.context.logger.error($e.error.message,$e.error,{discoveryUrl:n})}});q.data&&(v=q.data.authorization_endpoint,f=q.data.token_endpoint)}if(!v||!f)throw new Se("BAD_REQUEST",{message:i.INVALID_OAUTH_CONFIGURATION});let{state:w,codeVerifier:b}=await Te(t),I=await P({id:o,options:{clientId:a,clientSecret:d,redirectURI:l},authorizationEndpoint:v,state:w,codeVerifier:K?b:void 0,scopes:c||[],redirectURI:`${t.context.baseURL}/oauth2/callback/${o}`});return u&&u!=="code"&&I.searchParams.set("response_type",u),m&&I.searchParams.set("prompt",m),E&&I.searchParams.set("access_type",E),t.json({url:I.toString(),redirect:!0})}),oAuth2Callback:p("/oauth2/callback/:providerId",{method:"GET",query:de.object({code:de.string({description:"The OAuth2 code"}).optional(),error:de.string({description:"The error message, if any"}).optional(),state:de.string({description:"The state parameter from the OAuth2 request"})}),metadata:{openapi:{description:"OAuth2 callback",responses:{200:{description:"OAuth2 callback",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"}}}}}}}}}},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let o=e.config.find(b=>b.providerId===t.params.providerId);if(!o)throw new Se("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let r,n=await Je(t),{callbackURL:s,codeVerifier:A,errorURL:a}=n,d=t.query.code,c=o.tokenUrl,l=o.userInfoUrl;if(o.discoveryUrl){let b=await so(o.discoveryUrl,{method:"GET"});b.data&&(c=b.data.token_endpoint,l=b.data.userinfo_endpoint)}try{if(!c)throw new Se("BAD_REQUEST",{message:"Invalid OAuth configuration."});r=await U({code:d,codeVerifier:A,redirectURI:`${t.context.baseURL}/oauth2/callback/${o.providerId}`,options:{clientId:o.clientId,clientSecret:o.clientSecret},tokenEndpoint:c})}catch(b){throw t.context.logger.error(b&&typeof b=="object"&&"name"in b?b.name:"",b),t.redirect(`${a}?error=oauth_code_verification_failed`)}if(!r)throw new Se("BAD_REQUEST",{message:"Invalid OAuth configuration."});let u=o.getUserInfo?await o.getUserInfo(r):await ct(r,l);if(!u?.email)throw t.context.logger.error("Unable to get user info",u),t.redirect(`${t.context.baseURL}/error?error=email_is_missing`);let K=o.mapProfileToUser?await o.mapProfileToUser(u):null,m=await Ee(t,{userInfo:{...u,...K},account:{providerId:o.providerId,accountId:u.id,...r,scope:r.scopes?.join(",")}});function E(b){throw t.redirect(`${a||s||`${t.context.baseURL}/error`}?error=${b}`)}if(m.error)return E(m.error.split(" ").join("_"));let{session:v,user:f}=m.data;await h(t,{session:v,user:f});let w;try{w=new URL(s).toString()}catch{w=s}throw t.redirect(w)})},$ERROR_CODES:i}};import{z as Me}from"zod";var pt={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},vg=Me.object({id:Me.string(),publicKey:Me.string(),privateKey:Me.string(),createdAt:Me.date()});var Eo=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async i=>await e.create({model:"jwks",data:{...i,createdAt:new Date}})});import{exportJWK as Kt,generateKeyPair as yn,importJWK as wn,SignJWT as Cn}from"jose";var zg=e=>({id:"jwt",endpoints:{getJwks:p("/jwks",{method:"GET",metadata:{openapi:{description:"Get the JSON Web Key Set",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{keys:{type:"array",items:{type:"object",properties:{kid:{type:"string"},kty:{type:"string"},use:{type:"string"},alg:{type:"string"},n:{type:"string"},e:{type:"string"}}}}}}}}}}}}},async i=>{let o=await Eo(i.context.adapter).getAllKeys();return i.json({keys:o.map(r=>({...JSON.parse(r.publicKey),kid:r.id}))})}),getToken:p("/token",{method:"GET",requireHeaders:!0,use:[R],metadata:{openapi:{description:"Get a JWT token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async i=>{let t=Eo(i.context.adapter),o=await t.getLatestKey(),r=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:d,privateKey:c}=await yn(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),l=await Kt(d),u=await Kt(c),K=JSON.stringify(u),m={id:crypto.randomUUID(),publicKey:JSON.stringify(l),privateKey:r?JSON.stringify(await ue({key:i.context.options.secret,data:K})):K,createdAt:new Date};o=await t.createJwk(m)}let n=r?await fe({key:i.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,s=await wn(JSON.parse(n)),A=e?.jwt?.definePayload?await e?.jwt.definePayload(i.context.session.user):i.context.session.user,a=await new Cn({...A,...i.context.session.session.impersonatedBy?{impersonatedBy:i.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??i.context.options.baseURL).setAudience(e?.jwt?.audience??i.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(i.context.session.user.id).sign(s);return i.json({token:a})})},schema:oe(pt,e?.schema)});import{z as ao}from"zod";var Hg=e=>{let i={maximumSessions:5,...e},t=r=>r.includes("_multi-"),o={INVALID_SESSION_TOKEN:"Invalid session token"};return{id:"multi-session",endpoints:{listDeviceSessions:p("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async r=>{let n=r.headers?.get("cookie");if(!n)return r.json([]);let s=Object.fromEntries(Ne(n)),A=(await Promise.all(Object.entries(s).filter(([c])=>t(c)).map(async([c])=>await r.getSignedCookie(c,r.context.secret)))).filter(c=>c!==void 0);if(!A.length)return r.json([]);let d=(await r.context.internalAdapter.findSessions(A)).filter(c=>c&&c.session.expiresAt>new Date);return r.json(d)}),setActiveSession:p("/multi-session/set-active",{method:"POST",body:ao.object({sessionToken:ao.string({description:"The session token to set as active"})}),requireHeaders:!0,use:[R],metadata:{openapi:{description:"Set the active session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async r=>{let n=r.body.sessionToken,s=`${r.context.authCookies.sessionToken.name}_multi-${n}`;if(!await r.getSignedCookie(s,r.context.secret))throw new T("UNAUTHORIZED",{message:o.INVALID_SESSION_TOKEN});let a=await r.context.internalAdapter.findSession(n);if(!a||a.session.expiresAt<new Date)throw r.setCookie(s,"",{...r.context.authCookies.sessionToken.options,maxAge:0}),new T("UNAUTHORIZED",{message:o.INVALID_SESSION_TOKEN});return await h(r,a),r.json(a)}),revokeDeviceSession:p("/multi-session/revoke",{method:"POST",body:ao.object({sessionToken:ao.string({description:"The session token to revoke"})}),requireHeaders:!0,use:[R],metadata:{openapi:{description:"Revoke a device session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async r=>{let n=r.body.sessionToken,s=`${r.context.authCookies.sessionToken.name}_multi-${n}`;if(!await r.getSignedCookie(s,r.context.secret))throw new T("UNAUTHORIZED",{message:o.INVALID_SESSION_TOKEN});if(await r.context.internalAdapter.deleteSession(n),r.setCookie(s,"",{...r.context.authCookies.sessionToken.options,maxAge:0}),!(r.context.session?.session.token===n))return r.json({success:!0});let d=r.headers?.get("cookie");if(d){let c=Object.fromEntries(Ne(d)),l=(await Promise.all(Object.entries(c).filter(([K])=>t(K)).map(async([K])=>await r.getSignedCookie(K,r.context.secret)))).filter(K=>K!==void 0),u=r.context.internalAdapter;if(l.length>0){let m=(await u.findSessions(l)).filter(E=>E&&E.session.expiresAt>new Date);if(m.length>0){let E=m[0];await h(r,E)}else H(r)}else H(r)}else H(r);return r.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:N(async r=>{let n=r.responseHeader.get("set-cookie");if(!n)return;let s=We(n),A=r.context.authCookies.sessionToken,a=s.get(A.name)?.value;if(!a)return;let d=Ne(r.headers?.get("cookie")||""),c=a.split(".")[0];if(!c)return;let l=`${A.name}_multi-${c}`;s.get(l)||d.get(l)||Object.keys(Object.fromEntries(d)).filter(t).length+(n.includes("session_token")?1:0)>i.maximumSessions||await r.setSignedCookie(l,c,r.context.secret,A.options)})},{matcher:r=>r.path==="/sign-out",handler:N(async r=>{let n=r.headers?.get("cookie");if(!n)return;let s=Object.fromEntries(Ne(n)),A=Object.keys(s).map(a=>t(a)?(r.setCookie(a,"",{maxAge:0}),a.split("_multi-")[1]):null).filter(a=>a!==null);await r.context.internalAdapter.deleteSessions(A)})}]},$ERROR_CODES:o}};import{z as L}from"zod";var Ro=["email-verification","sign-in","forget-password"],om=e=>{let i={expireIn:300,otpLength:6,...e},t={OTP_EXPIRED:"otp expired",INVALID_OTP:"invalid otp",INVALID_EMAIL:"invalid email",USER_NOT_FOUND:"user not found"};return{id:"email-otp",endpoints:{sendVerificationOTP:p("/email-otp/send-verification-otp",{method:"POST",body:L.object({email:L.string({description:"Email address to send the OTP"}),type:L.enum(Ro,{description:"Type of the OTP"})}),metadata:{openapi:{description:"Send verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>{if(!e?.sendVerificationOTP)throw o.context.logger.error("send email verification is not implemented"),new T("BAD_REQUEST",{message:"send email verification is not implemented"});let r=o.body.email;if(!/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(r))throw new T("BAD_REQUEST",{message:t.INVALID_EMAIL});let s=z(i.otpLength,F("0-9"));return await o.context.internalAdapter.createVerificationValue({value:s,identifier:`${o.body.type}-otp-${r}`,expiresAt:k(i.expireIn,"sec")}).catch(async A=>{await o.context.internalAdapter.deleteVerificationByIdentifier(`${o.body.type}-otp-${r}`),await o.context.internalAdapter.createVerificationValue({value:s,identifier:`${o.body.type}-otp-${r}`,expiresAt:k(i.expireIn,"sec")})}),await e.sendVerificationOTP({email:r,otp:s,type:o.body.type},o.request),o.json({success:!0})}),createVerificationOTP:p("/email-otp/create-verification-otp",{method:"POST",body:L.object({email:L.string({description:"Email address to send the OTP"}),type:L.enum(Ro,{description:"Type of the OTP"})}),metadata:{SERVER_ONLY:!0,openapi:{description:"Create verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string"}}}}}}}},async o=>{let r=o.body.email,n=z(i.otpLength,F("0-9"));return await o.context.internalAdapter.createVerificationValue({value:n,identifier:`${o.body.type}-otp-${r}`,expiresAt:k(i.expireIn,"sec")}),n}),getVerificationOTP:p("/email-otp/get-verification-otp",{method:"GET",query:L.object({email:L.string({description:"Email address to get the OTP"}),type:L.enum(Ro)}),metadata:{SERVER_ONLY:!0,openapi:{description:"Get verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{otp:{type:"string"}}}}}}}}}},async o=>{let r=o.query.email,n=await o.context.internalAdapter.findVerificationValue(`${o.query.type}-otp-${r}`);return!n||n.expiresAt<new Date?o.json({otp:null}):o.json({otp:n.value})}),verifyEmailOTP:p("/email-otp/verify-email",{method:"POST",body:L.object({email:L.string({description:"Email address to verify"}),otp:L.string({description:"OTP to verify"})}),metadata:{openapi:{description:"Verify email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=o.body.email;if(!/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(r))throw new T("BAD_REQUEST",{message:"Invalid email"});let s=await o.context.internalAdapter.findVerificationValue(`email-verification-otp-${r}`);if(!s||s.expiresAt<new Date)throw s&&await o.context.internalAdapter.deleteVerificationValue(s.id),new T("BAD_REQUEST",{message:"Invalid OTP"});let A=o.body.otp;if(s.value!==A)throw new T("BAD_REQUEST",{message:"Invalid OTP"});await o.context.internalAdapter.deleteVerificationValue(s.id);let a=await o.context.internalAdapter.findUserByEmail(r);if(!a)throw new T("BAD_REQUEST",{message:"User not found"});let d=await o.context.internalAdapter.updateUser(a.user.id,{email:r,emailVerified:!0});return o.json({user:d})}),signInEmailOTP:p("/sign-in/email-otp",{method:"POST",body:L.object({email:L.string({description:"Email address to sign in"}),otp:L.string({description:"OTP sent to the email"})}),metadata:{openapi:{description:"Sign in with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async o=>{let r=o.body.email,n=await o.context.internalAdapter.findVerificationValue(`sign-in-otp-${r}`);if(!n||n.expiresAt<new Date)throw n&&await o.context.internalAdapter.deleteVerificationValue(n.id),new T("BAD_REQUEST",{message:"Invalid OTP"});let s=o.body.otp;if(n.value!==s)throw new T("BAD_REQUEST",{message:"Invalid OTP"});await o.context.internalAdapter.deleteVerificationValue(n.id);let A=await o.context.internalAdapter.findUserByEmail(r);if(!A){if(i.disableSignUp)throw new T("BAD_REQUEST",{message:"User not found"});let d=await o.context.internalAdapter.createUser({email:r,emailVerified:!0,name:r}),c=await o.context.internalAdapter.createSession(d.id,o.request);return await h(o,{session:c,user:d}),o.json({user:d,session:c})}A.user.emailVerified||await o.context.internalAdapter.updateUser(A.user.id,{emailVerified:!0});let a=await o.context.internalAdapter.createSession(A.user.id,o.request);return await h(o,{session:a,user:A.user}),o.json({session:a,user:A})}),forgetPasswordEmailOTP:p("/forget-password/email-otp",{method:"POST",body:L.object({email:L.string({description:"Email address to send the OTP"})}),metadata:{openapi:{description:"Forget password with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>{let r=o.body.email;if(!await o.context.internalAdapter.findUserByEmail(r))throw new T("BAD_REQUEST",{message:"User not found"});let s=z(i.otpLength,F("0-9"));return await o.context.internalAdapter.createVerificationValue({value:s,identifier:`forget-password-otp-${r}`,expiresAt:k(i.expireIn,"sec")}),await e.sendVerificationOTP({email:r,otp:s,type:"forget-password"},o.request),o.json({success:!0})}),resetPasswordEmailOTP:p("/email-otp/reset-password",{method:"POST",body:L.object({email:L.string({description:"Email address to reset the password"}),otp:L.string({description:"OTP sent to the email"}),password:L.string({description:"New password"})}),metadata:{openapi:{description:"Reset password with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>{let r=o.body.email,n=await o.context.internalAdapter.findUserByEmail(r);if(!n)throw new T("BAD_REQUEST",{message:t.USER_NOT_FOUND});let s=await o.context.internalAdapter.findVerificationValue(`forget-password-otp-${r}`);if(!s||s.expiresAt<new Date)throw s&&await o.context.internalAdapter.deleteVerificationValue(s.id),new T("BAD_REQUEST",{message:t.OTP_EXPIRED});let A=o.body.otp;if(s.value!==A)throw new T("BAD_REQUEST",{message:t.INVALID_OTP});await o.context.internalAdapter.deleteVerificationValue(s.id);let a=await o.context.password.hash(o.body.password);return await o.context.internalAdapter.updatePassword(n.user.id,a),o.json({success:!0})})},hooks:{after:[{matcher(o){return!!(o.path?.startsWith("/sign-up")&&i.sendVerificationOnSignUp)},async handler(o){let r=o.context.newSession;if(r?.user&&r.user.email&&r.user.emailVerified===!1){let n=z(i.otpLength,F("0-9"));await o.context.internalAdapter.createVerificationValue({value:n,identifier:`email-verification-otp-${r.user.email}`,expiresAt:k(i.expireIn,"sec")}),await e.sendVerificationOTP({email:r.user.email,otp:n,type:"email-verification"},o.request)}}}]},$ERROR_CODES:t}};import{z as lt}from"zod";import{betterFetch as bn}from"@better-fetch/fetch";function ut(e){return e==="true"||e===!0}var dm=e=>({id:"one-tap",endpoints:{oneTapCallback:p("/one-tap/callback",{method:"POST",body:lt.object({idToken:lt.string({description:"Google ID token, which the client obtains from the One Tap API"})}),metadata:{openapi:{summary:"One tap callback",description:"Use this endpoint to authenticate with Google One Tap",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}},400:{description:"Invalid token"}}}}},async i=>{let{idToken:t}=i.body,{data:o,error:r}=await bn("https://oauth2.googleapis.com/tokeninfo?id_token="+t);if(r)return i.json({error:"Invalid token"});let n=await i.context.internalAdapter.findUserByEmail(o.email);if(!n){if(e?.disableSignup)throw new T("BAD_GATEWAY",{message:"User not found"});let A=await i.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:ut(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!A)throw new T("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let a=await i.context.internalAdapter.createSession(A?.user.id,i.request);return await h(i,{user:A.user,session:a}),i.json({session:a,user:A})}let s=await i.context.internalAdapter.createSession(n.user.id,i.request);return await h(i,{user:n.user,session:s}),i.json({session:s,user:n})})}});import{z as Io}from"zod";function On(){let e=ne.VERCEL_URL,i=ne.NETLIFY_URL,t=ne.RENDER_URL,o=ne.AWS_LAMBDA_FUNCTION_NAME,r=ne.GOOGLE_CLOUD_FUNCTION_NAME,n=ne.AZURE_FUNCTION_NAME;return e||i||t||o||r||n}var mm=e=>({id:"oauth-proxy",endpoints:{oAuthProxy:p("/oauth-proxy-callback",{method:"GET",query:Io.object({callbackURL:Io.string({description:"The URL to redirect to after the proxy"}),cookies:Io.string({description:"The cookies to set after the proxy"})}),metadata:{openapi:{description:"OAuth Proxy Callback",parameters:[{in:"query",name:"callbackURL",required:!0,description:"The URL to redirect to after the proxy"},{in:"query",name:"cookies",required:!0,description:"The cookies to set after the proxy"}],responses:{302:{description:"Redirect",headers:{Location:{description:"The URL to redirect to",schema:{type:"string"}}}}}}}},async i=>{let t=i.query.cookies,o=await fe({key:i.context.secret,data:t});throw i.setHeader("set-cookie",o),i.redirect(i.query.callbackURL)})},hooks:{after:[{matcher(i){return i.path?.startsWith("/callback")},handler:N(async i=>{let t=i.context.returned,o=t instanceof T?t.headers:null,r=o?.get("location");if(r?.includes("/oauth-proxy-callback?callbackURL")){if(!r.startsWith("http"))return;let n=new URL(r);if(n.origin===Ce(i.context.baseURL)){let c=n.searchParams.get("callbackURL");if(!c)return;i.setHeader("location",c);return}let A=o?.get("set-cookie");if(!A)return;let a=await ue({key:i.context.secret,data:A}),d=`${r}&cookies=${encodeURIComponent(a)}`;i.setHeader("location",d)}})}],before:[{matcher(i){return i.path?.startsWith("/sign-in/social")},async handler(i){let t=new URL(e?.currentURL||i.request?.url||On()||i.context.baseURL);return i.body.callbackURL=`${t.origin}${i.context.options.basePath||"/api/auth"}/oauth-proxy-callback?callbackURL=${encodeURIComponent(i.body.callbackURL||i.context.baseURL)}`,{context:i}}}]}});import{z as qe}from"zod";var wm=(e,i)=>({id:"custom-session",endpoints:{getSession:p("/get-session",{method:"GET",metadata:{CUSTOM_SESSION:!0},query:qe.optional(qe.object({disableCookieCache:qe.boolean({description:"Disable cookie cache and fetch session from database"}).or(qe.string().transform(t=>t==="true")).optional(),disableRefresh:qe.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()}))},async t=>{let o=await S(t);if(!o)return t.json(null);let r=await e(o);return t.json(r)})}});import{ZodObject as mt,ZodOptional as So,ZodSchema as ft}from"zod";var Ue=e=>{let i=e.plugins?.reduce((a,d)=>{let c=d.schema;if(!c)return a;for(let[l,u]of Object.entries(c))a[l]={fields:{...a[l]?.fields,...u.fields},modelName:u.modelName||l};return a},{}),t=e.rateLimit?.storage==="database",o={rateLimit:{modelName:e.rateLimit?.modelName||"rateLimit",fields:{key:{type:"string",fieldName:e.rateLimit?.fields?.key||"key"},count:{type:"number",fieldName:e.rateLimit?.fields?.count||"count"},lastRequest:{type:"number",fieldName:e.rateLimit?.fields?.lastRequest||"lastRequest"}}}},{user:r,session:n,account:s,...A}=i||{};return{user:{modelName:e.user?.modelName||"user",fields:{name:{type:"string",required:!0,fieldName:e.user?.fields?.name||"name"},email:{type:"string",unique:!0,required:!0,fieldName:e.user?.fields?.email||"email"},emailVerified:{type:"boolean",defaultValue:()=>!1,required:!0,fieldName:e.user?.fields?.emailVerified||"emailVerified"},image:{type:"string",required:!1,fieldName:e.user?.fields?.image||"image"},createdAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.updatedAt||"updatedAt"},...r?.fields,...e.user?.additionalFields},order:1},session:{modelName:e.session?.modelName||"session",fields:{expiresAt:{type:"date",required:!0,fieldName:e.session?.fields?.expiresAt||"expiresAt"},token:{type:"string",required:!0,fieldName:e.session?.fields?.token||"token",unique:!0},createdAt:{type:"date",required:!0,fieldName:e.session?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.session?.fields?.updatedAt||"updatedAt"},ipAddress:{type:"string",required:!1,fieldName:e.session?.fields?.ipAddress||"ipAddress"},userAgent:{type:"string",required:!1,fieldName:e.session?.fields?.userAgent||"userAgent"},userId:{type:"string",fieldName:e.session?.fields?.userId||"userId",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0},...n?.fields,...e.session?.additionalFields},order:2},account:{modelName:e.account?.modelName||"account",fields:{accountId:{type:"string",required:!0,fieldName:e.account?.fields?.accountId||"accountId"},providerId:{type:"string",required:!0,fieldName:e.account?.fields?.providerId||"providerId"},userId:{type:"string",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0,fieldName:e.account?.fields?.userId||"userId"},accessToken:{type:"string",required:!1,fieldName:e.account?.fields?.accessToken||"accessToken"},refreshToken:{type:"string",required:!1,fieldName:e.account?.fields?.refreshToken||"refreshToken"},idToken:{type:"string",required:!1,fieldName:e.account?.fields?.idToken||"idToken"},accessTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"accessTokenExpiresAt"},refreshTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"refreshTokenExpiresAt"},scope:{type:"string",required:!1,fieldName:e.account?.fields?.scope||"scope"},password:{type:"string",required:!1,fieldName:e.account?.fields?.password||"password"},createdAt:{type:"date",required:!0,fieldName:e.account?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.account?.fields?.updatedAt||"updatedAt"},...s?.fields},order:3},verification:{modelName:e.verification?.modelName||"verification",fields:{identifier:{type:"string",required:!0,fieldName:e.verification?.fields?.identifier||"identifier"},value:{type:"string",required:!0,fieldName:e.verification?.fields?.value||"value"},expiresAt:{type:"date",required:!0,fieldName:e.verification?.fields?.expiresAt||"expiresAt"},createdAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.updatedAt||"updatedAt"}},order:4},...A,...t?o:{}}};import{z as Lm}from"zod";import{Kysely as jm,MssqlDialect as zm}from"kysely";import{MysqlDialect as Vm,PostgresDialect as Mm,SqliteDialect as qm}from"kysely";var He={};function ht(e){switch(e.constructor.name){case"ZodString":return"string";case"ZodNumber":return"number";case"ZodBoolean":return"boolean";case"ZodObject":return"object";case"ZodArray":return"array";default:return"string"}}function Ao(e){let i=[];return e.metadata?.openapi?.parameters?(i.push(...e.metadata.openapi.parameters),i):(e.query instanceof mt&&Object.entries(e.query.shape).forEach(([t,o])=>{o instanceof ft&&i.push({name:t,in:"query",schema:{type:ht(o),..."minLength"in o&&o.minLength?{minLength:o.minLength}:{},description:o.description}})}),i)}function gt(e){if(e.metadata?.openapi?.requestBody)return e.metadata.openapi.requestBody;if(e.body&&(e.body instanceof mt||e.body instanceof So)){let i=e.body.shape;if(!i)return;let t={},o=[];return Object.entries(i).forEach(([r,n])=>{n instanceof ft&&(t[r]={type:ht(n),description:n.description},n instanceof So||o.push(r))}),{required:e.body instanceof So?!1:!!e.body,content:{"application/json":{schema:{type:"object",properties:t,required:o}}}}}}function co(e){return{400:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Bad Request. Usually due to missing parameters, or invalid parameters."},401:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Unauthorized. Due to missing or invalid authentication."},403:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Forbidden. You do not have permission to access this resource or to perform this action."},404:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Not Found. The requested resource was not found."},429:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Too Many Requests. You have exceeded the rate limit. Try again later."},500:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Internal Server Error. This is a problem with the server that you cannot fix."},...e}}async function Uo(e,i){let t=ho(e,{...i,plugins:[]}),o=Ue(i),n={schemas:{...Object.entries(o).reduce((A,[a,d])=>{let c=a.charAt(0).toUpperCase()+a.slice(1);return A[c]={type:"object",properties:Object.entries(d.fields).reduce((l,[u,K])=>(l[u]={type:K.type},l),{})},A},{})}};Object.entries(t.api).forEach(([A,a])=>{let d=a.options;if(!d.metadata?.SERVER_ONLY&&(d.method==="GET"&&(He[a.path]={get:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:Ao(d),responses:co(d.metadata?.openapi?.responses)}}),d.method==="POST")){let c=gt(d);He[a.path]={post:{tags:["Default",...d.metadata?.openapi?.tags||[]],description:d.metadata?.openapi?.description,operationId:d.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:Ao(d),...c?{requestBody:c}:{requestBody:{content:{"application/json":{schema:{type:"object",properties:{}}}}}},responses:co(d.metadata?.openapi?.responses)}}}});for(let A of i.plugins||[]){if(A.id==="open-api")continue;let a=ho(e,{...i,plugins:[A]}),d=Object.keys(a.api).map(c=>t.api[c]===void 0?a.api[c]:null).filter(c=>c!==null);Object.entries(d).forEach(([c,l])=>{let u=l.options;u.metadata?.SERVER_ONLY||(u.method==="GET"&&(He[l.path]={get:{tags:u.metadata?.openapi?.tags||[A.id.charAt(0).toUpperCase()+A.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:Ao(u),responses:co(u.metadata?.openapi?.responses)}}),u.method==="POST"&&(He[l.path]={post:{tags:u.metadata?.openapi?.tags||[A.id.charAt(0).toUpperCase()+A.id.slice(1)],description:u.metadata?.openapi?.description,operationId:u.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:Ao(u),requestBody:gt(u),responses:co(u.metadata?.openapi?.responses)}}))})}return{openapi:"3.1.1",info:{title:"Better Auth",description:"API Reference for your Better Auth Instance"},components:n,security:[{apiKeyCookie:[]}],servers:[{url:e.baseURL}],tags:[{name:"Default",description:"Default endpoints that are included with Better Auth by default. These endpoints are not part of any plugin."}],paths:He}}var yt=`<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
84
84
  <rect width="75" height="75" fill="url(#pattern0_21_12)"/>
85
85
  <defs>
86
86
  <pattern id="pattern0_21_12" patternContentUnits="objectBoundingBox" width="1" height="1">