better-auth 1.0.2 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (57) hide show
  1. package/dist/adapters/drizzle.d.cts +1 -1
  2. package/dist/adapters/drizzle.d.ts +1 -1
  3. package/dist/adapters/kysely.d.cts +1 -1
  4. package/dist/adapters/kysely.d.ts +1 -1
  5. package/dist/adapters/memory.d.cts +1 -1
  6. package/dist/adapters/memory.d.ts +1 -1
  7. package/dist/adapters/mongodb.d.cts +1 -1
  8. package/dist/adapters/mongodb.d.ts +1 -1
  9. package/dist/adapters/prisma.d.cts +1 -1
  10. package/dist/adapters/prisma.d.ts +1 -1
  11. package/dist/api.cjs +4 -4
  12. package/dist/api.d.cts +1 -1
  13. package/dist/api.d.ts +1 -1
  14. package/dist/api.js +4 -4
  15. package/dist/{auth-BVa3db5J.d.cts → auth-BubrmklB.d.cts} +5 -1
  16. package/dist/{auth-5eyWphKM.d.ts → auth-DF-f5DGM.d.ts} +5 -1
  17. package/dist/client/plugins.d.cts +3 -3
  18. package/dist/client/plugins.d.ts +3 -3
  19. package/dist/client.d.cts +1 -1
  20. package/dist/client.d.ts +1 -1
  21. package/dist/cookies.d.cts +1 -1
  22. package/dist/cookies.d.ts +1 -1
  23. package/dist/db.d.cts +2 -2
  24. package/dist/db.d.ts +2 -2
  25. package/dist/{index-x5P1hIyV.d.cts → index-CwnHFdnT.d.cts} +2345 -65
  26. package/dist/{index-CX-Hopog.d.ts → index-aMRluDla.d.ts} +2345 -65
  27. package/dist/index.cjs +4 -4
  28. package/dist/index.d.cts +2 -2
  29. package/dist/index.d.ts +2 -2
  30. package/dist/index.js +4 -4
  31. package/dist/next-js.d.cts +1 -1
  32. package/dist/next-js.d.ts +1 -1
  33. package/dist/node.d.cts +1 -1
  34. package/dist/node.d.ts +1 -1
  35. package/dist/oauth2.d.cts +2 -2
  36. package/dist/oauth2.d.ts +2 -2
  37. package/dist/plugins.cjs +7 -7
  38. package/dist/plugins.d.cts +233 -8
  39. package/dist/plugins.d.ts +233 -8
  40. package/dist/plugins.js +7 -7
  41. package/dist/react.d.cts +1 -1
  42. package/dist/react.d.ts +1 -1
  43. package/dist/solid-start.d.cts +1 -1
  44. package/dist/solid-start.d.ts +1 -1
  45. package/dist/solid.d.cts +1 -1
  46. package/dist/solid.d.ts +1 -1
  47. package/dist/{state-CYO8U5dl.d.cts → state-CQJXHclh.d.cts} +1 -1
  48. package/dist/{state-BpBNrIEi.d.ts → state-C_runTlH.d.ts} +1 -1
  49. package/dist/svelte-kit.d.cts +1 -1
  50. package/dist/svelte-kit.d.ts +1 -1
  51. package/dist/svelte.d.cts +1 -1
  52. package/dist/svelte.d.ts +1 -1
  53. package/dist/types.d.cts +2 -2
  54. package/dist/types.d.ts +2 -2
  55. package/dist/vue.d.cts +1 -1
  56. package/dist/vue.d.ts +1 -1
  57. package/package.json +1 -1
package/dist/api.js CHANGED
@@ -1,6 +1,6 @@
1
- import{APIError as q,createRouter as dr,getCookie as pr,getSignedCookie as ur,setCookie as lr,setSignedCookie as mr}from"better-call";import{APIError as mt}from"better-call";import{createEndpointCreator as ut,createMiddleware as de,createMiddlewareCreator as lt}from"better-call";var pe=de(async()=>({})),F=lt({use:[pe,de(async()=>({}))]}),h=ut({use:[pe]});var ue=F(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,i=e.headers?.get("origin")||e.headers?.get("referer")||"",n=t?.callbackURL||r?.callbackURL,s=t?.redirectTo,c=r?.currentURL,a=o.trustedOrigins,d=e.headers?.has("cookie"),u=(p,w)=>w.includes("*")?new RegExp("^"+w.replace(/\*/g,"[^/]+").replace(/\./g,"\\.")+"$").test(p):p.startsWith(w),m=(p,w)=>{if(!p)return;if(!a.some(_=>u(p,_)||p?.startsWith("/")&&w!=="origin"&&!p.includes(":")))throw e.context.logger.error(`Invalid ${w}: ${p}`),e.context.logger.info(`If it's a valid URL, please add ${p} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${a}`),new mt("FORBIDDEN",{message:`Invalid ${w}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&m(i,"origin"),n&&m(n,"callbackURL"),s&&m(s,"redirectURL"),c&&m(c,"currentURL")});import{APIError as v}from"better-call";import{z as U}from"zod";import{TimeSpan as Lr}from"oslo";import{base64url as wt}from"oslo/encoding";import{HMAC as le,sha256 as Rr}from"oslo/crypto";async function ft({value:e,secret:t}){return new le("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function gt({value:e,signature:t,secret:r}){return new le("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var W={sign:ft,verify:gt};var $=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r,this.stack=""}};var V=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));var K=Object.create(null),M=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?K:globalThis),me=new Proxy(K,{get(e,t){return M()[t]??K[t]},has(e,t){let r=M();return t in r||t in K},set(e,t,r){let o=M(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=M(!0);return delete r[t],!0},ownKeys(){let e=M(!0);return Object.keys(e)}});function ht(e){return e?e!=="false":!1}var ne=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var fe=ne==="dev"||ne==="development",ge=ne==="test"||ht(me.TEST);async function E(e,t,r,o){let i=e.context.authCookies.sessionToken.options,n=r?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...i,maxAge:n,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(wt.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:V(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await W.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function C(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}import{betterFetch as Rt}from"@better-fetch/fetch";import{APIError as vt}from"better-call";import{decodeProtectedHeader as Et,importJWK as Tt,jwtVerify as xt}from"jose";import{parseJWT as _t}from"oslo/jwt";import{sha256 as yt}from"oslo/crypto";import{base64url as bt}from"oslo/encoding";async function he(e){let t=await yt(new TextEncoder().encode(e));return bt.encode(new Uint8Array(t),{includePadding:!1})}function we(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?V(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function A({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:i,scopes:n,claims:s,redirectURI:c}){let a=new URL(r);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",t.clientId),a.searchParams.set("state",o),a.searchParams.set("scope",n.join(" ")),a.searchParams.set("redirect_uri",t.redirectURI||c),i){let d=await he(i);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",d)}if(s){let d=s.reduce((u,m)=>(u[m]=null,u),{});a.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return a}import{betterFetch as kt}from"@better-fetch/fetch";async function b({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:i,authentication:n}){let s=new URLSearchParams,c={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),n==="basic"){let m=btoa(`${o.clientId}:${o.clientSecret}`);c.authorization=`Basic ${m}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:d}=await kt(i,{method:"POST",body:s,headers:c});if(d)throw d;return we(a)}import{generateCodeVerifier as At,generateState as Ut}from"oslo/oauth2";import{z}from"zod";import{APIError as be}from"better-call";function ye(e){try{return new URL(e).origin}catch{return null}}async function Y(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?ye(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new be("BAD_REQUEST",{message:"callbackURL is required"});let o=At(),i=Ut(),n=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let c=await e.context.internalAdapter.createVerificationValue({value:n,identifier:i,expiresAt:s});if(!c)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new be("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:c.identifier,codeVerifier:o}}async function ke(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=z.object({callbackURL:z.string(),codeVerifier:z.string(),errorURL:z.string().optional(),expiresAt:z.number(),link:z.object({email:z.string(),userId:z.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Ae=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:i}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${i||e.redirectURI}&scope=${n.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>b({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let i=Et(r),{kid:n,alg:s}=i;if(!n||!s)return!1;let c=await Pt(n),{payload:a}=await xt(r,c,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{a[d]!==void 0&&(a[d]=!!a[d])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=_t(r.idToken)?.payload;if(!o)return null;let i=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email;return{user:{id:o.sub,name:i,emailVerified:!1,email:o.email},data:o}}}},Pt=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await Rt(`${t}${r}`);if(!o?.keys)throw new vt("BAD_REQUEST",{message:"Keys not found"});let i=o.keys.find(n=>n.kid===e);if(!i)throw new Error(`JWK with kid ${e} not found`);return await Tt(i,i.alg)};import{betterFetch as St}from"@better-fetch/fetch";var Ue=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["identify","email"];return e.scope&&i.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${i.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>b({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await St("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let i=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${i}.png`}else{let i=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${i}`}return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url},data:r}}});import{betterFetch as It}from"@better-fetch/fetch";var Re=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["email","public_profile"];return e.scope&&i.push(...e.scope),await A({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:i,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>b({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await It("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified},data:r}}});import{betterFetch as ve}from"@better-fetch/fetch";var Ee=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:i,redirectURI:n}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),A({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:n})},validateAuthorizationCode:async({code:r,redirectURI:o})=>b({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await ve("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(i)return null;let n=!1;if(!o.email){let{data:s,error:c}=await ve("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});c||(o.email=(s.find(a=>a.primary)??s[0])?.email,n=s.find(a=>a.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n},data:o}}}};import{parseJWT as Dt}from"oslo/jwt";import{createConsola as Lt}from"consola";var ie=["info","success","warn","error","debug"];function Ot(e,t){return ie.indexOf(t)<=ie.indexOf(e)}var Ct=Lt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),jt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(i,n,s=[])=>{if(!(!t||!Ot(r,i))){if(!e||typeof e.log!="function"){Ct[i]("",n,...s);return}e.log(i==="success"?"info":i,n,s)}};return Object.fromEntries(ie.map(i=>[i,(...[n,...s])=>o(i,n,s)]))},T=jt();import{betterFetch as Bt}from"@better-fetch/fetch";var Te=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){if(!e.clientId||!e.clientSecret)throw T.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new $("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new $("codeVerifier is required for Google");let n=r||["email","profile","openid"];e.scope&&n.push(...e.scope);let s=await A({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:t,codeVerifier:o,redirectURI:i});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>b({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:i}=await Bt(o);return i?i.aud===e.clientId&&i.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=Dt(t.idToken)?.payload;return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified},data:r}}});import{betterFetch as Vt}from"@better-fetch/fetch";import{parseJWT as zt}from"oslo/jwt";var xe=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(i){let n=i.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),A({id:"microsoft",options:e,authorizationEndpoint:r,state:i.state,codeVerifier:i.codeVerifier,scopes:n,redirectURI:i.redirectURI})},validateAuthorizationCode({code:i,codeVerifier:n,redirectURI:s}){return b({code:i,codeVerifier:n,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let n=zt(i.idToken)?.payload,s=e.profilePhotoSize||48;return await Vt(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${i.accessToken}`},async onResponse(c){if(!(e.disableProfilePhoto||!c.response.ok))try{let d=await c.response.clone().arrayBuffer(),u=Buffer.from(d).toString("base64");n.picture=`data:image/jpeg;base64, ${u}`}catch(a){T.error(a&&typeof a=="object"&&"name"in a?a.name:"",a)}}}),{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0},data:n}}}};import{betterFetch as $t}from"@better-fetch/fetch";var _e=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){let n=r||["user-read-email"];return e.scope&&n.push(...e.scope),A({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:t,codeVerifier:o,redirectURI:i})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>b({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await $t("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1},data:r}}});var N={isAction:!1};import{nanoid as qt}from"nanoid";var Pe=e=>qt(e);import{parseJWT as Nt}from"oslo/jwt";var Se=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["user:read:email","openid"];return e.scope&&i.push(...e.scope),A({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:i,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>b({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return T.error("No idToken found in token"),null;let o=Nt(r)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});import{betterFetch as Ht}from"@better-fetch/fetch";var Ie=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),A({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>b({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await Ht("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:r.data.id,name:r.data.name,email:r.data.email||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1},data:r}}});import{betterFetch as Ft}from"@better-fetch/fetch";var Le=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:i,redirectURI:n})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await A({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:n,codeVerifier:i})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>await b({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await Ft("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});return i?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};import{betterFetch as Mt}from"@better-fetch/fetch";var Oe=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:i,redirectURI:n})=>{let s=i||["profile","email","openid"];return e.scope&&s.push(...e.scope),await A({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:i})=>await b({code:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:i,error:n}=await Mt("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return n?null:{user:{id:i.sub,name:i.name,email:i.email,emailVerified:i.email_verified||!1,image:i.picture},data:i}}}};import{betterFetch as Gt}from"@better-fetch/fetch";var se=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Zt=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:se(`${t}/oauth/authorize`),tokenEndpoint:se(`${t}/oauth/token`),userinfoEndpoint:se(`${t}/api/v4/user`)}},Ce=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=Zt(e.issuer),i="gitlab";return{id:i,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:c,codeVerifier:a,redirectURI:d})=>{let u=c||["read_user"];return e.scope&&u.push(...e.scope),await A({id:i,options:e,authorizationEndpoint:t,scopes:u,state:s,redirectURI:d,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:c,codeVerifier:a})=>b({code:s,redirectURI:e.redirectURI||c,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:c,error:a}=await Gt(o,{headers:{authorization:`Bearer ${s.accessToken}`}});return a||c.state!=="active"||c.locked?null:{user:{id:c.id.toString(),name:c.name??c.username,email:c.email,image:c.avatar_url,emailVerified:!0},data:c}}}};var Qt={apple:Ae,discord:Ue,facebook:Re,github:Ee,microsoft:xe,google:Te,spotify:_e,twitch:Se,twitter:Ie,dropbox:Le,linkedin:Oe,gitlab:Ce},X=Object.keys(Qt);import{TimeSpan as Jt}from"oslo";import{createJWT as Wt,validateJWT as Kt}from"oslo/jwt";import{z as I}from"zod";import{APIError as ee}from"better-call";import{APIError as j}from"better-call";import{z as G}from"zod";function je(e){try{return JSON.parse(e)}catch{return null}}var ae=()=>h("/get-session",{method:"GET",query:G.optional(G.object({disableCookieCache:G.boolean({description:"Disable cookie cache and fetch session from database"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?je(Buffer.from(r,"base64").toString()):null;if(o&&!await W.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return C(e),e.json(null);let i=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let u=o.session;if(o.expiresAt<Date.now()||u.session.expiresAt<new Date){let p=e.context.authCookies.sessionData.name;e.setCookie(p,"",{maxAge:0})}else return e.json(u)}let n=await e.context.internalAdapter.findSession(t);if(!n||n.session.expiresAt<new Date)return C(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(i)return e.json(n);let s=e.context.sessionConfig.expiresIn,c=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-s*1e3+c*1e3<=Date.now()){let u=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:V(e.context.sessionConfig.expiresIn,"sec")});if(!u)return C(e),e.json(null,{status:401});let m=(u.expiresAt.valueOf()-Date.now())/1e3;return await E(e,{session:u,user:n.user},!1,{maxAge:m}),e.json({session:u,user:n.user})}return e.json(n)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new j("INTERNAL_SERVER_ERROR",{message:"internal server error"})}}),Z=async e=>{if(e.context.session)return e.context.session;let t=await ae()({...e,_flag:"json",headers:e.headers});return e.context.session=t,t},P=F(async e=>{let t=await Z(e);if(!t?.session)throw new j("UNAUTHORIZED");return{session:t}}),De=F(async e=>{let t=await Z(e);if(!t?.session)throw new j("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),i=Date.now();if(!(o+r*1e3>i))throw new j("FORBIDDEN",{message:"Session is not fresh"});return{session:t}}),Be=()=>h("/list-sessions",{method:"GET",use:[P],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let r=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(o=>o.expiresAt>new Date);return e.json(r)}),Ve=h("/revoke-session",{method:"POST",body:G.object({token:G.string({description:"The token to revoke"})}),use:[P],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new j("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new j("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new j("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),ze=h("/revoke-sessions",{method:"POST",use:[P],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new j("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),$e=h("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[P],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new j("UNAUTHORIZED");let i=(await e.context.internalAdapter.listSessions(t.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(i.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function D(e,t,r){return await Wt("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Jt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}var qe=h("/send-verification-email",{method:"POST",query:I.object({currentURL:I.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:I.object({email:I.string({description:"The email to send the verification email to"}).email(),callbackURL:I.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new ee("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new ee("BAD_REQUEST",{message:"User not found"});let o=await D(e.context.secret,t),i=`${e.context.baseURL}/verify-email?token=${o}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.emailVerification.sendVerificationEmail({user:r.user,url:i,token:o},e.request),e.json({status:!0})}),Ne=h("/verify-email",{method:"GET",query:I.object({token:I.string({description:"The token to verify the email"}),callbackURL:I.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(c){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${c}`):new ee("UNAUTHORIZED",{message:c})}let{token:r}=e.query,o;try{o=await Kt("HS256",Buffer.from(e.context.secret),r)}catch(c){return e.context.logger.error("Failed to verify email",c),t("invalid_token")}let n=I.object({email:I.string().email(),updateTo:I.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return t("user_not_found");if(n.updateTo){let c=await Z(e);if(!c){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(c.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await Z(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new ee("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await E(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function te(e,{userInfo:t,account:r,callbackURL:o}){let i=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(c=>{throw T.error(`Better auth was unable to query your database.
3
- Error: `,c),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=i?.user;if(i){let c=i.accounts.find(a=>a.providerId===r.providerId);if(c)await e.context.internalAdapter.updateAccount(c.id,{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt});else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return fe&&T.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:i.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(u){return T.error("Unable to link account",u),{error:"unable to link account",data:null}}}}else try{let c=t.emailVerified||!1;if(n=await e.context.internalAdapter.createOAuthUser({...t,id:void 0,emailVerified:c,email:t.email.toLowerCase()},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(a=>a?.user),!c&&n&&e.context.options.emailVerification?.sendOnSignUp){let a=await D(e.context.secret,n.email),d=`${e.context.baseURL}/verify-email?token=${a}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:d,token:a},e.request)}}catch(c){return T.error("Unable to create user",c),{error:"unable to create user",data:null}}if(!n)return{error:"unable to create user",data:null};let s=await e.context.internalAdapter.createSession(n.id,e.request);return s?{data:{session:s,user:n},error:null}:{error:"unable to create session",data:null}}var He=h("/sign-in/social",{method:"POST",query:U.object({currentURL:U.string().optional()}).optional(),body:U.object({callbackURL:U.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:U.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:U.enum(X,{description:"OAuth2 provider to use"}),disableRedirect:U.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:U.optional(U.object({token:U.string({description:"ID token from the provider"}),nonce:U.string({description:"Nonce used to generate the token"}).optional(),accessToken:U.string({description:"Access token from the provider"}).optional(),refreshToken:U.string({description:"Refresh token from the provider"}).optional(),expiresAt:U.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new v("NOT_FOUND",{message:"Provider not found"});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new v("NOT_FOUND",{message:"Provider does not support id token verification"});let{token:n,nonce:s}=e.body.idToken;if(!await t.verifyIdToken(n,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new v("UNAUTHORIZED",{message:"Invalid id token"});let a=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new v("UNAUTHORIZED",{message:"Failed to get user info"});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new v("UNAUTHORIZED",{message:"User email not found"});let d=await te(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:t.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new v("UNAUTHORIZED",{message:d.error});return await E(e,d.data),e.json({session:d.data.session,user:d.data.user,url:`${e.body.callbackURL||e.query?.currentURL||e.context.options.baseURL}`,redirect:!0})}let{codeVerifier:r,state:o}=await Y(e),i=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:i.toString(),redirect:!e.body.disableRedirect})}),Fe=h("/sign-in/email",{method:"POST",body:U.object({email:U.string({description:"Email of the user"}),password:U.string({description:"Password of the user"}),callbackURL:U.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:U.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new v("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!U.string().email().safeParse(t).success)throw new v("BAD_REQUEST",{message:"Invalid email"});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new v("UNAUTHORIZED",{message:"Invalid email or password"});let n=i.accounts.find(d=>d.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new v("UNAUTHORIZED",{message:"Invalid email or password"});let s=n?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new v("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(s,r))throw e.context.logger.error("Invalid password"),new v("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new v("UNAUTHORIZED",{message:"Email is not verified."});let d=await D(e.context.secret,i.user.email),u=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:u,token:d},e.request),e.context.logger.error("Email not verified",{email:t}),new v("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let a=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new v("UNAUTHORIZED",{message:"Failed to create session"});return await E(e,{session:a,user:i.user},e.body.rememberMe===!1),e.json({user:i.user,session:a,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as Q}from"zod";var re=Q.object({code:Q.string().optional(),error:Q.string().optional(),errorMessage:Q.string().optional(),state:Q.string().optional()}),Me=h("/callback/:id",{method:["GET","POST"],body:re.optional(),query:re.optional(),metadata:N},async e=>{let t;try{if(e.method==="GET")t=re.parse(e.query);else if(e.method==="POST")t=re.parse(e.body);else throw new Error("Unsupported method")}catch(f){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",f),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:o,state:i}=t;if(!i)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let n=e.context.socialProviders.find(f=>f.id===e.params.id);if(!n)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:s,callbackURL:c,link:a,errorURL:d}=await ke(e),u;try{u=await n.validateAuthorizationCode({code:r,codeVerifier:s,redirectURI:`${e.context.baseURL}/callback/${n.id}`})}catch(f){throw e.context.logger.error("",f),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let m=await n.getUserInfo(u).then(f=>f?.user);function p(f){let y=d||c||`${e.context.baseURL}/error`;throw y.includes("?")?y=`${y}&error=${f}`:y=`${y}?error=${f}`,e.redirect(y)}if(!m)return e.context.logger.error("Unable to get user info"),p("unable_to_get_user_info");if(!m.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),p("email_not_found");if(!c)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(a){if(a.email!==m.email.toLowerCase())return p("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:a.userId,providerId:n.id,accountId:m.id}))return p("unable_to_link_account");let y;try{y=new URL(c).toString()}catch{y=c}throw e.redirect(y)}let w=await te(e,{userInfo:{id:m.id,email:m.email,name:m.name||"",image:m.image,emailVerified:m.emailVerified||!1},account:{providerId:n.id,accountId:m.id,...u,scope:u.scopes?.join(",")},callbackURL:c});if(w.error)return e.context.logger.error(w.error.split(" ").join("_")),p(w.error.split(" ").join("_"));let{session:L,user:_}=w.data;await E(e,{session:L,user:_});let g;try{g=new URL(c).toString()}catch{g=c}throw e.redirect(g)});import"zod";import{APIError as Yt}from"better-call";var Ge=h("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw C(e),new Yt("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),C(e),e.json({success:!0})});import{z as S}from"zod";import{APIError as ce}from"better-call";function Ze(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}function Xt(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}var Qe=h("/forget-password",{method:"POST",body:S.object({email:S.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:S.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new ce("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let i=60*60*1,n=V(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||i,"sec"),s=Pe(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${s}`,expiresAt:n});let c=`${e.context.baseURL}/reset-password/${s}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:c,token:s},e.request),e.json({status:!0})}),Je=h("/reset-password/:token",{method:"GET",query:S.object({callbackURL:S.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(Ze(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(Ze(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Xt(e.context,r,{token:t}))}),We=h("/reset-password",{query:S.optional(S.object({token:S.string().optional(),currentURL:S.string().optional()})),method:"POST",body:S.object({newPassword:S.string({description:"The new password to set"}),token:S.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new ce("BAD_REQUEST",{message:"Token not found"});let{newPassword:r}=e.body,o=`reset-password:${t}`,i=await e.context.internalAdapter.findVerificationValue(o);if(!i||i.expiresAt<new Date)throw new ce("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(i.id);let n=i.value,s=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(n)).find(d=>d.providerId==="credential")?(await e.context.internalAdapter.updatePassword(n,s),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:n,providerId:"credential",password:s,accountId:n}),e.json({status:!0}))});import{z as R}from"zod";import{APIError as x}from"better-call";import{z as l}from"zod";var Di=l.object({id:l.string(),providerId:l.string(),accountId:l.string(),userId:l.string(),accessToken:l.string().nullish(),refreshToken:l.string().nullish(),idToken:l.string().nullish(),accessTokenExpiresAt:l.date().nullish(),refreshTokenExpiresAt:l.date().nullish(),scope:l.string().nullish(),password:l.string().nullish(),createdAt:l.date().default(()=>new Date),updatedAt:l.date().default(()=>new Date)}),Bi=l.object({id:l.string(),email:l.string().transform(e=>e.toLowerCase()),emailVerified:l.boolean().default(!1),name:l.string(),image:l.string().nullish(),createdAt:l.date().default(()=>new Date),updatedAt:l.date().default(()=>new Date)}),Vi=l.object({id:l.string(),userId:l.string(),expiresAt:l.date(),createdAt:l.date().default(()=>new Date),updatedAt:l.date().default(()=>new Date),token:l.string(),ipAddress:l.string().nullish(),userAgent:l.string().nullish()}),zi=l.object({id:l.string(),value:l.string(),createdAt:l.date().default(()=>new Date),updatedAt:l.date().default(()=>new Date),expiresAt:l.date(),identifier:l.string()});function er(e,t){let r={...t==="user"?e.user?.additionalFields:{},...t==="session"?e.session?.additionalFields:{}};for(let o of e.plugins||[])o.schema&&o.schema[t]&&(r={...r,...o.schema[t].fields});return r}function tr(e,t){let r=t.action||"create",o=t.fields,i={};for(let n in o){if(n in e){if(o[n].input===!1){if(o[n].defaultValue){i[n]=o[n].defaultValue;continue}continue}i[n]=e[n];continue}if(o[n].defaultValue&&r==="create"){i[n]=o[n].defaultValue;continue}}return i}function oe(e,t,r){let o=er(e,"user");return tr(t||{},{fields:o,action:r})}var Ke=()=>h("/update-user",{method:"POST",body:R.record(R.string(),R.any()),use:[P],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new x("BAD_REQUEST",{message:"You can't update email"});let{name:r,image:o,...i}=t,n=e.context.session;if(!o&&!r&&Object.keys(i).length===0)return e.json({user:n.user});let s=oe(e.context.options,i,"update"),c=await e.context.internalAdapter.updateUserByEmail(n.user.email,{name:r,image:o,...s});return await E(e,{session:n.session,user:c}),e.json({user:c})}),Ye=h("/change-password",{method:"POST",body:R.object({newPassword:R.string({description:"The new password to set"}),currentPassword:R.string({description:"The current password"}),revokeOtherSessions:R.boolean({description:"Revoke all other sessions"}).optional()}),use:[P],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,i=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new x("BAD_REQUEST",{message:"Password is too short"});let s=e.context.password.config.maxPasswordLength;if(t.length>s)throw e.context.logger.error("Password is too long"),new x("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(m=>m.providerId==="credential"&&m.password);if(!a||!a.password)throw new x("BAD_REQUEST",{message:"User does not have a password"});let d=await e.context.password.hash(t);if(!await e.context.password.verify(a.password,r))throw new x("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(a.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(i.user.id);let m=await e.context.internalAdapter.createSession(i.user.id,e.headers);if(!m)throw new x("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await E(e,{session:m,user:i.user})}return e.json(i.user)}),Xe=h("/set-password",{method:"POST",body:R.object({newPassword:R.string()}),metadata:{SERVER_ONLY:!0},use:[P]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new x("BAD_REQUEST",{message:"Password is too short"});let i=e.context.password.config.maxPasswordLength;if(t.length>i)throw e.context.logger.error("Password is too long"),new x("BAD_REQUEST",{message:"Password too long"});let s=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password),c=await e.context.password.hash(t);if(!s)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:c}),e.json(r.user);throw new x("BAD_REQUEST",{message:"user already has a password"})}),et=h("/delete-user",{method:"POST",body:R.object({password:R.string({description:"The password of the user"})}),use:[De],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{let t=e.context.session;return await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),C(e),e.json(null)}),tt=h("/change-email",{method:"POST",query:R.object({currentURL:R.string().optional()}).optional(),body:R.object({newEmail:R.string({description:"The new email to set"}).email(),callbackURL:R.string({description:"The URL to redirect to after email verification"}).optional()}),use:[P],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new x("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new x("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new x("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let i=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:i,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new x("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await D(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:r},e.request),e.json({user:null,status:!0})});var rr=(e="Unknown")=>`<!DOCTYPE html>
1
+ import{APIError as q,createRouter as pr,getCookie as lr,getSignedCookie as ur,setCookie as mr,setSignedCookie as fr}from"better-call";import{APIError as mt}from"better-call";import{createEndpointCreator as lt,createMiddleware as de,createMiddlewareCreator as ut}from"better-call";var pe=de(async()=>({})),H=ut({use:[pe,de(async()=>({}))]}),h=lt({use:[pe]});var le=H(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,n=e.headers?.get("origin")||e.headers?.get("referer")||"",i=t?.callbackURL||r?.callbackURL,s=t?.redirectTo,c=r?.currentURL,a=o.trustedOrigins,d=e.headers?.has("cookie"),l=(p,w)=>w.includes("*")?new RegExp("^"+w.replace(/\*/g,"[^/]+").replace(/\./g,"\\.")+"$").test(p):p.startsWith(w),m=(p,w)=>{if(!p)return;if(!a.some(_=>l(p,_)||p?.startsWith("/")&&w!=="origin"&&!p.includes(":")))throw e.context.logger.error(`Invalid ${w}: ${p}`),e.context.logger.info(`If it's a valid URL, please add ${p} to trustedOrigins in your auth config
2
+ `,`Current list of trustedOrigins: ${a}`),new mt("FORBIDDEN",{message:`Invalid ${w}`})};d&&!e.context.options.advanced?.disableCSRFCheck&&m(n,"origin"),i&&m(i,"callbackURL"),s&&m(s,"redirectURL"),c&&m(c,"currentURL")});import{APIError as v}from"better-call";import{z as U}from"zod";import{TimeSpan as Or}from"oslo";import{base64url as wt}from"oslo/encoding";import{HMAC as ue,sha256 as vr}from"oslo/crypto";async function ft({value:e,secret:t}){return new ue("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function gt({value:e,signature:t,secret:r}){return new ue("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var K={sign:ft,verify:gt};var $=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r,this.stack=""}};var V=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));var Y=Object.create(null),M=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?Y:globalThis),me=new Proxy(Y,{get(e,t){return M()[t]??Y[t]},has(e,t){let r=M();return t in r||t in Y},set(e,t,r){let o=M(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=M(!0);return delete r[t],!0},ownKeys(){let e=M(!0);return Object.keys(e)}});function ht(e){return e?e!=="false":!1}var ie=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var fe=ie==="dev"||ie==="development",ge=ie==="test"||ht(me.TEST);async function E(e,t,r,o){let n=e.context.authCookies.sessionToken.options,i=r?void 0:e.context.sessionConfig.expiresIn;await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...n,maxAge:i,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled&&e.setCookie(e.context.authCookies.sessionData.name,JSON.stringify(wt.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:V(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await K.sign({value:JSON.stringify(t),secret:e.context.secret})})))),e.context.authCookies.sessionData.options),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),t.session.expiresAt.getTime()-Date.now())}function C(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}import{betterFetch as Rt}from"@better-fetch/fetch";import{APIError as vt}from"better-call";import{decodeProtectedHeader as Et,importJWK as Tt,jwtVerify as xt}from"jose";import{parseJWT as _t}from"oslo/jwt";import{sha256 as yt}from"oslo/crypto";import{base64url as bt}from"oslo/encoding";async function he(e){let t=await yt(new TextEncoder().encode(e));return bt.encode(new Uint8Array(t),{includePadding:!1})}function we(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?V(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function A({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:n,scopes:i,claims:s,redirectURI:c}){let a=new URL(r);if(a.searchParams.set("response_type","code"),a.searchParams.set("client_id",t.clientId),a.searchParams.set("state",o),a.searchParams.set("scope",i.join(" ")),a.searchParams.set("redirect_uri",t.redirectURI||c),n){let d=await he(n);a.searchParams.set("code_challenge_method","S256"),a.searchParams.set("code_challenge",d)}if(s){let d=s.reduce((l,m)=>(l[m]=null,l),{});a.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...d}}))}return a}import{betterFetch as kt}from"@better-fetch/fetch";async function b({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:n,authentication:i}){let s=new URLSearchParams,c={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),i==="basic"){let m=btoa(`${o.clientId}:${o.clientSecret}`);c.authorization=`Basic ${m}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:d}=await kt(n,{method:"POST",body:s,headers:c});if(d)throw d;return we(a)}import{generateCodeVerifier as At,generateState as Ut}from"oslo/oauth2";import{z}from"zod";import{APIError as be}from"better-call";function ye(e){try{return new URL(e).origin}catch{return null}}async function X(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?ye(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new be("BAD_REQUEST",{message:"callbackURL is required"});let o=At(),n=Ut(),i=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let c=await e.context.internalAdapter.createVerificationValue({value:i,identifier:n,expiresAt:s});if(!c)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new be("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:c.identifier,codeVerifier:o}}async function ke(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=z.object({callbackURL:z.string(),codeVerifier:z.string(),errorURL:z.string().optional(),expiresAt:z.number(),link:z.object({email:z.string(),userId:z.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Ae=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:n}){let i=o||["email","name"];return e.scope&&i.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${n||e.redirectURI}&scope=${i.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>b({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let n=Et(r),{kid:i,alg:s}=n;if(!i||!s)return!1;let c=await Pt(i),{payload:a}=await xt(r,c,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{a[d]!==void 0&&(a[d]=!!a[d])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=_t(r.idToken)?.payload;if(!o)return null;let n=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email;return{user:{id:o.sub,name:n,emailVerified:!1,email:o.email},data:o}}}},Pt=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await Rt(`${t}${r}`);if(!o?.keys)throw new vt("BAD_REQUEST",{message:"Keys not found"});let n=o.keys.find(i=>i.kid===e);if(!n)throw new Error(`JWK with kid ${e} not found`);return await Tt(n,n.alg)};import{betterFetch as St}from"@better-fetch/fetch";var Ue=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["identify","email"];return e.scope&&n.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${n.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>b({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await St("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let n=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${n}`}return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url},data:r}}});import{betterFetch as It}from"@better-fetch/fetch";var Re=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["email","public_profile"];return e.scope&&n.push(...e.scope),await A({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:n,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>b({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await It("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});return o?null:{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified},data:r}}});import{betterFetch as ve}from"@better-fetch/fetch";var Ee=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:n,redirectURI:i}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),A({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:i})},validateAuthorizationCode:async({code:r,redirectURI:o})=>b({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await ve("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(n)return null;let i=!1;if(!o.email){let{data:s,error:c}=await ve("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});c||(o.email=(s.find(a=>a.primary)??s[0])?.email,i=s.find(a=>a.email===o.email)?.verified??!1)}return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:i},data:o}}}};import{parseJWT as Dt}from"oslo/jwt";import{createConsola as Lt}from"consola";var ne=["info","success","warn","error","debug"];function Ot(e,t){return ne.indexOf(t)<=ne.indexOf(e)}var Ct=Lt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),jt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(n,i,s=[])=>{if(!(!t||!Ot(r,n))){if(!e||typeof e.log!="function"){Ct[n]("",i,...s);return}e.log(n==="success"?"info":n,i,s)}};return Object.fromEntries(ne.map(n=>[n,(...[i,...s])=>o(n,i,s)]))},T=jt();import{betterFetch as Bt}from"@better-fetch/fetch";var Te=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){if(!e.clientId||!e.clientSecret)throw T.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new $("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new $("codeVerifier is required for Google");let i=r||["email","profile","openid"];e.scope&&i.push(...e.scope);let s=await A({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:i,state:t,codeVerifier:o,redirectURI:n});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>b({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:n}=await Bt(o);return n?n.aud===e.clientId&&n.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=Dt(t.idToken)?.payload;return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified},data:r}}});import{betterFetch as Vt}from"@better-fetch/fetch";import{parseJWT as zt}from"oslo/jwt";var xe=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(n){let i=n.scopes||["openid","profile","email","User.Read"];return e.scope&&i.push(...e.scope),A({id:"microsoft",options:e,authorizationEndpoint:r,state:n.state,codeVerifier:n.codeVerifier,scopes:i,redirectURI:n.redirectURI})},validateAuthorizationCode({code:n,codeVerifier:i,redirectURI:s}){return b({code:n,codeVerifier:i,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(n){if(e.getUserInfo)return e.getUserInfo(n);if(!n.idToken)return null;let i=zt(n.idToken)?.payload,s=e.profilePhotoSize||48;return await Vt(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${n.accessToken}`},async onResponse(c){if(!(e.disableProfilePhoto||!c.response.ok))try{let d=await c.response.clone().arrayBuffer(),l=Buffer.from(d).toString("base64");i.picture=`data:image/jpeg;base64, ${l}`}catch(a){T.error(a&&typeof a=="object"&&"name"in a?a.name:"",a)}}}),{user:{id:i.sub,name:i.name,email:i.email,image:i.picture,emailVerified:!0},data:i}}}};import{betterFetch as $t}from"@better-fetch/fetch";var _e=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:n}){let i=r||["user-read-email"];return e.scope&&i.push(...e.scope),A({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:i,state:t,codeVerifier:o,redirectURI:n})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>b({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await $t("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1},data:r}}});var N={isAction:!1};import{nanoid as qt}from"nanoid";var Pe=e=>qt(e);import{parseJWT as Nt}from"oslo/jwt";var Se=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let n=r||["user:read:email","openid"];return e.scope&&n.push(...e.scope),A({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:n,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>b({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return T.error("No idToken found in token"),null;let o=Nt(r)?.payload;return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1},data:o}}});import{betterFetch as Ft}from"@better-fetch/fetch";var Ie=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),A({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>b({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await Ft("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});return o?null:{user:{id:r.data.id,name:r.data.name,email:r.data.email||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1},data:r}}});import{betterFetch as Ht}from"@better-fetch/fetch";var Le=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:n,redirectURI:i})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await A({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:i,codeVerifier:n})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:n})=>await b({code:r,codeVerifier:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:n}=await Ht("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});return n?null:{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url},data:o}}}};import{betterFetch as Mt}from"@better-fetch/fetch";var Oe=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:n,redirectURI:i})=>{let s=n||["profile","email","openid"];return e.scope&&s.push(...e.scope),await A({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:i})},validateAuthorizationCode:async({code:o,redirectURI:n})=>await b({code:o,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:n,error:i}=await Mt("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});return i?null:{user:{id:n.sub,name:n.name,email:n.email,emailVerified:n.email_verified||!1,image:n.picture},data:n}}}};import{betterFetch as Gt}from"@better-fetch/fetch";var se=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Qt=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:se(`${t}/oauth/authorize`),tokenEndpoint:se(`${t}/oauth/token`),userinfoEndpoint:se(`${t}/api/v4/user`)}},Ce=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=Qt(e.issuer),n="gitlab";return{id:n,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:c,codeVerifier:a,redirectURI:d})=>{let l=c||["read_user"];return e.scope&&l.push(...e.scope),await A({id:n,options:e,authorizationEndpoint:t,scopes:l,state:s,redirectURI:d,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:c,codeVerifier:a})=>b({code:s,redirectURI:e.redirectURI||c,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:c,error:a}=await Gt(o,{headers:{authorization:`Bearer ${s.accessToken}`}});return a||c.state!=="active"||c.locked?null:{user:{id:c.id.toString(),name:c.name??c.username,email:c.email,image:c.avatar_url,emailVerified:!0},data:c}}}};var Zt={apple:Ae,discord:Ue,facebook:Re,github:Ee,microsoft:xe,google:Te,spotify:_e,twitch:Se,twitter:Ie,dropbox:Le,linkedin:Oe,gitlab:Ce},ee=Object.keys(Zt);import{TimeSpan as Jt}from"oslo";import{createJWT as Wt,validateJWT as Kt}from"oslo/jwt";import{z as I}from"zod";import{APIError as Z}from"better-call";import{APIError as j}from"better-call";import{z as G}from"zod";function je(e){try{return JSON.parse(e)}catch{return null}}var ae=()=>h("/get-session",{method:"GET",query:G.optional(G.object({disableCookieCache:G.boolean({description:"Disable cookie cache and fetch session from database"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?je(Buffer.from(r,"base64").toString()):null;if(o&&!await K.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return C(e),e.json(null);let n=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let l=o.session;if(o.expiresAt<Date.now()||l.session.expiresAt<new Date){let p=e.context.authCookies.sessionData.name;e.setCookie(p,"",{maxAge:0})}else return e.json(l)}let i=await e.context.internalAdapter.findSession(t);if(!i||i.session.expiresAt<new Date)return C(e),i&&await e.context.internalAdapter.deleteSession(i.session.token),e.json(null);if(n)return e.json(i);let s=e.context.sessionConfig.expiresIn,c=e.context.sessionConfig.updateAge;if(i.session.expiresAt.valueOf()-s*1e3+c*1e3<=Date.now()){let l=await e.context.internalAdapter.updateSession(i.session.token,{expiresAt:V(e.context.sessionConfig.expiresIn,"sec")});if(!l)return C(e),e.json(null,{status:401});let m=(l.expiresAt.valueOf()-Date.now())/1e3;return await E(e,{session:l,user:i.user},!1,{maxAge:m}),e.json({session:l,user:i.user})}return e.json(i)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new j("INTERNAL_SERVER_ERROR",{message:"internal server error"})}}),Q=async e=>{if(e.context.session)return e.context.session;let t=await ae()({...e,_flag:"json",headers:e.headers});return e.context.session=t,t},P=H(async e=>{let t=await Q(e);if(!t?.session)throw new j("UNAUTHORIZED");return{session:t}}),De=H(async e=>{let t=await Q(e);if(!t?.session)throw new j("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),n=Date.now();if(!(o+r*1e3>n))throw new j("FORBIDDEN",{message:"Session is not fresh"});return{session:t}}),Be=()=>h("/list-sessions",{method:"GET",use:[P],requireHeaders:!0,metadata:{openapi:{description:"List all active sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}}}}}}}}}},async e=>{let r=(await e.context.internalAdapter.listSessions(e.context.session.user.id)).filter(o=>o.expiresAt>new Date);return e.json(r)}),Ve=h("/revoke-session",{method:"POST",body:G.object({token:G.string({description:"The token to revoke"})}),use:[P],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new j("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new j("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new j("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),ze=h("/revoke-sessions",{method:"POST",use:[P],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new j("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),$e=h("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[P],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new j("UNAUTHORIZED");let n=(await e.context.internalAdapter.listSessions(t.user.id)).filter(i=>i.expiresAt>new Date).filter(i=>i.token!==e.context.session.session.token);return await Promise.all(n.map(i=>e.context.internalAdapter.deleteSession(i.token))),e.json({status:!0})});async function D(e,t,r){return await Wt("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Jt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Yt(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Z("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await D(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:r},e.request)}var qe=h("/send-verification-email",{method:"POST",query:I.object({currentURL:I.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:I.object({email:I.string({description:"The email to send the verification email to"}).email(),callbackURL:I.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Z("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new Z("BAD_REQUEST",{message:"User not found"});return await Yt(e,r.user),e.json({status:!0})}),Ne=h("/verify-email",{method:"GET",query:I.object({token:I.string({description:"The token to verify the email"}),callbackURL:I.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(c){throw e.query.callbackURL?e.redirect(`${e.query.callbackURL}?error=${c}`):new Z("UNAUTHORIZED",{message:c})}let{token:r}=e.query,o;try{o=await Kt("HS256",Buffer.from(e.context.secret),r)}catch(c){return e.context.logger.error("Failed to verify email",c),t("invalid_token")}let i=I.object({email:I.string().email(),updateTo:I.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(i.email);if(!s)return t("user_not_found");if(i.updateTo){let c=await Q(e);if(!c){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(c.user.email!==i.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(i.email,{email:i.updateTo});if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${r}`,token:r},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(i.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await Q(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new Z("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await E(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function te(e,{userInfo:t,account:r,callbackURL:o}){let n=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(c=>{throw T.error(`Better auth was unable to query your database.
3
+ Error: `,c),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),i=n?.user;if(n){let c=n.accounts.find(a=>a.providerId===r.providerId);if(c)await e.context.internalAdapter.updateAccount(c.id,{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt});else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return fe&&T.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:n.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(l){return T.error("Unable to link account",l),{error:"unable to link account",data:null}}}}else try{let c=t.emailVerified||!1;if(i=await e.context.internalAdapter.createOAuthUser({...t,id:void 0,emailVerified:c,email:t.email.toLowerCase()},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(a=>a?.user),!c&&i&&e.context.options.emailVerification?.sendOnSignUp){let a=await D(e.context.secret,i.email),d=`${e.context.baseURL}/verify-email?token=${a}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:i,url:d,token:a},e.request)}}catch(c){return T.error("Unable to create user",c),{error:"unable to create user",data:null}}if(!i)return{error:"unable to create user",data:null};let s=await e.context.internalAdapter.createSession(i.id,e.request);return s?{data:{session:s,user:i},error:null}:{error:"unable to create session",data:null}}var Fe=h("/sign-in/social",{method:"POST",query:U.object({currentURL:U.string().optional()}).optional(),body:U.object({callbackURL:U.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:U.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:U.enum(ee,{description:"OAuth2 provider to use"}),disableRedirect:U.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:U.optional(U.object({token:U.string({description:"ID token from the provider"}),nonce:U.string({description:"Nonce used to generate the token"}).optional(),accessToken:U.string({description:"Access token from the provider"}).optional(),refreshToken:U.string({description:"Refresh token from the provider"}).optional(),expiresAt:U.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(i=>i.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new v("NOT_FOUND",{message:"Provider not found"});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new v("NOT_FOUND",{message:"Provider does not support id token verification"});let{token:i,nonce:s}=e.body.idToken;if(!await t.verifyIdToken(i,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new v("UNAUTHORIZED",{message:"Invalid id token"});let a=await t.getUserInfo({idToken:i,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new v("UNAUTHORIZED",{message:"Failed to get user info"});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new v("UNAUTHORIZED",{message:"User email not found"});let d=await te(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:t.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new v("UNAUTHORIZED",{message:d.error});return await E(e,d.data),e.json({session:d.data.session,user:d.data.user,url:`${e.body.callbackURL||e.query?.currentURL||e.context.options.baseURL}`,redirect:!0})}let{codeVerifier:r,state:o}=await X(e),n=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:n.toString(),redirect:!e.body.disableRedirect})}),He=h("/sign-in/email",{method:"POST",body:U.object({email:U.string({description:"Email of the user"}),password:U.string({description:"Password of the user"}),callbackURL:U.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:U.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new v("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!U.string().email().safeParse(t).success)throw new v("BAD_REQUEST",{message:"Invalid email"});let n=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!n)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new v("UNAUTHORIZED",{message:"Invalid email or password"});let i=n.accounts.find(d=>d.providerId==="credential");if(!i)throw e.context.logger.error("Credential account not found",{email:t}),new v("UNAUTHORIZED",{message:"Invalid email or password"});let s=i?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new v("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(s,r))throw e.context.logger.error("Invalid password"),new v("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!n.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new v("UNAUTHORIZED",{message:"Email is not verified."});let d=await D(e.context.secret,n.user.email),l=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:n.user,url:l,token:d},e.request),e.context.logger.error("Email not verified",{email:t}),new v("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let a=await e.context.internalAdapter.createSession(n.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new v("UNAUTHORIZED",{message:"Failed to create session"});return await E(e,{session:a,user:n.user},e.body.rememberMe===!1),e.json({user:n.user,session:a,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as J}from"zod";var re=J.object({code:J.string().optional(),error:J.string().optional(),errorMessage:J.string().optional(),state:J.string().optional()}),Me=h("/callback/:id",{method:["GET","POST"],body:re.optional(),query:re.optional(),metadata:N},async e=>{let t;try{if(e.method==="GET")t=re.parse(e.query);else if(e.method==="POST")t=re.parse(e.body);else throw new Error("Unsupported method")}catch(f){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",f),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:o,state:n}=t;if(!n)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let i=e.context.socialProviders.find(f=>f.id===e.params.id);if(!i)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:s,callbackURL:c,link:a,errorURL:d}=await ke(e),l;try{l=await i.validateAuthorizationCode({code:r,codeVerifier:s,redirectURI:`${e.context.baseURL}/callback/${i.id}`})}catch(f){throw e.context.logger.error("",f),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let m=await i.getUserInfo(l).then(f=>f?.user);function p(f){let y=d||c||`${e.context.baseURL}/error`;throw y.includes("?")?y=`${y}&error=${f}`:y=`${y}?error=${f}`,e.redirect(y)}if(!m)return e.context.logger.error("Unable to get user info"),p("unable_to_get_user_info");if(!m.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),p("email_not_found");if(!c)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(a){if(a.email!==m.email.toLowerCase())return p("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:a.userId,providerId:i.id,accountId:m.id}))return p("unable_to_link_account");let y;try{y=new URL(c).toString()}catch{y=c}throw e.redirect(y)}let w=await te(e,{userInfo:{id:m.id,email:m.email,name:m.name||"",image:m.image,emailVerified:m.emailVerified||!1},account:{providerId:i.id,accountId:m.id,...l,scope:l.scopes?.join(",")},callbackURL:c});if(w.error)return e.context.logger.error(w.error.split(" ").join("_")),p(w.error.split(" ").join("_"));let{session:L,user:_}=w.data;await E(e,{session:L,user:_});let g;try{g=new URL(c).toString()}catch{g=c}throw e.redirect(g)});import"zod";import{APIError as Xt}from"better-call";var Ge=h("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw C(e),new Xt("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),C(e),e.json({success:!0})});import{z as S}from"zod";import{APIError as ce}from"better-call";function Qe(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}function er(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([n,i])=>o.searchParams.set(n,i)),o.href}var Ze=h("/forget-password",{method:"POST",body:S.object({email:S.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:S.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new ce("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let n=60*60*1,i=V(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||n,"sec"),s=Pe(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${s}`,expiresAt:i});let c=`${e.context.baseURL}/reset-password/${s}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:c,token:s},e.request),e.json({status:!0})}),Je=h("/reset-password/:token",{method:"GET",query:S.object({callbackURL:S.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(Qe(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(Qe(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(er(e.context,r,{token:t}))}),We=h("/reset-password",{query:S.optional(S.object({token:S.string().optional(),currentURL:S.string().optional()})),method:"POST",body:S.object({newPassword:S.string({description:"The new password to set"}),token:S.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new ce("BAD_REQUEST",{message:"Token not found"});let{newPassword:r}=e.body,o=`reset-password:${t}`,n=await e.context.internalAdapter.findVerificationValue(o);if(!n||n.expiresAt<new Date)throw new ce("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(n.id);let i=n.value,s=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(i)).find(d=>d.providerId==="credential")?(await e.context.internalAdapter.updatePassword(i,s),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:i,providerId:"credential",password:s,accountId:i}),e.json({status:!0}))});import{z as R}from"zod";import{APIError as x}from"better-call";import{z as u}from"zod";var Bn=u.object({id:u.string(),providerId:u.string(),accountId:u.string(),userId:u.string(),accessToken:u.string().nullish(),refreshToken:u.string().nullish(),idToken:u.string().nullish(),accessTokenExpiresAt:u.date().nullish(),refreshTokenExpiresAt:u.date().nullish(),scope:u.string().nullish(),password:u.string().nullish(),createdAt:u.date().default(()=>new Date),updatedAt:u.date().default(()=>new Date)}),Vn=u.object({id:u.string(),email:u.string().transform(e=>e.toLowerCase()),emailVerified:u.boolean().default(!1),name:u.string(),image:u.string().nullish(),createdAt:u.date().default(()=>new Date),updatedAt:u.date().default(()=>new Date)}),zn=u.object({id:u.string(),userId:u.string(),expiresAt:u.date(),createdAt:u.date().default(()=>new Date),updatedAt:u.date().default(()=>new Date),token:u.string(),ipAddress:u.string().nullish(),userAgent:u.string().nullish()}),$n=u.object({id:u.string(),value:u.string(),createdAt:u.date().default(()=>new Date),updatedAt:u.date().default(()=>new Date),expiresAt:u.date(),identifier:u.string()});function tr(e,t){let r={...t==="user"?e.user?.additionalFields:{},...t==="session"?e.session?.additionalFields:{}};for(let o of e.plugins||[])o.schema&&o.schema[t]&&(r={...r,...o.schema[t].fields});return r}function rr(e,t){let r=t.action||"create",o=t.fields,n={};for(let i in o){if(i in e){if(o[i].input===!1){if(o[i].defaultValue){n[i]=o[i].defaultValue;continue}continue}n[i]=e[i];continue}if(o[i].defaultValue&&r==="create"){n[i]=o[i].defaultValue;continue}}return n}function oe(e,t,r){let o=tr(e,"user");return rr(t||{},{fields:o,action:r})}var Ke=()=>h("/update-user",{method:"POST",body:R.record(R.string(),R.any()),use:[P],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new x("BAD_REQUEST",{message:"You can't update email"});let{name:r,image:o,...n}=t,i=e.context.session;if(!o&&!r&&Object.keys(n).length===0)return e.json({user:i.user});let s=oe(e.context.options,n,"update"),c=await e.context.internalAdapter.updateUserByEmail(i.user.email,{name:r,image:o,...s});return await E(e,{session:i.session,user:c}),e.json({user:c})}),Ye=h("/change-password",{method:"POST",body:R.object({newPassword:R.string({description:"The new password to set"}),currentPassword:R.string({description:"The current password"}),revokeOtherSessions:R.boolean({description:"Revoke all other sessions"}).optional()}),use:[P],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,n=e.context.session,i=e.context.password.config.minPasswordLength;if(t.length<i)throw e.context.logger.error("Password is too short"),new x("BAD_REQUEST",{message:"Password is too short"});let s=e.context.password.config.maxPasswordLength;if(t.length>s)throw e.context.logger.error("Password is too long"),new x("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(n.user.id)).find(m=>m.providerId==="credential"&&m.password);if(!a||!a.password)throw new x("BAD_REQUEST",{message:"User does not have a password"});let d=await e.context.password.hash(t);if(!await e.context.password.verify(a.password,r))throw new x("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(a.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(n.user.id);let m=await e.context.internalAdapter.createSession(n.user.id,e.headers);if(!m)throw new x("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await E(e,{session:m,user:n.user})}return e.json(n.user)}),Xe=h("/set-password",{method:"POST",body:R.object({newPassword:R.string()}),metadata:{SERVER_ONLY:!0},use:[P]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new x("BAD_REQUEST",{message:"Password is too short"});let n=e.context.password.config.maxPasswordLength;if(t.length>n)throw e.context.logger.error("Password is too long"),new x("BAD_REQUEST",{message:"Password too long"});let s=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password),c=await e.context.password.hash(t);if(!s)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:c}),e.json(r.user);throw new x("BAD_REQUEST",{message:"user already has a password"})}),et=h("/delete-user",{method:"POST",body:R.object({password:R.string({description:"The password of the user"})}),use:[De],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{let t=e.context.session;return await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),C(e),e.json(null)}),tt=h("/change-email",{method:"POST",query:R.object({currentURL:R.string().optional()}).optional(),body:R.object({newEmail:R.string({description:"The new email to set"}).email(),callbackURL:R.string({description:"The URL to redirect to after email verification"}).optional()}),use:[P],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new x("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new x("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new x("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let n=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:n,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new x("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await D(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:r},e.request),e.json({user:null,status:!0})});var or=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>
6
6
  <meta charset="UTF-8">
@@ -80,4 +80,4 @@ Error: `,c),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)
80
80
  <div class="error-code">Error Code: <span id="errorCode">${e}</span></div>
81
81
  </div>
82
82
  </body>
83
- </html>`,rt=h("/error",{method:"GET",metadata:{...N,openapi:{description:"Displays an error page",responses:{200:{description:"Success",content:{"text/html":{schema:{type:"string"}}}}}}}},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(rr(t),{headers:{"Content-Type":"text/html"}})});var ot=h("/ok",{method:"GET",metadata:{...N,openapi:{description:"Check if the API is working",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{ok:{type:"boolean"}}}}}}}}}},async e=>e.json({ok:!0}));import{z as H}from"zod";import{APIError as B}from"better-call";var nt=()=>h("/sign-up/email",{method:"POST",query:H.object({currentURL:H.string().optional()}).optional(),body:H.record(H.string(),H.any()),metadata:{openapi:{description:"Sign up a user using email and password",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},email:{type:"string",description:"The email of the user"},password:{type:"string",description:"The password of the user"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["name","email","password"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},session:{type:"object"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.enabled)throw new B("BAD_REQUEST",{message:"Email and password sign up is not enabled"});let t=e.body,{name:r,email:o,password:i,image:n,callbackURL:s,...c}=t;if(!H.string().email().safeParse(o).success)throw new B("BAD_REQUEST",{message:"Invalid email"});let d=e.context.password.config.minPasswordLength;if(i.length<d)throw e.context.logger.error("Password is too short"),new B("BAD_REQUEST",{message:"Password is too short"});let u=e.context.password.config.maxPasswordLength;if(i.length>u)throw e.context.logger.error("Password is too long"),new B("BAD_REQUEST",{message:"Password is too long"});if((await e.context.internalAdapter.findUserByEmail(o))?.user)throw e.context.logger.info(`Sign-up attempt for existing email: ${o}`),new B("UNPROCESSABLE_ENTITY",{message:"User with this email already exists"});let p=oe(e.context.options,c),w;try{if(w=await e.context.internalAdapter.createUser({email:o.toLowerCase(),name:r,image:n,...p,emailVerified:!1}),!w)throw new B("BAD_REQUEST",{message:"Failed to create user"})}catch(g){throw e.context.logger.error("Failed to create user",g),new B("UNPROCESSABLE_ENTITY",{message:"Failed to create user",details:g})}if(!w)throw new B("UNPROCESSABLE_ENTITY",{message:"Failed to create user"});let L=await e.context.password.hash(i);if(await e.context.internalAdapter.linkAccount({userId:w.id,providerId:"credential",accountId:w.id,password:L}),e.context.options.emailVerification?.sendOnSignUp){let g=await D(e.context.secret,w.email),f=`${e.context.baseURL}/verify-email?token=${g}&callbackURL=${t.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:w,url:f,token:g},e.request)}if(!e.context.options.emailAndPassword.autoSignIn||e.context.options.emailAndPassword.requireEmailVerification)return e.json({user:w,session:null});let _=await e.context.internalAdapter.createSession(w.id,e.request);if(!_)throw new B("BAD_REQUEST",{message:"Failed to create session"});return await E(e,{session:_,user:w}),e.json({user:w,session:_})});import{z as J}from"zod";import{APIError as it}from"better-call";var st=h("/list-accounts",{method:"GET",use:[P],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let t=e.context.session,r=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(r.map(o=>({id:o.id,provider:o.providerId})))}),at=h("/link-social",{method:"POST",requireHeaders:!0,query:J.object({currentURL:J.string().optional()}).optional(),body:J.object({callbackURL:J.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:J.enum(X,{description:"The OAuth2 provider to use"})}),use:[P],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(c=>c.providerId===e.body.provider))throw new it("BAD_REQUEST",{message:"Social Account is already linked."});let i=e.context.socialProviders.find(c=>c.id===e.body.provider);if(!i)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new it("NOT_FOUND",{message:"Provider not found"});let n=await Y(e,{userId:t.user.id,email:t.user.email}),s=await i.createAuthorizationURL({state:n.state,codeVerifier:n.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${i.id}`});return e.json({url:s.toString(),redirect:!0})});function ct(e,t){if(t.advanced?.ipAddress?.disableIpTracking)return null;let r="127.0.0.1";if(ge)return r;let i=t.advanced?.ipAddress?.ipAddressHeaders||["x-client-ip","x-forwarded-for","cf-connecting-ip","fastly-client-ip","x-real-ip","x-cluster-client-ip","x-forwarded","forwarded-for","forwarded"],n=e instanceof Request?e.headers:e;for(let s of i){let c=n.get(s);if(typeof c=="string"){let a=c.split(",")[0].trim();if(a)return a}}return null}function or(e,t,r){let o=Date.now(),i=t*1e3;return o-r.lastRequest<i&&r.count>=e}function nr(e){return new Response(JSON.stringify({message:"Too many requests. Please try again later."}),{status:429,statusText:"Too Many Requests",headers:{"X-Retry-After":e.toString()}})}function ir(e,t){let r=Date.now(),o=t*1e3;return Math.ceil((e+o-r)/1e3)}function sr(e,t){let r="rateLimit",o=e.adapter;return{get:async i=>await o.findOne({model:r,where:[{field:"key",value:i}]}),set:async(i,n,s)=>{try{s?await o.update({model:t??"rateLimit",where:[{field:"key",value:i}],update:{count:n.count,lastRequest:n.lastRequest}}):await o.create({model:t??"rateLimit",data:{key:i,count:n.count,lastRequest:n.lastRequest}})}catch(c){e.logger.error("Error setting rate limit",c)}}}}var dt=new Map;function ar(e){return e.rateLimit.storage==="secondary-storage"?{get:async r=>{let o=await e.options.secondaryStorage?.get(r);return o?JSON.parse(o):void 0},set:async(r,o)=>{await e.options.secondaryStorage?.set?.(r,JSON.stringify(o))}}:e.rateLimit.storage==="memory"?{async get(r){return dt.get(r)},async set(r,o,i){dt.set(r,o)}}:sr(e,e.rateLimit.modelName)}async function pt(e,t){if(!t.rateLimit.enabled)return;let r=t.baseURL,o=e.url.replace(r,""),i=t.rateLimit.window,n=t.rateLimit.max,s=ct(e,t.options)+o,a=cr().find(p=>p.pathMatcher(o));a&&(i=a.window,n=a.max);for(let p of t.options.plugins||[])if(p.rateLimit){let w=p.rateLimit.find(L=>L.pathMatcher(o));if(w){i=w.window,n=w.max;break}}if(t.rateLimit.customRules){let p=t.rateLimit.customRules[o];p&&(i=p.window,n=p.max)}let d=ar(t),u=await d.get(s),m=Date.now();if(!u)await d.set(s,{key:s,count:1,lastRequest:m});else{let p=m-u.lastRequest;if(or(n,i,u)){let w=ir(u.lastRequest,i);return nr(w)}else p>i*1e3?await d.set(s,{...u,count:1,lastRequest:m}):await d.set(s,{...u,count:u.count+1,lastRequest:m})}}function cr(){return[{pathMatcher(t){return t.startsWith("/sign-in")||t.startsWith("/sign-up")||t.startsWith("/change-password")||t.startsWith("/change-email")},window:10,max:3}]}import{APIError as Ys}from"better-call";function fr(e,t){let r=t.plugins?.reduce((c,a)=>({...c,...a.endpoints}),{}),o=t.plugins?.map(c=>c.middlewares?.map(a=>{let d=async u=>a.middleware({...u,context:{...e,...u.context}});return d.path=a.path,d.options=a.middleware.options,d.headers=a.middleware.headers,{path:a.path,middleware:d}})).filter(c=>c!==void 0).flat()||[],n={...{signInSocial:He,callbackOAuth:Me,getSession:ae(),signOut:Ge,signUpEmail:nt(),signInEmail:Fe,forgetPassword:Qe,resetPassword:We,verifyEmail:Ne,sendVerificationEmail:qe,changeEmail:tt,changePassword:Ye,setPassword:Xe,updateUser:Ke(),deleteUser:et,forgetPasswordCallback:Je,listSessions:Be(),revokeSession:Ve,revokeSessions:ze,revokeOtherSessions:$e,linkSocialAccount:at,listUserAccounts:st},...r,ok:ot,error:rt},s={};for(let[c,a]of Object.entries(n))s[c]=async(d={})=>{a.headers=new Headers;let u={setHeader(g,f){a.headers.set(g,f)},setCookie(g,f,y){lr(a.headers,g,f,y)},getCookie(g,f){let k=d.headers?.get("cookie");return pr(k||"",g,f)},getSignedCookie(g,f,y){let k=d.headers;return k?ur(k,f,g,y):null},async setSignedCookie(g,f,y,k){await mr(a.headers,g,f,y,k)},redirect(g){return a.headers.set("Location",g),new q("FOUND")},responseHeader:a.headers},m=await e,p={...u,...d,path:a.path,context:{...m,...d.context,endpoint:a}};m.session=null;let w=t.plugins||[];for(let g of w){let f=g.hooks?.before??[];for(let y of f){if(!y.matcher(p))continue;let k=await y.handler(p);if(k&&"context"in k){p={...p,...k.context};continue}if(k)return k}}let L;try{L=await a(p)}catch(g){if(g instanceof q){let f=t.plugins?.map(y=>{if(y.hooks?.after)return y.hooks.after}).filter(y=>y!==void 0).flat();if(!f?.length)throw g.headers=a.headers,g;p.context.returned=g,p.context.returned.headers=a.headers;for(let y of f||[])if(y.matcher(p))try{let O=await y.handler(p);O&&"response"in O&&(p.context.returned=O.response)}catch(O){if(O instanceof q){p.context.returned=O;continue}throw O}if(p.context.returned instanceof q)throw p.context.returned.headers=a.headers,p.context.returned;return p.context.returned}throw g}p.context.returned=L,p.responseHeader=a.headers;for(let g of t.plugins||[])if(g.hooks?.after){for(let f of g.hooks.after)if(f.matcher(p))try{let k=await f.handler(p);k&&(p.context.returned=k)}catch(k){if(k instanceof q){p.context.returned=k;continue}throw k}}let _=p.context.returned;return _ instanceof Response&&a.headers.forEach((g,f)=>{f==="set-cookie"?_.headers.append(f,g):_.headers.set(f,g)}),_},s[c].path=a.path,s[c].method=a.method,s[c].options=a.options,s[c].headers=a.headers;return{api:s,middlewares:o}}var Gs=(e,t)=>{let{api:r,middlewares:o}=fr(e,t),i=new URL(e.baseURL).pathname;return dr(r,{extraContext:e,basePath:i,routerMiddleware:[{path:"/**",middleware:ue},...o],async onRequest(n){for(let s of e.options.plugins||[])if(s.onRequest){let c=await s.onRequest(n,e);if(c&&"response"in c)return c.response}return pt(n,e)},async onResponse(n){for(let s of e.options.plugins||[])if(s.onResponse){let c=await s.onResponse(n,e);if(c)return c.response}return n},onError(n){if(n instanceof q&&n.status==="FOUND")return;if(t.onAPIError?.throw)throw n;if(t.onAPIError?.onError){t.onAPIError.onError(n,e);return}let s=t.logger?.level,c=s==="error"||s==="warn"||s==="debug"?T:void 0;if(t.logger?.disabled!==!0){if(n&&typeof n=="object"&&"message"in n&&typeof n.message=="string"&&(n.message.includes("no column")||n.message.includes("column")||n.message.includes("relation")||n.message.includes("table")||n.message.includes("does not exist"))){e.logger?.error(n.message),e.logger?.error("If you are seeing this error, it is likely that you need to run the migrations for the database or you need to update your database schema. If you recently updated the package, make sure to run the migrations.");return}n instanceof q?(n.status==="INTERNAL_SERVER_ERROR"&&e.logger.error(n.status,n),c?.error(n.message)):e.logger?.error(n&&typeof n=="object"&&"name"in n?n.name:"",n)}}})};export{Ys as APIError,Me as callbackOAuth,tt as changeEmail,Ye as changePassword,h as createAuthEndpoint,F as createAuthMiddleware,D as createEmailVerificationToken,et as deleteUser,rt as error,Qe as forgetPassword,Je as forgetPasswordCallback,De as freshSessionMiddleware,fr as getEndpoints,ae as getSession,Z as getSessionFromCtx,at as linkSocialAccount,Be as listSessions,st as listUserAccounts,ot as ok,pe as optionsMiddleware,ue as originCheckMiddleware,We as resetPassword,$e as revokeOtherSessions,Ve as revokeSession,ze as revokeSessions,Gs as router,qe as sendVerificationEmail,P as sessionMiddleware,Xe as setPassword,Fe as signInEmail,He as signInSocial,Ge as signOut,nt as signUpEmail,Ke as updateUser,Ne as verifyEmail};
83
+ </html>`,rt=h("/error",{method:"GET",metadata:{...N,openapi:{description:"Displays an error page",responses:{200:{description:"Success",content:{"text/html":{schema:{type:"string"}}}}}}}},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(or(t),{headers:{"Content-Type":"text/html"}})});var ot=h("/ok",{method:"GET",metadata:{...N,openapi:{description:"Check if the API is working",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{ok:{type:"boolean"}}}}}}}}}},async e=>e.json({ok:!0}));import{z as F}from"zod";import{APIError as B}from"better-call";var it=()=>h("/sign-up/email",{method:"POST",query:F.object({currentURL:F.string().optional()}).optional(),body:F.record(F.string(),F.any()),metadata:{openapi:{description:"Sign up a user using email and password",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},email:{type:"string",description:"The email of the user"},password:{type:"string",description:"The password of the user"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["name","email","password"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},session:{type:"object"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.enabled)throw new B("BAD_REQUEST",{message:"Email and password sign up is not enabled"});let t=e.body,{name:r,email:o,password:n,image:i,callbackURL:s,...c}=t;if(!F.string().email().safeParse(o).success)throw new B("BAD_REQUEST",{message:"Invalid email"});let d=e.context.password.config.minPasswordLength;if(n.length<d)throw e.context.logger.error("Password is too short"),new B("BAD_REQUEST",{message:"Password is too short"});let l=e.context.password.config.maxPasswordLength;if(n.length>l)throw e.context.logger.error("Password is too long"),new B("BAD_REQUEST",{message:"Password is too long"});if((await e.context.internalAdapter.findUserByEmail(o))?.user)throw e.context.logger.info(`Sign-up attempt for existing email: ${o}`),new B("UNPROCESSABLE_ENTITY",{message:"User with this email already exists"});let p=oe(e.context.options,c),w;try{if(w=await e.context.internalAdapter.createUser({email:o.toLowerCase(),name:r,image:i,...p,emailVerified:!1}),!w)throw new B("BAD_REQUEST",{message:"Failed to create user"})}catch(g){throw e.context.logger.error("Failed to create user",g),new B("UNPROCESSABLE_ENTITY",{message:"Failed to create user",details:g})}if(!w)throw new B("UNPROCESSABLE_ENTITY",{message:"Failed to create user"});let L=await e.context.password.hash(n);if(await e.context.internalAdapter.linkAccount({userId:w.id,providerId:"credential",accountId:w.id,password:L}),e.context.options.emailVerification?.sendOnSignUp){let g=await D(e.context.secret,w.email),f=`${e.context.baseURL}/verify-email?token=${g}&callbackURL=${t.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:w,url:f,token:g},e.request)}if(!e.context.options.emailAndPassword.autoSignIn||e.context.options.emailAndPassword.requireEmailVerification)return e.json({user:w,session:null});let _=await e.context.internalAdapter.createSession(w.id,e.request);if(!_)throw new B("BAD_REQUEST",{message:"Failed to create session"});return await E(e,{session:_,user:w}),e.json({user:w,session:_})});import{z as W}from"zod";import{APIError as nt}from"better-call";var st=h("/list-accounts",{method:"GET",use:[P],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let t=e.context.session,r=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(r.map(o=>({id:o.id,provider:o.providerId})))}),at=h("/link-social",{method:"POST",requireHeaders:!0,query:W.object({currentURL:W.string().optional()}).optional(),body:W.object({callbackURL:W.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:W.enum(ee,{description:"The OAuth2 provider to use"})}),use:[P],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(c=>c.providerId===e.body.provider))throw new nt("BAD_REQUEST",{message:"Social Account is already linked."});let n=e.context.socialProviders.find(c=>c.id===e.body.provider);if(!n)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new nt("NOT_FOUND",{message:"Provider not found"});let i=await X(e,{userId:t.user.id,email:t.user.email}),s=await n.createAuthorizationURL({state:i.state,codeVerifier:i.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${n.id}`});return e.json({url:s.toString(),redirect:!0})});function ct(e,t){if(t.advanced?.ipAddress?.disableIpTracking)return null;let r="127.0.0.1";if(ge)return r;let n=t.advanced?.ipAddress?.ipAddressHeaders||["x-client-ip","x-forwarded-for","cf-connecting-ip","fastly-client-ip","x-real-ip","x-cluster-client-ip","x-forwarded","forwarded-for","forwarded"],i=e instanceof Request?e.headers:e;for(let s of n){let c=i.get(s);if(typeof c=="string"){let a=c.split(",")[0].trim();if(a)return a}}return null}function ir(e,t,r){let o=Date.now(),n=t*1e3;return o-r.lastRequest<n&&r.count>=e}function nr(e){return new Response(JSON.stringify({message:"Too many requests. Please try again later."}),{status:429,statusText:"Too Many Requests",headers:{"X-Retry-After":e.toString()}})}function sr(e,t){let r=Date.now(),o=t*1e3;return Math.ceil((e+o-r)/1e3)}function ar(e,t){let r="rateLimit",o=e.adapter;return{get:async n=>await o.findOne({model:r,where:[{field:"key",value:n}]}),set:async(n,i,s)=>{try{s?await o.update({model:t??"rateLimit",where:[{field:"key",value:n}],update:{count:i.count,lastRequest:i.lastRequest}}):await o.create({model:t??"rateLimit",data:{key:n,count:i.count,lastRequest:i.lastRequest}})}catch(c){e.logger.error("Error setting rate limit",c)}}}}var dt=new Map;function cr(e){return e.rateLimit.storage==="secondary-storage"?{get:async r=>{let o=await e.options.secondaryStorage?.get(r);return o?JSON.parse(o):void 0},set:async(r,o)=>{await e.options.secondaryStorage?.set?.(r,JSON.stringify(o))}}:e.rateLimit.storage==="memory"?{async get(r){return dt.get(r)},async set(r,o,n){dt.set(r,o)}}:ar(e,e.rateLimit.modelName)}async function pt(e,t){if(!t.rateLimit.enabled)return;let r=t.baseURL,o=e.url.replace(r,""),n=t.rateLimit.window,i=t.rateLimit.max,s=ct(e,t.options)+o,a=dr().find(p=>p.pathMatcher(o));a&&(n=a.window,i=a.max);for(let p of t.options.plugins||[])if(p.rateLimit){let w=p.rateLimit.find(L=>L.pathMatcher(o));if(w){n=w.window,i=w.max;break}}if(t.rateLimit.customRules){let p=t.rateLimit.customRules[o];p&&(n=p.window,i=p.max)}let d=cr(t),l=await d.get(s),m=Date.now();if(!l)await d.set(s,{key:s,count:1,lastRequest:m});else{let p=m-l.lastRequest;if(ir(i,n,l)){let w=sr(l.lastRequest,n);return nr(w)}else p>n*1e3?await d.set(s,{...l,count:1,lastRequest:m}):await d.set(s,{...l,count:l.count+1,lastRequest:m})}}function dr(){return[{pathMatcher(t){return t.startsWith("/sign-in")||t.startsWith("/sign-up")||t.startsWith("/change-password")||t.startsWith("/change-email")},window:10,max:3}]}import{APIError as Xs}from"better-call";function gr(e,t){let r=t.plugins?.reduce((c,a)=>({...c,...a.endpoints}),{}),o=t.plugins?.map(c=>c.middlewares?.map(a=>{let d=async l=>a.middleware({...l,context:{...e,...l.context}});return d.path=a.path,d.options=a.middleware.options,d.headers=a.middleware.headers,{path:a.path,middleware:d}})).filter(c=>c!==void 0).flat()||[],i={...{signInSocial:Fe,callbackOAuth:Me,getSession:ae(),signOut:Ge,signUpEmail:it(),signInEmail:He,forgetPassword:Ze,resetPassword:We,verifyEmail:Ne,sendVerificationEmail:qe,changeEmail:tt,changePassword:Ye,setPassword:Xe,updateUser:Ke(),deleteUser:et,forgetPasswordCallback:Je,listSessions:Be(),revokeSession:Ve,revokeSessions:ze,revokeOtherSessions:$e,linkSocialAccount:at,listUserAccounts:st},...r,ok:ot,error:rt},s={};for(let[c,a]of Object.entries(i))s[c]=async(d={})=>{a.headers=new Headers;let l={setHeader(g,f){a.headers.set(g,f)},setCookie(g,f,y){mr(a.headers,g,f,y)},getCookie(g,f){let k=d.headers?.get("cookie");return lr(k||"",g,f)},getSignedCookie(g,f,y){let k=d.headers;return k?ur(k,f,g,y):null},async setSignedCookie(g,f,y,k){await fr(a.headers,g,f,y,k)},redirect(g){return a.headers.set("Location",g),new q("FOUND")},responseHeader:a.headers},m=await e,p={...l,...d,path:a.path,context:{...m,...d.context,endpoint:a}};m.session=null;let w=t.plugins||[];for(let g of w){let f=g.hooks?.before??[];for(let y of f){if(!y.matcher(p))continue;let k=await y.handler(p);if(k&&"context"in k){p={...p,...k.context};continue}if(k)return k}}let L;try{L=await a(p)}catch(g){if(g instanceof q){let f=t.plugins?.map(y=>{if(y.hooks?.after)return y.hooks.after}).filter(y=>y!==void 0).flat();if(!f?.length)throw g.headers=a.headers,g;p.context.returned=g,p.context.returned.headers=a.headers;for(let y of f||[])if(y.matcher(p))try{let O=await y.handler(p);O&&"response"in O&&(p.context.returned=O.response)}catch(O){if(O instanceof q){p.context.returned=O;continue}throw O}if(p.context.returned instanceof q)throw p.context.returned.headers=a.headers,p.context.returned;return p.context.returned}throw g}p.context.returned=L,p.responseHeader=a.headers;for(let g of t.plugins||[])if(g.hooks?.after){for(let f of g.hooks.after)if(f.matcher(p))try{let k=await f.handler(p);k&&(p.context.returned=k)}catch(k){if(k instanceof q){p.context.returned=k;continue}throw k}}let _=p.context.returned;return _ instanceof Response&&a.headers.forEach((g,f)=>{f==="set-cookie"?_.headers.append(f,g):_.headers.set(f,g)}),_},s[c].path=a.path,s[c].method=a.method,s[c].options=a.options,s[c].headers=a.headers;return{api:s,middlewares:o}}var Qs=(e,t)=>{let{api:r,middlewares:o}=gr(e,t),n=new URL(e.baseURL).pathname;return pr(r,{extraContext:e,basePath:n,routerMiddleware:[{path:"/**",middleware:le},...o],async onRequest(i){for(let s of e.options.plugins||[])if(s.onRequest){let c=await s.onRequest(i,e);if(c&&"response"in c)return c.response}return pt(i,e)},async onResponse(i){for(let s of e.options.plugins||[])if(s.onResponse){let c=await s.onResponse(i,e);if(c)return c.response}return i},onError(i){if(i instanceof q&&i.status==="FOUND")return;if(t.onAPIError?.throw)throw i;if(t.onAPIError?.onError){t.onAPIError.onError(i,e);return}let s=t.logger?.level,c=s==="error"||s==="warn"||s==="debug"?T:void 0;if(t.logger?.disabled!==!0){if(i&&typeof i=="object"&&"message"in i&&typeof i.message=="string"&&(i.message.includes("no column")||i.message.includes("column")||i.message.includes("relation")||i.message.includes("table")||i.message.includes("does not exist"))){e.logger?.error(i.message),e.logger?.error("If you are seeing this error, it is likely that you need to run the migrations for the database or you need to update your database schema. If you recently updated the package, make sure to run the migrations.");return}i instanceof q?(i.status==="INTERNAL_SERVER_ERROR"&&e.logger.error(i.status,i),c?.error(i.message)):e.logger?.error(i&&typeof i=="object"&&"name"in i?i.name:"",i)}}})};export{Xs as APIError,Me as callbackOAuth,tt as changeEmail,Ye as changePassword,h as createAuthEndpoint,H as createAuthMiddleware,D as createEmailVerificationToken,et as deleteUser,rt as error,Ze as forgetPassword,Je as forgetPasswordCallback,De as freshSessionMiddleware,gr as getEndpoints,ae as getSession,Q as getSessionFromCtx,at as linkSocialAccount,Be as listSessions,st as listUserAccounts,ot as ok,pe as optionsMiddleware,le as originCheckMiddleware,We as resetPassword,$e as revokeOtherSessions,Ve as revokeSession,ze as revokeSessions,Qs as router,qe as sendVerificationEmail,Yt as sendVerificationEmailFn,P as sessionMiddleware,Xe as setPassword,He as signInEmail,Fe as signInSocial,Ge as signOut,it as signUpEmail,Ke as updateUser,Ne as verifyEmail};
package/dist/{auth-BVa3db5J.d.cts → auth-BubrmklB.d.cts} RENAMED
@@ -3089,6 +3089,10 @@ declare function createEmailVerificationToken(secret: string, email: string,
3089
3089
  * The email to update from
3090
3090
  */
3091
3091
  updateTo?: string): Promise<string>;
3092
+ /**
3093
+ * A function to send a verification email to the user
3094
+ */
3095
+ declare function sendVerificationEmailFn(ctx: GenericEndpointContext, user: User): Promise<void>;
3092
3096
  declare const sendVerificationEmail: {
3093
3097
  <C extends [better_call.Context<"/send-verification-email", {
3094
3098
  method: "POST";
@@ -13965,4 +13969,4 @@ type Auth = {
13965
13969
  options: BetterAuthOptions;
13966
13970
  };
13967
13971
 
13968
- export { type InferFieldsFromOptions as $, type Auth as A, type BetterAuthOptions as B, logger as C, type FieldType as D, type EligibleCookies as E, type FieldAttribute as F, type GenericEndpointContext as G, type HookEndpointContext as H, type InferUser as I, createInternalAdapter as J, type KyselyDatabaseType as K, type LogLevel as L, type Models as M, type InternalAdapter as N, type FieldAttributeConfig as O, type PluginSchema as P, createFieldAttribute as Q, type RateLimit as R, type Session as S, type InferValueType as T, type User as U, type InferFieldsOutput as V, type Where as W, type InferFieldsInput as X, type InferFieldsInputClient as Y, type PluginFieldAttribute as Z, type InferFieldsFromPlugins as _, type AdditionalUserFieldsInput as a, type BetterAuthDbSchema as a0, getAuthTables as a1, optionsMiddleware as a2, createAuthMiddleware as a3, createAuthEndpoint as a4, type AuthEndpoint as a5, type AuthMiddleware as a6, getEndpoints as a7, router as a8, signInSocial as a9, linkSocialAccount as aA, originCheckMiddleware as aB, signInEmail as aa, callbackOAuth as ab, getSession as ac, getSessionFromCtx as ad, sessionMiddleware as ae, freshSessionMiddleware as af, listSessions as ag, revokeSession as ah, revokeSessions as ai, revokeOtherSessions as aj, signOut as ak, forgetPassword as al, forgetPasswordCallback as am, resetPassword as an, createEmailVerificationToken as ao, sendVerificationEmail as ap, verifyEmail as aq, updateUser as ar, changePassword as as, setPassword as at, deleteUser as au, changeEmail as av, error as aw, ok as ax, signUpEmail as ay, listUserAccounts as az, betterAuth as b, type AdditionalUserFieldsOutput as c, type AdditionalSessionFieldsInput as d, type AdditionalSessionFieldsOutput as e, type InferSession as f, type InferPluginTypes as g, type AuthContext as h, init as i, type BetterAuthPlugin as j, type InferOptionSchema as k, type Adapter as l, type AdapterInstance as m, type SecondaryStorage as n, createCookieGetter as o, getCookies as p, type BetterAuthCookies as q, deleteSessionCookie as r, setSessionCookie as s, parseCookies as t, parseSetCookieHeader as u, levels as v, shouldPublishLog as w, type Logger as x, type LogHandlerParams as y, createLogger as z };
13972
+ export { type InferFieldsFromOptions as $, type Auth as A, type BetterAuthOptions as B, logger as C, type FieldType as D, type EligibleCookies as E, type FieldAttribute as F, type GenericEndpointContext as G, type HookEndpointContext as H, type InferUser as I, createInternalAdapter as J, type KyselyDatabaseType as K, type LogLevel as L, type Models as M, type InternalAdapter as N, type FieldAttributeConfig as O, type PluginSchema as P, createFieldAttribute as Q, type RateLimit as R, type Session as S, type InferValueType as T, type User as U, type InferFieldsOutput as V, type Where as W, type InferFieldsInput as X, type InferFieldsInputClient as Y, type PluginFieldAttribute as Z, type InferFieldsFromPlugins as _, type AdditionalUserFieldsInput as a, type BetterAuthDbSchema as a0, getAuthTables as a1, optionsMiddleware as a2, createAuthMiddleware as a3, createAuthEndpoint as a4, type AuthEndpoint as a5, type AuthMiddleware as a6, getEndpoints as a7, router as a8, signInSocial as a9, listUserAccounts as aA, linkSocialAccount as aB, originCheckMiddleware as aC, signInEmail as aa, callbackOAuth as ab, getSession as ac, getSessionFromCtx as ad, sessionMiddleware as ae, freshSessionMiddleware as af, listSessions as ag, revokeSession as ah, revokeSessions as ai, revokeOtherSessions as aj, signOut as ak, forgetPassword as al, forgetPasswordCallback as am, resetPassword as an, createEmailVerificationToken as ao, sendVerificationEmailFn as ap, sendVerificationEmail as aq, verifyEmail as ar, updateUser as as, changePassword as at, setPassword as au, deleteUser as av, changeEmail as aw, error as ax, ok as ay, signUpEmail as az, betterAuth as b, type AdditionalUserFieldsOutput as c, type AdditionalSessionFieldsInput as d, type AdditionalSessionFieldsOutput as e, type InferSession as f, type InferPluginTypes as g, type AuthContext as h, init as i, type BetterAuthPlugin as j, type InferOptionSchema as k, type Adapter as l, type AdapterInstance as m, type SecondaryStorage as n, createCookieGetter as o, getCookies as p, type BetterAuthCookies as q, deleteSessionCookie as r, setSessionCookie as s, parseCookies as t, parseSetCookieHeader as u, levels as v, shouldPublishLog as w, type Logger as x, type LogHandlerParams as y, createLogger as z };
package/dist/{auth-5eyWphKM.d.ts → auth-DF-f5DGM.d.ts} RENAMED
@@ -3089,6 +3089,10 @@ declare function createEmailVerificationToken(secret: string, email: string,
3089
3089
  * The email to update from
3090
3090
  */
3091
3091
  updateTo?: string): Promise<string>;
3092
+ /**
3093
+ * A function to send a verification email to the user
3094
+ */
3095
+ declare function sendVerificationEmailFn(ctx: GenericEndpointContext, user: User): Promise<void>;
3092
3096
  declare const sendVerificationEmail: {
3093
3097
  <C extends [better_call.Context<"/send-verification-email", {
3094
3098
  method: "POST";
@@ -13965,4 +13969,4 @@ type Auth = {
13965
13969
  options: BetterAuthOptions;
13966
13970
  };
13967
13971
 
13968
- export { type InferFieldsFromOptions as $, type Auth as A, type BetterAuthOptions as B, logger as C, type FieldType as D, type EligibleCookies as E, type FieldAttribute as F, type GenericEndpointContext as G, type HookEndpointContext as H, type InferUser as I, createInternalAdapter as J, type KyselyDatabaseType as K, type LogLevel as L, type Models as M, type InternalAdapter as N, type FieldAttributeConfig as O, type PluginSchema as P, createFieldAttribute as Q, type RateLimit as R, type Session as S, type InferValueType as T, type User as U, type InferFieldsOutput as V, type Where as W, type InferFieldsInput as X, type InferFieldsInputClient as Y, type PluginFieldAttribute as Z, type InferFieldsFromPlugins as _, type AdditionalUserFieldsInput as a, type BetterAuthDbSchema as a0, getAuthTables as a1, optionsMiddleware as a2, createAuthMiddleware as a3, createAuthEndpoint as a4, type AuthEndpoint as a5, type AuthMiddleware as a6, getEndpoints as a7, router as a8, signInSocial as a9, linkSocialAccount as aA, originCheckMiddleware as aB, signInEmail as aa, callbackOAuth as ab, getSession as ac, getSessionFromCtx as ad, sessionMiddleware as ae, freshSessionMiddleware as af, listSessions as ag, revokeSession as ah, revokeSessions as ai, revokeOtherSessions as aj, signOut as ak, forgetPassword as al, forgetPasswordCallback as am, resetPassword as an, createEmailVerificationToken as ao, sendVerificationEmail as ap, verifyEmail as aq, updateUser as ar, changePassword as as, setPassword as at, deleteUser as au, changeEmail as av, error as aw, ok as ax, signUpEmail as ay, listUserAccounts as az, betterAuth as b, type AdditionalUserFieldsOutput as c, type AdditionalSessionFieldsInput as d, type AdditionalSessionFieldsOutput as e, type InferSession as f, type InferPluginTypes as g, type AuthContext as h, init as i, type BetterAuthPlugin as j, type InferOptionSchema as k, type Adapter as l, type AdapterInstance as m, type SecondaryStorage as n, createCookieGetter as o, getCookies as p, type BetterAuthCookies as q, deleteSessionCookie as r, setSessionCookie as s, parseCookies as t, parseSetCookieHeader as u, levels as v, shouldPublishLog as w, type Logger as x, type LogHandlerParams as y, createLogger as z };
13972
+ export { type InferFieldsFromOptions as $, type Auth as A, type BetterAuthOptions as B, logger as C, type FieldType as D, type EligibleCookies as E, type FieldAttribute as F, type GenericEndpointContext as G, type HookEndpointContext as H, type InferUser as I, createInternalAdapter as J, type KyselyDatabaseType as K, type LogLevel as L, type Models as M, type InternalAdapter as N, type FieldAttributeConfig as O, type PluginSchema as P, createFieldAttribute as Q, type RateLimit as R, type Session as S, type InferValueType as T, type User as U, type InferFieldsOutput as V, type Where as W, type InferFieldsInput as X, type InferFieldsInputClient as Y, type PluginFieldAttribute as Z, type InferFieldsFromPlugins as _, type AdditionalUserFieldsInput as a, type BetterAuthDbSchema as a0, getAuthTables as a1, optionsMiddleware as a2, createAuthMiddleware as a3, createAuthEndpoint as a4, type AuthEndpoint as a5, type AuthMiddleware as a6, getEndpoints as a7, router as a8, signInSocial as a9, listUserAccounts as aA, linkSocialAccount as aB, originCheckMiddleware as aC, signInEmail as aa, callbackOAuth as ab, getSession as ac, getSessionFromCtx as ad, sessionMiddleware as ae, freshSessionMiddleware as af, listSessions as ag, revokeSession as ah, revokeSessions as ai, revokeOtherSessions as aj, signOut as ak, forgetPassword as al, forgetPasswordCallback as am, resetPassword as an, createEmailVerificationToken as ao, sendVerificationEmailFn as ap, sendVerificationEmail as aq, verifyEmail as ar, updateUser as as, changePassword as at, setPassword as au, deleteUser as av, changeEmail as aw, error as ax, ok as ay, signUpEmail as az, betterAuth as b, type AdditionalUserFieldsOutput as c, type AdditionalSessionFieldsInput as d, type AdditionalSessionFieldsOutput as e, type InferSession as f, type InferPluginTypes as g, type AuthContext as h, init as i, type BetterAuthPlugin as j, type InferOptionSchema as k, type Adapter as l, type AdapterInstance as m, type SecondaryStorage as n, createCookieGetter as o, getCookies as p, type BetterAuthCookies as q, deleteSessionCookie as r, setSessionCookie as s, parseCookies as t, parseSetCookieHeader as u, levels as v, shouldPublishLog as w, type Logger as x, type LogHandlerParams as y, createLogger as z };
package/dist/client/plugins.d.cts CHANGED
@@ -2,10 +2,10 @@ import * as nanostores from 'nanostores';
2
2
  import { AccessControl, StatementsPrimitive, Role } from '../plugins/access.cjs';
3
3
  import * as _better_fetch_fetch from '@better-fetch/fetch';
4
4
  import { BetterFetchOption } from '@better-fetch/fetch';
5
- import { o as organization, q as Organization, M as Member, I as Invitation, u as username, m as magicLink, d as phoneNumber, f as anonymous, i as admin, j as genericOAuth, k as jwt, l as multiSession, n as emailOTP } from '../index-x5P1hIyV.cjs';
6
- export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-x5P1hIyV.cjs';
5
+ import { o as organization, q as Organization, M as Member, I as Invitation, u as username, m as magicLink, d as phoneNumber, f as anonymous, i as admin, j as genericOAuth, k as jwt, l as multiSession, n as emailOTP } from '../index-CwnHFdnT.cjs';
6
+ export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-CwnHFdnT.cjs';
7
7
  import { P as Prettify } from '../helper-DxMBi7M2.cjs';
8
- import { F as FieldAttribute, B as BetterAuthOptions, j as BetterAuthPlugin } from '../auth-BVa3db5J.cjs';
8
+ import { F as FieldAttribute, B as BetterAuthOptions, j as BetterAuthPlugin } from '../auth-BubrmklB.cjs';
9
9
  import { Store } from '../types.cjs';
10
10
  import 'zod';
11
11
  import 'better-call';
package/dist/client/plugins.d.ts CHANGED
@@ -2,10 +2,10 @@ import * as nanostores from 'nanostores';
2
2
  import { AccessControl, StatementsPrimitive, Role } from '../plugins/access.js';
3
3
  import * as _better_fetch_fetch from '@better-fetch/fetch';
4
4
  import { BetterFetchOption } from '@better-fetch/fetch';
5
- import { o as organization, q as Organization, M as Member, I as Invitation, u as username, m as magicLink, d as phoneNumber, f as anonymous, i as admin, j as genericOAuth, k as jwt, l as multiSession, n as emailOTP } from '../index-CX-Hopog.js';
6
- export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-CX-Hopog.js';
5
+ import { o as organization, q as Organization, M as Member, I as Invitation, u as username, m as magicLink, d as phoneNumber, f as anonymous, i as admin, j as genericOAuth, k as jwt, l as multiSession, n as emailOTP } from '../index-aMRluDla.js';
6
+ export { g as getPasskeyActions, c as passkeyClient, a as twoFactorClient } from '../index-aMRluDla.js';
7
7
  import { P as Prettify } from '../helper-DxMBi7M2.js';
8
- import { F as FieldAttribute, B as BetterAuthOptions, j as BetterAuthPlugin } from '../auth-5eyWphKM.js';
8
+ import { F as FieldAttribute, B as BetterAuthOptions, j as BetterAuthPlugin } from '../auth-DF-f5DGM.js';
9
9
  import { Store } from '../types.js';
10
10
  import 'zod';
11
11
  import 'better-call';
package/dist/client.d.cts CHANGED
@@ -1,4 +1,4 @@
1
- import { j as BetterAuthPlugin } from './auth-BVa3db5J.cjs';
1
+ import { j as BetterAuthPlugin } from './auth-BubrmklB.cjs';
2
2
  import { ClientOptions, InferClientAPI, InferActions, BetterAuthClientPlugin, IsSignal } from './types.cjs';
3
3
  export { AtomListener, InferAdditionalFromClient, InferPluginsFromClient, InferSessionFromClient, InferUserFromClient, Store } from './types.cjs';
4
4
  import * as nanostores from 'nanostores';
package/dist/client.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import { j as BetterAuthPlugin } from './auth-5eyWphKM.js';
1
+ import { j as BetterAuthPlugin } from './auth-DF-f5DGM.js';
2
2
  import { ClientOptions, InferClientAPI, InferActions, BetterAuthClientPlugin, IsSignal } from './types.js';
3
3
  export { AtomListener, InferAdditionalFromClient, InferPluginsFromClient, InferSessionFromClient, InferUserFromClient, Store } from './types.js';
4
4
  import * as nanostores from 'nanostores';
package/dist/cookies.d.cts CHANGED
@@ -1,5 +1,5 @@
1
1
  import 'better-call';
2
- export { q as BetterAuthCookies, E as EligibleCookies, o as createCookieGetter, r as deleteSessionCookie, p as getCookies, t as parseCookies, u as parseSetCookieHeader, s as setSessionCookie } from './auth-BVa3db5J.cjs';
2
+ export { q as BetterAuthCookies, E as EligibleCookies, o as createCookieGetter, r as deleteSessionCookie, p as getCookies, t as parseCookies, u as parseSetCookieHeader, s as setSessionCookie } from './auth-BubrmklB.cjs';
3
3
  import 'kysely';
4
4
  import 'zod';
5
5
  import './helper-DxMBi7M2.cjs';
package/dist/cookies.d.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  import 'better-call';
2
- export { q as BetterAuthCookies, E as EligibleCookies, o as createCookieGetter, r as deleteSessionCookie, p as getCookies, t as parseCookies, u as parseSetCookieHeader, s as setSessionCookie } from './auth-5eyWphKM.js';
2
+ export { q as BetterAuthCookies, E as EligibleCookies, o as createCookieGetter, r as deleteSessionCookie, p as getCookies, t as parseCookies, u as parseSetCookieHeader, s as setSessionCookie } from './auth-DF-f5DGM.js';
3
3
  import 'kysely';
4
4
  import 'zod';
5
5
  import './helper-DxMBi7M2.js';
package/dist/db.d.cts CHANGED
@@ -1,5 +1,5 @@
1
- import { l as Adapter, B as BetterAuthOptions, W as Where, F as FieldAttribute, D as FieldType, K as KyselyDatabaseType } from './auth-BVa3db5J.cjs';
2
- export { a0 as BetterAuthDbSchema, O as FieldAttributeConfig, $ as InferFieldsFromOptions, _ as InferFieldsFromPlugins, X as InferFieldsInput, Y as InferFieldsInputClient, V as InferFieldsOutput, T as InferValueType, N as InternalAdapter, Z as PluginFieldAttribute, Q as createFieldAttribute, J as createInternalAdapter, a1 as getAuthTables } from './auth-BVa3db5J.cjs';
1
+ import { l as Adapter, B as BetterAuthOptions, W as Where, F as FieldAttribute, D as FieldType, K as KyselyDatabaseType } from './auth-BubrmklB.cjs';
2
+ export { a0 as BetterAuthDbSchema, O as FieldAttributeConfig, $ as InferFieldsFromOptions, _ as InferFieldsFromPlugins, X as InferFieldsInput, Y as InferFieldsInputClient, V as InferFieldsOutput, T as InferValueType, N as InternalAdapter, Z as PluginFieldAttribute, Q as createFieldAttribute, J as createInternalAdapter, a1 as getAuthTables } from './auth-BubrmklB.cjs';
3
3
  import { z } from 'zod';
4
4
  import 'kysely';
5
5
  import 'better-call';
package/dist/db.d.ts CHANGED
@@ -1,5 +1,5 @@
1
- import { l as Adapter, B as BetterAuthOptions, W as Where, F as FieldAttribute, D as FieldType, K as KyselyDatabaseType } from './auth-5eyWphKM.js';
2
- export { a0 as BetterAuthDbSchema, O as FieldAttributeConfig, $ as InferFieldsFromOptions, _ as InferFieldsFromPlugins, X as InferFieldsInput, Y as InferFieldsInputClient, V as InferFieldsOutput, T as InferValueType, N as InternalAdapter, Z as PluginFieldAttribute, Q as createFieldAttribute, J as createInternalAdapter, a1 as getAuthTables } from './auth-5eyWphKM.js';
1
+ import { l as Adapter, B as BetterAuthOptions, W as Where, F as FieldAttribute, D as FieldType, K as KyselyDatabaseType } from './auth-DF-f5DGM.js';
2
+ export { a0 as BetterAuthDbSchema, O as FieldAttributeConfig, $ as InferFieldsFromOptions, _ as InferFieldsFromPlugins, X as InferFieldsInput, Y as InferFieldsInputClient, V as InferFieldsOutput, T as InferValueType, N as InternalAdapter, Z as PluginFieldAttribute, Q as createFieldAttribute, J as createInternalAdapter, a1 as getAuthTables } from './auth-DF-f5DGM.js';
3
3
  import { z } from 'zod';
4
4
  import 'kysely';
5
5
  import 'better-call';