better-auth 1.0.21 → 1.0.22-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. package/dist/adapters/prisma.d.cts +1 -1
  2. package/dist/adapters/prisma.d.ts +1 -1
  3. package/dist/api.cjs +1 -1
  4. package/dist/api.js +1 -1
  5. package/dist/client/plugins.d.cts +1 -1
  6. package/dist/client/plugins.d.ts +1 -1
  7. package/dist/{index-Dt4lZbQi.d.ts → index-Dd3_WG87.d.ts} +105 -103
  8. package/dist/{index-CgaJXZ9u.d.cts → index-Dp04oxSM.d.cts} +105 -103
  9. package/dist/index.cjs +2 -2
  10. package/dist/index.js +2 -2
  11. package/dist/plugin/custom-session.cjs +4 -4
  12. package/dist/plugin/custom-session.js +2 -2
  13. package/dist/plugins/admin.cjs +1 -1
  14. package/dist/plugins/admin.js +1 -1
  15. package/dist/plugins/anonymous.cjs +1 -1
  16. package/dist/plugins/anonymous.js +1 -1
  17. package/dist/plugins/bearer.cjs +1 -1
  18. package/dist/plugins/bearer.js +1 -1
  19. package/dist/plugins/email-otp.cjs +1 -1
  20. package/dist/plugins/email-otp.js +1 -1
  21. package/dist/plugins/generic-oauth.cjs +1 -1
  22. package/dist/plugins/generic-oauth.js +1 -1
  23. package/dist/plugins/jwt.cjs +2 -2
  24. package/dist/plugins/jwt.js +2 -2
  25. package/dist/plugins/multi-session.cjs +1 -1
  26. package/dist/plugins/multi-session.js +1 -1
  27. package/dist/plugins/one-tap.cjs +1 -1
  28. package/dist/plugins/one-tap.js +1 -1
  29. package/dist/plugins/open-api.cjs +1 -1
  30. package/dist/plugins/open-api.js +1 -1
  31. package/dist/plugins/organization.cjs +4 -4
  32. package/dist/plugins/organization.d.cts +1 -1
  33. package/dist/plugins/organization.d.ts +1 -1
  34. package/dist/plugins/organization.js +2 -2
  35. package/dist/plugins/passkey.cjs +1 -1
  36. package/dist/plugins/passkey.js +1 -1
  37. package/dist/plugins/phone-number.cjs +1 -1
  38. package/dist/plugins/phone-number.js +1 -1
  39. package/dist/plugins/two-factor.cjs +1 -1
  40. package/dist/plugins/two-factor.js +1 -1
  41. package/dist/plugins/username.cjs +1 -1
  42. package/dist/plugins/username.js +1 -1
  43. package/dist/plugins.cjs +3 -3
  44. package/dist/plugins.d.cts +1 -1
  45. package/dist/plugins.d.ts +1 -1
  46. package/dist/plugins.js +4 -4
  47. package/package.json +1 -1
package/dist/plugins/email-otp.js CHANGED
@@ -1,5 +1,5 @@
1
1
  import{z as A}from"zod";import{APIError as Fa,createRouter as Ma,getCookie as Ha,getSignedCookie as Ga,setCookie as Qa,setSignedCookie as Za}from"better-call";import{APIError as Xe}from"better-call";import{createEndpointCreator as Qe,createMiddleware as fe,createMiddlewareCreator as Ze}from"better-call";var ge=fe(async()=>({})),H=Ze({use:[ge,fe(async()=>({}))]}),l=Qe({use:[ge]});function se(e){return e==="-"||e==="^"||e==="$"||e==="+"||e==="."||e==="("||e===")"||e==="|"||e==="["||e==="]"||e==="{"||e==="}"||e==="*"||e==="?"||e==="\\"?`\\${e}`:e}function We(e){let t="";for(let r=0;r<e.length;r++)t+=se(e[r]);return t}function he(e,t=!0){if(Array.isArray(e))return`(?:${e.map(p=>`^${he(p,t)}$`).join("|")})`;let r="",o="",i=".";t===!0?(r="/",o="[/\\\\]",i="[^/\\\\]"):t&&(r=t,o=We(r),o.length>1?(o=`(?:${o})`,i=`((?!${o}).)`):i=`[^${o}]`);let n=t?`${o}+?`:"",s=t?`${o}*?`:"",d=t?e.split(r):[e],a="";for(let c=0;c<d.length;c++){let p=d[c],f=d[c+1],E="";if(!(!p&&c>0)){if(t&&(c===d.length-1?E=s:f!=="**"?E=n:E=""),t&&p==="**"){E&&(a+=c===0?"":E,a+=`(?:${i}*?${E})*?`);continue}for(let h=0;h<p.length;h++){let y=p[h];y==="\\"?h<p.length-1&&(a+=se(p[h+1]),h++):y==="?"?a+=i:y==="*"?a+=`${i}*?`:a+=se(y)}a+=E}}return a}function Ke(e,t){if(typeof t!="string")throw new TypeError(`Sample must be a string, but ${typeof t} given`);return e.test(t)}function ae(e,t){if(typeof e!="string"&&!Array.isArray(e))throw new TypeError(`The first argument must be a single pattern string or an array of patterns, but ${typeof e} given`);if((typeof t=="string"||typeof t=="boolean")&&(t={separator:t}),arguments.length===2&&!(typeof t>"u"||typeof t=="object"&&t!==null&&!Array.isArray(t)))throw new TypeError(`The second argument must be an options object or a string/boolean separator, but ${typeof t} given`);if(t=t||{},t.separator==="\\")throw new Error("\\ is not a valid separator because it is used for escaping. Try setting the separator to `true` instead");let r=he(e,t.separator),o=new RegExp(`^${r}$`,t.flags),i=Ke.bind(null,o);return i.options=t,i.pattern=e,i.regexp=o,i}var J=Object.create(null),G=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?J:globalThis),we=new Proxy(J,{get(e,t){return G()[t]??J[t]},has(e,t){let r=G();return t in r||t in J},set(e,t,r){let o=G(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=G(!0);return delete r[t],!0},ownKeys(){let e=G(!0);return Object.keys(e)}});function Je(e){return e?e!=="false":!1}var de=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var ce=de==="dev"||de==="development",Ye=de==="test"||Je(we.TEST);var B=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r,this.stack=""}};function ye(e){try{return new URL(e).origin}catch{return null}}function be(e){return e.includes("://")?new URL(e).host:e}var et=H(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,i=e.headers?.get("origin")||e.headers?.get("referer")||"",n=t?.callbackURL||r?.callbackURL,s=t?.redirectTo,d=r?.currentURL,a=t?.errorCallbackURL,c=t?.newUserCallbackURL,p=o.trustedOrigins,f=e.headers?.has("cookie"),E=(y,T)=>y.startsWith("/")?!1:T.includes("*")?ae(T)(be(y)):y.startsWith(T),h=(y,T)=>{if(!y)return;if(!p.some(ie=>E(y,ie)||y?.startsWith("/")&&T!=="origin"&&!y.includes(":")))throw e.context.logger.error(`Invalid ${T}: ${y}`),e.context.logger.info(`If it's a valid URL, please add ${y} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${p}`),new Xe("FORBIDDEN",{message:`Invalid ${T}`})};f&&!e.context.options.advanced?.disableCSRFCheck&&h(i,"origin"),n&&h(n,"callbackURL"),s&&h(s,"redirectURL"),d&&h(d,"currentURL"),a&&h(a,"errorCallbackURL"),c&&h(s,"newUserCallbackURL")});import{APIError as k}from"better-call";import{z as b}from"zod";import{TimeSpan as Nr}from"oslo";import{base64url as it}from"oslo/encoding";import{HMAC as Ae,sha256 as Pr}from"oslo/crypto";async function rt({value:e,secret:t}){return new Ae("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function ot({value:e,signature:t,secret:r}){return new Ae("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var Y={sign:rt,verify:ot};var O=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function _(e,t,r,o){let i=e.context.authCookies.sessionToken.options,n=r?void 0:e.context.sessionConfig.expiresIn;if(await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...i,maxAge:n,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled){let d=it.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:O(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await Y.sign({value:JSON.stringify(t),secret:e.context.secret})})),{includePadding:!1});if(d.length>4093)throw new B("Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data");e.setCookie(e.context.authCookies.sessionData.name,d,e.context.authCookies.sessionData.options)}e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function D(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}import{betterFetch as pt}from"@better-fetch/fetch";import{APIError as lt}from"better-call";import{decodeProtectedHeader as ut,importJWK as mt,jwtVerify as ft}from"jose";import{parseJWT as gt}from"oslo/jwt";import{sha256 as nt}from"oslo/crypto";import{base64url as st}from"oslo/encoding";async function Ee(e){let t=await nt(new TextEncoder().encode(e));return st.encode(new Uint8Array(t),{includePadding:!1})}function X(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?O(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function w({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:i,scopes:n,claims:s,redirectURI:d,duration:a}){let c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",o),c.searchParams.set("scope",n.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||d),i){let p=await Ee(i);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",p)}if(s){let p=s.reduce((f,E)=>(f[E]=null,f),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...p}}))}return a&&c.searchParams.set("duration",a),c}import{betterFetch as at}from"@better-fetch/fetch";async function g({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:i,authentication:n}){let s=new URLSearchParams,d={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),n==="basic"){let f=btoa(`${o.clientId}:${o.clientSecret}`);d.authorization=`Basic ${f}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:c}=await at(i,{method:"POST",body:s,headers:d});if(c)throw c;return X(a)}import{generateCodeVerifier as dt,generateState as ct}from"oslo/oauth2";import{z as V}from"zod";import{APIError as Re}from"better-call";async function ee(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?ye(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new Re("BAD_REQUEST",{message:"callbackURL is required"});let o=dt(),i=ct(),n=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,newUserURL:e.body?.newUserCallbackURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let d=await e.context.internalAdapter.createVerificationValue({value:n,identifier:i,expiresAt:s});if(!d)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new Re("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:d.identifier,codeVerifier:o}}async function Ue(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=V.object({callbackURL:V.string(),codeVerifier:V.string(),errorURL:V.string().optional(),newUserURL:V.string().optional(),expiresAt:V.number(),link:V.object({email:V.string(),userId:V.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var _e=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:i}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${i||e.redirectURI}&scope=${n.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>g({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let i=ut(r),{kid:n,alg:s}=i;if(!n||!s)return!1;let d=await ht(n),{payload:a}=await ft(r,d,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(c=>{a[c]!==void 0&&(a[c]=!!a[c])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=gt(r.idToken)?.payload;if(!o)return null;let i=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:i,emailVerified:!1,email:o.email,...n},data:o}}}},ht=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await pt(`${t}${r}`);if(!o?.keys)throw new lt("BAD_REQUEST",{message:"Keys not found"});let i=o.keys.find(n=>n.kid===e);if(!i)throw new Error(`JWK with kid ${e} not found`);return await mt(i,i.alg)};import{betterFetch as wt}from"@better-fetch/fetch";var ke=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["identify","email"];return e.scope&&i.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${i.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await wt("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let n=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${n}`}let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...i},data:r}}});import{betterFetch as yt}from"@better-fetch/fetch";var Te=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["email","public_profile"];return e.scope&&i.push(...e.scope),await w({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:i,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await yt("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...i},data:r}}});import{betterFetch as Oe}from"@better-fetch/fetch";var Se=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:i,redirectURI:n}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),w({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:n})},validateAuthorizationCode:async({code:r,redirectURI:o})=>g({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await Oe("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(i)return null;let n=!1;if(!o.email){let{data:d,error:a}=await Oe("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(d.find(c=>c.primary)??d[0])?.email,n=d.find(c=>c.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n,...s},data:o}}}};import{parseJWT as Ut}from"oslo/jwt";import{createConsola as bt}from"consola";var pe=["info","success","warn","error","debug"];function At(e,t){return pe.indexOf(t)<=pe.indexOf(e)}var Et=bt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Rt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(i,n,s=[])=>{if(!(!t||!At(r,i))){if(!e||typeof e.log!="function"){Et[i]("",n,...s);return}e.log(i==="success"?"info":i,n,s)}};return Object.fromEntries(pe.map(i=>[i,(...[n,...s])=>o(i,n,s)]))},I=Rt();import{betterFetch as _t}from"@better-fetch/fetch";var ve=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){if(!e.clientId||!e.clientSecret)throw I.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new B("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new B("codeVerifier is required for Google");let n=r||["email","profile","openid"];e.scope&&n.push(...e.scope);let s=await w({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:t,codeVerifier:o,redirectURI:i});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:i}=await _t(o);return i?i.aud===e.clientId&&i.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=Ut(t.idToken)?.payload,o=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...o},data:r}}});import{betterFetch as kt}from"@better-fetch/fetch";import{parseJWT as Tt}from"oslo/jwt";var Pe=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(i){let n=i.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),w({id:"microsoft",options:e,authorizationEndpoint:r,state:i.state,codeVerifier:i.codeVerifier,scopes:n,redirectURI:i.redirectURI})},validateAuthorizationCode({code:i,codeVerifier:n,redirectURI:s}){return g({code:i,codeVerifier:n,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let n=Tt(i.idToken)?.payload,s=e.profilePhotoSize||48;await kt(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${i.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let p=await a.response.clone().arrayBuffer(),f=Buffer.from(p).toString("base64");n.picture=`data:image/jpeg;base64, ${f}`}catch(c){I.error(c&&typeof c=="object"&&"name"in c?c.name:"",c)}}});let d=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0,...d},data:n}}}};import{betterFetch as Ot}from"@better-fetch/fetch";var Ie=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){let n=r||["user-read-email"];return e.scope&&n.push(...e.scope),w({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:t,codeVerifier:o,redirectURI:i})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await Ot("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...i},data:r}}});var M={isAction:!1};import{nanoid as St}from"nanoid";var Le=e=>St(e);import{parseJWT as vt}from"oslo/jwt";var xe=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["user:read:email","openid"];return e.scope&&i.push(...e.scope),w({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:i,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return I.error("No idToken found in token"),null;let o=vt(r)?.payload,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...i},data:o}}});import{betterFetch as Pt}from"@better-fetch/fetch";var De=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),w({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await Pt("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...i},data:r}}});import{betterFetch as It}from"@better-fetch/fetch";var Ce=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:i,redirectURI:n})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await w({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:n,codeVerifier:i})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>await g({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await It("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(i)return null;let n=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...n},data:o}}}};import{betterFetch as Lt}from"@better-fetch/fetch";var Ve=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:i,redirectURI:n})=>{let s=i||["profile","email","openid"];return e.scope&&s.push(...e.scope),await w({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:i})=>await g({code:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:i,error:n}=await Lt("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(n)return null;let s=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,emailVerified:i.email_verified||!1,image:i.picture,...s},data:i}}}};import{betterFetch as xt}from"@better-fetch/fetch";var le=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Dt=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:le(`${t}/oauth/authorize`),tokenEndpoint:le(`${t}/oauth/token`),userinfoEndpoint:le(`${t}/api/v4/user`)}},Ne=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=Dt(e.issuer),i="gitlab";return{id:i,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:d,codeVerifier:a,redirectURI:c})=>{let p=d||["read_user"];return e.scope&&p.push(...e.scope),await w({id:i,options:e,authorizationEndpoint:t,scopes:p,state:s,redirectURI:c,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:d,codeVerifier:a})=>g({code:s,redirectURI:e.redirectURI||d,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:d,error:a}=await xt(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||d.state!=="active"||d.locked)return null;let c=await e.mapProfileToUser?.(d);return{user:{id:d.id.toString(),name:d.name??d.username,email:d.email,image:d.avatar_url,emailVerified:!0,...c},data:d}}}};import{betterFetch as je}from"@better-fetch/fetch";var Be=e=>({id:"reddit",name:"Reddit",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["identity"];return e.scope&&i.push(...e.scope),w({id:"reddit",options:e,authorizationEndpoint:"https://www.reddit.com/api/v1/authorize",scopes:i,state:t,redirectURI:o,duration:e.duration})},validateAuthorizationCode:async({code:t,redirectURI:r})=>{let o=new URLSearchParams({grant_type:"authorization_code",code:t,redirect_uri:e.redirectURI||r}),i={"content-type":"application/x-www-form-urlencoded",accept:"text/plain","user-agent":"better-auth",Authorization:`Basic ${Buffer.from(`${e.clientId}:${e.clientSecret}`).toString("base64")}`},{data:n,error:s}=await je("https://www.reddit.com/api/v1/access_token",{method:"POST",headers:i,body:o.toString()});if(s)throw s;return X(n)},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await je("https://oauth.reddit.com/api/v1/me",{headers:{Authorization:`Bearer ${t.accessToken}`,"User-Agent":"better-auth"}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.oauth_client_id,emailVerified:r.has_verified_email,image:r.icon_img?.split("?")[0],...i},data:r}}});var Ct={apple:_e,discord:ke,facebook:Te,github:Se,microsoft:Pe,google:ve,spotify:Ie,twitch:xe,twitter:De,dropbox:Ce,linkedin:Ve,gitlab:Ne,reddit:Be},te=Object.keys(Ct);import{TimeSpan as Bt}from"oslo";import{createJWT as $t,validateJWT as zt}from"oslo/jwt";import{z as L}from"zod";import{APIError as Q}from"better-call";import{APIError as N}from"better-call";import{z as $}from"zod";function $e(e){try{return JSON.parse(e)}catch{return null}}var u={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var ze=()=>l("/get-session",{method:"GET",query:$.optional($.object({disableCookieCache:$.boolean({description:"Disable cookie cache and fetch session from database"}).or($.string().transform(e=>e==="true")).optional(),disableRefresh:$.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?$e(Buffer.from(r,"base64").toString()):null;if(o&&!await Y.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return D(e),e.json(null);let i=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let p=o.session;if(o.expiresAt<Date.now()||p.session.expiresAt<new Date){let E=e.context.authCookies.sessionData.name;e.setCookie(E,"",{maxAge:0})}else return e.json(p)}let n=await e.context.internalAdapter.findSession(t);if(e.context.session=n,!n||n.session.expiresAt<new Date)return D(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(i||e.query?.disableRefresh)return e.json(n);let s=e.context.sessionConfig.expiresIn,d=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-s*1e3+d*1e3<=Date.now()){let p=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:O(e.context.sessionConfig.expiresIn,"sec")});if(!p)return D(e),e.json(null,{status:401});let f=(p.expiresAt.valueOf()-Date.now())/1e3;return await _(e,{session:p,user:n.user},!1,{maxAge:f}),e.json({session:p,user:n.user})}return e.json(n)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new N("INTERNAL_SERVER_ERROR",{message:u.FAILED_TO_GET_SESSION})}}),z=async(e,t)=>{if(e.context.session)return e.context.session;let r=await ze()({...e,_flag:"json",headers:e.headers,query:t}).catch(o=>null);return e.context.session=r,r},C=H(async e=>{let t=await z(e);if(!t?.session)throw new N("UNAUTHORIZED");return{session:t}}),qe=H(async e=>{let t=await z(e);if(!t?.session)throw new N("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),i=Date.now();if(!(o+r*1e3>i))throw new N("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var Vt=l("/revoke-session",{method:"POST",body:$.object({token:$.string({description:"The token to revoke"})}),use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new N("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new N("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new N("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Nt=l("/revoke-sessions",{method:"POST",use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new N("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),jt=l("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[C],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new N("UNAUTHORIZED");let i=(await e.context.internalAdapter.listSessions(t.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(i.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function j(e,t,r){return await $t("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Bt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function qt(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Q("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await j(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:r},e.request)}var Ft=l("/send-verification-email",{method:"POST",query:L.object({currentURL:L.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:L.object({email:L.string({description:"The email to send the verification email to"}).email(),callbackURL:L.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Q("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new Q("BAD_REQUEST",{message:u.USER_NOT_FOUND});return await qt(e,r.user),e.json({status:!0})}),Mt=l("/verify-email",{method:"GET",query:L.object({token:L.string({description:"The token to verify the email"}),callbackURL:L.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(d){throw e.query.callbackURL?e.query.callbackURL.includes("?")?e.redirect(`${e.query.callbackURL}&error=${d}`):e.redirect(`${e.query.callbackURL}?error=${d}`):new Q("UNAUTHORIZED",{message:d})}let{token:r}=e.query,o;try{o=await zt("HS256",Buffer.from(e.context.secret),r)}catch(d){return e.context.logger.error("Failed to verify email",d),t("invalid_token")}let n=L.object({email:L.string().email(),updateTo:L.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return t("user_not_found");if(n.updateTo){let d=await z(e);if(!d){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(d.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo,emailVerified:!1}),c=await j(e.context.secret,n.updateTo);if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${c}`,token:c},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await z(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await _(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function re(e,{userInfo:t,account:r,callbackURL:o}){let i=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(a=>{throw I.error(`Better auth was unable to query your database.
2
+ `,`Current list of trustedOrigins: ${p}`),new Xe("FORBIDDEN",{message:`Invalid ${T}`})};f&&!e.context.options.advanced?.disableCSRFCheck&&h(i,"origin"),n&&h(n,"callbackURL"),s&&h(s,"redirectURL"),d&&h(d,"currentURL"),a&&h(a,"errorCallbackURL"),c&&h(s,"newUserCallbackURL")});import{APIError as k}from"better-call";import{z as b}from"zod";import{TimeSpan as Nr}from"oslo";import{base64url as it}from"oslo/encoding";import{HMAC as Ae,sha256 as Pr}from"oslo/crypto";async function rt({value:e,secret:t}){return new Ae("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function ot({value:e,signature:t,secret:r}){return new Ae("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var Y={sign:rt,verify:ot};var O=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function _(e,t,r,o){let i=e.context.authCookies.sessionToken.options,n=r?void 0:e.context.sessionConfig.expiresIn;if(await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...i,maxAge:n,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled){let d=it.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:O(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await Y.sign({value:JSON.stringify(t),secret:e.context.secret})})),{includePadding:!1});if(d.length>4093)throw new B("Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data");e.setCookie(e.context.authCookies.sessionData.name,d,e.context.authCookies.sessionData.options)}e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function D(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}import{betterFetch as pt}from"@better-fetch/fetch";import{APIError as lt}from"better-call";import{decodeProtectedHeader as ut,importJWK as mt,jwtVerify as ft}from"jose";import{parseJWT as gt}from"oslo/jwt";import{sha256 as nt}from"oslo/crypto";import{base64url as st}from"oslo/encoding";async function Ee(e){let t=await nt(new TextEncoder().encode(e));return st.encode(new Uint8Array(t),{includePadding:!1})}function X(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?O(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function w({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:i,scopes:n,claims:s,redirectURI:d,duration:a}){let c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",o),c.searchParams.set("scope",n.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||d),i){let p=await Ee(i);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",p)}if(s){let p=s.reduce((f,E)=>(f[E]=null,f),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...p}}))}return a&&c.searchParams.set("duration",a),c}import{betterFetch as at}from"@better-fetch/fetch";async function g({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:i,authentication:n}){let s=new URLSearchParams,d={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),n==="basic"){let f=btoa(`${o.clientId}:${o.clientSecret}`);d.authorization=`Basic ${f}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:c}=await at(i,{method:"POST",body:s,headers:d});if(c)throw c;return X(a)}import{generateCodeVerifier as dt,generateState as ct}from"oslo/oauth2";import{z as V}from"zod";import{APIError as Re}from"better-call";async function ee(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?ye(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new Re("BAD_REQUEST",{message:"callbackURL is required"});let o=dt(),i=ct(),n=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,newUserURL:e.body?.newUserCallbackURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let d=await e.context.internalAdapter.createVerificationValue({value:n,identifier:i,expiresAt:s});if(!d)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new Re("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:d.identifier,codeVerifier:o}}async function Ue(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=V.object({callbackURL:V.string(),codeVerifier:V.string(),errorURL:V.string().optional(),newUserURL:V.string().optional(),expiresAt:V.number(),link:V.object({email:V.string(),userId:V.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var _e=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:i}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${i||e.redirectURI}&scope=${n.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>g({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let i=ut(r),{kid:n,alg:s}=i;if(!n||!s)return!1;let d=await ht(n),{payload:a}=await ft(r,d,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(c=>{a[c]!==void 0&&(a[c]=!!a[c])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=gt(r.idToken)?.payload;if(!o)return null;let i=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:i,emailVerified:!1,email:o.email,...n},data:o}}}},ht=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await pt(`${t}${r}`);if(!o?.keys)throw new lt("BAD_REQUEST",{message:"Keys not found"});let i=o.keys.find(n=>n.kid===e);if(!i)throw new Error(`JWK with kid ${e} not found`);return await mt(i,i.alg)};import{betterFetch as wt}from"@better-fetch/fetch";var ke=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["identify","email"];return e.scope&&i.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${i.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await wt("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let n=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${n}`}let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...i},data:r}}});import{betterFetch as yt}from"@better-fetch/fetch";var Te=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["email","public_profile"];return e.scope&&i.push(...e.scope),await w({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:i,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await yt("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...i},data:r}}});import{betterFetch as Oe}from"@better-fetch/fetch";var Se=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:i,redirectURI:n}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),w({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:n})},validateAuthorizationCode:async({code:r,redirectURI:o})=>g({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await Oe("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(i)return null;let n=!1;if(!o.email){let{data:d,error:a}=await Oe("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(d.find(c=>c.primary)??d[0])?.email,n=d.find(c=>c.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n,...s},data:o}}}};import{parseJWT as Ut}from"oslo/jwt";import{createConsola as bt}from"consola";var pe=["info","success","warn","error","debug"];function At(e,t){return pe.indexOf(t)<=pe.indexOf(e)}var Et=bt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Rt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(i,n,s=[])=>{if(!(!t||!At(r,i))){if(!e||typeof e.log!="function"){Et[i]("",n,...s);return}e.log(i==="success"?"info":i,n,s)}};return Object.fromEntries(pe.map(i=>[i,(...[n,...s])=>o(i,n,s)]))},I=Rt();import{betterFetch as _t}from"@better-fetch/fetch";var ve=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){if(!e.clientId||!e.clientSecret)throw I.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new B("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new B("codeVerifier is required for Google");let n=r||["email","profile","openid"];e.scope&&n.push(...e.scope);let s=await w({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:t,codeVerifier:o,redirectURI:i});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:i}=await _t(o);return i?i.aud===e.clientId&&i.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=Ut(t.idToken)?.payload,o=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...o},data:r}}});import{betterFetch as kt}from"@better-fetch/fetch";import{parseJWT as Tt}from"oslo/jwt";var Pe=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(i){let n=i.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),w({id:"microsoft",options:e,authorizationEndpoint:r,state:i.state,codeVerifier:i.codeVerifier,scopes:n,redirectURI:i.redirectURI})},validateAuthorizationCode({code:i,codeVerifier:n,redirectURI:s}){return g({code:i,codeVerifier:n,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let n=Tt(i.idToken)?.payload,s=e.profilePhotoSize||48;await kt(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${i.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let p=await a.response.clone().arrayBuffer(),f=Buffer.from(p).toString("base64");n.picture=`data:image/jpeg;base64, ${f}`}catch(c){I.error(c&&typeof c=="object"&&"name"in c?c.name:"",c)}}});let d=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0,...d},data:n}}}};import{betterFetch as Ot}from"@better-fetch/fetch";var Ie=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){let n=r||["user-read-email"];return e.scope&&n.push(...e.scope),w({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:t,codeVerifier:o,redirectURI:i})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await Ot("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...i},data:r}}});var M={isAction:!1};import{nanoid as St}from"nanoid";var Le=e=>St(e);import{parseJWT as vt}from"oslo/jwt";var xe=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["user:read:email","openid"];return e.scope&&i.push(...e.scope),w({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:i,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return I.error("No idToken found in token"),null;let o=vt(r)?.payload,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...i},data:o}}});import{betterFetch as Pt}from"@better-fetch/fetch";var De=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),w({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await Pt("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...i},data:r}}});import{betterFetch as It}from"@better-fetch/fetch";var Ce=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:i,redirectURI:n})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await w({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:n,codeVerifier:i})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>await g({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await It("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(i)return null;let n=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...n},data:o}}}};import{betterFetch as Lt}from"@better-fetch/fetch";var Ve=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:i,redirectURI:n})=>{let s=i||["profile","email","openid"];return e.scope&&s.push(...e.scope),await w({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:i})=>await g({code:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:i,error:n}=await Lt("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(n)return null;let s=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,emailVerified:i.email_verified||!1,image:i.picture,...s},data:i}}}};import{betterFetch as xt}from"@better-fetch/fetch";var le=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Dt=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:le(`${t}/oauth/authorize`),tokenEndpoint:le(`${t}/oauth/token`),userinfoEndpoint:le(`${t}/api/v4/user`)}},Ne=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=Dt(e.issuer),i="gitlab";return{id:i,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:d,codeVerifier:a,redirectURI:c})=>{let p=d||["read_user"];return e.scope&&p.push(...e.scope),await w({id:i,options:e,authorizationEndpoint:t,scopes:p,state:s,redirectURI:c,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:d,codeVerifier:a})=>g({code:s,redirectURI:e.redirectURI||d,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:d,error:a}=await xt(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||d.state!=="active"||d.locked)return null;let c=await e.mapProfileToUser?.(d);return{user:{id:d.id.toString(),name:d.name??d.username,email:d.email,image:d.avatar_url,emailVerified:!0,...c},data:d}}}};import{betterFetch as je}from"@better-fetch/fetch";var Be=e=>({id:"reddit",name:"Reddit",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["identity"];return e.scope&&i.push(...e.scope),w({id:"reddit",options:e,authorizationEndpoint:"https://www.reddit.com/api/v1/authorize",scopes:i,state:t,redirectURI:o,duration:e.duration})},validateAuthorizationCode:async({code:t,redirectURI:r})=>{let o=new URLSearchParams({grant_type:"authorization_code",code:t,redirect_uri:e.redirectURI||r}),i={"content-type":"application/x-www-form-urlencoded",accept:"text/plain","user-agent":"better-auth",Authorization:`Basic ${Buffer.from(`${e.clientId}:${e.clientSecret}`).toString("base64")}`},{data:n,error:s}=await je("https://www.reddit.com/api/v1/access_token",{method:"POST",headers:i,body:o.toString()});if(s)throw s;return X(n)},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await je("https://oauth.reddit.com/api/v1/me",{headers:{Authorization:`Bearer ${t.accessToken}`,"User-Agent":"better-auth"}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.oauth_client_id,emailVerified:r.has_verified_email,image:r.icon_img?.split("?")[0],...i},data:r}}});var Ct={apple:_e,discord:ke,facebook:Te,github:Se,microsoft:Pe,google:ve,spotify:Ie,twitch:xe,twitter:De,dropbox:Ce,linkedin:Ve,gitlab:Ne,reddit:Be},te=Object.keys(Ct);import{TimeSpan as Bt}from"oslo";import{createJWT as $t,validateJWT as zt}from"oslo/jwt";import{z as L}from"zod";import{APIError as Q}from"better-call";import{APIError as N}from"better-call";import{z as $}from"zod";function $e(e){try{return JSON.parse(e)}catch{return null}}var u={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var ze=()=>l("/get-session",{method:"GET",query:$.optional($.object({disableCookieCache:$.boolean({description:"Disable cookie cache and fetch session from database"}).or($.string().transform(e=>e==="true")).optional(),disableRefresh:$.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?$e(Buffer.from(r,"base64").toString()):null;if(o&&!await Y.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return D(e),e.json(null);let i=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let p=o.session;if(o.expiresAt<Date.now()||p.session.expiresAt<new Date){let E=e.context.authCookies.sessionData.name;e.setCookie(E,"",{maxAge:0})}else return e.json(p)}let n=await e.context.internalAdapter.findSession(t);if(e.context.session=n,!n||n.session.expiresAt<new Date)return D(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(i||e.query?.disableRefresh)return e.json(n);let s=e.context.sessionConfig.expiresIn,d=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-s*1e3+d*1e3<=Date.now()){let p=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:O(e.context.sessionConfig.expiresIn,"sec")});if(!p)return D(e),e.json(null,{status:401});let f=(p.expiresAt.valueOf()-Date.now())/1e3;return await _(e,{session:p,user:n.user},!1,{maxAge:f}),e.json({session:p,user:n.user})}return e.json(n)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new N("INTERNAL_SERVER_ERROR",{message:u.FAILED_TO_GET_SESSION})}}),z=async(e,t)=>{if(e.context.session)return e.context.session;let r=await ze()({...e,_flag:"json",headers:e.headers,query:t}).catch(o=>null);return e.context.session=r,r},C=H(async e=>{let t=await z(e);if(!t?.session)throw new N("UNAUTHORIZED");return{session:t}}),qe=H(async e=>{let t=await z(e);if(!t?.session)throw new N("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.updatedAt?.valueOf()||t.session.createdAt.valueOf();if(!(Date.now()-o<r*1e3))throw new N("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var Vt=l("/revoke-session",{method:"POST",body:$.object({token:$.string({description:"The token to revoke"})}),use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new N("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new N("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new N("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Nt=l("/revoke-sessions",{method:"POST",use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new N("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),jt=l("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[C],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new N("UNAUTHORIZED");let i=(await e.context.internalAdapter.listSessions(t.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(i.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function j(e,t,r){return await $t("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new Bt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function qt(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Q("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await j(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:r},e.request)}var Ft=l("/send-verification-email",{method:"POST",query:L.object({currentURL:L.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:L.object({email:L.string({description:"The email to send the verification email to"}).email(),callbackURL:L.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new Q("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new Q("BAD_REQUEST",{message:u.USER_NOT_FOUND});return await qt(e,r.user),e.json({status:!0})}),Mt=l("/verify-email",{method:"GET",query:L.object({token:L.string({description:"The token to verify the email"}),callbackURL:L.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(d){throw e.query.callbackURL?e.query.callbackURL.includes("?")?e.redirect(`${e.query.callbackURL}&error=${d}`):e.redirect(`${e.query.callbackURL}?error=${d}`):new Q("UNAUTHORIZED",{message:d})}let{token:r}=e.query,o;try{o=await zt("HS256",Buffer.from(e.context.secret),r)}catch(d){return e.context.logger.error("Failed to verify email",d),t("invalid_token")}let n=L.object({email:L.string().email(),updateTo:L.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return t("user_not_found");if(n.updateTo){let d=await z(e);if(!d){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(d.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo,emailVerified:!1}),c=await j(e.context.secret,n.updateTo);if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${c}`,token:c},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await z(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await _(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function re(e,{userInfo:t,account:r,callbackURL:o}){let i=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(a=>{throw I.error(`Better auth was unable to query your database.
3
3
  Error: `,a),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=i?.user,s=!n;if(i){let a=i.accounts.find(c=>c.providerId===r.providerId);if(a){let c=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([p,f])=>f!==void 0));Object.keys(c).length>0&&await e.context.internalAdapter.updateAccount(a.id,c)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return ce&&I.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:i.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(f){return I.error("Unable to link account",f),{error:"unable to link account",data:null}}n=await e.context.internalAdapter.updateUser(i.user.id,{...t,updatedAt:new Date})}}else if(n=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(a=>a?.user),!t.emailVerified&&n&&e.context.options.emailVerification?.sendOnSignUp){let a=await j(e.context.secret,n.email),c=`${e.context.baseURL}/verify-email?token=${a}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:c,token:a},e.request)}if(!n)return{error:"unable to create user",data:null,isRegister:!1};let d=await e.context.internalAdapter.createSession(n.id,e.request);return d?{data:{session:d,user:n},error:null,isRegister:s}:{error:"unable to create session",data:null,isRegister:!1}}var Ht=l("/sign-in/social",{method:"POST",query:b.object({currentURL:b.string().optional()}).optional(),body:b.object({callbackURL:b.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),newUserCallbackURL:b.string().optional(),errorCallbackURL:b.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:b.enum(te,{description:"OAuth2 provider to use"}),disableRedirect:b.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:b.optional(b.object({token:b.string({description:"ID token from the provider"}),nonce:b.string({description:"Nonce used to generate the token"}).optional(),accessToken:b.string({description:"Access token from the provider"}).optional(),refreshToken:b.string({description:"Refresh token from the provider"}).optional(),expiresAt:b.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new k("NOT_FOUND",{message:u.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new k("NOT_FOUND",{message:u.ID_TOKEN_NOT_SUPPORTED});let{token:n,nonce:s}=e.body.idToken;if(!await t.verifyIdToken(n,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new k("UNAUTHORIZED",{message:u.INVALID_TOKEN});let a=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new k("UNAUTHORIZED",{message:u.FAILED_TO_GET_USER_INFO});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new k("UNAUTHORIZED",{message:u.USER_EMAIL_NOT_FOUND});let c=await re(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:t.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(c.error)throw new k("UNAUTHORIZED",{message:c.error});return await _(e,c.data),e.json({session:c.data.session,user:c.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:o}=await ee(e),i=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:i.toString(),redirect:!e.body.disableRedirect})}),Gt=l("/sign-in/email",{method:"POST",body:b.object({email:b.string({description:"Email of the user"}),password:b.string({description:"Password of the user"}),callbackURL:b.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:b.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new k("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!b.string().email().safeParse(t).success)throw new k("BAD_REQUEST",{message:u.INVALID_EMAIL});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new k("UNAUTHORIZED",{message:u.INVALID_EMAIL_OR_PASSWORD});let n=i.accounts.find(c=>c.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new k("UNAUTHORIZED",{message:u.INVALID_EMAIL_OR_PASSWORD});let s=n?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new k("UNAUTHORIZED",{message:u.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:s,password:r}))throw e.context.logger.error("Invalid password"),new k("UNAUTHORIZED",{message:u.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new k("UNAUTHORIZED",{message:u.EMAIL_NOT_VERIFIED});let c=await j(e.context.secret,i.user.email),p=`${e.context.baseURL}/verify-email?token=${c}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:p,token:c},e.request),e.context.logger.error("Email not verified",{email:t}),new k("FORBIDDEN",{message:u.EMAIL_NOT_VERIFIED})}let a=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new k("UNAUTHORIZED",{message:u.FAILED_TO_CREATE_SESSION});return await _(e,{session:a,user:i.user},e.body.rememberMe===!1),e.json({user:{id:i.user.id,email:i.user.email,name:i.user.name,image:i.user.image,emailVerified:i.user.emailVerified,createdAt:i.user.createdAt,updatedAt:i.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as Z}from"zod";var oe=Z.object({code:Z.string().optional(),error:Z.string().optional(),error_description:Z.string().optional(),state:Z.string().optional()}),Qt=l("/callback/:id",{method:["GET","POST"],body:oe.optional(),query:oe.optional(),metadata:M},async e=>{let t;try{if(e.method==="GET")t=oe.parse(e.query);else if(e.method==="POST")t=oe.parse(e.body);else throw new Error("Unsupported method")}catch(v){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",v),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:o,state:i,error_description:n}=t;if(!i)throw e.context.logger.error("State not found",o),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}&error_description=${n}`);let s=e.context.socialProviders.find(v=>v.id===e.params.id);if(!s)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:d,callbackURL:a,link:c,errorURL:p,newUserURL:f}=await Ue(e),E;try{E=await s.validateAuthorizationCode({code:r,codeVerifier:d,redirectURI:`${e.context.baseURL}/callback/${s.id}`})}catch(v){throw e.context.logger.error("",v),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let h=await s.getUserInfo(E).then(v=>v?.user);function y(v){let x=p||a||`${e.context.baseURL}/error`;throw x.includes("?")?x=`${x}&error=${v}`:x=`${x}?error=${v}`,e.redirect(x)}if(!h)return e.context.logger.error("Unable to get user info"),y("unable_to_get_user_info");if(!h.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),y("email_not_found");if(!a)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(c){if(c.email!==h.email.toLowerCase())return y("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:c.userId,providerId:s.id,accountId:h.id}))return y("unable_to_link_account");let x;try{x=a.toString()}catch{x=a}throw e.redirect(x)}let T=await re(e,{userInfo:{...h,email:h.email,name:h.name||h.email},account:{providerId:s.id,accountId:h.id,...E,scope:E.scopes?.join(",")},callbackURL:a});if(T.error)return e.context.logger.error(T.error.split(" ").join("_")),y(T.error.split(" ").join("_"));let{session:me,user:ie}=T.data;await _(e,{session:me,user:ie});let ne;try{ne=(T.isRegister&&f||a).toString()}catch{ne=T.isRegister&&f||a}throw e.redirect(ne)});import"zod";import{APIError as Zt}from"better-call";var Wt=l("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw D(e),new Zt("BAD_REQUEST",{message:u.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),D(e),e.json({success:!0})});import{z as P}from"zod";import{APIError as W}from"better-call";function Fe(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}function Kt(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}var Jt=l("/forget-password",{method:"POST",body:P.object({email:P.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:P.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new W("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let i=60*60*1,n=O(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||i,"sec"),s=Le(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id.toString(),identifier:`reset-password:${s}`,expiresAt:n});let d=`${e.context.baseURL}/reset-password/${s}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:d,token:s},e.request),e.json({status:!0})}),Yt=l("/reset-password/:token",{method:"GET",query:P.object({callbackURL:P.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(Fe(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(Fe(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Kt(e.context,r,{token:t}))}),Xt=l("/reset-password",{query:P.optional(P.object({token:P.string().optional(),currentURL:P.string().optional()})),method:"POST",body:P.object({newPassword:P.string({description:"The new password to set"}),token:P.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new W("BAD_REQUEST",{message:u.INVALID_TOKEN});let{newPassword:r}=e.body,o=e.context.password?.config.minPasswordLength,i=e.context.password?.config.maxPasswordLength;if(r.length<o)throw new W("BAD_REQUEST",{message:u.PASSWORD_TOO_SHORT});if(r.length>i)throw new W("BAD_REQUEST",{message:u.PASSWORD_TOO_LONG});let n=`reset-password:${t}`,s=await e.context.internalAdapter.findVerificationValue(n);if(!s||s.expiresAt<new Date)throw new W("BAD_REQUEST",{message:u.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(s.id);let d=s.value,a=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(d)).find(f=>f.providerId==="credential")?(await e.context.internalAdapter.updatePassword(d,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:d,providerId:"credential",password:a,accountId:d}),e.json({status:!0}))});import{z as S}from"zod";import{APIError as R}from"better-call";import{z as m}from"zod";import{APIError as Jn}from"better-call";var Yn=m.object({id:m.string(),providerId:m.string(),accountId:m.string(),userId:m.string(),accessToken:m.string().nullish(),refreshToken:m.string().nullish(),idToken:m.string().nullish(),accessTokenExpiresAt:m.date().nullish(),refreshTokenExpiresAt:m.date().nullish(),scope:m.string().nullish(),password:m.string().nullish(),createdAt:m.date().default(()=>new Date),updatedAt:m.date().default(()=>new Date)}),Xn=m.object({id:m.string(),email:m.string().transform(e=>e.toLowerCase()),emailVerified:m.boolean().default(!1),name:m.string(),image:m.string().nullish(),createdAt:m.date().default(()=>new Date),updatedAt:m.date().default(()=>new Date)}),es=m.object({id:m.string(),userId:m.string(),expiresAt:m.date(),createdAt:m.date().default(()=>new Date),updatedAt:m.date().default(()=>new Date),token:m.string(),ipAddress:m.string().nullish(),userAgent:m.string().nullish()}),ts=m.object({id:m.string(),value:m.string(),createdAt:m.date().default(()=>new Date),updatedAt:m.date().default(()=>new Date),expiresAt:m.date(),identifier:m.string()});import{xchacha20poly1305 as gs}from"@noble/ciphers/chacha";import{bytesToHex as ws,hexToBytes as ys,utf8ToBytes as bs}from"@noble/ciphers/utils";import{managedNonce as Es}from"@noble/ciphers/webcrypto";import{sha256 as Us}from"oslo/crypto";import ks from"uncrypto";import{decodeHex as is,encodeHex as ns}from"oslo/encoding";import{scryptAsync as ds}from"@noble/hashes/scrypt";import{getRandomValues as ps}from"uncrypto";import Me from"uncrypto";function er(e){return e.toString(2).padStart(8,"0")}function tr(e){return[...e].map(t=>er(t)).join("")}function He(e){return parseInt(tr(e),2)}function rr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new Uint8Array(Math.ceil(t/8));Me.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let i=He(o);for(;i>=e;)Me.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),i=He(o);return i}function q(e,t){let r="";for(let o=0;o<e;o++)r+=t[rr(t.length)];return r}function F(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var ir=l("/change-password",{method:"POST",body:S.object({newPassword:S.string({description:"The new password to set"}),currentPassword:S.string({description:"The current password"}),revokeOtherSessions:S.boolean({description:"Revoke all other sessions"}).optional()}),use:[C],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,i=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new R("BAD_REQUEST",{message:u.PASSWORD_TOO_SHORT});let s=e.context.password.config.maxPasswordLength;if(t.length>s)throw e.context.logger.error("Password is too long"),new R("BAD_REQUEST",{message:u.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(f=>f.providerId==="credential"&&f.password);if(!a||!a.password)throw new R("BAD_REQUEST",{message:u.CREDENTIAL_ACCOUNT_NOT_FOUND});let c=await e.context.password.hash(t);if(!await e.context.password.verify({hash:a.password,password:r}))throw new R("BAD_REQUEST",{message:u.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(a.id,{password:c}),o){await e.context.internalAdapter.deleteSessions(i.user.id);let f=await e.context.internalAdapter.createSession(i.user.id,e.headers);if(!f)throw new R("INTERNAL_SERVER_ERROR",{message:u.FAILED_TO_GET_SESSION});await _(e,{session:f,user:i.user})}return e.json(i.user)}),nr=l("/set-password",{method:"POST",body:S.object({newPassword:S.string()}),metadata:{SERVER_ONLY:!0},use:[C]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new R("BAD_REQUEST",{message:u.PASSWORD_TOO_SHORT});let i=e.context.password.config.maxPasswordLength;if(t.length>i)throw e.context.logger.error("Password is too long"),new R("BAD_REQUEST",{message:u.PASSWORD_TOO_LONG});let s=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password),d=await e.context.password.hash(t);if(!s)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:d}),e.json(r.user);throw new R("BAD_REQUEST",{message:"user already has a password"})}),sr=l("/delete-user",{method:"POST",use:[qe],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new R("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let i=q(32,F("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${i}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let n=`${e.context.baseURL}/delete-user/callback?token=${i}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:n,token:i},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),D(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(t.user,e.request),e.json({success:!0,message:"User deleted"})}),ar=l("/delete-user/callback",{method:"GET",query:S.object({token:S.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new R("NOT_FOUND");let t=await z(e);if(!t)throw new R("NOT_FOUND",{message:u.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new R("NOT_FOUND",{message:u.INVALID_TOKEN});if(r.value!==t.user.id)throw new R("NOT_FOUND",{message:u.INVALID_TOKEN});let o=e.context.options.user.deleteUser?.beforeDelete;o&&await o(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),D(e);let i=e.context.options.user.deleteUser?.afterDelete;return i&&await i(t.user,e.request),e.json({success:!0,message:"User deleted"})}),dr=l("/change-email",{method:"POST",query:S.object({currentURL:S.string().optional()}).optional(),body:S.object({newEmail:S.string({description:"The new email to set"}).email(),callbackURL:S.string({description:"The URL to redirect to after email verification"}).optional()}),use:[C],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new R("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new R("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new R("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let i=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:i,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new R("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await j(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:r},e.request),e.json({user:null,status:!0})});var cr=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>
package/dist/plugins/generic-oauth.cjs CHANGED
@@ -1,5 +1,5 @@
1
1
  "use strict";var It=Object.create;var ne=Object.defineProperty;var Lt=Object.getOwnPropertyDescriptor;var Pt=Object.getOwnPropertyNames;var xt=Object.getPrototypeOf,Dt=Object.prototype.hasOwnProperty;var Ct=(e,r)=>{for(var t in r)ne(e,t,{get:r[t],enumerable:!0})},ve=(e,r,t,o)=>{if(r&&typeof r=="object"||typeof r=="function")for(let i of Pt(r))!Dt.call(e,i)&&i!==t&&ne(e,i,{get:()=>r[i],enumerable:!(o=Lt(r,i))||o.enumerable});return e};var ge=(e,r,t)=>(t=e!=null?It(xt(e)):{},ve(r||!e||!e.__esModule?ne(t,"default",{value:e,enumerable:!0}):t,e)),Nt=e=>ve(ne({},"__esModule",{value:!0}),e);var jr={};Ct(jr,{genericOAuth:()=>Vr});module.exports=Nt(jr);var ie=require("@better-fetch/fetch"),H=require("better-call"),vt=require("oslo/jwt"),L=require("zod");var te=require("better-call");var Ce=require("better-call");var F=require("better-call"),Ie=(0,F.createMiddleware)(async()=>({})),re=(0,F.createMiddlewareCreator)({use:[Ie,(0,F.createMiddleware)(async()=>({}))]}),m=(0,F.createEndpointCreator)({use:[Ie]});function he(e){return e==="-"||e==="^"||e==="$"||e==="+"||e==="."||e==="("||e===")"||e==="|"||e==="["||e==="]"||e==="{"||e==="}"||e==="*"||e==="?"||e==="\\"?`\\${e}`:e}function Vt(e){let r="";for(let t=0;t<e.length;t++)r+=he(e[t]);return r}function Le(e,r=!0){if(Array.isArray(e))return`(?:${e.map(l=>`^${Le(l,r)}$`).join("|")})`;let t="",o="",i=".";r===!0?(t="/",o="[/\\\\]",i="[^/\\\\]"):r&&(t=r,o=Vt(t),o.length>1?(o=`(?:${o})`,i=`((?!${o}).)`):i=`[^${o}]`);let n=r?`${o}+?`:"",s=r?`${o}*?`:"",d=r?e.split(t):[e],a="";for(let c=0;c<d.length;c++){let l=d[c],f=d[c+1],h="";if(!(!l&&c>0)){if(r&&(c===d.length-1?h=s:f!=="**"?h=n:h=""),r&&l==="**"){h&&(a+=c===0?"":h,a+=`(?:${i}*?${h})*?`);continue}for(let y=0;y<l.length;y++){let w=l[y];w==="\\"?y<l.length-1&&(a+=he(l[y+1]),y++):w==="?"?a+=i:w==="*"?a+=`${i}*?`:a+=he(w)}a+=h}}return a}function jt(e,r){if(typeof r!="string")throw new TypeError(`Sample must be a string, but ${typeof r} given`);return e.test(r)}function we(e,r){if(typeof e!="string"&&!Array.isArray(e))throw new TypeError(`The first argument must be a single pattern string or an array of patterns, but ${typeof e} given`);if((typeof r=="string"||typeof r=="boolean")&&(r={separator:r}),arguments.length===2&&!(typeof r>"u"||typeof r=="object"&&r!==null&&!Array.isArray(r)))throw new TypeError(`The second argument must be an options object or a string/boolean separator, but ${typeof r} given`);if(r=r||{},r.separator==="\\")throw new Error("\\ is not a valid separator because it is used for escaping. Try setting the separator to `true` instead");let t=Le(e,r.separator),o=new RegExp(`^${t}$`,r.flags),i=jt.bind(null,o);return i.options=r,i.pattern=e,i.regexp=o,i}var se=Object.create(null),oe=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?se:globalThis),Pe=new Proxy(se,{get(e,r){return oe()[r]??se[r]},has(e,r){let t=oe();return r in t||r in se},set(e,r,t){let o=oe(!0);return o[r]=t,!0},deleteProperty(e,r){if(!r)return!1;let t=oe(!0);return delete t[r],!0},ownKeys(){let e=oe(!0);return Object.keys(e)}});function Bt(e){return e?e!=="false":!1}var ye=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var be=ye==="dev"||ye==="development",$t=ye==="test"||Bt(Pe.TEST);var $=class extends Error{constructor(r,t){super(r),this.name="BetterAuthError",this.message=r,this.cause=t,this.stack=""}};function xe(e){try{return new URL(e).origin}catch{return null}}function De(e){return e.includes("://")?new URL(e).host:e}var zt=re(async e=>{if(e.request?.method!=="POST")return;let{body:r,query:t,context:o}=e,i=e.headers?.get("origin")||e.headers?.get("referer")||"",n=r?.callbackURL||t?.callbackURL,s=r?.redirectTo,d=t?.currentURL,a=r?.errorCallbackURL,c=r?.newUserCallbackURL,l=o.trustedOrigins,f=e.headers?.has("cookie"),h=(w,R)=>w.startsWith("/")?!1:R.includes("*")?we(R)(De(w)):w.startsWith(R),y=(w,R)=>{if(!w)return;if(!l.some(B=>h(w,B)||w?.startsWith("/")&&R!=="origin"&&!w.includes(":")))throw e.context.logger.error(`Invalid ${R}: ${w}`),e.context.logger.info(`If it's a valid URL, please add ${w} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${l}`),new Ce.APIError("FORBIDDEN",{message:`Invalid ${R}`})};f&&!e.context.options.advanced?.disableCSRFCheck&&y(i,"origin"),n&&y(n,"callbackURL"),s&&y(s,"redirectURL"),d&&y(d,"currentURL"),a&&y(a,"errorCallbackURL"),c&&y(s,"newUserCallbackURL")});var E=require("better-call"),U=require("zod");var Ht=require("oslo"),Ne=require("oslo/encoding");var ae=require("oslo/crypto");async function Ft({value:e,secret:r}){return new ae.HMAC("SHA-256").sign(new TextEncoder().encode(r),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function Mt({value:e,signature:r,secret:t}){return new ae.HMAC("SHA-256").verify(new TextEncoder().encode(t),Buffer.from(r,"base64"),new TextEncoder().encode(e))}var de={sign:Ft,verify:Mt};var z=(e,r="ms")=>new Date(Date.now()+(r==="sec"?e*1e3:e));async function T(e,r,t,o){let i=e.context.authCookies.sessionToken.options,n=t?void 0:e.context.sessionConfig.expiresIn;if(await e.setSignedCookie(e.context.authCookies.sessionToken.name,r.session.token,e.context.secret,{...i,maxAge:n,...o}),t&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled){let d=Ne.base64url.encode(new TextEncoder().encode(JSON.stringify({session:r,expiresAt:z(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await de.sign({value:JSON.stringify(r),secret:e.context.secret})})),{includePadding:!1});if(d.length>4093)throw new $("Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data");e.setCookie(e.context.authCookies.sessionData.name,d,e.context.authCookies.sessionData.options)}e.context.setNewSession(r),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(r.session.token,JSON.stringify({user:r.user,session:r.session}),Math.floor((new Date(r.session.expiresAt).getTime()-Date.now())/1e3))}function P(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}var ze=require("@better-fetch/fetch"),qe=require("better-call"),Q=require("jose"),Fe=require("oslo/jwt");var Ve=require("oslo/crypto"),je=require("oslo/encoding");async function Be(e){let r=await(0,Ve.sha256)(new TextEncoder().encode(e));return je.base64url.encode(new Uint8Array(r),{includePadding:!1})}function ce(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?z(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function A({id:e,options:r,authorizationEndpoint:t,state:o,codeVerifier:i,scopes:n,claims:s,redirectURI:d,duration:a}){let c=new URL(t);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",r.clientId),c.searchParams.set("state",o),c.searchParams.set("scope",n.join(" ")),c.searchParams.set("redirect_uri",r.redirectURI||d),i){let l=await Be(i);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",l)}if(s){let l=s.reduce((f,h)=>(f[h]=null,f),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...l}}))}return a&&c.searchParams.set("duration",a),c}var $e=require("@better-fetch/fetch");async function b({code:e,codeVerifier:r,redirectURI:t,options:o,tokenEndpoint:i,authentication:n}){let s=new URLSearchParams,d={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),r&&s.set("code_verifier",r),s.set("redirect_uri",t),n==="basic"){let f=btoa(`${o.clientId}:${o.clientSecret}`);d.authorization=`Basic ${f}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:c}=await(0,$e.betterFetch)(i,{method:"POST",body:s,headers:d});if(c)throw c;return ce(a)}var le=require("oslo/oauth2"),x=require("zod"),Ae=require("better-call");async function W(e,r){let t=e.body?.callbackURL||(e.query?.currentURL?xe(e.query?.currentURL):"")||e.context.options.baseURL;if(!t)throw new Ae.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,le.generateCodeVerifier)(),i=(0,le.generateState)(),n=JSON.stringify({callbackURL:t,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,newUserURL:e.body?.newUserCallbackURL,link:r,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let d=await e.context.internalAdapter.createVerificationValue({value:n,identifier:i,expiresAt:s});if(!d)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new Ae.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:d.identifier,codeVerifier:o}}async function pe(e){let r=e.query.state||e.body.state,t=await e.context.internalAdapter.findVerificationValue(r);if(!t)throw e.context.logger.error("State Mismatch. Verification not found",{state:r}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=x.z.object({callbackURL:x.z.string(),codeVerifier:x.z.string(),errorURL:x.z.string().optional(),newUserURL:x.z.string().optional(),expiresAt:x.z.number(),link:x.z.object({email:x.z.string(),userId:x.z.string()}).optional()}).parse(JSON.parse(t.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(t.id),e.context.logger.error("State expired.",{state:r}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(t.id),o}var Me=e=>{let r="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:t,scopes:o,redirectURI:i}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${i||e.redirectURI}&scope=${n.join(" ")}&state=${t}&response_mode=form_post`)},validateAuthorizationCode:async({code:t,codeVerifier:o,redirectURI:i})=>b({code:t,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async verifyIdToken(t,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,o);let i=(0,Q.decodeProtectedHeader)(t),{kid:n,alg:s}=i;if(!n||!s)return!1;let d=await Gt(n),{payload:a}=await(0,Q.jwtVerify)(t,d,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(c=>{a[c]!==void 0&&(a[c]=!!a[c])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let o=(0,Fe.parseJWT)(t.idToken)?.payload;if(!o)return null;let i=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:i,emailVerified:!1,email:o.email,...n},data:o}}}},Gt=async e=>{let r="https://appleid.apple.com",t="/auth/keys",{data:o}=await(0,ze.betterFetch)(`${r}${t}`);if(!o?.keys)throw new qe.APIError("BAD_REQUEST",{message:"Keys not found"});let i=o.keys.find(n=>n.kid===e);if(!i)throw new Error(`JWK with kid ${e} not found`);return await(0,Q.importJWK)(i,i.alg)};var He=require("@better-fetch/fetch");var Ge=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:r,scopes:t,redirectURI:o}){let i=t||["identify","email"];return e.scope&&i.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${i.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${r}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:r,redirectURI:t})=>b({code:r,redirectURI:e.redirectURI||t,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,He.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${r.accessToken}`}});if(o)return null;if(t.avatar===null){let n=t.discriminator==="0"?Number(BigInt(t.id)>>BigInt(22))%6:parseInt(t.discriminator)%5;t.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=t.avatar.startsWith("a_")?"gif":"png";t.image_url=`https://cdn.discordapp.com/avatars/${t.id}/${t.avatar}.${n}`}let i=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.display_name||t.username||"",email:t.email,emailVerified:t.verified,image:t.image_url,...i},data:t}}});var We=require("@better-fetch/fetch");var Qe=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:r,scopes:t,redirectURI:o}){let i=t||["email","public_profile"];return e.scope&&i.push(...e.scope),await A({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:i,state:r,redirectURI:o})},validateAuthorizationCode:async({code:r,redirectURI:t})=>b({code:r,redirectURI:e.redirectURI||t,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,We.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:r.accessToken}});if(o)return null;let i=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.name,email:t.email,image:t.picture.data.url,emailVerified:t.email_verified,...i},data:t}}});var Ue=require("@better-fetch/fetch");var Ze=e=>{let r="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:t,scopes:o,codeVerifier:i,redirectURI:n}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),A({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:t,redirectURI:n})},validateAuthorizationCode:async({code:t,redirectURI:o})=>b({code:t,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:r}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:o,error:i}=await(0,Ue.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${t.accessToken}`}});if(i)return null;let n=!1;if(!o.email){let{data:d,error:a}=await(0,Ue.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${t.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(d.find(c=>c.primary)??d[0])?.email,n=d.find(c=>c.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n,...s},data:o}}}};var Je=require("oslo/jwt");var Ke=require("consola"),Re=["info","success","warn","error","debug"];function Wt(e,r){return Re.indexOf(r)<=Re.indexOf(e)}var Qt=(0,Ke.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Zt=e=>{let r=e?.disabled!==!0,t=e?.level??"error",o=(i,n,s=[])=>{if(!(!r||!Wt(t,i))){if(!e||typeof e.log!="function"){Qt[i]("",n,...s);return}e.log(i==="success"?"info":i,n,s)}};return Object.fromEntries(Re.map(i=>[i,(...[n,...s])=>o(i,n,s)]))},I=Zt();var Ye=require("@better-fetch/fetch"),Xe=e=>({id:"google",name:"Google",async createAuthorizationURL({state:r,scopes:t,codeVerifier:o,redirectURI:i}){if(!e.clientId||!e.clientSecret)throw I.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new $("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new $("codeVerifier is required for Google");let n=t||["email","profile","openid"];e.scope&&n.push(...e.scope);let s=await A({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:r,codeVerifier:o,redirectURI:i});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:r,codeVerifier:t,redirectURI:o})=>b({code:r,codeVerifier:t,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(r,t){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,t);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${r}`,{data:i}=await(0,Ye.betterFetch)(o);return i?i.aud===e.clientId&&i.iss==="https://accounts.google.com":!1},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let t=(0,Je.parseJWT)(r.idToken)?.payload,o=await e.mapProfileToUser?.(t);return{user:{id:t.sub,name:t.name,email:t.email,image:t.picture,emailVerified:t.email_verified,...o},data:t}}});var et=require("@better-fetch/fetch"),tt=require("oslo/jwt");var rt=e=>{let r=e.tenantId||"common",t=`https://login.microsoftonline.com/${r}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${r}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(i){let n=i.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),A({id:"microsoft",options:e,authorizationEndpoint:t,state:i.state,codeVerifier:i.codeVerifier,scopes:n,redirectURI:i.redirectURI})},validateAuthorizationCode({code:i,codeVerifier:n,redirectURI:s}){return b({code:i,codeVerifier:n,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let n=(0,tt.parseJWT)(i.idToken)?.payload,s=e.profilePhotoSize||48;await(0,et.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${i.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let l=await a.response.clone().arrayBuffer(),f=Buffer.from(l).toString("base64");n.picture=`data:image/jpeg;base64, ${f}`}catch(c){I.error(c&&typeof c=="object"&&"name"in c?c.name:"",c)}}});let d=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0,...d},data:n}}}};var ot=require("@better-fetch/fetch");var it=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:r,scopes:t,codeVerifier:o,redirectURI:i}){let n=t||["user-read-email"];return e.scope&&n.push(...e.scope),A({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:r,codeVerifier:o,redirectURI:i})},validateAuthorizationCode:async({code:r,codeVerifier:t,redirectURI:o})=>b({code:r,codeVerifier:t,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,ot.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${r.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.display_name,email:t.email,image:t.images[0]?.url,emailVerified:!1,...i},data:t}}});var Z={isAction:!1};var nt=require("nanoid"),st=e=>(0,nt.nanoid)(e);var at=require("oslo/jwt");var dt=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:r,scopes:t,redirectURI:o}){let i=t||["user:read:email","openid"];return e.scope&&i.push(...e.scope),A({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:i,state:r,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:r,redirectURI:t})=>b({code:r,redirectURI:e.redirectURI||t,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let t=r.idToken;if(!t)return I.error("No idToken found in token"),null;let o=(0,at.parseJWT)(t)?.payload,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...i},data:o}}});var ct=require("@better-fetch/fetch");var lt=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(r){let t=r.scopes||["users.read","tweet.read","offline.access"];return e.scope&&t.push(...e.scope),A({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:t,state:r.state,codeVerifier:r.codeVerifier,redirectURI:r.redirectURI})},validateAuthorizationCode:async({code:r,codeVerifier:t,redirectURI:o})=>b({code:r,codeVerifier:t,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,ct.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${r.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(t);return{user:{id:t.data.id,name:t.data.name,email:t.data.username||null,image:t.data.profile_image_url,emailVerified:t.data.verified||!1,...i},data:t}}});var pt=require("@better-fetch/fetch");var ut=e=>{let r="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:t,scopes:o,codeVerifier:i,redirectURI:n})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await A({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:t,redirectURI:n,codeVerifier:i})},validateAuthorizationCode:async({code:t,codeVerifier:o,redirectURI:i})=>await b({code:t,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:o,error:i}=await(0,pt.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${t.accessToken}`}});if(i)return null;let n=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...n},data:o}}}};var mt=require("@better-fetch/fetch");var ft=e=>{let r="https://www.linkedin.com/oauth/v2/authorization",t="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:i,redirectURI:n})=>{let s=i||["profile","email","openid"];return e.scope&&s.push(...e.scope),await A({id:"linkedin",options:e,authorizationEndpoint:r,scopes:s,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:i})=>await b({code:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async getUserInfo(o){let{data:i,error:n}=await(0,mt.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(n)return null;let s=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,emailVerified:i.email_verified||!1,image:i.picture,...s},data:i}}}};var gt=require("@better-fetch/fetch");var ke=(e="")=>e.split("://").map(r=>r.replace(/\/{2,}/g,"/")).join("://"),Kt=e=>{let r=e||"https://gitlab.com";return{authorizationEndpoint:ke(`${r}/oauth/authorize`),tokenEndpoint:ke(`${r}/oauth/token`),userinfoEndpoint:ke(`${r}/api/v4/user`)}},ht=e=>{let{authorizationEndpoint:r,tokenEndpoint:t,userinfoEndpoint:o}=Kt(e.issuer),i="gitlab";return{id:i,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:d,codeVerifier:a,redirectURI:c})=>{let l=d||["read_user"];return e.scope&&l.push(...e.scope),await A({id:i,options:e,authorizationEndpoint:r,scopes:l,state:s,redirectURI:c,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:d,codeVerifier:a})=>b({code:s,redirectURI:e.redirectURI||d,options:e,codeVerifier:a,tokenEndpoint:t}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:d,error:a}=await(0,gt.betterFetch)(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||d.state!=="active"||d.locked)return null;let c=await e.mapProfileToUser?.(d);return{user:{id:d.id.toString(),name:d.name??d.username,email:d.email,image:d.avatar_url,emailVerified:!0,...c},data:d}}}};var Ee=require("@better-fetch/fetch");var wt=e=>({id:"reddit",name:"Reddit",createAuthorizationURL({state:r,scopes:t,redirectURI:o}){let i=t||["identity"];return e.scope&&i.push(...e.scope),A({id:"reddit",options:e,authorizationEndpoint:"https://www.reddit.com/api/v1/authorize",scopes:i,state:r,redirectURI:o,duration:e.duration})},validateAuthorizationCode:async({code:r,redirectURI:t})=>{let o=new URLSearchParams({grant_type:"authorization_code",code:r,redirect_uri:e.redirectURI||t}),i={"content-type":"application/x-www-form-urlencoded",accept:"text/plain","user-agent":"better-auth",Authorization:`Basic ${Buffer.from(`${e.clientId}:${e.clientSecret}`).toString("base64")}`},{data:n,error:s}=await(0,Ee.betterFetch)("https://www.reddit.com/api/v1/access_token",{method:"POST",headers:i,body:o.toString()});if(s)throw s;return ce(n)},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,Ee.betterFetch)("https://oauth.reddit.com/api/v1/me",{headers:{Authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});if(o)return null;let i=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.name,email:t.oauth_client_id,emailVerified:t.has_verified_email,image:t.icon_img?.split("?")[0],...i},data:t}}});var Jt={apple:Me,discord:Ge,facebook:Qe,github:Ze,microsoft:rt,google:Xe,spotify:it,twitch:dt,twitter:lt,dropbox:ut,linkedin:ft,gitlab:ht,reddit:wt},ue=Object.keys(Jt);var Ut=require("oslo"),me=require("oslo/jwt"),v=require("zod");var K=require("better-call");var D=require("better-call");var q=require("zod");function yt(e){try{return JSON.parse(e)}catch{return null}}var p={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var bt=()=>m("/get-session",{method:"GET",query:q.z.optional(q.z.object({disableCookieCache:q.z.boolean({description:"Disable cookie cache and fetch session from database"}).or(q.z.string().transform(e=>e==="true")).optional(),disableRefresh:q.z.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let r=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!r)return e.json(null);let t=e.getCookie(e.context.authCookies.sessionData.name),o=t?yt(Buffer.from(t,"base64").toString()):null;if(o&&!await de.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return P(e),e.json(null);let i=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let l=o.session;if(o.expiresAt<Date.now()||l.session.expiresAt<new Date){let h=e.context.authCookies.sessionData.name;e.setCookie(h,"",{maxAge:0})}else return e.json(l)}let n=await e.context.internalAdapter.findSession(r);if(e.context.session=n,!n||n.session.expiresAt<new Date)return P(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(i||e.query?.disableRefresh)return e.json(n);let s=e.context.sessionConfig.expiresIn,d=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-s*1e3+d*1e3<=Date.now()){let l=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:z(e.context.sessionConfig.expiresIn,"sec")});if(!l)return P(e),e.json(null,{status:401});let f=(l.expiresAt.valueOf()-Date.now())/1e3;return await T(e,{session:l,user:n.user},!1,{maxAge:f}),e.json({session:l,user:n.user})}return e.json(n)}catch(r){throw e.context.logger.error("INTERNAL_SERVER_ERROR",r),new D.APIError("INTERNAL_SERVER_ERROR",{message:p.FAILED_TO_GET_SESSION})}}),M=async(e,r)=>{if(e.context.session)return e.context.session;let t=await bt()({...e,_flag:"json",headers:e.headers,query:r}).catch(o=>null);return e.context.session=t,t},C=re(async e=>{let r=await M(e);if(!r?.session)throw new D.APIError("UNAUTHORIZED");return{session:r}}),At=re(async e=>{let r=await M(e);if(!r?.session)throw new D.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:r};let t=e.context.sessionConfig.freshAge,o=r.session.createdAt.valueOf(),i=Date.now();if(!(o+t*1e3>i))throw new D.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:r}});var Yt=m("/revoke-session",{method:"POST",body:q.z.object({token:q.z.string({description:"The token to revoke"})}),use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let r=e.body.token,t=await e.context.internalAdapter.findSession(r);if(!t)throw new D.APIError("BAD_REQUEST",{message:"Session not found"});if(t.session.userId!==e.context.session.user.id)throw new D.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(r)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new D.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Xt=m("/revoke-sessions",{method:"POST",use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(r){throw e.context.logger.error(r&&typeof r=="object"&&"name"in r?r.name:"",r),new D.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),er=m("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[C],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let r=e.context.session;if(!r.user)throw new D.APIError("UNAUTHORIZED");let i=(await e.context.internalAdapter.listSessions(r.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(i.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function V(e,r,t){return await(0,me.createJWT)("HS256",Buffer.from(e),{email:r.toLowerCase(),updateTo:t},{expiresIn:new Ut.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[r],includeIssuedTimestamp:!0})}async function tr(e,r){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new K.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let t=await V(e.context.secret,r.email),o=`${e.context.baseURL}/verify-email?token=${t}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:r,url:o,token:t},e.request)}var rr=m("/send-verification-email",{method:"POST",query:v.z.object({currentURL:v.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:v.z.object({email:v.z.string({description:"The email to send the verification email to"}).email(),callbackURL:v.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new K.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:r}=e.body,t=await e.context.internalAdapter.findUserByEmail(r);if(!t)throw new K.APIError("BAD_REQUEST",{message:p.USER_NOT_FOUND});return await tr(e,t.user),e.json({status:!0})}),or=m("/verify-email",{method:"GET",query:v.z.object({token:v.z.string({description:"The token to verify the email"}),callbackURL:v.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function r(d){throw e.query.callbackURL?e.query.callbackURL.includes("?")?e.redirect(`${e.query.callbackURL}&error=${d}`):e.redirect(`${e.query.callbackURL}?error=${d}`):new K.APIError("UNAUTHORIZED",{message:d})}let{token:t}=e.query,o;try{o=await(0,me.validateJWT)("HS256",Buffer.from(e.context.secret),t)}catch(d){return e.context.logger.error("Failed to verify email",d),r("invalid_token")}let n=v.z.object({email:v.z.string().email(),updateTo:v.z.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return r("user_not_found");if(n.updateTo){let d=await M(e);if(!d){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return r("unauthorized")}if(d.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return r("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo,emailVerified:!1}),c=await V(e.context.secret,n.updateTo);if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${c}`,token:c},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await M(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new K.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await T(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function J(e,{userInfo:r,account:t,callbackURL:o}){let i=await e.context.internalAdapter.findUserByEmail(r.email.toLowerCase(),{includeAccounts:!0}).catch(a=>{throw I.error(`Better auth was unable to query your database.
2
+ `,`Current list of trustedOrigins: ${l}`),new Ce.APIError("FORBIDDEN",{message:`Invalid ${R}`})};f&&!e.context.options.advanced?.disableCSRFCheck&&y(i,"origin"),n&&y(n,"callbackURL"),s&&y(s,"redirectURL"),d&&y(d,"currentURL"),a&&y(a,"errorCallbackURL"),c&&y(s,"newUserCallbackURL")});var E=require("better-call"),U=require("zod");var Ht=require("oslo"),Ne=require("oslo/encoding");var ae=require("oslo/crypto");async function Ft({value:e,secret:r}){return new ae.HMAC("SHA-256").sign(new TextEncoder().encode(r),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function Mt({value:e,signature:r,secret:t}){return new ae.HMAC("SHA-256").verify(new TextEncoder().encode(t),Buffer.from(r,"base64"),new TextEncoder().encode(e))}var de={sign:Ft,verify:Mt};var z=(e,r="ms")=>new Date(Date.now()+(r==="sec"?e*1e3:e));async function T(e,r,t,o){let i=e.context.authCookies.sessionToken.options,n=t?void 0:e.context.sessionConfig.expiresIn;if(await e.setSignedCookie(e.context.authCookies.sessionToken.name,r.session.token,e.context.secret,{...i,maxAge:n,...o}),t&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled){let d=Ne.base64url.encode(new TextEncoder().encode(JSON.stringify({session:r,expiresAt:z(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await de.sign({value:JSON.stringify(r),secret:e.context.secret})})),{includePadding:!1});if(d.length>4093)throw new $("Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data");e.setCookie(e.context.authCookies.sessionData.name,d,e.context.authCookies.sessionData.options)}e.context.setNewSession(r),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(r.session.token,JSON.stringify({user:r.user,session:r.session}),Math.floor((new Date(r.session.expiresAt).getTime()-Date.now())/1e3))}function P(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}var ze=require("@better-fetch/fetch"),qe=require("better-call"),Q=require("jose"),Fe=require("oslo/jwt");var Ve=require("oslo/crypto"),je=require("oslo/encoding");async function Be(e){let r=await(0,Ve.sha256)(new TextEncoder().encode(e));return je.base64url.encode(new Uint8Array(r),{includePadding:!1})}function ce(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?z(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function A({id:e,options:r,authorizationEndpoint:t,state:o,codeVerifier:i,scopes:n,claims:s,redirectURI:d,duration:a}){let c=new URL(t);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",r.clientId),c.searchParams.set("state",o),c.searchParams.set("scope",n.join(" ")),c.searchParams.set("redirect_uri",r.redirectURI||d),i){let l=await Be(i);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",l)}if(s){let l=s.reduce((f,h)=>(f[h]=null,f),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...l}}))}return a&&c.searchParams.set("duration",a),c}var $e=require("@better-fetch/fetch");async function b({code:e,codeVerifier:r,redirectURI:t,options:o,tokenEndpoint:i,authentication:n}){let s=new URLSearchParams,d={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),r&&s.set("code_verifier",r),s.set("redirect_uri",t),n==="basic"){let f=btoa(`${o.clientId}:${o.clientSecret}`);d.authorization=`Basic ${f}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:c}=await(0,$e.betterFetch)(i,{method:"POST",body:s,headers:d});if(c)throw c;return ce(a)}var le=require("oslo/oauth2"),x=require("zod"),Ae=require("better-call");async function W(e,r){let t=e.body?.callbackURL||(e.query?.currentURL?xe(e.query?.currentURL):"")||e.context.options.baseURL;if(!t)throw new Ae.APIError("BAD_REQUEST",{message:"callbackURL is required"});let o=(0,le.generateCodeVerifier)(),i=(0,le.generateState)(),n=JSON.stringify({callbackURL:t,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,newUserURL:e.body?.newUserCallbackURL,link:r,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let d=await e.context.internalAdapter.createVerificationValue({value:n,identifier:i,expiresAt:s});if(!d)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new Ae.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:d.identifier,codeVerifier:o}}async function pe(e){let r=e.query.state||e.body.state,t=await e.context.internalAdapter.findVerificationValue(r);if(!t)throw e.context.logger.error("State Mismatch. Verification not found",{state:r}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=x.z.object({callbackURL:x.z.string(),codeVerifier:x.z.string(),errorURL:x.z.string().optional(),newUserURL:x.z.string().optional(),expiresAt:x.z.number(),link:x.z.object({email:x.z.string(),userId:x.z.string()}).optional()}).parse(JSON.parse(t.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(t.id),e.context.logger.error("State expired.",{state:r}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(t.id),o}var Me=e=>{let r="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:t,scopes:o,redirectURI:i}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${i||e.redirectURI}&scope=${n.join(" ")}&state=${t}&response_mode=form_post`)},validateAuthorizationCode:async({code:t,codeVerifier:o,redirectURI:i})=>b({code:t,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async verifyIdToken(t,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,o);let i=(0,Q.decodeProtectedHeader)(t),{kid:n,alg:s}=i;if(!n||!s)return!1;let d=await Gt(n),{payload:a}=await(0,Q.jwtVerify)(t,d,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(c=>{a[c]!==void 0&&(a[c]=!!a[c])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let o=(0,Fe.parseJWT)(t.idToken)?.payload;if(!o)return null;let i=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:i,emailVerified:!1,email:o.email,...n},data:o}}}},Gt=async e=>{let r="https://appleid.apple.com",t="/auth/keys",{data:o}=await(0,ze.betterFetch)(`${r}${t}`);if(!o?.keys)throw new qe.APIError("BAD_REQUEST",{message:"Keys not found"});let i=o.keys.find(n=>n.kid===e);if(!i)throw new Error(`JWK with kid ${e} not found`);return await(0,Q.importJWK)(i,i.alg)};var He=require("@better-fetch/fetch");var Ge=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:r,scopes:t,redirectURI:o}){let i=t||["identify","email"];return e.scope&&i.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${i.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${r}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:r,redirectURI:t})=>b({code:r,redirectURI:e.redirectURI||t,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,He.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${r.accessToken}`}});if(o)return null;if(t.avatar===null){let n=t.discriminator==="0"?Number(BigInt(t.id)>>BigInt(22))%6:parseInt(t.discriminator)%5;t.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=t.avatar.startsWith("a_")?"gif":"png";t.image_url=`https://cdn.discordapp.com/avatars/${t.id}/${t.avatar}.${n}`}let i=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.display_name||t.username||"",email:t.email,emailVerified:t.verified,image:t.image_url,...i},data:t}}});var We=require("@better-fetch/fetch");var Qe=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:r,scopes:t,redirectURI:o}){let i=t||["email","public_profile"];return e.scope&&i.push(...e.scope),await A({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:i,state:r,redirectURI:o})},validateAuthorizationCode:async({code:r,redirectURI:t})=>b({code:r,redirectURI:e.redirectURI||t,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,We.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:r.accessToken}});if(o)return null;let i=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.name,email:t.email,image:t.picture.data.url,emailVerified:t.email_verified,...i},data:t}}});var Ue=require("@better-fetch/fetch");var Ze=e=>{let r="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:t,scopes:o,codeVerifier:i,redirectURI:n}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),A({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:t,redirectURI:n})},validateAuthorizationCode:async({code:t,redirectURI:o})=>b({code:t,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:r}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:o,error:i}=await(0,Ue.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${t.accessToken}`}});if(i)return null;let n=!1;if(!o.email){let{data:d,error:a}=await(0,Ue.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${t.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(d.find(c=>c.primary)??d[0])?.email,n=d.find(c=>c.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n,...s},data:o}}}};var Je=require("oslo/jwt");var Ke=require("consola"),Re=["info","success","warn","error","debug"];function Wt(e,r){return Re.indexOf(r)<=Re.indexOf(e)}var Qt=(0,Ke.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Zt=e=>{let r=e?.disabled!==!0,t=e?.level??"error",o=(i,n,s=[])=>{if(!(!r||!Wt(t,i))){if(!e||typeof e.log!="function"){Qt[i]("",n,...s);return}e.log(i==="success"?"info":i,n,s)}};return Object.fromEntries(Re.map(i=>[i,(...[n,...s])=>o(i,n,s)]))},I=Zt();var Ye=require("@better-fetch/fetch"),Xe=e=>({id:"google",name:"Google",async createAuthorizationURL({state:r,scopes:t,codeVerifier:o,redirectURI:i}){if(!e.clientId||!e.clientSecret)throw I.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new $("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new $("codeVerifier is required for Google");let n=t||["email","profile","openid"];e.scope&&n.push(...e.scope);let s=await A({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:r,codeVerifier:o,redirectURI:i});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:r,codeVerifier:t,redirectURI:o})=>b({code:r,codeVerifier:t,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(r,t){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,t);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${r}`,{data:i}=await(0,Ye.betterFetch)(o);return i?i.aud===e.clientId&&i.iss==="https://accounts.google.com":!1},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let t=(0,Je.parseJWT)(r.idToken)?.payload,o=await e.mapProfileToUser?.(t);return{user:{id:t.sub,name:t.name,email:t.email,image:t.picture,emailVerified:t.email_verified,...o},data:t}}});var et=require("@better-fetch/fetch"),tt=require("oslo/jwt");var rt=e=>{let r=e.tenantId||"common",t=`https://login.microsoftonline.com/${r}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${r}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(i){let n=i.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),A({id:"microsoft",options:e,authorizationEndpoint:t,state:i.state,codeVerifier:i.codeVerifier,scopes:n,redirectURI:i.redirectURI})},validateAuthorizationCode({code:i,codeVerifier:n,redirectURI:s}){return b({code:i,codeVerifier:n,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let n=(0,tt.parseJWT)(i.idToken)?.payload,s=e.profilePhotoSize||48;await(0,et.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${i.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let l=await a.response.clone().arrayBuffer(),f=Buffer.from(l).toString("base64");n.picture=`data:image/jpeg;base64, ${f}`}catch(c){I.error(c&&typeof c=="object"&&"name"in c?c.name:"",c)}}});let d=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0,...d},data:n}}}};var ot=require("@better-fetch/fetch");var it=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:r,scopes:t,codeVerifier:o,redirectURI:i}){let n=t||["user-read-email"];return e.scope&&n.push(...e.scope),A({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:r,codeVerifier:o,redirectURI:i})},validateAuthorizationCode:async({code:r,codeVerifier:t,redirectURI:o})=>b({code:r,codeVerifier:t,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,ot.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${r.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.display_name,email:t.email,image:t.images[0]?.url,emailVerified:!1,...i},data:t}}});var Z={isAction:!1};var nt=require("nanoid"),st=e=>(0,nt.nanoid)(e);var at=require("oslo/jwt");var dt=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:r,scopes:t,redirectURI:o}){let i=t||["user:read:email","openid"];return e.scope&&i.push(...e.scope),A({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:i,state:r,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:r,redirectURI:t})=>b({code:r,redirectURI:e.redirectURI||t,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let t=r.idToken;if(!t)return I.error("No idToken found in token"),null;let o=(0,at.parseJWT)(t)?.payload,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...i},data:o}}});var ct=require("@better-fetch/fetch");var lt=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(r){let t=r.scopes||["users.read","tweet.read","offline.access"];return e.scope&&t.push(...e.scope),A({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:t,state:r.state,codeVerifier:r.codeVerifier,redirectURI:r.redirectURI})},validateAuthorizationCode:async({code:r,codeVerifier:t,redirectURI:o})=>b({code:r,codeVerifier:t,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,ct.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${r.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(t);return{user:{id:t.data.id,name:t.data.name,email:t.data.username||null,image:t.data.profile_image_url,emailVerified:t.data.verified||!1,...i},data:t}}});var pt=require("@better-fetch/fetch");var ut=e=>{let r="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:t,scopes:o,codeVerifier:i,redirectURI:n})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await A({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:t,redirectURI:n,codeVerifier:i})},validateAuthorizationCode:async({code:t,codeVerifier:o,redirectURI:i})=>await b({code:t,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:o,error:i}=await(0,pt.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${t.accessToken}`}});if(i)return null;let n=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...n},data:o}}}};var mt=require("@better-fetch/fetch");var ft=e=>{let r="https://www.linkedin.com/oauth/v2/authorization",t="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:i,redirectURI:n})=>{let s=i||["profile","email","openid"];return e.scope&&s.push(...e.scope),await A({id:"linkedin",options:e,authorizationEndpoint:r,scopes:s,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:i})=>await b({code:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async getUserInfo(o){let{data:i,error:n}=await(0,mt.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(n)return null;let s=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,emailVerified:i.email_verified||!1,image:i.picture,...s},data:i}}}};var gt=require("@better-fetch/fetch");var ke=(e="")=>e.split("://").map(r=>r.replace(/\/{2,}/g,"/")).join("://"),Kt=e=>{let r=e||"https://gitlab.com";return{authorizationEndpoint:ke(`${r}/oauth/authorize`),tokenEndpoint:ke(`${r}/oauth/token`),userinfoEndpoint:ke(`${r}/api/v4/user`)}},ht=e=>{let{authorizationEndpoint:r,tokenEndpoint:t,userinfoEndpoint:o}=Kt(e.issuer),i="gitlab";return{id:i,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:d,codeVerifier:a,redirectURI:c})=>{let l=d||["read_user"];return e.scope&&l.push(...e.scope),await A({id:i,options:e,authorizationEndpoint:r,scopes:l,state:s,redirectURI:c,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:d,codeVerifier:a})=>b({code:s,redirectURI:e.redirectURI||d,options:e,codeVerifier:a,tokenEndpoint:t}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:d,error:a}=await(0,gt.betterFetch)(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||d.state!=="active"||d.locked)return null;let c=await e.mapProfileToUser?.(d);return{user:{id:d.id.toString(),name:d.name??d.username,email:d.email,image:d.avatar_url,emailVerified:!0,...c},data:d}}}};var Ee=require("@better-fetch/fetch");var wt=e=>({id:"reddit",name:"Reddit",createAuthorizationURL({state:r,scopes:t,redirectURI:o}){let i=t||["identity"];return e.scope&&i.push(...e.scope),A({id:"reddit",options:e,authorizationEndpoint:"https://www.reddit.com/api/v1/authorize",scopes:i,state:r,redirectURI:o,duration:e.duration})},validateAuthorizationCode:async({code:r,redirectURI:t})=>{let o=new URLSearchParams({grant_type:"authorization_code",code:r,redirect_uri:e.redirectURI||t}),i={"content-type":"application/x-www-form-urlencoded",accept:"text/plain","user-agent":"better-auth",Authorization:`Basic ${Buffer.from(`${e.clientId}:${e.clientSecret}`).toString("base64")}`},{data:n,error:s}=await(0,Ee.betterFetch)("https://www.reddit.com/api/v1/access_token",{method:"POST",headers:i,body:o.toString()});if(s)throw s;return ce(n)},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:t,error:o}=await(0,Ee.betterFetch)("https://oauth.reddit.com/api/v1/me",{headers:{Authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});if(o)return null;let i=await e.mapProfileToUser?.(t);return{user:{id:t.id,name:t.name,email:t.oauth_client_id,emailVerified:t.has_verified_email,image:t.icon_img?.split("?")[0],...i},data:t}}});var Jt={apple:Me,discord:Ge,facebook:Qe,github:Ze,microsoft:rt,google:Xe,spotify:it,twitch:dt,twitter:lt,dropbox:ut,linkedin:ft,gitlab:ht,reddit:wt},ue=Object.keys(Jt);var Ut=require("oslo"),me=require("oslo/jwt"),v=require("zod");var K=require("better-call");var D=require("better-call");var q=require("zod");function yt(e){try{return JSON.parse(e)}catch{return null}}var p={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var bt=()=>m("/get-session",{method:"GET",query:q.z.optional(q.z.object({disableCookieCache:q.z.boolean({description:"Disable cookie cache and fetch session from database"}).or(q.z.string().transform(e=>e==="true")).optional(),disableRefresh:q.z.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let r=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!r)return e.json(null);let t=e.getCookie(e.context.authCookies.sessionData.name),o=t?yt(Buffer.from(t,"base64").toString()):null;if(o&&!await de.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return P(e),e.json(null);let i=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let l=o.session;if(o.expiresAt<Date.now()||l.session.expiresAt<new Date){let h=e.context.authCookies.sessionData.name;e.setCookie(h,"",{maxAge:0})}else return e.json(l)}let n=await e.context.internalAdapter.findSession(r);if(e.context.session=n,!n||n.session.expiresAt<new Date)return P(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(i||e.query?.disableRefresh)return e.json(n);let s=e.context.sessionConfig.expiresIn,d=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-s*1e3+d*1e3<=Date.now()){let l=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:z(e.context.sessionConfig.expiresIn,"sec")});if(!l)return P(e),e.json(null,{status:401});let f=(l.expiresAt.valueOf()-Date.now())/1e3;return await T(e,{session:l,user:n.user},!1,{maxAge:f}),e.json({session:l,user:n.user})}return e.json(n)}catch(r){throw e.context.logger.error("INTERNAL_SERVER_ERROR",r),new D.APIError("INTERNAL_SERVER_ERROR",{message:p.FAILED_TO_GET_SESSION})}}),M=async(e,r)=>{if(e.context.session)return e.context.session;let t=await bt()({...e,_flag:"json",headers:e.headers,query:r}).catch(o=>null);return e.context.session=t,t},C=re(async e=>{let r=await M(e);if(!r?.session)throw new D.APIError("UNAUTHORIZED");return{session:r}}),At=re(async e=>{let r=await M(e);if(!r?.session)throw new D.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:r};let t=e.context.sessionConfig.freshAge,o=r.session.updatedAt?.valueOf()||r.session.createdAt.valueOf();if(!(Date.now()-o<t*1e3))throw new D.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:r}});var Yt=m("/revoke-session",{method:"POST",body:q.z.object({token:q.z.string({description:"The token to revoke"})}),use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let r=e.body.token,t=await e.context.internalAdapter.findSession(r);if(!t)throw new D.APIError("BAD_REQUEST",{message:"Session not found"});if(t.session.userId!==e.context.session.user.id)throw new D.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(r)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new D.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Xt=m("/revoke-sessions",{method:"POST",use:[C],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(r){throw e.context.logger.error(r&&typeof r=="object"&&"name"in r?r.name:"",r),new D.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),er=m("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[C],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let r=e.context.session;if(!r.user)throw new D.APIError("UNAUTHORIZED");let i=(await e.context.internalAdapter.listSessions(r.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(i.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function V(e,r,t){return await(0,me.createJWT)("HS256",Buffer.from(e),{email:r.toLowerCase(),updateTo:t},{expiresIn:new Ut.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[r],includeIssuedTimestamp:!0})}async function tr(e,r){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new K.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let t=await V(e.context.secret,r.email),o=`${e.context.baseURL}/verify-email?token=${t}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:r,url:o,token:t},e.request)}var rr=m("/send-verification-email",{method:"POST",query:v.z.object({currentURL:v.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:v.z.object({email:v.z.string({description:"The email to send the verification email to"}).email(),callbackURL:v.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new K.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:r}=e.body,t=await e.context.internalAdapter.findUserByEmail(r);if(!t)throw new K.APIError("BAD_REQUEST",{message:p.USER_NOT_FOUND});return await tr(e,t.user),e.json({status:!0})}),or=m("/verify-email",{method:"GET",query:v.z.object({token:v.z.string({description:"The token to verify the email"}),callbackURL:v.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function r(d){throw e.query.callbackURL?e.query.callbackURL.includes("?")?e.redirect(`${e.query.callbackURL}&error=${d}`):e.redirect(`${e.query.callbackURL}?error=${d}`):new K.APIError("UNAUTHORIZED",{message:d})}let{token:t}=e.query,o;try{o=await(0,me.validateJWT)("HS256",Buffer.from(e.context.secret),t)}catch(d){return e.context.logger.error("Failed to verify email",d),r("invalid_token")}let n=v.z.object({email:v.z.string().email(),updateTo:v.z.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return r("user_not_found");if(n.updateTo){let d=await M(e);if(!d){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return r("unauthorized")}if(d.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return r("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo,emailVerified:!1}),c=await V(e.context.secret,n.updateTo);if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${c}`,token:c},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await M(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new K.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await T(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function J(e,{userInfo:r,account:t,callbackURL:o}){let i=await e.context.internalAdapter.findUserByEmail(r.email.toLowerCase(),{includeAccounts:!0}).catch(a=>{throw I.error(`Better auth was unable to query your database.
3
3
  Error: `,a),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=i?.user,s=!n;if(i){let a=i.accounts.find(c=>c.providerId===t.providerId);if(a){let c=Object.fromEntries(Object.entries({accessToken:t.accessToken,idToken:t.idToken,refreshToken:t.refreshToken,accessTokenExpiresAt:t.accessTokenExpiresAt,refreshTokenExpiresAt:t.refreshTokenExpiresAt}).filter(([l,f])=>f!==void 0));Object.keys(c).length>0&&await e.context.internalAdapter.updateAccount(a.id,c)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(t.providerId)&&!r.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return be&&I.warn(`User already exist but account isn't linked to ${t.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:t.providerId,accountId:r.id.toString(),userId:i.user.id,accessToken:t.accessToken,idToken:t.idToken,refreshToken:t.refreshToken,accessTokenExpiresAt:t.accessTokenExpiresAt,refreshTokenExpiresAt:t.refreshTokenExpiresAt,scope:t.scope})}catch(f){return I.error("Unable to link account",f),{error:"unable to link account",data:null}}n=await e.context.internalAdapter.updateUser(i.user.id,{...r,updatedAt:new Date})}}else if(n=await e.context.internalAdapter.createOAuthUser({...r,email:r.email.toLowerCase(),id:void 0},{accessToken:t.accessToken,idToken:t.idToken,refreshToken:t.refreshToken,accessTokenExpiresAt:t.accessTokenExpiresAt,refreshTokenExpiresAt:t.refreshTokenExpiresAt,scope:t.scope,providerId:t.providerId,accountId:r.id.toString()}).then(a=>a?.user),!r.emailVerified&&n&&e.context.options.emailVerification?.sendOnSignUp){let a=await V(e.context.secret,n.email),c=`${e.context.baseURL}/verify-email?token=${a}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:c,token:a},e.request)}if(!n)return{error:"unable to create user",data:null,isRegister:!1};let d=await e.context.internalAdapter.createSession(n.id,e.request);return d?{data:{session:d,user:n},error:null,isRegister:s}:{error:"unable to create session",data:null,isRegister:!1}}var ir=m("/sign-in/social",{method:"POST",query:U.z.object({currentURL:U.z.string().optional()}).optional(),body:U.z.object({callbackURL:U.z.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),newUserCallbackURL:U.z.string().optional(),errorCallbackURL:U.z.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:U.z.enum(ue,{description:"OAuth2 provider to use"}),disableRedirect:U.z.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:U.z.optional(U.z.object({token:U.z.string({description:"ID token from the provider"}),nonce:U.z.string({description:"Nonce used to generate the token"}).optional(),accessToken:U.z.string({description:"Access token from the provider"}).optional(),refreshToken:U.z.string({description:"Refresh token from the provider"}).optional(),expiresAt:U.z.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let r=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!r)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new E.APIError("NOT_FOUND",{message:p.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!r.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new E.APIError("NOT_FOUND",{message:p.ID_TOKEN_NOT_SUPPORTED});let{token:n,nonce:s}=e.body.idToken;if(!await r.verifyIdToken(n,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new E.APIError("UNAUTHORIZED",{message:p.INVALID_TOKEN});let a=await r.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new E.APIError("UNAUTHORIZED",{message:p.FAILED_TO_GET_USER_INFO});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new E.APIError("UNAUTHORIZED",{message:p.USER_EMAIL_NOT_FOUND});let c=await J(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:r.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(c.error)throw new E.APIError("UNAUTHORIZED",{message:c.error});return await T(e,c.data),e.json({session:c.data.session,user:c.data.user,url:void 0,redirect:!1})}let{codeVerifier:t,state:o}=await W(e),i=await r.createAuthorizationURL({state:o,codeVerifier:t,redirectURI:`${e.context.baseURL}/callback/${r.id}`});return e.json({url:i.toString(),redirect:!e.body.disableRedirect})}),nr=m("/sign-in/email",{method:"POST",body:U.z.object({email:U.z.string({description:"Email of the user"}),password:U.z.string({description:"Password of the user"}),callbackURL:U.z.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:U.z.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new E.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:r,password:t}=e.body;if(!U.z.string().email().safeParse(r).success)throw new E.APIError("BAD_REQUEST",{message:p.INVALID_EMAIL});let i=await e.context.internalAdapter.findUserByEmail(r,{includeAccounts:!0});if(!i)throw await e.context.password.hash(t),e.context.logger.error("User not found",{email:r}),new E.APIError("UNAUTHORIZED",{message:p.INVALID_EMAIL_OR_PASSWORD});let n=i.accounts.find(c=>c.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:r}),new E.APIError("UNAUTHORIZED",{message:p.INVALID_EMAIL_OR_PASSWORD});let s=n?.password;if(!s)throw e.context.logger.error("Password not found",{email:r}),new E.APIError("UNAUTHORIZED",{message:p.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:s,password:t}))throw e.context.logger.error("Invalid password"),new E.APIError("UNAUTHORIZED",{message:p.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new E.APIError("UNAUTHORIZED",{message:p.EMAIL_NOT_VERIFIED});let c=await V(e.context.secret,i.user.email),l=`${e.context.baseURL}/verify-email?token=${c}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:l,token:c},e.request),e.context.logger.error("Email not verified",{email:r}),new E.APIError("FORBIDDEN",{message:p.EMAIL_NOT_VERIFIED})}let a=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new E.APIError("UNAUTHORIZED",{message:p.FAILED_TO_CREATE_SESSION});return await T(e,{session:a,user:i.user},e.body.rememberMe===!1),e.json({user:{id:i.user.id,email:i.user.email,name:i.user.name,image:i.user.image,emailVerified:i.user.emailVerified,createdAt:i.user.createdAt,updatedAt:i.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var Y=require("zod");var fe=Y.z.object({code:Y.z.string().optional(),error:Y.z.string().optional(),error_description:Y.z.string().optional(),state:Y.z.string().optional()}),sr=m("/callback/:id",{method:["GET","POST"],body:fe.optional(),query:fe.optional(),metadata:Z},async e=>{let r;try{if(e.method==="GET")r=fe.parse(e.query);else if(e.method==="POST")r=fe.parse(e.body);else throw new Error("Unsupported method")}catch(g){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",g),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:t,error:o,state:i,error_description:n}=r;if(!i)throw e.context.logger.error("State not found",o),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!t)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}&error_description=${n}`);let s=e.context.socialProviders.find(g=>g.id===e.params.id);if(!s)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:d,callbackURL:a,link:c,errorURL:l,newUserURL:f}=await pe(e),h;try{h=await s.validateAuthorizationCode({code:t,codeVerifier:d,redirectURI:`${e.context.baseURL}/callback/${s.id}`})}catch(g){throw e.context.logger.error("",g),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let y=await s.getUserInfo(h).then(g=>g?.user);function w(g){let _=l||a||`${e.context.baseURL}/error`;throw _.includes("?")?_=`${_}&error=${g}`:_=`${_}?error=${g}`,e.redirect(_)}if(!y)return e.context.logger.error("Unable to get user info"),w("unable_to_get_user_info");if(!y.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),w("email_not_found");if(!a)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(c){if(c.email!==y.email.toLowerCase())return w("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:c.userId,providerId:s.id,accountId:y.id}))return w("unable_to_link_account");let _;try{_=a.toString()}catch{_=a}throw e.redirect(_)}let R=await J(e,{userInfo:{...y,email:y.email,name:y.name||y.email},account:{providerId:s.id,accountId:y.id,...h,scope:h.scopes?.join(",")},callbackURL:a});if(R.error)return e.context.logger.error(R.error.split(" ").join("_")),w(R.error.split(" ").join("_"));let{session:j,user:B}=R.data;await T(e,{session:j,user:B});let N;try{N=(R.isRegister&&f||a).toString()}catch{N=R.isRegister&&f||a}throw e.redirect(N)});var yn=require("zod");var Rt=require("better-call");var ar=m("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let r=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!r)throw P(e),new Rt.APIError("BAD_REQUEST",{message:p.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(r),P(e),e.json({success:!0})});var S=require("zod");var X=require("better-call");function kt(e,r,t){let o=r?new URL(r,e.baseURL):new URL(`${e.baseURL}/error`);return t&&Object.entries(t).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}function dr(e,r,t){let o=new URL(r,e.baseURL);return t&&Object.entries(t).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}var cr=m("/forget-password",{method:"POST",body:S.z.object({email:S.z.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:S.z.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new X.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:r,redirectTo:t}=e.body,o=await e.context.internalAdapter.findUserByEmail(r,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:r}),e.json({status:!1},{body:{status:!0}});let i=60*60*1,n=z(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||i,"sec"),s=st(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id.toString(),identifier:`reset-password:${s}`,expiresAt:n});let d=`${e.context.baseURL}/reset-password/${s}?callbackURL=${t}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:d,token:s},e.request),e.json({status:!0})}),lr=m("/reset-password/:token",{method:"GET",query:S.z.object({callbackURL:S.z.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:r}=e.params,{callbackURL:t}=e.query;if(!r||!t)throw e.redirect(kt(e.context,t,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${r}`);throw!o||o.expiresAt<new Date?e.redirect(kt(e.context,t,{error:"INVALID_TOKEN"})):e.redirect(dr(e.context,t,{token:r}))}),pr=m("/reset-password",{query:S.z.optional(S.z.object({token:S.z.string().optional(),currentURL:S.z.string().optional()})),method:"POST",body:S.z.object({newPassword:S.z.string({description:"The new password to set"}),token:S.z.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let r=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!r)throw new X.APIError("BAD_REQUEST",{message:p.INVALID_TOKEN});let{newPassword:t}=e.body,o=e.context.password?.config.minPasswordLength,i=e.context.password?.config.maxPasswordLength;if(t.length<o)throw new X.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_SHORT});if(t.length>i)throw new X.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_LONG});let n=`reset-password:${r}`,s=await e.context.internalAdapter.findVerificationValue(n);if(!s||s.expiresAt<new Date)throw new X.APIError("BAD_REQUEST",{message:p.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(s.id);let d=s.value,a=await e.context.password.hash(t);return(await e.context.internalAdapter.findAccounts(d)).find(f=>f.providerId==="credential")?(await e.context.internalAdapter.updatePassword(d,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:d,providerId:"credential",password:a,accountId:d}),e.json({status:!0}))});var O=require("zod");var k=require("better-call");var u=require("zod"),ur=require("better-call"),vn=u.z.object({id:u.z.string(),providerId:u.z.string(),accountId:u.z.string(),userId:u.z.string(),accessToken:u.z.string().nullish(),refreshToken:u.z.string().nullish(),idToken:u.z.string().nullish(),accessTokenExpiresAt:u.z.date().nullish(),refreshTokenExpiresAt:u.z.date().nullish(),scope:u.z.string().nullish(),password:u.z.string().nullish(),createdAt:u.z.date().default(()=>new Date),updatedAt:u.z.date().default(()=>new Date)}),In=u.z.object({id:u.z.string(),email:u.z.string().transform(e=>e.toLowerCase()),emailVerified:u.z.boolean().default(!1),name:u.z.string(),image:u.z.string().nullish(),createdAt:u.z.date().default(()=>new Date),updatedAt:u.z.date().default(()=>new Date)}),Ln=u.z.object({id:u.z.string(),userId:u.z.string(),expiresAt:u.z.date(),createdAt:u.z.date().default(()=>new Date),updatedAt:u.z.date().default(()=>new Date),token:u.z.string(),ipAddress:u.z.string().nullish(),userAgent:u.z.string().nullish()}),Pn=u.z.object({id:u.z.string(),value:u.z.string(),createdAt:u.z.date().default(()=>new Date),updatedAt:u.z.date().default(()=>new Date),expiresAt:u.z.date(),identifier:u.z.string()});var yr=require("@noble/ciphers/chacha"),Te=require("@noble/ciphers/utils"),br=require("@noble/ciphers/webcrypto"),Ar=require("oslo/crypto"),Ur=ge(require("uncrypto"),1);var Et=require("oslo/encoding");var mr=require("@noble/hashes/scrypt"),fr=require("uncrypto");var _e=ge(require("uncrypto"),1);function gr(e){return e.toString(2).padStart(8,"0")}function hr(e){return[...e].map(r=>gr(r)).join("")}function _t(e){return parseInt(hr(e),2)}function wr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let r=(e-1).toString(2).length,t=r%8,o=new Uint8Array(Math.ceil(r/8));_e.default.getRandomValues(o),t!==0&&(o[0]&=(1<<t)-1);let i=_t(o);for(;i>=e;)_e.default.getRandomValues(o),t!==0&&(o[0]&=(1<<t)-1),i=_t(o);return i}function Tt(e,r){let t="";for(let o=0;o<e;o++)t+=r[wr(r.length)];return t}function Ot(...e){let r=new Set(e),t="";for(let o of r)o==="a-z"?t+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?t+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?t+="0123456789":t+=o;return t}var kr=m("/change-password",{method:"POST",body:O.z.object({newPassword:O.z.string({description:"The new password to set"}),currentPassword:O.z.string({description:"The current password"}),revokeOtherSessions:O.z.boolean({description:"Revoke all other sessions"}).optional()}),use:[C],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:r,currentPassword:t,revokeOtherSessions:o}=e.body,i=e.context.session,n=e.context.password.config.minPasswordLength;if(r.length<n)throw e.context.logger.error("Password is too short"),new k.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_SHORT});let s=e.context.password.config.maxPasswordLength;if(r.length>s)throw e.context.logger.error("Password is too long"),new k.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(f=>f.providerId==="credential"&&f.password);if(!a||!a.password)throw new k.APIError("BAD_REQUEST",{message:p.CREDENTIAL_ACCOUNT_NOT_FOUND});let c=await e.context.password.hash(r);if(!await e.context.password.verify({hash:a.password,password:t}))throw new k.APIError("BAD_REQUEST",{message:p.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(a.id,{password:c}),o){await e.context.internalAdapter.deleteSessions(i.user.id);let f=await e.context.internalAdapter.createSession(i.user.id,e.headers);if(!f)throw new k.APIError("INTERNAL_SERVER_ERROR",{message:p.FAILED_TO_GET_SESSION});await T(e,{session:f,user:i.user})}return e.json(i.user)}),Er=m("/set-password",{method:"POST",body:O.z.object({newPassword:O.z.string()}),metadata:{SERVER_ONLY:!0},use:[C]},async e=>{let{newPassword:r}=e.body,t=e.context.session,o=e.context.password.config.minPasswordLength;if(r.length<o)throw e.context.logger.error("Password is too short"),new k.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_SHORT});let i=e.context.password.config.maxPasswordLength;if(r.length>i)throw e.context.logger.error("Password is too long"),new k.APIError("BAD_REQUEST",{message:p.PASSWORD_TOO_LONG});let s=(await e.context.internalAdapter.findAccounts(t.user.id)).find(a=>a.providerId==="credential"&&a.password),d=await e.context.password.hash(r);if(!s)return await e.context.internalAdapter.linkAccount({userId:t.user.id,providerId:"credential",accountId:t.user.id,password:d}),e.json(t.user);throw new k.APIError("BAD_REQUEST",{message:"user already has a password"})}),_r=m("/delete-user",{method:"POST",use:[At],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new k.APIError("NOT_FOUND");let r=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let i=Tt(32,Ot("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:r.user.id,identifier:`delete-account-${i}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let n=`${e.context.baseURL}/delete-user/callback?token=${i}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:r.user,url:n,token:i},e.request),e.json({success:!0,message:"Verification email sent"})}let t=e.context.options.user.deleteUser?.beforeDelete;t&&await t(r.user,e.request),await e.context.internalAdapter.deleteUser(r.user.id),await e.context.internalAdapter.deleteSessions(r.user.id),await e.context.internalAdapter.deleteAccounts(r.user.id),P(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(r.user,e.request),e.json({success:!0,message:"User deleted"})}),Tr=m("/delete-user/callback",{method:"GET",query:O.z.object({token:O.z.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new k.APIError("NOT_FOUND");let r=await M(e);if(!r)throw new k.APIError("NOT_FOUND",{message:p.FAILED_TO_GET_USER_INFO});let t=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!t||t.expiresAt<new Date)throw t&&await e.context.internalAdapter.deleteVerificationValue(t.id),new k.APIError("NOT_FOUND",{message:p.INVALID_TOKEN});if(t.value!==r.user.id)throw new k.APIError("NOT_FOUND",{message:p.INVALID_TOKEN});let o=e.context.options.user.deleteUser?.beforeDelete;o&&await o(r.user,e.request),await e.context.internalAdapter.deleteUser(r.user.id),await e.context.internalAdapter.deleteSessions(r.user.id),await e.context.internalAdapter.deleteAccounts(r.user.id),await e.context.internalAdapter.deleteVerificationValue(t.id),P(e);let i=e.context.options.user.deleteUser?.afterDelete;return i&&await i(r.user,e.request),e.json({success:!0,message:"User deleted"})}),Or=m("/change-email",{method:"POST",query:O.z.object({currentURL:O.z.string().optional()}).optional(),body:O.z.object({newEmail:O.z.string({description:"The new email to set"}).email(),callbackURL:O.z.string({description:"The URL to redirect to after email verification"}).optional()}),use:[C],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new k.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new k.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new k.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let i=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:i,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new k.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let t=await V(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${t}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:t},e.request),e.json({user:null,status:!0})});var Sr=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>