better-auth 1.0.21 → 1.0.22-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. package/dist/adapters/prisma.d.cts +1 -1
  2. package/dist/adapters/prisma.d.ts +1 -1
  3. package/dist/api.cjs +1 -1
  4. package/dist/api.js +1 -1
  5. package/dist/client/plugins.d.cts +1 -1
  6. package/dist/client/plugins.d.ts +1 -1
  7. package/dist/{index-Dt4lZbQi.d.ts → index-Dd3_WG87.d.ts} +105 -103
  8. package/dist/{index-CgaJXZ9u.d.cts → index-Dp04oxSM.d.cts} +105 -103
  9. package/dist/index.cjs +2 -2
  10. package/dist/index.js +2 -2
  11. package/dist/plugin/custom-session.cjs +4 -4
  12. package/dist/plugin/custom-session.js +2 -2
  13. package/dist/plugins/admin.cjs +1 -1
  14. package/dist/plugins/admin.js +1 -1
  15. package/dist/plugins/anonymous.cjs +1 -1
  16. package/dist/plugins/anonymous.js +1 -1
  17. package/dist/plugins/bearer.cjs +1 -1
  18. package/dist/plugins/bearer.js +1 -1
  19. package/dist/plugins/email-otp.cjs +1 -1
  20. package/dist/plugins/email-otp.js +1 -1
  21. package/dist/plugins/generic-oauth.cjs +1 -1
  22. package/dist/plugins/generic-oauth.js +1 -1
  23. package/dist/plugins/jwt.cjs +2 -2
  24. package/dist/plugins/jwt.js +2 -2
  25. package/dist/plugins/multi-session.cjs +1 -1
  26. package/dist/plugins/multi-session.js +1 -1
  27. package/dist/plugins/one-tap.cjs +1 -1
  28. package/dist/plugins/one-tap.js +1 -1
  29. package/dist/plugins/open-api.cjs +1 -1
  30. package/dist/plugins/open-api.js +1 -1
  31. package/dist/plugins/organization.cjs +4 -4
  32. package/dist/plugins/organization.d.cts +1 -1
  33. package/dist/plugins/organization.d.ts +1 -1
  34. package/dist/plugins/organization.js +2 -2
  35. package/dist/plugins/passkey.cjs +1 -1
  36. package/dist/plugins/passkey.js +1 -1
  37. package/dist/plugins/phone-number.cjs +1 -1
  38. package/dist/plugins/phone-number.js +1 -1
  39. package/dist/plugins/two-factor.cjs +1 -1
  40. package/dist/plugins/two-factor.js +1 -1
  41. package/dist/plugins/username.cjs +1 -1
  42. package/dist/plugins/username.js +1 -1
  43. package/dist/plugins.cjs +3 -3
  44. package/dist/plugins.d.cts +1 -1
  45. package/dist/plugins.d.ts +1 -1
  46. package/dist/plugins.js +4 -4
  47. package/package.json +1 -1
package/dist/plugin/custom-session.js CHANGED
@@ -1,6 +1,6 @@
1
1
  import{z as W}from"zod";import{APIError as za,createRouter as qa,getCookie as Fa,getSignedCookie as Ma,setCookie as Ha,setSignedCookie as Ga}from"better-call";import{APIError as Je}from"better-call";import{createEndpointCreator as He,createMiddleware as le,createMiddlewareCreator as Ge}from"better-call";var ue=le(async()=>({})),z=Ge({use:[ue,le(async()=>({}))]}),m=He({use:[ue]});function oe(e){return e==="-"||e==="^"||e==="$"||e==="+"||e==="."||e==="("||e===")"||e==="|"||e==="["||e==="]"||e==="{"||e==="}"||e==="*"||e==="?"||e==="\\"?`\\${e}`:e}function We(e){let t="";for(let r=0;r<e.length;r++)t+=oe(e[r]);return t}function pe(e,t=!0){if(Array.isArray(e))return`(?:${e.map(u=>`^${pe(u,t)}$`).join("|")})`;let r="",o="",i=".";t===!0?(r="/",o="[/\\\\]",i="[^/\\\\]"):t&&(r=t,o=We(r),o.length>1?(o=`(?:${o})`,i=`((?!${o}).)`):i=`[^${o}]`);let n=t?`${o}+?`:"",s=t?`${o}*?`:"",c=t?e.split(r):[e],a="";for(let d=0;d<c.length;d++){let u=c[d],f=c[d+1],A="";if(!(!u&&d>0)){if(t&&(d===c.length-1?A=s:f!=="**"?A=n:A=""),t&&u==="**"){A&&(a+=d===0?"":A,a+=`(?:${i}*?${A})*?`);continue}for(let h=0;h<u.length;h++){let y=u[h];y==="\\"?h<u.length-1&&(a+=oe(u[h+1]),h++):y==="?"?a+=i:y==="*"?a+=`${i}*?`:a+=oe(y)}a+=A}}return a}function Ze(e,t){if(typeof t!="string")throw new TypeError(`Sample must be a string, but ${typeof t} given`);return e.test(t)}function ie(e,t){if(typeof e!="string"&&!Array.isArray(e))throw new TypeError(`The first argument must be a single pattern string or an array of patterns, but ${typeof e} given`);if((typeof t=="string"||typeof t=="boolean")&&(t={separator:t}),arguments.length===2&&!(typeof t>"u"||typeof t=="object"&&t!==null&&!Array.isArray(t)))throw new TypeError(`The second argument must be an options object or a string/boolean separator, but ${typeof t} given`);if(t=t||{},t.separator==="\\")throw new Error("\\ is not a valid separator because it is used for escaping. Try setting the separator to `true` instead");let r=pe(e,t.separator),o=new RegExp(`^${r}$`,t.flags),i=Ze.bind(null,o);return i.options=t,i.pattern=e,i.regexp=o,i}var Z=Object.create(null),q=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?Z:globalThis),me=new Proxy(Z,{get(e,t){return q()[t]??Z[t]},has(e,t){let r=q();return t in r||t in Z},set(e,t,r){let o=q(!0);return o[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=q(!0);return delete r[t],!0},ownKeys(){let e=q(!0);return Object.keys(e)}});function Qe(e){return e?e!=="false":!1}var ne=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var se=ne==="dev"||ne==="development",Ke=ne==="test"||Qe(me.TEST);var j=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r,this.stack=""}};function fe(e){try{return new URL(e).origin}catch{return null}}function ge(e){return e.includes("://")?new URL(e).host:e}var Ye=z(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:o}=e,i=e.headers?.get("origin")||e.headers?.get("referer")||"",n=t?.callbackURL||r?.callbackURL,s=t?.redirectTo,c=r?.currentURL,a=t?.errorCallbackURL,d=t?.newUserCallbackURL,u=o.trustedOrigins,f=e.headers?.has("cookie"),A=(y,E)=>y.startsWith("/")?!1:E.includes("*")?ie(E)(ge(y)):y.startsWith(E),h=(y,E)=>{if(!y)return;if(!u.some(te=>A(y,te)||y?.startsWith("/")&&E!=="origin"&&!y.includes(":")))throw e.context.logger.error(`Invalid ${E}: ${y}`),e.context.logger.info(`If it's a valid URL, please add ${y} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${u}`),new Je("FORBIDDEN",{message:`Invalid ${E}`})};f&&!e.context.options.advanced?.disableCSRFCheck&&h(i,"origin"),n&&h(n,"callbackURL"),s&&h(s,"redirectURL"),c&&h(c,"currentURL"),a&&h(a,"errorCallbackURL"),d&&h(s,"newUserCallbackURL")});import{APIError as k}from"better-call";import{z as b}from"zod";import{TimeSpan as Cr}from"oslo";import{base64url as rt}from"oslo/encoding";import{HMAC as he,sha256 as Or}from"oslo/crypto";async function et({value:e,secret:t}){return new he("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function tt({value:e,signature:t,secret:r}){return new he("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var Q={sign:et,verify:tt};var B=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function T(e,t,r,o){let i=e.context.authCookies.sessionToken.options,n=r?void 0:e.context.sessionConfig.expiresIn;if(await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...i,maxAge:n,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled){let c=rt.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:B(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await Q.sign({value:JSON.stringify(t),secret:e.context.secret})})),{includePadding:!1});if(c.length>4093)throw new j("Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data");e.setCookie(e.context.authCookies.sessionData.name,c,e.context.authCookies.sessionData.options)}e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function I(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}import{betterFetch as ct}from"@better-fetch/fetch";import{APIError as dt}from"better-call";import{decodeProtectedHeader as lt,importJWK as ut,jwtVerify as pt}from"jose";import{parseJWT as mt}from"oslo/jwt";import{sha256 as ot}from"oslo/crypto";import{base64url as it}from"oslo/encoding";async function we(e){let t=await ot(new TextEncoder().encode(e));return it.encode(new Uint8Array(t),{includePadding:!1})}function K(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?B(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function w({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:i,scopes:n,claims:s,redirectURI:c,duration:a}){let d=new URL(r);if(d.searchParams.set("response_type","code"),d.searchParams.set("client_id",t.clientId),d.searchParams.set("state",o),d.searchParams.set("scope",n.join(" ")),d.searchParams.set("redirect_uri",t.redirectURI||c),i){let u=await we(i);d.searchParams.set("code_challenge_method","S256"),d.searchParams.set("code_challenge",u)}if(s){let u=s.reduce((f,A)=>(f[A]=null,f),{});d.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...u}}))}return a&&d.searchParams.set("duration",a),d}import{betterFetch as nt}from"@better-fetch/fetch";async function g({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:i,authentication:n}){let s=new URLSearchParams,c={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),n==="basic"){let f=btoa(`${o.clientId}:${o.clientSecret}`);c.authorization=`Basic ${f}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:d}=await nt(i,{method:"POST",body:s,headers:c});if(d)throw d;return K(a)}import{generateCodeVerifier as st,generateState as at}from"oslo/oauth2";import{z as P}from"zod";import{APIError as ye}from"better-call";async function J(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?fe(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new ye("BAD_REQUEST",{message:"callbackURL is required"});let o=st(),i=at(),n=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,newUserURL:e.body?.newUserCallbackURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let c=await e.context.internalAdapter.createVerificationValue({value:n,identifier:i,expiresAt:s});if(!c)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new ye("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:c.identifier,codeVerifier:o}}async function be(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=P.object({callbackURL:P.string(),codeVerifier:P.string(),errorURL:P.string().optional(),newUserURL:P.string().optional(),expiresAt:P.number(),link:P.object({email:P.string(),userId:P.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Ae=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:i}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${i||e.redirectURI}&scope=${n.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>g({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let i=lt(r),{kid:n,alg:s}=i;if(!n||!s)return!1;let c=await ft(n),{payload:a}=await pt(r,c,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{a[d]!==void 0&&(a[d]=!!a[d])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=mt(r.idToken)?.payload;if(!o)return null;let i=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:i,emailVerified:!1,email:o.email,...n},data:o}}}},ft=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await ct(`${t}${r}`);if(!o?.keys)throw new dt("BAD_REQUEST",{message:"Keys not found"});let i=o.keys.find(n=>n.kid===e);if(!i)throw new Error(`JWK with kid ${e} not found`);return await ut(i,i.alg)};import{betterFetch as gt}from"@better-fetch/fetch";var Re=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["identify","email"];return e.scope&&i.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${i.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await gt("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let n=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${n}`}let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...i},data:r}}});import{betterFetch as ht}from"@better-fetch/fetch";var ke=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["email","public_profile"];return e.scope&&i.push(...e.scope),await w({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:i,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await ht("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...i},data:r}}});import{betterFetch as Ee}from"@better-fetch/fetch";var Ue=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:i,redirectURI:n}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),w({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:n})},validateAuthorizationCode:async({code:r,redirectURI:o})=>g({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await Ee("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(i)return null;let n=!1;if(!o.email){let{data:c,error:a}=await Ee("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(c.find(d=>d.primary)??c[0])?.email,n=c.find(d=>d.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n,...s},data:o}}}};import{parseJWT as Rt}from"oslo/jwt";import{createConsola as wt}from"consola";var ae=["info","success","warn","error","debug"];function yt(e,t){return ae.indexOf(t)<=ae.indexOf(e)}var bt=wt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),At=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(i,n,s=[])=>{if(!(!t||!yt(r,i))){if(!e||typeof e.log!="function"){bt[i]("",n,...s);return}e.log(i==="success"?"info":i,n,s)}};return Object.fromEntries(ae.map(i=>[i,(...[n,...s])=>o(i,n,s)]))},O=At();import{betterFetch as kt}from"@better-fetch/fetch";var _e=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){if(!e.clientId||!e.clientSecret)throw O.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new j("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new j("codeVerifier is required for Google");let n=r||["email","profile","openid"];e.scope&&n.push(...e.scope);let s=await w({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:t,codeVerifier:o,redirectURI:i});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:i}=await kt(o);return i?i.aud===e.clientId&&i.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=Rt(t.idToken)?.payload,o=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...o},data:r}}});import{betterFetch as Et}from"@better-fetch/fetch";import{parseJWT as Ut}from"oslo/jwt";var Te=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(i){let n=i.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),w({id:"microsoft",options:e,authorizationEndpoint:r,state:i.state,codeVerifier:i.codeVerifier,scopes:n,redirectURI:i.redirectURI})},validateAuthorizationCode({code:i,codeVerifier:n,redirectURI:s}){return g({code:i,codeVerifier:n,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let n=Ut(i.idToken)?.payload,s=e.profilePhotoSize||48;await Et(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${i.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let u=await a.response.clone().arrayBuffer(),f=Buffer.from(u).toString("base64");n.picture=`data:image/jpeg;base64, ${f}`}catch(d){O.error(d&&typeof d=="object"&&"name"in d?d.name:"",d)}}});let c=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0,...c},data:n}}}};import{betterFetch as _t}from"@better-fetch/fetch";var Se=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){let n=r||["user-read-email"];return e.scope&&n.push(...e.scope),w({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:t,codeVerifier:o,redirectURI:i})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await _t("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...i},data:r}}});var $={isAction:!1};import{nanoid as Tt}from"nanoid";var Oe=e=>Tt(e);import{parseJWT as St}from"oslo/jwt";var ve=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["user:read:email","openid"];return e.scope&&i.push(...e.scope),w({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:i,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return O.error("No idToken found in token"),null;let o=St(r)?.payload,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...i},data:o}}});import{betterFetch as Ot}from"@better-fetch/fetch";var xe=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),w({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await Ot("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...i},data:r}}});import{betterFetch as vt}from"@better-fetch/fetch";var Ie=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:i,redirectURI:n})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await w({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:n,codeVerifier:i})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>await g({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await vt("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(i)return null;let n=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...n},data:o}}}};import{betterFetch as xt}from"@better-fetch/fetch";var Le=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:i,redirectURI:n})=>{let s=i||["profile","email","openid"];return e.scope&&s.push(...e.scope),await w({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:i})=>await g({code:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:i,error:n}=await xt("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(n)return null;let s=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,emailVerified:i.email_verified||!1,image:i.picture,...s},data:i}}}};import{betterFetch as It}from"@better-fetch/fetch";var ce=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Lt=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:ce(`${t}/oauth/authorize`),tokenEndpoint:ce(`${t}/oauth/token`),userinfoEndpoint:ce(`${t}/api/v4/user`)}},Pe=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=Lt(e.issuer),i="gitlab";return{id:i,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:c,codeVerifier:a,redirectURI:d})=>{let u=c||["read_user"];return e.scope&&u.push(...e.scope),await w({id:i,options:e,authorizationEndpoint:t,scopes:u,state:s,redirectURI:d,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:c,codeVerifier:a})=>g({code:s,redirectURI:e.redirectURI||c,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:c,error:a}=await It(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||c.state!=="active"||c.locked)return null;let d=await e.mapProfileToUser?.(c);return{user:{id:c.id.toString(),name:c.name??c.username,email:c.email,image:c.avatar_url,emailVerified:!0,...d},data:c}}}};import{betterFetch as De}from"@better-fetch/fetch";var Ce=e=>({id:"reddit",name:"Reddit",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["identity"];return e.scope&&i.push(...e.scope),w({id:"reddit",options:e,authorizationEndpoint:"https://www.reddit.com/api/v1/authorize",scopes:i,state:t,redirectURI:o,duration:e.duration})},validateAuthorizationCode:async({code:t,redirectURI:r})=>{let o=new URLSearchParams({grant_type:"authorization_code",code:t,redirect_uri:e.redirectURI||r}),i={"content-type":"application/x-www-form-urlencoded",accept:"text/plain","user-agent":"better-auth",Authorization:`Basic ${Buffer.from(`${e.clientId}:${e.clientSecret}`).toString("base64")}`},{data:n,error:s}=await De("https://www.reddit.com/api/v1/access_token",{method:"POST",headers:i,body:o.toString()});if(s)throw s;return K(n)},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await De("https://oauth.reddit.com/api/v1/me",{headers:{Authorization:`Bearer ${t.accessToken}`,"User-Agent":"better-auth"}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.oauth_client_id,emailVerified:r.has_verified_email,image:r.icon_img?.split("?")[0],...i},data:r}}});var Pt={apple:Ae,discord:Re,facebook:ke,github:Ue,microsoft:Te,google:_e,spotify:Se,twitch:ve,twitter:xe,dropbox:Ie,linkedin:Le,gitlab:Pe,reddit:Ce},Y=Object.keys(Pt);import{TimeSpan as jt}from"oslo";import{createJWT as Bt,validateJWT as Vt}from"oslo/jwt";import{z as v}from"zod";import{APIError as F}from"better-call";import{APIError as D}from"better-call";import{z as V}from"zod";function Ne(e){try{return JSON.parse(e)}catch{return null}}var l={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var je=()=>m("/get-session",{method:"GET",query:V.optional(V.object({disableCookieCache:V.boolean({description:"Disable cookie cache and fetch session from database"}).or(V.string().transform(e=>e==="true")).optional(),disableRefresh:V.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?Ne(Buffer.from(r,"base64").toString()):null;if(o&&!await Q.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return I(e),e.json(null);let i=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let u=o.session;if(o.expiresAt<Date.now()||u.session.expiresAt<new Date){let A=e.context.authCookies.sessionData.name;e.setCookie(A,"",{maxAge:0})}else return e.json(u)}let n=await e.context.internalAdapter.findSession(t);if(e.context.session=n,!n||n.session.expiresAt<new Date)return I(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(i||e.query?.disableRefresh)return e.json(n);let s=e.context.sessionConfig.expiresIn,c=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-s*1e3+c*1e3<=Date.now()){let u=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:B(e.context.sessionConfig.expiresIn,"sec")});if(!u)return I(e),e.json(null,{status:401});let f=(u.expiresAt.valueOf()-Date.now())/1e3;return await T(e,{session:u,user:n.user},!1,{maxAge:f}),e.json({session:u,user:n.user})}return e.json(n)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new D("INTERNAL_SERVER_ERROR",{message:l.FAILED_TO_GET_SESSION})}}),C=async(e,t)=>{if(e.context.session)return e.context.session;let r=await je()({...e,_flag:"json",headers:e.headers,query:t}).catch(o=>null);return e.context.session=r,r},L=z(async e=>{let t=await C(e);if(!t?.session)throw new D("UNAUTHORIZED");return{session:t}}),Be=z(async e=>{let t=await C(e);if(!t?.session)throw new D("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.createdAt.valueOf(),i=Date.now();if(!(o+r*1e3>i))throw new D("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var Dt=m("/revoke-session",{method:"POST",body:V.object({token:V.string({description:"The token to revoke"})}),use:[L],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new D("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new D("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new D("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Ct=m("/revoke-sessions",{method:"POST",use:[L],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new D("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Nt=m("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[L],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new D("UNAUTHORIZED");let i=(await e.context.internalAdapter.listSessions(t.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(i.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function N(e,t,r){return await Bt("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new jt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function $t(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:r},e.request)}var zt=m("/send-verification-email",{method:"POST",query:v.object({currentURL:v.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:v.object({email:v.string({description:"The email to send the verification email to"}).email(),callbackURL:v.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new F("BAD_REQUEST",{message:l.USER_NOT_FOUND});return await $t(e,r.user),e.json({status:!0})}),qt=m("/verify-email",{method:"GET",query:v.object({token:v.string({description:"The token to verify the email"}),callbackURL:v.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(c){throw e.query.callbackURL?e.query.callbackURL.includes("?")?e.redirect(`${e.query.callbackURL}&error=${c}`):e.redirect(`${e.query.callbackURL}?error=${c}`):new F("UNAUTHORIZED",{message:c})}let{token:r}=e.query,o;try{o=await Vt("HS256",Buffer.from(e.context.secret),r)}catch(c){return e.context.logger.error("Failed to verify email",c),t("invalid_token")}let n=v.object({email:v.string().email(),updateTo:v.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return t("user_not_found");if(n.updateTo){let c=await C(e);if(!c){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(c.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo,emailVerified:!1}),d=await N(e.context.secret,n.updateTo);if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${d}`,token:d},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await C(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new F("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await T(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function X(e,{userInfo:t,account:r,callbackURL:o}){let i=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(a=>{throw O.error(`Better auth was unable to query your database.
3
- Error: `,a),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=i?.user,s=!n;if(i){let a=i.accounts.find(d=>d.providerId===r.providerId);if(a){let d=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([u,f])=>f!==void 0));Object.keys(d).length>0&&await e.context.internalAdapter.updateAccount(a.id,d)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return se&&O.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:i.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(f){return O.error("Unable to link account",f),{error:"unable to link account",data:null}}n=await e.context.internalAdapter.updateUser(i.user.id,{...t,updatedAt:new Date})}}else if(n=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(a=>a?.user),!t.emailVerified&&n&&e.context.options.emailVerification?.sendOnSignUp){let a=await N(e.context.secret,n.email),d=`${e.context.baseURL}/verify-email?token=${a}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:d,token:a},e.request)}if(!n)return{error:"unable to create user",data:null,isRegister:!1};let c=await e.context.internalAdapter.createSession(n.id,e.request);return c?{data:{session:c,user:n},error:null,isRegister:s}:{error:"unable to create session",data:null,isRegister:!1}}var Ft=m("/sign-in/social",{method:"POST",query:b.object({currentURL:b.string().optional()}).optional(),body:b.object({callbackURL:b.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),newUserCallbackURL:b.string().optional(),errorCallbackURL:b.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:b.enum(Y,{description:"OAuth2 provider to use"}),disableRedirect:b.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:b.optional(b.object({token:b.string({description:"ID token from the provider"}),nonce:b.string({description:"Nonce used to generate the token"}).optional(),accessToken:b.string({description:"Access token from the provider"}).optional(),refreshToken:b.string({description:"Refresh token from the provider"}).optional(),expiresAt:b.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new k("NOT_FOUND",{message:l.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new k("NOT_FOUND",{message:l.ID_TOKEN_NOT_SUPPORTED});let{token:n,nonce:s}=e.body.idToken;if(!await t.verifyIdToken(n,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new k("UNAUTHORIZED",{message:l.INVALID_TOKEN});let a=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new k("UNAUTHORIZED",{message:l.FAILED_TO_GET_USER_INFO});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new k("UNAUTHORIZED",{message:l.USER_EMAIL_NOT_FOUND});let d=await X(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:t.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new k("UNAUTHORIZED",{message:d.error});return await T(e,d.data),e.json({session:d.data.session,user:d.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:o}=await J(e),i=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:i.toString(),redirect:!e.body.disableRedirect})}),Mt=m("/sign-in/email",{method:"POST",body:b.object({email:b.string({description:"Email of the user"}),password:b.string({description:"Password of the user"}),callbackURL:b.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:b.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new k("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!b.string().email().safeParse(t).success)throw new k("BAD_REQUEST",{message:l.INVALID_EMAIL});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new k("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});let n=i.accounts.find(d=>d.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new k("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});let s=n?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new k("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:s,password:r}))throw e.context.logger.error("Invalid password"),new k("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new k("UNAUTHORIZED",{message:l.EMAIL_NOT_VERIFIED});let d=await N(e.context.secret,i.user.email),u=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:u,token:d},e.request),e.context.logger.error("Email not verified",{email:t}),new k("FORBIDDEN",{message:l.EMAIL_NOT_VERIFIED})}let a=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new k("UNAUTHORIZED",{message:l.FAILED_TO_CREATE_SESSION});return await T(e,{session:a,user:i.user},e.body.rememberMe===!1),e.json({user:{id:i.user.id,email:i.user.email,name:i.user.name,image:i.user.image,emailVerified:i.user.emailVerified,createdAt:i.user.createdAt,updatedAt:i.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as M}from"zod";var ee=M.object({code:M.string().optional(),error:M.string().optional(),error_description:M.string().optional(),state:M.string().optional()}),Ht=m("/callback/:id",{method:["GET","POST"],body:ee.optional(),query:ee.optional(),metadata:$},async e=>{let t;try{if(e.method==="GET")t=ee.parse(e.query);else if(e.method==="POST")t=ee.parse(e.body);else throw new Error("Unsupported method")}catch(_){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",_),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:o,state:i,error_description:n}=t;if(!i)throw e.context.logger.error("State not found",o),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}&error_description=${n}`);let s=e.context.socialProviders.find(_=>_.id===e.params.id);if(!s)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:c,callbackURL:a,link:d,errorURL:u,newUserURL:f}=await be(e),A;try{A=await s.validateAuthorizationCode({code:r,codeVerifier:c,redirectURI:`${e.context.baseURL}/callback/${s.id}`})}catch(_){throw e.context.logger.error("",_),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let h=await s.getUserInfo(A).then(_=>_?.user);function y(_){let x=u||a||`${e.context.baseURL}/error`;throw x.includes("?")?x=`${x}&error=${_}`:x=`${x}?error=${_}`,e.redirect(x)}if(!h)return e.context.logger.error("Unable to get user info"),y("unable_to_get_user_info");if(!h.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),y("email_not_found");if(!a)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(d){if(d.email!==h.email.toLowerCase())return y("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:d.userId,providerId:s.id,accountId:h.id}))return y("unable_to_link_account");let x;try{x=a.toString()}catch{x=a}throw e.redirect(x)}let E=await X(e,{userInfo:{...h,email:h.email,name:h.name||h.email},account:{providerId:s.id,accountId:h.id,...A,scope:A.scopes?.join(",")},callbackURL:a});if(E.error)return e.context.logger.error(E.error.split(" ").join("_")),y(E.error.split(" ").join("_"));let{session:de,user:te}=E.data;await T(e,{session:de,user:te});let re;try{re=(E.isRegister&&f||a).toString()}catch{re=E.isRegister&&f||a}throw e.redirect(re)});import"zod";import{APIError as Gt}from"better-call";var Wt=m("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw I(e),new Gt("BAD_REQUEST",{message:l.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),I(e),e.json({success:!0})});import{z as S}from"zod";import{APIError as H}from"better-call";function Ve(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}function Zt(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}var Qt=m("/forget-password",{method:"POST",body:S.object({email:S.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:S.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new H("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let i=60*60*1,n=B(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||i,"sec"),s=Oe(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id.toString(),identifier:`reset-password:${s}`,expiresAt:n});let c=`${e.context.baseURL}/reset-password/${s}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:c,token:s},e.request),e.json({status:!0})}),Kt=m("/reset-password/:token",{method:"GET",query:S.object({callbackURL:S.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(Ve(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(Ve(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Zt(e.context,r,{token:t}))}),Jt=m("/reset-password",{query:S.optional(S.object({token:S.string().optional(),currentURL:S.string().optional()})),method:"POST",body:S.object({newPassword:S.string({description:"The new password to set"}),token:S.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new H("BAD_REQUEST",{message:l.INVALID_TOKEN});let{newPassword:r}=e.body,o=e.context.password?.config.minPasswordLength,i=e.context.password?.config.maxPasswordLength;if(r.length<o)throw new H("BAD_REQUEST",{message:l.PASSWORD_TOO_SHORT});if(r.length>i)throw new H("BAD_REQUEST",{message:l.PASSWORD_TOO_LONG});let n=`reset-password:${t}`,s=await e.context.internalAdapter.findVerificationValue(n);if(!s||s.expiresAt<new Date)throw new H("BAD_REQUEST",{message:l.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(s.id);let c=s.value,a=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(c)).find(f=>f.providerId==="credential")?(await e.context.internalAdapter.updatePassword(c,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:c,providerId:"credential",password:a,accountId:c}),e.json({status:!0}))});import{z as U}from"zod";import{APIError as R}from"better-call";import{z as p}from"zod";import{APIError as Qn}from"better-call";var Kn=p.object({id:p.string(),providerId:p.string(),accountId:p.string(),userId:p.string(),accessToken:p.string().nullish(),refreshToken:p.string().nullish(),idToken:p.string().nullish(),accessTokenExpiresAt:p.date().nullish(),refreshTokenExpiresAt:p.date().nullish(),scope:p.string().nullish(),password:p.string().nullish(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date)}),Jn=p.object({id:p.string(),email:p.string().transform(e=>e.toLowerCase()),emailVerified:p.boolean().default(!1),name:p.string(),image:p.string().nullish(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date)}),Yn=p.object({id:p.string(),userId:p.string(),expiresAt:p.date(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date),token:p.string(),ipAddress:p.string().nullish(),userAgent:p.string().nullish()}),Xn=p.object({id:p.string(),value:p.string(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date),expiresAt:p.date(),identifier:p.string()});import{xchacha20poly1305 as ms}from"@noble/ciphers/chacha";import{bytesToHex as gs,hexToBytes as hs,utf8ToBytes as ws}from"@noble/ciphers/utils";import{managedNonce as bs}from"@noble/ciphers/webcrypto";import{sha256 as Rs}from"oslo/crypto";import Es from"uncrypto";import{decodeHex as rs,encodeHex as os}from"oslo/encoding";import{scryptAsync as ss}from"@noble/hashes/scrypt";import{getRandomValues as cs}from"uncrypto";import $e from"uncrypto";function Yt(e){return e.toString(2).padStart(8,"0")}function Xt(e){return[...e].map(t=>Yt(t)).join("")}function ze(e){return parseInt(Xt(e),2)}function er(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new Uint8Array(Math.ceil(t/8));$e.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let i=ze(o);for(;i>=e;)$e.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),i=ze(o);return i}function qe(e,t){let r="";for(let o=0;o<e;o++)r+=t[er(t.length)];return r}function Fe(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var rr=m("/change-password",{method:"POST",body:U.object({newPassword:U.string({description:"The new password to set"}),currentPassword:U.string({description:"The current password"}),revokeOtherSessions:U.boolean({description:"Revoke all other sessions"}).optional()}),use:[L],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,i=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new R("BAD_REQUEST",{message:l.PASSWORD_TOO_SHORT});let s=e.context.password.config.maxPasswordLength;if(t.length>s)throw e.context.logger.error("Password is too long"),new R("BAD_REQUEST",{message:l.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(f=>f.providerId==="credential"&&f.password);if(!a||!a.password)throw new R("BAD_REQUEST",{message:l.CREDENTIAL_ACCOUNT_NOT_FOUND});let d=await e.context.password.hash(t);if(!await e.context.password.verify({hash:a.password,password:r}))throw new R("BAD_REQUEST",{message:l.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(a.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(i.user.id);let f=await e.context.internalAdapter.createSession(i.user.id,e.headers);if(!f)throw new R("INTERNAL_SERVER_ERROR",{message:l.FAILED_TO_GET_SESSION});await T(e,{session:f,user:i.user})}return e.json(i.user)}),or=m("/set-password",{method:"POST",body:U.object({newPassword:U.string()}),metadata:{SERVER_ONLY:!0},use:[L]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new R("BAD_REQUEST",{message:l.PASSWORD_TOO_SHORT});let i=e.context.password.config.maxPasswordLength;if(t.length>i)throw e.context.logger.error("Password is too long"),new R("BAD_REQUEST",{message:l.PASSWORD_TOO_LONG});let s=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password),c=await e.context.password.hash(t);if(!s)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:c}),e.json(r.user);throw new R("BAD_REQUEST",{message:"user already has a password"})}),ir=m("/delete-user",{method:"POST",use:[Be],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new R("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let i=qe(32,Fe("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${i}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let n=`${e.context.baseURL}/delete-user/callback?token=${i}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:n,token:i},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),I(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(t.user,e.request),e.json({success:!0,message:"User deleted"})}),nr=m("/delete-user/callback",{method:"GET",query:U.object({token:U.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new R("NOT_FOUND");let t=await C(e);if(!t)throw new R("NOT_FOUND",{message:l.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new R("NOT_FOUND",{message:l.INVALID_TOKEN});if(r.value!==t.user.id)throw new R("NOT_FOUND",{message:l.INVALID_TOKEN});let o=e.context.options.user.deleteUser?.beforeDelete;o&&await o(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),I(e);let i=e.context.options.user.deleteUser?.afterDelete;return i&&await i(t.user,e.request),e.json({success:!0,message:"User deleted"})}),sr=m("/change-email",{method:"POST",query:U.object({currentURL:U.string().optional()}).optional(),body:U.object({newEmail:U.string({description:"The new email to set"}).email(),callbackURL:U.string({description:"The URL to redirect to after email verification"}).optional()}),use:[L],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new R("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new R("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new R("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let i=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:i,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new R("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:r},e.request),e.json({user:null,status:!0})});var ar=(e="Unknown")=>`<!DOCTYPE html>
2
+ `,`Current list of trustedOrigins: ${u}`),new Je("FORBIDDEN",{message:`Invalid ${E}`})};f&&!e.context.options.advanced?.disableCSRFCheck&&h(i,"origin"),n&&h(n,"callbackURL"),s&&h(s,"redirectURL"),c&&h(c,"currentURL"),a&&h(a,"errorCallbackURL"),d&&h(s,"newUserCallbackURL")});import{APIError as k}from"better-call";import{z as b}from"zod";import{TimeSpan as Cr}from"oslo";import{base64url as rt}from"oslo/encoding";import{HMAC as he,sha256 as Sr}from"oslo/crypto";async function et({value:e,secret:t}){return new he("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(o=>Buffer.from(o).toString("base64"))}function tt({value:e,signature:t,secret:r}){return new he("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var Q={sign:et,verify:tt};var B=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function T(e,t,r,o){let i=e.context.authCookies.sessionToken.options,n=r?void 0:e.context.sessionConfig.expiresIn;if(await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...i,maxAge:n,...o}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled){let c=rt.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:B(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await Q.sign({value:JSON.stringify(t),secret:e.context.secret})})),{includePadding:!1});if(c.length>4093)throw new j("Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data");e.setCookie(e.context.authCookies.sessionData.name,c,e.context.authCookies.sessionData.options)}e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function I(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}import{betterFetch as ct}from"@better-fetch/fetch";import{APIError as dt}from"better-call";import{decodeProtectedHeader as lt,importJWK as ut,jwtVerify as pt}from"jose";import{parseJWT as mt}from"oslo/jwt";import{sha256 as ot}from"oslo/crypto";import{base64url as it}from"oslo/encoding";async function we(e){let t=await ot(new TextEncoder().encode(e));return it.encode(new Uint8Array(t),{includePadding:!1})}function K(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?B(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function w({id:e,options:t,authorizationEndpoint:r,state:o,codeVerifier:i,scopes:n,claims:s,redirectURI:c,duration:a}){let d=new URL(r);if(d.searchParams.set("response_type","code"),d.searchParams.set("client_id",t.clientId),d.searchParams.set("state",o),d.searchParams.set("scope",n.join(" ")),d.searchParams.set("redirect_uri",t.redirectURI||c),i){let u=await we(i);d.searchParams.set("code_challenge_method","S256"),d.searchParams.set("code_challenge",u)}if(s){let u=s.reduce((f,A)=>(f[A]=null,f),{});d.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...u}}))}return a&&d.searchParams.set("duration",a),d}import{betterFetch as nt}from"@better-fetch/fetch";async function g({code:e,codeVerifier:t,redirectURI:r,options:o,tokenEndpoint:i,authentication:n}){let s=new URLSearchParams,c={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(s.set("grant_type","authorization_code"),s.set("code",e),t&&s.set("code_verifier",t),s.set("redirect_uri",r),n==="basic"){let f=btoa(`${o.clientId}:${o.clientSecret}`);c.authorization=`Basic ${f}`}else s.set("client_id",o.clientId),s.set("client_secret",o.clientSecret);let{data:a,error:d}=await nt(i,{method:"POST",body:s,headers:c});if(d)throw d;return K(a)}import{generateCodeVerifier as st,generateState as at}from"oslo/oauth2";import{z as P}from"zod";import{APIError as ye}from"better-call";async function J(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?fe(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new ye("BAD_REQUEST",{message:"callbackURL is required"});let o=st(),i=at(),n=JSON.stringify({callbackURL:r,codeVerifier:o,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,newUserURL:e.body?.newUserCallbackURL,link:t,expiresAt:Date.now()+10*60*1e3}),s=new Date;s.setMinutes(s.getMinutes()+10);let c=await e.context.internalAdapter.createVerificationValue({value:n,identifier:i,expiresAt:s});if(!c)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new ye("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:c.identifier,codeVerifier:o}}async function be(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let o=P.object({callbackURL:P.string(),codeVerifier:P.string(),errorURL:P.string().optional(),newUserURL:P.string().optional(),expiresAt:P.number(),link:P.object({email:P.string(),userId:P.string()}).optional()}).parse(JSON.parse(r.value));if(o.errorURL||(o.errorURL=`${e.context.baseURL}/error`),o.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),o}var Ae=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:o,redirectURI:i}){let n=o||["email","name"];return e.scope&&n.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${i||e.redirectURI}&scope=${n.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>g({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async verifyIdToken(r,o){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,o);let i=lt(r),{kid:n,alg:s}=i;if(!n||!s)return!1;let c=await ft(n),{payload:a}=await pt(r,c,{algorithms:[s],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(d=>{a[d]!==void 0&&(a[d]=!!a[d])}),o&&a.nonce!==o?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let o=mt(r.idToken)?.payload;if(!o)return null;let i=o.user?`${o.user.name.firstName} ${o.user.name.lastName}`:o.email,n=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:i,emailVerified:!1,email:o.email,...n},data:o}}}},ft=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:o}=await ct(`${t}${r}`);if(!o?.keys)throw new dt("BAD_REQUEST",{message:"Keys not found"});let i=o.keys.find(n=>n.kid===e);if(!i)throw new Error(`JWK with kid ${e} not found`);return await ut(i,i.alg)};import{betterFetch as gt}from"@better-fetch/fetch";var Re=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["identify","email"];return e.scope&&i.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${i.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||o)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await gt("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(o)return null;if(r.avatar===null){let n=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${n}.png`}else{let n=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${n}`}let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...i},data:r}}});import{betterFetch as ht}from"@better-fetch/fetch";var ke=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["email","public_profile"];return e.scope&&i.push(...e.scope),await w({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:i,state:t,redirectURI:o})},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await ht("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...i},data:r}}});import{betterFetch as Ee}from"@better-fetch/fetch";var Ue=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:o,codeVerifier:i,redirectURI:n}){let s=o||["user:email"];return e.scope&&s.push(...e.scope),w({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:s,state:r,redirectURI:n})},validateAuthorizationCode:async({code:r,redirectURI:o})=>g({code:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await Ee("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(i)return null;let n=!1;if(!o.email){let{data:c,error:a}=await Ee("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(o.email=(c.find(d=>d.primary)??c[0])?.email,n=c.find(d=>d.email===o.email)?.verified??!1)}let s=await e.mapProfileToUser?.(o);return{user:{id:o.id.toString(),name:o.name||o.login,email:o.email,image:o.avatar_url,emailVerified:n,...s},data:o}}}};import{parseJWT as Rt}from"oslo/jwt";import{createConsola as wt}from"consola";var ae=["info","success","warn","error","debug"];function yt(e,t){return ae.indexOf(t)<=ae.indexOf(e)}var bt=wt({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),At=e=>{let t=e?.disabled!==!0,r=e?.level??"error",o=(i,n,s=[])=>{if(!(!t||!yt(r,i))){if(!e||typeof e.log!="function"){bt[i]("",n,...s);return}e.log(i==="success"?"info":i,n,s)}};return Object.fromEntries(ae.map(i=>[i,(...[n,...s])=>o(i,n,s)]))},S=At();import{betterFetch as kt}from"@better-fetch/fetch";var _e=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){if(!e.clientId||!e.clientSecret)throw S.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new j("CLIENT_ID_AND_SECRET_REQUIRED");if(!o)throw new j("codeVerifier is required for Google");let n=r||["email","profile","openid"];e.scope&&n.push(...e.scope);let s=await w({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:n,state:t,codeVerifier:o,redirectURI:i});return e.accessType&&s.searchParams.set("access_type",e.accessType),e.prompt&&s.searchParams.set("prompt",e.prompt),s},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let o=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:i}=await kt(o);return i?i.aud===e.clientId&&i.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=Rt(t.idToken)?.payload,o=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...o},data:r}}});import{betterFetch as Et}from"@better-fetch/fetch";import{parseJWT as Ut}from"oslo/jwt";var Te=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,o=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(i){let n=i.scopes||["openid","profile","email","User.Read"];return e.scope&&n.push(...e.scope),w({id:"microsoft",options:e,authorizationEndpoint:r,state:i.state,codeVerifier:i.codeVerifier,scopes:n,redirectURI:i.redirectURI})},validateAuthorizationCode({code:i,codeVerifier:n,redirectURI:s}){return g({code:i,codeVerifier:n,redirectURI:e.redirectURI||s,options:e,tokenEndpoint:o})},async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);if(!i.idToken)return null;let n=Ut(i.idToken)?.payload,s=e.profilePhotoSize||48;await Et(`https://graph.microsoft.com/v1.0/me/photos/${s}x${s}/$value`,{headers:{Authorization:`Bearer ${i.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let u=await a.response.clone().arrayBuffer(),f=Buffer.from(u).toString("base64");n.picture=`data:image/jpeg;base64, ${f}`}catch(d){S.error(d&&typeof d=="object"&&"name"in d?d.name:"",d)}}});let c=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.name,email:n.email,image:n.picture,emailVerified:!0,...c},data:n}}}};import{betterFetch as _t}from"@better-fetch/fetch";var Oe=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:o,redirectURI:i}){let n=r||["user-read-email"];return e.scope&&n.push(...e.scope),w({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:n,state:t,codeVerifier:o,redirectURI:i})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await _t("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...i},data:r}}});var $={isAction:!1};import{nanoid as Tt}from"nanoid";var Se=e=>Tt(e);import{parseJWT as Ot}from"oslo/jwt";var ve=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["user:read:email","openid"];return e.scope&&i.push(...e.scope),w({id:"twitch",redirectURI:o,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:i,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>g({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return S.error("No idToken found in token"),null;let o=Ot(r)?.payload,i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.preferred_username,email:o.email,image:o.picture,emailVerified:!1,...i},data:o}}});import{betterFetch as St}from"@better-fetch/fetch";var xe=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),w({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:o})=>g({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||o,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await St("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...i},data:r}}});import{betterFetch as vt}from"@better-fetch/fetch";var Ie=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:o,codeVerifier:i,redirectURI:n})=>{let s=o||["account_info.read"];return e.scope&&s.push(...e.scope),await w({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:s,state:r,redirectURI:n,codeVerifier:i})},validateAuthorizationCode:async({code:r,codeVerifier:o,redirectURI:i})=>await g({code:r,codeVerifier:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:o,error:i}=await vt("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(i)return null;let n=await e.mapProfileToUser?.(o);return{user:{id:o.account_id,name:o.name?.display_name,email:o.email,emailVerified:o.email_verified||!1,image:o.profile_photo_url,...n},data:o}}}};import{betterFetch as xt}from"@better-fetch/fetch";var Le=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:o,scopes:i,redirectURI:n})=>{let s=i||["profile","email","openid"];return e.scope&&s.push(...e.scope),await w({id:"linkedin",options:e,authorizationEndpoint:t,scopes:s,state:o,redirectURI:n})},validateAuthorizationCode:async({code:o,redirectURI:i})=>await g({code:o,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:r}),async getUserInfo(o){let{data:i,error:n}=await xt("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${o.accessToken}`}});if(n)return null;let s=await e.mapProfileToUser?.(i);return{user:{id:i.sub,name:i.name,email:i.email,emailVerified:i.email_verified||!1,image:i.picture,...s},data:i}}}};import{betterFetch as It}from"@better-fetch/fetch";var ce=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Lt=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:ce(`${t}/oauth/authorize`),tokenEndpoint:ce(`${t}/oauth/token`),userinfoEndpoint:ce(`${t}/api/v4/user`)}},Pe=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:o}=Lt(e.issuer),i="gitlab";return{id:i,name:"Gitlab",createAuthorizationURL:async({state:s,scopes:c,codeVerifier:a,redirectURI:d})=>{let u=c||["read_user"];return e.scope&&u.push(...e.scope),await w({id:i,options:e,authorizationEndpoint:t,scopes:u,state:s,redirectURI:d,codeVerifier:a})},validateAuthorizationCode:async({code:s,redirectURI:c,codeVerifier:a})=>g({code:s,redirectURI:e.redirectURI||c,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(s){if(e.getUserInfo)return e.getUserInfo(s);let{data:c,error:a}=await It(o,{headers:{authorization:`Bearer ${s.accessToken}`}});if(a||c.state!=="active"||c.locked)return null;let d=await e.mapProfileToUser?.(c);return{user:{id:c.id.toString(),name:c.name??c.username,email:c.email,image:c.avatar_url,emailVerified:!0,...d},data:c}}}};import{betterFetch as De}from"@better-fetch/fetch";var Ce=e=>({id:"reddit",name:"Reddit",createAuthorizationURL({state:t,scopes:r,redirectURI:o}){let i=r||["identity"];return e.scope&&i.push(...e.scope),w({id:"reddit",options:e,authorizationEndpoint:"https://www.reddit.com/api/v1/authorize",scopes:i,state:t,redirectURI:o,duration:e.duration})},validateAuthorizationCode:async({code:t,redirectURI:r})=>{let o=new URLSearchParams({grant_type:"authorization_code",code:t,redirect_uri:e.redirectURI||r}),i={"content-type":"application/x-www-form-urlencoded",accept:"text/plain","user-agent":"better-auth",Authorization:`Basic ${Buffer.from(`${e.clientId}:${e.clientSecret}`).toString("base64")}`},{data:n,error:s}=await De("https://www.reddit.com/api/v1/access_token",{method:"POST",headers:i,body:o.toString()});if(s)throw s;return K(n)},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:o}=await De("https://oauth.reddit.com/api/v1/me",{headers:{Authorization:`Bearer ${t.accessToken}`,"User-Agent":"better-auth"}});if(o)return null;let i=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.oauth_client_id,emailVerified:r.has_verified_email,image:r.icon_img?.split("?")[0],...i},data:r}}});var Pt={apple:Ae,discord:Re,facebook:ke,github:Ue,microsoft:Te,google:_e,spotify:Oe,twitch:ve,twitter:xe,dropbox:Ie,linkedin:Le,gitlab:Pe,reddit:Ce},Y=Object.keys(Pt);import{TimeSpan as jt}from"oslo";import{createJWT as Bt,validateJWT as Vt}from"oslo/jwt";import{z as v}from"zod";import{APIError as F}from"better-call";import{APIError as D}from"better-call";import{z as V}from"zod";function Ne(e){try{return JSON.parse(e)}catch{return null}}var l={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var je=()=>m("/get-session",{method:"GET",query:V.optional(V.object({disableCookieCache:V.boolean({description:"Disable cookie cache and fetch session from database"}).or(V.string().transform(e=>e==="true")).optional(),disableRefresh:V.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),o=r?Ne(Buffer.from(r,"base64").toString()):null;if(o&&!await Q.verify({value:JSON.stringify(o.session),signature:o?.signature,secret:e.context.secret}))return I(e),e.json(null);let i=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(o?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let u=o.session;if(o.expiresAt<Date.now()||u.session.expiresAt<new Date){let A=e.context.authCookies.sessionData.name;e.setCookie(A,"",{maxAge:0})}else return e.json(u)}let n=await e.context.internalAdapter.findSession(t);if(e.context.session=n,!n||n.session.expiresAt<new Date)return I(e),n&&await e.context.internalAdapter.deleteSession(n.session.token),e.json(null);if(i||e.query?.disableRefresh)return e.json(n);let s=e.context.sessionConfig.expiresIn,c=e.context.sessionConfig.updateAge;if(n.session.expiresAt.valueOf()-s*1e3+c*1e3<=Date.now()){let u=await e.context.internalAdapter.updateSession(n.session.token,{expiresAt:B(e.context.sessionConfig.expiresIn,"sec")});if(!u)return I(e),e.json(null,{status:401});let f=(u.expiresAt.valueOf()-Date.now())/1e3;return await T(e,{session:u,user:n.user},!1,{maxAge:f}),e.json({session:u,user:n.user})}return e.json(n)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new D("INTERNAL_SERVER_ERROR",{message:l.FAILED_TO_GET_SESSION})}}),C=async(e,t)=>{if(e.context.session)return e.context.session;let r=await je()({...e,_flag:"json",headers:e.headers,query:t}).catch(o=>null);return e.context.session=r,r},L=z(async e=>{let t=await C(e);if(!t?.session)throw new D("UNAUTHORIZED");return{session:t}}),Be=z(async e=>{let t=await C(e);if(!t?.session)throw new D("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,o=t.session.updatedAt?.valueOf()||t.session.createdAt.valueOf();if(!(Date.now()-o<r*1e3))throw new D("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var Dt=m("/revoke-session",{method:"POST",body:V.object({token:V.string({description:"The token to revoke"})}),use:[L],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new D("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new D("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(o){throw e.context.logger.error(o&&typeof o=="object"&&"name"in o?o.name:"",o),new D("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Ct=m("/revoke-sessions",{method:"POST",use:[L],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new D("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Nt=m("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[L],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new D("UNAUTHORIZED");let i=(await e.context.internalAdapter.listSessions(t.user.id)).filter(n=>n.expiresAt>new Date).filter(n=>n.token!==e.context.session.session.token);return await Promise.all(i.map(n=>e.context.internalAdapter.deleteSession(n.token))),e.json({status:!0})});async function N(e,t,r){return await Bt("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new jt(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function $t(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,t.email),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:o,token:r},e.request)}var zt=m("/send-verification-email",{method:"POST",query:v.object({currentURL:v.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:v.object({email:v.string({description:"The email to send the verification email to"}).email(),callbackURL:v.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new F("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new F("BAD_REQUEST",{message:l.USER_NOT_FOUND});return await $t(e,r.user),e.json({status:!0})}),qt=m("/verify-email",{method:"GET",query:v.object({token:v.string({description:"The token to verify the email"}),callbackURL:v.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(c){throw e.query.callbackURL?e.query.callbackURL.includes("?")?e.redirect(`${e.query.callbackURL}&error=${c}`):e.redirect(`${e.query.callbackURL}?error=${c}`):new F("UNAUTHORIZED",{message:c})}let{token:r}=e.query,o;try{o=await Vt("HS256",Buffer.from(e.context.secret),r)}catch(c){return e.context.logger.error("Failed to verify email",c),t("invalid_token")}let n=v.object({email:v.string().email(),updateTo:v.string().optional()}).parse(o.payload),s=await e.context.internalAdapter.findUserByEmail(n.email);if(!s)return t("user_not_found");if(n.updateTo){let c=await C(e);if(!c){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(c.user.email!==n.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(n.email,{email:n.updateTo,emailVerified:!1}),d=await N(e.context.secret,n.updateTo);if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${d}`,token:d},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(n.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await C(e)){let a=await e.context.internalAdapter.createSession(s.user.id,e.request);if(!a)throw new F("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await T(e,{session:a,user:s.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function X(e,{userInfo:t,account:r,callbackURL:o}){let i=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(a=>{throw S.error(`Better auth was unable to query your database.
3
+ Error: `,a),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=i?.user,s=!n;if(i){let a=i.accounts.find(d=>d.providerId===r.providerId);if(a){let d=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([u,f])=>f!==void 0));Object.keys(d).length>0&&await e.context.internalAdapter.updateAccount(a.id,d)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return se&&S.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:i.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(f){return S.error("Unable to link account",f),{error:"unable to link account",data:null}}n=await e.context.internalAdapter.updateUser(i.user.id,{...t,updatedAt:new Date})}}else if(n=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(a=>a?.user),!t.emailVerified&&n&&e.context.options.emailVerification?.sendOnSignUp){let a=await N(e.context.secret,n.email),d=`${e.context.baseURL}/verify-email?token=${a}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:d,token:a},e.request)}if(!n)return{error:"unable to create user",data:null,isRegister:!1};let c=await e.context.internalAdapter.createSession(n.id,e.request);return c?{data:{session:c,user:n},error:null,isRegister:s}:{error:"unable to create session",data:null,isRegister:!1}}var Ft=m("/sign-in/social",{method:"POST",query:b.object({currentURL:b.string().optional()}).optional(),body:b.object({callbackURL:b.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),newUserCallbackURL:b.string().optional(),errorCallbackURL:b.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:b.enum(Y,{description:"OAuth2 provider to use"}),disableRedirect:b.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:b.optional(b.object({token:b.string({description:"ID token from the provider"}),nonce:b.string({description:"Nonce used to generate the token"}).optional(),accessToken:b.string({description:"Access token from the provider"}).optional(),refreshToken:b.string({description:"Refresh token from the provider"}).optional(),expiresAt:b.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new k("NOT_FOUND",{message:l.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new k("NOT_FOUND",{message:l.ID_TOKEN_NOT_SUPPORTED});let{token:n,nonce:s}=e.body.idToken;if(!await t.verifyIdToken(n,s))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new k("UNAUTHORIZED",{message:l.INVALID_TOKEN});let a=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new k("UNAUTHORIZED",{message:l.FAILED_TO_GET_USER_INFO});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new k("UNAUTHORIZED",{message:l.USER_EMAIL_NOT_FOUND});let d=await X(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:t.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(d.error)throw new k("UNAUTHORIZED",{message:d.error});return await T(e,d.data),e.json({session:d.data.session,user:d.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:o}=await J(e),i=await t.createAuthorizationURL({state:o,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:i.toString(),redirect:!e.body.disableRedirect})}),Mt=m("/sign-in/email",{method:"POST",body:b.object({email:b.string({description:"Email of the user"}),password:b.string({description:"Password of the user"}),callbackURL:b.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:b.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new k("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!b.string().email().safeParse(t).success)throw new k("BAD_REQUEST",{message:l.INVALID_EMAIL});let i=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!i)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new k("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});let n=i.accounts.find(d=>d.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new k("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});let s=n?.password;if(!s)throw e.context.logger.error("Password not found",{email:t}),new k("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:s,password:r}))throw e.context.logger.error("Invalid password"),new k("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!i.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new k("UNAUTHORIZED",{message:l.EMAIL_NOT_VERIFIED});let d=await N(e.context.secret,i.user.email),u=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:i.user,url:u,token:d},e.request),e.context.logger.error("Email not verified",{email:t}),new k("FORBIDDEN",{message:l.EMAIL_NOT_VERIFIED})}let a=await e.context.internalAdapter.createSession(i.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new k("UNAUTHORIZED",{message:l.FAILED_TO_CREATE_SESSION});return await T(e,{session:a,user:i.user},e.body.rememberMe===!1),e.json({user:{id:i.user.id,email:i.user.email,name:i.user.name,image:i.user.image,emailVerified:i.user.emailVerified,createdAt:i.user.createdAt,updatedAt:i.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as M}from"zod";var ee=M.object({code:M.string().optional(),error:M.string().optional(),error_description:M.string().optional(),state:M.string().optional()}),Ht=m("/callback/:id",{method:["GET","POST"],body:ee.optional(),query:ee.optional(),metadata:$},async e=>{let t;try{if(e.method==="GET")t=ee.parse(e.query);else if(e.method==="POST")t=ee.parse(e.body);else throw new Error("Unsupported method")}catch(_){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",_),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:o,state:i,error_description:n}=t;if(!i)throw e.context.logger.error("State not found",o),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}&error_description=${n}`);let s=e.context.socialProviders.find(_=>_.id===e.params.id);if(!s)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:c,callbackURL:a,link:d,errorURL:u,newUserURL:f}=await be(e),A;try{A=await s.validateAuthorizationCode({code:r,codeVerifier:c,redirectURI:`${e.context.baseURL}/callback/${s.id}`})}catch(_){throw e.context.logger.error("",_),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let h=await s.getUserInfo(A).then(_=>_?.user);function y(_){let x=u||a||`${e.context.baseURL}/error`;throw x.includes("?")?x=`${x}&error=${_}`:x=`${x}?error=${_}`,e.redirect(x)}if(!h)return e.context.logger.error("Unable to get user info"),y("unable_to_get_user_info");if(!h.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),y("email_not_found");if(!a)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(d){if(d.email!==h.email.toLowerCase())return y("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:d.userId,providerId:s.id,accountId:h.id}))return y("unable_to_link_account");let x;try{x=a.toString()}catch{x=a}throw e.redirect(x)}let E=await X(e,{userInfo:{...h,email:h.email,name:h.name||h.email},account:{providerId:s.id,accountId:h.id,...A,scope:A.scopes?.join(",")},callbackURL:a});if(E.error)return e.context.logger.error(E.error.split(" ").join("_")),y(E.error.split(" ").join("_"));let{session:de,user:te}=E.data;await T(e,{session:de,user:te});let re;try{re=(E.isRegister&&f||a).toString()}catch{re=E.isRegister&&f||a}throw e.redirect(re)});import"zod";import{APIError as Gt}from"better-call";var Wt=m("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw I(e),new Gt("BAD_REQUEST",{message:l.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),I(e),e.json({success:!0})});import{z as O}from"zod";import{APIError as H}from"better-call";function Ve(e,t,r){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}function Zt(e,t,r){let o=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([i,n])=>o.searchParams.set(i,n)),o.href}var Qt=m("/forget-password",{method:"POST",body:O.object({email:O.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:O.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new H("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let i=60*60*1,n=B(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||i,"sec"),s=Se(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id.toString(),identifier:`reset-password:${s}`,expiresAt:n});let c=`${e.context.baseURL}/reset-password/${s}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:c,token:s},e.request),e.json({status:!0})}),Kt=m("/reset-password/:token",{method:"GET",query:O.object({callbackURL:O.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(Ve(e.context,r,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(Ve(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(Zt(e.context,r,{token:t}))}),Jt=m("/reset-password",{query:O.optional(O.object({token:O.string().optional(),currentURL:O.string().optional()})),method:"POST",body:O.object({newPassword:O.string({description:"The new password to set"}),token:O.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new H("BAD_REQUEST",{message:l.INVALID_TOKEN});let{newPassword:r}=e.body,o=e.context.password?.config.minPasswordLength,i=e.context.password?.config.maxPasswordLength;if(r.length<o)throw new H("BAD_REQUEST",{message:l.PASSWORD_TOO_SHORT});if(r.length>i)throw new H("BAD_REQUEST",{message:l.PASSWORD_TOO_LONG});let n=`reset-password:${t}`,s=await e.context.internalAdapter.findVerificationValue(n);if(!s||s.expiresAt<new Date)throw new H("BAD_REQUEST",{message:l.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(s.id);let c=s.value,a=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(c)).find(f=>f.providerId==="credential")?(await e.context.internalAdapter.updatePassword(c,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:c,providerId:"credential",password:a,accountId:c}),e.json({status:!0}))});import{z as U}from"zod";import{APIError as R}from"better-call";import{z as p}from"zod";import{APIError as Qn}from"better-call";var Kn=p.object({id:p.string(),providerId:p.string(),accountId:p.string(),userId:p.string(),accessToken:p.string().nullish(),refreshToken:p.string().nullish(),idToken:p.string().nullish(),accessTokenExpiresAt:p.date().nullish(),refreshTokenExpiresAt:p.date().nullish(),scope:p.string().nullish(),password:p.string().nullish(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date)}),Jn=p.object({id:p.string(),email:p.string().transform(e=>e.toLowerCase()),emailVerified:p.boolean().default(!1),name:p.string(),image:p.string().nullish(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date)}),Yn=p.object({id:p.string(),userId:p.string(),expiresAt:p.date(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date),token:p.string(),ipAddress:p.string().nullish(),userAgent:p.string().nullish()}),Xn=p.object({id:p.string(),value:p.string(),createdAt:p.date().default(()=>new Date),updatedAt:p.date().default(()=>new Date),expiresAt:p.date(),identifier:p.string()});import{xchacha20poly1305 as ms}from"@noble/ciphers/chacha";import{bytesToHex as gs,hexToBytes as hs,utf8ToBytes as ws}from"@noble/ciphers/utils";import{managedNonce as bs}from"@noble/ciphers/webcrypto";import{sha256 as Rs}from"oslo/crypto";import Es from"uncrypto";import{decodeHex as rs,encodeHex as os}from"oslo/encoding";import{scryptAsync as ss}from"@noble/hashes/scrypt";import{getRandomValues as cs}from"uncrypto";import $e from"uncrypto";function Yt(e){return e.toString(2).padStart(8,"0")}function Xt(e){return[...e].map(t=>Yt(t)).join("")}function ze(e){return parseInt(Xt(e),2)}function er(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,o=new Uint8Array(Math.ceil(t/8));$e.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1);let i=ze(o);for(;i>=e;)$e.getRandomValues(o),r!==0&&(o[0]&=(1<<r)-1),i=ze(o);return i}function qe(e,t){let r="";for(let o=0;o<e;o++)r+=t[er(t.length)];return r}function Fe(...e){let t=new Set(e),r="";for(let o of t)o==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?r+="0123456789":r+=o;return r}var rr=m("/change-password",{method:"POST",body:U.object({newPassword:U.string({description:"The new password to set"}),currentPassword:U.string({description:"The current password"}),revokeOtherSessions:U.boolean({description:"Revoke all other sessions"}).optional()}),use:[L],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:o}=e.body,i=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new R("BAD_REQUEST",{message:l.PASSWORD_TOO_SHORT});let s=e.context.password.config.maxPasswordLength;if(t.length>s)throw e.context.logger.error("Password is too long"),new R("BAD_REQUEST",{message:l.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(f=>f.providerId==="credential"&&f.password);if(!a||!a.password)throw new R("BAD_REQUEST",{message:l.CREDENTIAL_ACCOUNT_NOT_FOUND});let d=await e.context.password.hash(t);if(!await e.context.password.verify({hash:a.password,password:r}))throw new R("BAD_REQUEST",{message:l.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(a.id,{password:d}),o){await e.context.internalAdapter.deleteSessions(i.user.id);let f=await e.context.internalAdapter.createSession(i.user.id,e.headers);if(!f)throw new R("INTERNAL_SERVER_ERROR",{message:l.FAILED_TO_GET_SESSION});await T(e,{session:f,user:i.user})}return e.json(i.user)}),or=m("/set-password",{method:"POST",body:U.object({newPassword:U.string()}),metadata:{SERVER_ONLY:!0},use:[L]},async e=>{let{newPassword:t}=e.body,r=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new R("BAD_REQUEST",{message:l.PASSWORD_TOO_SHORT});let i=e.context.password.config.maxPasswordLength;if(t.length>i)throw e.context.logger.error("Password is too long"),new R("BAD_REQUEST",{message:l.PASSWORD_TOO_LONG});let s=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password),c=await e.context.password.hash(t);if(!s)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:c}),e.json(r.user);throw new R("BAD_REQUEST",{message:"user already has a password"})}),ir=m("/delete-user",{method:"POST",use:[Be],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new R("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let i=qe(32,Fe("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${i}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let n=`${e.context.baseURL}/delete-user/callback?token=${i}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:n,token:i},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),I(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(t.user,e.request),e.json({success:!0,message:"User deleted"})}),nr=m("/delete-user/callback",{method:"GET",query:U.object({token:U.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new R("NOT_FOUND");let t=await C(e);if(!t)throw new R("NOT_FOUND",{message:l.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new R("NOT_FOUND",{message:l.INVALID_TOKEN});if(r.value!==t.user.id)throw new R("NOT_FOUND",{message:l.INVALID_TOKEN});let o=e.context.options.user.deleteUser?.beforeDelete;o&&await o(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),I(e);let i=e.context.options.user.deleteUser?.afterDelete;return i&&await i(t.user,e.request),e.json({success:!0,message:"User deleted"})}),sr=m("/change-email",{method:"POST",query:U.object({currentURL:U.string().optional()}).optional(),body:U.object({newEmail:U.string({description:"The new email to set"}).email(),callbackURL:U.string({description:"The URL to redirect to after email verification"}).optional()}),use:[L],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new R("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new R("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new R("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let i=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:i,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new R("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await N(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:r},e.request),e.json({user:null,status:!0})});var ar=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>
6
6
  <meta charset="UTF-8">
package/dist/plugins/admin.cjs CHANGED
@@ -1,5 +1,5 @@
1
1
  "use strict";var Ot=Object.create;var Y=Object.defineProperty;var It=Object.getOwnPropertyDescriptor;var vt=Object.getOwnPropertyNames;var Lt=Object.getPrototypeOf,Pt=Object.prototype.hasOwnProperty;var xt=(e,t)=>{for(var r in t)Y(e,r,{get:t[r],enumerable:!0})},_e=(e,t,r,n)=>{if(t&&typeof t=="object"||typeof t=="function")for(let o of vt(t))!Pt.call(e,o)&&o!==r&&Y(e,o,{get:()=>t[o],enumerable:!(n=It(t,o))||n.enumerable});return e};var ue=(e,t,r)=>(r=e!=null?Ot(Lt(e)):{},_e(t||!e||!e.__esModule?Y(r,"default",{value:e,enumerable:!0}):r,e)),Dt=e=>_e(Y({},"__esModule",{value:!0}),e);var Nr={};xt(Nr,{admin:()=>Dr});module.exports=Dt(Nr);var u=require("zod");var K=require("better-call");var Le=require("better-call");var F=require("better-call"),Te=(0,F.createMiddleware)(async()=>({})),$=(0,F.createMiddlewareCreator)({use:[Te,(0,F.createMiddleware)(async()=>({}))]}),p=(0,F.createEndpointCreator)({use:[Te]});function le(e){return e==="-"||e==="^"||e==="$"||e==="+"||e==="."||e==="("||e===")"||e==="|"||e==="["||e==="]"||e==="{"||e==="}"||e==="*"||e==="?"||e==="\\"?`\\${e}`:e}function Ct(e){let t="";for(let r=0;r<e.length;r++)t+=le(e[r]);return t}function Se(e,t=!0){if(Array.isArray(e))return`(?:${e.map(f=>`^${Se(f,t)}$`).join("|")})`;let r="",n="",o=".";t===!0?(r="/",n="[/\\\\]",o="[^/\\\\]"):t&&(r=t,n=Ct(r),n.length>1?(n=`(?:${n})`,o=`((?!${n}).)`):o=`[^${n}]`);let s=t?`${n}+?`:"",i=t?`${n}*?`:"",d=t?e.split(r):[e],a="";for(let c=0;c<d.length;c++){let f=d[c],g=d[c+1],R="";if(!(!f&&c>0)){if(t&&(c===d.length-1?R=i:g!=="**"?R=s:R=""),t&&f==="**"){R&&(a+=c===0?"":R,a+=`(?:${o}*?${R})*?`);continue}for(let w=0;w<f.length;w++){let A=f[w];A==="\\"?w<f.length-1&&(a+=le(f[w+1]),w++):A==="?"?a+=o:A==="*"?a+=`${o}*?`:a+=le(A)}a+=R}}return a}function Nt(e,t){if(typeof t!="string")throw new TypeError(`Sample must be a string, but ${typeof t} given`);return e.test(t)}function me(e,t){if(typeof e!="string"&&!Array.isArray(e))throw new TypeError(`The first argument must be a single pattern string or an array of patterns, but ${typeof e} given`);if((typeof t=="string"||typeof t=="boolean")&&(t={separator:t}),arguments.length===2&&!(typeof t>"u"||typeof t=="object"&&t!==null&&!Array.isArray(t)))throw new TypeError(`The second argument must be an options object or a string/boolean separator, but ${typeof t} given`);if(t=t||{},t.separator==="\\")throw new Error("\\ is not a valid separator because it is used for escaping. Try setting the separator to `true` instead");let r=Se(e,t.separator),n=new RegExp(`^${r}$`,t.flags),o=Nt.bind(null,n);return o.options=t,o.pattern=e,o.regexp=n,o}var X=Object.create(null),J=e=>globalThis.process?.env||globalThis.Deno?.env.toObject()||globalThis.__env__||(e?X:globalThis),Oe=new Proxy(X,{get(e,t){return J()[t]??X[t]},has(e,t){let r=J();return t in r||t in X},set(e,t,r){let n=J(!0);return n[t]=r,!0},deleteProperty(e,t){if(!t)return!1;let r=J(!0);return delete r[t],!0},ownKeys(){let e=J(!0);return Object.keys(e)}});function jt(e){return e?e!=="false":!1}var fe=typeof process<"u"&&process.env&&process.env.NODE_ENV||"";var ge=fe==="dev"||fe==="development",Bt=fe==="test"||jt(Oe.TEST);var q=class extends Error{constructor(t,r){super(t),this.name="BetterAuthError",this.message=t,this.cause=r,this.stack=""}};function Ie(e){try{return new URL(e).origin}catch{return null}}function ve(e){return e.includes("://")?new URL(e).host:e}var Vt=$(async e=>{if(e.request?.method!=="POST")return;let{body:t,query:r,context:n}=e,o=e.headers?.get("origin")||e.headers?.get("referer")||"",s=t?.callbackURL||r?.callbackURL,i=t?.redirectTo,d=r?.currentURL,a=t?.errorCallbackURL,c=t?.newUserCallbackURL,f=n.trustedOrigins,g=e.headers?.has("cookie"),R=(A,_)=>A.startsWith("/")?!1:_.includes("*")?me(_)(ve(A)):A.startsWith(_),w=(A,_)=>{if(!A)return;if(!f.some(ce=>R(A,ce)||A?.startsWith("/")&&_!=="origin"&&!A.includes(":")))throw e.context.logger.error(`Invalid ${_}: ${A}`),e.context.logger.info(`If it's a valid URL, please add ${A} to trustedOrigins in your auth config
2
- `,`Current list of trustedOrigins: ${f}`),new Le.APIError("FORBIDDEN",{message:`Invalid ${_}`})};g&&!e.context.options.advanced?.disableCSRFCheck&&w(o,"origin"),s&&w(s,"callbackURL"),i&&w(i,"redirectURL"),d&&w(d,"currentURL"),a&&w(a,"errorCallbackURL"),c&&w(i,"newUserCallbackURL")});var U=require("better-call"),b=require("zod");var Ft=require("oslo"),Pe=require("oslo/encoding");var ee=require("oslo/crypto");async function qt({value:e,secret:t}){return new ee.HMAC("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(n=>Buffer.from(n).toString("base64"))}function zt({value:e,signature:t,secret:r}){return new ee.HMAC("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var te={sign:qt,verify:zt};var O=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function k(e,t,r,n){let o=e.context.authCookies.sessionToken.options,s=r?void 0:e.context.sessionConfig.expiresIn;if(await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...o,maxAge:s,...n}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled){let d=Pe.base64url.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:O(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await te.sign({value:JSON.stringify(t),secret:e.context.secret})})),{includePadding:!1});if(d.length>4093)throw new q("Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data");e.setCookie(e.context.authCookies.sessionData.name,d,e.context.authCookies.sessionData.options)}e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function L(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}var Be=require("@better-fetch/fetch"),Ve=require("better-call"),M=require("jose"),$e=require("oslo/jwt");var xe=require("oslo/crypto"),De=require("oslo/encoding");async function Ce(e){let t=await(0,xe.sha256)(new TextEncoder().encode(e));return De.base64url.encode(new Uint8Array(t),{includePadding:!1})}function re(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?O(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function y({id:e,options:t,authorizationEndpoint:r,state:n,codeVerifier:o,scopes:s,claims:i,redirectURI:d,duration:a}){let c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",n),c.searchParams.set("scope",s.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||d),o){let f=await Ce(o);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",f)}if(i){let f=i.reduce((g,R)=>(g[R]=null,g),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...f}}))}return a&&c.searchParams.set("duration",a),c}var Ne=require("@better-fetch/fetch");async function h({code:e,codeVerifier:t,redirectURI:r,options:n,tokenEndpoint:o,authentication:s}){let i=new URLSearchParams,d={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(i.set("grant_type","authorization_code"),i.set("code",e),t&&i.set("code_verifier",t),i.set("redirect_uri",r),s==="basic"){let g=btoa(`${n.clientId}:${n.clientSecret}`);d.authorization=`Basic ${g}`}else i.set("client_id",n.clientId),i.set("client_secret",n.clientSecret);let{data:a,error:c}=await(0,Ne.betterFetch)(o,{method:"POST",body:i,headers:d});if(c)throw c;return re(a)}var oe=require("oslo/oauth2"),C=require("zod"),he=require("better-call");async function ne(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?Ie(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new he.APIError("BAD_REQUEST",{message:"callbackURL is required"});let n=(0,oe.generateCodeVerifier)(),o=(0,oe.generateState)(),s=JSON.stringify({callbackURL:r,codeVerifier:n,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,newUserURL:e.body?.newUserCallbackURL,link:t,expiresAt:Date.now()+10*60*1e3}),i=new Date;i.setMinutes(i.getMinutes()+10);let d=await e.context.internalAdapter.createVerificationValue({value:s,identifier:o,expiresAt:i});if(!d)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new he.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:d.identifier,codeVerifier:n}}async function je(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let n=C.z.object({callbackURL:C.z.string(),codeVerifier:C.z.string(),errorURL:C.z.string().optional(),newUserURL:C.z.string().optional(),expiresAt:C.z.number(),link:C.z.object({email:C.z.string(),userId:C.z.string()}).optional()}).parse(JSON.parse(r.value));if(n.errorURL||(n.errorURL=`${e.context.baseURL}/error`),n.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),n}var qe=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:n,redirectURI:o}){let s=n||["email","name"];return e.scope&&s.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${o||e.redirectURI}&scope=${s.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:o})=>h({code:r,codeVerifier:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async verifyIdToken(r,n){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,n);let o=(0,M.decodeProtectedHeader)(r),{kid:s,alg:i}=o;if(!s||!i)return!1;let d=await Mt(s),{payload:a}=await(0,M.jwtVerify)(r,d,{algorithms:[i],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(c=>{a[c]!==void 0&&(a[c]=!!a[c])}),n&&a.nonce!==n?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let n=(0,$e.parseJWT)(r.idToken)?.payload;if(!n)return null;let o=n.user?`${n.user.name.firstName} ${n.user.name.lastName}`:n.email,s=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:o,emailVerified:!1,email:n.email,...s},data:n}}}},Mt=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:n}=await(0,Be.betterFetch)(`${t}${r}`);if(!n?.keys)throw new Ve.APIError("BAD_REQUEST",{message:"Keys not found"});let o=n.keys.find(s=>s.kid===e);if(!o)throw new Error(`JWK with kid ${e} not found`);return await(0,M.importJWK)(o,o.alg)};var ze=require("@better-fetch/fetch");var Fe=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["identify","email"];return e.scope&&o.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${o.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||n)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,ze.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(n)return null;if(r.avatar===null){let s=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${s}.png`}else{let s=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${s}`}let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...o},data:r}}});var Me=require("@better-fetch/fetch");var He=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["email","public_profile"];return e.scope&&o.push(...e.scope),await y({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:o,state:t,redirectURI:n})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,Me.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...o},data:r}}});var we=require("@better-fetch/fetch");var Ge=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:n,codeVerifier:o,redirectURI:s}){let i=n||["user:email"];return e.scope&&i.push(...e.scope),y({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:i,state:r,redirectURI:s})},validateAuthorizationCode:async({code:r,redirectURI:n})=>h({code:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:o}=await(0,we.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(o)return null;let s=!1;if(!n.email){let{data:d,error:a}=await(0,we.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(n.email=(d.find(c=>c.primary)??d[0])?.email,s=d.find(c=>c.email===n.email)?.verified??!1)}let i=await e.mapProfileToUser?.(n);return{user:{id:n.id.toString(),name:n.name||n.login,email:n.email,image:n.avatar_url,emailVerified:s,...i},data:n}}}};var Ze=require("oslo/jwt");var We=require("consola"),ye=["info","success","warn","error","debug"];function Ht(e,t){return ye.indexOf(t)<=ye.indexOf(e)}var Gt=(0,We.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Wt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",n=(o,s,i=[])=>{if(!(!t||!Ht(r,o))){if(!e||typeof e.log!="function"){Gt[o]("",s,...i);return}e.log(o==="success"?"info":o,s,i)}};return Object.fromEntries(ye.map(o=>[o,(...[s,...i])=>n(o,s,i)]))},x=Wt();var Qe=require("@better-fetch/fetch"),Ke=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:o}){if(!e.clientId||!e.clientSecret)throw x.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new q("CLIENT_ID_AND_SECRET_REQUIRED");if(!n)throw new q("codeVerifier is required for Google");let s=r||["email","profile","openid"];e.scope&&s.push(...e.scope);let i=await y({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:s,state:t,codeVerifier:n,redirectURI:o});return e.accessType&&i.searchParams.set("access_type",e.accessType),e.prompt&&i.searchParams.set("prompt",e.prompt),i},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let n=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:o}=await(0,Qe.betterFetch)(n);return o?o.aud===e.clientId&&o.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=(0,Ze.parseJWT)(t.idToken)?.payload,n=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...n},data:r}}});var Je=require("@better-fetch/fetch"),Ye=require("oslo/jwt");var Xe=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,n=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(o){let s=o.scopes||["openid","profile","email","User.Read"];return e.scope&&s.push(...e.scope),y({id:"microsoft",options:e,authorizationEndpoint:r,state:o.state,codeVerifier:o.codeVerifier,scopes:s,redirectURI:o.redirectURI})},validateAuthorizationCode({code:o,codeVerifier:s,redirectURI:i}){return h({code:o,codeVerifier:s,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:n})},async getUserInfo(o){if(e.getUserInfo)return e.getUserInfo(o);if(!o.idToken)return null;let s=(0,Ye.parseJWT)(o.idToken)?.payload,i=e.profilePhotoSize||48;await(0,Je.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${i}x${i}/$value`,{headers:{Authorization:`Bearer ${o.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let f=await a.response.clone().arrayBuffer(),g=Buffer.from(f).toString("base64");s.picture=`data:image/jpeg;base64, ${g}`}catch(c){x.error(c&&typeof c=="object"&&"name"in c?c.name:"",c)}}});let d=await e.mapProfileToUser?.(s);return{user:{id:s.sub,name:s.name,email:s.email,image:s.picture,emailVerified:!0,...d},data:s}}}};var et=require("@better-fetch/fetch");var tt=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:o}){let s=r||["user-read-email"];return e.scope&&s.push(...e.scope),y({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:s,state:t,codeVerifier:n,redirectURI:o})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,et.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...o},data:r}}});var H={isAction:!1};var rt=require("nanoid"),ot=e=>(0,rt.nanoid)(e);var nt=require("oslo/jwt");var st=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["user:read:email","openid"];return e.scope&&o.push(...e.scope),y({id:"twitch",redirectURI:n,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:o,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return x.error("No idToken found in token"),null;let n=(0,nt.parseJWT)(r)?.payload,o=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.preferred_username,email:n.email,image:n.picture,emailVerified:!1,...o},data:n}}});var it=require("@better-fetch/fetch");var at=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),y({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>h({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,it.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...o},data:r}}});var dt=require("@better-fetch/fetch");var ct=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:n,codeVerifier:o,redirectURI:s})=>{let i=n||["account_info.read"];return e.scope&&i.push(...e.scope),await y({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:i,state:r,redirectURI:s,codeVerifier:o})},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:o})=>await h({code:r,codeVerifier:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:o}=await(0,dt.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(o)return null;let s=await e.mapProfileToUser?.(n);return{user:{id:n.account_id,name:n.name?.display_name,email:n.email,emailVerified:n.email_verified||!1,image:n.profile_photo_url,...s},data:n}}}};var pt=require("@better-fetch/fetch");var ut=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:n,scopes:o,redirectURI:s})=>{let i=o||["profile","email","openid"];return e.scope&&i.push(...e.scope),await y({id:"linkedin",options:e,authorizationEndpoint:t,scopes:i,state:n,redirectURI:s})},validateAuthorizationCode:async({code:n,redirectURI:o})=>await h({code:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:r}),async getUserInfo(n){let{data:o,error:s}=await(0,pt.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${n.accessToken}`}});if(s)return null;let i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.name,email:o.email,emailVerified:o.email_verified||!1,image:o.picture,...i},data:o}}}};var lt=require("@better-fetch/fetch");var be=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Zt=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:be(`${t}/oauth/authorize`),tokenEndpoint:be(`${t}/oauth/token`),userinfoEndpoint:be(`${t}/api/v4/user`)}},mt=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:n}=Zt(e.issuer),o="gitlab";return{id:o,name:"Gitlab",createAuthorizationURL:async({state:i,scopes:d,codeVerifier:a,redirectURI:c})=>{let f=d||["read_user"];return e.scope&&f.push(...e.scope),await y({id:o,options:e,authorizationEndpoint:t,scopes:f,state:i,redirectURI:c,codeVerifier:a})},validateAuthorizationCode:async({code:i,redirectURI:d,codeVerifier:a})=>h({code:i,redirectURI:e.redirectURI||d,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:d,error:a}=await(0,lt.betterFetch)(n,{headers:{authorization:`Bearer ${i.accessToken}`}});if(a||d.state!=="active"||d.locked)return null;let c=await e.mapProfileToUser?.(d);return{user:{id:d.id.toString(),name:d.name??d.username,email:d.email,image:d.avatar_url,emailVerified:!0,...c},data:d}}}};var Ae=require("@better-fetch/fetch");var ft=e=>({id:"reddit",name:"Reddit",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["identity"];return e.scope&&o.push(...e.scope),y({id:"reddit",options:e,authorizationEndpoint:"https://www.reddit.com/api/v1/authorize",scopes:o,state:t,redirectURI:n,duration:e.duration})},validateAuthorizationCode:async({code:t,redirectURI:r})=>{let n=new URLSearchParams({grant_type:"authorization_code",code:t,redirect_uri:e.redirectURI||r}),o={"content-type":"application/x-www-form-urlencoded",accept:"text/plain","user-agent":"better-auth",Authorization:`Basic ${Buffer.from(`${e.clientId}:${e.clientSecret}`).toString("base64")}`},{data:s,error:i}=await(0,Ae.betterFetch)("https://www.reddit.com/api/v1/access_token",{method:"POST",headers:o,body:n.toString()});if(i)throw i;return re(s)},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,Ae.betterFetch)("https://oauth.reddit.com/api/v1/me",{headers:{Authorization:`Bearer ${t.accessToken}`,"User-Agent":"better-auth"}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.oauth_client_id,emailVerified:r.has_verified_email,image:r.icon_img?.split("?")[0],...o},data:r}}});var Qt={apple:qe,discord:Fe,facebook:He,github:Ge,microsoft:Xe,google:Ke,spotify:tt,twitch:st,twitter:at,dropbox:ct,linkedin:ut,gitlab:mt,reddit:ft},se=Object.keys(Qt);var yt=require("oslo"),ie=require("oslo/jwt"),P=require("zod");var G=require("better-call");var N=require("better-call");var z=require("zod");function gt(e){try{return JSON.parse(e)}catch{return null}}var l={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var ht=()=>p("/get-session",{method:"GET",query:z.z.optional(z.z.object({disableCookieCache:z.z.boolean({description:"Disable cookie cache and fetch session from database"}).or(z.z.string().transform(e=>e==="true")).optional(),disableRefresh:z.z.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),n=r?gt(Buffer.from(r,"base64").toString()):null;if(n&&!await te.verify({value:JSON.stringify(n.session),signature:n?.signature,secret:e.context.secret}))return L(e),e.json(null);let o=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(n?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let f=n.session;if(n.expiresAt<Date.now()||f.session.expiresAt<new Date){let R=e.context.authCookies.sessionData.name;e.setCookie(R,"",{maxAge:0})}else return e.json(f)}let s=await e.context.internalAdapter.findSession(t);if(e.context.session=s,!s||s.session.expiresAt<new Date)return L(e),s&&await e.context.internalAdapter.deleteSession(s.session.token),e.json(null);if(o||e.query?.disableRefresh)return e.json(s);let i=e.context.sessionConfig.expiresIn,d=e.context.sessionConfig.updateAge;if(s.session.expiresAt.valueOf()-i*1e3+d*1e3<=Date.now()){let f=await e.context.internalAdapter.updateSession(s.session.token,{expiresAt:O(e.context.sessionConfig.expiresIn,"sec")});if(!f)return L(e),e.json(null,{status:401});let g=(f.expiresAt.valueOf()-Date.now())/1e3;return await k(e,{session:f,user:s.user},!1,{maxAge:g}),e.json({session:f,user:s.user})}return e.json(s)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new N.APIError("INTERNAL_SERVER_ERROR",{message:l.FAILED_TO_GET_SESSION})}}),j=async(e,t)=>{if(e.context.session)return e.context.session;let r=await ht()({...e,_flag:"json",headers:e.headers,query:t}).catch(n=>null);return e.context.session=r,r},B=$(async e=>{let t=await j(e);if(!t?.session)throw new N.APIError("UNAUTHORIZED");return{session:t}}),wt=$(async e=>{let t=await j(e);if(!t?.session)throw new N.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,n=t.session.createdAt.valueOf(),o=Date.now();if(!(n+r*1e3>o))throw new N.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var Kt=p("/revoke-session",{method:"POST",body:z.z.object({token:z.z.string({description:"The token to revoke"})}),use:[B],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new N.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new N.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(n){throw e.context.logger.error(n&&typeof n=="object"&&"name"in n?n.name:"",n),new N.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Jt=p("/revoke-sessions",{method:"POST",use:[B],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new N.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Yt=p("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[B],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new N.APIError("UNAUTHORIZED");let o=(await e.context.internalAdapter.listSessions(t.user.id)).filter(s=>s.expiresAt>new Date).filter(s=>s.token!==e.context.session.session.token);return await Promise.all(o.map(s=>e.context.internalAdapter.deleteSession(s.token))),e.json({status:!0})});async function V(e,t,r){return await(0,ie.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new yt.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Xt(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new G.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await V(e.context.secret,t.email),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:n,token:r},e.request)}var er=p("/send-verification-email",{method:"POST",query:P.z.object({currentURL:P.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:P.z.object({email:P.z.string({description:"The email to send the verification email to"}).email(),callbackURL:P.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new G.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new G.APIError("BAD_REQUEST",{message:l.USER_NOT_FOUND});return await Xt(e,r.user),e.json({status:!0})}),tr=p("/verify-email",{method:"GET",query:P.z.object({token:P.z.string({description:"The token to verify the email"}),callbackURL:P.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(d){throw e.query.callbackURL?e.query.callbackURL.includes("?")?e.redirect(`${e.query.callbackURL}&error=${d}`):e.redirect(`${e.query.callbackURL}?error=${d}`):new G.APIError("UNAUTHORIZED",{message:d})}let{token:r}=e.query,n;try{n=await(0,ie.validateJWT)("HS256",Buffer.from(e.context.secret),r)}catch(d){return e.context.logger.error("Failed to verify email",d),t("invalid_token")}let s=P.z.object({email:P.z.string().email(),updateTo:P.z.string().optional()}).parse(n.payload),i=await e.context.internalAdapter.findUserByEmail(s.email);if(!i)return t("user_not_found");if(s.updateTo){let d=await j(e);if(!d){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(d.user.email!==s.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(s.email,{email:s.updateTo,emailVerified:!1}),c=await V(e.context.secret,s.updateTo);if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${c}`,token:c},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(s.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await j(e)){let a=await e.context.internalAdapter.createSession(i.user.id,e.request);if(!a)throw new G.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await k(e,{session:a,user:i.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function ae(e,{userInfo:t,account:r,callbackURL:n}){let o=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(a=>{throw x.error(`Better auth was unable to query your database.
2
+ `,`Current list of trustedOrigins: ${f}`),new Le.APIError("FORBIDDEN",{message:`Invalid ${_}`})};g&&!e.context.options.advanced?.disableCSRFCheck&&w(o,"origin"),s&&w(s,"callbackURL"),i&&w(i,"redirectURL"),d&&w(d,"currentURL"),a&&w(a,"errorCallbackURL"),c&&w(i,"newUserCallbackURL")});var U=require("better-call"),b=require("zod");var Ft=require("oslo"),Pe=require("oslo/encoding");var ee=require("oslo/crypto");async function qt({value:e,secret:t}){return new ee.HMAC("SHA-256").sign(new TextEncoder().encode(t),new TextEncoder().encode(e)).then(n=>Buffer.from(n).toString("base64"))}function zt({value:e,signature:t,secret:r}){return new ee.HMAC("SHA-256").verify(new TextEncoder().encode(r),Buffer.from(t,"base64"),new TextEncoder().encode(e))}var te={sign:qt,verify:zt};var O=(e,t="ms")=>new Date(Date.now()+(t==="sec"?e*1e3:e));async function k(e,t,r,n){let o=e.context.authCookies.sessionToken.options,s=r?void 0:e.context.sessionConfig.expiresIn;if(await e.setSignedCookie(e.context.authCookies.sessionToken.name,t.session.token,e.context.secret,{...o,maxAge:s,...n}),r&&await e.setSignedCookie(e.context.authCookies.dontRememberToken.name,"true",e.context.secret,e.context.authCookies.dontRememberToken.options),e.context.options.session?.cookieCache?.enabled){let d=Pe.base64url.encode(new TextEncoder().encode(JSON.stringify({session:t,expiresAt:O(e.context.authCookies.sessionData.options.maxAge||60,"sec").getTime(),signature:await te.sign({value:JSON.stringify(t),secret:e.context.secret})})),{includePadding:!1});if(d.length>4093)throw new q("Session data is too large to store in the cookie. Please disable session cookie caching or reduce the size of the session data");e.setCookie(e.context.authCookies.sessionData.name,d,e.context.authCookies.sessionData.options)}e.context.setNewSession(t),e.context.options.secondaryStorage&&await e.context.secondaryStorage?.set(t.session.token,JSON.stringify({user:t.user,session:t.session}),Math.floor((new Date(t.session.expiresAt).getTime()-Date.now())/1e3))}function L(e){e.setCookie(e.context.authCookies.sessionToken.name,"",{...e.context.authCookies.sessionToken.options,maxAge:0}),e.setCookie(e.context.authCookies.sessionData.name,"",{...e.context.authCookies.sessionData.options,maxAge:0}),e.setCookie(e.context.authCookies.dontRememberToken.name,"",{...e.context.authCookies.dontRememberToken.options,maxAge:0})}var Be=require("@better-fetch/fetch"),Ve=require("better-call"),M=require("jose"),$e=require("oslo/jwt");var xe=require("oslo/crypto"),De=require("oslo/encoding");async function Ce(e){let t=await(0,xe.sha256)(new TextEncoder().encode(e));return De.base64url.encode(new Uint8Array(t),{includePadding:!1})}function re(e){return{tokenType:e.token_type,accessToken:e.access_token,refreshToken:e.refresh_token,accessTokenExpiresAt:e.expires_in?O(e.expires_in,"sec"):void 0,scopes:e?.scope?typeof e.scope=="string"?e.scope.split(" "):e.scope:[],idToken:e.id_token}}async function y({id:e,options:t,authorizationEndpoint:r,state:n,codeVerifier:o,scopes:s,claims:i,redirectURI:d,duration:a}){let c=new URL(r);if(c.searchParams.set("response_type","code"),c.searchParams.set("client_id",t.clientId),c.searchParams.set("state",n),c.searchParams.set("scope",s.join(" ")),c.searchParams.set("redirect_uri",t.redirectURI||d),o){let f=await Ce(o);c.searchParams.set("code_challenge_method","S256"),c.searchParams.set("code_challenge",f)}if(i){let f=i.reduce((g,R)=>(g[R]=null,g),{});c.searchParams.set("claims",JSON.stringify({id_token:{email:null,email_verified:null,...f}}))}return a&&c.searchParams.set("duration",a),c}var Ne=require("@better-fetch/fetch");async function h({code:e,codeVerifier:t,redirectURI:r,options:n,tokenEndpoint:o,authentication:s}){let i=new URLSearchParams,d={"content-type":"application/x-www-form-urlencoded",accept:"application/json","user-agent":"better-auth"};if(i.set("grant_type","authorization_code"),i.set("code",e),t&&i.set("code_verifier",t),i.set("redirect_uri",r),s==="basic"){let g=btoa(`${n.clientId}:${n.clientSecret}`);d.authorization=`Basic ${g}`}else i.set("client_id",n.clientId),i.set("client_secret",n.clientSecret);let{data:a,error:c}=await(0,Ne.betterFetch)(o,{method:"POST",body:i,headers:d});if(c)throw c;return re(a)}var oe=require("oslo/oauth2"),C=require("zod"),he=require("better-call");async function ne(e,t){let r=e.body?.callbackURL||(e.query?.currentURL?Ie(e.query?.currentURL):"")||e.context.options.baseURL;if(!r)throw new he.APIError("BAD_REQUEST",{message:"callbackURL is required"});let n=(0,oe.generateCodeVerifier)(),o=(0,oe.generateState)(),s=JSON.stringify({callbackURL:r,codeVerifier:n,errorURL:e.body?.errorCallbackURL||e.query?.currentURL,newUserURL:e.body?.newUserCallbackURL,link:t,expiresAt:Date.now()+10*60*1e3}),i=new Date;i.setMinutes(i.getMinutes()+10);let d=await e.context.internalAdapter.createVerificationValue({value:s,identifier:o,expiresAt:i});if(!d)throw e.context.logger.error("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database"),new he.APIError("INTERNAL_SERVER_ERROR",{message:"Unable to create verification"});return{state:d.identifier,codeVerifier:n}}async function je(e){let t=e.query.state||e.body.state,r=await e.context.internalAdapter.findVerificationValue(t);if(!r)throw e.context.logger.error("State Mismatch. Verification not found",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);let n=C.z.object({callbackURL:C.z.string(),codeVerifier:C.z.string(),errorURL:C.z.string().optional(),newUserURL:C.z.string().optional(),expiresAt:C.z.number(),link:C.z.object({email:C.z.string(),userId:C.z.string()}).optional()}).parse(JSON.parse(r.value));if(n.errorURL||(n.errorURL=`${e.context.baseURL}/error`),n.expiresAt<Date.now())throw await e.context.internalAdapter.deleteVerificationValue(r.id),e.context.logger.error("State expired.",{state:t}),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);return await e.context.internalAdapter.deleteVerificationValue(r.id),n}var qe=e=>{let t="https://appleid.apple.com/auth/token";return{id:"apple",name:"Apple",createAuthorizationURL({state:r,scopes:n,redirectURI:o}){let s=n||["email","name"];return e.scope&&s.push(...e.scope),new URL(`https://appleid.apple.com/auth/authorize?client_id=${e.clientId}&response_type=code&redirect_uri=${o||e.redirectURI}&scope=${s.join(" ")}&state=${r}&response_mode=form_post`)},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:o})=>h({code:r,codeVerifier:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async verifyIdToken(r,n){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(r,n);let o=(0,M.decodeProtectedHeader)(r),{kid:s,alg:i}=o;if(!s||!i)return!1;let d=await Mt(s),{payload:a}=await(0,M.jwtVerify)(r,d,{algorithms:[i],issuer:"https://appleid.apple.com",audience:e.clientId,maxTokenAge:"1h"});return["email_verified","is_private_email"].forEach(c=>{a[c]!==void 0&&(a[c]=!!a[c])}),n&&a.nonce!==n?!1:!!a},async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);if(!r.idToken)return null;let n=(0,$e.parseJWT)(r.idToken)?.payload;if(!n)return null;let o=n.user?`${n.user.name.firstName} ${n.user.name.lastName}`:n.email,s=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:o,emailVerified:!1,email:n.email,...s},data:n}}}},Mt=async e=>{let t="https://appleid.apple.com",r="/auth/keys",{data:n}=await(0,Be.betterFetch)(`${t}${r}`);if(!n?.keys)throw new Ve.APIError("BAD_REQUEST",{message:"Keys not found"});let o=n.keys.find(s=>s.kid===e);if(!o)throw new Error(`JWK with kid ${e} not found`);return await(0,M.importJWK)(o,o.alg)};var ze=require("@better-fetch/fetch");var Fe=e=>({id:"discord",name:"Discord",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["identify","email"];return e.scope&&o.push(...e.scope),new URL(`https://discord.com/api/oauth2/authorize?scope=${o.join("+")}&response_type=code&client_id=${e.clientId}&redirect_uri=${encodeURIComponent(e.redirectURI||n)}&state=${t}&prompt=${e.prompt||"none"}`)},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://discord.com/api/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,ze.betterFetch)("https://discord.com/api/users/@me",{headers:{authorization:`Bearer ${t.accessToken}`}});if(n)return null;if(r.avatar===null){let s=r.discriminator==="0"?Number(BigInt(r.id)>>BigInt(22))%6:parseInt(r.discriminator)%5;r.image_url=`https://cdn.discordapp.com/embed/avatars/${s}.png`}else{let s=r.avatar.startsWith("a_")?"gif":"png";r.image_url=`https://cdn.discordapp.com/avatars/${r.id}/${r.avatar}.${s}`}let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name||r.username||"",email:r.email,emailVerified:r.verified,image:r.image_url,...o},data:r}}});var Me=require("@better-fetch/fetch");var He=e=>({id:"facebook",name:"Facebook",async createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["email","public_profile"];return e.scope&&o.push(...e.scope),await y({id:"facebook",options:e,authorizationEndpoint:"https://www.facebook.com/v21.0/dialog/oauth",scopes:o,state:t,redirectURI:n})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://graph.facebook.com/oauth/access_token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,Me.betterFetch)("https://graph.facebook.com/me?fields=id,name,email,picture",{auth:{type:"Bearer",token:t.accessToken}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.email,image:r.picture.data.url,emailVerified:r.email_verified,...o},data:r}}});var we=require("@better-fetch/fetch");var Ge=e=>{let t="https://github.com/login/oauth/access_token";return{id:"github",name:"GitHub",createAuthorizationURL({state:r,scopes:n,codeVerifier:o,redirectURI:s}){let i=n||["user:email"];return e.scope&&i.push(...e.scope),y({id:"github",options:e,authorizationEndpoint:"https://github.com/login/oauth/authorize",scopes:i,state:r,redirectURI:s})},validateAuthorizationCode:async({code:r,redirectURI:n})=>h({code:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:o}=await(0,we.betterFetch)("https://api.github.com/user",{headers:{"User-Agent":"better-auth",authorization:`Bearer ${r.accessToken}`}});if(o)return null;let s=!1;if(!n.email){let{data:d,error:a}=await(0,we.betterFetch)("https://api.github.com/user/emails",{headers:{authorization:`Bearer ${r.accessToken}`,"User-Agent":"better-auth"}});a||(n.email=(d.find(c=>c.primary)??d[0])?.email,s=d.find(c=>c.email===n.email)?.verified??!1)}let i=await e.mapProfileToUser?.(n);return{user:{id:n.id.toString(),name:n.name||n.login,email:n.email,image:n.avatar_url,emailVerified:s,...i},data:n}}}};var Ze=require("oslo/jwt");var We=require("consola"),ye=["info","success","warn","error","debug"];function Ht(e,t){return ye.indexOf(t)<=ye.indexOf(e)}var Gt=(0,We.createConsola)({formatOptions:{date:!1,colors:!0,compact:!0},defaults:{tag:"Better Auth"}}),Wt=e=>{let t=e?.disabled!==!0,r=e?.level??"error",n=(o,s,i=[])=>{if(!(!t||!Ht(r,o))){if(!e||typeof e.log!="function"){Gt[o]("",s,...i);return}e.log(o==="success"?"info":o,s,i)}};return Object.fromEntries(ye.map(o=>[o,(...[s,...i])=>n(o,s,i)]))},x=Wt();var Qe=require("@better-fetch/fetch"),Ke=e=>({id:"google",name:"Google",async createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:o}){if(!e.clientId||!e.clientSecret)throw x.error("Client Id and Client Secret is required for Google. Make sure to provide them in the options."),new q("CLIENT_ID_AND_SECRET_REQUIRED");if(!n)throw new q("codeVerifier is required for Google");let s=r||["email","profile","openid"];e.scope&&s.push(...e.scope);let i=await y({id:"google",options:e,authorizationEndpoint:"https://accounts.google.com/o/oauth2/auth",scopes:s,state:t,codeVerifier:n,redirectURI:o});return e.accessType&&i.searchParams.set("access_type",e.accessType),e.prompt&&i.searchParams.set("prompt",e.prompt),i},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://oauth2.googleapis.com/token"}),async verifyIdToken(t,r){if(e.disableIdTokenSignIn)return!1;if(e.verifyIdToken)return e.verifyIdToken(t,r);let n=`https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=${t}`,{data:o}=await(0,Qe.betterFetch)(n);return o?o.aud===e.clientId&&o.iss==="https://accounts.google.com":!1},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);if(!t.idToken)return null;let r=(0,Ze.parseJWT)(t.idToken)?.payload,n=await e.mapProfileToUser?.(r);return{user:{id:r.sub,name:r.name,email:r.email,image:r.picture,emailVerified:r.email_verified,...n},data:r}}});var Je=require("@better-fetch/fetch"),Ye=require("oslo/jwt");var Xe=e=>{let t=e.tenantId||"common",r=`https://login.microsoftonline.com/${t}/oauth2/v2.0/authorize`,n=`https://login.microsoftonline.com/${t}/oauth2/v2.0/token`;return{id:"microsoft",name:"Microsoft EntraID",createAuthorizationURL(o){let s=o.scopes||["openid","profile","email","User.Read"];return e.scope&&s.push(...e.scope),y({id:"microsoft",options:e,authorizationEndpoint:r,state:o.state,codeVerifier:o.codeVerifier,scopes:s,redirectURI:o.redirectURI})},validateAuthorizationCode({code:o,codeVerifier:s,redirectURI:i}){return h({code:o,codeVerifier:s,redirectURI:e.redirectURI||i,options:e,tokenEndpoint:n})},async getUserInfo(o){if(e.getUserInfo)return e.getUserInfo(o);if(!o.idToken)return null;let s=(0,Ye.parseJWT)(o.idToken)?.payload,i=e.profilePhotoSize||48;await(0,Je.betterFetch)(`https://graph.microsoft.com/v1.0/me/photos/${i}x${i}/$value`,{headers:{Authorization:`Bearer ${o.accessToken}`},async onResponse(a){if(!(e.disableProfilePhoto||!a.response.ok))try{let f=await a.response.clone().arrayBuffer(),g=Buffer.from(f).toString("base64");s.picture=`data:image/jpeg;base64, ${g}`}catch(c){x.error(c&&typeof c=="object"&&"name"in c?c.name:"",c)}}});let d=await e.mapProfileToUser?.(s);return{user:{id:s.sub,name:s.name,email:s.email,image:s.picture,emailVerified:!0,...d},data:s}}}};var et=require("@better-fetch/fetch");var tt=e=>({id:"spotify",name:"Spotify",createAuthorizationURL({state:t,scopes:r,codeVerifier:n,redirectURI:o}){let s=r||["user-read-email"];return e.scope&&s.push(...e.scope),y({id:"spotify",options:e,authorizationEndpoint:"https://accounts.spotify.com/authorize",scopes:s,state:t,codeVerifier:n,redirectURI:o})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>h({code:t,codeVerifier:r,redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://accounts.spotify.com/api/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,et.betterFetch)("https://api.spotify.com/v1/me",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.display_name,email:r.email,image:r.images[0]?.url,emailVerified:!1,...o},data:r}}});var H={isAction:!1};var rt=require("nanoid"),ot=e=>(0,rt.nanoid)(e);var nt=require("oslo/jwt");var st=e=>({id:"twitch",name:"Twitch",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["user:read:email","openid"];return e.scope&&o.push(...e.scope),y({id:"twitch",redirectURI:n,options:e,authorizationEndpoint:"https://id.twitch.tv/oauth2/authorize",scopes:o,state:t,claims:e.claims||["email","email_verified","preferred_username","picture"]})},validateAuthorizationCode:async({code:t,redirectURI:r})=>h({code:t,redirectURI:e.redirectURI||r,options:e,tokenEndpoint:"https://id.twitch.tv/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let r=t.idToken;if(!r)return x.error("No idToken found in token"),null;let n=(0,nt.parseJWT)(r)?.payload,o=await e.mapProfileToUser?.(n);return{user:{id:n.sub,name:n.preferred_username,email:n.email,image:n.picture,emailVerified:!1,...o},data:n}}});var it=require("@better-fetch/fetch");var at=e=>({id:"twitter",name:"Twitter",createAuthorizationURL(t){let r=t.scopes||["users.read","tweet.read","offline.access"];return e.scope&&r.push(...e.scope),y({id:"twitter",options:e,authorizationEndpoint:"https://x.com/i/oauth2/authorize",scopes:r,state:t.state,codeVerifier:t.codeVerifier,redirectURI:t.redirectURI})},validateAuthorizationCode:async({code:t,codeVerifier:r,redirectURI:n})=>h({code:t,codeVerifier:r,authentication:"basic",redirectURI:e.redirectURI||n,options:e,tokenEndpoint:"https://api.x.com/2/oauth2/token"}),async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,it.betterFetch)("https://api.x.com/2/users/me?user.fields=profile_image_url",{method:"GET",headers:{Authorization:`Bearer ${t.accessToken}`}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.data.id,name:r.data.name,email:r.data.username||null,image:r.data.profile_image_url,emailVerified:r.data.verified||!1,...o},data:r}}});var dt=require("@better-fetch/fetch");var ct=e=>{let t="https://api.dropboxapi.com/oauth2/token";return{id:"dropbox",name:"Dropbox",createAuthorizationURL:async({state:r,scopes:n,codeVerifier:o,redirectURI:s})=>{let i=n||["account_info.read"];return e.scope&&i.push(...e.scope),await y({id:"dropbox",options:e,authorizationEndpoint:"https://www.dropbox.com/oauth2/authorize",scopes:i,state:r,redirectURI:s,codeVerifier:o})},validateAuthorizationCode:async({code:r,codeVerifier:n,redirectURI:o})=>await h({code:r,codeVerifier:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:t}),async getUserInfo(r){if(e.getUserInfo)return e.getUserInfo(r);let{data:n,error:o}=await(0,dt.betterFetch)("https://api.dropboxapi.com/2/users/get_current_account",{method:"POST",headers:{Authorization:`Bearer ${r.accessToken}`}});if(o)return null;let s=await e.mapProfileToUser?.(n);return{user:{id:n.account_id,name:n.name?.display_name,email:n.email,emailVerified:n.email_verified||!1,image:n.profile_photo_url,...s},data:n}}}};var pt=require("@better-fetch/fetch");var ut=e=>{let t="https://www.linkedin.com/oauth/v2/authorization",r="https://www.linkedin.com/oauth/v2/accessToken";return{id:"linkedin",name:"Linkedin",createAuthorizationURL:async({state:n,scopes:o,redirectURI:s})=>{let i=o||["profile","email","openid"];return e.scope&&i.push(...e.scope),await y({id:"linkedin",options:e,authorizationEndpoint:t,scopes:i,state:n,redirectURI:s})},validateAuthorizationCode:async({code:n,redirectURI:o})=>await h({code:n,redirectURI:e.redirectURI||o,options:e,tokenEndpoint:r}),async getUserInfo(n){let{data:o,error:s}=await(0,pt.betterFetch)("https://api.linkedin.com/v2/userinfo",{method:"GET",headers:{Authorization:`Bearer ${n.accessToken}`}});if(s)return null;let i=await e.mapProfileToUser?.(o);return{user:{id:o.sub,name:o.name,email:o.email,emailVerified:o.email_verified||!1,image:o.picture,...i},data:o}}}};var lt=require("@better-fetch/fetch");var be=(e="")=>e.split("://").map(t=>t.replace(/\/{2,}/g,"/")).join("://"),Zt=e=>{let t=e||"https://gitlab.com";return{authorizationEndpoint:be(`${t}/oauth/authorize`),tokenEndpoint:be(`${t}/oauth/token`),userinfoEndpoint:be(`${t}/api/v4/user`)}},mt=e=>{let{authorizationEndpoint:t,tokenEndpoint:r,userinfoEndpoint:n}=Zt(e.issuer),o="gitlab";return{id:o,name:"Gitlab",createAuthorizationURL:async({state:i,scopes:d,codeVerifier:a,redirectURI:c})=>{let f=d||["read_user"];return e.scope&&f.push(...e.scope),await y({id:o,options:e,authorizationEndpoint:t,scopes:f,state:i,redirectURI:c,codeVerifier:a})},validateAuthorizationCode:async({code:i,redirectURI:d,codeVerifier:a})=>h({code:i,redirectURI:e.redirectURI||d,options:e,codeVerifier:a,tokenEndpoint:r}),async getUserInfo(i){if(e.getUserInfo)return e.getUserInfo(i);let{data:d,error:a}=await(0,lt.betterFetch)(n,{headers:{authorization:`Bearer ${i.accessToken}`}});if(a||d.state!=="active"||d.locked)return null;let c=await e.mapProfileToUser?.(d);return{user:{id:d.id.toString(),name:d.name??d.username,email:d.email,image:d.avatar_url,emailVerified:!0,...c},data:d}}}};var Ae=require("@better-fetch/fetch");var ft=e=>({id:"reddit",name:"Reddit",createAuthorizationURL({state:t,scopes:r,redirectURI:n}){let o=r||["identity"];return e.scope&&o.push(...e.scope),y({id:"reddit",options:e,authorizationEndpoint:"https://www.reddit.com/api/v1/authorize",scopes:o,state:t,redirectURI:n,duration:e.duration})},validateAuthorizationCode:async({code:t,redirectURI:r})=>{let n=new URLSearchParams({grant_type:"authorization_code",code:t,redirect_uri:e.redirectURI||r}),o={"content-type":"application/x-www-form-urlencoded",accept:"text/plain","user-agent":"better-auth",Authorization:`Basic ${Buffer.from(`${e.clientId}:${e.clientSecret}`).toString("base64")}`},{data:s,error:i}=await(0,Ae.betterFetch)("https://www.reddit.com/api/v1/access_token",{method:"POST",headers:o,body:n.toString()});if(i)throw i;return re(s)},async getUserInfo(t){if(e.getUserInfo)return e.getUserInfo(t);let{data:r,error:n}=await(0,Ae.betterFetch)("https://oauth.reddit.com/api/v1/me",{headers:{Authorization:`Bearer ${t.accessToken}`,"User-Agent":"better-auth"}});if(n)return null;let o=await e.mapProfileToUser?.(r);return{user:{id:r.id,name:r.name,email:r.oauth_client_id,emailVerified:r.has_verified_email,image:r.icon_img?.split("?")[0],...o},data:r}}});var Qt={apple:qe,discord:Fe,facebook:He,github:Ge,microsoft:Xe,google:Ke,spotify:tt,twitch:st,twitter:at,dropbox:ct,linkedin:ut,gitlab:mt,reddit:ft},se=Object.keys(Qt);var yt=require("oslo"),ie=require("oslo/jwt"),P=require("zod");var G=require("better-call");var N=require("better-call");var z=require("zod");function gt(e){try{return JSON.parse(e)}catch{return null}}var l={USER_NOT_FOUND:"User not found",FAILED_TO_CREATE_USER:"Failed to create user",FAILED_TO_CREATE_SESSION:"Failed to create session",FAILED_TO_UPDATE_USER:"Failed to update user",FAILED_TO_GET_SESSION:"Failed to get session",INVALID_PASSWORD:"Invalid password",INVALID_EMAIL:"Invalid email",INVALID_EMAIL_OR_PASSWORD:"Invalid email or password",SOCIAL_ACCOUNT_ALREADY_LINKED:"Social account already linked",PROVIDER_NOT_FOUND:"Provider not found",INVALID_TOKEN:"invalid token",ID_TOKEN_NOT_SUPPORTED:"id_token not supported",FAILED_TO_GET_USER_INFO:"Failed to get user info",USER_EMAIL_NOT_FOUND:"User email not found",EMAIL_NOT_VERIFIED:"Email not verified",PASSWORD_TOO_SHORT:"Password too short",PASSWORD_TOO_LONG:"Password too long",USER_ALREADY_EXISTS:"User already exists",EMAIL_CAN_NOT_BE_UPDATED:"Email can not be updated",CREDENTIAL_ACCOUNT_NOT_FOUND:"Credential account not found"};var ht=()=>p("/get-session",{method:"GET",query:z.z.optional(z.z.object({disableCookieCache:z.z.boolean({description:"Disable cookie cache and fetch session from database"}).or(z.z.string().transform(e=>e==="true")).optional(),disableRefresh:z.z.boolean({description:"Disable session refresh. Useful for checking session status, without updating the session"}).optional()})),requireHeaders:!0,metadata:{openapi:{description:"Get the current session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"object",properties:{token:{type:"string"},userId:{type:"string"},expiresAt:{type:"string"}}},user:{type:"object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{try{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)return e.json(null);let r=e.getCookie(e.context.authCookies.sessionData.name),n=r?gt(Buffer.from(r,"base64").toString()):null;if(n&&!await te.verify({value:JSON.stringify(n.session),signature:n?.signature,secret:e.context.secret}))return L(e),e.json(null);let o=await e.getSignedCookie(e.context.authCookies.dontRememberToken.name,e.context.secret);if(n?.session&&e.context.options.session?.cookieCache?.enabled&&!e.query?.disableCookieCache){let f=n.session;if(n.expiresAt<Date.now()||f.session.expiresAt<new Date){let R=e.context.authCookies.sessionData.name;e.setCookie(R,"",{maxAge:0})}else return e.json(f)}let s=await e.context.internalAdapter.findSession(t);if(e.context.session=s,!s||s.session.expiresAt<new Date)return L(e),s&&await e.context.internalAdapter.deleteSession(s.session.token),e.json(null);if(o||e.query?.disableRefresh)return e.json(s);let i=e.context.sessionConfig.expiresIn,d=e.context.sessionConfig.updateAge;if(s.session.expiresAt.valueOf()-i*1e3+d*1e3<=Date.now()){let f=await e.context.internalAdapter.updateSession(s.session.token,{expiresAt:O(e.context.sessionConfig.expiresIn,"sec")});if(!f)return L(e),e.json(null,{status:401});let g=(f.expiresAt.valueOf()-Date.now())/1e3;return await k(e,{session:f,user:s.user},!1,{maxAge:g}),e.json({session:f,user:s.user})}return e.json(s)}catch(t){throw e.context.logger.error("INTERNAL_SERVER_ERROR",t),new N.APIError("INTERNAL_SERVER_ERROR",{message:l.FAILED_TO_GET_SESSION})}}),j=async(e,t)=>{if(e.context.session)return e.context.session;let r=await ht()({...e,_flag:"json",headers:e.headers,query:t}).catch(n=>null);return e.context.session=r,r},B=$(async e=>{let t=await j(e);if(!t?.session)throw new N.APIError("UNAUTHORIZED");return{session:t}}),wt=$(async e=>{let t=await j(e);if(!t?.session)throw new N.APIError("UNAUTHORIZED");if(e.context.sessionConfig.freshAge===0)return{session:t};let r=e.context.sessionConfig.freshAge,n=t.session.updatedAt?.valueOf()||t.session.createdAt.valueOf();if(!(Date.now()-n<r*1e3))throw new N.APIError("FORBIDDEN",{message:"Session is not fresh"});return{session:t}});var Kt=p("/revoke-session",{method:"POST",body:z.z.object({token:z.z.string({description:"The token to revoke"})}),use:[B],requireHeaders:!0,metadata:{openapi:{description:"Revoke a single session",requestBody:{content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}},required:["token"]}}}}}}},async e=>{let t=e.body.token,r=await e.context.internalAdapter.findSession(t);if(!r)throw new N.APIError("BAD_REQUEST",{message:"Session not found"});if(r.session.userId!==e.context.session.user.id)throw new N.APIError("UNAUTHORIZED");try{await e.context.internalAdapter.deleteSession(t)}catch(n){throw e.context.logger.error(n&&typeof n=="object"&&"name"in n?n.name:"",n),new N.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Jt=p("/revoke-sessions",{method:"POST",use:[B],requireHeaders:!0,metadata:{openapi:{description:"Revoke all sessions for the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}},required:["status"]}}}}}}}},async e=>{try{await e.context.internalAdapter.deleteSessions(e.context.session.user.id)}catch(t){throw e.context.logger.error(t&&typeof t=="object"&&"name"in t?t.name:"",t),new N.APIError("INTERNAL_SERVER_ERROR")}return e.json({status:!0})}),Yt=p("/revoke-other-sessions",{method:"POST",requireHeaders:!0,use:[B],metadata:{openapi:{description:"Revoke all other sessions for the user except the current one",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.context.session;if(!t.user)throw new N.APIError("UNAUTHORIZED");let o=(await e.context.internalAdapter.listSessions(t.user.id)).filter(s=>s.expiresAt>new Date).filter(s=>s.token!==e.context.session.session.token);return await Promise.all(o.map(s=>e.context.internalAdapter.deleteSession(s.token))),e.json({status:!0})});async function V(e,t,r){return await(0,ie.createJWT)("HS256",Buffer.from(e),{email:t.toLowerCase(),updateTo:r},{expiresIn:new yt.TimeSpan(1,"h"),issuer:"better-auth",subject:"verify-email",audiences:[t],includeIssuedTimestamp:!0})}async function Xt(e,t){if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new G.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await V(e.context.secret,t.email),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;await e.context.options.emailVerification.sendVerificationEmail({user:t,url:n,token:r},e.request)}var er=p("/send-verification-email",{method:"POST",query:P.z.object({currentURL:P.z.string({description:"The URL to use for email verification callback"}).optional()}).optional(),body:P.z.object({email:P.z.string({description:"The email to send the verification email to"}).email(),callbackURL:P.z.string({description:"The URL to use for email verification callback"}).optional()}),metadata:{openapi:{description:"Send a verification email to the user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{email:{type:"string",description:"The email to send the verification email to"},callbackURL:{type:"string",description:"The URL to use for email verification callback"}},required:["email"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailVerification?.sendVerificationEmail)throw e.context.logger.error("Verification email isn't enabled."),new G.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let{email:t}=e.body,r=await e.context.internalAdapter.findUserByEmail(t);if(!r)throw new G.APIError("BAD_REQUEST",{message:l.USER_NOT_FOUND});return await Xt(e,r.user),e.json({status:!0})}),tr=p("/verify-email",{method:"GET",query:P.z.object({token:P.z.string({description:"The token to verify the email"}),callbackURL:P.z.string({description:"The URL to redirect to after email verification"}).optional()}),metadata:{openapi:{description:"Verify the email of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}},required:["user","status"]}}}}}}}},async e=>{function t(d){throw e.query.callbackURL?e.query.callbackURL.includes("?")?e.redirect(`${e.query.callbackURL}&error=${d}`):e.redirect(`${e.query.callbackURL}?error=${d}`):new G.APIError("UNAUTHORIZED",{message:d})}let{token:r}=e.query,n;try{n=await(0,ie.validateJWT)("HS256",Buffer.from(e.context.secret),r)}catch(d){return e.context.logger.error("Failed to verify email",d),t("invalid_token")}let s=P.z.object({email:P.z.string().email(),updateTo:P.z.string().optional()}).parse(n.payload),i=await e.context.internalAdapter.findUserByEmail(s.email);if(!i)return t("user_not_found");if(s.updateTo){let d=await j(e);if(!d){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}if(d.user.email!==s.email){if(e.query.callbackURL)throw e.redirect(`${e.query.callbackURL}?error=unauthorized`);return t("unauthorized")}let a=await e.context.internalAdapter.updateUserByEmail(s.email,{email:s.updateTo,emailVerified:!1}),c=await V(e.context.secret,s.updateTo);if(await e.context.options.emailVerification?.sendVerificationEmail?.({user:a,url:`${e.context.baseURL}/verify-email?token=${c}`,token:c},e.request),e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:a,status:!0})}if(await e.context.internalAdapter.updateUserByEmail(s.email,{emailVerified:!0}),e.context.options.emailVerification?.autoSignInAfterVerification&&!await j(e)){let a=await e.context.internalAdapter.createSession(i.user.id,e.request);if(!a)throw new G.APIError("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});await k(e,{session:a,user:i.user})}if(e.query.callbackURL)throw e.redirect(e.query.callbackURL);return e.json({user:null,status:!0})});async function ae(e,{userInfo:t,account:r,callbackURL:n}){let o=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(a=>{throw x.error(`Better auth was unable to query your database.
3
3
  Error: `,a),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),s=o?.user,i=!s;if(o){let a=o.accounts.find(c=>c.providerId===r.providerId);if(a){let c=Object.fromEntries(Object.entries({accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt}).filter(([f,g])=>g!==void 0));Object.keys(c).length>0&&await e.context.internalAdapter.updateAccount(a.id,c)}else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(r.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return ge&&x.warn(`User already exist but account isn't linked to ${r.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:r.providerId,accountId:t.id.toString(),userId:o.user.id,accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope})}catch(g){return x.error("Unable to link account",g),{error:"unable to link account",data:null}}s=await e.context.internalAdapter.updateUser(o.user.id,{...t,updatedAt:new Date})}}else if(s=await e.context.internalAdapter.createOAuthUser({...t,email:t.email.toLowerCase(),id:void 0},{accessToken:r.accessToken,idToken:r.idToken,refreshToken:r.refreshToken,accessTokenExpiresAt:r.accessTokenExpiresAt,refreshTokenExpiresAt:r.refreshTokenExpiresAt,scope:r.scope,providerId:r.providerId,accountId:t.id.toString()}).then(a=>a?.user),!t.emailVerified&&s&&e.context.options.emailVerification?.sendOnSignUp){let a=await V(e.context.secret,s.email),c=`${e.context.baseURL}/verify-email?token=${a}&callbackURL=${n}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:s,url:c,token:a},e.request)}if(!s)return{error:"unable to create user",data:null,isRegister:!1};let d=await e.context.internalAdapter.createSession(s.id,e.request);return d?{data:{session:d,user:s},error:null,isRegister:i}:{error:"unable to create session",data:null,isRegister:!1}}var rr=p("/sign-in/social",{method:"POST",query:b.z.object({currentURL:b.z.string().optional()}).optional(),body:b.z.object({callbackURL:b.z.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),newUserCallbackURL:b.z.string().optional(),errorCallbackURL:b.z.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:b.z.enum(se,{description:"OAuth2 provider to use"}),disableRedirect:b.z.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:b.z.optional(b.z.object({token:b.z.string({description:"ID token from the provider"}),nonce:b.z.string({description:"Nonce used to generate the token"}).optional(),accessToken:b.z.string({description:"Access token from the provider"}).optional(),refreshToken:b.z.string({description:"Refresh token from the provider"}).optional(),expiresAt:b.z.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new U.APIError("NOT_FOUND",{message:l.PROVIDER_NOT_FOUND});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new U.APIError("NOT_FOUND",{message:l.ID_TOKEN_NOT_SUPPORTED});let{token:s,nonce:i}=e.body.idToken;if(!await t.verifyIdToken(s,i))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new U.APIError("UNAUTHORIZED",{message:l.INVALID_TOKEN});let a=await t.getUserInfo({idToken:s,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!a||!a?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new U.APIError("UNAUTHORIZED",{message:l.FAILED_TO_GET_USER_INFO});if(!a.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new U.APIError("UNAUTHORIZED",{message:l.USER_EMAIL_NOT_FOUND});let c=await ae(e,{userInfo:{email:a.user.email,id:a.user.id,name:a.user.name||"",image:a.user.image,emailVerified:a.user.emailVerified||!1},account:{providerId:t.id,accountId:a.user.id,accessToken:e.body.idToken.accessToken}});if(c.error)throw new U.APIError("UNAUTHORIZED",{message:c.error});return await k(e,c.data),e.json({session:c.data.session,user:c.data.user,url:void 0,redirect:!1})}let{codeVerifier:r,state:n}=await ne(e),o=await t.createAuthorizationURL({state:n,codeVerifier:r,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:o.toString(),redirect:!e.body.disableRedirect})}),or=p("/sign-in/email",{method:"POST",body:b.z.object({email:b.z.string({description:"Email of the user"}),password:b.z.string({description:"Password of the user"}),callbackURL:b.z.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:b.z.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new U.APIError("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:r}=e.body;if(!b.z.string().email().safeParse(t).success)throw new U.APIError("BAD_REQUEST",{message:l.INVALID_EMAIL});let o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)throw await e.context.password.hash(r),e.context.logger.error("User not found",{email:t}),new U.APIError("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});let s=o.accounts.find(c=>c.providerId==="credential");if(!s)throw e.context.logger.error("Credential account not found",{email:t}),new U.APIError("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});let i=s?.password;if(!i)throw e.context.logger.error("Password not found",{email:t}),new U.APIError("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});if(!await e.context.password.verify({hash:i,password:r}))throw e.context.logger.error("Invalid password"),new U.APIError("UNAUTHORIZED",{message:l.INVALID_EMAIL_OR_PASSWORD});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!o.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new U.APIError("UNAUTHORIZED",{message:l.EMAIL_NOT_VERIFIED});let c=await V(e.context.secret,o.user.email),f=`${e.context.baseURL}/verify-email?token=${c}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:o.user,url:f,token:c},e.request),e.context.logger.error("Email not verified",{email:t}),new U.APIError("FORBIDDEN",{message:l.EMAIL_NOT_VERIFIED})}let a=await e.context.internalAdapter.createSession(o.user.id,e.headers,e.body.rememberMe===!1);if(!a)throw e.context.logger.error("Failed to create session"),new U.APIError("UNAUTHORIZED",{message:l.FAILED_TO_CREATE_SESSION});return await k(e,{session:a,user:o.user},e.body.rememberMe===!1),e.json({user:{id:o.user.id,email:o.user.email,name:o.user.name,image:o.user.image,emailVerified:o.user.emailVerified,createdAt:o.user.createdAt,updatedAt:o.user.updatedAt},redirect:!!e.body.callbackURL,url:e.body.callbackURL})});var W=require("zod");var de=W.z.object({code:W.z.string().optional(),error:W.z.string().optional(),error_description:W.z.string().optional(),state:W.z.string().optional()}),nr=p("/callback/:id",{method:["GET","POST"],body:de.optional(),query:de.optional(),metadata:H},async e=>{let t;try{if(e.method==="GET")t=de.parse(e.query);else if(e.method==="POST")t=de.parse(e.body);else throw new Error("Unsupported method")}catch(v){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",v),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:r,error:n,state:o,error_description:s}=t;if(!o)throw e.context.logger.error("State not found",n),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!r)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${n||"no_code"}&error_description=${s}`);let i=e.context.socialProviders.find(v=>v.id===e.params.id);if(!i)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:d,callbackURL:a,link:c,errorURL:f,newUserURL:g}=await je(e),R;try{R=await i.validateAuthorizationCode({code:r,codeVerifier:d,redirectURI:`${e.context.baseURL}/callback/${i.id}`})}catch(v){throw e.context.logger.error("",v),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let w=await i.getUserInfo(R).then(v=>v?.user);function A(v){let D=f||a||`${e.context.baseURL}/error`;throw D.includes("?")?D=`${D}&error=${v}`:D=`${D}?error=${v}`,e.redirect(D)}if(!w)return e.context.logger.error("Unable to get user info"),A("unable_to_get_user_info");if(!w.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),A("email_not_found");if(!a)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(c){if(c.email!==w.email.toLowerCase())return A("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:c.userId,providerId:i.id,accountId:w.id}))return A("unable_to_link_account");let D;try{D=a.toString()}catch{D=a}throw e.redirect(D)}let _=await ae(e,{userInfo:{...w,email:w.email,name:w.name||w.email},account:{providerId:i.id,accountId:w.id,...R,scope:R.scopes?.join(",")},callbackURL:a});if(_.error)return e.context.logger.error(_.error.split(" ").join("_")),A(_.error.split(" ").join("_"));let{session:ke,user:ce}=_.data;await k(e,{session:ke,user:ce});let pe;try{pe=(_.isRegister&&g||a).toString()}catch{pe=_.isRegister&&g||a}throw e.redirect(pe)});var ws=require("zod");var bt=require("better-call");var sr=p("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw L(e),new bt.APIError("BAD_REQUEST",{message:l.FAILED_TO_GET_SESSION});return await e.context.internalAdapter.deleteSession(t),L(e),e.json({success:!0})});var I=require("zod");var Z=require("better-call");function At(e,t,r){let n=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return r&&Object.entries(r).forEach(([o,s])=>n.searchParams.set(o,s)),n.href}function ir(e,t,r){let n=new URL(t,e.baseURL);return r&&Object.entries(r).forEach(([o,s])=>n.searchParams.set(o,s)),n.href}var ar=p("/forget-password",{method:"POST",body:I.z.object({email:I.z.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:I.z.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new Z.APIError("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:r}=e.body,n=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!n)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let o=60*60*1,s=O(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||o,"sec"),i=ot(24);await e.context.internalAdapter.createVerificationValue({value:n.user.id.toString(),identifier:`reset-password:${i}`,expiresAt:s});let d=`${e.context.baseURL}/reset-password/${i}?callbackURL=${r}`;return await e.context.options.emailAndPassword.sendResetPassword({user:n.user,url:d,token:i},e.request),e.json({status:!0})}),dr=p("/reset-password/:token",{method:"GET",query:I.z.object({callbackURL:I.z.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:r}=e.query;if(!t||!r)throw e.redirect(At(e.context,r,{error:"INVALID_TOKEN"}));let n=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!n||n.expiresAt<new Date?e.redirect(At(e.context,r,{error:"INVALID_TOKEN"})):e.redirect(ir(e.context,r,{token:t}))}),cr=p("/reset-password",{query:I.z.optional(I.z.object({token:I.z.string().optional(),currentURL:I.z.string().optional()})),method:"POST",body:I.z.object({newPassword:I.z.string({description:"The new password to set"}),token:I.z.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new Z.APIError("BAD_REQUEST",{message:l.INVALID_TOKEN});let{newPassword:r}=e.body,n=e.context.password?.config.minPasswordLength,o=e.context.password?.config.maxPasswordLength;if(r.length<n)throw new Z.APIError("BAD_REQUEST",{message:l.PASSWORD_TOO_SHORT});if(r.length>o)throw new Z.APIError("BAD_REQUEST",{message:l.PASSWORD_TOO_LONG});let s=`reset-password:${t}`,i=await e.context.internalAdapter.findVerificationValue(s);if(!i||i.expiresAt<new Date)throw new Z.APIError("BAD_REQUEST",{message:l.INVALID_TOKEN});await e.context.internalAdapter.deleteVerificationValue(i.id);let d=i.value,a=await e.context.password.hash(r);return(await e.context.internalAdapter.findAccounts(d)).find(g=>g.providerId==="credential")?(await e.context.internalAdapter.updatePassword(d,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:d,providerId:"credential",password:a,accountId:d}),e.json({status:!0}))});var T=require("zod");var E=require("better-call");var m=require("zod"),pr=require("better-call"),Os=m.z.object({id:m.z.string(),providerId:m.z.string(),accountId:m.z.string(),userId:m.z.string(),accessToken:m.z.string().nullish(),refreshToken:m.z.string().nullish(),idToken:m.z.string().nullish(),accessTokenExpiresAt:m.z.date().nullish(),refreshTokenExpiresAt:m.z.date().nullish(),scope:m.z.string().nullish(),password:m.z.string().nullish(),createdAt:m.z.date().default(()=>new Date),updatedAt:m.z.date().default(()=>new Date)}),Is=m.z.object({id:m.z.string(),email:m.z.string().transform(e=>e.toLowerCase()),emailVerified:m.z.boolean().default(!1),name:m.z.string(),image:m.z.string().nullish(),createdAt:m.z.date().default(()=>new Date),updatedAt:m.z.date().default(()=>new Date)}),vs=m.z.object({id:m.z.string(),userId:m.z.string(),expiresAt:m.z.date(),createdAt:m.z.date().default(()=>new Date),updatedAt:m.z.date().default(()=>new Date),token:m.z.string(),ipAddress:m.z.string().nullish(),userAgent:m.z.string().nullish()}),Ls=m.z.object({id:m.z.string(),value:m.z.string(),createdAt:m.z.date().default(()=>new Date),updatedAt:m.z.date().default(()=>new Date),expiresAt:m.z.date(),identifier:m.z.string()});function Rt(e,t){if(!t)return e;for(let r in t){let n=t[r]?.modelName;n&&(e[r].modelName=n);for(let o in e[r].fields){let s=t[r]?.fields?.[o];s&&(e[r].fields[o].fieldName=s)}}return e}var hr=require("@noble/ciphers/chacha"),Ee=require("@noble/ciphers/utils"),wr=require("@noble/ciphers/webcrypto"),yr=require("oslo/crypto"),br=ue(require("uncrypto"),1);var Et=require("oslo/encoding");var ur=require("@noble/hashes/scrypt"),lr=require("uncrypto");var Re=ue(require("uncrypto"),1);function mr(e){return e.toString(2).padStart(8,"0")}function fr(e){return[...e].map(t=>mr(t)).join("")}function Ut(e){return parseInt(fr(e),2)}function gr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,r=t%8,n=new Uint8Array(Math.ceil(t/8));Re.default.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1);let o=Ut(n);for(;o>=e;)Re.default.getRandomValues(n),r!==0&&(n[0]&=(1<<r)-1),o=Ut(n);return o}function kt(e,t){let r="";for(let n=0;n<e;n++)r+=t[gr(t.length)];return r}function _t(...e){let t=new Set(e),r="";for(let n of t)n==="a-z"?r+="abcdefghijklmnopqrstuvwxyz":n==="A-Z"?r+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":n==="0-9"?r+="0123456789":r+=n;return r}var Rr=p("/change-password",{method:"POST",body:T.z.object({newPassword:T.z.string({description:"The new password to set"}),currentPassword:T.z.string({description:"The current password"}),revokeOtherSessions:T.z.boolean({description:"Revoke all other sessions"}).optional()}),use:[B],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:r,revokeOtherSessions:n}=e.body,o=e.context.session,s=e.context.password.config.minPasswordLength;if(t.length<s)throw e.context.logger.error("Password is too short"),new E.APIError("BAD_REQUEST",{message:l.PASSWORD_TOO_SHORT});let i=e.context.password.config.maxPasswordLength;if(t.length>i)throw e.context.logger.error("Password is too long"),new E.APIError("BAD_REQUEST",{message:l.PASSWORD_TOO_LONG});let a=(await e.context.internalAdapter.findAccounts(o.user.id)).find(g=>g.providerId==="credential"&&g.password);if(!a||!a.password)throw new E.APIError("BAD_REQUEST",{message:l.CREDENTIAL_ACCOUNT_NOT_FOUND});let c=await e.context.password.hash(t);if(!await e.context.password.verify({hash:a.password,password:r}))throw new E.APIError("BAD_REQUEST",{message:l.INVALID_PASSWORD});if(await e.context.internalAdapter.updateAccount(a.id,{password:c}),n){await e.context.internalAdapter.deleteSessions(o.user.id);let g=await e.context.internalAdapter.createSession(o.user.id,e.headers);if(!g)throw new E.APIError("INTERNAL_SERVER_ERROR",{message:l.FAILED_TO_GET_SESSION});await k(e,{session:g,user:o.user})}return e.json(o.user)}),Er=p("/set-password",{method:"POST",body:T.z.object({newPassword:T.z.string()}),metadata:{SERVER_ONLY:!0},use:[B]},async e=>{let{newPassword:t}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new E.APIError("BAD_REQUEST",{message:l.PASSWORD_TOO_SHORT});let o=e.context.password.config.maxPasswordLength;if(t.length>o)throw e.context.logger.error("Password is too long"),new E.APIError("BAD_REQUEST",{message:l.PASSWORD_TOO_LONG});let i=(await e.context.internalAdapter.findAccounts(r.user.id)).find(a=>a.providerId==="credential"&&a.password),d=await e.context.password.hash(t);if(!i)return await e.context.internalAdapter.linkAccount({userId:r.user.id,providerId:"credential",accountId:r.user.id,password:d}),e.json(r.user);throw new E.APIError("BAD_REQUEST",{message:"user already has a password"})}),Ur=p("/delete-user",{method:"POST",use:[wt],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options",{session:e.context.session}),new E.APIError("NOT_FOUND");let t=e.context.session;if(e.context.options.user.deleteUser?.sendDeleteAccountVerification){let o=kt(32,_t("a-z","A-Z","0-9"));await e.context.internalAdapter.createVerificationValue({value:t.user.id,identifier:`delete-account-${o}`,expiresAt:new Date(Date.now()+1e3*60*60*24)});let s=`${e.context.baseURL}/delete-user/callback?token=${o}`;return await e.context.options.user.deleteUser.sendDeleteAccountVerification({user:t.user,url:s,token:o},e.request),e.json({success:!0,message:"Verification email sent"})}let r=e.context.options.user.deleteUser?.beforeDelete;r&&await r(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),L(e);let n=e.context.options.user.deleteUser?.afterDelete;return n&&await n(t.user,e.request),e.json({success:!0,message:"User deleted"})}),kr=p("/delete-user/callback",{method:"GET",query:T.z.object({token:T.z.string()})},async e=>{if(!e.context.options.user?.deleteUser?.enabled)throw e.context.logger.error("Delete user is disabled. Enable it in the options"),new E.APIError("NOT_FOUND");let t=await j(e);if(!t)throw new E.APIError("NOT_FOUND",{message:l.FAILED_TO_GET_USER_INFO});let r=await e.context.internalAdapter.findVerificationValue(`delete-account-${e.query.token}`);if(!r||r.expiresAt<new Date)throw r&&await e.context.internalAdapter.deleteVerificationValue(r.id),new E.APIError("NOT_FOUND",{message:l.INVALID_TOKEN});if(r.value!==t.user.id)throw new E.APIError("NOT_FOUND",{message:l.INVALID_TOKEN});let n=e.context.options.user.deleteUser?.beforeDelete;n&&await n(t.user,e.request),await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),await e.context.internalAdapter.deleteAccounts(t.user.id),await e.context.internalAdapter.deleteVerificationValue(r.id),L(e);let o=e.context.options.user.deleteUser?.afterDelete;return o&&await o(t.user,e.request),e.json({success:!0,message:"User deleted"})}),_r=p("/change-email",{method:"POST",query:T.z.object({currentURL:T.z.string().optional()}).optional(),body:T.z.object({newEmail:T.z.string({description:"The new email to set"}).email(),callbackURL:T.z.string({description:"The URL to redirect to after email verification"}).optional()}),use:[B],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new E.APIError("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new E.APIError("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new E.APIError("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let o=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:o,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new E.APIError("BAD_REQUEST",{message:"Verification email isn't enabled"});let r=await V(e.context.secret,e.context.session.user.email,e.body.newEmail),n=`${e.context.baseURL}/verify-email?token=${r}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:n,token:r},e.request),e.json({user:null,status:!0})});var Tr=(e="Unknown")=>`<!DOCTYPE html>
4
4
  <html lang="en">
5
5
  <head>