better-auth 1.0.3 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/dist/adapters/drizzle.cjs +1 -1
  2. package/dist/adapters/drizzle.d.cts +1 -1
  3. package/dist/adapters/drizzle.d.ts +1 -1
  4. package/dist/adapters/drizzle.js +1 -1
  5. package/dist/adapters/kysely.d.cts +1 -1
  6. package/dist/adapters/kysely.d.ts +1 -1
  7. package/dist/adapters/memory.d.cts +1 -1
  8. package/dist/adapters/memory.d.ts +1 -1
  9. package/dist/adapters/mongodb.d.cts +1 -1
  10. package/dist/adapters/mongodb.d.ts +1 -1
  11. package/dist/adapters/prisma.d.cts +1 -1
  12. package/dist/adapters/prisma.d.ts +1 -1
  13. package/dist/api.d.cts +1 -1
  14. package/dist/api.d.ts +1 -1
  15. package/dist/{auth-DF-f5DGM.d.ts → auth-BXAJa4bS.d.ts} +12 -0
  16. package/dist/{auth-BubrmklB.d.cts → auth-JcgLy3mH.d.cts} +12 -0
  17. package/dist/client/plugins.d.cts +3 -3
  18. package/dist/client/plugins.d.ts +3 -3
  19. package/dist/client.d.cts +1 -1
  20. package/dist/client.d.ts +1 -1
  21. package/dist/cookies.d.cts +1 -1
  22. package/dist/cookies.d.ts +1 -1
  23. package/dist/db.d.cts +2 -2
  24. package/dist/db.d.ts +2 -2
  25. package/dist/{index-CwnHFdnT.d.cts → index-B3tboD6m.d.cts} +1 -1
  26. package/dist/{index-aMRluDla.d.ts → index-Bn2pZ0pb.d.ts} +1 -1
  27. package/dist/index.d.cts +2 -2
  28. package/dist/index.d.ts +2 -2
  29. package/dist/next-js.d.cts +1 -1
  30. package/dist/next-js.d.ts +1 -1
  31. package/dist/node.d.cts +1 -1
  32. package/dist/node.d.ts +1 -1
  33. package/dist/oauth2.d.cts +2 -2
  34. package/dist/oauth2.d.ts +2 -2
  35. package/dist/plugins.cjs +1 -1
  36. package/dist/plugins.d.cts +3 -3
  37. package/dist/plugins.d.ts +3 -3
  38. package/dist/plugins.js +1 -1
  39. package/dist/react.d.cts +1 -1
  40. package/dist/react.d.ts +1 -1
  41. package/dist/solid-start.d.cts +1 -1
  42. package/dist/solid-start.d.ts +1 -1
  43. package/dist/solid.d.cts +1 -1
  44. package/dist/solid.d.ts +1 -1
  45. package/dist/{state-CQJXHclh.d.cts → state-CMDbIivR.d.cts} +1 -1
  46. package/dist/{state-C_runTlH.d.ts → state-MOcw4xXw.d.ts} +1 -1
  47. package/dist/svelte-kit.d.cts +1 -1
  48. package/dist/svelte-kit.d.ts +1 -1
  49. package/dist/svelte.d.cts +1 -1
  50. package/dist/svelte.d.ts +1 -1
  51. package/dist/types.d.cts +2 -2
  52. package/dist/types.d.ts +2 -2
  53. package/dist/vue.d.cts +1 -1
  54. package/dist/vue.d.ts +1 -1
  55. package/package.json +1 -1
package/dist/plugins.js CHANGED
@@ -80,7 +80,7 @@ import{APIError as xi}from"better-call";import{z as De}from"zod";import{createEn
80
80
  </div>
81
81
  </body>
82
82
  </html>`,Yo=c("/error",{method:"GET",metadata:{...he,openapi:{description:"Displays an error page",responses:{200:{description:"Success",content:{"text/html":{schema:{type:"string"}}}}}}}},async e=>{let t=new URL(e.request?.url||"").searchParams.get("error")||"Unknown";return new Response(or(t),{headers:{"Content-Type":"text/html"}})});import{APIError as b}from"better-call";function po(e,t){let i=t.plugins?.reduce((s,d)=>({...s,...d.endpoints}),{}),o=t.plugins?.map(s=>s.middlewares?.map(d=>{let A=async K=>d.middleware({...K,context:{...e,...K.context}});return A.path=d.path,A.options=d.middleware.options,A.headers=d.middleware.headers,{path:d.path,middleware:A}})).filter(s=>s!==void 0).flat()||[],n={...{signInSocial:ei,callbackOAuth:ii,getSession:co(),signOut:ti,signUpEmail:Xo(),signInEmail:oi,forgetPassword:ri,resetPassword:si,verifyEmail:Wo,sendVerificationEmail:Go,changeEmail:Ki,changePassword:di,setPassword:Ai,updateUser:ai(),deleteUser:ci,forgetPasswordCallback:ni,listSessions:Ho(),revokeSession:Qo,revokeSessions:$o,revokeOtherSessions:Zo,linkSocialAccount:ui,listUserAccounts:pi},...i,ok:Jo,error:Yo},a={};for(let[s,d]of Object.entries(n))a[s]=async(A={})=>{d.headers=new Headers;let K={setHeader(f,g){d.headers.set(f,g)},setCookie(f,g,C){nr(d.headers,f,g,C)},getCookie(f,g){let T=A.headers?.get("cookie");return tr(T||"",f,g)},getSignedCookie(f,g,C){let T=A.headers;return T?rr(T,g,f,C):null},async setSignedCookie(f,g,C,T){await sr(d.headers,f,g,C,T)},redirect(f){return d.headers.set("Location",f),new Pe("FOUND")},responseHeader:d.headers},u=await e,p={...K,...A,path:d.path,context:{...u,...A.context,endpoint:d}};u.session=null;let l=t.plugins||[];for(let f of l){let g=f.hooks?.before??[];for(let C of g){if(!C.matcher(p))continue;let T=await C.handler(p);if(T&&"context"in T){p={...p,...T.context};continue}if(T)return T}}let h;try{h=await d(p)}catch(f){if(f instanceof Pe){let g=t.plugins?.map(C=>{if(C.hooks?.after)return C.hooks.after}).filter(C=>C!==void 0).flat();if(!g?.length)throw f.headers=d.headers,f;p.context.returned=f,p.context.returned.headers=d.headers;for(let C of g||[])if(C.matcher(p))try{let N=await C.handler(p);N&&"response"in N&&(p.context.returned=N.response)}catch(N){if(N instanceof Pe){p.context.returned=N;continue}throw N}if(p.context.returned instanceof Pe)throw p.context.returned.headers=d.headers,p.context.returned;return p.context.returned}throw f}p.context.returned=h,p.responseHeader=d.headers;for(let f of t.plugins||[])if(f.hooks?.after){for(let g of f.hooks.after)if(g.matcher(p))try{let T=await g.handler(p);T&&(p.context.returned=T)}catch(T){if(T instanceof Pe){p.context.returned=T;continue}throw T}}let k=p.context.returned;return k instanceof Response&&d.headers.forEach((f,g)=>{g==="set-cookie"?k.headers.append(g,f):k.headers.set(g,f)}),k},a[s].path=d.path,a[s].method=d.method,a[s].options=d.options,a[s].headers=d.headers;return{api:a,middlewares:o}}async function we(e,{userInfo:t,account:i,callbackURL:o}){let r=await e.context.internalAdapter.findUserByEmail(t.email.toLowerCase(),{includeAccounts:!0}).catch(s=>{throw $.error(`Better auth was unable to query your database.
83
- Error: `,s),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=r?.user;if(r){let s=r.accounts.find(d=>d.providerId===i.providerId);if(s)await e.context.internalAdapter.updateAccount(s.id,{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt});else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(i.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Io&&$.warn(`User already exist but account isn't linked to ${i.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:i.providerId,accountId:t.id.toString(),userId:r.user.id,accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope})}catch(K){return $.error("Unable to link account",K),{error:"unable to link account",data:null}}}}else try{let s=t.emailVerified||!1;if(n=await e.context.internalAdapter.createOAuthUser({...t,id:void 0,emailVerified:s,email:t.email.toLowerCase()},{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope,providerId:i.providerId,accountId:t.id.toString()}).then(d=>d?.user),!s&&n&&e.context.options.emailVerification?.sendOnSignUp){let d=await se(e.context.secret,n.email),A=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:A,token:d},e.request)}}catch(s){return $.error("Unable to create user",s),{error:"unable to create user",data:null}}if(!n)return{error:"unable to create user",data:null};let a=await e.context.internalAdapter.createSession(n.id,e.request);return a?{data:{session:a,user:n},error:null}:{error:"unable to create session",data:null}}var ei=c("/sign-in/social",{method:"POST",query:x.object({currentURL:x.string().optional()}).optional(),body:x.object({callbackURL:x.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:x.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:x.enum(Qe,{description:"OAuth2 provider to use"}),disableRedirect:x.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:x.optional(x.object({token:x.string({description:"ID token from the provider"}),nonce:x.string({description:"Nonce used to generate the token"}).optional(),accessToken:x.string({description:"Access token from the provider"}).optional(),refreshToken:x.string({description:"Refresh token from the provider"}).optional(),expiresAt:x.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new q("NOT_FOUND",{message:"Provider not found"});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new q("NOT_FOUND",{message:"Provider does not support id token verification"});let{token:n,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(n,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"Invalid id token"});let d=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!d||!d?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"Failed to get user info"});if(!d.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"User email not found"});let A=await we(e,{userInfo:{email:d.user.email,id:d.user.id,name:d.user.name||"",image:d.user.image,emailVerified:d.user.emailVerified||!1},account:{providerId:t.id,accountId:d.user.id,accessToken:e.body.idToken.accessToken}});if(A.error)throw new q("UNAUTHORIZED",{message:A.error});return await m(e,A.data),e.json({session:A.data.session,user:A.data.user,url:`${e.body.callbackURL||e.query?.currentURL||e.context.options.baseURL}`,redirect:!0})}let{codeVerifier:i,state:o}=await fe(e),r=await t.createAuthorizationURL({state:o,codeVerifier:i,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:r.toString(),redirect:!e.body.disableRedirect})}),oi=c("/sign-in/email",{method:"POST",body:x.object({email:x.string({description:"Email of the user"}),password:x.string({description:"Password of the user"}),callbackURL:x.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:x.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new q("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:i}=e.body;if(!x.string().email().safeParse(t).success)throw new q("BAD_REQUEST",{message:"Invalid email"});let r=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!r)throw await e.context.password.hash(i),e.context.logger.error("User not found",{email:t}),new q("UNAUTHORIZED",{message:"Invalid email or password"});let n=r.accounts.find(A=>A.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new q("UNAUTHORIZED",{message:"Invalid email or password"});let a=n?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new q("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(a,i))throw e.context.logger.error("Invalid password"),new q("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!r.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new q("UNAUTHORIZED",{message:"Email is not verified."});let A=await se(e.context.secret,r.user.email),K=`${e.context.baseURL}/verify-email?token=${A}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:r.user,url:K,token:A},e.request),e.context.logger.error("Email not verified",{email:t}),new q("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let d=await e.context.internalAdapter.createSession(r.user.id,e.headers,e.body.rememberMe===!1);if(!d)throw e.context.logger.error("Failed to create session"),new q("UNAUTHORIZED",{message:"Failed to create session"});return await m(e,{session:d,user:r.user},e.body.rememberMe===!1),e.json({user:r.user,session:d,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as Ee}from"zod";var Ze=Ee.object({code:Ee.string().optional(),error:Ee.string().optional(),errorMessage:Ee.string().optional(),state:Ee.string().optional()}),ii=c("/callback/:id",{method:["GET","POST"],body:Ze.optional(),query:Ze.optional(),metadata:he},async e=>{let t;try{if(e.method==="GET")t=Ze.parse(e.query);else if(e.method==="POST")t=Ze.parse(e.body);else throw new Error("Unsupported method")}catch(g){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",g),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:i,error:o,state:r}=t;if(!r)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!i)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let n=e.context.socialProviders.find(g=>g.id===e.params.id);if(!n)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:s,link:d,errorURL:A}=await He(e),K;try{K=await n.validateAuthorizationCode({code:i,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${n.id}`})}catch(g){throw e.context.logger.error("",g),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let u=await n.getUserInfo(K).then(g=>g?.user);function p(g){let C=A||s||`${e.context.baseURL}/error`;throw C.includes("?")?C=`${C}&error=${g}`:C=`${C}?error=${g}`,e.redirect(C)}if(!u)return e.context.logger.error("Unable to get user info"),p("unable_to_get_user_info");if(!u.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),p("email_not_found");if(!s)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(d){if(d.email!==u.email.toLowerCase())return p("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:d.userId,providerId:n.id,accountId:u.id}))return p("unable_to_link_account");let C;try{C=new URL(s).toString()}catch{C=s}throw e.redirect(C)}let l=await we(e,{userInfo:{id:u.id,email:u.email,name:u.name||"",image:u.image,emailVerified:u.emailVerified||!1},account:{providerId:n.id,accountId:u.id,...K,scope:K.scopes?.join(",")},callbackURL:s});if(l.error)return e.context.logger.error(l.error.split(" ").join("_")),p(l.error.split(" ").join("_"));let{session:h,user:k}=l.data;await m(e,{session:h,user:k});let f;try{f=new URL(s).toString()}catch{f=s}throw e.redirect(f)});import"zod";import{APIError as ar}from"better-call";var ti=c("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw V(e),new ar("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),V(e),e.json({success:!0})});import{z as X}from"zod";import{APIError as uo}from"better-call";function li(e,t,i){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}function dr(e,t,i){let o=new URL(t,e.baseURL);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}var ri=c("/forget-password",{method:"POST",body:X.object({email:X.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:X.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new uo("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:i}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let r=60*60*1,n=I(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||r,"sec"),a=L(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:n});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${i}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:s,token:a},e.request),e.json({status:!0})}),ni=c("/reset-password/:token",{method:"GET",query:X.object({callbackURL:X.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:i}=e.query;if(!t||!i)throw e.redirect(li(e.context,i,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(li(e.context,i,{error:"INVALID_TOKEN"})):e.redirect(dr(e.context,i,{token:t}))}),si=c("/reset-password",{query:X.optional(X.object({token:X.string().optional(),currentURL:X.string().optional()})),method:"POST",body:X.object({newPassword:X.string({description:"The new password to set"}),token:X.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new uo("BAD_REQUEST",{message:"Token not found"});let{newPassword:i}=e.body,o=`reset-password:${t}`,r=await e.context.internalAdapter.findVerificationValue(o);if(!r||r.expiresAt<new Date)throw new uo("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(r.id);let n=r.value,a=await e.context.password.hash(i);return(await e.context.internalAdapter.findAccounts(n)).find(A=>A.providerId==="credential")?(await e.context.internalAdapter.updatePassword(n,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:n,providerId:"credential",password:a,accountId:n}),e.json({status:!0}))});import{z as _}from"zod";import{APIError as Z}from"better-call";var ai=()=>c("/update-user",{method:"POST",body:_.record(_.string(),_.any()),use:[v],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new Z("BAD_REQUEST",{message:"You can't update email"});let{name:i,image:o,...r}=t,n=e.context.session;if(!o&&!i&&Object.keys(r).length===0)return e.json({user:n.user});let a=$e(e.context.options,r,"update"),s=await e.context.internalAdapter.updateUserByEmail(n.user.email,{name:i,image:o,...a});return await m(e,{session:n.session,user:s}),e.json({user:s})}),di=c("/change-password",{method:"POST",body:_.object({newPassword:_.string({description:"The new password to set"}),currentPassword:_.string({description:"The current password"}),revokeOtherSessions:_.boolean({description:"Revoke all other sessions"}).optional()}),use:[v],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:i,revokeOtherSessions:o}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new Z("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new Z("BAD_REQUEST",{message:"Password too long"});let d=(await e.context.internalAdapter.findAccounts(r.user.id)).find(u=>u.providerId==="credential"&&u.password);if(!d||!d.password)throw new Z("BAD_REQUEST",{message:"User does not have a password"});let A=await e.context.password.hash(t);if(!await e.context.password.verify(d.password,i))throw new Z("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(d.id,{password:A}),o){await e.context.internalAdapter.deleteSessions(r.user.id);let u=await e.context.internalAdapter.createSession(r.user.id,e.headers);if(!u)throw new Z("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await m(e,{session:u,user:r.user})}return e.json(r.user)}),Ai=c("/set-password",{method:"POST",body:_.object({newPassword:_.string()}),metadata:{SERVER_ONLY:!0},use:[v]},async e=>{let{newPassword:t}=e.body,i=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new Z("BAD_REQUEST",{message:"Password is too short"});let r=e.context.password.config.maxPasswordLength;if(t.length>r)throw e.context.logger.error("Password is too long"),new Z("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(d=>d.providerId==="credential"&&d.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:i.user.id,providerId:"credential",accountId:i.user.id,password:s}),e.json(i.user);throw new Z("BAD_REQUEST",{message:"user already has a password"})}),ci=c("/delete-user",{method:"POST",body:_.object({password:_.string({description:"The password of the user"})}),use:[Re],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{let t=e.context.session;return await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),V(e),e.json(null)}),Ki=c("/change-email",{method:"POST",query:_.object({currentURL:_.string().optional()}).optional(),body:_.object({newEmail:_.string({description:"The new email to set"}).email(),callbackURL:_.string({description:"The URL to redirect to after email verification"}).optional()}),use:[v],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new Z("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new Z("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new Z("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let r=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:r,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new Z("BAD_REQUEST",{message:"Verification email isn't enabled"});let i=await se(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${i}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:i},e.request),e.json({user:null,status:!0})});import{z as Se}from"zod";import{APIError as gi}from"better-call";var pi=c("/list-accounts",{method:"GET",use:[v],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let t=e.context.session,i=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(i.map(o=>({id:o.id,provider:o.providerId})))}),ui=c("/link-social",{method:"POST",requireHeaders:!0,query:Se.object({currentURL:Se.string().optional()}).optional(),body:Se.object({callbackURL:Se.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:Se.enum(Qe,{description:"The OAuth2 provider to use"})}),use:[v],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new gi("BAD_REQUEST",{message:"Social Account is already linked."});let r=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!r)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new gi("NOT_FOUND",{message:"Provider not found"});let n=await fe(e,{userId:t.user.id,email:t.user.email}),a=await r.createAuthorizationURL({state:n.state,codeVerifier:n.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${r.id}`});return e.json({url:a.toString(),redirect:!0})});var mi=(e,t)=>{let i={};for(let[o,r]of Object.entries(e))i[o]=n=>r({...n,context:{...t,...n.context}}),i[o].path=r.path,i[o].method=r.method,i[o].options=r.options,i[o].headers=r.headers;return i};function Ge(e){let t=e;return{newRole(i){return Ar(i)}}}function Ar(e){return{statements:e,authorize(t,i){for(let[o,r]of Object.entries(t)){let n=e[o];return n?(i==="OR"?r.some(s=>n.includes(s)):r.every(s=>n.includes(s)))?{success:!0}:{success:!1,error:`Unauthorized to access resource "${o}"`}:{success:!1,error:`You are not allowed to access resource: ${o}`}}return{success:!1,error:"Not authorized"}}}}var cr={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},lo=Ge(cr),Kr=lo.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),pr=lo.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),ur=lo.newRole({organization:[],member:[],invitation:[]}),fi={admin:Kr,owner:pr,member:ur};var j=(e,t)=>{let i=e.adapter;return{findOrganizationBySlug:async o=>await i.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let r=await i.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),n=await i.create({model:"member",data:{organizationId:r.id,userId:o.user.id,createdAt:new Date,role:t?.creatorRole||"owner"}});return{...r,metadata:r.metadata?JSON.parse(r.metadata):void 0,members:[{...n,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let r=await i.findOne({model:"user",where:[{field:"email",value:o.email}]});if(!r)return null;let n=await i.findOne({model:"member",where:[{field:"organizationId",value:o.organizationId},{field:"userId",value:r.id}]});return n?{...n,user:{id:r.id,name:r.name,email:r.email,image:r.image}}:null},findMemberByOrgId:async o=>{let[r,n]=await Promise.all([await i.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await i.findOne({model:"user",where:[{field:"id",value:o.userId}]})]);return!n||!r?null:{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}},findMemberById:async o=>{let r=await i.findOne({model:"member",where:[{field:"id",value:o}]});if(!r)return null;let n=await i.findOne({model:"user",where:[{field:"id",value:r.userId}]});return n?{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}:null},createMember:async o=>await i.create({model:"member",data:o}),updateMember:async(o,r)=>await i.update({model:"member",where:[{field:"id",value:o}],update:{role:r}}),deleteMember:async o=>await i.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,r)=>await i.update({model:"organization",where:[{field:"id",value:o}],update:r}),deleteOrganization:async o=>(await i.delete({model:"member",where:[{field:"organizationId",value:o}]}),await i.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await i.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,r)=>await e.internalAdapter.updateSession(o,{activeOrganizationId:r}),findOrganizationById:async o=>await i.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async o=>{let[r,n,a]=await Promise.all([i.findOne({model:"organization",where:[{field:"id",value:o}]}),i.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),i.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!r)return null;let s=a.map(u=>u.userId),d=await i.findMany({model:"user",where:[{field:"id",value:s,operator:"in"}]}),A=new Map(d.map(u=>[u.id,u])),K=a.map(u=>{let p=A.get(u.userId);if(!p)throw new W("Unexpected error: User not found for member");return{...u,user:{id:p.id,name:p.name,email:p.email,image:p.image}}});return{...r,invitations:n,members:K}},listOrganizations:async o=>{let r=await i.findMany({model:"member",where:[{field:"userId",value:o}]});if(!r||r.length===0)return[];let n=r.map(s=>s.organizationId);return await i.findMany({model:"organization",where:[{field:"id",value:n,operator:"in"}]})},createInvitation:async({invitation:o,user:r})=>{let a=I(t?.invitationExpiresIn||1728e5);return await i.create({model:"invitation",data:{email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:r.id}})},findInvitationById:async o=>await i.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await i.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(n=>new Date(n.expiresAt)>new Date),updateInvitation:async o=>await i.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};import"better-call";var z=U(async e=>({})),F=U({use:[v]},async e=>({session:e.context.session}));import{z as G}from"zod";import{z as E}from"zod";var hi=E.string(),lr=E.enum(["pending","accepted","rejected","canceled"]).default("pending"),tc=E.object({id:E.string().default(L),name:E.string(),slug:E.string(),logo:E.string().nullish(),metadata:E.record(E.string()).or(E.string().transform(e=>JSON.parse(e))).nullish(),createdAt:E.date()}),rc=E.object({id:E.string().default(L),organizationId:E.string(),userId:E.string(),role:hi,createdAt:E.date()}),nc=E.object({id:E.string().default(L),organizationId:E.string(),email:E.string(),role:hi,status:lr,inviterId:E.string(),expiresAt:E.date()});import{APIError as B}from"better-call";var yi=e=>c("/organization/invite-member",{method:"POST",use:[z,F],body:G.object({email:G.string({description:"The email address of the user to invite"}),role:G.string({description:"The role to assign to the user"}),organizationId:G.string({description:"The organization ID to invite the user to"}).optional(),resend:G.boolean({description:"Resend the invitation email, if the user is already invited"}).optional()}),metadata:{openapi:{description:"Invite a user to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt"]}}}}}}}},async t=>{if(!t.context.orgOptions.sendInvitationEmail)throw t.context.logger.warn("Invitation email is not enabled. Pass `sendInvitationEmail` to the plugin options to enable it."),new B("BAD_REQUEST",{message:"Invitation email is not enabled"});let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)throw new B("BAD_REQUEST",{message:"Organization not found"});let r=j(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)throw new B("BAD_REQUEST",{message:"Member not found!"});let a=t.context.roles[n.role];if(!a)throw new B("BAD_REQUEST",{message:"Role not found!"});if(a.authorize({invitation:["create"]}).error)throw new B("FORBIDDEN",{message:"You are not allowed to invite members"});if(await r.findMemberByEmail({email:t.body.email,organizationId:o}))throw new B("BAD_REQUEST",{message:"User is already a member of this organization"});if((await r.findPendingInvitation({email:t.body.email,organizationId:o})).length&&!t.body.resend)throw new B("BAD_REQUEST",{message:"User is already invited to this organization"});let K=await r.createInvitation({invitation:{role:t.body.role,email:t.body.email,organizationId:o},user:i.user}),u=await r.findOrganizationById(o);if(!u)throw new B("BAD_REQUEST",{message:"Organization not found"});return await t.context.orgOptions.sendInvitationEmail?.({id:K.id,role:K.role,email:K.email,organization:u,inviter:{...n,user:i.user}},t.request),t.json(K)}),wi=c("/organization/accept-invitation",{method:"POST",body:G.object({invitationId:G.string({description:"The ID of the invitation to accept"})}),use:[z,F],metadata:{openapi:{description:"Accept an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"object"}}}}}}}}}},async e=>{let t=e.context.session,i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),n=await i.createMember({organizationId:o.organizationId,userId:t.user.id,role:o.role,createdAt:new Date});return await i.setActiveOrganization(t.session.token,o.organizationId),r?e.json({invitation:r,member:n}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),Ci=c("/organization/reject-invitation",{method:"POST",body:G.object({invitationId:G.string({description:"The ID of the invitation to reject"})}),use:[z,F],metadata:{openapi:{description:"Reject an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"null"}}}}}}}}}},async e=>{let t=e.context.session,i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:r,member:null})}),bi=c("/organization/cancel-invitation",{method:"POST",body:G.object({invitationId:G.string({description:"The ID of the invitation to cancel"})}),use:[z,F],openapi:{description:"Cancel an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"}}}}}}}}},async e=>{let t=e.context.session,i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o)throw new B("BAD_REQUEST",{message:"Invitation not found!"});let r=await i.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!r)throw new B("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[r.role].authorize({invitation:["cancel"]}).error)throw new B("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await i.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),vi=c("/organization/get-invitation",{method:"GET",use:[z],requireHeaders:!0,query:G.object({id:G.string({description:"The ID of the invitation to get"})}),metadata:{openapi:{description:"Get an invitation by ID",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"},organizationName:{type:"string"},organizationSlug:{type:"string"},inviterEmail:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt","organizationName","organizationSlug","inviterEmail"]}}}}}}}},async e=>{let t=await R(e);if(!t)throw new B("UNAUTHORIZED",{message:"Not authenticated"});let i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.findOrganizationById(o.organizationId);if(!r)throw new B("BAD_REQUEST",{message:"Organization not found"});let n=await i.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!n)throw new B("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:r.name,organizationSlug:r.slug,inviterEmail:n.user.email})});import{z as oe}from"zod";import{APIError as ue}from"better-call";var ki=()=>c("/organization/add-member",{method:"POST",body:oe.object({userId:oe.string(),role:oe.string(),organizationId:oe.string().optional()}),use:[z],metadata:{SERVER_ONLY:!0}},async e=>{let t=e.body.userId?await R(e).catch(s=>null):null,i=e.body.organizationId||t?.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=j(e.context,e.context.orgOptions),r=await e.context.internalAdapter.findUserById(e.body.userId);if(!r)throw new ue("BAD_REQUEST",{message:"User not found!"});if(await o.findMemberByEmail({email:r.email,organizationId:i}))throw new ue("BAD_REQUEST",{message:"User is already a member of this organization"});let a=await o.createMember({id:L(),organizationId:i,userId:r.id,role:e.body.role,createdAt:new Date});return e.json(a)}),Ti=c("/organization/remove-member",{method:"POST",body:oe.object({memberIdOrEmail:oe.string({description:"The ID or email of the member to remove"}),organizationId:oe.string({description:"The ID of the organization to remove the member from. If not provided, the active organization will be used"}).optional()}),use:[z,F],metadata:{openapi:{description:"Remove a member from an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async e=>{let t=e.context.session,i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=j(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)throw new ue("BAD_REQUEST",{message:"Member not found!"});let n=e.context.roles[r.role];if(!n)throw new ue("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||r.id===e.body.memberIdOrEmail;if(a&&r.role===(e.context.orgOptions?.creatorRole||"owner"))throw new ue("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||n.authorize({member:["delete"]}).success))throw new ue("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let A=null;if(e.body.memberIdOrEmail.includes("@")?A=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:i}):A=await o.findMemberById(e.body.memberIdOrEmail),A?.organizationId!==i)throw new ue("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(A.id),t.user.id===A.userId&&t.session.activeOrganizationId===A.organizationId&&await o.setActiveOrganization(t.session.token,null),e.json({member:A})}),Oi=e=>c("/organization/update-member-role",{method:"POST",body:oe.object({role:oe.string(),memberId:oe.string(),organizationId:oe.string().optional()}),use:[z,F],metadata:{openapi:{description:"Update the role of a member in an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async t=>{let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)return t.json(null,{status:400,body:{message:"No active organization found!"}});let r=j(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)return t.json(null,{status:400,body:{message:"Member not found!"}});let a=t.context.roles[n.role];if(!a)return t.json(null,{status:400,body:{message:"Role not found!"}});if(a.authorize({member:["update"]}).error||t.body.role==="owner"&&n.role!=="owner")return t.json(null,{body:{message:"You are not allowed to update this member"},status:403});let d=await r.updateMember(t.body.memberId,t.body.role);return d?t.json(d):t.json(null,{status:400,body:{message:"Member not found!"}})}),Ii=c("/organization/get-active-member",{method:"GET",use:[z,F],metadata:{openapi:{description:"Get the active member in the organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}}}}}}}},async e=>{let t=e.context.session,i=t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let r=await j(e.context,e.context.orgOptions).findMemberByOrgId({userId:t.user.id,organizationId:i});return r?e.json(r):e.json(null,{status:400,body:{message:"Member not found!"}})});import{z as S}from"zod";import{APIError as le}from"better-call";var Ri=c("/organization/create",{method:"POST",body:S.object({name:S.string({description:"The name of the organization"}),slug:S.string({description:"The slug of the organization"}),userId:S.string({description:"The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server."}).optional(),logo:S.string({description:"The logo of the organization"}).optional(),metadata:S.record(S.string(),S.any(),{description:"The metadata of the organization"}).optional()}),use:[z,F],metadata:{openapi:{description:"Create an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization that was created",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let i=e.context.orgOptions;if(!(typeof i?.allowUserToCreateOrganization=="function"?await i.allowUserToCreateOrganization(t):i?.allowUserToCreateOrganization===void 0?!0:i.allowUserToCreateOrganization))throw new le("FORBIDDEN",{message:"You are not allowed to create an organization"});let r=j(e.context,i),n=await r.listOrganizations(t.id);if(typeof i.organizationLimit=="number"?n.length>=i.organizationLimit:typeof i.organizationLimit=="function"?await i.organizationLimit(t):!1)throw new le("FORBIDDEN",{message:"You have reached the organization limit"});if(await r.findOrganizationBySlug(e.body.slug))throw new le("BAD_REQUEST",{message:"Organization with this slug already exists"});let d=await r.createOrganization({organization:{id:L(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return await r.setActiveOrganization(e.context.session.session.token,d.id),e.json(d)}),Ui=c("/organization/update",{method:"POST",body:S.object({data:S.object({name:S.string({description:"The name of the organization"}).optional(),slug:S.string({description:"The slug of the organization"}).optional(),logo:S.string({description:"The logo of the organization"}).optional()}).partial(),organizationId:S.string().optional()}),requireHeaders:!0,use:[z],metadata:{openapi:{description:"Update an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The updated organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)throw new le("UNAUTHORIZED",{message:"User not found"});let i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=j(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(i,e.body.data);return e.json(s)}),Pi=c("/organization/delete",{method:"POST",body:S.object({organizationId:S.string({description:"The organization id to delete"})}),requireHeaders:!0,use:[z],metadata:{openapi:{description:"Delete an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string",description:"The organization id that was deleted"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let i=e.body.organizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=j(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["delete"]}).error)throw new le("FORBIDDEN",{message:"You are not allowed to delete this organization"});return i===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.token,null),await o.deleteOrganization(i),e.json(i)}),Ei=c("/organization/get-full-organization",{method:"GET",query:S.optional(S.object({organizationId:S.string({description:"The organization id to get"}).optional()})),requireHeaders:!0,use:[z,F],metadata:{openapi:{description:"Get the full organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session,i=e.query?.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:200});let r=await j(e.context,e.context.orgOptions).findFullOrganization(i);if(!r)throw new le("BAD_REQUEST",{message:"Organization not found"});return e.json(r)}),Si=c("/organization/set-active",{method:"POST",body:S.object({organizationId:S.string({description:"The organization id to set as active. Can be null to unset the active organization"}).nullable().optional()}),use:[F,z],metadata:{openapi:{description:"Set the active organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=j(e.context,e.context.orgOptions),i=e.context.session,o=e.body.organizationId;if(o===null){if(!i.session.activeOrganizationId)return e.json(null);let d=await t.setActiveOrganization(i.session.token,null);return await m(e,{session:d,user:i.user}),e.json(null)}if(!o){let s=i.session.activeOrganizationId;if(!s)return e.json(null);o=s}if(!await t.findMemberByOrgId({userId:i.user.id,organizationId:o}))throw await t.setActiveOrganization(i.session.token,null),new le("FORBIDDEN",{message:"You are not a member of this organization"});let n=await t.setActiveOrganization(i.session.token,o);await m(e,{session:n,user:i.user});let a=await t.findFullOrganization(o);return e.json(a)}),Di=c("/organization/list",{method:"GET",use:[z,F],metadata:{openapi:{description:"List all organizations",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{$ref:"#/components/schemas/Organization"}}}}}}}}},async e=>{let i=await j(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(i)});var gr=Ge({name:["action"]}),Vc=gr.newRole({name:["action"]}),qc=e=>{let t={createOrganization:Ri,updateOrganization:Ui,deleteOrganization:Pi,setActiveOrganization:Si,getFullOrganization:Ei,listOrganizations:Di,createInvitation:yi(e),cancelInvitation:bi,acceptInvitation:wi,getInvitation:vi,rejectInvitation:Ci,addMember:ki(),removeMember:Ti,updateMemberRole:Oi(e),getActiveMember:Ii},i={...fi,...e?.roles};return{id:"organization",endpoints:{...mi(t,{orgOptions:e||{},roles:i,getSession:async r=>await R(r)}),hasPermission:c("/organization/has-permission",{method:"POST",requireHeaders:!0,body:De.object({permission:De.record(De.string(),De.array(De.string()))}),use:[F],metadata:{openapi:{description:"Check if the user has permission",requestBody:{content:{"application/json":{schema:{type:"object",properties:{permission:{type:"object",description:"The permission to check"}},required:["permission"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{error:{type:"string"},success:{type:"boolean"}},required:["success"]}}}}}}}},async r=>{if(!r.context.session.session.activeOrganizationId)throw new xi("BAD_REQUEST",{message:"No active organization"});let a=await j(r.context).findMemberByOrgId({userId:r.context.session.user.id,organizationId:r.context.session.session.activeOrganizationId||""});if(!a)throw new xi("UNAUTHORIZED",{message:"You are not a member of this organization"});let d=i[a.role].authorize(r.body.permission);return d.error?r.json({error:d.error,success:!1},{status:403}):r.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1,fieldName:e?.schema?.session?.fields?.activeOrganizationId}}},organization:{modelName:e?.schema?.organization?.modelName,fields:{name:{type:"string",required:!0,fieldName:e?.schema?.organization?.fields?.name},slug:{type:"string",unique:!0,fieldName:e?.schema?.organization?.fields?.slug},logo:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.logo},createdAt:{type:"date",required:!0,fieldName:e?.schema?.organization?.fields?.createdAt},metadata:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.metadata}}},member:{modelName:e?.schema?.member?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.member?.fields?.organizationId},userId:{type:"string",required:!0,fieldName:e?.schema?.member?.fields?.userId,references:{model:"user",field:"id"}},role:{type:"string",required:!0,defaultValue:"member",fieldName:e?.schema?.member?.fields?.role},createdAt:{type:"date",required:!0,fieldName:e?.schema?.member?.fields?.createdAt}}},invitation:{modelName:e?.schema?.invitation?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.invitation?.fields?.organizationId},email:{type:"string",required:!0,fieldName:e?.schema?.invitation?.fields?.email},role:{type:"string",required:!1,fieldName:e?.schema?.invitation?.fields?.role},status:{type:"string",required:!0,defaultValue:"pending",fieldName:e?.schema?.invitation?.fields?.status},expiresAt:{type:"date",required:!0,fieldName:e?.schema?.invitation?.fields?.expiresAt},inviterId:{type:"string",references:{model:"user",field:"id"},fieldName:e?.schema?.invitation?.fields?.inviterId,required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};import ji from"uncrypto";function mr(e){return e.toString(2).padStart(8,"0")}function fr(e){return[...e].map(t=>mr(t)).join("")}function Bi(e){return parseInt(fr(e),2)}function hr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,i=t%8,o=new Uint8Array(Math.ceil(t/8));ji.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1);let r=Bi(o);for(;r>=e;)ji.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1),r=Bi(o);return r}function M(e,t){let i="";for(let o=0;o<e;o++)i+=t[hr(t.length)];return i}function H(...e){let t=new Set(e),i="";for(let o of t)o==="a-z"?i+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?i+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?i+="0123456789":i+=o;return i}import{z as eo}from"zod";import{xchacha20poly1305 as Ni}from"@noble/ciphers/chacha";import{bytesToHex as yr,hexToBytes as wr,utf8ToBytes as Cr}from"@noble/ciphers/utils";import{managedNonce as Li}from"@noble/ciphers/webcrypto";import{sha256 as _i}from"oslo/crypto";import zi from"uncrypto";import{decodeHex as Wc,encodeHex as Jc}from"oslo/encoding";import{scryptAsync as eK}from"@noble/hashes/scrypt";import{getRandomValues as iK}from"uncrypto";async function xe(e,t){let i=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},r=await zi.subtle.importKey("raw",i.encode(e),o,!1,["sign","verify"]),n=await zi.subtle.sign(o.name,r,i.encode(t));return btoa(String.fromCharCode(...new Uint8Array(n)))}var de=async({key:e,data:t})=>{let i=await _i(new TextEncoder().encode(e)),o=Cr(t),r=Li(Ni)(new Uint8Array(i));return yr(r.encrypt(o))},pe=async({key:e,data:t})=>{let i=await _i(new TextEncoder().encode(e)),o=wr(t),r=Li(Ni)(new Uint8Array(i));return new TextDecoder().decode(r.decrypt(o))};import{z as Ae}from"zod";import{APIError as je}from"better-call";var We="two_factor";var Je="trust_device";import{z as Fi}from"zod";var ge=U({body:Fi.object({trustDevice:Fi.boolean().optional()})},async e=>{let t=await R(e);if(!t){let i=e.context.createAuthCookie(We),o=await e.getSignedCookie(i.name,e.context.secret);if(!o)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let r=await e.context.internalAdapter.findUserById(o);if(!r)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let n=await e.context.internalAdapter.createSession(o,e.request);if(!n)throw new je("INTERNAL_SERVER_ERROR",{message:"failed to create session"});return{valid:async()=>{if(await m(e,{session:n,user:r}),e.body.trustDevice){let a=e.context.createAuthCookie(Je,{maxAge:2592e3}),s=await xe(e.context.secret,`${r.id}!${n.token}`);await e.setSignedCookie(a.name,`${s}!${n.token}`,e.context.secret,a.attributes)}return e.json({session:n,user:r})},invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:n.token,userId:n.userId,expiresAt:n.expiresAt,user:r}}}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});import{APIError as Be}from"better-call";function br(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>M(e?.length??10,H("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function go(e,t){let i=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():br(),r=await de({data:JSON.stringify(o),key:i});return{backupCodes:o,encryptedBackupCodes:r}}async function vr(e,t){let i=await Vi(e.backupCodes,t);return i?{status:i.includes(e.code),updated:i.filter(o=>o!==e.code)}:{status:!1,updated:null}}async function Vi(e,t){let i=Buffer.from(await pe({key:t,data:e})).toString("utf-8"),o=JSON.parse(i),r=Ae.array(Ae.string()).safeParse(o);return r.success?r.data:null}var qi=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:c("/two-factor/verify-backup-code",{method:"POST",body:Ae.object({code:Ae.string(),disableSession:Ae.boolean().optional()}),use:[ge]},async i=>{let o=i.context.session.user,r=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!r)throw new Be("BAD_REQUEST",{message:"Backup codes aren't enabled"});let n=await vr({backupCodes:r.backupCodes,code:i.body.code},i.context.secret);if(!n.status)throw new Be("UNAUTHORIZED",{message:"Invalid backup code"});let a=await de({key:i.context.secret,data:JSON.stringify(n.updated)});return await i.context.adapter.update({model:t,update:{backupCodes:a},where:[{field:"userId",value:o.id}]}),i.body.disableSession||await m(i,{session:i.context.session.session,user:o}),i.json({user:o,session:i.context.session})}),generateBackupCodes:c("/two-factor/generate-backup-codes",{method:"POST",body:Ae.object({password:Ae.string()}),use:[v]},async i=>{let o=i.context.session.user;if(!o.twoFactorEnabled)throw new Be("BAD_REQUEST",{message:"Two factor isn't enabled"});await i.context.password.checkPassword(o.id,i);let r=await go(i.context.secret,e);return await i.context.adapter.update({model:t,update:{backupCodes:r.encryptedBackupCodes},where:[{field:"userId",value:i.context.session.user.id}]}),i.json({status:!0,backupCodes:r.backupCodes})}),viewBackupCodes:c("/two-factor/view-backup-codes",{method:"GET",body:Ae.object({userId:Ae.string()}),metadata:{SERVER_ONLY:!0}},async i=>{let o=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:i.body.userId}]});if(!o)throw new Be("BAD_REQUEST",{message:"Backup codes aren't enabled"});let r=await Vi(o.backupCodes,i.context.secret);if(!r)throw new Be("BAD_REQUEST",{message:"Backup codes aren't enabled"});return i.json({status:!0,backupCodes:r})})}});import{APIError as Xe}from"better-call";import{TOTPController as kr}from"oslo/otp";import{z as Mi}from"zod";import{TimeSpan as Tr}from"oslo";var Hi=(e,t)=>{let i={...e,period:new Tr(e?.period||3,"m")},o=new kr({digits:6,period:i.period}),r=c("/two-factor/send-otp",{method:"POST",use:[ge],metadata:{openapi:{summary:"Send two factor OTP",description:"Send two factor OTP to the user",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new Xe("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Xe("BAD_REQUEST",{message:"OTP isn't enabled"});let A=await o.generate(Buffer.from(d.secret));return await e.sendOTP({user:s,otp:A},a.request),a.json({status:!0})}),n=c("/two-factor/verify-otp",{method:"POST",body:Mi.object({code:Mi.string({description:"The otp code to verify"})}),use:[ge],metadata:{openapi:{summary:"Verify two factor OTP",description:"Verify two factor OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new Xe("BAD_REQUEST",{message:"two factor isn't enabled"});let d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Xe("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(d.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{sendTwoFactorOTP:r,verifyTwoFactorOTP:n}}};import{APIError as Ce}from"better-call";import{TimeSpan as Or}from"oslo";import{TOTPController as Qi,createTOTPKeyURI as Ir}from"oslo/otp";import{z as Ye}from"zod";var $i=(e,t)=>{let i={...e,digits:6,period:new Or(e?.period||30,"s")},o=c("/totp/generate",{method:"POST",use:[v],metadata:{openapi:{summary:"Generate TOTP code",description:"Use this endpoint to generate a TOTP code",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{code:{type:"string"}}}}}}}}}},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Qi(i).generate(Buffer.from(d.secret))}}),r=c("/two-factor/get-totp-uri",{method:"POST",use:[v],body:Ye.object({password:Ye.string({description:"User password"})}),metadata:{openapi:{summary:"Get TOTP URI",description:"Use this endpoint to get the TOTP URI",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string"}}}}}}}}}},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d||!s.twoFactorEnabled)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:Ir(e.issuer||a.context.appName,s.email,Buffer.from(d.secret),i)}}),n=c("/two-factor/verify-totp",{method:"POST",body:Ye.object({code:Ye.string({description:"The otp code to verify"})}),use:[ge],metadata:{openapi:{summary:"Verify two factor TOTP",description:"Verify two factor TOTP",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});let A=new Qi(i),K=await pe({key:a.context.secret,data:d.secret}),u=Buffer.from(K);if(!await A.verify(a.body.code,u))return a.context.invalid();if(!s.twoFactorEnabled){let l=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),h=await a.context.internalAdapter.createSession(s.id,a.request,!1,a.context.session.session).catch(k=>{throw console.log(k),k});await a.context.internalAdapter.deleteSession(a.context.session.session.token),await m(a,{session:h,user:l})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,getTOTPURI:r,verifyTOTP:n}}};import{APIError as WK}from"better-call";async function mo(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),r=o?.password;return!o||!r?!1:await e.context.password.verify(r,t.password)}import{APIError as Gi}from"better-call";import{createTOTPKeyURI as Ur}from"oslo/otp";import{TimeSpan as Pr}from"oslo";import{APIError as Rr}from"better-call";var be=async e=>{let t=e.context.returned;return t?t instanceof Response?t.status!==200?null:await t.clone().json():t instanceof Rr?null:t:null};var Zi={user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}};var op=e=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&e?.onTwoFactorRedirect&&await e.onTwoFactorRedirect()}}}]});var wp=e=>{let t={twoFactorTable:"twoFactor"},i=$i({issuer:e?.issuer,...e?.totpOptions},t.twoFactorTable),o=qi({...e?.backupCodeOptions},t.twoFactorTable),r=Hi({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...i.endpoints,...r.endpoints,...o.endpoints,enableTwoFactor:c("/two-factor/enable",{method:"POST",body:eo.object({password:eo.string({description:"User password"}).min(8)}),use:[v],metadata:{openapi:{summary:"Enable two factor authentication",description:"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string",description:"TOTP URI"},backupCodes:{type:"array",items:{type:"string"},description:"Backup codes"}}}}}}}}}},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await mo(n,{password:s,userId:a.id}))throw new Gi("BAD_REQUEST",{message:"Invalid password"});let A=M(16,H("a-z","0-9","-")),K=await de({key:n.context.secret,data:A}),u=await go(n.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let l=await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),h=await n.context.internalAdapter.createSession(l.id,n.request,!1,n.context.session.session);await m(n,{session:h,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token)}await n.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await n.context.adapter.create({model:t.twoFactorTable,data:{secret:K,backupCodes:u.encryptedBackupCodes,userId:a.id}});let p=Ur(e?.issuer||"BetterAuth",a.email,Buffer.from(A),{digits:e?.totpOptions?.digits||6,period:new Pr(e?.totpOptions?.period||30,"s")});return n.json({totpURI:p,backupCodes:u.backupCodes})}),disableTwoFactor:c("/two-factor/disable",{method:"POST",body:eo.object({password:eo.string({description:"User password"}).min(8)}),use:[v],metadata:{openapi:{summary:"Disable two factor authentication",description:"Use this endpoint to disable two factor authentication.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await mo(n,{password:s,userId:a.id}))throw new Gi("BAD_REQUEST",{message:"Invalid password"});await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await n.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]});let A=await n.context.internalAdapter.createSession(a.id,n.request,!1,n.context.session.session);return await m(n,{session:A,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token),n.json({status:!0})})},options:e,hooks:{after:[{matcher(n){return n.path==="/sign-in/email"||n.path==="/sign-in/username"},handler:U(async n=>{let a=await be(n);if(!a||!a.user.twoFactorEnabled)return;let s=n.context.createAuthCookie(Je),d=await n.getSignedCookie(s.name,n.context.secret);if(d){let[K,u]=d.split("!"),p=await xe(n.context.secret,`${a.user.id}!${u}`);if(K===p){let l=await xe(n.context.secret,`${a.user.id}!${a.session.token}`);await n.setSignedCookie(s.name,`${l}!${a.session.token}`,n.context.secret,s.attributes);return}}V(n),await n.context.internalAdapter.deleteSession(a.session.token);let A=n.context.createAuthCookie(We,{maxAge:60*10});return await n.setSignedCookie(A.name,a.user.id,n.context.secret,A.attributes),n.json({twoFactorRedirect:!0})})}]},schema:J(Zi,e?.schema),rateLimit:[{pathMatcher(n){return n.startsWith("/two-factor/")},window:10,max:3}]}};import{generateAuthenticationOptions as Nr,generateRegistrationOptions as Lr,verifyAuthenticationResponse as _r,verifyRegistrationResponse as Fr}from"@simplewebauthn/server";import{APIError as ie}from"better-call";import{z as ce}from"zod";import{WebAuthnError as Dr,startAuthentication as xr,startRegistration as jr}from"@simplewebauthn/browser";import{createFetch as Np}from"@better-fetch/fetch";import"nanostores";import"@better-fetch/fetch";import{atom as Pp}from"nanostores";import"@better-fetch/fetch";import{atom as Er,onMount as Sr}from"nanostores";var fo=(e,t,i,o)=>{let r=Er({data:null,error:null,isPending:!0,isRefetching:!1}),n=()=>{let s=typeof o=="function"?o({data:r.get().data,error:r.get().error,isPending:r.get().isPending}):o;return i(t,{...s,async onSuccess(d){r.set({data:d.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(d)},async onError(d){r.set({error:d.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(d)},async onRequest(d){let A=r.get();r.set({isPending:A.data===null,data:A.data,error:null,isRefetching:!0}),await s?.onRequest?.(d)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?n():Sr(r,()=>(n(),a=!0,()=>{r.off(),s.off()}))});return r};import{atom as Br}from"nanostores";var zr=(e,{$listPasskeys:t})=>({signIn:{passkey:async(r,n)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:r?.email}});if(!a.data)return a;try{let s=await xr(a.data,r?.autoFill||!1),d=await e("/passkey/verify-authentication",{body:{response:s},...r?.fetchOptions,...n,method:"POST"});if(!d.data)return d}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(r,n)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await jr(a.data),d=await e("/passkey/verify-registration",{...r?.fetchOptions,...n,body:{response:s,name:r?.name},method:"POST"});if(!d.data)return d;t.set(Math.random())}catch(s){return s instanceof Dr?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),nu=()=>{let e=Br();return{id:"passkey",$InferServerPlugin:{},getActions:t=>zr(t,{$listPasskeys:e}),getAtoms(t){return{listPasskeys:fo(e,"/passkey/list-user-passkeys",t,{method:"GET"}),$listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var yu=e=>{let t=Y.BETTER_AUTH_URL,i=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!i)throw new W("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:i,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},r=new Date(Date.now()+1e3*60*5),n=new Date,a=Math.floor((r.getTime()-n.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:c("/passkey/generate-register-options",{method:"GET",use:[Re],metadata:{client:!1,openapi:{description:"Generate registration options for a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},pubKeyCredParams:{type:"array",items:{type:"object",properties:{type:{type:"string"},alg:{type:"number"}}}},timeout:{type:"number"},excludeCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},attestation:{type:"string"},extensions:{type:"object"}}}}}}}}}},async s=>{let d=s.context.session,A=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),K=new Uint8Array(Buffer.from(M(32,H("a-z","0-9")))),u;u=await Lr({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:K,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:A.map(l=>({id:l.id,transports:l.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let p=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,p,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:p,value:JSON.stringify({expectedChallenge:u.challenge,userData:{id:d.user.id}}),expiresAt:r}),s.json(u,{status:200})}),generatePasskeyAuthenticationOptions:c("/passkey/generate-authenticate-options",{method:"POST",body:ce.object({email:ce.string({description:"The email address of the user"}).optional()}).optional(),metadata:{openapi:{description:"Generate authentication options for a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},timeout:{type:"number"},allowCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},userVerification:{type:"string"},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},extensions:{type:"object"}}}}}}}}}},async s=>{let d=await R(s),A=[];d&&(A=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let K=await Nr({rpID:o.rpID,userVerification:"preferred",...A.length?{allowCredentials:A.map(l=>({id:l.id,transports:l.transports?.split(",")}))}:{}}),u={expectedChallenge:K.challenge,userData:{id:d?.user.id||""}},p=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,p,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:p,value:JSON.stringify(u),expiresAt:r}),s.json(K,{status:200})}),verifyPasskeyRegistration:c("/passkey/verify-registration",{method:"POST",body:ce.object({response:ce.any({description:"The response from the authenticator"}),name:ce.string({description:"Name of the passkey"}).optional()}),use:[Re],metadata:{openapi:{description:"Verify registration of a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{$ref:"#/components/schemas/Passkey"}}}},400:{description:"Bad request"}}}}},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)return s.json(null,{status:400});let A=s.body.response,K=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!K)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let u=await s.context.internalAdapter.findVerificationValue(K);if(!u)return s.json(null,{status:400});let{expectedChallenge:p,userData:l}=JSON.parse(u.value);if(l.id!==s.context.session.user.id)throw new ie("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let h=await Fr({response:A,expectedChallenge:p,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:k,registrationInfo:f}=h;if(!k||!f)return s.json(null,{status:400});let{credentialID:g,credentialPublicKey:C,counter:T,credentialDeviceType:N,credentialBackedUp:Fe}=f,at=Buffer.from(C).toString("base64"),dt={name:s.body.name,userId:l.id,webauthnUserID:s.context.generateId({model:"passkey"}),id:g,publicKey:at,counter:T,deviceType:N,transports:A.response.transports.join(","),backedUp:Fe,createdAt:new Date},At=await s.context.adapter.create({model:"passkey",data:dt});return s.json(At,{status:200})}catch(h){throw console.log(h),new ie("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:c("/passkey/verify-authentication",{method:"POST",body:ce.object({response:ce.any()}),metadata:{openapi:{description:"Verify authentication of a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)throw new ie("BAD_REQUEST",{message:"origin missing"});let A=s.body.response,K=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!K)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let u=await s.context.internalAdapter.findVerificationValue(K);if(!u)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:p}=JSON.parse(u.value),l=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:A.id}]});if(!l)throw new ie("UNAUTHORIZED",{message:"Passkey not found"});try{let h=await _r({response:A,expectedChallenge:p,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:l.id,credentialPublicKey:new Uint8Array(Buffer.from(l.publicKey,"base64")),counter:l.counter,transports:l.transports?.split(",")}}),{verified:k}=h;if(!k)throw new ie("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:l.id}],update:{counter:h.authenticationInfo.newCounter}});let f=await s.context.internalAdapter.createSession(l.userId,s.request);if(!f)throw new ie("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let g=await s.context.internalAdapter.findUserById(l.userId);if(!g)throw new ie("INTERNAL_SERVER_ERROR",{message:"User not found"});return await m(s,{session:f,user:g}),s.json({session:f},{status:200})}catch(h){throw s.context.logger.error("Failed to verify authentication",h),new ie("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:c("/passkey/list-user-passkeys",{method:"GET",use:[v]},async s=>{let d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(d,{status:200})}),deletePasskey:c("/passkey/delete-passkey",{method:"POST",body:ce.object({id:ce.string()}),use:[v]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:J(Vr,e?.schema)}},Vr={passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}};import{z as oo}from"zod";import{APIError as ze}from"better-call";var Wi=()=>({id:"username",endpoints:{signInUsername:c("/sign-in/username",{method:"POST",body:oo.object({username:oo.string({description:"The username of the user"}),password:oo.string({description:"The password of the user"}),rememberMe:oo.boolean({description:"Remember the user session"}).optional()}),metadata:{openapi:{summary:"Sign in with username",description:"Sign in with username",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async e=>{let t=await e.context.adapter.findOne({model:"user",where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:Wi}),new ze("UNAUTHORIZED",{message:"Invalid username or password"});if(!t.emailVerified&&e.context.options.emailAndPassword?.requireEmailVerification)throw await Ko(e,t),new ze("UNAUTHORIZED",{message:"Email not verified"});let i=await e.context.adapter.findOne({model:"account",where:[{field:"userId",value:t.id},{field:"providerId",value:"credential"}]});if(!i)throw new ze("UNAUTHORIZED",{message:"Invalid username or password"});let o=i?.password;if(!o)throw e.context.logger.error("Password not found",{username:Wi}),new ze("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new ze("UNAUTHORIZED",{message:"Invalid username or password"});let n=await e.context.internalAdapter.createSession(t.id,e.request,e.body.rememberMe===!1);return n?(await m(e,{session:n,user:t},e.body.rememberMe===!1),e.json({user:t,session:n})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});import{serializeSigned as qr}from"better-call";var Uu=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let i="";return t.includes(".")?i=t:i=await qr("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),{context:e}}}]}});import{z as ve}from"zod";import{APIError as Ji}from"better-call";var Bu=e=>({id:"magic-link",endpoints:{signInMagicLink:c("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ve.object({email:ve.string({description:"Email address to send the magic link"}).email(),callbackURL:ve.string({description:"URL to redirect after magic link verification"}).optional()}),metadata:{openapi:{description:"Sign in with magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async t=>{let{email:i}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(i))throw new Ji("BAD_REQUEST",{message:"User not found"});let o=M(32,H("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:i,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let r=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:i,url:r,token:o},t.request)}catch(n){throw t.context.logger.error("Failed to send magic link",n),new Ji("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:c("/magic-link/verify",{method:"GET",query:ve.object({token:ve.string({description:"Verification token"}),callbackURL:ve.string({description:"URL to redirect after magic link verification, if not provided will return session"}).optional()}),requireHeaders:!0,metadata:{openapi:{description:"Verify magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async t=>{let{token:i,callbackURL:o}=t.query,r=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,n=await t.context.internalAdapter.findVerificationValue(i);if(!n)throw t.redirect(`${r}?error=INVALID_TOKEN`);if(n.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(n.id),t.redirect(`${r}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(n.id);let a=n.value,s=await t.context.internalAdapter.findUserByEmail(a),d=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${r}?error=USER_NOT_FOUND`);if(d=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!d)throw t.redirect(`${r}?error=USER_NOT_CREATED`)}let A=await t.context.internalAdapter.createSession(d,t.headers);if(!A)throw t.redirect(`${r}?error=SESSION_NOT_CREATED`);if(await m(t,{session:A,user:s?.user}),!o)return t.json({session:A,user:s?.user});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});import{z as te}from"zod";import{APIError as Q}from"better-call";function Mr(e){return M(e,H("0-9"))}var Qu=e=>{let t={expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6,...e,phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt"};return{id:"phone-number",endpoints:{signInPhoneNumber:c("/sign-in/phone-number",{method:"POST",body:te.object({phoneNumber:te.string({description:"Phone number to sign in"}),password:te.string({description:"Password to use for sign in"}),rememberMe:te.boolean({description:"Remember the session"}).optional()}),metadata:{openapi:{summary:"Sign in with phone number",description:"Use this endpoint to sign in with phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid phone number or password"}}}}},async i=>{let{password:o,phoneNumber:r}=i.body;if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new Q("BAD_REQUEST",{message:"Invalid phone number!"});let n=await i.context.adapter.findOne({model:"user",where:[{field:"phoneNumber",value:r}]});if(!n)throw new Q("UNAUTHORIZED",{message:"Invalid phone number or password"});let s=(await i.context.internalAdapter.findAccountByUserId(n.id)).find(u=>u.providerId==="credential");if(!s)throw i.context.logger.error("Credential account not found",{phoneNumber:r}),new Q("UNAUTHORIZED",{message:"Invalid password or password"});let d=s?.password;if(!d)throw i.context.logger.error("Password not found",{phoneNumber:r}),new Q("UNAUTHORIZED",{message:"Unexpected error"});if(!await i.context.password.verify(d,o))throw i.context.logger.error("Invalid password"),new Q("UNAUTHORIZED",{message:"Invalid email or password"});let K=await i.context.internalAdapter.createSession(n.id,i.headers,i.body.rememberMe===!1);if(!K)throw i.context.logger.error("Failed to create session"),new Q("UNAUTHORIZED",{message:"Failed to create session"});return await m(i,{session:K,user:n},i.body.rememberMe===!1),i.json({user:n,session:K})}),sendPhoneNumberOTP:c("/phone-number/send-otp",{method:"POST",body:te.object({phoneNumber:te.string({description:"Phone number to send OTP"})}),metadata:{openapi:{summary:"Send OTP to phone number",description:"Use this endpoint to send OTP to phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}}}}}}},async i=>{if(!e?.sendOTP)throw i.context.logger.warn("sendOTP not implemented"),new Q("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new Q("BAD_REQUEST",{message:"Invalid phone number!"});let o=Mr(t.otpLength);return await i.context.internalAdapter.createVerificationValue({value:o,identifier:i.body.phoneNumber,expiresAt:I(t.expiresIn,"sec")}),await e.sendOTP({phoneNumber:i.body.phoneNumber,code:o},i.request),i.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:c("/phone-number/verify",{method:"POST",body:te.object({phoneNumber:te.string({description:"Phone number to verify"}),code:te.string({description:"OTP code"}),disableSession:te.boolean({description:"Disable session creation after verification"}).optional(),updatePhoneNumber:te.boolean({description:"Check if there is a session and update the phone number"}).optional()}),metadata:{openapi:{summary:"Verify phone number",description:"Use this endpoint to verify phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid OTP"}}}}},async i=>{let o=await i.context.internalAdapter.findVerificationValue(i.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await i.context.internalAdapter.deleteVerificationValue(o.id),new Q("BAD_REQUEST",{message:"OTP expired"})):new Q("BAD_REQUEST",{message:"OTP not found"});if(o.value!==i.body.code)throw new Q("BAD_REQUEST",{message:"Invalid OTP"});if(await i.context.internalAdapter.deleteVerificationValue(o.id),i.body.updatePhoneNumber){let n=await R(i);if(!n)throw new Q("UNAUTHORIZED",{message:"Session not found"});let a=await i.context.internalAdapter.updateUser(n.user.id,{[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0});return i.json({user:a,session:n.session})}let r=await i.context.adapter.findOne({model:"user",where:[{value:i.body.phoneNumber,field:t.phoneNumber}]});if(await e?.callbackOnVerification?.({phoneNumber:i.body.phoneNumber,user:r},i.request),r)r=await i.context.internalAdapter.updateUser(r.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(r=await i.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(i.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(i.body.phoneNumber):i.body.phoneNumber,[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0}),!r)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else return i.json(null);if(!r)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!i.body.disableSession){let n=await i.context.internalAdapter.createSession(r.id,i.request);if(!n)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(i,{session:n,user:r}),i.json({user:r,session:n})}return i.json({user:r,session:null})})},schema:J(Hr,e?.schema)}},Hr={user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}};import"zod";var Qr={user:{fields:{isAnonymous:{type:"boolean",required:!1}}}},el=e=>({id:"anonymous",endpoints:{signInAnonymous:c("/sign-in/anonymous",{method:"POST",metadata:{openapi:{description:"Sign in anonymously",responses:{200:{description:"Sign in anonymously",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async t=>{let{emailDomainName:i=me(t.context.baseURL)}=e||{},o=t.context.generateId({model:"user"}),r=`temp-${o}@${i}`,n=await t.context.internalAdapter.createUser({id:o,email:r,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!n)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(n.id,t.request);return a?(await m(t,{session:a,user:n}),t.json({user:n,session:a})):t.json(null,{status:400,body:{message:"Could not create session"}})})},hooks:{after:[{matcher(t){return t.path?.startsWith("/sign-in")||t.path?.startsWith("/sign-up")},handler:U(async t=>{let o=t.responseHeader.get("set-cookie"),r=t.context.authCookies.sessionToken.name,n=Me(o||"").get(r)?.value.split(".")[0];if(!n)return;let a=await R(t);if(!(!a||!a.user.isAnonymous)){if(t.path==="/sign-in/anonymous")throw new b("BAD_REQUEST",{message:"Anonymous users cannot sign in again anonymously"});if(e?.onLinkAccount){let s=await t.context.internalAdapter.findSession(n);if(!s)return;await e?.onLinkAccount?.({anonymousUser:a,newUser:s})}e?.disableDeleteAnonymousUser||await t.context.internalAdapter.deleteUser(a.user.id)}})}]},schema:J(Qr,e?.schema)});import{z as y}from"zod";var cl=e=>{let t={defaultRole:"user",adminRole:"admin",...e},i=U(async o=>{let r=await R(o);if(!r?.session)throw new b("UNAUTHORIZED");let n=r.user;if(!n.role||(Array.isArray(t.adminRole)?!t.adminRole.includes(n.role):n.role!==t.adminRole))throw new b("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:n,session:r.session}}});return{id:"admin",init(o){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let n=await o.internalAdapter.findUserById(r.userId);if(n.banned){if(n.banExpires&&n.banExpires<Date.now()){await o.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(o){return o.path==="/list-sessions"},handler:U(async o=>{let r=await be(o);if(!r)return;let n=r.filter(a=>!a.impersonatedBy);return o.json(n)})}]},endpoints:{setRole:c("/admin/set-role",{method:"POST",body:y.object({userId:y.string({description:"The user id"}),role:y.string({description:"The role to set. `admin` or `user` by default"})}),use:[i],metadata:{openapi:{operationId:"setRole",summary:"Set the role of a user",description:"Set the role of a user",responses:{200:{description:"User role updated",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{role:o.body.role});return o.json({user:r})}),createUser:c("/admin/create-user",{method:"POST",body:y.object({email:y.string({description:"The email of the user"}),password:y.string({description:"The password of the user"}),name:y.string({description:"The name of the user"}),role:y.string({description:"The role of the user"}),data:y.optional(y.record(y.any(),{description:"Extra fields for the user. Including custom additional fields."}))}),use:[i],metadata:{openapi:{operationId:"createUser",summary:"Create a new user",description:"Create a new user",responses:{200:{description:"User created",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{if(await o.context.internalAdapter.findUserByEmail(o.body.email))throw new b("BAD_REQUEST",{message:"User already exists"});let n=await o.context.internalAdapter.createUser({email:o.body.email,name:o.body.name,role:o.body.role,...o.body.data});if(!n)throw new b("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let a=await o.context.password.hash(o.body.password);return await o.context.internalAdapter.linkAccount({accountId:n.id,providerId:"credential",password:a,userId:n.id}),o.json({user:n})}),listUsers:c("/admin/list-users",{method:"GET",use:[i],query:y.object({searchValue:y.string({description:"The value to search for"}).optional(),searchField:y.enum(["email","name"],{description:"The field to search in, defaults to email. Can be `email` or `name`"}).optional(),searchOperator:y.enum(["contains","starts_with","ends_with"],{description:"The operator to use for the search. Can be `contains`, `starts_with` or `ends_with`"}).optional(),limit:y.string({description:"The number of users to return"}).or(y.number()).optional(),offset:y.string({description:"The offset to start from"}).or(y.number()).optional(),sortBy:y.string({description:"The field to sort by"}).optional(),sortDirection:y.enum(["asc","desc"],{description:"The direction to sort by"}).optional(),filterField:y.string({description:"The field to filter by"}).optional(),filterValue:y.string({description:"The value to filter by"}).or(y.number()).or(y.boolean()).optional(),filterOperator:y.enum(["eq","ne","lt","lte","gt","gte"],{description:"The operator to use for the filter"}).optional()}),metadata:{openapi:{operationId:"listUsers",summary:"List users",description:"List users",responses:{200:{description:"List of users",content:{"application/json":{schema:{type:"object",properties:{users:{type:"array",items:{$ref:"#/components/schemas/User"}}}}}}}}}}},async o=>{let r=[];o.query?.searchValue&&r.push({field:o.query.searchField||"email",operator:o.query.searchOperator||"contains",value:o.query.searchValue}),o.query?.filterValue&&r.push({field:o.query.filterField||"email",operator:o.query.filterOperator||"eq",value:o.query.filterValue});try{let n=await o.context.internalAdapter.listUsers(Number(o.query?.limit)||void 0,Number(o.query?.offset)||void 0,o.query?.sortBy?{field:o.query.sortBy,direction:o.query.sortDirection||"asc"}:void 0,r.length?r:void 0);return o.json({users:n})}catch(n){return console.log(n),o.json({users:[]})}}),listUserSessions:c("/admin/list-user-sessions",{method:"POST",use:[i],body:y.object({userId:y.string({description:"The user id"})}),metadata:{openapi:{operationId:"listUserSessions",summary:"List user sessions",description:"List user sessions",responses:{200:{description:"List of user sessions",content:{"application/json":{schema:{type:"object",properties:{sessions:{type:"array",items:{$ref:"#/components/schemas/Session"}}}}}}}}}}},async o=>({sessions:await o.context.internalAdapter.listSessions(o.body.userId)})),unbanUser:c("/admin/unban-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"unbanUser",summary:"Unban a user",description:"Unban a user",responses:{200:{description:"User unbanned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!1});return o.json({user:r})}),banUser:c("/admin/ban-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"}),banReason:y.string({description:"The reason for the ban"}).optional(),banExpiresIn:y.number({description:"The number of seconds until the ban expires"}).optional()}),use:[i],metadata:{openapi:{operationId:"banUser",summary:"Ban a user",description:"Ban a user",responses:{200:{description:"User banned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{if(o.body.userId===o.context.session.user.id)throw new b("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!0,banReason:o.body.banReason||e?.defaultBanReason||"No reason",banExpires:o.body.banExpiresIn?I(o.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?I(e.defaultBanExpiresIn,"sec"):void 0});return await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({user:r})}),impersonateUser:c("/admin/impersonate-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"impersonateUser",summary:"Impersonate a user",description:"Impersonate a user",responses:{200:{description:"Impersonation session created",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=await o.context.internalAdapter.findUserById(o.body.userId);if(!r)throw new b("NOT_FOUND",{message:"User not found"});let n=await o.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:o.context.session.user.id,expiresAt:e?.impersonationSessionDuration?I(e.impersonationSessionDuration,"sec"):I(60*60,"sec")});if(!n)throw new b("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(o,{session:n,user:r},!0),o.json({session:n,user:r})}),revokeUserSession:c("/admin/revoke-user-session",{method:"POST",body:y.object({sessionToken:y.string({description:"The session token"})}),use:[i],metadata:{openapi:{operationId:"revokeUserSession",summary:"Revoke a user session",description:"Revoke a user session",responses:{200:{description:"Session revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>(await o.context.internalAdapter.deleteSession(o.body.sessionToken),o.json({success:!0}))),revokeUserSessions:c("/admin/revoke-user-sessions",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"revokeUserSessions",summary:"Revoke all user sessions",description:"Revoke all user sessions",responses:{200:{description:"Sessions revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>(await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({success:!0}))),removeUser:c("/admin/remove-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"removeUser",summary:"Remove a user",description:"Delete a user and all their sessions and accounts. Cannot be undone.",responses:{200:{description:"User removed",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>(await o.context.internalAdapter.deleteUser(o.body.userId),o.json({success:!0})))},schema:J($r,t.schema)}},$r={user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}};import{z as re}from"zod";import{APIError as Ne}from"better-call";import{betterFetch as ho}from"@better-fetch/fetch";import{parseJWT as Zr}from"oslo/jwt";async function Gr(e,t,i){if(t==="oidc"&&e.idToken){let r=Zr(e.idToken);if(r?.payload)return r.payload}if(!i)return null;let o=await ho(i,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}});return{id:o.data?.sub,emailVerified:o.data?.email_verified,email:o.data?.email,...o.data}}var vl=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:c("/sign-in/oauth2",{method:"POST",query:re.object({currentURL:re.string({description:"Redirect to the current URL after sign in"}).optional()}).optional(),body:re.object({providerId:re.string({description:"The provider ID for the OAuth provider"}),callbackURL:re.string({description:"The URL to redirect to after sign in"}).optional(),errorCallbackURL:re.string({description:"The URL to redirect to if an error occurs"}).optional()}),metadata:{openapi:{description:"Sign in with OAuth2",responses:{200:{description:"Sign in with OAuth2",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}}}}}}}}}},async t=>{let{providerId:i}=t.body,o=e.config.find(N=>N.providerId===i);if(!o)throw new Ne("BAD_REQUEST",{message:`No config found for provider ${i}`});let{discoveryUrl:r,authorizationUrl:n,tokenUrl:a,clientId:s,clientSecret:d,scopes:A,redirectURI:K,responseType:u,pkce:p,prompt:l,accessType:h}=o,k=n,f=a;if(r){let N=await ho(r,{onError(Fe){t.context.logger.error(Fe.error.message,Fe.error,{discoveryUrl:r})}});N.data&&(k=N.data.authorization_endpoint,f=N.data.token_endpoint)}if(!k||!f)throw new Ne("BAD_REQUEST",{message:"Invalid OAuth configuration."});let{state:g,codeVerifier:C}=await fe(t),T=await P({id:i,options:{clientId:s,clientSecret:d,redirectURI:K},authorizationEndpoint:k,state:g,codeVerifier:p?C:void 0,scopes:A||[],redirectURI:`${t.context.baseURL}/oauth2/callback/${i}`});return u&&u!=="code"&&T.searchParams.set("response_type",u),l&&T.searchParams.set("prompt",l),h&&T.searchParams.set("access_type",h),t.json({url:T.toString(),redirect:!0})}),oAuth2Callback:c("/oauth2/callback/:providerId",{method:"GET",query:re.object({code:re.string({description:"The OAuth2 code"}).optional(),error:re.string({description:"The error message, if any"}).optional(),state:re.string({description:"The state parameter from the OAuth2 request"})}),metadata:{openapi:{description:"OAuth2 callback",responses:{200:{description:"OAuth2 callback",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"}}}}}}}}}},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let i=e.config.find(g=>g.providerId===t.params.providerId);if(!i)throw new Ne("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,r=await He(t),{callbackURL:n,codeVerifier:a,errorURL:s}=r,d=t.query.code,A=i.tokenUrl,K=i.userInfoUrl;if(i.discoveryUrl){let g=await ho(i.discoveryUrl,{method:"GET"});g.data&&(A=g.data.token_endpoint,K=g.data.userinfo_endpoint)}try{if(!A)throw new Ne("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await O({code:d,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${i.providerId}`,options:{clientId:i.clientId,clientSecret:i.clientSecret},tokenEndpoint:A})}catch(g){throw t.context.logger.error(g&&typeof g=="object"&&"name"in g?g.name:"",g),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new Ne("BAD_REQUEST",{message:"Invalid OAuth configuration."});let u=i.getUserInfo?await i.getUserInfo(o):await Gr(o,i.type||"oauth2",K);if(!u?.email)throw t.context.logger.error("Unable to get user info",u),t.redirect(`${t.context.baseURL}/error?error=email_is_missing`);let p=await we(t,{userInfo:u,account:{providerId:i.providerId,accountId:u.id,accessToken:o.accessToken}});function l(g){throw t.redirect(`${s||n||`${t.context.baseURL}/error`}?error=${g}`)}if(p.error)return l(p.error.split(" ").join("_"));let{session:h,user:k}=p.data;await m(t,{session:h,user:k});let f;try{f=new URL(n).toString()}catch{f=n}throw t.redirect(f)})}});import{z as Le}from"zod";var Xi={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},Ol=Le.object({id:Le.string(),publicKey:Le.string(),privateKey:Le.string(),createdAt:Le.date()});var yo=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});import{exportJWK as Yi,generateKeyPair as Wr,importJWK as Jr,SignJWT as Xr}from"jose";var jl=e=>({id:"jwt",endpoints:{getJwks:c("/jwks",{method:"GET",metadata:{openapi:{description:"Get the JSON Web Key Set",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{keys:{type:"array",items:{type:"object",properties:{kid:{type:"string"},kty:{type:"string"},use:{type:"string"},alg:{type:"string"},n:{type:"string"},e:{type:"string"}}}}}}}}}}}}},async t=>{let o=await yo(t.context.adapter).getAllKeys();return t.json({keys:o.map(r=>({...JSON.parse(r.publicKey),kid:r.id}))})}),getToken:c("/token",{method:"GET",requireHeaders:!0,use:[v],metadata:{openapi:{description:"Get a JWT token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async t=>{let i=yo(t.context.adapter),o=await i.getLatestKey(),r=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:A,privateKey:K}=await Wr(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),u=await Yi(A),p=await Yi(K),l=JSON.stringify(p),h={id:crypto.randomUUID(),publicKey:JSON.stringify(u),privateKey:r?JSON.stringify(await de({key:t.context.options.secret,data:l})):l,createdAt:new Date};o=await i.createJwk(h)}let n=r?await pe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await Jr(JSON.parse(n)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new Xr({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:J(Xi,e?.schema)});import{z as io}from"zod";var _l=e=>{let t={maximumSessions:5,...e},i=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:c("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let r=o.headers?.get("cookie");if(!r)return o.json([]);let n=Object.fromEntries(Oe(r)),a=(await Promise.all(Object.entries(n).filter(([A])=>i(A)).map(async([A])=>await o.getSignedCookie(A,o.context.secret)))).filter(A=>A!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(A=>A&&A.session.expiresAt>new Date);return o.json(d)}),setActiveSession:c("/multi-session/set-active",{method:"POST",body:io.object({sessionToken:io.string({description:"The session token to set as active"})}),requireHeaders:!0,use:[v],metadata:{openapi:{description:"Set the active session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b("UNAUTHORIZED",{message:"Invalid session token"});let s=await o.context.internalAdapter.findSession(r);if(!s||s.session.expiresAt<new Date)throw o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new b("UNAUTHORIZED",{message:"Invalid session token"});return await m(o,s),o.json(s)}),revokeDeviceSession:c("/multi-session/revoke",{method:"POST",body:io.object({sessionToken:io.string({description:"The session token to revoke"})}),requireHeaders:!0,use:[v],metadata:{openapi:{description:"Revoke a device session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b("UNAUTHORIZED",{message:"Invalid session token"});if(await o.context.internalAdapter.deleteSession(r),o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),!(o.context.session?.session.token===r))return o.json({success:!0});let d=o.headers?.get("cookie");if(d){let A=Object.fromEntries(Oe(d)),K=(await Promise.all(Object.entries(A).filter(([p])=>i(p)).map(async([p])=>await o.getSignedCookie(p,o.context.secret)))).filter(p=>p!==void 0),u=o.context.internalAdapter;if(K.length>0){let l=(await u.findSessions(K)).filter(h=>h&&h.session.expiresAt>new Date);if(l.length>0){let h=l[0];await m(o,h)}else V(o)}else V(o)}else V(o);return o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:U(async o=>{let r=o.responseHeader.get("set-cookie");if(!r)return;let n=Me(r),a=o.context.authCookies.sessionToken,s=n.get(a.name)?.value;if(!s)return;let d=Oe(o.headers?.get("cookie")||""),A=s.split(".")[0];if(!A)return;let K=`${a.name}_multi-${A}`;n.get(K)||d.get(K)||Object.keys(Object.fromEntries(d)).filter(i).length+(r.includes("session_token")?1:0)>t.maximumSessions||await o.setSignedCookie(K,A,o.context.secret,a.options)})},{matcher:o=>o.path==="/sign-out",handler:U(async o=>{let r=o.headers?.get("cookie");if(!r)return;let n=Object.fromEntries(Oe(r)),a=Object.keys(n).map(s=>i(s)?(o.setCookie(s,"",{maxAge:0}),s.split("_multi-")[1]):null).filter(s=>s!==null);await o.context.internalAdapter.deleteSessions(a)})}]}}};import{z as D}from"zod";var wo=["email-verification","sign-in","forget-password"],Zl=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:c("/email-otp/send-verification-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to send the OTP"}),type:D.enum(wo,{description:"Type of the OTP"})}),metadata:{openapi:{description:"Send verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async i=>{if(!e?.sendVerificationOTP)throw i.context.logger.error("send email verification is not implemented"),new b("BAD_REQUEST",{message:"send email verification is not implemented"});let o=i.body.email,r=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}).catch(async n=>{await i.context.internalAdapter.deleteVerificationByIdentifier(`${i.body.type}-otp-${o}`),await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")})}),await e.sendVerificationOTP({email:o,otp:r,type:i.body.type},i.request),i.json({success:!0})}),createVerificationOTP:c("/email-otp/create-verification-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to send the OTP"}),type:D.enum(wo,{description:"Type of the OTP"})}),metadata:{SERVER_ONLY:!0,openapi:{description:"Create verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string"}}}}}}}},async i=>{let o=i.body.email,r=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),r}),getVerificationOTP:c("/email-otp/get-verification-otp",{method:"GET",query:D.object({email:D.string({description:"Email address to get the OTP"}),type:D.enum(wo)}),metadata:{SERVER_ONLY:!0,openapi:{description:"Get verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{otp:{type:"string"}}}}}}}}}},async i=>{let o=i.query.email,r=await i.context.internalAdapter.findVerificationValue(`${i.query.type}-otp-${o}`);return!r||r.expiresAt<new Date?i.json({otp:null}):i.json({otp:r.value})}),verifyEmailOTP:c("/email-otp/verify-email",{method:"POST",body:D.object({email:D.string({description:"Email address to verify"}),otp:D.string({description:"OTP to verify"})}),metadata:{openapi:{description:"Verify email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a)throw new b("BAD_REQUEST",{message:"User not found"});let s=await i.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return i.json({user:s})}),signInEmailOTP:c("/sign-in/email-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to sign in"}),otp:D.string({description:"OTP sent to the email"})}),metadata:{openapi:{description:"Sign in with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new b("BAD_REQUEST",{message:"User not found"});let d=await i.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),A=await i.context.internalAdapter.createSession(d.id,i.request);return await m(i,{session:A,user:d}),i.json({user:d,session:A})}a.user.emailVerified||await i.context.internalAdapter.updateUser(a.user.id,{emailVerified:!0});let s=await i.context.internalAdapter.createSession(a.user.id,i.request);return await m(i,{session:s,user:a.user}),i.json({session:s,user:a})}),forgetPasswordEmailOTP:c("/forget-password/email-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to send the OTP"})}),metadata:{openapi:{description:"Forget password with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async i=>{let o=i.body.email;if(!await i.context.internalAdapter.findUserByEmail(o))throw new b("BAD_REQUEST",{message:"User not found"});let n=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:n,identifier:`forget-password-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:"forget-password"},i.request),i.json({success:!0})}),resetPasswordEmailOTP:c("/email-otp/reset-password",{method:"POST",body:D.object({email:D.string({description:"Email address to reset the password"}),otp:D.string({description:"OTP sent to the email"}),password:D.string({description:"New password"})}),metadata:{openapi:{description:"Reset password with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findUserByEmail(o);if(!r)throw new b("BAD_REQUEST",{message:"User not found"});let n=await i.context.internalAdapter.findVerificationValue(`forget-password-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await i.context.internalAdapter.deleteVerificationValue(n.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let a=i.body.otp;if(n.value!==a)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(n.id);let s=await i.context.password.hash(i.body.password);return await i.context.internalAdapter.updatePassword(r.user.id,s),i.json({success:!0})})},hooks:{after:[{matcher(i){return!!(i.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(i){let o=await be(i);if(o&&o.user.email&&o.user.emailVerified===!1){let r=M(t.otpLength,H("0-9"));await i.context.internalAdapter.createVerificationValue({value:r,identifier:`email-verification-otp-${o.user.email}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o.user.email,otp:r,type:"email-verification"},i.request)}}}]}}};import{z as ot}from"zod";import{betterFetch as Yr}from"@better-fetch/fetch";function et(e){return e==="true"||e===!0}var ig=e=>({id:"one-tap",endpoints:{oneTapCallback:c("/one-tap/callback",{method:"POST",body:ot.object({idToken:ot.string({description:"Google ID token, which the client obtains from the One Tap API"})}),metadata:{openapi:{summary:"One tap callback",description:"Use this endpoint to authenticate with Google One Tap",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}},400:{description:"Invalid token"}}}}},async t=>{let{idToken:i}=t.body,{data:o,error:r}=await Yr("https://oauth2.googleapis.com/tokeninfo?id_token="+i);if(r)return t.json({error:"Invalid token"});let n=await t.context.internalAdapter.findUserByEmail(o.email);if(!n){if(e?.disableSignup)throw new b("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:et(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new b("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await m(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(n.user.id,t.request);return await m(t,{user:n.user,session:a}),t.json({session:a,user:n})})}});import{z as Co}from"zod";function en(){let e=Y.VERCEL_URL,t=Y.NETLIFY_URL,i=Y.RENDER_URL,o=Y.AWS_LAMBDA_FUNCTION_NAME,r=Y.GOOGLE_CLOUD_FUNCTION_NAME,n=Y.AZURE_FUNCTION_NAME;return e||t||i||o||r||n}var Ag=e=>({id:"oauth-proxy",endpoints:{oAuthProxy:c("/oauth-proxy-callback",{method:"GET",query:Co.object({callbackURL:Co.string({description:"The URL to redirect to after the proxy"}),cookies:Co.string({description:"The cookies to set after the proxy"})}),metadata:{openapi:{description:"OAuth Proxy Callback",parameters:[{in:"query",name:"callbackURL",required:!0,description:"The URL to redirect to after the proxy"},{in:"query",name:"cookies",required:!0,description:"The cookies to set after the proxy"}],responses:{302:{description:"Redirect",headers:{Location:{description:"The URL to redirect to",schema:{type:"string"}}}}}}}},async t=>{let i=t.query.cookies,o=await pe({key:t.context.secret,data:i});throw t.setHeader("set-cookie",o),t.redirect(t.query.callbackURL)})},hooks:{after:[{matcher(t){return t.path?.startsWith("/callback")},handler:U(async t=>{let i=t.context.returned,o=i instanceof b?i.headers:null,r=o?.get("location");if(r?.includes("/oauth-proxy-callback?callbackURL")){if(!r.startsWith("http"))return;let n=new URL(r);if(n.origin===me(t.context.baseURL)){let K=n.searchParams.get("callbackURL");if(!K)return;t.setHeader("location",K);return}let s=o?.get("set-cookie");if(!s)return;let d=await de({key:t.context.secret,data:s}),A=`${r}&cookies=${encodeURIComponent(d)}`;t.setHeader("location",A)}})}],before:[{matcher(t){return t.path?.startsWith("/sign-in/social")},async handler(t){let i=new URL(e?.currentURL||t.request?.url||en()||t.context.baseURL);return t.body.callbackURL=`${i.origin}${t.context.options.basePath||"/api/auth"}/oauth-proxy-callback?callbackURL=${encodeURIComponent(t.body.callbackURL||t.context.baseURL)}`,{context:t}}}]}});var pg=(e,t)=>({id:"custom-session",endpoints:{getSession:c("/get-session",{method:"GET",metadata:{CUSTOM_SESSION:!0}},async i=>{let o=await R(i);if(!o)return i.json(null);let r=await e(o);return i.json(r)})}});import{ZodObject as tt,ZodOptional as bo,ZodSchema as rt}from"zod";var ke=e=>{let t=e.plugins?.reduce((d,A)=>{let K=A.schema;if(!K)return d;for(let[u,p]of Object.entries(K))d[u]={fields:{...d[u]?.fields,...p.fields},modelName:p.modelName||u};return d},{}),i=e.rateLimit?.storage==="database",o={rateLimit:{modelName:e.rateLimit?.modelName||"rateLimit",fields:{key:{type:"string",fieldName:e.rateLimit?.fields?.key||"key"},count:{type:"number",fieldName:e.rateLimit?.fields?.count||"count"},lastRequest:{type:"number",fieldName:e.rateLimit?.fields?.lastRequest||"lastRequest"}}}},{user:r,session:n,account:a,...s}=t||{};return{user:{modelName:e.user?.modelName||"user",fields:{name:{type:"string",required:!0,fieldName:e.user?.fields?.name||"name"},email:{type:"string",unique:!0,required:!0,fieldName:e.user?.fields?.email||"email"},emailVerified:{type:"boolean",defaultValue:()=>!1,required:!0,fieldName:e.user?.fields?.emailVerified||"emailVerified"},image:{type:"string",required:!1,fieldName:e.user?.fields?.image||"image"},createdAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.updatedAt||"updatedAt"},...r?.fields,...e.user?.additionalFields},order:1},session:{modelName:e.session?.modelName||"session",fields:{expiresAt:{type:"date",required:!0,fieldName:e.session?.fields?.expiresAt||"expiresAt"},token:{type:"string",required:!0,fieldName:e.session?.fields?.token||"token",unique:!0},createdAt:{type:"date",required:!0,fieldName:e.session?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.session?.fields?.updatedAt||"updatedAt"},ipAddress:{type:"string",required:!1,fieldName:e.session?.fields?.ipAddress||"ipAddress"},userAgent:{type:"string",required:!1,fieldName:e.session?.fields?.userAgent||"userAgent"},userId:{type:"string",fieldName:e.session?.fields?.userId||"userId",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0},...n?.fields,...e.session?.additionalFields},order:2},account:{modelName:e.account?.modelName||"account",fields:{accountId:{type:"string",required:!0,fieldName:e.account?.fields?.accountId||"accountId"},providerId:{type:"string",required:!0,fieldName:e.account?.fields?.providerId||"providerId"},userId:{type:"string",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0,fieldName:e.account?.fields?.userId||"userId"},accessToken:{type:"string",required:!1,fieldName:e.account?.fields?.accessToken||"accessToken"},refreshToken:{type:"string",required:!1,fieldName:e.account?.fields?.refreshToken||"refreshToken"},idToken:{type:"string",required:!1,fieldName:e.account?.fields?.idToken||"idToken"},accessTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"accessTokenExpiresAt"},refreshTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"refreshTokenExpiresAt"},scope:{type:"string",required:!1,fieldName:e.account?.fields?.scope||"scope"},password:{type:"string",required:!1,fieldName:e.account?.fields?.password||"password"},createdAt:{type:"date",required:!0,fieldName:e.account?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.account?.fields?.updatedAt||"updatedAt"},...a?.fields},order:3},verification:{modelName:e.verification?.modelName||"verification",fields:{identifier:{type:"string",required:!0,fieldName:e.verification?.fields?.identifier||"identifier"},value:{type:"string",required:!0,fieldName:e.verification?.fields?.value||"value"},expiresAt:{type:"date",required:!0,fieldName:e.verification?.fields?.expiresAt||"expiresAt"},createdAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.updatedAt||"updatedAt"}},order:4},...s,...i?o:{}}};import{z as Rg}from"zod";import{Kysely as Eg,MssqlDialect as Sg}from"kysely";import{MysqlDialect as xg,PostgresDialect as jg,SqliteDialect as Bg}from"kysely";var _e={};function nt(e){switch(e.constructor.name){case"ZodString":return"string";case"ZodNumber":return"number";case"ZodBoolean":return"boolean";case"ZodObject":return"object";case"ZodArray":return"array";default:return"string"}}function to(e){let t=[];return e.metadata?.openapi?.parameters?(t.push(...e.metadata.openapi.parameters),t):(e.query instanceof tt&&Object.entries(e.query.shape).forEach(([i,o])=>{o instanceof rt&&t.push({name:i,in:"query",schema:{type:nt(o),..."minLength"in o&&o.minLength?{minLength:o.minLength}:{},description:o.description}})}),t)}function it(e){if(e.metadata?.openapi?.requestBody)return e.metadata.openapi.requestBody;if(e.body&&(e.body instanceof tt||e.body instanceof bo)){let t=e.body.shape;if(!t)return;let i={},o=[];return Object.entries(t).forEach(([r,n])=>{n instanceof rt&&(i[r]={type:nt(n),description:n.description},n instanceof bo||o.push(r))}),{required:e.body instanceof bo?!1:!!e.body,content:{"application/json":{schema:{type:"object",properties:i,required:o}}}}}}function ro(e){return{400:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Bad Request. Usually due to missing parameters, or invalid parameters."},401:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Unauthorized. Due to missing or invalid authentication."},403:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Forbidden. You do not have permission to access this resource or to perform this action."},404:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Not Found. The requested resource was not found."},429:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Too Many Requests. You have exceeded the rate limit. Try again later."},500:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Internal Server Error. This is a problem with the server that you cannot fix."},...e}}async function vo(e,t){let i=po(e,{...t,plugins:[]}),o=ke(t),n={schemas:{...Object.entries(o).reduce((s,[d,A])=>{let K=d.charAt(0).toUpperCase()+d.slice(1);return s[K]={type:"object",properties:Object.entries(A.fields).reduce((u,[p,l])=>(u[p]={type:l.type},u),{})},s},{})}};Object.entries(i.api).forEach(([s,d])=>{let A=d.options;if(!A.metadata?.SERVER_ONLY&&(A.method==="GET"&&(_e[d.path]={get:{tags:["Default",...A.metadata?.openapi?.tags||[]],description:A.metadata?.openapi?.description,operationId:A.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(A),responses:ro(A.metadata?.openapi?.responses)}}),A.method==="POST")){let K=it(A);_e[d.path]={post:{tags:["Default",...A.metadata?.openapi?.tags||[]],description:A.metadata?.openapi?.description,operationId:A.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(A),...K?{requestBody:K}:{requestBody:{content:{"application/json":{schema:{type:"object",properties:{}}}}}},responses:ro(A.metadata?.openapi?.responses)}}}});for(let s of t.plugins||[]){if(s.id==="open-api")continue;let d=po(e,{...t,plugins:[s]}),A=Object.keys(d.api).map(K=>i.api[K]===void 0?d.api[K]:null).filter(K=>K!==null);Object.entries(A).forEach(([K,u])=>{let p=u.options;p.metadata?.SERVER_ONLY||(p.method==="GET"&&(_e[u.path]={get:{tags:p.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:p.metadata?.openapi?.description,operationId:p.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(p),responses:ro(p.metadata?.openapi?.responses)}}),p.method==="POST"&&(_e[u.path]={post:{tags:p.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:p.metadata?.openapi?.description,operationId:p.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(p),requestBody:it(p),responses:ro(p.metadata?.openapi?.responses)}}))})}return{openapi:"3.1.1",info:{title:"Better Auth",description:"API Reference for your Better Auth Instance"},components:n,security:[{apiKeyCookie:[]}],servers:[{url:e.baseURL}],tags:[{name:"Default",description:"Default endpoints that are included with Better Auth by default. These endpoints are not part of any plugin."}],paths:_e}}var st=`<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
83
+ Error: `,s),e.redirect(`${e.context.baseURL}/error?error=internal_server_error`)}),n=r?.user;if(r){let s=r.accounts.find(d=>d.providerId===i.providerId);if(s)await e.context.internalAdapter.updateAccount(s.id,{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt});else{if(!e.context.options.account?.accountLinking?.trustedProviders?.includes(i.providerId)&&!t.emailVerified||e.context.options.account?.accountLinking?.enabled===!1)return Io&&$.warn(`User already exist but account isn't linked to ${i.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`),{error:"account not linked",data:null};try{await e.context.internalAdapter.linkAccount({providerId:i.providerId,accountId:t.id.toString(),userId:r.user.id,accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope})}catch(K){return $.error("Unable to link account",K),{error:"unable to link account",data:null}}}}else try{let s=t.emailVerified||!1;if(n=await e.context.internalAdapter.createOAuthUser({...t,id:void 0,emailVerified:s,email:t.email.toLowerCase()},{accessToken:i.accessToken,idToken:i.idToken,refreshToken:i.refreshToken,accessTokenExpiresAt:i.accessTokenExpiresAt,refreshTokenExpiresAt:i.refreshTokenExpiresAt,scope:i.scope,providerId:i.providerId,accountId:t.id.toString()}).then(d=>d?.user),!s&&n&&e.context.options.emailVerification?.sendOnSignUp){let d=await se(e.context.secret,n.email),A=`${e.context.baseURL}/verify-email?token=${d}&callbackURL=${o}`;await e.context.options.emailVerification?.sendVerificationEmail?.({user:n,url:A,token:d},e.request)}}catch(s){return $.error("Unable to create user",s),{error:"unable to create user",data:null}}if(!n)return{error:"unable to create user",data:null};let a=await e.context.internalAdapter.createSession(n.id,e.request);return a?{data:{session:a,user:n},error:null}:{error:"unable to create session",data:null}}var ei=c("/sign-in/social",{method:"POST",query:x.object({currentURL:x.string().optional()}).optional(),body:x.object({callbackURL:x.string({description:"Callback URL to redirect to after the user has signed in"}).optional(),errorCallbackURL:x.string({description:"Callback URL to redirect to if an error happens"}).optional(),provider:x.enum(Qe,{description:"OAuth2 provider to use"}),disableRedirect:x.boolean({description:"Disable automatic redirection to the provider. Useful for handling the redirection yourself"}).optional(),idToken:x.optional(x.object({token:x.string({description:"ID token from the provider"}),nonce:x.string({description:"Nonce used to generate the token"}).optional(),accessToken:x.string({description:"Access token from the provider"}).optional(),refreshToken:x.string({description:"Refresh token from the provider"}).optional(),expiresAt:x.number({description:"Expiry date of the token"}).optional()}),{description:"ID token from the provider to sign in the user with id token"})}),metadata:{openapi:{description:"Sign in with a social provider",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{let t=e.context.socialProviders.find(n=>n.id===e.body.provider);if(!t)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new q("NOT_FOUND",{message:"Provider not found"});if(e.body.idToken){if(!t.verifyIdToken)throw e.context.logger.error("Provider does not support id token verification",{provider:e.body.provider}),new q("NOT_FOUND",{message:"Provider does not support id token verification"});let{token:n,nonce:a}=e.body.idToken;if(!await t.verifyIdToken(n,a))throw e.context.logger.error("Invalid id token",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"Invalid id token"});let d=await t.getUserInfo({idToken:n,accessToken:e.body.idToken.accessToken,refreshToken:e.body.idToken.refreshToken});if(!d||!d?.user)throw e.context.logger.error("Failed to get user info",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"Failed to get user info"});if(!d.user.email)throw e.context.logger.error("User email not found",{provider:e.body.provider}),new q("UNAUTHORIZED",{message:"User email not found"});let A=await we(e,{userInfo:{email:d.user.email,id:d.user.id,name:d.user.name||"",image:d.user.image,emailVerified:d.user.emailVerified||!1},account:{providerId:t.id,accountId:d.user.id,accessToken:e.body.idToken.accessToken}});if(A.error)throw new q("UNAUTHORIZED",{message:A.error});return await m(e,A.data),e.json({session:A.data.session,user:A.data.user,url:`${e.body.callbackURL||e.query?.currentURL||e.context.options.baseURL}`,redirect:!0})}let{codeVerifier:i,state:o}=await fe(e),r=await t.createAuthorizationURL({state:o,codeVerifier:i,redirectURI:`${e.context.baseURL}/callback/${t.id}`});return e.json({url:r.toString(),redirect:!e.body.disableRedirect})}),oi=c("/sign-in/email",{method:"POST",body:x.object({email:x.string({description:"Email of the user"}),password:x.string({description:"Password of the user"}),callbackURL:x.string({description:"Callback URL to use as a redirect for email verification"}).optional(),rememberMe:x.boolean({description:"If this is false, the session will not be remembered. Default is `true`."}).default(!0).optional()}),metadata:{openapi:{description:"Sign in with email and password",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{type:"string"},user:{type:"object"},url:{type:"string"},redirect:{type:"boolean"}},required:["session","user","url","redirect"]}}}}}}}},async e=>{if(!e.context.options?.emailAndPassword?.enabled)throw e.context.logger.error("Email and password is not enabled. Make sure to enable it in the options on you `auth.ts` file. Check `https://better-auth.com/docs/authentication/email-password` for more!"),new q("BAD_REQUEST",{message:"Email and password is not enabled"});let{email:t,password:i}=e.body;if(!x.string().email().safeParse(t).success)throw new q("BAD_REQUEST",{message:"Invalid email"});let r=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!r)throw await e.context.password.hash(i),e.context.logger.error("User not found",{email:t}),new q("UNAUTHORIZED",{message:"Invalid email or password"});let n=r.accounts.find(A=>A.providerId==="credential");if(!n)throw e.context.logger.error("Credential account not found",{email:t}),new q("UNAUTHORIZED",{message:"Invalid email or password"});let a=n?.password;if(!a)throw e.context.logger.error("Password not found",{email:t}),new q("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(a,i))throw e.context.logger.error("Invalid password"),new q("UNAUTHORIZED",{message:"Invalid email or password"});if(e.context.options?.emailAndPassword?.requireEmailVerification&&!r.user.emailVerified){if(!e.context.options?.emailVerification?.sendVerificationEmail)throw new q("UNAUTHORIZED",{message:"Email is not verified."});let A=await se(e.context.secret,r.user.email),K=`${e.context.baseURL}/verify-email?token=${A}&callbackURL=${e.body.callbackURL||"/"}`;throw await e.context.options.emailVerification.sendVerificationEmail({user:r.user,url:K,token:A},e.request),e.context.logger.error("Email not verified",{email:t}),new q("FORBIDDEN",{message:"Email is not verified. Check your email for a verification link"})}let d=await e.context.internalAdapter.createSession(r.user.id,e.headers,e.body.rememberMe===!1);if(!d)throw e.context.logger.error("Failed to create session"),new q("UNAUTHORIZED",{message:"Failed to create session"});return await m(e,{session:d,user:r.user},e.body.rememberMe===!1),e.json({user:r.user,session:d,redirect:!!e.body.callbackURL,url:e.body.callbackURL})});import{z as Ee}from"zod";var Ze=Ee.object({code:Ee.string().optional(),error:Ee.string().optional(),errorMessage:Ee.string().optional(),state:Ee.string().optional()}),ii=c("/callback/:id",{method:["GET","POST"],body:Ze.optional(),query:Ze.optional(),metadata:he},async e=>{let t;try{if(e.method==="GET")t=Ze.parse(e.query);else if(e.method==="POST")t=Ze.parse(e.body);else throw new Error("Unsupported method")}catch(g){throw e.context.logger.error("INVALID_CALLBACK_REQUEST",g),e.redirect(`${e.context.baseURL}/error?error=invalid_callback_request`)}let{code:i,error:o,state:r}=t;if(!r)throw e.context.logger.error("State not found"),e.redirect(`${e.context.baseURL}/error?error=state_not_found`);if(!i)throw e.context.logger.error("Code not found"),e.redirect(`${e.context.baseURL}/error?error=${o||"no_code"}`);let n=e.context.socialProviders.find(g=>g.id===e.params.id);if(!n)throw e.context.logger.error("Oauth provider with id",e.params.id,"not found"),e.redirect(`${e.context.baseURL}/error?error=oauth_provider_not_found`);let{codeVerifier:a,callbackURL:s,link:d,errorURL:A}=await He(e),K;try{K=await n.validateAuthorizationCode({code:i,codeVerifier:a,redirectURI:`${e.context.baseURL}/callback/${n.id}`})}catch(g){throw e.context.logger.error("",g),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`)}let u=await n.getUserInfo(K).then(g=>g?.user);function p(g){let C=A||s||`${e.context.baseURL}/error`;throw C.includes("?")?C=`${C}&error=${g}`:C=`${C}?error=${g}`,e.redirect(C)}if(!u)return e.context.logger.error("Unable to get user info"),p("unable_to_get_user_info");if(!u.email)return e.context.logger.error("Provider did not return email. This could be due to misconfiguration in the provider settings."),p("email_not_found");if(!s)throw e.context.logger.error("No callback URL found"),e.redirect(`${e.context.baseURL}/error?error=please_restart_the_process`);if(d){if(d.email!==u.email.toLowerCase())return p("email_doesn't_match");if(!await e.context.internalAdapter.createAccount({userId:d.userId,providerId:n.id,accountId:u.id}))return p("unable_to_link_account");let C;try{C=new URL(s).toString()}catch{C=s}throw e.redirect(C)}let l=await we(e,{userInfo:{id:u.id,email:u.email,name:u.name||"",image:u.image,emailVerified:u.emailVerified||!1},account:{providerId:n.id,accountId:u.id,...K,scope:K.scopes?.join(",")},callbackURL:s});if(l.error)return e.context.logger.error(l.error.split(" ").join("_")),p(l.error.split(" ").join("_"));let{session:h,user:k}=l.data;await m(e,{session:h,user:k});let f;try{f=new URL(s).toString()}catch{f=s}throw e.redirect(f)});import"zod";import{APIError as ar}from"better-call";var ti=c("/sign-out",{method:"POST",requireHeaders:!0,metadata:{openapi:{description:"Sign out the current user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async e=>{let t=await e.getSignedCookie(e.context.authCookies.sessionToken.name,e.context.secret);if(!t)throw V(e),new ar("BAD_REQUEST",{message:"Session not found"});return await e.context.internalAdapter.deleteSession(t),V(e),e.json({success:!0})});import{z as X}from"zod";import{APIError as uo}from"better-call";function li(e,t,i){let o=t?new URL(t,e.baseURL):new URL(`${e.baseURL}/error`);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}function dr(e,t,i){let o=new URL(t,e.baseURL);return i&&Object.entries(i).forEach(([r,n])=>o.searchParams.set(r,n)),o.href}var ri=c("/forget-password",{method:"POST",body:X.object({email:X.string({description:"The email address of the user to send a password reset email to"}).email(),redirectTo:X.string({description:"The URL to redirect the user to reset their password. If the token isn't valid or expired, it'll be redirected with a query parameter `?error=INVALID_TOKEN`. If the token is valid, it'll be redirected with a query parameter `?token=VALID_TOKEN"}).optional()}),metadata:{openapi:{description:"Send a password reset email to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.emailAndPassword?.sendResetPassword)throw e.context.logger.error("Reset password isn't enabled.Please pass an emailAndPassword.sendResetPasswordToken function in your auth config!"),new uo("BAD_REQUEST",{message:"Reset password isn't enabled"});let{email:t,redirectTo:i}=e.body,o=await e.context.internalAdapter.findUserByEmail(t,{includeAccounts:!0});if(!o)return e.context.logger.error("Reset Password: User not found",{email:t}),e.json({status:!1},{body:{status:!0}});let r=60*60*1,n=I(e.context.options.emailAndPassword.resetPasswordTokenExpiresIn||r,"sec"),a=L(24);await e.context.internalAdapter.createVerificationValue({value:o.user.id,identifier:`reset-password:${a}`,expiresAt:n});let s=`${e.context.baseURL}/reset-password/${a}?callbackURL=${i}`;return await e.context.options.emailAndPassword.sendResetPassword({user:o.user,url:s,token:a},e.request),e.json({status:!0})}),ni=c("/reset-password/:token",{method:"GET",query:X.object({callbackURL:X.string({description:"The URL to redirect the user to reset their password"})}),metadata:{openapi:{description:"Redirects the user to the callback URL with the token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async e=>{let{token:t}=e.params,{callbackURL:i}=e.query;if(!t||!i)throw e.redirect(li(e.context,i,{error:"INVALID_TOKEN"}));let o=await e.context.internalAdapter.findVerificationValue(`reset-password:${t}`);throw!o||o.expiresAt<new Date?e.redirect(li(e.context,i,{error:"INVALID_TOKEN"})):e.redirect(dr(e.context,i,{token:t}))}),si=c("/reset-password",{query:X.optional(X.object({token:X.string().optional(),currentURL:X.string().optional()})),method:"POST",body:X.object({newPassword:X.string({description:"The new password to set"}),token:X.string({description:"The token to reset the password"}).optional()}),metadata:{openapi:{description:"Reset the password for a user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async e=>{let t=e.body.token||e.query?.token||(e.query?.currentURL?new URL(e.query.currentURL).searchParams.get("token"):"");if(!t)throw new uo("BAD_REQUEST",{message:"Token not found"});let{newPassword:i}=e.body,o=`reset-password:${t}`,r=await e.context.internalAdapter.findVerificationValue(o);if(!r||r.expiresAt<new Date)throw new uo("BAD_REQUEST",{message:"Invalid token"});await e.context.internalAdapter.deleteVerificationValue(r.id);let n=r.value,a=await e.context.password.hash(i);return(await e.context.internalAdapter.findAccounts(n)).find(A=>A.providerId==="credential")?(await e.context.internalAdapter.updatePassword(n,a),e.json({status:!0})):(await e.context.internalAdapter.createAccount({userId:n,providerId:"credential",password:a,accountId:n}),e.json({status:!0}))});import{z as _}from"zod";import{APIError as Z}from"better-call";var ai=()=>c("/update-user",{method:"POST",body:_.record(_.string(),_.any()),use:[v],metadata:{openapi:{description:"Update the current user",requestBody:{content:{"application/json":{schema:{type:"object",properties:{name:{type:"string",description:"The name of the user"},image:{type:"string",description:"The image of the user"}}}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"}}}}}}}}}},async e=>{let t=e.body;if(t.email)throw new Z("BAD_REQUEST",{message:"You can't update email"});let{name:i,image:o,...r}=t,n=e.context.session;if(!o&&!i&&Object.keys(r).length===0)return e.json({user:n.user});let a=$e(e.context.options,r,"update"),s=await e.context.internalAdapter.updateUserByEmail(n.user.email,{name:i,image:o,...a});return await m(e,{session:n.session,user:s}),e.json({user:s})}),di=c("/change-password",{method:"POST",body:_.object({newPassword:_.string({description:"The new password to set"}),currentPassword:_.string({description:"The current password"}),revokeOtherSessions:_.boolean({description:"Revoke all other sessions"}).optional()}),use:[v],metadata:{openapi:{description:"Change the password of the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{description:"The user object",$ref:"#/components/schemas/User"}}}}}}}}}},async e=>{let{newPassword:t,currentPassword:i,revokeOtherSessions:o}=e.body,r=e.context.session,n=e.context.password.config.minPasswordLength;if(t.length<n)throw e.context.logger.error("Password is too short"),new Z("BAD_REQUEST",{message:"Password is too short"});let a=e.context.password.config.maxPasswordLength;if(t.length>a)throw e.context.logger.error("Password is too long"),new Z("BAD_REQUEST",{message:"Password too long"});let d=(await e.context.internalAdapter.findAccounts(r.user.id)).find(u=>u.providerId==="credential"&&u.password);if(!d||!d.password)throw new Z("BAD_REQUEST",{message:"User does not have a password"});let A=await e.context.password.hash(t);if(!await e.context.password.verify(d.password,i))throw new Z("BAD_REQUEST",{message:"Incorrect password"});if(await e.context.internalAdapter.updateAccount(d.id,{password:A}),o){await e.context.internalAdapter.deleteSessions(r.user.id);let u=await e.context.internalAdapter.createSession(r.user.id,e.headers);if(!u)throw new Z("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});await m(e,{session:u,user:r.user})}return e.json(r.user)}),Ai=c("/set-password",{method:"POST",body:_.object({newPassword:_.string()}),metadata:{SERVER_ONLY:!0},use:[v]},async e=>{let{newPassword:t}=e.body,i=e.context.session,o=e.context.password.config.minPasswordLength;if(t.length<o)throw e.context.logger.error("Password is too short"),new Z("BAD_REQUEST",{message:"Password is too short"});let r=e.context.password.config.maxPasswordLength;if(t.length>r)throw e.context.logger.error("Password is too long"),new Z("BAD_REQUEST",{message:"Password too long"});let a=(await e.context.internalAdapter.findAccounts(i.user.id)).find(d=>d.providerId==="credential"&&d.password),s=await e.context.password.hash(t);if(!a)return await e.context.internalAdapter.linkAccount({userId:i.user.id,providerId:"credential",accountId:i.user.id,password:s}),e.json(i.user);throw new Z("BAD_REQUEST",{message:"user already has a password"})}),ci=c("/delete-user",{method:"POST",body:_.object({password:_.string({description:"The password of the user"})}),use:[Re],metadata:{openapi:{description:"Delete the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object"}}}}}}}},async e=>{let t=e.context.session;return await e.context.internalAdapter.deleteUser(t.user.id),await e.context.internalAdapter.deleteSessions(t.user.id),V(e),e.json(null)}),Ki=c("/change-email",{method:"POST",query:_.object({currentURL:_.string().optional()}).optional(),body:_.object({newEmail:_.string({description:"The new email to set"}).email(),callbackURL:_.string({description:"The URL to redirect to after email verification"}).optional()}),use:[v],metadata:{openapi:{responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{type:"object"},status:{type:"boolean"}}}}}}}}}},async e=>{if(!e.context.options.user?.changeEmail?.enabled)throw e.context.logger.error("Change email is disabled."),new Z("BAD_REQUEST",{message:"Change email is disabled"});if(e.body.newEmail===e.context.session.user.email)throw e.context.logger.error("Email is the same"),new Z("BAD_REQUEST",{message:"Email is the same"});if(await e.context.internalAdapter.findUserByEmail(e.body.newEmail))throw e.context.logger.error("Email already exists"),new Z("BAD_REQUEST",{message:"Couldn't update your email"});if(e.context.session.user.emailVerified!==!0){let r=await e.context.internalAdapter.updateUserByEmail(e.context.session.user.email,{email:e.body.newEmail});return e.json({user:r,status:!0})}if(!e.context.options.user.changeEmail.sendChangeEmailVerification)throw e.context.logger.error("Verification email isn't enabled."),new Z("BAD_REQUEST",{message:"Verification email isn't enabled"});let i=await se(e.context.secret,e.context.session.user.email,e.body.newEmail),o=`${e.context.baseURL}/verify-email?token=${i}&callbackURL=${e.body.callbackURL||e.query?.currentURL||"/"}`;return await e.context.options.user.changeEmail.sendChangeEmailVerification({user:e.context.session.user,newEmail:e.body.newEmail,url:o,token:i},e.request),e.json({user:null,status:!0})});import{z as Se}from"zod";import{APIError as gi}from"better-call";var pi=c("/list-accounts",{method:"GET",use:[v],metadata:{openapi:{description:"List all accounts linked to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{type:"object",properties:{id:{type:"string"},provider:{type:"string"}}}}}}}}}}},async e=>{let t=e.context.session,i=await e.context.internalAdapter.findAccounts(t.user.id);return e.json(i.map(o=>({id:o.id,provider:o.providerId})))}),ui=c("/link-social",{method:"POST",requireHeaders:!0,query:Se.object({currentURL:Se.string().optional()}).optional(),body:Se.object({callbackURL:Se.string({description:"The URL to redirect to after the user has signed in"}).optional(),provider:Se.enum(Qe,{description:"The OAuth2 provider to use"})}),use:[v],metadata:{openapi:{description:"Link a social account to the user",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}},required:["url","redirect"]}}}}}}}},async e=>{let t=e.context.session;if((await e.context.internalAdapter.findAccounts(t.user.id)).find(s=>s.providerId===e.body.provider))throw new gi("BAD_REQUEST",{message:"Social Account is already linked."});let r=e.context.socialProviders.find(s=>s.id===e.body.provider);if(!r)throw e.context.logger.error("Provider not found. Make sure to add the provider in your auth config",{provider:e.body.provider}),new gi("NOT_FOUND",{message:"Provider not found"});let n=await fe(e,{userId:t.user.id,email:t.user.email}),a=await r.createAuthorizationURL({state:n.state,codeVerifier:n.codeVerifier,redirectURI:`${e.context.baseURL}/callback/${r.id}`});return e.json({url:a.toString(),redirect:!0})});var mi=(e,t)=>{let i={};for(let[o,r]of Object.entries(e))i[o]=n=>r({...n,context:{...t,...n.context}}),i[o].path=r.path,i[o].method=r.method,i[o].options=r.options,i[o].headers=r.headers;return i};function Ge(e){let t=e;return{newRole(i){return Ar(i)}}}function Ar(e){return{statements:e,authorize(t,i){for(let[o,r]of Object.entries(t)){let n=e[o];return n?(i==="OR"?r.some(s=>n.includes(s)):r.every(s=>n.includes(s)))?{success:!0}:{success:!1,error:`Unauthorized to access resource "${o}"`}:{success:!1,error:`You are not allowed to access resource: ${o}`}}return{success:!1,error:"Not authorized"}}}}var cr={organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]},lo=Ge(cr),Kr=lo.newRole({organization:["update"],invitation:["create","cancel"],member:["create","update","delete"]}),pr=lo.newRole({organization:["update","delete"],member:["create","update","delete"],invitation:["create","cancel"]}),ur=lo.newRole({organization:[],member:[],invitation:[]}),fi={admin:Kr,owner:pr,member:ur};var j=(e,t)=>{let i=e.adapter;return{findOrganizationBySlug:async o=>await i.findOne({model:"organization",where:[{field:"slug",value:o}]}),createOrganization:async o=>{let r=await i.create({model:"organization",data:{...o.organization,metadata:o.organization.metadata?JSON.stringify(o.organization.metadata):void 0}}),n=await i.create({model:"member",data:{organizationId:r.id,userId:o.user.id,createdAt:new Date,role:t?.creatorRole||"owner"}});return{...r,metadata:r.metadata?JSON.parse(r.metadata):void 0,members:[{...n,user:{id:o.user.id,name:o.user.name,email:o.user.email,image:o.user.image}}]}},findMemberByEmail:async o=>{let r=await i.findOne({model:"user",where:[{field:"email",value:o.email}]});if(!r)return null;let n=await i.findOne({model:"member",where:[{field:"organizationId",value:o.organizationId},{field:"userId",value:r.id}]});return n?{...n,user:{id:r.id,name:r.name,email:r.email,image:r.image}}:null},findMemberByOrgId:async o=>{let[r,n]=await Promise.all([await i.findOne({model:"member",where:[{field:"userId",value:o.userId},{field:"organizationId",value:o.organizationId}]}),await i.findOne({model:"user",where:[{field:"id",value:o.userId}]})]);return!n||!r?null:{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}},findMemberById:async o=>{let r=await i.findOne({model:"member",where:[{field:"id",value:o}]});if(!r)return null;let n=await i.findOne({model:"user",where:[{field:"id",value:r.userId}]});return n?{...r,user:{id:n.id,name:n.name,email:n.email,image:n.image}}:null},createMember:async o=>await i.create({model:"member",data:o}),updateMember:async(o,r)=>await i.update({model:"member",where:[{field:"id",value:o}],update:{role:r}}),deleteMember:async o=>await i.delete({model:"member",where:[{field:"id",value:o}]}),updateOrganization:async(o,r)=>await i.update({model:"organization",where:[{field:"id",value:o}],update:r}),deleteOrganization:async o=>(await i.delete({model:"member",where:[{field:"organizationId",value:o}]}),await i.delete({model:"invitation",where:[{field:"organizationId",value:o}]}),await i.delete({model:"organization",where:[{field:"id",value:o}]}),o),setActiveOrganization:async(o,r)=>await e.internalAdapter.updateSession(o,{activeOrganizationId:r}),findOrganizationById:async o=>await i.findOne({model:"organization",where:[{field:"id",value:o}]}),findFullOrganization:async o=>{let[r,n,a]=await Promise.all([i.findOne({model:"organization",where:[{field:"id",value:o}]}),i.findMany({model:"invitation",where:[{field:"organizationId",value:o}]}),i.findMany({model:"member",where:[{field:"organizationId",value:o}]})]);if(!r)return null;let s=a.map(u=>u.userId),d=await i.findMany({model:"user",where:[{field:"id",value:s,operator:"in"}]}),A=new Map(d.map(u=>[u.id,u])),K=a.map(u=>{let p=A.get(u.userId);if(!p)throw new W("Unexpected error: User not found for member");return{...u,user:{id:p.id,name:p.name,email:p.email,image:p.image}}});return{...r,invitations:n,members:K}},listOrganizations:async o=>{let r=await i.findMany({model:"member",where:[{field:"userId",value:o}]});if(!r||r.length===0)return[];let n=r.map(s=>s.organizationId);return await i.findMany({model:"organization",where:[{field:"id",value:n,operator:"in"}]})},createInvitation:async({invitation:o,user:r})=>{let a=I(t?.invitationExpiresIn||1728e5);return await i.create({model:"invitation",data:{email:o.email,role:o.role,organizationId:o.organizationId,status:"pending",expiresAt:a,inviterId:r.id}})},findInvitationById:async o=>await i.findOne({model:"invitation",where:[{field:"id",value:o}]}),findPendingInvitation:async o=>(await i.findMany({model:"invitation",where:[{field:"email",value:o.email},{field:"organizationId",value:o.organizationId},{field:"status",value:"pending"}]})).filter(n=>new Date(n.expiresAt)>new Date),updateInvitation:async o=>await i.update({model:"invitation",where:[{field:"id",value:o.invitationId}],update:{status:o.status}})}};import"better-call";var z=U(async e=>({})),F=U({use:[v]},async e=>({session:e.context.session}));import{z as G}from"zod";import{z as E}from"zod";var hi=E.string(),lr=E.enum(["pending","accepted","rejected","canceled"]).default("pending"),tc=E.object({id:E.string().default(L),name:E.string(),slug:E.string(),logo:E.string().nullish(),metadata:E.record(E.string()).or(E.string().transform(e=>JSON.parse(e))).nullish(),createdAt:E.date()}),rc=E.object({id:E.string().default(L),organizationId:E.string(),userId:E.string(),role:hi,createdAt:E.date()}),nc=E.object({id:E.string().default(L),organizationId:E.string(),email:E.string(),role:hi,status:lr,inviterId:E.string(),expiresAt:E.date()});import{APIError as B}from"better-call";var yi=e=>c("/organization/invite-member",{method:"POST",use:[z,F],body:G.object({email:G.string({description:"The email address of the user to invite"}),role:G.string({description:"The role to assign to the user"}),organizationId:G.string({description:"The organization ID to invite the user to"}).optional(),resend:G.boolean({description:"Resend the invitation email, if the user is already invited"}).optional()}),metadata:{openapi:{description:"Invite a user to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt"]}}}}}}}},async t=>{if(!t.context.orgOptions.sendInvitationEmail)throw t.context.logger.warn("Invitation email is not enabled. Pass `sendInvitationEmail` to the plugin options to enable it."),new B("BAD_REQUEST",{message:"Invitation email is not enabled"});let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)throw new B("BAD_REQUEST",{message:"Organization not found"});let r=j(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)throw new B("BAD_REQUEST",{message:"Member not found!"});let a=t.context.roles[n.role];if(!a)throw new B("BAD_REQUEST",{message:"Role not found!"});if(a.authorize({invitation:["create"]}).error)throw new B("FORBIDDEN",{message:"You are not allowed to invite members"});if(await r.findMemberByEmail({email:t.body.email,organizationId:o}))throw new B("BAD_REQUEST",{message:"User is already a member of this organization"});if((await r.findPendingInvitation({email:t.body.email,organizationId:o})).length&&!t.body.resend)throw new B("BAD_REQUEST",{message:"User is already invited to this organization"});let K=await r.createInvitation({invitation:{role:t.body.role,email:t.body.email,organizationId:o},user:i.user}),u=await r.findOrganizationById(o);if(!u)throw new B("BAD_REQUEST",{message:"Organization not found"});return await t.context.orgOptions.sendInvitationEmail?.({id:K.id,role:K.role,email:K.email,organization:u,inviter:{...n,user:i.user}},t.request),t.json(K)}),wi=c("/organization/accept-invitation",{method:"POST",body:G.object({invitationId:G.string({description:"The ID of the invitation to accept"})}),use:[z,F],metadata:{openapi:{description:"Accept an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"object"}}}}}}}}}},async e=>{let t=e.context.session,i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"accepted"}),n=await i.createMember({organizationId:o.organizationId,userId:t.user.id,role:o.role,createdAt:new Date});return await i.setActiveOrganization(t.session.token,o.organizationId),r?e.json({invitation:r,member:n}):e.json(null,{status:400,body:{message:"Invitation not found!"}})}),Ci=c("/organization/reject-invitation",{method:"POST",body:G.object({invitationId:G.string({description:"The ID of the invitation to reject"})}),use:[z,F],metadata:{openapi:{description:"Reject an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"},member:{type:"null"}}}}}}}}}},async e=>{let t=e.context.session,i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o||o.expiresAt<new Date||o.status!=="pending")throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.updateInvitation({invitationId:e.body.invitationId,status:"rejected"});return e.json({invitation:r,member:null})}),bi=c("/organization/cancel-invitation",{method:"POST",body:G.object({invitationId:G.string({description:"The ID of the invitation to cancel"})}),use:[z,F],openapi:{description:"Cancel an invitation to an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{invitation:{type:"object"}}}}}}}}},async e=>{let t=e.context.session,i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.body.invitationId);if(!o)throw new B("BAD_REQUEST",{message:"Invitation not found!"});let r=await i.findMemberByOrgId({userId:t.user.id,organizationId:o.organizationId});if(!r)throw new B("BAD_REQUEST",{message:"Member not found!"});if(e.context.roles[r.role].authorize({invitation:["cancel"]}).error)throw new B("FORBIDDEN",{message:"You are not allowed to cancel this invitation"});let a=await i.updateInvitation({invitationId:e.body.invitationId,status:"canceled"});return e.json(a)}),vi=c("/organization/get-invitation",{method:"GET",use:[z],requireHeaders:!0,query:G.object({id:G.string({description:"The ID of the invitation to get"})}),metadata:{openapi:{description:"Get an invitation by ID",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},email:{type:"string"},role:{type:"string"},organizationId:{type:"string"},inviterId:{type:"string"},status:{type:"string"},expiresAt:{type:"string"},organizationName:{type:"string"},organizationSlug:{type:"string"},inviterEmail:{type:"string"}},required:["id","email","role","organizationId","inviterId","status","expiresAt","organizationName","organizationSlug","inviterEmail"]}}}}}}}},async e=>{let t=await R(e);if(!t)throw new B("UNAUTHORIZED",{message:"Not authenticated"});let i=j(e.context,e.context.orgOptions),o=await i.findInvitationById(e.query.id);if(!o||o.status!=="pending"||o.expiresAt<new Date)throw new B("BAD_REQUEST",{message:"Invitation not found!"});if(o.email!==t.user.email)throw new B("FORBIDDEN",{message:"You are not the recipient of the invitation"});let r=await i.findOrganizationById(o.organizationId);if(!r)throw new B("BAD_REQUEST",{message:"Organization not found"});let n=await i.findMemberByOrgId({userId:o.inviterId,organizationId:o.organizationId});if(!n)throw new B("BAD_REQUEST",{message:"Inviter is no longer a member of the organization"});return e.json({...o,organizationName:r.name,organizationSlug:r.slug,inviterEmail:n.user.email})});import{z as oe}from"zod";import{APIError as ue}from"better-call";var ki=()=>c("/organization/add-member",{method:"POST",body:oe.object({userId:oe.string(),role:oe.string(),organizationId:oe.string().optional()}),use:[z],metadata:{SERVER_ONLY:!0}},async e=>{let t=e.body.userId?await R(e).catch(s=>null):null,i=e.body.organizationId||t?.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=j(e.context,e.context.orgOptions),r=await e.context.internalAdapter.findUserById(e.body.userId);if(!r)throw new ue("BAD_REQUEST",{message:"User not found!"});if(await o.findMemberByEmail({email:r.email,organizationId:i}))throw new ue("BAD_REQUEST",{message:"User is already a member of this organization"});let a=await o.createMember({id:L(),organizationId:i,userId:r.id,role:e.body.role,createdAt:new Date});return e.json(a)}),Ti=c("/organization/remove-member",{method:"POST",body:oe.object({memberIdOrEmail:oe.string({description:"The ID or email of the member to remove"}),organizationId:oe.string({description:"The ID of the organization to remove the member from. If not provided, the active organization will be used"}).optional()}),use:[z,F],metadata:{openapi:{description:"Remove a member from an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async e=>{let t=e.context.session,i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let o=j(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)throw new ue("BAD_REQUEST",{message:"Member not found!"});let n=e.context.roles[r.role];if(!n)throw new ue("BAD_REQUEST",{message:"Role not found!"});let a=t.user.email===e.body.memberIdOrEmail||r.id===e.body.memberIdOrEmail;if(a&&r.role===(e.context.orgOptions?.creatorRole||"owner"))throw new ue("BAD_REQUEST",{message:"You cannot leave the organization as the owner"});if(!(a||n.authorize({member:["delete"]}).success))throw new ue("UNAUTHORIZED",{message:"You are not allowed to delete this member"});let A=null;if(e.body.memberIdOrEmail.includes("@")?A=await o.findMemberByEmail({email:e.body.memberIdOrEmail,organizationId:i}):A=await o.findMemberById(e.body.memberIdOrEmail),A?.organizationId!==i)throw new ue("BAD_REQUEST",{message:"Member not found!"});return await o.deleteMember(A.id),t.user.id===A.userId&&t.session.activeOrganizationId===A.organizationId&&await o.setActiveOrganization(t.session.token,null),e.json({member:A})}),Oi=e=>c("/organization/update-member-role",{method:"POST",body:oe.object({role:oe.string(),memberId:oe.string(),organizationId:oe.string().optional()}),use:[z,F],metadata:{openapi:{description:"Update the role of a member in an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{member:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}},required:["member"]}}}}}}}},async t=>{let i=t.context.session,o=t.body.organizationId||i.session.activeOrganizationId;if(!o)return t.json(null,{status:400,body:{message:"No active organization found!"}});let r=j(t.context,t.context.orgOptions),n=await r.findMemberByOrgId({userId:i.user.id,organizationId:o});if(!n)return t.json(null,{status:400,body:{message:"Member not found!"}});let a=t.context.roles[n.role];if(!a)return t.json(null,{status:400,body:{message:"Role not found!"}});if(a.authorize({member:["update"]}).error||t.body.role==="owner"&&n.role!=="owner")return t.json(null,{body:{message:"You are not allowed to update this member"},status:403});let d=await r.updateMember(t.body.memberId,t.body.role);return d?t.json(d):t.json(null,{status:400,body:{message:"Member not found!"}})}),Ii=c("/organization/get-active-member",{method:"GET",use:[z,F],metadata:{openapi:{description:"Get the active member in the organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{id:{type:"string"},userId:{type:"string"},organizationId:{type:"string"},role:{type:"string"}},required:["id","userId","organizationId","role"]}}}}}}}},async e=>{let t=e.context.session,i=t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"No active organization found!"}});let r=await j(e.context,e.context.orgOptions).findMemberByOrgId({userId:t.user.id,organizationId:i});return r?e.json(r):e.json(null,{status:400,body:{message:"Member not found!"}})});import{z as S}from"zod";import{APIError as le}from"better-call";var Ri=c("/organization/create",{method:"POST",body:S.object({name:S.string({description:"The name of the organization"}),slug:S.string({description:"The slug of the organization"}),userId:S.string({description:"The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server."}).optional(),logo:S.string({description:"The logo of the organization"}).optional(),metadata:S.record(S.string(),S.any(),{description:"The metadata of the organization"}).optional()}),use:[z,F],metadata:{openapi:{description:"Create an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization that was created",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session.user;if(!t)return e.json(null,{status:401});let i=e.context.orgOptions;if(!(typeof i?.allowUserToCreateOrganization=="function"?await i.allowUserToCreateOrganization(t):i?.allowUserToCreateOrganization===void 0?!0:i.allowUserToCreateOrganization))throw new le("FORBIDDEN",{message:"You are not allowed to create an organization"});let r=j(e.context,i),n=await r.listOrganizations(t.id);if(typeof i.organizationLimit=="number"?n.length>=i.organizationLimit:typeof i.organizationLimit=="function"?await i.organizationLimit(t):!1)throw new le("FORBIDDEN",{message:"You have reached the organization limit"});if(await r.findOrganizationBySlug(e.body.slug))throw new le("BAD_REQUEST",{message:"Organization with this slug already exists"});let d=await r.createOrganization({organization:{id:L(),slug:e.body.slug,name:e.body.name,logo:e.body.logo,createdAt:new Date,metadata:e.body.metadata},user:t});return await r.setActiveOrganization(e.context.session.session.token,d.id),e.json(d)}),Ui=c("/organization/update",{method:"POST",body:S.object({data:S.object({name:S.string({description:"The name of the organization"}).optional(),slug:S.string({description:"The slug of the organization"}).optional(),logo:S.string({description:"The logo of the organization"}).optional()}).partial(),organizationId:S.string().optional()}),requireHeaders:!0,use:[z],metadata:{openapi:{description:"Update an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The updated organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)throw new le("UNAUTHORIZED",{message:"User not found"});let i=e.body.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=j(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["update"]}).error)return e.json(null,{body:{message:"You are not allowed to update this organization"},status:403});let s=await o.updateOrganization(i,e.body.data);return e.json(s)}),Pi=c("/organization/delete",{method:"POST",body:S.object({organizationId:S.string({description:"The organization id to delete"})}),requireHeaders:!0,use:[z],metadata:{openapi:{description:"Delete an organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string",description:"The organization id that was deleted"}}}}}}}},async e=>{let t=await e.context.getSession(e);if(!t)return e.json(null,{status:401});let i=e.body.organizationId;if(!i)return e.json(null,{status:400,body:{message:"Organization id not found!"}});let o=j(e.context,e.context.orgOptions),r=await o.findMemberByOrgId({userId:t.user.id,organizationId:i});if(!r)return e.json(null,{status:400,body:{message:"User is not a member of this organization!"}});let n=e.context.roles[r.role];if(!n)return e.json(null,{status:400,body:{message:"Role not found!"}});if(n.authorize({organization:["delete"]}).error)throw new le("FORBIDDEN",{message:"You are not allowed to delete this organization"});return i===t.session.activeOrganizationId&&await o.setActiveOrganization(t.session.token,null),await o.deleteOrganization(i),e.json(i)}),Ei=c("/organization/get-full-organization",{method:"GET",query:S.optional(S.object({organizationId:S.string({description:"The organization id to get"}).optional()})),requireHeaders:!0,use:[z,F],metadata:{openapi:{description:"Get the full organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=e.context.session,i=e.query?.organizationId||t.session.activeOrganizationId;if(!i)return e.json(null,{status:200});let r=await j(e.context,e.context.orgOptions).findFullOrganization(i);if(!r)throw new le("BAD_REQUEST",{message:"Organization not found"});return e.json(r)}),Si=c("/organization/set-active",{method:"POST",body:S.object({organizationId:S.string({description:"The organization id to set as active. Can be null to unset the active organization"}).nullable().optional()}),use:[F,z],metadata:{openapi:{description:"Set the active organization",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",description:"The organization",$ref:"#/components/schemas/Organization"}}}}}}}},async e=>{let t=j(e.context,e.context.orgOptions),i=e.context.session,o=e.body.organizationId;if(o===null){if(!i.session.activeOrganizationId)return e.json(null);let d=await t.setActiveOrganization(i.session.token,null);return await m(e,{session:d,user:i.user}),e.json(null)}if(!o){let s=i.session.activeOrganizationId;if(!s)return e.json(null);o=s}if(!await t.findMemberByOrgId({userId:i.user.id,organizationId:o}))throw await t.setActiveOrganization(i.session.token,null),new le("FORBIDDEN",{message:"You are not a member of this organization"});let n=await t.setActiveOrganization(i.session.token,o);await m(e,{session:n,user:i.user});let a=await t.findFullOrganization(o);return e.json(a)}),Di=c("/organization/list",{method:"GET",use:[z,F],metadata:{openapi:{description:"List all organizations",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"array",items:{$ref:"#/components/schemas/Organization"}}}}}}}}},async e=>{let i=await j(e.context,e.context.orgOptions).listOrganizations(e.context.session.user.id);return e.json(i)});var gr=Ge({name:["action"]}),Vc=gr.newRole({name:["action"]}),qc=e=>{let t={createOrganization:Ri,updateOrganization:Ui,deleteOrganization:Pi,setActiveOrganization:Si,getFullOrganization:Ei,listOrganizations:Di,createInvitation:yi(e),cancelInvitation:bi,acceptInvitation:wi,getInvitation:vi,rejectInvitation:Ci,addMember:ki(),removeMember:Ti,updateMemberRole:Oi(e),getActiveMember:Ii},i={...fi,...e?.roles};return{id:"organization",endpoints:{...mi(t,{orgOptions:e||{},roles:i,getSession:async r=>await R(r)}),hasPermission:c("/organization/has-permission",{method:"POST",requireHeaders:!0,body:De.object({permission:De.record(De.string(),De.array(De.string()))}),use:[F],metadata:{openapi:{description:"Check if the user has permission",requestBody:{content:{"application/json":{schema:{type:"object",properties:{permission:{type:"object",description:"The permission to check"}},required:["permission"]}}}},responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{error:{type:"string"},success:{type:"boolean"}},required:["success"]}}}}}}}},async r=>{if(!r.context.session.session.activeOrganizationId)throw new xi("BAD_REQUEST",{message:"No active organization"});let a=await j(r.context).findMemberByOrgId({userId:r.context.session.user.id,organizationId:r.context.session.session.activeOrganizationId||""});if(!a)throw new xi("UNAUTHORIZED",{message:"You are not a member of this organization"});let d=i[a.role].authorize(r.body.permission);return d.error?r.json({error:d.error,success:!1},{status:403}):r.json({error:null,success:!0})})},schema:{session:{fields:{activeOrganizationId:{type:"string",required:!1,fieldName:e?.schema?.session?.fields?.activeOrganizationId}}},organization:{modelName:e?.schema?.organization?.modelName,fields:{name:{type:"string",required:!0,fieldName:e?.schema?.organization?.fields?.name},slug:{type:"string",unique:!0,fieldName:e?.schema?.organization?.fields?.slug},logo:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.logo},createdAt:{type:"date",required:!0,fieldName:e?.schema?.organization?.fields?.createdAt},metadata:{type:"string",required:!1,fieldName:e?.schema?.organization?.fields?.metadata}}},member:{modelName:e?.schema?.member?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.member?.fields?.organizationId},userId:{type:"string",required:!0,fieldName:e?.schema?.member?.fields?.userId,references:{model:"user",field:"id"}},role:{type:"string",required:!0,defaultValue:"member",fieldName:e?.schema?.member?.fields?.role},createdAt:{type:"date",required:!0,fieldName:e?.schema?.member?.fields?.createdAt}}},invitation:{modelName:e?.schema?.invitation?.modelName,fields:{organizationId:{type:"string",required:!0,references:{model:"organization",field:"id"},fieldName:e?.schema?.invitation?.fields?.organizationId},email:{type:"string",required:!0,fieldName:e?.schema?.invitation?.fields?.email},role:{type:"string",required:!1,fieldName:e?.schema?.invitation?.fields?.role},status:{type:"string",required:!0,defaultValue:"pending",fieldName:e?.schema?.invitation?.fields?.status},expiresAt:{type:"date",required:!0,fieldName:e?.schema?.invitation?.fields?.expiresAt},inviterId:{type:"string",references:{model:"user",field:"id"},fieldName:e?.schema?.invitation?.fields?.inviterId,required:!0}}}},$Infer:{Organization:{},Invitation:{},Member:{},ActiveOrganization:{}}}};import ji from"uncrypto";function mr(e){return e.toString(2).padStart(8,"0")}function fr(e){return[...e].map(t=>mr(t)).join("")}function Bi(e){return parseInt(fr(e),2)}function hr(e){if(e<0||!Number.isInteger(e))throw new Error("Argument 'max' must be an integer greater than or equal to 0");let t=(e-1).toString(2).length,i=t%8,o=new Uint8Array(Math.ceil(t/8));ji.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1);let r=Bi(o);for(;r>=e;)ji.getRandomValues(o),i!==0&&(o[0]&=(1<<i)-1),r=Bi(o);return r}function M(e,t){let i="";for(let o=0;o<e;o++)i+=t[hr(t.length)];return i}function H(...e){let t=new Set(e),i="";for(let o of t)o==="a-z"?i+="abcdefghijklmnopqrstuvwxyz":o==="A-Z"?i+="ABCDEFGHIJKLMNOPQRSTUVWXYZ":o==="0-9"?i+="0123456789":i+=o;return i}import{z as eo}from"zod";import{xchacha20poly1305 as Ni}from"@noble/ciphers/chacha";import{bytesToHex as yr,hexToBytes as wr,utf8ToBytes as Cr}from"@noble/ciphers/utils";import{managedNonce as Li}from"@noble/ciphers/webcrypto";import{sha256 as _i}from"oslo/crypto";import zi from"uncrypto";import{decodeHex as Wc,encodeHex as Jc}from"oslo/encoding";import{scryptAsync as eK}from"@noble/hashes/scrypt";import{getRandomValues as iK}from"uncrypto";async function xe(e,t){let i=new TextEncoder,o={name:"HMAC",hash:"SHA-256"},r=await zi.subtle.importKey("raw",i.encode(e),o,!1,["sign","verify"]),n=await zi.subtle.sign(o.name,r,i.encode(t));return btoa(String.fromCharCode(...new Uint8Array(n)))}var de=async({key:e,data:t})=>{let i=await _i(new TextEncoder().encode(e)),o=Cr(t),r=Li(Ni)(new Uint8Array(i));return yr(r.encrypt(o))},pe=async({key:e,data:t})=>{let i=await _i(new TextEncoder().encode(e)),o=wr(t),r=Li(Ni)(new Uint8Array(i));return new TextDecoder().decode(r.decrypt(o))};import{z as Ae}from"zod";import{APIError as je}from"better-call";var We="two_factor";var Je="trust_device";import{z as Fi}from"zod";var ge=U({body:Fi.object({trustDevice:Fi.boolean().optional()})},async e=>{let t=await R(e);if(!t){let i=e.context.createAuthCookie(We),o=await e.getSignedCookie(i.name,e.context.secret);if(!o)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let r=await e.context.internalAdapter.findUserById(o);if(!r)throw new je("UNAUTHORIZED",{message:"invalid two factor cookie"});let n=await e.context.internalAdapter.createSession(o,e.request);if(!n)throw new je("INTERNAL_SERVER_ERROR",{message:"failed to create session"});return{valid:async()=>{if(await m(e,{session:n,user:r}),e.body.trustDevice){let a=e.context.createAuthCookie(Je,{maxAge:2592e3}),s=await xe(e.context.secret,`${r.id}!${n.token}`);await e.setSignedCookie(a.name,`${s}!${n.token}`,e.context.secret,a.attributes)}return e.json({session:n,user:r})},invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:{id:n.token,userId:n.userId,expiresAt:n.expiresAt,user:r}}}return{valid:async()=>e.json({session:t,user:t.user}),invalid:async()=>{throw new je("UNAUTHORIZED",{message:"invalid two factor authentication"})},session:t}});import{APIError as Be}from"better-call";function br(e){return Array.from({length:e?.amount??10}).fill(null).map(()=>M(e?.length??10,H("a-z","0-9"))).map(t=>`${t.slice(0,5)}-${t.slice(5)}`)}async function go(e,t){let i=e,o=t?.customBackupCodesGenerate?t.customBackupCodesGenerate():br(),r=await de({data:JSON.stringify(o),key:i});return{backupCodes:o,encryptedBackupCodes:r}}async function vr(e,t){let i=await Vi(e.backupCodes,t);return i?{status:i.includes(e.code),updated:i.filter(o=>o!==e.code)}:{status:!1,updated:null}}async function Vi(e,t){let i=Buffer.from(await pe({key:t,data:e})).toString("utf-8"),o=JSON.parse(i),r=Ae.array(Ae.string()).safeParse(o);return r.success?r.data:null}var qi=(e,t)=>({id:"backup_code",endpoints:{verifyBackupCode:c("/two-factor/verify-backup-code",{method:"POST",body:Ae.object({code:Ae.string(),disableSession:Ae.boolean().optional()}),use:[ge]},async i=>{let o=i.context.session.user,r=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:o.id}]});if(!r)throw new Be("BAD_REQUEST",{message:"Backup codes aren't enabled"});let n=await vr({backupCodes:r.backupCodes,code:i.body.code},i.context.secret);if(!n.status)throw new Be("UNAUTHORIZED",{message:"Invalid backup code"});let a=await de({key:i.context.secret,data:JSON.stringify(n.updated)});return await i.context.adapter.update({model:t,update:{backupCodes:a},where:[{field:"userId",value:o.id}]}),i.body.disableSession||await m(i,{session:i.context.session.session,user:o}),i.json({user:o,session:i.context.session})}),generateBackupCodes:c("/two-factor/generate-backup-codes",{method:"POST",body:Ae.object({password:Ae.string()}),use:[v]},async i=>{let o=i.context.session.user;if(!o.twoFactorEnabled)throw new Be("BAD_REQUEST",{message:"Two factor isn't enabled"});await i.context.password.checkPassword(o.id,i);let r=await go(i.context.secret,e);return await i.context.adapter.update({model:t,update:{backupCodes:r.encryptedBackupCodes},where:[{field:"userId",value:i.context.session.user.id}]}),i.json({status:!0,backupCodes:r.backupCodes})}),viewBackupCodes:c("/two-factor/view-backup-codes",{method:"GET",body:Ae.object({userId:Ae.string()}),metadata:{SERVER_ONLY:!0}},async i=>{let o=await i.context.adapter.findOne({model:t,where:[{field:"userId",value:i.body.userId}]});if(!o)throw new Be("BAD_REQUEST",{message:"Backup codes aren't enabled"});let r=await Vi(o.backupCodes,i.context.secret);if(!r)throw new Be("BAD_REQUEST",{message:"Backup codes aren't enabled"});return i.json({status:!0,backupCodes:r})})}});import{APIError as Xe}from"better-call";import{TOTPController as kr}from"oslo/otp";import{z as Mi}from"zod";import{TimeSpan as Tr}from"oslo";var Hi=(e,t)=>{let i={...e,period:new Tr(e?.period||3,"m")},o=new kr({digits:6,period:i.period}),r=c("/two-factor/send-otp",{method:"POST",use:[ge],metadata:{openapi:{summary:"Send two factor OTP",description:"Send two factor OTP to the user",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async a=>{if(!e||!e.sendOTP)throw a.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options."),new Xe("BAD_REQUEST",{message:"otp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Xe("BAD_REQUEST",{message:"OTP isn't enabled"});let A=await o.generate(Buffer.from(d.secret));return await e.sendOTP({user:s,otp:A},a.request),a.json({status:!0})}),n=c("/two-factor/verify-otp",{method:"POST",body:Mi.object({code:Mi.string({description:"The otp code to verify"})}),use:[ge],metadata:{openapi:{summary:"Verify two factor OTP",description:"Verify two factor OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async a=>{let s=a.context.session.user;if(!s.twoFactorEnabled)throw new Xe("BAD_REQUEST",{message:"two factor isn't enabled"});let d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Xe("BAD_REQUEST",{message:"OTP isn't enabled"});return await o.generate(Buffer.from(d.secret))===a.body.code?a.context.valid():a.context.invalid()});return{id:"otp",endpoints:{sendTwoFactorOTP:r,verifyTwoFactorOTP:n}}};import{APIError as Ce}from"better-call";import{TimeSpan as Or}from"oslo";import{TOTPController as Qi,createTOTPKeyURI as Ir}from"oslo/otp";import{z as Ye}from"zod";var $i=(e,t)=>{let i={...e,digits:6,period:new Or(e?.period||30,"s")},o=c("/totp/generate",{method:"POST",use:[v],metadata:{openapi:{summary:"Generate TOTP code",description:"Use this endpoint to generate a TOTP code",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{code:{type:"string"}}}}}}}}}},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});return{code:await new Qi(i).generate(Buffer.from(d.secret))}}),r=c("/two-factor/get-totp-uri",{method:"POST",use:[v],body:Ye.object({password:Ye.string({description:"User password"})}),metadata:{openapi:{summary:"Get TOTP URI",description:"Use this endpoint to get the TOTP URI",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string"}}}}}}}}}},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d||!s.twoFactorEnabled)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});return await a.context.password.checkPassword(s.id,a),{totpURI:Ir(e.issuer||a.context.appName,s.email,Buffer.from(d.secret),i)}}),n=c("/two-factor/verify-totp",{method:"POST",body:Ye.object({code:Ye.string({description:"The otp code to verify"})}),use:[ge],metadata:{openapi:{summary:"Verify two factor TOTP",description:"Verify two factor TOTP",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async a=>{if(!e)throw a.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp"),new Ce("BAD_REQUEST",{message:"totp isn't configured"});let s=a.context.session.user,d=await a.context.adapter.findOne({model:t,where:[{field:"userId",value:s.id}]});if(!d)throw new Ce("BAD_REQUEST",{message:"totp isn't enabled"});let A=new Qi(i),K=await pe({key:a.context.secret,data:d.secret}),u=Buffer.from(K);if(!await A.verify(a.body.code,u))return a.context.invalid();if(!s.twoFactorEnabled){let l=await a.context.internalAdapter.updateUser(s.id,{twoFactorEnabled:!0}),h=await a.context.internalAdapter.createSession(s.id,a.request,!1,a.context.session.session).catch(k=>{throw console.log(k),k});await a.context.internalAdapter.deleteSession(a.context.session.session.token),await m(a,{session:h,user:l})}return a.context.valid()});return{id:"totp",endpoints:{generateTOTP:o,getTOTPURI:r,verifyTOTP:n}}};import{APIError as WK}from"better-call";async function mo(e,t){let o=(await e.context.internalAdapter.findAccounts(t.userId))?.find(a=>a.providerId==="credential"),r=o?.password;return!o||!r?!1:await e.context.password.verify(r,t.password)}import{APIError as Gi}from"better-call";import{createTOTPKeyURI as Ur}from"oslo/otp";import{TimeSpan as Pr}from"oslo";import{APIError as Rr}from"better-call";var be=async e=>{let t=e.context.returned;return t?t instanceof Response?t.status!==200?null:await t.clone().json():t instanceof Rr?null:t:null};var Zi={user:{fields:{twoFactorEnabled:{type:"boolean",required:!1,defaultValue:!1,input:!1}}},twoFactor:{fields:{secret:{type:"string",required:!0,returned:!1},backupCodes:{type:"string",required:!0,returned:!1},userId:{type:"string",required:!0,returned:!1,references:{model:"user",field:"id"}}}}};var op=e=>({id:"two-factor",$InferServerPlugin:{},atomListeners:[{matcher:t=>t.startsWith("/two-factor/"),signal:"$sessionSignal"}],pathMethods:{"/two-factor/disable":"POST","/two-factor/enable":"POST","/two-factor/send-otp":"POST","/two-factor/generate-backup-codes":"POST"},fetchPlugins:[{id:"two-factor",name:"two-factor",hooks:{async onSuccess(t){t.data?.twoFactorRedirect&&e?.onTwoFactorRedirect&&await e.onTwoFactorRedirect()}}}]});var wp=e=>{let t={twoFactorTable:"twoFactor"},i=$i({issuer:e?.issuer,...e?.totpOptions},t.twoFactorTable),o=qi({...e?.backupCodeOptions},t.twoFactorTable),r=Hi({...e?.otpOptions},t.twoFactorTable);return{id:"two-factor",endpoints:{...i.endpoints,...r.endpoints,...o.endpoints,enableTwoFactor:c("/two-factor/enable",{method:"POST",body:eo.object({password:eo.string({description:"User password"}).min(8)}),use:[v],metadata:{openapi:{summary:"Enable two factor authentication",description:"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{totpURI:{type:"string",description:"TOTP URI"},backupCodes:{type:"array",items:{type:"string"},description:"Backup codes"}}}}}}}}}},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await mo(n,{password:s,userId:a.id}))throw new Gi("BAD_REQUEST",{message:"Invalid password"});let A=M(16,H("a-z","0-9","-")),K=await de({key:n.context.secret,data:A}),u=await go(n.context.secret,e?.backupCodeOptions);if(e?.skipVerificationOnEnable){let l=await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!0}),h=await n.context.internalAdapter.createSession(l.id,n.request,!1,n.context.session.session);await m(n,{session:h,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token)}await n.context.adapter.deleteMany({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]}),await n.context.adapter.create({model:t.twoFactorTable,data:{secret:K,backupCodes:u.encryptedBackupCodes,userId:a.id}});let p=Ur(e?.issuer||"BetterAuth",a.email,Buffer.from(A),{digits:e?.totpOptions?.digits||6,period:new Pr(e?.totpOptions?.period||30,"s")});return n.json({totpURI:p,backupCodes:u.backupCodes})}),disableTwoFactor:c("/two-factor/disable",{method:"POST",body:eo.object({password:eo.string({description:"User password"}).min(8)}),use:[v],metadata:{openapi:{summary:"Disable two factor authentication",description:"Use this endpoint to disable two factor authentication.",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async n=>{let a=n.context.session.user,{password:s}=n.body;if(!await mo(n,{password:s,userId:a.id}))throw new Gi("BAD_REQUEST",{message:"Invalid password"});await n.context.internalAdapter.updateUser(a.id,{twoFactorEnabled:!1}),await n.context.adapter.delete({model:t.twoFactorTable,where:[{field:"userId",value:a.id}]});let A=await n.context.internalAdapter.createSession(a.id,n.request,!1,n.context.session.session);return await m(n,{session:A,user:a}),await n.context.internalAdapter.deleteSession(n.context.session.session.token),n.json({status:!0})})},options:e,hooks:{after:[{matcher(n){return n.path==="/sign-in/email"||n.path==="/sign-in/username"},handler:U(async n=>{let a=await be(n);if(!a||!a.user.twoFactorEnabled)return;let s=n.context.createAuthCookie(Je),d=await n.getSignedCookie(s.name,n.context.secret);if(d){let[K,u]=d.split("!"),p=await xe(n.context.secret,`${a.user.id}!${u}`);if(K===p){let l=await xe(n.context.secret,`${a.user.id}!${a.session.token}`);await n.setSignedCookie(s.name,`${l}!${a.session.token}`,n.context.secret,s.attributes);return}}V(n),await n.context.internalAdapter.deleteSession(a.session.token);let A=n.context.createAuthCookie(We,{maxAge:60*10});return await n.setSignedCookie(A.name,a.user.id,n.context.secret,A.attributes),n.json({twoFactorRedirect:!0})})}]},schema:J(Zi,e?.schema),rateLimit:[{pathMatcher(n){return n.startsWith("/two-factor/")},window:10,max:3}]}};import{generateAuthenticationOptions as Nr,generateRegistrationOptions as Lr,verifyAuthenticationResponse as _r,verifyRegistrationResponse as Fr}from"@simplewebauthn/server";import{APIError as ie}from"better-call";import{z as ce}from"zod";import{WebAuthnError as Dr,startAuthentication as xr,startRegistration as jr}from"@simplewebauthn/browser";import{createFetch as Np}from"@better-fetch/fetch";import"nanostores";import"@better-fetch/fetch";import{atom as Pp}from"nanostores";import"@better-fetch/fetch";import{atom as Er,onMount as Sr}from"nanostores";var fo=(e,t,i,o)=>{let r=Er({data:null,error:null,isPending:!0,isRefetching:!1}),n=()=>{let s=typeof o=="function"?o({data:r.get().data,error:r.get().error,isPending:r.get().isPending}):o;return i(t,{...s,async onSuccess(d){r.set({data:d.data,error:null,isPending:!1,isRefetching:!1}),await s?.onSuccess?.(d)},async onError(d){r.set({error:d.error,data:null,isPending:!1,isRefetching:!1}),await s?.onError?.(d)},async onRequest(d){let A=r.get();r.set({isPending:A.data===null,data:A.data,error:null,isRefetching:!0}),await s?.onRequest?.(d)}})};e=Array.isArray(e)?e:[e];let a=!1;for(let s of e)s.subscribe(()=>{a?n():Sr(r,()=>(n(),a=!0,()=>{r.off(),s.off()}))});return r};import{atom as Br}from"nanostores";var zr=(e,{$listPasskeys:t})=>({signIn:{passkey:async(r,n)=>{let a=await e("/passkey/generate-authenticate-options",{method:"POST",body:{email:r?.email}});if(!a.data)return a;try{let s=await xr(a.data,r?.autoFill||!1),d=await e("/passkey/verify-authentication",{body:{response:s},...r?.fetchOptions,...n,method:"POST"});if(!d.data)return d}catch{return{data:null,error:{message:"auth cancelled",status:400,statusText:"BAD_REQUEST"}}}}},passkey:{addPasskey:async(r,n)=>{let a=await e("/passkey/generate-register-options",{method:"GET"});if(!a.data)return a;try{let s=await jr(a.data),d=await e("/passkey/verify-registration",{...r?.fetchOptions,...n,body:{response:s,name:r?.name},method:"POST"});if(!d.data)return d;t.set(Math.random())}catch(s){return s instanceof Dr?s.code==="ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED"?{data:null,error:{message:"previously registered",status:400,statusText:"BAD_REQUEST"}}:s.code==="ERROR_CEREMONY_ABORTED"?{data:null,error:{message:"registration cancelled",status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s.message,status:400,statusText:"BAD_REQUEST"}}:{data:null,error:{message:s instanceof Error?s.message:"unknown error",status:500,statusText:"INTERNAL_SERVER_ERROR"}}}}},$Infer:{}}),nu=()=>{let e=Br();return{id:"passkey",$InferServerPlugin:{},getActions:t=>zr(t,{$listPasskeys:e}),getAtoms(t){return{listPasskeys:fo(e,"/passkey/list-user-passkeys",t,{method:"GET"}),$listPasskeys:e}},pathMethods:{"/passkey/register":"POST","/passkey/authenticate":"POST"},atomListeners:[{matcher(t){return t==="/passkey/verify-registration"||t==="/passkey/delete-passkey"},signal:"_listPasskeys"}]}};var yu=e=>{let t=Y.BETTER_AUTH_URL,i=e?.rpID||t?.replace("http://","").replace("https://","").split(":")[0]||"localhost";if(!i)throw new W("passkey rpID not found. Please provide a rpID in the options or set the BETTER_AUTH_URL environment variable.");let o={origin:null,...e,rpID:i,advanced:{webAuthnChallengeCookie:"better-auth-passkey",...e?.advanced}},r=new Date(Date.now()+1e3*60*5),n=new Date,a=Math.floor((r.getTime()-n.getTime())/1e3);return{id:"passkey",endpoints:{generatePasskeyRegistrationOptions:c("/passkey/generate-register-options",{method:"GET",use:[Re],metadata:{client:!1,openapi:{description:"Generate registration options for a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},pubKeyCredParams:{type:"array",items:{type:"object",properties:{type:{type:"string"},alg:{type:"number"}}}},timeout:{type:"number"},excludeCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},attestation:{type:"string"},extensions:{type:"object"}}}}}}}}}},async s=>{let d=s.context.session,A=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}),K=new Uint8Array(Buffer.from(M(32,H("a-z","0-9")))),u;u=await Lr({rpName:o.rpName||s.context.appName,rpID:o.rpID,userID:K,userName:d.user.email||d.user.id,attestationType:"none",excludeCredentials:A.map(l=>({id:l.id,transports:l.transports?.split(",")})),authenticatorSelection:{residentKey:"preferred",userVerification:"preferred",authenticatorAttachment:"platform"}});let p=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,p,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:p,value:JSON.stringify({expectedChallenge:u.challenge,userData:{id:d.user.id}}),expiresAt:r}),s.json(u,{status:200})}),generatePasskeyAuthenticationOptions:c("/passkey/generate-authenticate-options",{method:"POST",body:ce.object({email:ce.string({description:"The email address of the user"}).optional()}).optional(),metadata:{openapi:{description:"Generate authentication options for a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{challenge:{type:"string"},rp:{type:"object",properties:{name:{type:"string"},id:{type:"string"}}},user:{type:"object",properties:{id:{type:"string"},name:{type:"string"},displayName:{type:"string"}}},timeout:{type:"number"},allowCredentials:{type:"array",items:{type:"object",properties:{id:{type:"string"},type:{type:"string"},transports:{type:"array",items:{type:"string"}}}}},userVerification:{type:"string"},authenticatorSelection:{type:"object",properties:{authenticatorAttachment:{type:"string"},requireResidentKey:{type:"boolean"},userVerification:{type:"string"}}},extensions:{type:"object"}}}}}}}}}},async s=>{let d=await R(s),A=[];d&&(A=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:d.user.id}]}));let K=await Nr({rpID:o.rpID,userVerification:"preferred",...A.length?{allowCredentials:A.map(l=>({id:l.id,transports:l.transports?.split(",")}))}:{}}),u={expectedChallenge:K.challenge,userData:{id:d?.user.id||""}},p=L(32);return await s.setSignedCookie(o.advanced.webAuthnChallengeCookie,p,s.context.secret,{secure:!0,httpOnly:!0,sameSite:"lax",maxAge:a}),await s.context.internalAdapter.createVerificationValue({identifier:p,value:JSON.stringify(u),expiresAt:r}),s.json(K,{status:200})}),verifyPasskeyRegistration:c("/passkey/verify-registration",{method:"POST",body:ce.object({response:ce.any({description:"The response from the authenticator"}),name:ce.string({description:"Name of the passkey"}).optional()}),use:[Re],metadata:{openapi:{description:"Verify registration of a new passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{$ref:"#/components/schemas/Passkey"}}}},400:{description:"Bad request"}}}}},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)return s.json(null,{status:400});let A=s.body.response,K=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!K)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let u=await s.context.internalAdapter.findVerificationValue(K);if(!u)return s.json(null,{status:400});let{expectedChallenge:p,userData:l}=JSON.parse(u.value);if(l.id!==s.context.session.user.id)throw new ie("UNAUTHORIZED",{message:"You are not authorized to register this passkey"});try{let h=await Fr({response:A,expectedChallenge:p,expectedOrigin:d,expectedRPID:e?.rpID}),{verified:k,registrationInfo:f}=h;if(!k||!f)return s.json(null,{status:400});let{credentialID:g,credentialPublicKey:C,counter:T,credentialDeviceType:N,credentialBackedUp:Fe}=f,at=Buffer.from(C).toString("base64"),dt={name:s.body.name,userId:l.id,webauthnUserID:s.context.generateId({model:"passkey"}),id:g,publicKey:at,counter:T,deviceType:N,transports:A.response.transports.join(","),backedUp:Fe,createdAt:new Date},At=await s.context.adapter.create({model:"passkey",data:dt});return s.json(At,{status:200})}catch(h){throw console.log(h),new ie("INTERNAL_SERVER_ERROR",{message:"Failed to verify registration"})}}),verifyPasskeyAuthentication:c("/passkey/verify-authentication",{method:"POST",body:ce.object({response:ce.any()}),metadata:{openapi:{description:"Verify authentication of a passkey",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async s=>{let d=e?.origin||s.headers?.get("origin")||"";if(!d)throw new ie("BAD_REQUEST",{message:"origin missing"});let A=s.body.response,K=await s.getSignedCookie(o.advanced.webAuthnChallengeCookie,s.context.secret);if(!K)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let u=await s.context.internalAdapter.findVerificationValue(K);if(!u)throw new ie("BAD_REQUEST",{message:"Challenge not found"});let{expectedChallenge:p}=JSON.parse(u.value),l=await s.context.adapter.findOne({model:"passkey",where:[{field:"id",value:A.id}]});if(!l)throw new ie("UNAUTHORIZED",{message:"Passkey not found"});try{let h=await _r({response:A,expectedChallenge:p,expectedOrigin:d,expectedRPID:o.rpID,authenticator:{credentialID:l.id,credentialPublicKey:new Uint8Array(Buffer.from(l.publicKey,"base64")),counter:l.counter,transports:l.transports?.split(",")}}),{verified:k}=h;if(!k)throw new ie("UNAUTHORIZED",{message:"Authentication failed"});await s.context.adapter.update({model:"passkey",where:[{field:"id",value:l.id}],update:{counter:h.authenticationInfo.newCounter}});let f=await s.context.internalAdapter.createSession(l.userId,s.request);if(!f)throw new ie("INTERNAL_SERVER_ERROR",{message:"Unable to create session"});let g=await s.context.internalAdapter.findUserById(l.userId);if(!g)throw new ie("INTERNAL_SERVER_ERROR",{message:"User not found"});return await m(s,{session:f,user:g}),s.json({session:f},{status:200})}catch(h){throw s.context.logger.error("Failed to verify authentication",h),new ie("BAD_REQUEST",{message:"Failed to verify authentication"})}}),listPasskeys:c("/passkey/list-user-passkeys",{method:"GET",use:[v]},async s=>{let d=await s.context.adapter.findMany({model:"passkey",where:[{field:"userId",value:s.context.session.user.id}]});return s.json(d,{status:200})}),deletePasskey:c("/passkey/delete-passkey",{method:"POST",body:ce.object({id:ce.string()}),use:[v]},async s=>(await s.context.adapter.delete({model:"passkey",where:[{field:"id",value:s.body.id}]}),s.json(null,{status:200})))},schema:J(Vr,e?.schema)}},Vr={passkey:{fields:{name:{type:"string",required:!1},publicKey:{type:"string",required:!0},userId:{type:"string",references:{model:"user",field:"id"},required:!0},webauthnUserID:{type:"string",required:!0},counter:{type:"number",required:!0},deviceType:{type:"string",required:!0},backedUp:{type:"boolean",required:!0},transports:{type:"string",required:!1},createdAt:{type:"date",defaultValue:new Date,required:!1}}}};import{z as oo}from"zod";import{APIError as ze}from"better-call";var Wi=()=>({id:"username",endpoints:{signInUsername:c("/sign-in/username",{method:"POST",body:oo.object({username:oo.string({description:"The username of the user"}),password:oo.string({description:"The password of the user"}),rememberMe:oo.boolean({description:"Remember the user session"}).optional()}),metadata:{openapi:{summary:"Sign in with username",description:"Sign in with username",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async e=>{let t=await e.context.adapter.findOne({model:"user",where:[{field:"username",value:e.body.username}]});if(!t)throw await e.context.password.hash(e.body.password),e.context.logger.error("User not found",{username:Wi}),new ze("UNAUTHORIZED",{message:"Invalid username or password"});if(!t.emailVerified&&e.context.options.emailAndPassword?.requireEmailVerification)throw await Ko(e,t),new ze("UNAUTHORIZED",{message:"Email not verified"});let i=await e.context.adapter.findOne({model:"account",where:[{field:"userId",value:t.id},{field:"providerId",value:"credential"}]});if(!i)throw new ze("UNAUTHORIZED",{message:"Invalid username or password"});let o=i?.password;if(!o)throw e.context.logger.error("Password not found",{username:Wi}),new ze("UNAUTHORIZED",{message:"Unexpected error"});if(!await e.context.password.verify(o,e.body.password))throw e.context.logger.error("Invalid password"),new ze("UNAUTHORIZED",{message:"Invalid username or password"});let n=await e.context.internalAdapter.createSession(t.id,e.request,e.body.rememberMe===!1);return n?(await m(e,{session:n,user:t},e.body.rememberMe===!1),e.json({user:t,session:n})):e.json(null,{status:500,body:{message:"Failed to create session",status:500}})})},schema:{user:{fields:{username:{type:"string",required:!1,unique:!0,returned:!0}}}}});import{serializeSigned as qr}from"better-call";var Uu=()=>({id:"bearer",hooks:{before:[{matcher(e){return!!(e.request?.headers.get("authorization")||e.headers?.get("authorization"))},handler:async e=>{let t=e.request?.headers.get("authorization")?.replace("Bearer ","")||e.headers?.get("authorization")?.replace("Bearer ","");if(!t)return;let i="";return t.includes(".")?i=t:i=await qr("",t,e.context.secret),e.request&&e.request.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),e.headers&&e.headers.set("cookie",`${e.context.authCookies.sessionToken.name}=${i.replace("=","")}`),{context:e}}}]}});import{z as ve}from"zod";import{APIError as Ji}from"better-call";var Bu=e=>({id:"magic-link",endpoints:{signInMagicLink:c("/sign-in/magic-link",{method:"POST",requireHeaders:!0,body:ve.object({email:ve.string({description:"Email address to send the magic link"}).email(),callbackURL:ve.string({description:"URL to redirect after magic link verification"}).optional()}),metadata:{openapi:{description:"Sign in with magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{status:{type:"boolean"}}}}}}}}}},async t=>{let{email:i}=t.body;if(e.disableSignUp&&!await t.context.internalAdapter.findUserByEmail(i))throw new Ji("BAD_REQUEST",{message:"User not found"});let o=M(32,H("a-z","A-Z"));await t.context.internalAdapter.createVerificationValue({identifier:o,value:i,expiresAt:new Date(Date.now()+(e.expiresIn||60*5)*1e3)});let r=`${t.context.baseURL}/magic-link/verify?token=${o}&callbackURL=${t.body.callbackURL||"/"}`;try{await e.sendMagicLink({email:i,url:r,token:o},t.request)}catch(n){throw t.context.logger.error("Failed to send magic link",n),new Ji("INTERNAL_SERVER_ERROR",{message:"Failed to send magic link"})}return t.json({status:!0})}),magicLinkVerify:c("/magic-link/verify",{method:"GET",query:ve.object({token:ve.string({description:"Verification token"}),callbackURL:ve.string({description:"URL to redirect after magic link verification, if not provided will return session"}).optional()}),requireHeaders:!0,metadata:{openapi:{description:"Verify magic link",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async t=>{let{token:i,callbackURL:o}=t.query,r=o?.startsWith("http")?o:o?`${t.context.options.baseURL}${o}`:t.context.options.baseURL,n=await t.context.internalAdapter.findVerificationValue(i);if(!n)throw t.redirect(`${r}?error=INVALID_TOKEN`);if(n.expiresAt<new Date)throw await t.context.internalAdapter.deleteVerificationValue(n.id),t.redirect(`${r}?error=EXPIRED_TOKEN`);await t.context.internalAdapter.deleteVerificationValue(n.id);let a=n.value,s=await t.context.internalAdapter.findUserByEmail(a),d=s?.user.id||"";if(!s){if(e.disableSignUp)throw t.redirect(`${r}?error=USER_NOT_FOUND`);if(d=(await t.context.internalAdapter.createUser({email:a,emailVerified:!0,name:a})).id,!d)throw t.redirect(`${r}?error=USER_NOT_CREATED`)}let A=await t.context.internalAdapter.createSession(d,t.headers);if(!A)throw t.redirect(`${r}?error=SESSION_NOT_CREATED`);if(await m(t,{session:A,user:s?.user}),!o)return t.json({session:A,user:s?.user});throw t.redirect(o)})},rateLimit:[{pathMatcher(t){return t.startsWith("/sign-in/magic-link")||t.startsWith("/magic-link/verify")},window:e.rateLimit?.window||60,max:e.rateLimit?.max||5}]});import{z as te}from"zod";import{APIError as Q}from"better-call";function Mr(e){return M(e,H("0-9"))}var Qu=e=>{let t={expiresIn:e?.expiresIn||300,otpLength:e?.otpLength||6,...e,phoneNumber:"phoneNumber",phoneNumberVerified:"phoneNumberVerified",code:"code",createdAt:"createdAt"};return{id:"phone-number",endpoints:{signInPhoneNumber:c("/sign-in/phone-number",{method:"POST",body:te.object({phoneNumber:te.string({description:"Phone number to sign in"}),password:te.string({description:"Password to use for sign in"}),rememberMe:te.boolean({description:"Remember the session"}).optional()}),metadata:{openapi:{summary:"Sign in with phone number",description:"Use this endpoint to sign in with phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid phone number or password"}}}}},async i=>{let{password:o,phoneNumber:r}=i.body;if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new Q("BAD_REQUEST",{message:"Invalid phone number!"});let n=await i.context.adapter.findOne({model:"user",where:[{field:"phoneNumber",value:r}]});if(!n)throw new Q("UNAUTHORIZED",{message:"Invalid phone number or password"});let s=(await i.context.internalAdapter.findAccountByUserId(n.id)).find(u=>u.providerId==="credential");if(!s)throw i.context.logger.error("Credential account not found",{phoneNumber:r}),new Q("UNAUTHORIZED",{message:"Invalid password or password"});let d=s?.password;if(!d)throw i.context.logger.error("Password not found",{phoneNumber:r}),new Q("UNAUTHORIZED",{message:"Unexpected error"});if(!await i.context.password.verify(d,o))throw i.context.logger.error("Invalid password"),new Q("UNAUTHORIZED",{message:"Invalid email or password"});let K=await i.context.internalAdapter.createSession(n.id,i.headers,i.body.rememberMe===!1);if(!K)throw i.context.logger.error("Failed to create session"),new Q("UNAUTHORIZED",{message:"Failed to create session"});return await m(i,{session:K,user:n},i.body.rememberMe===!1),i.json({user:n,session:K})}),sendPhoneNumberOTP:c("/phone-number/send-otp",{method:"POST",body:te.object({phoneNumber:te.string({description:"Phone number to send OTP"})}),metadata:{openapi:{summary:"Send OTP to phone number",description:"Use this endpoint to send OTP to phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}}}}}}},async i=>{if(!e?.sendOTP)throw i.context.logger.warn("sendOTP not implemented"),new Q("NOT_IMPLEMENTED",{message:"sendOTP not implemented"});if(t.phoneNumberValidator&&!await t.phoneNumberValidator(i.body.phoneNumber))throw new Q("BAD_REQUEST",{message:"Invalid phone number!"});let o=Mr(t.otpLength);return await i.context.internalAdapter.createVerificationValue({value:o,identifier:i.body.phoneNumber,expiresAt:I(t.expiresIn,"sec")}),await e.sendOTP({phoneNumber:i.body.phoneNumber,code:o},i.request),i.json({code:o},{body:{message:"Code sent"}})}),verifyPhoneNumber:c("/phone-number/verify",{method:"POST",body:te.object({phoneNumber:te.string({description:"Phone number to verify"}),code:te.string({description:"OTP code"}),disableSession:te.boolean({description:"Disable session creation after verification"}).optional(),updatePhoneNumber:te.boolean({description:"Check if there is a session and update the phone number"}).optional()}),metadata:{openapi:{summary:"Verify phone number",description:"Use this endpoint to verify phone number",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}},400:{description:"Invalid OTP"}}}}},async i=>{let o=await i.context.internalAdapter.findVerificationValue(i.body.phoneNumber);if(!o||o.expiresAt<new Date)throw o&&o.expiresAt<new Date?(await i.context.internalAdapter.deleteVerificationValue(o.id),new Q("BAD_REQUEST",{message:"OTP expired"})):new Q("BAD_REQUEST",{message:"OTP not found"});if(o.value!==i.body.code)throw new Q("BAD_REQUEST",{message:"Invalid OTP"});if(await i.context.internalAdapter.deleteVerificationValue(o.id),i.body.updatePhoneNumber){let n=await R(i);if(!n)throw new Q("UNAUTHORIZED",{message:"Session not found"});let a=await i.context.internalAdapter.updateUser(n.user.id,{[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0});return i.json({user:a,session:n.session})}let r=await i.context.adapter.findOne({model:"user",where:[{value:i.body.phoneNumber,field:t.phoneNumber}]});if(await e?.callbackOnVerification?.({phoneNumber:i.body.phoneNumber,user:r},i.request),r)r=await i.context.internalAdapter.updateUser(r.id,{[t.phoneNumberVerified]:!0});else if(e?.signUpOnVerification){if(r=await i.context.internalAdapter.createUser({email:e.signUpOnVerification.getTempEmail(i.body.phoneNumber),name:e.signUpOnVerification.getTempName?e.signUpOnVerification.getTempName(i.body.phoneNumber):i.body.phoneNumber,[t.phoneNumber]:i.body.phoneNumber,[t.phoneNumberVerified]:!0}),!r)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create user"})}else return i.json(null);if(!r)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to update user"});if(!i.body.disableSession){let n=await i.context.internalAdapter.createSession(r.id,i.request);if(!n)throw new Q("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(i,{session:n,user:r}),i.json({user:r,session:n})}return i.json({user:r,session:null})})},schema:J(Hr,e?.schema)}},Hr={user:{fields:{phoneNumber:{type:"string",required:!1,unique:!0,returned:!0},phoneNumberVerified:{type:"boolean",required:!1,returned:!0,input:!1}}}};import"zod";var Qr={user:{fields:{isAnonymous:{type:"boolean",required:!1}}}},el=e=>({id:"anonymous",endpoints:{signInAnonymous:c("/sign-in/anonymous",{method:"POST",metadata:{openapi:{description:"Sign in anonymously",responses:{200:{description:"Sign in anonymously",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async t=>{let{emailDomainName:i=me(t.context.baseURL)}=e||{},o=t.context.generateId({model:"user"}),r=`temp-${o}@${i}`,n=await t.context.internalAdapter.createUser({id:o,email:r,emailVerified:!1,isAnonymous:!0,name:"Anonymous",createdAt:new Date,updatedAt:new Date});if(!n)return t.json(null,{status:500,body:{message:"Failed to create user",status:500}});let a=await t.context.internalAdapter.createSession(n.id,t.request);return a?(await m(t,{session:a,user:n}),t.json({user:n,session:a})):t.json(null,{status:400,body:{message:"Could not create session"}})})},hooks:{after:[{matcher(t){return t.path?.startsWith("/sign-in")||t.path?.startsWith("/sign-up")},handler:U(async t=>{let o=t.responseHeader.get("set-cookie"),r=t.context.authCookies.sessionToken.name,n=Me(o||"").get(r)?.value.split(".")[0];if(!n)return;let a=await R(t);if(!(!a||!a.user.isAnonymous)){if(t.path==="/sign-in/anonymous")throw new b("BAD_REQUEST",{message:"Anonymous users cannot sign in again anonymously"});if(e?.onLinkAccount){let s=await t.context.internalAdapter.findSession(n);if(!s)return;await e?.onLinkAccount?.({anonymousUser:a,newUser:s})}e?.disableDeleteAnonymousUser||await t.context.internalAdapter.deleteUser(a.user.id)}})}]},schema:J(Qr,e?.schema)});import{z as y}from"zod";var cl=e=>{let t={defaultRole:"user",adminRole:"admin",...e},i=U(async o=>{let r=await R(o);if(!r?.session)throw new b("UNAUTHORIZED");let n=r.user;if(!n.role||(Array.isArray(t.adminRole)?!t.adminRole.includes(n.role):n.role!==t.adminRole))throw new b("FORBIDDEN",{message:"Only admins can access this endpoint"});return{session:{user:n,session:r.session}}});return{id:"admin",init(o){return{options:{databaseHooks:{user:{create:{async before(r){if(e?.defaultRole!==!1)return{data:{role:e?.defaultRole??"user",...r}}}}},session:{create:{async before(r){let n=await o.internalAdapter.findUserById(r.userId);if(n.banned){if(n.banExpires&&n.banExpires<Date.now()){await o.internalAdapter.updateUser(r.userId,{banned:!1,banReason:null,banExpires:null});return}return!1}}}}}}}},hooks:{after:[{matcher(o){return o.path==="/list-sessions"},handler:U(async o=>{let r=await be(o);if(!r)return;let n=r.filter(a=>!a.impersonatedBy);return o.json(n)})}]},endpoints:{setRole:c("/admin/set-role",{method:"POST",body:y.object({userId:y.string({description:"The user id"}),role:y.string({description:"The role to set. `admin` or `user` by default"})}),use:[i],metadata:{openapi:{operationId:"setRole",summary:"Set the role of a user",description:"Set the role of a user",responses:{200:{description:"User role updated",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{role:o.body.role});return o.json({user:r})}),createUser:c("/admin/create-user",{method:"POST",body:y.object({email:y.string({description:"The email of the user"}),password:y.string({description:"The password of the user"}),name:y.string({description:"The name of the user"}),role:y.string({description:"The role of the user"}),data:y.optional(y.record(y.any(),{description:"Extra fields for the user. Including custom additional fields."}))}),use:[i],metadata:{openapi:{operationId:"createUser",summary:"Create a new user",description:"Create a new user",responses:{200:{description:"User created",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{if(await o.context.internalAdapter.findUserByEmail(o.body.email))throw new b("BAD_REQUEST",{message:"User already exists"});let n=await o.context.internalAdapter.createUser({email:o.body.email,name:o.body.name,role:o.body.role,...o.body.data});if(!n)throw new b("INTERNAL_SERVER_ERROR",{message:"Failed to create user"});let a=await o.context.password.hash(o.body.password);return await o.context.internalAdapter.linkAccount({accountId:n.id,providerId:"credential",password:a,userId:n.id}),o.json({user:n})}),listUsers:c("/admin/list-users",{method:"GET",use:[i],query:y.object({searchValue:y.string({description:"The value to search for"}).optional(),searchField:y.enum(["email","name"],{description:"The field to search in, defaults to email. Can be `email` or `name`"}).optional(),searchOperator:y.enum(["contains","starts_with","ends_with"],{description:"The operator to use for the search. Can be `contains`, `starts_with` or `ends_with`"}).optional(),limit:y.string({description:"The number of users to return"}).or(y.number()).optional(),offset:y.string({description:"The offset to start from"}).or(y.number()).optional(),sortBy:y.string({description:"The field to sort by"}).optional(),sortDirection:y.enum(["asc","desc"],{description:"The direction to sort by"}).optional(),filterField:y.string({description:"The field to filter by"}).optional(),filterValue:y.string({description:"The value to filter by"}).or(y.number()).or(y.boolean()).optional(),filterOperator:y.enum(["eq","ne","lt","lte","gt","gte"],{description:"The operator to use for the filter"}).optional()}),metadata:{openapi:{operationId:"listUsers",summary:"List users",description:"List users",responses:{200:{description:"List of users",content:{"application/json":{schema:{type:"object",properties:{users:{type:"array",items:{$ref:"#/components/schemas/User"}}}}}}}}}}},async o=>{let r=[];o.query?.searchValue&&r.push({field:o.query.searchField||"email",operator:o.query.searchOperator||"contains",value:o.query.searchValue}),o.query?.filterValue&&r.push({field:o.query.filterField||"email",operator:o.query.filterOperator||"eq",value:o.query.filterValue});try{let n=await o.context.internalAdapter.listUsers(Number(o.query?.limit)||void 0,Number(o.query?.offset)||void 0,o.query?.sortBy?{field:o.query.sortBy,direction:o.query.sortDirection||"asc"}:void 0,r.length?r:void 0);return o.json({users:n})}catch(n){return console.log(n),o.json({users:[]})}}),listUserSessions:c("/admin/list-user-sessions",{method:"POST",use:[i],body:y.object({userId:y.string({description:"The user id"})}),metadata:{openapi:{operationId:"listUserSessions",summary:"List user sessions",description:"List user sessions",responses:{200:{description:"List of user sessions",content:{"application/json":{schema:{type:"object",properties:{sessions:{type:"array",items:{$ref:"#/components/schemas/Session"}}}}}}}}}}},async o=>({sessions:await o.context.internalAdapter.listSessions(o.body.userId)})),unbanUser:c("/admin/unban-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"unbanUser",summary:"Unban a user",description:"Unban a user",responses:{200:{description:"User unbanned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!1});return o.json({user:r})}),banUser:c("/admin/ban-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"}),banReason:y.string({description:"The reason for the ban"}).optional(),banExpiresIn:y.number({description:"The number of seconds until the ban expires"}).optional()}),use:[i],metadata:{openapi:{operationId:"banUser",summary:"Ban a user",description:"Ban a user",responses:{200:{description:"User banned",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{if(o.body.userId===o.context.session.user.id)throw new b("BAD_REQUEST",{message:"You cannot ban yourself"});let r=await o.context.internalAdapter.updateUser(o.body.userId,{banned:!0,banReason:o.body.banReason||e?.defaultBanReason||"No reason",banExpires:o.body.banExpiresIn?I(o.body.banExpiresIn,"sec"):e?.defaultBanExpiresIn?I(e.defaultBanExpiresIn,"sec"):void 0});return await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({user:r})}),impersonateUser:c("/admin/impersonate-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"impersonateUser",summary:"Impersonate a user",description:"Impersonate a user",responses:{200:{description:"Impersonation session created",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}}}}}},async o=>{let r=await o.context.internalAdapter.findUserById(o.body.userId);if(!r)throw new b("NOT_FOUND",{message:"User not found"});let n=await o.context.internalAdapter.createSession(r.id,void 0,!0,{impersonatedBy:o.context.session.user.id,expiresAt:e?.impersonationSessionDuration?I(e.impersonationSessionDuration,"sec"):I(60*60,"sec")});if(!n)throw new b("INTERNAL_SERVER_ERROR",{message:"Failed to create session"});return await m(o,{session:n,user:r},!0),o.json({session:n,user:r})}),revokeUserSession:c("/admin/revoke-user-session",{method:"POST",body:y.object({sessionToken:y.string({description:"The session token"})}),use:[i],metadata:{openapi:{operationId:"revokeUserSession",summary:"Revoke a user session",description:"Revoke a user session",responses:{200:{description:"Session revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>(await o.context.internalAdapter.deleteSession(o.body.sessionToken),o.json({success:!0}))),revokeUserSessions:c("/admin/revoke-user-sessions",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"revokeUserSessions",summary:"Revoke all user sessions",description:"Revoke all user sessions",responses:{200:{description:"Sessions revoked",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>(await o.context.internalAdapter.deleteSessions(o.body.userId),o.json({success:!0}))),removeUser:c("/admin/remove-user",{method:"POST",body:y.object({userId:y.string({description:"The user id"})}),use:[i],metadata:{openapi:{operationId:"removeUser",summary:"Remove a user",description:"Delete a user and all their sessions and accounts. Cannot be undone.",responses:{200:{description:"User removed",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>(await o.context.internalAdapter.deleteUser(o.body.userId),o.json({success:!0})))},schema:J($r,t.schema)}},$r={user:{fields:{role:{type:"string",required:!1,input:!1},banned:{type:"boolean",defaultValue:!1,required:!1,input:!1},banReason:{type:"string",required:!1,input:!1},banExpires:{type:"date",required:!1,input:!1}}},session:{fields:{impersonatedBy:{type:"string",required:!1}}}};import{z as re}from"zod";import{APIError as Ne}from"better-call";import{betterFetch as ho}from"@better-fetch/fetch";import{parseJWT as Zr}from"oslo/jwt";async function Gr(e,t,i){if(t==="oidc"&&e.idToken){let r=Zr(e.idToken);if(r?.payload)return{id:r.payload.sub,emailVerified:r.payload.email_verified,...r.payload}}if(!i)return null;let o=await ho(i,{method:"GET",headers:{Authorization:`Bearer ${e.accessToken}`}});return{id:o.data?.sub,emailVerified:o.data?.email_verified,email:o.data?.email,...o.data}}var vl=e=>({id:"generic-oauth",endpoints:{signInWithOAuth2:c("/sign-in/oauth2",{method:"POST",query:re.object({currentURL:re.string({description:"Redirect to the current URL after sign in"}).optional()}).optional(),body:re.object({providerId:re.string({description:"The provider ID for the OAuth provider"}),callbackURL:re.string({description:"The URL to redirect to after sign in"}).optional(),errorCallbackURL:re.string({description:"The URL to redirect to if an error occurs"}).optional()}),metadata:{openapi:{description:"Sign in with OAuth2",responses:{200:{description:"Sign in with OAuth2",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"},redirect:{type:"boolean"}}}}}}}}}},async t=>{let{providerId:i}=t.body,o=e.config.find(N=>N.providerId===i);if(!o)throw new Ne("BAD_REQUEST",{message:`No config found for provider ${i}`});let{discoveryUrl:r,authorizationUrl:n,tokenUrl:a,clientId:s,clientSecret:d,scopes:A,redirectURI:K,responseType:u,pkce:p,prompt:l,accessType:h}=o,k=n,f=a;if(r){let N=await ho(r,{onError(Fe){t.context.logger.error(Fe.error.message,Fe.error,{discoveryUrl:r})}});N.data&&(k=N.data.authorization_endpoint,f=N.data.token_endpoint)}if(!k||!f)throw new Ne("BAD_REQUEST",{message:"Invalid OAuth configuration."});let{state:g,codeVerifier:C}=await fe(t),T=await P({id:i,options:{clientId:s,clientSecret:d,redirectURI:K},authorizationEndpoint:k,state:g,codeVerifier:p?C:void 0,scopes:A||[],redirectURI:`${t.context.baseURL}/oauth2/callback/${i}`});return u&&u!=="code"&&T.searchParams.set("response_type",u),l&&T.searchParams.set("prompt",l),h&&T.searchParams.set("access_type",h),t.json({url:T.toString(),redirect:!0})}),oAuth2Callback:c("/oauth2/callback/:providerId",{method:"GET",query:re.object({code:re.string({description:"The OAuth2 code"}).optional(),error:re.string({description:"The error message, if any"}).optional(),state:re.string({description:"The state parameter from the OAuth2 request"})}),metadata:{openapi:{description:"OAuth2 callback",responses:{200:{description:"OAuth2 callback",content:{"application/json":{schema:{type:"object",properties:{url:{type:"string"}}}}}}}}}},async t=>{if(t.query.error||!t.query.code)throw t.redirect(`${t.context.baseURL}?error=${t.query.error||"oAuth_code_missing"}`);let i=e.config.find(g=>g.providerId===t.params.providerId);if(!i)throw new Ne("BAD_REQUEST",{message:`No config found for provider ${t.params.providerId}`});let o,r=await He(t),{callbackURL:n,codeVerifier:a,errorURL:s}=r,d=t.query.code,A=i.tokenUrl,K=i.userInfoUrl;if(i.discoveryUrl){let g=await ho(i.discoveryUrl,{method:"GET"});g.data&&(A=g.data.token_endpoint,K=g.data.userinfo_endpoint)}try{if(!A)throw new Ne("BAD_REQUEST",{message:"Invalid OAuth configuration."});o=await O({code:d,codeVerifier:a,redirectURI:`${t.context.baseURL}/oauth2/callback/${i.providerId}`,options:{clientId:i.clientId,clientSecret:i.clientSecret},tokenEndpoint:A})}catch(g){throw t.context.logger.error(g&&typeof g=="object"&&"name"in g?g.name:"",g),t.redirect(`${s}?error=oauth_code_verification_failed`)}if(!o)throw new Ne("BAD_REQUEST",{message:"Invalid OAuth configuration."});let u=i.getUserInfo?await i.getUserInfo(o):await Gr(o,i.type||"oauth2",K);if(!u?.email)throw t.context.logger.error("Unable to get user info",u),t.redirect(`${t.context.baseURL}/error?error=email_is_missing`);let p=await we(t,{userInfo:u,account:{providerId:i.providerId,accountId:u.id,accessToken:o.accessToken}});function l(g){throw t.redirect(`${s||n||`${t.context.baseURL}/error`}?error=${g}`)}if(p.error)return l(p.error.split(" ").join("_"));let{session:h,user:k}=p.data;await m(t,{session:h,user:k});let f;try{f=new URL(n).toString()}catch{f=n}throw t.redirect(f)})}});import{z as Le}from"zod";var Xi={jwks:{fields:{publicKey:{type:"string",required:!0},privateKey:{type:"string",required:!0},createdAt:{type:"date",required:!0}}}},Ol=Le.object({id:Le.string(),publicKey:Le.string(),privateKey:Le.string(),createdAt:Le.date()});var yo=e=>({getAllKeys:async()=>await e.findMany({model:"jwks"}),getLatestKey:async()=>(await e.findMany({model:"jwks",sortBy:{field:"createdAt",direction:"desc"},limit:1}))[0],createJwk:async t=>await e.create({model:"jwks",data:{...t,createdAt:new Date}})});import{exportJWK as Yi,generateKeyPair as Wr,importJWK as Jr,SignJWT as Xr}from"jose";var jl=e=>({id:"jwt",endpoints:{getJwks:c("/jwks",{method:"GET",metadata:{openapi:{description:"Get the JSON Web Key Set",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{keys:{type:"array",items:{type:"object",properties:{kid:{type:"string"},kty:{type:"string"},use:{type:"string"},alg:{type:"string"},n:{type:"string"},e:{type:"string"}}}}}}}}}}}}},async t=>{let o=await yo(t.context.adapter).getAllKeys();return t.json({keys:o.map(r=>({...JSON.parse(r.publicKey),kid:r.id}))})}),getToken:c("/token",{method:"GET",requireHeaders:!0,use:[v],metadata:{openapi:{description:"Get a JWT token",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{token:{type:"string"}}}}}}}}}},async t=>{let i=yo(t.context.adapter),o=await i.getLatestKey(),r=!e?.jwks?.disablePrivateKeyEncryption;if(o===void 0){let{publicKey:A,privateKey:K}=await Wr(e?.jwks?.keyPairConfig?.alg??"EdDSA",e?.jwks?.keyPairConfig??{crv:"Ed25519"}),u=await Yi(A),p=await Yi(K),l=JSON.stringify(p),h={id:crypto.randomUUID(),publicKey:JSON.stringify(u),privateKey:r?JSON.stringify(await de({key:t.context.options.secret,data:l})):l,createdAt:new Date};o=await i.createJwk(h)}let n=r?await pe({key:t.context.options.secret,data:JSON.parse(o.privateKey)}):o.privateKey,a=await Jr(JSON.parse(n)),s=e?.jwt?.definePayload?await e?.jwt.definePayload(t.context.session.user):t.context.session.user,d=await new Xr({...s,...t.context.session.session.impersonatedBy?{impersonatedBy:t.context.session.session.impersonatedBy}:{}}).setProtectedHeader({alg:e?.jwks?.keyPairConfig?.alg??"EdDSA",kid:o.id}).setIssuedAt().setIssuer(e?.jwt?.issuer??t.context.options.baseURL).setAudience(e?.jwt?.audience??t.context.options.baseURL).setExpirationTime(e?.jwt?.expirationTime??"15m").setSubject(t.context.session.user.id).sign(a);return t.json({token:d})})},schema:J(Xi,e?.schema)});import{z as io}from"zod";var _l=e=>{let t={maximumSessions:5,...e},i=o=>o.includes("_multi-");return{id:"multi-session",endpoints:{listDeviceSessions:c("/multi-session/list-device-sessions",{method:"GET",requireHeaders:!0},async o=>{let r=o.headers?.get("cookie");if(!r)return o.json([]);let n=Object.fromEntries(Oe(r)),a=(await Promise.all(Object.entries(n).filter(([A])=>i(A)).map(async([A])=>await o.getSignedCookie(A,o.context.secret)))).filter(A=>A!==void 0);if(!a.length)return o.json([]);let d=(await o.context.internalAdapter.findSessions(a)).filter(A=>A&&A.session.expiresAt>new Date);return o.json(d)}),setActiveSession:c("/multi-session/set-active",{method:"POST",body:io.object({sessionToken:io.string({description:"The session token to set as active"})}),requireHeaders:!0,use:[v],metadata:{openapi:{description:"Set the active session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b("UNAUTHORIZED",{message:"Invalid session token"});let s=await o.context.internalAdapter.findSession(r);if(!s||s.session.expiresAt<new Date)throw o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),new b("UNAUTHORIZED",{message:"Invalid session token"});return await m(o,s),o.json(s)}),revokeDeviceSession:c("/multi-session/revoke",{method:"POST",body:io.object({sessionToken:io.string({description:"The session token to revoke"})}),requireHeaders:!0,use:[v],metadata:{openapi:{description:"Revoke a device session",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async o=>{let r=o.body.sessionToken,n=`${o.context.authCookies.sessionToken.name}_multi-${r}`;if(!await o.getSignedCookie(n,o.context.secret))throw new b("UNAUTHORIZED",{message:"Invalid session token"});if(await o.context.internalAdapter.deleteSession(r),o.setCookie(n,"",{...o.context.authCookies.sessionToken.options,maxAge:0}),!(o.context.session?.session.token===r))return o.json({success:!0});let d=o.headers?.get("cookie");if(d){let A=Object.fromEntries(Oe(d)),K=(await Promise.all(Object.entries(A).filter(([p])=>i(p)).map(async([p])=>await o.getSignedCookie(p,o.context.secret)))).filter(p=>p!==void 0),u=o.context.internalAdapter;if(K.length>0){let l=(await u.findSessions(K)).filter(h=>h&&h.session.expiresAt>new Date);if(l.length>0){let h=l[0];await m(o,h)}else V(o)}else V(o)}else V(o);return o.json({success:!0})})},hooks:{after:[{matcher:()=>!0,handler:U(async o=>{let r=o.responseHeader.get("set-cookie");if(!r)return;let n=Me(r),a=o.context.authCookies.sessionToken,s=n.get(a.name)?.value;if(!s)return;let d=Oe(o.headers?.get("cookie")||""),A=s.split(".")[0];if(!A)return;let K=`${a.name}_multi-${A}`;n.get(K)||d.get(K)||Object.keys(Object.fromEntries(d)).filter(i).length+(r.includes("session_token")?1:0)>t.maximumSessions||await o.setSignedCookie(K,A,o.context.secret,a.options)})},{matcher:o=>o.path==="/sign-out",handler:U(async o=>{let r=o.headers?.get("cookie");if(!r)return;let n=Object.fromEntries(Oe(r)),a=Object.keys(n).map(s=>i(s)?(o.setCookie(s,"",{maxAge:0}),s.split("_multi-")[1]):null).filter(s=>s!==null);await o.context.internalAdapter.deleteSessions(a)})}]}}};import{z as D}from"zod";var wo=["email-verification","sign-in","forget-password"],Zl=e=>{let t={expireIn:300,otpLength:6,...e};return{id:"email-otp",endpoints:{sendVerificationOTP:c("/email-otp/send-verification-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to send the OTP"}),type:D.enum(wo,{description:"Type of the OTP"})}),metadata:{openapi:{description:"Send verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async i=>{if(!e?.sendVerificationOTP)throw i.context.logger.error("send email verification is not implemented"),new b("BAD_REQUEST",{message:"send email verification is not implemented"});let o=i.body.email,r=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}).catch(async n=>{await i.context.internalAdapter.deleteVerificationByIdentifier(`${i.body.type}-otp-${o}`),await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")})}),await e.sendVerificationOTP({email:o,otp:r,type:i.body.type},i.request),i.json({success:!0})}),createVerificationOTP:c("/email-otp/create-verification-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to send the OTP"}),type:D.enum(wo,{description:"Type of the OTP"})}),metadata:{SERVER_ONLY:!0,openapi:{description:"Create verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"string"}}}}}}}},async i=>{let o=i.body.email,r=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:r,identifier:`${i.body.type}-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),r}),getVerificationOTP:c("/email-otp/get-verification-otp",{method:"GET",query:D.object({email:D.string({description:"Email address to get the OTP"}),type:D.enum(wo)}),metadata:{SERVER_ONLY:!0,openapi:{description:"Get verification OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{otp:{type:"string"}}}}}}}}}},async i=>{let o=i.query.email,r=await i.context.internalAdapter.findVerificationValue(`${i.query.type}-otp-${o}`);return!r||r.expiresAt<new Date?i.json({otp:null}):i.json({otp:r.value})}),verifyEmailOTP:c("/email-otp/verify-email",{method:"POST",body:D.object({email:D.string({description:"Email address to verify"}),otp:D.string({description:"OTP to verify"})}),metadata:{openapi:{description:"Verify email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"}}}}}}}}}},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`email-verification-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a)throw new b("BAD_REQUEST",{message:"User not found"});let s=await i.context.internalAdapter.updateUser(a.user.id,{email:o,emailVerified:!0});return i.json({user:s})}),signInEmailOTP:c("/sign-in/email-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to sign in"}),otp:D.string({description:"OTP sent to the email"})}),metadata:{openapi:{description:"Sign in with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{user:{$ref:"#/components/schemas/User"},session:{$ref:"#/components/schemas/Session"}}}}}}}}}},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findVerificationValue(`sign-in-otp-${o}`);if(!r||r.expiresAt<new Date)throw r&&await i.context.internalAdapter.deleteVerificationValue(r.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let n=i.body.otp;if(r.value!==n)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(r.id);let a=await i.context.internalAdapter.findUserByEmail(o);if(!a){if(t.disableSignUp)throw new b("BAD_REQUEST",{message:"User not found"});let d=await i.context.internalAdapter.createUser({email:o,emailVerified:!0,name:o}),A=await i.context.internalAdapter.createSession(d.id,i.request);return await m(i,{session:A,user:d}),i.json({user:d,session:A})}a.user.emailVerified||await i.context.internalAdapter.updateUser(a.user.id,{emailVerified:!0});let s=await i.context.internalAdapter.createSession(a.user.id,i.request);return await m(i,{session:s,user:a.user}),i.json({session:s,user:a})}),forgetPasswordEmailOTP:c("/forget-password/email-otp",{method:"POST",body:D.object({email:D.string({description:"Email address to send the OTP"})}),metadata:{openapi:{description:"Forget password with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async i=>{let o=i.body.email;if(!await i.context.internalAdapter.findUserByEmail(o))throw new b("BAD_REQUEST",{message:"User not found"});let n=M(t.otpLength,H("0-9"));return await i.context.internalAdapter.createVerificationValue({value:n,identifier:`forget-password-otp-${o}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o,otp:n,type:"forget-password"},i.request),i.json({success:!0})}),resetPasswordEmailOTP:c("/email-otp/reset-password",{method:"POST",body:D.object({email:D.string({description:"Email address to reset the password"}),otp:D.string({description:"OTP sent to the email"}),password:D.string({description:"New password"})}),metadata:{openapi:{description:"Reset password with email OTP",responses:{200:{description:"Success",content:{"application/json":{schema:{type:"object",properties:{success:{type:"boolean"}}}}}}}}}},async i=>{let o=i.body.email,r=await i.context.internalAdapter.findUserByEmail(o);if(!r)throw new b("BAD_REQUEST",{message:"User not found"});let n=await i.context.internalAdapter.findVerificationValue(`forget-password-otp-${o}`);if(!n||n.expiresAt<new Date)throw n&&await i.context.internalAdapter.deleteVerificationValue(n.id),new b("BAD_REQUEST",{message:"Invalid OTP"});let a=i.body.otp;if(n.value!==a)throw new b("BAD_REQUEST",{message:"Invalid OTP"});await i.context.internalAdapter.deleteVerificationValue(n.id);let s=await i.context.password.hash(i.body.password);return await i.context.internalAdapter.updatePassword(r.user.id,s),i.json({success:!0})})},hooks:{after:[{matcher(i){return!!(i.path?.startsWith("/sign-up")&&t.sendVerificationOnSignUp)},async handler(i){let o=await be(i);if(o&&o.user.email&&o.user.emailVerified===!1){let r=M(t.otpLength,H("0-9"));await i.context.internalAdapter.createVerificationValue({value:r,identifier:`email-verification-otp-${o.user.email}`,expiresAt:I(t.expireIn,"sec")}),await e.sendVerificationOTP({email:o.user.email,otp:r,type:"email-verification"},i.request)}}}]}}};import{z as ot}from"zod";import{betterFetch as Yr}from"@better-fetch/fetch";function et(e){return e==="true"||e===!0}var ig=e=>({id:"one-tap",endpoints:{oneTapCallback:c("/one-tap/callback",{method:"POST",body:ot.object({idToken:ot.string({description:"Google ID token, which the client obtains from the One Tap API"})}),metadata:{openapi:{summary:"One tap callback",description:"Use this endpoint to authenticate with Google One Tap",responses:{200:{description:"Successful response",content:{"application/json":{schema:{type:"object",properties:{session:{$ref:"#/components/schemas/Session"},user:{$ref:"#/components/schemas/User"}}}}}},400:{description:"Invalid token"}}}}},async t=>{let{idToken:i}=t.body,{data:o,error:r}=await Yr("https://oauth2.googleapis.com/tokeninfo?id_token="+i);if(r)return t.json({error:"Invalid token"});let n=await t.context.internalAdapter.findUserByEmail(o.email);if(!n){if(e?.disableSignup)throw new b("BAD_GATEWAY",{message:"User not found"});let s=await t.context.internalAdapter.createOAuthUser({email:o.email,emailVerified:et(o.email_verified),name:o.name,image:o.picture},{providerId:"google",accountId:o.sub});if(!s)throw new b("INTERNAL_SERVER_ERROR",{message:"Could not create user"});let d=await t.context.internalAdapter.createSession(s?.user.id,t.request);return await m(t,{user:s.user,session:d}),t.json({session:d,user:s})}let a=await t.context.internalAdapter.createSession(n.user.id,t.request);return await m(t,{user:n.user,session:a}),t.json({session:a,user:n})})}});import{z as Co}from"zod";function en(){let e=Y.VERCEL_URL,t=Y.NETLIFY_URL,i=Y.RENDER_URL,o=Y.AWS_LAMBDA_FUNCTION_NAME,r=Y.GOOGLE_CLOUD_FUNCTION_NAME,n=Y.AZURE_FUNCTION_NAME;return e||t||i||o||r||n}var Ag=e=>({id:"oauth-proxy",endpoints:{oAuthProxy:c("/oauth-proxy-callback",{method:"GET",query:Co.object({callbackURL:Co.string({description:"The URL to redirect to after the proxy"}),cookies:Co.string({description:"The cookies to set after the proxy"})}),metadata:{openapi:{description:"OAuth Proxy Callback",parameters:[{in:"query",name:"callbackURL",required:!0,description:"The URL to redirect to after the proxy"},{in:"query",name:"cookies",required:!0,description:"The cookies to set after the proxy"}],responses:{302:{description:"Redirect",headers:{Location:{description:"The URL to redirect to",schema:{type:"string"}}}}}}}},async t=>{let i=t.query.cookies,o=await pe({key:t.context.secret,data:i});throw t.setHeader("set-cookie",o),t.redirect(t.query.callbackURL)})},hooks:{after:[{matcher(t){return t.path?.startsWith("/callback")},handler:U(async t=>{let i=t.context.returned,o=i instanceof b?i.headers:null,r=o?.get("location");if(r?.includes("/oauth-proxy-callback?callbackURL")){if(!r.startsWith("http"))return;let n=new URL(r);if(n.origin===me(t.context.baseURL)){let K=n.searchParams.get("callbackURL");if(!K)return;t.setHeader("location",K);return}let s=o?.get("set-cookie");if(!s)return;let d=await de({key:t.context.secret,data:s}),A=`${r}&cookies=${encodeURIComponent(d)}`;t.setHeader("location",A)}})}],before:[{matcher(t){return t.path?.startsWith("/sign-in/social")},async handler(t){let i=new URL(e?.currentURL||t.request?.url||en()||t.context.baseURL);return t.body.callbackURL=`${i.origin}${t.context.options.basePath||"/api/auth"}/oauth-proxy-callback?callbackURL=${encodeURIComponent(t.body.callbackURL||t.context.baseURL)}`,{context:t}}}]}});var pg=(e,t)=>({id:"custom-session",endpoints:{getSession:c("/get-session",{method:"GET",metadata:{CUSTOM_SESSION:!0}},async i=>{let o=await R(i);if(!o)return i.json(null);let r=await e(o);return i.json(r)})}});import{ZodObject as tt,ZodOptional as bo,ZodSchema as rt}from"zod";var ke=e=>{let t=e.plugins?.reduce((d,A)=>{let K=A.schema;if(!K)return d;for(let[u,p]of Object.entries(K))d[u]={fields:{...d[u]?.fields,...p.fields},modelName:p.modelName||u};return d},{}),i=e.rateLimit?.storage==="database",o={rateLimit:{modelName:e.rateLimit?.modelName||"rateLimit",fields:{key:{type:"string",fieldName:e.rateLimit?.fields?.key||"key"},count:{type:"number",fieldName:e.rateLimit?.fields?.count||"count"},lastRequest:{type:"number",fieldName:e.rateLimit?.fields?.lastRequest||"lastRequest"}}}},{user:r,session:n,account:a,...s}=t||{};return{user:{modelName:e.user?.modelName||"user",fields:{name:{type:"string",required:!0,fieldName:e.user?.fields?.name||"name"},email:{type:"string",unique:!0,required:!0,fieldName:e.user?.fields?.email||"email"},emailVerified:{type:"boolean",defaultValue:()=>!1,required:!0,fieldName:e.user?.fields?.emailVerified||"emailVerified"},image:{type:"string",required:!1,fieldName:e.user?.fields?.image||"image"},createdAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",defaultValue:()=>new Date,required:!0,fieldName:e.user?.fields?.updatedAt||"updatedAt"},...r?.fields,...e.user?.additionalFields},order:1},session:{modelName:e.session?.modelName||"session",fields:{expiresAt:{type:"date",required:!0,fieldName:e.session?.fields?.expiresAt||"expiresAt"},token:{type:"string",required:!0,fieldName:e.session?.fields?.token||"token",unique:!0},createdAt:{type:"date",required:!0,fieldName:e.session?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.session?.fields?.updatedAt||"updatedAt"},ipAddress:{type:"string",required:!1,fieldName:e.session?.fields?.ipAddress||"ipAddress"},userAgent:{type:"string",required:!1,fieldName:e.session?.fields?.userAgent||"userAgent"},userId:{type:"string",fieldName:e.session?.fields?.userId||"userId",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0},...n?.fields,...e.session?.additionalFields},order:2},account:{modelName:e.account?.modelName||"account",fields:{accountId:{type:"string",required:!0,fieldName:e.account?.fields?.accountId||"accountId"},providerId:{type:"string",required:!0,fieldName:e.account?.fields?.providerId||"providerId"},userId:{type:"string",references:{model:e.user?.modelName||"user",field:"id",onDelete:"cascade"},required:!0,fieldName:e.account?.fields?.userId||"userId"},accessToken:{type:"string",required:!1,fieldName:e.account?.fields?.accessToken||"accessToken"},refreshToken:{type:"string",required:!1,fieldName:e.account?.fields?.refreshToken||"refreshToken"},idToken:{type:"string",required:!1,fieldName:e.account?.fields?.idToken||"idToken"},accessTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"accessTokenExpiresAt"},refreshTokenExpiresAt:{type:"date",required:!1,fieldName:e.account?.fields?.accessTokenExpiresAt||"refreshTokenExpiresAt"},scope:{type:"string",required:!1,fieldName:e.account?.fields?.scope||"scope"},password:{type:"string",required:!1,fieldName:e.account?.fields?.password||"password"},createdAt:{type:"date",required:!0,fieldName:e.account?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!0,fieldName:e.account?.fields?.updatedAt||"updatedAt"},...a?.fields},order:3},verification:{modelName:e.verification?.modelName||"verification",fields:{identifier:{type:"string",required:!0,fieldName:e.verification?.fields?.identifier||"identifier"},value:{type:"string",required:!0,fieldName:e.verification?.fields?.value||"value"},expiresAt:{type:"date",required:!0,fieldName:e.verification?.fields?.expiresAt||"expiresAt"},createdAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.createdAt||"createdAt"},updatedAt:{type:"date",required:!1,defaultValue:()=>new Date,fieldName:e.verification?.fields?.updatedAt||"updatedAt"}},order:4},...s,...i?o:{}}};import{z as Rg}from"zod";import{Kysely as Eg,MssqlDialect as Sg}from"kysely";import{MysqlDialect as xg,PostgresDialect as jg,SqliteDialect as Bg}from"kysely";var _e={};function nt(e){switch(e.constructor.name){case"ZodString":return"string";case"ZodNumber":return"number";case"ZodBoolean":return"boolean";case"ZodObject":return"object";case"ZodArray":return"array";default:return"string"}}function to(e){let t=[];return e.metadata?.openapi?.parameters?(t.push(...e.metadata.openapi.parameters),t):(e.query instanceof tt&&Object.entries(e.query.shape).forEach(([i,o])=>{o instanceof rt&&t.push({name:i,in:"query",schema:{type:nt(o),..."minLength"in o&&o.minLength?{minLength:o.minLength}:{},description:o.description}})}),t)}function it(e){if(e.metadata?.openapi?.requestBody)return e.metadata.openapi.requestBody;if(e.body&&(e.body instanceof tt||e.body instanceof bo)){let t=e.body.shape;if(!t)return;let i={},o=[];return Object.entries(t).forEach(([r,n])=>{n instanceof rt&&(i[r]={type:nt(n),description:n.description},n instanceof bo||o.push(r))}),{required:e.body instanceof bo?!1:!!e.body,content:{"application/json":{schema:{type:"object",properties:i,required:o}}}}}}function ro(e){return{400:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Bad Request. Usually due to missing parameters, or invalid parameters."},401:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}},required:["message"]}}},description:"Unauthorized. Due to missing or invalid authentication."},403:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Forbidden. You do not have permission to access this resource or to perform this action."},404:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Not Found. The requested resource was not found."},429:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Too Many Requests. You have exceeded the rate limit. Try again later."},500:{content:{"application/json":{schema:{type:"object",properties:{message:{type:"string"}}}}},description:"Internal Server Error. This is a problem with the server that you cannot fix."},...e}}async function vo(e,t){let i=po(e,{...t,plugins:[]}),o=ke(t),n={schemas:{...Object.entries(o).reduce((s,[d,A])=>{let K=d.charAt(0).toUpperCase()+d.slice(1);return s[K]={type:"object",properties:Object.entries(A.fields).reduce((u,[p,l])=>(u[p]={type:l.type},u),{})},s},{})}};Object.entries(i.api).forEach(([s,d])=>{let A=d.options;if(!A.metadata?.SERVER_ONLY&&(A.method==="GET"&&(_e[d.path]={get:{tags:["Default",...A.metadata?.openapi?.tags||[]],description:A.metadata?.openapi?.description,operationId:A.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(A),responses:ro(A.metadata?.openapi?.responses)}}),A.method==="POST")){let K=it(A);_e[d.path]={post:{tags:["Default",...A.metadata?.openapi?.tags||[]],description:A.metadata?.openapi?.description,operationId:A.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(A),...K?{requestBody:K}:{requestBody:{content:{"application/json":{schema:{type:"object",properties:{}}}}}},responses:ro(A.metadata?.openapi?.responses)}}}});for(let s of t.plugins||[]){if(s.id==="open-api")continue;let d=po(e,{...t,plugins:[s]}),A=Object.keys(d.api).map(K=>i.api[K]===void 0?d.api[K]:null).filter(K=>K!==null);Object.entries(A).forEach(([K,u])=>{let p=u.options;p.metadata?.SERVER_ONLY||(p.method==="GET"&&(_e[u.path]={get:{tags:p.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:p.metadata?.openapi?.description,operationId:p.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(p),responses:ro(p.metadata?.openapi?.responses)}}),p.method==="POST"&&(_e[u.path]={post:{tags:p.metadata?.openapi?.tags||[s.id.charAt(0).toUpperCase()+s.id.slice(1)],description:p.metadata?.openapi?.description,operationId:p.metadata?.openapi?.operationId,security:[{bearerAuth:[]}],parameters:to(p),requestBody:it(p),responses:ro(p.metadata?.openapi?.responses)}}))})}return{openapi:"3.1.1",info:{title:"Better Auth",description:"API Reference for your Better Auth Instance"},components:n,security:[{apiKeyCookie:[]}],servers:[{url:e.baseURL}],tags:[{name:"Default",description:"Default endpoints that are included with Better Auth by default. These endpoints are not part of any plugin."}],paths:_e}}var st=`<svg width="75" height="75" viewBox="0 0 75 75" fill="none" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
84
84
  <rect width="75" height="75" fill="url(#pattern0_21_12)"/>
85
85
  <defs>
86
86
  <pattern id="pattern0_21_12" patternContentUnits="objectBoundingBox" width="1" height="1">