better-auth 1.4.18 → 1.4.19

package/dist/plugins/email-otp/index.d.mts

@@ -1,14 +1,14 @@
 import { EmailOTPOptions } from "./types.mjs";
-import * as _better_auth_core7 from "@better-auth/core";
+import * as _better_auth_core5 from "@better-auth/core";
 import * as _better_auth_core_db0 from "@better-auth/core/db";
-import * as better_call29 from "better-call";
+import * as better_call20 from "better-call";
 import * as zod0 from "zod";
 import * as zod_v4_core0 from "zod/v4/core";
 
 //#region src/plugins/email-otp/index.d.ts
 declare const emailOTP: (options: EmailOTPOptions) => {
   id: "email-otp";
-  init(ctx: _better_auth_core7.AuthContext): {
+  init(ctx: _better_auth_core5.AuthContext): {
     options: {
       emailVerification: {
         sendVerificationEmail(data: {
@@ -20,7 +20,7 @@ declare const emailOTP: (options: EmailOTPOptions) => {
     };
   } | undefined;
   endpoints: {
-    sendVerificationOTP: better_call29.StrictEndpoint<"/email-otp/send-verification-otp", {
+    sendVerificationOTP: better_call20.StrictEndpoint<"/email-otp/send-verification-otp", {
       method: "POST";
       body: zod0.ZodObject<{
         email: zod0.ZodString;
@@ -56,7 +56,7 @@ declare const emailOTP: (options: EmailOTPOptions) => {
     }, {
       success: boolean;
     }>;
-    createVerificationOTP: better_call29.StrictEndpoint<string, {
+    createVerificationOTP: better_call20.StrictEndpoint<string, {
       method: "POST";
       body: zod0.ZodObject<{
         email: zod0.ZodString;
@@ -85,7 +85,7 @@ declare const emailOTP: (options: EmailOTPOptions) => {
         };
       };
     }, string>;
-    getVerificationOTP: better_call29.StrictEndpoint<string, {
+    getVerificationOTP: better_call20.StrictEndpoint<string, {
       method: "GET";
       query: zod0.ZodObject<{
         email: zod0.ZodString;
@@ -126,7 +126,7 @@ declare const emailOTP: (options: EmailOTPOptions) => {
     } | {
       otp: string;
     }>;
-    checkVerificationOTP: better_call29.StrictEndpoint<"/email-otp/check-verification-otp", {
+    checkVerificationOTP: better_call20.StrictEndpoint<"/email-otp/check-verification-otp", {
       method: "POST";
       body: zod0.ZodObject<{
         email: zod0.ZodString;
@@ -163,7 +163,7 @@ declare const emailOTP: (options: EmailOTPOptions) => {
     }, {
       success: boolean;
     }>;
-    verifyEmailOTP: better_call29.StrictEndpoint<"/email-otp/verify-email", {
+    verifyEmailOTP: better_call20.StrictEndpoint<"/email-otp/verify-email", {
       method: "POST";
       body: zod0.ZodObject<{
         email: zod0.ZodString;
@@ -227,7 +227,7 @@ declare const emailOTP: (options: EmailOTPOptions) => {
         image?: string | null | undefined;
       } & Record<string, any>;
     }>;
-    signInEmailOTP: better_call29.StrictEndpoint<"/sign-in/email-otp", {
+    signInEmailOTP: better_call20.StrictEndpoint<"/sign-in/email-otp", {
       method: "POST";
       body: zod0.ZodObject<{
         email: zod0.ZodString;
@@ -273,7 +273,7 @@ declare const emailOTP: (options: EmailOTPOptions) => {
         image?: string | null | undefined;
       };
     }>;
-    requestPasswordResetEmailOTP: better_call29.StrictEndpoint<"/email-otp/request-password-reset", {
+    requestPasswordResetEmailOTP: better_call20.StrictEndpoint<"/email-otp/request-password-reset", {
       method: "POST";
       body: zod0.ZodObject<{
         email: zod0.ZodString;
@@ -305,7 +305,7 @@ declare const emailOTP: (options: EmailOTPOptions) => {
     }, {
       success: boolean;
     }>;
-    forgetPasswordEmailOTP: better_call29.StrictEndpoint<"/forget-password/email-otp", {
+    forgetPasswordEmailOTP: better_call20.StrictEndpoint<"/forget-password/email-otp", {
       method: "POST";
       body: zod0.ZodObject<{
         email: zod0.ZodString;
@@ -337,7 +337,7 @@ declare const emailOTP: (options: EmailOTPOptions) => {
     }, {
       success: boolean;
     }>;
-    resetPasswordEmailOTP: better_call29.StrictEndpoint<"/email-otp/reset-password", {
+    resetPasswordEmailOTP: better_call20.StrictEndpoint<"/email-otp/reset-password", {
       method: "POST";
       body: zod0.ZodObject<{
         email: zod0.ZodString;
@@ -351,10 +351,10 @@ declare const emailOTP: (options: EmailOTPOptions) => {
           responses: {
             200: {
               description: string;
-              contnt: {
+              content: {
                 "application/json": {
                   schema: {
-                    type: string;
+                    type: "object";
                     properties: {
                       success: {
                         type: string;
@@ -373,8 +373,8 @@ declare const emailOTP: (options: EmailOTPOptions) => {
   };
   hooks: {
     after: {
-      matcher(context: _better_auth_core7.HookEndpointContext): boolean;
-      handler: (inputContext: better_call29.MiddlewareInputContext<better_call29.MiddlewareOptions>) => Promise<void>;
+      matcher(context: _better_auth_core5.HookEndpointContext): boolean;
+      handler: (inputContext: better_call20.MiddlewareInputContext<better_call20.MiddlewareOptions>) => Promise<void>;
     }[];
   };
   $ERROR_CODES: {

package/dist/plugins/email-otp/routes.mjs

@@ -579,7 +579,7 @@ const resetPasswordEmailOTP = (opts) => createAuthEndpoint("/email-otp/reset-pas
 		description: "Reset password with email and OTP",
 		responses: { 200: {
 			description: "Success",
-			contnt: { "application/json": { schema: {
+			content: { "application/json": { schema: {
 				type: "object",
 				properties: { success: { type: "boolean" } }
 			} } }

package/dist/plugins/email-otp/routes.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"routes.mjs","names":["session"],"sources":["../../../src/plugins/email-otp/routes.ts"],"sourcesContent":["import { createAuthEndpoint } from \"@better-auth/core/api\";\nimport { BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { defineErrorCodes, deprecate } from \"@better-auth/core/utils\";\nimport * as z from \"zod\";\nimport { APIError, getSessionFromCtx } from \"../../api\";\nimport { setCookieCache, setSessionCookie } from \"../../cookies\";\nimport { generateRandomString, symmetricDecrypt } from \"../../crypto\";\nimport { parseUserOutput } from \"../../db/schema\";\nimport { getDate } from \"../../utils/date\";\nimport { storeOTP, verifyStoredOTP } from \"./otp-token\";\nimport type { EmailOTPOptions } from \"./types\";\nimport { splitAtLastColon } from \"./utils\";\n\nconst types = [\"email-verification\", \"sign-in\", \"forget-password\"] as const;\n\ntype WithRequired<T, K extends keyof T> = T & { [P in K]-?: T[P] };\n\ntype RequiredEmailOTPOptions = WithRequired<\n\tEmailOTPOptions,\n\t\"expiresIn\" | \"generateOTP\" | \"storeOTP\"\n>;\n\nexport const ERROR_CODES = defineErrorCodes({\n\tOTP_EXPIRED: \"OTP expired\",\n\tINVALID_OTP: \"Invalid OTP\",\n\tTOO_MANY_ATTEMPTS: \"Too many attempts\",\n});\n\nconst sendVerificationOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address to send the OTP\",\n\t}),\n\ttype: z.enum(types).meta({\n\t\tdescription: \"Type of the OTP\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/email-otp/send-verification-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.sendVerificationOTP`\n *\n * **client:**\n * `authClient.emailOtp.sendVerificationOtp`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-send-verification-otp)\n */\nexport const sendVerificationOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/send-verification-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: sendVerificationOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"sendEmailVerificationOTP\",\n\t\t\t\t\tdescription: \"Send a verification OTP to an email\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tif (!opts?.sendVerificationOTP) {\n\t\t\t\tctx.context.logger.error(\"send email verification is not implemented\");\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"send email verification is not implemented\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst isValidEmail = z.email().safeParse(email);\n\t\t\tif (!isValidEmail.success) {\n\t\t\t\tthrow ctx.error(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_EMAIL,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst otp =\n\t\t\t\topts.generateOTP({ email, type: ctx.body.type }, ctx) ||\n\t\t\t\tdefaultOTPGenerator(opts);\n\n\t\t\tconst storedOTP = await storeOTP(ctx, opts, otp);\n\n\t\t\tawait ctx.context.internalAdapter\n\t\t\t\t.createVerificationValue({\n\t\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\t\tidentifier: `${ctx.body.type}-otp-${email}`,\n\t\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t\t})\n\t\t\t\t.catch(async (error) => {\n\t\t\t\t\t// might be duplicate key error\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t\t`${ctx.body.type}-otp-${email}`,\n\t\t\t\t\t);\n\t\t\t\t\t//try again\n\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\t\t\tidentifier: `${ctx.body.type}-otp-${email}`,\n\t\t\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t\t\t});\n\t\t\t\t});\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tif (ctx.body.type === \"sign-in\" && !opts.disableSignUp) {\n\t\t\t\t\t// allow\n\t\t\t\t} else {\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t\t`${ctx.body.type}-otp-${email}`,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\tsuccess: true,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tawait ctx.context.runInBackgroundOrAwait(\n\t\t\t\topts.sendVerificationOTP(\n\t\t\t\t\t{\n\t\t\t\t\t\temail,\n\t\t\t\t\t\totp,\n\t\t\t\t\t\ttype: ctx.body.type,\n\t\t\t\t\t},\n\t\t\t\t\tctx,\n\t\t\t\t),\n\t\t\t);\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst createVerificationOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address to send the OTP\",\n\t}),\n\ttype: z.enum(types).meta({\n\t\trequired: true,\n\t\tdescription: \"Type of the OTP\",\n\t}),\n});\n\nexport const createVerificationOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: createVerificationOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"createEmailVerificationOTP\",\n\t\t\t\t\tdescription: \"Create a verification OTP for an email\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst otp =\n\t\t\t\topts.generateOTP({ email, type: ctx.body.type }, ctx) ||\n\t\t\t\tdefaultOTPGenerator(opts);\n\t\t\tconst storedOTP = await storeOTP(ctx, opts, otp);\n\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\tidentifier: `${ctx.body.type}-otp-${email}`,\n\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t});\n\t\t\treturn otp;\n\t\t},\n\t);\n\nconst getVerificationOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address the OTP was sent to\",\n\t}),\n\ttype: z.enum(types).meta({\n\t\trequired: true,\n\t\tdescription: \"Type of the OTP\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * GET `/email-otp/get-verification-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.getVerificationOTP`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-get-verification-otp)\n */\nexport const getVerificationOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\tquery: getVerificationOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"getEmailVerificationOTP\",\n\t\t\t\t\tdescription: \"Get a verification OTP for an email\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"OTP retrieved successfully or not found/expired\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\totp: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"The stored OTP, or null if not found or expired\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"otp\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.query.email.toLowerCase();\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`${ctx.query.type}-otp-${email}`,\n\t\t\t\t);\n\t\t\tif (!verificationValue || verificationValue.expiresAt < new Date()) {\n\t\t\t\treturn ctx.json({\n\t\t\t\t\totp: null,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (\n\t\t\t\topts.storeOTP === \"hashed\" ||\n\t\t\t\t(typeof opts.storeOTP === \"object\" && \"hash\" in opts.storeOTP)\n\t\t\t) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"OTP is hashed, cannot return the plain text OTP\",\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst [storedOtp, _attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tlet otp = storedOtp;\n\t\t\tif (opts.storeOTP === \"encrypted\") {\n\t\t\t\totp = await symmetricDecrypt({\n\t\t\t\t\tkey: ctx.context.secret,\n\t\t\t\t\tdata: storedOtp,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (typeof opts.storeOTP === \"object\" && \"decrypt\" in opts.storeOTP) {\n\t\t\t\totp = await opts.storeOTP.decrypt(storedOtp);\n\t\t\t}\n\n\t\t\treturn ctx.json({\n\t\t\t\totp,\n\t\t\t});\n\t\t},\n\t);\n\nconst checkVerificationOTPBodySchema = z.object({\n\temail: z.string().meta({\n\t\tdescription: \"Email address the OTP was sent to\",\n\t}),\n\ttype: z.enum(types).meta({\n\t\trequired: true,\n\t\tdescription: \"Type of the OTP\",\n\t}),\n\totp: z.string().meta({\n\t\trequired: true,\n\t\tdescription: \"OTP to verify\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * GET `/email-otp/check-verification-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.checkVerificationOTP`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-check-verification-otp)\n */\nexport const checkVerificationOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/check-verification-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: checkVerificationOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"verifyEmailWithOTP\",\n\t\t\t\t\tdescription: \"Verify an email with an OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst isValidEmail = z.email().safeParse(email);\n\t\t\tif (!isValidEmail.success) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_EMAIL,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`${ctx.body.type}-otp-${email}`,\n\t\t\t\t);\n\t\t\tif (!verificationValue) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (verificationValue.expiresAt < new Date()) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.OTP_EXPIRED,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst [otpValue, attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tconst allowedAttempts = opts?.allowedAttempts || 3;\n\t\t\tif (attempts && parseInt(attempts) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ERROR_CODES.TOO_MANY_ATTEMPTS,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);\n\t\t\tif (!verified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otpValue}:${parseInt(attempts || \"0\") + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst verifyEmailOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address to verify\",\n\t}),\n\totp: z.string().meta({\n\t\trequired: true,\n\t\tdescription: \"OTP to verify\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/email-otp/verify-email`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.verifyEmailOTP`\n *\n * **client:**\n * `authClient.emailOtp.verifyEmail`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-verify-email)\n */\nexport const verifyEmailOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/verify-email\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: verifyEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Verify email with OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Indicates if the verification was successful\",\n\t\t\t\t\t\t\t\t\t\t\t\tenum: [true],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Session token if autoSignInAfterVerification is enabled, otherwise null\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"status\", \"token\", \"user\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst isValidEmail = z.email().safeParse(email);\n\t\t\tif (!isValidEmail.success) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_EMAIL,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`email-verification-otp-${email}`,\n\t\t\t\t);\n\n\t\t\tif (!verificationValue) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (verificationValue.expiresAt < new Date()) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.OTP_EXPIRED,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst [otpValue, attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tconst allowedAttempts = opts?.allowedAttempts || 3;\n\t\t\tif (attempts && parseInt(attempts) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ERROR_CODES.TOO_MANY_ATTEMPTS,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);\n\t\t\tif (!verified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otpValue}:${parseInt(attempts || \"0\") + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\tverificationValue.id,\n\t\t\t);\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\t/**\n\t\t\t\t * safe to leak the existence of a user, given the user has already the OTP from the\n\t\t\t\t * email\n\t\t\t\t */\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (ctx.context.options.emailVerification?.beforeEmailVerification) {\n\t\t\t\tawait ctx.context.options.emailVerification.beforeEmailVerification(\n\t\t\t\t\tuser.user,\n\t\t\t\t\tctx.request,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\tuser.user.id,\n\t\t\t\t{\n\t\t\t\t\temail,\n\t\t\t\t\temailVerified: true,\n\t\t\t\t},\n\t\t\t);\n\t\t\tif (ctx.context.options.emailVerification?.onEmailVerification) {\n\t\t\t\tawait ctx.context.options.emailVerification.onEmailVerification(\n\t\t\t\t\tupdatedUser,\n\t\t\t\t\tctx.request,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tawait ctx.context.options.emailVerification?.afterEmailVerification?.(\n\t\t\t\tupdatedUser,\n\t\t\t\tctx.request,\n\t\t\t);\n\n\t\t\tif (ctx.context.options.emailVerification?.autoSignInAfterVerification) {\n\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\tupdatedUser.id,\n\t\t\t\t);\n\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\tsession,\n\t\t\t\t\tuser: updatedUser,\n\t\t\t\t});\n\t\t\t\treturn ctx.json({\n\t\t\t\t\tstatus: true,\n\t\t\t\t\ttoken: session.token,\n\t\t\t\t\tuser: parseUserOutput(ctx.context.options, updatedUser),\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst currentSession = await getSessionFromCtx(ctx);\n\t\t\tif (currentSession && updatedUser.emailVerified) {\n\t\t\t\tconst dontRememberMeCookie = await ctx.getSignedCookie(\n\t\t\t\t\tctx.context.authCookies.dontRememberToken.name,\n\t\t\t\t\tctx.context.secret,\n\t\t\t\t);\n\t\t\t\tawait setCookieCache(\n\t\t\t\t\tctx,\n\t\t\t\t\t{\n\t\t\t\t\t\tsession: currentSession.session,\n\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t...currentSession.user,\n\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\t!!dontRememberMeCookie,\n\t\t\t\t);\n\t\t\t}\n\t\t\treturn ctx.json({\n\t\t\t\tstatus: true,\n\t\t\t\ttoken: null,\n\t\t\t\tuser: parseUserOutput(ctx.context.options, updatedUser),\n\t\t\t});\n\t\t},\n\t);\n\nconst signInEmailOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address to sign in\",\n\t}),\n\totp: z.string().meta({\n\t\trequired: true,\n\t\tdescription: \"OTP sent to the email\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/sign-in/email-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.signInEmailOTP`\n *\n * **client:**\n * `authClient.signIn.emailOtp`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-sign-in-email-otp)\n */\nexport const signInEmailOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/sign-in/email-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: signInEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"signInWithEmailOTP\",\n\t\t\t\t\tdescription: \"Sign in with email and OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Session token for the authenticated session\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"token\", \"user\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`sign-in-otp-${email}`,\n\t\t\t\t);\n\t\t\tif (!verificationValue) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (verificationValue.expiresAt < new Date()) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.OTP_EXPIRED,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst [otpValue, attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tconst allowedAttempts = opts?.allowedAttempts || 3;\n\t\t\tif (attempts && parseInt(attempts) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ERROR_CODES.TOO_MANY_ATTEMPTS,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);\n\t\t\tif (!verified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otpValue}:${parseInt(attempts || \"0\") + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\tverificationValue.id,\n\t\t\t);\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tif (opts.disableSignUp) {\n\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t\tconst newUser = await ctx.context.internalAdapter.createUser({\n\t\t\t\t\temail,\n\t\t\t\t\temailVerified: true,\n\t\t\t\t\tname: \"\",\n\t\t\t\t});\n\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\tnewUser.id,\n\t\t\t\t);\n\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\tsession,\n\t\t\t\t\tuser: newUser,\n\t\t\t\t});\n\t\t\t\treturn ctx.json({\n\t\t\t\t\ttoken: session.token,\n\t\t\t\t\tuser: parseUserOutput(ctx.context.options, newUser),\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (!user.user.emailVerified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateUser(user.user.id, {\n\t\t\t\t\temailVerified: true,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\tuser.user.id,\n\t\t\t);\n\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\tsession,\n\t\t\t\tuser: user.user,\n\t\t\t});\n\t\t\treturn ctx.json({\n\t\t\t\ttoken: session.token,\n\t\t\t\tuser: parseUserOutput(ctx.context.options, user.user),\n\t\t\t});\n\t\t},\n\t);\n\nconst requestPasswordResetEmailOTPBodySchema = z.object({\n\temail: z.string().meta({\n\t\tdescription: \"Email address to send the OTP\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/email-otp/request-password-reset`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.requestPasswordResetEmailOTP`\n *\n * **client:**\n * `authClient.emailOtp.requestPasswordReset`\n *\n * @see [Read our docs to learn more.](https://www.better-auth.com/docs/plugins/email-otp#reset-password-with-otp)\n */\nexport const requestPasswordResetEmailOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/request-password-reset\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: requestPasswordResetEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"requestPasswordResetWithEmailOTP\",\n\t\t\t\t\tdescription: \"Request password reset with email and OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Indicates if the OTP was sent successfully\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email;\n\t\t\tconst otp =\n\t\t\t\topts.generateOTP({ email, type: \"forget-password\" }, ctx) ||\n\t\t\t\tdefaultOTPGenerator(opts);\n\t\t\tconst storedOTP = await storeOTP(ctx, opts, otp);\n\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\tidentifier: `forget-password-otp-${email}`,\n\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t});\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t`forget-password-otp-${email}`,\n\t\t\t\t);\n\t\t\t\treturn ctx.json({\n\t\t\t\t\tsuccess: true,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.runInBackgroundOrAwait(\n\t\t\t\topts.sendVerificationOTP(\n\t\t\t\t\t{\n\t\t\t\t\t\temail,\n\t\t\t\t\t\totp,\n\t\t\t\t\t\ttype: \"forget-password\",\n\t\t\t\t\t},\n\t\t\t\t\tctx,\n\t\t\t\t),\n\t\t\t);\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst forgetPasswordEmailOTPBodySchema = z.object({\n\temail: z.string().meta({\n\t\tdescription: \"Email address to send the OTP\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/forget-password/email-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.forgetPasswordEmailOTP`\n *\n * **client:**\n * `authClient.forgetPassword.emailOtp`\n *\n * @deprecated Use `/email-otp/request-password-reset` instead.\n * @see [Read our docs to learn more.](https://www.better-auth.com/docs/plugins/email-otp#reset-password-with-otp)\n */\nexport const forgetPasswordEmailOTP = (opts: RequiredEmailOTPOptions) => {\n\tconst warnDeprecation = deprecate(\n\t\t() => {},\n\t\t'The \"/forget-password/email-otp\" endpoint is deprecated. ' +\n\t\t\t'Please use \"/email-otp/request-password-reset\" instead. ' +\n\t\t\t\"This endpoint will be removed in the next major version.\",\n\t);\n\n\treturn createAuthEndpoint(\n\t\t\"/forget-password/email-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: forgetPasswordEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"forgetPasswordWithEmailOTP\",\n\t\t\t\t\tdescription:\n\t\t\t\t\t\t\"Deprecated: Use /email-otp/request-password-reset instead.\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Indicates if the OTP was sent successfully\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\twarnDeprecation();\n\t\t\tconst email = ctx.body.email;\n\t\t\tconst otp =\n\t\t\t\topts.generateOTP({ email, type: \"forget-password\" }, ctx) ||\n\t\t\t\tdefaultOTPGenerator(opts);\n\t\t\tconst storedOTP = await storeOTP(ctx, opts, otp);\n\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\tidentifier: `forget-password-otp-${email}`,\n\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t});\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t`forget-password-otp-${email}`,\n\t\t\t\t);\n\t\t\t\treturn ctx.json({\n\t\t\t\t\tsuccess: true,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.runInBackgroundOrAwait(\n\t\t\t\topts.sendVerificationOTP(\n\t\t\t\t\t{\n\t\t\t\t\t\temail,\n\t\t\t\t\t\totp,\n\t\t\t\t\t\ttype: \"forget-password\",\n\t\t\t\t\t},\n\t\t\t\t\tctx,\n\t\t\t\t),\n\t\t\t);\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n};\n\nconst resetPasswordEmailOTPBodySchema = z.object({\n\temail: z.string().meta({\n\t\tdescription: \"Email address to reset the password\",\n\t}),\n\totp: z.string().meta({\n\t\tdescription: \"OTP sent to the email\",\n\t}),\n\tpassword: z.string().meta({\n\t\tdescription: \"New password\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/email-otp/reset-password`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.resetPasswordEmailOTP`\n *\n * **client:**\n * `authClient.emailOtp.resetPassword`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-reset-password)\n */\nexport const resetPasswordEmailOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/reset-password\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: resetPasswordEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"resetPasswordWithEmailOTP\",\n\t\t\t\t\tdescription: \"Reset password with email and OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontnt: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email;\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`forget-password-otp-${email}`,\n\t\t\t\t);\n\t\t\tif (!verificationValue) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (verificationValue.expiresAt < new Date()) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.OTP_EXPIRED,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst [otpValue, attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tconst allowedAttempts = opts?.allowedAttempts || 3;\n\t\t\tif (attempts && parseInt(attempts) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ERROR_CODES.TOO_MANY_ATTEMPTS,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);\n\t\t\tif (!verified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otpValue}:${parseInt(attempts || \"0\") + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\tverificationValue.id,\n\t\t\t);\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email, {\n\t\t\t\tincludeAccounts: true,\n\t\t\t});\n\t\t\tif (!user) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst minPasswordLength = ctx.context.password.config.minPasswordLength;\n\t\t\tif (ctx.body.password.length < minPasswordLength) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.PASSWORD_TOO_SHORT,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst maxPasswordLength = ctx.context.password.config.maxPasswordLength;\n\t\t\tif (ctx.body.password.length > maxPasswordLength) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.PASSWORD_TOO_LONG,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst passwordHash = await ctx.context.password.hash(ctx.body.password);\n\t\t\tconst account = user.accounts?.find(\n\t\t\t\t(account) => account.providerId === \"credential\",\n\t\t\t);\n\t\t\tif (!account) {\n\t\t\t\tawait ctx.context.internalAdapter.createAccount({\n\t\t\t\t\tuserId: user.user.id,\n\t\t\t\t\tproviderId: \"credential\",\n\t\t\t\t\taccountId: user.user.id,\n\t\t\t\t\tpassword: passwordHash,\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tawait ctx.context.internalAdapter.updatePassword(\n\t\t\t\t\tuser.user.id,\n\t\t\t\t\tpasswordHash,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (ctx.context.options.emailAndPassword?.onPasswordReset) {\n\t\t\t\tawait ctx.context.options.emailAndPassword.onPasswordReset(\n\t\t\t\t\t{\n\t\t\t\t\t\tuser: user.user,\n\t\t\t\t\t},\n\t\t\t\t\tctx.request,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (!user.user.emailVerified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateUser(user.user.id, {\n\t\t\t\t\temailVerified: true,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteSessions(user.user.id);\n\t\t\t}\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst defaultOTPGenerator = (options: EmailOTPOptions) =>\n\tgenerateRandomString(options.otpLength ?? 6, \"0-9\");\n"],"mappings":";;;;;;;;;;;;;;;AAaA,MAAM,QAAQ;CAAC;CAAsB;CAAW;CAAkB;AASlE,MAAa,cAAc,iBAAiB;CAC3C,aAAa;CACb,aAAa;CACb,mBAAmB;CACnB,CAAC;AAEF,MAAM,gCAAgC,EAAE,OAAO;CAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,iCACb,CAAC;CACF,MAAM,EAAE,KAAK,MAAM,CAAC,KAAK,EACxB,aAAa,mBACb,CAAC;CACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,uBAAuB,SACnC,mBACC,oCACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,SAAS,EACR,MAAM,WACN,EACD;IACD,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;AACd,KAAI,CAAC,MAAM,qBAAqB;AAC/B,MAAI,QAAQ,OAAO,MAAM,6CAA6C;AACtE,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,8CACT,CAAC;;CAEH,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;AAE1C,KAAI,CADiB,EAAE,OAAO,CAAC,UAAU,MAAM,CAC7B,QACjB,OAAM,IAAI,MAAM,eAAe,EAC9B,SAAS,iBAAiB,eAC1B,CAAC;CAEH,MAAM,MACL,KAAK,YAAY;EAAE;EAAO,MAAM,IAAI,KAAK;EAAM,EAAE,IAAI,IACrD,oBAAoB,KAAK;CAE1B,MAAM,YAAY,MAAM,SAAS,KAAK,MAAM,IAAI;AAEhD,OAAM,IAAI,QAAQ,gBAChB,wBAAwB;EACxB,OAAO,GAAG,UAAU;EACpB,YAAY,GAAG,IAAI,KAAK,KAAK,OAAO;EACpC,WAAW,QAAQ,KAAK,WAAW,MAAM;EACzC,CAAC,CACD,MAAM,OAAO,UAAU;AAEvB,QAAM,IAAI,QAAQ,gBAAgB,+BACjC,GAAG,IAAI,KAAK,KAAK,OAAO,QACxB;AAED,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,GAAG,UAAU;GACpB,YAAY,GAAG,IAAI,KAAK,KAAK,OAAO;GACpC,WAAW,QAAQ,KAAK,WAAW,MAAM;GACzC,CAAC;GACD;AAEH,KAAI,CADS,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM,CAEpE,KAAI,IAAI,KAAK,SAAS,aAAa,CAAC,KAAK,eAAe,QAEjD;AACN,QAAM,IAAI,QAAQ,gBAAgB,+BACjC,GAAG,IAAI,KAAK,KAAK,OAAO,QACxB;AACD,SAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;;AAIJ,OAAM,IAAI,QAAQ,uBACjB,KAAK,oBACJ;EACC;EACA;EACA,MAAM,IAAI,KAAK;EACf,EACD,IACA,CACD;AACD,QAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;EAEH;AAEF,MAAM,kCAAkC,EAAE,OAAO;CAChD,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,iCACb,CAAC;CACF,MAAM,EAAE,KAAK,MAAM,CAAC,KAAK;EACxB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;AAEF,MAAa,yBAAyB,SACrC,mBACC;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ,EACP,MAAM,UACN,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;CAC1C,MAAM,MACL,KAAK,YAAY;EAAE;EAAO,MAAM,IAAI,KAAK;EAAM,EAAE,IAAI,IACrD,oBAAoB,KAAK;CAC1B,MAAM,YAAY,MAAM,SAAS,KAAK,MAAM,IAAI;AAChD,OAAM,IAAI,QAAQ,gBAAgB,wBAAwB;EACzD,OAAO,GAAG,UAAU;EACpB,YAAY,GAAG,IAAI,KAAK,KAAK,OAAO;EACpC,WAAW,QAAQ,KAAK,WAAW,MAAM;EACzC,CAAC;AACF,QAAO;EAER;AAEF,MAAM,+BAA+B,EAAE,OAAO;CAC7C,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,qCACb,CAAC;CACF,MAAM,EAAE,KAAK,MAAM,CAAC,KAAK;EACxB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;;;;;;;;;;;;;AAcF,MAAa,sBAAsB,SAClC,mBACC;CACC,QAAQ;CACR,OAAO;CACP,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,OAAO;GACN,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,KAAK;KACJ,MAAM;KACN,UAAU;KACV,aACC;KACD,EACD;IACD,UAAU,CAAC,MAAM;IACjB,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,MAAM,MAAM,aAAa;CAC3C,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,GAAG,IAAI,MAAM,KAAK,OAAO,QACzB;AACF,KAAI,CAAC,qBAAqB,kBAAkB,4BAAY,IAAI,MAAM,CACjE,QAAO,IAAI,KAAK,EACf,KAAK,MACL,CAAC;AAEH,KACC,KAAK,aAAa,YACjB,OAAO,KAAK,aAAa,YAAY,UAAU,KAAK,SAErD,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,mDACT,CAAC;CAGH,MAAM,CAAC,WAAW,aAAa,iBAAiB,kBAAkB,MAAM;CACxE,IAAI,MAAM;AACV,KAAI,KAAK,aAAa,YACrB,OAAM,MAAM,iBAAiB;EAC5B,KAAK,IAAI,QAAQ;EACjB,MAAM;EACN,CAAC;AAGH,KAAI,OAAO,KAAK,aAAa,YAAY,aAAa,KAAK,SAC1D,OAAM,MAAM,KAAK,SAAS,QAAQ,UAAU;AAG7C,QAAO,IAAI,KAAK,EACf,KACA,CAAC;EAEH;AAEF,MAAM,iCAAiC,EAAE,OAAO;CAC/C,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,qCACb,CAAC;CACF,MAAM,EAAE,KAAK,MAAM,CAAC,KAAK;EACxB,UAAU;EACV,aAAa;EACb,CAAC;CACF,KAAK,EAAE,QAAQ,CAAC,KAAK;EACpB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;;;;;;;;;;;;;AAcF,MAAa,wBAAwB,SACpC,mBACC,qCACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,SAAS,EACR,MAAM,WACN,EACD;IACD,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;AAE1C,KAAI,CADiB,EAAE,OAAO,CAAC,UAAU,MAAM,CAC7B,QACjB,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,eAC1B,CAAC;AAGH,KAAI,CADS,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM,CAEpE,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,gBAC1B,CAAC;CAEH,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,GAAG,IAAI,KAAK,KAAK,OAAO,QACxB;AACF,KAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;AAEH,KAAI,kBAAkB,4BAAY,IAAI,MAAM,EAAE;AAC7C,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;CAGH,MAAM,CAAC,UAAU,YAAY,iBAAiB,kBAAkB,MAAM;CACtE,MAAM,kBAAkB,MAAM,mBAAmB;AACjD,KAAI,YAAY,SAAS,SAAS,IAAI,iBAAiB;AACtD,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,YAAY,mBACrB,CAAC;;AAGH,KAAI,CADa,MAAM,gBAAgB,KAAK,MAAM,UAAU,IAAI,KAAK,IAAI,EAC1D;AACd,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,IAClB,EACC,OAAO,GAAG,SAAS,GAAG,SAAS,YAAY,IAAI,GAAG,KAClD,CACD;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;AAEH,QAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;EAEH;AAEF,MAAM,2BAA2B,EAAE,OAAO;CACzC,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,2BACb,CAAC;CACF,KAAK,EAAE,QAAQ,CAAC,KAAK;EACpB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,kBAAkB,SAC9B,mBACC,2BACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY;KACX,QAAQ;MACP,MAAM;MACN,aACC;MACD,MAAM,CAAC,KAAK;MACZ;KACD,OAAO;MACN,MAAM;MACN,UAAU;MACV,aACC;MACD;KACD,MAAM,EACL,MAAM,6BACN;KACD;IACD,UAAU;KAAC;KAAU;KAAS;KAAO;IACrC,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;AAE1C,KAAI,CADiB,EAAE,OAAO,CAAC,UAAU,MAAM,CAC7B,QACjB,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,eAC1B,CAAC;CAEH,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,0BAA0B,QAC1B;AAEF,KAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;AAEH,KAAI,kBAAkB,4BAAY,IAAI,MAAM,CAC3C,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;CAGH,MAAM,CAAC,UAAU,YAAY,iBAAiB,kBAAkB,MAAM;CACtE,MAAM,kBAAkB,MAAM,mBAAmB;AACjD,KAAI,YAAY,SAAS,SAAS,IAAI,iBAAiB;AACtD,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,YAAY,mBACrB,CAAC;;AAGH,KAAI,CADa,MAAM,gBAAgB,KAAK,MAAM,UAAU,IAAI,KAAK,IAAI,EAC1D;AACd,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,IAClB,EACC,OAAO,GAAG,SAAS,GAAG,SAAS,YAAY,IAAI,GAAG,KAClD,CACD;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;AAEH,OAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;CACD,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM;AACrE,KAAI,CAAC;;;;;AAKJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,gBAC1B,CAAC;AAEH,KAAI,IAAI,QAAQ,QAAQ,mBAAmB,wBAC1C,OAAM,IAAI,QAAQ,QAAQ,kBAAkB,wBAC3C,KAAK,MACL,IAAI,QACJ;CAEF,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,KAAK,IACV;EACC;EACA,eAAe;EACf,CACD;AACD,KAAI,IAAI,QAAQ,QAAQ,mBAAmB,oBAC1C,OAAM,IAAI,QAAQ,QAAQ,kBAAkB,oBAC3C,aACA,IAAI,QACJ;AAGF,OAAM,IAAI,QAAQ,QAAQ,mBAAmB,yBAC5C,aACA,IAAI,QACJ;AAED,KAAI,IAAI,QAAQ,QAAQ,mBAAmB,6BAA6B;EACvE,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,YAAY,GACZ;AACD,QAAM,iBAAiB,KAAK;GAC3B;GACA,MAAM;GACN,CAAC;AACF,SAAO,IAAI,KAAK;GACf,QAAQ;GACR,OAAO,QAAQ;GACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,YAAY;GACvD,CAAC;;CAEH,MAAM,iBAAiB,MAAM,kBAAkB,IAAI;AACnD,KAAI,kBAAkB,YAAY,eAAe;EAChD,MAAM,uBAAuB,MAAM,IAAI,gBACtC,IAAI,QAAQ,YAAY,kBAAkB,MAC1C,IAAI,QAAQ,OACZ;AACD,QAAM,eACL,KACA;GACC,SAAS,eAAe;GACxB,MAAM;IACL,GAAG,eAAe;IAClB,eAAe;IACf;GACD,EACD,CAAC,CAAC,qBACF;;AAEF,QAAO,IAAI,KAAK;EACf,QAAQ;EACR,OAAO;EACP,MAAM,gBAAgB,IAAI,QAAQ,SAAS,YAAY;EACvD,CAAC;EAEH;AAEF,MAAM,2BAA2B,EAAE,OAAO;CACzC,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,4BACb,CAAC;CACF,KAAK,EAAE,QAAQ,CAAC,KAAK;EACpB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,kBAAkB,SAC9B,mBACC,sBACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY;KACX,OAAO;MACN,MAAM;MACN,aACC;MACD;KACD,MAAM,EACL,MAAM,6BACN;KACD;IACD,UAAU,CAAC,SAAS,OAAO;IAC3B,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;CAC1C,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,eAAe,QACf;AACF,KAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;AAEH,KAAI,kBAAkB,4BAAY,IAAI,MAAM,CAC3C,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;CAEH,MAAM,CAAC,UAAU,YAAY,iBAAiB,kBAAkB,MAAM;CACtE,MAAM,kBAAkB,MAAM,mBAAmB;AACjD,KAAI,YAAY,SAAS,SAAS,IAAI,iBAAiB;AACtD,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,YAAY,mBACrB,CAAC;;AAGH,KAAI,CADa,MAAM,gBAAgB,KAAK,MAAM,UAAU,IAAI,KAAK,IAAI,EAC1D;AACd,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,IAClB,EACC,OAAO,GAAG,SAAS,GAAG,SAAS,YAAY,IAAI,GAAG,KAClD,CACD;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;AAEH,OAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;CACD,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM;AACrE,KAAI,CAAC,MAAM;AACV,MAAI,KAAK,cACR,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,gBAC1B,CAAC;EAEH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,WAAW;GAC5D;GACA,eAAe;GACf,MAAM;GACN,CAAC;EACF,MAAMA,YAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,QAAQ,GACR;AACD,QAAM,iBAAiB,KAAK;GAC3B;GACA,MAAM;GACN,CAAC;AACF,SAAO,IAAI,KAAK;GACf,OAAOA,UAAQ;GACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,QAAQ;GACnD,CAAC;;AAGH,KAAI,CAAC,KAAK,KAAK,cACd,OAAM,IAAI,QAAQ,gBAAgB,WAAW,KAAK,KAAK,IAAI,EAC1D,eAAe,MACf,CAAC;CAGH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,KAAK,KAAK,GACV;AACD,OAAM,iBAAiB,KAAK;EAC3B;EACA,MAAM,KAAK;EACX,CAAC;AACF,QAAO,IAAI,KAAK;EACf,OAAO,QAAQ;EACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,KAAK,KAAK;EACrD,CAAC;EAEH;AAEF,MAAM,yCAAyC,EAAE,OAAO,EACvD,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,iCACb,CAAC,EACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,gCAAgC,SAC5C,mBACC,qCACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,SAAS;KACR,MAAM;KACN,aACC;KACD,EACD;IACD,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK;CACvB,MAAM,MACL,KAAK,YAAY;EAAE;EAAO,MAAM;EAAmB,EAAE,IAAI,IACzD,oBAAoB,KAAK;CAC1B,MAAM,YAAY,MAAM,SAAS,KAAK,MAAM,IAAI;AAChD,OAAM,IAAI,QAAQ,gBAAgB,wBAAwB;EACzD,OAAO,GAAG,UAAU;EACpB,YAAY,uBAAuB;EACnC,WAAW,QAAQ,KAAK,WAAW,MAAM;EACzC,CAAC;AAEF,KAAI,CADS,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM,EAC1D;AACV,QAAM,IAAI,QAAQ,gBAAgB,+BACjC,uBAAuB,QACvB;AACD,SAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;;AAEH,OAAM,IAAI,QAAQ,uBACjB,KAAK,oBACJ;EACC;EACA;EACA,MAAM;EACN,EACD,IACA,CACD;AACD,QAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;EAEH;AAEF,MAAM,mCAAmC,EAAE,OAAO,EACjD,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,iCACb,CAAC,EACF,CAAC;;;;;;;;;;;;;;;;;AAkBF,MAAa,0BAA0B,SAAkC;CACxE,MAAM,kBAAkB,gBACjB,IACN,gLAGA;AAED,QAAO,mBACN,8BACA;EACC,QAAQ;EACR,MAAM;EACN,UAAU,EACT,SAAS;GACR,aAAa;GACb,aACC;GACD,WAAW,EACV,KAAK;IACJ,aAAa;IACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;KACP,MAAM;KACN,YAAY,EACX,SAAS;MACR,MAAM;MACN,aACC;MACD,EACD;KACD,EACD,EACD;IACD,EACD;GACD,EACD;EACD,EACD,OAAO,QAAQ;AACd,mBAAiB;EACjB,MAAM,QAAQ,IAAI,KAAK;EACvB,MAAM,MACL,KAAK,YAAY;GAAE;GAAO,MAAM;GAAmB,EAAE,IAAI,IACzD,oBAAoB,KAAK;EAC1B,MAAM,YAAY,MAAM,SAAS,KAAK,MAAM,IAAI;AAChD,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,GAAG,UAAU;GACpB,YAAY,uBAAuB;GACnC,WAAW,QAAQ,KAAK,WAAW,MAAM;GACzC,CAAC;AAEF,MAAI,CADS,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM,EAC1D;AACV,SAAM,IAAI,QAAQ,gBAAgB,+BACjC,uBAAuB,QACvB;AACD,UAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;;AAEH,QAAM,IAAI,QAAQ,uBACjB,KAAK,oBACJ;GACC;GACA;GACA,MAAM;GACN,EACD,IACA,CACD;AACD,SAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;GAEH;;AAGF,MAAM,kCAAkC,EAAE,OAAO;CAChD,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,uCACb,CAAC;CACF,KAAK,EAAE,QAAQ,CAAC,KAAK,EACpB,aAAa,yBACb,CAAC;CACF,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,gBACb,CAAC;CACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,yBAAyB,SACrC,mBACC,6BACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,QAAQ,EACP,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,SAAS,EACR,MAAM,WACN,EACD;IACD,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK;CACvB,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,uBAAuB,QACvB;AACF,KAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;AAEH,KAAI,kBAAkB,4BAAY,IAAI,MAAM,EAAE;AAC7C,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;CAEH,MAAM,CAAC,UAAU,YAAY,iBAAiB,kBAAkB,MAAM;CACtE,MAAM,kBAAkB,MAAM,mBAAmB;AACjD,KAAI,YAAY,SAAS,SAAS,IAAI,iBAAiB;AACtD,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,YAAY,mBACrB,CAAC;;AAGH,KAAI,CADa,MAAM,gBAAgB,KAAK,MAAM,UAAU,IAAI,KAAK,IAAI,EAC1D;AACd,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,IAClB,EACC,OAAO,GAAG,SAAS,GAAG,SAAS,YAAY,IAAI,GAAG,KAClD,CACD;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;AAEH,OAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;CACD,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,OAAO,EACrE,iBAAiB,MACjB,CAAC;AACF,KAAI,CAAC,KACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,gBAC1B,CAAC;CAEH,MAAM,oBAAoB,IAAI,QAAQ,SAAS,OAAO;AACtD,KAAI,IAAI,KAAK,SAAS,SAAS,kBAC9B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,oBAC1B,CAAC;CAEH,MAAM,oBAAoB,IAAI,QAAQ,SAAS,OAAO;AACtD,KAAI,IAAI,KAAK,SAAS,SAAS,kBAC9B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,mBAC1B,CAAC;CAEH,MAAM,eAAe,MAAM,IAAI,QAAQ,SAAS,KAAK,IAAI,KAAK,SAAS;AAIvE,KAAI,CAHY,KAAK,UAAU,MAC7B,YAAY,QAAQ,eAAe,aACpC,CAEA,OAAM,IAAI,QAAQ,gBAAgB,cAAc;EAC/C,QAAQ,KAAK,KAAK;EAClB,YAAY;EACZ,WAAW,KAAK,KAAK;EACrB,UAAU;EACV,CAAC;KAEF,OAAM,IAAI,QAAQ,gBAAgB,eACjC,KAAK,KAAK,IACV,aACA;AAGF,KAAI,IAAI,QAAQ,QAAQ,kBAAkB,gBACzC,OAAM,IAAI,QAAQ,QAAQ,iBAAiB,gBAC1C,EACC,MAAM,KAAK,MACX,EACD,IAAI,QACJ;AAGF,KAAI,CAAC,KAAK,KAAK,cACd,OAAM,IAAI,QAAQ,gBAAgB,WAAW,KAAK,KAAK,IAAI,EAC1D,eAAe,MACf,CAAC;AAGH,KAAI,IAAI,QAAQ,QAAQ,kBAAkB,8BACzC,OAAM,IAAI,QAAQ,gBAAgB,eAAe,KAAK,KAAK,GAAG;AAE/D,QAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;EAEH;AAEF,MAAM,uBAAuB,YAC5B,qBAAqB,QAAQ,aAAa,GAAG,MAAM"}
+{"version":3,"file":"routes.mjs","names":["session"],"sources":["../../../src/plugins/email-otp/routes.ts"],"sourcesContent":["import { createAuthEndpoint } from \"@better-auth/core/api\";\nimport { BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { defineErrorCodes, deprecate } from \"@better-auth/core/utils\";\nimport * as z from \"zod\";\nimport { APIError, getSessionFromCtx } from \"../../api\";\nimport { setCookieCache, setSessionCookie } from \"../../cookies\";\nimport { generateRandomString, symmetricDecrypt } from \"../../crypto\";\nimport { parseUserOutput } from \"../../db/schema\";\nimport { getDate } from \"../../utils/date\";\nimport { storeOTP, verifyStoredOTP } from \"./otp-token\";\nimport type { EmailOTPOptions } from \"./types\";\nimport { splitAtLastColon } from \"./utils\";\n\nconst types = [\"email-verification\", \"sign-in\", \"forget-password\"] as const;\n\ntype WithRequired<T, K extends keyof T> = T & { [P in K]-?: T[P] };\n\ntype RequiredEmailOTPOptions = WithRequired<\n\tEmailOTPOptions,\n\t\"expiresIn\" | \"generateOTP\" | \"storeOTP\"\n>;\n\nexport const ERROR_CODES = defineErrorCodes({\n\tOTP_EXPIRED: \"OTP expired\",\n\tINVALID_OTP: \"Invalid OTP\",\n\tTOO_MANY_ATTEMPTS: \"Too many attempts\",\n});\n\nconst sendVerificationOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address to send the OTP\",\n\t}),\n\ttype: z.enum(types).meta({\n\t\tdescription: \"Type of the OTP\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/email-otp/send-verification-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.sendVerificationOTP`\n *\n * **client:**\n * `authClient.emailOtp.sendVerificationOtp`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-send-verification-otp)\n */\nexport const sendVerificationOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/send-verification-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: sendVerificationOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"sendEmailVerificationOTP\",\n\t\t\t\t\tdescription: \"Send a verification OTP to an email\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tif (!opts?.sendVerificationOTP) {\n\t\t\t\tctx.context.logger.error(\"send email verification is not implemented\");\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"send email verification is not implemented\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst isValidEmail = z.email().safeParse(email);\n\t\t\tif (!isValidEmail.success) {\n\t\t\t\tthrow ctx.error(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_EMAIL,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst otp =\n\t\t\t\topts.generateOTP({ email, type: ctx.body.type }, ctx) ||\n\t\t\t\tdefaultOTPGenerator(opts);\n\n\t\t\tconst storedOTP = await storeOTP(ctx, opts, otp);\n\n\t\t\tawait ctx.context.internalAdapter\n\t\t\t\t.createVerificationValue({\n\t\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\t\tidentifier: `${ctx.body.type}-otp-${email}`,\n\t\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t\t})\n\t\t\t\t.catch(async (error) => {\n\t\t\t\t\t// might be duplicate key error\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t\t`${ctx.body.type}-otp-${email}`,\n\t\t\t\t\t);\n\t\t\t\t\t//try again\n\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\t\t\tidentifier: `${ctx.body.type}-otp-${email}`,\n\t\t\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t\t\t});\n\t\t\t\t});\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tif (ctx.body.type === \"sign-in\" && !opts.disableSignUp) {\n\t\t\t\t\t// allow\n\t\t\t\t} else {\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t\t`${ctx.body.type}-otp-${email}`,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\tsuccess: true,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tawait ctx.context.runInBackgroundOrAwait(\n\t\t\t\topts.sendVerificationOTP(\n\t\t\t\t\t{\n\t\t\t\t\t\temail,\n\t\t\t\t\t\totp,\n\t\t\t\t\t\ttype: ctx.body.type,\n\t\t\t\t\t},\n\t\t\t\t\tctx,\n\t\t\t\t),\n\t\t\t);\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst createVerificationOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address to send the OTP\",\n\t}),\n\ttype: z.enum(types).meta({\n\t\trequired: true,\n\t\tdescription: \"Type of the OTP\",\n\t}),\n});\n\nexport const createVerificationOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: createVerificationOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"createEmailVerificationOTP\",\n\t\t\t\t\tdescription: \"Create a verification OTP for an email\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst otp =\n\t\t\t\topts.generateOTP({ email, type: ctx.body.type }, ctx) ||\n\t\t\t\tdefaultOTPGenerator(opts);\n\t\t\tconst storedOTP = await storeOTP(ctx, opts, otp);\n\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\tidentifier: `${ctx.body.type}-otp-${email}`,\n\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t});\n\t\t\treturn otp;\n\t\t},\n\t);\n\nconst getVerificationOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address the OTP was sent to\",\n\t}),\n\ttype: z.enum(types).meta({\n\t\trequired: true,\n\t\tdescription: \"Type of the OTP\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * GET `/email-otp/get-verification-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.getVerificationOTP`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-get-verification-otp)\n */\nexport const getVerificationOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\tquery: getVerificationOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"getEmailVerificationOTP\",\n\t\t\t\t\tdescription: \"Get a verification OTP for an email\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"OTP retrieved successfully or not found/expired\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\totp: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"The stored OTP, or null if not found or expired\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"otp\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.query.email.toLowerCase();\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`${ctx.query.type}-otp-${email}`,\n\t\t\t\t);\n\t\t\tif (!verificationValue || verificationValue.expiresAt < new Date()) {\n\t\t\t\treturn ctx.json({\n\t\t\t\t\totp: null,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (\n\t\t\t\topts.storeOTP === \"hashed\" ||\n\t\t\t\t(typeof opts.storeOTP === \"object\" && \"hash\" in opts.storeOTP)\n\t\t\t) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"OTP is hashed, cannot return the plain text OTP\",\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst [storedOtp, _attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tlet otp = storedOtp;\n\t\t\tif (opts.storeOTP === \"encrypted\") {\n\t\t\t\totp = await symmetricDecrypt({\n\t\t\t\t\tkey: ctx.context.secret,\n\t\t\t\t\tdata: storedOtp,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (typeof opts.storeOTP === \"object\" && \"decrypt\" in opts.storeOTP) {\n\t\t\t\totp = await opts.storeOTP.decrypt(storedOtp);\n\t\t\t}\n\n\t\t\treturn ctx.json({\n\t\t\t\totp,\n\t\t\t});\n\t\t},\n\t);\n\nconst checkVerificationOTPBodySchema = z.object({\n\temail: z.string().meta({\n\t\tdescription: \"Email address the OTP was sent to\",\n\t}),\n\ttype: z.enum(types).meta({\n\t\trequired: true,\n\t\tdescription: \"Type of the OTP\",\n\t}),\n\totp: z.string().meta({\n\t\trequired: true,\n\t\tdescription: \"OTP to verify\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * GET `/email-otp/check-verification-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.checkVerificationOTP`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-check-verification-otp)\n */\nexport const checkVerificationOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/check-verification-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: checkVerificationOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"verifyEmailWithOTP\",\n\t\t\t\t\tdescription: \"Verify an email with an OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst isValidEmail = z.email().safeParse(email);\n\t\t\tif (!isValidEmail.success) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_EMAIL,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`${ctx.body.type}-otp-${email}`,\n\t\t\t\t);\n\t\t\tif (!verificationValue) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (verificationValue.expiresAt < new Date()) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.OTP_EXPIRED,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst [otpValue, attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tconst allowedAttempts = opts?.allowedAttempts || 3;\n\t\t\tif (attempts && parseInt(attempts) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ERROR_CODES.TOO_MANY_ATTEMPTS,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);\n\t\t\tif (!verified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otpValue}:${parseInt(attempts || \"0\") + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst verifyEmailOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address to verify\",\n\t}),\n\totp: z.string().meta({\n\t\trequired: true,\n\t\tdescription: \"OTP to verify\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/email-otp/verify-email`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.verifyEmailOTP`\n *\n * **client:**\n * `authClient.emailOtp.verifyEmail`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-verify-email)\n */\nexport const verifyEmailOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/verify-email\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: verifyEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Verify email with OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Indicates if the verification was successful\",\n\t\t\t\t\t\t\t\t\t\t\t\tenum: [true],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Session token if autoSignInAfterVerification is enabled, otherwise null\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"status\", \"token\", \"user\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst isValidEmail = z.email().safeParse(email);\n\t\t\tif (!isValidEmail.success) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_EMAIL,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`email-verification-otp-${email}`,\n\t\t\t\t);\n\n\t\t\tif (!verificationValue) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (verificationValue.expiresAt < new Date()) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.OTP_EXPIRED,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst [otpValue, attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tconst allowedAttempts = opts?.allowedAttempts || 3;\n\t\t\tif (attempts && parseInt(attempts) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ERROR_CODES.TOO_MANY_ATTEMPTS,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);\n\t\t\tif (!verified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otpValue}:${parseInt(attempts || \"0\") + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\tverificationValue.id,\n\t\t\t);\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\t/**\n\t\t\t\t * safe to leak the existence of a user, given the user has already the OTP from the\n\t\t\t\t * email\n\t\t\t\t */\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (ctx.context.options.emailVerification?.beforeEmailVerification) {\n\t\t\t\tawait ctx.context.options.emailVerification.beforeEmailVerification(\n\t\t\t\t\tuser.user,\n\t\t\t\t\tctx.request,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\tuser.user.id,\n\t\t\t\t{\n\t\t\t\t\temail,\n\t\t\t\t\temailVerified: true,\n\t\t\t\t},\n\t\t\t);\n\t\t\tif (ctx.context.options.emailVerification?.onEmailVerification) {\n\t\t\t\tawait ctx.context.options.emailVerification.onEmailVerification(\n\t\t\t\t\tupdatedUser,\n\t\t\t\t\tctx.request,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tawait ctx.context.options.emailVerification?.afterEmailVerification?.(\n\t\t\t\tupdatedUser,\n\t\t\t\tctx.request,\n\t\t\t);\n\n\t\t\tif (ctx.context.options.emailVerification?.autoSignInAfterVerification) {\n\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\tupdatedUser.id,\n\t\t\t\t);\n\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\tsession,\n\t\t\t\t\tuser: updatedUser,\n\t\t\t\t});\n\t\t\t\treturn ctx.json({\n\t\t\t\t\tstatus: true,\n\t\t\t\t\ttoken: session.token,\n\t\t\t\t\tuser: parseUserOutput(ctx.context.options, updatedUser),\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst currentSession = await getSessionFromCtx(ctx);\n\t\t\tif (currentSession && updatedUser.emailVerified) {\n\t\t\t\tconst dontRememberMeCookie = await ctx.getSignedCookie(\n\t\t\t\t\tctx.context.authCookies.dontRememberToken.name,\n\t\t\t\t\tctx.context.secret,\n\t\t\t\t);\n\t\t\t\tawait setCookieCache(\n\t\t\t\t\tctx,\n\t\t\t\t\t{\n\t\t\t\t\t\tsession: currentSession.session,\n\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t...currentSession.user,\n\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\t!!dontRememberMeCookie,\n\t\t\t\t);\n\t\t\t}\n\t\t\treturn ctx.json({\n\t\t\t\tstatus: true,\n\t\t\t\ttoken: null,\n\t\t\t\tuser: parseUserOutput(ctx.context.options, updatedUser),\n\t\t\t});\n\t\t},\n\t);\n\nconst signInEmailOTPBodySchema = z.object({\n\temail: z.string({}).meta({\n\t\tdescription: \"Email address to sign in\",\n\t}),\n\totp: z.string().meta({\n\t\trequired: true,\n\t\tdescription: \"OTP sent to the email\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/sign-in/email-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.signInEmailOTP`\n *\n * **client:**\n * `authClient.signIn.emailOtp`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-sign-in-email-otp)\n */\nexport const signInEmailOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/sign-in/email-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: signInEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"signInWithEmailOTP\",\n\t\t\t\t\tdescription: \"Sign in with email and OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Session token for the authenticated session\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"token\", \"user\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email.toLowerCase();\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`sign-in-otp-${email}`,\n\t\t\t\t);\n\t\t\tif (!verificationValue) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (verificationValue.expiresAt < new Date()) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.OTP_EXPIRED,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst [otpValue, attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tconst allowedAttempts = opts?.allowedAttempts || 3;\n\t\t\tif (attempts && parseInt(attempts) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ERROR_CODES.TOO_MANY_ATTEMPTS,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);\n\t\t\tif (!verified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otpValue}:${parseInt(attempts || \"0\") + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\tverificationValue.id,\n\t\t\t);\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tif (opts.disableSignUp) {\n\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t\tconst newUser = await ctx.context.internalAdapter.createUser({\n\t\t\t\t\temail,\n\t\t\t\t\temailVerified: true,\n\t\t\t\t\tname: \"\",\n\t\t\t\t});\n\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\tnewUser.id,\n\t\t\t\t);\n\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\tsession,\n\t\t\t\t\tuser: newUser,\n\t\t\t\t});\n\t\t\t\treturn ctx.json({\n\t\t\t\t\ttoken: session.token,\n\t\t\t\t\tuser: parseUserOutput(ctx.context.options, newUser),\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (!user.user.emailVerified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateUser(user.user.id, {\n\t\t\t\t\temailVerified: true,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\tuser.user.id,\n\t\t\t);\n\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\tsession,\n\t\t\t\tuser: user.user,\n\t\t\t});\n\t\t\treturn ctx.json({\n\t\t\t\ttoken: session.token,\n\t\t\t\tuser: parseUserOutput(ctx.context.options, user.user),\n\t\t\t});\n\t\t},\n\t);\n\nconst requestPasswordResetEmailOTPBodySchema = z.object({\n\temail: z.string().meta({\n\t\tdescription: \"Email address to send the OTP\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/email-otp/request-password-reset`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.requestPasswordResetEmailOTP`\n *\n * **client:**\n * `authClient.emailOtp.requestPasswordReset`\n *\n * @see [Read our docs to learn more.](https://www.better-auth.com/docs/plugins/email-otp#reset-password-with-otp)\n */\nexport const requestPasswordResetEmailOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/request-password-reset\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: requestPasswordResetEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"requestPasswordResetWithEmailOTP\",\n\t\t\t\t\tdescription: \"Request password reset with email and OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Indicates if the OTP was sent successfully\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email;\n\t\t\tconst otp =\n\t\t\t\topts.generateOTP({ email, type: \"forget-password\" }, ctx) ||\n\t\t\t\tdefaultOTPGenerator(opts);\n\t\t\tconst storedOTP = await storeOTP(ctx, opts, otp);\n\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\tidentifier: `forget-password-otp-${email}`,\n\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t});\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t`forget-password-otp-${email}`,\n\t\t\t\t);\n\t\t\t\treturn ctx.json({\n\t\t\t\t\tsuccess: true,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.runInBackgroundOrAwait(\n\t\t\t\topts.sendVerificationOTP(\n\t\t\t\t\t{\n\t\t\t\t\t\temail,\n\t\t\t\t\t\totp,\n\t\t\t\t\t\ttype: \"forget-password\",\n\t\t\t\t\t},\n\t\t\t\t\tctx,\n\t\t\t\t),\n\t\t\t);\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst forgetPasswordEmailOTPBodySchema = z.object({\n\temail: z.string().meta({\n\t\tdescription: \"Email address to send the OTP\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/forget-password/email-otp`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.forgetPasswordEmailOTP`\n *\n * **client:**\n * `authClient.forgetPassword.emailOtp`\n *\n * @deprecated Use `/email-otp/request-password-reset` instead.\n * @see [Read our docs to learn more.](https://www.better-auth.com/docs/plugins/email-otp#reset-password-with-otp)\n */\nexport const forgetPasswordEmailOTP = (opts: RequiredEmailOTPOptions) => {\n\tconst warnDeprecation = deprecate(\n\t\t() => {},\n\t\t'The \"/forget-password/email-otp\" endpoint is deprecated. ' +\n\t\t\t'Please use \"/email-otp/request-password-reset\" instead. ' +\n\t\t\t\"This endpoint will be removed in the next major version.\",\n\t);\n\n\treturn createAuthEndpoint(\n\t\t\"/forget-password/email-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: forgetPasswordEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"forgetPasswordWithEmailOTP\",\n\t\t\t\t\tdescription:\n\t\t\t\t\t\t\"Deprecated: Use /email-otp/request-password-reset instead.\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Indicates if the OTP was sent successfully\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\twarnDeprecation();\n\t\t\tconst email = ctx.body.email;\n\t\t\tconst otp =\n\t\t\t\topts.generateOTP({ email, type: \"forget-password\" }, ctx) ||\n\t\t\t\tdefaultOTPGenerator(opts);\n\t\t\tconst storedOTP = await storeOTP(ctx, opts, otp);\n\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\tvalue: `${storedOTP}:0`,\n\t\t\t\tidentifier: `forget-password-otp-${email}`,\n\t\t\t\texpiresAt: getDate(opts.expiresIn, \"sec\"),\n\t\t\t});\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email);\n\t\t\tif (!user) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t`forget-password-otp-${email}`,\n\t\t\t\t);\n\t\t\t\treturn ctx.json({\n\t\t\t\t\tsuccess: true,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.runInBackgroundOrAwait(\n\t\t\t\topts.sendVerificationOTP(\n\t\t\t\t\t{\n\t\t\t\t\t\temail,\n\t\t\t\t\t\totp,\n\t\t\t\t\t\ttype: \"forget-password\",\n\t\t\t\t\t},\n\t\t\t\t\tctx,\n\t\t\t\t),\n\t\t\t);\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n};\n\nconst resetPasswordEmailOTPBodySchema = z.object({\n\temail: z.string().meta({\n\t\tdescription: \"Email address to reset the password\",\n\t}),\n\totp: z.string().meta({\n\t\tdescription: \"OTP sent to the email\",\n\t}),\n\tpassword: z.string().meta({\n\t\tdescription: \"New password\",\n\t}),\n});\n\n/**\n * ### Endpoint\n *\n * POST `/email-otp/reset-password`\n *\n * ### API Methods\n *\n * **server:**\n * `auth.api.resetPasswordEmailOTP`\n *\n * **client:**\n * `authClient.emailOtp.resetPassword`\n *\n * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/email-otp#api-method-email-otp-reset-password)\n */\nexport const resetPasswordEmailOTP = (opts: RequiredEmailOTPOptions) =>\n\tcreateAuthEndpoint(\n\t\t\"/email-otp/reset-password\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: resetPasswordEmailOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\toperationId: \"resetPasswordWithEmailOTP\",\n\t\t\t\t\tdescription: \"Reset password with email and OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tsuccess: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst email = ctx.body.email;\n\t\t\tconst verificationValue =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`forget-password-otp-${email}`,\n\t\t\t\t);\n\t\t\tif (!verificationValue) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tif (verificationValue.expiresAt < new Date()) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.OTP_EXPIRED,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst [otpValue, attempts] = splitAtLastColon(verificationValue.value);\n\t\t\tconst allowedAttempts = opts?.allowedAttempts || 3;\n\t\t\tif (attempts && parseInt(attempts) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\t\t\tmessage: ERROR_CODES.TOO_MANY_ATTEMPTS,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst verified = await verifyStoredOTP(ctx, opts, otpValue, ctx.body.otp);\n\t\t\tif (!verified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\tverificationValue.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otpValue}:${parseInt(attempts || \"0\") + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: ERROR_CODES.INVALID_OTP,\n\t\t\t\t});\n\t\t\t}\n\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\tverificationValue.id,\n\t\t\t);\n\t\t\tconst user = await ctx.context.internalAdapter.findUserByEmail(email, {\n\t\t\t\tincludeAccounts: true,\n\t\t\t});\n\t\t\tif (!user) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.USER_NOT_FOUND,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst minPasswordLength = ctx.context.password.config.minPasswordLength;\n\t\t\tif (ctx.body.password.length < minPasswordLength) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.PASSWORD_TOO_SHORT,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst maxPasswordLength = ctx.context.password.config.maxPasswordLength;\n\t\t\tif (ctx.body.password.length > maxPasswordLength) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: BASE_ERROR_CODES.PASSWORD_TOO_LONG,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst passwordHash = await ctx.context.password.hash(ctx.body.password);\n\t\t\tconst account = user.accounts?.find(\n\t\t\t\t(account) => account.providerId === \"credential\",\n\t\t\t);\n\t\t\tif (!account) {\n\t\t\t\tawait ctx.context.internalAdapter.createAccount({\n\t\t\t\t\tuserId: user.user.id,\n\t\t\t\t\tproviderId: \"credential\",\n\t\t\t\t\taccountId: user.user.id,\n\t\t\t\t\tpassword: passwordHash,\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tawait ctx.context.internalAdapter.updatePassword(\n\t\t\t\t\tuser.user.id,\n\t\t\t\t\tpasswordHash,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (ctx.context.options.emailAndPassword?.onPasswordReset) {\n\t\t\t\tawait ctx.context.options.emailAndPassword.onPasswordReset(\n\t\t\t\t\t{\n\t\t\t\t\t\tuser: user.user,\n\t\t\t\t\t},\n\t\t\t\t\tctx.request,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (!user.user.emailVerified) {\n\t\t\t\tawait ctx.context.internalAdapter.updateUser(user.user.id, {\n\t\t\t\t\temailVerified: true,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\tif (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteSessions(user.user.id);\n\t\t\t}\n\t\t\treturn ctx.json({\n\t\t\t\tsuccess: true,\n\t\t\t});\n\t\t},\n\t);\n\nconst defaultOTPGenerator = (options: EmailOTPOptions) =>\n\tgenerateRandomString(options.otpLength ?? 6, \"0-9\");\n"],"mappings":";;;;;;;;;;;;;;;AAaA,MAAM,QAAQ;CAAC;CAAsB;CAAW;CAAkB;AASlE,MAAa,cAAc,iBAAiB;CAC3C,aAAa;CACb,aAAa;CACb,mBAAmB;CACnB,CAAC;AAEF,MAAM,gCAAgC,EAAE,OAAO;CAC9C,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,iCACb,CAAC;CACF,MAAM,EAAE,KAAK,MAAM,CAAC,KAAK,EACxB,aAAa,mBACb,CAAC;CACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,uBAAuB,SACnC,mBACC,oCACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,SAAS,EACR,MAAM,WACN,EACD;IACD,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;AACd,KAAI,CAAC,MAAM,qBAAqB;AAC/B,MAAI,QAAQ,OAAO,MAAM,6CAA6C;AACtE,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,8CACT,CAAC;;CAEH,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;AAE1C,KAAI,CADiB,EAAE,OAAO,CAAC,UAAU,MAAM,CAC7B,QACjB,OAAM,IAAI,MAAM,eAAe,EAC9B,SAAS,iBAAiB,eAC1B,CAAC;CAEH,MAAM,MACL,KAAK,YAAY;EAAE;EAAO,MAAM,IAAI,KAAK;EAAM,EAAE,IAAI,IACrD,oBAAoB,KAAK;CAE1B,MAAM,YAAY,MAAM,SAAS,KAAK,MAAM,IAAI;AAEhD,OAAM,IAAI,QAAQ,gBAChB,wBAAwB;EACxB,OAAO,GAAG,UAAU;EACpB,YAAY,GAAG,IAAI,KAAK,KAAK,OAAO;EACpC,WAAW,QAAQ,KAAK,WAAW,MAAM;EACzC,CAAC,CACD,MAAM,OAAO,UAAU;AAEvB,QAAM,IAAI,QAAQ,gBAAgB,+BACjC,GAAG,IAAI,KAAK,KAAK,OAAO,QACxB;AAED,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,GAAG,UAAU;GACpB,YAAY,GAAG,IAAI,KAAK,KAAK,OAAO;GACpC,WAAW,QAAQ,KAAK,WAAW,MAAM;GACzC,CAAC;GACD;AAEH,KAAI,CADS,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM,CAEpE,KAAI,IAAI,KAAK,SAAS,aAAa,CAAC,KAAK,eAAe,QAEjD;AACN,QAAM,IAAI,QAAQ,gBAAgB,+BACjC,GAAG,IAAI,KAAK,KAAK,OAAO,QACxB;AACD,SAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;;AAIJ,OAAM,IAAI,QAAQ,uBACjB,KAAK,oBACJ;EACC;EACA;EACA,MAAM,IAAI,KAAK;EACf,EACD,IACA,CACD;AACD,QAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;EAEH;AAEF,MAAM,kCAAkC,EAAE,OAAO;CAChD,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,iCACb,CAAC;CACF,MAAM,EAAE,KAAK,MAAM,CAAC,KAAK;EACxB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;AAEF,MAAa,yBAAyB,SACrC,mBACC;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ,EACP,MAAM,UACN,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;CAC1C,MAAM,MACL,KAAK,YAAY;EAAE;EAAO,MAAM,IAAI,KAAK;EAAM,EAAE,IAAI,IACrD,oBAAoB,KAAK;CAC1B,MAAM,YAAY,MAAM,SAAS,KAAK,MAAM,IAAI;AAChD,OAAM,IAAI,QAAQ,gBAAgB,wBAAwB;EACzD,OAAO,GAAG,UAAU;EACpB,YAAY,GAAG,IAAI,KAAK,KAAK,OAAO;EACpC,WAAW,QAAQ,KAAK,WAAW,MAAM;EACzC,CAAC;AACF,QAAO;EAER;AAEF,MAAM,+BAA+B,EAAE,OAAO;CAC7C,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,qCACb,CAAC;CACF,MAAM,EAAE,KAAK,MAAM,CAAC,KAAK;EACxB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;;;;;;;;;;;;;AAcF,MAAa,sBAAsB,SAClC,mBACC;CACC,QAAQ;CACR,OAAO;CACP,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,OAAO;GACN,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,KAAK;KACJ,MAAM;KACN,UAAU;KACV,aACC;KACD,EACD;IACD,UAAU,CAAC,MAAM;IACjB,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,MAAM,MAAM,aAAa;CAC3C,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,GAAG,IAAI,MAAM,KAAK,OAAO,QACzB;AACF,KAAI,CAAC,qBAAqB,kBAAkB,4BAAY,IAAI,MAAM,CACjE,QAAO,IAAI,KAAK,EACf,KAAK,MACL,CAAC;AAEH,KACC,KAAK,aAAa,YACjB,OAAO,KAAK,aAAa,YAAY,UAAU,KAAK,SAErD,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,mDACT,CAAC;CAGH,MAAM,CAAC,WAAW,aAAa,iBAAiB,kBAAkB,MAAM;CACxE,IAAI,MAAM;AACV,KAAI,KAAK,aAAa,YACrB,OAAM,MAAM,iBAAiB;EAC5B,KAAK,IAAI,QAAQ;EACjB,MAAM;EACN,CAAC;AAGH,KAAI,OAAO,KAAK,aAAa,YAAY,aAAa,KAAK,SAC1D,OAAM,MAAM,KAAK,SAAS,QAAQ,UAAU;AAG7C,QAAO,IAAI,KAAK,EACf,KACA,CAAC;EAEH;AAEF,MAAM,iCAAiC,EAAE,OAAO;CAC/C,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,qCACb,CAAC;CACF,MAAM,EAAE,KAAK,MAAM,CAAC,KAAK;EACxB,UAAU;EACV,aAAa;EACb,CAAC;CACF,KAAK,EAAE,QAAQ,CAAC,KAAK;EACpB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;;;;;;;;;;;;;AAcF,MAAa,wBAAwB,SACpC,mBACC,qCACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,SAAS,EACR,MAAM,WACN,EACD;IACD,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;AAE1C,KAAI,CADiB,EAAE,OAAO,CAAC,UAAU,MAAM,CAC7B,QACjB,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,eAC1B,CAAC;AAGH,KAAI,CADS,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM,CAEpE,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,gBAC1B,CAAC;CAEH,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,GAAG,IAAI,KAAK,KAAK,OAAO,QACxB;AACF,KAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;AAEH,KAAI,kBAAkB,4BAAY,IAAI,MAAM,EAAE;AAC7C,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;CAGH,MAAM,CAAC,UAAU,YAAY,iBAAiB,kBAAkB,MAAM;CACtE,MAAM,kBAAkB,MAAM,mBAAmB;AACjD,KAAI,YAAY,SAAS,SAAS,IAAI,iBAAiB;AACtD,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,YAAY,mBACrB,CAAC;;AAGH,KAAI,CADa,MAAM,gBAAgB,KAAK,MAAM,UAAU,IAAI,KAAK,IAAI,EAC1D;AACd,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,IAClB,EACC,OAAO,GAAG,SAAS,GAAG,SAAS,YAAY,IAAI,GAAG,KAClD,CACD;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;AAEH,QAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;EAEH;AAEF,MAAM,2BAA2B,EAAE,OAAO;CACzC,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,2BACb,CAAC;CACF,KAAK,EAAE,QAAQ,CAAC,KAAK;EACpB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,kBAAkB,SAC9B,mBACC,2BACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY;KACX,QAAQ;MACP,MAAM;MACN,aACC;MACD,MAAM,CAAC,KAAK;MACZ;KACD,OAAO;MACN,MAAM;MACN,UAAU;MACV,aACC;MACD;KACD,MAAM,EACL,MAAM,6BACN;KACD;IACD,UAAU;KAAC;KAAU;KAAS;KAAO;IACrC,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;AAE1C,KAAI,CADiB,EAAE,OAAO,CAAC,UAAU,MAAM,CAC7B,QACjB,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,eAC1B,CAAC;CAEH,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,0BAA0B,QAC1B;AAEF,KAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;AAEH,KAAI,kBAAkB,4BAAY,IAAI,MAAM,CAC3C,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;CAGH,MAAM,CAAC,UAAU,YAAY,iBAAiB,kBAAkB,MAAM;CACtE,MAAM,kBAAkB,MAAM,mBAAmB;AACjD,KAAI,YAAY,SAAS,SAAS,IAAI,iBAAiB;AACtD,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,YAAY,mBACrB,CAAC;;AAGH,KAAI,CADa,MAAM,gBAAgB,KAAK,MAAM,UAAU,IAAI,KAAK,IAAI,EAC1D;AACd,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,IAClB,EACC,OAAO,GAAG,SAAS,GAAG,SAAS,YAAY,IAAI,GAAG,KAClD,CACD;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;AAEH,OAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;CACD,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM;AACrE,KAAI,CAAC;;;;;AAKJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,gBAC1B,CAAC;AAEH,KAAI,IAAI,QAAQ,QAAQ,mBAAmB,wBAC1C,OAAM,IAAI,QAAQ,QAAQ,kBAAkB,wBAC3C,KAAK,MACL,IAAI,QACJ;CAEF,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,KAAK,IACV;EACC;EACA,eAAe;EACf,CACD;AACD,KAAI,IAAI,QAAQ,QAAQ,mBAAmB,oBAC1C,OAAM,IAAI,QAAQ,QAAQ,kBAAkB,oBAC3C,aACA,IAAI,QACJ;AAGF,OAAM,IAAI,QAAQ,QAAQ,mBAAmB,yBAC5C,aACA,IAAI,QACJ;AAED,KAAI,IAAI,QAAQ,QAAQ,mBAAmB,6BAA6B;EACvE,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,YAAY,GACZ;AACD,QAAM,iBAAiB,KAAK;GAC3B;GACA,MAAM;GACN,CAAC;AACF,SAAO,IAAI,KAAK;GACf,QAAQ;GACR,OAAO,QAAQ;GACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,YAAY;GACvD,CAAC;;CAEH,MAAM,iBAAiB,MAAM,kBAAkB,IAAI;AACnD,KAAI,kBAAkB,YAAY,eAAe;EAChD,MAAM,uBAAuB,MAAM,IAAI,gBACtC,IAAI,QAAQ,YAAY,kBAAkB,MAC1C,IAAI,QAAQ,OACZ;AACD,QAAM,eACL,KACA;GACC,SAAS,eAAe;GACxB,MAAM;IACL,GAAG,eAAe;IAClB,eAAe;IACf;GACD,EACD,CAAC,CAAC,qBACF;;AAEF,QAAO,IAAI,KAAK;EACf,QAAQ;EACR,OAAO;EACP,MAAM,gBAAgB,IAAI,QAAQ,SAAS,YAAY;EACvD,CAAC;EAEH;AAEF,MAAM,2BAA2B,EAAE,OAAO;CACzC,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EACxB,aAAa,4BACb,CAAC;CACF,KAAK,EAAE,QAAQ,CAAC,KAAK;EACpB,UAAU;EACV,aAAa;EACb,CAAC;CACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,kBAAkB,SAC9B,mBACC,sBACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY;KACX,OAAO;MACN,MAAM;MACN,aACC;MACD;KACD,MAAM,EACL,MAAM,6BACN;KACD;IACD,UAAU,CAAC,SAAS,OAAO;IAC3B,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK,MAAM,aAAa;CAC1C,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,eAAe,QACf;AACF,KAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;AAEH,KAAI,kBAAkB,4BAAY,IAAI,MAAM,CAC3C,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;CAEH,MAAM,CAAC,UAAU,YAAY,iBAAiB,kBAAkB,MAAM;CACtE,MAAM,kBAAkB,MAAM,mBAAmB;AACjD,KAAI,YAAY,SAAS,SAAS,IAAI,iBAAiB;AACtD,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,YAAY,mBACrB,CAAC;;AAGH,KAAI,CADa,MAAM,gBAAgB,KAAK,MAAM,UAAU,IAAI,KAAK,IAAI,EAC1D;AACd,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,IAClB,EACC,OAAO,GAAG,SAAS,GAAG,SAAS,YAAY,IAAI,GAAG,KAClD,CACD;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;AAEH,OAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;CACD,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM;AACrE,KAAI,CAAC,MAAM;AACV,MAAI,KAAK,cACR,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,gBAC1B,CAAC;EAEH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,WAAW;GAC5D;GACA,eAAe;GACf,MAAM;GACN,CAAC;EACF,MAAMA,YAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,QAAQ,GACR;AACD,QAAM,iBAAiB,KAAK;GAC3B;GACA,MAAM;GACN,CAAC;AACF,SAAO,IAAI,KAAK;GACf,OAAOA,UAAQ;GACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,QAAQ;GACnD,CAAC;;AAGH,KAAI,CAAC,KAAK,KAAK,cACd,OAAM,IAAI,QAAQ,gBAAgB,WAAW,KAAK,KAAK,IAAI,EAC1D,eAAe,MACf,CAAC;CAGH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,KAAK,KAAK,GACV;AACD,OAAM,iBAAiB,KAAK;EAC3B;EACA,MAAM,KAAK;EACX,CAAC;AACF,QAAO,IAAI,KAAK;EACf,OAAO,QAAQ;EACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,KAAK,KAAK;EACrD,CAAC;EAEH;AAEF,MAAM,yCAAyC,EAAE,OAAO,EACvD,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,iCACb,CAAC,EACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,gCAAgC,SAC5C,mBACC,qCACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,SAAS;KACR,MAAM;KACN,aACC;KACD,EACD;IACD,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK;CACvB,MAAM,MACL,KAAK,YAAY;EAAE;EAAO,MAAM;EAAmB,EAAE,IAAI,IACzD,oBAAoB,KAAK;CAC1B,MAAM,YAAY,MAAM,SAAS,KAAK,MAAM,IAAI;AAChD,OAAM,IAAI,QAAQ,gBAAgB,wBAAwB;EACzD,OAAO,GAAG,UAAU;EACpB,YAAY,uBAAuB;EACnC,WAAW,QAAQ,KAAK,WAAW,MAAM;EACzC,CAAC;AAEF,KAAI,CADS,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM,EAC1D;AACV,QAAM,IAAI,QAAQ,gBAAgB,+BACjC,uBAAuB,QACvB;AACD,SAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;;AAEH,OAAM,IAAI,QAAQ,uBACjB,KAAK,oBACJ;EACC;EACA;EACA,MAAM;EACN,EACD,IACA,CACD;AACD,QAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;EAEH;AAEF,MAAM,mCAAmC,EAAE,OAAO,EACjD,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,iCACb,CAAC,EACF,CAAC;;;;;;;;;;;;;;;;;AAkBF,MAAa,0BAA0B,SAAkC;CACxE,MAAM,kBAAkB,gBACjB,IACN,gLAGA;AAED,QAAO,mBACN,8BACA;EACC,QAAQ;EACR,MAAM;EACN,UAAU,EACT,SAAS;GACR,aAAa;GACb,aACC;GACD,WAAW,EACV,KAAK;IACJ,aAAa;IACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;KACP,MAAM;KACN,YAAY,EACX,SAAS;MACR,MAAM;MACN,aACC;MACD,EACD;KACD,EACD,EACD;IACD,EACD;GACD,EACD;EACD,EACD,OAAO,QAAQ;AACd,mBAAiB;EACjB,MAAM,QAAQ,IAAI,KAAK;EACvB,MAAM,MACL,KAAK,YAAY;GAAE;GAAO,MAAM;GAAmB,EAAE,IAAI,IACzD,oBAAoB,KAAK;EAC1B,MAAM,YAAY,MAAM,SAAS,KAAK,MAAM,IAAI;AAChD,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,GAAG,UAAU;GACpB,YAAY,uBAAuB;GACnC,WAAW,QAAQ,KAAK,WAAW,MAAM;GACzC,CAAC;AAEF,MAAI,CADS,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,MAAM,EAC1D;AACV,SAAM,IAAI,QAAQ,gBAAgB,+BACjC,uBAAuB,QACvB;AACD,UAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;;AAEH,QAAM,IAAI,QAAQ,uBACjB,KAAK,oBACJ;GACC;GACA;GACA,MAAM;GACN,EACD,IACA,CACD;AACD,SAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;GAEH;;AAGF,MAAM,kCAAkC,EAAE,OAAO;CAChD,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,uCACb,CAAC;CACF,KAAK,EAAE,QAAQ,CAAC,KAAK,EACpB,aAAa,yBACb,CAAC;CACF,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,gBACb,CAAC;CACF,CAAC;;;;;;;;;;;;;;;;AAiBF,MAAa,yBAAyB,SACrC,mBACC,6BACA;CACC,QAAQ;CACR,MAAM;CACN,UAAU,EACT,SAAS;EACR,aAAa;EACb,aAAa;EACb,WAAW,EACV,KAAK;GACJ,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IACP,MAAM;IACN,YAAY,EACX,SAAS,EACR,MAAM,WACN,EACD;IACD,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;CACd,MAAM,QAAQ,IAAI,KAAK;CACvB,MAAM,oBACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,uBAAuB,QACvB;AACF,KAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;AAEH,KAAI,kBAAkB,4BAAY,IAAI,MAAM,EAAE;AAC7C,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;CAEH,MAAM,CAAC,UAAU,YAAY,iBAAiB,kBAAkB,MAAM;CACtE,MAAM,kBAAkB,MAAM,mBAAmB;AACjD,KAAI,YAAY,SAAS,SAAS,IAAI,iBAAiB;AACtD,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;AACD,QAAM,IAAI,SAAS,aAAa,EAC/B,SAAS,YAAY,mBACrB,CAAC;;AAGH,KAAI,CADa,MAAM,gBAAgB,KAAK,MAAM,UAAU,IAAI,KAAK,IAAI,EAC1D;AACd,QAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,IAClB,EACC,OAAO,GAAG,SAAS,GAAG,SAAS,YAAY,IAAI,GAAG,KAClD,CACD;AACD,QAAM,IAAI,SAAS,eAAe,EACjC,SAAS,YAAY,aACrB,CAAC;;AAEH,OAAM,IAAI,QAAQ,gBAAgB,wBACjC,kBAAkB,GAClB;CACD,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,gBAAgB,OAAO,EACrE,iBAAiB,MACjB,CAAC;AACF,KAAI,CAAC,KACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,gBAC1B,CAAC;CAEH,MAAM,oBAAoB,IAAI,QAAQ,SAAS,OAAO;AACtD,KAAI,IAAI,KAAK,SAAS,SAAS,kBAC9B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,oBAC1B,CAAC;CAEH,MAAM,oBAAoB,IAAI,QAAQ,SAAS,OAAO;AACtD,KAAI,IAAI,KAAK,SAAS,SAAS,kBAC9B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,mBAC1B,CAAC;CAEH,MAAM,eAAe,MAAM,IAAI,QAAQ,SAAS,KAAK,IAAI,KAAK,SAAS;AAIvE,KAAI,CAHY,KAAK,UAAU,MAC7B,YAAY,QAAQ,eAAe,aACpC,CAEA,OAAM,IAAI,QAAQ,gBAAgB,cAAc;EAC/C,QAAQ,KAAK,KAAK;EAClB,YAAY;EACZ,WAAW,KAAK,KAAK;EACrB,UAAU;EACV,CAAC;KAEF,OAAM,IAAI,QAAQ,gBAAgB,eACjC,KAAK,KAAK,IACV,aACA;AAGF,KAAI,IAAI,QAAQ,QAAQ,kBAAkB,gBACzC,OAAM,IAAI,QAAQ,QAAQ,iBAAiB,gBAC1C,EACC,MAAM,KAAK,MACX,EACD,IAAI,QACJ;AAGF,KAAI,CAAC,KAAK,KAAK,cACd,OAAM,IAAI,QAAQ,gBAAgB,WAAW,KAAK,KAAK,IAAI,EAC1D,eAAe,MACf,CAAC;AAGH,KAAI,IAAI,QAAQ,QAAQ,kBAAkB,8BACzC,OAAM,IAAI,QAAQ,gBAAgB,eAAe,KAAK,KAAK,GAAG;AAE/D,QAAO,IAAI,KAAK,EACf,SAAS,MACT,CAAC;EAEH;AAEF,MAAM,uBAAuB,YAC5B,qBAAqB,QAAQ,aAAa,GAAG,MAAM"}

package/dist/plugins/generic-oauth/error-codes.mjs

@@ -7,7 +7,9 @@ const GENERIC_OAUTH_ERROR_CODES = defineErrorCodes({
 	PROVIDER_CONFIG_NOT_FOUND: "No config found for provider",
 	PROVIDER_ID_REQUIRED: "Provider ID is required",
 	INVALID_OAUTH_CONFIG: "Invalid OAuth configuration.",
-	SESSION_REQUIRED: "Session is required"
+	SESSION_REQUIRED: "Session is required",
+	ISSUER_MISMATCH: "OAuth issuer mismatch. The authorization server issuer does not match the expected value (RFC 9207).",
+	ISSUER_MISSING: "OAuth issuer parameter missing. The authorization server did not include the required iss parameter (RFC 9207)."
 });
 
 //#endregion

package/dist/plugins/generic-oauth/error-codes.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"error-codes.mjs","names":[],"sources":["../../../src/plugins/generic-oauth/error-codes.ts"],"sourcesContent":["import { defineErrorCodes } from \"@better-auth/core/utils\";\n\nexport const GENERIC_OAUTH_ERROR_CODES = defineErrorCodes({\n\tINVALID_OAUTH_CONFIGURATION: \"Invalid OAuth configuration\",\n\tTOKEN_URL_NOT_FOUND: \"Invalid OAuth configuration. Token URL not found.\",\n\tPROVIDER_CONFIG_NOT_FOUND: \"No config found for provider\",\n\tPROVIDER_ID_REQUIRED: \"Provider ID is required\",\n\tINVALID_OAUTH_CONFIG: \"Invalid OAuth configuration.\",\n\tSESSION_REQUIRED: \"Session is required\",\n});\n"],"mappings":";;;AAEA,MAAa,4BAA4B,iBAAiB;CACzD,6BAA6B;CAC7B,qBAAqB;CACrB,2BAA2B;CAC3B,sBAAsB;CACtB,sBAAsB;CACtB,kBAAkB;CAClB,CAAC"}
+{"version":3,"file":"error-codes.mjs","names":[],"sources":["../../../src/plugins/generic-oauth/error-codes.ts"],"sourcesContent":["import { defineErrorCodes } from \"@better-auth/core/utils\";\n\nexport const GENERIC_OAUTH_ERROR_CODES = defineErrorCodes({\n\tINVALID_OAUTH_CONFIGURATION: \"Invalid OAuth configuration\",\n\tTOKEN_URL_NOT_FOUND: \"Invalid OAuth configuration. Token URL not found.\",\n\tPROVIDER_CONFIG_NOT_FOUND: \"No config found for provider\",\n\tPROVIDER_ID_REQUIRED: \"Provider ID is required\",\n\tINVALID_OAUTH_CONFIG: \"Invalid OAuth configuration.\",\n\tSESSION_REQUIRED: \"Session is required\",\n\tISSUER_MISMATCH:\n\t\t\"OAuth issuer mismatch. The authorization server issuer does not match the expected value (RFC 9207).\",\n\tISSUER_MISSING:\n\t\t\"OAuth issuer parameter missing. The authorization server did not include the required iss parameter (RFC 9207).\",\n});\n"],"mappings":";;;AAEA,MAAa,4BAA4B,iBAAiB;CACzD,6BAA6B;CAC7B,qBAAqB;CACrB,2BAA2B;CAC3B,sBAAsB;CACtB,sBAAsB;CACtB,kBAAkB;CAClB,iBACC;CACD,gBACC;CACD,CAAC"}

package/dist/plugins/generic-oauth/index.d.mts

@@ -12,9 +12,9 @@ import "./providers/index.mjs";
 import { AuthContext } from "@better-auth/core";
 import * as _better_auth_core_oauth21 from "@better-auth/core/oauth2";
 import { OAuthProvider } from "@better-auth/core/oauth2";
-import * as better_call262 from "better-call";
-import * as zod488 from "zod";
-import * as zod_v4_core75 from "zod/v4/core";
+import * as better_call234 from "better-call";
+import * as zod468 from "zod";
+import * as zod_v4_core70 from "zod/v4/core";
 
 //#region src/plugins/generic-oauth/index.d.ts
 /**
@@ -36,18 +36,18 @@ declare const genericOAuth: (options: GenericOAuthOptions) => {
     };
   };
   endpoints: {
-    signInWithOAuth2: better_call262.StrictEndpoint<"/sign-in/oauth2", {
+    signInWithOAuth2: better_call234.StrictEndpoint<"/sign-in/oauth2", {
       method: "POST";
-      body: zod488.ZodObject<{
-        providerId: zod488.ZodString;
-        callbackURL: zod488.ZodOptional<zod488.ZodString>;
-        errorCallbackURL: zod488.ZodOptional<zod488.ZodString>;
-        newUserCallbackURL: zod488.ZodOptional<zod488.ZodString>;
-        disableRedirect: zod488.ZodOptional<zod488.ZodBoolean>;
-        scopes: zod488.ZodOptional<zod488.ZodArray<zod488.ZodString>>;
-        requestSignUp: zod488.ZodOptional<zod488.ZodBoolean>;
-        additionalData: zod488.ZodOptional<zod488.ZodRecord<zod488.ZodString, zod488.ZodAny>>;
-      }, zod_v4_core75.$strip>;
+      body: zod468.ZodObject<{
+        providerId: zod468.ZodString;
+        callbackURL: zod468.ZodOptional<zod468.ZodString>;
+        errorCallbackURL: zod468.ZodOptional<zod468.ZodString>;
+        newUserCallbackURL: zod468.ZodOptional<zod468.ZodString>;
+        disableRedirect: zod468.ZodOptional<zod468.ZodBoolean>;
+        scopes: zod468.ZodOptional<zod468.ZodArray<zod468.ZodString>>;
+        requestSignUp: zod468.ZodOptional<zod468.ZodBoolean>;
+        additionalData: zod468.ZodOptional<zod468.ZodRecord<zod468.ZodString, zod468.ZodAny>>;
+      }, zod_v4_core70.$strip>;
       metadata: {
         openapi: {
           description: string;
@@ -77,14 +77,15 @@ declare const genericOAuth: (options: GenericOAuthOptions) => {
       url: string;
       redirect: boolean;
     }>;
-    oAuth2Callback: better_call262.StrictEndpoint<"/oauth2/callback/:providerId", {
+    oAuth2Callback: better_call234.StrictEndpoint<"/oauth2/callback/:providerId", {
       method: "GET";
-      query: zod488.ZodObject<{
-        code: zod488.ZodOptional<zod488.ZodString>;
-        error: zod488.ZodOptional<zod488.ZodString>;
-        error_description: zod488.ZodOptional<zod488.ZodString>;
-        state: zod488.ZodOptional<zod488.ZodString>;
-      }, zod_v4_core75.$strip>;
+      query: zod468.ZodObject<{
+        code: zod468.ZodOptional<zod468.ZodString>;
+        error: zod468.ZodOptional<zod468.ZodString>;
+        error_description: zod468.ZodOptional<zod468.ZodString>;
+        state: zod468.ZodOptional<zod468.ZodString>;
+        iss: zod468.ZodOptional<zod468.ZodString>;
+      }, zod_v4_core70.$strip>;
       metadata: {
         allowedMediaTypes: string[];
         openapi: {
@@ -110,15 +111,15 @@ declare const genericOAuth: (options: GenericOAuthOptions) => {
         scope: "server";
       };
     }, void>;
-    oAuth2LinkAccount: better_call262.StrictEndpoint<"/oauth2/link", {
+    oAuth2LinkAccount: better_call234.StrictEndpoint<"/oauth2/link", {
       method: "POST";
-      body: zod488.ZodObject<{
-        providerId: zod488.ZodString;
-        callbackURL: zod488.ZodString;
-        scopes: zod488.ZodOptional<zod488.ZodArray<zod488.ZodString>>;
-        errorCallbackURL: zod488.ZodOptional<zod488.ZodString>;
-      }, zod_v4_core75.$strip>;
-      use: ((inputContext: better_call262.MiddlewareInputContext<better_call262.MiddlewareOptions>) => Promise<{
+      body: zod468.ZodObject<{
+        providerId: zod468.ZodString;
+        callbackURL: zod468.ZodString;
+        scopes: zod468.ZodOptional<zod468.ZodArray<zod468.ZodString>>;
+        errorCallbackURL: zod468.ZodOptional<zod468.ZodString>;
+      }, zod_v4_core70.$strip>;
+      use: ((inputContext: better_call234.MiddlewareInputContext<better_call234.MiddlewareOptions>) => Promise<{
         session: {
           session: Record<string, any> & {
             id: string;
@@ -184,6 +185,8 @@ declare const genericOAuth: (options: GenericOAuthOptions) => {
     readonly PROVIDER_ID_REQUIRED: "Provider ID is required";
     readonly INVALID_OAUTH_CONFIG: "Invalid OAuth configuration.";
     readonly SESSION_REQUIRED: "Session is required";
+    readonly ISSUER_MISMATCH: "OAuth issuer mismatch. The authorization server issuer does not match the expected value (RFC 9207).";
+    readonly ISSUER_MISSING: "OAuth issuer parameter missing. The authorization server did not include the required iss parameter (RFC 9207).";
   };
 };
 //#endregion

package/dist/plugins/generic-oauth/index.mjs

@@ -19,6 +19,14 @@ import { betterFetch } from "@better-fetch/fetch";
 * A generic OAuth plugin that can be used to add OAuth support to any provider
 */
 const genericOAuth = (options) => {
+	const seenIds = /* @__PURE__ */ new Set();
+	const nonUniqueIds = /* @__PURE__ */ new Set();
+	for (const config of options.config) {
+		const id = config.providerId;
+		if (seenIds.has(id)) nonUniqueIds.add(id);
+		seenIds.add(id);
+	}
+	if (nonUniqueIds.size > 0) console.warn(`Duplicate provider IDs found: ${Array.from(nonUniqueIds).join(", ")}`);
 	return {
 		id: "generic-oauth",
 		init: (ctx) => {

package/dist/plugins/generic-oauth/index.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/generic-oauth/index.ts"],"sourcesContent":["import type { AuthContext, BetterAuthPlugin } from \"@better-auth/core\";\nimport type { OAuth2Tokens, OAuthProvider } from \"@better-auth/core/oauth2\";\nimport {\n\tcreateAuthorizationURL,\n\trefreshAccessToken,\n\tvalidateAuthorizationCode,\n} from \"@better-auth/core/oauth2\";\nimport { betterFetch } from \"@better-fetch/fetch\";\nimport { APIError } from \"better-call\";\nimport { GENERIC_OAUTH_ERROR_CODES } from \"./error-codes\";\nimport {\n\tgetUserInfo,\n\toAuth2Callback,\n\toAuth2LinkAccount,\n\tsignInWithOAuth2,\n} from \"./routes\";\nimport type { GenericOAuthConfig, GenericOAuthOptions } from \"./types\";\n\nexport * from \"./providers\";\nexport type { GenericOAuthConfig, GenericOAuthOptions } from \"./types\";\n\n/**\n * Base type for OAuth provider options.\n * Extracts common fields from GenericOAuthConfig and makes clientSecret required.\n */\nexport type BaseOAuthProviderOptions = Omit<\n\tPick<\n\t\tGenericOAuthConfig,\n\t\t| \"clientId\"\n\t\t| \"clientSecret\"\n\t\t| \"scopes\"\n\t\t| \"redirectURI\"\n\t\t| \"pkce\"\n\t\t| \"disableImplicitSignUp\"\n\t\t| \"disableSignUp\"\n\t\t| \"overrideUserInfo\"\n\t>,\n\t\"clientSecret\"\n> & {\n\t/** OAuth client secret (required for provider options) */\n\tclientSecret: string;\n};\n\n/**\n * A generic OAuth plugin that can be used to add OAuth support to any provider\n */\nexport const genericOAuth = (options: GenericOAuthOptions) => {\n\treturn {\n\t\tid: \"generic-oauth\",\n\t\tinit: (ctx: AuthContext) => {\n\t\t\tconst genericProviders = options.config.map((c) => {\n\t\t\t\tlet finalUserInfoUrl = c.userInfoUrl;\n\t\t\t\treturn {\n\t\t\t\t\tid: c.providerId,\n\t\t\t\t\tname: c.providerId,\n\t\t\t\t\tasync createAuthorizationURL(data: {\n\t\t\t\t\t\tstate: string;\n\t\t\t\t\t\tcodeVerifier: string;\n\t\t\t\t\t\tscopes?: string[] | undefined;\n\t\t\t\t\t\tredirectURI: string;\n\t\t\t\t\t\tdisplay?: string | undefined;\n\t\t\t\t\t\tloginHint?: string | undefined;\n\t\t\t\t\t}) {\n\t\t\t\t\t\tlet finalAuthUrl = c.authorizationUrl;\n\t\t\t\t\t\tif (!finalAuthUrl && c.discoveryUrl) {\n\t\t\t\t\t\t\tconst discovery = await betterFetch<{\n\t\t\t\t\t\t\t\tauthorization_endpoint: string;\n\t\t\t\t\t\t\t\tuserinfo_endpoint: string;\n\t\t\t\t\t\t\t}>(c.discoveryUrl, {\n\t\t\t\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\t\t\t\theaders: c.discoveryHeaders,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tif (discovery.data) {\n\t\t\t\t\t\t\t\tfinalAuthUrl = discovery.data.authorization_endpoint;\n\t\t\t\t\t\t\t\tfinalUserInfoUrl =\n\t\t\t\t\t\t\t\t\tfinalUserInfoUrl ?? discovery.data.userinfo_endpoint;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!finalAuthUrl) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\tmessage: GENERIC_OAUTH_ERROR_CODES.INVALID_OAUTH_CONFIGURATION,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn createAuthorizationURL({\n\t\t\t\t\t\t\tid: c.providerId,\n\t\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\t\tclientId: c.clientId,\n\t\t\t\t\t\t\t\tclientSecret: c.clientSecret,\n\t\t\t\t\t\t\t\tredirectURI: c.redirectURI,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tauthorizationEndpoint: finalAuthUrl,\n\t\t\t\t\t\t\tstate: data.state,\n\t\t\t\t\t\t\tcodeVerifier: c.pkce ? data.codeVerifier : undefined,\n\t\t\t\t\t\t\tscopes: c.scopes || [],\n\t\t\t\t\t\t\tredirectURI: `${ctx.baseURL}/oauth2/callback/${c.providerId}`,\n\t\t\t\t\t\t});\n\t\t\t\t\t},\n\t\t\t\t\tasync validateAuthorizationCode(data: {\n\t\t\t\t\t\tcode: string;\n\t\t\t\t\t\tredirectURI: string;\n\t\t\t\t\t\tcodeVerifier?: string | undefined;\n\t\t\t\t\t\tdeviceId?: string | undefined;\n\t\t\t\t\t}) {\n\t\t\t\t\t\t// Use custom getToken if provided\n\t\t\t\t\t\tif (c.getToken) {\n\t\t\t\t\t\t\treturn c.getToken(data);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// Standard token exchange flow\n\t\t\t\t\t\tlet finalTokenUrl = c.tokenUrl;\n\t\t\t\t\t\tif (c.discoveryUrl) {\n\t\t\t\t\t\t\tconst discovery = await betterFetch<{\n\t\t\t\t\t\t\t\ttoken_endpoint: string;\n\t\t\t\t\t\t\t\tuserinfo_endpoint: string;\n\t\t\t\t\t\t\t}>(c.discoveryUrl, {\n\t\t\t\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\t\t\t\theaders: c.discoveryHeaders,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tif (discovery.data) {\n\t\t\t\t\t\t\t\tfinalTokenUrl = discovery.data.token_endpoint;\n\t\t\t\t\t\t\t\tfinalUserInfoUrl = discovery.data.userinfo_endpoint;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!finalTokenUrl) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\tmessage: GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn validateAuthorizationCode({\n\t\t\t\t\t\t\theaders: c.authorizationHeaders,\n\t\t\t\t\t\t\tcode: data.code,\n\t\t\t\t\t\t\tcodeVerifier: data.codeVerifier,\n\t\t\t\t\t\t\tredirectURI: data.redirectURI,\n\t\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\t\tclientId: c.clientId,\n\t\t\t\t\t\t\t\tclientSecret: c.clientSecret,\n\t\t\t\t\t\t\t\tredirectURI: c.redirectURI,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\ttokenEndpoint: finalTokenUrl,\n\t\t\t\t\t\t\tauthentication: c.authentication,\n\t\t\t\t\t\t});\n\t\t\t\t\t},\n\t\t\t\t\tasync refreshAccessToken(\n\t\t\t\t\t\trefreshToken: string,\n\t\t\t\t\t): Promise<OAuth2Tokens> {\n\t\t\t\t\t\tlet finalTokenUrl = c.tokenUrl;\n\t\t\t\t\t\tif (c.discoveryUrl) {\n\t\t\t\t\t\t\tconst discovery = await betterFetch<{\n\t\t\t\t\t\t\t\ttoken_endpoint: string;\n\t\t\t\t\t\t\t}>(c.discoveryUrl, {\n\t\t\t\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\t\t\t\theaders: c.discoveryHeaders,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tif (discovery.data) {\n\t\t\t\t\t\t\t\tfinalTokenUrl = discovery.data.token_endpoint;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!finalTokenUrl) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\tmessage: GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn refreshAccessToken({\n\t\t\t\t\t\t\trefreshToken,\n\t\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\t\tclientId: c.clientId,\n\t\t\t\t\t\t\t\tclientSecret: c.clientSecret,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tauthentication: c.authentication,\n\t\t\t\t\t\t\ttokenEndpoint: finalTokenUrl,\n\t\t\t\t\t\t});\n\t\t\t\t\t},\n\t\t\t\t\tasync getUserInfo(tokens: OAuth2Tokens) {\n\t\t\t\t\t\tconst userInfo = c.getUserInfo\n\t\t\t\t\t\t\t? await c.getUserInfo(tokens)\n\t\t\t\t\t\t\t: await getUserInfo(tokens, finalUserInfoUrl);\n\t\t\t\t\t\tif (!userInfo) {\n\t\t\t\t\t\t\treturn null;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst userMap = await c.mapProfileToUser?.(userInfo);\n\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\tid: userInfo?.id,\n\t\t\t\t\t\t\t\temail: userInfo?.email,\n\t\t\t\t\t\t\t\temailVerified: userInfo?.emailVerified,\n\t\t\t\t\t\t\t\timage: userInfo?.image,\n\t\t\t\t\t\t\t\tname: userInfo?.name,\n\t\t\t\t\t\t\t\t...userMap,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tdata: userInfo,\n\t\t\t\t\t\t};\n\t\t\t\t\t},\n\t\t\t\t\toptions: {\n\t\t\t\t\t\toverrideUserInfoOnSignIn: c.overrideUserInfo,\n\t\t\t\t\t},\n\t\t\t\t} as OAuthProvider;\n\t\t\t});\n\t\t\treturn {\n\t\t\t\tcontext: {\n\t\t\t\t\tsocialProviders: genericProviders.concat(ctx.socialProviders),\n\t\t\t\t},\n\t\t\t};\n\t\t},\n\t\tendpoints: {\n\t\t\tsignInWithOAuth2: signInWithOAuth2(options),\n\t\t\toAuth2Callback: oAuth2Callback(options),\n\t\t\toAuth2LinkAccount: oAuth2LinkAccount(options),\n\t\t},\n\t\toptions,\n\t\t$ERROR_CODES: GENERIC_OAUTH_ERROR_CODES,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AA8CA,MAAa,gBAAgB,YAAiC;AAC7D,QAAO;EACN,IAAI;EACJ,OAAO,QAAqB;AAsJ3B,UAAO,EACN,SAAS,EACR,iBAvJuB,QAAQ,OAAO,KAAK,MAAM;IAClD,IAAI,mBAAmB,EAAE;AACzB,WAAO;KACN,IAAI,EAAE;KACN,MAAM,EAAE;KACR,MAAM,uBAAuB,MAO1B;MACF,IAAI,eAAe,EAAE;AACrB,UAAI,CAAC,gBAAgB,EAAE,cAAc;OACpC,MAAM,YAAY,MAAM,YAGrB,EAAE,cAAc;QAClB,QAAQ;QACR,SAAS,EAAE;QACX,CAAC;AACF,WAAI,UAAU,MAAM;AACnB,uBAAe,UAAU,KAAK;AAC9B,2BACC,oBAAoB,UAAU,KAAK;;;AAGtC,UAAI,CAAC,aACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,0BAA0B,6BACnC,CAAC;AAEH,aAAO,uBAAuB;OAC7B,IAAI,EAAE;OACN,SAAS;QACR,UAAU,EAAE;QACZ,cAAc,EAAE;QAChB,aAAa,EAAE;QACf;OACD,uBAAuB;OACvB,OAAO,KAAK;OACZ,cAAc,EAAE,OAAO,KAAK,eAAe;OAC3C,QAAQ,EAAE,UAAU,EAAE;OACtB,aAAa,GAAG,IAAI,QAAQ,mBAAmB,EAAE;OACjD,CAAC;;KAEH,MAAM,0BAA0B,MAK7B;AAEF,UAAI,EAAE,SACL,QAAO,EAAE,SAAS,KAAK;MAIxB,IAAI,gBAAgB,EAAE;AACtB,UAAI,EAAE,cAAc;OACnB,MAAM,YAAY,MAAM,YAGrB,EAAE,cAAc;QAClB,QAAQ;QACR,SAAS,EAAE;QACX,CAAC;AACF,WAAI,UAAU,MAAM;AACnB,wBAAgB,UAAU,KAAK;AAC/B,2BAAmB,UAAU,KAAK;;;AAGpC,UAAI,CAAC,cACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,0BAA0B,qBACnC,CAAC;AAEH,aAAO,0BAA0B;OAChC,SAAS,EAAE;OACX,MAAM,KAAK;OACX,cAAc,KAAK;OACnB,aAAa,KAAK;OAClB,SAAS;QACR,UAAU,EAAE;QACZ,cAAc,EAAE;QAChB,aAAa,EAAE;QACf;OACD,eAAe;OACf,gBAAgB,EAAE;OAClB,CAAC;;KAEH,MAAM,mBACL,cACwB;MACxB,IAAI,gBAAgB,EAAE;AACtB,UAAI,EAAE,cAAc;OACnB,MAAM,YAAY,MAAM,YAErB,EAAE,cAAc;QAClB,QAAQ;QACR,SAAS,EAAE;QACX,CAAC;AACF,WAAI,UAAU,KACb,iBAAgB,UAAU,KAAK;;AAGjC,UAAI,CAAC,cACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,0BAA0B,qBACnC,CAAC;AAEH,aAAO,mBAAmB;OACzB;OACA,SAAS;QACR,UAAU,EAAE;QACZ,cAAc,EAAE;QAChB;OACD,gBAAgB,EAAE;OAClB,eAAe;OACf,CAAC;;KAEH,MAAM,YAAY,QAAsB;MACvC,MAAM,WAAW,EAAE,cAChB,MAAM,EAAE,YAAY,OAAO,GAC3B,MAAM,YAAY,QAAQ,iBAAiB;AAC9C,UAAI,CAAC,SACJ,QAAO;MAGR,MAAM,UAAU,MAAM,EAAE,mBAAmB,SAAS;AAEpD,aAAO;OACN,MAAM;QACL,IAAI,UAAU;QACd,OAAO,UAAU;QACjB,eAAe,UAAU;QACzB,OAAO,UAAU;QACjB,MAAM,UAAU;QAChB,GAAG;QACH;OACD,MAAM;OACN;;KAEF,SAAS,EACR,0BAA0B,EAAE,kBAC5B;KACD;KACA,CAGkC,OAAO,IAAI,gBAAgB,EAC7D,EACD;;EAEF,WAAW;GACV,kBAAkB,iBAAiB,QAAQ;GAC3C,gBAAgB,eAAe,QAAQ;GACvC,mBAAmB,kBAAkB,QAAQ;GAC7C;EACD;EACA,cAAc;EACd"}
+{"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/generic-oauth/index.ts"],"sourcesContent":["import type { AuthContext, BetterAuthPlugin } from \"@better-auth/core\";\nimport type { OAuth2Tokens, OAuthProvider } from \"@better-auth/core/oauth2\";\nimport {\n\tcreateAuthorizationURL,\n\trefreshAccessToken,\n\tvalidateAuthorizationCode,\n} from \"@better-auth/core/oauth2\";\nimport { betterFetch } from \"@better-fetch/fetch\";\nimport { APIError } from \"better-call\";\nimport { GENERIC_OAUTH_ERROR_CODES } from \"./error-codes\";\nimport {\n\tgetUserInfo,\n\toAuth2Callback,\n\toAuth2LinkAccount,\n\tsignInWithOAuth2,\n} from \"./routes\";\nimport type { GenericOAuthConfig, GenericOAuthOptions } from \"./types\";\n\nexport * from \"./providers\";\nexport type { GenericOAuthConfig, GenericOAuthOptions } from \"./types\";\n\n/**\n * Base type for OAuth provider options.\n * Extracts common fields from GenericOAuthConfig and makes clientSecret required.\n */\nexport type BaseOAuthProviderOptions = Omit<\n\tPick<\n\t\tGenericOAuthConfig,\n\t\t| \"clientId\"\n\t\t| \"clientSecret\"\n\t\t| \"scopes\"\n\t\t| \"redirectURI\"\n\t\t| \"pkce\"\n\t\t| \"disableImplicitSignUp\"\n\t\t| \"disableSignUp\"\n\t\t| \"overrideUserInfo\"\n\t>,\n\t\"clientSecret\"\n> & {\n\t/** OAuth client secret (required for provider options) */\n\tclientSecret: string;\n};\n\n/**\n * A generic OAuth plugin that can be used to add OAuth support to any provider\n */\nexport const genericOAuth = (options: GenericOAuthOptions) => {\n\tconst seenIds = new Set<string>();\n\tconst nonUniqueIds = new Set<string>();\n\n\tfor (const config of options.config) {\n\t\tconst id = config.providerId;\n\t\tif (seenIds.has(id)) {\n\t\t\tnonUniqueIds.add(id);\n\t\t}\n\t\tseenIds.add(id);\n\t}\n\n\tif (nonUniqueIds.size > 0) {\n\t\tconsole.warn(\n\t\t\t`Duplicate provider IDs found: ${Array.from(nonUniqueIds).join(\", \")}`,\n\t\t);\n\t}\n\n\treturn {\n\t\tid: \"generic-oauth\",\n\t\tinit: (ctx: AuthContext) => {\n\t\t\tconst genericProviders = options.config.map((c) => {\n\t\t\t\tlet finalUserInfoUrl = c.userInfoUrl;\n\t\t\t\treturn {\n\t\t\t\t\tid: c.providerId,\n\t\t\t\t\tname: c.providerId,\n\t\t\t\t\tasync createAuthorizationURL(data: {\n\t\t\t\t\t\tstate: string;\n\t\t\t\t\t\tcodeVerifier: string;\n\t\t\t\t\t\tscopes?: string[] | undefined;\n\t\t\t\t\t\tredirectURI: string;\n\t\t\t\t\t\tdisplay?: string | undefined;\n\t\t\t\t\t\tloginHint?: string | undefined;\n\t\t\t\t\t}) {\n\t\t\t\t\t\tlet finalAuthUrl = c.authorizationUrl;\n\t\t\t\t\t\tif (!finalAuthUrl && c.discoveryUrl) {\n\t\t\t\t\t\t\tconst discovery = await betterFetch<{\n\t\t\t\t\t\t\t\tauthorization_endpoint: string;\n\t\t\t\t\t\t\t\tuserinfo_endpoint: string;\n\t\t\t\t\t\t\t}>(c.discoveryUrl, {\n\t\t\t\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\t\t\t\theaders: c.discoveryHeaders,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tif (discovery.data) {\n\t\t\t\t\t\t\t\tfinalAuthUrl = discovery.data.authorization_endpoint;\n\t\t\t\t\t\t\t\tfinalUserInfoUrl =\n\t\t\t\t\t\t\t\t\tfinalUserInfoUrl ?? discovery.data.userinfo_endpoint;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!finalAuthUrl) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\tmessage: GENERIC_OAUTH_ERROR_CODES.INVALID_OAUTH_CONFIGURATION,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn createAuthorizationURL({\n\t\t\t\t\t\t\tid: c.providerId,\n\t\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\t\tclientId: c.clientId,\n\t\t\t\t\t\t\t\tclientSecret: c.clientSecret,\n\t\t\t\t\t\t\t\tredirectURI: c.redirectURI,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tauthorizationEndpoint: finalAuthUrl,\n\t\t\t\t\t\t\tstate: data.state,\n\t\t\t\t\t\t\tcodeVerifier: c.pkce ? data.codeVerifier : undefined,\n\t\t\t\t\t\t\tscopes: c.scopes || [],\n\t\t\t\t\t\t\tredirectURI: `${ctx.baseURL}/oauth2/callback/${c.providerId}`,\n\t\t\t\t\t\t});\n\t\t\t\t\t},\n\t\t\t\t\tasync validateAuthorizationCode(data: {\n\t\t\t\t\t\tcode: string;\n\t\t\t\t\t\tredirectURI: string;\n\t\t\t\t\t\tcodeVerifier?: string | undefined;\n\t\t\t\t\t\tdeviceId?: string | undefined;\n\t\t\t\t\t}) {\n\t\t\t\t\t\t// Use custom getToken if provided\n\t\t\t\t\t\tif (c.getToken) {\n\t\t\t\t\t\t\treturn c.getToken(data);\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t// Standard token exchange flow\n\t\t\t\t\t\tlet finalTokenUrl = c.tokenUrl;\n\t\t\t\t\t\tif (c.discoveryUrl) {\n\t\t\t\t\t\t\tconst discovery = await betterFetch<{\n\t\t\t\t\t\t\t\ttoken_endpoint: string;\n\t\t\t\t\t\t\t\tuserinfo_endpoint: string;\n\t\t\t\t\t\t\t}>(c.discoveryUrl, {\n\t\t\t\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\t\t\t\theaders: c.discoveryHeaders,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tif (discovery.data) {\n\t\t\t\t\t\t\t\tfinalTokenUrl = discovery.data.token_endpoint;\n\t\t\t\t\t\t\t\tfinalUserInfoUrl = discovery.data.userinfo_endpoint;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!finalTokenUrl) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\tmessage: GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn validateAuthorizationCode({\n\t\t\t\t\t\t\theaders: c.authorizationHeaders,\n\t\t\t\t\t\t\tcode: data.code,\n\t\t\t\t\t\t\tcodeVerifier: data.codeVerifier,\n\t\t\t\t\t\t\tredirectURI: data.redirectURI,\n\t\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\t\tclientId: c.clientId,\n\t\t\t\t\t\t\t\tclientSecret: c.clientSecret,\n\t\t\t\t\t\t\t\tredirectURI: c.redirectURI,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\ttokenEndpoint: finalTokenUrl,\n\t\t\t\t\t\t\tauthentication: c.authentication,\n\t\t\t\t\t\t});\n\t\t\t\t\t},\n\t\t\t\t\tasync refreshAccessToken(\n\t\t\t\t\t\trefreshToken: string,\n\t\t\t\t\t): Promise<OAuth2Tokens> {\n\t\t\t\t\t\tlet finalTokenUrl = c.tokenUrl;\n\t\t\t\t\t\tif (c.discoveryUrl) {\n\t\t\t\t\t\t\tconst discovery = await betterFetch<{\n\t\t\t\t\t\t\t\ttoken_endpoint: string;\n\t\t\t\t\t\t\t}>(c.discoveryUrl, {\n\t\t\t\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\t\t\t\theaders: c.discoveryHeaders,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tif (discovery.data) {\n\t\t\t\t\t\t\t\tfinalTokenUrl = discovery.data.token_endpoint;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!finalTokenUrl) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\tmessage: GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND,\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn refreshAccessToken({\n\t\t\t\t\t\t\trefreshToken,\n\t\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\t\tclientId: c.clientId,\n\t\t\t\t\t\t\t\tclientSecret: c.clientSecret,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tauthentication: c.authentication,\n\t\t\t\t\t\t\ttokenEndpoint: finalTokenUrl,\n\t\t\t\t\t\t});\n\t\t\t\t\t},\n\t\t\t\t\tasync getUserInfo(tokens: OAuth2Tokens) {\n\t\t\t\t\t\tconst userInfo = c.getUserInfo\n\t\t\t\t\t\t\t? await c.getUserInfo(tokens)\n\t\t\t\t\t\t\t: await getUserInfo(tokens, finalUserInfoUrl);\n\t\t\t\t\t\tif (!userInfo) {\n\t\t\t\t\t\t\treturn null;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst userMap = await c.mapProfileToUser?.(userInfo);\n\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\tid: userInfo?.id,\n\t\t\t\t\t\t\t\temail: userInfo?.email,\n\t\t\t\t\t\t\t\temailVerified: userInfo?.emailVerified,\n\t\t\t\t\t\t\t\timage: userInfo?.image,\n\t\t\t\t\t\t\t\tname: userInfo?.name,\n\t\t\t\t\t\t\t\t...userMap,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tdata: userInfo,\n\t\t\t\t\t\t};\n\t\t\t\t\t},\n\t\t\t\t\toptions: {\n\t\t\t\t\t\toverrideUserInfoOnSignIn: c.overrideUserInfo,\n\t\t\t\t\t},\n\t\t\t\t} as OAuthProvider;\n\t\t\t});\n\t\t\treturn {\n\t\t\t\tcontext: {\n\t\t\t\t\tsocialProviders: genericProviders.concat(ctx.socialProviders),\n\t\t\t\t},\n\t\t\t};\n\t\t},\n\t\tendpoints: {\n\t\t\tsignInWithOAuth2: signInWithOAuth2(options),\n\t\t\toAuth2Callback: oAuth2Callback(options),\n\t\t\toAuth2LinkAccount: oAuth2LinkAccount(options),\n\t\t},\n\t\toptions,\n\t\t$ERROR_CODES: GENERIC_OAUTH_ERROR_CODES,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AA8CA,MAAa,gBAAgB,YAAiC;CAC7D,MAAM,0BAAU,IAAI,KAAa;CACjC,MAAM,+BAAe,IAAI,KAAa;AAEtC,MAAK,MAAM,UAAU,QAAQ,QAAQ;EACpC,MAAM,KAAK,OAAO;AAClB,MAAI,QAAQ,IAAI,GAAG,CAClB,cAAa,IAAI,GAAG;AAErB,UAAQ,IAAI,GAAG;;AAGhB,KAAI,aAAa,OAAO,EACvB,SAAQ,KACP,iCAAiC,MAAM,KAAK,aAAa,CAAC,KAAK,KAAK,GACpE;AAGF,QAAO;EACN,IAAI;EACJ,OAAO,QAAqB;AAsJ3B,UAAO,EACN,SAAS,EACR,iBAvJuB,QAAQ,OAAO,KAAK,MAAM;IAClD,IAAI,mBAAmB,EAAE;AACzB,WAAO;KACN,IAAI,EAAE;KACN,MAAM,EAAE;KACR,MAAM,uBAAuB,MAO1B;MACF,IAAI,eAAe,EAAE;AACrB,UAAI,CAAC,gBAAgB,EAAE,cAAc;OACpC,MAAM,YAAY,MAAM,YAGrB,EAAE,cAAc;QAClB,QAAQ;QACR,SAAS,EAAE;QACX,CAAC;AACF,WAAI,UAAU,MAAM;AACnB,uBAAe,UAAU,KAAK;AAC9B,2BACC,oBAAoB,UAAU,KAAK;;;AAGtC,UAAI,CAAC,aACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,0BAA0B,6BACnC,CAAC;AAEH,aAAO,uBAAuB;OAC7B,IAAI,EAAE;OACN,SAAS;QACR,UAAU,EAAE;QACZ,cAAc,EAAE;QAChB,aAAa,EAAE;QACf;OACD,uBAAuB;OACvB,OAAO,KAAK;OACZ,cAAc,EAAE,OAAO,KAAK,eAAe;OAC3C,QAAQ,EAAE,UAAU,EAAE;OACtB,aAAa,GAAG,IAAI,QAAQ,mBAAmB,EAAE;OACjD,CAAC;;KAEH,MAAM,0BAA0B,MAK7B;AAEF,UAAI,EAAE,SACL,QAAO,EAAE,SAAS,KAAK;MAIxB,IAAI,gBAAgB,EAAE;AACtB,UAAI,EAAE,cAAc;OACnB,MAAM,YAAY,MAAM,YAGrB,EAAE,cAAc;QAClB,QAAQ;QACR,SAAS,EAAE;QACX,CAAC;AACF,WAAI,UAAU,MAAM;AACnB,wBAAgB,UAAU,KAAK;AAC/B,2BAAmB,UAAU,KAAK;;;AAGpC,UAAI,CAAC,cACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,0BAA0B,qBACnC,CAAC;AAEH,aAAO,0BAA0B;OAChC,SAAS,EAAE;OACX,MAAM,KAAK;OACX,cAAc,KAAK;OACnB,aAAa,KAAK;OAClB,SAAS;QACR,UAAU,EAAE;QACZ,cAAc,EAAE;QAChB,aAAa,EAAE;QACf;OACD,eAAe;OACf,gBAAgB,EAAE;OAClB,CAAC;;KAEH,MAAM,mBACL,cACwB;MACxB,IAAI,gBAAgB,EAAE;AACtB,UAAI,EAAE,cAAc;OACnB,MAAM,YAAY,MAAM,YAErB,EAAE,cAAc;QAClB,QAAQ;QACR,SAAS,EAAE;QACX,CAAC;AACF,WAAI,UAAU,KACb,iBAAgB,UAAU,KAAK;;AAGjC,UAAI,CAAC,cACJ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,0BAA0B,qBACnC,CAAC;AAEH,aAAO,mBAAmB;OACzB;OACA,SAAS;QACR,UAAU,EAAE;QACZ,cAAc,EAAE;QAChB;OACD,gBAAgB,EAAE;OAClB,eAAe;OACf,CAAC;;KAEH,MAAM,YAAY,QAAsB;MACvC,MAAM,WAAW,EAAE,cAChB,MAAM,EAAE,YAAY,OAAO,GAC3B,MAAM,YAAY,QAAQ,iBAAiB;AAC9C,UAAI,CAAC,SACJ,QAAO;MAGR,MAAM,UAAU,MAAM,EAAE,mBAAmB,SAAS;AAEpD,aAAO;OACN,MAAM;QACL,IAAI,UAAU;QACd,OAAO,UAAU;QACjB,eAAe,UAAU;QACzB,OAAO,UAAU;QACjB,MAAM,UAAU;QAChB,GAAG;QACH;OACD,MAAM;OACN;;KAEF,SAAS,EACR,0BAA0B,EAAE,kBAC5B;KACD;KACA,CAGkC,OAAO,IAAI,gBAAgB,EAC7D,EACD;;EAEF,WAAW;GACV,kBAAkB,iBAAiB,QAAQ;GAC3C,gBAAgB,eAAe,QAAQ;GACvC,mBAAmB,kBAAkB,QAAQ;GAC7C;EACD;EACA,cAAc;EACd"}

package/dist/plugins/generic-oauth/routes.mjs

@@ -112,7 +112,8 @@ const OAuth2CallbackQuerySchema = z.object({
 	code: z.string().meta({ description: "The OAuth2 code" }).optional(),
 	error: z.string().meta({ description: "The error message, if any" }).optional(),
 	error_description: z.string().meta({ description: "The error description, if any" }).optional(),
-	state: z.string().meta({ description: "The state parameter from the OAuth2 request" }).optional()
+	state: z.string().meta({ description: "The state parameter from the OAuth2 request" }).optional(),
+	iss: z.string().meta({ description: "The issuer identifier" }).optional()
 });
 const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:providerId", {
 	method: "GET",
@@ -150,6 +151,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 	}
 	let finalTokenUrl = providerConfig.tokenUrl;
 	let finalUserInfoUrl = providerConfig.userInfoUrl;
+	let expectedIssuer = providerConfig.issuer;
 	if (providerConfig.discoveryUrl) {
 		const discovery = await betterFetch(providerConfig.discoveryUrl, {
 			method: "GET",
@@ -158,6 +160,21 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 		if (discovery.data) {
 			finalTokenUrl = discovery.data.token_endpoint;
 			finalUserInfoUrl = discovery.data.userinfo_endpoint;
+			if (!expectedIssuer && discovery.data.issuer) expectedIssuer = discovery.data.issuer;
+		}
+	}
+	if (expectedIssuer) {
+		if (ctx.query.iss) {
+			if (ctx.query.iss !== expectedIssuer) {
+				ctx.context.logger.error("OAuth issuer mismatch", {
+					expected: expectedIssuer,
+					received: ctx.query.iss
+				});
+				return redirectOnError("issuer_mismatch");
+			}
+		} else if (providerConfig.requireIssuerValidation) {
+			ctx.context.logger.error("OAuth issuer parameter missing", { expected: expectedIssuer });
+			return redirectOnError("issuer_missing");
 		}
 	}
 	try {
@@ -213,7 +230,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 		};
 	})();
 	if (link) {
-		if (ctx.context.options.account?.accountLinking?.allowDifferentEmails !== true && link.email !== userInfo.email) return redirectOnError("email_doesn't_match");
+		if (ctx.context.options.account?.accountLinking?.allowDifferentEmails !== true && link.email.toLowerCase() !== userInfo.email.toLowerCase()) return redirectOnError("email_doesn't_match");
 		const existingAccount = await ctx.context.internalAdapter.findAccountByProviderId(String(userInfo.id), providerConfig.providerId);
 		if (existingAccount) {
 			if (existingAccount.userId !== link.userId) return redirectOnError("account_already_linked_to_different_user");