better-auth 1.4.18 → 1.4.19

package/dist/plugins/oidc-provider/authorize.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"authorize.mjs","names":["query"],"sources":["../../../src/plugins/oidc-provider/authorize.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"better-call\";\nimport { getSessionFromCtx } from \"../../api\";\nimport { generateRandomString } from \"../../crypto\";\nimport { getClient } from \"./index\";\nimport type { AuthorizationQuery, OIDCOptions } from \"./types\";\nimport { parsePrompt } from \"./utils/prompt\";\n\nfunction formatErrorURL(url: string, error: string, description: string) {\n\treturn `${\n\t\turl.includes(\"?\") ? \"&\" : \"?\"\n\t}error=${error}&error_description=${description}`;\n}\n\nfunction getErrorURL(\n\tctx: GenericEndpointContext,\n\terror: string,\n\tdescription: string,\n) {\n\tconst baseURL =\n\t\tctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;\n\tconst formattedURL = formatErrorURL(baseURL, error, description);\n\treturn formattedURL;\n}\n\nexport async function authorize(\n\tctx: GenericEndpointContext,\n\toptions: OIDCOptions,\n) {\n\tconst handleRedirect = (url: string) => {\n\t\tconst fromFetch = ctx.request?.headers.get(\"sec-fetch-mode\") === \"cors\";\n\t\tif (fromFetch) {\n\t\t\treturn ctx.json({\n\t\t\t\tredirect: true,\n\t\t\t\turl,\n\t\t\t});\n\t\t} else {\n\t\t\tthrow ctx.redirect(url);\n\t\t}\n\t};\n\n\tconst opts = {\n\t\tcodeExpiresIn: 600,\n\t\tdefaultScope: \"openid\",\n\t\t...options,\n\t\tscopes: [\n\t\t\t\"openid\",\n\t\t\t\"profile\",\n\t\t\t\"email\",\n\t\t\t\"offline_access\",\n\t\t\t...(options?.scopes || []),\n\t\t],\n\t};\n\tif (!ctx.request) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"request not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) {\n\t\t// Handle prompt=none per OIDC spec - must return error instead of redirecting\n\t\tconst query = ctx.query as AuthorizationQuery;\n\t\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\t\tif (promptSet.has(\"none\") && query.redirect_uri) {\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"login_required\",\n\t\t\t\t\t\"Authentication required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\n\t\t/**\n\t\t * If the user is not logged in, we need to redirect them to the\n\t\t * login page.\n\t\t */\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tconst queryFromURL = ctx.request.url?.split(\"?\")[1]!;\n\t\treturn handleRedirect(`${options.loginPage}?${queryFromURL}`);\n\t}\n\n\tconst query = ctx.query as AuthorizationQuery;\n\tif (!query.client_id) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (!query.response_type) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_request\",\n\t\t\t\"response_type is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst client = await getClient(\n\t\tctx.query.client_id,\n\t\toptions.trustedClients || [],\n\t);\n\tif (!client) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\tconst redirectURI = client.redirectUrls.find(\n\t\t(url) => url === ctx.query.redirect_uri,\n\t);\n\n\tif (!redirectURI || !query.redirect_uri) {\n\t\t/**\n\t\t * show UI error here warning the user that the redirect URI is invalid\n\t\t */\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: \"Invalid redirect URI\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tconst errorURL = getErrorURL(ctx, \"client_disabled\", \"client is disabled\");\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (query.response_type !== \"code\") {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"unsupported_response_type\",\n\t\t\t\"unsupported response type\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst requestScope =\n\t\tquery.scope?.split(\" \").filter((s) => s) ||\n\t\topts.defaultScope?.split(\" \") ||\n\t\t[];\n\tconst invalidScopes = requestScope.filter((scope) => {\n\t\treturn !opts.scopes.includes(scope);\n\t});\n\tif (invalidScopes.length) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_scope\",\n\t\t\t\t`The following scopes are invalid: ${invalidScopes.join(\", \")}`,\n\t\t\t),\n\t\t);\n\t}\n\n\tif (\n\t\t(!query.code_challenge || !query.code_challenge_method) &&\n\t\toptions.requirePKCE\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(query.redirect_uri, \"invalid_request\", \"pkce is required\"),\n\t\t);\n\t}\n\n\tif (!query.code_challenge_method) {\n\t\tquery.code_challenge_method = \"plain\";\n\t}\n\n\tif (\n\t\t![\n\t\t\t\"s256\",\n\t\t\toptions.allowPlainCodeChallengeMethod ? \"plain\" : \"s256\",\n\t\t].includes(query.code_challenge_method?.toLowerCase() || \"\")\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"invalid code_challenge method\",\n\t\t\t),\n\t\t);\n\t}\n\n\tconst code = generateRandomString(32, \"a-z\", \"A-Z\", \"0-9\");\n\tconst codeExpiresInMs = opts.codeExpiresIn! * 1000;\n\tconst expiresAt = new Date(Date.now() + codeExpiresInMs);\n\n\t// Determine if consent is required\n\t// Consent is ALWAYS required unless:\n\t// 1. The client is trusted (skipConsent = true)\n\t// 2. The user has already consented and prompt is not \"consent\"\n\tconst skipConsentForTrustedClient = client.skipConsent;\n\tconst hasAlreadyConsented = await ctx.context.adapter\n\t\t.findOne<{\n\t\t\tconsentGiven: boolean;\n\t\t\tscopes: string;\n\t\t}>({\n\t\t\tmodel: \"oauthConsent\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: client.clientId,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\tvalue: session.user.id,\n\t\t\t\t},\n\t\t\t],\n\t\t})\n\t\t.then((res) => {\n\t\t\tif (!res?.consentGiven) {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tconst consentedScopes = res.scopes ? res.scopes.split(\" \") : [];\n\t\t\tconst hasConsented = requestScope.every((scope) =>\n\t\t\t\tconsentedScopes.includes(scope),\n\t\t\t);\n\t\t\treturn hasConsented;\n\t\t});\n\n\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\n\t// Handle prompt=none per OIDC spec 3.1.2.1\n\t// The Authorization Server MUST NOT display any authentication or consent UI\n\tif (promptSet.has(\"none\")) {\n\t\t// If consent is required, return consent_required error\n\t\tif (!skipConsentForTrustedClient && !hasAlreadyConsented) {\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"consent_required\",\n\t\t\t\t\t\"Consent required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\t\t// If we reach here, user is authenticated and consent is satisfied\n\t\t// Continue without any UI interaction\n\t}\n\n\t// Handle max_age parameter per OIDC spec 3.1.2.1\n\t// max_age=0 is equivalent to prompt=login\n\tlet requireLogin = promptSet.has(\"login\");\n\tif (query.max_age !== undefined) {\n\t\tconst maxAge = Number(query.max_age);\n\t\tif (Number.isInteger(maxAge) && maxAge >= 0) {\n\t\t\tconst sessionAge =\n\t\t\t\t(Date.now() - new Date(session.session.createdAt).getTime()) / 1000;\n\t\t\tif (sessionAge > maxAge) {\n\t\t\t\t// Session is older than max_age, force re-authentication\n\t\t\t\trequireLogin = true;\n\t\t\t}\n\t\t}\n\t\t// If max_age is invalid (not a non-negative integer), ignore it per OIDC spec\n\t}\n\n\tconst requireConsent =\n\t\t!skipConsentForTrustedClient &&\n\t\t(!hasAlreadyConsented || promptSet.has(\"consent\"));\n\n\ttry {\n\t\t/**\n\t\t * Save the code in the database\n\t\t */\n\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\tvalue: JSON.stringify({\n\t\t\t\tclientId: client.clientId,\n\t\t\t\tredirectURI: query.redirect_uri,\n\t\t\t\tscope: requestScope,\n\t\t\t\tuserId: session.user.id,\n\t\t\t\tauthTime: new Date(session.session.createdAt).getTime(),\n\t\t\t\t/**\n\t\t\t\t * Consent is required per OIDC spec unless:\n\t\t\t\t * 1. Client is trusted (skipConsent = true)\n\t\t\t\t * 2. User has already consented (and prompt is not \"consent\")\n\t\t\t\t *\n\t\t\t\t * When consent is required, the code needs to be treated as a\n\t\t\t\t * consent request. Once the user consents, the code will be\n\t\t\t\t * updated with the actual authorization code.\n\t\t\t\t */\n\t\t\t\trequireConsent,\n\t\t\t\tstate: requireConsent ? query.state : null,\n\t\t\t\tcodeChallenge: query.code_challenge,\n\t\t\t\tcodeChallengeMethod: query.code_challenge_method,\n\t\t\t\tnonce: query.nonce,\n\t\t\t}),\n\t\t\tidentifier: code,\n\t\t\texpiresAt,\n\t\t});\n\t} catch {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"server_error\",\n\t\t\t\t\"An error occurred while processing the request\",\n\t\t\t),\n\t\t);\n\t}\n\n\tif (requireLogin) {\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\tconst loginURI = `${options.loginPage}?${new URLSearchParams({\n\t\t\tclient_id: client.clientId,\n\t\t\tcode,\n\t\t\tstate: query.state,\n\t\t}).toString()}`;\n\t\treturn handleRedirect(loginURI);\n\t}\n\n\t// If consent is not required, redirect with the code immediately\n\tif (!requireConsent) {\n\t\tconst redirectURIWithCode = new URL(redirectURI);\n\t\tredirectURIWithCode.searchParams.set(\"code\", code);\n\t\tredirectURIWithCode.searchParams.set(\"state\", ctx.query.state);\n\t\treturn handleRedirect(redirectURIWithCode.toString());\n\t}\n\n\t// Consent is required - redirect to consent page or show consent HTML\n\n\tif (options?.consentPage) {\n\t\t// Set cookie to support cookie-based consent flows\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\t// Pass the consent code as a URL parameter to support URL-based consent flows\n\t\tconst urlParams = new URLSearchParams();\n\t\turlParams.set(\"consent_code\", code);\n\t\turlParams.set(\"client_id\", client.clientId);\n\t\turlParams.set(\"scope\", requestScope.join(\" \"));\n\t\tconst consentURI = `${options.consentPage}?${urlParams.toString()}`;\n\n\t\treturn handleRedirect(consentURI);\n\t}\n\tconst htmlFn = options?.getConsentHTML;\n\n\tif (!htmlFn) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\tmessage: \"No consent page provided\",\n\t\t});\n\t}\n\n\treturn new Response(\n\t\thtmlFn({\n\t\t\tscopes: requestScope,\n\t\t\tclientMetadata: client.metadata,\n\t\t\tclientIcon: client?.icon,\n\t\t\tclientId: client.clientId,\n\t\t\tclientName: client.name,\n\t\t\tcode,\n\t\t}),\n\t\t{\n\t\t\theaders: {\n\t\t\t\t\"content-type\": \"text/html\",\n\t\t\t},\n\t\t},\n\t);\n}\n"],"mappings":";;;;;;;;;AAQA,SAAS,eAAe,KAAa,OAAe,aAAqB;AACxE,QAAO,GACN,IAAI,SAAS,IAAI,GAAG,MAAM,IAC1B,QAAQ,MAAM,qBAAqB;;AAGrC,SAAS,YACR,KACA,OACA,aACC;AAID,QADqB,eADpB,IAAI,QAAQ,QAAQ,YAAY,YAAY,GAAG,IAAI,QAAQ,QAAQ,SACvB,OAAO,YAAY;;AAIjE,eAAsB,UACrB,KACA,SACC;CACD,MAAM,kBAAkB,QAAgB;AAEvC,MADkB,IAAI,SAAS,QAAQ,IAAI,iBAAiB,KAAK,OAEhE,QAAO,IAAI,KAAK;GACf,UAAU;GACV;GACA,CAAC;MAEF,OAAM,IAAI,SAAS,IAAI;;CAIzB,MAAM,OAAO;EACZ,eAAe;EACf,cAAc;EACd,GAAG;EACH,QAAQ;GACP;GACA;GACA;GACA;GACA,GAAI,SAAS,UAAU,EAAE;GACzB;EACD;AACD,KAAI,CAAC,IAAI,QACR,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,SAAS;EAEb,MAAMA,UAAQ,IAAI;AAElB,MADkB,YAAYA,QAAM,UAAU,GAAG,CACnC,IAAI,OAAO,IAAIA,QAAM,aAClC,QAAO,eACN,eACCA,QAAM,cACN,kBACA,6CACA,CACD;;;;;AAOF,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;EACD,MAAM,eAAe,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC;AACjD,SAAO,eAAe,GAAG,QAAQ,UAAU,GAAG,eAAe;;CAG9D,MAAM,QAAQ,IAAI;AAClB,KAAI,CAAC,MAAM,WAAW;EACrB,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,CAAC,MAAM,eAAe;EACzB,MAAM,WAAW,YAChB,KACA,mBACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,SAAS,MAAM,UACpB,IAAI,MAAM,WACV,QAAQ,kBAAkB,EAAE,CAC5B;AACD,KAAI,CAAC,QAAQ;EACZ,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAE7B,MAAM,cAAc,OAAO,aAAa,MACtC,QAAQ,QAAQ,IAAI,MAAM,aAC3B;AAED,KAAI,CAAC,eAAe,CAAC,MAAM;;;;AAI1B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,wBACT,CAAC;AAEH,KAAI,OAAO,UAAU;EACpB,MAAM,WAAW,YAAY,KAAK,mBAAmB,qBAAqB;AAC1E,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,MAAM,kBAAkB,QAAQ;EACnC,MAAM,WAAW,YAChB,KACA,6BACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,eACL,MAAM,OAAO,MAAM,IAAI,CAAC,QAAQ,MAAM,EAAE,IACxC,KAAK,cAAc,MAAM,IAAI,IAC7B,EAAE;CACH,MAAM,gBAAgB,aAAa,QAAQ,UAAU;AACpD,SAAO,CAAC,KAAK,OAAO,SAAS,MAAM;GAClC;AACF,KAAI,cAAc,OACjB,QAAO,eACN,eACC,MAAM,cACN,iBACA,qCAAqC,cAAc,KAAK,KAAK,GAC7D,CACD;AAGF,MACE,CAAC,MAAM,kBAAkB,CAAC,MAAM,0BACjC,QAAQ,YAER,QAAO,eACN,eAAe,MAAM,cAAc,mBAAmB,mBAAmB,CACzE;AAGF,KAAI,CAAC,MAAM,sBACV,OAAM,wBAAwB;AAG/B,KACC,CAAC,CACA,QACA,QAAQ,gCAAgC,UAAU,OAClD,CAAC,SAAS,MAAM,uBAAuB,aAAa,IAAI,GAAG,CAE5D,QAAO,eACN,eACC,MAAM,cACN,mBACA,gCACA,CACD;CAGF,MAAM,OAAO,qBAAqB,IAAI,OAAO,OAAO,MAAM;CAC1D,MAAM,kBAAkB,KAAK,gBAAiB;CAC9C,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB;CAMxD,MAAM,8BAA8B,OAAO;CAC3C,MAAM,sBAAsB,MAAM,IAAI,QAAQ,QAC5C,QAGE;EACF,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,OAAO;GACd,EACD;GACC,OAAO;GACP,OAAO,QAAQ,KAAK;GACpB,CACD;EACD,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,KAAK,aACT,QAAO;EAER,MAAM,kBAAkB,IAAI,SAAS,IAAI,OAAO,MAAM,IAAI,GAAG,EAAE;AAI/D,SAHqB,aAAa,OAAO,UACxC,gBAAgB,SAAS,MAAM,CAC/B;GAEA;CAEH,MAAM,YAAY,YAAY,MAAM,UAAU,GAAG;AAIjD,KAAI,UAAU,IAAI,OAAO,EAExB;MAAI,CAAC,+BAA+B,CAAC,oBACpC,QAAO,eACN,eACC,MAAM,cACN,oBACA,sCACA,CACD;;CAQH,IAAI,eAAe,UAAU,IAAI,QAAQ;AACzC,KAAI,MAAM,YAAY,QAAW;EAChC,MAAM,SAAS,OAAO,MAAM,QAAQ;AACpC,MAAI,OAAO,UAAU,OAAO,IAAI,UAAU,GAGzC;QADE,KAAK,KAAK,GAAG,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS,IAAI,MAC/C,OAEhB,gBAAe;;;CAMlB,MAAM,iBACL,CAAC,gCACA,CAAC,uBAAuB,UAAU,IAAI,UAAU;AAElD,KAAI;;;;AAIH,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,KAAK,UAAU;IACrB,UAAU,OAAO;IACjB,aAAa,MAAM;IACnB,OAAO;IACP,QAAQ,QAAQ,KAAK;IACrB,UAAU,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS;IAUvD;IACA,OAAO,iBAAiB,MAAM,QAAQ;IACtC,eAAe,MAAM;IACrB,qBAAqB,MAAM;IAC3B,OAAO,MAAM;IACb,CAAC;GACF,YAAY;GACZ;GACA,CAAC;SACK;AACP,SAAO,eACN,eACC,MAAM,cACN,gBACA,iDACA,CACD;;AAGF,KAAI,cAAc;AACjB,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;AACD,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;AAOF,SAAO,eALU,GAAG,QAAQ,UAAU,GAAG,IAAI,gBAAgB;GAC5D,WAAW,OAAO;GAClB;GACA,OAAO,MAAM;GACb,CAAC,CAAC,UAAU,GACkB;;AAIhC,KAAI,CAAC,gBAAgB;EACpB,MAAM,sBAAsB,IAAI,IAAI,YAAY;AAChD,sBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,sBAAoB,aAAa,IAAI,SAAS,IAAI,MAAM,MAAM;AAC9D,SAAO,eAAe,oBAAoB,UAAU,CAAC;;AAKtD,KAAI,SAAS,aAAa;AAEzB,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;EAGF,MAAM,YAAY,IAAI,iBAAiB;AACvC,YAAU,IAAI,gBAAgB,KAAK;AACnC,YAAU,IAAI,aAAa,OAAO,SAAS;AAC3C,YAAU,IAAI,SAAS,aAAa,KAAK,IAAI,CAAC;AAG9C,SAAO,eAFY,GAAG,QAAQ,YAAY,GAAG,UAAU,UAAU,GAEhC;;CAElC,MAAM,SAAS,SAAS;AAExB,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,4BACT,CAAC;AAGH,QAAO,IAAI,SACV,OAAO;EACN,QAAQ;EACR,gBAAgB,OAAO;EACvB,YAAY,QAAQ;EACpB,UAAU,OAAO;EACjB,YAAY,OAAO;EACnB;EACA,CAAC,EACF,EACC,SAAS,EACR,gBAAgB,aAChB,EACD,CACD"}
+{"version":3,"file":"authorize.mjs","names":["query"],"sources":["../../../src/plugins/oidc-provider/authorize.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"better-call\";\nimport { getSessionFromCtx } from \"../../api\";\nimport { generateRandomString } from \"../../crypto\";\nimport { getClient } from \"./index\";\nimport type { AuthorizationQuery, OIDCOptions } from \"./types\";\nimport { parsePrompt } from \"./utils/prompt\";\n\nfunction formatErrorURL(url: string, error: string, description: string) {\n\treturn `${url}${\n\t\turl.includes(\"?\") ? \"&\" : \"?\"\n\t}error=${error}&error_description=${description}`;\n}\n\nfunction getErrorURL(\n\tctx: GenericEndpointContext,\n\terror: string,\n\tdescription: string,\n) {\n\tconst baseURL =\n\t\tctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;\n\tconst formattedURL = formatErrorURL(baseURL, error, description);\n\treturn formattedURL;\n}\n\nexport async function authorize(\n\tctx: GenericEndpointContext,\n\toptions: OIDCOptions,\n) {\n\tconst handleRedirect = (url: string) => {\n\t\tconst fromFetch = ctx.request?.headers.get(\"sec-fetch-mode\") === \"cors\";\n\t\tif (fromFetch) {\n\t\t\treturn ctx.json({\n\t\t\t\tredirect: true,\n\t\t\t\turl,\n\t\t\t});\n\t\t} else {\n\t\t\tthrow ctx.redirect(url);\n\t\t}\n\t};\n\n\tconst opts = {\n\t\tcodeExpiresIn: 600,\n\t\tdefaultScope: \"openid\",\n\t\t...options,\n\t\tscopes: [\n\t\t\t\"openid\",\n\t\t\t\"profile\",\n\t\t\t\"email\",\n\t\t\t\"offline_access\",\n\t\t\t...(options?.scopes || []),\n\t\t],\n\t};\n\tif (!ctx.request) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"request not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) {\n\t\t// Handle prompt=none per OIDC spec - must return error instead of redirecting\n\t\tconst query = ctx.query as AuthorizationQuery;\n\t\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\t\tif (promptSet.has(\"none\") && query.redirect_uri) {\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"login_required\",\n\t\t\t\t\t\"Authentication required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\n\t\t/**\n\t\t * If the user is not logged in, we need to redirect them to the\n\t\t * login page.\n\t\t */\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tconst queryFromURL = ctx.request.url?.split(\"?\")[1]!;\n\t\treturn handleRedirect(`${options.loginPage}?${queryFromURL}`);\n\t}\n\n\tconst query = ctx.query as AuthorizationQuery;\n\tif (!query.client_id) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (!query.response_type) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_request\",\n\t\t\t\"response_type is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst client = await getClient(\n\t\tctx.query.client_id,\n\t\toptions.trustedClients || [],\n\t);\n\tif (!client) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\tconst redirectURI = client.redirectUrls.find(\n\t\t(url) => url === ctx.query.redirect_uri,\n\t);\n\n\tif (!redirectURI || !query.redirect_uri) {\n\t\t/**\n\t\t * show UI error here warning the user that the redirect URI is invalid\n\t\t */\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: \"Invalid redirect URI\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tconst errorURL = getErrorURL(ctx, \"client_disabled\", \"client is disabled\");\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (query.response_type !== \"code\") {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"unsupported_response_type\",\n\t\t\t\"unsupported response type\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst requestScope =\n\t\tquery.scope?.split(\" \").filter((s) => s) ||\n\t\topts.defaultScope?.split(\" \") ||\n\t\t[];\n\tconst invalidScopes = requestScope.filter((scope) => {\n\t\treturn !opts.scopes.includes(scope);\n\t});\n\tif (invalidScopes.length) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_scope\",\n\t\t\t\t`The following scopes are invalid: ${invalidScopes.join(\", \")}`,\n\t\t\t),\n\t\t);\n\t}\n\n\tif (\n\t\t(!query.code_challenge || !query.code_challenge_method) &&\n\t\toptions.requirePKCE\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(query.redirect_uri, \"invalid_request\", \"pkce is required\"),\n\t\t);\n\t}\n\n\tif (!query.code_challenge_method) {\n\t\tquery.code_challenge_method = \"plain\";\n\t}\n\n\tif (\n\t\t![\n\t\t\t\"s256\",\n\t\t\toptions.allowPlainCodeChallengeMethod ? \"plain\" : \"s256\",\n\t\t].includes(query.code_challenge_method?.toLowerCase() || \"\")\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"invalid code_challenge method\",\n\t\t\t),\n\t\t);\n\t}\n\n\tconst code = generateRandomString(32, \"a-z\", \"A-Z\", \"0-9\");\n\tconst codeExpiresInMs = opts.codeExpiresIn! * 1000;\n\tconst expiresAt = new Date(Date.now() + codeExpiresInMs);\n\n\t// Determine if consent is required\n\t// Consent is ALWAYS required unless:\n\t// 1. The client is trusted (skipConsent = true)\n\t// 2. The user has already consented and prompt is not \"consent\"\n\tconst skipConsentForTrustedClient = client.skipConsent;\n\tconst hasAlreadyConsented = await ctx.context.adapter\n\t\t.findOne<{\n\t\t\tconsentGiven: boolean;\n\t\t\tscopes: string;\n\t\t}>({\n\t\t\tmodel: \"oauthConsent\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: client.clientId,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\tvalue: session.user.id,\n\t\t\t\t},\n\t\t\t],\n\t\t})\n\t\t.then((res) => {\n\t\t\tif (!res?.consentGiven) {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tconst consentedScopes = res.scopes ? res.scopes.split(\" \") : [];\n\t\t\tconst hasConsented = requestScope.every((scope) =>\n\t\t\t\tconsentedScopes.includes(scope),\n\t\t\t);\n\t\t\treturn hasConsented;\n\t\t});\n\n\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\n\t// Handle prompt=none per OIDC spec 3.1.2.1\n\t// The Authorization Server MUST NOT display any authentication or consent UI\n\tif (promptSet.has(\"none\")) {\n\t\t// If consent is required, return consent_required error\n\t\tif (!skipConsentForTrustedClient && !hasAlreadyConsented) {\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"consent_required\",\n\t\t\t\t\t\"Consent required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\t\t// If we reach here, user is authenticated and consent is satisfied\n\t\t// Continue without any UI interaction\n\t}\n\n\t// Handle max_age parameter per OIDC spec 3.1.2.1\n\t// max_age=0 is equivalent to prompt=login\n\tlet requireLogin = promptSet.has(\"login\");\n\tif (query.max_age !== undefined) {\n\t\tconst maxAge = Number(query.max_age);\n\t\tif (Number.isInteger(maxAge) && maxAge >= 0) {\n\t\t\tconst sessionAge =\n\t\t\t\t(Date.now() - new Date(session.session.createdAt).getTime()) / 1000;\n\t\t\tif (sessionAge > maxAge) {\n\t\t\t\t// Session is older than max_age, force re-authentication\n\t\t\t\trequireLogin = true;\n\t\t\t}\n\t\t}\n\t\t// If max_age is invalid (not a non-negative integer), ignore it per OIDC spec\n\t}\n\n\tconst requireConsent =\n\t\t!skipConsentForTrustedClient &&\n\t\t(!hasAlreadyConsented || promptSet.has(\"consent\"));\n\n\ttry {\n\t\t/**\n\t\t * Save the code in the database\n\t\t */\n\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\tvalue: JSON.stringify({\n\t\t\t\tclientId: client.clientId,\n\t\t\t\tredirectURI: query.redirect_uri,\n\t\t\t\tscope: requestScope,\n\t\t\t\tuserId: session.user.id,\n\t\t\t\tauthTime: new Date(session.session.createdAt).getTime(),\n\t\t\t\t/**\n\t\t\t\t * Consent is required per OIDC spec unless:\n\t\t\t\t * 1. Client is trusted (skipConsent = true)\n\t\t\t\t * 2. User has already consented (and prompt is not \"consent\")\n\t\t\t\t *\n\t\t\t\t * When consent is required, the code needs to be treated as a\n\t\t\t\t * consent request. Once the user consents, the code will be\n\t\t\t\t * updated with the actual authorization code.\n\t\t\t\t */\n\t\t\t\trequireConsent,\n\t\t\t\tstate: requireConsent ? query.state : null,\n\t\t\t\tcodeChallenge: query.code_challenge,\n\t\t\t\tcodeChallengeMethod: query.code_challenge_method,\n\t\t\t\tnonce: query.nonce,\n\t\t\t}),\n\t\t\tidentifier: code,\n\t\t\texpiresAt,\n\t\t});\n\t} catch {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"server_error\",\n\t\t\t\t\"An error occurred while processing the request\",\n\t\t\t),\n\t\t);\n\t}\n\n\tif (requireLogin) {\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\tconst loginURI = `${options.loginPage}?${new URLSearchParams({\n\t\t\tclient_id: client.clientId,\n\t\t\tcode,\n\t\t\tstate: query.state,\n\t\t}).toString()}`;\n\t\treturn handleRedirect(loginURI);\n\t}\n\n\t// If consent is not required, redirect with the code immediately\n\tif (!requireConsent) {\n\t\tconst redirectURIWithCode = new URL(redirectURI);\n\t\tredirectURIWithCode.searchParams.set(\"code\", code);\n\t\tredirectURIWithCode.searchParams.set(\"state\", ctx.query.state);\n\t\treturn handleRedirect(redirectURIWithCode.toString());\n\t}\n\n\t// Consent is required - redirect to consent page or show consent HTML\n\n\tif (options?.consentPage) {\n\t\t// Set cookie to support cookie-based consent flows\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\t// Pass the consent code as a URL parameter to support URL-based consent flows\n\t\tconst urlParams = new URLSearchParams();\n\t\turlParams.set(\"consent_code\", code);\n\t\turlParams.set(\"client_id\", client.clientId);\n\t\turlParams.set(\"scope\", requestScope.join(\" \"));\n\t\tconst consentURI = `${options.consentPage}?${urlParams.toString()}`;\n\n\t\treturn handleRedirect(consentURI);\n\t}\n\tconst htmlFn = options?.getConsentHTML;\n\n\tif (!htmlFn) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\tmessage: \"No consent page provided\",\n\t\t});\n\t}\n\n\treturn new Response(\n\t\thtmlFn({\n\t\t\tscopes: requestScope,\n\t\t\tclientMetadata: client.metadata,\n\t\t\tclientIcon: client?.icon,\n\t\t\tclientId: client.clientId,\n\t\t\tclientName: client.name,\n\t\t\tcode,\n\t\t}),\n\t\t{\n\t\t\theaders: {\n\t\t\t\t\"content-type\": \"text/html\",\n\t\t\t},\n\t\t},\n\t);\n}\n"],"mappings":";;;;;;;;;AAQA,SAAS,eAAe,KAAa,OAAe,aAAqB;AACxE,QAAO,GAAG,MACT,IAAI,SAAS,IAAI,GAAG,MAAM,IAC1B,QAAQ,MAAM,qBAAqB;;AAGrC,SAAS,YACR,KACA,OACA,aACC;AAID,QADqB,eADpB,IAAI,QAAQ,QAAQ,YAAY,YAAY,GAAG,IAAI,QAAQ,QAAQ,SACvB,OAAO,YAAY;;AAIjE,eAAsB,UACrB,KACA,SACC;CACD,MAAM,kBAAkB,QAAgB;AAEvC,MADkB,IAAI,SAAS,QAAQ,IAAI,iBAAiB,KAAK,OAEhE,QAAO,IAAI,KAAK;GACf,UAAU;GACV;GACA,CAAC;MAEF,OAAM,IAAI,SAAS,IAAI;;CAIzB,MAAM,OAAO;EACZ,eAAe;EACf,cAAc;EACd,GAAG;EACH,QAAQ;GACP;GACA;GACA;GACA;GACA,GAAI,SAAS,UAAU,EAAE;GACzB;EACD;AACD,KAAI,CAAC,IAAI,QACR,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,SAAS;EAEb,MAAMA,UAAQ,IAAI;AAElB,MADkB,YAAYA,QAAM,UAAU,GAAG,CACnC,IAAI,OAAO,IAAIA,QAAM,aAClC,QAAO,eACN,eACCA,QAAM,cACN,kBACA,6CACA,CACD;;;;;AAOF,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;EACD,MAAM,eAAe,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC;AACjD,SAAO,eAAe,GAAG,QAAQ,UAAU,GAAG,eAAe;;CAG9D,MAAM,QAAQ,IAAI;AAClB,KAAI,CAAC,MAAM,WAAW;EACrB,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,CAAC,MAAM,eAAe;EACzB,MAAM,WAAW,YAChB,KACA,mBACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,SAAS,MAAM,UACpB,IAAI,MAAM,WACV,QAAQ,kBAAkB,EAAE,CAC5B;AACD,KAAI,CAAC,QAAQ;EACZ,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAE7B,MAAM,cAAc,OAAO,aAAa,MACtC,QAAQ,QAAQ,IAAI,MAAM,aAC3B;AAED,KAAI,CAAC,eAAe,CAAC,MAAM;;;;AAI1B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,wBACT,CAAC;AAEH,KAAI,OAAO,UAAU;EACpB,MAAM,WAAW,YAAY,KAAK,mBAAmB,qBAAqB;AAC1E,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,MAAM,kBAAkB,QAAQ;EACnC,MAAM,WAAW,YAChB,KACA,6BACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,eACL,MAAM,OAAO,MAAM,IAAI,CAAC,QAAQ,MAAM,EAAE,IACxC,KAAK,cAAc,MAAM,IAAI,IAC7B,EAAE;CACH,MAAM,gBAAgB,aAAa,QAAQ,UAAU;AACpD,SAAO,CAAC,KAAK,OAAO,SAAS,MAAM;GAClC;AACF,KAAI,cAAc,OACjB,QAAO,eACN,eACC,MAAM,cACN,iBACA,qCAAqC,cAAc,KAAK,KAAK,GAC7D,CACD;AAGF,MACE,CAAC,MAAM,kBAAkB,CAAC,MAAM,0BACjC,QAAQ,YAER,QAAO,eACN,eAAe,MAAM,cAAc,mBAAmB,mBAAmB,CACzE;AAGF,KAAI,CAAC,MAAM,sBACV,OAAM,wBAAwB;AAG/B,KACC,CAAC,CACA,QACA,QAAQ,gCAAgC,UAAU,OAClD,CAAC,SAAS,MAAM,uBAAuB,aAAa,IAAI,GAAG,CAE5D,QAAO,eACN,eACC,MAAM,cACN,mBACA,gCACA,CACD;CAGF,MAAM,OAAO,qBAAqB,IAAI,OAAO,OAAO,MAAM;CAC1D,MAAM,kBAAkB,KAAK,gBAAiB;CAC9C,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB;CAMxD,MAAM,8BAA8B,OAAO;CAC3C,MAAM,sBAAsB,MAAM,IAAI,QAAQ,QAC5C,QAGE;EACF,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,OAAO;GACd,EACD;GACC,OAAO;GACP,OAAO,QAAQ,KAAK;GACpB,CACD;EACD,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,KAAK,aACT,QAAO;EAER,MAAM,kBAAkB,IAAI,SAAS,IAAI,OAAO,MAAM,IAAI,GAAG,EAAE;AAI/D,SAHqB,aAAa,OAAO,UACxC,gBAAgB,SAAS,MAAM,CAC/B;GAEA;CAEH,MAAM,YAAY,YAAY,MAAM,UAAU,GAAG;AAIjD,KAAI,UAAU,IAAI,OAAO,EAExB;MAAI,CAAC,+BAA+B,CAAC,oBACpC,QAAO,eACN,eACC,MAAM,cACN,oBACA,sCACA,CACD;;CAQH,IAAI,eAAe,UAAU,IAAI,QAAQ;AACzC,KAAI,MAAM,YAAY,QAAW;EAChC,MAAM,SAAS,OAAO,MAAM,QAAQ;AACpC,MAAI,OAAO,UAAU,OAAO,IAAI,UAAU,GAGzC;QADE,KAAK,KAAK,GAAG,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS,IAAI,MAC/C,OAEhB,gBAAe;;;CAMlB,MAAM,iBACL,CAAC,gCACA,CAAC,uBAAuB,UAAU,IAAI,UAAU;AAElD,KAAI;;;;AAIH,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,KAAK,UAAU;IACrB,UAAU,OAAO;IACjB,aAAa,MAAM;IACnB,OAAO;IACP,QAAQ,QAAQ,KAAK;IACrB,UAAU,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS;IAUvD;IACA,OAAO,iBAAiB,MAAM,QAAQ;IACtC,eAAe,MAAM;IACrB,qBAAqB,MAAM;IAC3B,OAAO,MAAM;IACb,CAAC;GACF,YAAY;GACZ;GACA,CAAC;SACK;AACP,SAAO,eACN,eACC,MAAM,cACN,gBACA,iDACA,CACD;;AAGF,KAAI,cAAc;AACjB,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;AACD,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;AAOF,SAAO,eALU,GAAG,QAAQ,UAAU,GAAG,IAAI,gBAAgB;GAC5D,WAAW,OAAO;GAClB;GACA,OAAO,MAAM;GACb,CAAC,CAAC,UAAU,GACkB;;AAIhC,KAAI,CAAC,gBAAgB;EACpB,MAAM,sBAAsB,IAAI,IAAI,YAAY;AAChD,sBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,sBAAoB,aAAa,IAAI,SAAS,IAAI,MAAM,MAAM;AAC9D,SAAO,eAAe,oBAAoB,UAAU,CAAC;;AAKtD,KAAI,SAAS,aAAa;AAEzB,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;EAGF,MAAM,YAAY,IAAI,iBAAiB;AACvC,YAAU,IAAI,gBAAgB,KAAK;AACnC,YAAU,IAAI,aAAa,OAAO,SAAS;AAC3C,YAAU,IAAI,SAAS,aAAa,KAAK,IAAI,CAAC;AAG9C,SAAO,eAFY,GAAG,QAAQ,YAAY,GAAG,UAAU,UAAU,GAEhC;;CAElC,MAAM,SAAS,SAAS;AAExB,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,4BACT,CAAC;AAGH,QAAO,IAAI,SACV,OAAO;EACN,QAAQ;EACR,gBAAgB,OAAO;EACvB,YAAY,QAAQ;EACpB,UAAU,OAAO;EACjB,YAAY,OAAO;EACnB;EACA,CAAC,EACF,EACC,SAAS,EACR,gBAAgB,aAChB,EACD,CACD"}

package/dist/plugins/oidc-provider/index.d.mts

@@ -3,8 +3,8 @@ import { schema } from "./schema.mjs";
 import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "./types.mjs";
 import "../index.mjs";
 import { GenericEndpointContext } from "@better-auth/core";
-import * as _better_auth_core_db2 from "@better-auth/core/db";
-import * as better_call247 from "better-call";
+import * as _better_auth_core_db0 from "@better-auth/core/db";
+import * as better_call219 from "better-call";
 import { OpenAPIParameter } from "better-call";
 import * as z from "zod";
 
@@ -31,21 +31,21 @@ declare const oidcProvider: (options: OIDCOptions) => {
   hooks: {
     after: {
       matcher(): true;
-      handler: (inputContext: better_call247.MiddlewareInputContext<better_call247.MiddlewareOptions>) => Promise<Response | {
+      handler: (inputContext: better_call219.MiddlewareInputContext<better_call219.MiddlewareOptions>) => Promise<Response | {
         redirect: boolean;
         url: string;
       } | undefined>;
     }[];
   };
   endpoints: {
-    getOpenIdConfig: better_call247.StrictEndpoint<"/.well-known/openid-configuration", {
+    getOpenIdConfig: better_call219.StrictEndpoint<"/.well-known/openid-configuration", {
       method: "GET";
       operationId: string;
       metadata: {
         readonly scope: "server";
       };
     }, OIDCMetadata>;
-    oAuth2authorize: better_call247.StrictEndpoint<"/oauth2/authorize", {
+    oAuth2authorize: better_call219.StrictEndpoint<"/oauth2/authorize", {
       method: "GET";
       operationId: string;
       query: z.ZodRecord<z.ZodString, z.ZodAny>;
@@ -72,14 +72,14 @@ declare const oidcProvider: (options: OIDCOptions) => {
       redirect: boolean;
       url: string;
     }>;
-    oAuthConsent: better_call247.StrictEndpoint<"/oauth2/consent", {
+    oAuthConsent: better_call219.StrictEndpoint<"/oauth2/consent", {
       method: "POST";
       operationId: string;
       body: z.ZodObject<{
         accept: z.ZodBoolean;
         consent_code: z.ZodOptional<z.ZodNullable<z.ZodOptional<z.ZodString>>>;
       }, z.core.$strip>;
-      use: ((inputContext: better_call247.MiddlewareInputContext<better_call247.MiddlewareOptions>) => Promise<{
+      use: ((inputContext: better_call219.MiddlewareInputContext<better_call219.MiddlewareOptions>) => Promise<{
         session: {
           session: Record<string, any> & {
             id: string;
@@ -151,7 +151,7 @@ declare const oidcProvider: (options: OIDCOptions) => {
     }, {
       redirectURI: string;
     }>;
-    oAuth2token: better_call247.StrictEndpoint<"/oauth2/token", {
+    oAuth2token: better_call219.StrictEndpoint<"/oauth2/token", {
       method: "POST";
       operationId: string;
       body: z.ZodRecord<z.ZodAny, z.ZodAny>;
@@ -173,7 +173,7 @@ declare const oidcProvider: (options: OIDCOptions) => {
       scope: string;
       id_token: string | undefined;
     }>;
-    oAuth2userInfo: better_call247.StrictEndpoint<"/oauth2/userinfo", {
+    oAuth2userInfo: better_call219.StrictEndpoint<"/oauth2/userinfo", {
       method: "GET";
       operationId: string;
       metadata: {
@@ -265,7 +265,7 @@ declare const oidcProvider: (options: OIDCOptions) => {
      *
      * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/oidc-provider#api-method-oauth2-register)
      */
-    registerOAuthApplication: better_call247.StrictEndpoint<"/oauth2/register", {
+    registerOAuthApplication: better_call219.StrictEndpoint<"/oauth2/register", {
       method: "POST";
       body: z.ZodObject<{
         redirect_uris: z.ZodArray<z.ZodString>;
@@ -405,9 +405,9 @@ declare const oidcProvider: (options: OIDCOptions) => {
       client_secret?: string | undefined;
       client_id: string;
     }>;
-    getOAuthClient: better_call247.StrictEndpoint<"/oauth2/client/:id", {
+    getOAuthClient: better_call219.StrictEndpoint<"/oauth2/client/:id", {
       method: "GET";
-      use: ((inputContext: better_call247.MiddlewareInputContext<better_call247.MiddlewareOptions>) => Promise<{
+      use: ((inputContext: better_call219.MiddlewareInputContext<better_call219.MiddlewareOptions>) => Promise<{
         session: {
           session: Record<string, any> & {
             id: string;
@@ -478,7 +478,7 @@ declare const oidcProvider: (options: OIDCOptions) => {
      *
      * @see [OpenID Connect RP-Initiated Logout Spec](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
      */
-    endSession: better_call247.StrictEndpoint<"/oauth2/endsession", {
+    endSession: better_call219.StrictEndpoint<"/oauth2/endsession", {
       method: ("GET" | "POST")[];
       query: z.ZodOptional<z.ZodObject<{
         id_token_hint: z.ZodOptional<z.ZodString>;
@@ -504,7 +504,7 @@ declare const oidcProvider: (options: OIDCOptions) => {
         scope: "server";
       };
     }, {
-      status: ("OK" | "CREATED" | "ACCEPTED" | "NO_CONTENT" | "MULTIPLE_CHOICES" | "MOVED_PERMANENTLY" | "FOUND" | "SEE_OTHER" | "NOT_MODIFIED" | "TEMPORARY_REDIRECT" | "BAD_REQUEST" | "UNAUTHORIZED" | "PAYMENT_REQUIRED" | "FORBIDDEN" | "NOT_FOUND" | "METHOD_NOT_ALLOWED" | "NOT_ACCEPTABLE" | "PROXY_AUTHENTICATION_REQUIRED" | "REQUEST_TIMEOUT" | "CONFLICT" | "GONE" | "LENGTH_REQUIRED" | "PRECONDITION_FAILED" | "PAYLOAD_TOO_LARGE" | "URI_TOO_LONG" | "UNSUPPORTED_MEDIA_TYPE" | "RANGE_NOT_SATISFIABLE" | "EXPECTATION_FAILED" | "I'M_A_TEAPOT" | "MISDIRECTED_REQUEST" | "UNPROCESSABLE_ENTITY" | "LOCKED" | "FAILED_DEPENDENCY" | "TOO_EARLY" | "UPGRADE_REQUIRED" | "PRECONDITION_REQUIRED" | "TOO_MANY_REQUESTS" | "REQUEST_HEADER_FIELDS_TOO_LARGE" | "UNAVAILABLE_FOR_LEGAL_REASONS" | "INTERNAL_SERVER_ERROR" | "NOT_IMPLEMENTED" | "BAD_GATEWAY" | "SERVICE_UNAVAILABLE" | "GATEWAY_TIMEOUT" | "HTTP_VERSION_NOT_SUPPORTED" | "VARIANT_ALSO_NEGOTIATES" | "INSUFFICIENT_STORAGE" | "LOOP_DETECTED" | "NOT_EXTENDED" | "NETWORK_AUTHENTICATION_REQUIRED") | better_call247.Status;
+      status: ("OK" | "CREATED" | "ACCEPTED" | "NO_CONTENT" | "MULTIPLE_CHOICES" | "MOVED_PERMANENTLY" | "FOUND" | "SEE_OTHER" | "NOT_MODIFIED" | "TEMPORARY_REDIRECT" | "BAD_REQUEST" | "UNAUTHORIZED" | "PAYMENT_REQUIRED" | "FORBIDDEN" | "NOT_FOUND" | "METHOD_NOT_ALLOWED" | "NOT_ACCEPTABLE" | "PROXY_AUTHENTICATION_REQUIRED" | "REQUEST_TIMEOUT" | "CONFLICT" | "GONE" | "LENGTH_REQUIRED" | "PRECONDITION_FAILED" | "PAYLOAD_TOO_LARGE" | "URI_TOO_LONG" | "UNSUPPORTED_MEDIA_TYPE" | "RANGE_NOT_SATISFIABLE" | "EXPECTATION_FAILED" | "I'M_A_TEAPOT" | "MISDIRECTED_REQUEST" | "UNPROCESSABLE_ENTITY" | "LOCKED" | "FAILED_DEPENDENCY" | "TOO_EARLY" | "UPGRADE_REQUIRED" | "PRECONDITION_REQUIRED" | "TOO_MANY_REQUESTS" | "REQUEST_HEADER_FIELDS_TOO_LARGE" | "UNAVAILABLE_FOR_LEGAL_REASONS" | "INTERNAL_SERVER_ERROR" | "NOT_IMPLEMENTED" | "BAD_GATEWAY" | "SERVICE_UNAVAILABLE" | "GATEWAY_TIMEOUT" | "HTTP_VERSION_NOT_SUPPORTED" | "VARIANT_ALSO_NEGOTIATES" | "INSUFFICIENT_STORAGE" | "LOOP_DETECTED" | "NOT_EXTENDED" | "NETWORK_AUTHENTICATION_REQUIRED") | better_call219.Status;
       body: ({
         message?: string;
         code?: string;
@@ -678,7 +678,7 @@ declare const oidcProvider: (options: OIDCOptions) => {
     allowPlainCodeChallengeMethod: boolean;
     generateClientId?: (() => string) | undefined;
     generateClientSecret?: (() => string) | undefined;
-    getAdditionalUserInfoClaim?: ((user: _better_auth_core_db2.User & Record<string, any>, scopes: string[], client: Client) => Record<string, any> | Promise<Record<string, any>>) | undefined;
+    getAdditionalUserInfoClaim?: ((user: _better_auth_core_db0.User & Record<string, any>, scopes: string[], client: Client) => Record<string, any> | Promise<Record<string, any>>) | undefined;
     trustedClients?: Client[] | undefined;
     storeClientSecret: "hashed" | "plain" | "encrypted" | {
       hash: (clientSecret: string) => Promise<string>;

package/dist/plugins/one-tap/client.d.mts

@@ -1,6 +1,6 @@
-import * as _better_auth_core24 from "@better-auth/core";
+import * as _better_auth_core40 from "@better-auth/core";
 import { ClientFetchOption } from "@better-auth/core";
-import * as _better_fetch_fetch96 from "@better-fetch/fetch";
+import * as _better_fetch_fetch112 from "@better-fetch/fetch";
 
 //#region src/plugins/one-tap/client.d.ts
 declare global {
@@ -161,13 +161,13 @@ declare const oneTapClient: (options: GoogleOneTapOptions) => {
     id: string;
     name: string;
     hooks: {
-      onResponse(ctx: _better_fetch_fetch96.ResponseContext): Promise<void>;
+      onResponse(ctx: _better_fetch_fetch112.ResponseContext): Promise<void>;
     };
   }[];
-  getActions: ($fetch: _better_fetch_fetch96.BetterFetch, _: _better_auth_core24.ClientStore) => {
+  getActions: ($fetch: _better_fetch_fetch112.BetterFetch, _: _better_auth_core40.ClientStore) => {
     oneTap: (opts?: GoogleOneTapActionOptions | undefined, fetchOptions?: ClientFetchOption | undefined) => Promise<void>;
   };
-  getAtoms($fetch: _better_fetch_fetch96.BetterFetch): {};
+  getAtoms($fetch: _better_fetch_fetch112.BetterFetch): {};
 };
 //#endregion
 export { GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, oneTapClient };

package/dist/plugins/one-tap/index.d.mts

@@ -1,4 +1,4 @@
-import * as better_call10 from "better-call";
+import * as better_call7 from "better-call";
 import * as z from "zod";
 
 //#region src/plugins/one-tap/index.d.ts
@@ -20,7 +20,7 @@ interface OneTapOptions {
 declare const oneTap: (options?: OneTapOptions | undefined) => {
   id: "one-tap";
   endpoints: {
-    oneTapCallback: better_call10.StrictEndpoint<"/one-tap/callback", {
+    oneTapCallback: better_call7.StrictEndpoint<"/one-tap/callback", {
       method: "POST";
       body: z.ZodObject<{
         idToken: z.ZodString;

package/dist/plugins/one-time-token/index.d.mts

@@ -1,7 +1,7 @@
 import { Session, User } from "../../types/models.mjs";
 import "../../types/index.mjs";
 import { GenericEndpointContext } from "@better-auth/core";
-import * as better_call241 from "better-call";
+import * as better_call252 from "better-call";
 import * as z from "zod";
 
 //#region src/plugins/one-time-token/index.d.ts
@@ -60,9 +60,9 @@ declare const oneTimeToken: (options?: OneTimeTokenOptions | undefined) => {
      *
      * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/one-time-token#api-method-one-time-token-generate)
      */
-    generateOneTimeToken: better_call241.StrictEndpoint<"/one-time-token/generate", {
+    generateOneTimeToken: better_call252.StrictEndpoint<"/one-time-token/generate", {
       method: "GET";
-      use: ((inputContext: better_call241.MiddlewareInputContext<better_call241.MiddlewareOptions>) => Promise<{
+      use: ((inputContext: better_call252.MiddlewareInputContext<better_call252.MiddlewareOptions>) => Promise<{
         session: {
           session: Record<string, any> & {
             id: string;
@@ -103,7 +103,7 @@ declare const oneTimeToken: (options?: OneTimeTokenOptions | undefined) => {
      *
      * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/one-time-token#api-method-one-time-token-verify)
      */
-    verifyOneTimeToken: better_call241.StrictEndpoint<"/one-time-token/verify", {
+    verifyOneTimeToken: better_call252.StrictEndpoint<"/one-time-token/verify", {
       method: "POST";
       body: z.ZodObject<{
         token: z.ZodString;
@@ -116,7 +116,7 @@ declare const oneTimeToken: (options?: OneTimeTokenOptions | undefined) => {
   hooks: {
     after: {
       matcher: () => true;
-      handler: (inputContext: better_call241.MiddlewareInputContext<better_call241.MiddlewareOptions>) => Promise<void>;
+      handler: (inputContext: better_call252.MiddlewareInputContext<better_call252.MiddlewareOptions>) => Promise<void>;
     }[];
   };
   options: OneTimeTokenOptions | undefined;

package/dist/plugins/open-api/index.d.mts

@@ -1,6 +1,6 @@
 import { FieldSchema, OpenAPIModelSchema, Path, generator } from "./generator.mjs";
 import { LiteralString } from "@better-auth/core";
-import * as better_call75 from "better-call";
+import * as better_call190 from "better-call";
 
 //#region src/plugins/open-api/index.d.ts
 type ScalarTheme = "alternate" | "default" | "moon" | "purple" | "solarized" | "bluePlanet" | "saturn" | "kepler" | "mars" | "deepSpace" | "laserwave" | "none";
@@ -36,7 +36,7 @@ interface OpenAPIOptions {
 declare const openAPI: <O extends OpenAPIOptions>(options?: O | undefined) => {
   id: "open-api";
   endpoints: {
-    generateOpenAPISchema: better_call75.StrictEndpoint<"/open-api/generate-schema", {
+    generateOpenAPISchema: better_call190.StrictEndpoint<"/open-api/generate-schema", {
       method: "GET";
     }, {
       openapi: string;
@@ -76,7 +76,7 @@ declare const openAPI: <O extends OpenAPIOptions>(options?: O | undefined) => {
       }[];
       paths: Record<string, Path>;
     }>;
-    openAPIReference: better_call75.StrictEndpoint<"/reference", {
+    openAPIReference: better_call190.StrictEndpoint<"/reference", {
       method: "GET";
       metadata: {
         readonly scope: "server";

package/dist/plugins/organization/client.d.mts

@@ -12,10 +12,10 @@ import { OrganizationPlugin } from "./organization.mjs";
 import "./index.mjs";
 import "../../client/index.mjs";
 import { HasPermissionBaseInput } from "./permission.mjs";
-import * as _better_auth_core25 from "@better-auth/core";
+import * as _better_auth_core41 from "@better-auth/core";
 import { DBFieldAttribute } from "@better-auth/core/db";
-import * as nanostores4 from "nanostores";
-import * as _better_fetch_fetch99 from "@better-fetch/fetch";
+import * as nanostores6 from "nanostores";
+import * as _better_fetch_fetch115 from "@better-fetch/fetch";
 
 //#region src/plugins/organization/client.d.ts
 /**
@@ -86,7 +86,7 @@ declare const organizationClient: <CO extends OrganizationClientOptions>(options
       } ? true : false;
     };
   }>;
-  getActions: ($fetch: _better_fetch_fetch99.BetterFetch, _$store: _better_auth_core25.ClientStore, co: _better_auth_core25.BetterAuthClientOptions | undefined) => {
+  getActions: ($fetch: _better_fetch_fetch115.BetterFetch, _$store: _better_auth_core41.ClientStore, co: _better_auth_core41.BetterAuthClientOptions | undefined) => {
     $Infer: {
       ActiveOrganization: CO["teams"] extends {
         enabled: true;
@@ -178,11 +178,11 @@ declare const organizationClient: <CO extends OrganizationClientOptions>(options
       }) => boolean;
     };
   };
-  getAtoms: ($fetch: _better_fetch_fetch99.BetterFetch) => {
-    $listOrg: nanostores4.PreinitializedWritableAtom<boolean> & object;
-    $activeOrgSignal: nanostores4.PreinitializedWritableAtom<boolean> & object;
-    $activeMemberSignal: nanostores4.PreinitializedWritableAtom<boolean> & object;
-    $activeMemberRoleSignal: nanostores4.PreinitializedWritableAtom<boolean> & object;
+  getAtoms: ($fetch: _better_fetch_fetch115.BetterFetch) => {
+    $listOrg: nanostores6.PreinitializedWritableAtom<boolean> & object;
+    $activeOrgSignal: nanostores6.PreinitializedWritableAtom<boolean> & object;
+    $activeMemberSignal: nanostores6.PreinitializedWritableAtom<boolean> & object;
+    $activeMemberRoleSignal: nanostores6.PreinitializedWritableAtom<boolean> & object;
     activeOrganization: AuthQueryAtom<Prettify<({
       id: string;
       name: string;

package/dist/plugins/organization/error-codes.d.mts

@@ -56,6 +56,7 @@ declare const ORGANIZATION_ERROR_CODES: {
   readonly INVALID_RESOURCE: "The provided permission includes an invalid resource";
   readonly ROLE_NAME_IS_ALREADY_TAKEN: "That role name is already taken";
   readonly CANNOT_DELETE_A_PRE_DEFINED_ROLE: "Cannot delete a pre-defined role";
+  readonly ROLE_IS_ASSIGNED_TO_MEMBERS: "Cannot delete a role that is assigned to members. Please reassign the members to a different role first";
 };
 //#endregion
 export { ORGANIZATION_ERROR_CODES };

package/dist/plugins/organization/error-codes.mjs

@@ -57,7 +57,8 @@ const ORGANIZATION_ERROR_CODES = defineErrorCodes({
 	TOO_MANY_ROLES: "This organization has too many roles",
 	INVALID_RESOURCE: "The provided permission includes an invalid resource",
 	ROLE_NAME_IS_ALREADY_TAKEN: "That role name is already taken",
-	CANNOT_DELETE_A_PRE_DEFINED_ROLE: "Cannot delete a pre-defined role"
+	CANNOT_DELETE_A_PRE_DEFINED_ROLE: "Cannot delete a pre-defined role",
+	ROLE_IS_ASSIGNED_TO_MEMBERS: "Cannot delete a role that is assigned to members. Please reassign the members to a different role first"
 });
 
 //#endregion

package/dist/plugins/organization/error-codes.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"error-codes.mjs","names":[],"sources":["../../../src/plugins/organization/error-codes.ts"],"sourcesContent":["import { defineErrorCodes } from \"@better-auth/core/utils\";\n\nexport const ORGANIZATION_ERROR_CODES = defineErrorCodes({\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_ORGANIZATION:\n\t\t\"You are not allowed to create a new organization\",\n\tYOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS:\n\t\t\"You have reached the maximum number of organizations\",\n\tORGANIZATION_ALREADY_EXISTS: \"Organization already exists\",\n\tORGANIZATION_SLUG_ALREADY_TAKEN: \"Organization slug already taken\",\n\tORGANIZATION_NOT_FOUND: \"Organization not found\",\n\tUSER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION:\n\t\t\"User is not a member of the organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_ORGANIZATION:\n\t\t\"You are not allowed to update this organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_ORGANIZATION:\n\t\t\"You are not allowed to delete this organization\",\n\tNO_ACTIVE_ORGANIZATION: \"No active organization\",\n\tUSER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION:\n\t\t\"User is already a member of this organization\",\n\tMEMBER_NOT_FOUND: \"Member not found\",\n\tROLE_NOT_FOUND: \"Role not found\",\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_TEAM:\n\t\t\"You are not allowed to create a new team\",\n\tTEAM_ALREADY_EXISTS: \"Team already exists\",\n\tTEAM_NOT_FOUND: \"Team not found\",\n\tYOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER:\n\t\t\"You cannot leave the organization as the only owner\",\n\tYOU_CANNOT_LEAVE_THE_ORGANIZATION_WITHOUT_AN_OWNER:\n\t\t\"You cannot leave the organization without an owner\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_MEMBER:\n\t\t\"You are not allowed to delete this member\",\n\tYOU_ARE_NOT_ALLOWED_TO_INVITE_USERS_TO_THIS_ORGANIZATION:\n\t\t\"You are not allowed to invite users to this organization\",\n\tUSER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION:\n\t\t\"User is already invited to this organization\",\n\tINVITATION_NOT_FOUND: \"Invitation not found\",\n\tYOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION:\n\t\t\"You are not the recipient of the invitation\",\n\tEMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION:\n\t\t\"Email verification required before accepting or rejecting invitation\",\n\tYOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION:\n\t\t\"You are not allowed to cancel this invitation\",\n\tINVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION:\n\t\t\"Inviter is no longer a member of the organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE:\n\t\t\"You are not allowed to invite a user with this role\",\n\tFAILED_TO_RETRIEVE_INVITATION: \"Failed to retrieve invitation\",\n\tYOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_TEAMS:\n\t\t\"You have reached the maximum number of teams\",\n\tUNABLE_TO_REMOVE_LAST_TEAM: \"Unable to remove last team\",\n\tYOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_MEMBER:\n\t\t\"You are not allowed to update this member\",\n\tORGANIZATION_MEMBERSHIP_LIMIT_REACHED:\n\t\t\"Organization membership limit reached\",\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_TEAMS_IN_THIS_ORGANIZATION:\n\t\t\"You are not allowed to create teams in this organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_TEAMS_IN_THIS_ORGANIZATION:\n\t\t\"You are not allowed to delete teams in this organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_TEAM:\n\t\t\"You are not allowed to update this team\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_TEAM:\n\t\t\"You are not allowed to delete this team\",\n\tINVITATION_LIMIT_REACHED: \"Invitation limit reached\",\n\tTEAM_MEMBER_LIMIT_REACHED: \"Team member limit reached\",\n\tUSER_IS_NOT_A_MEMBER_OF_THE_TEAM: \"User is not a member of the team\",\n\tYOU_CAN_NOT_ACCESS_THE_MEMBERS_OF_THIS_TEAM:\n\t\t\"You are not allowed to list the members of this team\",\n\tYOU_DO_NOT_HAVE_AN_ACTIVE_TEAM: \"You do not have an active team\",\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_TEAM_MEMBER:\n\t\t\"You are not allowed to create a new member\",\n\tYOU_ARE_NOT_ALLOWED_TO_REMOVE_A_TEAM_MEMBER:\n\t\t\"You are not allowed to remove a team member\",\n\tYOU_ARE_NOT_ALLOWED_TO_ACCESS_THIS_ORGANIZATION:\n\t\t\"You are not allowed to access this organization as an owner\",\n\tYOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION:\n\t\t\"You are not a member of this organization\",\n\tMISSING_AC_INSTANCE:\n\t\t\"Dynamic Access Control requires a pre-defined ac instance on the server auth plugin. Read server logs for more information\",\n\tYOU_MUST_BE_IN_AN_ORGANIZATION_TO_CREATE_A_ROLE:\n\t\t\"You must be in an organization to create a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_A_ROLE: \"You are not allowed to create a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_UPDATE_A_ROLE: \"You are not allowed to update a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_A_ROLE: \"You are not allowed to delete a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_READ_A_ROLE: \"You are not allowed to read a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_LIST_A_ROLE: \"You are not allowed to list a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_GET_A_ROLE: \"You are not allowed to get a role\",\n\tTOO_MANY_ROLES: \"This organization has too many roles\",\n\tINVALID_RESOURCE: \"The provided permission includes an invalid resource\",\n\tROLE_NAME_IS_ALREADY_TAKEN: \"That role name is already taken\",\n\tCANNOT_DELETE_A_PRE_DEFINED_ROLE: \"Cannot delete a pre-defined role\",\n});\n"],"mappings":";;;AAEA,MAAa,2BAA2B,iBAAiB;CACxD,kDACC;CACD,sDACC;CACD,6BAA6B;CAC7B,iCAAiC;CACjC,wBAAwB;CACxB,0CACC;CACD,iDACC;CACD,iDACC;CACD,wBAAwB;CACxB,+CACC;CACD,kBAAkB;CAClB,gBAAgB;CAChB,0CACC;CACD,qBAAqB;CACrB,gBAAgB;CAChB,qDACC;CACD,oDACC;CACD,2CACC;CACD,0DACC;CACD,8CACC;CACD,sBAAsB;CACtB,6CACC;CACD,sEACC;CACD,+CACC;CACD,mDACC;CACD,mDACC;CACD,+BAA+B;CAC/B,8CACC;CACD,4BAA4B;CAC5B,2CACC;CACD,uCACC;CACD,0DACC;CACD,0DACC;CACD,yCACC;CACD,yCACC;CACD,0BAA0B;CAC1B,2BAA2B;CAC3B,kCAAkC;CAClC,6CACC;CACD,gCAAgC;CAChC,iDACC;CACD,6CACC;CACD,iDACC;CACD,2CACC;CACD,qBACC;CACD,iDACC;CACD,sCAAsC;CACtC,sCAAsC;CACtC,sCAAsC;CACtC,oCAAoC;CACpC,oCAAoC;CACpC,mCAAmC;CACnC,gBAAgB;CAChB,kBAAkB;CAClB,4BAA4B;CAC5B,kCAAkC;CAClC,CAAC"}
+{"version":3,"file":"error-codes.mjs","names":[],"sources":["../../../src/plugins/organization/error-codes.ts"],"sourcesContent":["import { defineErrorCodes } from \"@better-auth/core/utils\";\n\nexport const ORGANIZATION_ERROR_CODES = defineErrorCodes({\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_ORGANIZATION:\n\t\t\"You are not allowed to create a new organization\",\n\tYOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_ORGANIZATIONS:\n\t\t\"You have reached the maximum number of organizations\",\n\tORGANIZATION_ALREADY_EXISTS: \"Organization already exists\",\n\tORGANIZATION_SLUG_ALREADY_TAKEN: \"Organization slug already taken\",\n\tORGANIZATION_NOT_FOUND: \"Organization not found\",\n\tUSER_IS_NOT_A_MEMBER_OF_THE_ORGANIZATION:\n\t\t\"User is not a member of the organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_ORGANIZATION:\n\t\t\"You are not allowed to update this organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_ORGANIZATION:\n\t\t\"You are not allowed to delete this organization\",\n\tNO_ACTIVE_ORGANIZATION: \"No active organization\",\n\tUSER_IS_ALREADY_A_MEMBER_OF_THIS_ORGANIZATION:\n\t\t\"User is already a member of this organization\",\n\tMEMBER_NOT_FOUND: \"Member not found\",\n\tROLE_NOT_FOUND: \"Role not found\",\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_TEAM:\n\t\t\"You are not allowed to create a new team\",\n\tTEAM_ALREADY_EXISTS: \"Team already exists\",\n\tTEAM_NOT_FOUND: \"Team not found\",\n\tYOU_CANNOT_LEAVE_THE_ORGANIZATION_AS_THE_ONLY_OWNER:\n\t\t\"You cannot leave the organization as the only owner\",\n\tYOU_CANNOT_LEAVE_THE_ORGANIZATION_WITHOUT_AN_OWNER:\n\t\t\"You cannot leave the organization without an owner\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_MEMBER:\n\t\t\"You are not allowed to delete this member\",\n\tYOU_ARE_NOT_ALLOWED_TO_INVITE_USERS_TO_THIS_ORGANIZATION:\n\t\t\"You are not allowed to invite users to this organization\",\n\tUSER_IS_ALREADY_INVITED_TO_THIS_ORGANIZATION:\n\t\t\"User is already invited to this organization\",\n\tINVITATION_NOT_FOUND: \"Invitation not found\",\n\tYOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION:\n\t\t\"You are not the recipient of the invitation\",\n\tEMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION:\n\t\t\"Email verification required before accepting or rejecting invitation\",\n\tYOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION:\n\t\t\"You are not allowed to cancel this invitation\",\n\tINVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION:\n\t\t\"Inviter is no longer a member of the organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE:\n\t\t\"You are not allowed to invite a user with this role\",\n\tFAILED_TO_RETRIEVE_INVITATION: \"Failed to retrieve invitation\",\n\tYOU_HAVE_REACHED_THE_MAXIMUM_NUMBER_OF_TEAMS:\n\t\t\"You have reached the maximum number of teams\",\n\tUNABLE_TO_REMOVE_LAST_TEAM: \"Unable to remove last team\",\n\tYOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_MEMBER:\n\t\t\"You are not allowed to update this member\",\n\tORGANIZATION_MEMBERSHIP_LIMIT_REACHED:\n\t\t\"Organization membership limit reached\",\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_TEAMS_IN_THIS_ORGANIZATION:\n\t\t\"You are not allowed to create teams in this organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_TEAMS_IN_THIS_ORGANIZATION:\n\t\t\"You are not allowed to delete teams in this organization\",\n\tYOU_ARE_NOT_ALLOWED_TO_UPDATE_THIS_TEAM:\n\t\t\"You are not allowed to update this team\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_THIS_TEAM:\n\t\t\"You are not allowed to delete this team\",\n\tINVITATION_LIMIT_REACHED: \"Invitation limit reached\",\n\tTEAM_MEMBER_LIMIT_REACHED: \"Team member limit reached\",\n\tUSER_IS_NOT_A_MEMBER_OF_THE_TEAM: \"User is not a member of the team\",\n\tYOU_CAN_NOT_ACCESS_THE_MEMBERS_OF_THIS_TEAM:\n\t\t\"You are not allowed to list the members of this team\",\n\tYOU_DO_NOT_HAVE_AN_ACTIVE_TEAM: \"You do not have an active team\",\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_A_NEW_TEAM_MEMBER:\n\t\t\"You are not allowed to create a new member\",\n\tYOU_ARE_NOT_ALLOWED_TO_REMOVE_A_TEAM_MEMBER:\n\t\t\"You are not allowed to remove a team member\",\n\tYOU_ARE_NOT_ALLOWED_TO_ACCESS_THIS_ORGANIZATION:\n\t\t\"You are not allowed to access this organization as an owner\",\n\tYOU_ARE_NOT_A_MEMBER_OF_THIS_ORGANIZATION:\n\t\t\"You are not a member of this organization\",\n\tMISSING_AC_INSTANCE:\n\t\t\"Dynamic Access Control requires a pre-defined ac instance on the server auth plugin. Read server logs for more information\",\n\tYOU_MUST_BE_IN_AN_ORGANIZATION_TO_CREATE_A_ROLE:\n\t\t\"You must be in an organization to create a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_CREATE_A_ROLE: \"You are not allowed to create a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_UPDATE_A_ROLE: \"You are not allowed to update a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_DELETE_A_ROLE: \"You are not allowed to delete a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_READ_A_ROLE: \"You are not allowed to read a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_LIST_A_ROLE: \"You are not allowed to list a role\",\n\tYOU_ARE_NOT_ALLOWED_TO_GET_A_ROLE: \"You are not allowed to get a role\",\n\tTOO_MANY_ROLES: \"This organization has too many roles\",\n\tINVALID_RESOURCE: \"The provided permission includes an invalid resource\",\n\tROLE_NAME_IS_ALREADY_TAKEN: \"That role name is already taken\",\n\tCANNOT_DELETE_A_PRE_DEFINED_ROLE: \"Cannot delete a pre-defined role\",\n\tROLE_IS_ASSIGNED_TO_MEMBERS:\n\t\t\"Cannot delete a role that is assigned to members. Please reassign the members to a different role first\",\n});\n"],"mappings":";;;AAEA,MAAa,2BAA2B,iBAAiB;CACxD,kDACC;CACD,sDACC;CACD,6BAA6B;CAC7B,iCAAiC;CACjC,wBAAwB;CACxB,0CACC;CACD,iDACC;CACD,iDACC;CACD,wBAAwB;CACxB,+CACC;CACD,kBAAkB;CAClB,gBAAgB;CAChB,0CACC;CACD,qBAAqB;CACrB,gBAAgB;CAChB,qDACC;CACD,oDACC;CACD,2CACC;CACD,0DACC;CACD,8CACC;CACD,sBAAsB;CACtB,6CACC;CACD,sEACC;CACD,+CACC;CACD,mDACC;CACD,mDACC;CACD,+BAA+B;CAC/B,8CACC;CACD,4BAA4B;CAC5B,2CACC;CACD,uCACC;CACD,0DACC;CACD,0DACC;CACD,yCACC;CACD,yCACC;CACD,0BAA0B;CAC1B,2BAA2B;CAC3B,kCAAkC;CAClC,6CACC;CACD,gCAAgC;CAChC,iDACC;CACD,6CACC;CACD,iDACC;CACD,2CACC;CACD,qBACC;CACD,iDACC;CACD,sCAAsC;CACtC,sCAAsC;CACtC,sCAAsC;CACtC,oCAAoC;CACpC,oCAAoC;CACpC,mCAAmC;CACnC,gBAAgB;CAChB,kBAAkB;CAClB,4BAA4B;CAC5B,kCAAkC;CAClC,6BACC;CACD,CAAC"}

package/dist/plugins/organization/organization.d.mts

@@ -10,7 +10,7 @@ import { addMember, getActiveMember, getActiveMemberRole, leaveOrganization, lis
 import { checkOrganizationSlug, createOrganization, deleteOrganization, getFullOrganization, listOrganizations, setActiveOrganization, updateOrganization } from "./routes/crud-org.mjs";
 import { addTeamMember, createTeam, listOrganizationTeams, listTeamMembers, listUserTeams, removeTeam, removeTeamMember, setActiveTeam, updateTeam } from "./routes/crud-team.mjs";
 import * as _better_auth_core_db58 from "@better-auth/core/db";
-import * as better_call747 from "better-call";
+import * as better_call759 from "better-call";
 import * as z from "zod";
 
 //#region src/plugins/organization/organization.d.ts
@@ -88,7 +88,7 @@ type OrganizationEndpoints<O extends OrganizationOptions> = {
   getActiveMemberRole: ReturnType<typeof getActiveMemberRole<O>>;
   hasPermission: ReturnType<typeof createHasPermission<O>>;
 };
-declare const createHasPermission: <O extends OrganizationOptions>(options: O) => better_call747.StrictEndpoint<"/organization/has-permission", {
+declare const createHasPermission: <O extends OrganizationOptions>(options: O) => better_call759.StrictEndpoint<"/organization/has-permission", {
   method: "POST";
   requireHeaders: true;
   body: z.ZodIntersection<z.ZodObject<{
@@ -100,8 +100,8 @@ declare const createHasPermission: <O extends OrganizationOptions>(options: O) =
     permission: z.ZodUndefined;
     permissions: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>;
   }, z.core.$strip>]>>;
-  use: ((inputContext: better_call747.MiddlewareInputContext<{
-    use: ((inputContext: better_call747.MiddlewareInputContext<better_call747.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call759.MiddlewareInputContext<{
+    use: ((inputContext: better_call759.MiddlewareInputContext<better_call759.MiddlewareOptions>) => Promise<{
       session: {
         session: Record<string, any> & {
           id: string;

package/dist/plugins/organization/routes/crud-access-control.d.mts

@@ -6,13 +6,13 @@ import { Statements, Subset } from "../../access/types.mjs";
 import { OrganizationOptions } from "../types.mjs";
 import { OrganizationRole } from "../schema.mjs";
 import "../../index.mjs";
-import * as _better_auth_core_db130 from "@better-auth/core/db";
-import * as better_call929 from "better-call";
+import * as _better_auth_core_db123 from "@better-auth/core/db";
+import * as better_call913 from "better-call";
 import * as z from "zod";
 
 //#region src/plugins/organization/routes/crud-access-control.d.ts
 type IsExactlyEmptyObject<T> = keyof T extends never ? T extends {} ? {} extends T ? true : false : false : false;
-declare const createOrgRole: <O extends OrganizationOptions>(options: O) => better_call929.StrictEndpoint<"/organization/create-role", {
+declare const createOrgRole: <O extends OrganizationOptions>(options: O) => better_call913.StrictEndpoint<"/organization/create-role", {
   method: "POST";
   body: z.ZodObject<{
     organizationId: z.ZodOptional<z.ZodString>;
@@ -36,8 +36,8 @@ declare const createOrgRole: <O extends OrganizationOptions>(options: O) => bett
     };
   };
   requireHeaders: true;
-  use: ((inputContext: better_call929.MiddlewareInputContext<{
-    use: ((inputContext: better_call929.MiddlewareInputContext<better_call929.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call913.MiddlewareInputContext<{
+    use: ((inputContext: better_call913.MiddlewareInputContext<better_call913.MiddlewareOptions>) => Promise<{
       session: {
         session: Record<string, any> & {
           id: string;
@@ -62,7 +62,7 @@ declare const createOrgRole: <O extends OrganizationOptions>(options: O) => bett
     }>)[];
   }>) => Promise<{
     session: {
-      session: _better_auth_core_db130.Session & {
+      session: _better_auth_core_db123.Session & {
         activeTeamId?: string | undefined;
         activeOrganizationId?: string | undefined;
       };
@@ -81,7 +81,7 @@ declare const createOrgRole: <O extends OrganizationOptions>(options: O) => bett
   } & InferAdditionalFieldsFromPluginOptions<"organizationRole", O, false>;
   statements: Subset<string, Statements>;
 }>;
-declare const deleteOrgRole: <O extends OrganizationOptions>(options: O) => better_call929.StrictEndpoint<"/organization/delete-role", {
+declare const deleteOrgRole: <O extends OrganizationOptions>(options: O) => better_call913.StrictEndpoint<"/organization/delete-role", {
   method: "POST";
   body: z.ZodIntersection<z.ZodObject<{
     organizationId: z.ZodOptional<z.ZodString>;
@@ -91,8 +91,8 @@ declare const deleteOrgRole: <O extends OrganizationOptions>(options: O) => bett
     roleId: z.ZodString;
   }, z.core.$strip>]>>;
   requireHeaders: true;
-  use: ((inputContext: better_call929.MiddlewareInputContext<{
-    use: ((inputContext: better_call929.MiddlewareInputContext<better_call929.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call913.MiddlewareInputContext<{
+    use: ((inputContext: better_call913.MiddlewareInputContext<better_call913.MiddlewareOptions>) => Promise<{
       session: {
         session: Record<string, any> & {
           id: string;
@@ -117,7 +117,7 @@ declare const deleteOrgRole: <O extends OrganizationOptions>(options: O) => bett
     }>)[];
   }>) => Promise<{
     session: {
-      session: _better_auth_core_db130.Session & {
+      session: _better_auth_core_db123.Session & {
         activeTeamId?: string | undefined;
         activeOrganizationId?: string | undefined;
       };
@@ -136,11 +136,11 @@ declare const deleteOrgRole: <O extends OrganizationOptions>(options: O) => bett
 }, {
   success: boolean;
 }>;
-declare const listOrgRoles: <O extends OrganizationOptions>(options: O) => better_call929.StrictEndpoint<"/organization/list-roles", {
+declare const listOrgRoles: <O extends OrganizationOptions>(options: O) => better_call913.StrictEndpoint<"/organization/list-roles", {
   method: "GET";
   requireHeaders: true;
-  use: ((inputContext: better_call929.MiddlewareInputContext<{
-    use: ((inputContext: better_call929.MiddlewareInputContext<better_call929.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call913.MiddlewareInputContext<{
+    use: ((inputContext: better_call913.MiddlewareInputContext<better_call913.MiddlewareOptions>) => Promise<{
       session: {
         session: Record<string, any> & {
           id: string;
@@ -165,7 +165,7 @@ declare const listOrgRoles: <O extends OrganizationOptions>(options: O) => bette
     }>)[];
   }>) => Promise<{
     session: {
-      session: _better_auth_core_db130.Session & {
+      session: _better_auth_core_db123.Session & {
         activeTeamId?: string | undefined;
         activeOrganizationId?: string | undefined;
       };
@@ -183,11 +183,11 @@ declare const listOrgRoles: <O extends OrganizationOptions>(options: O) => bette
   createdAt: Date;
   updatedAt?: Date | undefined;
 } & InferAdditionalFieldsFromPluginOptions<"organizationRole", O, false>)[]>;
-declare const getOrgRole: <O extends OrganizationOptions>(options: O) => better_call929.StrictEndpoint<"/organization/get-role", {
+declare const getOrgRole: <O extends OrganizationOptions>(options: O) => better_call913.StrictEndpoint<"/organization/get-role", {
   method: "GET";
   requireHeaders: true;
-  use: ((inputContext: better_call929.MiddlewareInputContext<{
-    use: ((inputContext: better_call929.MiddlewareInputContext<better_call929.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call913.MiddlewareInputContext<{
+    use: ((inputContext: better_call913.MiddlewareInputContext<better_call913.MiddlewareOptions>) => Promise<{
       session: {
         session: Record<string, any> & {
           id: string;
@@ -212,7 +212,7 @@ declare const getOrgRole: <O extends OrganizationOptions>(options: O) => better_
     }>)[];
   }>) => Promise<{
     session: {
-      session: _better_auth_core_db130.Session & {
+      session: _better_auth_core_db123.Session & {
         activeTeamId?: string | undefined;
         activeOrganizationId?: string | undefined;
       };
@@ -243,7 +243,7 @@ declare const getOrgRole: <O extends OrganizationOptions>(options: O) => better_
   createdAt: Date;
   updatedAt?: Date | undefined;
 } & InferAdditionalFieldsFromPluginOptions<"organizationRole", O, false>>;
-declare const updateOrgRole: <O extends OrganizationOptions>(options: O) => better_call929.StrictEndpoint<"/organization/update-role", {
+declare const updateOrgRole: <O extends OrganizationOptions>(options: O) => better_call913.StrictEndpoint<"/organization/update-role", {
   method: "POST";
   body: z.ZodIntersection<z.ZodObject<{
     organizationId: z.ZodOptional<z.ZodString>;
@@ -270,8 +270,8 @@ declare const updateOrgRole: <O extends OrganizationOptions>(options: O) => bett
     };
   };
   requireHeaders: true;
-  use: ((inputContext: better_call929.MiddlewareInputContext<{
-    use: ((inputContext: better_call929.MiddlewareInputContext<better_call929.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call913.MiddlewareInputContext<{
+    use: ((inputContext: better_call913.MiddlewareInputContext<better_call913.MiddlewareOptions>) => Promise<{
       session: {
         session: Record<string, any> & {
           id: string;
@@ -296,7 +296,7 @@ declare const updateOrgRole: <O extends OrganizationOptions>(options: O) => bett
     }>)[];
   }>) => Promise<{
     session: {
-      session: _better_auth_core_db130.Session & {
+      session: _better_auth_core_db123.Session & {
         activeTeamId?: string | undefined;
         activeOrganizationId?: string | undefined;
       };

package/dist/plugins/organization/routes/crud-access-control.mjs

@@ -248,6 +248,28 @@ const deleteOrgRole = (options) => {
 			throw new APIError("BAD_REQUEST", { message: ORGANIZATION_ERROR_CODES.ROLE_NOT_FOUND });
 		}
 		existingRoleInDB.permission = JSON.parse(existingRoleInDB.permission);
+		const roleToDelete = existingRoleInDB.role;
+		if ((await ctx.context.adapter.findMany({
+			model: "member",
+			where: [{
+				field: "organizationId",
+				value: organizationId,
+				operator: "eq",
+				connector: "AND"
+			}, {
+				field: "role",
+				value: roleToDelete,
+				operator: "contains"
+			}]
+		})).find((member$1) => {
+			return member$1.role.split(",").map((r) => r.trim()).includes(roleToDelete);
+		})) {
+			ctx.context.logger.error(`[Dynamic Access Control] Cannot delete a role that is assigned to members.`, {
+				role: existingRoleInDB.role,
+				organizationId
+			});
+			throw new APIError("BAD_REQUEST", { message: ORGANIZATION_ERROR_CODES.ROLE_IS_ASSIGNED_TO_MEMBERS });
+		}
 		await ctx.context.adapter.delete({
 			model: "organizationRole",
 			where: [{