better-auth 1.4.9 → 1.5.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (228) hide show
  1. package/dist/api/index.d.mts +396 -395
  2. package/dist/api/index.mjs +6 -4
  3. package/dist/api/index.mjs.map +1 -1
  4. package/dist/api/middlewares/origin-check.d.mts +3 -3
  5. package/dist/api/middlewares/origin-check.mjs +14 -4
  6. package/dist/api/middlewares/origin-check.mjs.map +1 -1
  7. package/dist/api/routes/account.d.mts +11 -11
  8. package/dist/api/routes/account.mjs +59 -30
  9. package/dist/api/routes/account.mjs.map +1 -1
  10. package/dist/api/routes/callback.d.mts +2 -2
  11. package/dist/api/routes/email-verification.d.mts +4 -4
  12. package/dist/api/routes/email-verification.mjs +14 -14
  13. package/dist/api/routes/email-verification.mjs.map +1 -1
  14. package/dist/api/routes/error.d.mts +2 -2
  15. package/dist/api/routes/ok.d.mts +2 -2
  16. package/dist/api/routes/reset-password.d.mts +5 -5
  17. package/dist/api/routes/reset-password.mjs +9 -7
  18. package/dist/api/routes/reset-password.mjs.map +1 -1
  19. package/dist/api/routes/session.d.mts +14 -14
  20. package/dist/api/routes/session.mjs +31 -11
  21. package/dist/api/routes/session.mjs.map +1 -1
  22. package/dist/api/routes/sign-in.d.mts +3 -3
  23. package/dist/api/routes/sign-in.mjs +22 -17
  24. package/dist/api/routes/sign-in.mjs.map +1 -1
  25. package/dist/api/routes/sign-out.d.mts +2 -2
  26. package/dist/api/routes/sign-up.d.mts +2 -2
  27. package/dist/api/routes/sign-up.mjs +15 -12
  28. package/dist/api/routes/sign-up.mjs.map +1 -1
  29. package/dist/api/routes/update-user.d.mts +13 -13
  30. package/dist/api/routes/update-user.mjs +29 -24
  31. package/dist/api/routes/update-user.mjs.map +1 -1
  32. package/dist/api/to-auth-endpoints.mjs +7 -6
  33. package/dist/api/to-auth-endpoints.mjs.map +1 -1
  34. package/dist/client/lynx/index.d.mts +15 -15
  35. package/dist/client/plugins/index.d.mts +12 -2
  36. package/dist/client/plugins/index.mjs +11 -1
  37. package/dist/client/react/index.d.mts +13 -13
  38. package/dist/client/solid/index.d.mts +13 -13
  39. package/dist/client/svelte/index.d.mts +15 -15
  40. package/dist/client/types.d.mts +4 -1
  41. package/dist/client/vue/index.d.mts +13 -13
  42. package/dist/context/create-context.mjs +2 -2
  43. package/dist/context/create-context.mjs.map +1 -1
  44. package/dist/context/helpers.mjs +2 -2
  45. package/dist/context/helpers.mjs.map +1 -1
  46. package/dist/db/field.d.mts +6 -6
  47. package/dist/db/schema.mjs +14 -5
  48. package/dist/db/schema.mjs.map +1 -1
  49. package/dist/index.d.mts +1 -1
  50. package/dist/integrations/next-js.d.mts +4 -4
  51. package/dist/integrations/svelte-kit.d.mts +2 -2
  52. package/dist/integrations/tanstack-start.d.mts +4 -4
  53. package/dist/oauth2/link-account.mjs +3 -2
  54. package/dist/oauth2/link-account.mjs.map +1 -1
  55. package/dist/oauth2/state.mjs +3 -3
  56. package/dist/oauth2/state.mjs.map +1 -1
  57. package/dist/plugins/admin/admin.d.mts +200 -137
  58. package/dist/plugins/admin/admin.mjs +3 -4
  59. package/dist/plugins/admin/admin.mjs.map +1 -1
  60. package/dist/plugins/admin/client.d.mts +87 -0
  61. package/dist/plugins/admin/client.mjs +3 -1
  62. package/dist/plugins/admin/client.mjs.map +1 -1
  63. package/dist/plugins/admin/error-codes.d.mts +90 -0
  64. package/dist/plugins/admin/error-codes.mjs.map +1 -1
  65. package/dist/plugins/admin/routes.mjs +40 -46
  66. package/dist/plugins/admin/routes.mjs.map +1 -1
  67. package/dist/plugins/anonymous/client.d.mts +19 -0
  68. package/dist/plugins/anonymous/client.mjs +4 -1
  69. package/dist/plugins/anonymous/client.mjs.map +1 -1
  70. package/dist/plugins/anonymous/error-codes.d.mts +22 -0
  71. package/dist/plugins/anonymous/index.d.mts +21 -9
  72. package/dist/plugins/anonymous/index.mjs +5 -5
  73. package/dist/plugins/anonymous/index.mjs.map +1 -1
  74. package/dist/plugins/api-key/client.d.mts +103 -0
  75. package/dist/plugins/api-key/client.mjs +4 -1
  76. package/dist/plugins/api-key/client.mjs.map +1 -1
  77. package/dist/plugins/api-key/error-codes.d.mts +106 -0
  78. package/dist/plugins/api-key/error-codes.mjs +34 -0
  79. package/dist/plugins/api-key/error-codes.mjs.map +1 -0
  80. package/dist/plugins/api-key/index.d.mts +181 -112
  81. package/dist/plugins/api-key/index.mjs +7 -34
  82. package/dist/plugins/api-key/index.mjs.map +1 -1
  83. package/dist/plugins/api-key/rate-limit.mjs +3 -2
  84. package/dist/plugins/api-key/rate-limit.mjs.map +1 -1
  85. package/dist/plugins/api-key/routes/create-api-key.mjs +19 -17
  86. package/dist/plugins/api-key/routes/create-api-key.mjs.map +1 -1
  87. package/dist/plugins/api-key/routes/delete-api-key.mjs +7 -5
  88. package/dist/plugins/api-key/routes/delete-api-key.mjs.map +1 -1
  89. package/dist/plugins/api-key/routes/get-api-key.mjs +5 -3
  90. package/dist/plugins/api-key/routes/get-api-key.mjs.map +1 -1
  91. package/dist/plugins/api-key/routes/update-api-key.mjs +18 -16
  92. package/dist/plugins/api-key/routes/update-api-key.mjs.map +1 -1
  93. package/dist/plugins/api-key/routes/verify-api-key.mjs +16 -35
  94. package/dist/plugins/api-key/routes/verify-api-key.mjs.map +1 -1
  95. package/dist/plugins/bearer/index.d.mts +3 -3
  96. package/dist/plugins/captcha/index.d.mts +2 -2
  97. package/dist/plugins/captcha/index.mjs +3 -3
  98. package/dist/plugins/captcha/index.mjs.map +1 -1
  99. package/dist/plugins/captcha/verify-handlers/captchafox.mjs +2 -2
  100. package/dist/plugins/captcha/verify-handlers/captchafox.mjs.map +1 -1
  101. package/dist/plugins/captcha/verify-handlers/cloudflare-turnstile.mjs +2 -2
  102. package/dist/plugins/captcha/verify-handlers/cloudflare-turnstile.mjs.map +1 -1
  103. package/dist/plugins/captcha/verify-handlers/google-recaptcha.mjs +2 -2
  104. package/dist/plugins/captcha/verify-handlers/google-recaptcha.mjs.map +1 -1
  105. package/dist/plugins/captcha/verify-handlers/h-captcha.mjs +2 -2
  106. package/dist/plugins/captcha/verify-handlers/h-captcha.mjs.map +1 -1
  107. package/dist/plugins/custom-session/index.d.mts +5 -5
  108. package/dist/plugins/device-authorization/index.d.mts +54 -18
  109. package/dist/plugins/device-authorization/routes.mjs +18 -18
  110. package/dist/plugins/device-authorization/routes.mjs.map +1 -1
  111. package/dist/plugins/email-otp/client.d.mts +15 -0
  112. package/dist/plugins/email-otp/client.mjs +4 -1
  113. package/dist/plugins/email-otp/client.mjs.map +1 -1
  114. package/dist/plugins/email-otp/error-codes.d.mts +18 -0
  115. package/dist/plugins/email-otp/error-codes.mjs +12 -0
  116. package/dist/plugins/email-otp/error-codes.mjs.map +1 -0
  117. package/dist/plugins/email-otp/index.d.mts +64 -55
  118. package/dist/plugins/email-otp/index.mjs +4 -3
  119. package/dist/plugins/email-otp/index.mjs.map +1 -1
  120. package/dist/plugins/email-otp/routes.mjs +30 -35
  121. package/dist/plugins/email-otp/routes.mjs.map +1 -1
  122. package/dist/plugins/generic-oauth/client.d.mts +27 -0
  123. package/dist/plugins/generic-oauth/client.mjs +4 -1
  124. package/dist/plugins/generic-oauth/client.mjs.map +1 -1
  125. package/dist/plugins/generic-oauth/error-codes.d.mts +30 -0
  126. package/dist/plugins/generic-oauth/index.d.mts +55 -37
  127. package/dist/plugins/generic-oauth/index.mjs +4 -4
  128. package/dist/plugins/generic-oauth/index.mjs.map +1 -1
  129. package/dist/plugins/generic-oauth/routes.mjs +11 -12
  130. package/dist/plugins/generic-oauth/routes.mjs.map +1 -1
  131. package/dist/plugins/haveibeenpwned/index.d.mts +7 -4
  132. package/dist/plugins/haveibeenpwned/index.mjs +5 -4
  133. package/dist/plugins/haveibeenpwned/index.mjs.map +1 -1
  134. package/dist/plugins/index.d.mts +4 -2
  135. package/dist/plugins/index.mjs +6 -4
  136. package/dist/plugins/jwt/index.d.mts +9 -9
  137. package/dist/plugins/jwt/index.mjs +2 -2
  138. package/dist/plugins/jwt/index.mjs.map +1 -1
  139. package/dist/plugins/last-login-method/index.d.mts +4 -4
  140. package/dist/plugins/magic-link/index.d.mts +4 -4
  141. package/dist/plugins/mcp/authorize.mjs +1 -1
  142. package/dist/plugins/mcp/authorize.mjs.map +1 -1
  143. package/dist/plugins/mcp/index.d.mts +10 -10
  144. package/dist/plugins/multi-session/client.d.mts +10 -14
  145. package/dist/plugins/multi-session/client.mjs +5 -2
  146. package/dist/plugins/multi-session/client.mjs.map +1 -1
  147. package/dist/plugins/multi-session/error-codes.d.mts +10 -0
  148. package/dist/plugins/multi-session/error-codes.mjs +8 -0
  149. package/dist/plugins/multi-session/error-codes.mjs.map +1 -0
  150. package/dist/plugins/multi-session/index.d.mts +18 -14
  151. package/dist/plugins/multi-session/index.mjs +6 -7
  152. package/dist/plugins/multi-session/index.mjs.map +1 -1
  153. package/dist/plugins/oauth-proxy/index.d.mts +8 -8
  154. package/dist/plugins/oidc-provider/authorize.mjs +1 -1
  155. package/dist/plugins/oidc-provider/authorize.mjs.map +1 -1
  156. package/dist/plugins/oidc-provider/error.mjs +1 -1
  157. package/dist/plugins/oidc-provider/error.mjs.map +1 -1
  158. package/dist/plugins/oidc-provider/index.d.mts +15 -15
  159. package/dist/plugins/one-tap/client.d.mts +2 -2
  160. package/dist/plugins/one-tap/index.d.mts +2 -2
  161. package/dist/plugins/one-time-token/index.d.mts +5 -5
  162. package/dist/plugins/open-api/index.d.mts +3 -3
  163. package/dist/plugins/organization/client.d.mts +229 -2
  164. package/dist/plugins/organization/client.mjs +3 -1
  165. package/dist/plugins/organization/client.mjs.map +1 -1
  166. package/dist/plugins/organization/error-codes.d.mts +224 -56
  167. package/dist/plugins/organization/organization.d.mts +7 -7
  168. package/dist/plugins/organization/organization.mjs +4 -4
  169. package/dist/plugins/organization/organization.mjs.map +1 -1
  170. package/dist/plugins/organization/routes/crud-access-control.d.mts +22 -22
  171. package/dist/plugins/organization/routes/crud-access-control.mjs +40 -39
  172. package/dist/plugins/organization/routes/crud-access-control.mjs.map +1 -1
  173. package/dist/plugins/organization/routes/crud-invites.d.mts +58 -58
  174. package/dist/plugins/organization/routes/crud-invites.mjs +42 -40
  175. package/dist/plugins/organization/routes/crud-invites.mjs.map +1 -1
  176. package/dist/plugins/organization/routes/crud-members.d.mts +67 -67
  177. package/dist/plugins/organization/routes/crud-members.mjs +41 -54
  178. package/dist/plugins/organization/routes/crud-members.mjs.map +1 -1
  179. package/dist/plugins/organization/routes/crud-org.d.mts +51 -51
  180. package/dist/plugins/organization/routes/crud-org.mjs +28 -25
  181. package/dist/plugins/organization/routes/crud-org.mjs.map +1 -1
  182. package/dist/plugins/organization/routes/crud-team.d.mts +77 -77
  183. package/dist/plugins/organization/routes/crud-team.mjs +41 -47
  184. package/dist/plugins/organization/routes/crud-team.mjs.map +1 -1
  185. package/dist/plugins/phone-number/client.d.mts +51 -0
  186. package/dist/plugins/phone-number/client.mjs +4 -1
  187. package/dist/plugins/phone-number/client.mjs.map +1 -1
  188. package/dist/plugins/phone-number/error-codes.d.mts +54 -0
  189. package/dist/plugins/phone-number/index.d.mts +81 -45
  190. package/dist/plugins/phone-number/index.mjs +2 -2
  191. package/dist/plugins/phone-number/index.mjs.map +1 -1
  192. package/dist/plugins/phone-number/routes.mjs +27 -28
  193. package/dist/plugins/phone-number/routes.mjs.map +1 -1
  194. package/dist/plugins/siwe/index.d.mts +3 -3
  195. package/dist/plugins/siwe/index.mjs +7 -6
  196. package/dist/plugins/siwe/index.mjs.map +1 -1
  197. package/dist/plugins/two-factor/backup-codes/index.mjs +7 -7
  198. package/dist/plugins/two-factor/backup-codes/index.mjs.map +1 -1
  199. package/dist/plugins/two-factor/client.d.mts +39 -0
  200. package/dist/plugins/two-factor/client.mjs +4 -1
  201. package/dist/plugins/two-factor/client.mjs.map +1 -1
  202. package/dist/plugins/two-factor/error-code.d.mts +36 -9
  203. package/dist/plugins/two-factor/index.d.mts +54 -27
  204. package/dist/plugins/two-factor/index.mjs +4 -5
  205. package/dist/plugins/two-factor/index.mjs.map +1 -1
  206. package/dist/plugins/two-factor/otp/index.mjs +8 -6
  207. package/dist/plugins/two-factor/otp/index.mjs.map +1 -1
  208. package/dist/plugins/two-factor/totp/index.mjs +16 -8
  209. package/dist/plugins/two-factor/totp/index.mjs.map +1 -1
  210. package/dist/plugins/two-factor/verify-two-factor.mjs +9 -6
  211. package/dist/plugins/two-factor/verify-two-factor.mjs.map +1 -1
  212. package/dist/plugins/username/client.d.mts +35 -0
  213. package/dist/plugins/username/client.mjs +4 -1
  214. package/dist/plugins/username/client.mjs.map +1 -1
  215. package/dist/plugins/username/error-codes.d.mts +32 -8
  216. package/dist/plugins/username/index.d.mts +41 -17
  217. package/dist/plugins/username/index.mjs +21 -31
  218. package/dist/plugins/username/index.mjs.map +1 -1
  219. package/dist/plugins/username/schema.d.mts +3 -3
  220. package/dist/test-utils/test-instance.d.mts +1349 -1198
  221. package/dist/utils/is-api-error.d.mts +7 -0
  222. package/dist/utils/is-api-error.mjs +11 -0
  223. package/dist/utils/is-api-error.mjs.map +1 -0
  224. package/dist/utils/password.mjs +3 -3
  225. package/dist/utils/password.mjs.map +1 -1
  226. package/dist/utils/plugin-helper.mjs +2 -2
  227. package/dist/utils/plugin-helper.mjs.map +1 -1
  228. package/package.json +3 -3
package/dist/plugins/two-factor/error-code.d.mts CHANGED
@@ -1,14 +1,41 @@
1
1
  //#region src/plugins/two-factor/error-code.d.ts
2
2
  declare const TWO_FACTOR_ERROR_CODES: {
3
- readonly OTP_NOT_ENABLED: "OTP not enabled";
4
- readonly OTP_HAS_EXPIRED: "OTP has expired";
5
- readonly TOTP_NOT_ENABLED: "TOTP not enabled";
6
- readonly TWO_FACTOR_NOT_ENABLED: "Two factor isn't enabled";
7
- readonly BACKUP_CODES_NOT_ENABLED: "Backup codes aren't enabled";
8
- readonly INVALID_BACKUP_CODE: "Invalid backup code";
9
- readonly INVALID_CODE: "Invalid code";
10
- readonly TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE: "Too many attempts. Please request a new code.";
11
- readonly INVALID_TWO_FACTOR_COOKIE: "Invalid two factor cookie";
3
+ readonly OTP_NOT_ENABLED: {
4
+ code: "OTP_NOT_ENABLED";
5
+ message: "OTP not enabled";
6
+ };
7
+ readonly OTP_HAS_EXPIRED: {
8
+ code: "OTP_HAS_EXPIRED";
9
+ message: "OTP has expired";
10
+ };
11
+ readonly TOTP_NOT_ENABLED: {
12
+ code: "TOTP_NOT_ENABLED";
13
+ message: "TOTP not enabled";
14
+ };
15
+ readonly TWO_FACTOR_NOT_ENABLED: {
16
+ code: "TWO_FACTOR_NOT_ENABLED";
17
+ message: "Two factor isn't enabled";
18
+ };
19
+ readonly BACKUP_CODES_NOT_ENABLED: {
20
+ code: "BACKUP_CODES_NOT_ENABLED";
21
+ message: "Backup codes aren't enabled";
22
+ };
23
+ readonly INVALID_BACKUP_CODE: {
24
+ code: "INVALID_BACKUP_CODE";
25
+ message: "Invalid backup code";
26
+ };
27
+ readonly INVALID_CODE: {
28
+ code: "INVALID_CODE";
29
+ message: "Invalid code";
30
+ };
31
+ readonly TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE: {
32
+ code: "TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE";
33
+ message: "Too many attempts. Please request a new code.";
34
+ };
35
+ readonly INVALID_TWO_FACTOR_COOKIE: {
36
+ code: "INVALID_TWO_FACTOR_COOKIE";
37
+ message: "Invalid two factor cookie";
38
+ };
12
39
  };
13
40
  //#endregion
14
41
  export { TWO_FACTOR_ERROR_CODES };
package/dist/plugins/two-factor/index.d.mts CHANGED
@@ -4,9 +4,9 @@ import { TOTPOptions, totp2fa } from "./totp/index.mjs";
4
4
  import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "./types.mjs";
5
5
  import { TWO_FACTOR_ERROR_CODES } from "./error-code.mjs";
6
6
  import { twoFactorClient } from "./client.mjs";
7
- import * as _better_auth_core12 from "@better-auth/core";
7
+ import * as _better_auth_core14 from "@better-auth/core";
8
8
  import * as z from "zod";
9
- import * as better_call203 from "better-call";
9
+ import * as better_call84 from "better-call";
10
10
 
11
11
  //#region src/plugins/two-factor/index.d.ts
12
12
  declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
@@ -27,13 +27,13 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
27
27
  *
28
28
  * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-enable)
29
29
  */
30
- enableTwoFactor: better_call203.StrictEndpoint<"/two-factor/enable", {
30
+ enableTwoFactor: better_call84.StrictEndpoint<"/two-factor/enable", {
31
31
  method: "POST";
32
32
  body: z.ZodObject<{
33
33
  password: z.ZodString;
34
34
  issuer: z.ZodOptional<z.ZodString>;
35
35
  }, z.core.$strip>;
36
- use: ((inputContext: better_call203.MiddlewareInputContext<better_call203.MiddlewareOptions>) => Promise<{
36
+ use: ((inputContext: better_call84.MiddlewareInputContext<better_call84.MiddlewareOptions>) => Promise<{
37
37
  session: {
38
38
  session: Record<string, any> & {
39
39
  id: string;
@@ -106,12 +106,12 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
106
106
  *
107
107
  * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-disable)
108
108
  */
109
- disableTwoFactor: better_call203.StrictEndpoint<"/two-factor/disable", {
109
+ disableTwoFactor: better_call84.StrictEndpoint<"/two-factor/disable", {
110
110
  method: "POST";
111
111
  body: z.ZodObject<{
112
112
  password: z.ZodString;
113
113
  }, z.core.$strip>;
114
- use: ((inputContext: better_call203.MiddlewareInputContext<better_call203.MiddlewareOptions>) => Promise<{
114
+ use: ((inputContext: better_call84.MiddlewareInputContext<better_call84.MiddlewareOptions>) => Promise<{
115
115
  session: {
116
116
  session: Record<string, any> & {
117
117
  id: string;
@@ -160,7 +160,7 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
160
160
  }, {
161
161
  status: boolean;
162
162
  }>;
163
- verifyBackupCode: better_call203.StrictEndpoint<"/two-factor/verify-backup-code", {
163
+ verifyBackupCode: better_call84.StrictEndpoint<"/two-factor/verify-backup-code", {
164
164
  method: "POST";
165
165
  body: z.ZodObject<{
166
166
  code: z.ZodString;
@@ -271,12 +271,12 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
271
271
  updatedAt: Date;
272
272
  };
273
273
  }>;
274
- generateBackupCodes: better_call203.StrictEndpoint<"/two-factor/generate-backup-codes", {
274
+ generateBackupCodes: better_call84.StrictEndpoint<"/two-factor/generate-backup-codes", {
275
275
  method: "POST";
276
276
  body: z.ZodObject<{
277
277
  password: z.ZodString;
278
278
  }, z.core.$strip>;
279
- use: ((inputContext: better_call203.MiddlewareInputContext<better_call203.MiddlewareOptions>) => Promise<{
279
+ use: ((inputContext: better_call84.MiddlewareInputContext<better_call84.MiddlewareOptions>) => Promise<{
280
280
  session: {
281
281
  session: Record<string, any> & {
282
282
  id: string;
@@ -335,7 +335,7 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
335
335
  status: boolean;
336
336
  backupCodes: string[];
337
337
  }>;
338
- viewBackupCodes: better_call203.StrictEndpoint<string, {
338
+ viewBackupCodes: better_call84.StrictEndpoint<string, {
339
339
  method: "POST";
340
340
  body: z.ZodObject<{
341
341
  userId: z.ZodCoercedString<unknown>;
@@ -344,7 +344,7 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
344
344
  status: boolean;
345
345
  backupCodes: string[];
346
346
  }>;
347
- sendTwoFactorOTP: better_call203.StrictEndpoint<"/two-factor/send-otp", {
347
+ sendTwoFactorOTP: better_call84.StrictEndpoint<"/two-factor/send-otp", {
348
348
  method: "POST";
349
349
  body: z.ZodOptional<z.ZodObject<{
350
350
  trustDevice: z.ZodOptional<z.ZodBoolean>;
@@ -375,7 +375,7 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
375
375
  }, {
376
376
  status: boolean;
377
377
  }>;
378
- verifyTwoFactorOTP: better_call203.StrictEndpoint<"/two-factor/verify-otp", {
378
+ verifyTwoFactorOTP: better_call84.StrictEndpoint<"/two-factor/verify-otp", {
379
379
  method: "POST";
380
380
  body: z.ZodObject<{
381
381
  code: z.ZodString;
@@ -461,7 +461,7 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
461
461
  updatedAt: Date;
462
462
  };
463
463
  }>;
464
- generateTOTP: better_call203.StrictEndpoint<string, {
464
+ generateTOTP: better_call84.StrictEndpoint<string, {
465
465
  method: "POST";
466
466
  body: z.ZodObject<{
467
467
  secret: z.ZodString;
@@ -492,9 +492,9 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
492
492
  }, {
493
493
  code: string;
494
494
  }>;
495
- getTOTPURI: better_call203.StrictEndpoint<"/two-factor/get-totp-uri", {
495
+ getTOTPURI: better_call84.StrictEndpoint<"/two-factor/get-totp-uri", {
496
496
  method: "POST";
497
- use: ((inputContext: better_call203.MiddlewareInputContext<better_call203.MiddlewareOptions>) => Promise<{
497
+ use: ((inputContext: better_call84.MiddlewareInputContext<better_call84.MiddlewareOptions>) => Promise<{
498
498
  session: {
499
499
  session: Record<string, any> & {
500
500
  id: string;
@@ -546,7 +546,7 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
546
546
  }, {
547
547
  totpURI: string;
548
548
  }>;
549
- verifyTOTP: better_call203.StrictEndpoint<"/two-factor/verify-totp", {
549
+ verifyTOTP: better_call84.StrictEndpoint<"/two-factor/verify-totp", {
550
550
  method: "POST";
551
551
  body: z.ZodObject<{
552
552
  code: z.ZodString;
@@ -591,8 +591,8 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
591
591
  options: NoInfer<O>;
592
592
  hooks: {
593
593
  after: {
594
- matcher(context: _better_auth_core12.HookEndpointContext): boolean;
595
- handler: (inputContext: better_call203.MiddlewareInputContext<better_call203.MiddlewareOptions>) => Promise<{
594
+ matcher(context: _better_auth_core14.HookEndpointContext): boolean;
595
+ handler: (inputContext: better_call84.MiddlewareInputContext<better_call84.MiddlewareOptions>) => Promise<{
596
596
  twoFactorRedirect: boolean;
597
597
  } | undefined>;
598
598
  }[];
@@ -640,15 +640,42 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
640
640
  max: number;
641
641
  }[];
642
642
  $ERROR_CODES: {
643
- readonly OTP_NOT_ENABLED: "OTP not enabled";
644
- readonly OTP_HAS_EXPIRED: "OTP has expired";
645
- readonly TOTP_NOT_ENABLED: "TOTP not enabled";
646
- readonly TWO_FACTOR_NOT_ENABLED: "Two factor isn't enabled";
647
- readonly BACKUP_CODES_NOT_ENABLED: "Backup codes aren't enabled";
648
- readonly INVALID_BACKUP_CODE: "Invalid backup code";
649
- readonly INVALID_CODE: "Invalid code";
650
- readonly TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE: "Too many attempts. Please request a new code.";
651
- readonly INVALID_TWO_FACTOR_COOKIE: "Invalid two factor cookie";
643
+ readonly OTP_NOT_ENABLED: {
644
+ code: "OTP_NOT_ENABLED";
645
+ message: "OTP not enabled";
646
+ };
647
+ readonly OTP_HAS_EXPIRED: {
648
+ code: "OTP_HAS_EXPIRED";
649
+ message: "OTP has expired";
650
+ };
651
+ readonly TOTP_NOT_ENABLED: {
652
+ code: "TOTP_NOT_ENABLED";
653
+ message: "TOTP not enabled";
654
+ };
655
+ readonly TWO_FACTOR_NOT_ENABLED: {
656
+ code: "TWO_FACTOR_NOT_ENABLED";
657
+ message: "Two factor isn't enabled";
658
+ };
659
+ readonly BACKUP_CODES_NOT_ENABLED: {
660
+ code: "BACKUP_CODES_NOT_ENABLED";
661
+ message: "Backup codes aren't enabled";
662
+ };
663
+ readonly INVALID_BACKUP_CODE: {
664
+ code: "INVALID_BACKUP_CODE";
665
+ message: "Invalid backup code";
666
+ };
667
+ readonly INVALID_CODE: {
668
+ code: "INVALID_CODE";
669
+ message: "Invalid code";
670
+ };
671
+ readonly TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE: {
672
+ code: "TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE";
673
+ message: "Too many attempts. Please request a new code.";
674
+ };
675
+ readonly INVALID_TWO_FACTOR_COOKIE: {
676
+ code: "INVALID_TWO_FACTOR_COOKIE";
677
+ message: "Invalid two factor cookie";
678
+ };
652
679
  };
653
680
  };
654
681
  //#endregion
package/dist/plugins/two-factor/index.mjs CHANGED
@@ -5,16 +5,15 @@ import { deleteSessionCookie, setSessionCookie } from "../../cookies/index.mjs";
5
5
  import { sessionMiddleware } from "../../api/routes/session.mjs";
6
6
  import "../../api/index.mjs";
7
7
  import { validatePassword } from "../../utils/password.mjs";
8
- import { twoFactorClient } from "./client.mjs";
9
8
  import { TWO_FACTOR_ERROR_CODES } from "./error-code.mjs";
9
+ import { twoFactorClient } from "./client.mjs";
10
10
  import { TRUST_DEVICE_COOKIE_MAX_AGE, TRUST_DEVICE_COOKIE_NAME, TWO_FACTOR_COOKIE_NAME } from "./constant.mjs";
11
11
  import { backupCode2fa, generateBackupCodes } from "./backup-codes/index.mjs";
12
12
  import { otp2fa } from "./otp/index.mjs";
13
13
  import { schema } from "./schema.mjs";
14
14
  import { totp2fa } from "./totp/index.mjs";
15
- import { BASE_ERROR_CODES } from "@better-auth/core/error";
15
+ import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
16
16
  import * as z from "zod";
17
- import { APIError } from "better-call";
18
17
  import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
19
18
  import { createHMAC } from "@better-auth/utils/hmac";
20
19
  import { createOTP } from "@better-auth/utils/otp";
@@ -71,7 +70,7 @@ const twoFactor = (options) => {
71
70
  if (!await validatePassword(ctx, {
72
71
  password,
73
72
  userId: user.id
74
- })) throw new APIError("BAD_REQUEST", { message: BASE_ERROR_CODES.INVALID_PASSWORD });
73
+ })) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_PASSWORD);
75
74
  const secret = generateRandomString(32);
76
75
  const encryptedSecret = await symmetricEncrypt({
77
76
  key: ctx.context.secret,
@@ -134,7 +133,7 @@ const twoFactor = (options) => {
134
133
  if (!await validatePassword(ctx, {
135
134
  password,
136
135
  userId: user.id
137
- })) throw new APIError("BAD_REQUEST", { message: BASE_ERROR_CODES.INVALID_PASSWORD });
136
+ })) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.INVALID_PASSWORD);
138
137
  const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: false });
139
138
  await ctx.context.adapter.delete({
140
139
  model: opts.twoFactorTable,
package/dist/plugins/two-factor/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/two-factor/index.ts"],"sourcesContent":["import type { BetterAuthPlugin } from \"@better-auth/core\";\nimport {\n\tcreateAuthEndpoint,\n\tcreateAuthMiddleware,\n} from \"@better-auth/core/api\";\nimport { BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { createHMAC } from \"@better-auth/utils/hmac\";\nimport { createOTP } from \"@better-auth/utils/otp\";\nimport { APIError } from \"better-call\";\nimport * as z from \"zod\";\nimport { sessionMiddleware } from \"../../api\";\nimport { deleteSessionCookie, setSessionCookie } from \"../../cookies\";\nimport { symmetricEncrypt } from \"../../crypto\";\nimport { generateRandomString } from \"../../crypto/random\";\nimport { mergeSchema } from \"../../db/schema\";\nimport { validatePassword } from \"../../utils/password\";\nimport type { BackupCodeOptions } from \"./backup-codes\";\nimport { backupCode2fa, generateBackupCodes } from \"./backup-codes\";\nimport {\n\tTRUST_DEVICE_COOKIE_MAX_AGE,\n\tTRUST_DEVICE_COOKIE_NAME,\n\tTWO_FACTOR_COOKIE_NAME,\n} from \"./constant\";\nimport { TWO_FACTOR_ERROR_CODES } from \"./error-code\";\nimport { otp2fa } from \"./otp\";\nimport { schema } from \"./schema\";\nimport { totp2fa } from \"./totp\";\nimport type { TwoFactorOptions, UserWithTwoFactor } from \"./types\";\n\nexport * from \"./error-code\";\n\nconst enableTwoFactorBodySchema = z.object({\n\tpassword: z.string().meta({\n\t\tdescription: \"User password\",\n\t}),\n\tissuer: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"Custom issuer for the TOTP URI\",\n\t\t})\n\t\t.optional(),\n});\n\nconst disableTwoFactorBodySchema = z.object({\n\tpassword: z.string().meta({\n\t\tdescription: \"User password\",\n\t}),\n});\n\nexport const twoFactor = <O extends TwoFactorOptions>(options?: O) => {\n\tconst opts = {\n\t\ttwoFactorTable: \"twoFactor\",\n\t};\n\tconst backupCodeOptions = {\n\t\tstoreBackupCodes: \"encrypted\",\n\t\t...options?.backupCodeOptions,\n\t} satisfies BackupCodeOptions;\n\tconst totp = totp2fa(options?.totpOptions);\n\tconst backupCode = backupCode2fa(backupCodeOptions);\n\tconst otp = otp2fa(options?.otpOptions);\n\n\treturn {\n\t\tid: \"two-factor\",\n\t\tendpoints: {\n\t\t\t...totp.endpoints,\n\t\t\t...otp.endpoints,\n\t\t\t...backupCode.endpoints,\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/enable`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.enableTwoFactor`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.enable`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-enable)\n\t\t\t */\n\t\t\tenableTwoFactor: createAuthEndpoint(\n\t\t\t\t\"/two-factor/enable\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: enableTwoFactorBodySchema,\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tsummary: \"Enable two factor authentication\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttotpURI: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"TOTP URI\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tbackupCodes: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Backup codes\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst user = ctx.context.session.user as UserWithTwoFactor;\n\t\t\t\t\tconst { password, issuer } = ctx.body;\n\t\t\t\t\tconst isPasswordValid = await validatePassword(ctx, {\n\t\t\t\t\t\tpassword,\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t});\n\t\t\t\t\tif (!isPasswordValid) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_PASSWORD,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst secret = generateRandomString(32);\n\t\t\t\t\tconst encryptedSecret = await symmetricEncrypt({\n\t\t\t\t\t\tkey: ctx.context.secret,\n\t\t\t\t\t\tdata: secret,\n\t\t\t\t\t});\n\t\t\t\t\tconst backupCodes = await generateBackupCodes(\n\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\tbackupCodeOptions,\n\t\t\t\t\t);\n\t\t\t\t\tif (options?.skipVerificationOnEnable) {\n\t\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\t\tuser.id,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttwoFactorEnabled: true,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\t\tupdatedUser.id,\n\t\t\t\t\t\t\tfalse,\n\t\t\t\t\t\t\tctx.context.session.session,\n\t\t\t\t\t\t);\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * Update the session cookie with the new user data\n\t\t\t\t\t\t */\n\t\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\t//remove current session\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\t\tctx.context.session.session.token,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\t//delete existing two factor\n\t\t\t\t\tawait ctx.context.adapter.deleteMany({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t});\n\n\t\t\t\t\tawait ctx.context.adapter.create({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\tsecret: encryptedSecret,\n\t\t\t\t\t\t\tbackupCodes: backupCodes.encryptedBackupCodes,\n\t\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t\tconst totpURI = createOTP(secret, {\n\t\t\t\t\t\tdigits: options?.totpOptions?.digits || 6,\n\t\t\t\t\t\tperiod: options?.totpOptions?.period,\n\t\t\t\t\t}).url(issuer || options?.issuer || ctx.context.appName, user.email);\n\t\t\t\t\treturn ctx.json({ totpURI, backupCodes: backupCodes.backupCodes });\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/disable`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.disableTwoFactor`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.disable`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-disable)\n\t\t\t */\n\t\t\tdisableTwoFactor: createAuthEndpoint(\n\t\t\t\t\"/two-factor/disable\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: disableTwoFactorBodySchema,\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tsummary: \"Disable two factor authentication\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Use this endpoint to disable two factor authentication.\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst user = ctx.context.session.user as UserWithTwoFactor;\n\t\t\t\t\tconst { password } = ctx.body;\n\t\t\t\t\tconst isPasswordValid = await validatePassword(ctx, {\n\t\t\t\t\t\tpassword,\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t});\n\t\t\t\t\tif (!isPasswordValid) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\tmessage: BASE_ERROR_CODES.INVALID_PASSWORD,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\tuser.id,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttwoFactorEnabled: false,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\tawait ctx.context.adapter.delete({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\t\t\tvalue: updatedUser.id,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t});\n\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tupdatedUser.id,\n\t\t\t\t\t\tfalse,\n\t\t\t\t\t\tctx.context.session.session,\n\t\t\t\t\t);\n\t\t\t\t\t/**\n\t\t\t\t\t * Update the session cookie with the new user data\n\t\t\t\t\t */\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t});\n\t\t\t\t\t//remove current session\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\tctx.context.session.session.token,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({ status: true });\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\toptions: options as NoInfer<O>,\n\t\thooks: {\n\t\t\tafter: [\n\t\t\t\t{\n\t\t\t\t\tmatcher(context) {\n\t\t\t\t\t\treturn (\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/email\" ||\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/username\" ||\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/phone-number\"\n\t\t\t\t\t\t);\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\tconst data = ctx.context.newSession;\n\t\t\t\t\t\tif (!data) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (!data?.user.twoFactorEnabled) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst trustDeviceCookieAttrs = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\tTRUST_DEVICE_COOKIE_NAME,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tmaxAge: TRUST_DEVICE_COOKIE_MAX_AGE,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\t// Check for trust device cookie\n\t\t\t\t\t\tconst trustDeviceCookie = await ctx.getSignedCookie(\n\t\t\t\t\t\t\ttrustDeviceCookieAttrs.name,\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (trustDeviceCookie) {\n\t\t\t\t\t\t\tconst [token, sessionToken] = trustDeviceCookie.split(\"!\");\n\t\t\t\t\t\t\tconst expectedToken = await createHMAC(\n\t\t\t\t\t\t\t\t\"SHA-256\",\n\t\t\t\t\t\t\t\t\"base64urlnopad\",\n\t\t\t\t\t\t\t).sign(ctx.context.secret, `${data.user.id}!${sessionToken}`);\n\n\t\t\t\t\t\t\t// Checks if the token is signed correctly, not that its the current session token\n\t\t\t\t\t\t\tif (token === expectedToken) {\n\t\t\t\t\t\t\t\t// Trust device cookie is valid, refresh it and skip 2FA\n\t\t\t\t\t\t\t\tconst newTrustDeviceCookie = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\t\t\tTRUST_DEVICE_COOKIE_NAME,\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tmaxAge: TRUST_DEVICE_COOKIE_MAX_AGE,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tconst newToken = await createHMAC(\n\t\t\t\t\t\t\t\t\t\"SHA-256\",\n\t\t\t\t\t\t\t\t\t\"base64urlnopad\",\n\t\t\t\t\t\t\t\t).sign(\n\t\t\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\t\t\t`${data.user.id}!${data.session.token}`,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tawait ctx.setSignedCookie(\n\t\t\t\t\t\t\t\t\tnewTrustDeviceCookie.name,\n\t\t\t\t\t\t\t\t\t`${newToken}!${data.session.token}`,\n\t\t\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\t\t\ttrustDeviceCookieAttrs.attributes,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * remove the session cookie. It's set by the sign in credential\n\t\t\t\t\t\t */\n\t\t\t\t\t\tdeleteSessionCookie(ctx, true);\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(data.session.token);\n\t\t\t\t\t\tconst maxAge = (options?.otpOptions?.period ?? 3) * 60; // 3 minutes\n\t\t\t\t\t\tconst twoFactorCookie = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\tTWO_FACTOR_COOKIE_NAME,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tmaxAge,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst identifier = `2fa-${generateRandomString(20)}`;\n\t\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\t\tvalue: data.user.id,\n\t\t\t\t\t\t\tidentifier,\n\t\t\t\t\t\t\texpiresAt: new Date(Date.now() + maxAge * 1000),\n\t\t\t\t\t\t});\n\t\t\t\t\t\tawait ctx.setSignedCookie(\n\t\t\t\t\t\t\ttwoFactorCookie.name,\n\t\t\t\t\t\t\tidentifier,\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\ttwoFactorCookie.attributes,\n\t\t\t\t\t\t);\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\ttwoFactorRedirect: true,\n\t\t\t\t\t\t});\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t\tschema: mergeSchema(schema, options?.schema),\n\t\trateLimit: [\n\t\t\t{\n\t\t\t\tpathMatcher(path) {\n\t\t\t\t\treturn path.startsWith(\"/two-factor/\");\n\t\t\t\t},\n\t\t\t\twindow: 10,\n\t\t\t\tmax: 3,\n\t\t\t},\n\t\t],\n\t\t$ERROR_CODES: TWO_FACTOR_ERROR_CODES,\n\t} satisfies BetterAuthPlugin;\n};\n\nexport * from \"./client\";\nexport * from \"./types\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AA+BA,MAAM,4BAA4B,EAAE,OAAO;CAC1C,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,iBACb,CAAC;CACF,QAAQ,EACN,QAAQ,CACR,KAAK,EACL,aAAa,kCACb,CAAC,CACD,UAAU;CACZ,CAAC;AAEF,MAAM,6BAA6B,EAAE,OAAO,EAC3C,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,iBACb,CAAC,EACF,CAAC;AAEF,MAAa,aAAyC,YAAgB;CACrE,MAAM,OAAO,EACZ,gBAAgB,aAChB;CACD,MAAM,oBAAoB;EACzB,kBAAkB;EAClB,GAAG,SAAS;EACZ;CACD,MAAM,OAAO,QAAQ,SAAS,YAAY;CAC1C,MAAM,aAAa,cAAc,kBAAkB;CACnD,MAAM,MAAM,OAAO,SAAS,WAAW;AAEvC,QAAO;EACN,IAAI;EACJ,WAAW;GACV,GAAG,KAAK;GACR,GAAG,IAAI;GACP,GAAG,WAAW;GAgBd,iBAAiB,mBAChB,sBACA;IACC,QAAQ;IACR,MAAM;IACN,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,SAAS;KACT,aACC;KACD,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,SAAS;SACR,MAAM;SACN,aAAa;SACb;QACD,aAAa;SACZ,MAAM;SACN,OAAO,EACN,MAAM,UACN;SACD,aAAa;SACb;QACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,OAAO,IAAI,QAAQ,QAAQ;IACjC,MAAM,EAAE,UAAU,WAAW,IAAI;AAKjC,QAAI,CAJoB,MAAM,iBAAiB,KAAK;KACnD;KACA,QAAQ,KAAK;KACb,CAAC,CAED,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,kBAC1B,CAAC;IAEH,MAAM,SAAS,qBAAqB,GAAG;IACvC,MAAM,kBAAkB,MAAM,iBAAiB;KAC9C,KAAK,IAAI,QAAQ;KACjB,MAAM;KACN,CAAC;IACF,MAAM,cAAc,MAAM,oBACzB,IAAI,QAAQ,QACZ,kBACA;AACD,QAAI,SAAS,0BAA0B;KACtC,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,IACL,EACC,kBAAkB,MAClB,CACD;;;;AASD,WAAM,iBAAiB,KAAK;MAC3B,SATkB,MAAM,IAAI,QAAQ,gBAAgB,cACpD,YAAY,IACZ,OACA,IAAI,QAAQ,QAAQ,QACpB;MAMA,MAAM;MACN,CAAC;AAGF,WAAM,IAAI,QAAQ,gBAAgB,cACjC,IAAI,QAAQ,QAAQ,QAAQ,MAC5B;;AAGF,UAAM,IAAI,QAAQ,QAAQ,WAAW;KACpC,OAAO,KAAK;KACZ,OAAO,CACN;MACC,OAAO;MACP,OAAO,KAAK;MACZ,CACD;KACD,CAAC;AAEF,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,KAAK;KACZ,MAAM;MACL,QAAQ;MACR,aAAa,YAAY;MACzB,QAAQ,KAAK;MACb;KACD,CAAC;IACF,MAAM,UAAU,UAAU,QAAQ;KACjC,QAAQ,SAAS,aAAa,UAAU;KACxC,QAAQ,SAAS,aAAa;KAC9B,CAAC,CAAC,IAAI,UAAU,SAAS,UAAU,IAAI,QAAQ,SAAS,KAAK,MAAM;AACpE,WAAO,IAAI,KAAK;KAAE;KAAS,aAAa,YAAY;KAAa,CAAC;KAEnE;GAgBD,kBAAkB,mBACjB,uBACA;IACC,QAAQ;IACR,MAAM;IACN,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,SAAS;KACT,aACC;KACD,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,OAAO,IAAI,QAAQ,QAAQ;IACjC,MAAM,EAAE,aAAa,IAAI;AAKzB,QAAI,CAJoB,MAAM,iBAAiB,KAAK;KACnD;KACA,QAAQ,KAAK;KACb,CAAC,CAED,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,kBAC1B,CAAC;IAEH,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,IACL,EACC,kBAAkB,OAClB,CACD;AACD,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,KAAK;KACZ,OAAO,CACN;MACC,OAAO;MACP,OAAO,YAAY;MACnB,CACD;KACD,CAAC;;;;AASF,UAAM,iBAAiB,KAAK;KAC3B,SATkB,MAAM,IAAI,QAAQ,gBAAgB,cACpD,YAAY,IACZ,OACA,IAAI,QAAQ,QAAQ,QACpB;KAMA,MAAM;KACN,CAAC;AAEF,UAAM,IAAI,QAAQ,gBAAgB,cACjC,IAAI,QAAQ,QAAQ,QAAQ,MAC5B;AACD,WAAO,IAAI,KAAK,EAAE,QAAQ,MAAM,CAAC;KAElC;GACD;EACQ;EACT,OAAO,EACN,OAAO,CACN;GACC,QAAQ,SAAS;AAChB,WACC,QAAQ,SAAS,oBACjB,QAAQ,SAAS,uBACjB,QAAQ,SAAS;;GAGnB,SAAS,qBAAqB,OAAO,QAAQ;IAC5C,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,KACJ;AAGD,QAAI,CAAC,MAAM,KAAK,iBACf;IAGD,MAAM,yBAAyB,IAAI,QAAQ,iBAC1C,0BACA,EACC,QAAQ,6BACR,CACD;IAED,MAAM,oBAAoB,MAAM,IAAI,gBACnC,uBAAuB,MACvB,IAAI,QAAQ,OACZ;AAED,QAAI,mBAAmB;KACtB,MAAM,CAAC,OAAO,gBAAgB,kBAAkB,MAAM,IAAI;AAO1D,SAAI,UANkB,MAAM,WAC3B,WACA,iBACA,CAAC,KAAK,IAAI,QAAQ,QAAQ,GAAG,KAAK,KAAK,GAAG,GAAG,eAAe,EAGhC;MAE5B,MAAM,uBAAuB,IAAI,QAAQ,iBACxC,0BACA,EACC,QAAQ,6BACR,CACD;MACD,MAAM,WAAW,MAAM,WACtB,WACA,iBACA,CAAC,KACD,IAAI,QAAQ,QACZ,GAAG,KAAK,KAAK,GAAG,GAAG,KAAK,QAAQ,QAChC;AACD,YAAM,IAAI,gBACT,qBAAqB,MACrB,GAAG,SAAS,GAAG,KAAK,QAAQ,SAC5B,IAAI,QAAQ,QACZ,uBAAuB,WACvB;AACD;;;;;;AAOF,wBAAoB,KAAK,KAAK;AAC9B,UAAM,IAAI,QAAQ,gBAAgB,cAAc,KAAK,QAAQ,MAAM;IACnE,MAAM,UAAU,SAAS,YAAY,UAAU,KAAK;IACpD,MAAM,kBAAkB,IAAI,QAAQ,iBACnC,wBACA,EACC,QACA,CACD;IACD,MAAM,aAAa,OAAO,qBAAqB,GAAG;AAClD,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,OAAO,KAAK,KAAK;KACjB;KACA,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,SAAS,IAAK;KAC/C,CAAC;AACF,UAAM,IAAI,gBACT,gBAAgB,MAChB,YACA,IAAI,QAAQ,QACZ,gBAAgB,WAChB;AACD,WAAO,IAAI,KAAK,EACf,mBAAmB,MACnB,CAAC;KACD;GACF,CACD,EACD;EACD,QAAQ,YAAY,QAAQ,SAAS,OAAO;EAC5C,WAAW,CACV;GACC,YAAY,MAAM;AACjB,WAAO,KAAK,WAAW,eAAe;;GAEvC,QAAQ;GACR,KAAK;GACL,CACD;EACD,cAAc;EACd"}
1
+ {"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/two-factor/index.ts"],"sourcesContent":["import type { BetterAuthPlugin } from \"@better-auth/core\";\nimport {\n\tcreateAuthEndpoint,\n\tcreateAuthMiddleware,\n} from \"@better-auth/core/api\";\nimport { APIError, BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { createHMAC } from \"@better-auth/utils/hmac\";\nimport { createOTP } from \"@better-auth/utils/otp\";\nimport * as z from \"zod\";\nimport { sessionMiddleware } from \"../../api\";\nimport { deleteSessionCookie, setSessionCookie } from \"../../cookies\";\nimport { symmetricEncrypt } from \"../../crypto\";\nimport { generateRandomString } from \"../../crypto/random\";\nimport { mergeSchema } from \"../../db/schema\";\nimport { validatePassword } from \"../../utils/password\";\nimport type { BackupCodeOptions } from \"./backup-codes\";\nimport { backupCode2fa, generateBackupCodes } from \"./backup-codes\";\nimport {\n\tTRUST_DEVICE_COOKIE_MAX_AGE,\n\tTRUST_DEVICE_COOKIE_NAME,\n\tTWO_FACTOR_COOKIE_NAME,\n} from \"./constant\";\nimport { TWO_FACTOR_ERROR_CODES } from \"./error-code\";\nimport { otp2fa } from \"./otp\";\nimport { schema } from \"./schema\";\nimport { totp2fa } from \"./totp\";\nimport type { TwoFactorOptions, UserWithTwoFactor } from \"./types\";\n\nexport * from \"./error-code\";\n\nconst enableTwoFactorBodySchema = z.object({\n\tpassword: z.string().meta({\n\t\tdescription: \"User password\",\n\t}),\n\tissuer: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"Custom issuer for the TOTP URI\",\n\t\t})\n\t\t.optional(),\n});\n\nconst disableTwoFactorBodySchema = z.object({\n\tpassword: z.string().meta({\n\t\tdescription: \"User password\",\n\t}),\n});\n\nexport const twoFactor = <O extends TwoFactorOptions>(options?: O) => {\n\tconst opts = {\n\t\ttwoFactorTable: \"twoFactor\",\n\t};\n\tconst backupCodeOptions = {\n\t\tstoreBackupCodes: \"encrypted\",\n\t\t...options?.backupCodeOptions,\n\t} satisfies BackupCodeOptions;\n\tconst totp = totp2fa(options?.totpOptions);\n\tconst backupCode = backupCode2fa(backupCodeOptions);\n\tconst otp = otp2fa(options?.otpOptions);\n\n\treturn {\n\t\tid: \"two-factor\",\n\t\tendpoints: {\n\t\t\t...totp.endpoints,\n\t\t\t...otp.endpoints,\n\t\t\t...backupCode.endpoints,\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/enable`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.enableTwoFactor`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.enable`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-enable)\n\t\t\t */\n\t\t\tenableTwoFactor: createAuthEndpoint(\n\t\t\t\t\"/two-factor/enable\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: enableTwoFactorBodySchema,\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tsummary: \"Enable two factor authentication\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Use this endpoint to enable two factor authentication. This will generate a TOTP URI and backup codes. Once the user verifies the TOTP URI, the two factor authentication will be enabled.\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttotpURI: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"TOTP URI\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tbackupCodes: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Backup codes\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst user = ctx.context.session.user as UserWithTwoFactor;\n\t\t\t\t\tconst { password, issuer } = ctx.body;\n\t\t\t\t\tconst isPasswordValid = await validatePassword(ctx, {\n\t\t\t\t\t\tpassword,\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t});\n\t\t\t\t\tif (!isPasswordValid) {\n\t\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_PASSWORD,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tconst secret = generateRandomString(32);\n\t\t\t\t\tconst encryptedSecret = await symmetricEncrypt({\n\t\t\t\t\t\tkey: ctx.context.secret,\n\t\t\t\t\t\tdata: secret,\n\t\t\t\t\t});\n\t\t\t\t\tconst backupCodes = await generateBackupCodes(\n\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\tbackupCodeOptions,\n\t\t\t\t\t);\n\t\t\t\t\tif (options?.skipVerificationOnEnable) {\n\t\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\t\tuser.id,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttwoFactorEnabled: true,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\t\tupdatedUser.id,\n\t\t\t\t\t\t\tfalse,\n\t\t\t\t\t\t\tctx.context.session.session,\n\t\t\t\t\t\t);\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * Update the session cookie with the new user data\n\t\t\t\t\t\t */\n\t\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\t//remove current session\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\t\tctx.context.session.session.token,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\t//delete existing two factor\n\t\t\t\t\tawait ctx.context.adapter.deleteMany({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\t\t\tvalue: user.id,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t});\n\n\t\t\t\t\tawait ctx.context.adapter.create({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\tdata: {\n\t\t\t\t\t\t\tsecret: encryptedSecret,\n\t\t\t\t\t\t\tbackupCodes: backupCodes.encryptedBackupCodes,\n\t\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t\tconst totpURI = createOTP(secret, {\n\t\t\t\t\t\tdigits: options?.totpOptions?.digits || 6,\n\t\t\t\t\t\tperiod: options?.totpOptions?.period,\n\t\t\t\t\t}).url(issuer || options?.issuer || ctx.context.appName, user.email);\n\t\t\t\t\treturn ctx.json({ totpURI, backupCodes: backupCodes.backupCodes });\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/disable`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.disableTwoFactor`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.disable`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-disable)\n\t\t\t */\n\t\t\tdisableTwoFactor: createAuthEndpoint(\n\t\t\t\t\"/two-factor/disable\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: disableTwoFactorBodySchema,\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tsummary: \"Disable two factor authentication\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Use this endpoint to disable two factor authentication.\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst user = ctx.context.session.user as UserWithTwoFactor;\n\t\t\t\t\tconst { password } = ctx.body;\n\t\t\t\t\tconst isPasswordValid = await validatePassword(ctx, {\n\t\t\t\t\t\tpassword,\n\t\t\t\t\t\tuserId: user.id,\n\t\t\t\t\t});\n\t\t\t\t\tif (!isPasswordValid) {\n\t\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\t\t\tBASE_ERROR_CODES.INVALID_PASSWORD,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\tuser.id,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttwoFactorEnabled: false,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\tawait ctx.context.adapter.delete({\n\t\t\t\t\t\tmodel: opts.twoFactorTable,\n\t\t\t\t\t\twhere: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\t\t\t\tvalue: updatedUser.id,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t});\n\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tupdatedUser.id,\n\t\t\t\t\t\tfalse,\n\t\t\t\t\t\tctx.context.session.session,\n\t\t\t\t\t);\n\t\t\t\t\t/**\n\t\t\t\t\t * Update the session cookie with the new user data\n\t\t\t\t\t */\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t});\n\t\t\t\t\t//remove current session\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\tctx.context.session.session.token,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({ status: true });\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\toptions: options as NoInfer<O>,\n\t\thooks: {\n\t\t\tafter: [\n\t\t\t\t{\n\t\t\t\t\tmatcher(context) {\n\t\t\t\t\t\treturn (\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/email\" ||\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/username\" ||\n\t\t\t\t\t\t\tcontext.path === \"/sign-in/phone-number\"\n\t\t\t\t\t\t);\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\tconst data = ctx.context.newSession;\n\t\t\t\t\t\tif (!data) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tif (!data?.user.twoFactorEnabled) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tconst trustDeviceCookieAttrs = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\tTRUST_DEVICE_COOKIE_NAME,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tmaxAge: TRUST_DEVICE_COOKIE_MAX_AGE,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\t// Check for trust device cookie\n\t\t\t\t\t\tconst trustDeviceCookie = await ctx.getSignedCookie(\n\t\t\t\t\t\t\ttrustDeviceCookieAttrs.name,\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (trustDeviceCookie) {\n\t\t\t\t\t\t\tconst [token, sessionToken] = trustDeviceCookie.split(\"!\");\n\t\t\t\t\t\t\tconst expectedToken = await createHMAC(\n\t\t\t\t\t\t\t\t\"SHA-256\",\n\t\t\t\t\t\t\t\t\"base64urlnopad\",\n\t\t\t\t\t\t\t).sign(ctx.context.secret, `${data.user.id}!${sessionToken}`);\n\n\t\t\t\t\t\t\t// Checks if the token is signed correctly, not that its the current session token\n\t\t\t\t\t\t\tif (token === expectedToken) {\n\t\t\t\t\t\t\t\t// Trust device cookie is valid, refresh it and skip 2FA\n\t\t\t\t\t\t\t\tconst newTrustDeviceCookie = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\t\t\tTRUST_DEVICE_COOKIE_NAME,\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tmaxAge: TRUST_DEVICE_COOKIE_MAX_AGE,\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tconst newToken = await createHMAC(\n\t\t\t\t\t\t\t\t\t\"SHA-256\",\n\t\t\t\t\t\t\t\t\t\"base64urlnopad\",\n\t\t\t\t\t\t\t\t).sign(\n\t\t\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\t\t\t`${data.user.id}!${data.session.token}`,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tawait ctx.setSignedCookie(\n\t\t\t\t\t\t\t\t\tnewTrustDeviceCookie.name,\n\t\t\t\t\t\t\t\t\t`${newToken}!${data.session.token}`,\n\t\t\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\t\t\ttrustDeviceCookieAttrs.attributes,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\t/**\n\t\t\t\t\t\t * remove the session cookie. It's set by the sign in credential\n\t\t\t\t\t\t */\n\t\t\t\t\t\tdeleteSessionCookie(ctx, true);\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(data.session.token);\n\t\t\t\t\t\tconst maxAge = (options?.otpOptions?.period ?? 3) * 60; // 3 minutes\n\t\t\t\t\t\tconst twoFactorCookie = ctx.context.createAuthCookie(\n\t\t\t\t\t\t\tTWO_FACTOR_COOKIE_NAME,\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tmaxAge,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t\tconst identifier = `2fa-${generateRandomString(20)}`;\n\t\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\t\tvalue: data.user.id,\n\t\t\t\t\t\t\tidentifier,\n\t\t\t\t\t\t\texpiresAt: new Date(Date.now() + maxAge * 1000),\n\t\t\t\t\t\t});\n\t\t\t\t\t\tawait ctx.setSignedCookie(\n\t\t\t\t\t\t\ttwoFactorCookie.name,\n\t\t\t\t\t\t\tidentifier,\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t\ttwoFactorCookie.attributes,\n\t\t\t\t\t\t);\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\ttwoFactorRedirect: true,\n\t\t\t\t\t\t});\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t\tschema: mergeSchema(schema, options?.schema),\n\t\trateLimit: [\n\t\t\t{\n\t\t\t\tpathMatcher(path) {\n\t\t\t\t\treturn path.startsWith(\"/two-factor/\");\n\t\t\t\t},\n\t\t\t\twindow: 10,\n\t\t\t\tmax: 3,\n\t\t\t},\n\t\t],\n\t\t$ERROR_CODES: TWO_FACTOR_ERROR_CODES,\n\t} satisfies BetterAuthPlugin;\n};\n\nexport * from \"./client\";\nexport * from \"./types\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AA8BA,MAAM,4BAA4B,EAAE,OAAO;CAC1C,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,iBACb,CAAC;CACF,QAAQ,EACN,QAAQ,CACR,KAAK,EACL,aAAa,kCACb,CAAC,CACD,UAAU;CACZ,CAAC;AAEF,MAAM,6BAA6B,EAAE,OAAO,EAC3C,UAAU,EAAE,QAAQ,CAAC,KAAK,EACzB,aAAa,iBACb,CAAC,EACF,CAAC;AAEF,MAAa,aAAyC,YAAgB;CACrE,MAAM,OAAO,EACZ,gBAAgB,aAChB;CACD,MAAM,oBAAoB;EACzB,kBAAkB;EAClB,GAAG,SAAS;EACZ;CACD,MAAM,OAAO,QAAQ,SAAS,YAAY;CAC1C,MAAM,aAAa,cAAc,kBAAkB;CACnD,MAAM,MAAM,OAAO,SAAS,WAAW;AAEvC,QAAO;EACN,IAAI;EACJ,WAAW;GACV,GAAG,KAAK;GACR,GAAG,IAAI;GACP,GAAG,WAAW;GAgBd,iBAAiB,mBAChB,sBACA;IACC,QAAQ;IACR,MAAM;IACN,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,SAAS;KACT,aACC;KACD,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,SAAS;SACR,MAAM;SACN,aAAa;SACb;QACD,aAAa;SACZ,MAAM;SACN,OAAO,EACN,MAAM,UACN;SACD,aAAa;SACb;QACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,OAAO,IAAI,QAAQ,QAAQ;IACjC,MAAM,EAAE,UAAU,WAAW,IAAI;AAKjC,QAAI,CAJoB,MAAM,iBAAiB,KAAK;KACnD;KACA,QAAQ,KAAK;KACb,CAAC,CAED,OAAM,SAAS,KACd,eACA,iBAAiB,iBACjB;IAEF,MAAM,SAAS,qBAAqB,GAAG;IACvC,MAAM,kBAAkB,MAAM,iBAAiB;KAC9C,KAAK,IAAI,QAAQ;KACjB,MAAM;KACN,CAAC;IACF,MAAM,cAAc,MAAM,oBACzB,IAAI,QAAQ,QACZ,kBACA;AACD,QAAI,SAAS,0BAA0B;KACtC,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,IACL,EACC,kBAAkB,MAClB,CACD;;;;AASD,WAAM,iBAAiB,KAAK;MAC3B,SATkB,MAAM,IAAI,QAAQ,gBAAgB,cACpD,YAAY,IACZ,OACA,IAAI,QAAQ,QAAQ,QACpB;MAMA,MAAM;MACN,CAAC;AAGF,WAAM,IAAI,QAAQ,gBAAgB,cACjC,IAAI,QAAQ,QAAQ,QAAQ,MAC5B;;AAGF,UAAM,IAAI,QAAQ,QAAQ,WAAW;KACpC,OAAO,KAAK;KACZ,OAAO,CACN;MACC,OAAO;MACP,OAAO,KAAK;MACZ,CACD;KACD,CAAC;AAEF,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,KAAK;KACZ,MAAM;MACL,QAAQ;MACR,aAAa,YAAY;MACzB,QAAQ,KAAK;MACb;KACD,CAAC;IACF,MAAM,UAAU,UAAU,QAAQ;KACjC,QAAQ,SAAS,aAAa,UAAU;KACxC,QAAQ,SAAS,aAAa;KAC9B,CAAC,CAAC,IAAI,UAAU,SAAS,UAAU,IAAI,QAAQ,SAAS,KAAK,MAAM;AACpE,WAAO,IAAI,KAAK;KAAE;KAAS,aAAa,YAAY;KAAa,CAAC;KAEnE;GAgBD,kBAAkB,mBACjB,uBACA;IACC,QAAQ;IACR,MAAM;IACN,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,SAAS;KACT,aACC;KACD,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,OAAO,IAAI,QAAQ,QAAQ;IACjC,MAAM,EAAE,aAAa,IAAI;AAKzB,QAAI,CAJoB,MAAM,iBAAiB,KAAK;KACnD;KACA,QAAQ,KAAK;KACb,CAAC,CAED,OAAM,SAAS,KACd,eACA,iBAAiB,iBACjB;IAEF,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,KAAK,IACL,EACC,kBAAkB,OAClB,CACD;AACD,UAAM,IAAI,QAAQ,QAAQ,OAAO;KAChC,OAAO,KAAK;KACZ,OAAO,CACN;MACC,OAAO;MACP,OAAO,YAAY;MACnB,CACD;KACD,CAAC;;;;AASF,UAAM,iBAAiB,KAAK;KAC3B,SATkB,MAAM,IAAI,QAAQ,gBAAgB,cACpD,YAAY,IACZ,OACA,IAAI,QAAQ,QAAQ,QACpB;KAMA,MAAM;KACN,CAAC;AAEF,UAAM,IAAI,QAAQ,gBAAgB,cACjC,IAAI,QAAQ,QAAQ,QAAQ,MAC5B;AACD,WAAO,IAAI,KAAK,EAAE,QAAQ,MAAM,CAAC;KAElC;GACD;EACQ;EACT,OAAO,EACN,OAAO,CACN;GACC,QAAQ,SAAS;AAChB,WACC,QAAQ,SAAS,oBACjB,QAAQ,SAAS,uBACjB,QAAQ,SAAS;;GAGnB,SAAS,qBAAqB,OAAO,QAAQ;IAC5C,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,KACJ;AAGD,QAAI,CAAC,MAAM,KAAK,iBACf;IAGD,MAAM,yBAAyB,IAAI,QAAQ,iBAC1C,0BACA,EACC,QAAQ,6BACR,CACD;IAED,MAAM,oBAAoB,MAAM,IAAI,gBACnC,uBAAuB,MACvB,IAAI,QAAQ,OACZ;AAED,QAAI,mBAAmB;KACtB,MAAM,CAAC,OAAO,gBAAgB,kBAAkB,MAAM,IAAI;AAO1D,SAAI,UANkB,MAAM,WAC3B,WACA,iBACA,CAAC,KAAK,IAAI,QAAQ,QAAQ,GAAG,KAAK,KAAK,GAAG,GAAG,eAAe,EAGhC;MAE5B,MAAM,uBAAuB,IAAI,QAAQ,iBACxC,0BACA,EACC,QAAQ,6BACR,CACD;MACD,MAAM,WAAW,MAAM,WACtB,WACA,iBACA,CAAC,KACD,IAAI,QAAQ,QACZ,GAAG,KAAK,KAAK,GAAG,GAAG,KAAK,QAAQ,QAChC;AACD,YAAM,IAAI,gBACT,qBAAqB,MACrB,GAAG,SAAS,GAAG,KAAK,QAAQ,SAC5B,IAAI,QAAQ,QACZ,uBAAuB,WACvB;AACD;;;;;;AAOF,wBAAoB,KAAK,KAAK;AAC9B,UAAM,IAAI,QAAQ,gBAAgB,cAAc,KAAK,QAAQ,MAAM;IACnE,MAAM,UAAU,SAAS,YAAY,UAAU,KAAK;IACpD,MAAM,kBAAkB,IAAI,QAAQ,iBACnC,wBACA,EACC,QACA,CACD;IACD,MAAM,aAAa,OAAO,qBAAqB,GAAG;AAClD,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,OAAO,KAAK,KAAK;KACjB;KACA,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,SAAS,IAAK;KAC/C,CAAC;AACF,UAAM,IAAI,gBACT,gBAAgB,MAChB,YACA,IAAI,QAAQ,QACZ,gBAAgB,WAChB;AACD,WAAO,IAAI,KAAK,EACf,mBAAmB,MACnB,CAAC;KACD;GACF,CACD,EACD;EACD,QAAQ,YAAY,QAAQ,SAAS,OAAO;EAC5C,WAAW,CACV;GACC,YAAY,MAAM;AACjB,WAAO,KAAK,WAAW,eAAe;;GAEvC,QAAQ;GACR,KAAK;GACL,CACD;EACD,cAAc;EACd"}
package/dist/plugins/two-factor/otp/index.mjs CHANGED
@@ -5,9 +5,8 @@ import { setSessionCookie } from "../../../cookies/index.mjs";
5
5
  import { TWO_FACTOR_ERROR_CODES } from "../error-code.mjs";
6
6
  import { verifyTwoFactor } from "../verify-two-factor.mjs";
7
7
  import { defaultKeyHasher } from "../utils.mjs";
8
- import { BASE_ERROR_CODES } from "@better-auth/core/error";
8
+ import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
9
9
  import * as z from "zod";
10
- import { APIError } from "better-call";
11
10
  import { createAuthEndpoint } from "@better-auth/core/api";
12
11
 
13
12
  //#region src/plugins/two-factor/otp/index.ts
@@ -66,7 +65,10 @@ const otp2fa = (options) => {
66
65
  }, async (ctx) => {
67
66
  if (!options || !options.sendOTP) {
68
67
  ctx.context.logger.error("send otp isn't configured. Please configure the send otp function on otp options.");
69
- throw new APIError("BAD_REQUEST", { message: "otp isn't configured" });
68
+ throw APIError.from("BAD_REQUEST", {
69
+ message: "otp isn't configured",
70
+ code: "OTP_NOT_CONFIGURED"
71
+ });
70
72
  }
71
73
  const { session, key } = await verifyTwoFactor(ctx);
72
74
  const code = generateRandomString(opts.digits, "0-9");
@@ -159,16 +161,16 @@ const otp2fa = (options) => {
159
161
  const decryptedOtp = await decryptOTP(ctx, otp);
160
162
  if (!toCheckOtp || toCheckOtp.expiresAt < /* @__PURE__ */ new Date()) {
161
163
  if (toCheckOtp) await ctx.context.internalAdapter.deleteVerificationValue(toCheckOtp.id);
162
- throw new APIError("BAD_REQUEST", { message: TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED });
164
+ throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED);
163
165
  }
164
166
  const allowedAttempts = options?.allowedAttempts || 5;
165
167
  if (parseInt(counter) >= allowedAttempts) {
166
168
  await ctx.context.internalAdapter.deleteVerificationValue(toCheckOtp.id);
167
- throw new APIError("BAD_REQUEST", { message: TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE });
169
+ throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE);
168
170
  }
169
171
  if (constantTimeEqual(new TextEncoder().encode(decryptedOtp), new TextEncoder().encode(ctx.body.code))) {
170
172
  if (!session.user.twoFactorEnabled) {
171
- if (!session.session) throw new APIError("BAD_REQUEST", { message: BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION });
173
+ if (!session.session) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
172
174
  const updatedUser = await ctx.context.internalAdapter.updateUser(session.user.id, { twoFactorEnabled: true });
173
175
  const newSession = await ctx.context.internalAdapter.createSession(session.user.id, false, session.session);
174
176
  await ctx.context.internalAdapter.deleteSession(session.session.token);
package/dist/plugins/two-factor/otp/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.mjs","names":[],"sources":["../../../../src/plugins/two-factor/otp/index.ts"],"sourcesContent":["import type { Awaitable, GenericEndpointContext } from \"@better-auth/core\";\nimport { createAuthEndpoint } from \"@better-auth/core/api\";\nimport { BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport { APIError } from \"better-call\";\nimport * as z from \"zod\";\nimport { setSessionCookie } from \"../../../cookies\";\nimport {\n\tconstantTimeEqual,\n\tgenerateRandomString,\n\tsymmetricDecrypt,\n\tsymmetricEncrypt,\n} from \"../../../crypto\";\nimport { TWO_FACTOR_ERROR_CODES } from \"../error-code\";\nimport type { TwoFactorProvider, UserWithTwoFactor } from \"../types\";\nimport { defaultKeyHasher } from \"../utils\";\nimport { verifyTwoFactor } from \"../verify-two-factor\";\n\nexport interface OTPOptions {\n\t/**\n\t * How long the opt will be valid for in\n\t * minutes\n\t *\n\t * @default \"3 mins\"\n\t */\n\tperiod?: number | undefined;\n\t/**\n\t * Number of digits for the OTP code\n\t *\n\t * @default 6\n\t */\n\tdigits?: number | undefined;\n\t/**\n\t * Send the otp to the user\n\t *\n\t * @param user - The user to send the otp to\n\t * @param otp - The otp to send\n\t * @param request - The request object\n\t * @returns void | Promise<void>\n\t */\n\tsendOTP?:\n\t\t| ((\n\t\t\t\t/**\n\t\t\t\t * The user to send the otp to\n\t\t\t\t * @type UserWithTwoFactor\n\t\t\t\t * @default UserWithTwoFactors\n\t\t\t\t */\n\t\t\t\tdata: {\n\t\t\t\t\tuser: UserWithTwoFactor;\n\t\t\t\t\totp: string;\n\t\t\t\t},\n\t\t\t\t/**\n\t\t\t\t * The request object\n\t\t\t\t */\n\t\t\t\tctx?: GenericEndpointContext,\n\t\t ) => Awaitable<void>)\n\t\t| undefined;\n\t/**\n\t * The number of allowed attempts for the OTP\n\t *\n\t * @default 5\n\t */\n\tallowedAttempts?: number | undefined;\n\tstoreOTP?:\n\t\t| (\n\t\t\t\t| \"plain\"\n\t\t\t\t| \"encrypted\"\n\t\t\t\t| \"hashed\"\n\t\t\t\t| { hash: (token: string) => Promise<string> }\n\t\t\t\t| {\n\t\t\t\t\t\tencrypt: (token: string) => Promise<string>;\n\t\t\t\t\t\tdecrypt: (token: string) => Promise<string>;\n\t\t\t\t }\n\t\t )\n\t\t| undefined;\n}\n\nconst verifyOTPBodySchema = z.object({\n\tcode: z.string().meta({\n\t\tdescription: 'The otp code to verify. Eg: \"012345\"',\n\t}),\n\t/**\n\t * if true, the device will be trusted\n\t * for 30 days. It'll be refreshed on\n\t * every sign in request within this time.\n\t */\n\ttrustDevice: z.boolean().optional().meta({\n\t\tdescription:\n\t\t\t\"If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true\",\n\t}),\n});\n\nconst send2FaOTPBodySchema = z\n\t.object({\n\t\t/**\n\t\t * if true, the device will be trusted\n\t\t * for 30 days. It'll be refreshed on\n\t\t * every sign in request within this time.\n\t\t */\n\t\ttrustDevice: z.boolean().optional().meta({\n\t\t\tdescription:\n\t\t\t\t\"If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true\",\n\t\t}),\n\t})\n\t.optional();\n\n/**\n * The otp adapter is created from the totp adapter.\n */\nexport const otp2fa = (options?: OTPOptions | undefined) => {\n\tconst opts = {\n\t\tstoreOTP: \"plain\",\n\t\tdigits: 6,\n\t\t...options,\n\t\tperiod: (options?.period || 3) * 60 * 1000,\n\t};\n\n\tasync function storeOTP(ctx: GenericEndpointContext, otp: string) {\n\t\tif (opts.storeOTP === \"hashed\") {\n\t\t\treturn await defaultKeyHasher(otp);\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"hash\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.hash(otp);\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"encrypt\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.encrypt(otp);\n\t\t}\n\t\tif (opts.storeOTP === \"encrypted\") {\n\t\t\treturn await symmetricEncrypt({\n\t\t\t\tkey: ctx.context.secret,\n\t\t\t\tdata: otp,\n\t\t\t});\n\t\t}\n\t\treturn otp;\n\t}\n\n\tasync function decryptOTP(ctx: GenericEndpointContext, otp: string) {\n\t\tif (opts.storeOTP === \"hashed\") {\n\t\t\treturn await defaultKeyHasher(otp);\n\t\t}\n\t\tif (opts.storeOTP === \"encrypted\") {\n\t\t\treturn await symmetricDecrypt({\n\t\t\t\tkey: ctx.context.secret,\n\t\t\t\tdata: otp,\n\t\t\t});\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"encrypt\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.decrypt(otp);\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"hash\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.hash(otp);\n\t\t}\n\t\treturn otp;\n\t}\n\n\t/**\n\t * Generate OTP and send it to the user.\n\t */\n\tconst send2FaOTP = createAuthEndpoint(\n\t\t\"/two-factor/send-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: send2FaOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tsummary: \"Send two factor OTP\",\n\t\t\t\t\tdescription: \"Send two factor OTP to the user\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tif (!options || !options.sendOTP) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t\"send otp isn't configured. Please configure the send otp function on otp options.\",\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"otp isn't configured\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst { session, key } = await verifyTwoFactor(ctx);\n\t\t\tconst code = generateRandomString(opts.digits, \"0-9\");\n\t\t\tconst hashedCode = await storeOTP(ctx, code);\n\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\tvalue: `${hashedCode}:0`,\n\t\t\t\tidentifier: `2fa-otp-${key}`,\n\t\t\t\texpiresAt: new Date(Date.now() + opts.period),\n\t\t\t});\n\t\t\tconst sendOTPResult = options.sendOTP(\n\t\t\t\t{ user: session.user as UserWithTwoFactor, otp: code },\n\t\t\t\tctx,\n\t\t\t);\n\t\t\tif (sendOTPResult instanceof Promise) {\n\t\t\t\tawait ctx.context.runInBackgroundOrAwait(\n\t\t\t\t\tsendOTPResult.catch((e: unknown) => {\n\t\t\t\t\t\tctx.context.logger.error(\"Failed to send two-factor OTP\", e);\n\t\t\t\t\t}),\n\t\t\t\t);\n\t\t\t}\n\t\t\treturn ctx.json({ status: true });\n\t\t},\n\t);\n\n\tconst verifyOTP = createAuthEndpoint(\n\t\t\"/two-factor/verify-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: verifyOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tsummary: \"Verify two factor OTP\",\n\t\t\t\t\tdescription: \"Verify two factor OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Two-factor OTP verified successfully\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Session token for the authenticated session\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tid: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Unique identifier of the user\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temail: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"email\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"User's email address\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temailVerified: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Whether the email is verified\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tname: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"User's name\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\timage: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"User's profile image URL\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tcreatedAt: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"date-time\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Timestamp when the user was created\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tupdatedAt: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"date-time\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Timestamp when the user was last updated\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"id\", \"createdAt\", \"updatedAt\"],\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"The authenticated user object\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"token\", \"user\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst { session, key, valid, invalid } = await verifyTwoFactor(ctx);\n\t\t\tconst toCheckOtp =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`2fa-otp-${key}`,\n\t\t\t\t);\n\t\t\tconst [otp, counter] = toCheckOtp?.value?.split(\":\") ?? [];\n\t\t\tconst decryptedOtp = await decryptOTP(ctx, otp!);\n\t\t\tif (!toCheckOtp || toCheckOtp.expiresAt < new Date()) {\n\t\t\t\tif (toCheckOtp) {\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\ttoCheckOtp.id,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: TWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst allowedAttempts = options?.allowedAttempts || 5;\n\t\t\tif (parseInt(counter!) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\ttoCheckOtp.id,\n\t\t\t\t);\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: TWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE,\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst isCodeValid = constantTimeEqual(\n\t\t\t\tnew TextEncoder().encode(decryptedOtp),\n\t\t\t\tnew TextEncoder().encode(ctx.body.code),\n\t\t\t);\n\t\t\tif (isCodeValid) {\n\t\t\t\tif (!session.user.twoFactorEnabled) {\n\t\t\t\t\tif (!session.session) {\n\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\tmessage: BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\tsession.user.id,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttwoFactorEnabled: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tsession.user.id,\n\t\t\t\t\t\tfalse,\n\t\t\t\t\t\tsession.session,\n\t\t\t\t\t);\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\tsession.session.token,\n\t\t\t\t\t);\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t});\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\ttoken: newSession.token,\n\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\tid: updatedUser.id,\n\t\t\t\t\t\t\temail: updatedUser.email,\n\t\t\t\t\t\t\temailVerified: updatedUser.emailVerified,\n\t\t\t\t\t\t\tname: updatedUser.name,\n\t\t\t\t\t\t\timage: updatedUser.image,\n\t\t\t\t\t\t\tcreatedAt: updatedUser.createdAt,\n\t\t\t\t\t\t\tupdatedAt: updatedUser.updatedAt,\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t\treturn valid(ctx);\n\t\t\t} else {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\ttoCheckOtp.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otp}:${(parseInt(counter!, 10) || 0) + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\treturn invalid(\"INVALID_CODE\");\n\t\t\t}\n\t\t},\n\t);\n\n\treturn {\n\t\tid: \"otp\",\n\t\tendpoints: {\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/send-otp`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.send2FaOTP`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.sendOtp`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-send-otp)\n\t\t\t */\n\t\t\tsendTwoFactorOTP: send2FaOTP,\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/verify-otp`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.verifyOTP`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.verifyOtp`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-verify-otp)\n\t\t\t */\n\t\t\tverifyTwoFactorOTP: verifyOTP,\n\t\t},\n\t} satisfies TwoFactorProvider;\n};\n"],"mappings":";;;;;;;;;;;;;AA4EA,MAAM,sBAAsB,EAAE,OAAO;CACpC,MAAM,EAAE,QAAQ,CAAC,KAAK,EACrB,aAAa,0CACb,CAAC;CAMF,aAAa,EAAE,SAAS,CAAC,UAAU,CAAC,KAAK,EACxC,aACC,2HACD,CAAC;CACF,CAAC;AAEF,MAAM,uBAAuB,EAC3B,OAAO,EAMP,aAAa,EAAE,SAAS,CAAC,UAAU,CAAC,KAAK,EACxC,aACC,2HACD,CAAC,EACF,CAAC,CACD,UAAU;;;;AAKZ,MAAa,UAAU,YAAqC;CAC3D,MAAM,OAAO;EACZ,UAAU;EACV,QAAQ;EACR,GAAG;EACH,SAAS,SAAS,UAAU,KAAK,KAAK;EACtC;CAED,eAAe,SAAS,KAA6B,KAAa;AACjE,MAAI,KAAK,aAAa,SACrB,QAAO,MAAM,iBAAiB,IAAI;AAEnC,MAAI,OAAO,KAAK,aAAa,YAAY,UAAU,KAAK,SACvD,QAAO,MAAM,KAAK,SAAS,KAAK,IAAI;AAErC,MAAI,OAAO,KAAK,aAAa,YAAY,aAAa,KAAK,SAC1D,QAAO,MAAM,KAAK,SAAS,QAAQ,IAAI;AAExC,MAAI,KAAK,aAAa,YACrB,QAAO,MAAM,iBAAiB;GAC7B,KAAK,IAAI,QAAQ;GACjB,MAAM;GACN,CAAC;AAEH,SAAO;;CAGR,eAAe,WAAW,KAA6B,KAAa;AACnE,MAAI,KAAK,aAAa,SACrB,QAAO,MAAM,iBAAiB,IAAI;AAEnC,MAAI,KAAK,aAAa,YACrB,QAAO,MAAM,iBAAiB;GAC7B,KAAK,IAAI,QAAQ;GACjB,MAAM;GACN,CAAC;AAEH,MAAI,OAAO,KAAK,aAAa,YAAY,aAAa,KAAK,SAC1D,QAAO,MAAM,KAAK,SAAS,QAAQ,IAAI;AAExC,MAAI,OAAO,KAAK,aAAa,YAAY,UAAU,KAAK,SACvD,QAAO,MAAM,KAAK,SAAS,KAAK,IAAI;AAErC,SAAO;;AAiOR,QAAO;EACN,IAAI;EACJ,WAAW;GAgBV,kBA7OiB,mBAClB,wBACA;IACC,QAAQ;IACR,MAAM;IACN,UAAU,EACT,SAAS;KACR,SAAS;KACT,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,QAAI,CAAC,WAAW,CAAC,QAAQ,SAAS;AACjC,SAAI,QAAQ,OAAO,MAClB,oFACA;AACD,WAAM,IAAI,SAAS,eAAe,EACjC,SAAS,wBACT,CAAC;;IAEH,MAAM,EAAE,SAAS,QAAQ,MAAM,gBAAgB,IAAI;IACnD,MAAM,OAAO,qBAAqB,KAAK,QAAQ,MAAM;IACrD,MAAM,aAAa,MAAM,SAAS,KAAK,KAAK;AAC5C,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,OAAO,GAAG,WAAW;KACrB,YAAY,WAAW;KACvB,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,KAAK,OAAO;KAC7C,CAAC;IACF,MAAM,gBAAgB,QAAQ,QAC7B;KAAE,MAAM,QAAQ;KAA2B,KAAK;KAAM,EACtD,IACA;AACD,QAAI,yBAAyB,QAC5B,OAAM,IAAI,QAAQ,uBACjB,cAAc,OAAO,MAAe;AACnC,SAAI,QAAQ,OAAO,MAAM,iCAAiC,EAAE;MAC3D,CACF;AAEF,WAAO,IAAI,KAAK,EAAE,QAAQ,MAAM,CAAC;KAElC;GAkMC,oBAhMgB,mBACjB,0BACA;IACC,QAAQ;IACR,MAAM;IACN,UAAU,EACT,SAAS;KACR,SAAS;KACT,aAAa;KACb,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,OAAO;SACN,MAAM;SACN,aACC;SACD;QACD,MAAM;SACL,MAAM;SACN,YAAY;UACX,IAAI;WACH,MAAM;WACN,aAAa;WACb;UACD,OAAO;WACN,MAAM;WACN,QAAQ;WACR,UAAU;WACV,aAAa;WACb;UACD,eAAe;WACd,MAAM;WACN,UAAU;WACV,aAAa;WACb;UACD,MAAM;WACL,MAAM;WACN,UAAU;WACV,aAAa;WACb;UACD,OAAO;WACN,MAAM;WACN,QAAQ;WACR,UAAU;WACV,aAAa;WACb;UACD,WAAW;WACV,MAAM;WACN,QAAQ;WACR,aAAa;WACb;UACD,WAAW;WACV,MAAM;WACN,QAAQ;WACR,aACC;WACD;UACD;SACD,UAAU;UAAC;UAAM;UAAa;UAAY;SAC1C,aAAa;SACb;QACD;OACD,UAAU,CAAC,SAAS,OAAO;OAC3B,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,EAAE,SAAS,KAAK,OAAO,YAAY,MAAM,gBAAgB,IAAI;IACnE,MAAM,aACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,WAAW,MACX;IACF,MAAM,CAAC,KAAK,WAAW,YAAY,OAAO,MAAM,IAAI,IAAI,EAAE;IAC1D,MAAM,eAAe,MAAM,WAAW,KAAK,IAAK;AAChD,QAAI,CAAC,cAAc,WAAW,4BAAY,IAAI,MAAM,EAAE;AACrD,SAAI,WACH,OAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;AAEF,WAAM,IAAI,SAAS,eAAe,EACjC,SAAS,uBAAuB,iBAChC,CAAC;;IAEH,MAAM,kBAAkB,SAAS,mBAAmB;AACpD,QAAI,SAAS,QAAS,IAAI,iBAAiB;AAC1C,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;AACD,WAAM,IAAI,SAAS,eAAe,EACjC,SAAS,uBAAuB,oCAChC,CAAC;;AAMH,QAJoB,kBACnB,IAAI,aAAa,CAAC,OAAO,aAAa,EACtC,IAAI,aAAa,CAAC,OAAO,IAAI,KAAK,KAAK,CACvC,EACgB;AAChB,SAAI,CAAC,QAAQ,KAAK,kBAAkB;AACnC,UAAI,CAAC,QAAQ,QACZ,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,iBAAiB,0BAC1B,CAAC;MAEH,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,QAAQ,KAAK,IACb,EACC,kBAAkB,MAClB,CACD;MACD,MAAM,aAAa,MAAM,IAAI,QAAQ,gBAAgB,cACpD,QAAQ,KAAK,IACb,OACA,QAAQ,QACR;AACD,YAAM,IAAI,QAAQ,gBAAgB,cACjC,QAAQ,QAAQ,MAChB;AACD,YAAM,iBAAiB,KAAK;OAC3B,SAAS;OACT,MAAM;OACN,CAAC;AACF,aAAO,IAAI,KAAK;OACf,OAAO,WAAW;OAClB,MAAM;QACL,IAAI,YAAY;QAChB,OAAO,YAAY;QACnB,eAAe,YAAY;QAC3B,MAAM,YAAY;QAClB,OAAO,YAAY;QACnB,WAAW,YAAY;QACvB,WAAW,YAAY;QACvB;OACD,CAAC;;AAEH,YAAO,MAAM,IAAI;WACX;AACN,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,IACX,EACC,OAAO,GAAG,IAAI,IAAI,SAAS,SAAU,GAAG,IAAI,KAAK,KACjD,CACD;AACD,YAAO,QAAQ,eAAe;;KAGhC;GAqCC;EACD"}
1
+ {"version":3,"file":"index.mjs","names":[],"sources":["../../../../src/plugins/two-factor/otp/index.ts"],"sourcesContent":["import type { Awaitable, GenericEndpointContext } from \"@better-auth/core\";\nimport { createAuthEndpoint } from \"@better-auth/core/api\";\nimport { APIError, BASE_ERROR_CODES } from \"@better-auth/core/error\";\nimport * as z from \"zod\";\nimport { setSessionCookie } from \"../../../cookies\";\nimport {\n\tconstantTimeEqual,\n\tgenerateRandomString,\n\tsymmetricDecrypt,\n\tsymmetricEncrypt,\n} from \"../../../crypto\";\nimport { TWO_FACTOR_ERROR_CODES } from \"../error-code\";\nimport type { TwoFactorProvider, UserWithTwoFactor } from \"../types\";\nimport { defaultKeyHasher } from \"../utils\";\nimport { verifyTwoFactor } from \"../verify-two-factor\";\n\nexport interface OTPOptions {\n\t/**\n\t * How long the opt will be valid for in\n\t * minutes\n\t *\n\t * @default \"3 mins\"\n\t */\n\tperiod?: number | undefined;\n\t/**\n\t * Number of digits for the OTP code\n\t *\n\t * @default 6\n\t */\n\tdigits?: number | undefined;\n\t/**\n\t * Send the otp to the user\n\t *\n\t * @param user - The user to send the otp to\n\t * @param otp - The otp to send\n\t * @param request - The request object\n\t * @returns void | Promise<void>\n\t */\n\tsendOTP?:\n\t\t| ((\n\t\t\t\t/**\n\t\t\t\t * The user to send the otp to\n\t\t\t\t * @type UserWithTwoFactor\n\t\t\t\t * @default UserWithTwoFactors\n\t\t\t\t */\n\t\t\t\tdata: {\n\t\t\t\t\tuser: UserWithTwoFactor;\n\t\t\t\t\totp: string;\n\t\t\t\t},\n\t\t\t\t/**\n\t\t\t\t * The request object\n\t\t\t\t */\n\t\t\t\tctx?: GenericEndpointContext,\n\t\t ) => Awaitable<void>)\n\t\t| undefined;\n\t/**\n\t * The number of allowed attempts for the OTP\n\t *\n\t * @default 5\n\t */\n\tallowedAttempts?: number | undefined;\n\tstoreOTP?:\n\t\t| (\n\t\t\t\t| \"plain\"\n\t\t\t\t| \"encrypted\"\n\t\t\t\t| \"hashed\"\n\t\t\t\t| { hash: (token: string) => Promise<string> }\n\t\t\t\t| {\n\t\t\t\t\t\tencrypt: (token: string) => Promise<string>;\n\t\t\t\t\t\tdecrypt: (token: string) => Promise<string>;\n\t\t\t\t }\n\t\t )\n\t\t| undefined;\n}\n\nconst verifyOTPBodySchema = z.object({\n\tcode: z.string().meta({\n\t\tdescription: 'The otp code to verify. Eg: \"012345\"',\n\t}),\n\t/**\n\t * if true, the device will be trusted\n\t * for 30 days. It'll be refreshed on\n\t * every sign in request within this time.\n\t */\n\ttrustDevice: z.boolean().optional().meta({\n\t\tdescription:\n\t\t\t\"If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true\",\n\t}),\n});\n\nconst send2FaOTPBodySchema = z\n\t.object({\n\t\t/**\n\t\t * if true, the device will be trusted\n\t\t * for 30 days. It'll be refreshed on\n\t\t * every sign in request within this time.\n\t\t */\n\t\ttrustDevice: z.boolean().optional().meta({\n\t\t\tdescription:\n\t\t\t\t\"If true, the device will be trusted for 30 days. It'll be refreshed on every sign in request within this time. Eg: true\",\n\t\t}),\n\t})\n\t.optional();\n\n/**\n * The otp adapter is created from the totp adapter.\n */\nexport const otp2fa = (options?: OTPOptions | undefined) => {\n\tconst opts = {\n\t\tstoreOTP: \"plain\",\n\t\tdigits: 6,\n\t\t...options,\n\t\tperiod: (options?.period || 3) * 60 * 1000,\n\t};\n\n\tasync function storeOTP(ctx: GenericEndpointContext, otp: string) {\n\t\tif (opts.storeOTP === \"hashed\") {\n\t\t\treturn await defaultKeyHasher(otp);\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"hash\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.hash(otp);\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"encrypt\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.encrypt(otp);\n\t\t}\n\t\tif (opts.storeOTP === \"encrypted\") {\n\t\t\treturn await symmetricEncrypt({\n\t\t\t\tkey: ctx.context.secret,\n\t\t\t\tdata: otp,\n\t\t\t});\n\t\t}\n\t\treturn otp;\n\t}\n\n\tasync function decryptOTP(ctx: GenericEndpointContext, otp: string) {\n\t\tif (opts.storeOTP === \"hashed\") {\n\t\t\treturn await defaultKeyHasher(otp);\n\t\t}\n\t\tif (opts.storeOTP === \"encrypted\") {\n\t\t\treturn await symmetricDecrypt({\n\t\t\t\tkey: ctx.context.secret,\n\t\t\t\tdata: otp,\n\t\t\t});\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"encrypt\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.decrypt(otp);\n\t\t}\n\t\tif (typeof opts.storeOTP === \"object\" && \"hash\" in opts.storeOTP) {\n\t\t\treturn await opts.storeOTP.hash(otp);\n\t\t}\n\t\treturn otp;\n\t}\n\n\t/**\n\t * Generate OTP and send it to the user.\n\t */\n\tconst send2FaOTP = createAuthEndpoint(\n\t\t\"/two-factor/send-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: send2FaOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tsummary: \"Send two factor OTP\",\n\t\t\t\t\tdescription: \"Send two factor OTP to the user\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\tdescription: \"Successful response\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tif (!options || !options.sendOTP) {\n\t\t\t\tctx.context.logger.error(\n\t\t\t\t\t\"send otp isn't configured. Please configure the send otp function on otp options.\",\n\t\t\t\t);\n\t\t\t\tthrow APIError.from(\"BAD_REQUEST\", {\n\t\t\t\t\tmessage: \"otp isn't configured\",\n\t\t\t\t\tcode: \"OTP_NOT_CONFIGURED\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst { session, key } = await verifyTwoFactor(ctx);\n\t\t\tconst code = generateRandomString(opts.digits, \"0-9\");\n\t\t\tconst hashedCode = await storeOTP(ctx, code);\n\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\tvalue: `${hashedCode}:0`,\n\t\t\t\tidentifier: `2fa-otp-${key}`,\n\t\t\t\texpiresAt: new Date(Date.now() + opts.period),\n\t\t\t});\n\t\t\tconst sendOTPResult = options.sendOTP(\n\t\t\t\t{ user: session.user as UserWithTwoFactor, otp: code },\n\t\t\t\tctx,\n\t\t\t);\n\t\t\tif (sendOTPResult instanceof Promise) {\n\t\t\t\tawait ctx.context.runInBackgroundOrAwait(\n\t\t\t\t\tsendOTPResult.catch((e: unknown) => {\n\t\t\t\t\t\tctx.context.logger.error(\"Failed to send two-factor OTP\", e);\n\t\t\t\t\t}),\n\t\t\t\t);\n\t\t\t}\n\t\t\treturn ctx.json({ status: true });\n\t\t},\n\t);\n\n\tconst verifyOTP = createAuthEndpoint(\n\t\t\"/two-factor/verify-otp\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: verifyOTPBodySchema,\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tsummary: \"Verify two factor OTP\",\n\t\t\t\t\tdescription: \"Verify two factor OTP\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Two-factor OTP verified successfully\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Session token for the authenticated session\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tid: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Unique identifier of the user\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temail: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"email\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"User's email address\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temailVerified: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Whether the email is verified\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tname: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"User's name\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\timage: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"User's profile image URL\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tcreatedAt: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"date-time\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Timestamp when the user was created\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tupdatedAt: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"date-time\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Timestamp when the user was last updated\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"id\", \"createdAt\", \"updatedAt\"],\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"The authenticated user object\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"token\", \"user\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\tconst { session, key, valid, invalid } = await verifyTwoFactor(ctx);\n\t\t\tconst toCheckOtp =\n\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t`2fa-otp-${key}`,\n\t\t\t\t);\n\t\t\tconst [otp, counter] = toCheckOtp?.value?.split(\":\") ?? [];\n\t\t\tconst decryptedOtp = await decryptOTP(ctx, otp!);\n\t\t\tif (!toCheckOtp || toCheckOtp.expiresAt < new Date()) {\n\t\t\t\tif (toCheckOtp) {\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\t\ttoCheckOtp.id,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\tTWO_FACTOR_ERROR_CODES.OTP_HAS_EXPIRED,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst allowedAttempts = options?.allowedAttempts || 5;\n\t\t\tif (parseInt(counter!) >= allowedAttempts) {\n\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationValue(\n\t\t\t\t\ttoCheckOtp.id,\n\t\t\t\t);\n\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\tTWO_FACTOR_ERROR_CODES.TOO_MANY_ATTEMPTS_REQUEST_NEW_CODE,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst isCodeValid = constantTimeEqual(\n\t\t\t\tnew TextEncoder().encode(decryptedOtp),\n\t\t\t\tnew TextEncoder().encode(ctx.body.code),\n\t\t\t);\n\t\t\tif (isCodeValid) {\n\t\t\t\tif (!session.user.twoFactorEnabled) {\n\t\t\t\t\tif (!session.session) {\n\t\t\t\t\t\tthrow APIError.from(\n\t\t\t\t\t\t\t\"BAD_REQUEST\",\n\t\t\t\t\t\t\tBASE_ERROR_CODES.FAILED_TO_CREATE_SESSION,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tconst updatedUser = await ctx.context.internalAdapter.updateUser(\n\t\t\t\t\t\tsession.user.id,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttwoFactorEnabled: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\t\t\t\t\tconst newSession = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tsession.user.id,\n\t\t\t\t\t\tfalse,\n\t\t\t\t\t\tsession.session,\n\t\t\t\t\t);\n\t\t\t\t\tawait ctx.context.internalAdapter.deleteSession(\n\t\t\t\t\t\tsession.session.token,\n\t\t\t\t\t);\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession: newSession,\n\t\t\t\t\t\tuser: updatedUser,\n\t\t\t\t\t});\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\ttoken: newSession.token,\n\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\tid: updatedUser.id,\n\t\t\t\t\t\t\temail: updatedUser.email,\n\t\t\t\t\t\t\temailVerified: updatedUser.emailVerified,\n\t\t\t\t\t\t\tname: updatedUser.name,\n\t\t\t\t\t\t\timage: updatedUser.image,\n\t\t\t\t\t\t\tcreatedAt: updatedUser.createdAt,\n\t\t\t\t\t\t\tupdatedAt: updatedUser.updatedAt,\n\t\t\t\t\t\t},\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t\treturn valid(ctx);\n\t\t\t} else {\n\t\t\t\tawait ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\t\ttoCheckOtp.id,\n\t\t\t\t\t{\n\t\t\t\t\t\tvalue: `${otp}:${(parseInt(counter!, 10) || 0) + 1}`,\n\t\t\t\t\t},\n\t\t\t\t);\n\t\t\t\treturn invalid(\"INVALID_CODE\");\n\t\t\t}\n\t\t},\n\t);\n\n\treturn {\n\t\tid: \"otp\",\n\t\tendpoints: {\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/send-otp`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.send2FaOTP`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.sendOtp`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-send-otp)\n\t\t\t */\n\t\t\tsendTwoFactorOTP: send2FaOTP,\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/two-factor/verify-otp`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.verifyOTP`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.twoFactor.verifyOtp`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/2fa#api-method-two-factor-verify-otp)\n\t\t\t */\n\t\t\tverifyTwoFactorOTP: verifyOTP,\n\t\t},\n\t} satisfies TwoFactorProvider;\n};\n"],"mappings":";;;;;;;;;;;;AA2EA,MAAM,sBAAsB,EAAE,OAAO;CACpC,MAAM,EAAE,QAAQ,CAAC,KAAK,EACrB,aAAa,0CACb,CAAC;CAMF,aAAa,EAAE,SAAS,CAAC,UAAU,CAAC,KAAK,EACxC,aACC,2HACD,CAAC;CACF,CAAC;AAEF,MAAM,uBAAuB,EAC3B,OAAO,EAMP,aAAa,EAAE,SAAS,CAAC,UAAU,CAAC,KAAK,EACxC,aACC,2HACD,CAAC,EACF,CAAC,CACD,UAAU;;;;AAKZ,MAAa,UAAU,YAAqC;CAC3D,MAAM,OAAO;EACZ,UAAU;EACV,QAAQ;EACR,GAAG;EACH,SAAS,SAAS,UAAU,KAAK,KAAK;EACtC;CAED,eAAe,SAAS,KAA6B,KAAa;AACjE,MAAI,KAAK,aAAa,SACrB,QAAO,MAAM,iBAAiB,IAAI;AAEnC,MAAI,OAAO,KAAK,aAAa,YAAY,UAAU,KAAK,SACvD,QAAO,MAAM,KAAK,SAAS,KAAK,IAAI;AAErC,MAAI,OAAO,KAAK,aAAa,YAAY,aAAa,KAAK,SAC1D,QAAO,MAAM,KAAK,SAAS,QAAQ,IAAI;AAExC,MAAI,KAAK,aAAa,YACrB,QAAO,MAAM,iBAAiB;GAC7B,KAAK,IAAI,QAAQ;GACjB,MAAM;GACN,CAAC;AAEH,SAAO;;CAGR,eAAe,WAAW,KAA6B,KAAa;AACnE,MAAI,KAAK,aAAa,SACrB,QAAO,MAAM,iBAAiB,IAAI;AAEnC,MAAI,KAAK,aAAa,YACrB,QAAO,MAAM,iBAAiB;GAC7B,KAAK,IAAI,QAAQ;GACjB,MAAM;GACN,CAAC;AAEH,MAAI,OAAO,KAAK,aAAa,YAAY,aAAa,KAAK,SAC1D,QAAO,MAAM,KAAK,SAAS,QAAQ,IAAI;AAExC,MAAI,OAAO,KAAK,aAAa,YAAY,UAAU,KAAK,SACvD,QAAO,MAAM,KAAK,SAAS,KAAK,IAAI;AAErC,SAAO;;AAqOR,QAAO;EACN,IAAI;EACJ,WAAW;GAgBV,kBAjPiB,mBAClB,wBACA;IACC,QAAQ;IACR,MAAM;IACN,UAAU,EACT,SAAS;KACR,SAAS;KACT,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,QAAI,CAAC,WAAW,CAAC,QAAQ,SAAS;AACjC,SAAI,QAAQ,OAAO,MAClB,oFACA;AACD,WAAM,SAAS,KAAK,eAAe;MAClC,SAAS;MACT,MAAM;MACN,CAAC;;IAEH,MAAM,EAAE,SAAS,QAAQ,MAAM,gBAAgB,IAAI;IACnD,MAAM,OAAO,qBAAqB,KAAK,QAAQ,MAAM;IACrD,MAAM,aAAa,MAAM,SAAS,KAAK,KAAK;AAC5C,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,OAAO,GAAG,WAAW;KACrB,YAAY,WAAW;KACvB,WAAW,IAAI,KAAK,KAAK,KAAK,GAAG,KAAK,OAAO;KAC7C,CAAC;IACF,MAAM,gBAAgB,QAAQ,QAC7B;KAAE,MAAM,QAAQ;KAA2B,KAAK;KAAM,EACtD,IACA;AACD,QAAI,yBAAyB,QAC5B,OAAM,IAAI,QAAQ,uBACjB,cAAc,OAAO,MAAe;AACnC,SAAI,QAAQ,OAAO,MAAM,iCAAiC,EAAE;MAC3D,CACF;AAEF,WAAO,IAAI,KAAK,EAAE,QAAQ,MAAM,CAAC;KAElC;GAqMC,oBAnMgB,mBACjB,0BACA;IACC,QAAQ;IACR,MAAM;IACN,UAAU,EACT,SAAS;KACR,SAAS;KACT,aAAa;KACb,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,OAAO;SACN,MAAM;SACN,aACC;SACD;QACD,MAAM;SACL,MAAM;SACN,YAAY;UACX,IAAI;WACH,MAAM;WACN,aAAa;WACb;UACD,OAAO;WACN,MAAM;WACN,QAAQ;WACR,UAAU;WACV,aAAa;WACb;UACD,eAAe;WACd,MAAM;WACN,UAAU;WACV,aAAa;WACb;UACD,MAAM;WACL,MAAM;WACN,UAAU;WACV,aAAa;WACb;UACD,OAAO;WACN,MAAM;WACN,QAAQ;WACR,UAAU;WACV,aAAa;WACb;UACD,WAAW;WACV,MAAM;WACN,QAAQ;WACR,aAAa;WACb;UACD,WAAW;WACV,MAAM;WACN,QAAQ;WACR,aACC;WACD;UACD;SACD,UAAU;UAAC;UAAM;UAAa;UAAY;SAC1C,aAAa;SACb;QACD;OACD,UAAU,CAAC,SAAS,OAAO;OAC3B,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,EAAE,SAAS,KAAK,OAAO,YAAY,MAAM,gBAAgB,IAAI;IACnE,MAAM,aACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,WAAW,MACX;IACF,MAAM,CAAC,KAAK,WAAW,YAAY,OAAO,MAAM,IAAI,IAAI,EAAE;IAC1D,MAAM,eAAe,MAAM,WAAW,KAAK,IAAK;AAChD,QAAI,CAAC,cAAc,WAAW,4BAAY,IAAI,MAAM,EAAE;AACrD,SAAI,WACH,OAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;AAEF,WAAM,SAAS,KACd,eACA,uBAAuB,gBACvB;;IAEF,MAAM,kBAAkB,SAAS,mBAAmB;AACpD,QAAI,SAAS,QAAS,IAAI,iBAAiB;AAC1C,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,GACX;AACD,WAAM,SAAS,KACd,eACA,uBAAuB,mCACvB;;AAMF,QAJoB,kBACnB,IAAI,aAAa,CAAC,OAAO,aAAa,EACtC,IAAI,aAAa,CAAC,OAAO,IAAI,KAAK,KAAK,CACvC,EACgB;AAChB,SAAI,CAAC,QAAQ,KAAK,kBAAkB;AACnC,UAAI,CAAC,QAAQ,QACZ,OAAM,SAAS,KACd,eACA,iBAAiB,yBACjB;MAEF,MAAM,cAAc,MAAM,IAAI,QAAQ,gBAAgB,WACrD,QAAQ,KAAK,IACb,EACC,kBAAkB,MAClB,CACD;MACD,MAAM,aAAa,MAAM,IAAI,QAAQ,gBAAgB,cACpD,QAAQ,KAAK,IACb,OACA,QAAQ,QACR;AACD,YAAM,IAAI,QAAQ,gBAAgB,cACjC,QAAQ,QAAQ,MAChB;AACD,YAAM,iBAAiB,KAAK;OAC3B,SAAS;OACT,MAAM;OACN,CAAC;AACF,aAAO,IAAI,KAAK;OACf,OAAO,WAAW;OAClB,MAAM;QACL,IAAI,YAAY;QAChB,OAAO,YAAY;QACnB,eAAe,YAAY;QAC3B,MAAM,YAAY;QAClB,OAAO,YAAY;QACnB,WAAW,YAAY;QACvB,WAAW,YAAY;QACvB;OACD,CAAC;;AAEH,YAAO,MAAM,IAAI;WACX;AACN,WAAM,IAAI,QAAQ,gBAAgB,wBACjC,WAAW,IACX,EACC,OAAO,GAAG,IAAI,IAAI,SAAS,SAAU,GAAG,IAAI,KAAK,KACjD,CACD;AACD,YAAO,QAAQ,eAAe;;KAGhC;GAqCC;EACD"}
package/dist/plugins/two-factor/totp/index.mjs CHANGED
@@ -4,9 +4,8 @@ import { sessionMiddleware } from "../../../api/routes/session.mjs";
4
4
  import "../../../api/index.mjs";
5
5
  import { TWO_FACTOR_ERROR_CODES } from "../error-code.mjs";
6
6
  import { verifyTwoFactor } from "../verify-two-factor.mjs";
7
- import { BASE_ERROR_CODES } from "@better-auth/core/error";
7
+ import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
8
8
  import * as z from "zod";
9
- import { APIError } from "better-call";
10
9
  import { createAuthEndpoint } from "@better-auth/core/api";
11
10
  import { createOTP } from "@better-auth/utils/otp";
12
11
 
@@ -44,7 +43,10 @@ const totp2fa = (options) => {
44
43
  }, async (ctx) => {
45
44
  if (options?.disable) {
46
45
  ctx.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp");
47
- throw new APIError("BAD_REQUEST", { message: "totp isn't configured" });
46
+ throw APIError.from("BAD_REQUEST", {
47
+ message: "totp isn't configured",
48
+ code: "TOTP_NOT_CONFIGURED"
49
+ });
48
50
  }
49
51
  return { code: await createOTP(ctx.body.secret, {
50
52
  period: opts.period,
@@ -69,7 +71,10 @@ const totp2fa = (options) => {
69
71
  }, async (ctx) => {
70
72
  if (options?.disable) {
71
73
  ctx.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp");
72
- throw new APIError("BAD_REQUEST", { message: "totp isn't configured" });
74
+ throw APIError.from("BAD_REQUEST", {
75
+ message: "totp isn't configured",
76
+ code: "TOTP_NOT_CONFIGURED"
77
+ });
73
78
  }
74
79
  const user = ctx.context.session.user;
75
80
  const twoFactor = await ctx.context.adapter.findOne({
@@ -79,7 +84,7 @@ const totp2fa = (options) => {
79
84
  value: user.id
80
85
  }]
81
86
  });
82
- if (!twoFactor) throw new APIError("BAD_REQUEST", { message: TWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED });
87
+ if (!twoFactor) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED);
83
88
  const secret = await symmetricDecrypt({
84
89
  key: ctx.context.secret,
85
90
  data: twoFactor.secret
@@ -107,7 +112,10 @@ const totp2fa = (options) => {
107
112
  }, async (ctx) => {
108
113
  if (options?.disable) {
109
114
  ctx.context.logger.error("totp isn't configured. please pass totp option on two factor plugin to enable totp");
110
- throw new APIError("BAD_REQUEST", { message: "totp isn't configured" });
115
+ throw APIError.from("BAD_REQUEST", {
116
+ message: "totp isn't configured",
117
+ code: "TOTP_NOT_CONFIGURED"
118
+ });
111
119
  }
112
120
  const { session, valid, invalid } = await verifyTwoFactor(ctx);
113
121
  const user = session.user;
@@ -118,7 +126,7 @@ const totp2fa = (options) => {
118
126
  value: user.id
119
127
  }]
120
128
  });
121
- if (!twoFactor) throw new APIError("BAD_REQUEST", { message: TWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED });
129
+ if (!twoFactor) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED);
122
130
  if (!await createOTP(await symmetricDecrypt({
123
131
  key: ctx.context.secret,
124
132
  data: twoFactor.secret
@@ -127,7 +135,7 @@ const totp2fa = (options) => {
127
135
  digits: opts.digits
128
136
  }).verify(ctx.body.code)) return invalid("INVALID_CODE");
129
137
  if (!user.twoFactorEnabled) {
130
- if (!session.session) throw new APIError("BAD_REQUEST", { message: BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION });
138
+ if (!session.session) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
131
139
  const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: true });
132
140
  const newSession = await ctx.context.internalAdapter.createSession(user.id, false, session.session).catch((e) => {
133
141
  throw e;