better-auth 1.5.4 → 1.5.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (117) hide show
  1. package/dist/adapters/index.d.mts +25 -1
  2. package/dist/adapters/index.mjs +9 -1
  3. package/dist/adapters/index.mjs.map +1 -0
  4. package/dist/api/index.d.mts +36 -10
  5. package/dist/api/index.mjs +19 -4
  6. package/dist/api/index.mjs.map +1 -1
  7. package/dist/api/middlewares/origin-check.mjs +17 -8
  8. package/dist/api/middlewares/origin-check.mjs.map +1 -1
  9. package/dist/api/routes/account.d.mts +1 -1
  10. package/dist/api/routes/email-verification.d.mts +0 -1
  11. package/dist/api/routes/password.d.mts +1 -0
  12. package/dist/api/routes/password.mjs +2 -1
  13. package/dist/api/routes/password.mjs.map +1 -1
  14. package/dist/api/routes/session.d.mts +0 -1
  15. package/dist/api/routes/sign-in.d.mts +16 -2
  16. package/dist/api/routes/sign-in.mjs +10 -2
  17. package/dist/api/routes/sign-in.mjs.map +1 -1
  18. package/dist/api/routes/sign-up.d.mts +0 -1
  19. package/dist/api/routes/sign-up.mjs +3 -2
  20. package/dist/api/routes/sign-up.mjs.map +1 -1
  21. package/dist/api/routes/update-session.d.mts +0 -1
  22. package/dist/api/routes/update-user.d.mts +0 -1
  23. package/dist/api/to-auth-endpoints.mjs +49 -12
  24. package/dist/api/to-auth-endpoints.mjs.map +1 -1
  25. package/dist/auth/full.d.mts +0 -1
  26. package/dist/auth/minimal.d.mts +0 -1
  27. package/dist/client/index.d.mts +3 -4
  28. package/dist/client/index.mjs.map +1 -1
  29. package/dist/client/path-to-object.d.mts +9 -2
  30. package/dist/client/query.mjs +3 -2
  31. package/dist/client/query.mjs.map +1 -1
  32. package/dist/client/session-refresh.d.mts +11 -3
  33. package/dist/client/session-refresh.mjs +13 -8
  34. package/dist/client/session-refresh.mjs.map +1 -1
  35. package/dist/client/types.d.mts +0 -1
  36. package/dist/context/create-context.mjs +4 -1
  37. package/dist/context/create-context.mjs.map +1 -1
  38. package/dist/context/helpers.mjs +10 -4
  39. package/dist/context/helpers.mjs.map +1 -1
  40. package/dist/cookies/index.d.mts +0 -1
  41. package/dist/cookies/session-store.d.mts +0 -2
  42. package/dist/db/get-migration.mjs +3 -2
  43. package/dist/db/get-migration.mjs.map +1 -1
  44. package/dist/db/index.d.mts +2 -2
  45. package/dist/db/internal-adapter.d.mts +2 -1
  46. package/dist/db/internal-adapter.mjs +1 -1
  47. package/dist/db/internal-adapter.mjs.map +1 -1
  48. package/dist/db/schema.d.mts +0 -1
  49. package/dist/db/with-hooks.d.mts +6 -2
  50. package/dist/db/with-hooks.mjs +72 -31
  51. package/dist/db/with-hooks.mjs.map +1 -1
  52. package/dist/index.d.mts +0 -2
  53. package/dist/integrations/node.d.mts +0 -1
  54. package/dist/oauth2/link-account.d.mts +0 -1
  55. package/dist/plugins/admin/access/statement.d.mts +0 -2
  56. package/dist/plugins/admin/admin.d.mts +0 -1
  57. package/dist/plugins/admin/client.d.mts +0 -2
  58. package/dist/plugins/admin/types.d.mts +0 -2
  59. package/dist/plugins/anonymous/types.d.mts +0 -1
  60. package/dist/plugins/email-otp/index.mjs +2 -1
  61. package/dist/plugins/email-otp/index.mjs.map +1 -1
  62. package/dist/plugins/email-otp/otp-token.mjs +31 -2
  63. package/dist/plugins/email-otp/otp-token.mjs.map +1 -1
  64. package/dist/plugins/email-otp/routes.mjs +60 -59
  65. package/dist/plugins/email-otp/routes.mjs.map +1 -1
  66. package/dist/plugins/email-otp/types.d.mts +12 -0
  67. package/dist/plugins/email-otp/utils.mjs +4 -1
  68. package/dist/plugins/email-otp/utils.mjs.map +1 -1
  69. package/dist/plugins/generic-oauth/client.d.mts +0 -1
  70. package/dist/plugins/generic-oauth/index.d.mts +0 -1
  71. package/dist/plugins/index.d.mts +0 -3
  72. package/dist/plugins/jwt/types.d.mts +0 -1
  73. package/dist/plugins/magic-link/index.d.mts +2 -0
  74. package/dist/plugins/magic-link/index.mjs +5 -3
  75. package/dist/plugins/magic-link/index.mjs.map +1 -1
  76. package/dist/plugins/mcp/index.d.mts +0 -1
  77. package/dist/plugins/oidc-provider/authorize.mjs +13 -4
  78. package/dist/plugins/oidc-provider/authorize.mjs.map +1 -1
  79. package/dist/plugins/oidc-provider/error.mjs +12 -2
  80. package/dist/plugins/oidc-provider/error.mjs.map +1 -1
  81. package/dist/plugins/oidc-provider/index.d.mts +0 -1
  82. package/dist/plugins/oidc-provider/types.d.mts +0 -1
  83. package/dist/plugins/one-time-token/index.d.mts +0 -1
  84. package/dist/plugins/organization/access/statement.d.mts +0 -2
  85. package/dist/plugins/organization/adapter.d.mts +0 -2
  86. package/dist/plugins/organization/adapter.mjs +2 -2
  87. package/dist/plugins/organization/adapter.mjs.map +1 -1
  88. package/dist/plugins/organization/client.d.mts +0 -5
  89. package/dist/plugins/organization/organization.d.mts +0 -2
  90. package/dist/plugins/organization/permission.d.mts +0 -1
  91. package/dist/plugins/organization/routes/crud-access-control.d.mts +0 -2
  92. package/dist/plugins/organization/routes/crud-invites.d.mts +0 -3
  93. package/dist/plugins/organization/routes/crud-invites.mjs +1 -1
  94. package/dist/plugins/organization/routes/crud-invites.mjs.map +1 -1
  95. package/dist/plugins/organization/routes/crud-members.d.mts +0 -3
  96. package/dist/plugins/organization/routes/crud-members.mjs +1 -1
  97. package/dist/plugins/organization/routes/crud-members.mjs.map +1 -1
  98. package/dist/plugins/organization/routes/crud-org.d.mts +0 -3
  99. package/dist/plugins/organization/routes/crud-team.d.mts +2 -3
  100. package/dist/plugins/organization/routes/crud-team.mjs +18 -14
  101. package/dist/plugins/organization/routes/crud-team.mjs.map +1 -1
  102. package/dist/plugins/organization/schema.d.mts +0 -1
  103. package/dist/plugins/organization/types.d.mts +0 -2
  104. package/dist/plugins/phone-number/types.d.mts +0 -1
  105. package/dist/plugins/siwe/index.d.mts +0 -1
  106. package/dist/plugins/test-utils/types.d.mts +0 -2
  107. package/dist/plugins/two-factor/client.d.mts +7 -0
  108. package/dist/plugins/two-factor/client.mjs +5 -1
  109. package/dist/plugins/two-factor/client.mjs.map +1 -1
  110. package/dist/plugins/two-factor/index.mjs +7 -1
  111. package/dist/plugins/two-factor/index.mjs.map +1 -1
  112. package/dist/plugins/two-factor/otp/index.d.mts +2 -2
  113. package/dist/plugins/two-factor/otp/index.mjs.map +1 -1
  114. package/dist/plugins/two-factor/types.d.mts +7 -1
  115. package/dist/test-utils/test-instance.d.mts +108 -21
  116. package/dist/types/index.d.mts +0 -1
  117. package/package.json +13 -10
package/dist/plugins/index.d.mts CHANGED
@@ -2,13 +2,11 @@ import { InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPlug
2
2
  import { HIDE_METADATA } from "../utils/hide-metadata.mjs";
3
3
  import { AccessControl, ArrayElement, Role, Statements, SubArray, Subset } from "./access/types.mjs";
4
4
  import { AuthorizeResponse, createAccessControl, role } from "./access/access.mjs";
5
- import "./access/index.mjs";
6
5
  import { OrganizationOptions } from "./organization/types.mjs";
7
6
  import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "./organization/schema.mjs";
8
7
  import { getOrgAdapter } from "./organization/adapter.mjs";
9
8
  import { AdminOptions, InferAdminRolesFromOption, SessionWithImpersonatedBy, UserWithRole } from "./admin/types.mjs";
10
9
  import { admin } from "./admin/admin.mjs";
11
- import "./admin/index.mjs";
12
10
  import { AnonymousOptions, AnonymousSession, UserWithAnonymous } from "./anonymous/types.mjs";
13
11
  import { anonymous } from "./anonymous/index.mjs";
14
12
  import { BearerOptions, bearer } from "./bearer/index.mjs";
@@ -64,5 +62,4 @@ import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
64
62
  import { UsernameOptions, username } from "./username/index.mjs";
65
63
  import { hasPermission } from "./organization/has-permission.mjs";
66
64
  import { DefaultOrganizationPlugin, DynamicAccessControlEndpoints, OrganizationCreator, OrganizationEndpoints, OrganizationPlugin, TeamEndpoints, organization, parseRoles } from "./organization/organization.mjs";
67
- import "./organization/index.mjs";
68
65
  export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };
package/dist/plugins/jwt/types.d.mts CHANGED
@@ -1,6 +1,5 @@
1
1
  import { Session, User } from "../../types/models.mjs";
2
2
  import { InferOptionSchema } from "../../types/plugins.mjs";
3
- import "../../types/index.mjs";
4
3
  import { schema } from "./schema.mjs";
5
4
  import { Awaitable, GenericEndpointContext } from "@better-auth/core";
6
5
  import { JWTPayload } from "jose";
package/dist/plugins/magic-link/index.d.mts CHANGED
@@ -29,6 +29,7 @@ interface MagicLinkOptions {
29
29
  email: string;
30
30
  url: string;
31
31
  token: string;
32
+ metadata?: Record<string, any>;
32
33
  }, ctx?: GenericEndpointContext | undefined) => Awaitable<void>;
33
34
  /**
34
35
  * Disable sign up if user is not found.
@@ -90,6 +91,7 @@ declare const magicLink: (options: MagicLinkOptions) => {
90
91
  callbackURL: z.ZodOptional<z.ZodString>;
91
92
  newUserCallbackURL: z.ZodOptional<z.ZodString>;
92
93
  errorCallbackURL: z.ZodOptional<z.ZodString>;
94
+ metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
93
95
  }, z.core.$strip>;
94
96
  metadata: {
95
97
  openapi: {
package/dist/plugins/magic-link/index.mjs CHANGED
@@ -14,7 +14,8 @@ const signInMagicLinkBodySchema = z.object({
14
14
  name: z.string().meta({ description: "User display name. Only used if the user is registering for the first time. Eg: \"my-name\"" }).optional(),
15
15
  callbackURL: z.string().meta({ description: "URL to redirect after magic link verification" }).optional(),
16
16
  newUserCallbackURL: z.string().meta({ description: "URL to redirect after new user signup. Only used if the user is registering for the first time." }).optional(),
17
- errorCallbackURL: z.string().meta({ description: "URL to redirect after error." }).optional()
17
+ errorCallbackURL: z.string().meta({ description: "URL to redirect after error." }).optional(),
18
+ metadata: z.record(z.string(), z.any()).meta({ description: "Additional metadata to pass to sendMagicLink." }).optional()
18
19
  });
19
20
  const magicLinkVerifyQuerySchema = z.object({
20
21
  token: z.string().meta({ description: "Verification token" }),
@@ -52,7 +53,7 @@ const magicLink = (options) => {
52
53
  } }
53
54
  } }
54
55
  }, async (ctx) => {
55
- const { email } = ctx.body;
56
+ const { email, metadata } = ctx.body;
56
57
  const verificationToken = opts?.generateToken ? await opts.generateToken(email) : generateRandomString(32, "a-z", "A-Z");
57
58
  const storedToken = await storeToken(ctx, verificationToken);
58
59
  await ctx.context.internalAdapter.createVerificationValue({
@@ -75,7 +76,8 @@ const magicLink = (options) => {
75
76
  await options.sendMagicLink({
76
77
  email,
77
78
  url: url.toString(),
78
- token: verificationToken
79
+ token: verificationToken,
80
+ metadata
79
81
  }, ctx);
80
82
  return ctx.json({ status: true });
81
83
  }),
package/dist/plugins/magic-link/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/magic-link/index.ts"],"sourcesContent":["import type {\n\tAwaitable,\n\tBetterAuthPlugin,\n\tGenericEndpointContext,\n} from \"@better-auth/core\";\nimport { createAuthEndpoint } from \"@better-auth/core/api\";\nimport * as z from \"zod\";\nimport { originCheck } from \"../../api\";\nimport { setSessionCookie } from \"../../cookies\";\nimport { generateRandomString } from \"../../crypto\";\nimport { parseUserOutput } from \"../../db/schema\";\nimport { defaultKeyHasher } from \"./utils\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"magic-link\": {\n\t\t\tcreator: typeof magicLink;\n\t\t};\n\t}\n}\n\nexport interface MagicLinkOptions {\n\t/**\n\t * Time in seconds until the magic link expires.\n\t * @default (60 * 5) // 5 minutes\n\t */\n\texpiresIn?: number | undefined;\n\t/**\n\t * Allowed attempts for verifying the magic link token.\n\t * Note: Passing Infinity will allow unlimited attempts.\n\t * @default 1\n\t */\n\tallowedAttempts?: number;\n\t/**\n\t * Send magic link implementation.\n\t */\n\tsendMagicLink: (\n\t\tdata: {\n\t\t\temail: string;\n\t\t\turl: string;\n\t\t\ttoken: string;\n\t\t},\n\t\tctx?: GenericEndpointContext | undefined,\n\t) => Awaitable<void>;\n\t/**\n\t * Disable sign up if user is not found.\n\t *\n\t * @default false\n\t */\n\tdisableSignUp?: boolean | undefined;\n\t/**\n\t * Rate limit configuration.\n\t *\n\t * @default {\n\t * window: 60,\n\t * max: 5,\n\t * }\n\t */\n\trateLimit?:\n\t\t| {\n\t\t\t\twindow: number;\n\t\t\t\tmax: number;\n\t\t }\n\t\t| undefined;\n\t/**\n\t * Custom function to generate a token\n\t */\n\tgenerateToken?: ((email: string) => Awaitable<string>) | undefined;\n\n\t/**\n\t * This option allows you to configure how the token is stored in your database.\n\t * Note: This will not affect the token that's sent, it will only affect the token stored in your database.\n\t *\n\t * @default \"plain\"\n\t */\n\tstoreToken?:\n\t\t| (\n\t\t\t\t| \"plain\"\n\t\t\t\t| \"hashed\"\n\t\t\t\t| { type: \"custom-hasher\"; hash: (token: string) => Promise<string> }\n\t\t )\n\t\t| undefined;\n}\n\nconst signInMagicLinkBodySchema = z.object({\n\temail: z.email().meta({\n\t\tdescription: \"Email address to send the magic link\",\n\t}),\n\tname: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'User display name. Only used if the user is registering for the first time. Eg: \"my-name\"',\n\t\t})\n\t\t.optional(),\n\tcallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after magic link verification\",\n\t\t})\n\t\t.optional(),\n\tnewUserCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"URL to redirect after new user signup. Only used if the user is registering for the first time.\",\n\t\t})\n\t\t.optional(),\n\terrorCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after error.\",\n\t\t})\n\t\t.optional(),\n});\nconst magicLinkVerifyQuerySchema = z.object({\n\ttoken: z.string().meta({\n\t\tdescription: \"Verification token\",\n\t}),\n\tcallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'URL to redirect after magic link verification, if not provided the user will be redirected to the root URL. Eg: \"/dashboard\"',\n\t\t})\n\t\t.optional(),\n\terrorCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after error.\",\n\t\t})\n\t\t.optional(),\n\tnewUserCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"URL to redirect after new user signup. Only used if the user is registering for the first time.\",\n\t\t})\n\t\t.optional(),\n});\nexport const magicLink = (options: MagicLinkOptions) => {\n\tconst opts = {\n\t\tstoreToken: \"plain\",\n\t\tallowedAttempts: 1,\n\t\t...options,\n\t} satisfies MagicLinkOptions;\n\n\tasync function storeToken(ctx: GenericEndpointContext, token: string) {\n\t\tif (opts.storeToken === \"hashed\") {\n\t\t\treturn await defaultKeyHasher(token);\n\t\t}\n\t\tif (\n\t\t\ttypeof opts.storeToken === \"object\" &&\n\t\t\t\"type\" in opts.storeToken &&\n\t\t\topts.storeToken.type === \"custom-hasher\"\n\t\t) {\n\t\t\treturn await opts.storeToken.hash(token);\n\t\t}\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tid: \"magic-link\",\n\t\tendpoints: {\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/sign-in/magic-link`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.signInMagicLink`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.signIn.magicLink`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/sign-in#api-method-sign-in-magic-link)\n\t\t\t */\n\t\t\tsignInMagicLink: createAuthEndpoint(\n\t\t\t\t\"/sign-in/magic-link\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\trequireHeaders: true,\n\t\t\t\t\tbody: signInMagicLinkBodySchema,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\toperationId: \"signInWithMagicLink\",\n\t\t\t\t\t\t\tdescription: \"Sign in with magic link\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst { email } = ctx.body;\n\n\t\t\t\t\tconst verificationToken = opts?.generateToken\n\t\t\t\t\t\t? await opts.generateToken(email)\n\t\t\t\t\t\t: generateRandomString(32, \"a-z\", \"A-Z\");\n\t\t\t\t\tconst storedToken = await storeToken(ctx, verificationToken);\n\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\tidentifier: storedToken,\n\t\t\t\t\t\tvalue: JSON.stringify({ email, name: ctx.body.name, attempt: 0 }),\n\t\t\t\t\t\texpiresAt: new Date(Date.now() + (opts.expiresIn || 60 * 5) * 1000),\n\t\t\t\t\t});\n\t\t\t\t\tconst realBaseURL = new URL(ctx.context.baseURL);\n\t\t\t\t\tconst pathname =\n\t\t\t\t\t\trealBaseURL.pathname === \"/\" ? \"\" : realBaseURL.pathname;\n\t\t\t\t\tconst basePath = pathname ? \"\" : ctx.context.options.basePath || \"\";\n\t\t\t\t\tconst url = new URL(\n\t\t\t\t\t\t`${pathname}${basePath}/magic-link/verify`,\n\t\t\t\t\t\trealBaseURL.origin,\n\t\t\t\t\t);\n\t\t\t\t\turl.searchParams.set(\"token\", verificationToken);\n\t\t\t\t\turl.searchParams.set(\"callbackURL\", ctx.body.callbackURL || \"/\");\n\t\t\t\t\tif (ctx.body.newUserCallbackURL) {\n\t\t\t\t\t\turl.searchParams.set(\n\t\t\t\t\t\t\t\"newUserCallbackURL\",\n\t\t\t\t\t\t\tctx.body.newUserCallbackURL,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tif (ctx.body.errorCallbackURL) {\n\t\t\t\t\t\turl.searchParams.set(\"errorCallbackURL\", ctx.body.errorCallbackURL);\n\t\t\t\t\t}\n\t\t\t\t\tawait options.sendMagicLink(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\turl: url.toString(),\n\t\t\t\t\t\t\ttoken: verificationToken,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tctx,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\tstatus: true,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * GET `/magic-link/verify`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.magicLinkVerify`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.magicLink.verify`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/magic-link#api-method-magic-link-verify)\n\t\t\t */\n\t\t\tmagicLinkVerify: createAuthEndpoint(\n\t\t\t\t\"/magic-link/verify\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tquery: magicLinkVerifyQuerySchema,\n\t\t\t\t\tuse: [\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.callbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.callbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.newUserCallbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.newUserCallbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.errorCallbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.errorCallbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t],\n\t\t\t\t\trequireHeaders: true,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\toperationId: \"verifyMagicLink\",\n\t\t\t\t\t\t\tdescription: \"Verify magic link\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/Session\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst token = ctx.query.token;\n\t\t\t\t\t// If the first argument provides the origin, it will ignore the second argument of `new URL`.\n\t\t\t\t\t// new URL(\"http://localhost:3001/hello\", \"http://localhost:3000\").toString()\n\t\t\t\t\t// Returns http://localhost:3001/hello\n\t\t\t\t\tconst callbackURL = new URL(\n\t\t\t\t\t\tctx.query.callbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.callbackURL)\n\t\t\t\t\t\t\t: \"/\",\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t).toString();\n\t\t\t\t\tconst errorCallbackURL = new URL(\n\t\t\t\t\t\tctx.query.errorCallbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.errorCallbackURL)\n\t\t\t\t\t\t\t: callbackURL,\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t);\n\n\t\t\t\t\tfunction redirectWithError(error: string): never {\n\t\t\t\t\t\terrorCallbackURL.searchParams.set(\"error\", error);\n\t\t\t\t\t\tthrow ctx.redirect(errorCallbackURL.toString());\n\t\t\t\t\t}\n\n\t\t\t\t\tconst newUserCallbackURL = new URL(\n\t\t\t\t\t\tctx.query.newUserCallbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.newUserCallbackURL)\n\t\t\t\t\t\t\t: callbackURL,\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t).toString();\n\t\t\t\t\tconst storedToken = await storeToken(ctx, token);\n\t\t\t\t\tconst tokenValue =\n\t\t\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t);\n\t\t\t\t\tif (!tokenValue) {\n\t\t\t\t\t\tredirectWithError(\"INVALID_TOKEN\");\n\t\t\t\t\t}\n\t\t\t\t\tif (tokenValue.expiresAt < new Date()) {\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tredirectWithError(\"EXPIRED_TOKEN\");\n\t\t\t\t\t}\n\t\t\t\t\tconst {\n\t\t\t\t\t\temail,\n\t\t\t\t\t\tname,\n\t\t\t\t\t\tattempt = 0,\n\t\t\t\t\t} = JSON.parse(tokenValue.value) as {\n\t\t\t\t\t\temail: string;\n\t\t\t\t\t\tname?: string | undefined;\n\t\t\t\t\t\tattempt?: number | undefined;\n\t\t\t\t\t};\n\t\t\t\t\tif (attempt >= opts.allowedAttempts) {\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tredirectWithError(\"ATTEMPTS_EXCEEDED\");\n\t\t\t\t\t}\n\t\t\t\t\tawait ctx.context.internalAdapter.updateVerificationByIdentifier(\n\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tvalue: JSON.stringify({\n\t\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\t\tattempt: attempt + 1,\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\n\t\t\t\t\tlet isNewUser = false;\n\t\t\t\t\tlet user = await ctx.context.internalAdapter\n\t\t\t\t\t\t.findUserByEmail(email)\n\t\t\t\t\t\t.then((res) => res?.user);\n\n\t\t\t\t\tif (!user) {\n\t\t\t\t\t\tif (!opts.disableSignUp) {\n\t\t\t\t\t\t\tconst newUser = await ctx.context.internalAdapter.createUser({\n\t\t\t\t\t\t\t\temail: email,\n\t\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t\t\tname: name || \"\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tisNewUser = true;\n\t\t\t\t\t\t\tuser = newUser;\n\t\t\t\t\t\t\tif (!user) {\n\t\t\t\t\t\t\t\tredirectWithError(\"failed_to_create_user\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tredirectWithError(\"new_user_signup_disabled\");\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!user.emailVerified) {\n\t\t\t\t\t\tuser = await ctx.context.internalAdapter.updateUser(user.id, {\n\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tuser.id,\n\t\t\t\t\t);\n\n\t\t\t\t\tif (!session) {\n\t\t\t\t\t\tredirectWithError(\"failed_to_create_session\");\n\t\t\t\t\t}\n\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession,\n\t\t\t\t\t\tuser,\n\t\t\t\t\t});\n\t\t\t\t\tif (!ctx.query.callbackURL) {\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\ttoken: session.token,\n\t\t\t\t\t\t\tuser: parseUserOutput(ctx.context.options, user),\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (isNewUser) {\n\t\t\t\t\t\tthrow ctx.redirect(newUserCallbackURL);\n\t\t\t\t\t}\n\t\t\t\t\tthrow ctx.redirect(callbackURL);\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\trateLimit: [\n\t\t\t{\n\t\t\t\tpathMatcher(path) {\n\t\t\t\t\treturn (\n\t\t\t\t\t\tpath.startsWith(\"/sign-in/magic-link\") ||\n\t\t\t\t\t\tpath.startsWith(\"/magic-link/verify\")\n\t\t\t\t\t);\n\t\t\t\t},\n\t\t\t\twindow: opts.rateLimit?.window || 60,\n\t\t\t\tmax: opts.rateLimit?.max || 5,\n\t\t\t},\n\t\t],\n\t\toptions,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;;;;AAoFA,MAAM,4BAA4B,EAAE,OAAO;CAC1C,OAAO,EAAE,OAAO,CAAC,KAAK,EACrB,aAAa,wCACb,CAAC;CACF,MAAM,EACJ,QAAQ,CACR,KAAK,EACL,aACC,+FACD,CAAC,CACD,UAAU;CACZ,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aAAa,iDACb,CAAC,CACD,UAAU;CACZ,oBAAoB,EAClB,QAAQ,CACR,KAAK,EACL,aACC,mGACD,CAAC,CACD,UAAU;CACZ,kBAAkB,EAChB,QAAQ,CACR,KAAK,EACL,aAAa,gCACb,CAAC,CACD,UAAU;CACZ,CAAC;AACF,MAAM,6BAA6B,EAAE,OAAO;CAC3C,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,sBACb,CAAC;CACF,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aACC,kIACD,CAAC,CACD,UAAU;CACZ,kBAAkB,EAChB,QAAQ,CACR,KAAK,EACL,aAAa,gCACb,CAAC,CACD,UAAU;CACZ,oBAAoB,EAClB,QAAQ,CACR,KAAK,EACL,aACC,mGACD,CAAC,CACD,UAAU;CACZ,CAAC;AACF,MAAa,aAAa,YAA8B;CACvD,MAAM,OAAO;EACZ,YAAY;EACZ,iBAAiB;EACjB,GAAG;EACH;CAED,eAAe,WAAW,KAA6B,OAAe;AACrE,MAAI,KAAK,eAAe,SACvB,QAAO,MAAM,iBAAiB,MAAM;AAErC,MACC,OAAO,KAAK,eAAe,YAC3B,UAAU,KAAK,cACf,KAAK,WAAW,SAAS,gBAEzB,QAAO,MAAM,KAAK,WAAW,KAAK,MAAM;AAEzC,SAAO;;AAGR,QAAO;EACN,IAAI;EACJ,WAAW;GAgBV,iBAAiB,mBAChB,uBACA;IACC,QAAQ;IACR,gBAAgB;IAChB,MAAM;IACN,UAAU,EACT,SAAS;KACR,aAAa;KACb,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,EAAE,UAAU,IAAI;IAEtB,MAAM,oBAAoB,MAAM,gBAC7B,MAAM,KAAK,cAAc,MAAM,GAC/B,qBAAqB,IAAI,OAAO,MAAM;IACzC,MAAM,cAAc,MAAM,WAAW,KAAK,kBAAkB;AAC5D,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,YAAY;KACZ,OAAO,KAAK,UAAU;MAAE;MAAO,MAAM,IAAI,KAAK;MAAM,SAAS;MAAG,CAAC;KACjE,WAAW,IAAI,KAAK,KAAK,KAAK,IAAI,KAAK,aAAa,OAAU,IAAK;KACnE,CAAC;IACF,MAAM,cAAc,IAAI,IAAI,IAAI,QAAQ,QAAQ;IAChD,MAAM,WACL,YAAY,aAAa,MAAM,KAAK,YAAY;IACjD,MAAM,WAAW,WAAW,KAAK,IAAI,QAAQ,QAAQ,YAAY;IACjE,MAAM,MAAM,IAAI,IACf,GAAG,WAAW,SAAS,qBACvB,YAAY,OACZ;AACD,QAAI,aAAa,IAAI,SAAS,kBAAkB;AAChD,QAAI,aAAa,IAAI,eAAe,IAAI,KAAK,eAAe,IAAI;AAChE,QAAI,IAAI,KAAK,mBACZ,KAAI,aAAa,IAChB,sBACA,IAAI,KAAK,mBACT;AAEF,QAAI,IAAI,KAAK,iBACZ,KAAI,aAAa,IAAI,oBAAoB,IAAI,KAAK,iBAAiB;AAEpE,UAAM,QAAQ,cACb;KACC;KACA,KAAK,IAAI,UAAU;KACnB,OAAO;KACP,EACD,IACA;AACD,WAAO,IAAI,KAAK,EACf,QAAQ,MACR,CAAC;KAEH;GAgBD,iBAAiB,mBAChB,sBACA;IACC,QAAQ;IACR,OAAO;IACP,KAAK;KACJ,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,cACd,mBAAmB,IAAI,MAAM,YAAY,GACzC;OACF;KACF,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,qBACd,mBAAmB,IAAI,MAAM,mBAAmB,GAChD;OACF;KACF,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,mBACd,mBAAmB,IAAI,MAAM,iBAAiB,GAC9C;OACF;KACF;IACD,gBAAgB;IAChB,UAAU,EACT,SAAS;KACR,aAAa;KACb,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,SAAS,EACR,MAAM,gCACN;QACD,MAAM,EACL,MAAM,6BACN;QACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,QAAQ,IAAI,MAAM;IAIxB,MAAM,cAAc,IAAI,IACvB,IAAI,MAAM,cACP,mBAAmB,IAAI,MAAM,YAAY,GACzC,KACH,IAAI,QAAQ,QACZ,CAAC,UAAU;IACZ,MAAM,mBAAmB,IAAI,IAC5B,IAAI,MAAM,mBACP,mBAAmB,IAAI,MAAM,iBAAiB,GAC9C,aACH,IAAI,QAAQ,QACZ;IAED,SAAS,kBAAkB,OAAsB;AAChD,sBAAiB,aAAa,IAAI,SAAS,MAAM;AACjD,WAAM,IAAI,SAAS,iBAAiB,UAAU,CAAC;;IAGhD,MAAM,qBAAqB,IAAI,IAC9B,IAAI,MAAM,qBACP,mBAAmB,IAAI,MAAM,mBAAmB,GAChD,aACH,IAAI,QAAQ,QACZ,CAAC,UAAU;IACZ,MAAM,cAAc,MAAM,WAAW,KAAK,MAAM;IAChD,MAAM,aACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,YACA;AACF,QAAI,CAAC,WACJ,mBAAkB,gBAAgB;AAEnC,QAAI,WAAW,4BAAY,IAAI,MAAM,EAAE;AACtC,WAAM,IAAI,QAAQ,gBAAgB,+BACjC,YACA;AACD,uBAAkB,gBAAgB;;IAEnC,MAAM,EACL,OACA,MACA,UAAU,MACP,KAAK,MAAM,WAAW,MAAM;AAKhC,QAAI,WAAW,KAAK,iBAAiB;AACpC,WAAM,IAAI,QAAQ,gBAAgB,+BACjC,YACA;AACD,uBAAkB,oBAAoB;;AAEvC,UAAM,IAAI,QAAQ,gBAAgB,+BACjC,aACA,EACC,OAAO,KAAK,UAAU;KACrB;KACA;KACA,SAAS,UAAU;KACnB,CAAC,EACF,CACD;IAED,IAAI,YAAY;IAChB,IAAI,OAAO,MAAM,IAAI,QAAQ,gBAC3B,gBAAgB,MAAM,CACtB,MAAM,QAAQ,KAAK,KAAK;AAE1B,QAAI,CAAC,KACJ,KAAI,CAAC,KAAK,eAAe;KACxB,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,WAAW;MACrD;MACP,eAAe;MACf,MAAM,QAAQ;MACd,CAAC;AACF,iBAAY;AACZ,YAAO;AACP,SAAI,CAAC,KACJ,mBAAkB,wBAAwB;UAG3C,mBAAkB,2BAA2B;AAI/C,QAAI,CAAC,KAAK,cACT,QAAO,MAAM,IAAI,QAAQ,gBAAgB,WAAW,KAAK,IAAI,EAC5D,eAAe,MACf,CAAC;IAGH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,KAAK,GACL;AAED,QAAI,CAAC,QACJ,mBAAkB,2BAA2B;AAG9C,UAAM,iBAAiB,KAAK;KAC3B;KACA;KACA,CAAC;AACF,QAAI,CAAC,IAAI,MAAM,YACd,QAAO,IAAI,KAAK;KACf,OAAO,QAAQ;KACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,KAAK;KAChD,CAAC;AAEH,QAAI,UACH,OAAM,IAAI,SAAS,mBAAmB;AAEvC,UAAM,IAAI,SAAS,YAAY;KAEhC;GACD;EACD,WAAW,CACV;GACC,YAAY,MAAM;AACjB,WACC,KAAK,WAAW,sBAAsB,IACtC,KAAK,WAAW,qBAAqB;;GAGvC,QAAQ,KAAK,WAAW,UAAU;GAClC,KAAK,KAAK,WAAW,OAAO;GAC5B,CACD;EACD;EACA"}
1
+ {"version":3,"file":"index.mjs","names":[],"sources":["../../../src/plugins/magic-link/index.ts"],"sourcesContent":["import type {\n\tAwaitable,\n\tBetterAuthPlugin,\n\tGenericEndpointContext,\n} from \"@better-auth/core\";\nimport { createAuthEndpoint } from \"@better-auth/core/api\";\nimport * as z from \"zod\";\nimport { originCheck } from \"../../api\";\nimport { setSessionCookie } from \"../../cookies\";\nimport { generateRandomString } from \"../../crypto\";\nimport { parseUserOutput } from \"../../db/schema\";\nimport { defaultKeyHasher } from \"./utils\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"magic-link\": {\n\t\t\tcreator: typeof magicLink;\n\t\t};\n\t}\n}\n\nexport interface MagicLinkOptions {\n\t/**\n\t * Time in seconds until the magic link expires.\n\t * @default (60 * 5) // 5 minutes\n\t */\n\texpiresIn?: number | undefined;\n\t/**\n\t * Allowed attempts for verifying the magic link token.\n\t * Note: Passing Infinity will allow unlimited attempts.\n\t * @default 1\n\t */\n\tallowedAttempts?: number;\n\t/**\n\t * Send magic link implementation.\n\t */\n\tsendMagicLink: (\n\t\tdata: {\n\t\t\temail: string;\n\t\t\turl: string;\n\t\t\ttoken: string;\n\t\t\tmetadata?: Record<string, any>;\n\t\t},\n\t\tctx?: GenericEndpointContext | undefined,\n\t) => Awaitable<void>;\n\t/**\n\t * Disable sign up if user is not found.\n\t *\n\t * @default false\n\t */\n\tdisableSignUp?: boolean | undefined;\n\t/**\n\t * Rate limit configuration.\n\t *\n\t * @default {\n\t * window: 60,\n\t * max: 5,\n\t * }\n\t */\n\trateLimit?:\n\t\t| {\n\t\t\t\twindow: number;\n\t\t\t\tmax: number;\n\t\t }\n\t\t| undefined;\n\t/**\n\t * Custom function to generate a token\n\t */\n\tgenerateToken?: ((email: string) => Awaitable<string>) | undefined;\n\n\t/**\n\t * This option allows you to configure how the token is stored in your database.\n\t * Note: This will not affect the token that's sent, it will only affect the token stored in your database.\n\t *\n\t * @default \"plain\"\n\t */\n\tstoreToken?:\n\t\t| (\n\t\t\t\t| \"plain\"\n\t\t\t\t| \"hashed\"\n\t\t\t\t| { type: \"custom-hasher\"; hash: (token: string) => Promise<string> }\n\t\t )\n\t\t| undefined;\n}\n\nconst signInMagicLinkBodySchema = z.object({\n\temail: z.email().meta({\n\t\tdescription: \"Email address to send the magic link\",\n\t}),\n\tname: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'User display name. Only used if the user is registering for the first time. Eg: \"my-name\"',\n\t\t})\n\t\t.optional(),\n\tcallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after magic link verification\",\n\t\t})\n\t\t.optional(),\n\tnewUserCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"URL to redirect after new user signup. Only used if the user is registering for the first time.\",\n\t\t})\n\t\t.optional(),\n\terrorCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after error.\",\n\t\t})\n\t\t.optional(),\n\tmetadata: z\n\t\t.record(z.string(), z.any())\n\t\t.meta({\n\t\t\tdescription: \"Additional metadata to pass to sendMagicLink.\",\n\t\t})\n\t\t.optional(),\n});\nconst magicLinkVerifyQuerySchema = z.object({\n\ttoken: z.string().meta({\n\t\tdescription: \"Verification token\",\n\t}),\n\tcallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t'URL to redirect after magic link verification, if not provided the user will be redirected to the root URL. Eg: \"/dashboard\"',\n\t\t})\n\t\t.optional(),\n\terrorCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription: \"URL to redirect after error.\",\n\t\t})\n\t\t.optional(),\n\tnewUserCallbackURL: z\n\t\t.string()\n\t\t.meta({\n\t\t\tdescription:\n\t\t\t\t\"URL to redirect after new user signup. Only used if the user is registering for the first time.\",\n\t\t})\n\t\t.optional(),\n});\nexport const magicLink = (options: MagicLinkOptions) => {\n\tconst opts = {\n\t\tstoreToken: \"plain\",\n\t\tallowedAttempts: 1,\n\t\t...options,\n\t} satisfies MagicLinkOptions;\n\n\tasync function storeToken(ctx: GenericEndpointContext, token: string) {\n\t\tif (opts.storeToken === \"hashed\") {\n\t\t\treturn await defaultKeyHasher(token);\n\t\t}\n\t\tif (\n\t\t\ttypeof opts.storeToken === \"object\" &&\n\t\t\t\"type\" in opts.storeToken &&\n\t\t\topts.storeToken.type === \"custom-hasher\"\n\t\t) {\n\t\t\treturn await opts.storeToken.hash(token);\n\t\t}\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tid: \"magic-link\",\n\t\tendpoints: {\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * POST `/sign-in/magic-link`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.signInMagicLink`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.signIn.magicLink`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/sign-in#api-method-sign-in-magic-link)\n\t\t\t */\n\t\t\tsignInMagicLink: createAuthEndpoint(\n\t\t\t\t\"/sign-in/magic-link\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\trequireHeaders: true,\n\t\t\t\t\tbody: signInMagicLinkBodySchema,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\toperationId: \"signInWithMagicLink\",\n\t\t\t\t\t\t\tdescription: \"Sign in with magic link\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tstatus: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst { email, metadata } = ctx.body;\n\n\t\t\t\t\tconst verificationToken = opts?.generateToken\n\t\t\t\t\t\t? await opts.generateToken(email)\n\t\t\t\t\t\t: generateRandomString(32, \"a-z\", \"A-Z\");\n\t\t\t\t\tconst storedToken = await storeToken(ctx, verificationToken);\n\t\t\t\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t\t\tidentifier: storedToken,\n\t\t\t\t\t\tvalue: JSON.stringify({ email, name: ctx.body.name, attempt: 0 }),\n\t\t\t\t\t\texpiresAt: new Date(Date.now() + (opts.expiresIn || 60 * 5) * 1000),\n\t\t\t\t\t});\n\t\t\t\t\tconst realBaseURL = new URL(ctx.context.baseURL);\n\t\t\t\t\tconst pathname =\n\t\t\t\t\t\trealBaseURL.pathname === \"/\" ? \"\" : realBaseURL.pathname;\n\t\t\t\t\tconst basePath = pathname ? \"\" : ctx.context.options.basePath || \"\";\n\t\t\t\t\tconst url = new URL(\n\t\t\t\t\t\t`${pathname}${basePath}/magic-link/verify`,\n\t\t\t\t\t\trealBaseURL.origin,\n\t\t\t\t\t);\n\t\t\t\t\turl.searchParams.set(\"token\", verificationToken);\n\t\t\t\t\turl.searchParams.set(\"callbackURL\", ctx.body.callbackURL || \"/\");\n\t\t\t\t\tif (ctx.body.newUserCallbackURL) {\n\t\t\t\t\t\turl.searchParams.set(\n\t\t\t\t\t\t\t\"newUserCallbackURL\",\n\t\t\t\t\t\t\tctx.body.newUserCallbackURL,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\tif (ctx.body.errorCallbackURL) {\n\t\t\t\t\t\turl.searchParams.set(\"errorCallbackURL\", ctx.body.errorCallbackURL);\n\t\t\t\t\t}\n\t\t\t\t\tawait options.sendMagicLink(\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\turl: url.toString(),\n\t\t\t\t\t\t\ttoken: verificationToken,\n\t\t\t\t\t\t\tmetadata,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tctx,\n\t\t\t\t\t);\n\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\tstatus: true,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * ### Endpoint\n\t\t\t *\n\t\t\t * GET `/magic-link/verify`\n\t\t\t *\n\t\t\t * ### API Methods\n\t\t\t *\n\t\t\t * **server:**\n\t\t\t * `auth.api.magicLinkVerify`\n\t\t\t *\n\t\t\t * **client:**\n\t\t\t * `authClient.magicLink.verify`\n\t\t\t *\n\t\t\t * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/magic-link#api-method-magic-link-verify)\n\t\t\t */\n\t\t\tmagicLinkVerify: createAuthEndpoint(\n\t\t\t\t\"/magic-link/verify\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tquery: magicLinkVerifyQuerySchema,\n\t\t\t\t\tuse: [\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.callbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.callbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.newUserCallbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.newUserCallbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toriginCheck((ctx) => {\n\t\t\t\t\t\t\treturn ctx.query.errorCallbackURL\n\t\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.errorCallbackURL)\n\t\t\t\t\t\t\t\t: \"/\";\n\t\t\t\t\t\t}),\n\t\t\t\t\t],\n\t\t\t\t\trequireHeaders: true,\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\toperationId: \"verifyMagicLink\",\n\t\t\t\t\t\t\tdescription: \"Verify magic link\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t200: {\n\t\t\t\t\t\t\t\t\tdescription: \"Success\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tsession: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/Session\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tuser: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t$ref: \"#/components/schemas/User\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tconst token = ctx.query.token;\n\t\t\t\t\t// If the first argument provides the origin, it will ignore the second argument of `new URL`.\n\t\t\t\t\t// new URL(\"http://localhost:3001/hello\", \"http://localhost:3000\").toString()\n\t\t\t\t\t// Returns http://localhost:3001/hello\n\t\t\t\t\tconst callbackURL = new URL(\n\t\t\t\t\t\tctx.query.callbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.callbackURL)\n\t\t\t\t\t\t\t: \"/\",\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t).toString();\n\t\t\t\t\tconst errorCallbackURL = new URL(\n\t\t\t\t\t\tctx.query.errorCallbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.errorCallbackURL)\n\t\t\t\t\t\t\t: callbackURL,\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t);\n\n\t\t\t\t\tfunction redirectWithError(error: string): never {\n\t\t\t\t\t\terrorCallbackURL.searchParams.set(\"error\", error);\n\t\t\t\t\t\tthrow ctx.redirect(errorCallbackURL.toString());\n\t\t\t\t\t}\n\n\t\t\t\t\tconst newUserCallbackURL = new URL(\n\t\t\t\t\t\tctx.query.newUserCallbackURL\n\t\t\t\t\t\t\t? decodeURIComponent(ctx.query.newUserCallbackURL)\n\t\t\t\t\t\t\t: callbackURL,\n\t\t\t\t\t\tctx.context.baseURL,\n\t\t\t\t\t).toString();\n\t\t\t\t\tconst storedToken = await storeToken(ctx, token);\n\t\t\t\t\tconst tokenValue =\n\t\t\t\t\t\tawait ctx.context.internalAdapter.findVerificationValue(\n\t\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t);\n\t\t\t\t\tif (!tokenValue) {\n\t\t\t\t\t\tredirectWithError(\"INVALID_TOKEN\");\n\t\t\t\t\t}\n\t\t\t\t\tif (tokenValue.expiresAt < new Date()) {\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tredirectWithError(\"EXPIRED_TOKEN\");\n\t\t\t\t\t}\n\t\t\t\t\tconst {\n\t\t\t\t\t\temail,\n\t\t\t\t\t\tname,\n\t\t\t\t\t\tattempt = 0,\n\t\t\t\t\t} = JSON.parse(tokenValue.value) as {\n\t\t\t\t\t\temail: string;\n\t\t\t\t\t\tname?: string | undefined;\n\t\t\t\t\t\tattempt?: number | undefined;\n\t\t\t\t\t};\n\t\t\t\t\tif (attempt >= opts.allowedAttempts) {\n\t\t\t\t\t\tawait ctx.context.internalAdapter.deleteVerificationByIdentifier(\n\t\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tredirectWithError(\"ATTEMPTS_EXCEEDED\");\n\t\t\t\t\t}\n\t\t\t\t\tawait ctx.context.internalAdapter.updateVerificationByIdentifier(\n\t\t\t\t\t\tstoredToken,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tvalue: JSON.stringify({\n\t\t\t\t\t\t\t\temail,\n\t\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\t\tattempt: attempt + 1,\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\n\t\t\t\t\tlet isNewUser = false;\n\t\t\t\t\tlet user = await ctx.context.internalAdapter\n\t\t\t\t\t\t.findUserByEmail(email)\n\t\t\t\t\t\t.then((res) => res?.user);\n\n\t\t\t\t\tif (!user) {\n\t\t\t\t\t\tif (!opts.disableSignUp) {\n\t\t\t\t\t\t\tconst newUser = await ctx.context.internalAdapter.createUser({\n\t\t\t\t\t\t\t\temail: email,\n\t\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t\t\tname: name || \"\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tisNewUser = true;\n\t\t\t\t\t\t\tuser = newUser;\n\t\t\t\t\t\t\tif (!user) {\n\t\t\t\t\t\t\t\tredirectWithError(\"failed_to_create_user\");\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t} else {\n\t\t\t\t\t\t\tredirectWithError(\"new_user_signup_disabled\");\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (!user.emailVerified) {\n\t\t\t\t\t\tuser = await ctx.context.internalAdapter.updateUser(user.id, {\n\t\t\t\t\t\t\temailVerified: true,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\n\t\t\t\t\tconst session = await ctx.context.internalAdapter.createSession(\n\t\t\t\t\t\tuser.id,\n\t\t\t\t\t);\n\n\t\t\t\t\tif (!session) {\n\t\t\t\t\t\tredirectWithError(\"failed_to_create_session\");\n\t\t\t\t\t}\n\n\t\t\t\t\tawait setSessionCookie(ctx, {\n\t\t\t\t\t\tsession,\n\t\t\t\t\t\tuser,\n\t\t\t\t\t});\n\t\t\t\t\tif (!ctx.query.callbackURL) {\n\t\t\t\t\t\treturn ctx.json({\n\t\t\t\t\t\t\ttoken: session.token,\n\t\t\t\t\t\t\tuser: parseUserOutput(ctx.context.options, user),\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\tif (isNewUser) {\n\t\t\t\t\t\tthrow ctx.redirect(newUserCallbackURL);\n\t\t\t\t\t}\n\t\t\t\t\tthrow ctx.redirect(callbackURL);\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t\trateLimit: [\n\t\t\t{\n\t\t\t\tpathMatcher(path) {\n\t\t\t\t\treturn (\n\t\t\t\t\t\tpath.startsWith(\"/sign-in/magic-link\") ||\n\t\t\t\t\t\tpath.startsWith(\"/magic-link/verify\")\n\t\t\t\t\t);\n\t\t\t\t},\n\t\t\t\twindow: opts.rateLimit?.window || 60,\n\t\t\t\tmax: opts.rateLimit?.max || 5,\n\t\t\t},\n\t\t],\n\t\toptions,\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;;;;AAqFA,MAAM,4BAA4B,EAAE,OAAO;CAC1C,OAAO,EAAE,OAAO,CAAC,KAAK,EACrB,aAAa,wCACb,CAAC;CACF,MAAM,EACJ,QAAQ,CACR,KAAK,EACL,aACC,+FACD,CAAC,CACD,UAAU;CACZ,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aAAa,iDACb,CAAC,CACD,UAAU;CACZ,oBAAoB,EAClB,QAAQ,CACR,KAAK,EACL,aACC,mGACD,CAAC,CACD,UAAU;CACZ,kBAAkB,EAChB,QAAQ,CACR,KAAK,EACL,aAAa,gCACb,CAAC,CACD,UAAU;CACZ,UAAU,EACR,OAAO,EAAE,QAAQ,EAAE,EAAE,KAAK,CAAC,CAC3B,KAAK,EACL,aAAa,iDACb,CAAC,CACD,UAAU;CACZ,CAAC;AACF,MAAM,6BAA6B,EAAE,OAAO;CAC3C,OAAO,EAAE,QAAQ,CAAC,KAAK,EACtB,aAAa,sBACb,CAAC;CACF,aAAa,EACX,QAAQ,CACR,KAAK,EACL,aACC,kIACD,CAAC,CACD,UAAU;CACZ,kBAAkB,EAChB,QAAQ,CACR,KAAK,EACL,aAAa,gCACb,CAAC,CACD,UAAU;CACZ,oBAAoB,EAClB,QAAQ,CACR,KAAK,EACL,aACC,mGACD,CAAC,CACD,UAAU;CACZ,CAAC;AACF,MAAa,aAAa,YAA8B;CACvD,MAAM,OAAO;EACZ,YAAY;EACZ,iBAAiB;EACjB,GAAG;EACH;CAED,eAAe,WAAW,KAA6B,OAAe;AACrE,MAAI,KAAK,eAAe,SACvB,QAAO,MAAM,iBAAiB,MAAM;AAErC,MACC,OAAO,KAAK,eAAe,YAC3B,UAAU,KAAK,cACf,KAAK,WAAW,SAAS,gBAEzB,QAAO,MAAM,KAAK,WAAW,KAAK,MAAM;AAEzC,SAAO;;AAGR,QAAO;EACN,IAAI;EACJ,WAAW;GAgBV,iBAAiB,mBAChB,uBACA;IACC,QAAQ;IACR,gBAAgB;IAChB,MAAM;IACN,UAAU,EACT,SAAS;KACR,aAAa;KACb,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,QAAQ,EACP,MAAM,WACN,EACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,EAAE,OAAO,aAAa,IAAI;IAEhC,MAAM,oBAAoB,MAAM,gBAC7B,MAAM,KAAK,cAAc,MAAM,GAC/B,qBAAqB,IAAI,OAAO,MAAM;IACzC,MAAM,cAAc,MAAM,WAAW,KAAK,kBAAkB;AAC5D,UAAM,IAAI,QAAQ,gBAAgB,wBAAwB;KACzD,YAAY;KACZ,OAAO,KAAK,UAAU;MAAE;MAAO,MAAM,IAAI,KAAK;MAAM,SAAS;MAAG,CAAC;KACjE,WAAW,IAAI,KAAK,KAAK,KAAK,IAAI,KAAK,aAAa,OAAU,IAAK;KACnE,CAAC;IACF,MAAM,cAAc,IAAI,IAAI,IAAI,QAAQ,QAAQ;IAChD,MAAM,WACL,YAAY,aAAa,MAAM,KAAK,YAAY;IACjD,MAAM,WAAW,WAAW,KAAK,IAAI,QAAQ,QAAQ,YAAY;IACjE,MAAM,MAAM,IAAI,IACf,GAAG,WAAW,SAAS,qBACvB,YAAY,OACZ;AACD,QAAI,aAAa,IAAI,SAAS,kBAAkB;AAChD,QAAI,aAAa,IAAI,eAAe,IAAI,KAAK,eAAe,IAAI;AAChE,QAAI,IAAI,KAAK,mBACZ,KAAI,aAAa,IAChB,sBACA,IAAI,KAAK,mBACT;AAEF,QAAI,IAAI,KAAK,iBACZ,KAAI,aAAa,IAAI,oBAAoB,IAAI,KAAK,iBAAiB;AAEpE,UAAM,QAAQ,cACb;KACC;KACA,KAAK,IAAI,UAAU;KACnB,OAAO;KACP;KACA,EACD,IACA;AACD,WAAO,IAAI,KAAK,EACf,QAAQ,MACR,CAAC;KAEH;GAgBD,iBAAiB,mBAChB,sBACA;IACC,QAAQ;IACR,OAAO;IACP,KAAK;KACJ,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,cACd,mBAAmB,IAAI,MAAM,YAAY,GACzC;OACF;KACF,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,qBACd,mBAAmB,IAAI,MAAM,mBAAmB,GAChD;OACF;KACF,aAAa,QAAQ;AACpB,aAAO,IAAI,MAAM,mBACd,mBAAmB,IAAI,MAAM,iBAAiB,GAC9C;OACF;KACF;IACD,gBAAgB;IAChB,UAAU,EACT,SAAS;KACR,aAAa;KACb,aAAa;KACb,WAAW,EACV,KAAK;MACJ,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,SAAS,EACR,MAAM,gCACN;QACD,MAAM,EACL,MAAM,6BACN;QACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;IACd,MAAM,QAAQ,IAAI,MAAM;IAIxB,MAAM,cAAc,IAAI,IACvB,IAAI,MAAM,cACP,mBAAmB,IAAI,MAAM,YAAY,GACzC,KACH,IAAI,QAAQ,QACZ,CAAC,UAAU;IACZ,MAAM,mBAAmB,IAAI,IAC5B,IAAI,MAAM,mBACP,mBAAmB,IAAI,MAAM,iBAAiB,GAC9C,aACH,IAAI,QAAQ,QACZ;IAED,SAAS,kBAAkB,OAAsB;AAChD,sBAAiB,aAAa,IAAI,SAAS,MAAM;AACjD,WAAM,IAAI,SAAS,iBAAiB,UAAU,CAAC;;IAGhD,MAAM,qBAAqB,IAAI,IAC9B,IAAI,MAAM,qBACP,mBAAmB,IAAI,MAAM,mBAAmB,GAChD,aACH,IAAI,QAAQ,QACZ,CAAC,UAAU;IACZ,MAAM,cAAc,MAAM,WAAW,KAAK,MAAM;IAChD,MAAM,aACL,MAAM,IAAI,QAAQ,gBAAgB,sBACjC,YACA;AACF,QAAI,CAAC,WACJ,mBAAkB,gBAAgB;AAEnC,QAAI,WAAW,4BAAY,IAAI,MAAM,EAAE;AACtC,WAAM,IAAI,QAAQ,gBAAgB,+BACjC,YACA;AACD,uBAAkB,gBAAgB;;IAEnC,MAAM,EACL,OACA,MACA,UAAU,MACP,KAAK,MAAM,WAAW,MAAM;AAKhC,QAAI,WAAW,KAAK,iBAAiB;AACpC,WAAM,IAAI,QAAQ,gBAAgB,+BACjC,YACA;AACD,uBAAkB,oBAAoB;;AAEvC,UAAM,IAAI,QAAQ,gBAAgB,+BACjC,aACA,EACC,OAAO,KAAK,UAAU;KACrB;KACA;KACA,SAAS,UAAU;KACnB,CAAC,EACF,CACD;IAED,IAAI,YAAY;IAChB,IAAI,OAAO,MAAM,IAAI,QAAQ,gBAC3B,gBAAgB,MAAM,CACtB,MAAM,QAAQ,KAAK,KAAK;AAE1B,QAAI,CAAC,KACJ,KAAI,CAAC,KAAK,eAAe;KACxB,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,WAAW;MACrD;MACP,eAAe;MACf,MAAM,QAAQ;MACd,CAAC;AACF,iBAAY;AACZ,YAAO;AACP,SAAI,CAAC,KACJ,mBAAkB,wBAAwB;UAG3C,mBAAkB,2BAA2B;AAI/C,QAAI,CAAC,KAAK,cACT,QAAO,MAAM,IAAI,QAAQ,gBAAgB,WAAW,KAAK,IAAI,EAC5D,eAAe,MACf,CAAC;IAGH,MAAM,UAAU,MAAM,IAAI,QAAQ,gBAAgB,cACjD,KAAK,GACL;AAED,QAAI,CAAC,QACJ,mBAAkB,2BAA2B;AAG9C,UAAM,iBAAiB,KAAK;KAC3B;KACA;KACA,CAAC;AACF,QAAI,CAAC,IAAI,MAAM,YACd,QAAO,IAAI,KAAK;KACf,OAAO,QAAQ;KACf,MAAM,gBAAgB,IAAI,QAAQ,SAAS,KAAK;KAChD,CAAC;AAEH,QAAI,UACH,OAAM,IAAI,SAAS,mBAAmB;AAEvC,UAAM,IAAI,SAAS,YAAY;KAEhC;GACD;EACD,WAAW,CACV;GACC,YAAY,MAAM;AACjB,WACC,KAAK,WAAW,sBAAsB,IACtC,KAAK,WAAW,qBAAqB;;GAGvC,QAAQ,KAAK,WAAW,UAAU;GAClC,KAAK,KAAK,WAAW,OAAO;GAC5B,CACD;EACD;EACA"}
package/dist/plugins/mcp/index.d.mts CHANGED
@@ -1,5 +1,4 @@
1
1
  import { OAuthAccessToken, OIDCMetadata, OIDCOptions } from "../oidc-provider/types.mjs";
2
- import "../oidc-provider/index.mjs";
3
2
  import { BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
4
3
  import * as better_call0 from "better-call";
5
4
  import * as z from "zod";
package/dist/plugins/oidc-provider/authorize.mjs CHANGED
@@ -2,9 +2,11 @@ import { generateRandomString } from "../../crypto/random.mjs";
2
2
  import "../../crypto/index.mjs";
3
3
  import { getSessionFromCtx } from "../../api/routes/session.mjs";
4
4
  import "../../api/index.mjs";
5
+ import { InvalidClient, InvalidRequest } from "./error.mjs";
5
6
  import { parsePrompt } from "./utils/prompt.mjs";
6
7
  import { getClient } from "./index.mjs";
7
8
  import { APIError } from "@better-auth/core/error";
9
+ import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
8
10
 
9
11
  //#region src/plugins/oidc-provider/authorize.ts
10
12
  function formatErrorURL(url, error, description) {
@@ -15,7 +17,7 @@ function getErrorURL(ctx, error, description) {
15
17
  }
16
18
  async function authorize(ctx, options) {
17
19
  const handleRedirect = (url) => {
18
- if (ctx.request?.headers.get("sec-fetch-mode") === "cors") return ctx.json({
20
+ if (isBrowserFetchRequest(ctx.request?.headers)) return ctx.json({
19
21
  redirect: true,
20
22
  url
21
23
  });
@@ -37,10 +39,18 @@ async function authorize(ctx, options) {
37
39
  error_description: "request not found",
38
40
  error: "invalid_request"
39
41
  });
42
+ const query = ctx.query;
40
43
  const session = await getSessionFromCtx(ctx);
41
44
  if (!session) {
42
- const query = ctx.query;
43
- if (parsePrompt(query.prompt ?? "").has("none") && query.redirect_uri) return handleRedirect(formatErrorURL(query.redirect_uri, "login_required", "Authentication required but prompt is none"));
45
+ if (parsePrompt(query.prompt ?? "").has("none")) {
46
+ if (!query.redirect_uri) throw new InvalidRequest("redirect_uri is required when prompt=none and must be usable to return errors without displaying UI");
47
+ if (!query.client_id) throw new InvalidClient("client_id is required");
48
+ const client = await getClient(query.client_id, options.trustedClients || []);
49
+ if (!client) throw new InvalidClient("client_id is required");
50
+ const validRedirectURI = client.redirectUrls.find((url) => url === query.redirect_uri);
51
+ if (!validRedirectURI) throw new InvalidRequest("redirect_uri is invalid or not registered for this client");
52
+ return handleRedirect(formatErrorURL(validRedirectURI, "login_required", "Authentication required but prompt is none"));
53
+ }
44
54
  /**
45
55
  * If the user is not logged in, we need to redirect them to the
46
56
  * login page.
@@ -53,7 +63,6 @@ async function authorize(ctx, options) {
53
63
  const queryFromURL = ctx.request.url?.split("?")[1];
54
64
  return handleRedirect(`${options.loginPage}?${queryFromURL}`);
55
65
  }
56
- const query = ctx.query;
57
66
  if (!query.client_id) {
58
67
  const errorURL = getErrorURL(ctx, "invalid_client", "client_id is required");
59
68
  throw ctx.redirect(errorURL);
package/dist/plugins/oidc-provider/authorize.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"authorize.mjs","names":[],"sources":["../../../src/plugins/oidc-provider/authorize.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"@better-auth/core/error\";\nimport { getSessionFromCtx } from \"../../api\";\nimport { generateRandomString } from \"../../crypto\";\nimport { getClient } from \"./index\";\nimport type { AuthorizationQuery, OIDCOptions } from \"./types\";\nimport { parsePrompt } from \"./utils/prompt\";\n\nfunction formatErrorURL(url: string, error: string, description: string) {\n\treturn `${url}${\n\t\turl.includes(\"?\") ? \"&\" : \"?\"\n\t}error=${error}&error_description=${description}`;\n}\n\nfunction getErrorURL(\n\tctx: GenericEndpointContext,\n\terror: string,\n\tdescription: string,\n) {\n\tconst baseURL =\n\t\tctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;\n\tconst formattedURL = formatErrorURL(baseURL, error, description);\n\treturn formattedURL;\n}\n\nexport async function authorize(\n\tctx: GenericEndpointContext,\n\toptions: OIDCOptions,\n) {\n\tconst handleRedirect = (url: string) => {\n\t\tconst fromFetch = ctx.request?.headers.get(\"sec-fetch-mode\") === \"cors\";\n\t\tif (fromFetch) {\n\t\t\treturn ctx.json({\n\t\t\t\tredirect: true,\n\t\t\t\turl,\n\t\t\t});\n\t\t} else {\n\t\t\tthrow ctx.redirect(url);\n\t\t}\n\t};\n\n\tconst opts = {\n\t\tcodeExpiresIn: 600,\n\t\tdefaultScope: \"openid\",\n\t\t...options,\n\t\tscopes: [\n\t\t\t\"openid\",\n\t\t\t\"profile\",\n\t\t\t\"email\",\n\t\t\t\"offline_access\",\n\t\t\t...(options?.scopes || []),\n\t\t],\n\t};\n\tif (!ctx.request) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"request not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) {\n\t\t// Handle prompt=none per OIDC spec - must return error instead of redirecting\n\t\tconst query = ctx.query as AuthorizationQuery;\n\t\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\t\tif (promptSet.has(\"none\") && query.redirect_uri) {\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"login_required\",\n\t\t\t\t\t\"Authentication required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\n\t\t/**\n\t\t * If the user is not logged in, we need to redirect them to the\n\t\t * login page.\n\t\t */\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tconst queryFromURL = ctx.request.url?.split(\"?\")[1]!;\n\t\treturn handleRedirect(`${options.loginPage}?${queryFromURL}`);\n\t}\n\n\tconst query = ctx.query as AuthorizationQuery;\n\tif (!query.client_id) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (!query.response_type) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_request\",\n\t\t\t\"response_type is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst client = await getClient(\n\t\tctx.query.client_id,\n\t\toptions.trustedClients || [],\n\t);\n\tif (!client) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\tconst redirectURI = client.redirectUrls.find(\n\t\t(url) => url === ctx.query.redirect_uri,\n\t);\n\n\tif (!redirectURI || !query.redirect_uri) {\n\t\t/**\n\t\t * show UI error here warning the user that the redirect URI is invalid\n\t\t */\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: \"Invalid redirect URI\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tconst errorURL = getErrorURL(ctx, \"client_disabled\", \"client is disabled\");\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (query.response_type !== \"code\") {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"unsupported_response_type\",\n\t\t\t\"unsupported response type\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst requestScope =\n\t\tquery.scope?.split(\" \").filter((s) => s) ||\n\t\topts.defaultScope?.split(\" \") ||\n\t\t[];\n\tconst invalidScopes = requestScope.filter((scope) => {\n\t\treturn !opts.scopes.includes(scope);\n\t});\n\tif (invalidScopes.length) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_scope\",\n\t\t\t\t`The following scopes are invalid: ${invalidScopes.join(\", \")}`,\n\t\t\t),\n\t\t);\n\t}\n\n\tif (\n\t\t(!query.code_challenge || !query.code_challenge_method) &&\n\t\toptions.requirePKCE\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(query.redirect_uri, \"invalid_request\", \"pkce is required\"),\n\t\t);\n\t}\n\n\tif (!query.code_challenge_method) {\n\t\tquery.code_challenge_method = \"plain\";\n\t}\n\n\tif (\n\t\t![\n\t\t\t\"s256\",\n\t\t\toptions.allowPlainCodeChallengeMethod ? \"plain\" : \"s256\",\n\t\t].includes(query.code_challenge_method?.toLowerCase() || \"\")\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"invalid code_challenge method\",\n\t\t\t),\n\t\t);\n\t}\n\n\tconst code = generateRandomString(32, \"a-z\", \"A-Z\", \"0-9\");\n\tconst codeExpiresInMs = opts.codeExpiresIn! * 1000;\n\tconst expiresAt = new Date(Date.now() + codeExpiresInMs);\n\n\t// Determine if consent is required\n\t// Consent is ALWAYS required unless:\n\t// 1. The client is trusted (skipConsent = true)\n\t// 2. The user has already consented and prompt is not \"consent\"\n\tconst skipConsentForTrustedClient = client.skipConsent;\n\tconst hasAlreadyConsented = await ctx.context.adapter\n\t\t.findOne<{\n\t\t\tconsentGiven: boolean;\n\t\t\tscopes: string;\n\t\t}>({\n\t\t\tmodel: \"oauthConsent\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: client.clientId,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\tvalue: session.user.id,\n\t\t\t\t},\n\t\t\t],\n\t\t})\n\t\t.then((res) => {\n\t\t\tif (!res?.consentGiven) {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tconst consentedScopes = res.scopes ? res.scopes.split(\" \") : [];\n\t\t\tconst hasConsented = requestScope.every((scope) =>\n\t\t\t\tconsentedScopes.includes(scope),\n\t\t\t);\n\t\t\treturn hasConsented;\n\t\t});\n\n\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\n\t// Handle prompt=none per OIDC spec 3.1.2.1\n\t// The Authorization Server MUST NOT display any authentication or consent UI\n\tif (promptSet.has(\"none\")) {\n\t\t// If consent is required, return consent_required error\n\t\tif (!skipConsentForTrustedClient && !hasAlreadyConsented) {\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"consent_required\",\n\t\t\t\t\t\"Consent required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\t\t// If we reach here, user is authenticated and consent is satisfied\n\t\t// Continue without any UI interaction\n\t}\n\n\t// Handle max_age parameter per OIDC spec 3.1.2.1\n\t// max_age=0 is equivalent to prompt=login\n\tlet requireLogin = promptSet.has(\"login\");\n\tif (query.max_age !== undefined) {\n\t\tconst maxAge = Number(query.max_age);\n\t\tif (Number.isInteger(maxAge) && maxAge >= 0) {\n\t\t\tconst sessionAge =\n\t\t\t\t(Date.now() - new Date(session.session.createdAt).getTime()) / 1000;\n\t\t\tif (sessionAge > maxAge) {\n\t\t\t\t// Session is older than max_age, force re-authentication\n\t\t\t\trequireLogin = true;\n\t\t\t}\n\t\t}\n\t\t// If max_age is invalid (not a non-negative integer), ignore it per OIDC spec\n\t}\n\n\tconst requireConsent =\n\t\t!skipConsentForTrustedClient &&\n\t\t(!hasAlreadyConsented || promptSet.has(\"consent\"));\n\n\ttry {\n\t\t/**\n\t\t * Save the code in the database\n\t\t */\n\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\tvalue: JSON.stringify({\n\t\t\t\tclientId: client.clientId,\n\t\t\t\tredirectURI: query.redirect_uri,\n\t\t\t\tscope: requestScope,\n\t\t\t\tuserId: session.user.id,\n\t\t\t\tauthTime: new Date(session.session.createdAt).getTime(),\n\t\t\t\t/**\n\t\t\t\t * Consent is required per OIDC spec unless:\n\t\t\t\t * 1. Client is trusted (skipConsent = true)\n\t\t\t\t * 2. User has already consented (and prompt is not \"consent\")\n\t\t\t\t *\n\t\t\t\t * When consent is required, the code needs to be treated as a\n\t\t\t\t * consent request. Once the user consents, the code will be\n\t\t\t\t * updated with the actual authorization code.\n\t\t\t\t */\n\t\t\t\trequireConsent,\n\t\t\t\tstate: requireConsent ? query.state : null,\n\t\t\t\tcodeChallenge: query.code_challenge,\n\t\t\t\tcodeChallengeMethod: query.code_challenge_method,\n\t\t\t\tnonce: query.nonce,\n\t\t\t}),\n\t\t\tidentifier: code,\n\t\t\texpiresAt,\n\t\t});\n\t} catch {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"server_error\",\n\t\t\t\t\"An error occurred while processing the request\",\n\t\t\t),\n\t\t);\n\t}\n\n\tif (requireLogin) {\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\tconst loginURI = `${options.loginPage}?${new URLSearchParams({\n\t\t\tclient_id: client.clientId,\n\t\t\tcode,\n\t\t\tstate: query.state,\n\t\t}).toString()}`;\n\t\treturn handleRedirect(loginURI);\n\t}\n\n\t// If consent is not required, redirect with the code immediately\n\tif (!requireConsent) {\n\t\tconst redirectURIWithCode = new URL(redirectURI);\n\t\tredirectURIWithCode.searchParams.set(\"code\", code);\n\t\tredirectURIWithCode.searchParams.set(\"state\", ctx.query.state);\n\t\treturn handleRedirect(redirectURIWithCode.toString());\n\t}\n\n\t// Consent is required - redirect to consent page or show consent HTML\n\n\tif (options?.consentPage) {\n\t\t// Set cookie to support cookie-based consent flows\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\t// Pass the consent code as a URL parameter to support URL-based consent flows\n\t\tconst urlParams = new URLSearchParams();\n\t\turlParams.set(\"consent_code\", code);\n\t\turlParams.set(\"client_id\", client.clientId);\n\t\turlParams.set(\"scope\", requestScope.join(\" \"));\n\t\tconst consentURI = `${options.consentPage}?${urlParams.toString()}`;\n\n\t\treturn handleRedirect(consentURI);\n\t}\n\tconst htmlFn = options?.getConsentHTML;\n\n\tif (!htmlFn) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\tmessage: \"No consent page provided\",\n\t\t});\n\t}\n\n\treturn new Response(\n\t\thtmlFn({\n\t\t\tscopes: requestScope,\n\t\t\tclientMetadata: client.metadata,\n\t\t\tclientIcon: client?.icon,\n\t\t\tclientId: client.clientId,\n\t\t\tclientName: client.name,\n\t\t\tcode,\n\t\t}),\n\t\t{\n\t\t\theaders: {\n\t\t\t\t\"content-type\": \"text/html\",\n\t\t\t},\n\t\t},\n\t);\n}\n"],"mappings":";;;;;;;;;AAQA,SAAS,eAAe,KAAa,OAAe,aAAqB;AACxE,QAAO,GAAG,MACT,IAAI,SAAS,IAAI,GAAG,MAAM,IAC1B,QAAQ,MAAM,qBAAqB;;AAGrC,SAAS,YACR,KACA,OACA,aACC;AAID,QADqB,eADpB,IAAI,QAAQ,QAAQ,YAAY,YAAY,GAAG,IAAI,QAAQ,QAAQ,SACvB,OAAO,YAAY;;AAIjE,eAAsB,UACrB,KACA,SACC;CACD,MAAM,kBAAkB,QAAgB;AAEvC,MADkB,IAAI,SAAS,QAAQ,IAAI,iBAAiB,KAAK,OAEhE,QAAO,IAAI,KAAK;GACf,UAAU;GACV;GACA,CAAC;MAEF,OAAM,IAAI,SAAS,IAAI;;CAIzB,MAAM,OAAO;EACZ,eAAe;EACf,cAAc;EACd,GAAG;EACH,QAAQ;GACP;GACA;GACA;GACA;GACA,GAAI,SAAS,UAAU,EAAE;GACzB;EACD;AACD,KAAI,CAAC,IAAI,QACR,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,SAAS;EAEb,MAAM,QAAQ,IAAI;AAElB,MADkB,YAAY,MAAM,UAAU,GAAG,CACnC,IAAI,OAAO,IAAI,MAAM,aAClC,QAAO,eACN,eACC,MAAM,cACN,kBACA,6CACA,CACD;;;;;AAOF,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;EACD,MAAM,eAAe,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC;AACjD,SAAO,eAAe,GAAG,QAAQ,UAAU,GAAG,eAAe;;CAG9D,MAAM,QAAQ,IAAI;AAClB,KAAI,CAAC,MAAM,WAAW;EACrB,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,CAAC,MAAM,eAAe;EACzB,MAAM,WAAW,YAChB,KACA,mBACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,SAAS,MAAM,UACpB,IAAI,MAAM,WACV,QAAQ,kBAAkB,EAAE,CAC5B;AACD,KAAI,CAAC,QAAQ;EACZ,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAE7B,MAAM,cAAc,OAAO,aAAa,MACtC,QAAQ,QAAQ,IAAI,MAAM,aAC3B;AAED,KAAI,CAAC,eAAe,CAAC,MAAM;;;;AAI1B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,wBACT,CAAC;AAEH,KAAI,OAAO,UAAU;EACpB,MAAM,WAAW,YAAY,KAAK,mBAAmB,qBAAqB;AAC1E,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,MAAM,kBAAkB,QAAQ;EACnC,MAAM,WAAW,YAChB,KACA,6BACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,eACL,MAAM,OAAO,MAAM,IAAI,CAAC,QAAQ,MAAM,EAAE,IACxC,KAAK,cAAc,MAAM,IAAI,IAC7B,EAAE;CACH,MAAM,gBAAgB,aAAa,QAAQ,UAAU;AACpD,SAAO,CAAC,KAAK,OAAO,SAAS,MAAM;GAClC;AACF,KAAI,cAAc,OACjB,QAAO,eACN,eACC,MAAM,cACN,iBACA,qCAAqC,cAAc,KAAK,KAAK,GAC7D,CACD;AAGF,MACE,CAAC,MAAM,kBAAkB,CAAC,MAAM,0BACjC,QAAQ,YAER,QAAO,eACN,eAAe,MAAM,cAAc,mBAAmB,mBAAmB,CACzE;AAGF,KAAI,CAAC,MAAM,sBACV,OAAM,wBAAwB;AAG/B,KACC,CAAC,CACA,QACA,QAAQ,gCAAgC,UAAU,OAClD,CAAC,SAAS,MAAM,uBAAuB,aAAa,IAAI,GAAG,CAE5D,QAAO,eACN,eACC,MAAM,cACN,mBACA,gCACA,CACD;CAGF,MAAM,OAAO,qBAAqB,IAAI,OAAO,OAAO,MAAM;CAC1D,MAAM,kBAAkB,KAAK,gBAAiB;CAC9C,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB;CAMxD,MAAM,8BAA8B,OAAO;CAC3C,MAAM,sBAAsB,MAAM,IAAI,QAAQ,QAC5C,QAGE;EACF,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,OAAO;GACd,EACD;GACC,OAAO;GACP,OAAO,QAAQ,KAAK;GACpB,CACD;EACD,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,KAAK,aACT,QAAO;EAER,MAAM,kBAAkB,IAAI,SAAS,IAAI,OAAO,MAAM,IAAI,GAAG,EAAE;AAI/D,SAHqB,aAAa,OAAO,UACxC,gBAAgB,SAAS,MAAM,CAC/B;GAEA;CAEH,MAAM,YAAY,YAAY,MAAM,UAAU,GAAG;AAIjD,KAAI,UAAU,IAAI,OAAO,EAExB;MAAI,CAAC,+BAA+B,CAAC,oBACpC,QAAO,eACN,eACC,MAAM,cACN,oBACA,sCACA,CACD;;CAQH,IAAI,eAAe,UAAU,IAAI,QAAQ;AACzC,KAAI,MAAM,YAAY,QAAW;EAChC,MAAM,SAAS,OAAO,MAAM,QAAQ;AACpC,MAAI,OAAO,UAAU,OAAO,IAAI,UAAU,GAGzC;QADE,KAAK,KAAK,GAAG,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS,IAAI,MAC/C,OAEhB,gBAAe;;;CAMlB,MAAM,iBACL,CAAC,gCACA,CAAC,uBAAuB,UAAU,IAAI,UAAU;AAElD,KAAI;;;;AAIH,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,KAAK,UAAU;IACrB,UAAU,OAAO;IACjB,aAAa,MAAM;IACnB,OAAO;IACP,QAAQ,QAAQ,KAAK;IACrB,UAAU,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS;IAUvD;IACA,OAAO,iBAAiB,MAAM,QAAQ;IACtC,eAAe,MAAM;IACrB,qBAAqB,MAAM;IAC3B,OAAO,MAAM;IACb,CAAC;GACF,YAAY;GACZ;GACA,CAAC;SACK;AACP,SAAO,eACN,eACC,MAAM,cACN,gBACA,iDACA,CACD;;AAGF,KAAI,cAAc;AACjB,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;AACD,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;AAOF,SAAO,eALU,GAAG,QAAQ,UAAU,GAAG,IAAI,gBAAgB;GAC5D,WAAW,OAAO;GAClB;GACA,OAAO,MAAM;GACb,CAAC,CAAC,UAAU,GACkB;;AAIhC,KAAI,CAAC,gBAAgB;EACpB,MAAM,sBAAsB,IAAI,IAAI,YAAY;AAChD,sBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,sBAAoB,aAAa,IAAI,SAAS,IAAI,MAAM,MAAM;AAC9D,SAAO,eAAe,oBAAoB,UAAU,CAAC;;AAKtD,KAAI,SAAS,aAAa;AAEzB,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;EAGF,MAAM,YAAY,IAAI,iBAAiB;AACvC,YAAU,IAAI,gBAAgB,KAAK;AACnC,YAAU,IAAI,aAAa,OAAO,SAAS;AAC3C,YAAU,IAAI,SAAS,aAAa,KAAK,IAAI,CAAC;AAG9C,SAAO,eAFY,GAAG,QAAQ,YAAY,GAAG,UAAU,UAAU,GAEhC;;CAElC,MAAM,SAAS,SAAS;AAExB,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,4BACT,CAAC;AAGH,QAAO,IAAI,SACV,OAAO;EACN,QAAQ;EACR,gBAAgB,OAAO;EACvB,YAAY,QAAQ;EACpB,UAAU,OAAO;EACjB,YAAY,OAAO;EACnB;EACA,CAAC,EACF,EACC,SAAS,EACR,gBAAgB,aAChB,EACD,CACD"}
1
+ {"version":3,"file":"authorize.mjs","names":[],"sources":["../../../src/plugins/oidc-provider/authorize.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"@better-auth/core/error\";\nimport { isBrowserFetchRequest } from \"@better-auth/core/utils/fetch-metadata\";\nimport { getSessionFromCtx } from \"../../api\";\nimport { generateRandomString } from \"../../crypto\";\nimport { InvalidClient, InvalidRequest } from \"./error\";\nimport { getClient } from \"./index\";\nimport type { AuthorizationQuery, OIDCOptions } from \"./types\";\nimport { parsePrompt } from \"./utils/prompt\";\n\nfunction formatErrorURL(url: string, error: string, description: string) {\n\treturn `${url}${\n\t\turl.includes(\"?\") ? \"&\" : \"?\"\n\t}error=${error}&error_description=${description}`;\n}\n\nfunction getErrorURL(\n\tctx: GenericEndpointContext,\n\terror: string,\n\tdescription: string,\n) {\n\tconst baseURL =\n\t\tctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;\n\tconst formattedURL = formatErrorURL(baseURL, error, description);\n\treturn formattedURL;\n}\n\nexport async function authorize(\n\tctx: GenericEndpointContext,\n\toptions: OIDCOptions,\n) {\n\tconst handleRedirect = (url: string) => {\n\t\tconst fromFetch = isBrowserFetchRequest(ctx.request?.headers);\n\t\tif (fromFetch) {\n\t\t\treturn ctx.json({\n\t\t\t\tredirect: true,\n\t\t\t\turl,\n\t\t\t});\n\t\t} else {\n\t\t\tthrow ctx.redirect(url);\n\t\t}\n\t};\n\n\tconst opts = {\n\t\tcodeExpiresIn: 600,\n\t\tdefaultScope: \"openid\",\n\t\t...options,\n\t\tscopes: [\n\t\t\t\"openid\",\n\t\t\t\"profile\",\n\t\t\t\"email\",\n\t\t\t\"offline_access\",\n\t\t\t...(options?.scopes || []),\n\t\t],\n\t};\n\tif (!ctx.request) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"request not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst query = ctx.query as AuthorizationQuery;\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) {\n\t\t// Handle prompt=none per OIDC spec - must return error instead of redirecting\n\t\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\t\tif (promptSet.has(\"none\")) {\n\t\t\tif (!query.redirect_uri) {\n\t\t\t\tthrow new InvalidRequest(\n\t\t\t\t\t\"redirect_uri is required when prompt=none and must be usable to return errors without displaying UI\",\n\t\t\t\t);\n\t\t\t}\n\t\t\tif (!query.client_id) {\n\t\t\t\tthrow new InvalidClient(\"client_id is required\");\n\t\t\t}\n\t\t\tconst client = await getClient(\n\t\t\t\tquery.client_id,\n\t\t\t\toptions.trustedClients || [],\n\t\t\t);\n\t\t\tif (!client) {\n\t\t\t\tthrow new InvalidClient(\"client_id is required\");\n\t\t\t}\n\t\t\tconst validRedirectURI = client.redirectUrls.find(\n\t\t\t\t(url) => url === query.redirect_uri,\n\t\t\t);\n\t\t\tif (!validRedirectURI) {\n\t\t\t\tthrow new InvalidRequest(\n\t\t\t\t\t\"redirect_uri is invalid or not registered for this client\",\n\t\t\t\t);\n\t\t\t}\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tvalidRedirectURI,\n\t\t\t\t\t\"login_required\",\n\t\t\t\t\t\"Authentication required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\n\t\t/**\n\t\t * If the user is not logged in, we need to redirect them to the\n\t\t * login page.\n\t\t */\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tconst queryFromURL = ctx.request.url?.split(\"?\")[1]!;\n\t\treturn handleRedirect(`${options.loginPage}?${queryFromURL}`);\n\t}\n\n\tif (!query.client_id) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (!query.response_type) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_request\",\n\t\t\t\"response_type is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst client = await getClient(\n\t\tctx.query.client_id,\n\t\toptions.trustedClients || [],\n\t);\n\tif (!client) {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"invalid_client\",\n\t\t\t\"client_id is required\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\tconst redirectURI = client.redirectUrls.find(\n\t\t(url) => url === ctx.query.redirect_uri,\n\t);\n\n\tif (!redirectURI || !query.redirect_uri) {\n\t\t/**\n\t\t * show UI error here warning the user that the redirect URI is invalid\n\t\t */\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: \"Invalid redirect URI\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tconst errorURL = getErrorURL(ctx, \"client_disabled\", \"client is disabled\");\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tif (query.response_type !== \"code\") {\n\t\tconst errorURL = getErrorURL(\n\t\t\tctx,\n\t\t\t\"unsupported_response_type\",\n\t\t\t\"unsupported response type\",\n\t\t);\n\t\tthrow ctx.redirect(errorURL);\n\t}\n\n\tconst requestScope =\n\t\tquery.scope?.split(\" \").filter((s) => s) ||\n\t\topts.defaultScope?.split(\" \") ||\n\t\t[];\n\tconst invalidScopes = requestScope.filter((scope) => {\n\t\treturn !opts.scopes.includes(scope);\n\t});\n\tif (invalidScopes.length) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_scope\",\n\t\t\t\t`The following scopes are invalid: ${invalidScopes.join(\", \")}`,\n\t\t\t),\n\t\t);\n\t}\n\n\tif (\n\t\t(!query.code_challenge || !query.code_challenge_method) &&\n\t\toptions.requirePKCE\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(query.redirect_uri, \"invalid_request\", \"pkce is required\"),\n\t\t);\n\t}\n\n\tif (!query.code_challenge_method) {\n\t\tquery.code_challenge_method = \"plain\";\n\t}\n\n\tif (\n\t\t![\n\t\t\t\"s256\",\n\t\t\toptions.allowPlainCodeChallengeMethod ? \"plain\" : \"s256\",\n\t\t].includes(query.code_challenge_method?.toLowerCase() || \"\")\n\t) {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"invalid code_challenge method\",\n\t\t\t),\n\t\t);\n\t}\n\n\tconst code = generateRandomString(32, \"a-z\", \"A-Z\", \"0-9\");\n\tconst codeExpiresInMs = opts.codeExpiresIn! * 1000;\n\tconst expiresAt = new Date(Date.now() + codeExpiresInMs);\n\n\t// Determine if consent is required\n\t// Consent is ALWAYS required unless:\n\t// 1. The client is trusted (skipConsent = true)\n\t// 2. The user has already consented and prompt is not \"consent\"\n\tconst skipConsentForTrustedClient = client.skipConsent;\n\tconst hasAlreadyConsented = await ctx.context.adapter\n\t\t.findOne<{\n\t\t\tconsentGiven: boolean;\n\t\t\tscopes: string;\n\t\t}>({\n\t\t\tmodel: \"oauthConsent\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: client.clientId,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\tvalue: session.user.id,\n\t\t\t\t},\n\t\t\t],\n\t\t})\n\t\t.then((res) => {\n\t\t\tif (!res?.consentGiven) {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tconst consentedScopes = res.scopes ? res.scopes.split(\" \") : [];\n\t\t\tconst hasConsented = requestScope.every((scope) =>\n\t\t\t\tconsentedScopes.includes(scope),\n\t\t\t);\n\t\t\treturn hasConsented;\n\t\t});\n\n\tconst promptSet = parsePrompt(query.prompt ?? \"\");\n\n\t// Handle prompt=none per OIDC spec 3.1.2.1\n\t// The Authorization Server MUST NOT display any authentication or consent UI\n\tif (promptSet.has(\"none\")) {\n\t\t// If consent is required, return consent_required error\n\t\tif (!skipConsentForTrustedClient && !hasAlreadyConsented) {\n\t\t\treturn handleRedirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"consent_required\",\n\t\t\t\t\t\"Consent required but prompt is none\",\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\t\t// If we reach here, user is authenticated and consent is satisfied\n\t\t// Continue without any UI interaction\n\t}\n\n\t// Handle max_age parameter per OIDC spec 3.1.2.1\n\t// max_age=0 is equivalent to prompt=login\n\tlet requireLogin = promptSet.has(\"login\");\n\tif (query.max_age !== undefined) {\n\t\tconst maxAge = Number(query.max_age);\n\t\tif (Number.isInteger(maxAge) && maxAge >= 0) {\n\t\t\tconst sessionAge =\n\t\t\t\t(Date.now() - new Date(session.session.createdAt).getTime()) / 1000;\n\t\t\tif (sessionAge > maxAge) {\n\t\t\t\t// Session is older than max_age, force re-authentication\n\t\t\t\trequireLogin = true;\n\t\t\t}\n\t\t}\n\t\t// If max_age is invalid (not a non-negative integer), ignore it per OIDC spec\n\t}\n\n\tconst requireConsent =\n\t\t!skipConsentForTrustedClient &&\n\t\t(!hasAlreadyConsented || promptSet.has(\"consent\"));\n\n\ttry {\n\t\t/**\n\t\t * Save the code in the database\n\t\t */\n\t\tawait ctx.context.internalAdapter.createVerificationValue({\n\t\t\tvalue: JSON.stringify({\n\t\t\t\tclientId: client.clientId,\n\t\t\t\tredirectURI: query.redirect_uri,\n\t\t\t\tscope: requestScope,\n\t\t\t\tuserId: session.user.id,\n\t\t\t\tauthTime: new Date(session.session.createdAt).getTime(),\n\t\t\t\t/**\n\t\t\t\t * Consent is required per OIDC spec unless:\n\t\t\t\t * 1. Client is trusted (skipConsent = true)\n\t\t\t\t * 2. User has already consented (and prompt is not \"consent\")\n\t\t\t\t *\n\t\t\t\t * When consent is required, the code needs to be treated as a\n\t\t\t\t * consent request. Once the user consents, the code will be\n\t\t\t\t * updated with the actual authorization code.\n\t\t\t\t */\n\t\t\t\trequireConsent,\n\t\t\t\tstate: requireConsent ? query.state : null,\n\t\t\t\tcodeChallenge: query.code_challenge,\n\t\t\t\tcodeChallengeMethod: query.code_challenge_method,\n\t\t\t\tnonce: query.nonce,\n\t\t\t}),\n\t\t\tidentifier: code,\n\t\t\texpiresAt,\n\t\t});\n\t} catch {\n\t\treturn handleRedirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"server_error\",\n\t\t\t\t\"An error occurred while processing the request\",\n\t\t\t),\n\t\t);\n\t}\n\n\tif (requireLogin) {\n\t\tawait ctx.setSignedCookie(\n\t\t\t\"oidc_login_prompt\",\n\t\t\tJSON.stringify(ctx.query),\n\t\t\tctx.context.secret,\n\t\t\t{\n\t\t\t\tmaxAge: 600,\n\t\t\t\tpath: \"/\",\n\t\t\t\tsameSite: \"lax\",\n\t\t\t},\n\t\t);\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\tconst loginURI = `${options.loginPage}?${new URLSearchParams({\n\t\t\tclient_id: client.clientId,\n\t\t\tcode,\n\t\t\tstate: query.state,\n\t\t}).toString()}`;\n\t\treturn handleRedirect(loginURI);\n\t}\n\n\t// If consent is not required, redirect with the code immediately\n\tif (!requireConsent) {\n\t\tconst redirectURIWithCode = new URL(redirectURI);\n\t\tredirectURIWithCode.searchParams.set(\"code\", code);\n\t\tredirectURIWithCode.searchParams.set(\"state\", ctx.query.state);\n\t\treturn handleRedirect(redirectURIWithCode.toString());\n\t}\n\n\t// Consent is required - redirect to consent page or show consent HTML\n\n\tif (options?.consentPage) {\n\t\t// Set cookie to support cookie-based consent flows\n\t\tawait ctx.setSignedCookie(\"oidc_consent_prompt\", code, ctx.context.secret, {\n\t\t\tmaxAge: 600,\n\t\t\tpath: \"/\",\n\t\t\tsameSite: \"lax\",\n\t\t});\n\n\t\t// Pass the consent code as a URL parameter to support URL-based consent flows\n\t\tconst urlParams = new URLSearchParams();\n\t\turlParams.set(\"consent_code\", code);\n\t\turlParams.set(\"client_id\", client.clientId);\n\t\turlParams.set(\"scope\", requestScope.join(\" \"));\n\t\tconst consentURI = `${options.consentPage}?${urlParams.toString()}`;\n\n\t\treturn handleRedirect(consentURI);\n\t}\n\tconst htmlFn = options?.getConsentHTML;\n\n\tif (!htmlFn) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\tmessage: \"No consent page provided\",\n\t\t});\n\t}\n\n\treturn new Response(\n\t\thtmlFn({\n\t\t\tscopes: requestScope,\n\t\t\tclientMetadata: client.metadata,\n\t\t\tclientIcon: client?.icon,\n\t\t\tclientId: client.clientId,\n\t\t\tclientName: client.name,\n\t\t\tcode,\n\t\t}),\n\t\t{\n\t\t\theaders: {\n\t\t\t\t\"content-type\": \"text/html\",\n\t\t\t},\n\t\t},\n\t);\n}\n"],"mappings":";;;;;;;;;;;AAUA,SAAS,eAAe,KAAa,OAAe,aAAqB;AACxE,QAAO,GAAG,MACT,IAAI,SAAS,IAAI,GAAG,MAAM,IAC1B,QAAQ,MAAM,qBAAqB;;AAGrC,SAAS,YACR,KACA,OACA,aACC;AAID,QADqB,eADpB,IAAI,QAAQ,QAAQ,YAAY,YAAY,GAAG,IAAI,QAAQ,QAAQ,SACvB,OAAO,YAAY;;AAIjE,eAAsB,UACrB,KACA,SACC;CACD,MAAM,kBAAkB,QAAgB;AAEvC,MADkB,sBAAsB,IAAI,SAAS,QAAQ,CAE5D,QAAO,IAAI,KAAK;GACf,UAAU;GACV;GACA,CAAC;MAEF,OAAM,IAAI,SAAS,IAAI;;CAIzB,MAAM,OAAO;EACZ,eAAe;EACf,cAAc;EACd,GAAG;EACH,QAAQ;GACP;GACA;GACA;GACA;GACA,GAAI,SAAS,UAAU,EAAE;GACzB;EACD;AACD,KAAI,CAAC,IAAI,QACR,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,QAAQ,IAAI;CAClB,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,SAAS;AAGb,MADkB,YAAY,MAAM,UAAU,GAAG,CACnC,IAAI,OAAO,EAAE;AAC1B,OAAI,CAAC,MAAM,aACV,OAAM,IAAI,eACT,sGACA;AAEF,OAAI,CAAC,MAAM,UACV,OAAM,IAAI,cAAc,wBAAwB;GAEjD,MAAM,SAAS,MAAM,UACpB,MAAM,WACN,QAAQ,kBAAkB,EAAE,CAC5B;AACD,OAAI,CAAC,OACJ,OAAM,IAAI,cAAc,wBAAwB;GAEjD,MAAM,mBAAmB,OAAO,aAAa,MAC3C,QAAQ,QAAQ,MAAM,aACvB;AACD,OAAI,CAAC,iBACJ,OAAM,IAAI,eACT,4DACA;AAEF,UAAO,eACN,eACC,kBACA,kBACA,6CACA,CACD;;;;;;AAOF,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;EACD,MAAM,eAAe,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC;AACjD,SAAO,eAAe,GAAG,QAAQ,UAAU,GAAG,eAAe;;AAG9D,KAAI,CAAC,MAAM,WAAW;EACrB,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,CAAC,MAAM,eAAe;EACzB,MAAM,WAAW,YAChB,KACA,mBACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,SAAS,MAAM,UACpB,IAAI,MAAM,WACV,QAAQ,kBAAkB,EAAE,CAC5B;AACD,KAAI,CAAC,QAAQ;EACZ,MAAM,WAAW,YAChB,KACA,kBACA,wBACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAE7B,MAAM,cAAc,OAAO,aAAa,MACtC,QAAQ,QAAQ,IAAI,MAAM,aAC3B;AAED,KAAI,CAAC,eAAe,CAAC,MAAM;;;;AAI1B,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,wBACT,CAAC;AAEH,KAAI,OAAO,UAAU;EACpB,MAAM,WAAW,YAAY,KAAK,mBAAmB,qBAAqB;AAC1E,QAAM,IAAI,SAAS,SAAS;;AAG7B,KAAI,MAAM,kBAAkB,QAAQ;EACnC,MAAM,WAAW,YAChB,KACA,6BACA,4BACA;AACD,QAAM,IAAI,SAAS,SAAS;;CAG7B,MAAM,eACL,MAAM,OAAO,MAAM,IAAI,CAAC,QAAQ,MAAM,EAAE,IACxC,KAAK,cAAc,MAAM,IAAI,IAC7B,EAAE;CACH,MAAM,gBAAgB,aAAa,QAAQ,UAAU;AACpD,SAAO,CAAC,KAAK,OAAO,SAAS,MAAM;GAClC;AACF,KAAI,cAAc,OACjB,QAAO,eACN,eACC,MAAM,cACN,iBACA,qCAAqC,cAAc,KAAK,KAAK,GAC7D,CACD;AAGF,MACE,CAAC,MAAM,kBAAkB,CAAC,MAAM,0BACjC,QAAQ,YAER,QAAO,eACN,eAAe,MAAM,cAAc,mBAAmB,mBAAmB,CACzE;AAGF,KAAI,CAAC,MAAM,sBACV,OAAM,wBAAwB;AAG/B,KACC,CAAC,CACA,QACA,QAAQ,gCAAgC,UAAU,OAClD,CAAC,SAAS,MAAM,uBAAuB,aAAa,IAAI,GAAG,CAE5D,QAAO,eACN,eACC,MAAM,cACN,mBACA,gCACA,CACD;CAGF,MAAM,OAAO,qBAAqB,IAAI,OAAO,OAAO,MAAM;CAC1D,MAAM,kBAAkB,KAAK,gBAAiB;CAC9C,MAAM,YAAY,IAAI,KAAK,KAAK,KAAK,GAAG,gBAAgB;CAMxD,MAAM,8BAA8B,OAAO;CAC3C,MAAM,sBAAsB,MAAM,IAAI,QAAQ,QAC5C,QAGE;EACF,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,OAAO;GACd,EACD;GACC,OAAO;GACP,OAAO,QAAQ,KAAK;GACpB,CACD;EACD,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,KAAK,aACT,QAAO;EAER,MAAM,kBAAkB,IAAI,SAAS,IAAI,OAAO,MAAM,IAAI,GAAG,EAAE;AAI/D,SAHqB,aAAa,OAAO,UACxC,gBAAgB,SAAS,MAAM,CAC/B;GAEA;CAEH,MAAM,YAAY,YAAY,MAAM,UAAU,GAAG;AAIjD,KAAI,UAAU,IAAI,OAAO,EAExB;MAAI,CAAC,+BAA+B,CAAC,oBACpC,QAAO,eACN,eACC,MAAM,cACN,oBACA,sCACA,CACD;;CAQH,IAAI,eAAe,UAAU,IAAI,QAAQ;AACzC,KAAI,MAAM,YAAY,QAAW;EAChC,MAAM,SAAS,OAAO,MAAM,QAAQ;AACpC,MAAI,OAAO,UAAU,OAAO,IAAI,UAAU,GAGzC;QADE,KAAK,KAAK,GAAG,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS,IAAI,MAC/C,OAEhB,gBAAe;;;CAMlB,MAAM,iBACL,CAAC,gCACA,CAAC,uBAAuB,UAAU,IAAI,UAAU;AAElD,KAAI;;;;AAIH,QAAM,IAAI,QAAQ,gBAAgB,wBAAwB;GACzD,OAAO,KAAK,UAAU;IACrB,UAAU,OAAO;IACjB,aAAa,MAAM;IACnB,OAAO;IACP,QAAQ,QAAQ,KAAK;IACrB,UAAU,IAAI,KAAK,QAAQ,QAAQ,UAAU,CAAC,SAAS;IAUvD;IACA,OAAO,iBAAiB,MAAM,QAAQ;IACtC,eAAe,MAAM;IACrB,qBAAqB,MAAM;IAC3B,OAAO,MAAM;IACb,CAAC;GACF,YAAY;GACZ;GACA,CAAC;SACK;AACP,SAAO,eACN,eACC,MAAM,cACN,gBACA,iDACA,CACD;;AAGF,KAAI,cAAc;AACjB,QAAM,IAAI,gBACT,qBACA,KAAK,UAAU,IAAI,MAAM,EACzB,IAAI,QAAQ,QACZ;GACC,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CACD;AACD,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;AAOF,SAAO,eALU,GAAG,QAAQ,UAAU,GAAG,IAAI,gBAAgB;GAC5D,WAAW,OAAO;GAClB;GACA,OAAO,MAAM;GACb,CAAC,CAAC,UAAU,GACkB;;AAIhC,KAAI,CAAC,gBAAgB;EACpB,MAAM,sBAAsB,IAAI,IAAI,YAAY;AAChD,sBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,sBAAoB,aAAa,IAAI,SAAS,IAAI,MAAM,MAAM;AAC9D,SAAO,eAAe,oBAAoB,UAAU,CAAC;;AAKtD,KAAI,SAAS,aAAa;AAEzB,QAAM,IAAI,gBAAgB,uBAAuB,MAAM,IAAI,QAAQ,QAAQ;GAC1E,QAAQ;GACR,MAAM;GACN,UAAU;GACV,CAAC;EAGF,MAAM,YAAY,IAAI,iBAAiB;AACvC,YAAU,IAAI,gBAAgB,KAAK;AACnC,YAAU,IAAI,aAAa,OAAO,SAAS;AAC3C,YAAU,IAAI,SAAS,aAAa,KAAK,IAAI,CAAC;AAG9C,SAAO,eAFY,GAAG,QAAQ,YAAY,GAAG,UAAU,UAAU,GAEhC;;CAElC,MAAM,SAAS,SAAS;AAExB,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,yBAAyB,EAC3C,SAAS,4BACT,CAAC;AAGH,QAAO,IAAI,SACV,OAAO;EACN,QAAQ;EACR,gBAAgB,OAAO;EACvB,YAAY,QAAQ;EACpB,UAAU,OAAO;EACjB,YAAY,OAAO;EACnB;EACA,CAAC,EACF,EACC,SAAS,EACR,gBAAgB,aAChB,EACD,CACD"}
package/dist/plugins/oidc-provider/error.mjs CHANGED
@@ -5,13 +5,23 @@ var OIDCProviderError = class extends APIError {};
5
5
  var InvalidRequest = class extends OIDCProviderError {
6
6
  constructor(error_description, error_detail) {
7
7
  super("BAD_REQUEST", {
8
- message: "invalid_request",
8
+ message: error_description,
9
+ error: "invalid_request",
9
10
  error_description,
10
11
  error_detail
11
12
  });
12
13
  }
13
14
  };
15
+ var InvalidClient = class extends OIDCProviderError {
16
+ constructor(error_description) {
17
+ super("BAD_REQUEST", {
18
+ message: error_description,
19
+ error: "invalid_client",
20
+ error_description
21
+ });
22
+ }
23
+ };
14
24
 
15
25
  //#endregion
16
- export { InvalidRequest };
26
+ export { InvalidClient, InvalidRequest };
17
27
  //# sourceMappingURL=error.mjs.map
package/dist/plugins/oidc-provider/error.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"error.mjs","names":[],"sources":["../../../src/plugins/oidc-provider/error.ts"],"sourcesContent":["import { APIError } from \"@better-auth/core/error\";\n\nclass OIDCProviderError extends APIError {}\n\nexport class InvalidRequest extends OIDCProviderError {\n\tconstructor(error_description: string, error_detail?: string) {\n\t\tsuper(\"BAD_REQUEST\", {\n\t\t\tmessage: \"invalid_request\",\n\t\t\terror_description,\n\t\t\terror_detail,\n\t\t});\n\t}\n}\n"],"mappings":";;;AAEA,IAAM,oBAAN,cAAgC,SAAS;AAEzC,IAAa,iBAAb,cAAoC,kBAAkB;CACrD,YAAY,mBAA2B,cAAuB;AAC7D,QAAM,eAAe;GACpB,SAAS;GACT;GACA;GACA,CAAC"}
1
+ {"version":3,"file":"error.mjs","names":[],"sources":["../../../src/plugins/oidc-provider/error.ts"],"sourcesContent":["import { APIError } from \"@better-auth/core/error\";\n\nclass OIDCProviderError extends APIError {}\n\nexport class InvalidRequest extends OIDCProviderError {\n\tconstructor(error_description: string, error_detail?: string) {\n\t\tsuper(\"BAD_REQUEST\", {\n\t\t\tmessage: error_description,\n\t\t\terror: \"invalid_request\",\n\t\t\terror_description,\n\t\t\terror_detail,\n\t\t});\n\t}\n}\n\nexport class InvalidClient extends OIDCProviderError {\n\tconstructor(error_description: string) {\n\t\tsuper(\"BAD_REQUEST\", {\n\t\t\tmessage: error_description,\n\t\t\terror: \"invalid_client\",\n\t\t\terror_description,\n\t\t});\n\t}\n}\n"],"mappings":";;;AAEA,IAAM,oBAAN,cAAgC,SAAS;AAEzC,IAAa,iBAAb,cAAoC,kBAAkB;CACrD,YAAY,mBAA2B,cAAuB;AAC7D,QAAM,eAAe;GACpB,SAAS;GACT,OAAO;GACP;GACA;GACA,CAAC;;;AAIJ,IAAa,gBAAb,cAAmC,kBAAkB;CACpD,YAAY,mBAA2B;AACtC,QAAM,eAAe;GACpB,SAAS;GACT,OAAO;GACP;GACA,CAAC"}
package/dist/plugins/oidc-provider/index.d.mts CHANGED
@@ -1,7 +1,6 @@
1
1
  import { InferOptionSchema } from "../../types/plugins.mjs";
2
2
  import { schema } from "./schema.mjs";
3
3
  import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "./types.mjs";
4
- import "../index.mjs";
5
4
  import { GenericEndpointContext } from "@better-auth/core";
6
5
  import * as _better_auth_core_db0 from "@better-auth/core/db";
7
6
  import * as better_call0 from "better-call";
package/dist/plugins/oidc-provider/types.d.mts CHANGED
@@ -1,6 +1,5 @@
1
1
  import { User } from "../../types/models.mjs";
2
2
  import { InferOptionSchema } from "../../types/plugins.mjs";
3
- import "../../types/index.mjs";
4
3
  import { OAuthApplication, schema } from "./schema.mjs";
5
4
 
6
5
  //#region src/plugins/oidc-provider/types.d.ts
package/dist/plugins/one-time-token/index.d.mts CHANGED
@@ -1,5 +1,4 @@
1
1
  import { Session, User } from "../../types/models.mjs";
2
- import "../../types/index.mjs";
3
2
  import { GenericEndpointContext } from "@better-auth/core";
4
3
  import * as better_call0 from "better-call";
5
4
  import * as z from "zod";
package/dist/plugins/organization/access/statement.d.mts CHANGED
@@ -1,7 +1,5 @@
1
1
  import { Subset } from "../../access/types.mjs";
2
2
  import { AuthorizeResponse } from "../../access/access.mjs";
3
- import "../../index.mjs";
4
-
5
3
  //#region src/plugins/organization/access/statement.d.ts
6
4
  declare const defaultStatements: {
7
5
  readonly organization: readonly ["update", "delete"];
package/dist/plugins/organization/adapter.d.mts CHANGED
@@ -1,7 +1,5 @@
1
1
  import { FieldAttributeToObject, InferAdditionalFieldsFromPluginOptions, RemoveFieldsWithReturnedFalse } from "../../db/field.mjs";
2
2
  import { User as User$1 } from "../../types/models.mjs";
3
- import "../../types/index.mjs";
4
- import "../../db/index.mjs";
5
3
  import { OrganizationOptions } from "./types.mjs";
6
4
  import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferTeam, InvitationStatus, MemberInput, OrganizationInput, TeamInput, TeamMember } from "./schema.mjs";
7
5
  import { AuthContext, GenericEndpointContext } from "@better-auth/core";
package/dist/plugins/organization/adapter.mjs CHANGED
@@ -537,9 +537,9 @@ const getOrgAdapter = (context, options) => {
537
537
  value: email.toLowerCase()
538
538
  }],
539
539
  join: { organization: true }
540
- })).map(({ organization, ...inv }) => ({
540
+ })).filter(Boolean).map(({ organization, ...inv }) => ({
541
541
  ...inv,
542
- organizationName: organization.name
542
+ organizationName: organization?.name
543
543
  }));
544
544
  },
545
545
  createInvitation: async ({ invitation, user }) => {