better-auth 1.6.1 → 1.6.2

package/dist/api/routes/callback.mjs

@@ -104,7 +104,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			return redirectOnError("unable_to_link_account");
 		}
 		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError("email_doesn't_match");
-		const existingAccount = await c.context.internalAdapter.findAccount(String(userInfo.id));
+		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(String(userInfo.id), provider.id);
 		if (existingAccount) {
 			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError("account_already_linked_to_different_user");
 			const updateData = Object.fromEntries(Object.entries({

package/dist/integrations/next-js.mjs

@@ -24,20 +24,29 @@ const nextCookies = () => {
 				matcher(ctx) {
 					return ctx.path === "/get-session";
 				},
-				handler: createAuthMiddleware(async () => {
-					let cookieStore;
+				handler: createAuthMiddleware(async (ctx) => {
+					if ("_flag" in ctx && ctx._flag === "router") return;
+					let headersStore;
 					try {
-						const { cookies } = await import("next/headers.js");
-						cookieStore = await cookies();
+						const { headers } = await import("next/headers.js");
+						headersStore = await headers();
 					} catch {
 						return;
 					}
-					try {
-						cookieStore.set("__better-auth-cookie-store", "1", { maxAge: 0 });
-						cookieStore.delete("__better-auth-cookie-store");
-					} catch {
-						await setShouldSkipSessionRefresh(true);
-					}
+					/**
+					* Detect RSC via headers, NOT by probing cookies().set().
+					* In Next.js, cookies().set() unconditionally triggers router
+					* cache invalidation -- even if the value is unchanged.
+					*
+					* RSC sends `RSC: 1` without `next-action`. Only in that
+					* context cookies cannot be written -- skip session refresh
+					* to avoid DB/cookie mismatch.
+					*
+					* @see https://github.com/vercel/next.js/blob/8c5af211d580/packages/next/src/server/web/spec-extension/adapters/request-cookies.ts#L112-L157
+					*/
+					const isRSC = headersStore.get("RSC") === "1";
+					const isServerAction = !!headersStore.get("next-action");
+					if (isRSC && !isServerAction) await setShouldSkipSessionRefresh(true);
 				})
 			}],
 			after: [{
@@ -51,12 +60,12 @@ const nextCookies = () => {
 						const setCookies = returned?.get("set-cookie");
 						if (!setCookies) return;
 						const parsed = parseSetCookieHeader(setCookies);
-						const { cookies } = await import("next/headers.js");
 						let cookieHelper;
 						try {
+							const { cookies } = await import("next/headers.js");
 							cookieHelper = await cookies();
 						} catch (error) {
-							if (error instanceof Error && error.message.startsWith("`cookies` was called outside a request scope.")) return;
+							if (error instanceof Error && (error.message.startsWith("`cookies` was called outside a request scope.") || error.message.includes("Cannot find module"))) return;
 							throw error;
 						}
 						parsed.forEach((value, key) => {

package/dist/oauth2/state.d.mts

@@ -15,6 +15,7 @@ declare function parseState(c: GenericEndpointContext): Promise<{
   expiresAt: number;
   errorURL?: string | undefined;
   newUserURL?: string | undefined;
+  oauthState?: string | undefined;
   link?: {
     email: string;
     userId: string;

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.1";
+var version = "1.6.2";
 //#endregion
 export { version };

package/dist/plugins/oauth-proxy/index.mjs

@@ -164,6 +164,10 @@ const oAuthProxy = (opts) => {
 						return;
 					}
 					const errorURL = stateData.errorURL || ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
+					if (stateData.oauthState !== void 0 && stateData.oauthState !== statePackage.state) {
+						ctx.context.logger.error("OAuth proxy state binding mismatch");
+						throw redirectOnError(ctx, errorURL, "state_mismatch");
+					}
 					if (error) throw redirectOnError(ctx, errorURL, error);
 					if (!code) {
 						ctx.context.logger.error("OAuth callback missing authorization code");

package/dist/plugins/two-factor/client.d.mts

@@ -19,8 +19,18 @@ declare const twoFactorClient: (options?: {
   /**
    * a redirect function to call if a user needs to verify
    * their two factor
+   *
+   * @param context.twoFactorMethods - The list of
+   * enabled two factor providers (e.g. ["totp", "otp"]).
+   * Use this to determine which 2FA UI to show.
    */
-  onTwoFactorRedirect?: () => void | Promise<void>;
+  onTwoFactorRedirect?: (context: {
+    /**
+     * The list of enabled two factor providers
+     * for the user (e.g. ["totp", "otp"]).
+     */
+    twoFactorMethods?: string[];
+  }) => void | Promise<void>;
 } | undefined) => {
   id: "two-factor";
   version: string;

package/dist/plugins/two-factor/client.mjs

@@ -26,7 +26,7 @@ const twoFactorClient = (options) => {
 			hooks: { async onSuccess(context) {
 				if (context.data?.twoFactorRedirect) {
 					if (options?.onTwoFactorRedirect) {
-						await options.onTwoFactorRedirect();
+						await options.onTwoFactorRedirect({ twoFactorMethods: context.data.twoFactorMethods });
 						return;
 					}
 					if (options?.twoFactorPage && typeof window !== "undefined") window.location.href = options.twoFactorPage;

package/dist/plugins/two-factor/index.d.mts

@@ -618,6 +618,7 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
       matcher(context: _better_auth_core0.HookEndpointContext): boolean;
       handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
         twoFactorRedirect: boolean;
+        twoFactorMethods: string[];
       } | undefined>;
     }[];
   };
@@ -655,6 +656,12 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
           };
           index: true;
         };
+        verified: {
+          type: "boolean";
+          required: false;
+          defaultValue: true;
+          input: false;
+        };
       };
     };
   };

package/dist/plugins/two-factor/index.mjs

@@ -103,6 +103,13 @@ const twoFactor = (options) => {
 					});
 					await ctx.context.internalAdapter.deleteSession(ctx.context.session.session.token);
 				}
+				const existingTwoFactor = await ctx.context.adapter.findOne({
+					model: opts.twoFactorTable,
+					where: [{
+						field: "userId",
+						value: user.id
+					}]
+				});
 				await ctx.context.adapter.deleteMany({
 					model: opts.twoFactorTable,
 					where: [{
@@ -115,7 +122,8 @@ const twoFactor = (options) => {
 					data: {
 						secret: encryptedSecret,
 						backupCodes: backupCodes.encryptedBackupCodes,
-						userId: user.id
+						userId: user.id,
+						verified: existingTwoFactor != null && existingTwoFactor.verified !== false || !!options?.skipVerificationOnEnable
 					}
 				});
 				const totpURI = createOTP(secret, {
@@ -225,7 +233,30 @@ const twoFactor = (options) => {
 					expiresAt: new Date(Date.now() + maxAge * 1e3)
 				});
 				await ctx.setSignedCookie(twoFactorCookie.name, identifier, ctx.context.secret, twoFactorCookie.attributes);
-				return ctx.json({ twoFactorRedirect: true });
+				const twoFactorMethods = [];
+				/**
+				* totp requires per-user setup, so we check
+				* that the user actually has a secret stored.
+				*/
+				if (!options?.totpOptions?.disable) {
+					const userTotpSecret = await ctx.context.adapter.findOne({
+						model: opts.twoFactorTable,
+						where: [{
+							field: "userId",
+							value: data.user.id
+						}]
+					});
+					if (userTotpSecret && userTotpSecret.verified !== false) twoFactorMethods.push("totp");
+				}
+				/**
+				* otp is server-level — if sendOTP is configured,
+				* any user with 2fa enabled can receive a code.
+				*/
+				if (options?.otpOptions?.sendOTP) twoFactorMethods.push("otp");
+				return ctx.json({
+					twoFactorRedirect: true,
+					twoFactorMethods
+				});
 			})
 		}] },
 		schema: mergeSchema(schema, {

package/dist/plugins/two-factor/otp/index.mjs

@@ -175,11 +175,11 @@ const otp2fa = (options) => {
 						if (!session.session) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
 						const updatedUser = await ctx.context.internalAdapter.updateUser(session.user.id, { twoFactorEnabled: true });
 						const newSession = await ctx.context.internalAdapter.createSession(session.user.id, false, session.session);
-						await ctx.context.internalAdapter.deleteSession(session.session.token);
 						await setSessionCookie(ctx, {
 							session: newSession,
 							user: updatedUser
 						});
+						await ctx.context.internalAdapter.deleteSession(session.session.token);
 						return ctx.json({
 							token: newSession.token,
 							user: parseUserOutput(ctx.context.options, updatedUser)

package/dist/plugins/two-factor/schema.d.mts

@@ -33,6 +33,12 @@ declare const schema: {
         };
         index: true;
       };
+      verified: {
+        type: "boolean";
+        required: false;
+        defaultValue: true;
+        input: false;
+      };
     };
   };
 };

package/dist/plugins/two-factor/schema.mjs

@@ -27,6 +27,12 @@ const schema = {
 				field: "id"
 			},
 			index: true
+		},
+		verified: {
+			type: "boolean",
+			required: false,
+			defaultValue: true,
+			input: false
 		}
 	} }
 };

package/dist/plugins/two-factor/totp/index.mjs

@@ -124,6 +124,7 @@ const totp2fa = (options) => {
 				}
 				const { session, valid, invalid } = await verifyTwoFactor(ctx);
 				const user = session.user;
+				const isSignIn = !session.session;
 				const twoFactor = await ctx.context.adapter.findOne({
 					model: twoFactorTable,
 					where: [{
@@ -132,6 +133,7 @@ const totp2fa = (options) => {
 					}]
 				});
 				if (!twoFactor) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED);
+				if (isSignIn && twoFactor.verified === false) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED);
 				if (!await createOTP(await symmetricDecrypt({
 					key: ctx.context.secretConfig,
 					data: twoFactor.secret
@@ -139,16 +141,23 @@ const totp2fa = (options) => {
 					period: opts.period,
 					digits: opts.digits
 				}).verify(ctx.body.code)) return invalid("INVALID_CODE");
-				if (!user.twoFactorEnabled) {
-					if (!session.session) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
-					const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: true });
-					const newSession = await ctx.context.internalAdapter.createSession(user.id, false, session.session).catch((e) => {
-						throw e;
-					});
-					await ctx.context.internalAdapter.deleteSession(session.session.token);
-					await setSessionCookie(ctx, {
-						session: newSession,
-						user: updatedUser
+				if (twoFactor.verified !== true) {
+					if (!user.twoFactorEnabled) {
+						const activeSession = session.session;
+						const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: true });
+						await setSessionCookie(ctx, {
+							session: await ctx.context.internalAdapter.createSession(user.id, false, activeSession),
+							user: updatedUser
+						});
+						await ctx.context.internalAdapter.deleteSession(activeSession.token);
+					}
+					await ctx.context.adapter.update({
+						model: twoFactorTable,
+						update: { verified: true },
+						where: [{
+							field: "id",
+							value: twoFactor.id
+						}]
 					});
 				}
 				return valid(ctx);

package/dist/plugins/two-factor/types.d.mts

@@ -80,7 +80,7 @@ interface TwoFactorTable {
   userId: string;
   secret: string;
   backupCodes: string;
-  enabled: boolean;
+  verified: boolean;
 }
 //#endregion
 export { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor };

package/dist/state.d.mts

@@ -9,6 +9,11 @@ declare const stateDataSchema: z.ZodObject<{
   errorURL: z.ZodOptional<z.ZodString>;
   newUserURL: z.ZodOptional<z.ZodString>;
   expiresAt: z.ZodNumber;
+  /**
+   * CSRF nonce returned to the OAuth provider. When using cookie state storage,
+   * this must match the callback `state` query parameter.
+   */
+  oauthState: z.ZodOptional<z.ZodString>;
   link: z.ZodOptional<z.ZodObject<{
     email: z.ZodString;
     userId: z.ZodCoercedString<unknown>;
@@ -32,6 +37,7 @@ declare function parseGenericState(c: GenericEndpointContext, state: string, set
   expiresAt: number;
   errorURL?: string | undefined;
   newUserURL?: string | undefined;
+  oauthState?: string | undefined;
   link?: {
     email: string;
     userId: string;

package/dist/state.mjs

@@ -10,6 +10,7 @@ const stateDataSchema = z.looseObject({
 	errorURL: z.string().optional(),
 	newUserURL: z.string().optional(),
 	expiresAt: z.number(),
+	oauthState: z.string().optional(),
 	link: z.object({
 		email: z.string(),
 		userId: z.coerce.string()
@@ -28,9 +29,13 @@ var StateError = class extends BetterAuthError {
 async function generateGenericState(c, stateData, settings) {
 	const state = generateRandomString(32);
 	if (c.context.oauthConfig.storeStateStrategy === "cookie") {
+		const payload = {
+			...stateData,
+			oauthState: state
+		};
 		const encryptedData = await symmetricEncrypt({
 			key: c.context.secretConfig,
-			data: JSON.stringify(stateData)
+			data: JSON.stringify(payload)
 		});
 		const stateCookie = c.context.createAuthCookie(settings?.cookieName ?? "oauth_state", { maxAge: 600 });
 		c.setCookie(stateCookie.name, encryptedData, stateCookie.attributes);
@@ -44,7 +49,10 @@ async function generateGenericState(c, stateData, settings) {
 	const expiresAt = /* @__PURE__ */ new Date();
 	expiresAt.setMinutes(expiresAt.getMinutes() + 10);
 	if (!await c.context.internalAdapter.createVerificationValue({
-		value: JSON.stringify(stateData),
+		value: JSON.stringify({
+			...stateData,
+			oauthState: state
+		}),
 		identifier: state,
 		expiresAt
 	})) throw new StateError("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database", { code: "state_generation_error" });
@@ -76,6 +84,10 @@ async function parseGenericState(c, state, settings) {
 				cause: error
 			});
 		}
+		if (!parsedData.oauthState || parsedData.oauthState !== state) throw new StateError("State mismatch: OAuth state parameter does not match stored state", {
+			code: "state_security_mismatch",
+			details: { state }
+		});
 		expireCookie(c, stateCookie);
 	} else {
 		const data = await c.context.internalAdapter.findVerificationValue(state);
@@ -84,6 +96,10 @@ async function parseGenericState(c, state, settings) {
 			details: { state }
 		});
 		parsedData = stateDataSchema.parse(JSON.parse(data.value));
+		if (parsedData.oauthState !== void 0 && parsedData.oauthState !== state) throw new StateError("State mismatch: OAuth state parameter does not match stored state", {
+			code: "state_security_mismatch",
+			details: { state }
+		});
 		const stateCookie = c.context.createAuthCookie(settings?.cookieName ?? "state");
 		const stateCookieValue = await c.getSignedCookie(stateCookie.name, c.context.secret);
 		if (!(settings?.skipStateCookieCheck ?? c.context.oauthConfig.skipStateCookieCheck) && (!stateCookieValue || stateCookieValue !== state)) throw new StateError("State mismatch: State not persisted correctly", {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.1",
+  "version": "1.6.2",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.1",
-    "@better-auth/drizzle-adapter": "1.6.1",
-    "@better-auth/kysely-adapter": "1.6.1",
-    "@better-auth/memory-adapter": "1.6.1",
-    "@better-auth/mongo-adapter": "1.6.1",
-    "@better-auth/prisma-adapter": "1.6.1",
-    "@better-auth/telemetry": "1.6.1"
+    "@better-auth/core": "1.6.2",
+    "@better-auth/drizzle-adapter": "1.6.2",
+    "@better-auth/kysely-adapter": "1.6.2",
+    "@better-auth/memory-adapter": "1.6.2",
+    "@better-auth/mongo-adapter": "1.6.2",
+    "@better-auth/prisma-adapter": "1.6.2",
+    "@better-auth/telemetry": "1.6.2"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",