better-auth 1.6.1 → 1.6.3

package/dist/plugins/mcp/index.mjs

@@ -1,7 +1,8 @@
 import { getBaseURL, isDynamicBaseURLConfig, resolveBaseURL } from "../../utils/url.mjs";
-import { generateRandomString } from "../../crypto/random.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { generateRandomString } from "../../crypto/random.mjs";
 import { expireCookie } from "../../cookies/index.mjs";
+import { resolveDynamicTrustedProxyHeaders } from "../../context/helpers.mjs";
 import { getSessionFromCtx } from "../../api/routes/session.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { APIError } from "../../api/index.mjs";
@@ -15,9 +16,9 @@ import { safeJSONParse } from "@better-auth/core/utils/json";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
-import { createHash } from "@better-auth/utils/hash";
-import { getWebcryptoSubtle } from "@better-auth/utils";
 import { SignJWT } from "jose";
+import { getWebcryptoSubtle } from "@better-auth/utils";
+import { createHash } from "@better-auth/utils/hash";
 //#region src/plugins/mcp/index.ts
 const getMCPProviderMetadata = (ctx, options) => {
 	const issuer = typeof ctx.context.options.baseURL === "string" ? ctx.context.options.baseURL : "";
@@ -662,10 +663,15 @@ const mcp = (options) => {
 const withMcpAuth = (auth, handler) => {
 	return async (req) => {
 		const basePath = auth.options.basePath || "/api/auth";
-		const baseURL = isDynamicBaseURLConfig(auth.options.baseURL) ? resolveBaseURL(auth.options.baseURL, basePath, req) : getBaseURL(typeof auth.options.baseURL === "string" ? auth.options.baseURL : void 0, basePath);
+		const trustedProxyHeaders = resolveDynamicTrustedProxyHeaders(auth.options);
+		const baseURL = isDynamicBaseURLConfig(auth.options.baseURL) ? resolveBaseURL(auth.options.baseURL, basePath, req, void 0, trustedProxyHeaders) : getBaseURL(typeof auth.options.baseURL === "string" ? auth.options.baseURL : void 0, basePath);
 		if (!baseURL && !isProduction) logger.warn("Unable to get the baseURL, please check your config!");
-		const session = await auth.api.getMcpSession({ headers: req.headers });
-		const wwwAuthenticateValue = `Bearer resource_metadata="${baseURL}/.well-known/oauth-protected-resource"`;
+		const session = await auth.api.getMcpSession({
+			request: req,
+			headers: req.headers,
+			asResponse: false
+		});
+		const wwwAuthenticateValue = baseURL ? `Bearer resource_metadata="${baseURL}/.well-known/oauth-protected-resource"` : "Bearer";
 		if (!session) return Response.json({
 			jsonrpc: "2.0",
 			error: {
@@ -686,7 +692,10 @@ const withMcpAuth = (auth, handler) => {
 };
 const oAuthDiscoveryMetadata = (auth) => {
 	return async (request) => {
-		const res = await auth.api.getMcpOAuthConfig();
+		const res = await auth.api.getMcpOAuthConfig({
+			request,
+			asResponse: false
+		});
 		return new Response(JSON.stringify(res), {
 			status: 200,
 			headers: {
@@ -701,7 +710,10 @@ const oAuthDiscoveryMetadata = (auth) => {
 };
 const oAuthProtectedResourceMetadata = (auth) => {
 	return async (request) => {
-		const res = await auth.api.getMCPProtectedResource();
+		const res = await auth.api.getMCPProtectedResource({
+			request,
+			asResponse: false
+		});
 		return new Response(JSON.stringify(res), {
 			status: 200,
 			headers: {

package/dist/plugins/oauth-proxy/index.mjs

@@ -1,7 +1,7 @@
 import { getOrigin } from "../../utils/url.mjs";
 import { originCheck } from "../../api/middlewares/origin-check.mjs";
-import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { parseGenericState } from "../../state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
@@ -164,6 +164,10 @@ const oAuthProxy = (opts) => {
 						return;
 					}
 					const errorURL = stateData.errorURL || ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
+					if (stateData.oauthState !== void 0 && stateData.oauthState !== statePackage.state) {
+						ctx.context.logger.error("OAuth proxy state binding mismatch");
+						throw redirectOnError(ctx, errorURL, "state_mismatch");
+					}
 					if (error) throw redirectOnError(ctx, errorURL, error);
 					if (!code) {
 						ctx.context.logger.error("OAuth callback missing authorization code");

package/dist/plugins/oidc-provider/index.mjs

@@ -1,7 +1,7 @@
 import { mergeSchema } from "../../db/schema.mjs";
+import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
-import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
 import { expireCookie } from "../../cookies/index.mjs";
 import { getSessionFromCtx, sessionMiddleware } from "../../api/routes/session.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
@@ -18,8 +18,8 @@ import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api"
 import { deprecate } from "@better-auth/core/utils/deprecate";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
-import { createHash } from "@better-auth/utils/hash";
 import { SignJWT, jwtVerify } from "jose";
+import { createHash } from "@better-auth/utils/hash";
 //#region src/plugins/oidc-provider/index.ts
 /**
 * Get a client by ID, checking trusted clients first, then database

package/dist/plugins/organization/organization.d.mts

@@ -99,11 +99,9 @@ declare const createHasPermission: <O extends OrganizationOptions>(options: O) =
   requireHeaders: true;
   body: z.ZodIntersection<z.ZodObject<{
     organizationId: z.ZodOptional<z.ZodString>;
-  }, z.core.$strip>, z.ZodUnion<readonly [z.ZodObject<{
+  }, z.core.$strip>, z.ZodXor<readonly [z.ZodObject<{
     permission: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>;
-    permissions: z.ZodUndefined;
   }, z.core.$strip>, z.ZodObject<{
-    permission: z.ZodUndefined;
     permissions: z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>;
   }, z.core.$strip>]>>;
   use: ((inputContext: better_call0.MiddlewareInputContext<{

package/dist/plugins/organization/organization.mjs

@@ -18,13 +18,7 @@ import * as z from "zod";
 function parseRoles(roles) {
 	return Array.isArray(roles) ? roles.join(",") : roles;
 }
-const createHasPermissionBodySchema = z.object({ organizationId: z.string().optional() }).and(z.union([z.object({
-	permission: z.record(z.string(), z.array(z.string())),
-	permissions: z.undefined()
-}), z.object({
-	permission: z.undefined(),
-	permissions: z.record(z.string(), z.array(z.string()))
-})]));
+const createHasPermissionBodySchema = z.object({ organizationId: z.string().optional() }).and(z.xor([z.object({ permission: z.record(z.string(), z.array(z.string())) }), z.object({ permissions: z.record(z.string(), z.array(z.string())) })]));
 const createHasPermission = (options) => {
 	return createAuthEndpoint("/organization/has-permission", {
 		method: "POST",

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -1,6 +1,6 @@
 import { getDate } from "../../../utils/date.mjs";
-import { toZodSchema } from "../../../db/to-zod.mjs";
 import { setSessionCookie } from "../../../cookies/index.mjs";
+import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx } from "../../../api/routes/session.mjs";
 import { defaultRoles } from "../access/statement.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";

package/dist/plugins/organization/routes/crud-org.mjs

@@ -1,5 +1,5 @@
-import { toZodSchema } from "../../../db/to-zod.mjs";
 import { setSessionCookie } from "../../../cookies/index.mjs";
+import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx, requestOnlySessionMiddleware } from "../../../api/routes/session.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
 import { getOrgAdapter } from "../adapter.mjs";

package/dist/plugins/organization/routes/crud-team.mjs

@@ -1,5 +1,5 @@
-import { toZodSchema } from "../../../db/to-zod.mjs";
 import { setSessionCookie } from "../../../cookies/index.mjs";
+import { toZodSchema } from "../../../db/to-zod.mjs";
 import { getSessionFromCtx } from "../../../api/routes/session.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../error-codes.mjs";
 import { getOrgAdapter } from "../adapter.mjs";

package/dist/plugins/phone-number/routes.mjs

@@ -1,5 +1,5 @@
-import { getDate } from "../../utils/date.mjs";
 import { parseUserInput, parseUserOutput } from "../../db/schema.mjs";
+import { getDate } from "../../utils/date.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getSessionFromCtx } from "../../api/routes/session.mjs";

package/dist/plugins/two-factor/backup-codes/index.d.mts

@@ -36,6 +36,7 @@ interface BackupCodeOptions {
    */
   allowPasswordless?: boolean | undefined;
 }
+declare function encodeBackupCodes(codes: string[], secret: string | SecretConfig, options?: BackupCodeOptions | undefined): Promise<string>;
 declare function generateBackupCodes(secret: string | SecretConfig, options?: BackupCodeOptions | undefined): Promise<{
   backupCodes: string[];
   encryptedBackupCodes: string;
@@ -286,4 +287,4 @@ declare const backupCode2fa: (opts: BackupCodeOptions) => {
   };
 };
 //#endregion
-export { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode };
+export { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode };

package/dist/plugins/two-factor/backup-codes/index.mjs

@@ -14,22 +14,20 @@ import * as z from "zod";
 function generateBackupCodesFn(options) {
 	return Array.from({ length: options?.amount ?? 10 }).fill(null).map(() => generateRandomString(options?.length ?? 10, "a-z", "0-9", "A-Z")).map((code) => `${code.slice(0, 5)}-${code.slice(5)}`);
 }
+async function encodeBackupCodes(codes, secret, options) {
+	const json = JSON.stringify(codes);
+	if (options?.storeBackupCodes === "encrypted") return symmetricEncrypt({
+		data: json,
+		key: secret
+	});
+	if (typeof options?.storeBackupCodes === "object" && "encrypt" in options?.storeBackupCodes) return options.storeBackupCodes.encrypt(json);
+	return json;
+}
 async function generateBackupCodes(secret, options) {
 	const backupCodes = options?.customBackupCodesGenerate ? options.customBackupCodesGenerate() : generateBackupCodesFn(options);
-	if (options?.storeBackupCodes === "encrypted") return {
-		backupCodes,
-		encryptedBackupCodes: await symmetricEncrypt({
-			data: JSON.stringify(backupCodes),
-			key: secret
-		})
-	};
-	if (typeof options?.storeBackupCodes === "object" && "encrypt" in options?.storeBackupCodes) return {
-		backupCodes,
-		encryptedBackupCodes: await options?.storeBackupCodes.encrypt(JSON.stringify(backupCodes))
-	};
 	return {
 		backupCodes,
-		encryptedBackupCodes: JSON.stringify(backupCodes)
+		encryptedBackupCodes: await encodeBackupCodes(backupCodes, secret, options)
 	};
 }
 async function verifyBackupCode(data, key, options) {
@@ -177,11 +175,8 @@ const backupCode2fa = (opts) => {
 					backupCodes: twoFactor.backupCodes,
 					code: ctx.body.code
 				}, ctx.context.secretConfig, opts);
-				if (!validate.status) throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_BACKUP_CODE);
-				const updatedBackupCodes = await symmetricEncrypt({
-					key: ctx.context.secretConfig,
-					data: JSON.stringify(validate.updated)
-				});
+				if (!validate.status || !validate.updated) throw APIError.from("UNAUTHORIZED", TWO_FACTOR_ERROR_CODES.INVALID_BACKUP_CODE);
+				const updatedBackupCodes = await encodeBackupCodes(validate.updated, ctx.context.secretConfig, opts);
 				if (!await ctx.context.adapter.update({
 					model: twoFactorTable,
 					update: { backupCodes: updatedBackupCodes },

package/dist/plugins/two-factor/client.d.mts

@@ -1,4 +1,4 @@
-import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./backup-codes/index.mjs";
+import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./backup-codes/index.mjs";
 import { OTPOptions, otp2fa } from "./otp/index.mjs";
 import { TOTPOptions, totp2fa } from "./totp/index.mjs";
 import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "./types.mjs";
@@ -19,8 +19,18 @@ declare const twoFactorClient: (options?: {
   /**
    * a redirect function to call if a user needs to verify
    * their two factor
+   *
+   * @param context.twoFactorMethods - The list of
+   * enabled two factor providers (e.g. ["totp", "otp"]).
+   * Use this to determine which 2FA UI to show.
    */
-  onTwoFactorRedirect?: () => void | Promise<void>;
+  onTwoFactorRedirect?: (context: {
+    /**
+     * The list of enabled two factor providers
+     * for the user (e.g. ["totp", "otp"]).
+     */
+    twoFactorMethods?: string[];
+  }) => void | Promise<void>;
 } | undefined) => {
   id: "two-factor";
   version: string;

package/dist/plugins/two-factor/client.mjs

@@ -26,7 +26,7 @@ const twoFactorClient = (options) => {
 			hooks: { async onSuccess(context) {
 				if (context.data?.twoFactorRedirect) {
 					if (options?.onTwoFactorRedirect) {
-						await options.onTwoFactorRedirect();
+						await options.onTwoFactorRedirect({ twoFactorMethods: context.data.twoFactorMethods });
 						return;
 					}
 					if (options?.twoFactorPage && typeof window !== "undefined") window.location.href = options.twoFactorPage;

package/dist/plugins/two-factor/index.d.mts

@@ -1,4 +1,4 @@
-import { BackupCodeOptions, backupCode2fa, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./backup-codes/index.mjs";
+import { BackupCodeOptions, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, verifyBackupCode } from "./backup-codes/index.mjs";
 import { OTPOptions, otp2fa } from "./otp/index.mjs";
 import { TOTPOptions, totp2fa } from "./totp/index.mjs";
 import { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor } from "./types.mjs";
@@ -618,6 +618,7 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
       matcher(context: _better_auth_core0.HookEndpointContext): boolean;
       handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
         twoFactorRedirect: boolean;
+        twoFactorMethods: string[];
       } | undefined>;
     }[];
   };
@@ -655,6 +656,12 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
           };
           index: true;
         };
+        verified: {
+          type: "boolean";
+          required: false;
+          defaultValue: true;
+          input: false;
+        };
       };
     };
   };
@@ -676,4 +683,4 @@ declare const twoFactor: <O extends TwoFactorOptions>(options?: O) => {
   };
 };
 //#endregion
-export { BackupCodeOptions, OTPOptions, TOTPOptions, TWO_FACTOR_ERROR_CODES, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor, backupCode2fa, generateBackupCodes, getBackupCodes, otp2fa, totp2fa, twoFactor, twoFactorClient, verifyBackupCode };
+export { BackupCodeOptions, OTPOptions, TOTPOptions, TWO_FACTOR_ERROR_CODES, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor, backupCode2fa, encodeBackupCodes, generateBackupCodes, getBackupCodes, otp2fa, totp2fa, twoFactor, twoFactorClient, verifyBackupCode };

package/dist/plugins/two-factor/index.mjs

@@ -103,6 +103,13 @@ const twoFactor = (options) => {
 					});
 					await ctx.context.internalAdapter.deleteSession(ctx.context.session.session.token);
 				}
+				const existingTwoFactor = await ctx.context.adapter.findOne({
+					model: opts.twoFactorTable,
+					where: [{
+						field: "userId",
+						value: user.id
+					}]
+				});
 				await ctx.context.adapter.deleteMany({
 					model: opts.twoFactorTable,
 					where: [{
@@ -115,7 +122,8 @@ const twoFactor = (options) => {
 					data: {
 						secret: encryptedSecret,
 						backupCodes: backupCodes.encryptedBackupCodes,
-						userId: user.id
+						userId: user.id,
+						verified: existingTwoFactor != null && existingTwoFactor.verified !== false || !!options?.skipVerificationOnEnable
 					}
 				});
 				const totpURI = createOTP(secret, {
@@ -181,12 +189,13 @@ const twoFactor = (options) => {
 		options,
 		hooks: { after: [{
 			matcher(context) {
-				return context.path === "/sign-in/email" || context.path === "/sign-in/username" || context.path === "/sign-in/phone-number";
+				return context.context.newSession != null && !context.path?.startsWith("/two-factor/");
 			},
 			handler: createAuthMiddleware(async (ctx) => {
 				const data = ctx.context.newSession;
 				if (!data) return;
 				if (!data?.user.twoFactorEnabled) return;
+				if (ctx.context.session) return;
 				const trustDeviceCookieAttrs = ctx.context.createAuthCookie(TRUST_DEVICE_COOKIE_NAME, { maxAge: trustDeviceMaxAge });
 				const trustDeviceCookie = await ctx.getSignedCookie(trustDeviceCookieAttrs.name, ctx.context.secret);
 				if (trustDeviceCookie) {
@@ -225,7 +234,30 @@ const twoFactor = (options) => {
 					expiresAt: new Date(Date.now() + maxAge * 1e3)
 				});
 				await ctx.setSignedCookie(twoFactorCookie.name, identifier, ctx.context.secret, twoFactorCookie.attributes);
-				return ctx.json({ twoFactorRedirect: true });
+				const twoFactorMethods = [];
+				/**
+				* totp requires per-user setup, so we check
+				* that the user actually has a secret stored.
+				*/
+				if (!options?.totpOptions?.disable) {
+					const userTotpSecret = await ctx.context.adapter.findOne({
+						model: opts.twoFactorTable,
+						where: [{
+							field: "userId",
+							value: data.user.id
+						}]
+					});
+					if (userTotpSecret && userTotpSecret.verified !== false) twoFactorMethods.push("totp");
+				}
+				/**
+				* otp is server-level — if sendOTP is configured,
+				* any user with 2fa enabled can receive a code.
+				*/
+				if (options?.otpOptions?.sendOTP) twoFactorMethods.push("otp");
+				return ctx.json({
+					twoFactorRedirect: true,
+					twoFactorMethods
+				});
 			})
 		}] },
 		schema: mergeSchema(schema, {

package/dist/plugins/two-factor/otp/index.mjs

@@ -175,11 +175,11 @@ const otp2fa = (options) => {
 						if (!session.session) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
 						const updatedUser = await ctx.context.internalAdapter.updateUser(session.user.id, { twoFactorEnabled: true });
 						const newSession = await ctx.context.internalAdapter.createSession(session.user.id, false, session.session);
-						await ctx.context.internalAdapter.deleteSession(session.session.token);
 						await setSessionCookie(ctx, {
 							session: newSession,
 							user: updatedUser
 						});
+						await ctx.context.internalAdapter.deleteSession(session.session.token);
 						return ctx.json({
 							token: newSession.token,
 							user: parseUserOutput(ctx.context.options, updatedUser)

package/dist/plugins/two-factor/schema.d.mts

@@ -33,6 +33,12 @@ declare const schema: {
         };
         index: true;
       };
+      verified: {
+        type: "boolean";
+        required: false;
+        defaultValue: true;
+        input: false;
+      };
     };
   };
 };

package/dist/plugins/two-factor/schema.mjs

@@ -27,6 +27,12 @@ const schema = {
 				field: "id"
 			},
 			index: true
+		},
+		verified: {
+			type: "boolean",
+			required: false,
+			defaultValue: true,
+			input: false
 		}
 	} }
 };

package/dist/plugins/two-factor/totp/index.mjs

@@ -124,6 +124,7 @@ const totp2fa = (options) => {
 				}
 				const { session, valid, invalid } = await verifyTwoFactor(ctx);
 				const user = session.user;
+				const isSignIn = !session.session;
 				const twoFactor = await ctx.context.adapter.findOne({
 					model: twoFactorTable,
 					where: [{
@@ -132,6 +133,7 @@ const totp2fa = (options) => {
 					}]
 				});
 				if (!twoFactor) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED);
+				if (isSignIn && twoFactor.verified === false) throw APIError.from("BAD_REQUEST", TWO_FACTOR_ERROR_CODES.TOTP_NOT_ENABLED);
 				if (!await createOTP(await symmetricDecrypt({
 					key: ctx.context.secretConfig,
 					data: twoFactor.secret
@@ -139,16 +141,23 @@ const totp2fa = (options) => {
 					period: opts.period,
 					digits: opts.digits
 				}).verify(ctx.body.code)) return invalid("INVALID_CODE");
-				if (!user.twoFactorEnabled) {
-					if (!session.session) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.FAILED_TO_CREATE_SESSION);
-					const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: true });
-					const newSession = await ctx.context.internalAdapter.createSession(user.id, false, session.session).catch((e) => {
-						throw e;
-					});
-					await ctx.context.internalAdapter.deleteSession(session.session.token);
-					await setSessionCookie(ctx, {
-						session: newSession,
-						user: updatedUser
+				if (twoFactor.verified !== true) {
+					if (!user.twoFactorEnabled) {
+						const activeSession = session.session;
+						const updatedUser = await ctx.context.internalAdapter.updateUser(user.id, { twoFactorEnabled: true });
+						await setSessionCookie(ctx, {
+							session: await ctx.context.internalAdapter.createSession(user.id, false, activeSession),
+							user: updatedUser
+						});
+						await ctx.context.internalAdapter.deleteSession(activeSession.token);
+					}
+					await ctx.context.adapter.update({
+						model: twoFactorTable,
+						update: { verified: true },
+						where: [{
+							field: "id",
+							value: twoFactor.id
+						}]
 					});
 				}
 				return valid(ctx);

package/dist/plugins/two-factor/types.d.mts

@@ -80,7 +80,7 @@ interface TwoFactorTable {
   userId: string;
   secret: string;
   backupCodes: string;
-  enabled: boolean;
+  verified: boolean;
 }
 //#endregion
 export { TwoFactorOptions, TwoFactorProvider, TwoFactorTable, UserWithTwoFactor };

package/dist/state.d.mts

@@ -9,6 +9,11 @@ declare const stateDataSchema: z.ZodObject<{
   errorURL: z.ZodOptional<z.ZodString>;
   newUserURL: z.ZodOptional<z.ZodString>;
   expiresAt: z.ZodNumber;
+  /**
+   * CSRF nonce returned to the OAuth provider. When using cookie state storage,
+   * this must match the callback `state` query parameter.
+   */
+  oauthState: z.ZodOptional<z.ZodString>;
   link: z.ZodOptional<z.ZodObject<{
     email: z.ZodString;
     userId: z.ZodCoercedString<unknown>;
@@ -32,6 +37,7 @@ declare function parseGenericState(c: GenericEndpointContext, state: string, set
   expiresAt: number;
   errorURL?: string | undefined;
   newUserURL?: string | undefined;
+  oauthState?: string | undefined;
   link?: {
     email: string;
     userId: string;

package/dist/state.mjs

@@ -10,6 +10,7 @@ const stateDataSchema = z.looseObject({
 	errorURL: z.string().optional(),
 	newUserURL: z.string().optional(),
 	expiresAt: z.number(),
+	oauthState: z.string().optional(),
 	link: z.object({
 		email: z.string(),
 		userId: z.coerce.string()
@@ -28,9 +29,13 @@ var StateError = class extends BetterAuthError {
 async function generateGenericState(c, stateData, settings) {
 	const state = generateRandomString(32);
 	if (c.context.oauthConfig.storeStateStrategy === "cookie") {
+		const payload = {
+			...stateData,
+			oauthState: state
+		};
 		const encryptedData = await symmetricEncrypt({
 			key: c.context.secretConfig,
-			data: JSON.stringify(stateData)
+			data: JSON.stringify(payload)
 		});
 		const stateCookie = c.context.createAuthCookie(settings?.cookieName ?? "oauth_state", { maxAge: 600 });
 		c.setCookie(stateCookie.name, encryptedData, stateCookie.attributes);
@@ -44,7 +49,10 @@ async function generateGenericState(c, stateData, settings) {
 	const expiresAt = /* @__PURE__ */ new Date();
 	expiresAt.setMinutes(expiresAt.getMinutes() + 10);
 	if (!await c.context.internalAdapter.createVerificationValue({
-		value: JSON.stringify(stateData),
+		value: JSON.stringify({
+			...stateData,
+			oauthState: state
+		}),
 		identifier: state,
 		expiresAt
 	})) throw new StateError("Unable to create verification. Make sure the database adapter is properly working and there is a verification table in the database", { code: "state_generation_error" });
@@ -76,6 +84,10 @@ async function parseGenericState(c, state, settings) {
 				cause: error
 			});
 		}
+		if (!parsedData.oauthState || parsedData.oauthState !== state) throw new StateError("State mismatch: OAuth state parameter does not match stored state", {
+			code: "state_security_mismatch",
+			details: { state }
+		});
 		expireCookie(c, stateCookie);
 	} else {
 		const data = await c.context.internalAdapter.findVerificationValue(state);
@@ -84,6 +96,10 @@ async function parseGenericState(c, state, settings) {
 			details: { state }
 		});
 		parsedData = stateDataSchema.parse(JSON.parse(data.value));
+		if (parsedData.oauthState !== void 0 && parsedData.oauthState !== state) throw new StateError("State mismatch: OAuth state parameter does not match stored state", {
+			code: "state_security_mismatch",
+			details: { state }
+		});
 		const stateCookie = c.context.createAuthCookie(settings?.cookieName ?? "state");
 		const stateCookieValue = await c.getSignedCookie(stateCookie.name, c.context.secret);
 		if (!(settings?.skipStateCookieCheck ?? c.context.oauthConfig.skipStateCookieCheck) && (!stateCookieValue || stateCookieValue !== state)) throw new StateError("State mismatch: State not persisted correctly", {

package/dist/test-utils/test-instance.d.mts

@@ -261,7 +261,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                 "application/json": {
                   schema: {
                     type: "object";
-                    nullable: boolean;
                     properties: {
                       session: {
                         $ref: string;
@@ -2265,7 +2264,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                 "application/json": {
                   schema: {
                     type: "object";
-                    nullable: boolean;
                     properties: {
                       session: {
                         $ref: string;
@@ -4272,7 +4270,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                     "application/json": {
                       schema: {
                         type: "object";
-                        nullable: boolean;
                         properties: {
                           session: {
                             $ref: string;
@@ -6276,7 +6273,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                     "application/json": {
                       schema: {
                         type: "object";
-                        nullable: boolean;
                         properties: {
                           session: {
                             $ref: string;
@@ -8354,7 +8350,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                     "application/json": {
                       schema: {
                         type: "object";
-                        nullable: boolean;
                         properties: {
                           session: {
                             $ref: string;
@@ -10358,7 +10353,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
                     "application/json": {
                       schema: {
                         type: "object";
-                        nullable: boolean;
                         properties: {
                           session: {
                             $ref: string;

package/dist/test-utils/test-instance.mjs

@@ -80,7 +80,13 @@ async function getTestInstance(options, config) {
 	};
 	async function createTestUser() {
 		if (config?.disableTestUser) return;
-		await auth.api.signUpEmail({ body: testUser });
+		const dynamicBaseURL = isDynamicBaseURLConfig(auth.options.baseURL) ? auth.options.baseURL : void 0;
+		const host = (dynamicBaseURL?.allowedHosts.find((h) => !h.includes("*") && !h.includes("?")) ?? dynamicBaseURL?.allowedHosts[0])?.replace(/^https?:\/\//, "").split(/[/#]/)[0]?.replace(/\*/g, "test").replace(/\?/g, "x");
+		const headers = host ? new Headers({ host }) : void 0;
+		await auth.api.signUpEmail({
+			body: testUser,
+			headers
+		});
 	}
 	if (testWith !== "mongodb") {
 		const { runMigrations } = await getMigrations({

package/dist/utils/index.d.mts

@@ -1,4 +1,4 @@
 import { generateState, parseState } from "../oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "../state.mjs";
 import { HIDE_METADATA } from "./hide-metadata.mjs";
-import { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./url.mjs";