better-auth 1.6.1 → 1.6.3

package/dist/utils/url.d.mts

@@ -10,22 +10,29 @@ declare function getHost(url: string): string | null;
  */
 declare function isDynamicBaseURLConfig(config: BaseURLConfig | undefined): config is DynamicBaseURLConfig;
 /**
- * Extracts the host from the request headers.
- * Tries x-forwarded-host first (for proxy setups), then falls back to host header.
+ * Check if a value is a `Request`
+ * - `instanceof`: works for native Request instances
+ * - `toString`: handles where instanceof check fails but the object is still a
+ *   valid Request (e.g. cross-realm, polyfills). Paired with a shape check so
+ *   an object that only spoofs `Symbol.toStringTag` without the real shape is
+ *   rejected before downstream code tries to read `.headers` / `.url`.
  *
- * @param request The incoming request
- * @returns The host string or null if not found
+ * @param value The value to check
+ * @returns `true` if the value is a Request instance
  */
-declare function getHostFromRequest(request: Request): string | null;
+declare function isRequestLike(value: unknown): value is Request;
 /**
- * Extracts the protocol from the request headers.
- * Tries x-forwarded-proto first (for proxy setups), then infers from request URL.
- *
- * @param request The incoming request
- * @param configProtocol Protocol override from config
- * @returns The protocol ("http" or "https")
+ * Extracts the host from a `Request` or `Headers`.
+ * Honors `x-forwarded-host` only when `trustedProxyHeaders` is enabled,
+ * then falls back to the `host` header and finally the request URL.
+ */
+declare function getHostFromSource(source: Request | Headers, trustedProxyHeaders?: boolean): string | null;
+/**
+ * Extracts the protocol from a `Request` or `Headers`.
+ * Honors `x-forwarded-proto` only when `trustedProxyHeaders` is enabled,
+ * then falls back to the request URL, then to "https".
  */
-declare function getProtocolFromRequest(request: Request, configProtocol?: "http" | "https" | "auto" | undefined): "http" | "https";
+declare function getProtocolFromSource(source: Request | Headers, configProtocol?: "http" | "https" | "auto" | undefined, trustedProxyHeaders?: boolean): "http" | "https";
 /**
  * Matches a hostname against a host pattern.
  * Supports wildcard patterns like `*.vercel.app` or `preview-*.myapp.com`.
@@ -53,7 +60,7 @@ declare const matchesHostPattern: (host: string, pattern: string) => boolean;
  * @returns The resolved base URL with path
  * @throws BetterAuthError if host is not in allowedHosts and no fallback is set
  */
-declare function resolveDynamicBaseURL(config: DynamicBaseURLConfig, request: Request, basePath: string): string;
+declare function resolveDynamicBaseURL(config: DynamicBaseURLConfig, source: Request | Headers, basePath: string, trustedProxyHeaders?: boolean): string;
 /**
  * Resolves the base URL from any config type (static string or dynamic object).
  * This is the main entry point for base URL resolution.
@@ -65,6 +72,6 @@ declare function resolveDynamicBaseURL(config: DynamicBaseURLConfig, request: Re
  * @param trustedProxyHeaders Whether to trust proxy headers (for legacy behavior)
  * @returns The resolved base URL with path
  */
-declare function resolveBaseURL(config: BaseURLConfig | undefined, basePath: string, request?: Request, loadEnv?: boolean, trustedProxyHeaders?: boolean): string | undefined;
+declare function resolveBaseURL(config: BaseURLConfig | undefined, basePath: string, source?: Request | Headers, loadEnv?: boolean, trustedProxyHeaders?: boolean): string | undefined;
 //#endregion
-export { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };
+export { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };

package/dist/utils/url.mjs

@@ -93,41 +93,66 @@ function isDynamicBaseURLConfig(config) {
 	return typeof config === "object" && config !== null && "allowedHosts" in config && Array.isArray(config.allowedHosts);
 }
 /**
-* Extracts the host from the request headers.
-* Tries x-forwarded-host first (for proxy setups), then falls back to host header.
+* Check if a value is a `Request`
+* - `instanceof`: works for native Request instances
+* - `toString`: handles where instanceof check fails but the object is still a
+*   valid Request (e.g. cross-realm, polyfills). Paired with a shape check so
+*   an object that only spoofs `Symbol.toStringTag` without the real shape is
+*   rejected before downstream code tries to read `.headers` / `.url`.
 *
-* @param request The incoming request
-* @returns The host string or null if not found
+* @param value The value to check
+* @returns `true` if the value is a Request instance
+*/
+function isRequestLike(value) {
+	if (value instanceof Request) return true;
+	if (typeof value !== "object" || value === null || Object.prototype.toString.call(value) !== "[object Request]") return false;
+	const v = value;
+	return typeof v.url === "string" && typeof v.headers === "object" && v.headers !== null && typeof v.headers.get === "function";
+}
+/**
+* Extracts the host from a `Request` or `Headers`.
+* Honors `x-forwarded-host` only when `trustedProxyHeaders` is enabled,
+* then falls back to the `host` header and finally the request URL.
 */
-function getHostFromRequest(request) {
-	const forwardedHost = request.headers.get("x-forwarded-host");
-	if (forwardedHost && validateProxyHeader(forwardedHost, "host")) return forwardedHost;
-	const host = request.headers.get("host");
+function getHostFromSource(source, trustedProxyHeaders) {
+	const headers = isRequestLike(source) ? source.headers : source;
+	if (trustedProxyHeaders) {
+		const forwardedHost = headers.get("x-forwarded-host");
+		if (forwardedHost && validateProxyHeader(forwardedHost, "host")) return forwardedHost;
+	}
+	const host = headers.get("host");
 	if (host && validateProxyHeader(host, "host")) return host;
-	try {
-		return new URL(request.url).host;
+	if (isRequestLike(source)) try {
+		return new URL(source.url).host;
 	} catch {
 		return null;
 	}
+	return null;
 }
 /**
-* Extracts the protocol from the request headers.
-* Tries x-forwarded-proto first (for proxy setups), then infers from request URL.
-*
-* @param request The incoming request
-* @param configProtocol Protocol override from config
-* @returns The protocol ("http" or "https")
+* Extracts the protocol from a `Request` or `Headers`.
+* Honors `x-forwarded-proto` only when `trustedProxyHeaders` is enabled,
+* then falls back to the request URL, then to "https".
 */
-function getProtocolFromRequest(request, configProtocol) {
+function getProtocolFromSource(source, configProtocol, trustedProxyHeaders) {
 	if (configProtocol === "http" || configProtocol === "https") return configProtocol;
-	const forwardedProto = request.headers.get("x-forwarded-proto");
-	if (forwardedProto && validateProxyHeader(forwardedProto, "proto")) return forwardedProto;
-	try {
-		const url = new URL(request.url);
+	const headers = isRequestLike(source) ? source.headers : source;
+	if (trustedProxyHeaders) {
+		const forwardedProto = headers.get("x-forwarded-proto");
+		if (forwardedProto && validateProxyHeader(forwardedProto, "proto")) return forwardedProto;
+	}
+	if (isRequestLike(source)) try {
+		const url = new URL(source.url);
 		if (url.protocol === "http:" || url.protocol === "https:") return url.protocol.slice(0, -1);
 	} catch {}
+	const host = getHostFromSource(source, trustedProxyHeaders);
+	if (host && isLoopbackHost(host)) return "http";
 	return "https";
 }
+function isLoopbackHost(host) {
+	const h = host.toLowerCase();
+	return h === "localhost" || h.startsWith("localhost:") || h === "127.0.0.1" || h.startsWith("127.0.0.1:") || h === "[::1]" || h.startsWith("[::1]:") || h === "0.0.0.0" || h.startsWith("0.0.0.0:");
+}
 /**
 * Matches a hostname against a host pattern.
 * Supports wildcard patterns like `*.vercel.app` or `preview-*.myapp.com`.
@@ -161,13 +186,13 @@ const matchesHostPattern = (host, pattern) => {
 * @returns The resolved base URL with path
 * @throws BetterAuthError if host is not in allowedHosts and no fallback is set
 */
-function resolveDynamicBaseURL(config, request, basePath) {
-	const host = getHostFromRequest(request);
+function resolveDynamicBaseURL(config, source, basePath, trustedProxyHeaders) {
+	const host = getHostFromSource(source, trustedProxyHeaders);
 	if (!host) {
 		if (config.fallback) return withPath(config.fallback, basePath);
 		throw new BetterAuthError("Could not determine host from request headers. Please provide a fallback URL in your baseURL config.");
 	}
-	if (config.allowedHosts.some((pattern) => matchesHostPattern(host, pattern))) return withPath(`${getProtocolFromRequest(request, config.protocol)}://${host}`, basePath);
+	if (config.allowedHosts.some((pattern) => matchesHostPattern(host, pattern))) return withPath(`${getProtocolFromSource(source, config.protocol, trustedProxyHeaders)}://${host}`, basePath);
 	if (config.fallback) return withPath(config.fallback, basePath);
 	throw new BetterAuthError(`Host "${host}" is not in the allowed hosts list. Allowed hosts: ${config.allowedHosts.join(", ")}. Add this host to your allowedHosts config or provide a fallback URL.`);
 }
@@ -182,14 +207,15 @@ function resolveDynamicBaseURL(config, request, basePath) {
 * @param trustedProxyHeaders Whether to trust proxy headers (for legacy behavior)
 * @returns The resolved base URL with path
 */
-function resolveBaseURL(config, basePath, request, loadEnv, trustedProxyHeaders) {
+function resolveBaseURL(config, basePath, source, loadEnv, trustedProxyHeaders) {
 	if (isDynamicBaseURLConfig(config)) {
-		if (request) return resolveDynamicBaseURL(config, request, basePath);
+		if (source) return resolveDynamicBaseURL(config, source, basePath, trustedProxyHeaders);
 		if (config.fallback) return withPath(config.fallback, basePath);
-		return getBaseURL(void 0, basePath, request, loadEnv, trustedProxyHeaders);
+		return getBaseURL(void 0, basePath, void 0, loadEnv, trustedProxyHeaders);
 	}
+	const request = isRequestLike(source) ? source : void 0;
 	if (typeof config === "string") return getBaseURL(config, basePath, request, loadEnv, trustedProxyHeaders);
 	return getBaseURL(void 0, basePath, request, loadEnv, trustedProxyHeaders);
 }
 //#endregion
-export { getBaseURL, getHost, getHostFromRequest, getOrigin, getProtocol, getProtocolFromRequest, isDynamicBaseURLConfig, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };
+export { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.1",
+  "version": "1.6.3",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,17 +489,17 @@
     "kysely": "^0.28.14",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.1",
-    "@better-auth/drizzle-adapter": "1.6.1",
-    "@better-auth/kysely-adapter": "1.6.1",
-    "@better-auth/memory-adapter": "1.6.1",
-    "@better-auth/mongo-adapter": "1.6.1",
-    "@better-auth/prisma-adapter": "1.6.1",
-    "@better-auth/telemetry": "1.6.1"
+    "@better-auth/core": "1.6.3",
+    "@better-auth/drizzle-adapter": "1.6.3",
+    "@better-auth/kysely-adapter": "1.6.3",
+    "@better-auth/memory-adapter": "1.6.3",
+    "@better-auth/mongo-adapter": "1.6.3",
+    "@better-auth/prisma-adapter": "1.6.3",
+    "@better-auth/telemetry": "1.6.3"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",
-    "@sveltejs/kit": "^2.53.3",
+    "@sveltejs/kit": "^2.57.1",
     "@tanstack/react-start": "^1.163.2",
     "@tanstack/solid-start": "^1.163.2",
     "@types/bun": "^1.3.9",