npm - better-auth - Versions diffs - 1.6.10 → 1.6.12 - Mend

better-auth 1.6.10 → 1.6.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

package/dist/api/index.d.mts +8 -2
package/dist/api/routes/callback.d.mts +1 -1
package/dist/api/routes/callback.mjs +36 -40
package/dist/api/routes/email-verification.d.mts +1 -0
package/dist/api/routes/email-verification.mjs +4 -3
package/dist/api/routes/session.mjs +14 -9
package/dist/api/routes/sign-in.d.mts +1 -0
package/dist/api/routes/sign-in.mjs +2 -1
package/dist/api/routes/sign-up.d.mts +1 -0
package/dist/api/routes/sign-up.mjs +9 -7
package/dist/api/routes/update-user.mjs +5 -5
package/dist/client/index.d.mts +2 -2
package/dist/client/parser.mjs +0 -1
package/dist/client/plugins/index.d.mts +3 -3
package/dist/client/proxy.mjs +2 -1
package/dist/context/helpers.mjs +3 -2
package/dist/cookies/cookie-utils.d.mts +24 -1
package/dist/cookies/cookie-utils.mjs +85 -22
package/dist/cookies/index.d.mts +2 -3
package/dist/cookies/index.mjs +39 -11
package/dist/cookies/session-store.mjs +4 -23
package/dist/db/get-migration.mjs +4 -4
package/dist/db/index.d.mts +2 -2
package/dist/db/index.mjs +3 -2
package/dist/db/internal-adapter.mjs +96 -1
package/dist/db/schema.d.mts +15 -2
package/dist/db/schema.mjs +26 -1
package/dist/db/with-hooks.d.mts +1 -0
package/dist/db/with-hooks.mjs +58 -1
package/dist/index.d.mts +2 -2
package/dist/index.mjs +2 -2
package/dist/oauth2/errors.mjs +16 -1
package/dist/oauth2/link-account.mjs +6 -4
package/dist/oauth2/state.mjs +8 -2
package/dist/package.mjs +1 -1
package/dist/plugins/access/access.d.mts +3 -15
package/dist/plugins/access/access.mjs +11 -6
package/dist/plugins/access/index.d.mts +2 -2
package/dist/plugins/access/types.d.mts +11 -4
package/dist/plugins/admin/access/statement.d.mts +29 -93
package/dist/plugins/admin/admin.mjs +0 -4
package/dist/plugins/admin/client.d.mts +1 -1
package/dist/plugins/admin/routes.mjs +1 -0
package/dist/plugins/anonymous/client.d.mts +1 -0
package/dist/plugins/anonymous/error-codes.d.mts +1 -0
package/dist/plugins/anonymous/error-codes.mjs +1 -0
package/dist/plugins/anonymous/index.d.mts +1 -0
package/dist/plugins/anonymous/index.mjs +16 -2
package/dist/plugins/bearer/index.mjs +4 -9
package/dist/plugins/captcha/index.mjs +2 -2
package/dist/plugins/device-authorization/error-codes.mjs +1 -0
package/dist/plugins/device-authorization/index.d.mts +1 -0
package/dist/plugins/device-authorization/routes.mjs +34 -3
package/dist/plugins/generic-oauth/index.d.mts +1 -1
package/dist/plugins/generic-oauth/index.mjs +6 -6
package/dist/plugins/generic-oauth/routes.mjs +34 -32
package/dist/plugins/generic-oauth/types.d.mts +7 -0
package/dist/plugins/index.d.mts +2 -2
package/dist/plugins/last-login-method/client.mjs +2 -2
package/dist/plugins/magic-link/index.d.mts +8 -1
package/dist/plugins/magic-link/index.mjs +4 -17
package/dist/plugins/mcp/authorize.mjs +8 -2
package/dist/plugins/mcp/index.mjs +73 -34
package/dist/plugins/multi-session/index.mjs +2 -2
package/dist/plugins/oauth-proxy/index.mjs +44 -31
package/dist/plugins/oauth-proxy/utils.mjs +3 -10
package/dist/plugins/oidc-provider/authorize.mjs +8 -2
package/dist/plugins/oidc-provider/index.mjs +63 -37
package/dist/plugins/one-tap/index.mjs +13 -8
package/dist/plugins/open-api/generator.mjs +16 -5
package/dist/plugins/organization/access/statement.d.mts +68 -201
package/dist/plugins/organization/adapter.mjs +61 -56
package/dist/plugins/organization/client.d.mts +3 -1
package/dist/plugins/organization/error-codes.d.mts +2 -0
package/dist/plugins/organization/error-codes.mjs +3 -1
package/dist/plugins/organization/routes/crud-access-control.d.mts +2 -2
package/dist/plugins/organization/routes/crud-invites.mjs +7 -2
package/dist/plugins/organization/types.d.mts +12 -2
package/dist/plugins/two-factor/index.mjs +3 -2
package/dist/plugins/username/index.d.mts +24 -2
package/dist/plugins/username/index.mjs +49 -3
package/dist/state.d.mts +2 -2
package/dist/state.mjs +18 -4
package/dist/test-utils/headers.mjs +2 -7
package/dist/test-utils/test-instance.d.mts +25 -6
package/dist/test-utils/test-instance.mjs +11 -2
package/dist/utils/index.d.mts +1 -1
package/dist/utils/url.d.mts +2 -1
package/dist/utils/url.mjs +9 -3
package/package.json +15 -14

package/dist/api/index.d.mts CHANGED Viewed

@@ -228,7 +228,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         allowedMediaTypes: string[];
         scope: "server";
       };
-    }, void>;
+    }, never>;
     readonly getSession: better_call0.StrictEndpoint<"/get-session", {
       method: ("GET" | "POST")[];
       operationId: string;
@@ -327,6 +327,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -493,6 +494,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -724,6 +726,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -2216,7 +2219,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         allowedMediaTypes: string[];
         scope: "server";
       };
-    }, void>;
+    }, never>;
     readonly getSession: better_call0.StrictEndpoint<"/get-session", {
       method: ("GET" | "POST")[];
       operationId: string;
@@ -2315,6 +2318,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -2481,6 +2485,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -2712,6 +2717,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;

package/dist/api/routes/callback.d.mts CHANGED Viewed

@@ -25,6 +25,6 @@ declare const callbackOAuth: better_call0.StrictEndpoint<"/callback/:id", {
     allowedMediaTypes: string[];
     scope: "server";
   };
-}, void>;
+}, never>;
 //#endregion
 export { callbackOAuth };

package/dist/api/routes/callback.mjs CHANGED Viewed

@@ -1,6 +1,7 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
-import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
+import { missingEmailLogMessage, redirectOnError } from "../../oauth2/errors.mjs";
 import { parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
@@ -47,31 +48,20 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		else throw new Error("Unsupported method");
 	} catch (e) {
 		c.context.logger.error("INVALID_CALLBACK_REQUEST", e);
-		throw c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);
-	}
-	const { code, error, state, error_description, device_id, user: userData } = queryOrBody;
-	if (!state) {
-		c.context.logger.error("State not found", error);
-		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}state=state_not_found`;
-		throw c.redirect(url);
+		redirectOnError(c, defaultErrorURL, "invalid_callback_request");
 	}
+	const { code, error, error_description, device_id, user: userData } = queryOrBody;
 	const { codeVerifier, callbackURL, link, errorURL, newUserURL, requestSignUp } = await parseState(c);
-	function redirectOnError(error, description) {
-		const baseURL = errorURL ?? defaultErrorURL;
-		const params = new URLSearchParams({ error });
-		if (description) params.set("error_description", description);
-		const url = `${baseURL}${baseURL.includes("?") ? "&" : "?"}${params.toString()}`;
-		throw c.redirect(url);
-	}
-	if (error) redirectOnError(error, error_description);
+	const resolvedErrorURL = errorURL ?? defaultErrorURL;
+	if (error) redirectOnError(c, resolvedErrorURL, error, error_description);
 	if (!code) {
 		c.context.logger.error("Code not found");
-		throw redirectOnError("no_code");
+		redirectOnError(c, resolvedErrorURL, "no_code");
 	}
 	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
 	if (!provider) {
 		c.context.logger.error("Oauth provider with id", c.params.id, "not found");
-		throw redirectOnError("oauth_provider_not_found");
+		redirectOnError(c, resolvedErrorURL, "oauth_provider_not_found");
 	}
 	let tokens;
 	try {
@@ -83,9 +73,9 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		});
 	} catch (e) {
 		c.context.logger.error("", e);
-		throw redirectOnError("invalid_code");
+		redirectOnError(c, resolvedErrorURL, "invalid_code");
 	}
-	if (!tokens) throw redirectOnError("invalid_code");
+	if (!tokens) redirectOnError(c, resolvedErrorURL, "invalid_code");
 	const parsedUserData = userData ? safeJSONParse(userData) : null;
 	const userInfo = await provider.getUserInfo({
 		...tokens,
@@ -93,22 +83,22 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}).then((res) => res?.user);
 	if (!userInfo || userInfo.id === void 0 || userInfo.id === null) {
 		c.context.logger.error("Unable to get user info");
-		return redirectOnError("unable_to_get_user_info");
+		redirectOnError(c, resolvedErrorURL, "unable_to_get_user_info");
 	}
 	const providerAccountId = String(userInfo.id);
 	if (!callbackURL) {
 		c.context.logger.error("No callback URL found");
-		throw redirectOnError("no_callback_url");
+		redirectOnError(c, resolvedErrorURL, "no_callback_url");
 	}
 	if (link) {
 		if (!c.context.trustedProviders.includes(provider.id) && !userInfo.emailVerified || c.context.options.account?.accountLinking?.enabled === false) {
 			c.context.logger.error("Unable to link account - untrusted provider");
-			return redirectOnError("unable_to_link_account");
+			redirectOnError(c, resolvedErrorURL, "unable_to_link_account");
 		}
-		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError("email_doesn't_match");
+		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) redirectOnError(c, resolvedErrorURL, "email_doesn't_match");
 		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(providerAccountId, provider.id);
 		if (existingAccount) {
-			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError("account_already_linked_to_different_user");
+			if (existingAccount.userId.toString() !== link.userId.toString()) redirectOnError(c, resolvedErrorURL, "account_already_linked_to_different_user");
 			const updateData = Object.fromEntries(Object.entries({
 				accessToken: await setTokenUtil(tokens.accessToken, c.context),
 				refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
@@ -126,7 +116,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			accessToken: await setTokenUtil(tokens.accessToken, c.context),
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
 			scope: tokens.scopes?.join(",")
-		})) return redirectOnError("unable_to_link_account");
+		})) redirectOnError(c, resolvedErrorURL, "unable_to_link_account");
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -137,7 +127,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}
 	if (!userInfo.email) {
 		c.context.logger.error(missingEmailLogMessage(provider.id));
-		return redirectOnError("email_not_found");
+		redirectOnError(c, resolvedErrorURL, "email_not_found");
 	}
 	const accountData = {
 		providerId: provider.id,
@@ -145,21 +135,27 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		...tokens,
 		scope: tokens.scopes?.join(",")
 	};
-	const result = await handleOAuthUserInfo(c, {
-		userInfo: {
-			...userInfo,
-			id: providerAccountId,
-			email: userInfo.email,
-			name: userInfo.name || ""
-		},
-		account: accountData,
-		callbackURL,
-		disableSignUp: provider.disableImplicitSignUp && !requestSignUp || provider.options?.disableSignUp,
-		overrideUserInfo: provider.options?.overrideUserInfoOnSignIn
-	});
+	let result;
+	try {
+		result = await handleOAuthUserInfo(c, {
+			userInfo: {
+				...userInfo,
+				id: providerAccountId,
+				email: userInfo.email,
+				name: userInfo.name || ""
+			},
+			account: accountData,
+			callbackURL,
+			disableSignUp: provider.disableImplicitSignUp && !requestSignUp || provider.options?.disableSignUp,
+			overrideUserInfo: provider.options?.overrideUserInfoOnSignIn
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) redirectOnError(c, resolvedErrorURL, e.body.code, e.body.message);
+		throw e;
+	}
 	if (result.error) {
 		c.context.logger.error(result.error.split(" ").join("_"));
-		return redirectOnError(result.error.split(" ").join("_"));
+		redirectOnError(c, resolvedErrorURL, result.error.split(" ").join("_"));
 	}
 	const { session, user } = result.data;
 	await setSessionCookie(c, {

package/dist/api/routes/email-verification.d.mts CHANGED Viewed

@@ -27,6 +27,7 @@ declare function sendVerificationEmailFn(ctx: GenericEndpointContext, user: User
 declare const sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
   method: "POST";
   operationId: string;
+  cloneRequest: true;
   body: z.ZodObject<{
     email: z.ZodEmail;
     callbackURL: z.ZodOptional<z.ZodString>;

package/dist/api/routes/email-verification.mjs CHANGED Viewed

@@ -31,11 +31,12 @@ async function sendVerificationEmailFn(ctx, user) {
 		user,
 		url,
 		token
-	}, ctx.request));
+	}, ctx.request?.clone()));
 }
 const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
 	method: "POST",
 	operationId: "sendVerificationEmail",
+	cloneRequest: true,
 	body: z.object({
 		email: z.email().meta({ description: "The email to send the verification email to" }),
 		callbackURL: z.string().meta({ description: "The URL to use for email verification callback" }).optional()
@@ -185,7 +186,7 @@ const verifyEmail = createAuthEndpoint("/verify-email", {
 					},
 					url,
 					token: newToken
-				}, ctx.request));
+				}, ctx.request?.clone()));
 				if (ctx.query.callbackURL) throw ctx.redirect(ctx.query.callbackURL);
 				return ctx.json({ status: true });
 			}
@@ -238,7 +239,7 @@ const verifyEmail = createAuthEndpoint("/verify-email", {
 					user: updatedUser,
 					url: `${ctx.context.baseURL}/verify-email?token=${newToken}&callbackURL=${updateCallbackURL}`,
 					token: newToken
-				}, ctx.request));
+				}, ctx.request?.clone()));
 				await setSessionCookie(ctx, {
 					session: activeSession.session,
 					user: {

package/dist/api/routes/session.mjs CHANGED Viewed

@@ -129,12 +129,8 @@ const getSession = () => createAuthEndpoint("/get-session", {
 					const updateAge = cookieRefreshCache.updateAge * 1e3;
 					const shouldSkipSessionRefresh = await getShouldSkipSessionRefresh();
 					if (timeUntilExpiry < updateAge && !shouldSkipSessionRefresh) {
-						const newExpiresAt = getDate(ctx.context.options.session?.cookieCache?.maxAge || 300, "sec");
 						const refreshedSession = {
-							session: {
-								...session.session,
-								expiresAt: newExpiresAt
-							},
+							session: { ...session.session },
 							user: session.user,
 							updatedAt: Date.now()
 						};
@@ -276,17 +272,26 @@ const getSessionFromCtx = async (ctx, config) => {
 		method: "GET",
 		asResponse: false,
 		headers: ctx.headers,
-		returnHeaders: false,
+		returnHeaders: true,
 		returnStatus: false,
 		query: {
 			...config,
 			...ctx.query
 		}
-	}).catch((e) => {
+	}).catch(() => {
 		return null;
 	});
-	ctx.context.session = session;
-	return session;
+	if (!session) {
+		ctx.context.session = null;
+		return null;
+	}
+	if (session.headers) session.headers.forEach((value, key) => {
+		if (!ctx.context.responseHeaders) ctx.context.responseHeaders = new Headers({ [key]: value });
+		else if (key.toLowerCase() === "set-cookie") ctx.context.responseHeaders.append(key, value);
+		else ctx.context.responseHeaders.set(key, value);
+	});
+	ctx.context.session = session.response;
+	return session.response;
 };
 /**
 * The middleware forces the endpoint to require a valid session.

package/dist/api/routes/sign-in.d.mts CHANGED Viewed

@@ -114,6 +114,7 @@ declare const signInEmail: <O extends BetterAuthOptions>() => better_call0.Stric
   method: "POST";
   operationId: string;
   use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+  cloneRequest: true;
   body: z.ZodObject<{
     email: z.ZodString;
     password: z.ZodString;

package/dist/api/routes/sign-in.mjs CHANGED Viewed

@@ -144,6 +144,7 @@ const signInEmail = () => createAuthEndpoint("/sign-in/email", {
 	method: "POST",
 	operationId: "signInEmail",
 	use: [formCsrfMiddleware],
+	cloneRequest: true,
 	body: z.object({
 		email: z.string().meta({ description: "Email of the user" }),
 		password: z.string().meta({ description: "Password of the user" }),
@@ -236,7 +237,7 @@ const signInEmail = () => createAuthEndpoint("/sign-in/email", {
 				user: user.user,
 				url,
 				token
-			}, ctx.request));
+			}, ctx.request?.clone()));
 		}
 		throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.EMAIL_NOT_VERIFIED);
 	}

package/dist/api/routes/sign-up.d.mts CHANGED Viewed

@@ -16,6 +16,7 @@ declare const signUpEmail: <O extends BetterAuthOptions>() => better_call0.Stric
     callbackURL: z.ZodOptional<z.ZodString>;
     rememberMe: z.ZodOptional<z.ZodBoolean>;
   }, z.core.$strip>, z.ZodRecord<z.ZodString, z.ZodAny>>;
+  cloneRequest: true;
   metadata: {
     allowedMediaTypes: string[];
     $Infer: {

package/dist/api/routes/sign-up.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
 import { formCsrfMiddleware } from "../middlewares/origin-check.mjs";
-import { parseUserInput, parseUserOutput } from "../../db/schema.mjs";
+import { buildSyntheticUserOutput, parseUserInput, parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
 import { runWithTransaction } from "@better-auth/core/context";
@@ -23,6 +23,7 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 	operationId: "signUpWithEmailAndPassword",
 	use: [formCsrfMiddleware],
 	body: signUpEmailBodySchema,
+	cloneRequest: true,
 	metadata: {
 		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 		$Infer: {
@@ -170,14 +171,14 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 				* between existing and non-existing emails.
 				*/
 				await ctx.context.password.hash(password);
-				if (ctx.context.options.emailAndPassword?.onExistingUserSignUp) await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailAndPassword.onExistingUserSignUp({ user: dbUser.user }, ctx.request));
+				if (ctx.context.options.emailAndPassword?.onExistingUserSignUp) await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailAndPassword.onExistingUserSignUp({ user: dbUser.user }, ctx.request?.clone()));
 				const now = /* @__PURE__ */ new Date();
 				const generatedId = ctx.context.generateId({ model: "user" }) || generateId();
 				const coreFields = {
 					name,
 					email: normalizedEmail,
 					emailVerified: false,
-					image: image || null,
+					image: image ?? null,
 					createdAt: now,
 					updatedAt: now
 				};
@@ -187,16 +188,17 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 					const additionalFieldKeys = Object.keys(ctx.context.options.user?.additionalFields ?? {});
 					const additionalFields = {};
 					for (const key of additionalFieldKeys) if (key in additionalUserFields) additionalFields[key] = additionalUserFields[key];
-					syntheticUser = customSyntheticUser({
+					const customResult = customSyntheticUser({
 						coreFields,
 						additionalFields,
 						id: generatedId
 					});
-				} else syntheticUser = {
+					syntheticUser = buildSyntheticUserOutput(ctx.context.options, customResult);
+				} else syntheticUser = buildSyntheticUserOutput(ctx.context.options, {
 					...coreFields,
 					...additionalUserFields,
 					id: generatedId
-				};
+				});
 				return ctx.json({
 					token: null,
 					user: parseUserOutput(ctx.context.options, syntheticUser)
@@ -244,7 +246,7 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 				user: createdUser,
 				url,
 				token
-			}, ctx.request));
+			}, ctx.request?.clone()));
 		}
 		if (shouldSkipAutoSignIn) return ctx.json({
 			token: null,

package/dist/api/routes/update-user.mjs CHANGED Viewed

@@ -410,7 +410,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 }, async (ctx) => {
 	if (!ctx.context.options.user?.changeEmail?.enabled) {
 		ctx.context.logger.error("Change email is disabled.");
-		throw APIError.fromStatus("BAD_REQUEST", { message: "Change email is disabled" });
+		throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.CHANGE_EMAIL_DISABLED);
 	}
 	const newEmail = ctx.body.newEmail.toLowerCase();
 	if (newEmail === ctx.context.session.user.email) {
@@ -424,8 +424,8 @@ const changeEmail = createAuthEndpoint("/change-email", {
 	* email would later throw 400, leaking email existence.
 	*/
 	const canUpdateWithoutVerification = ctx.context.session.user.emailVerified !== true && ctx.context.options.user.changeEmail.updateEmailWithoutVerification;
-	const canSendConfirmation = ctx.context.session.user.emailVerified && ctx.context.options.user.changeEmail.sendChangeEmailConfirmation;
 	const canSendVerification = ctx.context.options.emailVerification?.sendVerificationEmail;
+	const canSendConfirmation = canSendVerification && ctx.context.session.user.emailVerified && ctx.context.options.user.changeEmail.sendChangeEmailConfirmation;
 	if (!canUpdateWithoutVerification && !canSendConfirmation && !canSendVerification) {
 		ctx.context.logger.error("Verification email isn't enabled.");
 		throw APIError.fromStatus("BAD_REQUEST", { message: "Verification email isn't enabled" });
@@ -449,7 +449,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 		});
 		if (canSendVerification) {
 			const token = await createEmailVerificationToken(ctx.context.secret, newEmail, void 0, ctx.context.options.emailVerification?.expiresIn);
-			const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+			const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 			await ctx.context.runInBackgroundOrAwait(canSendVerification({
 				user: {
 					...ctx.context.session.user,
@@ -466,7 +466,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 	*/
 	if (canSendConfirmation) {
 		const token = await createEmailVerificationToken(ctx.context.secret, ctx.context.session.user.email, newEmail, ctx.context.options.emailVerification?.expiresIn, { requestType: "change-email-confirmation" });
-		const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+		const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 		await ctx.context.runInBackgroundOrAwait(canSendConfirmation({
 			user: ctx.context.session.user,
 			newEmail,
@@ -480,7 +480,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 		throw APIError.fromStatus("BAD_REQUEST", { message: "Verification email isn't enabled" });
 	}
 	const token = await createEmailVerificationToken(ctx.context.secret, ctx.context.session.user.email, newEmail, ctx.context.options.emailVerification?.expiresIn, { requestType: "change-email-verification" });
-	const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+	const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 	await ctx.context.runInBackgroundOrAwait(canSendVerification({
 		user: {
 			...ctx.context.session.user,

package/dist/client/index.d.mts CHANGED Viewed

@@ -8,7 +8,7 @@ import { parseJSON } from "./parser.mjs";
 import { AuthQueryAtom, useAuthQuery } from "./query.mjs";
 import { SessionRefreshOptions, SessionResponse, createSessionRefreshManager } from "./session-refresh.mjs";
 import { AuthClient, createAuthClient } from "./vanilla.mjs";
-import { AccessControl, ArrayElement, Role, Statements, SubArray, Subset } from "../plugins/access/types.mjs";
+import { AccessControl, ArrayElement, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset } from "../plugins/access/types.mjs";
 import { AuthorizeResponse, createAccessControl, role } from "../plugins/access/access.mjs";
 import { OrganizationOptions } from "../plugins/organization/types.mjs";
 import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "../plugins/organization/schema.mjs";
@@ -31,4 +31,4 @@ declare function InferAuth<O extends {
   options: BetterAuthOptions;
 }>(): O["options"];
 //#endregion
-export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, SessionQueryParams, SessionRefreshOptions, SessionResponse, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery };
+export { AccessControl, ArrayElement, AuthClient, AuthQueryAtom, AuthorizeResponse, BetterAuthClientOptions, BetterAuthClientPlugin, BroadcastChannel, BroadcastListener, BroadcastMessage, CamelCase, ClientAtomListener, ClientStore, type DBPrimitive, DefaultOrganizationPlugin, DynamicAccessControlEndpoints, ExactRoleStatements, ExtractPluginField, type FocusListener, type FocusManager, HasRequiredKeys, InferActions, InferAdditionalFromClient, InferAuth, InferClientAPI, InferCtx, InferErrorCodes, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPlugin, InferPluginFieldFromTuple, InferRoute, InferRoutes, InferSessionFromClient, InferSignUpEmailCtx, InferTeam, InferUserFromClient, InferUserUpdateCtx, Invitation, InvitationInput, InvitationStatus, IsAny, IsSignal, Member, MemberInput, MergeRoutes, type OnlineListener, type OnlineManager, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, OverrideMerge, PathToObject, Prettify, PrettifyDeep, ProxyRequest, RequiredKeysOf, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SessionQueryParams, SessionRefreshOptions, SessionResponse, Statements, StripEmptyObjects, SubArray, Subset, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, type UnionToIntersection, createAccessControl, createAuthClient, createSessionRefreshManager, defaultRolesSchema, getGlobalBroadcastChannel, getOrgAdapter, hasPermission, invitationSchema, invitationStatus, kBroadcastChannel, kFocusManager, kOnlineManager, memberSchema, organization, organizationRoleSchema, organizationSchema, parseJSON, parseRoles, role, roleSchema, teamMemberSchema, teamSchema, useAuthQuery };

package/dist/client/parser.mjs CHANGED Viewed

@@ -34,7 +34,6 @@ function betterJSONParse(value, options = {}) {
 	const { strict = false, warnings = false, reviver, parseDates = true } = options;
 	if (typeof value !== "string") return value;
 	const trimmed = value.trim();
-	if (trimmed.length > 0 && trimmed[0] === "\"" && trimmed.endsWith("\"") && !trimmed.slice(1, -1).includes("\"")) return trimmed.slice(1, -1);
 	const lowerValue = trimmed.toLowerCase();
 	if (lowerValue.length <= 9 && lowerValue in SPECIAL_VALUES) return SPECIAL_VALUES[lowerValue];
 	if (!JSON_SIGNATURE.test(trimmed)) {

package/dist/client/plugins/index.d.mts CHANGED Viewed

@@ -31,7 +31,7 @@ import { USERNAME_ERROR_CODES } from "../../plugins/username/error-codes.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../../plugins/organization/error-codes.mjs";
 import { inferAdditionalFields } from "../../plugins/additional-fields/client.mjs";
 import { ADMIN_ERROR_CODES } from "../../plugins/admin/error-codes.mjs";
-import { adminClient } from "../../plugins/admin/client.mjs";
+import { AdminClientOptions, adminClient } from "../../plugins/admin/client.mjs";
 import { ANONYMOUS_ERROR_CODES } from "../../plugins/anonymous/error-codes.mjs";
 import { anonymousClient } from "../../plugins/anonymous/client.mjs";
 import { customSessionClient } from "../../plugins/custom-session/client.mjs";
@@ -47,10 +47,10 @@ import { multiSessionClient } from "../../plugins/multi-session/client.mjs";
 import { OidcClientPlugin, oidcClient } from "../../plugins/oidc-provider/client.mjs";
 import { GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, oneTapClient } from "../../plugins/one-tap/client.mjs";
 import { oneTimeTokenClient } from "../../plugins/one-time-token/client.mjs";
-import { clientSideHasPermission, inferOrgAdditionalFields, organizationClient } from "../../plugins/organization/client.mjs";
+import { OrganizationClientOptions, clientSideHasPermission, inferOrgAdditionalFields, organizationClient } from "../../plugins/organization/client.mjs";
 import { PHONE_NUMBER_ERROR_CODES } from "../../plugins/phone-number/error-codes.mjs";
 import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminClientOptions, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationClientOptions, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/client/proxy.mjs CHANGED Viewed

@@ -1,4 +1,5 @@
 import { isAtom } from "../utils/is-atom.mjs";
+import { toKebabCase } from "@better-auth/core/utils/string";
 //#region src/client/proxy.ts
 function getMethod(path, knownPathMethods, args) {
 	const method = knownPathMethods[path];
@@ -26,7 +27,7 @@ function createDynamicPathProxy(routes, client, knownPathMethods, atoms, atomLis
 				return createProxy(fullPath);
 			},
 			apply: async (_, __, args) => {
-				const routePath = "/" + path.map((segment) => segment.replace(/[A-Z]/g, (letter) => `-${letter.toLowerCase()}`)).join("/");
+				const routePath = "/" + path.map(toKebabCase).join("/");
 				const arg = args[0] || {};
 				const fetchOptions = args[1] || {};
 				const { query, fetchOptions: argFetchOptions, ...body } = arg;

package/dist/context/helpers.mjs CHANGED Viewed

@@ -61,9 +61,10 @@ async function getTrustedOrigins(options, request) {
 	const trustedOrigins = [];
 	if (isDynamicBaseURLConfig(options.baseURL)) {
 		const allowedHosts = options.baseURL.allowedHosts;
+		const proto = options.baseURL.protocol;
 		for (const host of allowedHosts) if (!host.includes("://")) {
-			trustedOrigins.push(`https://${host}`);
-			if (isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
+			if (!proto || proto === "https" || proto === "auto") trustedOrigins.push(`https://${host}`);
+			if (proto === "http" || proto === "auto" || isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
 		} else trustedOrigins.push(host);
 		if (options.baseURL.fallback) try {
 			trustedOrigins.push(new URL(options.baseURL.fallback).origin);

package/dist/cookies/cookie-utils.d.mts CHANGED Viewed

@@ -33,6 +33,20 @@ declare function stripSecureCookiePrefix(cookieName: string): string;
 declare function splitSetCookieHeader(setCookie: string): string[];
 declare function parseSetCookieHeader(setCookie: string): Map<string, CookieAttributes>;
 declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOptions;
+/**
+ * Cookie-name token char set per RFC 7230 §3.2.6.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+ */
+declare const cookieNameRegex: RegExp;
+/**
+ * Tolerates `;` separators without the SP that RFC 6265 §4.2.1 mandates,
+ * since proxies and runtimes commonly strip it. Silently drops entries
+ * whose name violates RFC 7230 token or whose value violates RFC 6265
+ * cookie-octet (plus space and comma). Strips optional surrounding
+ * double-quotes per RFC 6265 §4.1.1.
+ */
+declare function parseCookies(cookie: string): Map<string, string>;
 /**
  * Add or replace a cookie in the request `Cookie` header.
  *
@@ -42,8 +56,17 @@ declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOpti
  * parse-mutate-serialize.
  */
 declare function setRequestCookie(headers: Headers, name: string, value: string): void;
+/**
+ * Merge `Set-Cookie` header values into the target's `Cookie` header.
+ * Mutates `target`.
+ *
+ * Name/value-level merge only. RFC 6265 §5 user-agent semantics
+ * (expiration, domain/path scoping, ordering) are out of scope. Suitable
+ * for single-request proxy, middleware, and test contexts.
+ */
+declare function applySetCookies(target: Headers, setCookieValues: Iterable<string>): void;
 declare function setCookieToHeader(headers: Headers): (context: {
   response: Response;
 }) => void;
 //#endregion
-export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };