better-auth 1.6.10 → 1.6.12

package/dist/cookies/cookie-utils.mjs

@@ -1,5 +1,6 @@
 //#region src/cookies/cookie-utils.ts
 function tryDecode(str) {
+	if (str.indexOf("%") === -1) return str;
 	try {
 		return decodeURIComponent(str);
 	} catch {
@@ -49,9 +50,9 @@ function parseSetCookieHeader(setCookie) {
 	splitSetCookieHeader(setCookie).forEach((cookieString) => {
 		const [nameValue, ...attributes] = cookieString.split(";").map((part) => part.trim());
 		const [name, ...valueParts] = (nameValue || "").split("=");
-		const value = valueParts.join("=");
-		if (!name || value === void 0) return;
-		const attrObj = { value: value.includes("%") ? tryDecode(value) : value };
+		const value = unquoteCookieValue(valueParts.join("="));
+		if (!name) return;
+		const attrObj = { value: tryDecode(value) };
 		attributes.forEach((attribute) => {
 			const [attrName, ...attrValueParts] = attribute.split("=");
 			const attrValue = attrValueParts.join("=");
@@ -103,6 +104,69 @@ function toCookieOptions(attributes) {
 	};
 }
 /**
+* Cookie-name token char set per RFC 7230 §3.2.6.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+*/
+const cookieNameRegex = /^[\w!#$%&'*.^`|~+-]+$/;
+/**
+* Cookie-value char set per RFC 6265 §4.1.1, plus space and comma.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
+* @see https://github.com/golang/go/issues/7243
+*/
+const cookieValueRegex = /^[ !#-:<-[\]-~]*$/;
+/**
+* Strip surrounding double-quotes per RFC 6265 §4.1.1 quoted-string form.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
+*/
+function unquoteCookieValue(value) {
+	if (value.length < 2 || !value.startsWith("\"") || !value.endsWith("\"")) return value;
+	return value.slice(1, -1);
+}
+/**
+* Trim leading/trailing OWS (space / horizontal tab) per RFC 7230 §3.2.3.
+* Narrower than `String.prototype.trim()`, which strips CR/LF and other
+* whitespace and would let CTLs escape `cookieValueRegex`.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.3
+*/
+function trimOWS(s) {
+	let start = 0;
+	let end = s.length;
+	while (start < end) {
+		const c = s.charCodeAt(start);
+		if (c !== 32 && c !== 9) break;
+		start++;
+	}
+	while (end > start) {
+		const c = s.charCodeAt(end - 1);
+		if (c !== 32 && c !== 9) break;
+		end--;
+	}
+	return start === 0 && end === s.length ? s : s.slice(start, end);
+}
+/**
+* Tolerates `;` separators without the SP that RFC 6265 §4.2.1 mandates,
+* since proxies and runtimes commonly strip it. Silently drops entries
+* whose name violates RFC 7230 token or whose value violates RFC 6265
+* cookie-octet (plus space and comma). Strips optional surrounding
+* double-quotes per RFC 6265 §4.1.1.
+*/
+function parseCookies(cookie) {
+	const cookieMap = /* @__PURE__ */ new Map();
+	if (cookie.length < 2) return cookieMap;
+	for (const chunk of cookie.split(";")) {
+		const eq = chunk.indexOf("=");
+		if (eq === -1) continue;
+		const key = trimOWS(chunk.slice(0, eq));
+		const val = unquoteCookieValue(trimOWS(chunk.slice(eq + 1)));
+		if (cookieNameRegex.test(key) && cookieValueRegex.test(val)) cookieMap.set(key, tryDecode(val));
+	}
+	return cookieMap;
+}
+/**
 * Add or replace a cookie in the request `Cookie` header.
 *
 * Cookie pairs are joined with `; `, but `headers.append("cookie", ...)`
@@ -111,30 +175,29 @@ function toCookieOptions(attributes) {
 * parse-mutate-serialize.
 */
 function setRequestCookie(headers, name, value) {
-	const cookieMap = /* @__PURE__ */ new Map();
-	for (const pair of (headers.get("cookie") || "").split(";")) {
-		const trimmed = pair.trim();
-		const eq = trimmed.indexOf("=");
-		if (eq > 0) cookieMap.set(trimmed.slice(0, eq), trimmed.slice(eq + 1));
-	}
-	cookieMap.set(name, value);
-	headers.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${v}`).join("; "));
+	const cookieMap = parseCookies(headers.get("cookie") || "");
+	if (cookieNameRegex.test(name)) cookieMap.set(name, value);
+	headers.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; "));
+}
+/**
+* Merge `Set-Cookie` header values into the target's `Cookie` header.
+* Mutates `target`.
+*
+* Name/value-level merge only. RFC 6265 §5 user-agent semantics
+* (expiration, domain/path scoping, ordering) are out of scope. Suitable
+* for single-request proxy, middleware, and test contexts.
+*/
+function applySetCookies(target, setCookieValues) {
+	const cookieMap = parseCookies(target.get("cookie") || "");
+	for (const setCookie of setCookieValues) for (const [name, attr] of parseSetCookieHeader(setCookie)) if (cookieNameRegex.test(name)) cookieMap.set(name, attr.value);
+	target.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; "));
 }
 function setCookieToHeader(headers) {
 	return (context) => {
 		const setCookieHeader = context.response.headers.get("set-cookie");
 		if (!setCookieHeader) return;
-		const cookieMap = /* @__PURE__ */ new Map();
-		(headers.get("cookie") || "").split(";").forEach((cookie) => {
-			const [name, ...rest] = cookie.trim().split("=");
-			if (name && rest.length > 0) cookieMap.set(name, rest.join("="));
-		});
-		parseSetCookieHeader(setCookieHeader).forEach((value, name) => {
-			cookieMap.set(name, value.value);
-		});
-		const updatedCookies = Array.from(cookieMap.entries()).map(([name, value]) => `${name}=${value}`).join("; ");
-		headers.set("cookie", updatedCookies);
+		applySetCookies(headers, [setCookieHeader]);
 	};
 }
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.d.mts

@@ -1,5 +1,5 @@
 import { Session, User } from "../types/models.mjs";
-import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createSessionStore, getAccountCookie, getChunkedCookie } from "./session-store.mjs";
 import { BetterAuthCookie, BetterAuthCookies, BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import * as better_call0 from "better-call";
@@ -95,7 +95,6 @@ declare function setSessionCookie(ctx: GenericEndpointContext, session: {
  */
 declare function expireCookie(ctx: GenericEndpointContext, cookie: BetterAuthCookie): void;
 declare function deleteSessionCookie(ctx: GenericEndpointContext, skipDontRememberMe?: boolean | undefined): void;
-declare function parseCookies(cookieHeader: string): Map<string, string>;
 type EligibleCookies = (string & {}) | (keyof BetterAuthCookies & {});
 declare const getSessionCookie: (request: Request | Headers, config?: {
   cookiePrefix?: string;
@@ -116,4 +115,4 @@ declare const getCookieCache: <S extends {
   version?: string | ((session: Session & Record<string, any>, user: User & Record<string, any>) => string) | ((session: Session & Record<string, any>, user: User & Record<string, any>) => Promise<string>);
 } | undefined) => Promise<S | null>;
 //#endregion
-export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.mjs

@@ -4,7 +4,7 @@ import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { sec } from "../utils/time.mjs";
-import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -134,9 +134,46 @@ async function setSessionCookie(ctx, session, dontRememberMe, overrides) {
 	ctx.context.setNewSession(session);
 }
 /**
+* Remove any prior `Set-Cookie` entries on the current response whose cookie
+* name matches `cookieName` or any chunked variant (`${cookieName}.0`, etc.).
+*
+* Prevents a valid cookie value from leaking on the wire when the same cookie
+* is set and then expired within a single request (e.g. `/sign-in/email`
+* writes credential session cookies and the 2FA after-hook expires them).
+* Browsers honor the expiring entry, but anything reading the raw response
+* headers — proxy/LB logs, server-side SDK consumers, observability tools —
+* sees the earlier valid value and could replay it (bypassing the 2FA gate
+* when the cookie cache is enabled).
+*
+* Scrubs both the local middleware scope's `responseHeaders` and the outer
+* endpoint scope's `ctx.context.responseHeaders`, because plugin after-hooks
+* run in a fresh local scope while accumulated response headers live on the
+* outer one. `scoped.context` is required by {@link GenericEndpointContext}
+* but unit-test mocks pass a minimal object via `as any`, so we use optional
+* chaining defensively. The `Set` collapses the case where both scopes
+* reference the same `Headers`.
+*/
+function removeSetCookieEntries(ctx, cookieName) {
+	const scoped = ctx;
+	const targets = /* @__PURE__ */ new Set();
+	if (scoped.responseHeaders) targets.add(scoped.responseHeaders);
+	if (scoped.context?.responseHeaders) targets.add(scoped.context.responseHeaders);
+	const exact = `${cookieName}=`;
+	const chunk = `${cookieName}.`;
+	for (const headers of targets) {
+		const existing = typeof headers.getSetCookie === "function" ? headers.getSetCookie() : splitSetCookieHeader(headers.get("set-cookie") || "");
+		if (!existing.length) continue;
+		const survivors = existing.filter((entry) => !entry.startsWith(exact) && !entry.startsWith(chunk));
+		if (survivors.length === existing.length) continue;
+		headers.delete("set-cookie");
+		for (const entry of survivors) headers.append("set-cookie", entry);
+	}
+}
+/**
 * Expires a cookie by setting `maxAge: 0` while preserving its attributes
 */
 function expireCookie(ctx, cookie) {
+	removeSetCookieEntries(ctx, cookie.name);
 	ctx.setCookie(cookie.name, "", {
 		...cookie.attributes,
 		maxAge: 0
@@ -157,15 +194,6 @@ function deleteSessionCookie(ctx, skipDontRememberMe) {
 	sessionStore.setCookies(cleanCookies);
 	if (!skipDontRememberMe) expireCookie(ctx, ctx.context.authCookies.dontRememberToken);
 }
-function parseCookies(cookieHeader) {
-	const cookies = cookieHeader.split("; ");
-	const cookieMap = /* @__PURE__ */ new Map();
-	cookies.forEach((cookie) => {
-		const [name, value] = cookie.split(/=(.*)/s);
-		cookieMap.set(name, value);
-	});
-	return cookieMap;
-}
 const getSessionCookie = (request, config) => {
 	const cookies = (request instanceof Headers || !("headers" in request) ? request : request.headers).get("cookie");
 	if (!cookies) return null;
@@ -258,4 +286,4 @@ const getCookieCache = async (request, config) => {
 	return null;
 };
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/session-store.mjs

@@ -1,4 +1,5 @@
 import { symmetricDecodeJWT, symmetricEncodeJWT } from "../crypto/jwt.mjs";
+import { parseCookies } from "./cookie-utils.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 import * as z from "zod";
 //#region src/cookies/session-store.ts
@@ -6,20 +7,6 @@ const ALLOWED_COOKIE_SIZE = 4096;
 const ESTIMATED_EMPTY_COOKIE_SIZE = 200;
 const CHUNK_SIZE = ALLOWED_COOKIE_SIZE - ESTIMATED_EMPTY_COOKIE_SIZE;
 /**
-* Parse cookies from the request headers
-*/
-function parseCookiesFromContext(ctx) {
-	const cookieHeader = ctx.headers?.get("cookie");
-	if (!cookieHeader) return {};
-	const cookies = {};
-	const pairs = cookieHeader.split("; ");
-	for (const pair of pairs) {
-		const [name, ...valueParts] = pair.split("=");
-		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
-	}
-	return cookies;
-}
-/**
 * Extract the chunk index from a cookie name
 */
 function getChunkIndex(cookieName) {
@@ -33,8 +20,8 @@ function getChunkIndex(cookieName) {
 */
 function readExistingChunks(cookieName, ctx) {
 	const chunks = {};
-	const cookies = parseCookiesFromContext(ctx);
-	for (const [name, value] of Object.entries(cookies)) if (name.startsWith(cookieName)) chunks[name] = value;
+	const cookies = parseCookies(ctx.headers?.get("cookie") || "");
+	for (const [name, value] of cookies) if (name.startsWith(cookieName)) chunks[name] = value;
 	return chunks;
 }
 /**
@@ -140,13 +127,7 @@ function getChunkedCookie(ctx, cookieName) {
 	const chunks = [];
 	const cookieHeader = ctx.headers?.get("cookie");
 	if (!cookieHeader) return null;
-	const cookies = {};
-	const pairs = cookieHeader.split("; ");
-	for (const pair of pairs) {
-		const [name, ...valueParts] = pair.split("=");
-		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
-	}
-	for (const [name, val] of Object.entries(cookies)) if (name.startsWith(cookieName + ".")) {
+	for (const [name, val] of parseCookies(cookieHeader)) if (name.startsWith(cookieName + ".")) {
 		const indexStr = name.split(".").at(-1);
 		const index = parseInt(indexStr || "0", 10);
 		if (!isNaN(index)) chunks.push({

package/dist/db/get-migration.mjs

@@ -269,13 +269,14 @@ async function getMigrations(config) {
 			return `${model}.${field}`;
 		}
 	}
+	const deferredIndexes = [];
 	if (toBeAdded.length) for (const table of toBeAdded) for (const [fieldName, field] of Object.entries(table.fields)) {
 		const type = getType(field, fieldName);
 		const builder = db.schema.alterTable(table.table);
 		if (field.index) {
 			const indexName = `${table.table}_${fieldName}_${field.unique ? "uidx" : "idx"}`;
 			const indexBuilder = db.schema.createIndex(indexName).on(table.table).columns([fieldName]);
-			migrations.push(field.unique ? indexBuilder.unique() : indexBuilder);
+			deferredIndexes.push(field.unique ? indexBuilder.unique() : indexBuilder);
 		}
 		const built = builder.addColumn(fieldName, type, (col) => {
 			col = field.required !== false ? col.notNull() : col;
@@ -287,7 +288,6 @@ async function getMigrations(config) {
 		});
 		migrations.push(built);
 	}
-	const toBeIndexed = [];
 	if (toBeCreated.length) for (const table of toBeCreated) {
 		const idType = getType({ type: useNumberId ? "number" : "string" }, "id");
 		let dbT = db.schema.createTable(table.table).addColumn("id", idType, (col) => {
@@ -315,12 +315,12 @@ async function getMigrations(config) {
 			});
 			if (field.index) {
 				const builder = db.schema.createIndex(`${table.table}_${fieldName}_${field.unique ? "uidx" : "idx"}`).on(table.table).columns([fieldName]);
-				toBeIndexed.push(field.unique ? builder.unique() : builder);
+				deferredIndexes.push(field.unique ? builder.unique() : builder);
 			}
 		}
 		migrations.push(dbT);
 	}
-	if (toBeIndexed.length) for (const index of toBeIndexed) migrations.push(index);
+	for (const index of deferredIndexes) migrations.push(index);
 	async function runMigrations() {
 		for (const migration of migrations) await migration.execute();
 	}

package/dist/db/index.d.mts

@@ -3,7 +3,7 @@ import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getSchema } from "./get-schema.mjs";
 import { DatabaseHooksEntry, getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
-import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
 import { FieldAttributeToSchema, toZodSchema } from "./to-zod.mjs";
 export * from "@better-auth/core/db";
-export { DatabaseHooksEntry, FieldAttributeToObject, FieldAttributeToSchema, InferAdditionalFieldsFromPluginOptions, InferFieldsInputClient, InferFieldsOutput, RemoveFieldsWithReturnedFalse, convertFromDB, convertToDB, createInternalAdapter, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };
+export { DatabaseHooksEntry, FieldAttributeToObject, FieldAttributeToSchema, InferAdditionalFieldsFromPluginOptions, InferFieldsInputClient, InferFieldsOutput, RemoveFieldsWithReturnedFalse, buildSyntheticUserOutput, convertFromDB, convertToDB, createInternalAdapter, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };

package/dist/db/index.mjs

@@ -1,6 +1,6 @@
 import { __exportAll, __reExport } from "../_virtual/_rolldown/runtime.mjs";
 import { getSchema } from "./get-schema.mjs";
-import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
 import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
@@ -8,6 +8,7 @@ import { toZodSchema } from "./to-zod.mjs";
 export * from "@better-auth/core/db";
 //#region src/db/index.ts
 var db_exports = /* @__PURE__ */ __exportAll({
+	buildSyntheticUserOutput: () => buildSyntheticUserOutput,
 	convertFromDB: () => convertFromDB,
 	convertToDB: () => convertToDB,
 	createInternalAdapter: () => createInternalAdapter,
@@ -28,4 +29,4 @@ var db_exports = /* @__PURE__ */ __exportAll({
 import * as import__better_auth_core_db from "@better-auth/core/db";
 __reExport(db_exports, import__better_auth_core_db);
 //#endregion
-export { convertFromDB, convertToDB, createInternalAdapter, db_exports, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };
+export { buildSyntheticUserOutput, convertFromDB, convertToDB, createInternalAdapter, db_exports, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };

package/dist/db/internal-adapter.mjs

@@ -15,8 +15,9 @@ const createInternalAdapter = (adapter, ctx) => {
 	const logger = ctx.logger;
 	const options = ctx.options;
 	const secondaryStorage = options.secondaryStorage;
+	const verificationConsumeLocks = /* @__PURE__ */ new Map();
 	const sessionExpiration = options.session?.expiresIn || 3600 * 24 * 7;
-	const { createWithHooks, updateWithHooks, updateManyWithHooks, deleteWithHooks, deleteManyWithHooks } = getWithHooks(adapter, ctx);
+	const { createWithHooks, updateWithHooks, updateManyWithHooks, deleteWithHooks, deleteManyWithHooks, consumeOneWithHooks } = getWithHooks(adapter, ctx);
 	async function refreshUserSessions(user) {
 		if (!secondaryStorage) return;
 		const listRaw = await secondaryStorage.get(`active-sessions-${user.id}`);
@@ -35,6 +36,22 @@ const createInternalAdapter = (adapter, ctx) => {
 			}), Math.floor(sessionTTL));
 		}));
 	}
+	async function withVerificationConsumeLock(key, fn) {
+		const previous = verificationConsumeLocks.get(key) ?? Promise.resolve();
+		let release;
+		const current = new Promise((resolve) => {
+			release = resolve;
+		});
+		const next = previous.catch(() => {}).then(() => current);
+		verificationConsumeLocks.set(key, next);
+		await previous.catch(() => {});
+		try {
+			return await fn();
+		} finally {
+			release();
+			if (verificationConsumeLocks.get(key) === next) verificationConsumeLocks.delete(key);
+		}
+	}
 	return {
 		createOAuthUser: async (user, account) => {
 			return runWithTransaction(adapter, async () => {
@@ -618,6 +635,84 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: storedIdentifier
 			}], "verification", void 0);
 		},
+		consumeVerificationValue: async (identifier) => {
+			const storageOption = getStorageOption(identifier, options.verification?.storeIdentifier);
+			const storedIdentifier = await processIdentifier(identifier, storageOption);
+			const identifiersToTry = storageOption && storageOption !== "plain" ? [storedIdentifier, identifier] : [storedIdentifier];
+			const hydrateCachedVerification = (raw) => {
+				if (!raw) return null;
+				const candidate = typeof raw === "string" ? safeJSONParse(raw) : typeof raw === "object" ? raw : null;
+				if (!candidate) return null;
+				const expiresAt = new Date(candidate.expiresAt);
+				if (!Number.isFinite(expiresAt.getTime())) return null;
+				return {
+					...candidate,
+					expiresAt
+				};
+			};
+			let consumed = null;
+			if (secondaryStorage && !options.verification?.storeInDatabase) {
+				const consumeCacheKey = async (key) => {
+					if (secondaryStorage.getAndDelete) return hydrateCachedVerification(await secondaryStorage.getAndDelete(key));
+					return withVerificationConsumeLock(key, async () => {
+						const parsed = hydrateCachedVerification(await secondaryStorage.get(key));
+						if (!parsed) return null;
+						await secondaryStorage.delete(key);
+						return parsed;
+					});
+				};
+				for (const stored of identifiersToTry) {
+					const cached = await consumeCacheKey(`verification:${stored}`);
+					if (!cached) continue;
+					await Promise.all(identifiersToTry.filter((candidate) => candidate !== stored).map((candidate) => secondaryStorage.delete(`verification:${candidate}`)));
+					consumed = cached;
+					break;
+				}
+			} else {
+				const consumeByIdentifier = async (id) => withVerificationConsumeLock(`verification:${id}`, () => runWithTransaction(adapter, async () => {
+					const txAdapter = await getCurrentAdapter(adapter);
+					const where = [{
+						field: "identifier",
+						value: id
+					}];
+					const latest = (await txAdapter.findMany({
+						model: "verification",
+						where,
+						sortBy: {
+							field: "createdAt",
+							direction: "desc"
+						},
+						limit: 1
+					}))[0] ?? null;
+					if (!latest) return null;
+					return consumeOneWithHooks("verification", [{
+						field: "id",
+						value: latest.id
+					}], async () => {
+						const row = await txAdapter.consumeOne({
+							model: "verification",
+							where: [{
+								field: "id",
+								value: latest.id
+							}]
+						});
+						if (!row) return null;
+						await txAdapter.deleteMany({
+							model: "verification",
+							where
+						});
+						return row;
+					}, latest);
+				}));
+				for (const stored of identifiersToTry) {
+					consumed = await consumeByIdentifier(stored);
+					if (consumed) break;
+				}
+				if (consumed && secondaryStorage) await Promise.all(identifiersToTry.map((stored) => secondaryStorage.delete(`verification:${stored}`)));
+			}
+			if (!consumed || consumed.expiresAt < /* @__PURE__ */ new Date()) return null;
+			return consumed;
+		},
 		updateVerificationByIdentifier: async (identifier, data) => {
 			const storedIdentifier = await processIdentifier(identifier, getStorageOption(identifier, options.verification?.storeIdentifier));
 			if (secondaryStorage) {

package/dist/db/schema.d.mts

@@ -4,8 +4,21 @@ import { BetterAuthPluginDBSchema, DBFieldAttribute } from "@better-auth/core/db
 
 //#region src/db/schema.d.ts
 declare function parseUserOutput<T extends User$1>(options: BetterAuthOptions, user: T): T;
+/**
+ * Builds a synthetic user object that matches the shape of a real user
+ * returned from the database. This ensures enumeration protection works
+ * correctly by making synthetic and real user responses indistinguishable.
+ *
+ * The function iterates over the user output schema and:
+ * - Includes all fields that should be returned (returned !== false)
+ * - Uses provided values when available
+ * - Sets optional fields to null when no value is provided
+ * - Applies default values where defined
+ * - Always includes the 'id' field (not part of schema but always present)
+ */
+declare function buildSyntheticUserOutput(options: BetterAuthOptions, data: Record<string, unknown>): Record<string, unknown>;
 declare function parseSessionOutput<T extends Session$1>(options: BetterAuthOptions, session: T): T;
-declare function parseAccountOutput<T extends Account>(options: BetterAuthOptions, account: T): Omit<T, "idToken" | "accessToken" | "refreshToken" | "accessTokenExpiresAt" | "refreshTokenExpiresAt" | "password">;
+declare function parseAccountOutput<T extends Account>(options: BetterAuthOptions, account: T): Omit<T, "idToken" | "accessToken" | "refreshToken" | "password" | "accessTokenExpiresAt" | "refreshTokenExpiresAt">;
 declare function parseInputData<T extends Record<string, any>>(data: T, schema: {
   fields: Record<string, DBFieldAttribute>;
   action?: ("create" | "update") | undefined;
@@ -45,4 +58,4 @@ declare function mergeSchema<S extends BetterAuthPluginDBSchema>(schema: S, newS
   } | undefined;
 } | undefined } | undefined): S;
 //#endregion
-export { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };
+export { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };

package/dist/db/schema.mjs

@@ -24,6 +24,31 @@ function getFields(options, modelName, mode) {
 function parseUserOutput(options, user) {
 	return filterOutputFields(user, getFields(options, "user", "output"));
 }
+/**
+* Builds a synthetic user object that matches the shape of a real user
+* returned from the database. This ensures enumeration protection works
+* correctly by making synthetic and real user responses indistinguishable.
+*
+* The function iterates over the user output schema and:
+* - Includes all fields that should be returned (returned !== false)
+* - Uses provided values when available
+* - Sets optional fields to null when no value is provided
+* - Applies default values where defined
+* - Always includes the 'id' field (not part of schema but always present)
+*/
+function buildSyntheticUserOutput(options, data) {
+	const schema = getFields(options, "user", "output");
+	const result = {};
+	for (const key in schema) {
+		const fieldAttr = schema[key];
+		if (fieldAttr.returned === false) continue;
+		if (key in data && data[key] !== void 0) result[key] = data[key];
+		else if (fieldAttr.defaultValue !== void 0) result[key] = typeof fieldAttr.defaultValue === "function" ? fieldAttr.defaultValue() : fieldAttr.defaultValue;
+		else if (!fieldAttr.required) result[key] = null;
+	}
+	if ("id" in data) result.id = data.id;
+	return result;
+}
 function parseSessionOutput(options, session) {
 	return filterOutputFields(session, getFields(options, "session", "output"));
 }
@@ -121,4 +146,4 @@ function mergeSchema(schema, newSchema) {
 	return schema;
 }
 //#endregion
-export { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };
+export { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };

package/dist/db/with-hooks.d.mts

@@ -31,6 +31,7 @@ declare function getWithHooks(adapter: DBAdapter<BetterAuthOptions>, ctx: {
     fn: (where: Where[]) => void | Promise<any>;
     executeMainFn?: boolean;
   } | undefined) => Promise<any>;
+  consumeOneWithHooks: <T extends Record<string, any>>(model: BaseModelNames, hookWhere: Where[], consumeFn: () => Promise<T | null>, preSnapshot?: T | null) => Promise<T | null>;
 };
 //#endregion
 export { DatabaseHooksEntry, getWithHooks };

package/dist/db/with-hooks.mjs

@@ -185,12 +185,69 @@ function getWithHooks(adapter, ctx) {
 		}
 		return deleted;
 	}
+	/**
+	* Wraps an atomic consume operation in the plugin `delete.before` and
+	* `delete.after` hook lifecycle. The caller supplies a `consumeFn` that
+	* performs the actual single-row delete-and-return (typically the
+	* adapter's `consumeOne`). The first concurrent caller wins, subsequent
+	* racers resolve to `null` without firing `delete.after` hooks.
+	*
+	* `preSnapshot` lets the caller hand in a row it already fetched so
+	* `delete.before` hooks don't trigger a second read. Without it, the
+	* helper falls back to a best-effort `findMany` against `hookWhere`.
+	* The snapshot only feeds `delete.before`; the `consumeFn` return value
+	* is the race gate.
+	*
+	* Returning `false` from a `delete.before` hook aborts the consume and
+	* the helper resolves to `null` (no `consumeFn` call, no after hooks).
+	*/
+	async function consumeOneWithHooks(model, hookWhere, consumeFn, preSnapshot) {
+		const context = await getCurrentAuthContext().catch(() => null);
+		const beforeHooks = hooksEntries.flatMap(({ source, hooks }) => {
+			const fn = hooks[model]?.delete?.before;
+			return fn ? [{
+				source,
+				fn
+			}] : [];
+		});
+		let snapshot = preSnapshot ?? null;
+		if (beforeHooks.length) {
+			if (!snapshot) try {
+				snapshot = (await (await getCurrentAdapter(adapter)).findMany({
+					model,
+					where: hookWhere,
+					limit: 1
+				}))[0] || null;
+			} catch {}
+			if (snapshot) {
+				for (const { source, fn } of beforeHooks) if (await withSpan(`db delete.before ${model}`, {
+					[ATTR_HOOK_TYPE]: "delete.before",
+					[ATTR_DB_COLLECTION_NAME]: model,
+					[ATTR_CONTEXT]: source
+				}, () => fn(snapshot, context)) === false) return null;
+			}
+		}
+		const consumed = await consumeFn();
+		if (!consumed) return null;
+		for (const { source, hooks } of hooksEntries) {
+			const toRun = hooks[model]?.delete?.after;
+			if (toRun) await queueAfterTransactionHook(async () => {
+				await withSpan(`db delete.after ${model}`, {
+					[ATTR_HOOK_TYPE]: "delete.after",
+					[ATTR_DB_COLLECTION_NAME]: model,
+					[ATTR_CONTEXT]: source
+				}, () => toRun(consumed, context));
+			});
+		}
+		return consumed;
+	}
 	return {
 		createWithHooks,
 		updateWithHooks,
 		updateManyWithHooks,
 		deleteWithHooks,
-		deleteManyWithHooks
+		deleteManyWithHooks,
+		consumeOneWithHooks
 	};
 }
 //#endregion

package/dist/index.d.mts

@@ -10,7 +10,7 @@ import { betterAuth } from "./auth/full.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "./state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
-import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
 import { APIError } from "./api/index.mjs";
 import { StandardSchemaV1 } from "@better-auth/core";
 import { getCurrentAdapter } from "@better-auth/core/context";
@@ -27,4 +27,4 @@ export * from "@better-auth/core/utils/json";
 export * from "@better-auth/core/social-providers";
 export * from "better-call";
 export * from "zod";
-export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };