better-auth 1.6.10 → 1.6.12

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
 import { generateGenericState, parseGenericState } from "./state.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
@@ -14,4 +14,4 @@ export * from "@better-auth/core/oauth2";
 export * from "@better-auth/core/utils/error-codes";
 export * from "@better-auth/core/utils/id";
 export * from "@better-auth/core/utils/json";
-export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/oauth2/errors.mjs

@@ -1,6 +1,21 @@
 //#region src/oauth2/errors.ts
 const HANDLING_DOCS_URL = "https://www.better-auth.com/docs/concepts/oauth#handling-providers-without-email";
 /**
+* Redirect the user to the OAuth error page with a machine-readable `error`
+* code (and optional `error_description`).
+*
+* Every OAuth callback path routes its failures through this helper so the
+* query parameter name, the `?`/`&` separator, and URL encoding are decided in
+* one place. The error page reads the `error` query parameter, so callers must
+* never hand-build the redirect with a different parameter name.
+*/
+function redirectOnError(ctx, errorURL, error, description) {
+	const params = new URLSearchParams({ error });
+	if (description) params.set("error_description", description);
+	const sep = errorURL.includes("?") ? "&" : "?";
+	throw ctx.redirect(`${errorURL}${sep}${params.toString()}`);
+}
+/**
 * Build the logger message shown when an OAuth provider does not return an
 * email address. Kept in one place so every rejection site points users at
 * the same workaround docs.
@@ -9,4 +24,4 @@ function missingEmailLogMessage(providerId, options) {
 	return `${options?.source === "generic" ? `Generic OAuth provider "${providerId}"` : `Provider "${providerId}"`} did not return an email${options?.source === "id_token" ? " in the id token" : ""}. Either request the provider's email scope, or synthesize one via \`mapProfileToUser\`. See ${HANDLING_DOCS_URL}`;
 }
 //#endregion
-export { missingEmailLogMessage };
+export { missingEmailLogMessage, redirectOnError };

package/dist/oauth2/link-account.mjs

@@ -1,5 +1,6 @@
 import { isAPIError } from "../utils/is-api-error.mjs";
 import { setAccountCookie } from "../cookies/session-store.mjs";
+import { redirectOnError } from "./errors.mjs";
 import { setTokenUtil } from "./utils.mjs";
 import { createEmailVerificationToken } from "../api/routes/email-verification.mjs";
 import { isDevelopment, logger } from "@better-auth/core/env";
@@ -8,8 +9,7 @@ async function handleOAuthUserInfo(c, opts) {
 	const { userInfo, account, callbackURL, disableSignUp, overrideUserInfo } = opts;
 	const dbUser = await c.context.internalAdapter.findOAuthUser(userInfo.email.toLowerCase(), account.accountId, account.providerId).catch((e) => {
 		logger.error("Better auth was unable to query your database.\nError: ", e);
-		const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
-		throw c.redirect(`${errorURL}?error=internal_server_error`);
+		redirectOnError(c, c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`, "internal_server_error");
 	});
 	let user = dbUser?.user;
 	const isRegister = !user;
@@ -17,7 +17,9 @@ async function handleOAuthUserInfo(c, opts) {
 		const linkedAccount = dbUser.linkedAccount ?? dbUser.accounts.find((acc) => acc.providerId === account.providerId && acc.accountId === account.accountId);
 		if (!linkedAccount) {
 			const accountLinking = c.context.options.account?.accountLinking;
-			if (!(opts.isTrustedProvider || c.context.trustedProviders.includes(account.providerId)) && !userInfo.emailVerified || accountLinking?.enabled === false || accountLinking?.disableImplicitLinking === true) {
+			const isTrustedProvider = opts.isTrustedProvider || c.context.trustedProviders.includes(account.providerId);
+			const requireLocalEmailVerified = accountLinking?.requireLocalEmailVerified ?? true;
+			if (!isTrustedProvider && !userInfo.emailVerified || requireLocalEmailVerified && !dbUser.user.emailVerified || accountLinking?.enabled === false || accountLinking?.disableImplicitLinking === true) {
 				if (isDevelopment()) logger.warn(`User already exist but account isn't linked to ${account.providerId}. To read more about how account linking works in Better Auth see https://www.better-auth.com/docs/concepts/users-accounts#account-linking.`);
 				return {
 					error: "account not linked",
@@ -94,7 +96,7 @@ async function handleOAuthUserInfo(c, opts) {
 			if (c.context.options.account?.storeAccountCookie) await setAccountCookie(c, createdAccount);
 			if (!userInfo.emailVerified && user && c.context.options.emailVerification?.sendOnSignUp && c.context.options.emailVerification?.sendVerificationEmail) {
 				const token = await createEmailVerificationToken(c.context.secret, user.email, void 0, c.context.options.emailVerification?.expiresIn);
-				const url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${callbackURL}`;
+				const url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(callbackURL || "/")}`;
 				await c.context.runInBackgroundOrAwait(c.context.options.emailVerification.sendVerificationEmail({
 					user,
 					url,

package/dist/oauth2/state.mjs

@@ -1,4 +1,5 @@
 import { generateRandomString } from "../crypto/random.mjs";
+import { redirectOnError } from "./errors.mjs";
 import { setOAuthState } from "../api/state/oauth.mjs";
 import { StateError, generateGenericState, parseGenericState } from "../state.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
@@ -36,8 +37,13 @@ async function parseState(c) {
 		parsedData = await parseGenericState(c, state);
 	} catch (error) {
 		c.context.logger.error("Failed to parse state", error);
-		if (error instanceof StateError && error.code === "state_security_mismatch") throw c.redirect(`${errorURL}?error=state_mismatch`);
-		throw c.redirect(`${errorURL}?error=please_restart_the_process`);
+		let code = "internal_server_error";
+		let redirectErrorURL = errorURL;
+		if (error instanceof StateError) {
+			code = error.code === "state_security_mismatch" ? "state_mismatch" : error.code;
+			redirectErrorURL = error.errorURL ?? errorURL;
+		}
+		redirectOnError(c, redirectErrorURL, code);
 	}
 	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
 	if (parsedData) await setOAuthState(parsedData);

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.10";
+var version = "1.6.12";
 //#endregion
 export { version };

package/dist/plugins/access/access.d.mts

@@ -1,4 +1,4 @@
-import { Statements, Subset } from "./types.mjs";
+import { ExactRoleStatements, Role, RoleInput, Statements } from "./types.mjs";
 
 //#region src/plugins/access/access.d.ts
 type AuthorizeResponse = {
@@ -8,21 +8,9 @@ type AuthorizeResponse = {
   success: true;
   error?: never | undefined;
 };
-declare function role<TStatements extends Statements>(statements: TStatements): {
-  authorize<K extends keyof TStatements>(request: { [key in K]?: TStatements[key] | {
-    actions: TStatements[key];
-    connector: "OR" | "AND";
-  } }, connector?: "OR" | "AND"): AuthorizeResponse;
-  statements: TStatements;
-};
+declare function role<const TRoleStatements extends Statements, TAuthorizeStatements extends Statements = TRoleStatements>(statements: TRoleStatements): Role<ExactRoleStatements<TRoleStatements>, TAuthorizeStatements>;
 declare function createAccessControl<const TStatements extends Statements>(s: TStatements): {
-  newRole<K extends keyof TStatements>(statements: Subset<K, TStatements>): {
-    authorize<K_1 extends K>(request: K_1 extends infer T extends keyof Subset<K, TStatements> ? { [key in T]?: Subset<K, TStatements>[key] | {
-      actions: Subset<K, TStatements>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<K, TStatements>;
-  };
+  newRole<const TRoleStatements extends Statements>(statements: RoleInput<TStatements, TRoleStatements>): Role<ExactRoleStatements<TRoleStatements>, TStatements>;
   statements: TStatements;
 };
 //#endregion

package/dist/plugins/access/access.mjs

@@ -6,14 +6,19 @@ function role(statements) {
 			let success = false;
 			for (const [requestedResource, requestedActions] of Object.entries(request)) {
 				const allowedActions = statements[requestedResource];
-				if (!allowedActions) return {
-					success: false,
-					error: `You are not allowed to access resource: ${requestedResource}`
-				};
-				if (Array.isArray(requestedActions)) success = requestedActions.every((requestedAction) => allowedActions.includes(requestedAction));
+				if (!allowedActions) {
+					if (connector === "AND") return {
+						success: false,
+						error: `You are not allowed to access resource: ${requestedResource}`
+					};
+					success = false;
+					continue;
+				}
+				if (Array.isArray(requestedActions)) success = requestedActions.length > 0 && requestedActions.every((requestedAction) => allowedActions.includes(requestedAction));
 				else if (typeof requestedActions === "object") {
 					const actions = requestedActions;
-					if (actions.connector === "OR") success = actions.actions.some((requestedAction) => allowedActions.includes(requestedAction));
+					if (!Array.isArray(actions.actions) || actions.actions.length === 0) success = false;
+					else if (actions.connector === "OR") success = actions.actions.some((requestedAction) => allowedActions.includes(requestedAction));
 					else success = actions.actions.every((requestedAction) => allowedActions.includes(requestedAction));
 				} else throw new BetterAuthError("Invalid access control request");
 				if (success && connector === "OR") return { success };

package/dist/plugins/access/index.d.mts

@@ -1,3 +1,3 @@
-import { AccessControl, ArrayElement, Role, Statements, SubArray, Subset } from "./types.mjs";
+import { AccessControl, ArrayElement, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset } from "./types.mjs";
 import { AuthorizeResponse, createAccessControl, role } from "./access.mjs";
-export { AccessControl, ArrayElement, AuthorizeResponse, Role, Statements, SubArray, Subset, createAccessControl, role };
+export { AccessControl, ArrayElement, AuthorizeResponse, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset, createAccessControl, role };

package/dist/plugins/access/types.d.mts

@@ -8,10 +8,17 @@ type Subset<K extends keyof R, R extends Record<string | LiteralString, readonly
 type Statements = {
   readonly [resource: string]: readonly LiteralString[];
 };
+type RoleStatements<TStatements extends Statements> = { readonly [P in keyof TStatements]?: SubArray<TStatements[P]> };
+type RoleInput<TStatements extends Statements, TRoleStatements extends Statements> = TRoleStatements & (string extends keyof TRoleStatements ? {} : RoleStatements<TStatements> & Record<Exclude<keyof TRoleStatements, keyof TStatements>, never>);
+type ExactRoleStatements<TStatements extends Statements> = { readonly [P in keyof TStatements]: readonly [...TStatements[P]] };
 type AccessControl<TStatements extends Statements = Statements> = ReturnType<typeof createAccessControl<TStatements>>;
-type Role<TStatements extends Statements = Record<string, any>> = {
-  authorize: (request: any, connector?: ("OR" | "AND") | undefined) => AuthorizeResponse;
-  statements: TStatements;
+type RoleAuthorizeRequest<TStatements extends Statements> = { [P in keyof TStatements]?: SubArray<TStatements[P]> | {
+  actions: SubArray<TStatements[P]>;
+  connector: "OR" | "AND";
+} };
+type Role<TRoleStatements extends Statements = Record<string, any>, TAuthorizeStatements extends Statements = TRoleStatements> = {
+  authorize: (request: RoleAuthorizeRequest<TAuthorizeStatements>, connector?: ("OR" | "AND") | undefined) => AuthorizeResponse;
+  statements: TRoleStatements;
 };
 //#endregion
-export { AccessControl, ArrayElement, Role, Statements, SubArray, Subset };
+export { AccessControl, ArrayElement, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset };

package/dist/plugins/admin/access/statement.d.mts

@@ -1,115 +1,51 @@
-import { Subset } from "../../access/types.mjs";
-import { AuthorizeResponse } from "../../access/access.mjs";
+import { ExactRoleStatements, Role, RoleInput, Statements } from "../../access/types.mjs";
 //#region src/plugins/admin/access/statement.d.ts
 declare const defaultStatements: {
   readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
   readonly session: readonly ["list", "revoke", "delete"];
 };
 declare const defaultAc: {
-  newRole<K extends "user" | "session">(statements: Subset<K, {
+  newRole<const TRoleStatements extends Statements>(statements: RoleInput<{
     readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
-  }>): {
-    authorize<K_1 extends K>(request: K_1 extends infer T extends keyof Subset<K, {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }> ? { [key in T]?: Subset<K, {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }>[key] | {
-      actions: Subset<K, {
-        readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-        readonly session: readonly ["list", "revoke", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<K, {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }>;
-  };
+  }, TRoleStatements>): Role<ExactRoleStatements<TRoleStatements>, {
+    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+    readonly session: readonly ["list", "revoke", "delete"];
+  }>;
   statements: {
     readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   };
 };
-declare const adminAc: {
-  authorize<K extends "user" | "session">(request: K extends infer T extends keyof Subset<"user" | "session", {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-    readonly session: readonly ["list", "revoke", "delete"];
-  }> ? { [key in T]?: Subset<"user" | "session", {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-    readonly session: readonly ["list", "revoke", "delete"];
-  }>[key] | {
-    actions: Subset<"user" | "session", {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }>[key];
-    connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-  statements: Subset<"user" | "session", {
+declare const adminAc: Role<ExactRoleStatements<{
+  readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+  readonly session: ["list", "revoke", "delete"];
+}>, {
+  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+  readonly session: readonly ["list", "revoke", "delete"];
+}>;
+declare const userAc: Role<ExactRoleStatements<{
+  readonly user: [];
+  readonly session: [];
+}>, {
+  readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
+  readonly session: readonly ["list", "revoke", "delete"];
+}>;
+declare const defaultRoles: {
+  admin: Role<ExactRoleStatements<{
+    readonly user: ["create", "list", "set-role", "ban", "impersonate", "delete", "set-password", "get", "update"];
+    readonly session: ["list", "revoke", "delete"];
+  }>, {
     readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }>;
-};
-declare const userAc: {
-  authorize<K extends "user" | "session">(request: K extends infer T extends keyof Subset<"user" | "session", {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-    readonly session: readonly ["list", "revoke", "delete"];
-  }> ? { [key in T]?: Subset<"user" | "session", {
-    readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-    readonly session: readonly ["list", "revoke", "delete"];
-  }>[key] | {
-    actions: Subset<"user" | "session", {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }>[key];
-    connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-  statements: Subset<"user" | "session", {
+  user: Role<ExactRoleStatements<{
+    readonly user: [];
+    readonly session: [];
+  }>, {
     readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
     readonly session: readonly ["list", "revoke", "delete"];
   }>;
 };
-declare const defaultRoles: {
-  admin: {
-    authorize<K extends "user" | "session">(request: K extends infer T extends keyof Subset<"user" | "session", {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }> ? { [key in T]?: Subset<"user" | "session", {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }>[key] | {
-      actions: Subset<"user" | "session", {
-        readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-        readonly session: readonly ["list", "revoke", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<"user" | "session", {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }>;
-  };
-  user: {
-    authorize<K extends "user" | "session">(request: K extends infer T extends keyof Subset<"user" | "session", {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }> ? { [key in T]?: Subset<"user" | "session", {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }>[key] | {
-      actions: Subset<"user" | "session", {
-        readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-        readonly session: readonly ["list", "revoke", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<"user" | "session", {
-      readonly user: readonly ["create", "list", "set-role", "ban", "impersonate", "impersonate-admins", "delete", "set-password", "get", "update"];
-      readonly session: readonly ["list", "revoke", "delete"];
-    }>;
-  };
-};
 //#endregion
 export { adminAc, defaultAc, defaultRoles, defaultStatements, userAc };

package/dist/plugins/admin/admin.mjs

@@ -42,10 +42,6 @@ const admin = (options) => {
 							});
 							return;
 						}
-						if (ctx && (ctx.path.startsWith("/callback") || ctx.path.startsWith("/oauth2/callback"))) {
-							const redirectURI = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-							throw ctx.redirect(`${redirectURI}?error=banned&error_description=${opts.bannedUserMessage}`);
-						}
 						throw APIError.from("FORBIDDEN", {
 							message: opts.bannedUserMessage,
 							code: "BANNED_USER"

package/dist/plugins/admin/client.d.mts

@@ -76,4 +76,4 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
   };
 };
 //#endregion
-export { adminClient };
+export { AdminClientOptions, adminClient };

package/dist/plugins/admin/routes.mjs

@@ -703,6 +703,7 @@ const removeUser = (opts) => createAuthEndpoint("/admin/remove-user", {
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_DELETE_USERS);
 	if (ctx.body.userId === ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_CANNOT_REMOVE_YOURSELF);
 	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
+	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
 	await ctx.context.internalAdapter.deleteUser(ctx.body.userId);
 	return ctx.json({ success: true });
 });

package/dist/plugins/anonymous/client.d.mts

@@ -23,6 +23,7 @@ declare const anonymousClient: () => {
     COULD_NOT_CREATE_SESSION: _better_auth_core_utils_error_codes0.RawError<"COULD_NOT_CREATE_SESSION">;
     ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY: _better_auth_core_utils_error_codes0.RawError<"ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY">;
     FAILED_TO_DELETE_ANONYMOUS_USER: _better_auth_core_utils_error_codes0.RawError<"FAILED_TO_DELETE_ANONYMOUS_USER">;
+    FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS: _better_auth_core_utils_error_codes0.RawError<"FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS">;
     USER_IS_NOT_ANONYMOUS: _better_auth_core_utils_error_codes0.RawError<"USER_IS_NOT_ANONYMOUS">;
     DELETE_ANONYMOUS_USER_DISABLED: _better_auth_core_utils_error_codes0.RawError<"DELETE_ANONYMOUS_USER_DISABLED">;
   };

package/dist/plugins/anonymous/error-codes.d.mts

@@ -7,6 +7,7 @@ declare const ANONYMOUS_ERROR_CODES: {
   COULD_NOT_CREATE_SESSION: _better_auth_core_utils_error_codes0.RawError<"COULD_NOT_CREATE_SESSION">;
   ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY: _better_auth_core_utils_error_codes0.RawError<"ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY">;
   FAILED_TO_DELETE_ANONYMOUS_USER: _better_auth_core_utils_error_codes0.RawError<"FAILED_TO_DELETE_ANONYMOUS_USER">;
+  FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS: _better_auth_core_utils_error_codes0.RawError<"FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS">;
   USER_IS_NOT_ANONYMOUS: _better_auth_core_utils_error_codes0.RawError<"USER_IS_NOT_ANONYMOUS">;
   DELETE_ANONYMOUS_USER_DISABLED: _better_auth_core_utils_error_codes0.RawError<"DELETE_ANONYMOUS_USER_DISABLED">;
 };

package/dist/plugins/anonymous/error-codes.mjs

@@ -6,6 +6,7 @@ const ANONYMOUS_ERROR_CODES = defineErrorCodes({
 	COULD_NOT_CREATE_SESSION: "Could not create session",
 	ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY: "Anonymous users cannot sign in again anonymously",
 	FAILED_TO_DELETE_ANONYMOUS_USER: "Failed to delete anonymous user",
+	FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS: "Failed to delete anonymous user sessions",
 	USER_IS_NOT_ANONYMOUS: "User is not anonymous",
 	DELETE_ANONYMOUS_USER_DISABLED: "Deleting anonymous users is disabled"
 });

package/dist/plugins/anonymous/index.d.mts

@@ -162,6 +162,7 @@ declare const anonymous: (options?: AnonymousOptions | undefined) => {
     COULD_NOT_CREATE_SESSION: _better_auth_core_utils_error_codes0.RawError<"COULD_NOT_CREATE_SESSION">;
     ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY: _better_auth_core_utils_error_codes0.RawError<"ANONYMOUS_USERS_CANNOT_SIGN_IN_AGAIN_ANONYMOUSLY">;
     FAILED_TO_DELETE_ANONYMOUS_USER: _better_auth_core_utils_error_codes0.RawError<"FAILED_TO_DELETE_ANONYMOUS_USER">;
+    FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS: _better_auth_core_utils_error_codes0.RawError<"FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS">;
     USER_IS_NOT_ANONYMOUS: _better_auth_core_utils_error_codes0.RawError<"USER_IS_NOT_ANONYMOUS">;
     DELETE_ANONYMOUS_USER_DISABLED: _better_auth_core_utils_error_codes0.RawError<"DELETE_ANONYMOUS_USER_DISABLED">;
   };

package/dist/plugins/anonymous/index.mjs

@@ -101,6 +101,12 @@ const anonymous = (options) => {
 				const session = ctx.context.session;
 				if (options?.disableDeleteAnonymousUser) throw APIError.from("BAD_REQUEST", ANONYMOUS_ERROR_CODES.DELETE_ANONYMOUS_USER_DISABLED);
 				if (!session.user.isAnonymous) throw APIError.from("FORBIDDEN", ANONYMOUS_ERROR_CODES.USER_IS_NOT_ANONYMOUS);
+				try {
+					await ctx.context.internalAdapter.deleteSessions(session.user.id);
+				} catch (error) {
+					ctx.context.logger.error("Failed to delete anonymous user sessions", error);
+					throw APIError.from("INTERNAL_SERVER_ERROR", ANONYMOUS_ERROR_CODES.FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS);
+				}
 				try {
 					await ctx.context.internalAdapter.deleteUser(session.user.id);
 				} catch (error) {
@@ -113,7 +119,7 @@ const anonymous = (options) => {
 		},
 		hooks: { after: [{
 			matcher(ctx) {
-				return ctx.path?.startsWith("/sign-in") || ctx.path?.startsWith("/sign-up") || ctx.path?.startsWith("/callback") || ctx.path?.startsWith("/oauth2/callback") || ctx.path?.startsWith("/magic-link/verify") || ctx.path?.startsWith("/email-otp/verify-email") || ctx.path?.startsWith("/one-tap/callback") || ctx.path?.startsWith("/passkey/verify-authentication") || ctx.path?.startsWith("/phone-number/verify") || false;
+				return ctx.path?.startsWith("/sign-in") || ctx.path?.startsWith("/sign-up") || ctx.path?.startsWith("/callback") || ctx.path?.startsWith("/oauth2/callback") || ctx.path?.startsWith("/magic-link/verify") || ctx.path?.startsWith("/email-otp/verify-email") || ctx.path?.startsWith("/one-tap/callback") || ctx.path?.startsWith("/passkey/verify-authentication") || ctx.path?.startsWith("/phone-number/verify") || ctx.path?.startsWith("/verify-email") || false;
 			},
 			handler: createAuthMiddleware(async (ctx) => {
 				const setCookie = ctx.context.responseHeaders?.get("set-cookie");
@@ -147,7 +153,15 @@ const anonymous = (options) => {
 				const isSameUser = newSessionUser?.id === session.user.id;
 				const newSessionIsAnonymous = Boolean(newSessionUser?.isAnonymous);
 				if (options?.disableDeleteAnonymousUser || isSameUser || newSessionIsAnonymous) return;
-				await ctx.context.internalAdapter.deleteUser(session.user.id);
+				try {
+					await ctx.context.internalAdapter.deleteSessions(session.user.id);
+					await ctx.context.internalAdapter.deleteUser(session.user.id);
+				} catch (error) {
+					ctx.context.logger.error("Failed to clean up anonymous user during post-link cleanup", {
+						anonymousUserId: session.user.id,
+						error
+					});
+				}
 			})
 		}] },
 		options,

package/dist/plugins/bearer/index.mjs

@@ -30,16 +30,11 @@ const bearer = (options) => {
 					if (authHeader.slice(0, 7).toLowerCase() !== BEARER_SCHEME) return;
 					const token = authHeader.slice(7).trim();
 					if (!token) return;
-					let signedToken;
 					let decodedToken;
-					if (token.includes(".")) {
-						const isEncoded = token.includes("%");
-						signedToken = isEncoded ? token : encodeURIComponent(token);
-						decodedToken = isEncoded ? tryDecode(token) : token;
-					} else {
+					if (token.includes(".")) decodedToken = token.includes("%") ? tryDecode(token) : token;
+					else {
 						if (options?.requireSignature) return;
-						signedToken = (await serializeSignedCookie("", token, c.context.secret)).replace("=", "");
-						decodedToken = tryDecode(signedToken);
+						decodedToken = tryDecode((await serializeSignedCookie("", token, c.context.secret)).replace("=", ""));
 					}
 					try {
 						if (!await createHMAC("SHA-256", "base64urlnopad").verify(c.context.secret, decodedToken.split(".")[0], decodedToken.split(".")[1])) return;
@@ -48,7 +43,7 @@ const bearer = (options) => {
 					}
 					const existingHeaders = c.request?.headers || c.headers;
 					const headers = new Headers({ ...Object.fromEntries(existingHeaders?.entries()) });
-					setRequestCookie(headers, c.context.authCookies.sessionToken.name, signedToken);
+					setRequestCookie(headers, c.context.authCookies.sessionToken.name, decodedToken);
 					return { context: { headers } };
 				})
 			}],

package/dist/plugins/captcha/index.mjs

@@ -21,12 +21,12 @@ const captcha = (options) => ({
 			if (pathname.endsWith("//")) pathname = pathname.slice(0, -1);
 			if (pathname.startsWith("//")) pathname = pathname.slice(1);
 			if (!pathname.startsWith("/")) pathname = "/" + pathname;
-			const blockedPaths = ["/sign-in/email-otp"].reduce((acc, curr) => {
+			const exemptPaths = ["/sign-in/email-otp"].reduce((acc, curr) => {
 				if (options.endpoints?.length && options.endpoints.includes(curr)) return acc;
 				return [...acc, curr];
 			}, []);
 			if (!endpoints.some((endpoint) => {
-				return pathname.includes(endpoint) && !blockedPaths.includes(endpoint);
+				return pathname.includes(endpoint) && !exemptPaths.some((p) => pathname.includes(p));
 			})) return;
 			if (!options.secretKey) throw new Error(INTERNAL_ERROR_CODES.MISSING_SECRET_KEY.message);
 			const captchaResponse = request.headers.get("x-captcha-response");

package/dist/plugins/device-authorization/error-codes.mjs

@@ -8,6 +8,7 @@ const DEVICE_AUTHORIZATION_ERROR_CODES = defineErrorCodes({
 	ACCESS_DENIED: "Access denied",
 	INVALID_USER_CODE: "Invalid user code",
 	DEVICE_CODE_ALREADY_PROCESSED: "Device code already processed",
+	DEVICE_CODE_NOT_CLAIMED: "Device code has not been claimed by a verifying session; call `GET /device` with the `user_code` while signed in before approving or denying",
 	POLLING_TOO_FREQUENTLY: "Polling too frequently",
 	USER_NOT_FOUND: "User not found",
 	FAILED_TO_CREATE_SESSION: "Failed to create session",

package/dist/plugins/device-authorization/index.d.mts

@@ -388,6 +388,7 @@ declare const deviceAuthorization: (options?: Partial<DeviceAuthorizationOptions
     ACCESS_DENIED: _better_auth_core_utils_error_codes0.RawError<"ACCESS_DENIED">;
     INVALID_USER_CODE: _better_auth_core_utils_error_codes0.RawError<"INVALID_USER_CODE">;
     DEVICE_CODE_ALREADY_PROCESSED: _better_auth_core_utils_error_codes0.RawError<"DEVICE_CODE_ALREADY_PROCESSED">;
+    DEVICE_CODE_NOT_CLAIMED: _better_auth_core_utils_error_codes0.RawError<"DEVICE_CODE_NOT_CLAIMED">;
     POLLING_TOO_FREQUENTLY: _better_auth_core_utils_error_codes0.RawError<"POLLING_TOO_FREQUENTLY">;
     INVALID_DEVICE_CODE_STATUS: _better_auth_core_utils_error_codes0.RawError<"INVALID_DEVICE_CODE_STATUS">;
     AUTHENTICATION_REQUIRED: _better_auth_core_utils_error_codes0.RawError<"AUTHENTICATION_REQUIRED">;

package/dist/plugins/device-authorization/routes.mjs

@@ -99,6 +99,7 @@ Follow [rfc8628#section-3.2](https://datatracker.ietf.org/doc/html/rfc8628#secti
 			data: {
 				deviceCode,
 				userCode,
+				userId: null,
 				expiresAt,
 				status: "pending",
 				pollingInterval: ms(opts.interval),
@@ -331,6 +332,28 @@ const deviceVerify = createAuthEndpoint("/device", {
 		error: "expired_token",
 		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.EXPIRED_USER_CODE.message
 	});
+	const session = await getSessionFromCtx(ctx);
+	if (session?.user?.id && !deviceCodeRecord.userId && deviceCodeRecord.status === "pending") {
+		if (await ctx.context.adapter.update({
+			model: "deviceCode",
+			where: [
+				{
+					field: "id",
+					value: deviceCodeRecord.id
+				},
+				{
+					field: "status",
+					value: "pending"
+				},
+				{
+					field: "userId",
+					operator: "eq",
+					value: null
+				}
+			],
+			update: { userId: session.user.id }
+		})) deviceCodeRecord.userId = session.user.id;
+	}
 	return ctx.json({
 		user_code,
 		status: deviceCodeRecord.status
@@ -387,7 +410,11 @@ const deviceApprove = createAuthEndpoint("/device/approve", {
 		error: "invalid_request",
 		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.DEVICE_CODE_ALREADY_PROCESSED.message
 	});
-	if (deviceCodeRecord.userId && deviceCodeRecord.userId !== session.user.id) throw new APIError("FORBIDDEN", {
+	if (!deviceCodeRecord.userId) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.DEVICE_CODE_NOT_CLAIMED.message
+	});
+	if (deviceCodeRecord.userId !== session.user.id) throw new APIError("FORBIDDEN", {
 		error: "access_denied",
 		error_description: "You are not authorized to approve this device authorization"
 	});
@@ -454,7 +481,11 @@ const deviceDeny = createAuthEndpoint("/device/deny", {
 		error: "invalid_request",
 		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.DEVICE_CODE_ALREADY_PROCESSED.message
 	});
-	if (deviceCodeRecord.userId && deviceCodeRecord.userId !== session.user.id) throw new APIError("FORBIDDEN", {
+	if (!deviceCodeRecord.userId) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: DEVICE_AUTHORIZATION_ERROR_CODES.DEVICE_CODE_NOT_CLAIMED.message
+	});
+	if (deviceCodeRecord.userId !== session.user.id) throw new APIError("FORBIDDEN", {
 		error: "access_denied",
 		error_description: "You are not authorized to deny this device authorization"
 	});
@@ -466,7 +497,7 @@ const deviceDeny = createAuthEndpoint("/device/deny", {
 		}],
 		update: {
 			status: "denied",
-			userId: deviceCodeRecord.userId || session.user.id
+			userId: session.user.id
 		}
 	});
 	return ctx.json({ success: true });

package/dist/plugins/generic-oauth/index.d.mts

@@ -117,7 +117,7 @@ declare const genericOAuth: (options: GenericOAuthOptions) => {
         };
         scope: "server";
       };
-    }, void>;
+    }, never>;
     oAuth2LinkAccount: better_call0.StrictEndpoint<"/oauth2/link", {
       method: "POST";
       body: zod.ZodObject<{