better-auth 1.6.10 → 1.6.12

package/dist/plugins/generic-oauth/index.mjs

@@ -11,7 +11,7 @@ import { okta } from "./providers/okta.mjs";
 import { patreon } from "./providers/patreon.mjs";
 import { slack } from "./providers/slack.mjs";
 import { APIError } from "@better-auth/core/error";
-import { createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
+import { applyDefaultAccessTokenExpiry, createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/generic-oauth/index.ts
 /**
@@ -63,7 +63,7 @@ const genericOAuth = (options) => {
 						});
 					},
 					async validateAuthorizationCode(data) {
-						if (c.getToken) return c.getToken(data);
+						if (c.getToken) return applyDefaultAccessTokenExpiry(await c.getToken(data), c.accessTokenExpiresIn);
 						let finalTokenUrl = c.tokenUrl;
 						if (c.discoveryUrl) {
 							const discovery = await betterFetch(c.discoveryUrl, {
@@ -76,7 +76,7 @@ const genericOAuth = (options) => {
 							}
 						}
 						if (!finalTokenUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND);
-						return validateAuthorizationCode({
+						return applyDefaultAccessTokenExpiry(await validateAuthorizationCode({
 							headers: c.authorizationHeaders,
 							code: data.code,
 							codeVerifier: data.codeVerifier,
@@ -88,7 +88,7 @@ const genericOAuth = (options) => {
 							},
 							tokenEndpoint: finalTokenUrl,
 							authentication: c.authentication
-						});
+						}), c.accessTokenExpiresIn);
 					},
 					async refreshAccessToken(refreshToken) {
 						let finalTokenUrl = c.tokenUrl;
@@ -100,7 +100,7 @@ const genericOAuth = (options) => {
 							if (discovery.data) finalTokenUrl = discovery.data.token_endpoint;
 						}
 						if (!finalTokenUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND);
-						return refreshAccessToken({
+						return applyDefaultAccessTokenExpiry(await refreshAccessToken({
 							refreshToken,
 							options: {
 								clientId: c.clientId,
@@ -108,7 +108,7 @@ const genericOAuth = (options) => {
 							},
 							authentication: c.authentication,
 							tokenEndpoint: finalTokenUrl
-						});
+						}), c.accessTokenExpiresIn);
 					},
 					async getUserInfo(tokens) {
 						const userInfo = c.getUserInfo ? await c.getUserInfo(tokens) : await getUserInfo(tokens, finalUserInfoUrl);

package/dist/plugins/generic-oauth/routes.mjs

@@ -1,5 +1,6 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
-import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
+import { missingEmailLogMessage, redirectOnError } from "../../oauth2/errors.mjs";
 import { generateState, parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
 import { sessionMiddleware } from "../../api/routes/session.mjs";
@@ -8,7 +9,7 @@ import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { APIError as APIError$1 } from "../../api/index.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "./error-codes.mjs";
 import { BASE_ERROR_CODES } from "@better-auth/core/error";
-import { createAuthorizationURL, validateAuthorizationCode } from "@better-auth/core/oauth2";
+import { applyDefaultAccessTokenExpiry, createAuthorizationURL, validateAuthorizationCode } from "@better-auth/core/oauth2";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
 import { decodeJwt } from "jose";
@@ -132,7 +133,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 	}
 }, async (ctx) => {
 	const defaultErrorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-	if (ctx.query.error || !ctx.query.code) throw ctx.redirect(`${defaultErrorURL}?error=${encodeURIComponent(ctx.query.error || "oAuth_code_missing")}&error_description=${encodeURIComponent(ctx.query.error_description || "")}`);
+	if (ctx.query.error || !ctx.query.code) redirectOnError(ctx, defaultErrorURL, ctx.query.error || "oAuth_code_missing", ctx.query.error_description || void 0);
 	const providerId = ctx.params?.providerId;
 	if (!providerId) throw APIError$1.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.PROVIDER_ID_REQUIRED);
 	const providerConfig = options.config.find((p) => p.providerId === providerId);
@@ -140,13 +141,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 	let tokens = void 0;
 	const { callbackURL, codeVerifier, errorURL, requestSignUp, newUserURL, link } = await parseState(ctx);
 	const code = ctx.query.code;
-	function redirectOnError(error) {
-		const defaultErrorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-		let url = errorURL || defaultErrorURL;
-		if (url.includes("?")) url = `${url}&error=${encodeURIComponent(error)}`;
-		else url = `${url}?error=${encodeURIComponent(error)}`;
-		throw ctx.redirect(url);
-	}
+	const resolvedErrorURL = errorURL || defaultErrorURL;
 	let finalTokenUrl = providerConfig.tokenUrl;
 	let finalUserInfoUrl = providerConfig.userInfoUrl;
 	let expectedIssuer = providerConfig.issuer;
@@ -168,11 +163,11 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 					expected: expectedIssuer,
 					received: ctx.query.iss
 				});
-				return redirectOnError("issuer_mismatch");
+				redirectOnError(ctx, resolvedErrorURL, "issuer_mismatch");
 			}
 		} else if (providerConfig.requireIssuerValidation) {
 			ctx.context.logger.error("OAuth issuer parameter missing", { expected: expectedIssuer });
-			return redirectOnError("issuer_missing");
+			redirectOnError(ctx, resolvedErrorURL, "issuer_missing");
 		}
 	}
 	try {
@@ -199,25 +194,26 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 				additionalParams
 			});
 		}
+		tokens = applyDefaultAccessTokenExpiry(tokens, providerConfig.accessTokenExpiresIn);
 	} catch (e) {
 		ctx.context.logger.error(e && typeof e === "object" && "name" in e ? e.name : "", e);
-		throw redirectOnError("oauth_code_verification_failed");
+		redirectOnError(ctx, resolvedErrorURL, "oauth_code_verification_failed");
 	}
 	if (!tokens) throw APIError$1.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.INVALID_OAUTH_CONFIG);
 	const userInfo = await (async function handleUserInfo() {
 		const userInfo = providerConfig.getUserInfo ? await providerConfig.getUserInfo(tokens) : await getUserInfo(tokens, finalUserInfoUrl);
-		if (!userInfo) throw redirectOnError("user_info_is_missing");
+		if (!userInfo) redirectOnError(ctx, resolvedErrorURL, "user_info_is_missing");
 		const mapUser = providerConfig.mapProfileToUser ? await providerConfig.mapProfileToUser(userInfo) : userInfo;
 		const email = mapUser.email ? mapUser.email.toLowerCase() : userInfo.email?.toLowerCase();
 		if (!email) {
 			ctx.context.logger.error(missingEmailLogMessage(providerConfig.providerId, { source: "generic" }), userInfo);
-			throw redirectOnError("email_is_missing");
+			redirectOnError(ctx, resolvedErrorURL, "email_is_missing");
 		}
 		const id = mapUser.id ? String(mapUser.id) : String(userInfo.id);
 		const name = mapUser.name ? mapUser.name : userInfo.name;
 		if (!name) {
 			ctx.context.logger.error("Unable to get user info", userInfo);
-			throw redirectOnError("name_is_missing");
+			redirectOnError(ctx, resolvedErrorURL, "name_is_missing");
 		}
 		return {
 			...userInfo,
@@ -228,10 +224,10 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 		};
 	})();
 	if (link) {
-		if (ctx.context.options.account?.accountLinking?.allowDifferentEmails !== true && link.email.toLowerCase() !== userInfo.email.toLowerCase()) return redirectOnError("email_doesn't_match");
+		if (ctx.context.options.account?.accountLinking?.allowDifferentEmails !== true && link.email.toLowerCase() !== userInfo.email.toLowerCase()) redirectOnError(ctx, resolvedErrorURL, "email_doesn't_match");
 		const existingAccount = await ctx.context.internalAdapter.findAccountByProviderId(String(userInfo.id), providerConfig.providerId);
 		if (existingAccount) {
-			if (existingAccount.userId !== link.userId) return redirectOnError("account_already_linked_to_different_user");
+			if (existingAccount.userId !== link.userId) redirectOnError(ctx, resolvedErrorURL, "account_already_linked_to_different_user");
 			const updateData = Object.fromEntries(Object.entries({
 				accessToken: await setTokenUtil(tokens.accessToken, ctx.context),
 				idToken: tokens.idToken,
@@ -251,7 +247,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 			scope: tokens.scopes?.join(","),
 			refreshToken: await setTokenUtil(tokens.refreshToken, ctx.context),
 			idToken: tokens.idToken
-		})) return redirectOnError("unable_to_link_account");
+		})) redirectOnError(ctx, resolvedErrorURL, "unable_to_link_account");
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -260,19 +256,25 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 		}
 		throw ctx.redirect(toRedirectTo);
 	}
-	const result = await handleOAuthUserInfo(ctx, {
-		userInfo,
-		account: {
-			providerId: providerConfig.providerId,
-			accountId: userInfo.id,
-			...tokens,
-			scope: tokens.scopes?.join(",")
-		},
-		callbackURL,
-		disableSignUp: providerConfig.disableImplicitSignUp && !requestSignUp || providerConfig.disableSignUp,
-		overrideUserInfo: providerConfig.overrideUserInfo
-	});
-	if (result.error) return redirectOnError(result.error.split(" ").join("_"));
+	let result;
+	try {
+		result = await handleOAuthUserInfo(ctx, {
+			userInfo,
+			account: {
+				providerId: providerConfig.providerId,
+				accountId: userInfo.id,
+				...tokens,
+				scope: tokens.scopes?.join(",")
+			},
+			callbackURL,
+			disableSignUp: providerConfig.disableImplicitSignUp && !requestSignUp || providerConfig.disableSignUp,
+			overrideUserInfo: providerConfig.overrideUserInfo
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) redirectOnError(ctx, resolvedErrorURL, e.body.code, e.body.message);
+		throw e;
+	}
+	if (result.error) redirectOnError(ctx, resolvedErrorURL, result.error.split(" ").join("_"));
 	const { session, user } = result.data;
 	await setSessionCookie(ctx, {
 		session,

package/dist/plugins/generic-oauth/types.d.mts

@@ -87,6 +87,13 @@ interface GenericOAuthConfig {
    * Use "offline" to request a refresh token.
    */
   accessType?: string | undefined;
+  /**
+   * Fallback access-token lifetime, in seconds, used only when the provider's
+   * token response omits `expires_in`. Set this so `getAccessToken` can track
+   * expiry and refresh the token; leave unset if the provider returns
+   * `expires_in`.
+   */
+  accessTokenExpiresIn?: number | undefined;
   /**
    * Custom function to exchange authorization code for tokens.
    * If provided, this function will be used instead of the default token exchange logic.

package/dist/plugins/index.d.mts

@@ -1,6 +1,6 @@
 import { InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginIDs } from "../types/plugins.mjs";
 import { HIDE_METADATA } from "../utils/hide-metadata.mjs";
-import { AccessControl, ArrayElement, Role, Statements, SubArray, Subset } from "./access/types.mjs";
+import { AccessControl, ArrayElement, ExactRoleStatements, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, Statements, SubArray, Subset } from "./access/types.mjs";
 import { AuthorizeResponse, createAccessControl, role } from "./access/access.mjs";
 import { OrganizationOptions } from "./organization/types.mjs";
 import { InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferTeam, Invitation, InvitationInput, InvitationStatus, Member, MemberInput, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, Team, TeamInput, TeamMember, TeamMemberInput, defaultRolesSchema, invitationSchema, invitationStatus, memberSchema, organizationRoleSchema, organizationSchema, roleSchema, teamMemberSchema, teamSchema } from "./organization/schema.mjs";
@@ -62,4 +62,4 @@ import { USERNAME_ERROR_CODES } from "./username/error-codes.mjs";
 import { UsernameOptions, username } from "./username/index.mjs";
 import { hasPermission } from "./organization/has-permission.mjs";
 import { DefaultOrganizationPlugin, DynamicAccessControlEndpoints, OrganizationCreator, OrganizationEndpoints, OrganizationPlugin, TeamEndpoints, organization, parseRoles } from "./organization/organization.mjs";
-export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, encodeBackupCodes, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };
+export { AccessControl, AdminOptions, AnonymousOptions, AnonymousSession, ArrayElement, Auth0Options, AuthorizationQuery, AuthorizeResponse, BackupCodeOptions, BaseCaptchaOptions, BaseOAuthProviderOptions, BearerOptions, CaptchaFoxOptions, CaptchaOptions, Client, CloudflareTurnstileOptions, CodeVerificationValue, CustomSessionPluginOptions, DefaultOrganizationPlugin, DeviceAuthorizationOptions, DynamicAccessControlEndpoints, MULTI_SESSION_ERROR_CODES as ERROR_CODES, EmailOTPOptions, ExactRoleStatements, FieldSchema, GenericOAuthConfig, GenericOAuthOptions, GoogleRecaptchaOptions, GumroadOptions, HCaptchaOptions, HIDE_METADATA, HaveIBeenPwnedOptions, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOptionSchema, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginContext, InferPluginErrorCodes, InferPluginIDs, InferTeam, Invitation, InvitationInput, InvitationStatus, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodOptions, LineOptions, LoginResult, MagicLinkOptions, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OAuthProxyOptions, OIDCMetadata, OIDCOptions, OTPOptions, OktaOptions, OneTapOptions, OneTimeTokenOptions, OpenAPIModelSchema, OpenAPIOptions, Organization, OrganizationCreator, OrganizationEndpoints, OrganizationInput, OrganizationOptions, OrganizationPlugin, OrganizationRole, OrganizationSchema, Path, PatreonOptions, PhoneNumberOptions, Provider, Role, RoleAuthorizeRequest, RoleInput, RoleStatements, SIWEPluginOptions, SessionWithImpersonatedBy, SlackOptions, Statements, SubArray, Subset, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamEndpoints, TeamInput, TeamMember, TeamMemberInput, TestCookie, TestHelpers, TestUtilsOptions, TimeString, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, UsernameOptions, admin, anonymous, auth0, backupCode2fa, bearer, captcha, createAccessControl, createJwk, customSession, defaultRolesSchema, deviceAuthorization, deviceAuthorizationOptionsSchema, emailOTP, encodeBackupCodes, generateBackupCodes, generateExportedKeyPair, generator, genericOAuth, getBackupCodes, getClient, getJwtToken, getMCPProtectedResourceMetadata, getMCPProviderMetadata, getMetadata, getOrgAdapter, gumroad, hasPermission, haveIBeenPwned, hubspot, invitationSchema, invitationStatus, jwt, keycloak, lastLoginMethod, line, magicLink, mcp, memberSchema, microsoftEntraId, ms, multiSession, oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata, oAuthProxy, oidcProvider, okta, oneTap, oneTimeToken, openAPI, organization, organizationRoleSchema, organizationSchema, otp2fa, parseRoles, patreon, phoneNumber, role, roleSchema, sec, signJWT, siwe, slack, teamMemberSchema, teamSchema, testUtils, toExpJWT, totp2fa, twoFactor, twoFactorClient, username, verifyBackupCode, verifyJWT, withMcpAuth };

package/dist/plugins/last-login-method/client.mjs

@@ -1,9 +1,9 @@
+import { parseCookies } from "../../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 //#region src/plugins/last-login-method/client.ts
 function getCookieValue(name) {
 	if (typeof document === "undefined") return null;
-	const cookie = document.cookie.split("; ").find((row) => row.startsWith(`${name}=`));
-	return cookie ? cookie.split("=")[1] : null;
+	return parseCookies(document.cookie).get(name) ?? null;
 }
 /**
 * Client-side plugin to retrieve the last used login method

package/dist/plugins/magic-link/index.d.mts

@@ -18,7 +18,14 @@ interface MagicLinkOptions {
   expiresIn?: number | undefined;
   /**
    * Allowed attempts for verifying the magic link token.
-   * Note: Passing Infinity will allow unlimited attempts.
+   *
+   * @deprecated Multi-attempt verification is no longer supported. Each
+   * magic link token is consumed atomically on the first verification call,
+   * so a given token mints at most one session regardless of this value
+   * (see GHSA-hc7v-rggr-4hvx). The option is kept for source compatibility
+   * and may be removed in a future major; any value other than `1` is
+   * ignored and emits a `console.warn` at plugin construction.
+   *
    * @default 1
    */
   allowedAttempts?: number;

package/dist/plugins/magic-link/index.mjs

@@ -27,6 +27,7 @@ const magicLink = (options) => {
 		allowedAttempts: 1,
 		...options
 	};
+	if (options.allowedAttempts !== void 0 && options.allowedAttempts !== 1) console.warn("[better-auth/magic-link] `allowedAttempts` is ignored: tokens are consumed atomically on the first verification call (GHSA-hc7v-rggr-4hvx). Any value other than `1` has no effect; remove the option to silence this warning.");
 	async function storeToken(ctx, token) {
 		if (opts.storeToken === "hashed") return await defaultKeyHasher(token);
 		if (typeof opts.storeToken === "object" && "type" in opts.storeToken && opts.storeToken.type === "custom-hasher") return await opts.storeToken.hash(token);
@@ -59,8 +60,7 @@ const magicLink = (options) => {
 					identifier: storedToken,
 					value: JSON.stringify({
 						email,
-						name: ctx.body.name,
-						attempt: 0
+						name: ctx.body.name
 					}),
 					expiresAt: new Date(Date.now() + (opts.expiresIn || 300) * 1e3)
 				});
@@ -119,22 +119,9 @@ const magicLink = (options) => {
 				}
 				const newUserCallbackURL = new URL(ctx.query.newUserCallbackURL ? decodeURIComponent(ctx.query.newUserCallbackURL) : callbackURL, ctx.context.baseURL).toString();
 				const storedToken = await storeToken(ctx, token);
-				const tokenValue = await ctx.context.internalAdapter.findVerificationValue(storedToken);
+				const tokenValue = await ctx.context.internalAdapter.consumeVerificationValue(storedToken);
 				if (!tokenValue) redirectWithError("INVALID_TOKEN");
-				if (tokenValue.expiresAt < /* @__PURE__ */ new Date()) {
-					await ctx.context.internalAdapter.deleteVerificationByIdentifier(storedToken);
-					redirectWithError("EXPIRED_TOKEN");
-				}
-				const { email, name, attempt = 0 } = JSON.parse(tokenValue.value);
-				if (attempt >= opts.allowedAttempts) {
-					await ctx.context.internalAdapter.deleteVerificationByIdentifier(storedToken);
-					redirectWithError("ATTEMPTS_EXCEEDED");
-				}
-				await ctx.context.internalAdapter.updateVerificationByIdentifier(storedToken, { value: JSON.stringify({
-					email,
-					name,
-					attempt: attempt + 1
-				}) });
+				const { email, name } = JSON.parse(tokenValue.value);
 				let isNewUser = false;
 				let user = await ctx.context.internalAdapter.findUserByEmail(email).then((res) => res?.user);
 				if (!user) if (!opts.disableSignUp) {

package/dist/plugins/mcp/authorize.mjs

@@ -72,8 +72,14 @@ async function authorizeMCPOAuth(ctx, options) {
 	});
 	if (invalidScopes.length) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_scope", `The following scopes are invalid: ${invalidScopes.join(", ")}`));
 	if ((!query.code_challenge || !query.code_challenge_method) && options.requirePKCE) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "pkce is required"));
-	if (!query.code_challenge_method) query.code_challenge_method = "plain";
-	if (!["s256", options.allowPlainCodeChallengeMethod ? "plain" : "s256"].includes(query.code_challenge_method?.toLowerCase() || "")) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+	if (query.code_challenge_method && !query.code_challenge) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "code_challenge_method requires code_challenge"));
+	if (query.code_challenge) {
+		const allowedCodeChallengeMethods = options.allowPlainCodeChallengeMethod ? ["s256", "plain"] : ["s256"];
+		let codeChallengeMethod = query.code_challenge_method?.toLowerCase();
+		if (!codeChallengeMethod && options.allowPlainCodeChallengeMethod) codeChallengeMethod = "plain";
+		if (!codeChallengeMethod || !allowedCodeChallengeMethods.includes(codeChallengeMethod)) throw ctx.redirect(redirectErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method"));
+		query.code_challenge_method = codeChallengeMethod;
+	}
 	const code = generateRandomString(32, "a-z", "A-Z", "0-9");
 	const codeExpiresInMs = opts.codeExpiresIn * 1e3;
 	const expiresAt = new Date(Date.now() + codeExpiresInMs);

package/dist/plugins/mcp/index.mjs

@@ -1,5 +1,6 @@
 import { getBaseURL, isDynamicBaseURLConfig, resolveBaseURL } from "../../utils/url.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { constantTimeEqual } from "../../crypto/buffer.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { expireCookie } from "../../cookies/index.mjs";
 import { resolveDynamicTrustedProxyHeaders } from "../../context/helpers.mjs";
@@ -45,7 +46,7 @@ const getMCPProviderMetadata = (ctx, options) => {
 		grant_types_supported: ["authorization_code", "refresh_token"],
 		acr_values_supported: ["urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze"],
 		subject_types_supported: ["public"],
-		id_token_signing_alg_values_supported: ["RS256", "none"],
+		id_token_signing_alg_values_supported: ["RS256"],
 		token_endpoint_auth_methods_supported: [
 			"client_secret_basic",
 			"client_secret_post",
@@ -81,7 +82,7 @@ const getMCPProtectedResourceMetadata = (ctx, options) => {
 			"offline_access"
 		],
 		bearer_methods_supported: ["header"],
-		resource_signing_alg_values_supported: ["RS256", "none"]
+		resource_signing_alg_values_supported: ["RS256"]
 	};
 };
 const registerMcpClientBodySchema = z.object({
@@ -122,7 +123,7 @@ const mcp = (options) => {
 		defaultScope: "openid",
 		accessTokenExpiresIn: 3600,
 		refreshTokenExpiresIn: 604800,
-		allowPlainCodeChallengeMethod: true,
+		allowPlainCodeChallengeMethod: false,
 		...options.oidcConfig,
 		loginPage: options.loginPage,
 		scopes: [
@@ -225,10 +226,6 @@ const mcp = (options) => {
 					allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"]
 				}
 			}, async (ctx) => {
-				ctx.setHeader("Access-Control-Allow-Origin", "*");
-				ctx.setHeader("Access-Control-Allow-Methods", "POST, OPTIONS");
-				ctx.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
-				ctx.setHeader("Access-Control-Max-Age", "86400");
 				let { body } = ctx;
 				if (!body) throw ctx.error("BAD_REQUEST", {
 					error_description: "request body not found",
@@ -241,25 +238,43 @@ const mcp = (options) => {
 				});
 				let { client_id, client_secret } = body;
 				const authorization = ctx.request?.headers.get("authorization") || null;
-				if (authorization && !client_id && !client_secret && authorization.startsWith("Basic ")) try {
-					const encoded = authorization.replace("Basic ", "");
-					const decoded = new TextDecoder().decode(base64.decode(encoded));
-					if (!decoded.includes(":")) throw new APIError("UNAUTHORIZED", {
+				if (authorization && !client_secret && authorization.startsWith("Basic ")) {
+					let decoded;
+					try {
+						const encoded = authorization.replace("Basic ", "");
+						decoded = new TextDecoder().decode(base64.decode(encoded));
+					} catch {
+						throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid authorization header format",
+							error: "invalid_client"
+						});
+					}
+					const colonIndex = decoded.indexOf(":");
+					if (colonIndex === -1) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid authorization header format",
 						error: "invalid_client"
 					});
-					const [id, secret] = decoded.split(":");
+					let id;
+					let secret;
+					try {
+						id = decodeURIComponent(decoded.slice(0, colonIndex));
+						secret = decodeURIComponent(decoded.slice(colonIndex + 1));
+					} catch {
+						throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid authorization header format",
+							error: "invalid_client"
+						});
+					}
 					if (!id || !secret) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid authorization header format",
 						error: "invalid_client"
 					});
-					client_id = id;
-					client_secret = secret;
-				} catch {
-					throw new APIError("UNAUTHORIZED", {
-						error_description: "invalid authorization header format",
+					if (client_id && client_id.toString() !== id) throw new APIError("UNAUTHORIZED", {
+						error_description: "client_id in body does not match Authorization header",
 						error: "invalid_client"
 					});
+					client_id = id;
+					client_secret = secret;
 				}
 				const { grant_type, code, redirect_uri, refresh_token, code_verifier } = body;
 				if (grant_type === "refresh_token") {
@@ -286,6 +301,38 @@ const mcp = (options) => {
 						error_description: "refresh token expired",
 						error: "invalid_grant"
 					});
+					const refreshClient = await ctx.context.adapter.findOne({
+						model: modelName.oauthClient,
+						where: [{
+							field: "clientId",
+							value: client_id.toString()
+						}]
+					}).then((res) => {
+						if (!res) return null;
+						return {
+							...res,
+							redirectUrls: res.redirectUrls.split(","),
+							metadata: res.metadata ? JSON.parse(res.metadata) : {}
+						};
+					});
+					if (!refreshClient) throw new APIError("UNAUTHORIZED", {
+						error_description: "invalid client_id",
+						error: "invalid_client"
+					});
+					if (refreshClient.disabled) throw new APIError("UNAUTHORIZED", {
+						error_description: "client is disabled",
+						error: "invalid_client"
+					});
+					if (refreshClient.type !== "public") {
+						if (!refreshClient.clientSecret || !client_secret) throw new APIError("UNAUTHORIZED", {
+							error_description: "client_secret is required for confidential clients",
+							error: "invalid_client"
+						});
+						if (!constantTimeEqual(refreshClient.clientSecret, client_secret.toString())) throw new APIError("UNAUTHORIZED", {
+							error_description: "invalid client_secret",
+							error: "invalid_client"
+						});
+					}
 					const accessToken = generateRandomString(32, "a-z", "A-Z");
 					const newRefreshToken = generateRandomString(32, "a-z", "A-Z");
 					const accessTokenExpiresAt = new Date(Date.now() + opts.accessTokenExpiresIn * 1e3);
@@ -320,20 +367,11 @@ const mcp = (options) => {
 					error_description: "code verifier is missing",
 					error: "invalid_request"
 				});
-				/**
-				* We need to check if the code is valid before we can proceed
-				* with the rest of the request.
-				*/
-				const verificationValue = await ctx.context.internalAdapter.findVerificationValue(code.toString());
+				const verificationValue = await ctx.context.internalAdapter.consumeVerificationValue(code.toString());
 				if (!verificationValue) throw new APIError("UNAUTHORIZED", {
 					error_description: "invalid code",
 					error: "invalid_grant"
 				});
-				if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-					error_description: "code expired",
-					error: "invalid_grant"
-				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(code.toString());
 				if (!client_id) throw new APIError("UNAUTHORIZED", {
 					error_description: "client_id is required",
 					error: "invalid_client"
@@ -378,11 +416,11 @@ const mcp = (options) => {
 						error: "invalid_request"
 					});
 				} else {
-					if (!client_secret) throw new APIError("UNAUTHORIZED", {
+					if (!client.clientSecret || !client_secret) throw new APIError("UNAUTHORIZED", {
 						error_description: "client_secret is required for confidential clients",
 						error: "invalid_client"
 					});
-					if (!(client.clientSecret === client_secret.toString())) throw new APIError("UNAUTHORIZED", {
+					if (!constantTimeEqual(client.clientSecret, client_secret.toString())) throw new APIError("UNAUTHORIZED", {
 						error_description: "invalid client_secret",
 						error: "invalid_client"
 					});
@@ -400,12 +438,13 @@ const mcp = (options) => {
 					error_description: "code verifier is missing",
 					error: "invalid_request"
 				});
-				if ((value.codeChallengeMethod === "plain" ? code_verifier : await createHash("SHA-256", "base64urlnopad").digest(code_verifier)) !== value.codeChallenge) throw new APIError("UNAUTHORIZED", {
-					error_description: "code verification failed",
-					error: "invalid_request"
-				});
+				if (value.codeChallenge) {
+					if ((value.codeChallengeMethod === "plain" ? code_verifier : await createHash("SHA-256", "base64urlnopad").digest(code_verifier)) !== value.codeChallenge) throw new APIError("UNAUTHORIZED", {
+						error_description: "code verification failed",
+						error: "invalid_request"
+					});
+				}
 				const requestedScopes = value.scope;
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(code.toString());
 				const accessToken = generateRandomString(32, "a-z", "A-Z");
 				const refreshToken = generateRandomString(32, "A-Z", "a-z");
 				const accessTokenExpiresAt = new Date(Date.now() + opts.accessTokenExpiresIn * 1e3);

package/dist/plugins/multi-session/index.mjs

@@ -1,6 +1,6 @@
 import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
-import { SECURE_COOKIE_PREFIX, parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
-import { deleteSessionCookie, expireCookie, parseCookies, setSessionCookie } from "../../cookies/index.mjs";
+import { SECURE_COOKIE_PREFIX, parseCookies, parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { deleteSessionCookie, expireCookie, setSessionCookie } from "../../cookies/index.mjs";
 import { sessionMiddleware } from "../../api/routes/session.mjs";
 import { APIError } from "../../api/index.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";