better-auth 1.6.10 → 1.6.12

package/dist/plugins/organization/access/statement.d.mts

@@ -1,5 +1,4 @@
-import { Subset } from "../../access/types.mjs";
-import { AuthorizeResponse } from "../../access/access.mjs";
+import { ExactRoleStatements, Role, RoleInput, Statements } from "../../access/types.mjs";
 //#region src/plugins/organization/access/statement.d.ts
 declare const defaultStatements: {
   readonly organization: readonly ["update", "delete"];
@@ -9,137 +8,100 @@ declare const defaultStatements: {
   readonly ac: readonly ["create", "read", "update", "delete"];
 };
 declare const defaultAc: {
-  newRole<K extends "organization" | "member" | "team" | "ac" | "invitation">(statements: Subset<K, {
+  newRole<const TRoleStatements extends Statements>(statements: RoleInput<{
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
-  }>): {
-    authorize<K_1 extends K>(request: K_1 extends infer T extends keyof Subset<K, {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }> ? { [key in T]?: Subset<K, {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key] | {
-      actions: Subset<K, {
-        readonly organization: readonly ["update", "delete"];
-        readonly member: readonly ["create", "update", "delete"];
-        readonly invitation: readonly ["create", "cancel"];
-        readonly team: readonly ["create", "update", "delete"];
-        readonly ac: readonly ["create", "read", "update", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<K, {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>;
-  };
-  statements: {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  };
-};
-declare const adminAc: {
-  authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  }>[key] | {
-    actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key];
-    connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-  statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+  }, TRoleStatements>): Role<ExactRoleStatements<TRoleStatements>, {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
   }>;
-};
-declare const ownerAc: {
-  authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-    readonly organization: readonly ["update", "delete"];
-    readonly member: readonly ["create", "update", "delete"];
-    readonly invitation: readonly ["create", "cancel"];
-    readonly team: readonly ["create", "update", "delete"];
-    readonly ac: readonly ["create", "read", "update", "delete"];
-  }>[key] | {
-    actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key];
-    connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-  statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+  statements: {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
-  }>;
+  };
 };
-declare const memberAc: {
-  authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+declare const adminAc: Role<ExactRoleStatements<{
+  readonly organization: ["update"];
+  readonly invitation: ["create", "cancel"];
+  readonly member: ["create", "update", "delete"];
+  readonly team: ["create", "update", "delete"];
+  readonly ac: ["create", "read", "update", "delete"];
+}>, {
+  readonly organization: readonly ["update", "delete"];
+  readonly member: readonly ["create", "update", "delete"];
+  readonly invitation: readonly ["create", "cancel"];
+  readonly team: readonly ["create", "update", "delete"];
+  readonly ac: readonly ["create", "read", "update", "delete"];
+}>;
+declare const ownerAc: Role<ExactRoleStatements<{
+  readonly organization: ["update", "delete"];
+  readonly member: ["create", "update", "delete"];
+  readonly invitation: ["create", "cancel"];
+  readonly team: ["create", "update", "delete"];
+  readonly ac: ["create", "read", "update", "delete"];
+}>, {
+  readonly organization: readonly ["update", "delete"];
+  readonly member: readonly ["create", "update", "delete"];
+  readonly invitation: readonly ["create", "cancel"];
+  readonly team: readonly ["create", "update", "delete"];
+  readonly ac: readonly ["create", "read", "update", "delete"];
+}>;
+declare const memberAc: Role<ExactRoleStatements<{
+  readonly organization: [];
+  readonly member: [];
+  readonly invitation: [];
+  readonly team: [];
+  readonly ac: ["read"];
+}>, {
+  readonly organization: readonly ["update", "delete"];
+  readonly member: readonly ["create", "update", "delete"];
+  readonly invitation: readonly ["create", "cancel"];
+  readonly team: readonly ["create", "update", "delete"];
+  readonly ac: readonly ["create", "read", "update", "delete"];
+}>;
+declare const defaultRoles: {
+  admin: Role<ExactRoleStatements<{
+    readonly organization: ["update"];
+    readonly invitation: ["create", "cancel"];
+    readonly member: ["create", "update", "delete"];
+    readonly team: ["create", "update", "delete"];
+    readonly ac: ["create", "read", "update", "delete"];
+  }>, {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
-  }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+  }>;
+  owner: Role<ExactRoleStatements<{
+    readonly organization: ["update", "delete"];
+    readonly member: ["create", "update", "delete"];
+    readonly invitation: ["create", "cancel"];
+    readonly team: ["create", "update", "delete"];
+    readonly ac: ["create", "read", "update", "delete"];
+  }>, {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
     readonly team: readonly ["create", "update", "delete"];
     readonly ac: readonly ["create", "read", "update", "delete"];
-  }>[key] | {
-    actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key];
-    connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-  statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
+  }>;
+  member: Role<ExactRoleStatements<{
+    readonly organization: [];
+    readonly member: [];
+    readonly invitation: [];
+    readonly team: [];
+    readonly ac: ["read"];
+  }>, {
     readonly organization: readonly ["update", "delete"];
     readonly member: readonly ["create", "update", "delete"];
     readonly invitation: readonly ["create", "cancel"];
@@ -147,100 +109,5 @@ declare const memberAc: {
     readonly ac: readonly ["create", "read", "update", "delete"];
   }>;
 };
-declare const defaultRoles: {
-  admin: {
-    authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key] | {
-      actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-        readonly organization: readonly ["update", "delete"];
-        readonly member: readonly ["create", "update", "delete"];
-        readonly invitation: readonly ["create", "cancel"];
-        readonly team: readonly ["create", "update", "delete"];
-        readonly ac: readonly ["create", "read", "update", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>;
-  };
-  owner: {
-    authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key] | {
-      actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-        readonly organization: readonly ["update", "delete"];
-        readonly member: readonly ["create", "update", "delete"];
-        readonly invitation: readonly ["create", "cancel"];
-        readonly team: readonly ["create", "update", "delete"];
-        readonly ac: readonly ["create", "read", "update", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>;
-  };
-  member: {
-    authorize<K extends "organization" | "member" | "team" | "ac" | "invitation">(request: K extends infer T extends keyof Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }> ? { [key in T]?: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>[key] | {
-      actions: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-        readonly organization: readonly ["update", "delete"];
-        readonly member: readonly ["create", "update", "delete"];
-        readonly invitation: readonly ["create", "cancel"];
-        readonly team: readonly ["create", "update", "delete"];
-        readonly ac: readonly ["create", "read", "update", "delete"];
-      }>[key];
-      connector: "OR" | "AND";
-    } | undefined } : never, connector?: "OR" | "AND"): AuthorizeResponse;
-    statements: Subset<"organization" | "member" | "team" | "ac" | "invitation", {
-      readonly organization: readonly ["update", "delete"];
-      readonly member: readonly ["create", "update", "delete"];
-      readonly invitation: readonly ["create", "cancel"];
-      readonly team: readonly ["create", "update", "delete"];
-      readonly ac: readonly ["create", "read", "update", "delete"];
-    }>;
-  };
-};
 //#endregion
 export { adminAc, defaultAc, defaultRoles, defaultStatements, memberAc, ownerAc };

package/dist/plugins/organization/adapter.mjs

@@ -1,6 +1,6 @@
 import { getDate } from "../../utils/date.mjs";
 import { parseJSON } from "../../client/parser.mjs";
-import { getCurrentAdapter } from "@better-auth/core/context";
+import { getCurrentAdapter, runWithTransaction } from "@better-auth/core/context";
 import { BetterAuthError } from "@better-auth/core/error";
 import { filterOutputFields } from "@better-auth/core/utils/db";
 //#region src/plugins/organization/adapter.ts
@@ -184,46 +184,49 @@ const getOrgAdapter = (context, options) => {
 			});
 		},
 		deleteMember: async ({ memberId, organizationId, userId: _userId }) => {
-			const adapter = await getCurrentAdapter(baseAdapter);
-			let userId;
-			if (!_userId) {
-				const member = await adapter.findOne({
+			return runWithTransaction(baseAdapter, async () => {
+				const adapter = await getCurrentAdapter(baseAdapter);
+				let userId;
+				if (!_userId) {
+					const member = await adapter.findOne({
+						model: "member",
+						where: [{
+							field: "id",
+							value: memberId
+						}]
+					});
+					if (!member) throw new BetterAuthError("Member not found");
+					userId = member.userId;
+				} else userId = _userId;
+				const member = await adapter.delete({
 					model: "member",
 					where: [{
 						field: "id",
 						value: memberId
 					}]
 				});
-				if (!member) throw new BetterAuthError("Member not found");
-				userId = member.userId;
-			} else userId = _userId;
-			const member = await adapter.delete({
-				model: "member",
-				where: [{
-					field: "id",
-					value: memberId
-				}]
+				if (options?.teams?.enabled) {
+					const teams = await adapter.findMany({
+						model: "team",
+						where: [{
+							field: "organizationId",
+							value: organizationId
+						}]
+					});
+					if (teams.length > 0) await adapter.deleteMany({
+						model: "teamMember",
+						where: [{
+							field: "userId",
+							value: userId
+						}, {
+							field: "teamId",
+							value: teams.map((team) => team.id),
+							operator: "in"
+						}]
+					});
+				}
+				return member;
 			});
-			if (options?.teams?.enabled) {
-				const teams = await adapter.findMany({
-					model: "team",
-					where: [{
-						field: "organizationId",
-						value: organizationId
-					}]
-				});
-				await Promise.all(teams.map((team) => adapter.deleteMany({
-					model: "teamMember",
-					where: [{
-						field: "teamId",
-						value: team.id
-					}, {
-						field: "userId",
-						value: userId
-					}]
-				})));
-			}
-			return member;
 		},
 		updateOrganization: async (organizationId, data) => {
 			const organization = await (await getCurrentAdapter(baseAdapter)).update({
@@ -244,29 +247,31 @@ const getOrgAdapter = (context, options) => {
 			}, orgAdditionalFields);
 		},
 		deleteOrganization: async (organizationId) => {
-			const adapter = await getCurrentAdapter(baseAdapter);
-			await adapter.deleteMany({
-				model: "member",
-				where: [{
-					field: "organizationId",
-					value: organizationId
-				}]
-			});
-			await adapter.deleteMany({
-				model: "invitation",
-				where: [{
-					field: "organizationId",
-					value: organizationId
-				}]
-			});
-			await adapter.delete({
-				model: "organization",
-				where: [{
-					field: "id",
-					value: organizationId
-				}]
+			return runWithTransaction(baseAdapter, async () => {
+				const adapter = await getCurrentAdapter(baseAdapter);
+				await adapter.deleteMany({
+					model: "member",
+					where: [{
+						field: "organizationId",
+						value: organizationId
+					}]
+				});
+				await adapter.deleteMany({
+					model: "invitation",
+					where: [{
+						field: "organizationId",
+						value: organizationId
+					}]
+				});
+				await adapter.delete({
+					model: "organization",
+					where: [{
+						field: "id",
+						value: organizationId
+					}]
+				});
+				return organizationId;
 			});
-			return organizationId;
 		},
 		setActiveOrganization: async (sessionToken, organizationId, ctx) => {
 			return await context.internalAdapter.updateSession(sessionToken, { activeOrganizationId: organizationId });

package/dist/plugins/organization/client.d.mts

@@ -238,6 +238,7 @@ declare const organizationClient: <CO extends OrganizationClientOptions>(options
     INVITATION_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"INVITATION_NOT_FOUND">;
     YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION">;
     EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION: _better_auth_core_utils_error_codes0.RawError<"EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION">;
+    EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION: _better_auth_core_utils_error_codes0.RawError<"EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION">;
     YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION">;
     INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION: _better_auth_core_utils_error_codes0.RawError<"INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION">;
     YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE">;
@@ -272,6 +273,7 @@ declare const organizationClient: <CO extends OrganizationClientOptions>(options
     ROLE_NAME_IS_ALREADY_TAKEN: _better_auth_core_utils_error_codes0.RawError<"ROLE_NAME_IS_ALREADY_TAKEN">;
     CANNOT_DELETE_A_PRE_DEFINED_ROLE: _better_auth_core_utils_error_codes0.RawError<"CANNOT_DELETE_A_PRE_DEFINED_ROLE">;
     ROLE_IS_ASSIGNED_TO_MEMBERS: _better_auth_core_utils_error_codes0.RawError<"ROLE_IS_ASSIGNED_TO_MEMBERS">;
+    INVALID_TEAM_ID: _better_auth_core_utils_error_codes0.RawError<"INVALID_TEAM_ID">;
   };
 };
 declare const inferOrgAdditionalFields: <O extends {
@@ -370,4 +372,4 @@ declare const inferOrgAdditionalFields: <O extends {
   additionalFields: unknown;
 } ? K : never]: S_1[K] } : undefined : undefined : undefined : S;
 //#endregion
-export { clientSideHasPermission, inferOrgAdditionalFields, organizationClient };
+export { OrganizationClientOptions, clientSideHasPermission, inferOrgAdditionalFields, organizationClient };

package/dist/plugins/organization/error-codes.d.mts

@@ -25,6 +25,7 @@ declare const ORGANIZATION_ERROR_CODES: {
   INVITATION_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"INVITATION_NOT_FOUND">;
   YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION">;
   EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION: _better_auth_core_utils_error_codes0.RawError<"EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION">;
+  EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION: _better_auth_core_utils_error_codes0.RawError<"EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION">;
   YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION">;
   INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION: _better_auth_core_utils_error_codes0.RawError<"INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION">;
   YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE: _better_auth_core_utils_error_codes0.RawError<"YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE">;
@@ -59,6 +60,7 @@ declare const ORGANIZATION_ERROR_CODES: {
   ROLE_NAME_IS_ALREADY_TAKEN: _better_auth_core_utils_error_codes0.RawError<"ROLE_NAME_IS_ALREADY_TAKEN">;
   CANNOT_DELETE_A_PRE_DEFINED_ROLE: _better_auth_core_utils_error_codes0.RawError<"CANNOT_DELETE_A_PRE_DEFINED_ROLE">;
   ROLE_IS_ASSIGNED_TO_MEMBERS: _better_auth_core_utils_error_codes0.RawError<"ROLE_IS_ASSIGNED_TO_MEMBERS">;
+  INVALID_TEAM_ID: _better_auth_core_utils_error_codes0.RawError<"INVALID_TEAM_ID">;
 };
 //#endregion
 export { ORGANIZATION_ERROR_CODES };

package/dist/plugins/organization/error-codes.mjs

@@ -24,6 +24,7 @@ const ORGANIZATION_ERROR_CODES = defineErrorCodes({
 	INVITATION_NOT_FOUND: "Invitation not found",
 	YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION: "You are not the recipient of the invitation",
 	EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION: "Email verification required before accepting or rejecting invitation",
+	EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION: "Email verification required to view or list invitations for the session email",
 	YOU_ARE_NOT_ALLOWED_TO_CANCEL_THIS_INVITATION: "You are not allowed to cancel this invitation",
 	INVITER_IS_NO_LONGER_A_MEMBER_OF_THE_ORGANIZATION: "Inviter is no longer a member of the organization",
 	YOU_ARE_NOT_ALLOWED_TO_INVITE_USER_WITH_THIS_ROLE: "You are not allowed to invite a user with this role",
@@ -57,7 +58,8 @@ const ORGANIZATION_ERROR_CODES = defineErrorCodes({
 	INVALID_RESOURCE: "The provided permission includes an invalid resource",
 	ROLE_NAME_IS_ALREADY_TAKEN: "That role name is already taken",
 	CANNOT_DELETE_A_PRE_DEFINED_ROLE: "Cannot delete a pre-defined role",
-	ROLE_IS_ASSIGNED_TO_MEMBERS: "Cannot delete a role that is assigned to members. Please reassign the members to a different role first"
+	ROLE_IS_ASSIGNED_TO_MEMBERS: "Cannot delete a role that is assigned to members. Please reassign the members to a different role first",
+	INVALID_TEAM_ID: "Team id contains a reserved character"
 });
 //#endregion
 export { ORGANIZATION_ERROR_CODES };

package/dist/plugins/organization/routes/crud-access-control.d.mts

@@ -1,5 +1,5 @@
 import { InferAdditionalFieldsFromPluginOptions } from "../../../db/field.mjs";
-import { Statements, Subset } from "../../access/types.mjs";
+import { ExactRoleStatements } from "../../access/types.mjs";
 import { OrganizationOptions } from "../types.mjs";
 import { OrganizationRole } from "../schema.mjs";
 import * as better_call0 from "better-call";
@@ -91,7 +91,7 @@ declare const createOrgRole: <O extends OrganizationOptions>(options: O) => bett
     createdAt: Date;
     updatedAt?: Date | undefined;
   } & InferAdditionalFieldsFromPluginOptions<"organizationRole", O, false>;
-  statements: Subset<string, Statements>;
+  statements: ExactRoleStatements<Record<string, string[]>>;
 }>;
 declare const deleteOrgRole: <O extends OrganizationOptions>(options: O) => better_call0.StrictEndpoint<"/organization/delete-role", {
   method: "POST";

package/dist/plugins/organization/routes/crud-invites.mjs

@@ -155,6 +155,9 @@ const createInvitation = (option) => {
 			member
 		}, ctx.context) : ctx.context.orgOptions.invitationLimit ?? 100;
 		if ((await adapter.findPendingInvitations({ organizationId })).length >= invitationLimit) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.INVITATION_LIMIT_REACHED);
+		if (ctx.context.orgOptions.teams?.enabled && "teamId" in ctx.body && ctx.body.teamId) {
+			if ((typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId).some((id) => id.includes(","))) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVALID_TEAM_ID);
+		}
 		if (ctx.context.orgOptions.teams && ctx.context.orgOptions.teams.enabled && typeof ctx.context.orgOptions.teams.maximumMembersPerTeam !== "undefined" && "teamId" in ctx.body && ctx.body.teamId) {
 			const teamIds = typeof ctx.body.teamId === "string" ? [ctx.body.teamId] : ctx.body.teamId;
 			for (const teamId of teamIds) {
@@ -244,7 +247,7 @@ const acceptInvitation = (options) => createAuthEndpoint("/organization/accept-i
 	const invitation = await adapter.findInvitationById(ctx.body.invitationId);
 	if (!invitation || invitation.expiresAt < /* @__PURE__ */ new Date() || invitation.status !== "pending") throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.INVITATION_NOT_FOUND);
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if (ctx.context.orgOptions.requireEmailVerificationOnInvitation && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
+	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
 	const membershipLimit = ctx.context.orgOptions?.membershipLimit || 100;
 	const membersCount = await adapter.countMembers({ organizationId: invitation.organizationId });
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
@@ -333,7 +336,7 @@ const rejectInvitation = (options) => createAuthEndpoint("/organization/reject-i
 		code: "INVITATION_NOT_FOUND"
 	});
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
-	if (ctx.context.orgOptions.requireEmailVerificationOnInvitation && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
+	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_BEFORE_ACCEPTING_OR_REJECTING_INVITATION);
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
 	if (!organization) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND);
 	if (options?.organizationHooks?.beforeRejectInvitation) await options?.organizationHooks.beforeRejectInvitation({
@@ -452,6 +455,7 @@ const getInvitation = (options) => createAuthEndpoint("/organization/get-invitat
 	const invitation = await adapter.findInvitationById(ctx.query.id);
 	if (!invitation || invitation.status !== "pending" || invitation.expiresAt < /* @__PURE__ */ new Date()) throw APIError.fromStatus("BAD_REQUEST", { message: "Invitation not found!" });
 	if (invitation.email.toLowerCase() !== session.user.email.toLowerCase()) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.YOU_ARE_NOT_THE_RECIPIENT_OF_THE_INVITATION);
+	if ((ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
 	const organization = await adapter.findOrganizationById(invitation.organizationId);
 	if (!organization) throw APIError.from("BAD_REQUEST", ORGANIZATION_ERROR_CODES.ORGANIZATION_NOT_FOUND);
 	const member = await adapter.findMemberByOrgId({
@@ -537,6 +541,7 @@ const listUserInvitations = (options) => createAuthEndpoint("/organization/list-
 }, async (ctx) => {
 	const session = await getSessionFromCtx(ctx);
 	if (ctx.request && ctx.query?.email) throw APIError.fromStatus("BAD_REQUEST", { message: "User email cannot be passed for client side API calls." });
+	if (session && (ctx.context.orgOptions.requireEmailVerificationOnInvitation ?? true) && !session.user.emailVerified) throw APIError.from("FORBIDDEN", ORGANIZATION_ERROR_CODES.EMAIL_VERIFICATION_REQUIRED_FOR_INVITATION);
 	const userEmail = session?.user.email || ctx.query?.email;
 	if (!userEmail) throw APIError.fromStatus("BAD_REQUEST", { message: "Missing session headers, or email query parameter." });
 	const pendingInvitations = (await getOrgAdapter(ctx.context, options).listUserInvitations(userEmail)).filter((inv) => inv.status === "pending");

package/dist/plugins/organization/types.d.mts

@@ -165,9 +165,19 @@ interface OrganizationOptions {
    */
   cancelPendingInvitationsOnReInvite?: boolean | undefined;
   /**
-   * Require email verification on accepting or rejecting an invitation
+   * Require email verification on session-authenticated recipient invitation
+   * calls (accept, reject, get, list). Defaults to `true` so unverified
+   * accounts registered against a victim's email cannot accept, read, or
+   * enumerate invitations targeted at that email. Server-side
+   * `listUserInvitations` calls without a session (caller passes
+   * `ctx.query.email`) continue to bypass the gate because the caller is
+   * trusted. Set to `false` for backward compatibility on apps that do not
+   * require email verification; understand the takeover risk before doing so.
    *
-   * @default false
+   * @default true
+   *
+   * @deprecated The option will be removed on the next minor; the gate will
+   * become unconditional. Plan to verify emails before invitation acceptance.
    */
   requireEmailVerificationOnInvitation?: boolean | undefined;
   /**

package/dist/plugins/two-factor/index.mjs

@@ -2,7 +2,7 @@ import { mergeSchema } from "../../db/schema.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { symmetricEncrypt } from "../../crypto/index.mjs";
 import { deleteSessionCookie, expireCookie, setSessionCookie } from "../../cookies/index.mjs";
-import { sessionMiddleware } from "../../api/routes/session.mjs";
+import { sensitiveSessionMiddleware, sessionMiddleware } from "../../api/routes/session.mjs";
 import { shouldRequirePassword, validatePassword } from "../../utils/password.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { TWO_FACTOR_ERROR_CODES } from "./error-code.mjs";
@@ -138,7 +138,7 @@ const twoFactor = (options) => {
 			disableTwoFactor: createAuthEndpoint("/two-factor/disable", {
 				method: "POST",
 				body: disableTwoFactorBodySchema,
-				use: [sessionMiddleware],
+				use: [sensitiveSessionMiddleware],
 				metadata: { openapi: {
 					summary: "Disable two factor authentication",
 					description: "Use this endpoint to disable two factor authentication.",
@@ -224,6 +224,7 @@ const twoFactor = (options) => {
 				*/
 				deleteSessionCookie(ctx, true);
 				await ctx.context.internalAdapter.deleteSession(data.session.token);
+				ctx.context.setNewSession(null);
 				const maxAge = options?.twoFactorCookieMaxAge ?? 600;
 				const twoFactorCookie = ctx.context.createAuthCookie(TWO_FACTOR_COOKIE_NAME, { maxAge });
 				const identifier = `2fa-${generateRandomString(20)}`;