better-auth 1.6.10 → 1.6.12

package/dist/plugins/username/index.d.mts

@@ -90,9 +90,20 @@ declare const username: (options?: UsernameOptions | undefined) => {
               name: string;
               image?: string | null | undefined;
             } & Record<string, unknown>, context: _better_auth_core0.GenericEndpointContext | null): Promise<{
+              data: {
+                username: string;
+                displayUsername: string;
+                id: string;
+                createdAt: Date;
+                updatedAt: Date;
+                email: string;
+                emailVerified: boolean;
+                name: string;
+                image?: string | null | undefined;
+              };
+            } | {
               data: {
                 displayUsername?: string | undefined;
-                username?: string | undefined;
                 id: string;
                 createdAt: Date;
                 updatedAt: Date;
@@ -115,7 +126,18 @@ declare const username: (options?: UsernameOptions | undefined) => {
             }> & Record<string, unknown>, context: _better_auth_core0.GenericEndpointContext | null): Promise<{
               data: {
                 displayUsername?: string | undefined;
-                username?: string | undefined;
+                username: string;
+                id?: string | undefined;
+                createdAt?: Date | undefined;
+                updatedAt?: Date | undefined;
+                email?: string | undefined;
+                emailVerified?: boolean | undefined;
+                name?: string | undefined;
+                image?: string | null | undefined;
+              };
+            } | {
+              data: {
+                displayUsername?: string | undefined;
                 id?: string | undefined;
                 createdAt?: Date | undefined;
                 updatedAt?: Date | undefined;

package/dist/plugins/username/index.mjs

@@ -28,6 +28,31 @@ const username = (options) => {
 	const displayUsernameNormalizer = (displayUsername) => {
 		return options?.displayUsernameNormalization ? options.displayUsernameNormalization(displayUsername) : displayUsername;
 	};
+	const minUsernameLength = options?.minUsernameLength || 3;
+	const maxUsernameLength = options?.maxUsernameLength || 30;
+	const validator = options?.usernameValidator || defaultUsernameValidator;
+	const pathsWithHttpHookValidation = ["/sign-up/email", "/update-user"];
+	async function validateUsername(username, displayUsername, adapter, currentUserId) {
+		const usernameToValidate = options?.validationOrder?.username === "post-normalization" ? normalizer(username) : username;
+		if (usernameToValidate.length < minUsernameLength) throw APIError.from("BAD_REQUEST", USERNAME_ERROR_CODES.USERNAME_TOO_SHORT);
+		if (usernameToValidate.length > maxUsernameLength) throw APIError.from("BAD_REQUEST", USERNAME_ERROR_CODES.USERNAME_TOO_LONG);
+		if (!await validator(usernameToValidate)) throw APIError.from("BAD_REQUEST", USERNAME_ERROR_CODES.INVALID_USERNAME);
+		const normalizedUsername = normalizer(username);
+		const existingUser = await adapter.findOne({
+			model: "user",
+			where: [{
+				field: "username",
+				value: normalizedUsername
+			}]
+		});
+		if (existingUser) {
+			if (!currentUserId || existingUser.id !== currentUserId) throw APIError.from("BAD_REQUEST", USERNAME_ERROR_CODES.USERNAME_IS_ALREADY_TAKEN);
+		}
+		if (displayUsername && options?.displayUsernameValidator) {
+			const displayUsernameToValidate = options?.validationOrder?.displayUsername === "post-normalization" ? displayUsernameNormalizer(displayUsername) : displayUsername;
+			if (!await options.displayUsernameValidator(displayUsernameToValidate)) throw APIError.from("BAD_REQUEST", USERNAME_ERROR_CODES.INVALID_DISPLAY_USERNAME);
+		}
+	}
 	return {
 		id: "username",
 		version: PACKAGE_VERSION,
@@ -36,18 +61,39 @@ const username = (options) => {
 				create: { async before(user, context) {
 					const username = "username" in user ? user.username : null;
 					const displayUsername = "displayUsername" in user ? user.displayUsername : null;
+					const currentPath = context?.path;
+					const skipValidation = currentPath && pathsWithHttpHookValidation.includes(currentPath);
+					if (username) {
+						if (!skipValidation) await validateUsername(username, displayUsername, ctx.adapter);
+						return { data: {
+							...user,
+							username: normalizer(username),
+							displayUsername: displayUsername ? displayUsernameNormalizer(displayUsername) : username
+						} };
+					}
 					return { data: {
 						...user,
-						...username ? { username: normalizer(username) } : {},
 						...displayUsername ? { displayUsername: displayUsernameNormalizer(displayUsername) } : {}
 					} };
 				} },
 				update: { async before(user, context) {
 					const username = "username" in user ? user.username : null;
 					const displayUsername = "displayUsername" in user ? user.displayUsername : null;
+					const currentPath = context?.path;
+					const skipValidation = currentPath && pathsWithHttpHookValidation.includes(currentPath);
+					if (username) {
+						if (!skipValidation) {
+							const currentUserId = context?.context?.session?.user?.id || ("id" in user ? user.id : null);
+							await validateUsername(username, displayUsername, ctx.adapter, currentUserId);
+						}
+						return { data: {
+							...user,
+							username: normalizer(username),
+							...displayUsername ? { displayUsername: displayUsernameNormalizer(displayUsername) } : {}
+						} };
+					}
 					return { data: {
 						...user,
-						...username ? { username: normalizer(username) } : {},
 						...displayUsername ? { displayUsername: displayUsernameNormalizer(displayUsername) } : {}
 					} };
 				} }
@@ -153,7 +199,7 @@ const username = (options) => {
 					if (!ctx.context.options?.emailVerification?.sendVerificationEmail) throw APIError.from("FORBIDDEN", USERNAME_ERROR_CODES.EMAIL_NOT_VERIFIED);
 					if (ctx.context.options?.emailVerification?.sendOnSignIn) {
 						const token = await createEmailVerificationToken(ctx.context.secret, user.email, void 0, ctx.context.options.emailVerification?.expiresIn);
-						const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+						const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 						await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailVerification.sendVerificationEmail({
 							user,
 							url,

package/dist/state.d.mts

@@ -27,8 +27,8 @@ declare function generateGenericState(c: GenericEndpointContext, stateData: Stat
   state: string;
   codeVerifier: string;
 }>;
-declare function parseGenericState(c: GenericEndpointContext, state: string, settings?: {
-  cookieName: string;
+declare function parseGenericState(c: GenericEndpointContext, state: string | undefined, settings?: {
+  cookieName?: string;
   skipStateCookieCheck?: boolean;
 }): Promise<{
   [x: string]: unknown;

package/dist/state.mjs

@@ -20,10 +20,19 @@ const stateDataSchema = z.looseObject({
 var StateError = class extends BetterAuthError {
 	code;
 	details;
+	/**
+	* The per-flow `errorCallbackURL` recovered from the parsed state, when the
+	* failure happened after the state was successfully parsed (for example a
+	* nonce or state-cookie mismatch). It was origin-validated at sign-in, so
+	* the callback can safely redirect there instead of the default error page.
+	* Absent when the state could not be parsed at all.
+	*/
+	errorURL;
 	constructor(message, options) {
 		super(message, options);
 		this.code = options.code;
 		this.details = options.details;
+		this.errorURL = options.errorURL;
 	}
 };
 async function generateGenericState(c, stateData, settings) {
@@ -62,6 +71,7 @@ async function generateGenericState(c, stateData, settings) {
 	};
 }
 async function parseGenericState(c, state, settings) {
+	if (!state) throw new StateError("State not found in OAuth callback", { code: "state_not_found" });
 	const storeStateStrategy = c.context.oauthConfig.storeStateStrategy;
 	let parsedData;
 	if (storeStateStrategy === "cookie") {
@@ -86,7 +96,8 @@ async function parseGenericState(c, state, settings) {
 		}
 		if (!parsedData.oauthState || parsedData.oauthState !== state) throw new StateError("State mismatch: OAuth state parameter does not match stored state", {
 			code: "state_security_mismatch",
-			details: { state }
+			details: { state },
+			errorURL: parsedData.errorURL
 		});
 		expireCookie(c, stateCookie);
 	} else {
@@ -98,20 +109,23 @@ async function parseGenericState(c, state, settings) {
 		parsedData = stateDataSchema.parse(JSON.parse(data.value));
 		if (parsedData.oauthState !== void 0 && parsedData.oauthState !== state) throw new StateError("State mismatch: OAuth state parameter does not match stored state", {
 			code: "state_security_mismatch",
-			details: { state }
+			details: { state },
+			errorURL: parsedData.errorURL
 		});
 		const stateCookie = c.context.createAuthCookie(settings?.cookieName ?? "state");
 		const stateCookieValue = await c.getSignedCookie(stateCookie.name, c.context.secret);
 		if (!(settings?.skipStateCookieCheck ?? c.context.oauthConfig.skipStateCookieCheck) && (!stateCookieValue || stateCookieValue !== state)) throw new StateError("State mismatch: State not persisted correctly", {
 			code: "state_security_mismatch",
-			details: { state }
+			details: { state },
+			errorURL: parsedData.errorURL
 		});
 		expireCookie(c, stateCookie);
 		await c.context.internalAdapter.deleteVerificationByIdentifier(state);
 	}
 	if (parsedData.expiresAt < Date.now()) throw new StateError("Invalid state: request expired", {
 		code: "state_mismatch",
-		details: { expiresAt: parsedData.expiresAt }
+		details: { expiresAt: parsedData.expiresAt },
+		errorURL: parsedData.errorURL
 	});
 	return parsedData;
 }

package/dist/test-utils/headers.mjs

@@ -1,3 +1,4 @@
+import { applySetCookies } from "../cookies/cookie-utils.mjs";
 //#region src/test-utils/headers.ts
 /**
 * converts set cookie containing headers to
@@ -9,13 +10,7 @@ function convertSetCookieToCookie(headers) {
 		if (name.toLowerCase() === "set-cookie") setCookieHeaders.push(value);
 	});
 	if (setCookieHeaders.length === 0) return headers;
-	const existingCookies = headers.get("cookie") || "";
-	const cookies = existingCookies ? existingCookies.split("; ") : [];
-	setCookieHeaders.forEach((setCookie) => {
-		const cookiePair = setCookie.split(";")[0];
-		cookies.push(cookiePair.trim());
-	});
-	headers.set("cookie", cookies.join("; "));
+	applySetCookies(headers, setCookieHeaders);
 	return headers;
 }
 //#endregion

package/dist/test-utils/test-instance.d.mts

@@ -240,7 +240,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         allowedMediaTypes: string[];
         scope: "server";
       };
-    }, void>;
+    }, never>;
     readonly getSession: better_call0.StrictEndpoint<"/get-session", {
       method: ("GET" | "POST")[];
       operationId: string;
@@ -339,6 +339,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -505,6 +506,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -736,6 +738,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -2242,7 +2245,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         allowedMediaTypes: string[];
         scope: "server";
       };
-    }, void>;
+    }, never>;
     readonly getSession: better_call0.StrictEndpoint<"/get-session", {
       method: ("GET" | "POST")[];
       operationId: string;
@@ -2341,6 +2344,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -2507,6 +2511,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -2738,6 +2743,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -4247,7 +4253,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             allowedMediaTypes: string[];
             scope: "server";
           };
-        }, void>;
+        }, never>;
         readonly getSession: better_call0.StrictEndpoint<"/get-session", {
           method: ("GET" | "POST")[];
           operationId: string;
@@ -4346,6 +4352,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             callbackURL: zod.ZodOptional<zod.ZodString>;
             rememberMe: zod.ZodOptional<zod.ZodBoolean>;
           }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+          cloneRequest: true;
           metadata: {
             allowedMediaTypes: string[];
             $Infer: {
@@ -4512,6 +4519,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
           method: "POST";
           operationId: string;
           use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+          cloneRequest: true;
           body: zod.ZodObject<{
             email: zod.ZodString;
             password: zod.ZodString;
@@ -4743,6 +4751,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
           method: "POST";
           operationId: string;
+          cloneRequest: true;
           body: zod.ZodObject<{
             email: zod.ZodEmail;
             callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -6249,7 +6258,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             allowedMediaTypes: string[];
             scope: "server";
           };
-        }, void>;
+        }, never>;
         readonly getSession: better_call0.StrictEndpoint<"/get-session", {
           method: ("GET" | "POST")[];
           operationId: string;
@@ -6348,6 +6357,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             callbackURL: zod.ZodOptional<zod.ZodString>;
             rememberMe: zod.ZodOptional<zod.ZodBoolean>;
           }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+          cloneRequest: true;
           metadata: {
             allowedMediaTypes: string[];
             $Infer: {
@@ -6514,6 +6524,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
           method: "POST";
           operationId: string;
           use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+          cloneRequest: true;
           body: zod.ZodObject<{
             email: zod.ZodString;
             password: zod.ZodString;
@@ -6745,6 +6756,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
           method: "POST";
           operationId: string;
+          cloneRequest: true;
           body: zod.ZodObject<{
             email: zod.ZodEmail;
             callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -8325,7 +8337,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             allowedMediaTypes: string[];
             scope: "server";
           };
-        }, void>;
+        }, never>;
         readonly getSession: better_call0.StrictEndpoint<"/get-session", {
           method: ("GET" | "POST")[];
           operationId: string;
@@ -8424,6 +8436,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             callbackURL: zod.ZodOptional<zod.ZodString>;
             rememberMe: zod.ZodOptional<zod.ZodBoolean>;
           }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+          cloneRequest: true;
           metadata: {
             allowedMediaTypes: string[];
             $Infer: {
@@ -8590,6 +8603,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
           method: "POST";
           operationId: string;
           use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+          cloneRequest: true;
           body: zod.ZodObject<{
             email: zod.ZodString;
             password: zod.ZodString;
@@ -8821,6 +8835,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
           method: "POST";
           operationId: string;
+          cloneRequest: true;
           body: zod.ZodObject<{
             email: zod.ZodEmail;
             callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -10327,7 +10342,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             allowedMediaTypes: string[];
             scope: "server";
           };
-        }, void>;
+        }, never>;
         readonly getSession: better_call0.StrictEndpoint<"/get-session", {
           method: ("GET" | "POST")[];
           operationId: string;
@@ -10426,6 +10441,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
             callbackURL: zod.ZodOptional<zod.ZodString>;
             rememberMe: zod.ZodOptional<zod.ZodBoolean>;
           }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+          cloneRequest: true;
           metadata: {
             allowedMediaTypes: string[];
             $Infer: {
@@ -10592,6 +10608,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
           method: "POST";
           operationId: string;
           use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+          cloneRequest: true;
           body: zod.ZodObject<{
             email: zod.ZodString;
             password: zod.ZodString;
@@ -10823,6 +10840,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
           method: "POST";
           operationId: string;
+          cloneRequest: true;
           body: zod.ZodObject<{
             email: zod.ZodEmail;
             callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -12151,6 +12169,7 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
       USER_ALREADY_EXISTS: _better_auth_core_utils_error_codes0.RawError<"USER_ALREADY_EXISTS">;
       USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL: _better_auth_core_utils_error_codes0.RawError<"USER_ALREADY_EXISTS_USE_ANOTHER_EMAIL">;
       EMAIL_CAN_NOT_BE_UPDATED: _better_auth_core_utils_error_codes0.RawError<"EMAIL_CAN_NOT_BE_UPDATED">;
+      CHANGE_EMAIL_DISABLED: _better_auth_core_utils_error_codes0.RawError<"CHANGE_EMAIL_DISABLED">;
       CREDENTIAL_ACCOUNT_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"CREDENTIAL_ACCOUNT_NOT_FOUND">;
       ACCOUNT_NOT_FOUND: _better_auth_core_utils_error_codes0.RawError<"ACCOUNT_NOT_FOUND">;
       SESSION_EXPIRED: _better_auth_core_utils_error_codes0.RawError<"SESSION_EXPIRED">;

package/dist/test-utils/test-instance.mjs

@@ -7,6 +7,7 @@ import { createAuthClient } from "../client/vanilla.mjs";
 import { bearer } from "../plugins/bearer/index.mjs";
 import { sql } from "kysely";
 import { AsyncLocalStorage } from "node:async_hooks";
+import { randomUUID } from "node:crypto";
 import { afterAll } from "vitest";
 //#region src/test-utils/test-instance.ts
 const cleanupSet = /* @__PURE__ */ new Set();
@@ -19,10 +20,17 @@ afterAll(async () => {
 });
 async function getTestInstance(options, config) {
 	const testWith = config?.testWith || "sqlite";
+	const postgresSchema = testWith === "postgres" ? `ba_test_${randomUUID().replaceAll("-", "_")}` : void 0;
+	const quotePostgresIdentifier = (identifier) => `"${identifier.replaceAll("\"", "\"\"")}"`;
 	async function getPostgres() {
 		const { Kysely, PostgresDialect } = await import("kysely");
 		const { Pool } = await import("pg");
-		return new Kysely({ dialect: new PostgresDialect({ pool: new Pool({ connectionString: "postgres://user:password@localhost:5432/better_auth" }) }) });
+		const pool = new Pool({
+			connectionString: "postgres://user:password@localhost:5432/better_auth",
+			options: postgresSchema ? `-c search_path=${postgresSchema},public` : void 0
+		});
+		if (postgresSchema) await pool.query(`CREATE SCHEMA IF NOT EXISTS ${quotePostgresIdentifier(postgresSchema)}`);
+		return new Kysely({ dialect: new PostgresDialect({ pool }) });
 	}
 	async function getSqlite() {
 		const { DatabaseSync } = await import("node:sqlite");
@@ -103,7 +111,8 @@ async function getTestInstance(options, config) {
 		}
 		if (testWith === "postgres") {
 			const postgres = await getPostgres();
-			await sql`DROP SCHEMA public CASCADE; CREATE SCHEMA public;`.execute(postgres);
+			if (postgresSchema) await sql.raw(`DROP SCHEMA IF EXISTS ${quotePostgresIdentifier(postgresSchema)} CASCADE`).execute(postgres);
+			else await sql`DROP SCHEMA public CASCADE; CREATE SCHEMA public;`.execute(postgres);
 			await postgres.destroy();
 			return;
 		}

package/dist/utils/index.d.mts

@@ -1,4 +1,4 @@
 import { generateState, parseState } from "../oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "../state.mjs";
 import { HIDE_METADATA } from "./hide-metadata.mjs";
-import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./url.mjs";

package/dist/utils/url.d.mts

@@ -1,6 +1,7 @@
 import { BaseURLConfig, DynamicBaseURLConfig } from "@better-auth/core";
 
 //#region src/utils/url.d.ts
+declare function trimTrailingSlashes(value: string): string;
 declare function getBaseURL(url?: string, path?: string, request?: Request, loadEnv?: boolean, trustedProxyHeaders?: boolean | undefined): string | undefined;
 declare function getOrigin(url: string): string | null;
 declare function getProtocol(url: string): string | null;
@@ -74,4 +75,4 @@ declare function resolveDynamicBaseURL(config: DynamicBaseURLConfig, source: Req
  */
 declare function resolveBaseURL(config: BaseURLConfig | undefined, basePath: string, source?: Request | Headers, loadEnv?: boolean, trustedProxyHeaders?: boolean): string | undefined;
 //#endregion
-export { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };
+export { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/utils/url.mjs

@@ -2,6 +2,7 @@ import { wildcardMatch } from "./wildcard.mjs";
 import { env } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
 //#region src/utils/url.ts
+const SLASH_CHAR_CODE = "/".charCodeAt(0);
 /**
 * Minimal loopback check for dev scheme inference only. Reachable from
 * `client/config.ts` via `getBaseURL`, so we MUST NOT import the full
@@ -17,9 +18,14 @@ function isLoopbackForDevScheme(host) {
 	const hostname = host.replace(/:\d+$/, "").replace(/^\[|\]$/g, "").toLowerCase();
 	return hostname === "localhost" || hostname.endsWith(".localhost") || hostname === "::1" || hostname.startsWith("127.");
 }
+function trimTrailingSlashes(value) {
+	let end = value.length;
+	while (end > 0 && value.charCodeAt(end - 1) === SLASH_CHAR_CODE) end--;
+	return end === value.length ? value : value.slice(0, end);
+}
 function checkHasPath(url) {
 	try {
-		return (new URL(url).pathname.replace(/\/+$/, "") || "/") !== "/";
+		return (trimTrailingSlashes(new URL(url).pathname) || "/") !== "/";
 	} catch {
 		throw new BetterAuthError(`Invalid base URL: ${url}. Please provide a valid base URL.`);
 	}
@@ -36,7 +42,7 @@ function assertHasProtocol(url) {
 function withPath(url, path = "/api/auth") {
 	assertHasProtocol(url);
 	if (checkHasPath(url)) return url;
-	const trimmedUrl = url.replace(/\/+$/, "");
+	const trimmedUrl = trimTrailingSlashes(url);
 	if (!path || path === "/") return trimmedUrl;
 	path = path.startsWith("/") ? path : `/${path}`;
 	return `${trimmedUrl}${path}`;
@@ -229,4 +235,4 @@ function resolveBaseURL(config, basePath, source, loadEnv, trustedProxyHeaders)
 	return getBaseURL(void 0, basePath, request, loadEnv, trustedProxyHeaders);
 }
 //#endregion
-export { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL };
+export { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.10",
+  "version": "1.6.12",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -479,29 +479,29 @@
     }
   },
   "dependencies": {
-    "@better-auth/utils": "0.4.0",
+    "@better-auth/utils": "0.4.1",
     "@better-fetch/fetch": "1.1.21",
     "@noble/ciphers": "^2.1.1",
     "@noble/hashes": "^2.0.1",
     "better-call": "1.3.5",
     "defu": "^6.1.4",
     "jose": "^6.1.3",
-    "kysely": "^0.28.14",
+    "kysely": "^0.28.17 || ^0.29.0",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/drizzle-adapter": "1.6.10",
-    "@better-auth/core": "1.6.10",
-    "@better-auth/kysely-adapter": "1.6.10",
-    "@better-auth/memory-adapter": "1.6.10",
-    "@better-auth/mongo-adapter": "1.6.10",
-    "@better-auth/prisma-adapter": "1.6.10",
-    "@better-auth/telemetry": "1.6.10"
+    "@better-auth/core": "1.6.12",
+    "@better-auth/drizzle-adapter": "1.6.12",
+    "@better-auth/memory-adapter": "1.6.12",
+    "@better-auth/mongo-adapter": "1.6.12",
+    "@better-auth/kysely-adapter": "1.6.12",
+    "@better-auth/prisma-adapter": "1.6.12",
+    "@better-auth/telemetry": "1.6.12"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",
-    "@sveltejs/kit": "^2.57.1",
-    "@tanstack/react-start": "^1.163.2",
-    "@tanstack/solid-start": "^1.163.2",
+    "@sveltejs/kit": "^2.60.1",
+    "@tanstack/react-start": "^1.168.4",
+    "@tanstack/solid-start": "^1.168.4",
     "@types/bun": "^1.3.9",
     "@types/google.accounts": "^0.0.18",
     "@types/pg": "^8.16.0",
@@ -512,7 +512,7 @@
     "happy-dom": "^20.8.9",
     "listhen": "^1.9.0",
     "msw": "^2.12.10",
-    "next": "^16.2.3",
+    "next": "^16.2.6",
     "oauth2-mock-server": "^8.2.2",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
@@ -520,6 +520,7 @@
     "tsdown": "0.21.1",
     "type-fest": "^5.4.4",
     "typescript": "^5.9.3",
+    "vite": "^7.3.2",
     "vitest": "^4.1.5",
     "vue": "^3.5.29"
   },