better-auth 1.6.11 → 1.6.12

package/dist/cookies/cookie-utils.mjs

@@ -1,5 +1,6 @@
 //#region src/cookies/cookie-utils.ts
 function tryDecode(str) {
+	if (str.indexOf("%") === -1) return str;
 	try {
 		return decodeURIComponent(str);
 	} catch {
@@ -49,9 +50,9 @@ function parseSetCookieHeader(setCookie) {
 	splitSetCookieHeader(setCookie).forEach((cookieString) => {
 		const [nameValue, ...attributes] = cookieString.split(";").map((part) => part.trim());
 		const [name, ...valueParts] = (nameValue || "").split("=");
-		const value = valueParts.join("=");
-		if (!name || value === void 0) return;
-		const attrObj = { value: value.includes("%") ? tryDecode(value) : value };
+		const value = unquoteCookieValue(valueParts.join("="));
+		if (!name) return;
+		const attrObj = { value: tryDecode(value) };
 		attributes.forEach((attribute) => {
 			const [attrName, ...attrValueParts] = attribute.split("=");
 			const attrValue = attrValueParts.join("=");
@@ -103,6 +104,69 @@ function toCookieOptions(attributes) {
 	};
 }
 /**
+* Cookie-name token char set per RFC 7230 §3.2.6.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+*/
+const cookieNameRegex = /^[\w!#$%&'*.^`|~+-]+$/;
+/**
+* Cookie-value char set per RFC 6265 §4.1.1, plus space and comma.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
+* @see https://github.com/golang/go/issues/7243
+*/
+const cookieValueRegex = /^[ !#-:<-[\]-~]*$/;
+/**
+* Strip surrounding double-quotes per RFC 6265 §4.1.1 quoted-string form.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
+*/
+function unquoteCookieValue(value) {
+	if (value.length < 2 || !value.startsWith("\"") || !value.endsWith("\"")) return value;
+	return value.slice(1, -1);
+}
+/**
+* Trim leading/trailing OWS (space / horizontal tab) per RFC 7230 §3.2.3.
+* Narrower than `String.prototype.trim()`, which strips CR/LF and other
+* whitespace and would let CTLs escape `cookieValueRegex`.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.3
+*/
+function trimOWS(s) {
+	let start = 0;
+	let end = s.length;
+	while (start < end) {
+		const c = s.charCodeAt(start);
+		if (c !== 32 && c !== 9) break;
+		start++;
+	}
+	while (end > start) {
+		const c = s.charCodeAt(end - 1);
+		if (c !== 32 && c !== 9) break;
+		end--;
+	}
+	return start === 0 && end === s.length ? s : s.slice(start, end);
+}
+/**
+* Tolerates `;` separators without the SP that RFC 6265 §4.2.1 mandates,
+* since proxies and runtimes commonly strip it. Silently drops entries
+* whose name violates RFC 7230 token or whose value violates RFC 6265
+* cookie-octet (plus space and comma). Strips optional surrounding
+* double-quotes per RFC 6265 §4.1.1.
+*/
+function parseCookies(cookie) {
+	const cookieMap = /* @__PURE__ */ new Map();
+	if (cookie.length < 2) return cookieMap;
+	for (const chunk of cookie.split(";")) {
+		const eq = chunk.indexOf("=");
+		if (eq === -1) continue;
+		const key = trimOWS(chunk.slice(0, eq));
+		const val = unquoteCookieValue(trimOWS(chunk.slice(eq + 1)));
+		if (cookieNameRegex.test(key) && cookieValueRegex.test(val)) cookieMap.set(key, tryDecode(val));
+	}
+	return cookieMap;
+}
+/**
 * Add or replace a cookie in the request `Cookie` header.
 *
 * Cookie pairs are joined with `; `, but `headers.append("cookie", ...)`
@@ -111,30 +175,29 @@ function toCookieOptions(attributes) {
 * parse-mutate-serialize.
 */
 function setRequestCookie(headers, name, value) {
-	const cookieMap = /* @__PURE__ */ new Map();
-	for (const pair of (headers.get("cookie") || "").split(";")) {
-		const trimmed = pair.trim();
-		const eq = trimmed.indexOf("=");
-		if (eq > 0) cookieMap.set(trimmed.slice(0, eq), trimmed.slice(eq + 1));
-	}
-	cookieMap.set(name, value);
-	headers.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${v}`).join("; "));
+	const cookieMap = parseCookies(headers.get("cookie") || "");
+	if (cookieNameRegex.test(name)) cookieMap.set(name, value);
+	headers.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; "));
+}
+/**
+* Merge `Set-Cookie` header values into the target's `Cookie` header.
+* Mutates `target`.
+*
+* Name/value-level merge only. RFC 6265 §5 user-agent semantics
+* (expiration, domain/path scoping, ordering) are out of scope. Suitable
+* for single-request proxy, middleware, and test contexts.
+*/
+function applySetCookies(target, setCookieValues) {
+	const cookieMap = parseCookies(target.get("cookie") || "");
+	for (const setCookie of setCookieValues) for (const [name, attr] of parseSetCookieHeader(setCookie)) if (cookieNameRegex.test(name)) cookieMap.set(name, attr.value);
+	target.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; "));
 }
 function setCookieToHeader(headers) {
 	return (context) => {
 		const setCookieHeader = context.response.headers.get("set-cookie");
 		if (!setCookieHeader) return;
-		const cookieMap = /* @__PURE__ */ new Map();
-		(headers.get("cookie") || "").split(";").forEach((cookie) => {
-			const [name, ...rest] = cookie.trim().split("=");
-			if (name && rest.length > 0) cookieMap.set(name, rest.join("="));
-		});
-		parseSetCookieHeader(setCookieHeader).forEach((value, name) => {
-			cookieMap.set(name, value.value);
-		});
-		const updatedCookies = Array.from(cookieMap.entries()).map(([name, value]) => `${name}=${value}`).join("; ");
-		headers.set("cookie", updatedCookies);
+		applySetCookies(headers, [setCookieHeader]);
 	};
 }
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.d.mts

@@ -1,5 +1,5 @@
 import { Session, User } from "../types/models.mjs";
-import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createSessionStore, getAccountCookie, getChunkedCookie } from "./session-store.mjs";
 import { BetterAuthCookie, BetterAuthCookies, BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import * as better_call0 from "better-call";
@@ -95,7 +95,6 @@ declare function setSessionCookie(ctx: GenericEndpointContext, session: {
  */
 declare function expireCookie(ctx: GenericEndpointContext, cookie: BetterAuthCookie): void;
 declare function deleteSessionCookie(ctx: GenericEndpointContext, skipDontRememberMe?: boolean | undefined): void;
-declare function parseCookies(cookieHeader: string): Map<string, string>;
 type EligibleCookies = (string & {}) | (keyof BetterAuthCookies & {});
 declare const getSessionCookie: (request: Request | Headers, config?: {
   cookiePrefix?: string;
@@ -116,4 +115,4 @@ declare const getCookieCache: <S extends {
   version?: string | ((session: Session & Record<string, any>, user: User & Record<string, any>) => string) | ((session: Session & Record<string, any>, user: User & Record<string, any>) => Promise<string>);
 } | undefined) => Promise<S | null>;
 //#endregion
-export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.mjs

@@ -4,7 +4,7 @@ import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { sec } from "../utils/time.mjs";
-import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -134,9 +134,46 @@ async function setSessionCookie(ctx, session, dontRememberMe, overrides) {
 	ctx.context.setNewSession(session);
 }
 /**
+* Remove any prior `Set-Cookie` entries on the current response whose cookie
+* name matches `cookieName` or any chunked variant (`${cookieName}.0`, etc.).
+*
+* Prevents a valid cookie value from leaking on the wire when the same cookie
+* is set and then expired within a single request (e.g. `/sign-in/email`
+* writes credential session cookies and the 2FA after-hook expires them).
+* Browsers honor the expiring entry, but anything reading the raw response
+* headers — proxy/LB logs, server-side SDK consumers, observability tools —
+* sees the earlier valid value and could replay it (bypassing the 2FA gate
+* when the cookie cache is enabled).
+*
+* Scrubs both the local middleware scope's `responseHeaders` and the outer
+* endpoint scope's `ctx.context.responseHeaders`, because plugin after-hooks
+* run in a fresh local scope while accumulated response headers live on the
+* outer one. `scoped.context` is required by {@link GenericEndpointContext}
+* but unit-test mocks pass a minimal object via `as any`, so we use optional
+* chaining defensively. The `Set` collapses the case where both scopes
+* reference the same `Headers`.
+*/
+function removeSetCookieEntries(ctx, cookieName) {
+	const scoped = ctx;
+	const targets = /* @__PURE__ */ new Set();
+	if (scoped.responseHeaders) targets.add(scoped.responseHeaders);
+	if (scoped.context?.responseHeaders) targets.add(scoped.context.responseHeaders);
+	const exact = `${cookieName}=`;
+	const chunk = `${cookieName}.`;
+	for (const headers of targets) {
+		const existing = typeof headers.getSetCookie === "function" ? headers.getSetCookie() : splitSetCookieHeader(headers.get("set-cookie") || "");
+		if (!existing.length) continue;
+		const survivors = existing.filter((entry) => !entry.startsWith(exact) && !entry.startsWith(chunk));
+		if (survivors.length === existing.length) continue;
+		headers.delete("set-cookie");
+		for (const entry of survivors) headers.append("set-cookie", entry);
+	}
+}
+/**
 * Expires a cookie by setting `maxAge: 0` while preserving its attributes
 */
 function expireCookie(ctx, cookie) {
+	removeSetCookieEntries(ctx, cookie.name);
 	ctx.setCookie(cookie.name, "", {
 		...cookie.attributes,
 		maxAge: 0
@@ -157,15 +194,6 @@ function deleteSessionCookie(ctx, skipDontRememberMe) {
 	sessionStore.setCookies(cleanCookies);
 	if (!skipDontRememberMe) expireCookie(ctx, ctx.context.authCookies.dontRememberToken);
 }
-function parseCookies(cookieHeader) {
-	const cookies = cookieHeader.split("; ");
-	const cookieMap = /* @__PURE__ */ new Map();
-	cookies.forEach((cookie) => {
-		const [name, value] = cookie.split(/=(.*)/s);
-		cookieMap.set(name, value);
-	});
-	return cookieMap;
-}
 const getSessionCookie = (request, config) => {
 	const cookies = (request instanceof Headers || !("headers" in request) ? request : request.headers).get("cookie");
 	if (!cookies) return null;
@@ -258,4 +286,4 @@ const getCookieCache = async (request, config) => {
 	return null;
 };
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/session-store.mjs

@@ -1,4 +1,5 @@
 import { symmetricDecodeJWT, symmetricEncodeJWT } from "../crypto/jwt.mjs";
+import { parseCookies } from "./cookie-utils.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 import * as z from "zod";
 //#region src/cookies/session-store.ts
@@ -6,20 +7,6 @@ const ALLOWED_COOKIE_SIZE = 4096;
 const ESTIMATED_EMPTY_COOKIE_SIZE = 200;
 const CHUNK_SIZE = ALLOWED_COOKIE_SIZE - ESTIMATED_EMPTY_COOKIE_SIZE;
 /**
-* Parse cookies from the request headers
-*/
-function parseCookiesFromContext(ctx) {
-	const cookieHeader = ctx.headers?.get("cookie");
-	if (!cookieHeader) return {};
-	const cookies = {};
-	const pairs = cookieHeader.split("; ");
-	for (const pair of pairs) {
-		const [name, ...valueParts] = pair.split("=");
-		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
-	}
-	return cookies;
-}
-/**
 * Extract the chunk index from a cookie name
 */
 function getChunkIndex(cookieName) {
@@ -33,8 +20,8 @@ function getChunkIndex(cookieName) {
 */
 function readExistingChunks(cookieName, ctx) {
 	const chunks = {};
-	const cookies = parseCookiesFromContext(ctx);
-	for (const [name, value] of Object.entries(cookies)) if (name.startsWith(cookieName)) chunks[name] = value;
+	const cookies = parseCookies(ctx.headers?.get("cookie") || "");
+	for (const [name, value] of cookies) if (name.startsWith(cookieName)) chunks[name] = value;
 	return chunks;
 }
 /**
@@ -140,13 +127,7 @@ function getChunkedCookie(ctx, cookieName) {
 	const chunks = [];
 	const cookieHeader = ctx.headers?.get("cookie");
 	if (!cookieHeader) return null;
-	const cookies = {};
-	const pairs = cookieHeader.split("; ");
-	for (const pair of pairs) {
-		const [name, ...valueParts] = pair.split("=");
-		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
-	}
-	for (const [name, val] of Object.entries(cookies)) if (name.startsWith(cookieName + ".")) {
+	for (const [name, val] of parseCookies(cookieHeader)) if (name.startsWith(cookieName + ".")) {
 		const indexStr = name.split(".").at(-1);
 		const index = parseInt(indexStr || "0", 10);
 		if (!isNaN(index)) chunks.push({

package/dist/db/get-migration.mjs

@@ -269,13 +269,14 @@ async function getMigrations(config) {
 			return `${model}.${field}`;
 		}
 	}
+	const deferredIndexes = [];
 	if (toBeAdded.length) for (const table of toBeAdded) for (const [fieldName, field] of Object.entries(table.fields)) {
 		const type = getType(field, fieldName);
 		const builder = db.schema.alterTable(table.table);
 		if (field.index) {
 			const indexName = `${table.table}_${fieldName}_${field.unique ? "uidx" : "idx"}`;
 			const indexBuilder = db.schema.createIndex(indexName).on(table.table).columns([fieldName]);
-			migrations.push(field.unique ? indexBuilder.unique() : indexBuilder);
+			deferredIndexes.push(field.unique ? indexBuilder.unique() : indexBuilder);
 		}
 		const built = builder.addColumn(fieldName, type, (col) => {
 			col = field.required !== false ? col.notNull() : col;
@@ -287,7 +288,6 @@ async function getMigrations(config) {
 		});
 		migrations.push(built);
 	}
-	const toBeIndexed = [];
 	if (toBeCreated.length) for (const table of toBeCreated) {
 		const idType = getType({ type: useNumberId ? "number" : "string" }, "id");
 		let dbT = db.schema.createTable(table.table).addColumn("id", idType, (col) => {
@@ -315,12 +315,12 @@ async function getMigrations(config) {
 			});
 			if (field.index) {
 				const builder = db.schema.createIndex(`${table.table}_${fieldName}_${field.unique ? "uidx" : "idx"}`).on(table.table).columns([fieldName]);
-				toBeIndexed.push(field.unique ? builder.unique() : builder);
+				deferredIndexes.push(field.unique ? builder.unique() : builder);
 			}
 		}
 		migrations.push(dbT);
 	}
-	if (toBeIndexed.length) for (const index of toBeIndexed) migrations.push(index);
+	for (const index of deferredIndexes) migrations.push(index);
 	async function runMigrations() {
 		for (const migration of migrations) await migration.execute();
 	}

package/dist/db/index.d.mts

@@ -3,7 +3,7 @@ import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getSchema } from "./get-schema.mjs";
 import { DatabaseHooksEntry, getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
-import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
 import { FieldAttributeToSchema, toZodSchema } from "./to-zod.mjs";
 export * from "@better-auth/core/db";
-export { DatabaseHooksEntry, FieldAttributeToObject, FieldAttributeToSchema, InferAdditionalFieldsFromPluginOptions, InferFieldsInputClient, InferFieldsOutput, RemoveFieldsWithReturnedFalse, convertFromDB, convertToDB, createInternalAdapter, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };
+export { DatabaseHooksEntry, FieldAttributeToObject, FieldAttributeToSchema, InferAdditionalFieldsFromPluginOptions, InferFieldsInputClient, InferFieldsOutput, RemoveFieldsWithReturnedFalse, buildSyntheticUserOutput, convertFromDB, convertToDB, createInternalAdapter, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };

package/dist/db/index.mjs

@@ -1,6 +1,6 @@
 import { __exportAll, __reExport } from "../_virtual/_rolldown/runtime.mjs";
 import { getSchema } from "./get-schema.mjs";
-import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
 import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
@@ -8,6 +8,7 @@ import { toZodSchema } from "./to-zod.mjs";
 export * from "@better-auth/core/db";
 //#region src/db/index.ts
 var db_exports = /* @__PURE__ */ __exportAll({
+	buildSyntheticUserOutput: () => buildSyntheticUserOutput,
 	convertFromDB: () => convertFromDB,
 	convertToDB: () => convertToDB,
 	createInternalAdapter: () => createInternalAdapter,
@@ -28,4 +29,4 @@ var db_exports = /* @__PURE__ */ __exportAll({
 import * as import__better_auth_core_db from "@better-auth/core/db";
 __reExport(db_exports, import__better_auth_core_db);
 //#endregion
-export { convertFromDB, convertToDB, createInternalAdapter, db_exports, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };
+export { buildSyntheticUserOutput, convertFromDB, convertToDB, createInternalAdapter, db_exports, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };

package/dist/db/internal-adapter.mjs

@@ -639,17 +639,23 @@ const createInternalAdapter = (adapter, ctx) => {
 			const storageOption = getStorageOption(identifier, options.verification?.storeIdentifier);
 			const storedIdentifier = await processIdentifier(identifier, storageOption);
 			const identifiersToTry = storageOption && storageOption !== "plain" ? [storedIdentifier, identifier] : [storedIdentifier];
-			if (secondaryStorage && !options.verification?.storeInDatabase) {
-				const parseCachedVerification = (raw) => {
-					if (!raw) return null;
-					if (typeof raw === "string") return safeJSONParse(raw);
-					if (typeof raw === "object") return raw;
-					return null;
+			const hydrateCachedVerification = (raw) => {
+				if (!raw) return null;
+				const candidate = typeof raw === "string" ? safeJSONParse(raw) : typeof raw === "object" ? raw : null;
+				if (!candidate) return null;
+				const expiresAt = new Date(candidate.expiresAt);
+				if (!Number.isFinite(expiresAt.getTime())) return null;
+				return {
+					...candidate,
+					expiresAt
 				};
+			};
+			let consumed = null;
+			if (secondaryStorage && !options.verification?.storeInDatabase) {
 				const consumeCacheKey = async (key) => {
-					if (secondaryStorage.getAndDelete) return parseCachedVerification(await secondaryStorage.getAndDelete(key));
+					if (secondaryStorage.getAndDelete) return hydrateCachedVerification(await secondaryStorage.getAndDelete(key));
 					return withVerificationConsumeLock(key, async () => {
-						const parsed = parseCachedVerification(await secondaryStorage.get(key));
+						const parsed = hydrateCachedVerification(await secondaryStorage.get(key));
 						if (!parsed) return null;
 						await secondaryStorage.delete(key);
 						return parsed;
@@ -659,17 +665,16 @@ const createInternalAdapter = (adapter, ctx) => {
 					const cached = await consumeCacheKey(`verification:${stored}`);
 					if (!cached) continue;
 					await Promise.all(identifiersToTry.filter((candidate) => candidate !== stored).map((candidate) => secondaryStorage.delete(`verification:${candidate}`)));
-					return cached;
+					consumed = cached;
+					break;
 				}
-				return null;
-			}
-			async function consumeByIdentifier(id) {
-				const where = [{
-					field: "identifier",
-					value: id
-				}];
-				return withVerificationConsumeLock(`verification:${id}`, () => runWithTransaction(adapter, async () => {
+			} else {
+				const consumeByIdentifier = async (id) => withVerificationConsumeLock(`verification:${id}`, () => runWithTransaction(adapter, async () => {
 					const txAdapter = await getCurrentAdapter(adapter);
+					const where = [{
+						field: "identifier",
+						value: id
+					}];
 					const latest = (await txAdapter.findMany({
 						model: "verification",
 						where,
@@ -680,30 +685,32 @@ const createInternalAdapter = (adapter, ctx) => {
 						limit: 1
 					}))[0] ?? null;
 					if (!latest) return null;
-					const hookWhere = [{
+					return consumeOneWithHooks("verification", [{
 						field: "id",
 						value: latest.id
-					}];
-					return consumeOneWithHooks("verification", hookWhere, async () => {
-						const consumed = await txAdapter.consumeOne({
+					}], async () => {
+						const row = await txAdapter.consumeOne({
 							model: "verification",
-							where: hookWhere
+							where: [{
+								field: "id",
+								value: latest.id
+							}]
 						});
-						if (!consumed) return null;
+						if (!row) return null;
 						await txAdapter.deleteMany({
 							model: "verification",
 							where
 						});
-						return consumed;
+						return row;
 					}, latest);
 				}));
+				for (const stored of identifiersToTry) {
+					consumed = await consumeByIdentifier(stored);
+					if (consumed) break;
+				}
+				if (consumed && secondaryStorage) await Promise.all(identifiersToTry.map((stored) => secondaryStorage.delete(`verification:${stored}`)));
 			}
-			let consumed = null;
-			for (const stored of identifiersToTry) {
-				consumed = await consumeByIdentifier(stored);
-				if (consumed) break;
-			}
-			if (consumed && secondaryStorage) await Promise.all(identifiersToTry.map((stored) => secondaryStorage.delete(`verification:${stored}`)));
+			if (!consumed || consumed.expiresAt < /* @__PURE__ */ new Date()) return null;
 			return consumed;
 		},
 		updateVerificationByIdentifier: async (identifier, data) => {

package/dist/db/schema.d.mts

@@ -4,8 +4,21 @@ import { BetterAuthPluginDBSchema, DBFieldAttribute } from "@better-auth/core/db
 
 //#region src/db/schema.d.ts
 declare function parseUserOutput<T extends User$1>(options: BetterAuthOptions, user: T): T;
+/**
+ * Builds a synthetic user object that matches the shape of a real user
+ * returned from the database. This ensures enumeration protection works
+ * correctly by making synthetic and real user responses indistinguishable.
+ *
+ * The function iterates over the user output schema and:
+ * - Includes all fields that should be returned (returned !== false)
+ * - Uses provided values when available
+ * - Sets optional fields to null when no value is provided
+ * - Applies default values where defined
+ * - Always includes the 'id' field (not part of schema but always present)
+ */
+declare function buildSyntheticUserOutput(options: BetterAuthOptions, data: Record<string, unknown>): Record<string, unknown>;
 declare function parseSessionOutput<T extends Session$1>(options: BetterAuthOptions, session: T): T;
-declare function parseAccountOutput<T extends Account>(options: BetterAuthOptions, account: T): Omit<T, "idToken" | "accessToken" | "refreshToken" | "accessTokenExpiresAt" | "refreshTokenExpiresAt" | "password">;
+declare function parseAccountOutput<T extends Account>(options: BetterAuthOptions, account: T): Omit<T, "idToken" | "accessToken" | "refreshToken" | "password" | "accessTokenExpiresAt" | "refreshTokenExpiresAt">;
 declare function parseInputData<T extends Record<string, any>>(data: T, schema: {
   fields: Record<string, DBFieldAttribute>;
   action?: ("create" | "update") | undefined;
@@ -45,4 +58,4 @@ declare function mergeSchema<S extends BetterAuthPluginDBSchema>(schema: S, newS
   } | undefined;
 } | undefined } | undefined): S;
 //#endregion
-export { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };
+export { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };

package/dist/db/schema.mjs

@@ -24,6 +24,31 @@ function getFields(options, modelName, mode) {
 function parseUserOutput(options, user) {
 	return filterOutputFields(user, getFields(options, "user", "output"));
 }
+/**
+* Builds a synthetic user object that matches the shape of a real user
+* returned from the database. This ensures enumeration protection works
+* correctly by making synthetic and real user responses indistinguishable.
+*
+* The function iterates over the user output schema and:
+* - Includes all fields that should be returned (returned !== false)
+* - Uses provided values when available
+* - Sets optional fields to null when no value is provided
+* - Applies default values where defined
+* - Always includes the 'id' field (not part of schema but always present)
+*/
+function buildSyntheticUserOutput(options, data) {
+	const schema = getFields(options, "user", "output");
+	const result = {};
+	for (const key in schema) {
+		const fieldAttr = schema[key];
+		if (fieldAttr.returned === false) continue;
+		if (key in data && data[key] !== void 0) result[key] = data[key];
+		else if (fieldAttr.defaultValue !== void 0) result[key] = typeof fieldAttr.defaultValue === "function" ? fieldAttr.defaultValue() : fieldAttr.defaultValue;
+		else if (!fieldAttr.required) result[key] = null;
+	}
+	if ("id" in data) result.id = data.id;
+	return result;
+}
 function parseSessionOutput(options, session) {
 	return filterOutputFields(session, getFields(options, "session", "output"));
 }
@@ -121,4 +146,4 @@ function mergeSchema(schema, newSchema) {
 	return schema;
 }
 //#endregion
-export { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };
+export { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };

package/dist/index.d.mts

@@ -10,7 +10,7 @@ import { betterAuth } from "./auth/full.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "./state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
-import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
 import { APIError } from "./api/index.mjs";
 import { StandardSchemaV1 } from "@better-auth/core";
 import { getCurrentAdapter } from "@better-auth/core/context";
@@ -27,4 +27,4 @@ export * from "@better-auth/core/utils/json";
 export * from "@better-auth/core/social-providers";
 export * from "better-call";
 export * from "zod";
-export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
 import { generateGenericState, parseGenericState } from "./state.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
@@ -14,4 +14,4 @@ export * from "@better-auth/core/oauth2";
 export * from "@better-auth/core/utils/error-codes";
 export * from "@better-auth/core/utils/id";
 export * from "@better-auth/core/utils/json";
-export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/oauth2/errors.mjs

@@ -1,6 +1,21 @@
 //#region src/oauth2/errors.ts
 const HANDLING_DOCS_URL = "https://www.better-auth.com/docs/concepts/oauth#handling-providers-without-email";
 /**
+* Redirect the user to the OAuth error page with a machine-readable `error`
+* code (and optional `error_description`).
+*
+* Every OAuth callback path routes its failures through this helper so the
+* query parameter name, the `?`/`&` separator, and URL encoding are decided in
+* one place. The error page reads the `error` query parameter, so callers must
+* never hand-build the redirect with a different parameter name.
+*/
+function redirectOnError(ctx, errorURL, error, description) {
+	const params = new URLSearchParams({ error });
+	if (description) params.set("error_description", description);
+	const sep = errorURL.includes("?") ? "&" : "?";
+	throw ctx.redirect(`${errorURL}${sep}${params.toString()}`);
+}
+/**
 * Build the logger message shown when an OAuth provider does not return an
 * email address. Kept in one place so every rejection site points users at
 * the same workaround docs.
@@ -9,4 +24,4 @@ function missingEmailLogMessage(providerId, options) {
 	return `${options?.source === "generic" ? `Generic OAuth provider "${providerId}"` : `Provider "${providerId}"`} did not return an email${options?.source === "id_token" ? " in the id token" : ""}. Either request the provider's email scope, or synthesize one via \`mapProfileToUser\`. See ${HANDLING_DOCS_URL}`;
 }
 //#endregion
-export { missingEmailLogMessage };
+export { missingEmailLogMessage, redirectOnError };

package/dist/oauth2/link-account.mjs

@@ -1,5 +1,6 @@
 import { isAPIError } from "../utils/is-api-error.mjs";
 import { setAccountCookie } from "../cookies/session-store.mjs";
+import { redirectOnError } from "./errors.mjs";
 import { setTokenUtil } from "./utils.mjs";
 import { createEmailVerificationToken } from "../api/routes/email-verification.mjs";
 import { isDevelopment, logger } from "@better-auth/core/env";
@@ -8,8 +9,7 @@ async function handleOAuthUserInfo(c, opts) {
 	const { userInfo, account, callbackURL, disableSignUp, overrideUserInfo } = opts;
 	const dbUser = await c.context.internalAdapter.findOAuthUser(userInfo.email.toLowerCase(), account.accountId, account.providerId).catch((e) => {
 		logger.error("Better auth was unable to query your database.\nError: ", e);
-		const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
-		throw c.redirect(`${errorURL}?error=internal_server_error`);
+		redirectOnError(c, c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`, "internal_server_error");
 	});
 	let user = dbUser?.user;
 	const isRegister = !user;
@@ -96,7 +96,7 @@ async function handleOAuthUserInfo(c, opts) {
 			if (c.context.options.account?.storeAccountCookie) await setAccountCookie(c, createdAccount);
 			if (!userInfo.emailVerified && user && c.context.options.emailVerification?.sendOnSignUp && c.context.options.emailVerification?.sendVerificationEmail) {
 				const token = await createEmailVerificationToken(c.context.secret, user.email, void 0, c.context.options.emailVerification?.expiresIn);
-				const url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${callbackURL}`;
+				const url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(callbackURL || "/")}`;
 				await c.context.runInBackgroundOrAwait(c.context.options.emailVerification.sendVerificationEmail({
 					user,
 					url,