better-auth 1.6.11 → 1.6.12

package/dist/oauth2/state.mjs

@@ -1,4 +1,5 @@
 import { generateRandomString } from "../crypto/random.mjs";
+import { redirectOnError } from "./errors.mjs";
 import { setOAuthState } from "../api/state/oauth.mjs";
 import { StateError, generateGenericState, parseGenericState } from "../state.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
@@ -36,8 +37,13 @@ async function parseState(c) {
 		parsedData = await parseGenericState(c, state);
 	} catch (error) {
 		c.context.logger.error("Failed to parse state", error);
-		if (error instanceof StateError && error.code === "state_security_mismatch") throw c.redirect(`${errorURL}?error=state_mismatch`);
-		throw c.redirect(`${errorURL}?error=please_restart_the_process`);
+		let code = "internal_server_error";
+		let redirectErrorURL = errorURL;
+		if (error instanceof StateError) {
+			code = error.code === "state_security_mismatch" ? "state_mismatch" : error.code;
+			redirectErrorURL = error.errorURL ?? errorURL;
+		}
+		redirectOnError(c, redirectErrorURL, code);
 	}
 	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
 	if (parsedData) await setOAuthState(parsedData);

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.11";
+var version = "1.6.12";
 //#endregion
 export { version };

package/dist/plugins/access/access.mjs

@@ -6,14 +6,19 @@ function role(statements) {
 			let success = false;
 			for (const [requestedResource, requestedActions] of Object.entries(request)) {
 				const allowedActions = statements[requestedResource];
-				if (!allowedActions) return {
-					success: false,
-					error: `You are not allowed to access resource: ${requestedResource}`
-				};
-				if (Array.isArray(requestedActions)) success = requestedActions.every((requestedAction) => allowedActions.includes(requestedAction));
+				if (!allowedActions) {
+					if (connector === "AND") return {
+						success: false,
+						error: `You are not allowed to access resource: ${requestedResource}`
+					};
+					success = false;
+					continue;
+				}
+				if (Array.isArray(requestedActions)) success = requestedActions.length > 0 && requestedActions.every((requestedAction) => allowedActions.includes(requestedAction));
 				else if (typeof requestedActions === "object") {
 					const actions = requestedActions;
-					if (actions.connector === "OR") success = actions.actions.some((requestedAction) => allowedActions.includes(requestedAction));
+					if (!Array.isArray(actions.actions) || actions.actions.length === 0) success = false;
+					else if (actions.connector === "OR") success = actions.actions.some((requestedAction) => allowedActions.includes(requestedAction));
 					else success = actions.actions.every((requestedAction) => allowedActions.includes(requestedAction));
 				} else throw new BetterAuthError("Invalid access control request");
 				if (success && connector === "OR") return { success };

package/dist/plugins/admin/admin.mjs

@@ -42,10 +42,6 @@ const admin = (options) => {
 							});
 							return;
 						}
-						if (ctx && (ctx.path.startsWith("/callback") || ctx.path.startsWith("/oauth2/callback"))) {
-							const redirectURI = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-							throw ctx.redirect(`${redirectURI}?error=banned&error_description=${opts.bannedUserMessage}`);
-						}
 						throw APIError.from("FORBIDDEN", {
 							message: opts.bannedUserMessage,
 							code: "BANNED_USER"

package/dist/plugins/admin/client.d.mts

@@ -76,4 +76,4 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
   };
 };
 //#endregion
-export { adminClient };
+export { AdminClientOptions, adminClient };

package/dist/plugins/bearer/index.mjs

@@ -30,16 +30,11 @@ const bearer = (options) => {
 					if (authHeader.slice(0, 7).toLowerCase() !== BEARER_SCHEME) return;
 					const token = authHeader.slice(7).trim();
 					if (!token) return;
-					let signedToken;
 					let decodedToken;
-					if (token.includes(".")) {
-						const isEncoded = token.includes("%");
-						signedToken = isEncoded ? token : encodeURIComponent(token);
-						decodedToken = isEncoded ? tryDecode(token) : token;
-					} else {
+					if (token.includes(".")) decodedToken = token.includes("%") ? tryDecode(token) : token;
+					else {
 						if (options?.requireSignature) return;
-						signedToken = (await serializeSignedCookie("", token, c.context.secret)).replace("=", "");
-						decodedToken = tryDecode(signedToken);
+						decodedToken = tryDecode((await serializeSignedCookie("", token, c.context.secret)).replace("=", ""));
 					}
 					try {
 						if (!await createHMAC("SHA-256", "base64urlnopad").verify(c.context.secret, decodedToken.split(".")[0], decodedToken.split(".")[1])) return;
@@ -48,7 +43,7 @@ const bearer = (options) => {
 					}
 					const existingHeaders = c.request?.headers || c.headers;
 					const headers = new Headers({ ...Object.fromEntries(existingHeaders?.entries()) });
-					setRequestCookie(headers, c.context.authCookies.sessionToken.name, signedToken);
+					setRequestCookie(headers, c.context.authCookies.sessionToken.name, decodedToken);
 					return { context: { headers } };
 				})
 			}],

package/dist/plugins/captcha/index.mjs

@@ -21,12 +21,12 @@ const captcha = (options) => ({
 			if (pathname.endsWith("//")) pathname = pathname.slice(0, -1);
 			if (pathname.startsWith("//")) pathname = pathname.slice(1);
 			if (!pathname.startsWith("/")) pathname = "/" + pathname;
-			const blockedPaths = ["/sign-in/email-otp"].reduce((acc, curr) => {
+			const exemptPaths = ["/sign-in/email-otp"].reduce((acc, curr) => {
 				if (options.endpoints?.length && options.endpoints.includes(curr)) return acc;
 				return [...acc, curr];
 			}, []);
 			if (!endpoints.some((endpoint) => {
-				return pathname.includes(endpoint) && !blockedPaths.includes(endpoint);
+				return pathname.includes(endpoint) && !exemptPaths.some((p) => pathname.includes(p));
 			})) return;
 			if (!options.secretKey) throw new Error(INTERNAL_ERROR_CODES.MISSING_SECRET_KEY.message);
 			const captchaResponse = request.headers.get("x-captcha-response");

package/dist/plugins/generic-oauth/index.d.mts

@@ -117,7 +117,7 @@ declare const genericOAuth: (options: GenericOAuthOptions) => {
         };
         scope: "server";
       };
-    }, void>;
+    }, never>;
     oAuth2LinkAccount: better_call0.StrictEndpoint<"/oauth2/link", {
       method: "POST";
       body: zod.ZodObject<{

package/dist/plugins/generic-oauth/index.mjs

@@ -11,7 +11,7 @@ import { okta } from "./providers/okta.mjs";
 import { patreon } from "./providers/patreon.mjs";
 import { slack } from "./providers/slack.mjs";
 import { APIError } from "@better-auth/core/error";
-import { createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
+import { applyDefaultAccessTokenExpiry, createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/generic-oauth/index.ts
 /**
@@ -63,7 +63,7 @@ const genericOAuth = (options) => {
 						});
 					},
 					async validateAuthorizationCode(data) {
-						if (c.getToken) return c.getToken(data);
+						if (c.getToken) return applyDefaultAccessTokenExpiry(await c.getToken(data), c.accessTokenExpiresIn);
 						let finalTokenUrl = c.tokenUrl;
 						if (c.discoveryUrl) {
 							const discovery = await betterFetch(c.discoveryUrl, {
@@ -76,7 +76,7 @@ const genericOAuth = (options) => {
 							}
 						}
 						if (!finalTokenUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND);
-						return validateAuthorizationCode({
+						return applyDefaultAccessTokenExpiry(await validateAuthorizationCode({
 							headers: c.authorizationHeaders,
 							code: data.code,
 							codeVerifier: data.codeVerifier,
@@ -88,7 +88,7 @@ const genericOAuth = (options) => {
 							},
 							tokenEndpoint: finalTokenUrl,
 							authentication: c.authentication
-						});
+						}), c.accessTokenExpiresIn);
 					},
 					async refreshAccessToken(refreshToken) {
 						let finalTokenUrl = c.tokenUrl;
@@ -100,7 +100,7 @@ const genericOAuth = (options) => {
 							if (discovery.data) finalTokenUrl = discovery.data.token_endpoint;
 						}
 						if (!finalTokenUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND);
-						return refreshAccessToken({
+						return applyDefaultAccessTokenExpiry(await refreshAccessToken({
 							refreshToken,
 							options: {
 								clientId: c.clientId,
@@ -108,7 +108,7 @@ const genericOAuth = (options) => {
 							},
 							authentication: c.authentication,
 							tokenEndpoint: finalTokenUrl
-						});
+						}), c.accessTokenExpiresIn);
 					},
 					async getUserInfo(tokens) {
 						const userInfo = c.getUserInfo ? await c.getUserInfo(tokens) : await getUserInfo(tokens, finalUserInfoUrl);

package/dist/plugins/generic-oauth/routes.mjs

@@ -1,5 +1,6 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
-import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
+import { missingEmailLogMessage, redirectOnError } from "../../oauth2/errors.mjs";
 import { generateState, parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
 import { sessionMiddleware } from "../../api/routes/session.mjs";
@@ -8,7 +9,7 @@ import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { APIError as APIError$1 } from "../../api/index.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "./error-codes.mjs";
 import { BASE_ERROR_CODES } from "@better-auth/core/error";
-import { createAuthorizationURL, validateAuthorizationCode } from "@better-auth/core/oauth2";
+import { applyDefaultAccessTokenExpiry, createAuthorizationURL, validateAuthorizationCode } from "@better-auth/core/oauth2";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
 import { decodeJwt } from "jose";
@@ -132,7 +133,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 	}
 }, async (ctx) => {
 	const defaultErrorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-	if (ctx.query.error || !ctx.query.code) throw ctx.redirect(`${defaultErrorURL}?error=${encodeURIComponent(ctx.query.error || "oAuth_code_missing")}&error_description=${encodeURIComponent(ctx.query.error_description || "")}`);
+	if (ctx.query.error || !ctx.query.code) redirectOnError(ctx, defaultErrorURL, ctx.query.error || "oAuth_code_missing", ctx.query.error_description || void 0);
 	const providerId = ctx.params?.providerId;
 	if (!providerId) throw APIError$1.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.PROVIDER_ID_REQUIRED);
 	const providerConfig = options.config.find((p) => p.providerId === providerId);
@@ -140,13 +141,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 	let tokens = void 0;
 	const { callbackURL, codeVerifier, errorURL, requestSignUp, newUserURL, link } = await parseState(ctx);
 	const code = ctx.query.code;
-	function redirectOnError(error) {
-		const defaultErrorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-		let url = errorURL || defaultErrorURL;
-		if (url.includes("?")) url = `${url}&error=${encodeURIComponent(error)}`;
-		else url = `${url}?error=${encodeURIComponent(error)}`;
-		throw ctx.redirect(url);
-	}
+	const resolvedErrorURL = errorURL || defaultErrorURL;
 	let finalTokenUrl = providerConfig.tokenUrl;
 	let finalUserInfoUrl = providerConfig.userInfoUrl;
 	let expectedIssuer = providerConfig.issuer;
@@ -168,11 +163,11 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 					expected: expectedIssuer,
 					received: ctx.query.iss
 				});
-				return redirectOnError("issuer_mismatch");
+				redirectOnError(ctx, resolvedErrorURL, "issuer_mismatch");
 			}
 		} else if (providerConfig.requireIssuerValidation) {
 			ctx.context.logger.error("OAuth issuer parameter missing", { expected: expectedIssuer });
-			return redirectOnError("issuer_missing");
+			redirectOnError(ctx, resolvedErrorURL, "issuer_missing");
 		}
 	}
 	try {
@@ -199,25 +194,26 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 				additionalParams
 			});
 		}
+		tokens = applyDefaultAccessTokenExpiry(tokens, providerConfig.accessTokenExpiresIn);
 	} catch (e) {
 		ctx.context.logger.error(e && typeof e === "object" && "name" in e ? e.name : "", e);
-		throw redirectOnError("oauth_code_verification_failed");
+		redirectOnError(ctx, resolvedErrorURL, "oauth_code_verification_failed");
 	}
 	if (!tokens) throw APIError$1.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.INVALID_OAUTH_CONFIG);
 	const userInfo = await (async function handleUserInfo() {
 		const userInfo = providerConfig.getUserInfo ? await providerConfig.getUserInfo(tokens) : await getUserInfo(tokens, finalUserInfoUrl);
-		if (!userInfo) throw redirectOnError("user_info_is_missing");
+		if (!userInfo) redirectOnError(ctx, resolvedErrorURL, "user_info_is_missing");
 		const mapUser = providerConfig.mapProfileToUser ? await providerConfig.mapProfileToUser(userInfo) : userInfo;
 		const email = mapUser.email ? mapUser.email.toLowerCase() : userInfo.email?.toLowerCase();
 		if (!email) {
 			ctx.context.logger.error(missingEmailLogMessage(providerConfig.providerId, { source: "generic" }), userInfo);
-			throw redirectOnError("email_is_missing");
+			redirectOnError(ctx, resolvedErrorURL, "email_is_missing");
 		}
 		const id = mapUser.id ? String(mapUser.id) : String(userInfo.id);
 		const name = mapUser.name ? mapUser.name : userInfo.name;
 		if (!name) {
 			ctx.context.logger.error("Unable to get user info", userInfo);
-			throw redirectOnError("name_is_missing");
+			redirectOnError(ctx, resolvedErrorURL, "name_is_missing");
 		}
 		return {
 			...userInfo,
@@ -228,10 +224,10 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 		};
 	})();
 	if (link) {
-		if (ctx.context.options.account?.accountLinking?.allowDifferentEmails !== true && link.email.toLowerCase() !== userInfo.email.toLowerCase()) return redirectOnError("email_doesn't_match");
+		if (ctx.context.options.account?.accountLinking?.allowDifferentEmails !== true && link.email.toLowerCase() !== userInfo.email.toLowerCase()) redirectOnError(ctx, resolvedErrorURL, "email_doesn't_match");
 		const existingAccount = await ctx.context.internalAdapter.findAccountByProviderId(String(userInfo.id), providerConfig.providerId);
 		if (existingAccount) {
-			if (existingAccount.userId !== link.userId) return redirectOnError("account_already_linked_to_different_user");
+			if (existingAccount.userId !== link.userId) redirectOnError(ctx, resolvedErrorURL, "account_already_linked_to_different_user");
 			const updateData = Object.fromEntries(Object.entries({
 				accessToken: await setTokenUtil(tokens.accessToken, ctx.context),
 				idToken: tokens.idToken,
@@ -251,7 +247,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 			scope: tokens.scopes?.join(","),
 			refreshToken: await setTokenUtil(tokens.refreshToken, ctx.context),
 			idToken: tokens.idToken
-		})) return redirectOnError("unable_to_link_account");
+		})) redirectOnError(ctx, resolvedErrorURL, "unable_to_link_account");
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -260,19 +256,25 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 		}
 		throw ctx.redirect(toRedirectTo);
 	}
-	const result = await handleOAuthUserInfo(ctx, {
-		userInfo,
-		account: {
-			providerId: providerConfig.providerId,
-			accountId: userInfo.id,
-			...tokens,
-			scope: tokens.scopes?.join(",")
-		},
-		callbackURL,
-		disableSignUp: providerConfig.disableImplicitSignUp && !requestSignUp || providerConfig.disableSignUp,
-		overrideUserInfo: providerConfig.overrideUserInfo
-	});
-	if (result.error) return redirectOnError(result.error.split(" ").join("_"));
+	let result;
+	try {
+		result = await handleOAuthUserInfo(ctx, {
+			userInfo,
+			account: {
+				providerId: providerConfig.providerId,
+				accountId: userInfo.id,
+				...tokens,
+				scope: tokens.scopes?.join(",")
+			},
+			callbackURL,
+			disableSignUp: providerConfig.disableImplicitSignUp && !requestSignUp || providerConfig.disableSignUp,
+			overrideUserInfo: providerConfig.overrideUserInfo
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) redirectOnError(ctx, resolvedErrorURL, e.body.code, e.body.message);
+		throw e;
+	}
+	if (result.error) redirectOnError(ctx, resolvedErrorURL, result.error.split(" ").join("_"));
 	const { session, user } = result.data;
 	await setSessionCookie(ctx, {
 		session,

package/dist/plugins/generic-oauth/types.d.mts

@@ -87,6 +87,13 @@ interface GenericOAuthConfig {
    * Use "offline" to request a refresh token.
    */
   accessType?: string | undefined;
+  /**
+   * Fallback access-token lifetime, in seconds, used only when the provider's
+   * token response omits `expires_in`. Set this so `getAccessToken` can track
+   * expiry and refresh the token; leave unset if the provider returns
+   * `expires_in`.
+   */
+  accessTokenExpiresIn?: number | undefined;
   /**
    * Custom function to exchange authorization code for tokens.
    * If provided, this function will be used instead of the default token exchange logic.

package/dist/plugins/last-login-method/client.mjs

@@ -1,9 +1,9 @@
+import { parseCookies } from "../../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 //#region src/plugins/last-login-method/client.ts
 function getCookieValue(name) {
 	if (typeof document === "undefined") return null;
-	const cookie = document.cookie.split("; ").find((row) => row.startsWith(`${name}=`));
-	return cookie ? cookie.split("=")[1] : null;
+	return parseCookies(document.cookie).get(name) ?? null;
 }
 /**
 * Client-side plugin to retrieve the last used login method

package/dist/plugins/magic-link/index.mjs

@@ -121,7 +121,6 @@ const magicLink = (options) => {
 				const storedToken = await storeToken(ctx, token);
 				const tokenValue = await ctx.context.internalAdapter.consumeVerificationValue(storedToken);
 				if (!tokenValue) redirectWithError("INVALID_TOKEN");
-				if (tokenValue.expiresAt < /* @__PURE__ */ new Date()) redirectWithError("EXPIRED_TOKEN");
 				const { email, name } = JSON.parse(tokenValue.value);
 				let isNewUser = false;
 				let user = await ctx.context.internalAdapter.findUserByEmail(email).then((res) => res?.user);

package/dist/plugins/mcp/index.mjs

@@ -372,10 +372,6 @@ const mcp = (options) => {
 					error_description: "invalid code",
 					error: "invalid_grant"
 				});
-				if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-					error_description: "code expired",
-					error: "invalid_grant"
-				});
 				if (!client_id) throw new APIError("UNAUTHORIZED", {
 					error_description: "client_id is required",
 					error: "invalid_client"

package/dist/plugins/multi-session/index.mjs

@@ -1,6 +1,6 @@
 import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
-import { SECURE_COOKIE_PREFIX, parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
-import { deleteSessionCookie, expireCookie, parseCookies, setSessionCookie } from "../../cookies/index.mjs";
+import { SECURE_COOKIE_PREFIX, parseCookies, parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { deleteSessionCookie, expireCookie, setSessionCookie } from "../../cookies/index.mjs";
 import { sessionMiddleware } from "../../api/routes/session.mjs";
 import { APIError } from "../../api/index.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";

package/dist/plugins/oauth-proxy/index.mjs

@@ -1,13 +1,15 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { getOrigin } from "../../utils/url.mjs";
 import { originCheck } from "../../api/middlewares/origin-check.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { redirectOnError } from "../../oauth2/errors.mjs";
 import { parseGenericState } from "../../state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { parseJSON } from "../../client/parser.mjs";
-import { checkSkipProxy, redirectOnError, resolveCurrentURL, stripTrailingSlash } from "./utils.mjs";
+import { checkSkipProxy, resolveCurrentURL, stripTrailingSlash } from "./utils.mjs";
 import { defu } from "defu";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import * as z from "zod";
@@ -90,18 +92,28 @@ const oAuthProxy = (opts) => {
 				throw redirectOnError(ctx, errorURL, "payload_expired");
 			}
 			try {
-				await parseGenericState(ctx, payload.state);
+				await parseGenericState(ctx, payload.state, { skipStateCookieCheck: true });
 			} catch (e) {
 				ctx.context.logger.warn("Failed to clean up OAuth state", e);
 			}
-			const result = await handleOAuthUserInfo(ctx, {
-				userInfo: payload.userInfo,
-				account: payload.account,
-				callbackURL: payload.callbackURL,
-				disableSignUp: payload.disableSignUp
-			});
-			if (result.error || !result.data) {
-				ctx.context.logger.error("Failed to create user or session", result.error);
+			let result;
+			try {
+				result = await handleOAuthUserInfo(ctx, {
+					userInfo: payload.userInfo,
+					account: payload.account,
+					callbackURL: payload.callbackURL,
+					disableSignUp: payload.disableSignUp
+				});
+			} catch (e) {
+				if (isAPIError(e) && e.body?.code) throw redirectOnError(ctx, errorURL, e.body.code, e.body.message);
+				throw e;
+			}
+			if (result.error) {
+				ctx.context.logger.error("OAuth proxy callback error", result.error);
+				throw redirectOnError(ctx, errorURL, result.error.split(" ").join("_"));
+			}
+			if (!result.data) {
+				ctx.context.logger.error("OAuth proxy callback missing session data");
 				throw redirectOnError(ctx, errorURL, "user_creation_failed");
 			}
 			await setSessionCookie(ctx, result.data);
@@ -141,6 +153,7 @@ const oAuthProxy = (opts) => {
 							data: state
 						}));
 					} catch {
+						ctx.context.logger.debug("OAuth proxy: could not decrypt state package, falling back to regular callback");
 						return;
 					}
 					if (!statePackage.isOAuthProxy || !statePackage.state || !statePackage.stateCookie) {
@@ -248,29 +261,29 @@ const oAuthProxy = (opts) => {
 					const oauthURL = new URL(providerURL);
 					const originalState = oauthURL.searchParams.get("state");
 					if (!originalState) return;
-					let stateCookieValue;
-					if (ctx.context.oauthConfig.storeStateStrategy === "cookie") {
-						const setCookieHeader = ctx.context.responseHeaders?.get("set-cookie");
-						if (setCookieHeader) {
-							const parsedCookies = parseSetCookieHeader(setCookieHeader);
-							const stateCookie = ctx.context.createAuthCookie("oauth_state");
-							stateCookieValue = parsedCookies.get(stateCookie.name)?.value;
-						}
-					} else {
-						const verification = await ctx.context.internalAdapter.findVerificationValue(originalState);
-						if (verification) stateCookieValue = await symmetricEncrypt({
-							key: getEncryptionKey(ctx),
-							data: verification.value
-						});
-					}
-					if (!stateCookieValue) {
-						ctx.context.logger.warn("No OAuth state cookie value found");
-						return;
-					}
 					try {
+						let plaintextState;
+						if (ctx.context.oauthConfig.storeStateStrategy === "cookie") {
+							const setCookieHeader = ctx.context.responseHeaders?.get("set-cookie");
+							if (setCookieHeader) {
+								const oauthStateCookie = ctx.context.createAuthCookie("oauth_state");
+								const encryptedCookieValue = parseSetCookieHeader(setCookieHeader).get(oauthStateCookie.name)?.value;
+								if (encryptedCookieValue) plaintextState = await symmetricDecrypt({
+									key: ctx.context.secretConfig,
+									data: encryptedCookieValue
+								});
+							}
+						} else plaintextState = (await ctx.context.internalAdapter.findVerificationValue(originalState))?.value;
+						if (!plaintextState) {
+							ctx.context.logger.warn("No OAuth state found for proxy");
+							return;
+						}
 						const statePackage = {
 							state: originalState,
-							stateCookie: stateCookieValue,
+							stateCookie: await symmetricEncrypt({
+								key: getEncryptionKey(ctx),
+								data: plaintextState
+							}),
 							isOAuthProxy: true
 						};
 						const encryptedPackage = await symmetricEncrypt({
@@ -283,7 +296,7 @@ const oAuthProxy = (opts) => {
 							url: oauthURL.toString()
 						};
 					} catch (e) {
-						ctx.context.logger.error("Failed to encrypt OAuth proxy state package:", e);
+						ctx.context.logger.error("Failed to prepare OAuth proxy state:", e);
 					}
 				})
 			}, {

package/dist/plugins/oauth-proxy/utils.mjs

@@ -1,4 +1,4 @@
-import { getOrigin } from "../../utils/url.mjs";
+import { getOrigin, trimTrailingSlashes } from "../../utils/url.mjs";
 import { env } from "@better-auth/core/env";
 //#region src/plugins/oauth-proxy/utils.ts
 /**
@@ -6,7 +6,7 @@ import { env } from "@better-auth/core/env";
 */
 function stripTrailingSlash(url) {
 	if (!url) return "";
-	return url.replace(/\/+$/, "");
+	return trimTrailingSlashes(url);
 }
 /**
 * Get base URL from vendor-specific environment variables
@@ -37,12 +37,5 @@ function checkSkipProxy(ctx, opts) {
 	if (!currentURL) return false;
 	return getOrigin(productionURL) === getOrigin(currentURL);
 }
-/**
-* Redirect to error URL with error code
-*/
-function redirectOnError(ctx, errorURL, error) {
-	const sep = errorURL.includes("?") ? "&" : "?";
-	throw ctx.redirect(`${errorURL}${sep}error=${error}`);
-}
 //#endregion
-export { checkSkipProxy, redirectOnError, resolveCurrentURL, stripTrailingSlash };
+export { checkSkipProxy, resolveCurrentURL, stripTrailingSlash };

package/dist/plugins/oidc-provider/index.mjs

@@ -499,10 +499,6 @@ const oidcProvider = (options) => {
 					error_description: "invalid code",
 					error: "invalid_grant"
 				});
-				if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-					error_description: "code expired",
-					error: "invalid_grant"
-				});
 				if (!client_id) throw new APIError("UNAUTHORIZED", {
 					error_description: "client_id is required",
 					error: "invalid_client"

package/dist/plugins/open-api/generator.mjs

@@ -1,6 +1,7 @@
 import { db_exports } from "../../db/index.mjs";
 import { getEndpoints } from "../../api/index.mjs";
 import * as z from "zod";
+import { toPascalCase } from "@better-auth/core/utils/string";
 //#region src/plugins/open-api/generator.ts
 const allowedType = new Set([
 	"string",
@@ -156,7 +157,7 @@ function getResponse(responses) {
 			} } },
 			description: "Internal Server Error. This is a problem with the server that you cannot fix."
 		},
-		...responses
+		...responses ? structuredClone(responses) : {}
 	};
 }
 function toOpenApiPath(path) {
@@ -196,6 +197,16 @@ async function generator(ctx, options) {
 		return acc;
 	}, {}) } };
 	const paths = {};
+	const seenOperationIds = /* @__PURE__ */ new Set();
+	const uniqueOperationId = (operationId, method) => {
+		if (!operationId) return void 0;
+		const base = seenOperationIds.has(operationId) ? `${operationId}${toPascalCase(method)}` : operationId;
+		let result = base;
+		let n = 2;
+		while (seenOperationIds.has(result)) result = `${base}${n++}`;
+		seenOperationIds.add(result);
+		return result;
+	};
 	Object.entries(baseEndpoints.api).forEach(([_, value]) => {
 		if (!value.path || ctx.options.disabledPaths?.includes(value.path)) return;
 		const options = value.options;
@@ -207,7 +218,7 @@ async function generator(ctx, options) {
 			[method.toLowerCase()]: {
 				tags: ["Default", ...options.metadata?.openapi?.tags || []],
 				description: options.metadata?.openapi?.description,
-				operationId: options.metadata?.openapi?.operationId,
+				operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
 				security: [{ bearerAuth: [] }],
 				parameters: getParameters(options),
 				responses: getResponse(options.metadata?.openapi?.responses)
@@ -220,7 +231,7 @@ async function generator(ctx, options) {
 				[method.toLowerCase()]: {
 					tags: ["Default", ...options.metadata?.openapi?.tags || []],
 					description: options.metadata?.openapi?.description,
-					operationId: options.metadata?.openapi?.operationId,
+					operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
 					security: [{ bearerAuth: [] }],
 					parameters: getParameters(options),
 					...body ? { requestBody: body } : { requestBody: { content: { "application/json": { schema: {
@@ -253,7 +264,7 @@ async function generator(ctx, options) {
 				[method.toLowerCase()]: {
 					tags: options.metadata?.openapi?.tags || [plugin.id.charAt(0).toUpperCase() + plugin.id.slice(1)],
 					description: options.metadata?.openapi?.description,
-					operationId: options.metadata?.openapi?.operationId,
+					operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
 					security: [{ bearerAuth: [] }],
 					parameters: getParameters(options),
 					responses: getResponse(options.metadata?.openapi?.responses)
@@ -264,7 +275,7 @@ async function generator(ctx, options) {
 				[method.toLowerCase()]: {
 					tags: options.metadata?.openapi?.tags || [plugin.id.charAt(0).toUpperCase() + plugin.id.slice(1)],
 					description: options.metadata?.openapi?.description,
-					operationId: options.metadata?.openapi?.operationId,
+					operationId: uniqueOperationId(options.metadata?.openapi?.operationId, method),
 					security: [{ bearerAuth: [] }],
 					parameters: getParameters(options),
 					requestBody: getRequestBody(options),