better-auth 1.6.11 → 1.6.13

package/dist/api/index.d.mts

@@ -228,7 +228,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         allowedMediaTypes: string[];
         scope: "server";
       };
-    }, void>;
+    }, never>;
     readonly getSession: better_call0.StrictEndpoint<"/get-session", {
       method: ("GET" | "POST")[];
       operationId: string;
@@ -327,6 +327,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -493,6 +494,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -724,6 +726,7 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -1928,29 +1931,6 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -2000,6 +1980,8 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;
@@ -2216,7 +2198,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         allowedMediaTypes: string[];
         scope: "server";
       };
-    }, void>;
+    }, never>;
     readonly getSession: better_call0.StrictEndpoint<"/get-session", {
       method: ("GET" | "POST")[];
       operationId: string;
@@ -2315,6 +2297,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
         callbackURL: zod.ZodOptional<zod.ZodString>;
         rememberMe: zod.ZodOptional<zod.ZodBoolean>;
       }, zod_v4_core0.$strip>, zod.ZodRecord<zod.ZodString, zod.ZodAny>>;
+      cloneRequest: true;
       metadata: {
         allowedMediaTypes: string[];
         $Infer: {
@@ -2481,6 +2464,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
       method: "POST";
       operationId: string;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodString;
         password: zod.ZodString;
@@ -2712,6 +2696,7 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
     readonly sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
       method: "POST";
       operationId: string;
+      cloneRequest: true;
       body: zod.ZodObject<{
         email: zod.ZodEmail;
         callbackURL: zod.ZodOptional<zod.ZodString>;
@@ -3916,29 +3901,6 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -3988,6 +3950,8 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;

package/dist/api/routes/account.d.mts

@@ -328,29 +328,6 @@ declare const refreshToken: better_call0.StrictEndpoint<"/refresh-token", {
 }>;
 declare const accountInfo: better_call0.StrictEndpoint<"/account-info", {
   method: "GET";
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-    session: {
-      session: Record<string, any> & {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        userId: string;
-        expiresAt: Date;
-        token: string;
-        ipAddress?: string | null | undefined;
-        userAgent?: string | null | undefined;
-      };
-      user: Record<string, any> & {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-      };
-    };
-  }>)[];
   metadata: {
     openapi: {
       description: string;
@@ -400,6 +377,8 @@ declare const accountInfo: better_call0.StrictEndpoint<"/account-info", {
   };
   query: z.ZodOptional<z.ZodObject<{
     accountId: z.ZodOptional<z.ZodString>;
+    providerId: z.ZodOptional<z.ZodString>;
+    userId: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
 }, {
   user: _better_auth_core_oauth20.OAuth2UserInfo;

package/dist/api/routes/account.mjs

@@ -2,8 +2,9 @@ import { parseAccountOutput } from "../../db/schema.mjs";
 import { getAccountCookie, setAccountCookie } from "../../cookies/session-store.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
-import { generateState } from "../../oauth2/state.mjs";
 import { decryptOAuthToken, setTokenUtil } from "../../oauth2/utils.mjs";
+import { applyUpdateUserInfoOnLink } from "../../oauth2/link-account.mjs";
+import { generateState } from "../../oauth2/state.mjs";
 import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";
@@ -166,14 +167,7 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 				code: "LINKING_FAILED"
 			});
 		}
-		if (c.context.options.account?.accountLinking?.updateUserInfoOnLink === true) try {
-			await c.context.internalAdapter.updateUser(session.user.id, {
-				name: linkingUserInfo.user?.name,
-				image: linkingUserInfo.user?.image
-			});
-		} catch (e) {
-			console.warn("Could not update user - " + e.toString());
-		}
+		await applyUpdateUserInfoOnLink(c, session.user.id, linkingUserInfo.user);
 		return c.json({
 			url: "",
 			status: true,
@@ -222,50 +216,44 @@ const unlinkAccount = createAuthEndpoint("/unlink-account", {
 	await ctx.context.internalAdapter.deleteAccount(accountExist.id);
 	return ctx.json({ status: true });
 });
-const getAccessToken = createAuthEndpoint("/get-access-token", {
-	method: "POST",
-	body: z.object({
-		providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
-		accountId: z.string().meta({ description: "The account ID associated with the refresh token" }).optional(),
-		userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
-	}),
-	metadata: { openapi: {
-		description: "Get a valid access token, doing a refresh if needed",
-		responses: {
-			200: {
-				description: "A Valid access token",
-				content: { "application/json": { schema: {
-					type: "object",
-					properties: {
-						tokenType: { type: "string" },
-						idToken: { type: "string" },
-						accessToken: { type: "string" },
-						accessTokenExpiresAt: {
-							type: "string",
-							format: "date-time"
-						}
-					}
-				} } }
-			},
-			400: { description: "Invalid refresh token or provider configuration" }
-		}
-	} }
-}, async (ctx) => {
-	const { providerId, accountId, userId } = ctx.body || {};
-	const req = ctx.request;
+/**
+* Resolves the user id an account-token operation should act on.
+*
+* A caller reaching the server over HTTP (a request or session headers are
+* present) must have a valid session, and that session's user always wins.
+* A trusted server-side `auth.api` caller with no session may instead name a
+* `userId` directly. Throws `UNAUTHORIZED` when an HTTP caller is
+* unauthenticated, and `USER_ID_OR_SESSION_REQUIRED` when neither a session
+* nor a `userId` is available.
+*/
+async function resolveUserId(ctx, userId) {
 	const session = await getSessionFromCtx(ctx);
-	if (req && !session) throw ctx.error("UNAUTHORIZED");
+	if (!session && (ctx.request || ctx.headers)) throw ctx.error("UNAUTHORIZED");
 	const resolvedUserId = session?.user?.id || userId;
-	if (!resolvedUserId) throw ctx.error("UNAUTHORIZED");
+	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
+		message: "Either userId or session is required",
+		code: "USER_ID_OR_SESSION_REQUIRED"
+	});
+	return resolvedUserId;
+}
+/**
+* Fetches a currently-valid access token for a user's provider account,
+* refreshing and persisting it when it is within five seconds of expiry.
+* Shared by the `/get-access-token` endpoint and `/account-info` so both
+* resolve and refresh tokens through one path.
+*/
+async function getValidAccessToken(ctx, { resolvedUserId, providerId, accountId, account: resolvedAccount }) {
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: `Provider ${providerId} is not supported.`,
 		code: "PROVIDER_NOT_SUPPORTED"
 	});
-	const accountData = await getAccountCookie(ctx);
-	let account = void 0;
-	if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
-	else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
+	let account = resolvedAccount;
+	if (!account) {
+		const accountData = await getAccountCookie(ctx);
+		if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
+		else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
+	}
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	try {
 		let newTokens = null;
@@ -297,19 +285,55 @@ const getAccessToken = createAuthEndpoint("/get-access-token", {
 				return account.accessTokenExpiresAt;
 			}
 		})();
-		const tokens = {
+		return {
 			accessToken: newTokens?.accessToken ?? await decryptOAuthToken(account.accessToken ?? "", ctx.context),
 			accessTokenExpiresAt,
 			scopes: account.scope?.split(",") ?? [],
 			idToken: newTokens?.idToken ?? account.idToken ?? void 0
 		};
-		return ctx.json(tokens);
 	} catch (_error) {
 		throw APIError.from("BAD_REQUEST", {
 			message: "Failed to get a valid access token",
 			code: "FAILED_TO_GET_ACCESS_TOKEN"
 		});
 	}
+}
+const getAccessToken = createAuthEndpoint("/get-access-token", {
+	method: "POST",
+	body: z.object({
+		providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
+		accountId: z.string().meta({ description: "The account ID associated with the refresh token" }).optional(),
+		userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
+	}),
+	metadata: { openapi: {
+		description: "Get a valid access token, doing a refresh if needed",
+		responses: {
+			200: {
+				description: "A Valid access token",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						tokenType: { type: "string" },
+						idToken: { type: "string" },
+						accessToken: { type: "string" },
+						accessTokenExpiresAt: {
+							type: "string",
+							format: "date-time"
+						}
+					}
+				} } }
+			},
+			400: { description: "Invalid refresh token or provider configuration" }
+		}
+	} }
+}, async (ctx) => {
+	const { providerId, accountId, userId } = ctx.body || {};
+	const tokens = await getValidAccessToken(ctx, {
+		resolvedUserId: await resolveUserId(ctx, userId),
+		providerId,
+		accountId
+	});
+	return ctx.json(tokens);
 });
 const refreshToken = createAuthEndpoint("/refresh-token", {
 	method: "POST",
@@ -346,14 +370,7 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	} }
 }, async (ctx) => {
 	const { providerId, accountId, userId } = ctx.body;
-	const req = ctx.request;
-	const session = await getSessionFromCtx(ctx);
-	if (req && !session) throw ctx.error("UNAUTHORIZED");
-	const resolvedUserId = session?.user?.id || userId;
-	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
-		message: `Either userId or session is required`,
-		code: "USER_ID_OR_SESSION_REQUIRED"
-	});
+	const resolvedUserId = await resolveUserId(ctx, userId);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: `Provider ${providerId} is not supported.`,
@@ -418,10 +435,13 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 		});
 	}
 });
-const accountInfoQuerySchema = z.optional(z.object({ accountId: z.string().meta({ description: "The provider given account id for which to get the account info" }).optional() }));
+const accountInfoQuerySchema = z.optional(z.object({
+	accountId: z.string().meta({ description: "The provider given account id for which to get the account info" }).optional(),
+	providerId: z.string().meta({ description: "The provider ID to disambiguate provider-issued account IDs" }).optional(),
+	userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
+}));
 const accountInfo = createAuthEndpoint("/account-info", {
 	method: "GET",
-	use: [sessionMiddleware],
 	metadata: { openapi: {
 		description: "Get the account info provided by the provider",
 		responses: { "200": {
@@ -453,7 +473,8 @@ const accountInfo = createAuthEndpoint("/account-info", {
 	} },
 	query: accountInfoQuerySchema
 }, async (ctx) => {
-	const providedAccountId = ctx.query?.accountId;
+	const { accountId: providedAccountId, providerId: providedProviderId, userId } = ctx.query || {};
+	const resolvedUserId = await resolveUserId(ctx, userId);
 	let account = void 0;
 	if (!providedAccountId) {
 		if (ctx.context.options.account?.storeAccountCookie) {
@@ -461,24 +482,24 @@ const accountInfo = createAuthEndpoint("/account-info", {
 			if (accountData) account = accountData;
 		}
 	} else {
-		const accountData = await ctx.context.internalAdapter.findAccount(providedAccountId);
-		if (accountData) account = accountData;
+		const matchingAccounts = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).filter((acc) => acc.accountId === providedAccountId && (!providedProviderId || acc.providerId === providedProviderId));
+		if (matchingAccounts.length > 1) throw APIError.from("BAD_REQUEST", {
+			message: "Multiple accounts share this account ID. Pass a providerId to disambiguate.",
+			code: "AMBIGUOUS_ACCOUNT"
+		});
+		account = matchingAccounts[0];
 	}
-	if (!account || account.userId !== ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
+	if (!account || account.userId !== resolvedUserId) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: account.providerId });
-	if (!provider) throw APIError.from("INTERNAL_SERVER_ERROR", {
-		message: `Provider account provider is ${account.providerId} but it is not configured`,
+	if (!provider) throw APIError.from("BAD_REQUEST", {
+		message: "Account is not associated with a configured social provider.",
 		code: "PROVIDER_NOT_CONFIGURED"
 	});
-	const tokens = await getAccessToken({
-		...ctx,
-		method: "POST",
-		body: {
-			accountId: account.accountId,
-			providerId: account.providerId
-		},
-		returnHeaders: false,
-		returnStatus: false
+	const tokens = await getValidAccessToken(ctx, {
+		resolvedUserId,
+		providerId: account.providerId,
+		accountId: account.accountId,
+		account
 	});
 	if (!tokens.accessToken) throw APIError.from("BAD_REQUEST", {
 		message: "Access token not found",

package/dist/api/routes/callback.d.mts

@@ -25,6 +25,6 @@ declare const callbackOAuth: better_call0.StrictEndpoint<"/callback/:id", {
     allowedMediaTypes: string[];
     scope: "server";
   };
-}, void>;
+}, never>;
 //#endregion
 export { callbackOAuth };

package/dist/api/routes/callback.mjs

@@ -1,9 +1,10 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
-import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
-import { parseState } from "../../oauth2/state.mjs";
+import { missingEmailLogMessage, redirectOnError } from "../../oauth2/errors.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
-import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { parseState } from "../../oauth2/state.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 import { createAuthEndpoint } from "@better-auth/core/api";
@@ -47,31 +48,20 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		else throw new Error("Unsupported method");
 	} catch (e) {
 		c.context.logger.error("INVALID_CALLBACK_REQUEST", e);
-		throw c.redirect(`${defaultErrorURL}?error=invalid_callback_request`);
-	}
-	const { code, error, state, error_description, device_id, user: userData } = queryOrBody;
-	if (!state) {
-		c.context.logger.error("State not found", error);
-		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}state=state_not_found`;
-		throw c.redirect(url);
+		redirectOnError(c, defaultErrorURL, "invalid_callback_request");
 	}
+	const { code, error, error_description, device_id, user: userData } = queryOrBody;
 	const { codeVerifier, callbackURL, link, errorURL, newUserURL, requestSignUp } = await parseState(c);
-	function redirectOnError(error, description) {
-		const baseURL = errorURL ?? defaultErrorURL;
-		const params = new URLSearchParams({ error });
-		if (description) params.set("error_description", description);
-		const url = `${baseURL}${baseURL.includes("?") ? "&" : "?"}${params.toString()}`;
-		throw c.redirect(url);
-	}
-	if (error) redirectOnError(error, error_description);
+	const resolvedErrorURL = errorURL ?? defaultErrorURL;
+	if (error) redirectOnError(c, resolvedErrorURL, error, error_description);
 	if (!code) {
 		c.context.logger.error("Code not found");
-		throw redirectOnError("no_code");
+		redirectOnError(c, resolvedErrorURL, "no_code");
 	}
 	const provider = await getAwaitableValue(c.context.socialProviders, { value: c.params.id });
 	if (!provider) {
 		c.context.logger.error("Oauth provider with id", c.params.id, "not found");
-		throw redirectOnError("oauth_provider_not_found");
+		redirectOnError(c, resolvedErrorURL, "oauth_provider_not_found");
 	}
 	let tokens;
 	try {
@@ -83,9 +73,9 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		});
 	} catch (e) {
 		c.context.logger.error("", e);
-		throw redirectOnError("invalid_code");
+		redirectOnError(c, resolvedErrorURL, "invalid_code");
 	}
-	if (!tokens) throw redirectOnError("invalid_code");
+	if (!tokens) redirectOnError(c, resolvedErrorURL, "invalid_code");
 	const parsedUserData = userData ? safeJSONParse(userData) : null;
 	const userInfo = await provider.getUserInfo({
 		...tokens,
@@ -93,22 +83,22 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}).then((res) => res?.user);
 	if (!userInfo || userInfo.id === void 0 || userInfo.id === null) {
 		c.context.logger.error("Unable to get user info");
-		return redirectOnError("unable_to_get_user_info");
+		redirectOnError(c, resolvedErrorURL, "unable_to_get_user_info");
 	}
 	const providerAccountId = String(userInfo.id);
 	if (!callbackURL) {
 		c.context.logger.error("No callback URL found");
-		throw redirectOnError("no_callback_url");
+		redirectOnError(c, resolvedErrorURL, "no_callback_url");
 	}
 	if (link) {
 		if (!c.context.trustedProviders.includes(provider.id) && !userInfo.emailVerified || c.context.options.account?.accountLinking?.enabled === false) {
 			c.context.logger.error("Unable to link account - untrusted provider");
-			return redirectOnError("unable_to_link_account");
+			redirectOnError(c, resolvedErrorURL, "unable_to_link_account");
 		}
-		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) return redirectOnError("email_doesn't_match");
+		if (userInfo.email?.toLowerCase() !== link.email.toLowerCase() && c.context.options.account?.accountLinking?.allowDifferentEmails !== true) redirectOnError(c, resolvedErrorURL, "email_doesn't_match");
 		const existingAccount = await c.context.internalAdapter.findAccountByProviderId(providerAccountId, provider.id);
 		if (existingAccount) {
-			if (existingAccount.userId.toString() !== link.userId.toString()) return redirectOnError("account_already_linked_to_different_user");
+			if (existingAccount.userId.toString() !== link.userId.toString()) redirectOnError(c, resolvedErrorURL, "account_already_linked_to_different_user");
 			const updateData = Object.fromEntries(Object.entries({
 				accessToken: await setTokenUtil(tokens.accessToken, c.context),
 				refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
@@ -126,7 +116,8 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			accessToken: await setTokenUtil(tokens.accessToken, c.context),
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
 			scope: tokens.scopes?.join(",")
-		})) return redirectOnError("unable_to_link_account");
+		})) redirectOnError(c, resolvedErrorURL, "unable_to_link_account");
+		await applyUpdateUserInfoOnLink(c, link.userId, userInfo);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -137,7 +128,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	}
 	if (!userInfo.email) {
 		c.context.logger.error(missingEmailLogMessage(provider.id));
-		return redirectOnError("email_not_found");
+		redirectOnError(c, resolvedErrorURL, "email_not_found");
 	}
 	const accountData = {
 		providerId: provider.id,
@@ -145,21 +136,27 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		...tokens,
 		scope: tokens.scopes?.join(",")
 	};
-	const result = await handleOAuthUserInfo(c, {
-		userInfo: {
-			...userInfo,
-			id: providerAccountId,
-			email: userInfo.email,
-			name: userInfo.name || ""
-		},
-		account: accountData,
-		callbackURL,
-		disableSignUp: provider.disableImplicitSignUp && !requestSignUp || provider.options?.disableSignUp,
-		overrideUserInfo: provider.options?.overrideUserInfoOnSignIn
-	});
+	let result;
+	try {
+		result = await handleOAuthUserInfo(c, {
+			userInfo: {
+				...userInfo,
+				id: providerAccountId,
+				email: userInfo.email,
+				name: userInfo.name || ""
+			},
+			account: accountData,
+			callbackURL,
+			disableSignUp: provider.disableImplicitSignUp && !requestSignUp || provider.options?.disableSignUp,
+			overrideUserInfo: provider.options?.overrideUserInfoOnSignIn
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) redirectOnError(c, resolvedErrorURL, e.body.code, e.body.message);
+		throw e;
+	}
 	if (result.error) {
 		c.context.logger.error(result.error.split(" ").join("_"));
-		return redirectOnError(result.error.split(" ").join("_"));
+		redirectOnError(c, resolvedErrorURL, result.error.split(" ").join("_"));
 	}
 	const { session, user } = result.data;
 	await setSessionCookie(c, {

package/dist/api/routes/email-verification.d.mts

@@ -27,6 +27,7 @@ declare function sendVerificationEmailFn(ctx: GenericEndpointContext, user: User
 declare const sendVerificationEmail: better_call0.StrictEndpoint<"/send-verification-email", {
   method: "POST";
   operationId: string;
+  cloneRequest: true;
   body: z.ZodObject<{
     email: z.ZodEmail;
     callbackURL: z.ZodOptional<z.ZodString>;

package/dist/api/routes/email-verification.mjs

@@ -31,11 +31,12 @@ async function sendVerificationEmailFn(ctx, user) {
 		user,
 		url,
 		token
-	}, ctx.request));
+	}, ctx.request?.clone()));
 }
 const sendVerificationEmail = createAuthEndpoint("/send-verification-email", {
 	method: "POST",
 	operationId: "sendVerificationEmail",
+	cloneRequest: true,
 	body: z.object({
 		email: z.email().meta({ description: "The email to send the verification email to" }),
 		callbackURL: z.string().meta({ description: "The URL to use for email verification callback" }).optional()
@@ -185,7 +186,7 @@ const verifyEmail = createAuthEndpoint("/verify-email", {
 					},
 					url,
 					token: newToken
-				}, ctx.request));
+				}, ctx.request?.clone()));
 				if (ctx.query.callbackURL) throw ctx.redirect(ctx.query.callbackURL);
 				return ctx.json({ status: true });
 			}
@@ -238,7 +239,7 @@ const verifyEmail = createAuthEndpoint("/verify-email", {
 					user: updatedUser,
 					url: `${ctx.context.baseURL}/verify-email?token=${newToken}&callbackURL=${updateCallbackURL}`,
 					token: newToken
-				}, ctx.request));
+				}, ctx.request?.clone()));
 				await setSessionCookie(ctx, {
 					session: activeSession.session,
 					user: {

package/dist/api/routes/password.mjs

@@ -161,7 +161,7 @@ const resetPassword = createAuthEndpoint("/reset-password", {
 		const user = await ctx.context.internalAdapter.findUserById(userId);
 		if (user) await ctx.context.options.emailAndPassword.onPasswordReset({ user }, ctx.request);
 	}
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(userId);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(userId);
 	return ctx.json({ status: true });
 });
 const verifyPassword = createAuthEndpoint("/verify-password", {