better-auth 1.6.11 → 1.6.13

package/dist/api/routes/session.mjs

@@ -129,12 +129,8 @@ const getSession = () => createAuthEndpoint("/get-session", {
 					const updateAge = cookieRefreshCache.updateAge * 1e3;
 					const shouldSkipSessionRefresh = await getShouldSkipSessionRefresh();
 					if (timeUntilExpiry < updateAge && !shouldSkipSessionRefresh) {
-						const newExpiresAt = getDate(ctx.context.options.session?.cookieCache?.maxAge || 300, "sec");
 						const refreshedSession = {
-							session: {
-								...session.session,
-								expiresAt: newExpiresAt
-							},
+							session: { ...session.session },
 							user: session.user,
 							updatedAt: Date.now()
 						};
@@ -276,17 +272,26 @@ const getSessionFromCtx = async (ctx, config) => {
 		method: "GET",
 		asResponse: false,
 		headers: ctx.headers,
-		returnHeaders: false,
+		returnHeaders: true,
 		returnStatus: false,
 		query: {
 			...config,
 			...ctx.query
 		}
-	}).catch((e) => {
+	}).catch(() => {
 		return null;
 	});
-	ctx.context.session = session;
-	return session;
+	if (!session) {
+		ctx.context.session = null;
+		return null;
+	}
+	if (session.headers) session.headers.forEach((value, key) => {
+		if (!ctx.context.responseHeaders) ctx.context.responseHeaders = new Headers({ [key]: value });
+		else if (key.toLowerCase() === "set-cookie") ctx.context.responseHeaders.append(key, value);
+		else ctx.context.responseHeaders.set(key, value);
+	});
+	ctx.context.session = session.response;
+	return session.response;
 };
 /**
 * The middleware forces the endpoint to require a valid session.
@@ -440,7 +445,7 @@ const revokeSessions = createAuthEndpoint("/revoke-sessions", {
 	} }
 }, async (ctx) => {
 	try {
-		await ctx.context.internalAdapter.deleteSessions(ctx.context.session.user.id);
+		await ctx.context.internalAdapter.deleteUserSessions(ctx.context.session.user.id);
 	} catch (error) {
 		ctx.context.logger.error(error && typeof error === "object" && "name" in error ? error.name : "", error);
 		throw APIError.from("INTERNAL_SERVER_ERROR", {

package/dist/api/routes/sign-in.d.mts

@@ -114,6 +114,7 @@ declare const signInEmail: <O extends BetterAuthOptions>() => better_call0.Stric
   method: "POST";
   operationId: string;
   use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<void>)[];
+  cloneRequest: true;
   body: z.ZodObject<{
     email: z.ZodString;
     password: z.ZodString;

package/dist/api/routes/sign-in.mjs

@@ -3,8 +3,8 @@ import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
-import { generateState } from "../../oauth2/state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { generateState } from "../../oauth2/state.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";
@@ -144,6 +144,7 @@ const signInEmail = () => createAuthEndpoint("/sign-in/email", {
 	method: "POST",
 	operationId: "signInEmail",
 	use: [formCsrfMiddleware],
+	cloneRequest: true,
 	body: z.object({
 		email: z.string().meta({ description: "Email of the user" }),
 		password: z.string().meta({ description: "Password of the user" }),
@@ -236,7 +237,7 @@ const signInEmail = () => createAuthEndpoint("/sign-in/email", {
 				user: user.user,
 				url,
 				token
-			}, ctx.request));
+			}, ctx.request?.clone()));
 		}
 		throw APIError.from("FORBIDDEN", BASE_ERROR_CODES.EMAIL_NOT_VERIFIED);
 	}

package/dist/api/routes/sign-up.d.mts

@@ -16,6 +16,7 @@ declare const signUpEmail: <O extends BetterAuthOptions>() => better_call0.Stric
     callbackURL: z.ZodOptional<z.ZodString>;
     rememberMe: z.ZodOptional<z.ZodBoolean>;
   }, z.core.$strip>, z.ZodRecord<z.ZodString, z.ZodAny>>;
+  cloneRequest: true;
   metadata: {
     allowedMediaTypes: string[];
     $Infer: {

package/dist/api/routes/sign-up.mjs

@@ -1,6 +1,6 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
 import { formCsrfMiddleware } from "../middlewares/origin-check.mjs";
-import { parseUserInput, parseUserOutput } from "../../db/schema.mjs";
+import { buildSyntheticUserOutput, parseUserInput, parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
 import { runWithTransaction } from "@better-auth/core/context";
@@ -23,6 +23,7 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 	operationId: "signUpWithEmailAndPassword",
 	use: [formCsrfMiddleware],
 	body: signUpEmailBodySchema,
+	cloneRequest: true,
 	metadata: {
 		allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 		$Infer: {
@@ -170,14 +171,14 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 				* between existing and non-existing emails.
 				*/
 				await ctx.context.password.hash(password);
-				if (ctx.context.options.emailAndPassword?.onExistingUserSignUp) await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailAndPassword.onExistingUserSignUp({ user: dbUser.user }, ctx.request));
+				if (ctx.context.options.emailAndPassword?.onExistingUserSignUp) await ctx.context.runInBackgroundOrAwait(ctx.context.options.emailAndPassword.onExistingUserSignUp({ user: dbUser.user }, ctx.request?.clone()));
 				const now = /* @__PURE__ */ new Date();
 				const generatedId = ctx.context.generateId({ model: "user" }) || generateId();
 				const coreFields = {
 					name,
 					email: normalizedEmail,
 					emailVerified: false,
-					image: image || null,
+					image: image ?? null,
 					createdAt: now,
 					updatedAt: now
 				};
@@ -187,16 +188,17 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 					const additionalFieldKeys = Object.keys(ctx.context.options.user?.additionalFields ?? {});
 					const additionalFields = {};
 					for (const key of additionalFieldKeys) if (key in additionalUserFields) additionalFields[key] = additionalUserFields[key];
-					syntheticUser = customSyntheticUser({
+					const customResult = customSyntheticUser({
 						coreFields,
 						additionalFields,
 						id: generatedId
 					});
-				} else syntheticUser = {
+					syntheticUser = buildSyntheticUserOutput(ctx.context.options, customResult);
+				} else syntheticUser = buildSyntheticUserOutput(ctx.context.options, {
 					...coreFields,
 					...additionalUserFields,
 					id: generatedId
-				};
+				});
 				return ctx.json({
 					token: null,
 					user: parseUserOutput(ctx.context.options, syntheticUser)
@@ -244,7 +246,7 @@ const signUpEmail = () => createAuthEndpoint("/sign-up/email", {
 				user: createdUser,
 				url,
 				token
-			}, ctx.request));
+			}, ctx.request?.clone()));
 		}
 		if (shouldSkipAutoSignIn) return ctx.json({
 			token: null,

package/dist/api/routes/update-user.mjs

@@ -168,7 +168,7 @@ const changePassword = createAuthEndpoint("/change-password", {
 	await ctx.context.internalAdapter.updateAccount(account.id, { password: passwordHash });
 	let token = null;
 	if (revokeOtherSessions) {
-		await ctx.context.internalAdapter.deleteSessions(session.user.id);
+		await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 		const newSession = await ctx.context.internalAdapter.createSession(session.user.id);
 		if (!newSession) throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_GET_SESSION);
 		await setSessionCookie(ctx, {
@@ -309,7 +309,7 @@ const deleteUser = createAuthEndpoint("/delete-user", {
 	const beforeDelete = ctx.context.options.user.deleteUser?.beforeDelete;
 	if (beforeDelete) await beforeDelete(session.user, ctx.request);
 	await ctx.context.internalAdapter.deleteUser(session.user.id);
-	await ctx.context.internalAdapter.deleteSessions(session.user.id);
+	await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 	deleteSessionCookie(ctx);
 	const afterDelete = ctx.context.options.user.deleteUser?.afterDelete;
 	if (afterDelete) await afterDelete(session.user, ctx.request);
@@ -362,7 +362,7 @@ const deleteUserCallback = createAuthEndpoint("/delete-user/callback", {
 	const beforeDelete = ctx.context.options.user.deleteUser?.beforeDelete;
 	if (beforeDelete) await beforeDelete(session.user, ctx.request);
 	await ctx.context.internalAdapter.deleteUser(session.user.id);
-	await ctx.context.internalAdapter.deleteSessions(session.user.id);
+	await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 	await ctx.context.internalAdapter.deleteAccounts(session.user.id);
 	await ctx.context.internalAdapter.deleteVerificationByIdentifier(`delete-account-${ctx.query.token}`);
 	deleteSessionCookie(ctx);
@@ -424,8 +424,8 @@ const changeEmail = createAuthEndpoint("/change-email", {
 	* email would later throw 400, leaking email existence.
 	*/
 	const canUpdateWithoutVerification = ctx.context.session.user.emailVerified !== true && ctx.context.options.user.changeEmail.updateEmailWithoutVerification;
-	const canSendConfirmation = ctx.context.session.user.emailVerified && ctx.context.options.user.changeEmail.sendChangeEmailConfirmation;
 	const canSendVerification = ctx.context.options.emailVerification?.sendVerificationEmail;
+	const canSendConfirmation = canSendVerification && ctx.context.session.user.emailVerified && ctx.context.options.user.changeEmail.sendChangeEmailConfirmation;
 	if (!canUpdateWithoutVerification && !canSendConfirmation && !canSendVerification) {
 		ctx.context.logger.error("Verification email isn't enabled.");
 		throw APIError.fromStatus("BAD_REQUEST", { message: "Verification email isn't enabled" });
@@ -449,7 +449,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 		});
 		if (canSendVerification) {
 			const token = await createEmailVerificationToken(ctx.context.secret, newEmail, void 0, ctx.context.options.emailVerification?.expiresIn);
-			const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+			const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 			await ctx.context.runInBackgroundOrAwait(canSendVerification({
 				user: {
 					...ctx.context.session.user,
@@ -466,7 +466,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 	*/
 	if (canSendConfirmation) {
 		const token = await createEmailVerificationToken(ctx.context.secret, ctx.context.session.user.email, newEmail, ctx.context.options.emailVerification?.expiresIn, { requestType: "change-email-confirmation" });
-		const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+		const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 		await ctx.context.runInBackgroundOrAwait(canSendConfirmation({
 			user: ctx.context.session.user,
 			newEmail,
@@ -480,7 +480,7 @@ const changeEmail = createAuthEndpoint("/change-email", {
 		throw APIError.fromStatus("BAD_REQUEST", { message: "Verification email isn't enabled" });
 	}
 	const token = await createEmailVerificationToken(ctx.context.secret, ctx.context.session.user.email, newEmail, ctx.context.options.emailVerification?.expiresIn, { requestType: "change-email-verification" });
-	const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${ctx.body.callbackURL || "/"}`;
+	const url = `${ctx.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(ctx.body.callbackURL || "/")}`;
 	await ctx.context.runInBackgroundOrAwait(canSendVerification({
 		user: {
 			...ctx.context.session.user,

package/dist/client/fetch-plugins.mjs

@@ -1,9 +1,10 @@
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 //#region src/client/fetch-plugins.ts
 const redirectPlugin = {
 	id: "redirect",
 	name: "Redirect",
 	hooks: { onSuccess(context) {
-		if (context.data?.url && context.data?.redirect) {
+		if (context.data?.url && context.data?.redirect && isSafeUrlScheme(context.data.url)) {
 			if (typeof window !== "undefined" && window.location) {
 				if (window.location) try {
 					window.location.href = context.data.url;

package/dist/client/parser.mjs

@@ -34,7 +34,6 @@ function betterJSONParse(value, options = {}) {
 	const { strict = false, warnings = false, reviver, parseDates = true } = options;
 	if (typeof value !== "string") return value;
 	const trimmed = value.trim();
-	if (trimmed.length > 0 && trimmed[0] === "\"" && trimmed.endsWith("\"") && !trimmed.slice(1, -1).includes("\"")) return trimmed.slice(1, -1);
 	const lowerValue = trimmed.toLowerCase();
 	if (lowerValue.length <= 9 && lowerValue in SPECIAL_VALUES) return SPECIAL_VALUES[lowerValue];
 	if (!JSON_SIGNATURE.test(trimmed)) {

package/dist/client/plugins/index.d.mts

@@ -31,7 +31,7 @@ import { USERNAME_ERROR_CODES } from "../../plugins/username/error-codes.mjs";
 import { ORGANIZATION_ERROR_CODES } from "../../plugins/organization/error-codes.mjs";
 import { inferAdditionalFields } from "../../plugins/additional-fields/client.mjs";
 import { ADMIN_ERROR_CODES } from "../../plugins/admin/error-codes.mjs";
-import { adminClient } from "../../plugins/admin/client.mjs";
+import { AdminClientOptions, adminClient } from "../../plugins/admin/client.mjs";
 import { ANONYMOUS_ERROR_CODES } from "../../plugins/anonymous/error-codes.mjs";
 import { anonymousClient } from "../../plugins/anonymous/client.mjs";
 import { customSessionClient } from "../../plugins/custom-session/client.mjs";
@@ -47,10 +47,10 @@ import { multiSessionClient } from "../../plugins/multi-session/client.mjs";
 import { OidcClientPlugin, oidcClient } from "../../plugins/oidc-provider/client.mjs";
 import { GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, oneTapClient } from "../../plugins/one-tap/client.mjs";
 import { oneTimeTokenClient } from "../../plugins/one-time-token/client.mjs";
-import { clientSideHasPermission, inferOrgAdditionalFields, organizationClient } from "../../plugins/organization/client.mjs";
+import { OrganizationClientOptions, clientSideHasPermission, inferOrgAdditionalFields, organizationClient } from "../../plugins/organization/client.mjs";
 import { PHONE_NUMBER_ERROR_CODES } from "../../plugins/phone-number/error-codes.mjs";
 import { phoneNumberClient } from "../../plugins/phone-number/client.mjs";
 import { siweClient } from "../../plugins/siwe/client.mjs";
 import { usernameClient } from "../../plugins/username/client.mjs";
 import { InferServerPlugin } from "./infer-plugin.mjs";
-export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };
+export { ADMIN_ERROR_CODES, ANONYMOUS_ERROR_CODES, AdminClientOptions, AdminOptions, AnonymousOptions, AnonymousSession, Auth0Options, AuthorizationQuery, BackupCodeOptions, BaseOAuthProviderOptions, Client, CodeVerificationValue, EMAIL_OTP_ERROR_CODES, ExtractPluginField, type FieldAttributeToObject, GENERIC_OAUTH_ERROR_CODES, GenericOAuthConfig, GenericOAuthOptions, GoogleOneTapActionOptions, GoogleOneTapOptions, GsiButtonConfiguration, GumroadOptions, HasRequiredKeys, HubSpotOptions, InferAdminRolesFromOption, InferInvitation, InferMember, InferOrganization, InferOrganizationRolesFromOption, InferOrganizationZodRolesFromOption, InferPluginFieldFromTuple, InferServerPlugin, InferTeam, Invitation, InvitationInput, InvitationStatus, IsAny, JWKOptions, JWSAlgorithms, Jwk, JwtOptions, KeycloakOptions, LastLoginMethodClientConfig, LineOptions, MULTI_SESSION_ERROR_CODES, Member, MemberInput, MicrosoftEntraIdOptions, MultiSessionConfig, OAuthAccessToken, OIDCMetadata, OIDCOptions, ORGANIZATION_ERROR_CODES, OTPOptions, OidcClientPlugin, OktaOptions, OneTimeTokenOptions, Organization, OrganizationClientOptions, OrganizationInput, OrganizationRole, OrganizationSchema, OverrideMerge, PHONE_NUMBER_ERROR_CODES, PatreonOptions, PhoneNumberOptions, Prettify, PrettifyDeep, type RemoveFieldsWithReturnedFalse, RequiredKeysOf, SessionWithImpersonatedBy, SlackOptions, StripEmptyObjects, TOTPOptions, TWO_FACTOR_ERROR_CODES, Team, TeamInput, TeamMember, TeamMemberInput, TokenBody, TwoFactorOptions, TwoFactorProvider, TwoFactorTable, USERNAME_ERROR_CODES, UnionToIntersection, UserWithAnonymous, UserWithPhoneNumber, UserWithRole, UserWithTwoFactor, adminClient, anonymousClient, auth0, backupCode2fa, clientSideHasPermission, customSessionClient, defaultRolesSchema, deviceAuthorizationClient, emailOTPClient, encodeBackupCodes, generateBackupCodes, genericOAuthClient, getBackupCodes, gumroad, hubspot, inferAdditionalFields, inferOrgAdditionalFields, invitationSchema, invitationStatus, jwtClient, keycloak, lastLoginMethodClient, line, magicLinkClient, memberSchema, microsoftEntraId, multiSessionClient, oidcClient, okta, oneTapClient, oneTimeTokenClient, organizationClient, organizationRoleSchema, organizationSchema, otp2fa, patreon, phoneNumberClient, roleSchema, schema, siweClient, slack, teamMemberSchema, teamSchema, totp2fa, twoFactorClient, usernameClient, verifyBackupCode };

package/dist/client/proxy.mjs

@@ -1,4 +1,5 @@
 import { isAtom } from "../utils/is-atom.mjs";
+import { toKebabCase } from "@better-auth/core/utils/string";
 //#region src/client/proxy.ts
 function getMethod(path, knownPathMethods, args) {
 	const method = knownPathMethods[path];
@@ -26,7 +27,7 @@ function createDynamicPathProxy(routes, client, knownPathMethods, atoms, atomLis
 				return createProxy(fullPath);
 			},
 			apply: async (_, __, args) => {
-				const routePath = "/" + path.map((segment) => segment.replace(/[A-Z]/g, (letter) => `-${letter.toLowerCase()}`)).join("/");
+				const routePath = "/" + path.map(toKebabCase).join("/");
 				const arg = args[0] || {};
 				const fetchOptions = args[1] || {};
 				const { query, fetchOptions: argFetchOptions, ...body } = arg;

package/dist/context/create-context.mjs

@@ -42,18 +42,14 @@ function validateSecret(secret, logger) {
 	if (estimateEntropy(secret) < 120) logger.warn("[better-auth] Warning: your BETTER_AUTH_SECRET appears low-entropy. Use a randomly generated secret for production.");
 }
 async function createAuthContext(adapter, options, getDatabaseType) {
-	if (!options.database) options = defu$1(options, {
-		session: { cookieCache: {
-			enabled: true,
-			strategy: "jwe",
-			refreshCache: true,
-			maxAge: options.session?.expiresIn || 3600 * 24 * 7
-		} },
-		account: {
-			storeStateStrategy: "cookie",
-			storeAccountCookie: true
-		}
-	});
+	const isStateful = !!options.database || !!options.secondaryStorage;
+	if (!isStateful) options = defu$1(options, { session: { cookieCache: {
+		enabled: true,
+		strategy: "jwe",
+		refreshCache: true,
+		maxAge: options.session?.expiresIn || 3600 * 24 * 7
+	} } });
+	if (!options.database) options = defu$1(options, { account: { storeAccountCookie: true } });
 	const plugins = options.plugins || [];
 	const internalPlugins = getInternalPlugins(options);
 	const logger = createLogger(options.logger);
@@ -130,7 +126,7 @@ Most of the features of Better Auth will not work correctly.`);
 		socialProviders: providers,
 		options,
 		oauthConfig: {
-			storeStateStrategy: options.account?.storeStateStrategy || (options.database ? "database" : "cookie"),
+			storeStateStrategy: options.account?.storeStateStrategy || (isStateful ? "database" : "cookie"),
 			skipStateCookieCheck: !!options.account?.skipStateCookieCheck
 		},
 		tables,
@@ -146,7 +142,7 @@ Most of the features of Better Auth will not work correctly.`);
 			cookieRefreshCache: (() => {
 				const refreshCache = options.session?.cookieCache?.refreshCache;
 				const maxAge = options.session?.cookieCache?.maxAge || 300;
-				if ((!!options.database || !!options.secondaryStorage) && refreshCache) {
+				if (isStateful && refreshCache) {
 					logger.warn("[better-auth] `session.cookieCache.refreshCache` is enabled while `database` or `secondaryStorage` is configured. `refreshCache` is meant for stateless (DB-less) setups. Disabling `refreshCache` — remove it from your config to silence this warning.");
 					return false;
 				}

package/dist/context/helpers.mjs

@@ -61,9 +61,10 @@ async function getTrustedOrigins(options, request) {
 	const trustedOrigins = [];
 	if (isDynamicBaseURLConfig(options.baseURL)) {
 		const allowedHosts = options.baseURL.allowedHosts;
+		const proto = options.baseURL.protocol;
 		for (const host of allowedHosts) if (!host.includes("://")) {
-			trustedOrigins.push(`https://${host}`);
-			if (isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
+			if (!proto || proto === "https" || proto === "auto") trustedOrigins.push(`https://${host}`);
+			if (proto === "http" || proto === "auto" || isLoopbackHost(host)) trustedOrigins.push(`http://${host}`);
 		} else trustedOrigins.push(host);
 		if (options.baseURL.fallback) try {
 			trustedOrigins.push(new URL(options.baseURL.fallback).origin);

package/dist/cookies/cookie-utils.d.mts

@@ -33,6 +33,20 @@ declare function stripSecureCookiePrefix(cookieName: string): string;
 declare function splitSetCookieHeader(setCookie: string): string[];
 declare function parseSetCookieHeader(setCookie: string): Map<string, CookieAttributes>;
 declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOptions;
+/**
+ * Cookie-name token char set per RFC 7230 §3.2.6.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+ */
+declare const cookieNameRegex: RegExp;
+/**
+ * Tolerates `;` separators without the SP that RFC 6265 §4.2.1 mandates,
+ * since proxies and runtimes commonly strip it. Silently drops entries
+ * whose name violates RFC 7230 token or whose value violates RFC 6265
+ * cookie-octet (plus space and comma). Strips optional surrounding
+ * double-quotes per RFC 6265 §4.1.1.
+ */
+declare function parseCookies(cookie: string): Map<string, string>;
 /**
  * Add or replace a cookie in the request `Cookie` header.
  *
@@ -42,8 +56,17 @@ declare function toCookieOptions(attributes: CookieAttributes): ParsedCookieOpti
  * parse-mutate-serialize.
  */
 declare function setRequestCookie(headers: Headers, name: string, value: string): void;
+/**
+ * Merge `Set-Cookie` header values into the target's `Cookie` header.
+ * Mutates `target`.
+ *
+ * Name/value-level merge only. RFC 6265 §5 user-agent semantics
+ * (expiration, domain/path scoping, ordering) are out of scope. Suitable
+ * for single-request proxy, middleware, and test contexts.
+ */
+declare function applySetCookies(target: Headers, setCookieValues: Iterable<string>): void;
 declare function setCookieToHeader(headers: Headers): (context: {
   response: Response;
 }) => void;
 //#endregion
-export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/cookie-utils.mjs

@@ -1,5 +1,6 @@
 //#region src/cookies/cookie-utils.ts
 function tryDecode(str) {
+	if (str.indexOf("%") === -1) return str;
 	try {
 		return decodeURIComponent(str);
 	} catch {
@@ -49,9 +50,9 @@ function parseSetCookieHeader(setCookie) {
 	splitSetCookieHeader(setCookie).forEach((cookieString) => {
 		const [nameValue, ...attributes] = cookieString.split(";").map((part) => part.trim());
 		const [name, ...valueParts] = (nameValue || "").split("=");
-		const value = valueParts.join("=");
-		if (!name || value === void 0) return;
-		const attrObj = { value: value.includes("%") ? tryDecode(value) : value };
+		const value = unquoteCookieValue(valueParts.join("="));
+		if (!name) return;
+		const attrObj = { value: tryDecode(value) };
 		attributes.forEach((attribute) => {
 			const [attrName, ...attrValueParts] = attribute.split("=");
 			const attrValue = attrValueParts.join("=");
@@ -103,6 +104,69 @@ function toCookieOptions(attributes) {
 	};
 }
 /**
+* Cookie-name token char set per RFC 7230 §3.2.6.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+*/
+const cookieNameRegex = /^[\w!#$%&'*.^`|~+-]+$/;
+/**
+* Cookie-value char set per RFC 6265 §4.1.1, plus space and comma.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
+* @see https://github.com/golang/go/issues/7243
+*/
+const cookieValueRegex = /^[ !#-:<-[\]-~]*$/;
+/**
+* Strip surrounding double-quotes per RFC 6265 §4.1.1 quoted-string form.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.1
+*/
+function unquoteCookieValue(value) {
+	if (value.length < 2 || !value.startsWith("\"") || !value.endsWith("\"")) return value;
+	return value.slice(1, -1);
+}
+/**
+* Trim leading/trailing OWS (space / horizontal tab) per RFC 7230 §3.2.3.
+* Narrower than `String.prototype.trim()`, which strips CR/LF and other
+* whitespace and would let CTLs escape `cookieValueRegex`.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.3
+*/
+function trimOWS(s) {
+	let start = 0;
+	let end = s.length;
+	while (start < end) {
+		const c = s.charCodeAt(start);
+		if (c !== 32 && c !== 9) break;
+		start++;
+	}
+	while (end > start) {
+		const c = s.charCodeAt(end - 1);
+		if (c !== 32 && c !== 9) break;
+		end--;
+	}
+	return start === 0 && end === s.length ? s : s.slice(start, end);
+}
+/**
+* Tolerates `;` separators without the SP that RFC 6265 §4.2.1 mandates,
+* since proxies and runtimes commonly strip it. Silently drops entries
+* whose name violates RFC 7230 token or whose value violates RFC 6265
+* cookie-octet (plus space and comma). Strips optional surrounding
+* double-quotes per RFC 6265 §4.1.1.
+*/
+function parseCookies(cookie) {
+	const cookieMap = /* @__PURE__ */ new Map();
+	if (cookie.length < 2) return cookieMap;
+	for (const chunk of cookie.split(";")) {
+		const eq = chunk.indexOf("=");
+		if (eq === -1) continue;
+		const key = trimOWS(chunk.slice(0, eq));
+		const val = unquoteCookieValue(trimOWS(chunk.slice(eq + 1)));
+		if (cookieNameRegex.test(key) && cookieValueRegex.test(val)) cookieMap.set(key, tryDecode(val));
+	}
+	return cookieMap;
+}
+/**
 * Add or replace a cookie in the request `Cookie` header.
 *
 * Cookie pairs are joined with `; `, but `headers.append("cookie", ...)`
@@ -111,30 +175,29 @@ function toCookieOptions(attributes) {
 * parse-mutate-serialize.
 */
 function setRequestCookie(headers, name, value) {
-	const cookieMap = /* @__PURE__ */ new Map();
-	for (const pair of (headers.get("cookie") || "").split(";")) {
-		const trimmed = pair.trim();
-		const eq = trimmed.indexOf("=");
-		if (eq > 0) cookieMap.set(trimmed.slice(0, eq), trimmed.slice(eq + 1));
-	}
-	cookieMap.set(name, value);
-	headers.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${v}`).join("; "));
+	const cookieMap = parseCookies(headers.get("cookie") || "");
+	if (cookieNameRegex.test(name)) cookieMap.set(name, value);
+	headers.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; "));
+}
+/**
+* Merge `Set-Cookie` header values into the target's `Cookie` header.
+* Mutates `target`.
+*
+* Name/value-level merge only. RFC 6265 §5 user-agent semantics
+* (expiration, domain/path scoping, ordering) are out of scope. Suitable
+* for single-request proxy, middleware, and test contexts.
+*/
+function applySetCookies(target, setCookieValues) {
+	const cookieMap = parseCookies(target.get("cookie") || "");
+	for (const setCookie of setCookieValues) for (const [name, attr] of parseSetCookieHeader(setCookie)) if (cookieNameRegex.test(name)) cookieMap.set(name, attr.value);
+	target.set("cookie", Array.from(cookieMap, ([k, v]) => `${k}=${encodeURIComponent(v)}`).join("; "));
 }
 function setCookieToHeader(headers) {
 	return (context) => {
 		const setCookieHeader = context.response.headers.get("set-cookie");
 		if (!setCookieHeader) return;
-		const cookieMap = /* @__PURE__ */ new Map();
-		(headers.get("cookie") || "").split(";").forEach((cookie) => {
-			const [name, ...rest] = cookie.trim().split("=");
-			if (name && rest.length > 0) cookieMap.set(name, rest.join("="));
-		});
-		parseSetCookieHeader(setCookieHeader).forEach((value, name) => {
-			cookieMap.set(name, value.value);
-		});
-		const updatedCookies = Array.from(cookieMap.entries()).map(([name, value]) => `${name}=${value}`).join("; ");
-		headers.set("cookie", updatedCookies);
+		applySetCookies(headers, [setCookieHeader]);
 	};
 }
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.d.mts

@@ -1,5 +1,5 @@
 import { Session, User } from "../types/models.mjs";
-import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { CookieAttributes, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createSessionStore, getAccountCookie, getChunkedCookie } from "./session-store.mjs";
 import { BetterAuthCookie, BetterAuthCookies, BetterAuthOptions, GenericEndpointContext } from "@better-auth/core";
 import * as better_call0 from "better-call";
@@ -95,7 +95,6 @@ declare function setSessionCookie(ctx: GenericEndpointContext, session: {
  */
 declare function expireCookie(ctx: GenericEndpointContext, cookie: BetterAuthCookie): void;
 declare function deleteSessionCookie(ctx: GenericEndpointContext, skipDontRememberMe?: boolean | undefined): void;
-declare function parseCookies(cookieHeader: string): Map<string, string>;
 type EligibleCookies = (string & {}) | (keyof BetterAuthCookies & {});
 declare const getSessionCookie: (request: Request | Headers, config?: {
   cookiePrefix?: string;
@@ -116,4 +115,4 @@ declare const getCookieCache: <S extends {
   version?: string | ((session: Session & Record<string, any>, user: User & Record<string, any>) => string) | ((session: Session & Record<string, any>, user: User & Record<string, any>) => Promise<string>);
 } | undefined) => Promise<S | null>;
 //#endregion
-export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { CookieAttributes, EligibleCookies, HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };

package/dist/cookies/index.mjs

@@ -4,7 +4,7 @@ import { parseUserOutput } from "../db/schema.mjs";
 import { getDate } from "../utils/date.mjs";
 import { isPromise } from "../utils/is-promise.mjs";
 import { sec } from "../utils/time.mjs";
-import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
+import { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, parseCookies, parseSetCookieHeader, setCookieToHeader, setRequestCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions } from "./cookie-utils.mjs";
 import { createAccountStore, createSessionStore, getAccountCookie, getChunkedCookie, setAccountCookie } from "./session-store.mjs";
 import { env, isProduction } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -134,9 +134,46 @@ async function setSessionCookie(ctx, session, dontRememberMe, overrides) {
 	ctx.context.setNewSession(session);
 }
 /**
+* Remove any prior `Set-Cookie` entries on the current response whose cookie
+* name matches `cookieName` or any chunked variant (`${cookieName}.0`, etc.).
+*
+* Prevents a valid cookie value from leaking on the wire when the same cookie
+* is set and then expired within a single request (e.g. `/sign-in/email`
+* writes credential session cookies and the 2FA after-hook expires them).
+* Browsers honor the expiring entry, but anything reading the raw response
+* headers — proxy/LB logs, server-side SDK consumers, observability tools —
+* sees the earlier valid value and could replay it (bypassing the 2FA gate
+* when the cookie cache is enabled).
+*
+* Scrubs both the local middleware scope's `responseHeaders` and the outer
+* endpoint scope's `ctx.context.responseHeaders`, because plugin after-hooks
+* run in a fresh local scope while accumulated response headers live on the
+* outer one. `scoped.context` is required by {@link GenericEndpointContext}
+* but unit-test mocks pass a minimal object via `as any`, so we use optional
+* chaining defensively. The `Set` collapses the case where both scopes
+* reference the same `Headers`.
+*/
+function removeSetCookieEntries(ctx, cookieName) {
+	const scoped = ctx;
+	const targets = /* @__PURE__ */ new Set();
+	if (scoped.responseHeaders) targets.add(scoped.responseHeaders);
+	if (scoped.context?.responseHeaders) targets.add(scoped.context.responseHeaders);
+	const exact = `${cookieName}=`;
+	const chunk = `${cookieName}.`;
+	for (const headers of targets) {
+		const existing = typeof headers.getSetCookie === "function" ? headers.getSetCookie() : splitSetCookieHeader(headers.get("set-cookie") || "");
+		if (!existing.length) continue;
+		const survivors = existing.filter((entry) => !entry.startsWith(exact) && !entry.startsWith(chunk));
+		if (survivors.length === existing.length) continue;
+		headers.delete("set-cookie");
+		for (const entry of survivors) headers.append("set-cookie", entry);
+	}
+}
+/**
 * Expires a cookie by setting `maxAge: 0` while preserving its attributes
 */
 function expireCookie(ctx, cookie) {
+	removeSetCookieEntries(ctx, cookie.name);
 	ctx.setCookie(cookie.name, "", {
 		...cookie.attributes,
 		maxAge: 0
@@ -157,15 +194,6 @@ function deleteSessionCookie(ctx, skipDontRememberMe) {
 	sessionStore.setCookies(cleanCookies);
 	if (!skipDontRememberMe) expireCookie(ctx, ctx.context.authCookies.dontRememberToken);
 }
-function parseCookies(cookieHeader) {
-	const cookies = cookieHeader.split("; ");
-	const cookieMap = /* @__PURE__ */ new Map();
-	cookies.forEach((cookie) => {
-		const [name, value] = cookie.split(/=(.*)/s);
-		cookieMap.set(name, value);
-	});
-	return cookieMap;
-}
 const getSessionCookie = (request, config) => {
 	const cookies = (request instanceof Headers || !("headers" in request) ? request : request.headers).get("cookie");
 	if (!cookies) return null;
@@ -258,4 +286,4 @@ const getCookieCache = async (request, config) => {
 	return null;
 };
 //#endregion
-export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };
+export { HOST_COOKIE_PREFIX, SECURE_COOKIE_PREFIX, applySetCookies, cookieNameRegex, createCookieGetter, createSessionStore, deleteSessionCookie, expireCookie, getAccountCookie, getChunkedCookie, getCookieCache, getCookies, getSessionCookie, parseCookies, parseSetCookieHeader, setCookieCache, setCookieToHeader, setRequestCookie, setSessionCookie, splitSetCookieHeader, stripSecureCookiePrefix, toCookieOptions };