better-auth 1.6.11 → 1.6.13

package/dist/cookies/session-store.mjs

@@ -1,4 +1,5 @@
 import { symmetricDecodeJWT, symmetricEncodeJWT } from "../crypto/jwt.mjs";
+import { parseCookies } from "./cookie-utils.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 import * as z from "zod";
 //#region src/cookies/session-store.ts
@@ -6,20 +7,6 @@ const ALLOWED_COOKIE_SIZE = 4096;
 const ESTIMATED_EMPTY_COOKIE_SIZE = 200;
 const CHUNK_SIZE = ALLOWED_COOKIE_SIZE - ESTIMATED_EMPTY_COOKIE_SIZE;
 /**
-* Parse cookies from the request headers
-*/
-function parseCookiesFromContext(ctx) {
-	const cookieHeader = ctx.headers?.get("cookie");
-	if (!cookieHeader) return {};
-	const cookies = {};
-	const pairs = cookieHeader.split("; ");
-	for (const pair of pairs) {
-		const [name, ...valueParts] = pair.split("=");
-		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
-	}
-	return cookies;
-}
-/**
 * Extract the chunk index from a cookie name
 */
 function getChunkIndex(cookieName) {
@@ -33,8 +20,8 @@ function getChunkIndex(cookieName) {
 */
 function readExistingChunks(cookieName, ctx) {
 	const chunks = {};
-	const cookies = parseCookiesFromContext(ctx);
-	for (const [name, value] of Object.entries(cookies)) if (name.startsWith(cookieName)) chunks[name] = value;
+	const cookies = parseCookies(ctx.headers?.get("cookie") || "");
+	for (const [name, value] of cookies) if (name.startsWith(cookieName)) chunks[name] = value;
 	return chunks;
 }
 /**
@@ -140,13 +127,7 @@ function getChunkedCookie(ctx, cookieName) {
 	const chunks = [];
 	const cookieHeader = ctx.headers?.get("cookie");
 	if (!cookieHeader) return null;
-	const cookies = {};
-	const pairs = cookieHeader.split("; ");
-	for (const pair of pairs) {
-		const [name, ...valueParts] = pair.split("=");
-		if (name && valueParts.length > 0) cookies[name] = valueParts.join("=");
-	}
-	for (const [name, val] of Object.entries(cookies)) if (name.startsWith(cookieName + ".")) {
+	for (const [name, val] of parseCookies(cookieHeader)) if (name.startsWith(cookieName + ".")) {
 		const indexStr = name.split(".").at(-1);
 		const index = parseInt(indexStr || "0", 10);
 		if (!isNaN(index)) chunks.push({

package/dist/db/get-migration.mjs

@@ -269,13 +269,14 @@ async function getMigrations(config) {
 			return `${model}.${field}`;
 		}
 	}
+	const deferredIndexes = [];
 	if (toBeAdded.length) for (const table of toBeAdded) for (const [fieldName, field] of Object.entries(table.fields)) {
 		const type = getType(field, fieldName);
 		const builder = db.schema.alterTable(table.table);
 		if (field.index) {
 			const indexName = `${table.table}_${fieldName}_${field.unique ? "uidx" : "idx"}`;
 			const indexBuilder = db.schema.createIndex(indexName).on(table.table).columns([fieldName]);
-			migrations.push(field.unique ? indexBuilder.unique() : indexBuilder);
+			deferredIndexes.push(field.unique ? indexBuilder.unique() : indexBuilder);
 		}
 		const built = builder.addColumn(fieldName, type, (col) => {
 			col = field.required !== false ? col.notNull() : col;
@@ -287,7 +288,6 @@ async function getMigrations(config) {
 		});
 		migrations.push(built);
 	}
-	const toBeIndexed = [];
 	if (toBeCreated.length) for (const table of toBeCreated) {
 		const idType = getType({ type: useNumberId ? "number" : "string" }, "id");
 		let dbT = db.schema.createTable(table.table).addColumn("id", idType, (col) => {
@@ -315,12 +315,12 @@ async function getMigrations(config) {
 			});
 			if (field.index) {
 				const builder = db.schema.createIndex(`${table.table}_${fieldName}_${field.unique ? "uidx" : "idx"}`).on(table.table).columns([fieldName]);
-				toBeIndexed.push(field.unique ? builder.unique() : builder);
+				deferredIndexes.push(field.unique ? builder.unique() : builder);
 			}
 		}
 		migrations.push(dbT);
 	}
-	if (toBeIndexed.length) for (const index of toBeIndexed) migrations.push(index);
+	for (const index of deferredIndexes) migrations.push(index);
 	async function runMigrations() {
 		for (const migration of migrations) await migration.execute();
 	}

package/dist/db/index.d.mts

@@ -3,7 +3,7 @@ import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getSchema } from "./get-schema.mjs";
 import { DatabaseHooksEntry, getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
-import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
 import { FieldAttributeToSchema, toZodSchema } from "./to-zod.mjs";
 export * from "@better-auth/core/db";
-export { DatabaseHooksEntry, FieldAttributeToObject, FieldAttributeToSchema, InferAdditionalFieldsFromPluginOptions, InferFieldsInputClient, InferFieldsOutput, RemoveFieldsWithReturnedFalse, convertFromDB, convertToDB, createInternalAdapter, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };
+export { DatabaseHooksEntry, FieldAttributeToObject, FieldAttributeToSchema, InferAdditionalFieldsFromPluginOptions, InferFieldsInputClient, InferFieldsOutput, RemoveFieldsWithReturnedFalse, buildSyntheticUserOutput, convertFromDB, convertToDB, createInternalAdapter, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };

package/dist/db/index.mjs

@@ -1,6 +1,6 @@
 import { __exportAll, __reExport } from "../_virtual/_rolldown/runtime.mjs";
 import { getSchema } from "./get-schema.mjs";
-import { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
+import { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput } from "./schema.mjs";
 import { convertFromDB, convertToDB } from "./field-converter.mjs";
 import { getWithHooks } from "./with-hooks.mjs";
 import { createInternalAdapter } from "./internal-adapter.mjs";
@@ -8,6 +8,7 @@ import { toZodSchema } from "./to-zod.mjs";
 export * from "@better-auth/core/db";
 //#region src/db/index.ts
 var db_exports = /* @__PURE__ */ __exportAll({
+	buildSyntheticUserOutput: () => buildSyntheticUserOutput,
 	convertFromDB: () => convertFromDB,
 	convertToDB: () => convertToDB,
 	createInternalAdapter: () => createInternalAdapter,
@@ -28,4 +29,4 @@ var db_exports = /* @__PURE__ */ __exportAll({
 import * as import__better_auth_core_db from "@better-auth/core/db";
 __reExport(db_exports, import__better_auth_core_db);
 //#endregion
-export { convertFromDB, convertToDB, createInternalAdapter, db_exports, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };
+export { buildSyntheticUserOutput, convertFromDB, convertToDB, createInternalAdapter, db_exports, getSchema, getSessionDefaultFields, getWithHooks, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput, toZodSchema };

package/dist/db/internal-adapter.mjs

@@ -388,21 +388,29 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: id
 			}], "account", void 0);
 		},
-		deleteSessions: async (userIdOrSessionTokens) => {
+		deleteUserSessions: async (userId) => {
 			if (secondaryStorage) {
-				if (typeof userIdOrSessionTokens === "string") {
-					const activeSession = await secondaryStorage.get(`active-sessions-${userIdOrSessionTokens}`);
-					const sessions = activeSession ? safeJSONParse(activeSession) : [];
-					if (!sessions) return;
-					for (const session of sessions) await secondaryStorage.delete(session.token);
-					await secondaryStorage.delete(`active-sessions-${userIdOrSessionTokens}`);
-				} else for (const sessionToken of userIdOrSessionTokens) if (await secondaryStorage.get(sessionToken)) await secondaryStorage.delete(sessionToken);
+				const activeSession = await secondaryStorage.get(`active-sessions-${userId}`);
+				const sessions = activeSession ? safeJSONParse(activeSession) : [];
+				if (!sessions) return;
+				for (const session of sessions) await secondaryStorage.delete(session.token);
+				await secondaryStorage.delete(`active-sessions-${userId}`);
 				if (!options.session?.storeSessionInDatabase || ctx.options.session?.preserveSessionInDatabase) return;
 			}
 			await deleteManyWithHooks([{
-				field: Array.isArray(userIdOrSessionTokens) ? "token" : "userId",
-				value: userIdOrSessionTokens,
-				operator: Array.isArray(userIdOrSessionTokens) ? "in" : void 0
+				field: "userId",
+				value: userId
+			}], "session", void 0);
+		},
+		deleteSessions: async (sessionTokens) => {
+			if (secondaryStorage) {
+				for (const sessionToken of sessionTokens) if (await secondaryStorage.get(sessionToken)) await secondaryStorage.delete(sessionToken);
+				if (!options.session?.storeSessionInDatabase || ctx.options.session?.preserveSessionInDatabase) return;
+			}
+			await deleteManyWithHooks([{
+				field: "token",
+				value: sessionTokens,
+				operator: "in"
 			}], "session", void 0);
 		},
 		findOAuthUser: async (email, accountId, providerId) => {
@@ -532,15 +540,6 @@ const createInternalAdapter = (adapter, ctx) => {
 				}]
 			});
 		},
-		findAccount: async (accountId) => {
-			return await (await getCurrentAdapter(adapter)).findOne({
-				model: "account",
-				where: [{
-					field: "accountId",
-					value: accountId
-				}]
-			});
-		},
 		findAccountByProviderId: async (accountId, providerId) => {
 			return await (await getCurrentAdapter(adapter)).findOne({
 				model: "account",
@@ -639,17 +638,23 @@ const createInternalAdapter = (adapter, ctx) => {
 			const storageOption = getStorageOption(identifier, options.verification?.storeIdentifier);
 			const storedIdentifier = await processIdentifier(identifier, storageOption);
 			const identifiersToTry = storageOption && storageOption !== "plain" ? [storedIdentifier, identifier] : [storedIdentifier];
-			if (secondaryStorage && !options.verification?.storeInDatabase) {
-				const parseCachedVerification = (raw) => {
-					if (!raw) return null;
-					if (typeof raw === "string") return safeJSONParse(raw);
-					if (typeof raw === "object") return raw;
-					return null;
+			const hydrateCachedVerification = (raw) => {
+				if (!raw) return null;
+				const candidate = typeof raw === "string" ? safeJSONParse(raw) : typeof raw === "object" ? raw : null;
+				if (!candidate) return null;
+				const expiresAt = new Date(candidate.expiresAt);
+				if (!Number.isFinite(expiresAt.getTime())) return null;
+				return {
+					...candidate,
+					expiresAt
 				};
+			};
+			let consumed = null;
+			if (secondaryStorage && !options.verification?.storeInDatabase) {
 				const consumeCacheKey = async (key) => {
-					if (secondaryStorage.getAndDelete) return parseCachedVerification(await secondaryStorage.getAndDelete(key));
+					if (secondaryStorage.getAndDelete) return hydrateCachedVerification(await secondaryStorage.getAndDelete(key));
 					return withVerificationConsumeLock(key, async () => {
-						const parsed = parseCachedVerification(await secondaryStorage.get(key));
+						const parsed = hydrateCachedVerification(await secondaryStorage.get(key));
 						if (!parsed) return null;
 						await secondaryStorage.delete(key);
 						return parsed;
@@ -659,17 +664,16 @@ const createInternalAdapter = (adapter, ctx) => {
 					const cached = await consumeCacheKey(`verification:${stored}`);
 					if (!cached) continue;
 					await Promise.all(identifiersToTry.filter((candidate) => candidate !== stored).map((candidate) => secondaryStorage.delete(`verification:${candidate}`)));
-					return cached;
+					consumed = cached;
+					break;
 				}
-				return null;
-			}
-			async function consumeByIdentifier(id) {
-				const where = [{
-					field: "identifier",
-					value: id
-				}];
-				return withVerificationConsumeLock(`verification:${id}`, () => runWithTransaction(adapter, async () => {
+			} else {
+				const consumeByIdentifier = async (id) => withVerificationConsumeLock(`verification:${id}`, () => runWithTransaction(adapter, async () => {
 					const txAdapter = await getCurrentAdapter(adapter);
+					const where = [{
+						field: "identifier",
+						value: id
+					}];
 					const latest = (await txAdapter.findMany({
 						model: "verification",
 						where,
@@ -680,30 +684,32 @@ const createInternalAdapter = (adapter, ctx) => {
 						limit: 1
 					}))[0] ?? null;
 					if (!latest) return null;
-					const hookWhere = [{
+					return consumeOneWithHooks("verification", [{
 						field: "id",
 						value: latest.id
-					}];
-					return consumeOneWithHooks("verification", hookWhere, async () => {
-						const consumed = await txAdapter.consumeOne({
+					}], async () => {
+						const row = await txAdapter.consumeOne({
 							model: "verification",
-							where: hookWhere
+							where: [{
+								field: "id",
+								value: latest.id
+							}]
 						});
-						if (!consumed) return null;
+						if (!row) return null;
 						await txAdapter.deleteMany({
 							model: "verification",
 							where
 						});
-						return consumed;
+						return row;
 					}, latest);
 				}));
+				for (const stored of identifiersToTry) {
+					consumed = await consumeByIdentifier(stored);
+					if (consumed) break;
+				}
+				if (consumed && secondaryStorage) await Promise.all(identifiersToTry.map((stored) => secondaryStorage.delete(`verification:${stored}`)));
 			}
-			let consumed = null;
-			for (const stored of identifiersToTry) {
-				consumed = await consumeByIdentifier(stored);
-				if (consumed) break;
-			}
-			if (consumed && secondaryStorage) await Promise.all(identifiersToTry.map((stored) => secondaryStorage.delete(`verification:${stored}`)));
+			if (!consumed || consumed.expiresAt < /* @__PURE__ */ new Date()) return null;
 			return consumed;
 		},
 		updateVerificationByIdentifier: async (identifier, data) => {

package/dist/db/schema.d.mts

@@ -4,8 +4,21 @@ import { BetterAuthPluginDBSchema, DBFieldAttribute } from "@better-auth/core/db
 
 //#region src/db/schema.d.ts
 declare function parseUserOutput<T extends User$1>(options: BetterAuthOptions, user: T): T;
+/**
+ * Builds a synthetic user object that matches the shape of a real user
+ * returned from the database. This ensures enumeration protection works
+ * correctly by making synthetic and real user responses indistinguishable.
+ *
+ * The function iterates over the user output schema and:
+ * - Includes all fields that should be returned (returned !== false)
+ * - Uses provided values when available
+ * - Sets optional fields to null when no value is provided
+ * - Applies default values where defined
+ * - Always includes the 'id' field (not part of schema but always present)
+ */
+declare function buildSyntheticUserOutput(options: BetterAuthOptions, data: Record<string, unknown>): Record<string, unknown>;
 declare function parseSessionOutput<T extends Session$1>(options: BetterAuthOptions, session: T): T;
-declare function parseAccountOutput<T extends Account>(options: BetterAuthOptions, account: T): Omit<T, "idToken" | "accessToken" | "refreshToken" | "accessTokenExpiresAt" | "refreshTokenExpiresAt" | "password">;
+declare function parseAccountOutput<T extends Account>(options: BetterAuthOptions, account: T): Omit<T, "idToken" | "accessToken" | "refreshToken" | "password" | "accessTokenExpiresAt" | "refreshTokenExpiresAt">;
 declare function parseInputData<T extends Record<string, any>>(data: T, schema: {
   fields: Record<string, DBFieldAttribute>;
   action?: ("create" | "update") | undefined;
@@ -45,4 +58,4 @@ declare function mergeSchema<S extends BetterAuthPluginDBSchema>(schema: S, newS
   } | undefined;
 } | undefined } | undefined): S;
 //#endregion
-export { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };
+export { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };

package/dist/db/schema.mjs

@@ -24,6 +24,31 @@ function getFields(options, modelName, mode) {
 function parseUserOutput(options, user) {
 	return filterOutputFields(user, getFields(options, "user", "output"));
 }
+/**
+* Builds a synthetic user object that matches the shape of a real user
+* returned from the database. This ensures enumeration protection works
+* correctly by making synthetic and real user responses indistinguishable.
+*
+* The function iterates over the user output schema and:
+* - Includes all fields that should be returned (returned !== false)
+* - Uses provided values when available
+* - Sets optional fields to null when no value is provided
+* - Applies default values where defined
+* - Always includes the 'id' field (not part of schema but always present)
+*/
+function buildSyntheticUserOutput(options, data) {
+	const schema = getFields(options, "user", "output");
+	const result = {};
+	for (const key in schema) {
+		const fieldAttr = schema[key];
+		if (fieldAttr.returned === false) continue;
+		if (key in data && data[key] !== void 0) result[key] = data[key];
+		else if (fieldAttr.defaultValue !== void 0) result[key] = typeof fieldAttr.defaultValue === "function" ? fieldAttr.defaultValue() : fieldAttr.defaultValue;
+		else if (!fieldAttr.required) result[key] = null;
+	}
+	if ("id" in data) result.id = data.id;
+	return result;
+}
 function parseSessionOutput(options, session) {
 	return filterOutputFields(session, getFields(options, "session", "output"));
 }
@@ -121,4 +146,4 @@ function mergeSchema(schema, newSchema) {
 	return schema;
 }
 //#endregion
-export { getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };
+export { buildSyntheticUserOutput, getSessionDefaultFields, mergeSchema, parseAccountInput, parseAccountOutput, parseAdditionalUserInput, parseInputData, parseSessionInput, parseSessionOutput, parseUserInput, parseUserOutput };

package/dist/index.d.mts

@@ -10,7 +10,7 @@ import { betterAuth } from "./auth/full.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "./state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
-import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
 import { APIError } from "./api/index.mjs";
 import { StandardSchemaV1 } from "@better-auth/core";
 import { getCurrentAdapter } from "@better-auth/core/context";
@@ -27,4 +27,4 @@ export * from "@better-auth/core/utils/json";
 export * from "@better-auth/core/social-providers";
 export * from "better-call";
 export * from "zod";
-export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL } from "./utils/url.mjs";
+import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
 import { generateGenericState, parseGenericState } from "./state.mjs";
 import { generateState, parseState } from "./oauth2/state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
@@ -14,4 +14,4 @@ export * from "@better-auth/core/oauth2";
 export * from "@better-auth/core/utils/error-codes";
 export * from "@better-auth/core/utils/id";
 export * from "@better-auth/core/utils/json";
-export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL };
+export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/oauth2/errors.mjs

@@ -1,6 +1,21 @@
 //#region src/oauth2/errors.ts
 const HANDLING_DOCS_URL = "https://www.better-auth.com/docs/concepts/oauth#handling-providers-without-email";
 /**
+* Redirect the user to the OAuth error page with a machine-readable `error`
+* code (and optional `error_description`).
+*
+* Every OAuth callback path routes its failures through this helper so the
+* query parameter name, the `?`/`&` separator, and URL encoding are decided in
+* one place. The error page reads the `error` query parameter, so callers must
+* never hand-build the redirect with a different parameter name.
+*/
+function redirectOnError(ctx, errorURL, error, description) {
+	const params = new URLSearchParams({ error });
+	if (description) params.set("error_description", description);
+	const sep = errorURL.includes("?") ? "&" : "?";
+	throw ctx.redirect(`${errorURL}${sep}${params.toString()}`);
+}
+/**
 * Build the logger message shown when an OAuth provider does not return an
 * email address. Kept in one place so every rejection site points users at
 * the same workaround docs.
@@ -9,4 +24,4 @@ function missingEmailLogMessage(providerId, options) {
 	return `${options?.source === "generic" ? `Generic OAuth provider "${providerId}"` : `Provider "${providerId}"`} did not return an email${options?.source === "id_token" ? " in the id token" : ""}. Either request the provider's email scope, or synthesize one via \`mapProfileToUser\`. See ${HANDLING_DOCS_URL}`;
 }
 //#endregion
-export { missingEmailLogMessage };
+export { missingEmailLogMessage, redirectOnError };

package/dist/oauth2/index.d.mts

@@ -1,5 +1,5 @@
 import { generateState, parseState } from "./state.mjs";
-import { handleOAuthUserInfo } from "./link-account.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "./link-account.mjs";
 import { decryptOAuthToken, setTokenUtil } from "./utils.mjs";
 export * from "@better-auth/core/oauth2";
-export { decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };
+export { applyUpdateUserInfoOnLink, decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };

package/dist/oauth2/index.mjs

@@ -1,5 +1,5 @@
-import { generateState, parseState } from "./state.mjs";
 import { decryptOAuthToken, setTokenUtil } from "./utils.mjs";
-import { handleOAuthUserInfo } from "./link-account.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "./link-account.mjs";
+import { generateState, parseState } from "./state.mjs";
 export * from "@better-auth/core/oauth2";
-export { decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };
+export { applyUpdateUserInfoOnLink, decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };

package/dist/oauth2/link-account.d.mts

@@ -42,5 +42,31 @@ declare function handleOAuthUserInfo(c: GenericEndpointContext, opts: {
   error: null;
   isRegister: boolean;
 }>;
+/**
+ * Provider profile a freshly linked account may copy onto the local user.
+ * `id` is the provider's account id (never the local user id), and `email`/
+ * `emailVerified` are identity anchors; all three are stripped before the
+ * remaining fields are written.
+ */
+type LinkedProviderProfile = {
+  id: string | number;
+  name?: string | undefined;
+  email?: string | null | undefined;
+  emailVerified?: boolean | undefined;
+  image?: string | null | undefined;
+};
+/**
+ * Apply the `account.accountLinking.updateUserInfoOnLink` policy: when enabled,
+ * copy the freshly linked provider's profile onto the local user, matching the
+ * field set persisted on sign-up. The local `email` and `emailVerified` are
+ * never changed, so a link can't rebind the account's identity, and
+ * `updateUser` drops `undefined` fields, so a provider that omits one leaves
+ * the existing column intact.
+ *
+ * Returns the updated user so a caller that issues a session can seed the
+ * cookie cache with the fresh row. Returns `undefined` when the policy is
+ * disabled or the update fails: a failed profile sync must not abort the link.
+ */
+declare function applyUpdateUserInfoOnLink(c: GenericEndpointContext, userId: string, userInfo: LinkedProviderProfile): Promise<User | undefined>;
 //#endregion
-export { handleOAuthUserInfo };
+export { applyUpdateUserInfoOnLink, handleOAuthUserInfo };

package/dist/oauth2/link-account.mjs

@@ -1,5 +1,6 @@
 import { isAPIError } from "../utils/is-api-error.mjs";
 import { setAccountCookie } from "../cookies/session-store.mjs";
+import { redirectOnError } from "./errors.mjs";
 import { setTokenUtil } from "./utils.mjs";
 import { createEmailVerificationToken } from "../api/routes/email-verification.mjs";
 import { isDevelopment, logger } from "@better-auth/core/env";
@@ -8,8 +9,7 @@ async function handleOAuthUserInfo(c, opts) {
 	const { userInfo, account, callbackURL, disableSignUp, overrideUserInfo } = opts;
 	const dbUser = await c.context.internalAdapter.findOAuthUser(userInfo.email.toLowerCase(), account.accountId, account.providerId).catch((e) => {
 		logger.error("Better auth was unable to query your database.\nError: ", e);
-		const errorURL = c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`;
-		throw c.redirect(`${errorURL}?error=internal_server_error`);
+		redirectOnError(c, c.context.options.onAPIError?.errorURL || `${c.context.baseURL}/error`, "internal_server_error");
 	});
 	let user = dbUser?.user;
 	const isRegister = !user;
@@ -46,6 +46,7 @@ async function handleOAuthUserInfo(c, opts) {
 				};
 			}
 			if (userInfo.emailVerified && !dbUser.user.emailVerified && userInfo.email.toLowerCase() === dbUser.user.email) await c.context.internalAdapter.updateUser(dbUser.user.id, { emailVerified: true });
+			user = await applyUpdateUserInfoOnLink(c, dbUser.user.id, userInfo) ?? user;
 		} else {
 			const freshTokens = c.context.options.account?.updateAccountOnSignIn !== false ? Object.fromEntries(Object.entries({
 				idToken: account.idToken,
@@ -96,7 +97,7 @@ async function handleOAuthUserInfo(c, opts) {
 			if (c.context.options.account?.storeAccountCookie) await setAccountCookie(c, createdAccount);
 			if (!userInfo.emailVerified && user && c.context.options.emailVerification?.sendOnSignUp && c.context.options.emailVerification?.sendVerificationEmail) {
 				const token = await createEmailVerificationToken(c.context.secret, user.email, void 0, c.context.options.emailVerification?.expiresIn);
-				const url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${callbackURL}`;
+				const url = `${c.context.baseURL}/verify-email?token=${token}&callbackURL=${encodeURIComponent(callbackURL || "/")}`;
 				await c.context.runInBackgroundOrAwait(c.context.options.emailVerification.sendVerificationEmail({
 					user,
 					url,
@@ -137,5 +138,27 @@ async function handleOAuthUserInfo(c, opts) {
 		isRegister
 	};
 }
+/**
+* Apply the `account.accountLinking.updateUserInfoOnLink` policy: when enabled,
+* copy the freshly linked provider's profile onto the local user, matching the
+* field set persisted on sign-up. The local `email` and `emailVerified` are
+* never changed, so a link can't rebind the account's identity, and
+* `updateUser` drops `undefined` fields, so a provider that omits one leaves
+* the existing column intact.
+*
+* Returns the updated user so a caller that issues a session can seed the
+* cookie cache with the fresh row. Returns `undefined` when the policy is
+* disabled or the update fails: a failed profile sync must not abort the link.
+*/
+async function applyUpdateUserInfoOnLink(c, userId, userInfo) {
+	if (c.context.options.account?.accountLinking?.updateUserInfoOnLink !== true) return;
+	const { id: _id, email: _email, emailVerified: _emailVerified, ...profile } = userInfo;
+	try {
+		return await c.context.internalAdapter.updateUser(userId, profile);
+	} catch (e) {
+		c.context.logger.warn("Could not update user info on account link", e);
+		return;
+	}
+}
 //#endregion
-export { handleOAuthUserInfo };
+export { applyUpdateUserInfoOnLink, handleOAuthUserInfo };

package/dist/oauth2/state.mjs

@@ -1,4 +1,5 @@
 import { generateRandomString } from "../crypto/random.mjs";
+import { redirectOnError } from "./errors.mjs";
 import { setOAuthState } from "../api/state/oauth.mjs";
 import { StateError, generateGenericState, parseGenericState } from "../state.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
@@ -36,8 +37,13 @@ async function parseState(c) {
 		parsedData = await parseGenericState(c, state);
 	} catch (error) {
 		c.context.logger.error("Failed to parse state", error);
-		if (error instanceof StateError && error.code === "state_security_mismatch") throw c.redirect(`${errorURL}?error=state_mismatch`);
-		throw c.redirect(`${errorURL}?error=please_restart_the_process`);
+		let code = "internal_server_error";
+		let redirectErrorURL = errorURL;
+		if (error instanceof StateError) {
+			code = error.code === "state_security_mismatch" ? "state_mismatch" : error.code;
+			redirectErrorURL = error.errorURL ?? errorURL;
+		}
+		redirectOnError(c, redirectErrorURL, code);
 	}
 	if (!parsedData.errorURL) parsedData.errorURL = errorURL;
 	if (parsedData) await setOAuthState(parsedData);

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.11";
+var version = "1.6.13";
 //#endregion
 export { version };

package/dist/plugins/access/access.mjs

@@ -6,14 +6,19 @@ function role(statements) {
 			let success = false;
 			for (const [requestedResource, requestedActions] of Object.entries(request)) {
 				const allowedActions = statements[requestedResource];
-				if (!allowedActions) return {
-					success: false,
-					error: `You are not allowed to access resource: ${requestedResource}`
-				};
-				if (Array.isArray(requestedActions)) success = requestedActions.every((requestedAction) => allowedActions.includes(requestedAction));
+				if (!allowedActions) {
+					if (connector === "AND") return {
+						success: false,
+						error: `You are not allowed to access resource: ${requestedResource}`
+					};
+					success = false;
+					continue;
+				}
+				if (Array.isArray(requestedActions)) success = requestedActions.length > 0 && requestedActions.every((requestedAction) => allowedActions.includes(requestedAction));
 				else if (typeof requestedActions === "object") {
 					const actions = requestedActions;
-					if (actions.connector === "OR") success = actions.actions.some((requestedAction) => allowedActions.includes(requestedAction));
+					if (!Array.isArray(actions.actions) || actions.actions.length === 0) success = false;
+					else if (actions.connector === "OR") success = actions.actions.some((requestedAction) => allowedActions.includes(requestedAction));
 					else success = actions.actions.every((requestedAction) => allowedActions.includes(requestedAction));
 				} else throw new BetterAuthError("Invalid access control request");
 				if (success && connector === "OR") return { success };

package/dist/plugins/admin/admin.mjs

@@ -42,10 +42,6 @@ const admin = (options) => {
 							});
 							return;
 						}
-						if (ctx && (ctx.path.startsWith("/callback") || ctx.path.startsWith("/oauth2/callback"))) {
-							const redirectURI = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-							throw ctx.redirect(`${redirectURI}?error=banned&error_description=${opts.bannedUserMessage}`);
-						}
 						throw APIError.from("FORBIDDEN", {
 							message: opts.bannedUserMessage,
 							code: "BANNED_USER"

package/dist/plugins/admin/client.d.mts

@@ -76,4 +76,4 @@ declare const adminClient: <O extends AdminClientOptions>(options?: O | undefine
   };
 };
 //#endregion
-export { adminClient };
+export { AdminClientOptions, adminClient };

package/dist/plugins/admin/routes.mjs

@@ -462,7 +462,7 @@ const banUser = (opts) => createAuthEndpoint("/admin/ban-user", {
 		banExpires: ctx.body.banExpiresIn ? getDate(ctx.body.banExpiresIn, "sec") : opts?.defaultBanExpiresIn ? getDate(opts.defaultBanExpiresIn, "sec") : void 0,
 		updatedAt: /* @__PURE__ */ new Date()
 	});
-	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
+	await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	return ctx.json({ user: parseUserOutput(ctx.context.options, user) });
 });
 const impersonateUserBodySchema = z.object({ userId: z.coerce.string().meta({ description: "The user id" }) });
@@ -658,7 +658,7 @@ const revokeUserSessions = (opts) => createAuthEndpoint("/admin/revoke-user-sess
 		options: opts,
 		permissions: { session: ["revoke"] }
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REVOKE_USERS_SESSIONS);
-	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
+	await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	return ctx.json({ success: true });
 });
 const removeUserBodySchema = z.object({ userId: z.coerce.string().meta({ description: "The user id" }) });
@@ -703,7 +703,7 @@ const removeUser = (opts) => createAuthEndpoint("/admin/remove-user", {
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_DELETE_USERS);
 	if (ctx.body.userId === ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_CANNOT_REMOVE_YOURSELF);
 	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
-	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
+	await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	await ctx.context.internalAdapter.deleteUser(ctx.body.userId);
 	return ctx.json({ success: true });
 });