better-auth 1.6.11 → 1.6.13

package/dist/plugins/anonymous/index.mjs

@@ -102,7 +102,7 @@ const anonymous = (options) => {
 				if (options?.disableDeleteAnonymousUser) throw APIError.from("BAD_REQUEST", ANONYMOUS_ERROR_CODES.DELETE_ANONYMOUS_USER_DISABLED);
 				if (!session.user.isAnonymous) throw APIError.from("FORBIDDEN", ANONYMOUS_ERROR_CODES.USER_IS_NOT_ANONYMOUS);
 				try {
-					await ctx.context.internalAdapter.deleteSessions(session.user.id);
+					await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 				} catch (error) {
 					ctx.context.logger.error("Failed to delete anonymous user sessions", error);
 					throw APIError.from("INTERNAL_SERVER_ERROR", ANONYMOUS_ERROR_CODES.FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS);
@@ -154,7 +154,7 @@ const anonymous = (options) => {
 				const newSessionIsAnonymous = Boolean(newSessionUser?.isAnonymous);
 				if (options?.disableDeleteAnonymousUser || isSameUser || newSessionIsAnonymous) return;
 				try {
-					await ctx.context.internalAdapter.deleteSessions(session.user.id);
+					await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 					await ctx.context.internalAdapter.deleteUser(session.user.id);
 				} catch (error) {
 					ctx.context.logger.error("Failed to clean up anonymous user during post-link cleanup", {

package/dist/plugins/bearer/index.mjs

@@ -30,16 +30,11 @@ const bearer = (options) => {
 					if (authHeader.slice(0, 7).toLowerCase() !== BEARER_SCHEME) return;
 					const token = authHeader.slice(7).trim();
 					if (!token) return;
-					let signedToken;
 					let decodedToken;
-					if (token.includes(".")) {
-						const isEncoded = token.includes("%");
-						signedToken = isEncoded ? token : encodeURIComponent(token);
-						decodedToken = isEncoded ? tryDecode(token) : token;
-					} else {
+					if (token.includes(".")) decodedToken = token.includes("%") ? tryDecode(token) : token;
+					else {
 						if (options?.requireSignature) return;
-						signedToken = (await serializeSignedCookie("", token, c.context.secret)).replace("=", "");
-						decodedToken = tryDecode(signedToken);
+						decodedToken = tryDecode((await serializeSignedCookie("", token, c.context.secret)).replace("=", ""));
 					}
 					try {
 						if (!await createHMAC("SHA-256", "base64urlnopad").verify(c.context.secret, decodedToken.split(".")[0], decodedToken.split(".")[1])) return;
@@ -48,7 +43,7 @@ const bearer = (options) => {
 					}
 					const existingHeaders = c.request?.headers || c.headers;
 					const headers = new Headers({ ...Object.fromEntries(existingHeaders?.entries()) });
-					setRequestCookie(headers, c.context.authCookies.sessionToken.name, signedToken);
+					setRequestCookie(headers, c.context.authCookies.sessionToken.name, decodedToken);
 					return { context: { headers } };
 				})
 			}],

package/dist/plugins/captcha/index.mjs

@@ -21,12 +21,12 @@ const captcha = (options) => ({
 			if (pathname.endsWith("//")) pathname = pathname.slice(0, -1);
 			if (pathname.startsWith("//")) pathname = pathname.slice(1);
 			if (!pathname.startsWith("/")) pathname = "/" + pathname;
-			const blockedPaths = ["/sign-in/email-otp"].reduce((acc, curr) => {
+			const exemptPaths = ["/sign-in/email-otp"].reduce((acc, curr) => {
 				if (options.endpoints?.length && options.endpoints.includes(curr)) return acc;
 				return [...acc, curr];
 			}, []);
 			if (!endpoints.some((endpoint) => {
-				return pathname.includes(endpoint) && !blockedPaths.includes(endpoint);
+				return pathname.includes(endpoint) && !exemptPaths.some((p) => pathname.includes(p));
 			})) return;
 			if (!options.secretKey) throw new Error(INTERNAL_ERROR_CODES.MISSING_SECRET_KEY.message);
 			const captchaResponse = request.headers.get("x-captcha-response");

package/dist/plugins/email-otp/routes.mjs

@@ -585,7 +585,7 @@ const resetPasswordEmailOTP = (opts) => createAuthEndpoint("/email-otp/reset-pas
 	else await ctx.context.internalAdapter.updatePassword(user.user.id, passwordHash);
 	if (ctx.context.options.emailAndPassword?.onPasswordReset) await ctx.context.options.emailAndPassword.onPasswordReset({ user: user.user }, ctx.request);
 	if (!user.user.emailVerified) await ctx.context.internalAdapter.updateUser(user.user.id, { emailVerified: true });
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(user.user.id);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(user.user.id);
 	return ctx.json({ success: true });
 });
 const requestEmailChangeEmailOTPBodySchema = z.object({

package/dist/plugins/generic-oauth/index.d.mts

@@ -117,7 +117,7 @@ declare const genericOAuth: (options: GenericOAuthOptions) => {
         };
         scope: "server";
       };
-    }, void>;
+    }, never>;
     oAuth2LinkAccount: better_call0.StrictEndpoint<"/oauth2/link", {
       method: "POST";
       body: zod.ZodObject<{

package/dist/plugins/generic-oauth/index.mjs

@@ -11,7 +11,7 @@ import { okta } from "./providers/okta.mjs";
 import { patreon } from "./providers/patreon.mjs";
 import { slack } from "./providers/slack.mjs";
 import { APIError } from "@better-auth/core/error";
-import { createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
+import { applyDefaultAccessTokenExpiry, createAuthorizationURL, refreshAccessToken, validateAuthorizationCode } from "@better-auth/core/oauth2";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/plugins/generic-oauth/index.ts
 /**
@@ -63,7 +63,7 @@ const genericOAuth = (options) => {
 						});
 					},
 					async validateAuthorizationCode(data) {
-						if (c.getToken) return c.getToken(data);
+						if (c.getToken) return applyDefaultAccessTokenExpiry(await c.getToken(data), c.accessTokenExpiresIn);
 						let finalTokenUrl = c.tokenUrl;
 						if (c.discoveryUrl) {
 							const discovery = await betterFetch(c.discoveryUrl, {
@@ -76,7 +76,7 @@ const genericOAuth = (options) => {
 							}
 						}
 						if (!finalTokenUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND);
-						return validateAuthorizationCode({
+						return applyDefaultAccessTokenExpiry(await validateAuthorizationCode({
 							headers: c.authorizationHeaders,
 							code: data.code,
 							codeVerifier: data.codeVerifier,
@@ -88,7 +88,7 @@ const genericOAuth = (options) => {
 							},
 							tokenEndpoint: finalTokenUrl,
 							authentication: c.authentication
-						});
+						}), c.accessTokenExpiresIn);
 					},
 					async refreshAccessToken(refreshToken) {
 						let finalTokenUrl = c.tokenUrl;
@@ -100,7 +100,7 @@ const genericOAuth = (options) => {
 							if (discovery.data) finalTokenUrl = discovery.data.token_endpoint;
 						}
 						if (!finalTokenUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND);
-						return refreshAccessToken({
+						return applyDefaultAccessTokenExpiry(await refreshAccessToken({
 							refreshToken,
 							options: {
 								clientId: c.clientId,
@@ -108,7 +108,7 @@ const genericOAuth = (options) => {
 							},
 							authentication: c.authentication,
 							tokenEndpoint: finalTokenUrl
-						});
+						}), c.accessTokenExpiresIn);
 					},
 					async getUserInfo(tokens) {
 						const userInfo = c.getUserInfo ? await c.getUserInfo(tokens) : await getUserInfo(tokens, finalUserInfoUrl);

package/dist/plugins/generic-oauth/routes.mjs

@@ -1,14 +1,15 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
-import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
-import { generateState, parseState } from "../../oauth2/state.mjs";
+import { missingEmailLogMessage, redirectOnError } from "../../oauth2/errors.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { generateState, parseState } from "../../oauth2/state.mjs";
 import { sessionMiddleware } from "../../api/routes/session.mjs";
-import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { APIError as APIError$1 } from "../../api/index.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "./error-codes.mjs";
 import { BASE_ERROR_CODES } from "@better-auth/core/error";
-import { createAuthorizationURL, validateAuthorizationCode } from "@better-auth/core/oauth2";
+import { applyDefaultAccessTokenExpiry, createAuthorizationURL, validateAuthorizationCode } from "@better-auth/core/oauth2";
 import { createAuthEndpoint } from "@better-auth/core/api";
 import * as z from "zod";
 import { decodeJwt } from "jose";
@@ -132,7 +133,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 	}
 }, async (ctx) => {
 	const defaultErrorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-	if (ctx.query.error || !ctx.query.code) throw ctx.redirect(`${defaultErrorURL}?error=${encodeURIComponent(ctx.query.error || "oAuth_code_missing")}&error_description=${encodeURIComponent(ctx.query.error_description || "")}`);
+	if (ctx.query.error || !ctx.query.code) redirectOnError(ctx, defaultErrorURL, ctx.query.error || "oAuth_code_missing", ctx.query.error_description || void 0);
 	const providerId = ctx.params?.providerId;
 	if (!providerId) throw APIError$1.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.PROVIDER_ID_REQUIRED);
 	const providerConfig = options.config.find((p) => p.providerId === providerId);
@@ -140,13 +141,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 	let tokens = void 0;
 	const { callbackURL, codeVerifier, errorURL, requestSignUp, newUserURL, link } = await parseState(ctx);
 	const code = ctx.query.code;
-	function redirectOnError(error) {
-		const defaultErrorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
-		let url = errorURL || defaultErrorURL;
-		if (url.includes("?")) url = `${url}&error=${encodeURIComponent(error)}`;
-		else url = `${url}?error=${encodeURIComponent(error)}`;
-		throw ctx.redirect(url);
-	}
+	const resolvedErrorURL = errorURL || defaultErrorURL;
 	let finalTokenUrl = providerConfig.tokenUrl;
 	let finalUserInfoUrl = providerConfig.userInfoUrl;
 	let expectedIssuer = providerConfig.issuer;
@@ -168,11 +163,11 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 					expected: expectedIssuer,
 					received: ctx.query.iss
 				});
-				return redirectOnError("issuer_mismatch");
+				redirectOnError(ctx, resolvedErrorURL, "issuer_mismatch");
 			}
 		} else if (providerConfig.requireIssuerValidation) {
 			ctx.context.logger.error("OAuth issuer parameter missing", { expected: expectedIssuer });
-			return redirectOnError("issuer_missing");
+			redirectOnError(ctx, resolvedErrorURL, "issuer_missing");
 		}
 	}
 	try {
@@ -199,25 +194,26 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 				additionalParams
 			});
 		}
+		tokens = applyDefaultAccessTokenExpiry(tokens, providerConfig.accessTokenExpiresIn);
 	} catch (e) {
 		ctx.context.logger.error(e && typeof e === "object" && "name" in e ? e.name : "", e);
-		throw redirectOnError("oauth_code_verification_failed");
+		redirectOnError(ctx, resolvedErrorURL, "oauth_code_verification_failed");
 	}
 	if (!tokens) throw APIError$1.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.INVALID_OAUTH_CONFIG);
 	const userInfo = await (async function handleUserInfo() {
 		const userInfo = providerConfig.getUserInfo ? await providerConfig.getUserInfo(tokens) : await getUserInfo(tokens, finalUserInfoUrl);
-		if (!userInfo) throw redirectOnError("user_info_is_missing");
+		if (!userInfo) redirectOnError(ctx, resolvedErrorURL, "user_info_is_missing");
 		const mapUser = providerConfig.mapProfileToUser ? await providerConfig.mapProfileToUser(userInfo) : userInfo;
 		const email = mapUser.email ? mapUser.email.toLowerCase() : userInfo.email?.toLowerCase();
 		if (!email) {
 			ctx.context.logger.error(missingEmailLogMessage(providerConfig.providerId, { source: "generic" }), userInfo);
-			throw redirectOnError("email_is_missing");
+			redirectOnError(ctx, resolvedErrorURL, "email_is_missing");
 		}
 		const id = mapUser.id ? String(mapUser.id) : String(userInfo.id);
 		const name = mapUser.name ? mapUser.name : userInfo.name;
 		if (!name) {
 			ctx.context.logger.error("Unable to get user info", userInfo);
-			throw redirectOnError("name_is_missing");
+			redirectOnError(ctx, resolvedErrorURL, "name_is_missing");
 		}
 		return {
 			...userInfo,
@@ -228,10 +224,10 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 		};
 	})();
 	if (link) {
-		if (ctx.context.options.account?.accountLinking?.allowDifferentEmails !== true && link.email.toLowerCase() !== userInfo.email.toLowerCase()) return redirectOnError("email_doesn't_match");
+		if (ctx.context.options.account?.accountLinking?.allowDifferentEmails !== true && link.email.toLowerCase() !== userInfo.email.toLowerCase()) redirectOnError(ctx, resolvedErrorURL, "email_doesn't_match");
 		const existingAccount = await ctx.context.internalAdapter.findAccountByProviderId(String(userInfo.id), providerConfig.providerId);
 		if (existingAccount) {
-			if (existingAccount.userId !== link.userId) return redirectOnError("account_already_linked_to_different_user");
+			if (existingAccount.userId !== link.userId) redirectOnError(ctx, resolvedErrorURL, "account_already_linked_to_different_user");
 			const updateData = Object.fromEntries(Object.entries({
 				accessToken: await setTokenUtil(tokens.accessToken, ctx.context),
 				idToken: tokens.idToken,
@@ -251,7 +247,8 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 			scope: tokens.scopes?.join(","),
 			refreshToken: await setTokenUtil(tokens.refreshToken, ctx.context),
 			idToken: tokens.idToken
-		})) return redirectOnError("unable_to_link_account");
+		})) redirectOnError(ctx, resolvedErrorURL, "unable_to_link_account");
+		await applyUpdateUserInfoOnLink(ctx, link.userId, userInfo);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();
@@ -260,19 +257,25 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 		}
 		throw ctx.redirect(toRedirectTo);
 	}
-	const result = await handleOAuthUserInfo(ctx, {
-		userInfo,
-		account: {
-			providerId: providerConfig.providerId,
-			accountId: userInfo.id,
-			...tokens,
-			scope: tokens.scopes?.join(",")
-		},
-		callbackURL,
-		disableSignUp: providerConfig.disableImplicitSignUp && !requestSignUp || providerConfig.disableSignUp,
-		overrideUserInfo: providerConfig.overrideUserInfo
-	});
-	if (result.error) return redirectOnError(result.error.split(" ").join("_"));
+	let result;
+	try {
+		result = await handleOAuthUserInfo(ctx, {
+			userInfo,
+			account: {
+				providerId: providerConfig.providerId,
+				accountId: userInfo.id,
+				...tokens,
+				scope: tokens.scopes?.join(",")
+			},
+			callbackURL,
+			disableSignUp: providerConfig.disableImplicitSignUp && !requestSignUp || providerConfig.disableSignUp,
+			overrideUserInfo: providerConfig.overrideUserInfo
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) redirectOnError(ctx, resolvedErrorURL, e.body.code, e.body.message);
+		throw e;
+	}
+	if (result.error) redirectOnError(ctx, resolvedErrorURL, result.error.split(" ").join("_"));
 	const { session, user } = result.data;
 	await setSessionCookie(ctx, {
 		session,

package/dist/plugins/generic-oauth/types.d.mts

@@ -87,6 +87,13 @@ interface GenericOAuthConfig {
    * Use "offline" to request a refresh token.
    */
   accessType?: string | undefined;
+  /**
+   * Fallback access-token lifetime, in seconds, used only when the provider's
+   * token response omits `expires_in`. Set this so `getAccessToken` can track
+   * expiry and refresh the token; leave unset if the provider returns
+   * `expires_in`.
+   */
+  accessTokenExpiresIn?: number | undefined;
   /**
    * Custom function to exchange authorization code for tokens.
    * If provided, this function will be used instead of the default token exchange logic.

package/dist/plugins/last-login-method/client.mjs

@@ -1,9 +1,9 @@
+import { parseCookies } from "../../cookies/cookie-utils.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 //#region src/plugins/last-login-method/client.ts
 function getCookieValue(name) {
 	if (typeof document === "undefined") return null;
-	const cookie = document.cookie.split("; ").find((row) => row.startsWith(`${name}=`));
-	return cookie ? cookie.split("=")[1] : null;
+	return parseCookies(document.cookie).get(name) ?? null;
 }
 /**
 * Client-side plugin to retrieve the last used login method

package/dist/plugins/magic-link/index.mjs

@@ -121,7 +121,6 @@ const magicLink = (options) => {
 				const storedToken = await storeToken(ctx, token);
 				const tokenValue = await ctx.context.internalAdapter.consumeVerificationValue(storedToken);
 				if (!tokenValue) redirectWithError("INVALID_TOKEN");
-				if (tokenValue.expiresAt < /* @__PURE__ */ new Date()) redirectWithError("EXPIRED_TOKEN");
 				const { email, name } = JSON.parse(tokenValue.value);
 				let isNewUser = false;
 				let user = await ctx.context.internalAdapter.findUserByEmail(email).then((res) => res?.user);

package/dist/plugins/mcp/index.mjs

@@ -14,6 +14,7 @@ import { oidcProvider } from "../oidc-provider/index.mjs";
 import { authorizeMCPOAuth } from "./authorize.mjs";
 import { isProduction, logger } from "@better-auth/core/env";
 import { safeJSONParse } from "@better-auth/core/utils/json";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
@@ -86,7 +87,7 @@ const getMCPProtectedResourceMetadata = (ctx, options) => {
 	};
 };
 const registerMcpClientBodySchema = z.object({
-	redirect_uris: z.array(z.string()),
+	redirect_uris: z.array(z.string().refine(isSafeUrlScheme, { message: "redirect_uri cannot use a javascript:, data:, or vbscript: scheme" })),
 	token_endpoint_auth_method: z.enum([
 		"none",
 		"client_secret_basic",
@@ -372,10 +373,6 @@ const mcp = (options) => {
 					error_description: "invalid code",
 					error: "invalid_grant"
 				});
-				if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-					error_description: "code expired",
-					error: "invalid_grant"
-				});
 				if (!client_id) throw new APIError("UNAUTHORIZED", {
 					error_description: "client_id is required",
 					error: "invalid_client"

package/dist/plugins/multi-session/index.mjs

@@ -1,6 +1,6 @@
 import { parseSessionOutput, parseUserOutput } from "../../db/schema.mjs";
-import { SECURE_COOKIE_PREFIX, parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
-import { deleteSessionCookie, expireCookie, parseCookies, setSessionCookie } from "../../cookies/index.mjs";
+import { SECURE_COOKIE_PREFIX, parseCookies, parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
+import { deleteSessionCookie, expireCookie, setSessionCookie } from "../../cookies/index.mjs";
 import { sessionMiddleware } from "../../api/routes/session.mjs";
 import { APIError } from "../../api/index.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";

package/dist/plugins/oauth-proxy/index.mjs

@@ -1,13 +1,15 @@
+import { isAPIError } from "../../utils/is-api-error.mjs";
 import { getOrigin } from "../../utils/url.mjs";
 import { originCheck } from "../../api/middlewares/origin-check.mjs";
 import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
-import { parseGenericState } from "../../state.mjs";
+import { redirectOnError } from "../../oauth2/errors.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { parseGenericState } from "../../state.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { parseJSON } from "../../client/parser.mjs";
-import { checkSkipProxy, redirectOnError, resolveCurrentURL, stripTrailingSlash } from "./utils.mjs";
+import { checkSkipProxy, resolveCurrentURL, stripTrailingSlash } from "./utils.mjs";
 import { defu } from "defu";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import * as z from "zod";
@@ -90,18 +92,28 @@ const oAuthProxy = (opts) => {
 				throw redirectOnError(ctx, errorURL, "payload_expired");
 			}
 			try {
-				await parseGenericState(ctx, payload.state);
+				await parseGenericState(ctx, payload.state, { skipStateCookieCheck: true });
 			} catch (e) {
 				ctx.context.logger.warn("Failed to clean up OAuth state", e);
 			}
-			const result = await handleOAuthUserInfo(ctx, {
-				userInfo: payload.userInfo,
-				account: payload.account,
-				callbackURL: payload.callbackURL,
-				disableSignUp: payload.disableSignUp
-			});
-			if (result.error || !result.data) {
-				ctx.context.logger.error("Failed to create user or session", result.error);
+			let result;
+			try {
+				result = await handleOAuthUserInfo(ctx, {
+					userInfo: payload.userInfo,
+					account: payload.account,
+					callbackURL: payload.callbackURL,
+					disableSignUp: payload.disableSignUp
+				});
+			} catch (e) {
+				if (isAPIError(e) && e.body?.code) throw redirectOnError(ctx, errorURL, e.body.code, e.body.message);
+				throw e;
+			}
+			if (result.error) {
+				ctx.context.logger.error("OAuth proxy callback error", result.error);
+				throw redirectOnError(ctx, errorURL, result.error.split(" ").join("_"));
+			}
+			if (!result.data) {
+				ctx.context.logger.error("OAuth proxy callback missing session data");
 				throw redirectOnError(ctx, errorURL, "user_creation_failed");
 			}
 			await setSessionCookie(ctx, result.data);
@@ -141,6 +153,7 @@ const oAuthProxy = (opts) => {
 							data: state
 						}));
 					} catch {
+						ctx.context.logger.debug("OAuth proxy: could not decrypt state package, falling back to regular callback");
 						return;
 					}
 					if (!statePackage.isOAuthProxy || !statePackage.state || !statePackage.stateCookie) {
@@ -248,29 +261,29 @@ const oAuthProxy = (opts) => {
 					const oauthURL = new URL(providerURL);
 					const originalState = oauthURL.searchParams.get("state");
 					if (!originalState) return;
-					let stateCookieValue;
-					if (ctx.context.oauthConfig.storeStateStrategy === "cookie") {
-						const setCookieHeader = ctx.context.responseHeaders?.get("set-cookie");
-						if (setCookieHeader) {
-							const parsedCookies = parseSetCookieHeader(setCookieHeader);
-							const stateCookie = ctx.context.createAuthCookie("oauth_state");
-							stateCookieValue = parsedCookies.get(stateCookie.name)?.value;
-						}
-					} else {
-						const verification = await ctx.context.internalAdapter.findVerificationValue(originalState);
-						if (verification) stateCookieValue = await symmetricEncrypt({
-							key: getEncryptionKey(ctx),
-							data: verification.value
-						});
-					}
-					if (!stateCookieValue) {
-						ctx.context.logger.warn("No OAuth state cookie value found");
-						return;
-					}
 					try {
+						let plaintextState;
+						if (ctx.context.oauthConfig.storeStateStrategy === "cookie") {
+							const setCookieHeader = ctx.context.responseHeaders?.get("set-cookie");
+							if (setCookieHeader) {
+								const oauthStateCookie = ctx.context.createAuthCookie("oauth_state");
+								const encryptedCookieValue = parseSetCookieHeader(setCookieHeader).get(oauthStateCookie.name)?.value;
+								if (encryptedCookieValue) plaintextState = await symmetricDecrypt({
+									key: ctx.context.secretConfig,
+									data: encryptedCookieValue
+								});
+							}
+						} else plaintextState = (await ctx.context.internalAdapter.findVerificationValue(originalState))?.value;
+						if (!plaintextState) {
+							ctx.context.logger.warn("No OAuth state found for proxy");
+							return;
+						}
 						const statePackage = {
 							state: originalState,
-							stateCookie: stateCookieValue,
+							stateCookie: await symmetricEncrypt({
+								key: getEncryptionKey(ctx),
+								data: plaintextState
+							}),
 							isOAuthProxy: true
 						};
 						const encryptedPackage = await symmetricEncrypt({
@@ -283,7 +296,7 @@ const oAuthProxy = (opts) => {
 							url: oauthURL.toString()
 						};
 					} catch (e) {
-						ctx.context.logger.error("Failed to encrypt OAuth proxy state package:", e);
+						ctx.context.logger.error("Failed to prepare OAuth proxy state:", e);
 					}
 				})
 			}, {

package/dist/plugins/oauth-proxy/utils.mjs

@@ -1,4 +1,4 @@
-import { getOrigin } from "../../utils/url.mjs";
+import { getOrigin, trimTrailingSlashes } from "../../utils/url.mjs";
 import { env } from "@better-auth/core/env";
 //#region src/plugins/oauth-proxy/utils.ts
 /**
@@ -6,7 +6,7 @@ import { env } from "@better-auth/core/env";
 */
 function stripTrailingSlash(url) {
 	if (!url) return "";
-	return url.replace(/\/+$/, "");
+	return trimTrailingSlashes(url);
 }
 /**
 * Get base URL from vendor-specific environment variables
@@ -37,12 +37,5 @@ function checkSkipProxy(ctx, opts) {
 	if (!currentURL) return false;
 	return getOrigin(productionURL) === getOrigin(currentURL);
 }
-/**
-* Redirect to error URL with error code
-*/
-function redirectOnError(ctx, errorURL, error) {
-	const sep = errorURL.includes("?") ? "&" : "?";
-	throw ctx.redirect(`${errorURL}${sep}error=${error}`);
-}
 //#endregion
-export { checkSkipProxy, redirectOnError, resolveCurrentURL, stripTrailingSlash };
+export { checkSkipProxy, resolveCurrentURL, stripTrailingSlash };

package/dist/plugins/oidc-provider/index.mjs

@@ -15,6 +15,7 @@ import { authorize } from "./authorize.mjs";
 import { schema } from "./schema.mjs";
 import { defaultClientSecretHasher } from "./utils.mjs";
 import { getCurrentAuthContext } from "@better-auth/core/context";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import { deprecate } from "@better-auth/core/utils/deprecate";
 import * as z from "zod";
@@ -101,7 +102,7 @@ const oAuthConsentBodySchema = z.object({
 });
 const oAuth2TokenBodySchema = z.record(z.any(), z.any());
 const registerOAuthApplicationBodySchema = z.object({
-	redirect_uris: z.array(z.string()).meta({ description: "A list of redirect URIs. Eg: [\"https://client.example.com/callback\"]" }),
+	redirect_uris: z.array(z.string().refine(isSafeUrlScheme, { message: "redirect_uri cannot use a javascript:, data:, or vbscript: scheme" })).meta({ description: "A list of redirect URIs. Eg: [\"https://client.example.com/callback\"]" }),
 	token_endpoint_auth_method: z.enum([
 		"none",
 		"client_secret_basic",
@@ -499,10 +500,6 @@ const oidcProvider = (options) => {
 					error_description: "invalid code",
 					error: "invalid_grant"
 				});
-				if (verificationValue.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-					error_description: "code expired",
-					error: "invalid_grant"
-				});
 				if (!client_id) throw new APIError("UNAUTHORIZED", {
 					error_description: "client_id is required",
 					error: "invalid_client"

package/dist/plugins/one-tap/client.mjs

@@ -1,4 +1,5 @@
 import { PACKAGE_VERSION } from "../../version.mjs";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 //#region src/plugins/one-tap/client.ts
 let isRequestInProgress = false;
 function isFedCMSupported() {
@@ -49,7 +50,10 @@ const oneTapClient = (options) => {
 							...opts?.fetchOptions,
 							...fetchOptions
 						});
-						if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) window.location.href = opts?.callbackURL ?? "/";
+						if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
+							const target = opts?.callbackURL ?? "/";
+							if (isSafeUrlScheme(target)) window.location.href = target;
+						}
 					}
 					const { autoSelect, cancelOnTapOutside, context } = opts ?? {};
 					const contextValue = context ?? options.context ?? "signin";
@@ -82,7 +86,10 @@ const oneTapClient = (options) => {
 						...opts?.fetchOptions,
 						...fetchOptions
 					});
-					if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) window.location.href = opts?.callbackURL ?? "/";
+					if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
+						const target = opts?.callbackURL ?? "/";
+						if (isSafeUrlScheme(target)) window.location.href = target;
+					}
 				}
 				const { autoSelect, cancelOnTapOutside, context } = opts ?? {};
 				const contextValue = context ?? options.context ?? "signin";

package/dist/plugins/one-tap/index.mjs

@@ -1,5 +1,6 @@
 import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { APIError } from "../../api/index.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { toBoolean } from "../../utils/boolean.mjs";
@@ -47,51 +48,27 @@ const oneTap = (options) => ({
 		}
 		const { email: rawEmail, email_verified, name, picture, sub } = payload;
 		if (!rawEmail) return ctx.json({ error: "Email not available in token" });
-		const email = rawEmail.toLowerCase();
-		const user = await ctx.context.internalAdapter.findUserByEmail(email);
-		if (!user) {
-			if (options?.disableSignup) throw new APIError("BAD_GATEWAY", { message: "User not found" });
-			const newUser = await ctx.context.internalAdapter.createOAuthUser({
-				email,
+		const result = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				id: sub,
+				email: rawEmail.toLowerCase(),
 				emailVerified: typeof email_verified === "boolean" ? email_verified : toBoolean(email_verified),
-				name,
+				name: name ?? "",
 				image: picture
-			}, {
-				providerId: "google",
-				accountId: sub
-			});
-			if (!newUser) throw new APIError("INTERNAL_SERVER_ERROR", { message: "Could not create user" });
-			const session = await ctx.context.internalAdapter.createSession(newUser.user.id);
-			await setSessionCookie(ctx, {
-				user: newUser.user,
-				session
-			});
-			return ctx.json({
-				token: session.token,
-				user: parseUserOutput(ctx.context.options, newUser.user)
-			});
-		}
-		if (!await ctx.context.internalAdapter.findAccount(sub)) {
-			const accountLinking = ctx.context.options.account?.accountLinking;
-			const providerEmailVerified = typeof email_verified === "boolean" ? email_verified : toBoolean(email_verified);
-			const requireLocalEmailVerified = accountLinking?.requireLocalEmailVerified ?? true;
-			if (accountLinking?.enabled !== false && accountLinking?.disableImplicitLinking !== true && (!requireLocalEmailVerified || user.user.emailVerified) && (ctx.context.trustedProviders.includes("google") || providerEmailVerified)) await ctx.context.internalAdapter.linkAccount({
-				userId: user.user.id,
+			},
+			account: {
 				providerId: "google",
 				accountId: sub,
-				scope: "openid,profile,email",
-				idToken
-			});
-			else throw new APIError("UNAUTHORIZED", { message: "Google identity cannot be linked: implicit account-linking is disabled, the local email is not verified, or the Google email_verified claim is false and Google is not a trusted provider" });
-		}
-		const session = await ctx.context.internalAdapter.createSession(user.user.id);
-		await setSessionCookie(ctx, {
-			user: user.user,
-			session
+				idToken,
+				scope: "openid,profile,email"
+			},
+			disableSignUp: options?.disableSignup
 		});
+		if (result.error) throw new APIError("UNAUTHORIZED", { message: result.error });
+		await setSessionCookie(ctx, result.data);
 		return ctx.json({
-			token: session.token,
-			user: parseUserOutput(ctx.context.options, user.user)
+			token: result.data.session.token,
+			user: parseUserOutput(ctx.context.options, result.data.user)
 		});
 	}) },
 	options