better-auth 1.6.12 → 1.6.13

package/dist/api/index.d.mts

@@ -1931,29 +1931,6 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -2003,6 +1980,8 @@ declare function getEndpoints<Option extends BetterAuthOptions>(ctx: Awaitable<A
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;
@@ -3922,29 +3901,6 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -3994,6 +3950,8 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;

package/dist/api/routes/account.d.mts

@@ -328,29 +328,6 @@ declare const refreshToken: better_call0.StrictEndpoint<"/refresh-token", {
 }>;
 declare const accountInfo: better_call0.StrictEndpoint<"/account-info", {
   method: "GET";
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-    session: {
-      session: Record<string, any> & {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        userId: string;
-        expiresAt: Date;
-        token: string;
-        ipAddress?: string | null | undefined;
-        userAgent?: string | null | undefined;
-      };
-      user: Record<string, any> & {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-      };
-    };
-  }>)[];
   metadata: {
     openapi: {
       description: string;
@@ -400,6 +377,8 @@ declare const accountInfo: better_call0.StrictEndpoint<"/account-info", {
   };
   query: z.ZodOptional<z.ZodObject<{
     accountId: z.ZodOptional<z.ZodString>;
+    providerId: z.ZodOptional<z.ZodString>;
+    userId: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>>;
 }, {
   user: _better_auth_core_oauth20.OAuth2UserInfo;

package/dist/api/routes/account.mjs

@@ -2,8 +2,9 @@ import { parseAccountOutput } from "../../db/schema.mjs";
 import { getAccountCookie, setAccountCookie } from "../../cookies/session-store.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
-import { generateState } from "../../oauth2/state.mjs";
 import { decryptOAuthToken, setTokenUtil } from "../../oauth2/utils.mjs";
+import { applyUpdateUserInfoOnLink } from "../../oauth2/link-account.mjs";
+import { generateState } from "../../oauth2/state.mjs";
 import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";
@@ -166,14 +167,7 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 				code: "LINKING_FAILED"
 			});
 		}
-		if (c.context.options.account?.accountLinking?.updateUserInfoOnLink === true) try {
-			await c.context.internalAdapter.updateUser(session.user.id, {
-				name: linkingUserInfo.user?.name,
-				image: linkingUserInfo.user?.image
-			});
-		} catch (e) {
-			console.warn("Could not update user - " + e.toString());
-		}
+		await applyUpdateUserInfoOnLink(c, session.user.id, linkingUserInfo.user);
 		return c.json({
 			url: "",
 			status: true,
@@ -222,50 +216,44 @@ const unlinkAccount = createAuthEndpoint("/unlink-account", {
 	await ctx.context.internalAdapter.deleteAccount(accountExist.id);
 	return ctx.json({ status: true });
 });
-const getAccessToken = createAuthEndpoint("/get-access-token", {
-	method: "POST",
-	body: z.object({
-		providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
-		accountId: z.string().meta({ description: "The account ID associated with the refresh token" }).optional(),
-		userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
-	}),
-	metadata: { openapi: {
-		description: "Get a valid access token, doing a refresh if needed",
-		responses: {
-			200: {
-				description: "A Valid access token",
-				content: { "application/json": { schema: {
-					type: "object",
-					properties: {
-						tokenType: { type: "string" },
-						idToken: { type: "string" },
-						accessToken: { type: "string" },
-						accessTokenExpiresAt: {
-							type: "string",
-							format: "date-time"
-						}
-					}
-				} } }
-			},
-			400: { description: "Invalid refresh token or provider configuration" }
-		}
-	} }
-}, async (ctx) => {
-	const { providerId, accountId, userId } = ctx.body || {};
-	const req = ctx.request;
+/**
+* Resolves the user id an account-token operation should act on.
+*
+* A caller reaching the server over HTTP (a request or session headers are
+* present) must have a valid session, and that session's user always wins.
+* A trusted server-side `auth.api` caller with no session may instead name a
+* `userId` directly. Throws `UNAUTHORIZED` when an HTTP caller is
+* unauthenticated, and `USER_ID_OR_SESSION_REQUIRED` when neither a session
+* nor a `userId` is available.
+*/
+async function resolveUserId(ctx, userId) {
 	const session = await getSessionFromCtx(ctx);
-	if (req && !session) throw ctx.error("UNAUTHORIZED");
+	if (!session && (ctx.request || ctx.headers)) throw ctx.error("UNAUTHORIZED");
 	const resolvedUserId = session?.user?.id || userId;
-	if (!resolvedUserId) throw ctx.error("UNAUTHORIZED");
+	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
+		message: "Either userId or session is required",
+		code: "USER_ID_OR_SESSION_REQUIRED"
+	});
+	return resolvedUserId;
+}
+/**
+* Fetches a currently-valid access token for a user's provider account,
+* refreshing and persisting it when it is within five seconds of expiry.
+* Shared by the `/get-access-token` endpoint and `/account-info` so both
+* resolve and refresh tokens through one path.
+*/
+async function getValidAccessToken(ctx, { resolvedUserId, providerId, accountId, account: resolvedAccount }) {
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: `Provider ${providerId} is not supported.`,
 		code: "PROVIDER_NOT_SUPPORTED"
 	});
-	const accountData = await getAccountCookie(ctx);
-	let account = void 0;
-	if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
-	else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
+	let account = resolvedAccount;
+	if (!account) {
+		const accountData = await getAccountCookie(ctx);
+		if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
+		else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
+	}
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	try {
 		let newTokens = null;
@@ -297,19 +285,55 @@ const getAccessToken = createAuthEndpoint("/get-access-token", {
 				return account.accessTokenExpiresAt;
 			}
 		})();
-		const tokens = {
+		return {
 			accessToken: newTokens?.accessToken ?? await decryptOAuthToken(account.accessToken ?? "", ctx.context),
 			accessTokenExpiresAt,
 			scopes: account.scope?.split(",") ?? [],
 			idToken: newTokens?.idToken ?? account.idToken ?? void 0
 		};
-		return ctx.json(tokens);
 	} catch (_error) {
 		throw APIError.from("BAD_REQUEST", {
 			message: "Failed to get a valid access token",
 			code: "FAILED_TO_GET_ACCESS_TOKEN"
 		});
 	}
+}
+const getAccessToken = createAuthEndpoint("/get-access-token", {
+	method: "POST",
+	body: z.object({
+		providerId: z.string().meta({ description: "The provider ID for the OAuth provider" }),
+		accountId: z.string().meta({ description: "The account ID associated with the refresh token" }).optional(),
+		userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
+	}),
+	metadata: { openapi: {
+		description: "Get a valid access token, doing a refresh if needed",
+		responses: {
+			200: {
+				description: "A Valid access token",
+				content: { "application/json": { schema: {
+					type: "object",
+					properties: {
+						tokenType: { type: "string" },
+						idToken: { type: "string" },
+						accessToken: { type: "string" },
+						accessTokenExpiresAt: {
+							type: "string",
+							format: "date-time"
+						}
+					}
+				} } }
+			},
+			400: { description: "Invalid refresh token or provider configuration" }
+		}
+	} }
+}, async (ctx) => {
+	const { providerId, accountId, userId } = ctx.body || {};
+	const tokens = await getValidAccessToken(ctx, {
+		resolvedUserId: await resolveUserId(ctx, userId),
+		providerId,
+		accountId
+	});
+	return ctx.json(tokens);
 });
 const refreshToken = createAuthEndpoint("/refresh-token", {
 	method: "POST",
@@ -346,14 +370,7 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	} }
 }, async (ctx) => {
 	const { providerId, accountId, userId } = ctx.body;
-	const req = ctx.request;
-	const session = await getSessionFromCtx(ctx);
-	if (req && !session) throw ctx.error("UNAUTHORIZED");
-	const resolvedUserId = session?.user?.id || userId;
-	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
-		message: `Either userId or session is required`,
-		code: "USER_ID_OR_SESSION_REQUIRED"
-	});
+	const resolvedUserId = await resolveUserId(ctx, userId);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: `Provider ${providerId} is not supported.`,
@@ -418,10 +435,13 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 		});
 	}
 });
-const accountInfoQuerySchema = z.optional(z.object({ accountId: z.string().meta({ description: "The provider given account id for which to get the account info" }).optional() }));
+const accountInfoQuerySchema = z.optional(z.object({
+	accountId: z.string().meta({ description: "The provider given account id for which to get the account info" }).optional(),
+	providerId: z.string().meta({ description: "The provider ID to disambiguate provider-issued account IDs" }).optional(),
+	userId: z.string().meta({ description: "The user ID associated with the account" }).optional()
+}));
 const accountInfo = createAuthEndpoint("/account-info", {
 	method: "GET",
-	use: [sessionMiddleware],
 	metadata: { openapi: {
 		description: "Get the account info provided by the provider",
 		responses: { "200": {
@@ -453,7 +473,8 @@ const accountInfo = createAuthEndpoint("/account-info", {
 	} },
 	query: accountInfoQuerySchema
 }, async (ctx) => {
-	const providedAccountId = ctx.query?.accountId;
+	const { accountId: providedAccountId, providerId: providedProviderId, userId } = ctx.query || {};
+	const resolvedUserId = await resolveUserId(ctx, userId);
 	let account = void 0;
 	if (!providedAccountId) {
 		if (ctx.context.options.account?.storeAccountCookie) {
@@ -461,24 +482,24 @@ const accountInfo = createAuthEndpoint("/account-info", {
 			if (accountData) account = accountData;
 		}
 	} else {
-		const accountData = await ctx.context.internalAdapter.findAccount(providedAccountId);
-		if (accountData) account = accountData;
+		const matchingAccounts = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).filter((acc) => acc.accountId === providedAccountId && (!providedProviderId || acc.providerId === providedProviderId));
+		if (matchingAccounts.length > 1) throw APIError.from("BAD_REQUEST", {
+			message: "Multiple accounts share this account ID. Pass a providerId to disambiguate.",
+			code: "AMBIGUOUS_ACCOUNT"
+		});
+		account = matchingAccounts[0];
 	}
-	if (!account || account.userId !== ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
+	if (!account || account.userId !== resolvedUserId) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: account.providerId });
-	if (!provider) throw APIError.from("INTERNAL_SERVER_ERROR", {
-		message: `Provider account provider is ${account.providerId} but it is not configured`,
+	if (!provider) throw APIError.from("BAD_REQUEST", {
+		message: "Account is not associated with a configured social provider.",
 		code: "PROVIDER_NOT_CONFIGURED"
 	});
-	const tokens = await getAccessToken({
-		...ctx,
-		method: "POST",
-		body: {
-			accountId: account.accountId,
-			providerId: account.providerId
-		},
-		returnHeaders: false,
-		returnStatus: false
+	const tokens = await getValidAccessToken(ctx, {
+		resolvedUserId,
+		providerId: account.providerId,
+		accountId: account.accountId,
+		account
 	});
 	if (!tokens.accessToken) throw APIError.from("BAD_REQUEST", {
 		message: "Access token not found",

package/dist/api/routes/callback.mjs

@@ -2,9 +2,9 @@ import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { missingEmailLogMessage, redirectOnError } from "../../oauth2/errors.mjs";
-import { parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
-import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { parseState } from "../../oauth2/state.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 import { createAuthEndpoint } from "@better-auth/core/api";
@@ -117,6 +117,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 			refreshToken: await setTokenUtil(tokens.refreshToken, c.context),
 			scope: tokens.scopes?.join(",")
 		})) redirectOnError(c, resolvedErrorURL, "unable_to_link_account");
+		await applyUpdateUserInfoOnLink(c, link.userId, userInfo);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();

package/dist/api/routes/password.mjs

@@ -161,7 +161,7 @@ const resetPassword = createAuthEndpoint("/reset-password", {
 		const user = await ctx.context.internalAdapter.findUserById(userId);
 		if (user) await ctx.context.options.emailAndPassword.onPasswordReset({ user }, ctx.request);
 	}
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(userId);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(userId);
 	return ctx.json({ status: true });
 });
 const verifyPassword = createAuthEndpoint("/verify-password", {

package/dist/api/routes/session.mjs

@@ -445,7 +445,7 @@ const revokeSessions = createAuthEndpoint("/revoke-sessions", {
 	} }
 }, async (ctx) => {
 	try {
-		await ctx.context.internalAdapter.deleteSessions(ctx.context.session.user.id);
+		await ctx.context.internalAdapter.deleteUserSessions(ctx.context.session.user.id);
 	} catch (error) {
 		ctx.context.logger.error(error && typeof error === "object" && "name" in error ? error.name : "", error);
 		throw APIError.from("INTERNAL_SERVER_ERROR", {

package/dist/api/routes/sign-in.mjs

@@ -3,8 +3,8 @@ import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
-import { generateState } from "../../oauth2/state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { generateState } from "../../oauth2/state.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";

package/dist/api/routes/update-user.mjs

@@ -168,7 +168,7 @@ const changePassword = createAuthEndpoint("/change-password", {
 	await ctx.context.internalAdapter.updateAccount(account.id, { password: passwordHash });
 	let token = null;
 	if (revokeOtherSessions) {
-		await ctx.context.internalAdapter.deleteSessions(session.user.id);
+		await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 		const newSession = await ctx.context.internalAdapter.createSession(session.user.id);
 		if (!newSession) throw APIError.from("INTERNAL_SERVER_ERROR", BASE_ERROR_CODES.FAILED_TO_GET_SESSION);
 		await setSessionCookie(ctx, {
@@ -309,7 +309,7 @@ const deleteUser = createAuthEndpoint("/delete-user", {
 	const beforeDelete = ctx.context.options.user.deleteUser?.beforeDelete;
 	if (beforeDelete) await beforeDelete(session.user, ctx.request);
 	await ctx.context.internalAdapter.deleteUser(session.user.id);
-	await ctx.context.internalAdapter.deleteSessions(session.user.id);
+	await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 	deleteSessionCookie(ctx);
 	const afterDelete = ctx.context.options.user.deleteUser?.afterDelete;
 	if (afterDelete) await afterDelete(session.user, ctx.request);
@@ -362,7 +362,7 @@ const deleteUserCallback = createAuthEndpoint("/delete-user/callback", {
 	const beforeDelete = ctx.context.options.user.deleteUser?.beforeDelete;
 	if (beforeDelete) await beforeDelete(session.user, ctx.request);
 	await ctx.context.internalAdapter.deleteUser(session.user.id);
-	await ctx.context.internalAdapter.deleteSessions(session.user.id);
+	await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 	await ctx.context.internalAdapter.deleteAccounts(session.user.id);
 	await ctx.context.internalAdapter.deleteVerificationByIdentifier(`delete-account-${ctx.query.token}`);
 	deleteSessionCookie(ctx);

package/dist/client/fetch-plugins.mjs

@@ -1,9 +1,10 @@
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 //#region src/client/fetch-plugins.ts
 const redirectPlugin = {
 	id: "redirect",
 	name: "Redirect",
 	hooks: { onSuccess(context) {
-		if (context.data?.url && context.data?.redirect) {
+		if (context.data?.url && context.data?.redirect && isSafeUrlScheme(context.data.url)) {
 			if (typeof window !== "undefined" && window.location) {
 				if (window.location) try {
 					window.location.href = context.data.url;

package/dist/context/create-context.mjs

@@ -42,18 +42,14 @@ function validateSecret(secret, logger) {
 	if (estimateEntropy(secret) < 120) logger.warn("[better-auth] Warning: your BETTER_AUTH_SECRET appears low-entropy. Use a randomly generated secret for production.");
 }
 async function createAuthContext(adapter, options, getDatabaseType) {
-	if (!options.database) options = defu$1(options, {
-		session: { cookieCache: {
-			enabled: true,
-			strategy: "jwe",
-			refreshCache: true,
-			maxAge: options.session?.expiresIn || 3600 * 24 * 7
-		} },
-		account: {
-			storeStateStrategy: "cookie",
-			storeAccountCookie: true
-		}
-	});
+	const isStateful = !!options.database || !!options.secondaryStorage;
+	if (!isStateful) options = defu$1(options, { session: { cookieCache: {
+		enabled: true,
+		strategy: "jwe",
+		refreshCache: true,
+		maxAge: options.session?.expiresIn || 3600 * 24 * 7
+	} } });
+	if (!options.database) options = defu$1(options, { account: { storeAccountCookie: true } });
 	const plugins = options.plugins || [];
 	const internalPlugins = getInternalPlugins(options);
 	const logger = createLogger(options.logger);
@@ -130,7 +126,7 @@ Most of the features of Better Auth will not work correctly.`);
 		socialProviders: providers,
 		options,
 		oauthConfig: {
-			storeStateStrategy: options.account?.storeStateStrategy || (options.database ? "database" : "cookie"),
+			storeStateStrategy: options.account?.storeStateStrategy || (isStateful ? "database" : "cookie"),
 			skipStateCookieCheck: !!options.account?.skipStateCookieCheck
 		},
 		tables,
@@ -146,7 +142,7 @@ Most of the features of Better Auth will not work correctly.`);
 			cookieRefreshCache: (() => {
 				const refreshCache = options.session?.cookieCache?.refreshCache;
 				const maxAge = options.session?.cookieCache?.maxAge || 300;
-				if ((!!options.database || !!options.secondaryStorage) && refreshCache) {
+				if (isStateful && refreshCache) {
 					logger.warn("[better-auth] `session.cookieCache.refreshCache` is enabled while `database` or `secondaryStorage` is configured. `refreshCache` is meant for stateless (DB-less) setups. Disabling `refreshCache` — remove it from your config to silence this warning.");
 					return false;
 				}

package/dist/db/internal-adapter.mjs

@@ -388,21 +388,29 @@ const createInternalAdapter = (adapter, ctx) => {
 				value: id
 			}], "account", void 0);
 		},
-		deleteSessions: async (userIdOrSessionTokens) => {
+		deleteUserSessions: async (userId) => {
 			if (secondaryStorage) {
-				if (typeof userIdOrSessionTokens === "string") {
-					const activeSession = await secondaryStorage.get(`active-sessions-${userIdOrSessionTokens}`);
-					const sessions = activeSession ? safeJSONParse(activeSession) : [];
-					if (!sessions) return;
-					for (const session of sessions) await secondaryStorage.delete(session.token);
-					await secondaryStorage.delete(`active-sessions-${userIdOrSessionTokens}`);
-				} else for (const sessionToken of userIdOrSessionTokens) if (await secondaryStorage.get(sessionToken)) await secondaryStorage.delete(sessionToken);
+				const activeSession = await secondaryStorage.get(`active-sessions-${userId}`);
+				const sessions = activeSession ? safeJSONParse(activeSession) : [];
+				if (!sessions) return;
+				for (const session of sessions) await secondaryStorage.delete(session.token);
+				await secondaryStorage.delete(`active-sessions-${userId}`);
 				if (!options.session?.storeSessionInDatabase || ctx.options.session?.preserveSessionInDatabase) return;
 			}
 			await deleteManyWithHooks([{
-				field: Array.isArray(userIdOrSessionTokens) ? "token" : "userId",
-				value: userIdOrSessionTokens,
-				operator: Array.isArray(userIdOrSessionTokens) ? "in" : void 0
+				field: "userId",
+				value: userId
+			}], "session", void 0);
+		},
+		deleteSessions: async (sessionTokens) => {
+			if (secondaryStorage) {
+				for (const sessionToken of sessionTokens) if (await secondaryStorage.get(sessionToken)) await secondaryStorage.delete(sessionToken);
+				if (!options.session?.storeSessionInDatabase || ctx.options.session?.preserveSessionInDatabase) return;
+			}
+			await deleteManyWithHooks([{
+				field: "token",
+				value: sessionTokens,
+				operator: "in"
 			}], "session", void 0);
 		},
 		findOAuthUser: async (email, accountId, providerId) => {
@@ -532,15 +540,6 @@ const createInternalAdapter = (adapter, ctx) => {
 				}]
 			});
 		},
-		findAccount: async (accountId) => {
-			return await (await getCurrentAdapter(adapter)).findOne({
-				model: "account",
-				where: [{
-					field: "accountId",
-					value: accountId
-				}]
-			});
-		},
 		findAccountByProviderId: async (accountId, providerId) => {
 			return await (await getCurrentAdapter(adapter)).findOne({
 				model: "account",

package/dist/oauth2/index.d.mts

@@ -1,5 +1,5 @@
 import { generateState, parseState } from "./state.mjs";
-import { handleOAuthUserInfo } from "./link-account.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "./link-account.mjs";
 import { decryptOAuthToken, setTokenUtil } from "./utils.mjs";
 export * from "@better-auth/core/oauth2";
-export { decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };
+export { applyUpdateUserInfoOnLink, decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };

package/dist/oauth2/index.mjs

@@ -1,5 +1,5 @@
-import { generateState, parseState } from "./state.mjs";
 import { decryptOAuthToken, setTokenUtil } from "./utils.mjs";
-import { handleOAuthUserInfo } from "./link-account.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "./link-account.mjs";
+import { generateState, parseState } from "./state.mjs";
 export * from "@better-auth/core/oauth2";
-export { decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };
+export { applyUpdateUserInfoOnLink, decryptOAuthToken, generateState, handleOAuthUserInfo, parseState, setTokenUtil };

package/dist/oauth2/link-account.d.mts

@@ -42,5 +42,31 @@ declare function handleOAuthUserInfo(c: GenericEndpointContext, opts: {
   error: null;
   isRegister: boolean;
 }>;
+/**
+ * Provider profile a freshly linked account may copy onto the local user.
+ * `id` is the provider's account id (never the local user id), and `email`/
+ * `emailVerified` are identity anchors; all three are stripped before the
+ * remaining fields are written.
+ */
+type LinkedProviderProfile = {
+  id: string | number;
+  name?: string | undefined;
+  email?: string | null | undefined;
+  emailVerified?: boolean | undefined;
+  image?: string | null | undefined;
+};
+/**
+ * Apply the `account.accountLinking.updateUserInfoOnLink` policy: when enabled,
+ * copy the freshly linked provider's profile onto the local user, matching the
+ * field set persisted on sign-up. The local `email` and `emailVerified` are
+ * never changed, so a link can't rebind the account's identity, and
+ * `updateUser` drops `undefined` fields, so a provider that omits one leaves
+ * the existing column intact.
+ *
+ * Returns the updated user so a caller that issues a session can seed the
+ * cookie cache with the fresh row. Returns `undefined` when the policy is
+ * disabled or the update fails: a failed profile sync must not abort the link.
+ */
+declare function applyUpdateUserInfoOnLink(c: GenericEndpointContext, userId: string, userInfo: LinkedProviderProfile): Promise<User | undefined>;
 //#endregion
-export { handleOAuthUserInfo };
+export { applyUpdateUserInfoOnLink, handleOAuthUserInfo };

package/dist/oauth2/link-account.mjs

@@ -46,6 +46,7 @@ async function handleOAuthUserInfo(c, opts) {
 				};
 			}
 			if (userInfo.emailVerified && !dbUser.user.emailVerified && userInfo.email.toLowerCase() === dbUser.user.email) await c.context.internalAdapter.updateUser(dbUser.user.id, { emailVerified: true });
+			user = await applyUpdateUserInfoOnLink(c, dbUser.user.id, userInfo) ?? user;
 		} else {
 			const freshTokens = c.context.options.account?.updateAccountOnSignIn !== false ? Object.fromEntries(Object.entries({
 				idToken: account.idToken,
@@ -137,5 +138,27 @@ async function handleOAuthUserInfo(c, opts) {
 		isRegister
 	};
 }
+/**
+* Apply the `account.accountLinking.updateUserInfoOnLink` policy: when enabled,
+* copy the freshly linked provider's profile onto the local user, matching the
+* field set persisted on sign-up. The local `email` and `emailVerified` are
+* never changed, so a link can't rebind the account's identity, and
+* `updateUser` drops `undefined` fields, so a provider that omits one leaves
+* the existing column intact.
+*
+* Returns the updated user so a caller that issues a session can seed the
+* cookie cache with the fresh row. Returns `undefined` when the policy is
+* disabled or the update fails: a failed profile sync must not abort the link.
+*/
+async function applyUpdateUserInfoOnLink(c, userId, userInfo) {
+	if (c.context.options.account?.accountLinking?.updateUserInfoOnLink !== true) return;
+	const { id: _id, email: _email, emailVerified: _emailVerified, ...profile } = userInfo;
+	try {
+		return await c.context.internalAdapter.updateUser(userId, profile);
+	} catch (e) {
+		c.context.logger.warn("Could not update user info on account link", e);
+		return;
+	}
+}
 //#endregion
-export { handleOAuthUserInfo };
+export { applyUpdateUserInfoOnLink, handleOAuthUserInfo };