better-auth 1.6.12 → 1.6.13

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.6.12";
+var version = "1.6.13";
 //#endregion
 export { version };

package/dist/plugins/admin/routes.mjs

@@ -462,7 +462,7 @@ const banUser = (opts) => createAuthEndpoint("/admin/ban-user", {
 		banExpires: ctx.body.banExpiresIn ? getDate(ctx.body.banExpiresIn, "sec") : opts?.defaultBanExpiresIn ? getDate(opts.defaultBanExpiresIn, "sec") : void 0,
 		updatedAt: /* @__PURE__ */ new Date()
 	});
-	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
+	await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	return ctx.json({ user: parseUserOutput(ctx.context.options, user) });
 });
 const impersonateUserBodySchema = z.object({ userId: z.coerce.string().meta({ description: "The user id" }) });
@@ -658,7 +658,7 @@ const revokeUserSessions = (opts) => createAuthEndpoint("/admin/revoke-user-sess
 		options: opts,
 		permissions: { session: ["revoke"] }
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_REVOKE_USERS_SESSIONS);
-	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
+	await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	return ctx.json({ success: true });
 });
 const removeUserBodySchema = z.object({ userId: z.coerce.string().meta({ description: "The user id" }) });
@@ -703,7 +703,7 @@ const removeUser = (opts) => createAuthEndpoint("/admin/remove-user", {
 	})) throw APIError.from("FORBIDDEN", ADMIN_ERROR_CODES.YOU_ARE_NOT_ALLOWED_TO_DELETE_USERS);
 	if (ctx.body.userId === ctx.context.session.user.id) throw APIError.from("BAD_REQUEST", ADMIN_ERROR_CODES.YOU_CANNOT_REMOVE_YOURSELF);
 	if (!await ctx.context.internalAdapter.findUserById(ctx.body.userId)) throw APIError.from("NOT_FOUND", BASE_ERROR_CODES.USER_NOT_FOUND);
-	await ctx.context.internalAdapter.deleteSessions(ctx.body.userId);
+	await ctx.context.internalAdapter.deleteUserSessions(ctx.body.userId);
 	await ctx.context.internalAdapter.deleteUser(ctx.body.userId);
 	return ctx.json({ success: true });
 });

package/dist/plugins/anonymous/index.mjs

@@ -102,7 +102,7 @@ const anonymous = (options) => {
 				if (options?.disableDeleteAnonymousUser) throw APIError.from("BAD_REQUEST", ANONYMOUS_ERROR_CODES.DELETE_ANONYMOUS_USER_DISABLED);
 				if (!session.user.isAnonymous) throw APIError.from("FORBIDDEN", ANONYMOUS_ERROR_CODES.USER_IS_NOT_ANONYMOUS);
 				try {
-					await ctx.context.internalAdapter.deleteSessions(session.user.id);
+					await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 				} catch (error) {
 					ctx.context.logger.error("Failed to delete anonymous user sessions", error);
 					throw APIError.from("INTERNAL_SERVER_ERROR", ANONYMOUS_ERROR_CODES.FAILED_TO_DELETE_ANONYMOUS_USER_SESSIONS);
@@ -154,7 +154,7 @@ const anonymous = (options) => {
 				const newSessionIsAnonymous = Boolean(newSessionUser?.isAnonymous);
 				if (options?.disableDeleteAnonymousUser || isSameUser || newSessionIsAnonymous) return;
 				try {
-					await ctx.context.internalAdapter.deleteSessions(session.user.id);
+					await ctx.context.internalAdapter.deleteUserSessions(session.user.id);
 					await ctx.context.internalAdapter.deleteUser(session.user.id);
 				} catch (error) {
 					ctx.context.logger.error("Failed to clean up anonymous user during post-link cleanup", {

package/dist/plugins/email-otp/routes.mjs

@@ -585,7 +585,7 @@ const resetPasswordEmailOTP = (opts) => createAuthEndpoint("/email-otp/reset-pas
 	else await ctx.context.internalAdapter.updatePassword(user.user.id, passwordHash);
 	if (ctx.context.options.emailAndPassword?.onPasswordReset) await ctx.context.options.emailAndPassword.onPasswordReset({ user: user.user }, ctx.request);
 	if (!user.user.emailVerified) await ctx.context.internalAdapter.updateUser(user.user.id, { emailVerified: true });
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(user.user.id);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(user.user.id);
 	return ctx.json({ success: true });
 });
 const requestEmailChangeEmailOTPBodySchema = z.object({

package/dist/plugins/generic-oauth/routes.mjs

@@ -1,10 +1,10 @@
 import { isAPIError } from "../../utils/is-api-error.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { missingEmailLogMessage, redirectOnError } from "../../oauth2/errors.mjs";
-import { generateState, parseState } from "../../oauth2/state.mjs";
 import { setTokenUtil } from "../../oauth2/utils.mjs";
+import { applyUpdateUserInfoOnLink, handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { generateState, parseState } from "../../oauth2/state.mjs";
 import { sessionMiddleware } from "../../api/routes/session.mjs";
-import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { APIError as APIError$1 } from "../../api/index.mjs";
 import { GENERIC_OAUTH_ERROR_CODES } from "./error-codes.mjs";
@@ -248,6 +248,7 @@ const oAuth2Callback = (options) => createAuthEndpoint("/oauth2/callback/:provid
 			refreshToken: await setTokenUtil(tokens.refreshToken, ctx.context),
 			idToken: tokens.idToken
 		})) redirectOnError(ctx, resolvedErrorURL, "unable_to_link_account");
+		await applyUpdateUserInfoOnLink(ctx, link.userId, userInfo);
 		let toRedirectTo;
 		try {
 			toRedirectTo = callbackURL.toString();

package/dist/plugins/mcp/index.mjs

@@ -14,6 +14,7 @@ import { oidcProvider } from "../oidc-provider/index.mjs";
 import { authorizeMCPOAuth } from "./authorize.mjs";
 import { isProduction, logger } from "@better-auth/core/env";
 import { safeJSONParse } from "@better-auth/core/utils/json";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
@@ -86,7 +87,7 @@ const getMCPProtectedResourceMetadata = (ctx, options) => {
 	};
 };
 const registerMcpClientBodySchema = z.object({
-	redirect_uris: z.array(z.string()),
+	redirect_uris: z.array(z.string().refine(isSafeUrlScheme, { message: "redirect_uri cannot use a javascript:, data:, or vbscript: scheme" })),
 	token_endpoint_auth_method: z.enum([
 		"none",
 		"client_secret_basic",

package/dist/plugins/oauth-proxy/index.mjs

@@ -5,8 +5,8 @@ import { parseSetCookieHeader } from "../../cookies/cookie-utils.mjs";
 import { symmetricDecrypt, symmetricEncrypt } from "../../crypto/index.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { redirectOnError } from "../../oauth2/errors.mjs";
-import { parseGenericState } from "../../state.mjs";
 import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
+import { parseGenericState } from "../../state.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { parseJSON } from "../../client/parser.mjs";
 import { checkSkipProxy, resolveCurrentURL, stripTrailingSlash } from "./utils.mjs";

package/dist/plugins/oidc-provider/index.mjs

@@ -15,6 +15,7 @@ import { authorize } from "./authorize.mjs";
 import { schema } from "./schema.mjs";
 import { defaultClientSecretHasher } from "./utils.mjs";
 import { getCurrentAuthContext } from "@better-auth/core/context";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 import { createAuthEndpoint, createAuthMiddleware } from "@better-auth/core/api";
 import { deprecate } from "@better-auth/core/utils/deprecate";
 import * as z from "zod";
@@ -101,7 +102,7 @@ const oAuthConsentBodySchema = z.object({
 });
 const oAuth2TokenBodySchema = z.record(z.any(), z.any());
 const registerOAuthApplicationBodySchema = z.object({
-	redirect_uris: z.array(z.string()).meta({ description: "A list of redirect URIs. Eg: [\"https://client.example.com/callback\"]" }),
+	redirect_uris: z.array(z.string().refine(isSafeUrlScheme, { message: "redirect_uri cannot use a javascript:, data:, or vbscript: scheme" })).meta({ description: "A list of redirect URIs. Eg: [\"https://client.example.com/callback\"]" }),
 	token_endpoint_auth_method: z.enum([
 		"none",
 		"client_secret_basic",

package/dist/plugins/one-tap/client.mjs

@@ -1,4 +1,5 @@
 import { PACKAGE_VERSION } from "../../version.mjs";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 //#region src/plugins/one-tap/client.ts
 let isRequestInProgress = false;
 function isFedCMSupported() {
@@ -49,7 +50,10 @@ const oneTapClient = (options) => {
 							...opts?.fetchOptions,
 							...fetchOptions
 						});
-						if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) window.location.href = opts?.callbackURL ?? "/";
+						if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
+							const target = opts?.callbackURL ?? "/";
+							if (isSafeUrlScheme(target)) window.location.href = target;
+						}
 					}
 					const { autoSelect, cancelOnTapOutside, context } = opts ?? {};
 					const contextValue = context ?? options.context ?? "signin";
@@ -82,7 +86,10 @@ const oneTapClient = (options) => {
 						...opts?.fetchOptions,
 						...fetchOptions
 					});
-					if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) window.location.href = opts?.callbackURL ?? "/";
+					if (!opts?.fetchOptions && !fetchOptions || opts?.callbackURL) {
+						const target = opts?.callbackURL ?? "/";
+						if (isSafeUrlScheme(target)) window.location.href = target;
+					}
 				}
 				const { autoSelect, cancelOnTapOutside, context } = opts ?? {};
 				const contextValue = context ?? options.context ?? "signin";

package/dist/plugins/one-tap/index.mjs

@@ -1,5 +1,6 @@
 import { parseUserOutput } from "../../db/schema.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
+import { handleOAuthUserInfo } from "../../oauth2/link-account.mjs";
 import { APIError } from "../../api/index.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { toBoolean } from "../../utils/boolean.mjs";
@@ -47,51 +48,27 @@ const oneTap = (options) => ({
 		}
 		const { email: rawEmail, email_verified, name, picture, sub } = payload;
 		if (!rawEmail) return ctx.json({ error: "Email not available in token" });
-		const email = rawEmail.toLowerCase();
-		const user = await ctx.context.internalAdapter.findUserByEmail(email);
-		if (!user) {
-			if (options?.disableSignup) throw new APIError("BAD_GATEWAY", { message: "User not found" });
-			const newUser = await ctx.context.internalAdapter.createOAuthUser({
-				email,
+		const result = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				id: sub,
+				email: rawEmail.toLowerCase(),
 				emailVerified: typeof email_verified === "boolean" ? email_verified : toBoolean(email_verified),
-				name,
+				name: name ?? "",
 				image: picture
-			}, {
-				providerId: "google",
-				accountId: sub
-			});
-			if (!newUser) throw new APIError("INTERNAL_SERVER_ERROR", { message: "Could not create user" });
-			const session = await ctx.context.internalAdapter.createSession(newUser.user.id);
-			await setSessionCookie(ctx, {
-				user: newUser.user,
-				session
-			});
-			return ctx.json({
-				token: session.token,
-				user: parseUserOutput(ctx.context.options, newUser.user)
-			});
-		}
-		if (!await ctx.context.internalAdapter.findAccount(sub)) {
-			const accountLinking = ctx.context.options.account?.accountLinking;
-			const providerEmailVerified = typeof email_verified === "boolean" ? email_verified : toBoolean(email_verified);
-			const requireLocalEmailVerified = accountLinking?.requireLocalEmailVerified ?? true;
-			if (accountLinking?.enabled !== false && accountLinking?.disableImplicitLinking !== true && (!requireLocalEmailVerified || user.user.emailVerified) && (ctx.context.trustedProviders.includes("google") || providerEmailVerified)) await ctx.context.internalAdapter.linkAccount({
-				userId: user.user.id,
+			},
+			account: {
 				providerId: "google",
 				accountId: sub,
-				scope: "openid,profile,email",
-				idToken
-			});
-			else throw new APIError("UNAUTHORIZED", { message: "Google identity cannot be linked: implicit account-linking is disabled, the local email is not verified, or the Google email_verified claim is false and Google is not a trusted provider" });
-		}
-		const session = await ctx.context.internalAdapter.createSession(user.user.id);
-		await setSessionCookie(ctx, {
-			user: user.user,
-			session
+				idToken,
+				scope: "openid,profile,email"
+			},
+			disableSignUp: options?.disableSignup
 		});
+		if (result.error) throw new APIError("UNAUTHORIZED", { message: result.error });
+		await setSessionCookie(ctx, result.data);
 		return ctx.json({
-			token: session.token,
-			user: parseUserOutput(ctx.context.options, user.user)
+			token: result.data.session.token,
+			user: parseUserOutput(ctx.context.options, result.data.user)
 		});
 	}) },
 	options

package/dist/plugins/organization/routes/crud-org.d.mts

@@ -15,7 +15,7 @@ declare const createOrganization: <O extends OrganizationOptions>(options?: O |
     name: z.ZodString;
     slug: z.ZodString;
     userId: z.ZodOptional<z.ZodCoercedString<unknown>>;
-    logo: z.ZodOptional<z.ZodString>;
+    logo: z.ZodOptional<z.ZodNullable<z.ZodString>>;
     metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
     keepCurrentActiveOrganization: z.ZodOptional<z.ZodBoolean>;
   }, z.core.$strip>;
@@ -55,7 +55,7 @@ declare const createOrganization: <O extends OrganizationOptions>(options?: O |
         name: string;
         slug: string;
         userId?: string | undefined;
-        logo?: string | undefined;
+        logo?: string | null | undefined;
         metadata?: Record<string, any> | undefined;
         keepCurrentActiveOrganization?: boolean | undefined;
       };
@@ -165,7 +165,7 @@ declare const updateOrganization: <O extends OrganizationOptions>(options?: O |
     data: z.ZodObject<{
       name: z.ZodOptional<z.ZodOptional<z.ZodString>>;
       slug: z.ZodOptional<z.ZodOptional<z.ZodString>>;
-      logo: z.ZodOptional<z.ZodOptional<z.ZodString>>;
+      logo: z.ZodOptional<z.ZodOptional<z.ZodNullable<z.ZodString>>>;
       metadata: z.ZodOptional<z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>>;
     }, z.core.$strip>;
     organizationId: z.ZodOptional<z.ZodString>;
@@ -207,7 +207,7 @@ declare const updateOrganization: <O extends OrganizationOptions>(options?: O |
         data: {
           name?: string | undefined;
           slug?: string | undefined;
-          logo?: string | undefined;
+          logo?: string | null | undefined;
           metadata?: Record<string, any> | undefined;
         } & Partial<InferAdditionalFieldsFromPluginOptions<"organization", O>>;
         organizationId?: string | undefined;

package/dist/plugins/organization/routes/crud-org.mjs

@@ -13,7 +13,7 @@ const baseOrganizationSchema = z.object({
 	name: z.string().min(1).meta({ description: "The name of the organization" }),
 	slug: z.string().min(1).meta({ description: "The slug of the organization" }),
 	userId: z.coerce.string().meta({ description: "The user id of the organization creator. If not provided, the current user will be used. Should only be used by admins or when called by the server. server-only. Eg: \"user-id\"" }).optional(),
-	logo: z.string().meta({ description: "The logo of the organization" }).optional(),
+	logo: z.string().meta({ description: "The logo of the organization" }).nullish(),
 	metadata: z.record(z.string(), z.any()).meta({ description: "The metadata of the organization" }).optional(),
 	keepCurrentActiveOrganization: z.boolean().meta({ description: "Whether to keep the current active organization active after creating a new one. Eg: true" }).optional()
 });
@@ -160,7 +160,7 @@ const checkOrganizationSlug = (options) => createAuthEndpoint("/organization/che
 const baseUpdateOrganizationSchema = z.object({
 	name: z.string().min(1).meta({ description: "The name of the organization" }).optional(),
 	slug: z.string().min(1).meta({ description: "The slug of the organization" }).optional(),
-	logo: z.string().meta({ description: "The logo of the organization" }).optional(),
+	logo: z.string().meta({ description: "The logo of the organization" }).nullish(),
 	metadata: z.record(z.string(), z.any()).meta({ description: "The metadata of the organization" }).optional()
 });
 const updateOrganization = (options) => {

package/dist/plugins/organization/types.d.mts

@@ -317,7 +317,7 @@ interface OrganizationOptions {
       organization: {
         name?: string;
         slug?: string;
-        logo?: string;
+        logo?: string | null;
         metadata?: Record<string, any>;
         [key: string]: any;
       };
@@ -348,7 +348,7 @@ interface OrganizationOptions {
       organization: {
         name?: string;
         slug?: string;
-        logo?: string;
+        logo?: string | null;
         metadata?: Record<string, any>;
         [key: string]: any;
       };
@@ -358,7 +358,7 @@ interface OrganizationOptions {
       data: {
         name?: string;
         slug?: string;
-        logo?: string;
+        logo?: string | null;
         metadata?: Record<string, any>;
         [key: string]: any;
       };

package/dist/plugins/phone-number/routes.mjs

@@ -470,7 +470,7 @@ const resetPasswordPhoneNumber = (opts) => createAuthEndpoint("/phone-number/res
 	else await ctx.context.internalAdapter.updatePassword(user.id, hashedPassword);
 	await ctx.context.internalAdapter.deleteVerificationByIdentifier(phoneResetIdentifier);
 	if (ctx.context.options.emailAndPassword?.onPasswordReset) await ctx.context.options.emailAndPassword.onPasswordReset({ user }, ctx.request);
-	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteSessions(user.id);
+	if (ctx.context.options.emailAndPassword?.revokeSessionsOnPasswordReset) await ctx.context.internalAdapter.deleteUserSessions(user.id);
 	return ctx.json({ status: true });
 });
 function generateOTP(size) {

package/dist/plugins/two-factor/backup-codes/index.d.mts

@@ -264,9 +264,10 @@ declare const backupCode2fa: (opts: BackupCodeOptions) => {
       backupCodes: string[];
     }>;
     /**
-     * ### Endpoint
-     *
-     * POST `/two-factor/view-backup-codes`
+     * A server-only function that returns a user's decrypted two-factor
+     * backup codes. It is not exposed over HTTP and has no client method;
+     * call it from trusted server code with a `userId` taken from an
+     * authenticated session.
      *
      * ### API Methods
      *

package/dist/plugins/two-factor/client.mjs

@@ -1,5 +1,6 @@
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { TWO_FACTOR_ERROR_CODES } from "./error-code.mjs";
+import { isSafeUrlScheme } from "@better-auth/core/utils/url";
 //#region src/plugins/two-factor/client.ts
 const twoFactorClient = (options) => {
 	return {
@@ -29,7 +30,7 @@ const twoFactorClient = (options) => {
 						await options.onTwoFactorRedirect({ twoFactorMethods: context.data.twoFactorMethods });
 						return;
 					}
-					if (options?.twoFactorPage && typeof window !== "undefined") window.location.href = options.twoFactorPage;
+					if (options?.twoFactorPage && typeof window !== "undefined" && isSafeUrlScheme(options.twoFactorPage)) window.location.href = options.twoFactorPage;
 				}
 			} }
 		}],

package/dist/test-utils/test-instance.d.mts

@@ -1943,29 +1943,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -2015,6 +1992,8 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;
@@ -3948,29 +3927,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
     }>;
     readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
       method: "GET";
-      use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-        session: {
-          session: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            userId: string;
-            expiresAt: Date;
-            token: string;
-            ipAddress?: string | null | undefined;
-            userAgent?: string | null | undefined;
-          };
-          user: Record<string, any> & {
-            id: string;
-            createdAt: Date;
-            updatedAt: Date;
-            email: string;
-            emailVerified: boolean;
-            name: string;
-            image?: string | null | undefined;
-          };
-        };
-      }>)[];
       metadata: {
         openapi: {
           description: string;
@@ -4020,6 +3976,8 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
       };
       query: zod.ZodOptional<zod.ZodObject<{
         accountId: zod.ZodOptional<zod.ZodString>;
+        providerId: zod.ZodOptional<zod.ZodString>;
+        userId: zod.ZodOptional<zod.ZodString>;
       }, zod_v4_core0.$strip>>;
     }, {
       user: _better_auth_core_oauth20.OAuth2UserInfo;
@@ -5956,29 +5914,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         }>;
         readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
           method: "GET";
-          use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-            session: {
-              session: Record<string, any> & {
-                id: string;
-                createdAt: Date;
-                updatedAt: Date;
-                userId: string;
-                expiresAt: Date;
-                token: string;
-                ipAddress?: string | null | undefined;
-                userAgent?: string | null | undefined;
-              };
-              user: Record<string, any> & {
-                id: string;
-                createdAt: Date;
-                updatedAt: Date;
-                email: string;
-                emailVerified: boolean;
-                name: string;
-                image?: string | null | undefined;
-              };
-            };
-          }>)[];
           metadata: {
             openapi: {
               description: string;
@@ -6028,6 +5963,8 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
           };
           query: zod.ZodOptional<zod.ZodObject<{
             accountId: zod.ZodOptional<zod.ZodString>;
+            providerId: zod.ZodOptional<zod.ZodString>;
+            userId: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
         }, {
           user: _better_auth_core_oauth20.OAuth2UserInfo;
@@ -7961,29 +7898,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         }>;
         readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
           method: "GET";
-          use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-            session: {
-              session: Record<string, any> & {
-                id: string;
-                createdAt: Date;
-                updatedAt: Date;
-                userId: string;
-                expiresAt: Date;
-                token: string;
-                ipAddress?: string | null | undefined;
-                userAgent?: string | null | undefined;
-              };
-              user: Record<string, any> & {
-                id: string;
-                createdAt: Date;
-                updatedAt: Date;
-                email: string;
-                emailVerified: boolean;
-                name: string;
-                image?: string | null | undefined;
-              };
-            };
-          }>)[];
           metadata: {
             openapi: {
               description: string;
@@ -8033,6 +7947,8 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
           };
           query: zod.ZodOptional<zod.ZodObject<{
             accountId: zod.ZodOptional<zod.ZodString>;
+            providerId: zod.ZodOptional<zod.ZodString>;
+            userId: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
         }, {
           user: _better_auth_core_oauth20.OAuth2UserInfo;
@@ -10040,29 +9956,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         }>;
         readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
           method: "GET";
-          use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-            session: {
-              session: Record<string, any> & {
-                id: string;
-                createdAt: Date;
-                updatedAt: Date;
-                userId: string;
-                expiresAt: Date;
-                token: string;
-                ipAddress?: string | null | undefined;
-                userAgent?: string | null | undefined;
-              };
-              user: Record<string, any> & {
-                id: string;
-                createdAt: Date;
-                updatedAt: Date;
-                email: string;
-                emailVerified: boolean;
-                name: string;
-                image?: string | null | undefined;
-              };
-            };
-          }>)[];
           metadata: {
             openapi: {
               description: string;
@@ -10112,6 +10005,8 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
           };
           query: zod.ZodOptional<zod.ZodObject<{
             accountId: zod.ZodOptional<zod.ZodString>;
+            providerId: zod.ZodOptional<zod.ZodString>;
+            userId: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
         }, {
           user: _better_auth_core_oauth20.OAuth2UserInfo;
@@ -12045,29 +11940,6 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
         }>;
         readonly accountInfo: better_call0.StrictEndpoint<"/account-info", {
           method: "GET";
-          use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
-            session: {
-              session: Record<string, any> & {
-                id: string;
-                createdAt: Date;
-                updatedAt: Date;
-                userId: string;
-                expiresAt: Date;
-                token: string;
-                ipAddress?: string | null | undefined;
-                userAgent?: string | null | undefined;
-              };
-              user: Record<string, any> & {
-                id: string;
-                createdAt: Date;
-                updatedAt: Date;
-                email: string;
-                emailVerified: boolean;
-                name: string;
-                image?: string | null | undefined;
-              };
-            };
-          }>)[];
           metadata: {
             openapi: {
               description: string;
@@ -12117,6 +11989,8 @@ declare function getTestInstance<O extends Partial<BetterAuthOptions>, C extends
           };
           query: zod.ZodOptional<zod.ZodObject<{
             accountId: zod.ZodOptional<zod.ZodString>;
+            providerId: zod.ZodOptional<zod.ZodString>;
+            userId: zod.ZodOptional<zod.ZodString>;
           }, zod_v4_core0.$strip>>;
         }, {
           user: _better_auth_core_oauth20.OAuth2UserInfo;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.6.12",
+  "version": "1.6.13",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -489,13 +489,13 @@
     "kysely": "^0.28.17 || ^0.29.0",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.6.12",
-    "@better-auth/drizzle-adapter": "1.6.12",
-    "@better-auth/memory-adapter": "1.6.12",
-    "@better-auth/mongo-adapter": "1.6.12",
-    "@better-auth/kysely-adapter": "1.6.12",
-    "@better-auth/prisma-adapter": "1.6.12",
-    "@better-auth/telemetry": "1.6.12"
+    "@better-auth/core": "1.6.13",
+    "@better-auth/drizzle-adapter": "1.6.13",
+    "@better-auth/kysely-adapter": "1.6.13",
+    "@better-auth/memory-adapter": "1.6.13",
+    "@better-auth/mongo-adapter": "1.6.13",
+    "@better-auth/prisma-adapter": "1.6.13",
+    "@better-auth/telemetry": "1.6.13"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",